#include <config.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/dir.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/serial.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/diff.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/message.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include <dns/result.h>
#include <dns/stats.h>
#include <dns/tsig.h>
#include <dst/result.h>
Defines | |
#define | is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR) |
#define | RETERR(x) |
#define | TYPE_SIGN 0 |
#define | TYPE_VERIFY 1 |
#define | is_zone_key(key) |
Functions | |
static isc_result_t | digest_callback (void *arg, isc_region_t *data) |
static int | rdata_compare_wrapper (const void *rdata1, const void *rdata2) |
static isc_result_t | rdataset_to_sortedarray (dns_rdataset_t *set, isc_mem_t *mctx, dns_rdata_t **rdata, int *nrdata) |
static void | inc_stat (isc_statscounter_t counter) |
isc_result_t | dns_dnssec_keyfromrdata (dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx, dst_key_t **key) |
Creates a DST key from a DNS record. Basically a wrapper around dst_key_fromdns(). | |
static isc_result_t | digest_sig (dst_context_t *ctx, isc_boolean_t downcase, dns_rdata_t *sigrdata, dns_rdata_rrsig_t *rrsig) |
isc_result_t | dns_dnssec_sign (dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_stdtime_t *inception, isc_stdtime_t *expire, isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata) |
Generates a RRSIG record covering this rdataset. This has no effect on existing RRSIG records. | |
isc_result_t | dns_dnssec_verify2 (dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild) |
isc_result_t | dns_dnssec_verify3 (dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, unsigned int maxbits, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild) |
Verifies the RRSIG record covering this rdataset signed by a specific key. This does not determine if the key's owner is authorized to sign this record, as this requires a resolver or database. If 'ignoretime' is ISC_TRUE, temporal validity will not be checked. | |
isc_result_t | dns_dnssec_verify (dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata) |
isc_boolean_t | dns_dnssec_keyactive (dst_key_t *key, isc_stdtime_t now) |
Returns ISC_TRUE if 'key' is active as of the time specified in 'now' (i.e., if the activation date has passed, inactivation or deletion date has not yet been reached, and the key is not revoked -- or if it is a legacy key without metadata). Otherwise returns ISC_FALSE. | |
isc_result_t | dns_dnssec_findzonekeys2 (dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, const char *directory, isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys) |
Finds a set of zone keys. XXX temporary - this should be handled in dns_zone_t. | |
isc_result_t | dns_dnssec_findzonekeys (dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys) |
isc_result_t | dns_dnssec_signmessage (dns_message_t *msg, dst_key_t *key) |
Signs a message with a SIG(0) record. This is implicitly called by dns_message_renderend() if msg->sig0key is not NULL. | |
isc_result_t | dns_dnssec_verifymessage (isc_buffer_t *source, dns_message_t *msg, dst_key_t *key) |
Verifies a message signed by a SIG(0) record. This is not called implicitly by dns_message_parse(). If dns_message_signer() is called before dns_dnssec_verifymessage(), it will return DNS_R_NOTVERIFIEDYET. dns_dnssec_verifymessage() will set the verified_sig0 flag in msg if the verify succeeds, and the sig0status field otherwise. | |
isc_boolean_t | dns_dnssec_selfsigns (dns_rdata_t *rdata, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_boolean_t ignoretime, isc_mem_t *mctx) |
Does this key ('rdata') self-sign the RRset ('rdataset')? | |
isc_boolean_t | dns_dnssec_signs (dns_rdata_t *rdata, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_boolean_t ignoretime, isc_mem_t *mctx) |
