BIND9 Internals: bin/dnssec/dnssec-signzone.c File Reference

#define PATH_MAX 1024

Definition at line 95 of file dnssec-signzone.c.

#define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3)

Definition at line 105 of file dnssec-signzone.c.

Referenced by main().

#define OPTOUT ( x ) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)

Definition at line 106 of file dnssec-signzone.c.

#define REVOKE ( x ) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)

Definition at line 108 of file dnssec-signzone.c.

#define BUFSIZE 2048

Definition at line 110 of file dnssec-signzone.c.

#define MAXDSKEYS 8

Definition at line 111 of file dnssec-signzone.c.

Referenced by main().

#define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453)

Definition at line 113 of file dnssec-signzone.c.

#define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0)

Definition at line 114 of file dnssec-signzone.c.

Referenced by sign().

#define SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1)

Definition at line 115 of file dnssec-signzone.c.

Referenced by assignwork().

#define SOA_SERIAL_KEEP 0

Definition at line 117 of file dnssec-signzone.c.

Referenced by main().

#define SOA_SERIAL_INCREMENT 1

Definition at line 118 of file dnssec-signzone.c.

Referenced by main().

#define SOA_SERIAL_UNIXTIME 2

Definition at line 119 of file dnssec-signzone.c.

Referenced by main().

#define SOA_SERIAL_DATE 3

Definition at line 120 of file dnssec-signzone.c.

Referenced by main().

#define INCSTAT ( counter )

Value:

if (printstats) {               \
                LOCK(&statslock);       \
                counter++;              \
                UNLOCK(&statslock);     \
        }

Definition at line 189 of file dnssec-signzone.c.

Referenced by setverifies(), signset(), and signwithkey().

#define CMDLINE_FLAGS "3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:M:n:N:o:O:PpQRr:s:ST:tuUv:VX:xzZ:"

typedef struct hashlist hashlist_t

Definition at line 101 of file dnssec-signzone.c.

typedef struct signer_event sevent_t

Definition at line 122 of file dnssec-signzone.c.

static void sign	(	isc_task_t *	task,
		isc_event_t *	event
	)			`[static]`

Sign a database node.

Definition at line 1563 of file dnssec-signzone.c.

References dns_fixedname_name, fatal(), signer_event::fname, isc_event_allocate(), isc_event_free(), ISC_EVENT_PTR, isc_task_send(), signer_event::node, SIGNER_EVENT_WRITE, signname(), and writenode().

static void dumpnode	(	dns_name_t *	name,
		dns_dbnode_t *	node
	)			`[static]`

static void signwithkey	(	dns_name_t *	name,
		dns_rdataset_t *	rdataset,
		dst_key_t *	key,
		dns_ttl_t	ttl,
		dns_diff_t *	add,
		const char *	logmsg
	)			`[static]`

Sign the given RRset with given key, and add the signature record to the given tuple.

Definition at line 271 of file dnssec-signzone.c.

References BUFSIZE, check_result(), dns_diff_append(), DNS_DIFFOP_ADDRESIGN, dns_difftuple_create(), dns_dnssec_sign(), dns_dnssec_verify(), DNS_RDATA_INIT, dnskey_endtime, dst_key_format(), DST_KEY_FORMATSIZE, endtime, fatal(), INCSTAT, isc_buffer_init, isc_entropy_stopcallbacksources(), ISC_R_SUCCESS, isc_random_jitter(), isc_result_totext(), ISC_TRUE, jitter, keystr, nsigned, nverified, nverifyfailed, starttime, tryverify, dns_rdataset::type, and vbprintf().

Referenced by signset().

static isc_boolean_t issigningkey ( dns_dnsseckey_t * key ) [inline, static]

Definition at line 321 of file dnssec-signzone.c.

References dns_dnsseckey::force_sign, and dns_dnsseckey::hint_sign.

Referenced by signset().

static isc_boolean_t ispublishedkey ( dns_dnsseckey_t * key ) [inline, static]

Definition at line 326 of file dnssec-signzone.c.

References dns_dnsseckey::force_publish, dns_dnsseckey::hint_publish, and dns_dnsseckey::hint_remove.

Referenced by signset().

static isc_boolean_t iszonekey ( dns_dnsseckey_t * key ) [inline, static]

Definition at line 332 of file dnssec-signzone.c.

References dns_name_equal(), dst_key_iszonekey(), dst_key_name(), ISC_TF, and dns_dnsseckey::key.

Referenced by dns_zonekey_iszonekey(), and signset().

static isc_boolean_t isksk ( dns_dnsseckey_t * key ) [inline, static]

Definition at line 338 of file dnssec-signzone.c.

References dns_dnsseckey::ksk.

Referenced by signset(), and writeset().

static isc_boolean_t iszsk ( dns_dnsseckey_t * key ) [inline, static]

Definition at line 343 of file dnssec-signzone.c.

References ignore_kskflag, and dns_dnsseckey::ksk.

Referenced by signset().

static dns_dnsseckey_t* keythatsigned_unlocked ( dns_rdata_rrsig_t * rrsig ) [static]

Find the key that generated an RRSIG, if it is in the key list. If so, return a pointer to it, otherwise return NULL.

No locking is performed here, this must be done by the caller.

Definition at line 354 of file dnssec-signzone.c.

References dns_name_equal(), dst_key_alg(), dst_key_id(), dst_key_name(), ISC_LIST_HEAD, ISC_LIST_NEXT, dns_dnsseckey::key, key, and keylist.

Referenced by keythatsigned().

static dns_dnsseckey_t* keythatsigned ( dns_rdata_rrsig_t * rrsig ) [static]

Finds the key that generated a RRSIG, if possible. First look at the keys that we've loaded already, and then see if there's a key on disk.

Definition at line 373 of file dnssec-signzone.c.

References directory, dns_dnsseckey_create(), dst_key_free(), dst_key_fromfile(), DST_TYPE_PRIVATE, DST_TYPE_PUBLIC, dns_dnsseckey::force_publish, dns_dnsseckey::force_sign, dns_dnsseckey::index, ISC_FALSE, ISC_LIST_APPEND, ISC_R_SUCCESS, isc_rwlock_lock(), isc_rwlock_unlock(), isc_rwlocktype_read, isc_rwlocktype_write, key, keycount, keylist, and keythatsigned_unlocked().

Referenced by signset().

static isc_boolean_t expecttofindkey ( dns_name_t * name ) [static]

Check to see if we expect to find a key at this name. If we see a RRSIG and can't find the signing key that we expect to find, we drop the rrsig. I'm not sure if this is completely correct, but it seems to work.

Definition at line 433 of file dnssec-signzone.c.

References dns_db_find(), DNS_DBFIND_NOWILD, dns_fixedname_init, dns_fixedname_name, dns_name_format(), DNS_NAME_FORMATSIZE, DNS_R_CNAME, DNS_R_DELEGATION, DNS_R_DNAME, DNS_R_NXDOMAIN, DNS_R_NXRRSET, fatal(), gversion, ISC_FALSE, ISC_R_SUCCESS, isc_result_totext(), and ISC_TRUE.

Referenced by signset().

static isc_boolean_t setverifies	(	dns_name_t *	name,
		dns_rdataset_t *	set,
		dst_key_t *	key,
		dns_rdata_t *	rrsig
	)			`[inline, static]`

Definition at line 460 of file dnssec-signzone.c.

References dns_dnssec_verify(), INCSTAT, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, nverified, and nverifyfailed.

Referenced by signset().

static void signset	(	dns_diff_t *	del,
		dns_diff_t *	add,
		dns_dbnode_t *	node,
		dns_name_t *	name,
		dns_rdataset_t *	set
	)			`[static]`

Signs a set. Goes through contortions to decide if each RRSIG should be dropped or retained, and then determines if any new SIGs need to be generated.

Definition at line 480 of file dnssec-signzone.c.

