d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vendor import of BIND 9.8.0-P4

Browse Source
This commit is contained in:
Doug Barton 2011-07-16 10:49:33 +00:00
parent 46da9ebeb3
commit 473038528a
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor/bind9/dist/; revision=224090
svn path=/vendor/bind9/9.8.0-P4/; revision=224091; tag=vendor/bind9/9.8.0-P4
609 changed files with 77034 additions and 19032 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1494
CHANGES
View File

File diff suppressed because it is too large Load Diff

2
COPYRIGHT
View File

@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
$Id: COPYRIGHT,v 1.14.176.3 2011-01-04 23:45:42 tbox Exp $
$Id: COPYRIGHT,v 1.17 2011-01-04 23:47:13 tbox Exp $
Portions Copyright (C) 1996-2001 Nominum, Inc.

2
FAQ.xml
View File

@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: FAQ.xml,v 1.46.56.9 2010-01-20 23:47:43 tbox Exp $ -->
<!-- $Id: FAQ.xml,v 1.54 2010-01-19 23:48:55 tbox Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>

313
HISTORY Normal file
View File

@ -0,0 +1,313 @@
Summary of functional enhancements from prior major releases of BIND 9:
BIND 9.6.0
Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.
Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.
BIND 9.5.0
GSS-TSIG support (RFC 3645).
DHCID support.
Experimental http server and statistics support for named via xml.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Use Doxygen to generate internal documentation.
Efficient LRU cache-cleaning mechanism.
NSID support.
BIND 9.4.0
Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.
New notify type 'master-only'. Enable notify for master
zones only.
Accept 'notify-source' style syntax for query-source.
rndc now allows addresses to be set in the server clauses.
New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
rndc: the source address can now be specified.
ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.
Allow the journal's name to be changed via named.conf.
'rndc notify zone [class [view]]' resend the NOTIFY messages
for the specified zone.
'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.
Improve check-names error messages.
Make public the function to read a key file, dst_key_read_public().
dig now returns the byte count for axfr/ixfr.
allow-update is now settable at the options / view level.
named-checkconf now checks the logging configuration.
host now can turn on memory debugging flags with '-m'.
Don't send notify messages to self.
Perform sanity checks on NS records which refer to 'in zone' names.
New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.
Extend adjusting TTL warning messages.
Named and named-checkzone can now both check for non-terminal
wildcard records.
"rndc freeze/thaw" now freezes/thaws all zones.
named-checkconf now check acls to verify that they only
refer to existing acls.
The server syntax has been extended to support a range of
servers.
Report differences between hints and real NS rrset and
associated address records.
Preserve the case of domain names in rdata during zone
transfers.
Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.
UNIX domain controls are now supported.
Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output
formats.
dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).
Add support for CH A record.
Add additional zone data constancy checks. named-checkzone
has extended checking of NS, MX and SRV record and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.
edns-udp-size can now be overridden on a per server basis.
dig can now specify the EDNS version when making a query.
Added framework for handling multiple EDNS versions.
Additional memory debugging support to track size and mctx
arguments.
Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".
"USE INTERNAL MALLOC" is now runtime selectable.
The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query
types.
Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.
dig: report the number of extra bytes still left in the
packet after processing all the records.
Support for IPSECKEY rdata type.
Raise the UDP recieve buffer size to 32k if it is less than 32k.
x86 and x86_64 now have seperate atomic locking implementations.
named-checkconf now validates update-policy entries.
Attempt to make the amount of work performed in a iteration
self tuning. The covers nodes clean from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a
zone or a cache.
ISC string copy API.
Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.
New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.
dig now has a '-q queryname' and '+showsearch' options.
host/nslookup now continue (default)/fail on SERVFAIL.
dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly
set.
Integrate contibuted DLZ code into named.
Integrate contibuted IDN code from JPNIC.
libbind: corresponds to that from BIND 8.4.7.
BIND 9.3.0
DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
DNSSEC lookaside validation.
check-names is now implemented.
rrset-order in more complete.
IPv4/IPv6 transition support, dual-stack-servers.
IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
It is now possible to specify the size of a journal, max-journal-size.
It is now possible to define a named set of master servers to be
used in masters clause, masters.
The advertised EDNS UDP size can now be set, edns-udp-size.
allow-v6-synthesis has been obsoleted.
NOTE:
* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
NOTIMP rather than NOTIMPL. This will have impact on scripts
that are looking for NOTIMPL.
libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0
The size of the cache can now be limited using the
"max-cache-size" option.
The server can now automatically convert RFC1886-style recursive
lookup requests into RFC2874-style lookups, when enabled using the
new option "allow-v6-synthesis". This allows stub resolvers that
support AAAA records but not A6 record chains or binary labels to
perform lookups in domains that make use of these IPv6 DNS
features.
Performance has been improved.
The man pages now use the more portable "man" macros rather than
the "mandoc" macros, and are installed by "make install".
The named.conf parser has been completely rewritten. It now
supports "include" directives in more places such as inside "view"
statements, and it no longer has any reserved words.
The "rndc status" command is now implemented.
rndc can now be configured automatically.
A BIND 8 compatible stub resolver library is now included in
lib/bind.
OpenSSL has been removed from the distribution. This means that to
use DNSSEC, OpenSSL must be installed and the --with-openssl option
must be supplied to configure. This does not apply to the use of
TSIG, which does not require OpenSSL.
The source distribution now builds on Windows. See
win32utils/readme1.txt and win32utils/win32-build.txt for details.
This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.
BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.
When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.
There are a few known bugs:
On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.
FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) reports errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
--with-libtool does not work on AIX.
A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

15
KNOWN-DEFECTS
View File

@ -1,15 +0,0 @@
dnssec-signzone was designed so that it could sign a zone partially, using
only a subset of the DNSSEC keys needed to produce a fully-signed zone.
This permits a zone administrator, for example, to sign a zone with one
key on one machine, move the resulting partially-signed zone to a second
machine, and sign it again with a second key.
An unfortunate side-effect of this flexibility is that dnssec-signzone
does not check to make sure it's signing a zone with any valid keys at
all. An attempt to sign a zone without any keys will appear to succeed,
producing a "signed" zone with no signatures. There is no warning issued
when a zone is not signed.
This will be corrected in a future release. In the meantime, ISC
recommends examining the output of dnssec-signzone to confirm that
the zone is properly signed by all keys before using it.

11
Makefile.in
View File

@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.52.48.2 2009-02-20 23:47:23 tbox Exp $
# $Id: Makefile.in,v 1.58 2009-11-26 20:52:44 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -21,13 +21,13 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
SUBDIRS = make lib bin doc
SUBDIRS = make lib bin doc @LIBEXPORT@
TARGETS =
MANPAGES = isc-config.sh.1
HTMLPAGES = isc-config.sh.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@ -54,7 +54,8 @@ installdirs:
install:: isc-config.sh installdirs
${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
tags:
rm -f TAGS

128
NSEC3-NOTES
View File

@ -1,128 +0,0 @@
DNSSEC and UPDATE
Converting from insecure to secure
As of BIND 9.6.0 it is possible to move a zone between being insecure
to secure and back again. A secure zone can be using NSEC or NSEC3.
To move a zone from insecure to secure you need to configure named
so that it can see the K* files which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by dnssec-keygen. You can do this by
placing them in the key-directory as specified in named.conf.
zone example.net {
type master;
allow-update { .... };
file "dynamic/example.net/example.net";
key-directory "dynamic/example.net";
};
Assuming one KSK and one ZSK DNSKEY key have been generated. Then
this will cause the zone to be signed with the ZSK and the DNSKEY
RRset to be signed with the KSK DNSKEY. A NSEC chain will also be
generated as part of the initial signing process.
% nsupdate
> ttl 3600
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> send
While the update request will complete almost immediately the zone
will not be completely signed until named has had time to walk the
zone and generate the NSEC and RRSIG records. Initially the NSEC
record at the zone apex will have the OPT bit set. When the NSEC
chain is complete the OPT bit will be cleared. Additionally when
the zone is fully signed the private type (default TYPE65534) records
will have a non zero value for the final octet.
The private type record has 5 octets.
algorithm (octet 1)
key id in network order (octet 2 and 3)
removal flag (octet 4)
complete flag (octet 5)
If you wish to go straight to a secure zone using NSEC3 you should
also add a NSEC3PARAM record to the update request with the flags
field set to indicate whether the NSEC3 chain will have the OPTOUT
bit set or not.
% nsupdate
> ttl 3600
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
> send
Again the update request will complete almost immediately however the
NSEC3PARAM record will have additional flag bits set indicating that the
NSEC3 chain is under construction. When the NSEC3 chain is complete the
flags field will be set to zero.
While the initial signing and NSEC/NSEC3 chain generation is happening
other updates are possible.
DNSKEY roll overs via UPDATE
It is possible to perform key rollovers via update. You need to
add the K* files for the new keys so that named can find them. You
can then add the new DNSKEY RRs via update. Named will then cause
the zone to be signed with the new keys. When the signing is
complete the private type records will be updated so that the last
octet is non zero.
If this is for a KSK you need to inform the parent and any trust
anchor repositories of the new KSK.
You should then wait for the maximum TLL in the zone before removing the
old DNSKEY. If it is a KSK that is being updated you also need to wait
for the DS RRset in the parent to be updated and its TTL to expire.
This ensures that all clients will be able to verify at least a signature
when you remove the old DNSKEY.
The old DNSKEY can be removed via UPDATE. Take care to specify
the correct key. Named will clean out any signatures generated by
the old key after the update completes.
NSEC3PARAM rollovers via UPDATE.
Add the new NSEC3PARAM record via update. When the new NSEC3 chain
has been generated the NSEC3PARAM flag field will be zero. At this
point you can remove the old NSEC3PARAM record. The old chain will
be removed after the update request completes.
Converting from NSEC to NSEC3
To do this you just need to add a NSEC3PARAM record. When the
conversion is complete the NSEC chain will have been removed and
the NSEC3PARAM record will have a zero flag field. The NSEC3 chain
will be generated before the NSEC chain is destroyed.
Converting from NSEC3 to NSEC
To do this remove all NSEC3PARAM records with a zero flag field. The
NSEC chain will be generated before the NSEC3 chain is removed.
Converting from secure to insecure
To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
will be removed as well as associated NSEC3PARAM records. This will
take place after the update requests completes.
Periodic re-signing.
Named will periodically re-sign RRsets which have not been re-signed
as a result of some update action. The signature lifetimes will
be adjusted so as to spread the re-sign load over time rather than
all at once.
NSEC3 and OPTOUT
Named only supports creating new NSEC3 chains where all the NSEC3
records in the zone have the same OPTOUT state. Named supports
UPDATES to zones where the NSEC3 records in the chain have mixed
OPTOUT state. Named does not support changing the OPTOUT state of
an individual NSEC3 record, the entire chain needs to be changed if
the OPTOUT state of an individual NSEC3 needs to be changed.

448
README
View File

@ -42,368 +42,95 @@ BIND 9
Stichting NLnet - NLnet Foundation
Nominum, Inc.
BIND 9.6.3
BIND 9.6.3 is a maintenance release, fixing bugs in 9.6.2.
BIND 9.6.2
BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
It also introduces support for the SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512.
Known issues in this release:
- A validating resolver that has been incorrectly configured with
an invalid trust anchor will be unable to resolve names covered
by that trust anchor. In all current versions of BIND 9, such a
resolver will also generate significant unnecessary DNS traffic
while trying to validate. The latter problem will be addressed
in future BIND 9 releases. In the meantime, to avoid these
problems, exercise caution when configuring "trusted-keys":
make sure all keys are correct and current when you add them,
and update your configuration in a timely manner when keys
roll over.
BIND 9.6.1
BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.
BIND 9.6.0
BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
releases, including:
Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.
Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.
BIND 9.5.0
BIND 9.5.0 has a number of new features over 9.4,
including:
GSS-TSIG support (RFC 3645).
DHCID support.
Experimental http server and statistics support for named via xml.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Use Doxygen to generate internal documentation.
Efficient LRU cache-cleaning mechanism.
NSID support.
BIND 9.4.0
BIND 9.4.0 has a number of new features over 9.3,
including:
Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.
New notify type 'master-only'. Enable notify for master
zones only.
Accept 'notify-source' style syntax for query-source.
rndc now allows addresses to be set in the server clauses.
New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
rndc: the source address can now be specified.
ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.
Allow the journal's name to be changed via named.conf.
'rndc notify zone [class [view]]' resend the NOTIFY messages
for the specified zone.
'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.
Improve check-names error messages.
Make public the function to read a key file, dst_key_read_public().
dig now returns the byte count for axfr/ixfr.
allow-update is now settable at the options / view level.
named-checkconf now checks the logging configuration.
host now can turn on memory debugging flags with '-m'.
Don't send notify messages to self.
Perform sanity checks on NS records which refer to 'in zone' names.
New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.
Extend adjusting TTL warning messages.
Named and named-checkzone can now both check for non-terminal
wildcard records.
"rndc freeze/thaw" now freezes/thaws all zones.
named-checkconf now check acls to verify that they only
refer to existing acls.
The server syntax has been extended to support a range of
servers.
Report differences between hints and real NS rrset and
associated address records.
Preserve the case of domain names in rdata during zone
transfers.
Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.
UNIX domain controls are now supported.
Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output
formats.
dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).
Add support for CH A record.
Add additional zone data constancy checks. named-checkzone
has extended checking of NS, MX and SRV record and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.
edns-udp-size can now be overridden on a per server basis.
dig can now specify the EDNS version when making a query.
Added framework for handling multiple EDNS versions.
Additional memory debugging support to track size and mctx
arguments.
Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".
"USE INTERNAL MALLOC" is now runtime selectable.
The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query
types.
Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.
dig: report the number of extra bytes still left in the
packet after processing all the records.
Support for IPSECKEY rdata type.
Raise the UDP recieve buffer size to 32k if it is less than 32k.
x86 and x86_64 now have seperate atomic locking implementations.
named-checkconf now validates update-policy entries.
Attempt to make the amount of work performed in a iteration
self tuning. The covers nodes clean from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a
zone or a cache.
ISC string copy API.
Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.
New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.
dig now has a '-q queryname' and '+showsearch' options.
host/nslookup now continue (default)/fail on SERVFAIL.
dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly
set.
Integrate contibuted DLZ code into named.
Integrate contibuted IDN code from JPNIC.
libbind: corresponds to that from BIND 8.4.7.
BIND 9.3.0
BIND 9.3.0 has a number of new features over 9.2,
including:
DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
DNSSEC lookaside validation.
check-names is now implemented.
rrset-order in more complete.
IPv4/IPv6 transition support, dual-stack-servers.
IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
It is now possible to specify the size of a journal, max-journal-size.
It is now possible to define a named set of master servers to be
used in masters clause, masters.
The advertised EDNS UDP size can now be set, edns-udp-size.
allow-v6-synthesis has been obsoleted.
NOTE:
* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
NOTIMP rather than NOTIMPL. This will have impact on scripts
that are looking for NOTIMPL.
libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0
BIND 9.2.0 has a number of new features over 9.1,
including:
- The size of the cache can now be limited using the
"max-cache-size" option.
- The server can now automatically convert RFC1886-style
recursive lookup requests into RFC2874-style lookups,
when enabled using the new option "allow-v6-synthesis".
This allows stub resolvers that support AAAA records
but not A6 record chains or binary labels to perform
lookups in domains that make use of these IPv6 DNS
features.
- Performance has been improved.
- The man pages now use the more portable "man" macros
rather than the "mandoc" macros, and are installed
by "make install".
- The named.conf parser has been completely rewritten.
It now supports "include" directives in more
places such as inside "view" statements, and it no
longer has any reserved words.
- The "rndc status" command is now implemented.
- rndc can now be configured automatically.
- A BIND 8 compatible stub resolver library is now
included in lib/bind.
- OpenSSL has been removed from the distribution. This
means that to use DNSSEC, OpenSSL must be installed and
the --with-openssl option must be supplied to configure.
This does not apply to the use of TSIG, which does not
require OpenSSL.
- The source distribution now builds on Windows.
See win32utils/readme1.txt and win32utils/win32-build.txt
for details.
This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.
BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.
When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.
There are a few known bugs:
On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.
FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) reports errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
--with-libtool does not work on AIX.
A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.
For a summary of functional enhancements in previous
releases, see the HISTORY file.
For a detailed list of user-visible changes from
previous releases, see the CHANGES file.
BIND 9.8.0
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
- Built-in trust anchor for the root zone, which can be
switched on via "dnssec-validation auto;"
- Support for DNS64.
- Support for response policy zones (RPZ).
- Support for writable DLZ zones.
- Improved ease of configuration of GSS/TSIG for
interoperability with Active Directory
- Support for GOST signing algorithm for DNSSEC.
- Removed RTT Banding from server selection algorithm.
- New "static-stub" zone type.
- Allow configuration of resolver timeouts via
"resolver-query-timeout" option.
BIND 9.7.0
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration.
New features include:
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key
maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
Known issues in this release:
- In rare cases, DNSSEC validation can leak memory. When this
happens, it will cause an assertion failure when named exits,
but is otherwise harmless. A fix exists, but was too late for
this release; it will be included in BIND 9.7.1.
Compatibility notes:
- If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
you should ensure that all changes that are in progress have
completed prior to upgrading to BIND 9.7. BIND 9.7 implements
those features in a way which is not backwards compatible.
- Prior releases had a bug which caused HMAC-SHA* keys with long
secrets to be used incorrectly. Fixing this bug means that older
versions of BIND 9 may fail to interoperate with this version
when using TSIG keys. If this occurs, the new "isc-hmac-fixup"
tool will convert a key with a long secret into a form that works
correctly with all versions of BIND 9. See the "isc-hmac-fixup"
man page for additional details.
- Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
It is possible for the new key ID to collide with that of a
different key. Newly generated keys will not have this problem,
as "dnssec-keygen" looks for potential collisions before
generating keys, but exercise caution if using key revokation
with keys that were generated by older versions of BIND 9. See
the Administrator's Reference Manual, section 4.10 ("Dynamic
Trust Anchor Management") for more details.
- A bug was fixed in which a key's scheduled inactivity date was
stored incorectly. Users who participated in the 9.7.0 BETA test
and had DNSSEC keys with scheduled inactivity dates will need to
reset those keys' dates using "dnssec-settime -I".
Building
@ -417,7 +144,7 @@ Building
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
Mac OS X 10.5
NetBSD 3.x and 4.0-beta
NetBSD 3.x, 4.0-beta, 5.0-beta
OpenBSD 3.3 and up
Solaris 8, 9, 9 (x86), 10
Ubuntu 7.04, 7.10
@ -594,6 +321,9 @@ Documentation
Frequently asked questions and their answers can be found in
FAQ.
Additional information on various subjects can be found
in the other README files.
Bug Reports and Mailing Lists

112
README.idnkit
View File

@ -1,112 +0,0 @@
BIND-9 IDN patch
Japan Network Information Center (JPNIC)
* What is this patch for?
This patch adds internationalized domain name (IDN) support to BIND-9.
You'll get internationalized version of dig/host/nslookup commands.
+ internationalized dig/host/nslookup
dig/host/nslookup accepts non-ASCII domain names in the local
codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
the locale information. The domain names are normalized and
converted to the encoding on the DNS protocol, and sent to DNS
servers. The replies are converted back to the local codeset
and displayed.
* Compilation & installation
0. Prerequisite
You have to build and install idnkit before building this patched version
of bind-9.
1. Running configure script
Run `configure' in the top directory. See `README' for the
configuration options.
This patch adds the following 4 options to `configure'. You should
at least specify `--with-idn' option to enable IDN support.
--with-idn[=IDN_PREFIX]
To enable IDN support, you have to specify `--with-idn' option.
The argument IDN_PREFIX is the install prefix of idnkit. If
IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
is assumed.
--with-libiconv[=LIBICONV_PREFIX]
Specify this option if idnkit you have installed links GNU
libiconv. The argument LIBICONV_PREFIX is install prefix of
GNU libiconv. If the argument is omitted, PREFIX (derived
from `--prefix=PREFIX') is assumed.
`--with-libiconv' is shorthand option for GNU libiconv.
--with-libiconv=/usr/local
This is equivalent to:
--with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
`--with-libiconv' assumes that your C compiler has `-R'
option, and that the option adds the specified run-time path
to an executable binary. If `-R' option of your compiler has
different meaning, or your compiler lacks the option, you
should use `--with-iconv' option instead. Binary command
without run-time path information might be unexecutable.
In that case, you would see an error message like:
error in loading shared libraries: libiconv.so.2: cannot
open shared object file
If both `--with-libiconv' and `--with-iconv' options are
specified, `--with-iconv' is prior to `--with-libiconv'.
--with-iconv=ICONV_LIBSPEC
If your libc doesn't provide iconv(), you need to specify the
library containing iconv() with this option. `ICONV_LIBSPEC'
is the argument(s) to `cc' or `ld' to link the library, for
example, `--with-iconv="-L/usr/local/lib -liconv"'.
You don't need to specify the header file directory for "iconv.h"
to the compiler, as it isn't included directly by bind-9 with
this patch.
--with-idnlib=IDN_LIBSPEC
With this option, you can explicitly specify the argument(s)
to `cc' or `ld' to link the idnkit's library, `libidnkit'. If
this option is not specified, `-L${PREFIX}/lib -lidnkit' is
assumed, where ${PREFIX} is the installation prefix specified
with `--with-idn' option above. You may need to use this
option to specify extra arguments, for example,
`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
Please consult `README' for other configuration options.
Note that if you want to specify some extra header file directories,
you should use the environment variable STD_CINCLUDES instead of
CFLAGS, as described in README.
2. Compilation and installation
After running "configure", just do
make
make install
for compiling and installing.
* Contact information
Please see http//www.nic.ad.jp/en/idn/ for the latest news
about idnkit and this patch.
Bug reports and comments on this kit should be sent to
mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
; $Id: README.idnkit,v 1.2.762.1 2009-01-18 23:25:14 marka Exp $

61
README.pkcs11
View File

@ -1,61 +0,0 @@
BIND-9 PKCS#11 support
Prerequisite
The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
and some improvements, including user friendly PIN management.
Compilation
"configure --with-pkcs11 ..."
PKCS#11 Libraries
Tested with Solaris one with a SCA board and with openCryptoki with the
software token.
OpenSSL Engines
With PKCS#11 support the PKCS#11 engine is statically loaded but at its
initialization it dynamically loads the PKCS#11 objects.
Even the pre commands are therefore unused they are defined with:
SO_PATH:
define: PKCS11_SO_PATH
default: /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH:
define: PKCS11_MODULE_PATH
default: /usr/lib/libpkcs11.so
Without PKCS#11 support, a specific OpenSSL engine can be still used
by defining ENGINE_ID at compile time.
PKCS#11 tools
The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module at the benefit of BIND.
The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes so with the original
path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
PIN management
With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
each time it is required. With the improved engine, the PIN should be
entered the first time it is required or can be configured in the
OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- at the beginning:
openssl_conf = openssl_def
- at any place these sections:
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = put__your__pin__value__here
Note
Some names here are registered trademarks, at least Solaris is a trademark
of Sun Microsystems Inc...