Verify that 'rdataset' is validly signed in 'sigrdataset' by the key in 'rdata'. | |
isc_result_t | dns_dnsseckey_create (isc_mem_t *mctx, dst_key_t **dstkey, dns_dnsseckey_t **dkp) |
Create and initialize a dns_dnsseckey_t structure. | |
void | dns_dnsseckey_destroy (isc_mem_t *mctx, dns_dnsseckey_t **dkp) |
Reclaim a dns_dnsseckey_t structure. | |
static void | get_hints (dns_dnsseckey_t *key, isc_stdtime_t now) |
isc_result_t | dns_dnssec_findmatchingkeys (dns_name_t *origin, const char *directory, isc_mem_t *mctx, dns_dnsseckeylist_t *keylist) |
Get a list of DNSSEC keys from the key repository. | |
static isc_result_t | addkey (dns_dnsseckeylist_t *keylist, dst_key_t **newkey, isc_boolean_t savekeys, isc_mem_t *mctx) |
Add 'newkey' to 'keylist' if it's not already there. | |
static isc_result_t | mark_active_keys (dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) |
Mark all keys which signed the DNSKEY/SOA RRsets as "active", for future reference. | |
isc_result_t | dns_dnssec_keylistfromrdataset (dns_name_t *origin, const char *directory, isc_mem_t *mctx, dns_rdataset_t *keyset, dns_rdataset_t *keysigs, dns_rdataset_t *soasigs, isc_boolean_t savekeys, isc_boolean_t publickey, dns_dnsseckeylist_t *keylist) |
Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'. | |
static isc_result_t | make_dnskey (dst_key_t *key, unsigned char *buf, int bufsize, dns_rdata_t *target) |
static isc_result_t | publish_key (dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin, dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk, void(*report)(const char *,...)) |
static isc_result_t | remove_key (dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin, dns_ttl_t ttl, isc_mem_t *mctx, const char *reason, void(*report)(const char *,...)) |
isc_result_t | dns_dnssec_updatekeys (dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, dns_dnsseckeylist_t *removed, dns_name_t *origin, dns_ttl_t hint_ttl, dns_diff_t *diff, isc_boolean_t allzsk, isc_mem_t *mctx, void(*report)(const char *,...)) |
Update the list of keys in 'keys' with new key information in 'newkeys'. | |
Variables | |
LIBDNS_EXTERNAL_DATA isc_stats_t * | dns_dnssec_stats |
Maximum number of keys supported in a zone. |
Definition in file dnssec.c.
#define is_response | ( | msg | ) | (msg->flags & DNS_MESSAGEFLAG_QR) |
Definition at line 51 of file dnssec.c.
Referenced by dns_dnssec_signmessage(), dns_dnssec_verifymessage(), dns_tsig_sign(), dns_tsig_verify(), and tsig_verify_tcp().
#define RETERR | ( | x | ) |
Value:
do { \ result = (x); \ if (result != ISC_R_SUCCESS) \ goto failure; \ } while (0)
#define is_zone_key | ( | key | ) |
Value:
((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \ == DNS_KEYOWNER_ZONE)
Definition at line 663 of file dnssec.c.
Referenced by dns_dnssec_findzonekeys2(), and dns_dnssec_keylistfromrdataset().
static isc_result_t digest_callback | ( | void * | arg, | |
isc_region_t * | data | |||
) | [static] |
Definition at line 74 of file dnssec.c.
References dst_context_adddata().
Referenced by dns_dnssec_sign(), and dns_dnssec_verify3().
static int rdata_compare_wrapper | ( | const void * | rdata1, | |
const void * | rdata2 | |||
) | [static] |
Definition at line 90 of file dnssec.c.
References dns_rdata_compare().
Referenced by rdataset_to_sortedarray().
static isc_result_t rdataset_to_sortedarray | ( | dns_rdataset_t * | set, | |
isc_mem_t * | mctx, | |||
dns_rdata_t ** | rdata, | |||
int * | nrdata | |||
) | [static] |
Definition at line 99 of file dnssec.c.
References dns_rdata_init(), dns_rdataset_clone(), dns_rdataset_count(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, and rdata_compare_wrapper().
Referenced by dns_dnssec_sign(), and dns_dnssec_verify3().
static void inc_stat | ( | isc_statscounter_t | counter | ) | [inline, static] |
Definition at line 81 of file dnssec.c.
References dns_dnssec_stats, and isc_stats_increment().
