3177. [func] 'rndc keydone', remove the indicator record that

named has finished signing the zone with the
                        corresponding key.  [RT #26206]
Mark Andrews 2011-10-25 01:54:22 +00:00
parent 4aa19ee16a
commit b1c6de5456
21 changed files with 495 additions and 37 deletions


@ -1,3 +1,7 @@
3177. [func] 'rndc keydone', remove the indicator record that
named has finished signing the zone with the
corresponding key. [RT #26206]
3176. [doc] Corrected example code and added a README to the
sample external DLZ module in contrib/dlz/example.
[RT #26215]


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-dsfromkey.c,v 1.23 2011/09/03 05:51:29 each Exp $ */
/* $Id: dnssec-dsfromkey.c,v 1.24 2011/10/25 01:54:18 marka Exp $ */
/*! \file */
@ -62,6 +62,7 @@ static dns_rdataclass_t rdclass;
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
static isc_uint32_t ttl;
static isc_result_t
initname(char *setname) {
@ -294,6 +295,9 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
isc_buffer_usedregion(&nameb, &r);
printf("%.*s ", (int)r.length, r.base);
if (ttl != 0U)
printf("%u ", ttl);
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
@ -329,6 +333,7 @@ usage(void) {
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
fprintf(stderr, " -T TTL\n");
fprintf(stderr, " -f file: read keyset from zone file\n");
fprintf(stderr, " -A: when used with -f, "
"include all keys in DS set, not just KSKs\n");
@ -368,7 +373,7 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"12Aa:c:d:Ff:K:l:sv:h")) != -1) {
"12Aa:c:d:Ff:K:l:sT:v:h")) != -1) {
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
@ -408,6 +413,9 @@ main(int argc, char **argv) {
case 's':
usekeyset = ISC_TRUE;
break;
case 'T':
ttl = atol(isc_commandline_argument);
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
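Review bot: The new `-T` case converts its argument with `atol()` and never checks that the whole string was consumed, so `-T 12abc` silently becomes 12 and `-T -1` wraps to a huge value when stored in the `isc_uint32_t ttl`, which then gets printed into every DS record. The `-v` case directly below already parses with `strtol` and an `endp` check, so the TTL should follow the same pattern: `ttl = strtoul(isc_commandline_argument, &endp, 0);` followed by `if (*endp != '\0') fatal("-T must be numeric");` (the `-v` branch's error call is outside this hunk, so mirror whatever it actually does). The usage line in the earlier hunk, `" -T TTL\n"`, is also the only option without a description; `" -T TTL: TTL of the DS records (default: no TTL)\n"` matches what the docbook text in this commit says and what the `if (ttl != 0U)` print guard implements.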


@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-dsfromkey.docbook,v 1.16 2011/03/27 06:39:59 marka Exp $ -->
<!-- $Id: dnssec-dsfromkey.docbook,v 1.17 2011/10/25 01:54:18 marka Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
<date>August 26, 2009</date>
@ -52,6 +52,7 @@
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis>
@ -64,6 +65,7 @@
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
@ -113,6 +115,15 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.c,v 1.44 2011/08/02 20:36:11 each Exp $ */
/* $Id: control.c,v 1.45 2011/10/25 01:54:18 marka Exp $ */
/*! \file */
@ -205,6 +205,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
result = ns_server_add_zone(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_DELZONE)) {
result = ns_server_del_zone(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_KEYDONE)) {
result = ns_server_keydone(ns_g_server, command);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.h,v 1.34 2011/08/02 20:36:12 each Exp $ */
/* $Id: control.h,v 1.35 2011/10/25 01:54:19 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
@ -64,6 +64,7 @@
#define NS_COMMAND_ADDZONE "addzone"
#define NS_COMMAND_DELZONE "delzone"
#define NS_COMMAND_SYNC "sync"
#define NS_COMMAND_KEYDONE "keydone"
isc_result_t
ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.h,v 1.113 2011/08/02 20:36:12 each Exp $ */
/* $Id: server.h,v 1.114 2011/10/25 01:54:19 marka Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
@ -342,4 +342,10 @@ ns_server_add_zone(ns_server_t *server, char *args);
isc_result_t
ns_server_del_zone(ns_server_t *server, char *args);
/*%
* Deletes the matching key done private record from the zone.
*/
isc_result_t
ns_server_keydone(ns_server_t *server, char *args);
#endif /* NAMED_SERVER_H */


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.622 2011/10/14 05:38:49 marka Exp $ */
/* $Id: server.c,v 1.623 2011/10/25 01:54:19 marka Exp $ */
/*! \file */
@ -5912,7 +5912,7 @@ next_token(char **stringp, const char *delim) {
*/
static isc_result_t
zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
const char **zonename)
const char **zonename, isc_boolean_t skip)
{
char *input, *ptr;
const char *zonetxt;
@ -5928,10 +5928,12 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
input = args;
/* Skip the command name. */
ptr = next_token(&input, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
if (skip) {
/* Skip the command name. */
ptr = next_token(&input, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
}
/* Look for the zone name. */
zonetxt = next_token(&input, " \t");
@ -5999,7 +6001,7 @@ ns_server_retransfercommand(ns_server_t *server, char *args) {
dns_zone_t *zone = NULL;
dns_zonetype_t type;
result = zone_from_args(server, args, &zone, NULL);
result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@ -6023,7 +6025,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
dns_zonetype_t type;
const char *msg = NULL;
result = zone_from_args(server, args, &zone, NULL);
result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
@ -6083,7 +6085,7 @@ ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
dns_zone_t *zone = NULL;
const unsigned char msg[] = "zone notify queued";
result = zone_from_args(server, args, &zone, NULL);
result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@ -6108,7 +6110,7 @@ ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
const unsigned char msg2[] = "not a slave or stub zone";
dns_zonetype_t type;
result = zone_from_args(server, args, &zone, NULL);
result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@ -7216,7 +7218,7 @@ ns_server_rekey(ns_server_t *server, char *args) {
if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
fullsign = ISC_TRUE;
result = zone_from_args(server, args, &zone, NULL);
result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@ -7283,7 +7285,7 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) {
(void) next_token(&args, " \t");
}
result = zone_from_args(server, args, &zone, NULL);
result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
@ -7359,7 +7361,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
isc_boolean_t frozen;
const char *msg = NULL;
result = zone_from_args(server, args, &zone, NULL);
result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
@ -7687,7 +7689,7 @@ ns_server_del_zone(ns_server_t *server, char *args) {
FILE *ifp = NULL, *ofp = NULL;
/* Parse parameters */
CHECK(zone_from_args(server, args, &zone, &zonename));
CHECK(zone_from_args(server, args, &zone, &zonename, ISC_TRUE));
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
@ -7855,3 +7857,47 @@ newzone_cfgctx_destroy(void **cfgp) {
isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
*cfgp = NULL;
}
/*
* Act on a "keydone" command from the command channel.
*/
isc_result_t
ns_server_keydone(ns_server_t *server, char *args) {
isc_result_t result;
dns_zone_t *zone = NULL;
const char *ptr = NULL;
ptr = next_token(&args, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
ptr = next_token(&args, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
/*
* Is the rdata sane?
*/
if (strspn(ptr, "0123456789ABCDEFabcdef") != 10U ||
strncmp(ptr, "00", 2) == 0 || strcmp(ptr + 6, "0001") != 0)
return (DNS_R_SYNTAX);
/*
* Find the zone.
*/
result = zone_from_args(server, args, &zone, NULL, ISC_FALSE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
return(ISC_R_NOTFOUND);
if (dns_zone_gettype(zone) != dns_zone_master) {
result = DNS_R_NOTMASTER;
goto cleanup;
}
result = dns_zone_keydone(zone, ptr);
cleanup:
dns_zone_detach(&zone);
return (result);
}
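Review bot: The rdata sanity check in ns_server_keydone() encodes the private-type record format as three bare string tests with no explanation; the only statement of why the `00` prefix and `0001` suffix matter is the ARM text elsewhere in this commit. Suggest a comment above the `strspn` test: `/* Accept only a 5-byte (10 hex digit) private-type record whose first byte is non-zero and whose last two bytes are 00 01, i.e. one marking that signing with this key is complete (see the sig-signing-type description in the ARM); anything else is rejected before the zone is even looked up. */` — the byte meanings beyond what the ARM states are my reading of the format, so adjust if the flags mean something else. Note that `strspn()` accepts lowercase hex while the system test only matches uppercase, which is fine for named but worth a word in that comment. Minor style: `return(ISC_R_NOTFOUND);` lacks the space before `(` that every other return in this function uses.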


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc.c,v 1.134 2011/03/21 15:39:05 each Exp $ */
/* $Id: rndc.c,v 1.135 2011/10/25 01:54:19 marka Exp $ */
/*! \file */
@ -154,6 +154,9 @@ command is one of the following:\n\
Add zone to given view. Requires new-zone-file option.\n\
delzone [\"file\"] zone [class [view]]\n\
Removes zone from given view. Requires new-zone-file option.\n\
keydone rdata zone [class [view]]\n\
Remove the private record with the corresponding rdata from\n\
the given zone.\n\
\n\
* == not yet implemented\n\
Version: %s\n",


@ -12,11 +12,15 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
# $Id: clean.sh,v 1.4 2011/10/25 01:54:19 marka Exp $
rm -f */named.memstats
rm -f */named.run
rm -f */trusted.conf
rm -f ns1/K*
rm -f ns1/dsset-*
rm -f ns1/root.db
rm -f ns1/root.db.signed
rm -f ns2/bits.db
rm -f ns2/bits.db.jnl
rm -f ns3/K*


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/08/30 23:46:52 tbox Exp $ */
/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */
// NS1
@ -39,4 +39,4 @@ zone "." {
file "root.db.signed";
};
// include "trusted.conf";
include "trusted.conf";


@ -0,0 +1,35 @@
; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
; Copyright (C) 2000, 2001 Internet Software Consortium.
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db.in,v 1.2 2011/10/25 01:54:20 marka Exp $
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
bits. NS ns3.bits.
ns3.bits. A 10.53.0.3
bits. NS ns4.bits.
ns4.bits. A 10.53.0.4
noixfr. NS ns3.noixfr.
ns3.noixfr. A 10.53.0.3


@ -0,0 +1,41 @@
#!/bin/sh -e
#
# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2 2011/10/25 01:54:20 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=../random.data
zone=.
rm -f K.+*+*.key
rm -f K.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$SIGNER -S -x -T 1200 -o ${zone} root.db
cat ${keyname}.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
' > trusted.conf
cp trusted.conf ../ns6/trusted.conf


@ -14,11 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/08/30 23:46:52 tbox Exp $ */
/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */
// NS2
// NS3
controls { /* empty */ };
include "../../common/rndc.key";
controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; };
options {
query-source address 10.53.0.3;


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
# $Id: sign.sh,v 1.3 2011/10/25 01:54:20 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -26,9 +26,11 @@ rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=noixfr
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db


@ -0,0 +1,43 @@
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/10/25 01:54:21 marka Exp $ */
// NS6
include "../../common/rndc.key";
controls { inet 10.53.0.6 port 9953 allow { any; } keys { rndc_key; }; };
options {
query-source address 10.53.0.6;
notify-source 10.53.0.6;
transfer-source 10.53.0.6;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion yes;
notify yes;
notify-delay 0;
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";


@ -12,10 +12,13 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
# $Id: setup.sh,v 1.4 2011/10/25 01:54:19 marka Exp $
sh clean.sh
cp ns1/root.db.in ns1/root.db
rm -f ns1/root.db.signed
touch ns2/trusted.conf
cp ns2/bits.db.in ns2/bits.db
rm -f ns2/bits.db.jnl
@ -39,3 +42,4 @@ cp ns5/named.conf.pre ns5/named.conf
../../../tools/genrandom 400 random.data
(cd ns3; sh -e sign.sh)
(cd ns1; sh -e sign.sh)


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
# $Id: tests.sh,v 1.4 2011/10/25 01:54:20 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -34,7 +34,7 @@ do
$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
records=`grep "TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001" dig.out.ns3.test$n | wc -l`
records=`grep 'TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001$' dig.out.ns3.test$n | wc -l`
[ $records = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
@ -42,6 +42,75 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking removal of private type record via 'rndc keydone' ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
for record in $records
do
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits || ret=1
break; # We only want to remove 1 record for now.
done 2>&1 |sed 's/^/I:ns3 /'
for i in 1 2 3 4 5 6 7 8 9 10
do
ans=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking private type was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking removal of remaining private type record via 'rndc keydone' ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
for record in $records
do
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits || ret=1
done 2>&1 |sed 's/^/I:ns3 /'
for i in 1 2 3 4 5 6 7 8 9 10
do
ans=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ans=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking negative private type response was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
@ -195,7 +264,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:restart bump in the wire signer server ($n)"
ret=0
$PERL ../start.pl --noclean . ns3 || ret=1
$PERL ../start.pl --noclean --restart . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
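Review bot: Both new `for record in $records ... done 2>&1 | sed 's/^/I:ns3 /'` loops run as the left side of a pipeline, so in POSIX sh the loop body executes in a subshell and the `|| ret=1` after `$RNDC ... keydone` never reaches the outer `ret`; an rndc failure is only caught indirectly by the dig polling that follows, and the "I:failed" for the rndc step itself can never fire. Write the rndc output to a file instead and prefix it afterwards, in both loops: `$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits > rndc.out.test$n 2>&1 || ret=1` inside the loop, then `sed 's/^/I:ns3 /' rndc.out.test$n` after `done`. The `break; # We only want to remove 1 record for now.` comment would also read better if it said that the remaining record is removed by the later "remaining private type record" test, so the dependency between the two tests is explicit.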


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.506 2011/10/13 23:44:47 tbox Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.507 2011/10/25 01:54:21 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@ -1555,6 +1555,28 @@ zone "eng.example.com" {
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>keydone
<replaceable>rdata</replaceable>
<replaceable>zone</replaceable>
<optional><replaceable>class</replaceable>
<optional><replaceable>view</replaceable></optional></optional>
</userinput></term>
<listitem>
<para>
Remove the <command>sig-signing-type</command> record
which matches the <replaceable>rdata</replaceable>
(in hexadecimal) from the specified zone. Only
<replaceable>rdata</replaceable> that
indicate that named has finished signing the zone
with the corresponding key will be removed. (i.e.
the first two characters are not "00", the
last four characters are "0001" and the total
length is 10 hexadecimal characters.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
@ -8704,6 +8726,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
It is expected that this parameter may be removed
in a future version once there is a standard type.
</para>
<para>
These records can be removed from the zone once named
has completed signing the zone with the matching key
using <command>nsupdate</command> or
<command>rndc keydone</command>.
<command>rndc keydone</command> is the only supported
way to remove these records from
<command>inline-signing</command> zones.
</para>
</listitem>
</varlistentry>


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: events.h,v 1.59 2011/09/02 21:15:36 each Exp $ */
/* $Id: events.h,v 1.60 2011/10/25 01:54:22 marka Exp $ */
#ifndef DNS_EVENTS_H
#define DNS_EVENTS_H 1
@ -77,6 +77,7 @@
#define DNS_EVENT_ZONESECURESERIAL (ISC_EVENTCLASS_DNS + 47)
#define DNS_EVENT_ZONESECUREDB (ISC_EVENTCLASS_DNS + 48)
#define DNS_EVENT_ZONELOAD (ISC_EVENTCLASS_DNS + 49)
#define DNS_EVENT_KEYDONE (ISC_EVENTCLASS_DNS + 50)
#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
#define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535)


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.194 2011/09/06 22:29:33 smann Exp $ */
/* $Id: zone.h,v 1.195 2011/10/25 01:54:22 marka Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
@ -1978,6 +1978,9 @@ dns_zone_link(dns_zone_t *zone, dns_zone_t *raw);
void
dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);
isc_result_t
dns_zone_keydone(dns_zone_t *zone, const char *data);
ISC_LANG_ENDDECLS
#endif /* DNS_ZONE_H */
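Review bot: `dns_zone_keydone()` is added to the public zone API without the doc comment this header gives its other declarations (the one for dns_zone_getraw just above is outside the hunk, but server.h in this same commit documents its counterpart). Suggest, above the prototype: `/*%< Schedule removal, on the zone's task, of the private-type record at the zone origin whose 5-byte rdata equals the hex string 'data'. Returns ISC_R_NOMEMORY if the event cannot be allocated, or the isc_hex_decodestring() result if 'data' is not valid hex; the actual removal, SOA serial bump and re-signing happen asynchronously, so a success return only means the request was queued. */` — that wording follows what the zone.c implementation in this commit does.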


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.636 2011/10/20 21:20:02 marka Exp $ */
/* $Id: zone.c,v 1.637 2011/10/25 01:54:22 marka Exp $ */
/*! \file */
@ -23,6 +23,7 @@
#include <errno.h>
#include <isc/file.h>
#include <isc/hex.h>
#include <isc/mutex.h>
#include <isc/print.h>
#include <isc/random.h>
@ -30,9 +31,9 @@
#include <isc/refcount.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
#include <isc/strerror.h>
#include <isc/stats.h>
#include <isc/stdtime.h>
#include <isc/strerror.h>
#include <isc/string.h>
#include <isc/taskpool.h>
#include <isc/timer.h>
@ -15319,3 +15320,144 @@ dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
dns_zone_attach(zone->raw, raw);
UNLOCK(&zone->lock);
}
struct keydone {
isc_event_t event;
unsigned int data[5];
};
static void
keydone(isc_task_t *task, isc_event_t *event) {
const char *me = "keydone";
isc_boolean_t commit = ISC_FALSE;
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_dbversion_t *oldver = NULL, *newver = NULL;
dns_zone_t *zone;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
dns_rdataset_t rdataset;
dns_diff_t diff;
isc_boolean_t have_rr = ISC_FALSE;
struct keydone *keydone = (struct keydone *)event;
dns_update_log_t log = { update_log_cb, NULL };
UNUSED(task);
zone = event->ev_arg;
INSIST(DNS_ZONE_VALID(zone));
ENTER;
dns_rdataset_init(&rdataset);
dns_diff_init(zone->mctx, &diff);
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
if (zone->db != NULL) {
dns_db_attach(zone->db, &db);
dns_db_currentversion(db, &oldver);
result = dns_db_newversion(db, &newver);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"keydone:dns_db_newversion -> %s\n",
dns_result_totext(result));
goto failure;
}
}
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
if (db == NULL)
goto failure;
result = dns_db_getoriginnode(db, &node);
if (result != ISC_R_SUCCESS)
goto failure;
result = dns_db_findrdataset(db, node, newver, zone->privatetype,
dns_rdatatype_none, 0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND) {
INSIST(!dns_rdataset_isassociated(&rdataset));
goto failure;
}
if (result != ISC_R_SUCCESS) {
INSIST(!dns_rdataset_isassociated(&rdataset));
goto failure;
}
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdataset_current(&rdataset, &rdata);
if (rdata.length != 5 ||
memcmp(rdata.data, keydone->data, 5) != 0) {
dns_rdata_reset(&rdata);
continue;
}
CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL,
&zone->origin, rdataset.ttl, &rdata));
dns_rdata_reset(&rdata);
}
if (!ISC_LIST_EMPTY(diff.tuples)) {
/* Write changes to journal file. */
CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
zone->updatemethod));
CHECK(dns_update_signatures(&log, zone, db, oldver, newver,
&diff, zone->sigvalidityinterval));
CHECK(zone_journal(zone, &diff, NULL, "keydone"));
commit = ISC_TRUE;
LOCK_ZONE(zone);
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
zone_needdump(zone, 30);
UNLOCK_ZONE(zone);
}
failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
if (db != NULL) {
if (node != NULL)
dns_db_detachnode(db, &node);
if (oldver != NULL)
dns_db_closeversion(db, &oldver, ISC_FALSE);
if (newver != NULL)
dns_db_closeversion(db, &newver, commit);
dns_db_detach(&db);
}
dns_diff_clear(&diff);
isc_event_free(&event);
dns_zone_idetach(&zone);
}
isc_result_t
dns_zone_keydone(dns_zone_t *zone, const char *data) {
isc_result_t result;
isc_event_t *e;
isc_buffer_t b;
dns_zone_t *dummy = NULL;
REQUIRE(DNS_ZONE_VALID(zone));
LOCK_ZONE(zone);
e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_KEYDONE, keydone,
zone, sizeof(struct keydone));
if (e == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
isc_buffer_init(&b, ((struct keydone*)e)->data,
sizeof(((struct keydone*)e)->data));
result = isc_hex_decodestring(data, &b);
if (result != ISC_R_SUCCESS)
goto failure;
zone_iattach(zone, &dummy);
isc_task_send(zone->task, &e);
failure:
if (e != NULL)
isc_event_free(&e);
UNLOCK_ZONE(zone);
return (result);
}
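Review bot: The `goto failure` on the dns_db_newversion error path in keydone() jumps out while the zone's dblock read lock is still held, because ZONEDB_UNLOCK is only reached on the fall-through path and the `failure:` label never releases it; a newversion failure would therefore leave the zone read-locked for good. Only the db attach needs the lock, so attach under the lock, unlock, and create the versions afterwards as below. While there, the dns_zone_log format string ends in `\n`, which log lines normally do not carry — worth checking against the other dns_zone_log calls in this file. Separately, the exported dns_zone_keydone() decodes into `unsigned int data[5]` (20 bytes) while keydone() compares only 5 bytes with memcmp; the rndc path validates 10 hex digits first, but another caller passing a shorter or longer string would compare uninitialized or truncated bytes, so declaring the field `unsigned char data[5]` and rejecting `isc_buffer_usedlength(&b) != sizeof(((struct keydone *)e)->data)` with DNS_R_SYNTAX would close that.
```c
	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
	if (zone->db != NULL)
		dns_db_attach(zone->db, &db);
	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);

	if (db == NULL)
		goto failure;

	dns_db_currentversion(db, &oldver);
	result = dns_db_newversion(db, &newver);
	if (result != ISC_R_SUCCESS) {
		dns_zone_log(zone, ISC_LOG_ERROR,
			     "keydone:dns_db_newversion -> %s",
			     dns_result_totext(result));
		goto failure;
	}
	/* … unchanged: origin-node lookup, rdataset scan, diff commit and cleanup … */
```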