4
acconfig.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: acconfig.h,v 1.51.334.2 2009-02-16 23:47:15 tbox Exp $ */
/* $Id: acconfig.h,v 1.53 2008-12-01 23:47:44 tbox Exp $ */
/*! \file */

7
bin/Makefile.in
View File

@ -1,4 +1,4 @@
# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -13,13 +13,14 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.25 2007-06-19 23:46:59 tbox Exp $
# $Id: Makefile.in,v 1.29 2009-10-05 12:07:08 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tests nsupdate check
SUBDIRS = named rndc dig dnssec tests tools nsupdate \
check confgen @PKCS11_TOOLS@
TARGETS =
@BIND9_MAKE_RULES@

20
bin/check/Makefile.in
View File

@ -1,4 +1,4 @@
# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.32 2007-06-19 23:46:59 tbox Exp $
# $Id: Makefile.in,v 1.36 2009-12-05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -32,6 +32,7 @@ CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
@ -39,7 +40,8 @@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
LIBS = @LIBS@
LIBS = ${ISCLIBS} @LIBS@
NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
@ -69,14 +71,14 @@ named-checkzone.@O@: named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \
${DNSLIBS} ${ISCLIBS} ${LIBS}
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
${ISCLIBS} ${LIBS}
export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}

5
bin/check/check-tool.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check-tool.c,v 1.35.36.5 2010-09-07 23:46:05 tbox Exp $ */
/* $Id: check-tool.c,v 1.41 2010-09-07 23:46:59 tbox Exp $ */
/*! \file */
@ -601,8 +601,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
isc_buffer_add(&buffer, strlen(zonename));
dns_fixedname_init(&fixorigin);
origin = dns_fixedname_name(&fixorigin);
CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
ISC_FALSE, NULL));
CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
CHECK(dns_zone_setorigin(zone, origin));
CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
CHECK(dns_zone_setfile2(zone, filename, fileformat));

2
bin/check/check-tool.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check-tool.h,v 1.14.334.2 2010-09-07 23:46:05 tbox Exp $ */
/* $Id: check-tool.h,v 1.16 2010-09-07 23:46:59 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H

35
bin/check/named-checkconf.8
View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: named-checkconf.8,v 1.30.334.1 2009-07-11 01:55:20 tbox Exp $
.\" $Id: named-checkconf.8,v 1.33 2009-12-29 01:14:03 tbox Exp $
.\"
.hy 0
.ad l
@ -33,11 +33,29 @@
named\-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP 16
\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-z\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
checks the syntax, but not the semantics, of a named configuration file.
checks the syntax, but not the semantics, of a
\fBnamed\fR
configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified,
\fI/etc/named.conf\fR
is read by default.
.PP
Note: files that
\fBnamed\fR
reads in separate parser contexts, such as
\fIrndc.key\fR
and
\fIbind.keys\fR, are not automatically read by
\fBnamed\-checkconf\fR. Configuration errors in these files may cause
\fBnamed\fR
to fail to run, even if
\fBnamed\-checkconf\fR
was successful.
\fBnamed\-checkconf\fR
can be run on these files explicitly, however.
.SH "OPTIONS"
.PP
\-h
@ -59,6 +77,13 @@ Print the version of the
program and exit.
.RE
.PP
\-p
.RS 4
Print out the
\fInamed.conf\fR
and included files in canonical form if no errors were detected.
.RE
.PP
\-z
.RS 4
Perform a test load of all master zones found in
@ -88,7 +113,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br

43
bin/check/named-checkconf.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named-checkconf.c,v 1.46.222.4 2010-09-07 23:46:05 tbox Exp $ */
/* $Id: named-checkconf.c,v 1.54 2010-09-07 01:49:08 marka Exp $ */
/*! \file */
@ -59,9 +59,12 @@ isc_log_t *logc = NULL;
} while (0)
/*% usage */
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
fprintf(stderr, "usage: %s [-h] [-j] [-p] [-v] [-z] [-t directory] "
"[named.conf]\n", program);
exit(1);
}
@ -202,6 +205,24 @@ configure_zone(const char *vclass, const char *view,
return (ISC_R_FAILURE);
zfile = cfg_obj_asstring(fileobj);
obj = NULL;
if (get_maps(maps, "check-dup-records", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else
INSIST(0);
} else {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
}
obj = NULL;
if (get_maps(maps, "check-mx", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
@ -387,6 +408,15 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
return (result);
}
static void
output(void *closure, const char *text, int textlen) {
UNUSED(closure);
if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
perror("fwrite");
exit(1);
}
}
/*% The main processing routine */
int
main(int argc, char **argv) {
@ -399,10 +429,11 @@ main(int argc, char **argv) {
int exit_status = 0;
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
isc_boolean_t print = ISC_FALSE;
isc_commandline_errprint = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
while ((c = isc_commandline_parse(argc, argv, "dhjt:pvz")) != EOF) {
switch (c) {
case 'd':
debug++;
@ -421,6 +452,10 @@ main(int argc, char **argv) {
}
break;
case 'p':
print = ISC_TRUE;
break;
case 'v':
printf(VERSION "\n");
exit(0);
@ -485,6 +520,8 @@ main(int argc, char **argv) {
exit_status = 1;
}
if (print && exit_status == 0)
cfg_print(config, output, NULL);
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);

36
bin/check/named-checkconf.docbook
View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkconf.docbook,v 1.19 2007-06-19 06:58:03 marka Exp $ -->
<!-- $Id: named-checkconf.docbook,v 1.22 2009-12-28 23:21:16 each Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
@ -35,6 +35,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@ -58,6 +59,7 @@
<arg><option>-j</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req">filename</arg>
<arg><option>-p</option></arg>
<arg><option>-z</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -65,8 +67,21 @@
<refsect1>
<title>DESCRIPTION</title>
<para><command>named-checkconf</command>
checks the syntax, but not the semantics, of a named
configuration file.
checks the syntax, but not the semantics, of a
<command>named</command> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <filename>/etc/named.conf</filename> is read
by default.
</para>
<para>
Note: files that <command>named</command> reads in separate
parser contexts, such as <filename>rndc.key</filename> and
<filename>bind.keys</filename>, are not automatically read
by <command>named-checkconf</command>. Configuration
errors in these files may cause <command>named</command> to
fail to run, even if <command>named-checkconf</command> was
successful. <command>named-checkconf</command> can be run
on these files explicitly, however.
</para>
</refsect1>
@ -87,8 +102,7 @@
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that
include
Chroot to <filename>directory</filename> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</para>
@ -105,6 +119,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Print out the <filename>named.conf</filename> and included files
in canonical form if no errors were detected.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>

41
bin/check/named-checkconf.html
View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkconf.html,v 1.30.334.1 2009-07-11 01:55:20 tbox Exp $ -->
<!-- $Id: named-checkconf.html,v 1.33 2009-12-29 01:14:03 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -29,17 +29,30 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543387"></a><h2>DESCRIPTION</h2>
<a name="id2543395"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a named
configuration file.
checks the syntax, but not the semantics, of a
<span><strong class="command">named</strong></span> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <code class="filename">/etc/named.conf</code> is read
by default.
</p>
<p>
Note: files that <span><strong class="command">named</strong></span> reads in separate
parser contexts, such as <code class="filename">rndc.key</code> and
<code class="filename">bind.keys</code>, are not automatically read
by <span><strong class="command">named-checkconf</strong></span>. Configuration
errors in these files may cause <span><strong class="command">named</strong></span> to
fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
successful. <span><strong class="command">named-checkconf</strong></span> can be run
on these files explicitly, however.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543399"></a><h2>OPTIONS</h2>
<a name="id2543444"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@ -47,8 +60,7 @@
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Chroot to <code class="filename">directory</code> so that
include
Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</p></dd>
@ -57,6 +69,11 @@
Print the version of the <span><strong class="command">named-checkconf</strong></span>
program and exit.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
Print out the <code class="filename">named.conf</code> and included files
in canonical form if no errors were detected.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Perform a test load of all master zones found in
@ -74,21 +91,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543507"></a><h2>RETURN VALUES</h2>
<a name="id2543568"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543518"></a><h2>SEE ALSO</h2>
<a name="id2543579"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543548"></a><h2>AUTHOR</h2>
<a name="id2543609"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

19
bin/check/named-checkzone.8
View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: named-checkzone.8,v 1.42.334.3 2009-11-11 01:56:22 tbox Exp $
.\" $Id: named-checkzone.8,v 1.47 2010-01-17 01:14:02 tbox Exp $
.\"
.hy 0
.ad l
@ -33,9 +33,9 @@
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP 16
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP 18
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkzone\fR
@ -201,6 +201,15 @@ then write to standard out. This is mandatory for
\fBnamed\-compilezone\fR.
.RE
.PP
\-r \fImode\fR
.RS 4
Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.RE
.PP
\-s \fIstyle\fR
.RS 4
Specify the style of the dumped zone file. Possible styles are
@ -272,7 +281,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004\-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004\-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br

47
bin/check/named-checkzone.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named-checkzone.c,v 1.51.34.6 2010-09-07 23:46:06 tbox Exp $ */
/* $Id: named-checkzone.c,v 1.61 2010-09-07 23:46:59 tbox Exp $ */
/*! \file */
@ -70,6 +70,9 @@ static enum { progmode_check, progmode_compile } progmode;
} \
} while (0)
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr,
@ -77,12 +80,13 @@ usage(void) {
"[-f inputformat] [-F outputformat] "
"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
"[-r (ignore|warn|fail)] "
"[-i (full|full-sibling|local|local-sibling|none)] "
"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
"[-W (ignore|warn)] "
"%s zonename filename\n",
prog_name,
progmode == progmode_check ? "[-o filename]" : "{-o filename}");
progmode == progmode_check ? "[-o filename]" : "-o filename");
exit(1);
}
@ -140,17 +144,19 @@ main(int argc, char **argv) {
if (progmode == progmode_compile) {
zone_options |= (DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_FATALNS |
DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL |
DNS_ZONEOPT_CHECKWILDCARD);
}
} else
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
isc_commandline_errprint = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv,
"c:df:hi:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
"c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:W:"))
!= EOF) {
switch (c) {
case 'c':
@ -262,16 +268,27 @@ main(int argc, char **argv) {
}
break;
case 'o':
output_filename = isc_commandline_argument;
break;
case 'q':
quiet++;
break;
case 't':
result = isc_dir_chroot(isc_commandline_argument);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "isc_dir_chroot: %s: %s\n",
isc_commandline_argument,
isc_result_totext(result));
case 'r':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKDUPRRFAIL);
} else {
fprintf(stderr, "invalid argument to -r: %s\n",
isc_commandline_argument);
exit(1);
}
break;
@ -289,8 +306,14 @@ main(int argc, char **argv) {
}
break;
case 'o':
output_filename = isc_commandline_argument;
case 't':
result = isc_dir_chroot(isc_commandline_argument);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "isc_dir_chroot: %s: %s\n",
isc_commandline_argument,
isc_result_totext(result));
exit(1);
}
break;
case 'v':

22
bin/check/named-checkzone.docbook
View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkzone.docbook,v 1.34.334.3 2009-11-10 20:01:41 each Exp $ -->
<!-- $Id: named-checkzone.docbook,v 1.40 2010-01-16 23:48:15 tbox Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
@ -37,6 +37,7 @@
<year>2006</year>
<year>2007</year>
<year>2009</year>
<year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@ -69,6 +70,8 @@
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
@ -92,7 +95,7 @@
<arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
@ -319,6 +322,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">style</replaceable></term>
<listitem>

26
bin/check/named-checkzone.html
View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkzone.html,v 1.42.334.3 2009-11-11 01:56:22 tbox Exp $ -->
<!-- $Id: named-checkzone.html,v 1.47 2010-01-17 01:14:02 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -29,11 +29,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543674"></a><h2>DESCRIPTION</h2>
<a name="id2543694"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@ -53,7 +53,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543709"></a><h2>OPTIONS</h2>
<a name="id2543730"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@ -177,6 +177,14 @@
write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd><p>
Specify the style of the dumped zone file.
@ -239,14 +247,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544330"></a><h2>RETURN VALUES</h2>
<a name="id2544377"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544342"></a><h2>SEE ALSO</h2>
<a name="id2544389"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@ -254,7 +262,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544375"></a><h2>AUTHOR</h2>
<a name="id2544422"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

101
bin/confgen/Makefile.in Normal file
View File

@ -0,0 +1,101 @@
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.8 2009-12-05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
CDEFINES =
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
SRCS= rndc-confgen.c ddns-confgen.c
SUBDIRS = unix
TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
MANPAGES = rndc-confgen.8 ddns-confgen.8
HTMLPAGES = rndc-confgen.html ddns-confgen.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
UOBJS = unix/os.@O@
@BIND9_MAKE_RULES@
rndc-confgen.@O@: rndc-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc-confgen.c
ddns-confgen.@O@: ddns-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
clean distclean maintainer-clean::
rm -f ${TARGETS}

143
bin/confgen/ddns-confgen.8 Normal file
View File

@ -0,0 +1,143 @@
.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: ddns-confgen.8,v 1.10 2009-09-19 01:14:52 tbox Exp $
.\"
.hy 0
.ad l
.\" Title: ddns\-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Jan 29, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
ddns\-confgen \- ddns key generation tool
.SH "SYNOPSIS"
.HP 13
\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
.SH "DESCRIPTION"
.PP
\fBddns\-confgen\fR
generates a key for use by
\fBnsupdate\fR
and
\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
\fBnsupdate\fR
and
\fBnamed.conf\fR
syntax that will be needed to use it, including an example
\fBupdate\-policy\fR
statement.
.PP
If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
\fBnamed.conf\fR
syntax. For example,
\fBddns\-confgen example.com\fR
would generate a key called "ddns\-key.example.com", and sample
\fBnamed.conf\fR
command that could be used in the zone definition for "example.com".
.PP
Note that
\fBnamed\fR
itself can configure a local DDNS key for use with
\fBnsupdate \-l\fR.
\fBddns\-confgen\fR
is only needed when a more elaborate configuration is required: for instance, if
\fBnsupdate\fR
is to be used from a remote system.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBddns\-confgen\fR.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the DDNS authentication key. The default is
\fBddns\-key\fR
when neither the
\fB\-s\fR
nor
\fB\-z\fR
option is specified; otherwise, the default is
\fBddns\-key\fR
as a separate label followed by the argument of the option, e.g.,
\fBddns\-key.example.com.\fR
The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
.RE
.PP
\-q
.RS 4
Quiet mode: Print only the key, with no explanatory text or usage examples.
.RE
.PP
\-r \fIrandomfile\fR
.RS 4
Specifies a source of random data for generating the authorization. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
.RE
.PP
\-s \fIname\fR
.RS 4
Single host mode: The example
\fBnamed.conf\fR
text shows how to set an update policy for the specified
\fIname\fR
using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
\fB\-z\fR
option.
.RE
.PP
\-z \fIzone\fR
.RS 4
zone mode: The example
\fBnamed.conf\fR
text shows how to set an update policy for the specified
\fIzone\fR
using the "zonesub" nametype, allowing updates to all subdomain names within that
\fIzone\fR. This option cannot be used with the
\fB\-s\fR
option.
.RE
.SH "SEE ALSO"
.PP
\fBnsupdate\fR(1),
\fBnamed.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
.br

257
bin/confgen/ddns-confgen.c Normal file
View File

@ -0,0 +1,257 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ddns-confgen.c,v 1.9 2009-09-29 15:06:05 fdupont Exp $ */
/*! \file */
/**
* ddns-confgen generates configuration files for dynamic DNS. It can
* be used as a convenient alternative to writing the ddns.key file
* and the corresponding key and update-policy statements in named.conf.
*/
#include <config.h>
#include <stdlib.h>
#include <stdarg.h>
#include <isc/assertions.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
#define DEFAULT_KEYNAME "ddns-key"
static char program[256];
const char *progname;
isc_boolean_t verbose = ISC_FALSE;
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
fprintf(stderr, "\
Usage:\n\
%s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
-a alg: algorithm (default hmac-sha256)\n\
-k keyname: name of the key as it will be used in named.conf\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s name: domain name to be updated using the created key\n\
-z zone: name of the zone as it will be used in named.conf\n\
-q: quiet mode: print the key, with no explanatory text\n",
progname);
exit (status);
}
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
isc_boolean_t quiet = ISC_FALSE;
isc_buffer_t key_txtbuffer;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_SUCCESS;
const char *randomfile = NULL;
const char *keyname = NULL;
const char *zone = NULL;
const char *self_domain = NULL;
char *keybuf = NULL;
dns_secalg_t alg = DST_ALG_HMACSHA256;
const char *algname = alg_totext(alg);
int keysize = 256;
int len = 0;
int ch;
result = isc_file_progname(*argv, program, sizeof(program));
if (result != ISC_R_SUCCESS)
memcpy(program, "ddns-confgen", 13);
progname = program;
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"a:hk:Mmr:qs:Vy:z:")) != -1) {
switch (ch) {
case 'a':
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN)
fatal("Unsupported algorithm '%s'", algname);
keysize = alg_bits(alg);
break;
case 'h':
usage(0);
case 'k':
case 'y':
keyname = isc_commandline_argument;
break;
case 'M':
isc_mem_debugging = ISC_MEM_DEBUGTRACE;
break;
case 'm':
show_final_mem = ISC_TRUE;
break;
case 'q':
quiet = ISC_TRUE;
break;
case 'r':
randomfile = isc_commandline_argument;
break;
case 's':
self_domain = isc_commandline_argument;
break;
case 'V':
verbose = ISC_TRUE;
break;
case 'z':
zone = isc_commandline_argument;
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
usage(1);
} else
usage(0);
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
if (self_domain != NULL && zone != NULL)
usage(1); /* -s and -z cannot coexist */
if (argc > 0)
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
if (keyname == NULL) {
const char *suffix = NULL;
keyname = DEFAULT_KEYNAME;
if (self_domain != NULL)
suffix = self_domain;
else if (zone != NULL)
suffix = zone;
if (suffix != NULL) {
len = strlen(keyname) + strlen(suffix) + 2;
keybuf = isc_mem_get(mctx, len);
if (keybuf == NULL)
fatal("failed to allocate memory for keyname");
snprintf(keybuf, len, "%s.%s", keyname, suffix);
keyname = (const char *) keybuf;
}
}
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (!quiet)
printf("\
# To activate this key, place the following in named.conf, and\n\
# in a separate keyfile on the system or systems from which nsupdate\n\
# will be run:\n");
printf("\
key \"%s\" {\n\
algorithm %s;\n\
secret \"%.*s\";\n\
};\n",
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer));
if (!quiet) {
if (self_domain != NULL) {
printf("\n\
# Then, in the \"zone\" statement for the zone containing the\n\
# name \"%s\", place an \"update-policy\" statement\n\
# like this one, adjusted as needed for your preferred permissions:\n\
update-policy {\n\
grant %s name %s ANY;\n\
};\n",
self_domain, keyname, self_domain);
} else if (zone != NULL) {
printf("\n\
# Then, in the \"zone\" definition statement for \"%s\",\n\
# place an \"update-policy\" statement like this one, adjusted as \n\
# needed for your preferred permissions:\n\
update-policy {\n\
grant %s zonesub ANY;\n\
};\n",
zone, keyname);
} else {
printf("\n\
# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
# update, place an \"update-policy\" statement granting update permission\n\
# to this key. For example, the following statement grants this key\n\
# permission to update any name within the zone:\n\
update-policy {\n\
grant %s zonesub ANY;\n\
};\n",
keyname);
}
printf("\n\
# After the keyfile has been placed, the following command will\n\
# execute nsupdate using this key:\n\
nsupdate -k <keyfile>\n");
}
if (keybuf != NULL)
isc_mem_put(mctx, keybuf, len);
if (show_final_mem)
isc_mem_stats(mctx, stderr);
isc_mem_destroy(&mctx);
return (0);
}

218
bin/confgen/ddns-confgen.docbook Normal file
View File

@ -0,0 +1,218 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: ddns-confgen.docbook,v 1.6 2009-09-18 22:08:55 fdupont Exp $ -->
<refentry id="man.ddns-confgen">
<refentryinfo>
<date>Jan 29, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>ddns-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>ddns-confgen</application></refname>
<refpurpose>ddns key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>ddns-confgen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group>
<arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
</group>
<arg><option>-q</option></arg>
<arg choice="opt">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>ddns-confgen</command>
generates a key for use by <command>nsupdate</command>
and <command>named</command>. It simplifies configuration
of dynamic zones by generating a key and providing the
<command>nsupdate</command> and <command>named.conf</command>
syntax that will be needed to use it, including an example
<command>update-policy</command> statement.
</para>
<para>
If a domain name is specified on the command line, it will
be used in the name of the generated key and in the sample
<command>named.conf</command> syntax. For example,
<command>ddns-confgen example.com</command> would
generate a key called "ddns-key.example.com", and sample
<command>named.conf</command> command that could be used
in the zone definition for "example.com".
</para>
<para>
Note that <command>named</command> itself can configure a
local DDNS key for use with <command>nsupdate -l</command>.
<command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance, if
<command>nsupdate</command> is to be used from a remote system.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>ddns-confgen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the DDNS authentication key.
The default is <constant>ddns-key</constant> when neither
the <option>-s</option> nor <option>-z</option> option is
specified; otherwise, the default
is <constant>ddns-key</constant> as a separate label
followed by the argument of the option, e.g.,
<constant>ddns-key.example.com.</constant>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Print only the key, with no explanatory text or
usage examples.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomfile</replaceable></term>
<listitem>
<para>
Specifies a source of random data for generating the
authorization. If the operating system does not provide a
<filename>/dev/random</filename> or equivalent device, the
default source of randomness is keyboard input.
<filename>randomdev</filename> specifies the name of a
character device or file containing random data to be used
instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard input
should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
Single host mode: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">name</replaceable>
using the "name" nametype.
The default key name is
ddns-key.<replaceable class="parameter">name</replaceable>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <option>-z</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z <replaceable class="parameter">zone</replaceable></term>
<listitem>
<para>
zone mode: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">zone</replaceable>
using the "zonesub" nametype, allowing updates to all subdomain
names within
that <replaceable class="parameter">zone</replaceable>.
This option cannot be used with the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

141
bin/confgen/ddns-confgen.html Normal file
View File

@ -0,0 +1,141 @@
<!--
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: ddns-confgen.html,v 1.10 2009-09-19 01:14:52 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ddns-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543395"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">ddns-confgen</strong></span>
generates a key for use by <span><strong class="command">nsupdate</strong></span>
and <span><strong class="command">named</strong></span>. It simplifies configuration
of dynamic zones by generating a key and providing the
<span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
syntax that will be needed to use it, including an example
<span><strong class="command">update-policy</strong></span> statement.
</p>
<p>
If a domain name is specified on the command line, it will
be used in the name of the generated key and in the sample
<span><strong class="command">named.conf</strong></span> syntax. For example,
<span><strong class="command">ddns-confgen example.com</strong></span> would
generate a key called "ddns-key.example.com", and sample
<span><strong class="command">named.conf</strong></span> command that could be used
in the zone definition for "example.com".
</p>
<p>
Note that <span><strong class="command">named</strong></span> itself can configure a
local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
<span><strong class="command">ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance, if
<span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543454"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">ddns-confgen</strong></span>.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd><p>
Specifies the key name of the DDNS authentication key.
The default is <code class="constant">ddns-key</code> when neither
the <code class="option">-s</code> nor <code class="option">-z</code> option is
specified; otherwise, the default
is <code class="constant">ddns-key</code> as a separate label
followed by the argument of the option, e.g.,
<code class="constant">ddns-key.example.com.</code>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Print only the key, with no explanatory text or
usage examples.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
<dd><p>
Specifies a source of random data for generating the
authorization. If the operating system does not provide a
<code class="filename">/dev/random</code> or equivalent device, the
default source of randomness is keyboard input.
<code class="filename">randomdev</code> specifies the name of a
character device or file containing random data to be used
instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard input
should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
Single host mode: The example <span><strong class="command">named.conf</strong></span> text
shows how to set an update policy for the specified
<em class="replaceable"><code>name</code></em>
using the "name" nametype.
The default key name is
ddns-key.<em class="replaceable"><code>name</code></em>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <code class="option">-z</code> option.
</p></dd>
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
<dd><p>
zone mode: The example <span><strong class="command">named.conf</strong></span> text
shows how to set an update policy for the specified
<em class="replaceable"><code>zone</code></em>
using the "zonesub" nametype, allowing updates to all subdomain
names within
that <em class="replaceable"><code>zone</code></em>.
This option cannot be used with the <code class="option">-s</code> option.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543642"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543681"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

39
bin/confgen/include/confgen/os.h Normal file
View File

@ -0,0 +1,39 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: os.h,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
/*! \file */
#ifndef RNDC_OS_H
#define RNDC_OS_H 1
#include <isc/lang.h>
#include <stdio.h>
ISC_LANG_BEGINDECLS
int set_user(FILE *fd, const char *user);
/*%<
* Set the owner of the file referenced by 'fd' to 'user'.
* Returns:
* 0 success
* -1 insufficient permissions, or 'user' does not exist.
*/
ISC_LANG_ENDDECLS
#endif

218
bin/confgen/keygen.c Normal file
View File

@ -0,0 +1,218 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keygen.c,v 1.4 2009-11-12 14:02:38 marka Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <stdarg.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
/*%
* Convert algorithm type to string.
*/
const char *
alg_totext(dns_secalg_t alg) {
switch (alg) {
case DST_ALG_HMACMD5:
return "hmac-md5";
case DST_ALG_HMACSHA1:
return "hmac-sha1";
case DST_ALG_HMACSHA224:
return "hmac-sha224";
case DST_ALG_HMACSHA256:
return "hmac-sha256";
case DST_ALG_HMACSHA384:
return "hmac-sha384";
case DST_ALG_HMACSHA512:
return "hmac-sha512";
default:
return "(unknown)";
}
}
/*%
* Convert string to algorithm type.
*/
dns_secalg_t
alg_fromtext(const char *name) {
if (strcmp(name, "hmac-md5") == 0)
return DST_ALG_HMACMD5;
if (strcmp(name, "hmac-sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcmp(name, "hmac-sha224") == 0)
return DST_ALG_HMACSHA224;
if (strcmp(name, "hmac-sha256") == 0)
return DST_ALG_HMACSHA256;
if (strcmp(name, "hmac-sha384") == 0)
return DST_ALG_HMACSHA384;
if (strcmp(name, "hmac-sha512") == 0)
return DST_ALG_HMACSHA512;
return DST_ALG_UNKNOWN;
}
/*%
* Return default keysize for a given algorithm type.
*/
int
alg_bits(dns_secalg_t alg) {
switch (alg) {
case DST_ALG_HMACMD5:
return 128;
case DST_ALG_HMACSHA1:
return 160;
case DST_ALG_HMACSHA224:
return 224;
case DST_ALG_HMACSHA256:
return 256;
case DST_ALG_HMACSHA384:
return 384;
case DST_ALG_HMACSHA512:
return 512;
default:
return 0;
}
}
/*%
* Generate a key of size 'keysize' using entropy source 'randomfile',
* and place it in 'key_txtbuffer'
*/
void
generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
int keysize, isc_buffer_t *key_txtbuffer) {
isc_result_t result = ISC_R_SUCCESS;
isc_entropysource_t *entropy_source = NULL;
int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
int entropy_flags = 0;
isc_entropy_t *ectx = NULL;
isc_buffer_t key_rawbuffer;
isc_region_t key_rawregion;
char key_rawsecret[64];
dst_key_t *key = NULL;
switch (alg) {
case DST_ALG_HMACMD5:
if (keysize < 1 || keysize > 512)
fatal("keysize %d out of range (must be 1-512)\n",
keysize);
break;
case DST_ALG_HMACSHA256:
if (keysize < 1 || keysize > 256)
fatal("keysize %d out of range (must be 1-256)\n",
keysize);
break;
default:
fatal("unsupported algorithm %d\n", alg);
}
DO("create entropy context", isc_entropy_create(mctx, &ectx));
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
}
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
open_keyboard));
entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
DO("generate key", dst_key_generate(dns_rootname, alg,
keysize, 0, 0,
DNS_KEYPROTO_ANY,
dns_rdataclass_in, mctx, &key));
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
key_txtbuffer));
/*
* Shut down the entropy source now so the "stop typing" message
* does not muck with the output.
*/
if (entropy_source != NULL)
isc_entropy_destroysource(&entropy_source);
if (key != NULL)
dst_key_free(&key);
isc_entropy_detach(&ectx);
dst_lib_destroy();
}
/*%
* Write a key file to 'keyfile'. If 'user' is non-NULL,
* make that user the owner of the file. The key will have
* the name 'keyname' and the secret in the buffer 'secret'.
*/
void
write_key_file(const char *keyfile, const char *user,
const char *keyname, isc_buffer_t *secret,
dns_secalg_t alg) {
isc_result_t result;
const char *algname = alg_totext(alg);
FILE *fd = NULL;
DO("create keyfile", isc_file_safecreate(keyfile, &fd));
if (user != NULL) {
if (set_user(fd, user) == -1)
fatal("unable to set file owner\n");
}
fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
"\tsecret \"%.*s\";\n};\n",
keyname, algname,
(int)isc_buffer_usedlength(secret),
(char *)isc_buffer_base(secret));
fflush(fd);
if (ferror(fd))
fatal("write to %s failed\n", keyfile);
if (fclose(fd))
fatal("fclose(%s) failed\n", keyfile);
fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
}