Referenced by dns_dnssec_verify3().
isc_result_t dns_dnssec_keyfromrdata | ( | dns_name_t * | name, | |
dns_rdata_t * | rdata, | |||
isc_mem_t * | mctx, | |||
dst_key_t ** | key | |||
) |
Creates a DST key from a DNS record. Basically a wrapper around dst_key_fromdns().
Requires:
Definition at line 141 of file dnssec.c.
References isc_region::base, dns_rdata_toregion(), dst_key_fromdns(), INSIST, isc_buffer_add, isc_buffer_init, isc_region::length, r, dns_rdata::rdclass, REQUIRE, and dns_rdata::type.
Referenced by checkkey(), compute_tag(), dns_dnssec_findzonekeys2(), dns_dnssec_keylistfromrdataset(), dns_dnssec_signs(), dns_tkey_processdhresponse(), dns_view_untrust(), goodsig(), isselfsigned(), process_dhtkey(), revocable(), and trust_key().
static isc_result_t digest_sig | ( | dst_context_t * | ctx, | |
isc_boolean_t | downcase, | |||
dns_rdata_t * | sigrdata, | |||
dns_rdata_rrsig_t * | rrsig | |||
) | [static] |
Definition at line 162 of file dnssec.c.
References dns_fixedname_init, dns_fixedname_name, dns_name_downcase(), dns_name_toregion(), dns_rdata_toregion(), dst_context_adddata(), INSIST, ISC_R_SUCCESS, isc_region::length, r, and RUNTIME_CHECK.
Referenced by dns_dnssec_sign(), and dns_dnssec_verify3().
isc_result_t dns_dnssec_sign | ( | dns_name_t * | name, | |
dns_rdataset_t * | set, | |||
dst_key_t * | key, | |||
isc_stdtime_t * | inception, | |||
isc_stdtime_t * | expire, | |||
isc_mem_t * | mctx, | |||
isc_buffer_t * | buffer, | |||
dns_rdata_t * | sigrdata | |||
) |
Generates a RRSIG record covering this rdataset. This has no effect on existing RRSIG records.
Requires:
Definition at line 190 of file dnssec.c.
References isc_region::base, databuf, digest_callback(), digest_sig(), dns_fixedname_init, dns_fixedname_name, DNS_KEYFLAG_OWNERMASK, DNS_KEYOWNER_ZONE, DNS_KEYTYPE_NOAUTH, DNS_LOGCATEGORY_DNSSEC, dns_name_clone(), dns_name_countlabels(), dns_name_downcase(), dns_name_init(), dns_name_iswildcard(), dns_name_toregion(), DNS_R_INVALIDTIME, DNS_R_KEYUNAUTHORIZED, dns_rdata_compare(), dns_rdata_digest(), dns_rdata_fromstruct(), dns_rdata_init(), dst_context_adddata(), dst_context_create3(), dst_context_destroy(), dst_context_sign(), dst_key_alg(), dst_key_flags(), dst_key_id(), dst_key_name(), dst_key_sigsize(), INSIST, isc_buffer_add, isc_buffer_allocate(), isc_buffer_free(), isc_buffer_init, isc_buffer_putuint16, isc_buffer_putuint32, isc_buffer_usedregion, ISC_FALSE, ISC_LINK_INIT, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_NOSPACE, ISC_R_SUCCESS, ISC_TRUE, isc_region::length, r, rdataset_to_sortedarray(), dns_rdata::rdclass, REQUIRE, RUNTIME_CHECK, and set().
Referenced by add_sigs(), sign_a_node(), and signwithkey().
isc_result_t dns_dnssec_verify2 | ( | dns_name_t * | name, | |
dns_rdataset_t * | set, | |||
dst_key_t * | key, | |||
isc_boolean_t | ignoretime, | |||
isc_mem_t * | mctx, | |||
dns_rdata_t * | sigrdata, | |||
dns_name_t * | wild | |||
) |
Definition at line 370 of file dnssec.c.
References dns_dnssec_verify3().