References check_result(), cycle, dns_db_findrdataset(), dns_diff_append(), DNS_DIFFOP_ADDRESIGN, DNS_DIFFOP_DELRESIGN, dns_difftuple_create(), dns_dnssec_keyactive(), dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_rdata_freestruct(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_count(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dst_key_alg(), endtime, expecttofindkey(), fatal(), gversion, INCSTAT, dns_dnsseckey::index, INSIST, ISC_FALSE, ISC_LIST_HEAD, ISC_LIST_NEXT, isc_mem_get, isc_mem_put, ISC_MIN, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_result_totext(), isc_serial_gt(), isc_serial_lt(), ISC_TRUE, isksk(), ispublishedkey(), issigningkey(), iszonekey(), iszsk(), keep, dns_dnsseckey::key, key, keycount, keylist, keyset_kskonly, keythatsigned(), ndropped, now, nretained, remove_inactkeysigs, remove_orphansigs, REVOKE, set(), setverifies(), sig_format(), SIG_FORMATSIZE, signwithkey(), starttime, dns_rdataset::ttl, ttl, type_format(), TYPE_FORMATSIZE, and vbprintf().

Referenced by signname().

static void hashlist_init	(	hashlist_t *	l,
		unsigned int	nodes,
		unsigned int	length
	)			`[static]`

Definition at line 709 of file dnssec-signzone.c.

References hashlist::entries, hashlist::hashbuf, hashlist::length, and hashlist::size.

Referenced by main().

static void hashlist_add	(	hashlist_t *	l,
		const unsigned char *	hash,
		size_t	len
	)			`[static]`

Definition at line 726 of file dnssec-signzone.c.

References hashlist::entries, fatal(), hashlist::hashbuf, hashlist::length, REQUIRE, and hashlist::size.

Referenced by hashlist_add_dns_name().

static void hashlist_add_dns_name	(	hashlist_t *	l,
		dns_name_t *	name,
		unsigned int	hashalg,
		unsigned int	iterations,
		const unsigned char *	salt,
		size_t	salt_len,
		isc_boolean_t	speculative
	)			`[static]`

Definition at line 743 of file dnssec-signzone.c.

References dns_name_format(), DNS_NAME_FORMATSIZE, hash, hashlist_add(), isc_iterated_hash(), dns_name::length, dns_name::ndata, NSEC3_MAX_HASH_LENGTH, and verbose.

Referenced by addnowildcardhash(), and nsec3ify().

static int hashlist_comp	(	const void *	a,
		const void *	b
	)			`[static]`

Definition at line 767 of file dnssec-signzone.c.

References hash_length.

Referenced by hashlist_exists(), hashlist_findnext(), and hashlist_sort().

static void hashlist_sort ( hashlist_t * l ) [static]

Definition at line 772 of file dnssec-signzone.c.

References hashlist::entries, hashlist::hashbuf, hashlist_comp(), and hashlist::length.

Referenced by nsec3ify().

static isc_boolean_t hashlist_hasdup ( hashlist_t * l ) [static]

Definition at line 777 of file dnssec-signzone.c.

References hashlist::entries, hashlist::hashbuf, ISC_FALSE, ISC_TRUE, and hashlist::length.

Referenced by nsec3ify().

static const unsigned char* hashlist_findnext	(	const hashlist_t *	l,
		const unsigned char	hash[NSEC3_MAX_HASH_LENGTH]
	)			`[static]`

Definition at line 803 of file dnssec-signzone.c.

References hashlist::entries, hash, hashlist::hashbuf, hashlist_comp(), INSIST, and hashlist::length.

Referenced by addnsec3().

static isc_boolean_t hashlist_exists	(	const hashlist_t *	l,
		const unsigned char	hash[NSEC3_MAX_HASH_LENGTH]
	)			`[static]`

Definition at line 824 of file dnssec-signzone.c.

References hashlist::entries, hash, hashlist::hashbuf, hashlist_comp(), ISC_FALSE, ISC_TRUE, and hashlist::length.

Referenced by nsec3clean().

static void addnowildcardhash	(	hashlist_t *	l,
		dns_name_t *	name,
		unsigned int	hashalg,
		unsigned int	iterations,
		const unsigned char *	salt,
		size_t	salt_len
	)			`[static]`

Definition at line 834 of file dnssec-signzone.c.

References check_result(), dns_db_detachnode(), dns_db_findnode(), dns_fixedname_init, dns_fixedname_name, dns_name_concatenate(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_wildcardname, fixed, hashlist_add_dns_name(), ISC_FALSE, ISC_R_NOSPACE, ISC_R_SUCCESS, ISC_TRUE, verbose, and wild.

Referenced by nsec3ify().

static void opendb	(	const char *	prefix,
		dns_name_t *	name,
		dns_rdataclass_t	rdclass,
		dns_db_t **	dbp
	)			`[static]`

Definition at line 868 of file dnssec-signzone.c.

References check_result(), dns_db_create(), dns_db_detach(), dns_db_load3(), dns_dbtype_zone, DNS_MASTER_HINT, dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_tofilenametext(), DNS_R_SEENINCLUDE, dns_rootname, dsdir, fatal(), inputformat, isc_buffer_availablelength, isc_buffer_init, isc_buffer_putstr, isc_buffer_putuint8, ISC_FALSE, ISC_R_SUCCESS, and PATH_MAX.

Referenced by loadds().

static isc_result_t loadds	(	dns_name_t *	name,
		isc_uint32_t	ttl,
		dns_rdataset_t *	dsset
	)			`[static]`

Load the DS set for a child zone, if a dsset-* file can be found. If not, try to find a keyset-* file from an earlier version of dnssec-signzone, and build DS records from that.

Definition at line 911 of file dnssec-signzone.c.

References check_result(), dns_db_closeversion(), dns_db_detach(), dns_db_detachnode(), dns_db_findnode(), dns_db_findrdataset(), dns_db_newversion(), dns_diff_append(), dns_diff_apply(), dns_diff_clear(), dns_diff_init(), DNS_DIFFOP_ADDRESIGN, dns_difftuple_create(), DNS_DS_BUFFERSIZE, dns_ds_buildrdata(), DNS_DSDIGEST_SHA1, DNS_DSDIGEST_SHA256, dns_rdata_init(), dns_rdata_reset(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), gclass, ISC_FALSE, ISC_R_NOTFOUND, ISC_R_SUCCESS, ISC_TRUE, key, opendb(), dns_rdataset::ttl, and vbprintf().

Referenced by add_ds().

static isc_boolean_t secure	(	dns_name_t *	name,
		dns_dbnode_t *	node
	)			`[static]`

Definition at line 1011 of file dnssec-signzone.c.

References dns_db_findrdataset(), dns_name_equal(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdataset_isassociated(), gversion, ISC_FALSE, ISC_R_SUCCESS, and ISC_TF.

Referenced by assignwork(), dns_view_issecuredomain(), dns_zone_detach(), dns_zone_markdirty(), dns_zone_replacedb(), get_key(), ISC_LIST(), issecure(), keyfetch_done(), next_active(), ns_server_zonestatus(), nsec3ify(), zone_loaddone(), zone_send_securedb(), zone_shutdown(), and zone_xfrdone().

static void signname	(	dns_dbnode_t *	node,
		dns_name_t *	name
	)			`[static]`

Signs all records at a name.

Definition at line 1031 of file dnssec-signzone.c.

References check_result(), del, dns_db_allrdatasets(), dns_diff_applysilently(), dns_diff_clear(), dns_diff_init(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdatasetiter_current(), dns_rdatasetiter_destroy(), dns_rdatasetiter_first(), dns_rdatasetiter_next(), fatal(), gversion, is_delegation(), ISC_FALSE, ISC_R_NOMORE, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, isdelegation(), namebuf, nsec_datatype, signset(), and dns_rdataset::type.

Referenced by sign(), and signapex().

static isc_boolean_t active_node ( dns_dbnode_t * node ) [inline, static]

The node is empty of everything but NSEC / RRSIG records.

Definition at line 1107 of file dnssec-signzone.c.