41
bin/confgen/keygen.h Normal file
View File

@ -0,0 +1,41 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keygen.h,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
#ifndef RNDC_KEYGEN_H
#define RNDC_KEYGEN_H 1
/*! \file */
#include <isc/lang.h>
ISC_LANG_BEGINDECLS
void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
int keysize, isc_buffer_t *key_txtbuffer);
void write_key_file(const char *keyfile, const char *user,
const char *keyname, isc_buffer_t *secret,
dns_secalg_t alg);
const char *alg_totext(dns_secalg_t alg);
dns_secalg_t alg_fromtext(const char *name);
int alg_bits(dns_secalg_t alg);
ISC_LANG_ENDDECLS
#endif /* RNDC_KEYGEN_H */

6
bin/rndc/rndc-confgen.8 → bin/confgen/rndc-confgen.8
View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: rndc-confgen.8,v 1.20.418.1 2009-07-11 01:55:21 tbox Exp $
.\" $Id: rndc-confgen.8,v 1.7 2009-07-11 01:12:45 tbox Exp $
.\"
.hy 0
.ad l
@ -205,7 +205,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001, 2003 Internet Software Consortium.
.br

126
bin/rndc/rndc-confgen.c → bin/confgen/rndc-confgen.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc-confgen.c,v 1.26 2008-10-15 23:47:31 tbox Exp $ */
/* $Id: rndc-confgen.c,v 1.5 2009-09-29 15:06:05 fdupont Exp $ */
/*! \file */
@ -52,9 +52,10 @@
#include <dns/name.h>
#include <dst/dst.h>
#include <rndc/os.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
#define DEFAULT_KEYLENGTH 128 /*% Bits. */
#define DEFAULT_KEYNAME "rndc-key"
@ -68,6 +69,9 @@ isc_boolean_t verbose = ISC_FALSE;
const char *keyfile, *keydef;
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
@ -75,72 +79,36 @@ usage(int status) {
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-b bits: from 1 through 512, default %d; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: a file containing random data\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef, DEFAULT_KEYLENGTH);
-a: generate just the key clause and write it to keyfile (%s)\n\
-b bits: from 1 through 512, default %d; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef, DEFAULT_KEYLENGTH);
exit (status);
}
/*%
* Write an rndc.key file to 'keyfile'. If 'user' is non-NULL,
* make that user the owner of the file. The key will have
* the name 'keyname' and the secret in the buffer 'secret'.
*/
static void
write_key_file(const char *keyfile, const char *user,
const char *keyname, isc_buffer_t *secret )
{
FILE *fd;
fd = safe_create(keyfile);
if (fd == NULL)
fatal( "unable to create \"%s\"\n", keyfile);
if (user != NULL) {
if (set_user(fd, user) == -1)
fatal("unable to set file owner\n");
}
fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n"
"\tsecret \"%.*s\";\n};\n", keyname,
(int)isc_buffer_usedlength(secret),
(char *)isc_buffer_base(secret));
fflush(fd);
if (ferror(fd))
fatal("write to %s failed\n", keyfile);
if (fclose(fd))
fatal("fclose(%s) failed\n", keyfile);
fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
}
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
isc_buffer_t key_rawbuffer;
isc_buffer_t key_txtbuffer;
isc_region_t key_rawregion;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
isc_entropy_t *ectx = NULL;
isc_entropysource_t *entropy_source = NULL;
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *key = NULL;
const char *keyname = NULL;
const char *randomfile = NULL;
const char *serveraddr = NULL;
char key_rawsecret[64];
char key_txtsecret[256];
dns_secalg_t alg = DST_ALG_HMACMD5;
const char *algname = alg_totext(alg);
char *p;
int ch;
int port;
int keysize;
int entropy_flags = 0;
int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
@ -237,53 +205,13 @@ main(int argc, char **argv) {
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
DO("create entropy context", isc_entropy_create(mctx, &ectx));
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
}
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
open_keyboard));
entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
keysize, 0, 0,
DNS_KEYPROTO_ANY,
dns_rdataclass_in, mctx, &key));
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
&key_txtbuffer));
/*
* Shut down the entropy source now so the "stop typing" message
* does not muck with the output.
*/
if (entropy_source != NULL)
isc_entropy_destroysource(&entropy_source);
if (key != NULL)
dst_key_free(&key);
isc_entropy_detach(&ectx);
dst_lib_destroy();
generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (keyonly) {
write_key_file(keyfile, chrootdir == NULL ? user : NULL,
keyname, &key_txtbuffer);
keyname, &key_txtbuffer, alg);
if (chrootdir != NULL) {
char *buf;
@ -294,14 +222,14 @@ main(int argc, char **argv) {
snprintf(buf, len, "%s%s%s", chrootdir,
(*keyfile != '/') ? "/" : "", keyfile);
write_key_file(buf, user, keyname, &key_txtbuffer);
write_key_file(buf, user, keyname, &key_txtbuffer, alg);
isc_mem_put(mctx, buf, len);
}
} else {
printf("\
# Start of rndc.conf\n\
key \"%s\" {\n\
algorithm hmac-md5;\n\
algorithm %s;\n\
secret \"%.*s\";\n\
};\n\
\n\
@ -314,7 +242,7 @@ options {\n\
\n\
# Use with the following in named.conf, adjusting the allow list as needed:\n\
# key \"%s\" {\n\
# algorithm hmac-md5;\n\
# algorithm %s;\n\
# secret \"%.*s\";\n\
# };\n\
# \n\
@ -323,11 +251,11 @@ options {\n\
# allow { %s; } keys { \"%s\"; };\n\
# };\n\
# End of named.conf\n",
keyname,
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
keyname, serveraddr, port,
keyname,
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
serveraddr, port, serveraddr, keyname);

5
bin/rndc/rndc-confgen.docbook → bin/confgen/rndc-confgen.docbook
View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc-confgen.docbook,v 1.13 2007-06-18 23:47:25 tbox Exp $ -->
<!-- $Id: rndc-confgen.docbook,v 1.4 2009-06-15 23:47:59 tbox Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>
@ -40,6 +40,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>

14
bin/rndc/rndc-confgen.html → bin/confgen/rndc-confgen.html
View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc-confgen.html,v 1.25.418.1 2009-07-11 01:55:21 tbox Exp $ -->
<!-- $Id: rndc-confgen.html,v 1.7 2009-07-11 01:12:45 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543429"></a><h2>DESCRIPTION</h2>
<a name="id2543432"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@ -48,7 +48,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543474"></a><h2>OPTIONS</h2>
<a name="id2543477"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@ -155,7 +155,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543787"></a><h2>EXAMPLES</h2>
<a name="id2543790"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@ -172,7 +172,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543829"></a><h2>SEE ALSO</h2>
<a name="id2543832"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -180,7 +180,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543867"></a><h2>AUTHOR</h2>
<a name="id2543870"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

5
bin/rndc/unix/Makefile.in → bin/confgen/unix/Makefile.in
View File

@ -1,5 +1,4 @@
# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -13,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.5 2007-06-19 23:46:59 tbox Exp $
# $Id: Makefile.in,v 1.3 2009-06-11 23:47:55 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@

33
bin/rndc/unix/os.c → bin/confgen/unix/os.c
View File

@ -1,6 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -15,13 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: os.c,v 1.10 2007-06-19 23:46:59 tbox Exp $ */
/* $Id: os.c,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
/*! \file */
#include <config.h>
#include <rndc/os.h>
#include <confgen/os.h>
#include <fcntl.h>
#include <unistd.h>
@ -42,29 +41,3 @@ set_user(FILE *fd, const char *user) {
}
return (fchown(fileno(fd), pw->pw_uid, -1));
}
FILE *
safe_create(const char *filename) {
int fd;
FILE *f;
struct stat sb;
int flags = O_WRONLY;
if (stat(filename, &sb) == -1) {
if (errno != ENOENT)
return (NULL);
flags = O_WRONLY | O_CREAT | O_EXCL;
} else if ((sb.st_mode & S_IFREG) == 0) {
errno = EOPNOTSUPP;
return (NULL);
} else
flags = O_WRONLY | O_TRUNC;
fd = open(filename, flags, S_IRUSR | S_IWUSR);
if (fd == -1)
return (NULL);
f = fdopen(fd, "w");
if (f == NULL)
close(fd);
return (f);
}

56
bin/confgen/util.c Normal file
View File

@ -0,0 +1,56 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: util.c,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
/*! \file */
#include <config.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
#include <isc/boolean.h>
#include "util.h"
extern isc_boolean_t verbose;
extern const char *progname;
void
notify(const char *fmt, ...) {
va_list ap;
if (verbose) {
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
fputs("\n", stderr);
}
}
void
fatal(const char *format, ...) {
va_list args;
fprintf(stderr, "%s: ", progname);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
fprintf(stderr, "\n");
exit(1);
}

52
bin/confgen/util.h Normal file
View File

@ -0,0 +1,52 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: util.h,v 1.4 2009-09-29 15:06:05 fdupont Exp $ */
#ifndef RNDC_UTIL_H
#define RNDC_UTIL_H 1
/*! \file */
#include <isc/lang.h>
#include <isc/platform.h>
#include <isc/formatcheck.h>
#define NS_CONTROL_PORT 953
#undef DO
#define DO(name, function) \
do { \
result = function; \
if (result != ISC_R_SUCCESS) \
fatal("%s: %s", name, isc_result_totext(result)); \
else \
notify("%s", name); \
} while (0)
ISC_LANG_BEGINDECLS
void
notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_LANG_ENDDECLS
#endif /* RNDC_UTIL_H */

26
bin/dig/Makefile.in
View File

@ -1,4 +1,4 @@
# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.41 2007-06-19 23:46:59 tbox Exp $
# $Id: Makefile.in,v 1.47 2009-12-05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISC_INCLUDES} ${LWRES_INCLUDES}
${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
@ -33,6 +33,7 @@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
@ -44,8 +45,11 @@ LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
${LWRESDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
${ISCCFGLIBS} @IDNLIBS@ @LIBS@
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCLIBS} @IDNLIBS@ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
SUBDIRS =
@ -66,16 +70,16 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
export BASEOBJS="nslookup.@O@ dighost.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}

11
bin/dig/dig.1
View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dig.1,v 1.50.44.3 2009-07-11 01:55:20 tbox Exp $
.\" $Id: dig.1,v 1.54 2010-03-05 01:14:15 tbox Exp $
.\"
.hy 0
.ad l
@ -455,6 +455,11 @@ Print records like the SOA records in a verbose multi\-line format with human\-r
output.
.RE
.PP
\fB+[no]onesoa\fR
.RS 4
Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
.RE
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
@ -562,7 +567,7 @@ RFC1035.
.PP
There are probably too many query options.
.SH "COPYRIGHT"
Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br

176
bin/dig/dig.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.c,v 1.225.26.7 2010-05-13 00:43:37 marka Exp $ */
/* $Id: dig.c,v 1.237 2010-05-13 00:40:46 marka Exp $ */
/*! \file */
@ -68,7 +68,8 @@ static char domainopt[DNS_NAME_MAXTEXT];
static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE,
onesoa = ISC_FALSE;
/*% opcode text */
static const char * const opcodetext[] = {
@ -138,6 +139,9 @@ print_usage(FILE *fp) {
" [ host [@local-server] {local-d-opt} [...]]\n", fp);
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
print_usage(stderr);
@ -222,6 +226,7 @@ help(void) {
#endif
#endif
" +[no]multiline (Print records in an expanded format)\n"
" +[no]onesoa (AXFR prints only one soa record)\n"
" global d-opts and servers (before host name) affect all queries.\n"
" local d-opts and servers (after host name) affect only that lookup.\n"
" -h (print help and exit)\n"
@ -468,6 +473,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
flags |= DNS_MESSAGETEXTFLAG_NOHEADERS;
flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
}
if (onesoa && query->lookup->rdtype == dns_rdatatype_axfr)
flags |= (query->msg_count == 0) ? DNS_MESSAGETEXTFLAG_ONESOA :
DNS_MESSAGETEXTFLAG_OMITSOA;
if (!query->lookup->comments)
flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
@ -673,19 +681,6 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
}
}
static isc_uint32_t
parse_uint(char *arg, const char *desc, isc_uint32_t max) {
isc_result_t result;
isc_uint32_t tmp;
result = isc_parse_uint32(&tmp, arg, 10);
if (result == ISC_R_SUCCESS && tmp > max)
result = ISC_R_RANGE;
if (result != ISC_R_SUCCESS)
fatal("%s '%s': %s", desc, arg, isc_result_totext(result));
return (tmp);
}
/*%
* We're not using isc_commandline_parse() here since the command line
* syntax of dig is quite a bit different from that which can be described
@ -697,8 +692,10 @@ static void
plus_option(char *option, isc_boolean_t is_batchfile,
dig_lookup_t *lookup)
{
isc_result_t result;
char option_store[256];
char *cmd, *value, *ptr;
isc_uint32_t num;
isc_boolean_t state = ISC_TRUE;
#ifdef DIG_SIGCHASE
size_t n;
@ -746,6 +743,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
lookup->section_additional = state;
break;
case 'f': /* adflag */
case '\0': /* +ad is a synonym for +adflag */
FULLCHECK("adflag");
lookup->adflag = state;
break;
@ -787,8 +785,11 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
lookup->udpsize = (isc_uint16_t) parse_uint(value,
"buffer size", COMMSIZE);
result = parse_uint(&num, value, COMMSIZE,
"buffer size");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse buffer size");
lookup->udpsize = num;
break;
default:
goto invalid_option;
@ -797,8 +798,15 @@ plus_option(char *option, isc_boolean_t is_batchfile,
case 'c':
switch (cmd[1]) {
case 'd':/* cdflag */
FULLCHECK("cdflag");
lookup->cdflag = state;
switch (cmd[2]) {
case 'f': /* cdflag */
case '\0': /* +cd is a synonym for +cdflag */
FULLCHECK("cdflag");
lookup->cdflag = state;
break;
default:
goto invalid_option;
}
break;
case 'l': /* cl */
FULLCHECK("cl");
@ -853,7 +861,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
}
if (value == NULL)
goto need_value;
lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
result = parse_uint(&num, value, 255, "edns");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse edns");
lookup->edns = num;
break;
case 'f': /* fail */
FULLCHECK("fail");
@ -883,7 +894,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
ndots = parse_uint(value, "ndots", MAXNDOTS);
result = parse_uint(&num, value, MAXNDOTS, "ndots");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse ndots");
ndots = num;
break;
case 's':
switch (cmd[2]) {
@ -918,6 +932,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto invalid_option;
}
break;
case 'o':
FULLCHECK("onesoa");
onesoa = state;
break;
case 'q':
switch (cmd[1]) {
case 'r': /* qr */
@ -948,8 +966,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
lookup->retries = parse_uint(value, "retries",
MAXTRIES - 1);
result = parse_uint(&lookup->retries, value,
MAXTRIES - 1, "retries");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse retries");
lookup->retries++;
break;
default:
@ -1025,7 +1045,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
timeout = parse_uint(value, "timeout", MAXTIMEOUT);
result = parse_uint(&timeout, value, MAXTIMEOUT,
"timeout");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse timeout");
if (timeout == 0)
timeout = 1;
break;
@ -1058,8 +1081,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
lookup->retries = parse_uint(value, "tries",
MAXTRIES);
result = parse_uint(&lookup->retries, value,
MAXTRIES, "tries");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse tries");
if (lookup->retries == 0)
lookup->retries = 1;
break;
@ -1125,6 +1150,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
struct in6_addr in6;
in_port_t srcport;
char *hash, *cmd;
isc_uint32_t num;
while (strpbrk(option, single_dash_opts) == &option[0]) {
/*
@ -1140,6 +1166,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
have_ipv6 = ISC_FALSE;
} else {
fatal("can't find IPv4 networking");
/* NOTREACHED */
return (ISC_FALSE);
}
break;
@ -1149,6 +1176,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
have_ipv4 = ISC_FALSE;
} else {
fatal("can't find IPv6 networking");
/* NOTREACHED */
return (ISC_FALSE);
}
break;
@ -1199,9 +1227,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
case 'b':
hash = strchr(value, '#');
if (hash != NULL) {
srcport = (in_port_t)
parse_uint(hash + 1,
"port number", MAXPORT);
result = parse_uint(&num, hash + 1, MAXPORT,
"port number");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse port number");
srcport = num;
*hash = '\0';
} else
srcport = 0;
@ -1245,7 +1275,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
keyfile[sizeof(keyfile)-1]=0;
return (value_from_next);
case 'p':
port = (in_port_t) parse_uint(value, "port number", MAXPORT);
result = parse_uint(&num, value, MAXPORT, "port number");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse port number");
port = num;
return (value_from_next);
case 'q':
if (!config_only) {
@ -1288,11 +1321,14 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
"extra type option\n");
}
if (rdtype == dns_rdatatype_ixfr) {
isc_uint32_t serial;
(*lookup)->rdtype = dns_rdatatype_ixfr;
(*lookup)->rdtypeset = ISC_TRUE;
(*lookup)->ixfr_serial =
parse_uint(&value[5], "serial number",
MAXSERIAL);
result = parse_uint(&serial, &value[5],
MAXSERIAL, "serial number");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse serial number");
(*lookup)->ixfr_serial = serial;
(*lookup)->section_question = plusquest;
(*lookup)->comments = pluscomm;
(*lookup)->tcp_mode = ISC_TRUE;
@ -1320,65 +1356,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
usage();
ptr3 = next_token(&value,":"); /* secret or NULL */
if (ptr3 != NULL) {
if (strcasecmp(ptr, "hmac-md5") == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_uint(&ptr[9],
"digest-bits [0..128]",
128);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha1") == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = parse_uint(&ptr[10],
"digest-bits [0..160]",
160);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha224") == 0) {
hmacname = DNS_TSIG_HMACSHA224_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA224_NAME;
digestbits = parse_uint(&ptr[12],
"digest-bits [0..224]",
224);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha256") == 0) {
hmacname = DNS_TSIG_HMACSHA256_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA256_NAME;
digestbits = parse_uint(&ptr[12],
"digest-bits [0..256]",
256);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha384") == 0) {
hmacname = DNS_TSIG_HMACSHA384_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA384_NAME;
digestbits = parse_uint(&ptr[12],
"digest-bits [0..384]",
384);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha512") == 0) {
hmacname = DNS_TSIG_HMACSHA512_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA512_NAME;
digestbits = parse_uint(&ptr[12],
"digest-bits [0..512]",
512);
digestbits = (digestbits + 7) & ~0x7U;
} else {
fprintf(stderr, ";; Warning, ignoring "
"invalid TSIG algorithm %s\n", ptr);
return (value_from_next);
}
parse_hmac(ptr);
ptr = ptr2;
ptr2 = ptr3;
} else {
@ -1422,6 +1400,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
fprintf(stderr, "Invalid option: -%s\n", option);
usage();
}
/* NOTREACHED */
return (ISC_FALSE);
}
@ -1626,13 +1605,18 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
"extra type option\n");
}
if (rdtype == dns_rdatatype_ixfr) {
isc_uint32_t serial;
lookup->rdtype =
dns_rdatatype_ixfr;
lookup->rdtypeset = ISC_TRUE;
lookup->ixfr_serial =
parse_uint(&rv[0][5],
"serial number",
MAXSERIAL);
result = parse_uint(&serial,
&rv[0][5],
MAXSERIAL,
"serial number");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse "
"serial number");
lookup->ixfr_serial = serial;
lookup->section_question =
plusquest;
lookup->comments = pluscomm;

16
bin/dig/dig.docbook
View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dig.docbook,v 1.42.44.3 2009-02-02 04:42:48 marka Exp $ -->
<!-- $Id: dig.docbook,v 1.47 2010-03-04 23:50:34 tbox Exp $ -->
<refentry id="man.dig">
<refentryinfo>
@ -44,6 +44,7 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@ -766,6 +767,17 @@
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]onesoa</option></term>
<listitem>
<para>
Print only one (starting) SOA record when performing
an AXFR. The default is to print both the starting and
ending SOA records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]fail</option></term>
<listitem>

28
bin/dig/dig.html
View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dig.html,v 1.45.44.3 2009-07-11 01:55:20 tbox Exp $ -->
<!-- $Id: dig.html,v 1.49 2010-03-05 01:14:15 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543518"></a><h2>DESCRIPTION</h2>
<a name="id2543522"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@ -80,7 +80,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543592"></a><h2>SIMPLE USAGE</h2>
<a name="id2543595"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@ -126,7 +126,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543683"></a><h2>OPTIONS</h2>
<a name="id2543686"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@ -230,7 +230,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544032"></a><h2>QUERY OPTIONS</h2>
<a name="id2544035"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@ -499,6 +499,12 @@
each record on a single line, to facilitate machine parsing
of the <span><strong class="command">dig</strong></span> output.
</p></dd>
<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
<dd><p>
Print only one (starting) SOA record when performing
an AXFR. The default is to print both the starting and
ending SOA records.
</p></dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd><p>
Do not try the next server if you receive a SERVFAIL. The
@ -555,7 +561,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545166"></a><h2>MULTIPLE QUERIES</h2>
<a name="id2545184"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@ -601,7 +607,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545228"></a><h2>IDN SUPPORT</h2>
<a name="id2545245"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -615,14 +621,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545251"></a><h2>FILES</h2>
<a name="id2545336"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545336"></a><h2>SEE ALSO</h2>
<a name="id2545353"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@ -630,7 +636,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545373"></a><h2>BUGS</h2>
<a name="id2545390"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>