Referenced by dns_dnssec_signs(), dns_dnssec_verify(), keyfetch_done(), and revocable().
isc_result_t dns_dnssec_verify3 | ( | dns_name_t * | name, | |
dns_rdataset_t * | set, | |||
dst_key_t * | key, | |||
isc_boolean_t | ignoretime, | |||
unsigned int | maxbits, | |||
isc_mem_t * | mctx, | |||
dns_rdata_t * | sigrdata, | |||
dns_name_t * | wild | |||
) |
Verifies the RRSIG record covering this rdataset signed by a specific key. This does not determine if the key's owner is authorized to sign this record, as this requires a resolver or database. If 'ignoretime' is ISC_TRUE, temporal validity will not be checked.
'maxbits' specifies the maximum number of RSA exponent bits accepted.
Requires:
Definition at line 379 of file dnssec.c.
References isc_region::base, digest_callback(), digest_sig(), dns_dnssecstats_asis, dns_dnssecstats_downcase, dns_dnssecstats_fail, dns_dnssecstats_wildcard, dns_fixedname_init, dns_fixedname_name, DNS_KEYFLAG_OWNERMASK, DNS_KEYOWNER_ZONE, DNS_KEYTYPE_NOAUTH, dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC, dns_name_concatenate(), dns_name_countlabels(), dns_name_downcase(), dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_issubdomain(), dns_name_split(), dns_name_toregion(), DNS_R_FROMWILDCARD, DNS_R_KEYUNAUTHORIZED, DNS_R_SIGEXPIRED, DNS_R_SIGFUTURE, DNS_R_SIGINVALID, dns_rdata_compare(), dns_rdata_digest(), dns_rdata_freestruct(), dns_rdata_tostruct(), dns_wildcardname, dst_context_adddata(), dst_context_create4(), dst_context_destroy(), dst_context_verify2(), dst_key_flags(), DST_R_VERIFYFAILURE, inc_stat(), INSIST, isc_buffer_add, isc_buffer_init, isc_buffer_putuint16, isc_buffer_putuint32, isc_buffer_putuint8, isc_buffer_usedregion, ISC_FALSE, ISC_LOG_DEBUG, isc_log_write(), isc_mem_put, ISC_R_SUCCESS, isc_serial_lt(), isc_stdtime_get(), ISC_TRUE, isc_region::length, namebuf, now, r, rdataset_to_sortedarray(), REQUIRE, RUNTIME_CHECK, set(), and dns_rdata::type.
Referenced by dns_dnssec_verify2(), isselfsigned(), and verify().
isc_result_t dns_dnssec_verify | ( | dns_name_t * | name, | |
dns_rdataset_t * | set, | |||
dst_key_t * | key, | |||
isc_boolean_t | ignoretime, | |||
isc_mem_t * | mctx, | |||
dns_rdata_t * | sigrdata | |||
) |
Definition at line 598 of file dnssec.c.
References dns_dnssec_verify2(), DNS_R_FROMWILDCARD, and ISC_R_SUCCESS.
Referenced by goodsig(), setverifies(), and signwithkey().
isc_boolean_t dns_dnssec_keyactive | ( | dst_key_t * | key, | |
isc_stdtime_t | now | |||
) |
Returns ISC_TRUE if 'key' is active as of the time specified in 'now' (i.e., if the activation date has passed, inactivation or deletion date has not yet been reached, and the key is not revoked -- or if it is a legacy key without metadata). Otherwise returns ISC_FALSE.
Requires:
Definition at line 612 of file dnssec.c.
References dst_key_getprivateformat(), dst_key_gettime(), DST_TIME_ACTIVATE, DST_TIME_DELETE, DST_TIME_INACTIVE, DST_TIME_PUBLISH, DST_TIME_REVOKE, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, and RUNTIME_CHECK.
Referenced by dns_dnssec_findzonekeys2(), and signset().
isc_result_t dns_dnssec_findzonekeys2 | ( | dns_db_t * | db, | |
dns_dbversion_t * | ver, | |||
dns_dbnode_t * | node, | |||
dns_name_t * | name, | |||
const char * | directory, | |||
isc_mem_t * | mctx, | |||
unsigned int | maxkeys, | |||
dst_key_t ** | keys, | |||
unsigned int * | nkeys | |||
) |
Finds a set of zone keys. XXX temporary - this should be handled in dns_zone_t.