References check_result(), dns_rdataset::covers, dns_db_allrdatasets(), dns_db_deleterdataset(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdatasetiter_current(), dns_rdatasetiter_destroy(), dns_rdatasetiter_first(), dns_rdatasetiter_next(), fatal(), gversion, ISC_FALSE, ISC_R_NOMORE, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, nsec_datatype, and dns_rdataset::type.

Referenced by nsec3ify(), and nsecify().

static void get_soa_ttls ( void ) [static]

Extracts the minimum TTL from the SOA record, and the SOA record's TTL.

Definition at line 1220 of file dnssec-signzone.c.

References check_result(), dns_db_find(), dns_fixedname_init, dns_fixedname_name, DNS_RDATA_INIT, dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_soa_getminimum(), fatal(), gversion, ISC_MIN, ISC_R_SUCCESS, isc_result_totext(), maxttl, name, set_maxttl, soa_ttl, dns_rdataset::ttl, and zone_soa_min_ttl.

Referenced by main().

static isc_result_t setsoaserial	(	isc_uint32_t	serial,
		dns_updatemethod_t	method
	)			`[static]`

Increment (or set if nonzero) the SOA serial.

Definition at line 1252 of file dnssec-signzone.c.

References check_result(), cleanup(), dns_db_addrdataset(), dns_db_deleterdataset(), dns_db_detachnode(), dns_db_findrdataset(), dns_db_getoriginnode(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_soa_getserial(), dns_soa_setserial(), dns_update_soaserial(), dns_updatemethod_date, dns_updatemethod_none, dns_updatemethod_unixtime, gversion, ISC_R_SUCCESS, program, and RUNTIME_CHECK.

Referenced by main().

static void cleannode	(	dns_db_t *	db,
		dns_dbversion_t *	dbversion,
		dns_dbnode_t *	node
	)			`[static]`

Delete any RRSIG records at a node.

Definition at line 1330 of file dnssec-signzone.c.

References check_result(), destroy(), disable_zone_check, dns_db_allrdatasets(), dns_db_deleterdataset(), dns_masterformat_text, dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdatasetiter_current(), dns_rdatasetiter_destroy(), dns_rdatasetiter_first(), dns_rdatasetiter_next(), fatal(), ISC_FALSE, ISC_R_NOMORE, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, and outputformat.

Referenced by signapex(), and writenode().

static void presign ( void ) [static]

Set up the iterator and global state before starting the tasks.

Definition at line 1369 of file dnssec-signzone.c.

References check_result(), and dns_db_createiterator().

Referenced by main().

static void postsign ( void ) [static]

Clean up the iterator and global state after the tasks complete.

Definition at line 1381 of file dnssec-signzone.c.

References dns_dbiterator_destroy().

Referenced by main().

static void signapex ( void ) [static]

Sign the apex of the zone. Note the origin may not be the first node if there are out of zone records.

Definition at line 1391 of file dnssec-signzone.c.

References check_dns_dbiterator_current, check_result(), cleannode(), dns_db_detachnode(), dns_dbiterator_current(), dns_dbiterator_first(), dns_dbiterator_seek(), dns_fixedname_init, dns_fixedname_name, dumpnode(), fatal(), finished, fixed, gversion, ISC_R_NOMORE, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, name, and signname().

Referenced by main().

static void assignwork	(	isc_task_t *	task,
		isc_task_t *	worker
	)			`[static]`

Assigns a node to a worker thread. This is protected by the master task's lock.

Definition at line 1420 of file dnssec-signzone.c.

References check_dns_dbiterator_current, dns_db_detachnode(), dns_db_findrdataset(), dns_dbiterator_current(), dns_dbiterator_next(), dns_fixedname_init, dns_fixedname_name, dns_name_copy(), dns_name_equal(), dns_name_issubdomain(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdataset_isassociated(), dumpnode(), fatal(), finished, signer_event::fname, gversion, is_delegation(), isc_app_shutdown(), isc_event_allocate(), ISC_EVENT_PTR, ISC_FALSE, isc_mem_get, isc_mem_put, ISC_R_NOMORE, ISC_R_SUCCESS, isc_result_totext(), isc_task_detach(), isc_task_send(), ISC_TRUE, LOCK, name, namelock, signer_event::node, nsec3flags, nsec_datatype, ntasks, OPTOUT, secure(), shuttingdown, sign(), SIGNER_EVENT_WORK, and UNLOCK.

Referenced by startworker(), and writenode().

static void startworker	(	isc_task_t *	task,
		isc_event_t *	event
	)			`[static]`

Start a worker task.

Definition at line 1534 of file dnssec-signzone.c.

References assignwork(), and isc_event_free().

Referenced by main().

static void writenode	(	isc_task_t *	task,
		isc_event_t *	event
	)			`[static]`

Write a node to the output file, and restart the worker task.

Definition at line 1546 of file dnssec-signzone.c.

References assignwork(), cleannode(), dns_db_detachnode(), dns_fixedname_name, dumpnode(), signer_event::fname, gversion, isc_event_free(), isc_mem_put, and signer_event::node.

Referenced by sign().

static void add_ds	(	dns_name_t *	name,
		dns_dbnode_t *	node,
		isc_uint32_t	nsttl
	)			`[static]`

Update / remove the DS RRset. Preserve RRSIG(DS) if possible.

Definition at line 1588 of file dnssec-signzone.c.

References check_result(), dns_db_addrdataset(), dns_db_deleterdataset(), dns_db_findrdataset(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdataset_isassociated(), gversion, ISC_R_SUCCESS, and loadds().

Referenced by nsec3ify(), and nsecify().

static void remove_records	(	dns_dbnode_t *	node,
		dns_rdatatype_t	which,
		isc_boolean_t	checknsec
	)			`[static]`

Definition at line 1626 of file dnssec-signzone.c.

References check_result(), dns_rdataset::covers, dns_db_allrdatasets(), dns_db_deleterdataset(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdatasetiter_current(), dns_rdatasetiter_destroy(), dns_rdatasetiter_first(), dns_rdatasetiter_next(), fatal(), gversion, ISC_R_SUCCESS, dns_rdataset::type, and update_chain.

Referenced by nsec3ify(), and nsecify().

static void remove_sigs	(	dns_dbnode_t *	node,
		isc_boolean_t	delegation,
		dns_rdatatype_t	which
	)			`[static]`

Definition at line 1672 of file dnssec-signzone.c.

References check_result(), dns_rdataset::covers, dns_db_allrdatasets(), dns_db_deleterdataset(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdatasetiter_current(), dns_rdatasetiter_destroy(), dns_rdatasetiter_first(), dns_rdatasetiter_next(), dns_rdatatype_atparent(), gversion, ISC_R_SUCCESS, nsec_datatype, and dns_rdataset::type.

Referenced by nsec3ify(), and nsecify().

static void nsecify ( void ) [static]

Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.

Definition at line 1714 of file dnssec-signzone.c.

References active_node(), add_ds(), check_dns_dbiterator_current, check_result(), dns_rdataset::covers, dns_db_allrdatasets(), dns_db_createiterator(), dns_db_deleterdataset(), dns_db_detachnode(), DNS_DB_NONSEC3, DNS_DB_NSEC3ONLY, dns_dbiterator_current(), dns_dbiterator_destroy(), dns_dbiterator_first(), dns_dbiterator_next(), dns_dbiterator_pause(), dns_fixedname_init, dns_fixedname_name, dns_name_clone(), dns_name_copy(), dns_name_equal(), dns_name_issubdomain(), dns_nsec_build(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdatasetiter_current(), dns_rdatasetiter_destroy(), dns_rdatasetiter_first(), dns_rdatasetiter_next(), fatal(), generateds, gversion, is_delegation(), ISC_FALSE, ISC_R_NOMORE, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, name, remove_records(), remove_sigs(), dns_rdataset::type, and zone_soa_min_ttl.

Referenced by main().

static void addnsec3param	(	const unsigned char *	salt,
		size_t	salt_len,
		dns_iterations_t	iterations
	)			`[static]`

Definition at line 1841 of file dnssec-signzone.c.