223
bin/dig/dighost.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dighost.c,v 1.311.70.17 2010-12-09 01:12:54 marka Exp $ */
/* $Id: dighost.c,v 1.336 2010-12-09 00:54:33 marka Exp $ */
/*! \file
* \note
@ -53,6 +53,7 @@
#include <ctype.h>
#endif
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/rdata.h>
@ -71,10 +72,12 @@
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/lang.h>
#include <isc/log.h>
#include <isc/netaddr.h>
#ifdef DIG_SIGCHASE
#include <isc/netdb.h>
#endif
#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/result.h>
@ -84,6 +87,8 @@
#include <isc/types.h>
#include <isc/util.h>
#include <isccfg/namedconf.h>
#include <lwres/lwres.h>
#include <lwres/net.h>
@ -121,6 +126,7 @@ in_port_t port = 53;
unsigned int timeout = 0;
unsigned int extrabytes;
isc_mem_t *mctx = NULL;
isc_log_t *lctx = NULL;
isc_taskmgr_t *taskmgr = NULL;
isc_task_t *global_task = NULL;
isc_timermgr_t *timermgr = NULL;
@ -393,7 +399,7 @@ count_dots(char *string) {
static void
hex_dump(isc_buffer_t *b) {
unsigned int len;
unsigned int len, i;
isc_region_t r;
isc_buffer_usedregion(b, &r);
@ -401,11 +407,29 @@ hex_dump(isc_buffer_t *b) {
printf("%d bytes\n", r.length);
for (len = 0; len < r.length; len++) {
printf("%02x ", r.base[len]);
if (len % 16 == 15)
if (len % 16 == 15) {
fputs(" ", stdout);
for (i = len - 15; i <= len; i++) {
if (r.base[i] >= '!' && r.base[i] <= '}')
putchar(r.base[i]);
else
putchar('.');
}
printf("\n");
}
}
if (len % 16 != 0)
if (len % 16 != 0) {
for (i = len; (i % 16) != 0; i++)
fputs(" ", stdout);
fputs(" ", stdout);
for (i = ((len>>4)<<4); i < len; i++) {
if (r.base[i] >= '!' && r.base[i] <= '}')
putchar(r.base[i]);
else
putchar('.');
}
printf("\n");
}
}
/*%
@ -903,9 +927,7 @@ setup_text_key(void) {
secretsize = isc_buffer_usedlength(&secretbuf);
result = dns_name_fromtext(&keyname, namebuf,
dns_rootname, ISC_FALSE,
namebuf);
result = dns_name_fromtext(&keyname, namebuf, dns_rootname, 0, namebuf);
if (result != ISC_R_SUCCESS)
goto failure;
@ -924,14 +946,164 @@ setup_text_key(void) {
isc_buffer_free(&namebuf);
}
isc_result_t
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc) {
isc_uint32_t n;
isc_result_t result = isc_parse_uint32(&n, value, 10);
if (result == ISC_R_SUCCESS && n > max)
result = ISC_R_RANGE;
if (result != ISC_R_SUCCESS) {
printf("invalid %s '%s': %s\n", desc,
value, isc_result_totext(result));
return (result);
}
*uip = n;
return (ISC_R_SUCCESS);
}
static isc_uint32_t
parse_bits(char *arg, const char *desc, isc_uint32_t max) {
isc_result_t result;
isc_uint32_t tmp;
result = parse_uint(&tmp, arg, max, desc);
if (result != ISC_R_SUCCESS)
fatal("couldn't parse digest bits");
tmp = (tmp + 7) & ~0x7U;
return (tmp);
}
/*
* Parse HMAC algorithm specification
*/
void
parse_hmac(const char *hmac) {
char buf[20];
int len;
REQUIRE(hmac != NULL);
len = strlen(hmac);
if (len >= (int) sizeof(buf))
fatal("unknown key type '%.*s'", len, hmac);
strncpy(buf, hmac, sizeof(buf));
digestbits = 0;
if (strcasecmp(buf, "hmac-md5") == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
} else if (strcasecmp(buf, "hmac-sha1") == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = 0;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
} else if (strcasecmp(buf, "hmac-sha224") == 0) {
hmacname = DNS_TSIG_HMACSHA224_NAME;
} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA224_NAME;
digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
} else if (strcasecmp(buf, "hmac-sha256") == 0) {
hmacname = DNS_TSIG_HMACSHA256_NAME;
} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA256_NAME;
digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
} else if (strcasecmp(buf, "hmac-sha384") == 0) {
hmacname = DNS_TSIG_HMACSHA384_NAME;
} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA384_NAME;
digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
} else if (strcasecmp(buf, "hmac-sha512") == 0) {
hmacname = DNS_TSIG_HMACSHA512_NAME;
} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA512_NAME;
digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
} else {
fprintf(stderr, ";; Warning, ignoring "
"invalid TSIG algorithm %s\n", buf);
}
}
/*
* Get a key from a named.conf format keyfile
*/
static isc_result_t
read_confkey(void) {
isc_log_t *lctx = NULL;
cfg_parser_t *pctx = NULL;
cfg_obj_t *file = NULL;
const cfg_obj_t *key = NULL;
const cfg_obj_t *secretobj = NULL;
const cfg_obj_t *algorithmobj = NULL;
const char *keyname;
const char *secretstr;
const char *algorithm;
isc_result_t result;
if (! isc_file_exists(keyfile))
return (ISC_R_FILENOTFOUND);
result = cfg_parser_create(mctx, lctx, &pctx);
if (result != ISC_R_SUCCESS)
goto cleanup;
result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
&file);
if (result != ISC_R_SUCCESS)
goto cleanup;
result = cfg_map_get(file, "key", &key);
if (result != ISC_R_SUCCESS)
goto cleanup;
(void) cfg_map_get(key, "secret", &secretobj);
(void) cfg_map_get(key, "algorithm", &algorithmobj);
if (secretobj == NULL || algorithmobj == NULL)
fatal("key must have algorithm and secret");
keyname = cfg_obj_asstring(cfg_map_getname(key));
secretstr = cfg_obj_asstring(secretobj);
algorithm = cfg_obj_asstring(algorithmobj);
strncpy(keynametext, keyname, sizeof(keynametext));
strncpy(keysecret, secretstr, sizeof(keysecret));
parse_hmac(algorithm);
setup_text_key();
cleanup:
if (pctx != NULL) {
if (file != NULL)
cfg_obj_destroy(pctx, &file);
cfg_parser_destroy(&pctx);
}
return (result);
}
static void
setup_file_key(void) {
isc_result_t result;
dst_key_t *dstkey = NULL;
debug("setup_file_key()");
result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY,
mctx, &dstkey);
/* Try reading the key from a K* pair */
result = dst_key_fromnamedfile(keyfile, NULL,
DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
&dstkey);
/* If that didn't work, try reading it as a session.key keyfile */
if (result != ISC_R_SUCCESS) {
result = read_confkey();
if (result == ISC_R_SUCCESS)
return;
}
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Couldn't read key from %s: %s\n",
keyfile, isc_result_totext(result));
@ -1119,6 +1291,7 @@ set_search_domain(char *domain) {
void
setup_libs(void) {
isc_result_t result;
isc_logconfig_t *logconfig = NULL;
debug("setup_libs()");
@ -1135,6 +1308,18 @@ setup_libs(void) {
result = isc_mem_create(0, 0, &mctx);
check_result(result, "isc_mem_create");
result = isc_log_create(mctx, &lctx, &logconfig);
check_result(result, "isc_log_create");
isc_log_setcontext(lctx);
dns_log_init(lctx);
dns_log_setcontext(lctx);
result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
check_result(result, "isc_log_usechannel");
isc_log_setdebuglevel(lctx, 0);
result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
check_result(result, "isc_taskmgr_create");
@ -1871,7 +2056,7 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, lookup->origin->origin, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
ISC_FALSE, &lookup->onamebuf);
0, &lookup->onamebuf);
if (result != ISC_R_SUCCESS) {
dns_message_puttempname(lookup->sendmsg,
&lookup->name);
@ -1888,7 +2073,7 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, lookup->textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
lookup->oname, ISC_FALSE,
lookup->oname, 0,
&lookup->namebuf);
}
if (result != ISC_R_SUCCESS) {
@ -1912,16 +2097,14 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, idn_textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
dns_rootname,
ISC_FALSE,
dns_rootname, 0,
&lookup->namebuf);
#else
len = strlen(lookup->textname);
isc_buffer_init(&b, lookup->textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
dns_rootname,
ISC_FALSE,
dns_rootname, 0,
&lookup->namebuf);
#endif
}
@ -3549,9 +3732,11 @@ destroy_libs(void) {
free_name(&chase_signame, mctx);
#endif
debug("Destroy memory");
#endif
debug("Removing log context");
isc_log_destroy(&lctx);
debug("Destroy memory");
if (memdebugging != 0)
isc_mem_stats(mctx, stderr);
if (mctx != NULL)
@ -4041,7 +4226,7 @@ get_trusted_key(isc_mem_t *mctx)
return (ISC_R_FAILURE);
}
fclose(fptemp);
result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC,
result = dst_key_fromnamedfile(filetemp, NULL, DST_TYPE_PUBLIC,
mctx, &key);
removetmpkey(mctx, filetemp);
isc_mem_free(mctx, filetemp);
@ -4075,7 +4260,7 @@ nameFromString(const char *str, dns_name_t *p_ret) {
dns_fixedname_init(&fixedname);
result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
dns_rootname, ISC_TRUE, NULL);
dns_rootname, DNS_NAME_DOWNCASE, NULL);
check_result(result, "nameFromString");
if (dns_name_dynamic(p_ret))

2
bin/dig/host.1
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: host.1,v 1.29.114.2 2009-07-11 01:55:20 tbox Exp $
.\" $Id: host.1,v 1.31 2009-07-11 01:12:45 tbox Exp $
.\"
.hy 0
.ad l

5
bin/dig/host.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: host.c,v 1.116.216.5 2010-10-19 23:45:58 tbox Exp $ */
/* $Id: host.c,v 1.124 2010-11-16 05:38:30 marka Exp $ */
/*! \file */
@ -141,6 +141,9 @@ rcode_totext(dns_rcode_t rcode)
return totext.deconsttext;
}
ISC_PLATFORM_NORETURN_PRE static void
show_usage(void) ISC_PLATFORM_NORETURN_POST;
static void
show_usage(void) {
fputs(

2
bin/dig/host.docbook
View File

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: host.docbook,v 1.18.114.2 2009-01-22 23:47:05 tbox Exp $ -->
<!-- $Id: host.docbook,v 1.20 2009-01-20 23:47:56 tbox Exp $ -->
<refentry id="man.host">
<refentryinfo>

2
bin/dig/host.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: host.html,v 1.28.114.2 2009-07-11 01:55:20 tbox Exp $ -->
<!-- $Id: host.html,v 1.30 2009-07-11 01:12:45 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

14
bin/dig/include/dig/dig.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.h,v 1.107.120.2 2009-01-06 23:47:26 tbox Exp $ */
/* $Id: dig.h,v 1.111 2009-09-29 15:06:06 fdupont Exp $ */
#ifndef DIG_H
#define DIG_H
@ -292,8 +292,9 @@ isc_result_t
get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
isc_boolean_t strict);
void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
void
debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@ -325,6 +326,13 @@ setup_libs(void);
void
setup_system(void);
isc_result_t
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc);
void
parse_hmac(const char *hmacstr);
dig_lookup_t *
requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);

2
bin/dig/nslookup.1
View File

@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: nslookup.1,v 1.14.354.2 2010-02-23 01:56:02 tbox Exp $
.\" $Id: nslookup.1,v 1.16 2010-02-23 01:14:31 tbox Exp $
.\"
.hy 0
.ad l

20
bin/dig/nslookup.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nslookup.c,v 1.117.334.5 2009-10-20 01:11:22 marka Exp $ */
/* $Id: nslookup.c,v 1.127 2010-11-17 23:47:08 tbox Exp $ */
#include <config.h>
@ -541,22 +541,6 @@ safecpy(char *dest, char *src, int size) {
dest[size-1] = 0;
}
static isc_result_t
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc) {
isc_uint32_t n;
isc_result_t result = isc_parse_uint32(&n, value, 10);
if (result == ISC_R_SUCCESS && n > max)
result = ISC_R_RANGE;
if (result != ISC_R_SUCCESS) {
printf("invalid %s '%s': %s\n", desc,
value, isc_result_totext(result));
return result;
}
*uip = n;
return (ISC_R_SUCCESS);
}
static void
set_port(const char *value) {
isc_uint32_t n;

2
bin/dig/nslookup.docbook
View File

@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nslookup.docbook,v 1.16.334.2 2010-02-22 23:47:53 tbox Exp $ -->
<!-- $Id: nslookup.docbook,v 1.18 2010-02-22 23:49:11 tbox Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.

2
bin/dig/nslookup.html
View File

@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nslookup.html,v 1.21.354.2 2010-02-23 01:56:02 tbox Exp $ -->
<!-- $Id: nslookup.html,v 1.23 2010-02-23 01:14:31 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

41
bin/dnssec/Makefile.in
View File

@ -1,4 +1,4 @@
# Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.35 2008-11-07 02:28:49 marka Exp $
# $Id: Makefile.in,v 1.42 2009-12-05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -25,11 +25,12 @@ top_srcdir = @top_srcdir@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\"
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
@ -38,44 +39,56 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@
dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@
OBJS = dnssectool.@O@
SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
dnssec-signzone.c dnssectool.c
dnssec-revoke.c dnssec-settime.c dnssec-signzone.c dnssectool.c
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
dnssec-signzone.8
dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
dnssec-keygen.html dnssec-signzone.html
dnssec-keygen.html dnssec-revoke.html \
dnssec-settime.html dnssec-signzone.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-dsfromkey.@O@ ${OBJS} ${LIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-keygen.@O@ ${OBJS} ${LIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-signzone.@O@ ${OBJS} ${LIBS}
dnssec-revoke.@O@ ${OBJS} ${LIBS}
dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
doc man:: ${MANOBJS}

73
bin/dnssec/dnssec-dsfromkey.8
View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -12,18 +12,18 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-dsfromkey.8,v 1.5.14.1 2010-05-19 02:06:11 tbox Exp $
.\" $Id: dnssec-dsfromkey.8,v 1.13 2010-12-24 01:14:20 tbox Exp $
.\"
.hy 0
.ad l
.\" Title: dnssec\-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: November 29, 2008
.\" Date: August 26, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9"
.TH "DNSSEC\-DSFROMKEY" "8" "August 26, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@ -32,9 +32,9 @@
dnssec\-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] {keyfile}
.HP 17
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname}
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.SH "DESCRIPTION"
.PP
\fBdnssec\-dsfromkey\fR
@ -55,32 +55,50 @@ Use SHA\-256 as the digest algorithm.
.RS 4
Select the digest algorithm. The value of
\fBalgorithm\fR
must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files (or, in keyset mode,
\fIkeyset\-\fR
files) in
\fBdirectory\fR.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
\fBfile\fR. If the zone name is the same as
\fBfile\fR, then it may be omitted.
.RE
.PP
\-A
.RS 4
Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set. The specified
\fBdomain\fR
is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
.RE
.PP
\-s
.RS 4
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-s
.RS 4
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN), useful only in the keyset mode.
.RE
.PP
\-d \fIdirectory\fR
.RS 4
Look for
\fIkeyset\fR
files in
\fBdirectory\fR
as the directory, ignored when not in the keyset mode.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
@ -115,10 +133,11 @@ A keyfile error can give a "file not found" even if the file exists.
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658,
RFC 4431.
RFC 4509.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2008\-2010 Internet Systems Consortium, Inc. ("ISC")
.br

314
bin/dnssec/dnssec-dsfromkey.c
View File

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-dsfromkey.c,v 1.2.14.6 2010-01-11 23:47:22 tbox Exp $ */
/* $Id: dnssec-dsfromkey.c,v 1.19 2010-12-23 04:07:59 marka Exp $ */
/*! \file */
@ -36,6 +36,8 @@
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/keyvalues.h>
#include <dns/master.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
@ -48,54 +50,40 @@
#include "dnssectool.h"
#ifndef PATH_MAX
#define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
#endif
const char *program = "dnssec-dsfromkey";
int verbose;
static dns_rdataclass_t rdclass;
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static dns_db_t *db = NULL;
static dns_dbnode_t *node = NULL;
static dns_rdataset_t keyset;
static isc_mem_t *mctx = NULL;
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
static void
loadkeys(char *dirname, char *setname)
{
isc_result_t result;
char filename[1024];
isc_buffer_t buf;
static isc_result_t
initname(char *setname) {
isc_result_t result;
isc_buffer_t buf;
dns_rdataset_init(&keyset);
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
isc_buffer_init(&buf, setname, strlen(setname));
isc_buffer_add(&buf, strlen(setname));
result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
if (result != ISC_R_SUCCESS)
fatal("can't convert DNS name %s", setname);
result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
return (result);
}
isc_buffer_init(&buf, filename, sizeof(filename));
if (dirname != NULL) {
if (isc_buffer_availablelength(&buf) < strlen(dirname))
fatal("directory name '%s' too long", dirname);
isc_buffer_putstr(&buf, dirname);
if (dirname[strlen(dirname) - 1] != '/') {
if (isc_buffer_availablelength(&buf) < 1)
fatal("directory name '%s' too long", dirname);
isc_buffer_putstr(&buf, "/");
}
}
static isc_result_t
loadsetfromfile(char *filename, dns_rdataset_t *rdataset) {
isc_result_t result;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
char setname[DNS_NAME_FORMATSIZE];
if (isc_buffer_availablelength(&buf) < strlen("keyset-"))
fatal("directory name '%s' too long", dirname);
isc_buffer_putstr(&buf, "keyset-");
result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
check_result(result, "dns_name_tofilenametext()");
if (isc_buffer_availablelength(&buf) == 0)
fatal("name %s too long", setname);
isc_buffer_putuint8(&buf, 0);
dns_name_format(name, setname, sizeof(setname));
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
rdclass, 0, NULL, &db);
@ -111,11 +99,49 @@ loadkeys(char *dirname, char *setname)
fatal("can't find %s node in %s", setname, filename);
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
0, 0, &keyset, NULL);
0, 0, rdataset, NULL);
if (result == ISC_R_NOTFOUND)
fatal("no DNSKEY RR for %s in %s", setname, filename);
else if (result != ISC_R_SUCCESS)
fatal("dns_db_findrdataset");
if (node != NULL)
dns_db_detachnode(db, &node);
if (db != NULL)
dns_db_detach(&db);
return (result);
}
static isc_result_t
loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
isc_result_t result;
char filename[PATH_MAX + 1];
isc_buffer_t buf;
dns_rdataset_init(rdataset);
isc_buffer_init(&buf, filename, sizeof(filename));
if (dirname != NULL) {
/* allow room for a trailing slash */
if (strlen(dirname) >= isc_buffer_availablelength(&buf))
return (ISC_R_NOSPACE);
isc_buffer_putstr(&buf, dirname);
if (dirname[strlen(dirname) - 1] != '/')
isc_buffer_putstr(&buf, "/");
}
if (isc_buffer_availablelength(&buf) < 7)
return (ISC_R_NOSPACE);
isc_buffer_putstr(&buf, "keyset-");
result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
check_result(result, "dns_name_tofilenametext()");
if (isc_buffer_availablelength(&buf) == 0)
return (ISC_R_NOSPACE);
isc_buffer_putuint8(&buf, 0);
return (loadsetfromfile(filename, rdataset));
}
static void
@ -127,20 +153,20 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
isc_buffer_t keyb;
isc_region_t r;
dns_rdataset_init(&keyset);
dns_rdata_init(rdata);
isc_buffer_init(&keyb, key_buf, key_buf_size);
result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("invalid keyfile name %s: %s",
filename, isc_result_totext(result));
if (verbose > 2) {
char keystr[KEY_FORMATSIZE];
char keystr[DST_KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
}
@ -169,7 +195,7 @@ logkey(dns_rdata_t *rdata)
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t buf;
char keystr[KEY_FORMATSIZE];
char keystr[DST_KEY_FORMATSIZE];
isc_buffer_init(&buf, rdata->data, rdata->length);
isc_buffer_add(&buf, rdata->length);
@ -177,89 +203,132 @@ logkey(dns_rdata_t *rdata)
if (result != ISC_R_SUCCESS)
return;
key_format(key, keystr, sizeof(keystr));
dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
dst_key_free(&key);
}
static void
emitds(unsigned int dtype, dns_rdata_t *rdata)
emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
dns_rdata_t *rdata)
{
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
char text_buf[DST_KEY_MAXTEXTSIZE];
char class_buf[10];
isc_buffer_t textb, classb;
isc_region_t r;
dns_rdata_t ds;
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
char text_buf[DST_KEY_MAXTEXTSIZE];
char name_buf[DNS_NAME_MAXWIRE];
char class_buf[10];
isc_buffer_t textb, nameb, classb;
isc_region_t r;
dns_rdata_t ds;
dns_rdata_dnskey_t dnskey;
isc_buffer_init(&textb, text_buf, sizeof(text_buf));
isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
isc_buffer_init(&classb, class_buf, sizeof(class_buf));
dns_rdata_init(&ds);
result = dns_rdata_tostruct(rdata, &dnskey, NULL);
if (result != ISC_R_SUCCESS)
fatal("can't convert DNSKEY");
if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
return;
result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
if (result != ISC_R_SUCCESS)
fatal("can't build DS");
fatal("can't build record");
result = dns_name_totext(name, ISC_FALSE, &nameb);
if (result != ISC_R_SUCCESS)
fatal("can't print name");
/* Add lookaside origin, if set */
if (lookaside != NULL) {
if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, lookaside);
if (lookaside[strlen(lookaside) - 1] != '.') {
if (isc_buffer_availablelength(&nameb) < 1)
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, ".");
}
}
result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
if (result != ISC_R_SUCCESS)
fatal("can't print DS rdata");
fatal("can't print rdata");
result = dns_rdataclass_totext(rdclass, &classb);
if (result != ISC_R_SUCCESS)
fatal("can't print DS class");
fatal("can't print class");
result = dns_name_print(name, stdout);
if (result != ISC_R_SUCCESS)
fatal("can't print DS name");
isc_buffer_usedregion(&nameb, &r);
isc_util_fwrite(r.base, 1, r.length, stdout);
putchar(' ');
isc_buffer_usedregion(&classb, &r);
isc_util_fwrite(r.base, 1, r.length, stdout);
printf(" DS ");
if (lookaside == NULL)
printf(" DS ");
else
printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
isc_util_fwrite(r.base, 1, r.length, stdout);
putchar('\n');
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s options keyfile\n\n", program);
fprintf(stderr, " %s options [-c class] [-d dir] -s dnsname\n\n",
fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
fprintf(stderr, " %s options [-K dir] [-c class] -s dnsname\n\n",
program);
fprintf(stderr, " %s options -f zonefile (as zone name)\n\n", program);
fprintf(stderr, " %s options -f zonefile zonename\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -v <verbose level>\n");
fprintf(stderr, " -K <directory>: directory in which to find "
"key file or keyset file\n");
fprintf(stderr, " -a algorithm: digest algorithm "
"(SHA-1, SHA-256 or GOST)\n");
fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n");
fprintf(stderr, " -a algorithm: use algorithm\n");
fprintf(stderr, "Keyset options:\n");
fprintf(stderr, " -s: keyset mode\n");
fprintf(stderr, " -c class\n");
fprintf(stderr, " -d directory\n");
fprintf(stderr, "Output: DS RRs\n");
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
fprintf(stderr, " -f file: read keyset from zone file\n");
fprintf(stderr, " -A: when used with -f, "
"include all keys in DS set, not just KSKs\n");
fprintf(stderr, "Output: DS or DLV RRs\n");
exit (-1);
}
int
main(int argc, char **argv) {
char *algname = NULL, *classname = NULL, *dirname = NULL;
char *endp;
int ch;
unsigned int dtype = DNS_DSDIGEST_SHA1;
isc_boolean_t both = ISC_TRUE;
isc_boolean_t usekeyset = ISC_FALSE;
isc_result_t result;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
dns_rdata_t rdata;
char *algname = NULL, *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *lookaside = NULL;
char *endp;
int ch;
unsigned int dtype = DNS_DSDIGEST_SHA1;
isc_boolean_t both = ISC_TRUE;
isc_boolean_t usekeyset = ISC_FALSE;
isc_boolean_t showall = ISC_FALSE;
isc_result_t result;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
dns_rdataset_t rdataset;
dns_rdata_t rdata;
dns_rdata_init(&rdata);
@ -275,7 +344,7 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"12a:c:d:sv:h")) != -1) {
"12Aa:c:d:Ff:K:l:sv:h")) != -1) {
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
@ -285,6 +354,9 @@ main(int argc, char **argv) {
dtype = DNS_DSDIGEST_SHA256;
both = ISC_FALSE;
break;
case 'A':
showall = ISC_TRUE;
break;
case 'a':
algname = isc_commandline_argument;
both = ISC_FALSE;
@ -293,7 +365,21 @@ main(int argc, char **argv) {
classname = isc_commandline_argument;
break;
case 'd':
dirname = isc_commandline_argument;
fprintf(stderr, "%s: the -d option is deprecated; "
"use -K\n", program);
/* fall through */
case 'K':
dir = isc_commandline_argument;
if (strlen(dir) == 0U)
fatal("directory must be non-empty string");
break;
case 'f':
filename = isc_commandline_argument;
break;
case 'l':
lookaside = isc_commandline_argument;
if (strlen(lookaside) == 0U)
fatal("lookaside must be a non-empty string");
break;
case 's':
usekeyset = ISC_TRUE;
@ -303,11 +389,14 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'F':
/* Reserved for FIPS mode */
/* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* Falls into */
/* FALLTHROUGH */
case 'h':
usage();
@ -325,13 +414,24 @@ main(int argc, char **argv) {
else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256;
#ifdef HAVE_OPENSSL_GOST
else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST;
#endif
else
fatal("unknown algorithm %s", algname);
}
rdclass = strtoclass(classname);
if (argc < isc_commandline_index + 1)
if (usekeyset && filename != NULL)
fatal("cannot use both -s and -f");
/* When not using -f, -A is implicit */
if (filename == NULL)
showall = ISC_TRUE;
if (argc < isc_commandline_index + 1 && filename == NULL)
fatal("the key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
@ -344,28 +444,50 @@ main(int argc, char **argv) {
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst");
fatal("could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
setup_logging(verbose, mctx, &log);
if (usekeyset) {
loadkeys(dirname, argv[isc_commandline_index]);
dns_rdataset_init(&rdataset);
for (result = dns_rdataset_first(&keyset);
if (usekeyset || filename != NULL) {
if (argc < isc_commandline_index + 1 && filename != NULL) {
/* using zone name as the zone file name */
namestr = filename;
} else
namestr = argv[isc_commandline_index];
result = initname(namestr);
if (result != ISC_R_SUCCESS)
fatal("could not initialize name %s", namestr);
if (usekeyset)
result = loadkeyset(dir, &rdataset);
else
result = loadsetfromfile(filename, &rdataset);
if (result != ISC_R_SUCCESS)
fatal("could not load DNSKEY set: %s\n",
isc_result_totext(result));
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&keyset)) {
result = dns_rdataset_next(&rdataset)) {
dns_rdata_init(&rdata);
dns_rdataset_current(&keyset, &rdata);
dns_rdataset_current(&rdataset, &rdata);
if (verbose > 2)
logkey(&rdata);
if (both) {
emitds(DNS_DSDIGEST_SHA1, &rdata);
emitds(DNS_DSDIGEST_SHA256, &rdata);
emit(DNS_DSDIGEST_SHA1, showall, lookaside,
&rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside,
&rdata);
} else
emitds(dtype, &rdata);
emit(dtype, showall, lookaside, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
@ -374,18 +496,14 @@ main(int argc, char **argv) {
DST_KEY_MAXSIZE, &rdata);
if (both) {
emitds(DNS_DSDIGEST_SHA1, &rdata);
emitds(DNS_DSDIGEST_SHA256, &rdata);
emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
} else
emitds(dtype, &rdata);
emit(dtype, showall, lookaside, &rdata);
}
if (dns_rdataset_isassociated(&keyset))
dns_rdataset_disassociate(&keyset);
if (node != NULL)
dns_db_detachnode(db, &node);
if (db != NULL)
dns_db_detach(&db);
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
dst_lib_destroy();
isc_hash_destroy();