Definition at line 667 of file dnssec.c.
References dns_db_findrdataset(), dns_dnssec_keyactive(), dns_dnssec_keyfromrdata(), DNS_KEYFLAG_REVOKE, DNS_KEYTYPE_NOAUTH, dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DNSSEC, dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dns_secalg_format(), DNS_SECALG_FORMATSIZE, dst_key_alg(), dst_key_flags(), dst_key_free(), dst_key_fromfile(), dst_key_getfilename(), dst_key_id(), dst_key_name(), dst_key_pubcompare(), dst_key_setflags(), dst_key_setinactive(), dst_key_setttl(), DST_TYPE_PRIVATE, DST_TYPE_PUBLIC, is_zone_key, isc_buffer_init, ISC_DIR_NAMEMAX, ISC_FALSE, ISC_LOG_WARNING, isc_log_write(), ISC_R_FILENOTFOUND, ISC_R_NOMORE, ISC_R_NOPERM, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_result_totext(), isc_stdtime_get(), ISC_TRUE, namebuf, now, REQUIRE, RETERR, and dns_rdataset::ttl.
Referenced by dns_dnssec_findzonekeys(), and find_zone_keys().
isc_result_t dns_dnssec_findzonekeys | ( | dns_db_t * | db, | |
dns_dbversion_t * | ver, | |||
dns_dbnode_t * | node, | |||
dns_name_t * | name, | |||
isc_mem_t * | mctx, | |||
unsigned int | maxkeys, | |||
dst_key_t ** | keys, | |||
unsigned int * | nkeys | |||
) |
isc_result_t dns_dnssec_signmessage | ( | dns_message_t * | msg, | |
dst_key_t * | key | |||
) |
Signs a message with a SIG(0) record. This is implicitly called by dns_message_renderend() if msg->sig0key is not NULL.
Requires:
Definition at line 841 of file dnssec.c.
References isc_region::base, dns_message::buffer, databuf, DNS_LOGCATEGORY_DNSSEC, dns_message_gettemprdata(), dns_message_gettemprdatalist(), dns_message_gettemprdataset(), DNS_MESSAGE_HEADERLEN, dns_message_renderheader(), dns_message_takebuffer(), dns_name_clone(), dns_name_init(), dns_rdata_fromstruct(), dns_rdatalist_tordataset(), dns_rdataset_init(), DNS_TSIG_FUDGE, dst_context_adddata(), dst_context_create3(), dst_context_destroy(), dst_context_sign(), dst_key_alg(), dst_key_id(), dst_key_name(), dst_key_sigsize(), header, is_response, isc_buffer_allocate(), isc_buffer_free(), isc_buffer_init, isc_buffer_usedregion, ISC_FALSE, ISC_LINK_INIT, ISC_LIST_APPEND, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, isc_region_consume, isc_stdtime_get(), ISC_TRUE, dns_message::mctx, mctx, now, dns_message::query, r, dns_rdatalist::rdclass, REQUIRE, RETERR, RUNTIME_CHECK, dns_message::sig0, and dns_rdatalist::type.
Referenced by dns_message_renderend().
isc_result_t dns_dnssec_verifymessage | ( | isc_buffer_t * | source, | |
dns_message_t * | msg, | |||
dst_key_t * | key | |||
) |
Verifies a message signed by a SIG(0) record. This is not called implicitly by dns_message_parse(). If dns_message_signer() is called before dns_dnssec_verifymessage(), it will return DNS_R_NOTVERIFIEDYET. dns_dnssec_verifymessage() will set the verified_sig0 flag in msg if the verify succeeds, and the sig0status field otherwise.
Requires:
Definition at line 976 of file dnssec.c.