References check_result(), DE_CONST, dns_db_addrdataset(), dns_db_deleterdataset(), dns_db_detachnode(), dns_db_findnode(), DNS_DBADD_MERGE, dns_hash_sha1, DNS_NSEC3_UNKNOWNALG, DNS_R_UNCHANGED, dns_rdata_fromstruct(), DNS_RDATA_INIT, dns_rdatalist_init(), dns_rdatalist_tordataset(), dns_rdataset_init(), gclass, gversion, isc_buffer_init, ISC_LINK_INIT, ISC_LIST_APPEND, ISC_R_SUCCESS, ISC_TRUE, dns_rdata::rdclass, dns_rdatalist::rdclass, dns_rdata::type, dns_rdatalist::type, and unknownalg.

Referenced by nsec3ify().

static void addnsec3	(	dns_name_t *	name,
		dns_dbnode_t *	node,
		const unsigned char *	salt,
		size_t	salt_len,
		unsigned int	iterations,
		hashlist_t *	hashlist,
		dns_ttl_t	ttl
	)			`[static]`

static void nsec3clean	(	dns_name_t *	name,
		dns_dbnode_t *	node,
		unsigned int	hashalg,
		unsigned int	iterations,
		const unsigned char *	salt,
		size_t	salt_len,
		hashlist_t *	hashlist
	)			`[static]`

Clean out NSEC3 record and RRSIG(NSEC3) that are not in the hash list.

Extract the hash from the first label of 'name' then see if it is in hashlist. If 'name' is not in the hashlist then delete the any NSEC3 records which have the same parameters as the chain we are building.

XXXMPA Should we also check that it of the form <hash>.<origin>?

Definition at line 1963 of file dnssec-signzone.c.

References check_result(), dns_db_deleterdataset(), dns_db_findrdataset(), dns_db_subtractrdataset(), dns_name_getlabel(), DNS_R_NXRRSET, DNS_R_UNCHANGED, dns_rdata_clone(), dns_rdata_init(), dns_rdata_tostruct(), dns_rdatalist_init(), dns_rdatalist_tordataset(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), gversion, hash, hashlist_exists(), isc_base32hex_decoderegion(), isc_buffer_init, isc_buffer_usedlength, ISC_FALSE, ISC_LIST_APPEND, ISC_MIN, ISC_R_NOMORE, ISC_R_SUCCESS, isc_region_consume, ISC_TRUE, maxttl, NSEC3_MAX_HASH_LENGTH, dns_rdata::rdclass, dns_rdatalist::rdclass, set_maxttl, dns_rdataset::ttl, dns_rdatalist::ttl, dns_rdata::type, and dns_rdatalist::type.

Referenced by nsec3ify().

static void rrset_cleanup	(	dns_name_t *	name,
		dns_rdataset_t *	rdataset,
		dns_diff_t *	add,
		dns_diff_t *	del
	)			`[static]`

Definition at line 2062 of file dnssec-signzone.c.

References check_result(), dns_diff_append(), DNS_DIFFOP_ADDRESIGN, DNS_DIFFOP_DELRESIGN, dns_difftuple_create(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_rdata_casecompare(), DNS_RDATA_INIT, dns_rdataset_clone(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), ISC_R_SUCCESS, maxttl, set_maxttl, dns_rdataset::ttl, dns_rdataset::type, type_format(), TYPE_FORMATSIZE, and vbprintf().

Referenced by cleanup_zone().

static void cleanup_zone ( void ) [static]

static void nsec3ify	(	unsigned int	hashalg,
		dns_iterations_t	iterations,
		const unsigned char *	salt,
		size_t	salt_len,
		hashlist_t *	hashlist
	)			`[static]`

Definition at line 2184 of file dnssec-signzone.c.

References active_node(), add_ds(), addnowildcardhash(), addnsec3(), addnsec3param(), check_dns_dbiterator_current, check_result(), dns_db_createiterator(), dns_db_detachnode(), DNS_DB_NONSEC3, DNS_DB_NSEC3ONLY, dns_dbiterator_current(), dns_dbiterator_destroy(), dns_dbiterator_first(), dns_dbiterator_next(), dns_dbiterator_pause(), dns_fixedname_init, dns_fixedname_name, dns_name_copy(), dns_name_countlabels(), dns_name_downcase(), dns_name_equal(), dns_name_fullcompare(), dns_name_issubdomain(), dns_name_split(), dns_rdataset_init(), fatal(), generateds, gversion, hashlist_add_dns_name(), hashlist_hasdup(), hashlist_sort(), is_delegation(), ISC_FALSE, ISC_R_NOMORE, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, name, nsec3clean(), nsec3flags, OPTOUT, remove_records(), remove_sigs(), secure(), and zone_soa_min_ttl.

Referenced by main().

static void loadzone	(	char *	file,
		char *	origin,
		dns_rdataclass_t	rdclass,
		dns_db_t **	db
	)			`[static]`

Load the zone file from disk.

Definition at line 2433 of file dnssec-signzone.c.

References check_result(), dns_db_create(), dns_db_load2(), dns_dbtype_zone, dns_fixedname_init, dns_fixedname_name, dns_name_fromtext(), DNS_R_SEENINCLUDE, dns_rootname, fatal(), inputformat, isc_buffer_add, isc_buffer_init, ISC_R_SUCCESS, isc_result_totext(), and name.

Referenced by main().

static void loadzonekeys	(	isc_boolean_t	preserve_keys,
		isc_boolean_t	load_public
	)			`[static]`

Finds all public zone keys in the zone, and attempts to load the private keys from disk.

Definition at line 2466 of file dnssec-signzone.c.

References cleanup(), currentversion(), directory, dns_db_closeversion(), dns_db_currentversion(), dns_db_detachnode(), dns_db_findnode(), dns_db_findrdataset(), dns_dnssec_keylistfromrdataset(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdataset_isassociated(), fatal(), ISC_FALSE, ISC_R_SUCCESS, isc_result_totext(), keylist, keyttl, set_keyttl, and dns_rdataset::ttl.

Referenced by main().

static void loadexplicitkeys	(	char *	keyfiles[],
		int	n,
		isc_boolean_t	setksk
	)			`[static]`

Definition at line 2531 of file dnssec-signzone.c.

References directory, dns_dnsseckey_create(), dns_keysource_user, dns_name_equal(), dst_key_alg(), dst_key_free(), dst_key_fromnamedfile(), dst_key_id(), dst_key_isprivate(), dst_key_name(), DST_TYPE_PRIVATE, DST_TYPE_PUBLIC, fatal(), dns_dnsseckey::force_publish, dns_dnsseckey::force_sign, ISC_LIST_APPEND, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, dns_dnsseckey::key, key, keylist, dns_dnsseckey::ksk, and dns_dnsseckey::source.

Referenced by main().

static void report	(	const char *	format,
			...
	)			`[static]`

Definition at line 2582 of file dnssec-signzone.c.

static void build_final_keylist ( void ) [static]

Definition at line 2591 of file dnssec-signzone.c.

References check_result(), directory, dns_db_closeversion(), dns_db_newversion(), dns_diff_applysilently(), dns_diff_clear(), dns_diff_init(), dns_dnssec_findmatchingkeys(), dns_dnssec_updatekeys(), dns_name_format(), DNS_NAME_FORMATSIZE, fatal(), ignore_kskflag, ISC_LIST_INIT, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, keylist, keyttl, name, and report().

Referenced by main().

static void warnifallksk ( dns_db_t * db ) [static]

static void set_nsec3params	(	isc_boolean_t	update,
		isc_boolean_t	set_salt,
		isc_boolean_t	set_optout,
		isc_boolean_t	set_iter
	)			`[static]`

static void writeset	(	const char *	prefix,
		dns_rdatatype_t	type
	)			`[static]`

Definition at line 2778 of file dnssec-signzone.c.