122
bin/dnssec/dnssec-dsfromkey.docbook
View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -17,10 +17,10 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008-11-07 13:54:11 jreed Exp $ -->
<!-- $Id: dnssec-dsfromkey.docbook,v 1.12 2010-12-23 23:47:08 tbox Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
<date>November 29, 2008</date>
<date>August 26, 2009</date>
</refentryinfo>
<refmeta>
@ -37,6 +37,8 @@
<docinfo>
<copyright>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@ -48,17 +50,22 @@
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>dnssec-dsfromkey</command>
<arg choice="req">-s</arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">dnsname</arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -99,12 +106,79 @@
<listitem>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1) or
SHA-256 (SHA256). These values are case insensitive.
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files (or, in keyset mode,
<filename>keyset-</filename> files) in
<option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
Include ZSK's when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
@ -113,39 +187,6 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file. Following options make sense
only in this mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN), useful only
in the keyset mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for <filename>keyset</filename> files in
<option>directory</option> as the directory, ignored when
not in the keyset mode.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
@ -197,6 +238,7 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>,
<citetitle>RFC 4431</citetitle>.
<citetitle>RFC 4509</citetitle>.
</para>
</refsect1>

81
bin/dnssec/dnssec-dsfromkey.html
View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-dsfromkey.html,v 1.5.14.1 2010-05-19 02:06:11 tbox Exp $ -->
<!-- $Id: dnssec-dsfromkey.html,v 1.13 2010-12-24 01:14:19 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -28,18 +28,18 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543424"></a><h2>DESCRIPTION</h2>
<a name="id2543464"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543435"></a><h2>OPTIONS</h2>
<a name="id2543476"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@ -53,34 +53,54 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
SHA-256 (SHA256). These values are case insensitive.
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p></dd>
<dt><span class="term">-A</span></dt>
<dd><p>
Include ZSK's when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431.
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file. Following options make sense
only in this mode.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class (default is IN), useful only
in the keyset mode.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for <code class="filename">keyset</code> files in
<code class="option">directory</code> as the directory, ignored when
not in the keyset mode.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543563"></a><h2>EXAMPLE</h2>
<a name="id2543662"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@ -95,7 +115,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543593"></a><h2>FILES</h2>
<a name="id2543692"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@ -109,22 +129,23 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543628"></a><h2>CAVEAT</h2>
<a name="id2543728"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543638"></a><h2>SEE ALSO</h2>
<a name="id2543737"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em>,
<em class="citetitle">RFC 4431</em>.
<em class="citetitle">RFC 4509</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543674"></a><h2>AUTHOR</h2>
<a name="id2543777"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

86
bin/dnssec/dnssec-keyfromlabel.8
View File

@ -1,4 +1,4 @@
.\" Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keyfromlabel.8,v 1.6.14.3 2010-01-16 01:55:32 tbox Exp $
.\" $Id: dnssec-keyfromlabel.8,v 1.18.14.1.2.1 2011-06-09 03:41:05 tbox Exp $
.\"
.hy 0
.ad l
@ -32,18 +32,22 @@
dnssec\-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 20
\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-y\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
.PP
The
\fBname\fR
of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or DH (Diffie Hellman). These values are case insensitive.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
@ -56,9 +60,19 @@ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA
Note 2: DH automatically sets the \-k flag.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to "pkcs11".
.RE
.PP
\-l \fIlabel\fR
.RS 4
Specifies the label of keys in the crypto hardware (PKCS#11 device).
Specifies the label of the key pair in the crypto hardware. The label may be preceded by an optional OpenSSL engine name, separated by a colon, as in "pkcs11:keylabel".
.RE
.PP
\-n \fInametype\fR
@ -68,6 +82,15 @@ Specifies the owner type of the key. The value of
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata. By default,
\fBdnssec\-keyfromlabel\fR
will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
@ -75,13 +98,23 @@ Indicates that the DNS record containing the key should have the specified class
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
.RE
.PP
\-G
.RS 4
Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR.
\fBdnssec\-keyfromlabel\fR.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written.
.RE
.PP
\-k
@ -91,7 +124,7 @@ Generate KEY records rather than DNSKEY records.
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.RE
.PP
\-t \fItype\fR
@ -105,6 +138,39 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
.RS 4
Sets the debugging level.
.RE
.PP
\-y
.RS 4
Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.)
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
.RE
.SH "GENERATED KEY FILES"
.PP
When
@ -138,7 +204,7 @@ file contains a DNS KEY record that can be inserted into a zone file (directly o
.PP
The
\fI.private\fR
file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
@ -149,5 +215,5 @@ RFC 4034.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2008\-2011 Internet Systems Consortium, Inc. ("ISC")
.br

336
bin/dnssec/dnssec-keyfromlabel.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2007-2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -14,12 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.4.50.2 2010-01-15 23:47:31 tbox Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.32 2010-12-23 04:07:59 marka Exp $ */
/*! \file */
#include <config.h>
#include <ctype.h>
#include <stdlib.h>
#include <isc/buffer.h>
@ -27,9 +28,11 @@
#include <isc/entropy.h>
#include <isc/mem.h>
#include <isc/region.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
@ -47,35 +50,60 @@
const char *program = "dnssec-keyfromlabel";
int verbose;
#define DEFAULT_ALGORITHM "RSASHA1"
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512";
" RSASHA256 | RSASHA512 | ECCGOST";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s -a alg -l label [options] name\n\n",
fprintf(stderr, " %s -l label [options] name\n\n",
program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Required options:\n");
fprintf(stderr, " -a algorithm: %s\n", algs);
fprintf(stderr, " -l label: label of the key\n");
fprintf(stderr, " -l label: label of the key pair\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: %s\n", algs);
fprintf(stderr, " (default: RSASHA1, or "
"NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
#ifdef USE_PKCS11
fprintf(stderr, " -E enginename (default: pkcs11)\n");
#else
fprintf(stderr, " -E enginename\n");
#endif
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
fprintf(stderr, " -k: generate a TYPE=KEY key\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " -c <class> (default: IN)\n");
fprintf(stderr, " -f keyflag: KSK\n");
fprintf(stderr, " -t <type>: "
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
fprintf(stderr, " -p <protocol>: "
"default: 3 [dnssec]\n");
fprintf(stderr, " -v <verbose level>\n");
fprintf(stderr, " -k : generate a TYPE=KEY key\n");
fprintf(stderr, " -y: permit keys that might collide\n");
fprintf(stderr, " -v verbose level\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
" all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
"K<name>+<alg>+<id>.private\n");
exit (-1);
}
@ -83,14 +111,20 @@ usage(void) {
int
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
const char *directory = NULL;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *classname = NULL;
char *endp;
dst_key_t *key = NULL, *oldkey;
dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
isc_uint16_t flags = 0, ksk = 0;
isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
dns_secalg_t alg;
isc_boolean_t null_key = ISC_FALSE;
isc_boolean_t oldstyle = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch;
int protocol = -1, signatory = 0;
@ -103,6 +137,20 @@ main(int argc, char **argv) {
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t genonly = ISC_FALSE;
isc_boolean_t use_nsec3 = ISC_FALSE;
isc_boolean_t avoid_collisions = ISC_TRUE;
isc_boolean_t exact;
unsigned char c;
if (argc == 1)
usage();
@ -113,28 +161,49 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"a:c:f:kl:n:p:t:v:h")) != -1)
"3a:Cc:E:f:K:kl:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case '3':
use_nsec3 = ISC_TRUE;
break;
case 'a':
algname = isc_commandline_argument;
break;
case 'C':
oldstyle = ISC_TRUE;
break;
case 'c':
classname = isc_commandline_argument;
break;
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
if (strcasecmp(isc_commandline_argument, "KSK") == 0)
ksk = DNS_KEYFLAG_KSK;
c = (unsigned char)(isc_commandline_argument[0]);
if (toupper(c) == 'K')
kskflag = DNS_KEYFLAG_KSK;
else if (toupper(c) == 'R')
revflag = DNS_KEYFLAG_REVOKE;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
break;
case 'K':
directory = isc_commandline_argument;
ret = try_dir(directory);
if (ret != ISC_R_SUCCESS)
fatal("cannot open directory %s: %s",
directory, isc_result_totext(ret));
break;
case 'k':
options |= DST_TYPE_KEY;
break;
case 'l':
label = isc_commandline_argument;
label = isc_mem_strdup(mctx, isc_commandline_argument);
break;
case 'n':
nametype = isc_commandline_argument;
@ -153,11 +222,80 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'y':
avoid_collisions = ISC_FALSE;
break;
case 'G':
genonly = ISC_TRUE;
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setpub = ISC_TRUE;
publish = strtotime(isc_commandline_argument,
now, now);
} else {
unsetpub = ISC_TRUE;
}
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setact = ISC_TRUE;
activate = strtotime(isc_commandline_argument,
now, now);
} else {
unsetact = ISC_TRUE;
}
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setrev = ISC_TRUE;
revoke = strtotime(isc_commandline_argument,
now, now);
} else {
unsetrev = ISC_TRUE;
}
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setinact = ISC_TRUE;
inactive = strtotime(isc_commandline_argument,
now, now);
} else {
unsetinact = ISC_TRUE;
}
break;
case 'D':
if (setdel || unsetdel)
fatal("-D specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setdel = ISC_TRUE;
delete = strtotime(isc_commandline_argument,
now, now);
} else {
unsetdel = ISC_TRUE;
}
break;
case 'F':
/* Reserved for FIPS mode */
/* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* FALLTHROUGH */
case 'h':
usage();
@ -170,10 +308,11 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
ret = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
ret = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
fatal("could not initialize dst");
fatal("could not initialize dst: %s",
isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
@ -184,8 +323,30 @@ main(int argc, char **argv) {
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
if (algname == NULL)
fatal("no algorithm was specified");
if (strchr(label, ':') == NULL &&
engine != NULL && strlen(engine) != 0U) {
char *l;
int len;
len = strlen(label) + strlen(engine) + 2;
l = isc_mem_allocate(mctx, len);
if (l == NULL)
fatal("cannot allocate memory");
snprintf(l, len, "%s:%s", engine, label);
isc_mem_free(mctx, label);
label = l;
}
if (algname == NULL) {
if (use_nsec3)
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
if (verbose > 0)
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
}
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
@ -201,6 +362,14 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
}
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
@ -234,10 +403,15 @@ main(int argc, char **argv) {
rdclass = strtoclass(classname);
if (directory == NULL)
directory = ".";
if ((options & DST_TYPE_KEY) != 0) /* KEY */
flags |= signatory;
else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
flags |= ksk;
else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
flags |= kskflag;
flags |= revflag;
}
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
@ -260,53 +434,108 @@ main(int argc, char **argv) {
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS)
fatal("invalid key name %s: %s", argv[isc_commandline_index],
isc_result_totext(ret));
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
null_key = ISC_TRUE;
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol,
rdclass, "", label, NULL, mctx, &key);
rdclass, engine, label, NULL, mctx, &key);
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[ALG_FORMATSIZE];
char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
alg_format(alg, algstr, sizeof(algstr));
fatal("failed to generate key %s/%s: %s\n",
dns_secalg_format(alg, algstr, sizeof(algstr));
fatal("failed to get key %s/%s: %s\n",
namestr, algstr, isc_result_totext(ret));
/* NOTREACHED */
exit(-1);
}
/*
* Try to read a key with the same name, alg and id from disk.
* If there is one we must continue generating a new one
* unless we were asked to generate a null key, in which
* case we return failure.
* Set key timing metadata (unless using -C)
*
* Publish and activation dates are set to "now" by default, but
* can be overridden. Creation date is always set to "now".
*/
ret = dst_key_fromfile(name, dst_key_id(key), alg,
DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
/* do not overwrite an existing key */
if (ret == ISC_R_SUCCESS) {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, NULL, &buf);
fprintf(stderr, "%s: %s already exists\n",
program, filename);
dst_key_free(&key);
exit (1);
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
if (genonly && (setpub || setact))
fatal("cannot use -G together with -P or -A options");
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, publish);
else if (setact)
dst_key_settime(key, DST_TIME_PUBLISH, activate);
else if (!genonly && !unsetpub)
dst_key_settime(key, DST_TIME_PUBLISH, now);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, activate);
else if (!genonly && !unsetact)
dst_key_settime(key, DST_TIME_ACTIVATE, now);
if (setrev) {
if (kskflag == 0)
fprintf(stderr, "%s: warning: Key is "
"not flagged as a KSK, but -R "
"was used. Revoking a ZSK is "
"legal, but undefined.\n",
program);
dst_key_settime(key, DST_TIME_REVOKE, revoke);
}
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inactive);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, delete);
} else {
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetinact || unsetdel || genonly)
fatal("cannot use -C together with "
"-P, -A, -R, -I, -D, or -G options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
*/
dst_key_setprivateformat(key, 1, 2);
}
ret = dst_key_tofile(key, options, NULL);
/*
* Do not overwrite an existing key. Warn LOUDLY if there
* is a risk of ID collision due to this key or another key
* being revoked.
*/
if (key_collision(dst_key_id(key), name, directory, alg, mctx, &exact))
{
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, directory, &buf);
if (exact)
fatal("%s: %s already exists\n", program, filename);
if (avoid_collisions)
fatal("%s: %s could collide with another key upon "
"revokation\n", program, filename);
fprintf(stderr, "%s: WARNING: Key %s could collide with "
"another key upon revokation. If you plan "
"to revoke keys, destroy this key and "
"generate a different one.\n",
program, filename);
}
ret = dst_key_tofile(key, options, directory);
if (ret != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
@ -322,6 +551,7 @@ main(int argc, char **argv) {
dns_name_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_free(mctx, label);
isc_mem_destroy(&mctx);
return (0);

195
bin/dnssec/dnssec-keyfromlabel.docbook
View File

@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6.14.2 2010-01-15 23:47:31 tbox Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.18.14.1.2.1 2011-06-02 23:47:27 tbox Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
@ -37,7 +37,9 @@
<docinfo>
<copyright>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@ -45,15 +47,25 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keyfromlabel</command>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
<arg><option>-3</option></arg>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-y</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -65,6 +77,11 @@
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</para>
<para>
The <option>name</option> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</para>
</refsect1>
<refsect1>
@ -76,9 +93,8 @@
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5,
RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
RSASHA512 or DH (Diffie Hellman).
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
These values are case insensitive.
</para>
<para>
@ -98,12 +114,35 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the name of the crypto hardware (OpenSSL engine).
When compiled with PKCS#11 support it defaults to "pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label of keys in the crypto hardware
(PKCS#11 device).
Specifies the label of the key pair in the crypto hardware.
The label may be preceded by an optional OpenSSL engine name,
separated by a colon, as in "pkcs11:keylabel".
</para>
</listitem>
</varlistentry>
@ -117,8 +156,22 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are
case insensitive.
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keyfromlabel</command>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</varlistentry>
@ -138,7 +191,17 @@
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
@ -148,7 +211,16 @@
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
<command>dnssec-keyfromlabel</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
@ -166,7 +238,7 @@
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
@ -195,6 +267,93 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-y</term>
<listitem>
<para>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TIMING OPTIONS</title>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
@ -214,8 +373,7 @@
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the
algorithm.
of the algorithm.
</para>
</listitem>
<listitem>
@ -229,8 +387,7 @@
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private
key.
private key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record
@ -239,8 +396,8 @@
statement).
</para>
<para>
The <filename>.private</filename> file contains algorithm
specific
The <filename>.private</filename> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>

136
bin/dnssec/dnssec-keyfromlabel.html
View File

@ -1,5 +1,5 @@
<!--
- Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.html,v 1.5.44.3 2010-01-16 01:55:32 tbox Exp $ -->
<!-- $Id: dnssec-keyfromlabel.html,v 1.17.14.1.2.1 2011-06-09 03:41:05 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -28,26 +28,30 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543416"></a><h2>DESCRIPTION</h2>
<a name="id2543494"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543428"></a><h2>OPTIONS</h2>
<a name="id2543512"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5,
RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
RSASHA512 or DH (Diffie Hellman).
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
These values are case insensitive.
</p>
<p>
@ -65,10 +69,23 @@
Note 2: DH automatically sets the -k flag.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Specifies the name of the crypto hardware (OpenSSL engine).
When compiled with PKCS#11 support it defaults to "pkcs11".
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
Specifies the label of keys in the crypto hardware
(PKCS#11 device).
Specifies the label of the key pair in the crypto hardware.
The label may be preceded by an optional OpenSSL engine name,
separated by a colon, as in "pkcs11:keylabel".
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
@ -77,8 +94,17 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are
case insensitive.
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
@ -88,12 +114,21 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
<span><strong class="command">dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
@ -101,7 +136,7 @@
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
@ -117,10 +152,65 @@
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543632"></a><h2>GENERATED KEY FILES</h2>
<a name="id2543876"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544042"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@ -132,8 +222,7 @@
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
@ -144,8 +233,7 @@
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private
key.
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
@ -154,14 +242,14 @@
statement).
</p>
<p>
The <code class="filename">.private</code> file contains algorithm
specific
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543704"></a><h2>SEE ALSO</h2>
<a name="id2544115"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -169,7 +257,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543737"></a><h2>AUTHOR</h2>
<a name="id2544148"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

114
bin/dnssec/dnssec-keygen.8
View File

@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keygen.8,v 1.40.44.4 2010-01-16 01:55:32 tbox Exp $
.\" $Id: dnssec-keygen.8,v 1.55 2010-12-24 01:14:19 tbox Exp $
.\"
.hy 0
.ad l
@ -33,11 +33,11 @@
dnssec\-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 14
\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
.PP
The
\fBname\fR
@ -48,16 +48,28 @@ of the key is specified on the command line. For DNSSEC keys, this must match th
.RS 4
Selects the cryptographic algorithm. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
option is specified, in which case NSEC3RSASHA1 will be used instead. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
.sp
Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.
.sp
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
\fB\-a\fR, then there is no default key size, and the
\fB\-b\fR
must be used.
.RE
.PP
\-n \fInametype\fR
@ -67,11 +79,30 @@ Specifies the owner type of the key. The value of
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3\-capable.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata. By default,
\fBdnssec\-keygen\fR
will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
.RE
.PP
\-E \fIengine\fR
.RS 4
Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.PP
\-e
.RS 4
If generating an RSAMD5/RSASHA1 key, use a large exponent.
@ -79,7 +110,12 @@ If generating an RSAMD5/RSASHA1 key, use a large exponent.
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
.RE
.PP
\-G
.RS 4
Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
.RE
.PP
\-g \fIgenerator\fR
@ -93,9 +129,14 @@ Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written.
.RE
.PP
\-k
.RS 4
Generate KEY records rather than DNSKEY records.
Deprecated in favor of \-T KEY.
.RE
.PP
\-p \fIprotocol\fR
@ -103,6 +144,15 @@ Generate KEY records rather than DNSKEY records.
Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when
\fBdnssec\-keygen\fR
is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
\fIstderr\fR
indicating the progress of the key generation. A '.' indicates that a random number has been found which passed an initial sieve test; '+' means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key.
.RE
.PP
\-r \fIrandomdev\fR
.RS 4
Specifies the source of randomness. If the operating system does not provide a
@ -114,11 +164,24 @@ specifies the name of a character device or file containing random data to be us
indicates that keyboard input should be used.
.RE
.PP
\-S \fIkey\fR
.RS 4
Create a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the existing key. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
.RE
.PP
\-s \fIstrength\fR
.RS 4
Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
.RE
.PP
\-T \fIrrtype\fR
.RS 4
Specifies the resource record type to use for the key.
\fBrrtype\fR
must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key.
@ -130,6 +193,43 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
.RS 4
Sets the debugging level.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
.sp
If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
.sp
As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
.RE
.SH "GENERATED KEYS"
.PP
When

802
bin/dnssec/dnssec-keygen.c
View File

File diff suppressed because it is too large Load Diff

264
bin/dnssec/dnssec-keygen.docbook
View File

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.22.44.4 2010-01-15 23:47:33 tbox Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.36 2010-12-23 04:07:59 marka Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@ -57,20 +57,34 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keygen</command>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
<arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-3</option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-C</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-q</option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-z</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -80,7 +94,8 @@
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</para>
<para>
The <option>name</option> of the key is specified on the command
@ -99,19 +114,27 @@
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
For TSIG/TKEY, the value must
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</para>
<para>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</para>
</listitem>
</varlistentry>
@ -127,6 +150,15 @@
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
</para>
<para>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
generated with <option>-f KSK</option>). However, if an
algorithm is explicitly specified with the <option>-a</option>,
then there is no default key size, and the <option>-b</option>
must be used.
</para>
</listitem>
</varlistentry>
@ -145,6 +177,34 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
are NSEC3-capable.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keygen</command>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
@ -155,6 +215,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Uses a crypto hardware (OpenSSL engine) for random number
and, when supported, key generation. When compiled with PKCS#11
support it defaults to pkcs11; the empty name resets it to
no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e</term>
<listitem>
@ -169,7 +241,17 @@
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
@ -196,11 +278,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
Deprecated in favor of -T KEY.
</para>
</listitem>
</varlistentry>
@ -217,6 +308,25 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<command>dnssec-keygen</command> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <filename>stderr</filename> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
@ -234,6 +344,21 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
@ -245,6 +370,22 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">rrtype</replaceable></term>
<listitem>
<para>
Specifies the resource record type to use for the key.
<option>rrtype</option> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
<para>
</para>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
@ -269,6 +410,109 @@
</variablelist>
</refsect1>
<refsect1>
<title>TIMING OPTIONS</title>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>GENERATED KEYS</title>
<para>

196
bin/dnssec/dnssec-keygen.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.html,v 1.32.44.4 2010-01-16 01:55:32 tbox Exp $ -->
<!-- $Id: dnssec-keygen.html,v 1.47 2010-12-24 01:14:20 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -29,14 +29,15 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543483"></a><h2>DESCRIPTION</h2>
<a name="id2543578"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
@ -45,37 +46,56 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543501"></a><h2>OPTIONS</h2>
<a name="id2543596"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
For TSIG/TKEY, the value must
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
<dd>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits.
</p></dd>
</p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
@ -86,11 +106,36 @@
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
are NSEC3-capable.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Uses a crypto hardware (OpenSSL engine) for random number
and, when supported, key generation. When compiled with PKCS#11
support it defaults to pkcs11; the empty name resets it to
no engine.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
@ -98,7 +143,12 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
@ -112,9 +162,13 @@
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
@ -123,6 +177,20 @@
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span><strong class="command">dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
@ -135,12 +203,37 @@
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
@ -155,7 +248,78 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543836"></a><h2>GENERATED KEYS</h2>
<a name="id2544301"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544491"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@ -201,7 +365,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543918"></a><h2>EXAMPLE</h2>
<a name="id2544642"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@ -222,7 +386,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544030"></a><h2>SEE ALSO</h2>
<a name="id2544685"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@ -231,7 +395,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544061"></a><h2>AUTHOR</h2>
<a name="id2544716"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

83
bin/dnssec/dnssec-revoke.8 Normal file
View File

@ -0,0 +1,83 @@
.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-revoke.8,v 1.9 2010-05-19 01:14:14 tbox Exp $
.\"
.hy 0
.ad l
.\" Title: dnssec\-revoke
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: June 1, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-REVOKE" "8" "June 1, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
.SH "SYNOPSIS"
.HP 14
\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-revoke\fR
reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key.
.SH "OPTIONS"
.PP
\-h
.RS 4
Emit usage message and exit.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to reside.
.RE
.PP
\-r
.RS 4
After writing the new keyset files remove the original keyset files.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-E \fIengine\fR
.RS 4
Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.PP
\-f
.RS 4
Force overwrite: Causes
\fBdnssec\-revoke\fR
to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
BIND 9 Administrator Reference Manual,
RFC 5011.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
.br

269
bin/dnssec/dnssec-revoke.c Normal file
View File

@ -0,0 +1,269 @@
/*
* Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-revoke.c,v 1.22 2010-05-06 23:50:56 tbox Exp $ */
/*! \file */
#include <config.h>
#include <libgen.h>
#include <stdlib.h>
#include <unistd.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/result.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-revoke";
int verbose;
static isc_mem_t *mctx = NULL;
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
#ifdef USE_PKCS11
fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n");
#else
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -K directory: use directory for key files\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -r: remove old keyfiles after "
"creating revoked version\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
"K<name>+<alg>+<new id>.private\n");
exit (-1);
}
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *filename = NULL, *dir = NULL;
char newname[1024], oldname[1024];
char keystr[DST_KEY_FORMATSIZE];
char *endp;
int ch;
isc_entropy_t *ectx = NULL;
dst_key_t *key = NULL;
isc_uint32_t flags;
isc_buffer_t buf;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t remove = ISC_FALSE;
if (argc == 1)
usage();
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = ISC_TRUE;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
dir = isc_mem_strdup(mctx, isc_commandline_argument);
if (dir == NULL) {
fatal("Failed to allocate memory for "
"directory");
}
break;
case 'r':
remove = ISC_TRUE;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* Falls into */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (argc < isc_commandline_index + 1 ||
argv[isc_commandline_index] == NULL)
fatal("The key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("Extraneous arguments");
if (dir != NULL) {
filename = argv[isc_commandline_index];
} else {
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
&dir, &filename);
if (result != ISC_R_SUCCESS)
fatal("cannot process filename %s: %s",
argv[isc_commandline_index],
isc_result_totext(result));
if (strcmp(dir, ".") == 0) {
isc_mem_free(mctx, dir);
dir = NULL;
}
}
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir,
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile name %s: %s",
filename, isc_result_totext(result));
dst_key_format(key, keystr, sizeof(keystr));
if (verbose > 2)
fprintf(stderr, "%s: %s\n", program, keystr);
if (force)
set_keyversion(key);
else
check_keyversion(key, keystr);
flags = dst_key_flags(key);
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
isc_stdtime_t now;
if ((flags & DNS_KEYFLAG_KSK) == 0)
fprintf(stderr, "%s: warning: Key is not flagged "
"as a KSK. Revoking a ZSK is "
"legal, but undefined.\n",
program);
isc_stdtime_get(&now);
dst_key_settime(key, DST_TIME_REVOKE, now);
dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
isc_buffer_init(&buf, newname, sizeof(newname));
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
if (access(newname, F_OK) == 0 && !force) {
fatal("Key file %s already exists; "
"use -f to force overwrite", newname);
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
dir);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
isc_buffer_clear(&buf);
dst_key_buildfilename(key, 0, dir, &buf);
printf("%s\n", newname);
/*
* Remove old key file, if told to (and if
* it isn't the same as the new file)
*/
if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
isc_buffer_init(&buf, oldname, sizeof(oldname));
dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
if (strcmp(oldname, newname) == 0)
goto cleanup;
if (access(oldname, F_OK) == 0)
unlink(oldname);
isc_buffer_clear(&buf);
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
if (access(oldname, F_OK) == 0)
unlink(oldname);
}
} else {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Key %s is already revoked", keystr);
}
cleanup:
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);
if (dir != NULL)
isc_mem_free(mctx, dir);
isc_mem_destroy(&mctx);
return (0);
}