References isc_region::base, DNS_LOGCATEGORY_DNSSEC, DNS_MESSAGE_HEADERLEN, dns_name_equal(), DNS_R_SIGEXPIRED, DNS_R_SIGFUTURE, DNS_R_SIGINVALID, DNS_R_UNEXPECTEDTSIG, dns_rdata_freestruct(), DNS_RDATA_INIT, dns_rdata_toregion(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_tsigerror_badkey, dns_tsigerror_badsig, dns_tsigerror_badtime, dst_context_adddata(), dst_context_create3(), dst_context_destroy(), dst_context_verify(), dst_key_name(), header, is_response, isc_buffer_usedregion, ISC_FALSE, ISC_R_SUCCESS, isc_serial_lt(), isc_stdtime_get(), ISC_TRUE, isc_region::length, dns_message::mctx, mctx, now, dns_message::query, r, REQUIRE, RETERR, dns_message::sig0, dns_message::sig0status, dns_message::sigstart, dns_message::verified_sig, and dns_message::verify_attempted.
Referenced by dns_message_checksig().
isc_boolean_t dns_dnssec_selfsigns | ( | dns_rdata_t * | rdata, | |
dns_name_t * | name, | |||
dns_rdataset_t * | rdataset, | |||
dns_rdataset_t * | sigrdataset, | |||
isc_boolean_t | ignoretime, | |||
isc_mem_t * | mctx | |||
) |
Does this key ('rdata') self-sign the RRset ('rdataset')?
Definition at line 1111 of file dnssec.c.
References dns_rdataset::covers, dns_dnssec_signs(), INSIST, and dns_rdataset::type.
Referenced by verifyzone().
isc_boolean_t dns_dnssec_signs | ( | dns_rdata_t * | rdata, | |
dns_name_t * | name, | |||
dns_rdataset_t * | rdataset, | |||
dns_rdataset_t * | sigrdataset, | |||
isc_boolean_t | ignoretime, | |||
isc_mem_t * | mctx | |||
) |
Verify that 'rdataset' is validly signed in 'sigrdataset' by the key in 'rdata'.
dns_dnssec_selfsigns() requires that 'rdataset' be a DNSKEY or KEY RRset; dns_dnssec_signs() works on any RRset.
Definition at line 1131 of file dnssec.c.
References dns_rdataset::covers, dns_dnssec_keyfromrdata(), dns_dnssec_verify2(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), dst_key_free(), dst_key_id(), INSIST, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, key, RUNTIME_CHECK, and dns_rdataset::type.
Referenced by dns_dnssec_selfsigns(), and verifyzone().
isc_result_t dns_dnsseckey_create | ( | isc_mem_t * | mctx, | |
dst_key_t ** | dstkey, | |||
dns_dnsseckey_t ** | dkp | |||
) |
Create and initialize a dns_dnsseckey_t structure.
Requires:
Definition at line 1178 of file dnssec.c.
References DNS_KEYFLAG_KSK, dns_keysource_unknown, dst_key_flags(), dst_key_getprivateformat(), dns_dnsseckey::first_sign, dns_dnsseckey::force_publish, dns_dnsseckey::force_sign, dns_dnsseckey::hint_publish, dns_dnsseckey::hint_remove, dns_dnsseckey::hint_sign, dns_dnsseckey::index, INSIST, dns_dnsseckey::is_active, ISC_FALSE, ISC_LINK_INIT, isc_mem_get, ISC_R_NOMEMORY, ISC_R_SUCCESS, ISC_TF, dns_dnsseckey::key, dns_dnsseckey::ksk, dns_dnsseckey::legacy, dns_dnsseckey::prepublish, REQUIRE, and dns_dnsseckey::source.
Referenced by addkey(), dns_dnssec_findmatchingkeys(), keythatsigned(), and loadexplicitkeys().
void dns_dnsseckey_destroy | ( | isc_mem_t * | mctx, | |
dns_dnsseckey_t ** | dkp | |||
) |
Reclaim a dns_dnsseckey_t structure.
Requires:
Definition at line 1219 of file dnssec.c.
References dst_key_free(), isc_mem_put, dns_dnsseckey::key, and REQUIRE.