References check_result(), dns_db_closeversion(), dns_db_create(), dns_db_detach(), dns_db_newversion(), dns_dbtype_zone, dns_diff_append(), dns_diff_apply(), dns_diff_clear(), dns_diff_init(), DNS_DIFFOP_ADDRESIGN, dns_difftuple_create(), DNS_DS_BUFFERSIZE, dns_ds_buildrdata(), DNS_DSDIGEST_SHA1, DNS_DSDIGEST_SHA256, dns_fixedname_init, dns_fixedname_name, dns_master_dump(), dns_name_concatenate(), dns_name_countlabels(), DNS_NAME_FORMATSIZE, dns_name_getlabelsequence(), dns_name_init(), dns_name_tofilenametext(), dns_rdata_fromregion(), dns_rdata_init(), dns_rdata_reset(), dns_rootname, dsdir, dst_key_alg(), DST_KEY_MAXSIZE, dst_key_todns(), fatal(), fixed, gclass, isc_buffer_init, isc_buffer_putuint8, isc_buffer_usedregion, ISC_FALSE, ISC_LIST_HEAD, ISC_LIST_NEXT, isc_mem_get, isc_mem_put, ISC_TRUE, isksk(), dns_dnsseckey::key, key, keylist, name, namebuf, r, REVOKE, style, dns_rdata::type, and zone_soa_min_ttl.

Referenced by main().

static void print_time ( FILE * fp ) [static]

Definition at line 2922 of file dnssec-signzone.c.

References dns_masterformat_text, and outputformat.

Referenced by main().

static void print_version ( FILE * fp ) [static]

Definition at line 2933 of file dnssec-signzone.c.

References dns_masterformat_text, outputformat, and VERSION.

Referenced by main().

static ISC_PLATFORM_NORETURN_PRE void usage ( void ) [static]

Definition at line 2941 of file dnssec-signzone.c.

References PK11_LIB_LOCATION, program, and VERSION.

static void removetempfile ( void ) [static]

Definition at line 3044 of file dnssec-signzone.c.

References isc_file_remove(), removefile, and tempfile.

Referenced by main().

static void print_stats	(	isc_time_t *	timer_start,
		isc_time_t *	timer_finish,
		isc_time_t *	sign_start,
		isc_time_t *	sign_finish
	)			`[static]`

Definition at line 3050 of file dnssec-signzone.c.

References isc_time_microdiff(), ndropped, nretained, nsigned, nverified, nverifyfailed, and output_stdout.

Referenced by main().

int main	(	int	argc,
		char *	argv[]
	)

Definition at line 3085 of file dnssec-signzone.c.

References answer, build_final_keylist(), check_result(), cleanup_entropy(), cleanup_logging(), cleanup_zone(), CMDLINE_FLAGS, cycle, DESTROYLOCK, directory, disable_zone_check, dns_db_class(), dns_db_closeversion(), dns_db_detach(), dns_db_newversion(), dns_db_nodecount(), dns_db_origin(), dns_dnsseckey_destroy(), dns_fixedname_init, dns_fixedname_name, dns_hash_sha1, dns_master_dumptostream3(), dns_master_initrawheader(), dns_master_style_explicitttl, dns_master_style_full, dns_master_stylecreate(), dns_master_styledestroy(), dns_masterformat_map, dns_masterformat_raw, dns_masterformat_text, DNS_MASTERRAW_COMPAT, DNS_MASTERRAW_SOURCESERIALSET, dns_name_destroy(), dns_name_fromtext(), DNS_NAME_MAXWIRE, dns_nsec3_hashlength(), dns_nsec3_maxiterations(), dns_nsec_nseconly(), dns_result_register(), dns_rootname, DNS_STYLEFLAG_NO_TTL, dns_updatemethod_date, dns_updatemethod_increment, dns_updatemethod_unixtime, dnskey_endtime, dsdir, dst_lib_destroy(), dst_lib_init2(), endtime, fatal(), finished, dns_masterrawheader::flags, gclass, generateds, get_soa_ttls(), gsalt, gversion, hash_length, hashlist_init(), header, ignore_kskflag, dns_dnsseckey::index, inputformat, IS_NSEC3, isc_app_finish(), isc_app_onrun(), isc_app_run(), isc_app_start(), isc_buffer_add, isc_buffer_init, isc_buffer_usedlength, isc_commandline_argument, isc_commandline_errprint, isc_commandline_index, isc_commandline_option, isc_commandline_parse(), isc_commandline_reset, ISC_ENTROPY_BLOCKING, ISC_ENTROPY_GOODONLY, ISC_FALSE, isc_file_bopenunique(), isc_file_mktemplate(), isc_file_openunique(), isc_file_rename(), isc_hash_create(), isc_hash_destroy(), isc_hex_decodestring(), ISC_INT32_MAX, ISC_LIST_EMPTY, ISC_LIST_HEAD, ISC_LIST_INIT, ISC_LIST_NEXT, ISC_LIST_UNLINK, isc_mem_allocate, isc_mem_create(), ISC_MEM_DEBUGCTX, isc_mem_debugging, ISC_MEM_DEBUGRECORD, ISC_MEM_DEBUGSIZE, ISC_MEM_DEBUGTRACE, ISC_MEM_DEBUGUSAGE, isc_mem_destroy(), isc_mem_free, isc_mem_get, isc_mem_put, isc_mem_stats(), isc_mutex_init, isc_os_ncpus(), ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_result_totext(), isc_rwlock_init(), isc_stdio_close(), isc_stdtime_get(), isc_task_create(), isc_task_detach(), isc_taskmgr_create(), isc_taskmgr_destroy(), ISC_TRUE, jitter, key, keycount, keylist, keyset_kskonly, keyttl, loadexplicitkeys(), loadzone(), loadzonekeys(), MAXDSKEYS, maxttl, namelock, nokeys, now, nsec3flags, nsec3ify(), nsec3iter, nsec_datatype, nsecify(), ntasks, OPTOUT, origin, outfp, output(), output_dnssec_only, output_stdout, outputformat, pk11_result_register(), postsign(), presign(), print_stats(), print_time(), print_version(), printstats, program, rawversion, rdclass, remove_inactkeysigs, remove_orphansigs, removefile, removetempfile(), RUNTIME_CHECK, salt_length, saltbuf, serialformat, serialnum, set_keyttl, set_maxttl, set_nsec3params(), setfatalcallback(), setsoaserial(), setup_entropy(), setup_logging(), shuttingdown, signapex(), smartsign, snset, SOA_SERIAL_DATE, SOA_SERIAL_INCREMENT, SOA_SERIAL_KEEP, SOA_SERIAL_UNIXTIME, soa_ttl, dns_masterrawheader::sourceserial, starttime, startworker(), statslock, strtoclass(), strtotime(), strtottl(), tempfile, TIME_NOW, try_dir(), tryverify, unknownalg, update_chain, usage(), vbprintf(), verbose, verifyzone(), version, warnifallksk(), and writeset().

const char* program = "dnssec-signzone"

Definition at line 98 of file dnssec-signzone.c.

int verbose

Definition at line 99 of file dnssec-signzone.c.

int nsec_datatype = dns_rdatatype_nsec [static]

Definition at line 103 of file dnssec-signzone.c.

Referenced by active_node(), assignwork(), main(), remove_sigs(), set_nsec3params(), and signname().

dns_dnsseckeylist_t keylist [static]

Definition at line 129 of file dnssec-signzone.c.

Referenced by bind9_check_controls(), build_final_keylist(), check_viewconf(), keythatsigned(), keythatsigned_unlocked(), load_view_keys(), loadexplicitkeys(), loadzonekeys(), main(), ns_tsigkeyring_fromconfig(), signset(), and writeset().

unsigned int keycount = 0 [static]

Definition at line 130 of file dnssec-signzone.c.

Referenced by keythatsigned(), main(), ns_config_getipandkeylist(), and signset().

isc_rwlock_t keylist_lock

Definition at line 131 of file dnssec-signzone.c.

isc_stdtime_t starttime = 0 [static]

Definition at line 132 of file dnssec-signzone.c.

Referenced by main(), signset(), and signwithkey().

isc_stdtime_t endtime = 0 [static]

Definition at line 132 of file dnssec-signzone.c.