149
bin/dnssec/dnssec-revoke.docbook Normal file
View File

@ -0,0 +1,149 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-revoke.docbook,v 1.7 2009-11-03 21:44:46 each Exp $ -->
<refentry id="man.dnssec-revoke">
<refentryinfo>
<date>June 1, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-revoke</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-revoke</application></refname>
<refpurpose>Set the REVOKED bit on a DNSSEC key</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-revoke</command>
<arg><option>-hr</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-revoke</command>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
After writing the new keyset files remove the original keyset
files.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f</term>
<listitem>
<para>
Force overwrite: Causes <command>dnssec-revoke</command> to
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

87
bin/dnssec/dnssec-revoke.html Normal file
View File

@ -0,0 +1,87 @@
<!--
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-revoke.html,v 1.9 2010-05-19 01:14:14 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-revoke</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543373"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543385"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-r</span></dt>
<dd><p>
After writing the new keyset files remove the original keyset
files.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</p></dd>
<dt><span class="term">-f</span></dt>
<dd><p>
Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543491"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543515"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

166
bin/dnssec/dnssec-settime.8 Normal file
View File

@ -0,0 +1,166 @@
.\" Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-settime.8,v 1.14 2010-08-17 01:15:26 tbox Exp $
.\"
.hy 0
.ad l
.\" Title: dnssec\-settime
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: July 15, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-SETTIME" "8" "July 15, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-settime \- Set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP 15
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
reads a DNSSEC private key file and sets the key timing metadata as specified by the
\fB\-P\fR,
\fB\-A\fR,
\fB\-R\fR,
\fB\-I\fR, and
\fB\-D\fR
options. The metadata can then be used by
\fBdnssec\-signzone\fR
or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
.PP
If none of these options is set on the command line, then
\fBdnssec\-settime\fR
simply prints the key timing metadata already stored in the key.
.PP
When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
and
\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file.
.SH "OPTIONS"
.PP
\-f
.RS 4
Force an update of an old\-format key with no metadata fields. Without this option,
\fBdnssec\-settime\fR
will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be set to the present time.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to reside.
.RE
.PP
\-h
.RS 4
Emit usage message and exit.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-E \fIengine\fR
.RS 4
Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
.RE
.PP
\-S \fIpredecessor key\fR
.RS 4
Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified. The activation date of the successor key will be set to the inactivation date of the predecessor. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
.sp
If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
.sp
As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
.RE
.SH "PRINTING OPTIONS"
.PP
\fBdnssec\-settime\fR
can also be used to print the timing metadata associated with a key.
.PP
\-u
.RS 4
Print times in UNIX epoch format.
.RE
.PP
\-p \fIC/P/A/R/I/D/all\fR
.RS 4
Print a specific metadata value or set of metadata values. The
\fB\-p\fR
option may be followed by one or more of the following letters to indicate which value or values to print:
\fBC\fR
for the creation date,
\fBP\fR
for the publication date,
\fBA\fR
for the activation date,
\fBR\fR
for the revocation date,
\fBI\fR
for the inactivation date, or
\fBD\fR
for the deletion date. To print all of the metadata, use
\fB\-p all\fR.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 5011.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.br

576
bin/dnssec/dnssec-settime.c Normal file
View File

@ -0,0 +1,576 @@
/*
* Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-settime.c,v 1.28 2010-12-19 07:29:36 each Exp $ */
/*! \file */
#include <config.h>
#include <libgen.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/result.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-settime";
int verbose;
static isc_mem_t *mctx = NULL;
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n");
#ifdef USE_PKCS11
fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n");
#else
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
"revocation date\n");
fprintf(stderr, " -I date/[+-]offset/none: set/unset key "
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, "Printing options:\n");
fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time "
"value or values "
"[default: all]\n");
fprintf(stderr, " -u: print times in unix epoch "
"format\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
"K<name>+<alg>+<new id>.private\n");
exit (-1);
}
static void
printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
FILE *stream)
{
isc_result_t result;
const char *output = NULL;
isc_stdtime_t when;
if (tag != NULL)
fprintf(stream, "%s: ", tag);
result = dst_key_gettime(key, type, &when);
if (result == ISC_R_NOTFOUND) {
fprintf(stream, "UNSET\n");
} else if (epoch) {
fprintf(stream, "%d\n", (int) when);
} else {
time_t time = when;
output = ctime(&time);
fprintf(stream, "%s", output);
}
}
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *filename = NULL, *directory = NULL;
char newname[1024];
char keystr[DST_KEY_FORMATSIZE];
char *endp, *p;
int ch;
isc_entropy_t *ectx = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
dst_key_t *key = NULL;
isc_buffer_t buf;
dns_name_t *name = NULL;
dns_secalg_t alg = 0;
unsigned int size = 0;
isc_uint16_t flags = 0;
int prepub = -1;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
if (argc == 1)
usage();
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
isc_stdtime_get(&now);
#define CMDLINE_FLAGS "A:D:E:fhI:i:K:P:p:R:S:uv:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = ISC_TRUE;
break;
case 'p':
p = isc_commandline_argument;
if (!strcasecmp(p, "all")) {
printcreate = ISC_TRUE;
printpub = ISC_TRUE;
printact = ISC_TRUE;
printrev = ISC_TRUE;
printinact = ISC_TRUE;
printdel = ISC_TRUE;
break;
}
do {
switch (*p++) {
case 'C':
printcreate = ISC_TRUE;
break;
case 'P':
printpub = ISC_TRUE;
break;
case 'A':
printact = ISC_TRUE;
break;
case 'R':
printrev = ISC_TRUE;
break;
case 'I':
printinact = ISC_TRUE;
break;
case 'D':
printdel = ISC_TRUE;
break;
case ' ':
break;
default:
usage();
break;
}
} while (*p != '\0');
break;
case 'u':
epoch = ISC_TRUE;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
directory = isc_mem_strdup(mctx,
isc_commandline_argument);
if (directory == NULL) {
fatal("Failed to allocate memory for "
"directory");
}
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetpub = ISC_TRUE;
} else {
setpub = ISC_TRUE;
pub = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetact = ISC_TRUE;
} else {
setact = ISC_TRUE;
act = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetrev = ISC_TRUE;
} else {
setrev = ISC_TRUE;
rev = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetinact = ISC_TRUE;
} else {
setinact = ISC_TRUE;
inact = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'D':
if (setdel || unsetdel)
fatal("-D specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetdel = ISC_TRUE;
} else {
setdel = ISC_TRUE;
del = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'S':
predecessor = isc_commandline_argument;
break;
case 'i':
prepub = strtottl(isc_commandline_argument);
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* Falls into */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (argc < isc_commandline_index + 1 ||
argv[isc_commandline_index] == NULL)
fatal("The key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("Extraneous arguments");
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
char keystr[DST_KEY_FORMATSIZE];
isc_stdtime_t when;
int major, minor;
if (prepub == -1)
prepub = (30 * 86400);
if (setpub || unsetpub)
fatal("-S and -P cannot be used together");
if (setact || unsetact)
fatal("-S and -A cannot be used together");
result = dst_key_fromnamedfile(predecessor, directory,
DST_TYPE_PUBLIC |
DST_TYPE_PRIVATE,
mctx, &prevkey);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
filename, isc_result_totext(result));
if (!dst_key_isprivate(prevkey))
fatal("%s is not a private key", filename);
name = dst_key_name(prevkey);
alg = dst_key_alg(prevkey);
size = dst_key_size(prevkey);
flags = dst_key_flags(prevkey);
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
fatal("Predecessor has incompatible format "
"version %d.%d\n\t", major, minor);
result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no activation date. "
"You must set one before\n\t"
"generating a successor.");
result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no inactivation date. "
"You must set one before\n\t"
"generating a successor.");
pub = act - prepub;
if (pub < now && prepub != 0)
fatal("Predecessor will become inactive before the\n\t"
"prepublication period ends. Either change "
"its inactivation date,\n\t"
"or use the -i option to set a shorter "
"prepublication interval.");
result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
if (result != ISC_R_SUCCESS)
fprintf(stderr, "%s: WARNING: Predecessor has no "
"removal date;\n\t"
"it will remain in the zone "
"indefinitely after rollover.\n",
program);
changed = setpub = setact = ISC_TRUE;
dst_key_free(&prevkey);
} else {
if (prepub < 0)
prepub = 0;
if (prepub > 0) {
if (setpub && setact && (act - prepub) < pub)
fatal("Activation and publication dates "
"are closer together than the\n\t"
"prepublication interval.");
if (setpub && !setact) {
setact = ISC_TRUE;
act = pub + prepub;
} else if (setact && !setpub) {
setpub = ISC_TRUE;
pub = act - prepub;
}
if ((act - prepub) < now)
fatal("Time until activation is shorter "
"than the\n\tprepublication interval.");
}
}
if (directory != NULL) {
filename = argv[isc_commandline_index];
} else {
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
&directory, &filename);
if (result != ISC_R_SUCCESS)
fatal("cannot process filename %s: %s",
argv[isc_commandline_index],
isc_result_totext(result));
}
result = dst_key_fromnamedfile(filename, directory,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
filename, isc_result_totext(result));
if (!dst_key_isprivate(key))
fatal("%s is not a private key", filename);
dst_key_format(key, keystr, sizeof(keystr));
if (predecessor != NULL) {
if (!dns_name_equal(name, dst_key_name(key)))
fatal("Key name mismatch");
if (alg != dst_key_alg(key))
fatal("Key algorithm mismatch");
if (size != dst_key_size(key))
fatal("Key size mismatch");
if (flags != dst_key_flags(key))
fatal("Key flags mismatch");
}
if (force)
set_keyversion(key);
else
check_keyversion(key, keystr);
if (verbose > 2)
fprintf(stderr, "%s: %s\n", program, keystr);
/*
* Set time values.
*/
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, pub);
else if (unsetpub)
dst_key_unsettime(key, DST_TIME_PUBLISH);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, act);
else if (unsetact)
dst_key_unsettime(key, DST_TIME_ACTIVATE);
if (setrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; changing the revocation date "
"will not affect this.\n",
program, keystr);
if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0)
fprintf(stderr, "%s: warning: Key %s is not flagged as "
"a KSK, but -R was used. Revoking a "
"ZSK is legal, but undefined.\n",
program, keystr);
dst_key_settime(key, DST_TIME_REVOKE, rev);
} else if (unsetrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; removing the revocation date "
"will not affect this.\n",
program, keystr);
dst_key_unsettime(key, DST_TIME_REVOKE);
}
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inact);
else if (unsetinact)
dst_key_unsettime(key, DST_TIME_INACTIVE);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
else if (unsetdel)
dst_key_unsettime(key, DST_TIME_DELETE);
/*
* Print out time values, if -p was used.
*/
if (printcreate)
printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
if (printpub)
printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
if (printact)
printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
if (printrev)
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
if (printinact)
printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
if (changed) {
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build public key filename: %s",
isc_result_totext(result));
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
printf("%s\n", newname);
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build private key filename: %s",
isc_result_totext(result));
}
printf("%s\n", newname);
}
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_free(mctx, directory);
isc_mem_destroy(&mctx);
return (0);
}

319
bin/dnssec/dnssec-settime.docbook Normal file
View File

@ -0,0 +1,319 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.docbook,v 1.11 2010-08-16 22:21:06 marka Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-settime</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-settime</application></refname>
<refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-settime</command>
<arg><option>-f</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
<option>-R</option>, <option>-I</option>, and <option>-D</option>
options. The metadata can then be used by
<command>dnssec-signzone</command> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
</para>
<para>
If none of these options is set on the command line,
then <command>dnssec-settime</command> simply prints the key timing
metadata already stored in the key.
</para>
<para>
When key metadata fields are changed, both files of a key
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-f</term>
<listitem>
<para>
Force an update of an old-format key with no metadata fields.
Without this option, <command>dnssec-settime</command> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TIMING OPTIONS</title>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">predecessor key</replaceable></term>
<listitem>
<para>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>PRINTING OPTIONS</title>
<para>
<command>dnssec-settime</command> can also be used to print the
timing metadata associated with a key.
</para>
<variablelist>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Print times in UNIX epoch format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">C/P/A/R/I/D/all</replaceable></term>
<listitem>
<para>
Print a specific metadata value or set of metadata values.
The <option>-p</option> option may be followed by one or more
of the following letters to indicate which value or values to print:
<option>C</option> for the creation date,
<option>P</option> for the publication date,
<option>A</option> for the activation date,
<option>R</option> for the revocation date,
<option>I</option> for the inactivation date, or
<option>D</option> for the deletion date.
To print all of the metadata, use <option>-p all</option>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

208
bin/dnssec/dnssec-settime.html Normal file
View File

@ -0,0 +1,208 @@
<!--
- Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.html,v 1.14 2010-08-17 01:15:26 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-settime</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543419"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
<code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
options. The metadata can then be used by
<span><strong class="command">dnssec-signzone</strong></span> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
</p>
<p>
If none of these options is set on the command line,
then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
metadata already stored in the key.
</p>
<p>
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543467"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
Force an update of an old-format key with no metadata fields.
Without this option, <span><strong class="command">dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543559"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543698"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-u</span></dt>
<dd><p>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
<dd><p>
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543912"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543945"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

162
bin/dnssec/dnssec-signzone.8
View File

@ -13,18 +13,18 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.47.44.8 2009-11-07 01:56:11 tbox Exp $
.\" $Id: dnssec-signzone.8,v 1.59 2009-12-04 01:13:44 tbox Exp $
.\"
.hy 0
.ad l
.\" Title: dnssec\-signzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: June 08, 2009
.\" Date: June 05, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-SIGNZONE" "8" "June 08, 2009" "BIND9" "BIND9"
.TH "DNSSEC\-SIGNZONE" "8" "June 05, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@ -33,15 +33,13 @@
dnssec\-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP 16
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-signzone\fR
signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. It also generates a
\fIkeyset\-\fR
file containing the key\-signing keys for the zone, and if signing a zone which contains delegations, it can optionally generate DS records for the child zones from their
\fIkeyset\-\fR
files.
signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
\fIkeyset\fR
file for each child zone.
.SH "OPTIONS"
.PP
\-a
@ -54,6 +52,45 @@ Verify all generated signatures.
Specifies the DNS class of the zone.
.RE
.PP
\-C
.RS 4
Compatibility mode: Generate a
\fIkeyset\-\fR\fI\fIzonename\fR\fR
file in addition to
\fIdsset\-\fR\fI\fIzonename\fR\fR
when signing a zone, for use by older versions of
\fBdnssec\-signzone\fR.
.RE
.PP
\-d \fIdirectory\fR
.RS 4
Look for
\fIdsset\-\fR
or
\fIkeyset\-\fR
files in
\fBdirectory\fR.
.RE
.PP
\-E \fIengine\fR
.RS 4
Uses a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance signing with private keys from a secure key store. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.PP
\-g
.RS 4
Generate DS records for child zones from
\fIdsset\-\fR
or
\fIkeyset\-\fR
file. Existing DS records will be removed.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory.
.RE
.PP
\-k \fIkey\fR
.RS 4
Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
@ -64,22 +101,6 @@ Treat specified key as a key signing key ignoring any key flags. This option may
Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
.RE
.PP
\-d \fIdirectory\fR
.RS 4
Look for
\fIkeyset\fR
files in
\fBdirectory\fR
as the directory
.RE
.PP
\-g
.RS 4
If the zone contains any delegations, and there are
\fIkeyset\-\fR
files for any of the child zones, then DS records for the child zones will be generated from the keys in those files. Existing DS records will be removed.
.RE
.PP
\-s \fIstart\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
@ -93,6 +114,9 @@ Specify the date and time when the generated RRSIG records expire. As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
\fBend\-time\fR
is specified, 30 days from the start time is used as a default.
\fBend\-time\fR
must be later than
\fBstart\-time\fR.
.RE
.PP
\-f \fIoutput\-file\fR
@ -208,34 +232,94 @@ specifies the name of a character device or file containing random data to be us
indicates that keyboard input should be used.
.RE
.PP
\-S
.RS 4
Smart signing: Instructs
\fBdnssec\-signzone\fR
to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.
.sp
When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:
.RS 4
.PP
.RS 4
If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone.
.RE
.PP
.RS 4
If the key's publication date is set and is in the past, the key is published in the zone.
.RE
.PP
.RS 4
If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone.
.RE
.PP
.RS 4
If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone.
.RE
.PP
.RS 4
If either of the key's unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata.
.RE
.RE
.RE
.PP
\-T \fIttl\fR
.RS 4
Specifies the TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the minimum TTL value from the zone's SOA record. This option is ignored when signing without
\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match them.
.RE
.PP
\-t
.RS 4
Print statistics at completion.
.RE
.PP
\-u
.RS 4
Update NSEC/NSEC3 chain when re\-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option,
\fBdnssec\-signzone\fR
will retain the existing chain when re\-signing.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-x
.RS 4
Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys. (This is similar to the
\fBdnssec\-dnskey\-kskonly yes;\fR
zone option in
\fBnamed\fR.)
.RE
.PP
\-z
.RS 4
Ignore KSK flag on key when determining what to sign.
Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the
\fBupdate\-check\-ksk no;\fR
zone option in
\fBnamed\fR.)
.RE
.PP
\-3 \fIsalt\fR
.RS 4
Generate a NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
Generate an NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
.RE
.PP
\-H \fIiterations\fR
.RS 4
When generating a NSEC3 chain use this many interations. The default is 100.
When generating an NSEC3 chain, use this many interations. The default is 10.
.RE
.PP
\-A
.RS 4
When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
.sp
Using this option twice (i.e.,
\fB\-AA\fR) turns the OPTOUT flag off for all records. This is useful when using the
\fB\-u\fR
option to modify an NSEC3 chain which previously had OPTOUT set.
.RE
.PP
zonefile
@ -253,9 +337,11 @@ The following command signs the
\fBexample.com\fR
zone with the DSA key generated by
\fBdnssec\-keygen\fR
(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
\fIkeyset\fR
files, in the current directory, so that DS records can be generated from them (\fB\-g\fR).
(Kexample.com.+003+17247). Because the
\fB\-S\fR
option is not being used, the zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
\fIdsset\fR
files, in the current directory, so that DS records can be imported from them (\fB\-g\fR).
.sp
.RS 4
.nf
@ -283,18 +369,6 @@ db.example.com.signed
%
.fi
.RE
.SH "KNOWN BUGS"
.PP
\fBdnssec\-signzone\fR
was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully\-signed zone. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially\-signed zone to a second machine, and sign it again with a second key.
.PP
An unfortunate side\-effect of this flexibility is that
\fBdnssec\-signzone\fR
does not check to make sure it's signing a zone with any valid keys at all. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures. There is no warning issued when a zone is not fully signed.
.PP
This will be corrected in a future release. In the meantime, ISC recommends examining the output of
\fBdnssec\-signzone\fR
to confirm that the zone is properly signed by all keys before using it.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),

1173
bin/dnssec/dnssec-signzone.c
View File

File diff suppressed because it is too large Load Diff

264
bin/dnssec/dnssec-signzone.docbook
View File

@ -18,10 +18,10 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.31.44.8 2009-11-06 21:36:22 each Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.44 2009-12-03 23:18:16 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 08, 2009</date>
<date>June 05, 2009</date>
</refentryinfo>
<refmeta>
@ -60,10 +60,12 @@
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg><option>-g</option></arg>
<arg><option>-h</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
@ -75,9 +77,13 @@
<arg><option>-p</option></arg>
<arg><option>-P</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-S</option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-t</option></arg>
<arg><option>-u</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
<arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
@ -92,10 +98,10 @@
<para><command>dnssec-signzone</command>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. It also generates a <filename>keyset-</filename> file containing
the key-signing keys for the zone, and if signing a zone which
contains delegations, it can optionally generate DS records for
the child zones from their <filename>keyset-</filename> files.
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<filename>keyset</filename> file for each child zone.
</para>
</refsect1>
@ -121,6 +127,63 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: Generate a
<filename>keyset-<replaceable>zonename</replaceable></filename>
file in addition to
<filename>dsset-<replaceable>zonename</replaceable></filename>
when signing a zone, for use by older versions of
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for <filename>dsset-</filename> or
<filename>keyset-</filename> files in <option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Uses a crypto hardware (OpenSSL engine) for the crypto operations
it supports, for instance signing with private keys from
a secure key store. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Generate DS records for child zones from
<filename>dsset-</filename> or <filename>keyset-</filename>
file. Existing DS records will be removed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">key</replaceable></term>
<listitem>
@ -141,28 +204,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for <filename>keyset</filename> files in
<option>directory</option> as the directory
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
If the zone contains any delegations, and there are
<filename>keyset-</filename> files for any of the child zones,
then DS records for the child zones will be generated from the
keys in those files. Existing DS records will be removed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
@ -190,6 +231,8 @@
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
<option>end-time</option> must be later than
<option>start-time</option>.
</para>
</listitem>
</varlistentry>
@ -395,6 +438,89 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-S</term>
<listitem>
<para>
Smart signing: Instructs <command>dnssec-signzone</command> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</para>
<para>
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
ones:
</para>
<variablelist>
<varlistentry>
<listitem>
<para>
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's publication date is set and is in the past, the
key is published in the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specifies the TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not specified,
the default is the minimum TTL value from the zone's SOA
record. This option is ignored when signing without
<option>-S</option>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t</term>
<listitem>
@ -404,6 +530,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
Without this option, <command>dnssec-signzone</command> will
retain the existing chain when re-signing.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
@ -413,11 +553,27 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<command>dnssec-dnskey-kskonly yes;</command> zone option in
<command>named</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Ignore KSK flag on key when determining what to sign.
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<command>update-check-ksk no;</command> zone option in
<command>named</command>.)
</para>
</listitem>
</varlistentry>
@ -426,7 +582,7 @@
<term>-3 <replaceable class="parameter">salt</replaceable></term>
<listitem>
<para>
Generate a NSEC3 chain with the given hex encoded salt.
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<replaceable class="parameter">salt</replaceable>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</para>
@ -437,8 +593,8 @@
<term>-H <replaceable class="parameter">iterations</replaceable></term>
<listitem>
<para>
When generating a NSEC3 chain use this many interations. The
default is 100.
When generating an NSEC3 chain, use this many interations. The
default is 10.
</para>
</listitem>
</varlistentry>
@ -447,10 +603,16 @@
<term>-A</term>
<listitem>
<para>
When generating a NSEC3 chain set the OPTOUT flag on all
When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</para>
<para>
Using this option twice (i.e., <option>-AA</option>)
turns the OPTOUT flag off for all records. This is useful
when using the <option>-u</option> option to modify an NSEC3
chain which previously had OPTOUT set.
</para>
</listitem>
</varlistentry>
@ -484,10 +646,11 @@
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated by <command>dnssec-keygen</command>
(Kexample.com.+003+17247). The zone's keys must be in the master
file (<filename>db.example.com</filename>). This invocation looks
for <filename>keyset</filename> files, in the current directory,
so that DS records can be generated from them (<command>-g</command>).
(Kexample.com.+003+17247). Because the <command>-S</command> option
is not being used, the zone's keys must be in the master file
(<filename>db.example.com</filename>). This invocation looks
for <filename>dsset</filename> files, in the current directory,
so that DS records can be imported from them (<command>-g</command>).
</para>
<programlisting>% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
@ -509,33 +672,6 @@ db.example.com.signed
%</programlisting>
</refsect1>
<refsect1>
<title>KNOWN BUGS</title>
<para>
<command>dnssec-signzone</command> was designed so that it could
sign a zone partially, using only a subset of the DNSSEC keys
needed to produce a fully-signed zone. This permits a zone
administrator, for example, to sign a zone with one key on one
machine, move the resulting partially-signed zone to a second
machine, and sign it again with a second key.
</para>
<para>
An unfortunate side-effect of this flexibility is that
<command>dnssec-signzone</command> does not check to make sure
it's signing a zone with any valid keys at all. An attempt to
sign a zone without any keys will appear to succeed, producing
a "signed" zone with no signatures. There is no warning issued
when a zone is not fully signed.
</para>
<para>
This will be corrected in a future release. In the meantime, ISC
recommends examining the output of <command>dnssec-signzone</command>
to confirm that the zone is properly signed by all keys before
using it.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>