Referenced by dns_dnssec_findmatchingkeys(), dns_dnssec_updatekeys(), key_collision(), and main().
static void get_hints | ( | dns_dnsseckey_t * | key, | |
isc_stdtime_t | now | |||
) | [static] |
Definition at line 1231 of file dnssec.c.
References DNS_KEYFLAG_REVOKE, dst_key_flags(), dst_key_gettime(), dst_key_setflags(), DST_TIME_ACTIVATE, DST_TIME_DELETE, DST_TIME_INACTIVE, DST_TIME_PUBLISH, DST_TIME_REVOKE, dns_dnsseckey::hint_publish, dns_dnsseckey::hint_remove, dns_dnsseckey::hint_sign, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, dns_dnsseckey::key, dns_dnsseckey::prepublish, and REQUIRE.
Referenced by dns_dnssec_findmatchingkeys().
isc_result_t dns_dnssec_findmatchingkeys | ( | dns_name_t * | origin, | |
const char * | directory, | |||
isc_mem_t * | mctx, | |||
dns_dnsseckeylist_t * | keylist | |||
) |
Get a list of DNSSEC keys from the key repository.
Search 'directory' for K* key files matching the name in 'origin'. Append all such keys, along with use hints gleaned from their metadata, onto 'keylist'.
Definition at line 1327 of file dnssec.c.
References dns_dnsseckey_create(), dns_dnsseckey_destroy(), dns_keysource_repository, dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DNSSEC, DNS_NAME_FORMATSIZE, dns_name_tofilenametext(), dst_key_free(), dst_key_fromnamedfile(), DST_TYPE_PRIVATE, DST_TYPE_PUBLIC, isc_dir::entry, get_hints(), INSIST, isc_buffer_init, isc_buffer_usedlength, isc_dir_close(), isc_dir_init(), isc_dir_open(), isc_dir_read(), ISC_FALSE, ISC_LIST_APPEND, ISC_LIST_APPENDLIST, ISC_LIST_EMPTY, ISC_LIST_HEAD, ISC_LIST_INIT, ISC_LIST_UNLINK, ISC_LOG_WARNING, isc_log_write(), ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_result_totext(), isc_stdtime_get(), ISC_TRUE, dns_dnsseckey::key, key, dns_dnsseckey::legacy, isc_direntry::length, isc_direntry::name, namebuf, now, REQUIRE, RETERR, and dns_dnsseckey::source.
Referenced by build_final_keylist(), and key_collision().
static isc_result_t addkey | ( | dns_dnsseckeylist_t * | keylist, | |
dst_key_t ** | newkey, | |||
isc_boolean_t | savekeys, | |||
isc_mem_t * | mctx | |||
) | [static] |
Add 'newkey' to 'keylist' if it's not already there.
If 'savekeys' is ISC_TRUE, then we need to preserve all the keys in the keyset, regardless of whether they have metadata indicating they should be deactivated or removed.
Definition at line 1439 of file dnssec.c.
References dns_dnsseckey_create(), dns_keysource_zoneapex, dns_name_equal(), dst_key_alg(), dst_key_free(), dst_key_id(), dst_key_isprivate(), dst_key_name(), dns_dnsseckey::force_publish, dns_dnsseckey::force_sign, ISC_LIST_APPEND, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_SUCCESS, ISC_TRUE, dns_dnsseckey::key, key, dns_dnsseckey::legacy, and dns_dnsseckey::source.
Referenced by dns_dnssec_keylistfromrdataset().
static isc_result_t mark_active_keys | ( | dns_dnsseckeylist_t * | keylist, | |
dns_rdataset_t * | rrsigs | |||
) | [static] |
Mark all keys which signed the DNSKEY/SOA RRsets as "active", for future reference.
Definition at line 1493 of file dnssec.c.
References DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_clone(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dst_key_alg(), dst_key_id(), dns_dnsseckey::is_active, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_NOMORE, ISC_R_SUCCESS, ISC_TRUE, dns_dnsseckey::key, key, REQUIRE, and RUNTIME_CHECK.