Referenced by main(), signset(), and signwithkey().

isc_stdtime_t dnskey_endtime = 0 [static]

Definition at line 132 of file dnssec-signzone.c.

Referenced by main(), and signwithkey().

isc_stdtime_t now [static]

Definition at line 132 of file dnssec-signzone.c.

Referenced by acache_incremental_cleaning_action(), add_initial_keys(), ATF_TC_BODY(), cancel_refresh(), check_hints(), cleanup_ring(), control_recvmessage(), create_keydata(), dns_badcache_add(), dns_badcache_flushname(), dns_badcache_flushtree(), dns_badcache_print(), dns_dnssec_findmatchingkeys(), dns_dnssec_findzonekeys2(), dns_dnssec_signmessage(), dns_dnssec_verify3(), dns_dnssec_verifymessage(), dns_keyring_restore(), dns_master_dumpnodetostream(), dns_ntatable_totext(), dns_root_checkhints(), dns_time64_from32(), dns_tkey_builddhquery(), dns_tkey_buildgssquery(), dns_tsig_sign(), dns_tsig_verify(), dns_tsigkey_find(), dns_tsigkeyring_dumpanddetach(), dns_update_signaturesinc(), dns_update_soaserial(), dns_view_loadnta(), dns_zone_create(), dns_zone_maintenance(), dns_zone_notify(), dns_zone_setsigresigninginterval(), evloop(), fctx_cancelquery(), fctx_getaddresses(), fctx_sendevents(), fetch_done(), generate_session_key(), got_transfer_quota(), isc__timer_create(), isc__timer_reset(), isc__timer_touch(), isc_httpd_recvdone(), isc_time_formathttptimestamp(), isc_time_formatISO8601(), isc_time_formattimestamp(), keyfetch_done(), load_secroots(), load_text(), main(), mark_secure(), minimal_update(), mkey_dumpzone(), ns_client_addopt(), ns_server_dumpsecroots(), ns_server_nta(), ns_zone_configure_writeable_dlz(), process_gsstkey(), publish_key(), query_recurse(), rdatasetiter_first(), rdatasetiter_next(), received(), refresh_callback(), refresh_time(), rndc_connected(), rndc_recvnonce(), set_keyversion(), signset(), stub_callback(), symtab_clean(), totext_keydata(), tsig_verify_tcp(), view_find(), wouldvalidate(), xfrin_connect_done(), zone_addnsec3chain(), zone_load(), zone_maintenance(), zone_needdump(), zone_nsec3chain(), zone_postload(), zone_refreshkeys(), zone_resigninc(), zone_sign(), and zone_xfrdone().

int cycle = -1 [static]

Definition at line 133 of file dnssec-signzone.c.

Referenced by main(), and signset().

int jitter = 0 [static]

Definition at line 134 of file dnssec-signzone.c.

Referenced by main(), signwithkey(), zone_nsec3chain(), zone_resigninc(), and zone_sign().

isc_boolean_t tryverify = ISC_FALSE [static]

Definition at line 135 of file dnssec-signzone.c.

Referenced by main(), and signwithkey().

isc_boolean_t printstats = ISC_FALSE [static]

Definition at line 136 of file dnssec-signzone.c.

Referenced by main().

isc_mem_t* mctx = NULL [static]

Definition at line 137 of file dnssec-signzone.c.

isc_entropy_t* ectx = NULL [static]

Definition at line 138 of file dnssec-signzone.c.

dns_ttl_t zone_soa_min_ttl [static]

Definition at line 139 of file dnssec-signzone.c.

Referenced by get_soa_ttls(), nsec3ify(), nsecify(), and writeset().

dns_ttl_t soa_ttl [static]

Definition at line 140 of file dnssec-signzone.c.

Referenced by get_soa_ttls(), and main().

FILE* outfp = NULL [static]

Definition at line 141 of file dnssec-signzone.c.

Referenced by dumpnode(), and main().

char* tempfile = NULL [static]

Definition at line 142 of file dnssec-signzone.c.

Referenced by main(), and removetempfile().

const dns_master_style_t* masterstyle [static]

Definition at line 143 of file dnssec-signzone.c.

Referenced by ISC_LIST(), and ns_zone_configure().

dns_masterformat_t inputformat = dns_masterformat_text [static]

Definition at line 144 of file dnssec-signzone.c.

Referenced by loadzone(), main(), and opendb().

dns_masterformat_t outputformat = dns_masterformat_text [static]

Definition at line 145 of file dnssec-signzone.c.

Referenced by cleannode(), dumpnode(), main(), print_time(), and print_version().

isc_uint32_t rawversion = 1 [static]

Definition at line 146 of file dnssec-signzone.c.

Referenced by main(), and writeheader().

isc_uint32_t serialnum = 0 [static]

Definition at line 146 of file dnssec-signzone.c.

Referenced by main().

isc_boolean_t snset = ISC_FALSE [static]

Definition at line 147 of file dnssec-signzone.c.

Referenced by main().

unsigned int nsigned = 0 [static]

Definition at line 148 of file dnssec-signzone.c.

Referenced by print_stats(), and signwithkey().

unsigned int nretained = 0 [static]

Definition at line 148 of file dnssec-signzone.c.

Referenced by print_stats(), and signset().

unsigned int ndropped = 0 [static]

Definition at line 148 of file dnssec-signzone.c.

Referenced by print_stats(), and signset().

unsigned int nverified = 0 [static]

Definition at line 149 of file dnssec-signzone.c.

Referenced by print_stats(), setverifies(), and signwithkey().

unsigned int nverifyfailed = 0 [static]

Definition at line 149 of file dnssec-signzone.c.

Referenced by print_stats(), setverifies(), and signwithkey().

const char* directory = NULL [static]

Definition at line 150 of file dnssec-signzone.c.

Referenced by build_final_keylist(), configure_view_dnsseckeys(), directory_callback(), find_zone_keys(), keythatsigned(), loadexplicitkeys(), loadzonekeys(), and main().

const char * dsdir = NULL [static]

Definition at line 150 of file dnssec-signzone.c.

Referenced by main(), opendb(), and writeset().

isc_mutex_t namelock [static]

Definition at line 151 of file dnssec-signzone.c.

Referenced by assignwork(), and main().

isc_mutex_t statslock [static]

Definition at line 151 of file dnssec-signzone.c.

Referenced by main().

isc_taskmgr_t* taskmgr = NULL [static]

Definition at line 152 of file dnssec-signzone.c.

dns_db_t* gdb [static]

Definition at line 153 of file dnssec-signzone.c.

dns_dbversion_t* gversion [static]

Definition at line 154 of file dnssec-signzone.c.

Referenced by active_node(), add_ds(), addnsec3(), addnsec3param(), assignwork(), cleanup_zone(), dumpnode(), expecttofindkey(), get_soa_ttls(), main(), nsec3clean(), nsec3ify(), nsecify(), remove_records(), remove_sigs(), secure(), setsoaserial(), signapex(), signname(), signset(), and writenode().

dns_dbiterator_t* gdbiter [static]

Definition at line 155 of file dnssec-signzone.c.

dns_rdataclass_t gclass [static]

Definition at line 156 of file dnssec-signzone.c.

Referenced by addnsec3param(), loadds(), main(), and writeset().

dns_name_t* gorigin [static]

Definition at line 157 of file dnssec-signzone.c.

int nsec3flags = 0 [static]

Definition at line 158 of file dnssec-signzone.c.

Referenced by addnsec3(), assignwork(), main(), nsec3ify(), and set_nsec3params().

dns_iterations_t nsec3iter = 10U [static]

Definition at line 159 of file dnssec-signzone.c.

Referenced by main(), and set_nsec3params().

unsigned char saltbuf[255] [static]

Definition at line 160 of file dnssec-signzone.c.

Referenced by main(), set_nsec3params(), and zone_addnsec3chain().

unsigned char* gsalt = saltbuf [static]

Definition at line 161 of file dnssec-signzone.c.

Referenced by main(), and set_nsec3params().

size_t salt_length = 0 [static]

Definition at line 162 of file dnssec-signzone.c.