200
bin/dnssec/dnssec-signzone.html
View File

@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.33.44.8 2009-11-07 01:56:11 tbox Exp $ -->
<!-- $Id: dnssec-signzone.html,v 1.45 2009-12-04 01:13:44 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@ -29,21 +29,21 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543558"></a><h2>DESCRIPTION</h2>
<a name="id2543596"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. It also generates a <code class="filename">keyset-</code> file containing
the key-signing keys for the zone, and if signing a zone which
contains delegations, it can optionally generate DS records for
the child zones from their <code class="filename">keyset-</code> files.
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543576"></a><h2>OPTIONS</h2>
<a name="id2543611"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@ -53,6 +53,38 @@
<dd><p>
Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: Generate a
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
<span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for <code class="filename">dsset-</code> or
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Uses a crypto hardware (OpenSSL engine) for the crypto operations
it supports, for instance signing with private keys from
a secure key store. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
Generate DS records for child zones from
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
file. Existing DS records will be removed.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Treat specified key as a key signing key ignoring any
@ -63,18 +95,6 @@
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for <code class="filename">keyset</code> files in
<code class="option">directory</code> as the directory
</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
If the zone contains any delegations, and there are
<code class="filename">keyset-</code> files for any of the child zones,
then DS records for the child zones will be generated from the
keys in those files. Existing DS records will be removed.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
Specify the date and time when the generated RRSIG records
@ -95,6 +115,8 @@
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
<code class="option">end-time</code> must be later than
<code class="option">start-time</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
@ -229,35 +251,119 @@
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</p>
<p>
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
ones:
</p>
<div class="variablelist"><dl>
<dt></dt>
<dd><p>
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's publication date is set and is in the past, the
key is published in the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
</p></dd>
</dl></div>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Specifies the TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not specified,
the default is the minimum TTL value from the zone's SOA
record. This option is ignored when signing without
<code class="option">-S</code>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them.
</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
Print statistics at completion.
</p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
retain the existing chain when re-signing.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Ignore KSK flag on key when determining what to sign.
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<span><strong class="command">update-check-ksk no;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
Generate a NSEC3 chain with the given hex encoded salt.
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<em class="replaceable"><code>salt</code></em>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
When generating a NSEC3 chain use this many interations. The
default is 100.
When generating an NSEC3 chain, use this many interations. The
default is 10.
</p></dd>
<dt><span class="term">-A</span></dt>
<dd><p>
When generating a NSEC3 chain set the OPTOUT flag on all
<dd>
<p>
When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</p></dd>
</p>
<p>
Using this option twice (i.e., <code class="option">-AA</code>)
turns the OPTOUT flag off for all records. This is useful
when using the <code class="option">-u</code> option to modify an NSEC3
chain which previously had OPTOUT set.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
@ -273,14 +379,15 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544503"></a><h2>EXAMPLE</h2>
<a name="id2544896"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). The zone's keys must be in the master
file (<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">keyset</code> files, in the current directory,
so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
(Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
is not being used, the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files, in the current directory,
so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
@ -302,39 +409,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2544554"></a><h2>KNOWN BUGS</h2>
<p>
<span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
sign a zone partially, using only a subset of the DNSSEC keys
needed to produce a fully-signed zone. This permits a zone
administrator, for example, to sign a zone with one key on one
machine, move the resulting partially-signed zone to a second
machine, and sign it again with a second key.
</p>
<p>
An unfortunate side-effect of this flexibility is that
<span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
it's signing a zone with any valid keys at all. An attempt to
sign a zone without any keys will appear to succeed, producing
a "signed" zone with no signatures. There is no warning issued
when a zone is not fully signed.
</p>
<p>
This will be corrected in a future release. In the meantime, ISC
recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
to confirm that the zone is properly signed by all keys before
using it.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544716"></a><h2>SEE ALSO</h2>
<a name="id2545019"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544741"></a><h2>AUTHOR</h2>
<a name="id2545044"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

223
bin/dnssec/dnssectool.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssectool.c,v 1.45.334.5 2009-06-22 05:05:00 marka Exp $ */
/* $Id: dnssectool.c,v 1.60 2010-01-19 23:48:56 tbox Exp $ */
/*! \file */
@ -28,6 +28,7 @@
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/dir.h>
#include <isc/entropy.h>
#include <isc/list.h>
#include <isc/mem.h>
@ -36,6 +37,8 @@
#include <isc/util.h>
#include <isc/print.h>
#include <dns/dnssec.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdatastruct.h>
@ -110,39 +113,16 @@ type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
r.base[r.length] = 0;
}
void
alg_format(const dns_secalg_t alg, char *cp, unsigned int size) {
isc_buffer_t b;
isc_region_t r;
isc_result_t result;
isc_buffer_init(&b, cp, size - 1);
result = dns_secalg_totext(alg, &b);
check_result(result, "dns_secalg_totext()");
isc_buffer_usedregion(&b, &r);
r.base[r.length] = 0;
}
void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[DNS_NAME_FORMATSIZE];
dns_name_format(&sig->signer, namestr, sizeof(namestr));
alg_format(sig->algorithm, algstr, sizeof(algstr));
dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
}
void
key_format(const dst_key_t *key, char *cp, unsigned int size) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[DNS_NAME_FORMATSIZE];
dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr));
snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
}
void
setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
isc_result_t result;
@ -265,32 +245,92 @@ cleanup_entropy(isc_entropy_t **ectx) {
isc_entropy_detach(ectx);
}
static isc_stdtime_t
time_units(isc_stdtime_t offset, char *suffix, const char *str) {
switch (suffix[0]) {
case 'Y': case 'y':
return (offset * (365 * 24 * 3600));
case 'M': case 'm':
switch (suffix[1]) {
case 'O': case 'o':
return (offset * (30 * 24 * 3600));
case 'I': case 'i':
return (offset * 60);
case '\0':
fatal("'%s' ambiguous: use 'mi' for minutes "
"or 'mo' for months", str);
default:
fatal("time value %s is invalid", str);
}
/* NOTREACHED */
break;
case 'W': case 'w':
return (offset * (7 * 24 * 3600));
case 'D': case 'd':
return (offset * (24 * 3600));
case 'H': case 'h':
return (offset * 3600);
case 'S': case 's': case '\0':
return (offset);
default:
fatal("time value %s is invalid", str);
}
/* NOTREACHED */
return(0); /* silence compiler warning */
}
dns_ttl_t
strtottl(const char *str) {
const char *orig = str;
dns_ttl_t ttl;
char *endp;
ttl = strtol(str, &endp, 0);
if (ttl == 0 && endp == str)
fatal("TTL must be numeric");
ttl = time_units(ttl, endp, orig);
return (ttl);
}
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
isc_int64_t val, offset;
isc_result_t result;
const char *orig = str;
char *endp;
if (str[0] == '+') {
if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
return ((isc_stdtime_t) 0);
if (strncmp(str, "now", 3) == 0) {
base = now;
str += 3;
}
if (str[0] == '\0')
return ((isc_stdtime_t) base);
else if (str[0] == '+') {
offset = strtol(str + 1, &endp, 0);
if (*endp != '\0')
fatal("time value %s is invalid", str);
offset = time_units((isc_stdtime_t) offset, endp, orig);
val = base + offset;
} else if (strncmp(str, "now+", 4) == 0) {
offset = strtol(str + 4, &endp, 0);
if (*endp != '\0')
fatal("time value %s is invalid", str);
val = now + offset;
} else if (str[0] == '-') {
offset = strtol(str + 1, &endp, 0);
offset = time_units((isc_stdtime_t) offset, endp, orig);
val = base - offset;
} else if (strlen(str) == 8U) {
char timestr[15];
sprintf(timestr, "%s000000", str);
result = dns_time64_fromtext(timestr, &val);
if (result != ISC_R_SUCCESS)
fatal("time value %s is invalid", str);
fatal("time value %s is invalid: %s", orig,
isc_result_totext(result));
} else if (strlen(str) > 14U) {
fatal("time value %s is invalid", orig);
} else {
result = dns_time64_fromtext(str, &val);
if (result != ISC_R_SUCCESS)
fatal("time value %s is invalid", str);
fatal("time value %s is invalid: %s", orig,
isc_result_totext(result));
}
return ((isc_stdtime_t) val);
@ -311,3 +351,114 @@ strtoclass(const char *str) {
fatal("unknown class %s", str);
return (rdclass);
}
isc_result_t
try_dir(const char *dirname) {
isc_result_t result;
isc_dir_t d;
isc_dir_init(&d);
result = isc_dir_open(&d, dirname);
if (result == ISC_R_SUCCESS) {
isc_dir_close(&d);
}
return (result);
}
/*
* Check private key version compatibility.
*/
void
check_keyversion(dst_key_t *key, char *keystr) {
int major, minor;
dst_key_getprivateformat(key, &major, &minor);
INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
fatal("Key %s has incompatible format version %d.%d, "
"use -f to force upgrade to new version.",
keystr, major, minor);
if (minor > DST_MINOR_VERSION)
fatal("Key %s has incompatible format version %d.%d, "
"use -f to force downgrade to current version.",
keystr, major, minor);
}
void
set_keyversion(dst_key_t *key) {
int major, minor;
dst_key_getprivateformat(key, &major, &minor);
INSIST(major <= DST_MAJOR_VERSION);
if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
dst_key_setprivateformat(key, DST_MAJOR_VERSION,
DST_MINOR_VERSION);
/*
* If the key is from a version older than 1.3, set
* set the creation date
*/
if (major < 1 || (major == 1 && minor <= 2)) {
isc_stdtime_t now;
isc_stdtime_get(&now);
dst_key_settime(key, DST_TIME_CREATED, now);
}
}
isc_boolean_t
key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact)
{
isc_result_t result;
isc_boolean_t conflict = ISC_FALSE;
dns_dnsseckeylist_t matchkeys;
dns_dnsseckey_t *key = NULL;
isc_uint16_t oldid, diff;
isc_uint16_t bits = DNS_KEYFLAG_REVOKE; /* flag bits to look for */
if (exact != NULL)
*exact = ISC_FALSE;
ISC_LIST_INIT(matchkeys);
result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
if (result == ISC_R_NOTFOUND)
return (ISC_FALSE);
while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
key = ISC_LIST_HEAD(matchkeys);
if (dst_key_alg(key->key) != alg)
goto next;
oldid = dst_key_id(key->key);
diff = (oldid > id) ? (oldid - id) : (id - oldid);
if ((diff & ~bits) == 0) {
conflict = ISC_TRUE;
if (diff != 0) {
if (verbose > 1)
fprintf(stderr, "Key ID %d could "
"collide with %d\n",
id, oldid);
} else {
if (exact != NULL)
*exact = ISC_TRUE;
if (verbose > 1)
fprintf(stderr, "Key ID %d exists\n",
id);
}
}
next:
ISC_LIST_UNLINK(matchkeys, key, link);
dns_dnsseckey_destroy(mctx, &key);
}
/* Finish freeing the list */
while (!ISC_LIST_EMPTY(matchkeys)) {
key = ISC_LIST_HEAD(matchkeys);
ISC_LIST_UNLINK(matchkeys, key, link);
dns_dnsseckey_destroy(mctx, &key);
}
return (conflict);
}

33
bin/dnssec/dnssectool.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2007-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssectool.h,v 1.22.48.2 2009-09-04 23:46:58 tbox Exp $ */
/* $Id: dnssectool.h,v 1.31 2010-01-19 23:48:56 tbox Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
@ -27,8 +27,9 @@
typedef void (fatalcallback_t)(void);
void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
void
setfatalcallback(fatalcallback_t *callback);
@ -43,17 +44,9 @@ void
type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
#define TYPE_FORMATSIZE 20
void
alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
#define ALG_FORMATSIZE 20
void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
void
key_format(const dst_key_t *key, char *cp, unsigned int size);
#define KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
void
setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
@ -67,10 +60,24 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
void
cleanup_entropy(isc_entropy_t **ectx);
dns_ttl_t strtottl(const char *str);
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base);
dns_rdataclass_t
strtoclass(const char *str);
isc_result_t
try_dir(const char *dirname);
void
check_keyversion(dst_key_t *key, char *keystr);
void
set_keyversion(dst_key_t *key);
isc_boolean_t
key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact);
#endif /* DNSSEC_DNSSECTOOL_H */

33
bin/named/Makefile.in
View File

@ -1,4 +1,4 @@
# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.101 2008-09-23 17:25:47 jinmei Exp $
# $Id: Makefile.in,v 1.114 2010-12-22 09:00:40 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -43,9 +43,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
CDEFINES = @USE_DLZ@
CDEFINES = @USE_DLZ@ @USE_PKCS11@ @USE_OPENSSL@
CWARNINGS =
@ -53,6 +53,7 @@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
@ -70,6 +71,10 @@ LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
SUBDIRS = unix
TARGETS = named@EXEEXT@ lwresd@EXEEXT@
@ -86,10 +91,12 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
UOBJS = unix/os.@O@
SYMOBJS = symtbl.@O@
SRCS = builtin.c client.c config.c control.c \
controlconf.c interfacemgr.c \
listenlist.c log.c logconf.c main.c notify.c \
query.c server.c sortlist.c statschannel.c \
query.c server.c sortlist.c statschannel.c symtbl.c symtbl-empty.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -111,15 +118,20 @@ main.@O@: main.c
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
config.@O@: config.c
bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/bindkeys.pl
${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@
config.@O@: config.c bind.keys.h
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
${OBJS} ${UOBJS} ${LIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
lwresd@EXEEXT@: named@EXEEXT@
rm -f lwresd@EXEEXT@
@ -133,7 +145,10 @@ docclean manclean maintainer-clean::
clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
bind9.xsl.h: bind9.xsl convertxsl.pl
maintainer-clean::
rm -f bind.keys.h
bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
depend: bind9.xsl.h

99
bin/named/bind.keys.h Normal file
View File

@ -0,0 +1,99 @@
/*
* Generated by bindkeys.pl 1.7 2011-01-04 23:47:13 tbox Exp
* From bind.keys 1.7 2011-01-03 23:45:07 each Exp
*/
#define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
trusted-keys {\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# in named.conf.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\
"
#define MANAGED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
managed-keys {\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# in named.conf.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\
"

2
bin/named/bind9.xsl
View File

@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: bind9.xsl,v 1.19.82.2 2009-01-29 23:47:43 tbox Exp $ -->
<!-- $Id: bind9.xsl,v 1.21 2009-01-27 23:47:54 tbox Exp $ -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

4
bin/named/bind9.xsl.h
View File

@ -1,6 +1,6 @@
/*
* Generated by convertxsl.pl 1.14 2008-07-17 23:43:26 jinmei Exp
* From bind9.xsl 1.19.82.2 2009-01-29 23:47:43 tbox Exp
* From bind9.xsl 1.21 2009-01-27 23:47:54 tbox Exp
*/
static char xslmsg[] =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
@ -20,7 +20,7 @@ static char xslmsg[] =
" - PERFORMANCE OF THIS SOFTWARE.\n"
"-->\n"
"\n"
"<!-- \045Id: bind9.xsl,v 1.19.82.2 2009-01-29 23:47:43 tbox Exp \045 -->\n"
"<!-- \045Id: bind9.xsl,v 1.21 2009-01-27 23:47:54 tbox Exp \045 -->\n"
"\n"
"<xsl:stylesheet version=\"1.0\"\n"
" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"

205
bin/named/builtin.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: builtin.c,v 1.12.334.3 2010-08-03 23:45:47 tbox Exp $ */
/* $Id: builtin.c,v 1.20 2011-01-07 23:47:07 tbox Exp $ */
/*! \file
* \brief
@ -47,6 +47,7 @@ static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_dns64_lookup(dns_sdblookup_t *lookup);
/*
* We can't use function pointers as the db_data directly
@ -65,9 +66,179 @@ static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL };
static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL };
static builtin_t id_builtin = { do_id_lookup, NULL, NULL };
static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL };
static builtin_t dns64_builtin = { do_dns64_lookup, NULL, NULL };
static dns_sdbimplementation_t *builtin_impl;
static const char hex[] = "0123456789abcdef";
static const char HEX[] = "0123456789ABCDEF";
static isc_result_t
dns64_cname(const char *zone, const char *name, dns_sdblookup_t *lookup) {
size_t zlen, nlen, j;
const char *s;
unsigned char v[16];
unsigned int i;
char reverse[sizeof("123.123.123.123.in-addr.arpa.")];
/*
* The sum the length of the relative name and the length of the zone
* name for a IPv6 reverse lookup comes to 71.
*
* The reverse of 2001::10.0.0.1 (dns64 2001::/96) has a zone of
* "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa"
* and a name of "1.0.0.0.0.0.a.0". The sum of the lengths of these
* two strings is 71.
*
* The minimum length for a ip6.arpa zone name is 8.
*
* The length of name should always be odd as we are expecting
* a series of nibbles.
*/
zlen = strlen(zone);
nlen = strlen(name);
if ((zlen + nlen) > 71U || zlen < 8U || (nlen % 2) != 1U)
return (ISC_R_NOTFOUND);
/*
* We assume the zone name is well formed.
*/
/*
* XXXMPA We could check the dns64 suffix here if we need to.
*/
/*
* Check that name is a series of nibbles.
* Compute the byte values that correspond to the nibbles as we go.
*
* Shift the final result 4 bits, by setting 'i' to 1, if we if we
* have a odd number of nibbles so that "must be zero" tests below
* are byte aligned and we correctly return ISC_R_NOTFOUND or
* ISC_R_SUCCESS. We will not generate a CNAME in this case.
*/
i = (nlen % 4) == 1U ? 1 : 0;
j = nlen;
memset(v, 0, sizeof(v));
while (j >= 1U) {
INSIST((i/2) < sizeof(v));
if (j > 1U && name[1] != '.')
return (ISC_R_NOTFOUND);
v[i/2] >>= 4;
if ((s = strchr(hex, name[0])) != NULL)
v[i/2] |= (s - hex) << 4;
else if ((s = strchr(HEX, name[0])) != NULL)
v[i/2] |= (s - HEX) << 4;
else
return (ISC_R_NOTFOUND);
if (j > 1U)
j -= 2;
else
j -= 1;
name += 2;
i++;
}
/*
* If we get here then we know name only consisted of nibbles.
* Now we need to determine if the name exists or not and whether
* it corresponds to a empty node in the zone or there should be
* a CNAME.
*/
switch (zlen) {
case 24: /* prefix len 32 */
/*
* If the total length is not 71 then this is a empty node
* so return success.
*/
if (nlen + zlen != 71U)
return (ISC_R_SUCCESS);
snprintf(reverse, sizeof(reverse), "%u.%u.%u.%u.in-addr.arpa.",
v[8], v[9], v[10], v[11]);
break;
case 28: /* prefix len 40 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (nlen > 11U && v[nlen/4 - 3] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 71 then this is a empty node
* so return success.
*/
if (nlen + zlen != 71U)
return (ISC_R_SUCCESS);
snprintf(reverse, sizeof(reverse), "%u.%u.%u.%u.in-addr.arpa.",
v[6], v[8], v[9], v[10]);
break;
case 32: /* prefix len 48 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (nlen > 7U && v[nlen/4 - 2] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 71 then this is a empty node
* so return success.
*/
if (nlen + zlen != 71U)
return (ISC_R_SUCCESS);
snprintf(reverse, sizeof(reverse), "%u.%u.%u.%u.in-addr.arpa.",
v[5], v[6], v[8], v[9]);
break;
case 36: /* prefix len 56 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (nlen > 3U && v[nlen/4 - 1] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 71 then this is a empty node
* so return success.
*/
if (nlen + zlen != 71U)
return (ISC_R_SUCCESS);
snprintf(reverse, sizeof(reverse), "%u.%u.%u.%u.in-addr.arpa.",
v[4], v[5], v[6], v[8]);
break;
case 40: /* prefix len 64 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (v[nlen/4] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 71 then this is a empty node
* so return success.
*/
if (nlen + zlen != 71U)
return (ISC_R_SUCCESS);
snprintf(reverse, sizeof(reverse), "%u.%u.%u.%u.in-addr.arpa.",
v[3], v[4], v[5], v[6]);
break;
case 56: /* prefix len 96 */
/*
* If the total length is not 71 then this is a empty node
* so return success.
*/
if (nlen + zlen != 71U)
return (ISC_R_SUCCESS);
snprintf(reverse, sizeof(reverse), "%u.%u.%u.%u.in-addr.arpa.",
v[0], v[1], v[2], v[3]);
break;
default:
/*
* This should never be reached unless someone adds a
* zone declaration with this internal type to named.conf.
*/
return (ISC_R_NOTFOUND);
}
return (dns_sdb_putrr(lookup, "CNAME", 600, reverse));
}
static isc_result_t
builtin_lookup(const char *zone, const char *name, void *dbdata,
dns_sdblookup_t *lookup)
@ -78,6 +249,8 @@ builtin_lookup(const char *zone, const char *name, void *dbdata,
if (strcmp(name, "@") == 0)
return (b->do_lookup(lookup));
else if (b->do_lookup == do_dns64_lookup)
return (dns64_cname(zone, name, lookup));
else
return (ISC_R_NOTFOUND);
}
@ -132,11 +305,13 @@ do_authors_lookup(dns_sdblookup_t *lookup) {
"Michael Graff",
"Andreas Gustafsson",
"Bob Halley",
"Evan Hunt",
"JINMEI Tatuya",
"David Lawrence",
"Danny Mayer",
"Damien Neil",
"Matt Nelson",
"Jeremy C. Reed",
"Michael Sawyer",
"Brian Wellington",
NULL
@ -173,6 +348,12 @@ do_id_lookup(dns_sdblookup_t *lookup) {
return (put_txt(lookup, ns_g_server->server_id));
}
static isc_result_t
do_dns64_lookup(dns_sdblookup_t *lookup) {
UNUSED(lookup);
return (ISC_R_SUCCESS);
}
static isc_result_t
do_empty_lookup(dns_sdblookup_t *lookup) {
@ -220,7 +401,7 @@ builtin_create(const char *zone, int argc, char **argv,
UNUSED(zone);
UNUSED(driverdata);
if (strcmp(argv[0], "empty") == 0) {
if (strcmp(argv[0], "empty") == 0 || strcmp(argv[0], "dns64") == 0) {
if (argc != 3)
return (DNS_R_SYNTAX);
} else if (argc != 1)
@ -234,7 +415,8 @@ builtin_create(const char *zone, int argc, char **argv,
*dbdata = &authors_builtin;
else if (strcmp(argv[0], "id") == 0)
*dbdata = &id_builtin;
else if (strcmp(argv[0], "empty") == 0) {
else if (strcmp(argv[0], "empty") == 0 ||
strcmp(argv[0], "dns64") == 0) {
builtin_t *empty;
char *server;
char *contact;
@ -246,7 +428,10 @@ builtin_create(const char *zone, int argc, char **argv,
server = isc_mem_strdup(ns_g_mctx, argv[1]);
contact = isc_mem_strdup(ns_g_mctx, argv[2]);
if (empty == NULL || server == NULL || contact == NULL) {
*dbdata = &empty_builtin;
if (strcmp(argv[0], "empty") == 0)
*dbdata = &empty_builtin;
else
*dbdata = &dns64_builtin;
if (server != NULL)
isc_mem_free(ns_g_mctx, server);
if (contact != NULL)
@ -254,7 +439,12 @@ builtin_create(const char *zone, int argc, char **argv,
if (empty != NULL)
isc_mem_put(ns_g_mctx, empty, sizeof (*empty));
} else {
memcpy(empty, &empty_builtin, sizeof (empty_builtin));
if (strcmp(argv[0], "empty") == 0)
memcpy(empty, &empty_builtin,
sizeof (empty_builtin));
else
memcpy(empty, &dns64_builtin,
sizeof (empty_builtin));
empty->server = server;
empty->contact = contact;
*dbdata = empty;
@ -276,7 +466,7 @@ builtin_destroy(const char *zone, void *driverdata, void **dbdata) {
*/
if (*dbdata == &version_builtin || *dbdata == &hostname_builtin ||
*dbdata == &authors_builtin || *dbdata == &id_builtin ||
*dbdata == &empty_builtin)
*dbdata == &empty_builtin || *dbdata == &dns64_builtin)
return;
isc_mem_free(ns_g_mctx, b->server);
@ -306,3 +496,4 @@ void
ns_builtin_deinit(void) {
dns_sdb_unregister(&builtin_impl);
}