Referenced by dns_nsec3_addnsec3(), dns_nsec3_delnsec3(), getnsec3parameters(), main(), query_findclosestnsec3(), and set_nsec3params().

isc_task_t* master = NULL [static]

Definition at line 163 of file dnssec-signzone.c.

Referenced by forward_callback(), got_transfer_quota(), recvsoa(), refresh_callback(), stub_callback(), and zone_notify().

unsigned int ntasks = 0 [static]

Definition at line 164 of file dnssec-signzone.c.

Referenced by assignwork(), dns_zonemgr_setsize(), and main().

isc_boolean_t shuttingdown = ISC_FALSE [static]

Definition at line 165 of file dnssec-signzone.c.

Referenced by assignwork(), getinput(), main(), recvsoa(), shutdown_program(), and update_completed().

isc_boolean_t finished = ISC_FALSE [static]

Definition at line 165 of file dnssec-signzone.c.

Referenced by assignwork(), dispatch(), main(), and signapex().

isc_boolean_t nokeys = ISC_FALSE [static]

Definition at line 166 of file dnssec-signzone.c.

Referenced by main().

isc_boolean_t removefile = ISC_FALSE [static]

Definition at line 167 of file dnssec-signzone.c.

Referenced by dns_view_saventa(), main(), and removetempfile().

isc_boolean_t generateds = ISC_FALSE [static]

Definition at line 168 of file dnssec-signzone.c.

Referenced by main(), nsec3ify(), and nsecify().

isc_boolean_t ignore_kskflag = ISC_FALSE [static]

Definition at line 169 of file dnssec-signzone.c.

Referenced by build_final_keylist(), iszsk(), main(), and warnifallksk().

isc_boolean_t keyset_kskonly = ISC_FALSE [static]

Definition at line 170 of file dnssec-signzone.c.

Referenced by main(), signset(), zone_nsec3chain(), zone_resigninc(), and zone_sign().

dns_name_t* dlv = NULL [static]

Definition at line 171 of file dnssec-signzone.c.

Referenced by check_options(), configure_view(), dlv_algorithm_supported(), dlv_validatezonekey(), freestruct_dlv(), fromstruct_dlv(), and tostruct_dlv().

dns_fixedname_t dlv_fixed [static]

Definition at line 172 of file dnssec-signzone.c.

dns_master_style_t* dsstyle = NULL [static]

Definition at line 173 of file dnssec-signzone.c.

unsigned int serialformat = SOA_SERIAL_KEEP [static]

Definition at line 174 of file dnssec-signzone.c.

Referenced by main().

unsigned int hash_length = 0 [static]

Definition at line 175 of file dnssec-signzone.c.

Referenced by hashlist_comp(), and main().

isc_boolean_t unknownalg = ISC_FALSE [static]

Definition at line 176 of file dnssec-signzone.c.

Referenced by addnsec3(), addnsec3param(), and main().

isc_boolean_t disable_zone_check = ISC_FALSE [static]

Definition at line 177 of file dnssec-signzone.c.

Referenced by cleannode(), main(), and warnifallksk().

isc_boolean_t update_chain = ISC_FALSE [static]

Definition at line 178 of file dnssec-signzone.c.

Referenced by main(), and remove_records().

isc_boolean_t set_keyttl = ISC_FALSE [static]

Definition at line 179 of file dnssec-signzone.c.

Referenced by loadzonekeys(), and main().

dns_ttl_t keyttl [static]

Definition at line 180 of file dnssec-signzone.c.

Referenced by build_final_keylist(), loadzonekeys(), and main().

isc_boolean_t smartsign = ISC_FALSE [static]

Definition at line 181 of file dnssec-signzone.c.

Referenced by dumpnode(), and main().

isc_boolean_t remove_orphansigs = ISC_FALSE [static]

Definition at line 182 of file dnssec-signzone.c.

Referenced by main(), and signset().

isc_boolean_t remove_inactkeysigs = ISC_FALSE [static]

Definition at line 183 of file dnssec-signzone.c.

Referenced by main(), and signset().

isc_boolean_t output_dnssec_only = ISC_FALSE [static]

Definition at line 184 of file dnssec-signzone.c.

Referenced by dumpnode(), and main().

isc_boolean_t output_stdout = ISC_FALSE [static]

Definition at line 185 of file dnssec-signzone.c.

Referenced by main(), and print_stats().

isc_boolean_t set_maxttl = ISC_FALSE

Definition at line 186 of file dnssec-signzone.c.

Referenced by get_soa_ttls(), main(), nsec3clean(), and rrset_cleanup().

dns_ttl_t maxttl = 0 [static]

Definition at line 187 of file dnssec-signzone.c.

Referenced by configure_zone(), get_soa_ttls(), ISC_LIST(), main(), ns_zone_configure(), nsec3clean(), rrset_cleanup(), and update_action().

dnssec-signzone.c File Reference

Data Structures

Defines

Typedefs

Functions

Variables

Detailed Description

Define Documentation

Typedef Documentation

Function Documentation

Variable Documentation


Data Structures
struct	signer_event
struct	hashlist
Defines
#define	PATH_MAX 1024
#define	IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3)
#define	OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
#define	REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
#define	BUFSIZE 2048
#define	MAXDSKEYS 8
#define	SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453)
#define	SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0)
#define	SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1)
#define	SOA_SERIAL_KEEP 0
#define	SOA_SERIAL_INCREMENT 1
#define	SOA_SERIAL_UNIXTIME 2
#define	SOA_SERIAL_DATE 3
#define	INCSTAT(counter)
#define	CMDLINE_FLAGS "3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:M:n:N:o:O:PpQRr:s:ST:tuUv:VX:xzZ:"
Typedefs
typedef struct hashlist	hashlist_t
typedef struct signer_event	sevent_t
Functions
static void	sign (isc_task_t task, isc_event_t event)
	Sign a database node.
static void	dumpnode (dns_name_t name, dns_dbnode_t node)
static void	signwithkey (dns_name_t name, dns_rdataset_t rdataset, dst_key_t key, dns_ttl_t ttl, dns_diff_t add, const char *logmsg)
	Sign the given RRset with given key, and add the signature record to the given tuple.
static isc_boolean_t	issigningkey (dns_dnsseckey_t *key)
static isc_boolean_t	ispublishedkey (dns_dnsseckey_t *key)
static isc_boolean_t	iszonekey (dns_dnsseckey_t *key)
static isc_boolean_t	isksk (dns_dnsseckey_t *key)
static isc_boolean_t	iszsk (dns_dnsseckey_t *key)
static dns_dnsseckey_t *	keythatsigned_unlocked (dns_rdata_rrsig_t *rrsig)
	Find the key that generated an RRSIG, if it is in the key list. If so, return a pointer to it, otherwise return NULL.
static dns_dnsseckey_t *	keythatsigned (dns_rdata_rrsig_t *rrsig)
	Finds the key that generated a RRSIG, if possible. First look at the keys that we've loaded already, and then see if there's a key on disk.
static isc_boolean_t	expecttofindkey (dns_name_t *name)
	Check to see if we expect to find a key at this name. If we see a RRSIG and can't find the signing key that we expect to find, we drop the rrsig. I'm not sure if this is completely correct, but it seems to work.
static isc_boolean_t	setverifies (dns_name_t name, dns_rdataset_t set, dst_key_t key, dns_rdata_t rrsig)
static void	signset (dns_diff_t del, dns_diff_t add, dns_dbnode_t node, dns_name_t name, dns_rdataset_t *set)
	Signs a set. Goes through contortions to decide if each RRSIG should be dropped or retained, and then determines if any new SIGs need to be generated.
static void	hashlist_init (hashlist_t *l, unsigned int nodes, unsigned int length)
static void	hashlist_add (hashlist_t l, const unsigned char hash, size_t len)
static void	hashlist_add_dns_name (hashlist_t l, dns_name_t name, unsigned int hashalg, unsigned int iterations, const unsigned char *salt, size_t salt_len, isc_boolean_t speculative)
static int	hashlist_comp (const void a, const void b)
static void	hashlist_sort (hashlist_t *l)
static isc_boolean_t	hashlist_hasdup (hashlist_t *l)
static const unsigned char *	hashlist_findnext (const hashlist_t *l, const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
static isc_boolean_t	hashlist_exists (const hashlist_t *l, const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
static void	addnowildcardhash (hashlist_t l, dns_name_t name, unsigned int hashalg, unsigned int iterations, const unsigned char *salt, size_t salt_len)
static void	opendb (const char prefix, dns_name_t name, dns_rdataclass_t rdclass, dns_db_t **dbp)
static isc_result_t	loadds (dns_name_t name, isc_uint32_t ttl, dns_rdataset_t dsset)
	Load the DS set for a child zone, if a dsset-* file can be found. If not, try to find a keyset-* file from an earlier version of dnssec-signzone, and build DS records from that.
static isc_boolean_t	secure (dns_name_t name, dns_dbnode_t node)
static void	signname (dns_dbnode_t node, dns_name_t name)
	Signs all records at a name.
static isc_boolean_t	active_node (dns_dbnode_t *node)
static void	get_soa_ttls (void)
	Extracts the minimum TTL from the SOA record, and the SOA record's TTL.
static isc_result_t	setsoaserial (isc_uint32_t serial, dns_updatemethod_t method)
	Increment (or set if nonzero) the SOA serial.
static void	cleannode (dns_db_t db, dns_dbversion_t dbversion, dns_dbnode_t *node)
	Delete any RRSIG records at a node.
static void	presign (void)
	Set up the iterator and global state before starting the tasks.
static void	postsign (void)
	Clean up the iterator and global state after the tasks complete.
static void	signapex (void)
	Sign the apex of the zone. Note the origin may not be the first node if there are out of zone records.
static void	assignwork (isc_task_t task, isc_task_t worker)
	Assigns a node to a worker thread. This is protected by the master task's lock.
static void	startworker (isc_task_t task, isc_event_t event)
	Start a worker task.
static void	writenode (isc_task_t task, isc_event_t event)
	Write a node to the output file, and restart the worker task.
static void	add_ds (dns_name_t name, dns_dbnode_t node, isc_uint32_t nsttl)
	Update / remove the DS RRset. Preserve RRSIG(DS) if possible.
static void	remove_records (dns_dbnode_t *node, dns_rdatatype_t which, isc_boolean_t checknsec)
static void	remove_sigs (dns_dbnode_t *node, isc_boolean_t delegation, dns_rdatatype_t which)
static void	nsecify (void)
	Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
static void	addnsec3param (const unsigned char *salt, size_t salt_len, dns_iterations_t iterations)
static void	addnsec3 (dns_name_t name, dns_dbnode_t node, const unsigned char salt, size_t salt_len, unsigned int iterations, hashlist_t hashlist, dns_ttl_t ttl)
static void	nsec3clean (dns_name_t name, dns_dbnode_t node, unsigned int hashalg, unsigned int iterations, const unsigned char salt, size_t salt_len, hashlist_t hashlist)
	Clean out NSEC3 record and RRSIG(NSEC3) that are not in the hash list.
static void	rrset_cleanup (dns_name_t name, dns_rdataset_t rdataset, dns_diff_t add, dns_diff_t del)
static void	cleanup_zone (void)
static void	nsec3ify (unsigned int hashalg, dns_iterations_t iterations, const unsigned char salt, size_t salt_len, hashlist_t hashlist)
static void	loadzone (char file, char origin, dns_rdataclass_t rdclass, dns_db_t **db)
	Load the zone file from disk.
static void	loadzonekeys (isc_boolean_t preserve_keys, isc_boolean_t load_public)
	Finds all public zone keys in the zone, and attempts to load the private keys from disk.
static void	loadexplicitkeys (char *keyfiles[], int n, isc_boolean_t setksk)
static void	report (const char *format,...)
static void	build_final_keylist (void)
static void	warnifallksk (dns_db_t *db)
static void	set_nsec3params (isc_boolean_t update, isc_boolean_t set_salt, isc_boolean_t set_optout, isc_boolean_t set_iter)
static void	writeset (const char *prefix, dns_rdatatype_t type)
static void	print_time (FILE *fp)
static void	print_version (FILE *fp)
static ISC_PLATFORM_NORETURN_PRE void	usage (void)
static void	removetempfile (void)
static void	print_stats (isc_time_t timer_start, isc_time_t timer_finish, isc_time_t sign_start, isc_time_t sign_finish)
int	main (int argc, char *argv[])
Variables
const char *	program = "dnssec-signzone"
int	verbose
static int	nsec_datatype = dns_rdatatype_nsec
static dns_dnsseckeylist_t	keylist
static unsigned int	keycount = 0
isc_rwlock_t	keylist_lock
static isc_stdtime_t	starttime = 0
static isc_stdtime_t	endtime = 0
static isc_stdtime_t	dnskey_endtime = 0
static isc_stdtime_t	now
static int	cycle = -1
static int	jitter = 0
static isc_boolean_t	tryverify = ISC_FALSE
static isc_boolean_t	printstats = ISC_FALSE
static isc_mem_t *	mctx = NULL
static isc_entropy_t *	ectx = NULL
static dns_ttl_t	zone_soa_min_ttl
static dns_ttl_t	soa_ttl
static FILE *	outfp = NULL
static char *	tempfile = NULL
static const dns_master_style_t *	masterstyle
static dns_masterformat_t	inputformat = dns_masterformat_text
static dns_masterformat_t	outputformat = dns_masterformat_text
static isc_uint32_t	rawversion = 1
static isc_uint32_t	serialnum = 0
static isc_boolean_t	snset = ISC_FALSE
static unsigned int	nsigned = 0
static unsigned int	nretained = 0
static unsigned int	ndropped = 0
static unsigned int	nverified = 0
static unsigned int	nverifyfailed = 0
static const char *	directory = NULL
static const char *	dsdir = NULL
static isc_mutex_t	namelock
static isc_mutex_t	statslock
static isc_taskmgr_t *	taskmgr = NULL
static dns_db_t *	gdb
static dns_dbversion_t *	gversion
static dns_dbiterator_t *	gdbiter
static dns_rdataclass_t	gclass
static dns_name_t *	gorigin
static int	nsec3flags = 0
static dns_iterations_t	nsec3iter = 10U
static unsigned char	saltbuf [255]
static unsigned char *	gsalt = saltbuf
static size_t	salt_length = 0
static isc_task_t *	master = NULL
static unsigned int	ntasks = 0
static isc_boolean_t	shuttingdown = ISC_FALSE
static isc_boolean_t	finished = ISC_FALSE
static isc_boolean_t	nokeys = ISC_FALSE
static isc_boolean_t	removefile = ISC_FALSE
static isc_boolean_t	generateds = ISC_FALSE
static isc_boolean_t	ignore_kskflag = ISC_FALSE
static isc_boolean_t	keyset_kskonly = ISC_FALSE
static dns_name_t *	dlv = NULL
static dns_fixedname_t	dlv_fixed
static dns_master_style_t *	dsstyle = NULL
static unsigned int	serialformat = SOA_SERIAL_KEEP
static unsigned int	hash_length = 0
static isc_boolean_t	unknownalg = ISC_FALSE
static isc_boolean_t	disable_zone_check = ISC_FALSE
static isc_boolean_t	update_chain = ISC_FALSE
static isc_boolean_t	set_keyttl = ISC_FALSE
static dns_ttl_t	keyttl
static isc_boolean_t	smartsign = ISC_FALSE
static isc_boolean_t	remove_orphansigs = ISC_FALSE
static isc_boolean_t	remove_inactkeysigs = ISC_FALSE
static isc_boolean_t	output_dnssec_only = ISC_FALSE
static isc_boolean_t	output_stdout = ISC_FALSE
isc_boolean_t	set_maxttl = ISC_FALSE
static dns_ttl_t	maxttl = 0