130
bin/named/client.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: client.c,v 1.259.12.5 2010-09-24 08:30:27 tbox Exp $ */
/* $Id: client.c,v 1.271 2011-01-11 23:47:12 tbox Exp $ */
#include <config.h>
@ -918,7 +918,7 @@ ns_client_send(ns_client_t *client) {
dns_compress_t cctx;
isc_boolean_t cleanup_cctx = ISC_FALSE;
unsigned char sendbuf[SEND_BUFFER_SIZE];
unsigned int dnssec_opts;
unsigned int render_opts;
unsigned int preferred_glue;
isc_boolean_t opt_included = ISC_FALSE;
@ -930,10 +930,21 @@ ns_client_send(ns_client_t *client) {
client->message->flags |= DNS_MESSAGEFLAG_RA;
if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
dnssec_opts = 0;
render_opts = 0;
else
dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC;
render_opts = DNS_MESSAGERENDER_OMITDNSSEC;
#ifdef ALLOW_FILTER_AAAA_ON_V4
/*
* filter-aaaa-on-v4 yes or break-dnssec option to suppress
* AAAA records
* We already know that request came via IPv4,
* that we have both AAAA and A records,
* and that we either have no signatures that the client wants
* or we are supposed to break DNSSEC.
*/
if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0)
render_opts |= DNS_MESSAGERENDER_FILTER_AAAA;
#endif
preferred_glue = 0;
if (client->view != NULL) {
if (client->view->preferred_glue == dns_rdatatype_a)
@ -977,7 +988,7 @@ ns_client_send(ns_client_t *client) {
result = dns_message_rendersection(client->message,
DNS_SECTION_ANSWER,
DNS_MESSAGERENDER_PARTIAL |
dnssec_opts);
render_opts);
if (result == ISC_R_NOSPACE) {
client->message->flags |= DNS_MESSAGEFLAG_TC;
goto renderend;
@ -987,7 +998,7 @@ ns_client_send(ns_client_t *client) {
result = dns_message_rendersection(client->message,
DNS_SECTION_AUTHORITY,
DNS_MESSAGERENDER_PARTIAL |
dnssec_opts);
render_opts);
if (result == ISC_R_NOSPACE) {
client->message->flags |= DNS_MESSAGEFLAG_TC;
goto renderend;
@ -996,7 +1007,7 @@ ns_client_send(ns_client_t *client) {
goto done;
result = dns_message_rendersection(client->message,
DNS_SECTION_ADDITIONAL,
preferred_glue | dnssec_opts);
preferred_glue | render_opts);
if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
goto done;
renderend:
@ -1355,7 +1366,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
dns_name_t *signame;
isc_boolean_t ra; /* Recursion available. */
isc_netaddr_t netaddr;
isc_netaddr_t destaddr;
int match;
dns_messageid_t id;
unsigned int flags;
@ -1473,7 +1483,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
/*
* Silently drop multicast requests for the present.
* XXXMPA look at when/if mDNS spec stabilizes.
* XXXMPA revisit this as mDNS spec was published.
*/
if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
@ -1647,24 +1657,20 @@ client_request(isc_task_t *task, isc_event_t *event) {
* etc), we regard this as an error for safety.
*/
if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)
isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr);
isc_netaddr_fromsockaddr(&client->destaddr,
&client->interface->addr);
else {
isc_sockaddr_t sockaddr;
result = ISC_R_FAILURE;
if (TCP_CLIENT(client)) {
isc_sockaddr_t destsockaddr;
if (TCP_CLIENT(client))
result = isc_socket_getsockname(client->tcpsocket,
&destsockaddr);
if (result == ISC_R_SUCCESS)
isc_netaddr_fromsockaddr(&destaddr,
&destsockaddr);
}
&sockaddr);
if (result == ISC_R_SUCCESS)
isc_netaddr_fromsockaddr(&client->destaddr, &sockaddr);
if (result != ISC_R_SUCCESS &&
client->interface->addr.type.sa.sa_family == AF_INET6 &&
(client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
isc_uint32_t zone = 0;
/*
* XXXJT technically, we should convert the receiving
* interface ID to a proper scope zone ID. However,
@ -1673,12 +1679,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
* interface index as link ID. Despite the assumption,
* it should cover most typical cases.
*/
if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex;
isc_netaddr_fromin6(&destaddr,
isc_netaddr_fromin6(&client->destaddr,
&client->pktinfo.ipi6_addr);
isc_netaddr_setzone(&destaddr, zone);
if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
isc_netaddr_setzone(&client->destaddr,
client->pktinfo.ipi6_ifindex);
result = ISC_R_SUCCESS;
}
if (result != ISC_R_SUCCESS) {
@ -1708,7 +1713,8 @@ client_request(isc_task_t *task, isc_event_t *event) {
tsig = dns_tsigkey_identity(client->message->tsigkey);
if (allowed(&netaddr, tsig, view->matchclients) &&
allowed(&destaddr, tsig, view->matchdestinations) &&
allowed(&client->destaddr, tsig,
view->matchdestinations) &&
!((client->message->flags & DNS_MESSAGEFLAG_RD)
== 0 && view->matchrecursiveonly))
{
@ -1771,9 +1777,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
}
if (result == ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(&client->signername, namebuf, sizeof(namebuf));
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request has valid signature");
"request has valid signature: %s", namebuf);
client->signer = &client->signername;
} else if (result == ISC_R_NOTFOUND) {
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@ -1861,10 +1869,10 @@ client_request(isc_task_t *task, isc_event_t *event) {
ns_client_checkaclsilent(client, NULL,
client->view->cacheacl,
ISC_TRUE) == ISC_R_SUCCESS &&
ns_client_checkaclsilent(client, &client->interface->addr,
ns_client_checkaclsilent(client, &client->destaddr,
client->view->recursiononacl,
ISC_TRUE) == ISC_R_SUCCESS &&
ns_client_checkaclsilent(client, &client->interface->addr,
ns_client_checkaclsilent(client, &client->destaddr,
client->view->cacheonacl,
ISC_TRUE) == ISC_R_SUCCESS)
ra = ISC_TRUE;
@ -2600,12 +2608,12 @@ ns_client_getsockaddr(ns_client_t *client) {
}
isc_result_t
ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
dns_acl_t *acl, isc_boolean_t default_allow)
{
isc_result_t result;
isc_netaddr_t tmpnetaddr;
int match;
isc_netaddr_t netaddr;
if (acl == NULL) {
if (default_allow)
@ -2614,15 +2622,13 @@ ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
goto deny;
}
if (netaddr == NULL) {
isc_netaddr_fromsockaddr(&tmpnetaddr, &client->peeraddr);
netaddr = &tmpnetaddr;
}
if (sockaddr == NULL)
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
else
isc_netaddr_fromsockaddr(&netaddr, sockaddr);
result = dns_acl_match(&netaddr, client->signer, acl,
&ns_g_server->aclenv,
&match, NULL);
result = dns_acl_match(netaddr, client->signer, acl,
&ns_g_server->aclenv, &match, NULL);
if (result != ISC_R_SUCCESS)
goto deny; /* Internal error, already logged. */
@ -2642,8 +2648,14 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow, int log_level)
{
isc_result_t result =
ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
isc_result_t result;
isc_netaddr_t netaddr;
if (sockaddr != NULL)
isc_netaddr_fromsockaddr(&netaddr, sockaddr);
result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
acl, default_allow);
if (result == ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@ -2753,9 +2765,14 @@ void
ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
ns_client_t *client;
char namebuf[DNS_NAME_FORMATSIZE];
char original[DNS_NAME_FORMATSIZE];
char peerbuf[ISC_SOCKADDR_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
char classbuf[DNS_RDATACLASS_FORMATSIZE];
const char *name;
const char *sep;
const char *origfor;
dns_rdataset_t *rdataset;
REQUIRE(VALID_MANAGER(manager));
@ -2773,8 +2790,31 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
sep = "";
}
dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
fprintf(f, "; client %s%s%s: '%s' requesttime %d\n",
peerbuf, sep, name, namebuf, client->requesttime);
if (client->query.qname != client->query.origqname &&
client->query.origqname != NULL) {
origfor = " for ";
dns_name_format(client->query.origqname, original,
sizeof(original));
} else {
origfor = "";
original[0] = '\0';
}
rdataset = ISC_LIST_HEAD(client->query.qname->list);
if (rdataset == NULL && client->query.origqname != NULL)
rdataset = ISC_LIST_HEAD(client->query.origqname->list);
if (rdataset != NULL) {
dns_rdatatype_format(rdataset->type, typebuf,
sizeof(typebuf));
dns_rdataclass_format(rdataset->rdclass, classbuf,
sizeof(classbuf));
} else {
strcpy(typebuf, "-");
strcpy(classbuf, "-");
}
fprintf(f, "; client %s%s%s: id %u '%s/%s/%s'%s%s "
"requesttime %d\n", peerbuf, sep, name,
client->message->id, namebuf, typebuf, classbuf,
origfor, original, client->requesttime);
client = ISC_LIST_NEXT(client, link);
}
UNLOCK(&manager->lock);

74
bin/named/config.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.93.14.2 2009-03-17 23:47:28 tbox Exp $ */
/* $Id: config.c,v 1.113.16.1.2.1 2011-06-02 23:47:28 tbox Exp $ */
/*! \file */
@ -42,9 +42,13 @@
#include <dns/tsig.h>
#include <dns/zone.h>
#include <dst/dst.h>
#include <named/config.h>
#include <named/globals.h>
#include "bind.keys.h"
/*% default configuration */
static char defaultconf[] = "\
options {\n\
@ -55,7 +59,10 @@ options {\n\
files unlimited;\n\
stacksize default;\n"
#endif
" deallocate-on-exit true;\n\
"# session-keyfile \"" NS_LOCALSTATEDIR "/run/named/session.key\";\n\
session-keyname local-ddns;\n\
session-keyalg hmac-sha256;\n\
deallocate-on-exit true;\n\
# directory <none>\n\
dump-file \"named_dump.db\";\n\
fake-iquery no;\n\
@ -70,8 +77,10 @@ options {\n\
multiple-cnames no;\n\
# named-xfer <obsolete>;\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
port 53;\n\
recursing-file \"named.recursing\";\n\
secroots-file \"named.secroots\";\n\
"
#ifdef PATH_RANDOMDEV
"\
@ -80,6 +89,7 @@ options {\n\
#endif
"\
recursive-clients 1000;\n\
resolver-query-timeout 30;\n\
rrset-order {type NS order random; order cyclic; };\n\
serial-queries 20;\n\
serial-query-rate 20;\n\
@ -101,6 +111,9 @@ options {\n\
max-udp-size 4096;\n\
request-nsid false;\n\
reserved-sockets 512;\n\
\n\
/* DLV */\n\
dnssec-lookaside . trust-anchor dlv.isc.org;\n\
\n\
/* view */\n\
allow-notify {none;};\n\
@ -135,6 +148,7 @@ options {\n\
check-names master fail;\n\
check-names slave warn;\n\
check-names response ignore;\n\
check-dup-records warn;\n\
check-mx warn;\n\
acache-enable no;\n\
acache-cleaning-interval 60;\n\
@ -146,7 +160,13 @@ options {\n\
max-clients-per-query 100;\n\
zero-no-soa-ttl-cache no;\n\
nsec3-test-zone no;\n\
allow-new-zones no;\n\
"
#ifdef ALLOW_FILTER_AAAA_ON_V4
" filter-aaaa-on-v4 no;\n\
filter-aaaa { any; };\n\
"
#endif
" /* zone */\n\
allow-query {any;};\n\
@ -174,6 +194,7 @@ options {\n\
max-refresh-time 2419200; /* 4 weeks */\n\
min-refresh-time 300;\n\
multi-master no;\n\
dnssec-secure-to-insecure no;\n\
sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
@ -188,6 +209,7 @@ options {\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
dnssec-dnskey-kskonly no;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"
@ -198,6 +220,7 @@ options {\n\
view \"_bind\" chaos {\n\
recursion no;\n\
notify no;\n\
allow-new-zones no;\n\
\n\
zone \"version.bind\" chaos {\n\
type master;\n\
@ -213,11 +236,24 @@ view \"_bind\" chaos {\n\
type master;\n\
database \"_builtin authors\";\n\
};\n\
\n\
zone \"id.server\" chaos {\n\
type master;\n\
database \"_builtin id\";\n\
};\n\
};\n\
"
"#\n\
# Default trusted key(s) for builtin DLV support\n\
# (used if \"dnssec-lookaside auto;\" is set and\n\
# sysconfdir/bind.keys doesn't exist).\n\
#\n\
# BEGIN MANAGED KEYS\n"
/* Imported from bind.keys.h: */
MANAGED_KEYS
"# END MANAGED KEYS\n\
";
isc_result_t
@ -339,6 +375,8 @@ ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
ztype = dns_zone_slave;
else if (strcasecmp(str, "stub") == 0)
ztype = dns_zone_stub;
else if (strcasecmp(str, "static-stub") == 0)
ztype = dns_zone_staticstub;
else
INSIST(0);
return (ztype);
@ -615,7 +653,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
isc_buffer_add(&b, strlen(keystr));
dns_fixedname_init(&fname);
result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
dns_rootname, ISC_FALSE, NULL);
dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
goto cleanup;
result = dns_name_dup(dns_fixedname_name(&fname), mctx,
@ -747,22 +785,30 @@ struct keyalgorithms {
const char *str;
enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
hmacsha256, hmacsha384, hmacsha512 } hmac;
unsigned int type;
isc_uint16_t size;
} algorithms[] = {
{ "hmac-md5", hmacmd5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
{ "hmac-sha1", hmacsha1, 160 },
{ "hmac-sha224", hmacsha224, 224 },
{ "hmac-sha256", hmacsha256, 256 },
{ "hmac-sha384", hmacsha384, 384 },
{ "hmac-sha512", hmacsha512, 512 },
{ NULL, hmacnone, 0 }
{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
{ "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
{ "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
{ NULL, hmacnone, DST_ALG_UNKNOWN, 0 }
};
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits)
{
return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
}
isc_result_t
ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
unsigned int *typep, isc_uint16_t *digestbits)
{
int i;
size_t len = 0;
@ -801,6 +847,8 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
INSIST(0);
}
}
if (typep != NULL)
*typep = algorithms[i].type;
if (digestbits != NULL)
*digestbits = bits;
return (ISC_R_SUCCESS);

11
bin/named/control.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.c,v 1.33.266.4 2010-12-03 23:45:46 tbox Exp $ */
/* $Id: control.c,v 1.41 2010-12-03 22:05:19 each Exp $ */
/*! \file */
@ -158,6 +158,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
ns_server_dumpdb(ns_g_server, command);
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_SECROOTS)) {
result = ns_server_dumpsecroots(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_TRACE)) {
result = ns_server_setdebuglevel(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
@ -192,6 +194,13 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
result = ns_server_notifycommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
result = ns_server_validation(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_SIGN) ||
command_compare(command, NS_COMMAND_LOADKEYS)) {
result = ns_server_rekey(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_ADDZONE)) {
result = ns_server_add_zone(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_DELZONE)) {
result = ns_server_del_zone(ns_g_server, command);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,

17
bin/named/include/named/client.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: client.h,v 1.86.120.2 2009-01-18 23:47:34 tbox Exp $ */
/* $Id: client.h,v 1.91 2009-10-26 23:14:53 each Exp $ */
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@ -138,6 +138,7 @@ struct ns_client {
ns_interface_t *interface;
isc_sockaddr_t peeraddr;
isc_boolean_t peeraddr_valid;
isc_netaddr_t destaddr;
struct in6_pktinfo pktinfo;
isc_event_t ctlevent;
/*%
@ -167,6 +168,10 @@ struct ns_client {
#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */
#define NS_CLIENTATTR_WANTNSID 0x20 /*%< include nameserver ID */
#ifdef ALLOW_FILTER_AAAA_ON_V4
#define NS_CLIENTATTR_FILTER_AAAA 0x40 /*%< suppress AAAAs */
#define NS_CLIENTATTR_FILTER_AAAA_RC 0x80 /*%< recursing for A against AAAA */
#endif
extern unsigned int ns_client_requests;
@ -274,10 +279,8 @@ ns_client_getsockaddr(ns_client_t *client);
*/
isc_result_t
ns_client_checkaclsilent(ns_client_t *client,
isc_sockaddr_t *sockaddr,
dns_acl_t *acl,
isc_boolean_t default_allow);
ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
dns_acl_t *acl, isc_boolean_t default_allow);
/*%
* Convenience function for client request ACL checking.
@ -296,12 +299,12 @@ ns_client_checkaclsilent(ns_client_t *client,
*
* Requires:
*\li 'client' points to a valid client.
*\li 'sockaddr' points to a valid address, or is NULL.
*\li 'netaddr' points to a valid address, or is NULL.
*\li 'acl' points to a valid ACL, or is NULL.
*
* Returns:
*\li ISC_R_SUCCESS if the request should be allowed
* \li ISC_R_REFUSED if the request should be denied
* \li DNS_R_REFUSED if the request should be denied
*\li No other return values are possible.
*/

7
bin/named/include/named/config.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.h,v 1.14 2007-06-19 23:46:59 tbox Exp $ */
/* $Id: config.h,v 1.16 2009-06-11 23:47:55 tbox Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
@ -75,5 +75,8 @@ ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits);
isc_result_t
ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
unsigned int *typep, isc_uint16_t *digestbits);
#endif /* NAMED_CONFIG_H */

9
bin/named/include/named/control.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: control.h,v 1.25 2007-06-19 23:46:59 tbox Exp $ */
/* $Id: control.h,v 1.31 2010-08-16 22:21:06 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
@ -42,6 +42,7 @@
#define NS_COMMAND_DUMPSTATS "stats"
#define NS_COMMAND_QUERYLOG "querylog"
#define NS_COMMAND_DUMPDB "dumpdb"
#define NS_COMMAND_SECROOTS "secroots"
#define NS_COMMAND_TRACE "trace"
#define NS_COMMAND_NOTRACE "notrace"
#define NS_COMMAND_FLUSH "flush"
@ -57,6 +58,10 @@
#define NS_COMMAND_NULL "null"
#define NS_COMMAND_NOTIFY "notify"
#define NS_COMMAND_VALIDATION "validation"
#define NS_COMMAND_SIGN "sign"
#define NS_COMMAND_LOADKEYS "loadkeys"
#define NS_COMMAND_ADDZONE "addzone"
#define NS_COMMAND_DELZONE "delzone"
isc_result_t
ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);

21
bin/named/include/named/globals.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: globals.h,v 1.80.12.3 2010-09-15 12:16:50 marka Exp $ */
/* $Id: globals.h,v 1.89 2010-09-15 12:07:55 marka Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
@ -30,6 +30,8 @@
#include <dns/zone.h>
#include <dst/dst.h>
#include <named/types.h>
#undef EXTERN
@ -86,8 +88,13 @@ EXTERN cfg_obj_t * ns_g_config INIT(NULL);
EXTERN const cfg_obj_t * ns_g_defaults INIT(NULL);
EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR
"/named.conf");
EXTERN cfg_obj_t * ns_g_bindkeys INIT(NULL);
EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR
"/rndc.key");
EXTERN dns_tsigkey_t * ns_g_sessionkey INIT(NULL);
EXTERN dns_name_t ns_g_sessionkeyname;
EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR
"/lwresd.conf");
EXTERN const char * lwresd_g_resolvconffile INIT("/etc"
@ -112,6 +119,10 @@ EXTERN const char * ns_g_chrootdir INIT(NULL);
EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
EXTERN const char * ns_g_defaultsessionkeyfile
INIT(NS_LOCALSTATEDIR "/run/named/"
"session.key");
#if NS_RUN_PID_DIR
EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
"/run/named/"
@ -128,6 +139,12 @@ EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
EXTERN const char * ns_g_username INIT(NULL);
#ifdef USE_PKCS11
EXTERN const char * ns_g_engine INIT("pkcs11");
#else
EXTERN const char * ns_g_engine INIT(NULL);
#endif
EXTERN int ns_g_listen INIT(3);
EXTERN isc_time_t ns_g_boottime;
EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE);

2
bin/named/include/named/log.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: log.h,v 1.25.332.2 2009-01-07 23:47:16 tbox Exp $ */
/* $Id: log.h,v 1.27 2009-01-07 23:47:46 tbox Exp $ */
#ifndef NAMED_LOG_H
#define NAMED_LOG_H 1

2
bin/named/include/named/lwdclient.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: lwdclient.h,v 1.18.332.2 2009-01-18 23:47:34 tbox Exp $ */
/* $Id: lwdclient.h,v 1.20 2009-01-17 23:47:42 tbox Exp $ */
#ifndef NAMED_LWDCLIENT_H
#define NAMED_LWDCLIENT_H 1

9
bin/named/include/named/main.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,15 +15,16 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: main.h,v 1.15 2007-06-19 23:46:59 tbox Exp $ */
/* $Id: main.h,v 1.17 2009-09-29 23:48:03 tbox Exp $ */
#ifndef NAMED_MAIN_H
#define NAMED_MAIN_H 1
/*! \file */
void
ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
ns_main_earlyfatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
void
ns_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);

2
bin/named/include/named/notify.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: notify.h,v 1.14.332.2 2009-01-18 23:47:34 tbox Exp $ */
/* $Id: notify.h,v 1.16 2009-01-17 23:47:42 tbox Exp $ */
#ifndef NAMED_NOTIFY_H
#define NAMED_NOTIFY_H 1

17
bin/named/include/named/query.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.h,v 1.40.332.2 2010-09-24 08:30:28 tbox Exp $ */
/* $Id: query.h,v 1.45 2011-01-13 04:59:24 tbox Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
@ -26,6 +26,8 @@
#include <isc/buffer.h>
#include <isc/netaddr.h>
#include <dns/rdataset.h>
#include <dns/rpz.h>
#include <dns/types.h>
#include <named/types.h>
@ -34,6 +36,7 @@
typedef struct ns_dbversion {
dns_db_t *db;
dns_dbversion_t *version;
isc_boolean_t acl_checked;
isc_boolean_t queryok;
ISC_LINK(struct ns_dbversion) link;
} ns_dbversion_t;
@ -54,9 +57,16 @@ struct ns_query {
isc_boolean_t isreferral;
isc_mutex_t fetchlock;
dns_fetch_t * fetch;
dns_rpz_st_t * rpz_st;
isc_bufferlist_t namebufs;
ISC_LIST(ns_dbversion_t) activeversions;
ISC_LIST(ns_dbversion_t) freeversions;
dns_rdataset_t * dns64_aaaa;
dns_rdataset_t * dns64_sigaaaa;
isc_boolean_t * dns64_aaaaok;
unsigned int dns64_aaaaoklen;
unsigned int dns64_options;
unsigned int dns64_ttl;
};
#define NS_QUERYATTR_RECURSIONOK 0x0001
@ -73,6 +83,9 @@ struct ns_query {
#define NS_QUERYATTR_NOADDITIONAL 0x0800
#define NS_QUERYATTR_CACHEACLOKVALID 0x1000
#define NS_QUERYATTR_CACHEACLOK 0x2000
#define NS_QUERYATTR_DNS64 0x4000
#define NS_QUERYATTR_DNS64EXCLUDE 0x8000
isc_result_t
ns_query_init(ns_client_t *client);

53
bin/named/include/named/server.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.h,v 1.93.120.3 2009-07-11 04:23:53 marka Exp $ */
/* $Id: server.h,v 1.110 2010-08-16 23:46:52 tbox Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
@ -54,6 +54,8 @@ struct ns_server {
dns_acl_t *blackholeacl;
char * statsfile; /*%< Statistics file name */
char * dumpfile; /*%< Dump file name */
char * secrootsfile; /*%< Secroots file name */
char * bindkeysfile; /*%< bind.keys file name */
char * recfile; /*%< Recursive file name */
isc_boolean_t version_set; /*%< User has set version */
char * version; /*%< User-specified version */
@ -91,13 +93,14 @@ struct ns_server {
isc_boolean_t flushonshutdown;
isc_boolean_t log_queries; /*%< For BIND 8 compatibility */
isc_stats_t * nsstats; /*%< Server statistics */
dns_stats_t * rcvquerystats; /*% Incoming query statistics */
dns_stats_t * opcodestats; /*%< Incoming message statistics */
isc_stats_t * zonestats; /*% Zone management statistics */
isc_stats_t * resolverstats; /*% Resolver statistics */
ns_cachelist_t cachelist; /*%< Possibly shared caches */
isc_stats_t * nsstats; /*%< Server stats */
dns_stats_t * rcvquerystats; /*% Incoming query stats */
dns_stats_t * opcodestats; /*%< Incoming message stats */
isc_stats_t * zonestats; /*% Zone management stats */
isc_stats_t * resolverstats; /*% Resolver stats */
isc_stats_t * sockstats; /*%< Socket stats */
isc_stats_t * sockstats; /*%< Socket statistics */
ns_controls_t * controls; /*%< Control channels */
unsigned int dispatchgen;
ns_dispatchlist_t dispatches;
@ -105,6 +108,12 @@ struct ns_server {
dns_acache_t *acache;
ns_statschannellist_t statschannels;
dns_tsigkey_t *sessionkey;
char *session_keyfile;
dns_name_t *session_keyname;
unsigned int session_keyalg;
isc_uint16_t session_keybits;
};
#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
@ -236,6 +245,12 @@ ns_server_dumpstats(ns_server_t *server);
isc_result_t
ns_server_dumpdb(ns_server_t *server, char *args);
/*%
* Dump the current security roots to the secroots file.
*/
isc_result_t
ns_server_dumpsecroots(ns_server_t *server, char *args);
/*%
* Change or increment the server debug level.
*/
@ -279,6 +294,16 @@ isc_result_t
ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
isc_buffer_t *text);
/*%
* Update a zone's DNSKEY set from the key repository. If
* the command that triggered the call to this function was "sign",
* then force a full signing of the zone. If it was "loadkeys",
* then don't sign the zone; any needed changes to signatures can
* take place incrementally.
*/
isc_result_t
ns_server_rekey(ns_server_t *server, char *args);
/*%
* Dump the current recursive queries.
*/
@ -297,4 +322,16 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
isc_result_t
ns_server_validation(ns_server_t *server, char *args);
/*%
* Add a zone to a running process
*/
isc_result_t
ns_server_add_zone(ns_server_t *server, char *args);
/*%
* Deletes a zone from a running process
*/
isc_result_t
ns_server_del_zone(ns_server_t *server, char *args);
#endif /* NAMED_SERVER_H */

7
bin/named/include/named/tsigconf.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: tsigconf.h,v 1.16 2007-06-19 23:46:59 tbox Exp $ */
/* $Id: tsigconf.h,v 1.18 2009-06-11 23:47:55 tbox Exp $ */
#ifndef NS_TSIGCONF_H
#define NS_TSIGCONF_H 1
@ -36,8 +36,9 @@ ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*
* Requires:
* \li 'config' is not NULL.
* \li 'vconfig' is not NULL.
* \li 'mctx' is not NULL
* \li 'ring' is not NULL, and '*ring' is NULL
* \li 'ringp' is not NULL, and '*ringp' is NULL
*
* Returns:
* \li ISC_R_SUCCESS

Some files were not shown because too many files have changed in this diff Show More