Referenced by dns_dnssec_keylistfromrdataset().
isc_result_t dns_dnssec_keylistfromrdataset | ( | dns_name_t * | origin, | |
const char * | directory, | |||
isc_mem_t * | mctx, | |||
dns_rdataset_t * | keyset, | |||
dns_rdataset_t * | keysigs, | |||
dns_rdataset_t * | soasigs, | |||
isc_boolean_t | savekeys, | |||
isc_boolean_t | publickey, | |||
dns_dnsseckeylist_t * | keylist | |||
) |
Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'. Omit duplicates. If 'publickey' is ISC_FALSE, search 'directory' for matching key files, and load the private keys that go with the public ones. If 'savekeys' is ISC_TRUE, mark the keys so they will not be deleted or inactivated regardless of metadata.
Definition at line 1541 of file dnssec.c.
References addkey(), dns_dnssec_keyfromrdata(), DNS_KEYFLAG_REVOKE, DNS_KEYTYPE_NOAUTH, dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DNSSEC, dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_clone(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dns_secalg_format(), DNS_SECALG_FORMATSIZE, dst_key_alg(), dst_key_flags(), dst_key_free(), dst_key_fromfile(), dst_key_getfilename(), dst_key_getttl(), dst_key_id(), dst_key_name(), dst_key_pubcompare(), dst_key_setflags(), dst_key_setttl(), DST_TYPE_PRIVATE, DST_TYPE_PUBLIC, is_zone_key, isc_buffer_init, ISC_DIR_NAMEMAX, ISC_FALSE, ISC_LOG_WARNING, isc_log_write(), ISC_R_FILENOTFOUND, ISC_R_NOMORE, ISC_R_NOPERM, ISC_R_SUCCESS, isc_result_totext(), mark_active_keys(), namebuf, REQUIRE, RETERR, and dns_rdataset::ttl.
Referenced by loadzonekeys().
static isc_result_t make_dnskey | ( | dst_key_t * | key, | |
unsigned char * | buf, | |||
int | bufsize, | |||
dns_rdata_t * | target | |||
) | [static] |
Definition at line 1691 of file dnssec.c.
References dns_rdata_fromregion(), dns_rdata_reset(), dst_key_class(), dst_key_todns(), isc_buffer_init, isc_buffer_usedregion, ISC_R_SUCCESS, and r.
Referenced by publish_key(), and remove_key().
static isc_result_t publish_key | ( | dns_diff_t * | diff, | |
dns_dnsseckey_t * | key, | |||
dns_name_t * | origin, | |||
dns_ttl_t | ttl, | |||
isc_mem_t * | mctx, | |||
isc_boolean_t | allzsk, | |||
void(*)(const char *,...) | report | |||
) | [static] |
Definition at line 1711 of file dnssec.c.
References dns_diff_appendminimal(), DNS_DIFFOP_ADD, dns_difftuple_create(), dns_keysource_user, DNS_RDATA_INIT, dns_rdata_reset(), dns_secalg_format(), dst_key_alg(), dst_key_format(), DST_KEY_FORMATSIZE, dst_key_id(), DST_KEY_MAXSIZE, dst_key_settime(), DST_TIME_ACTIVATE, ISC_R_SUCCESS, isc_stdtime_get(), dns_dnsseckey::key, keystr, dns_dnsseckey::ksk, make_dnskey(), now, dns_dnsseckey::prepublish, report(), RETERR, and dns_dnsseckey::source.
Referenced by dns_dnssec_updatekeys().
static isc_result_t remove_key | ( | dns_diff_t * | diff, | |
dns_dnsseckey_t * | key, | |||
dns_name_t * | origin, | |||
dns_ttl_t | ttl, | |||
isc_mem_t * | mctx, | |||
const char * | reason, | |||
void(*)(const char *,...) | report | |||
) | [static] |
Definition at line 1753 of file dnssec.c.
References dns_diff_appendminimal(), DNS_DIFFOP_DEL, dns_difftuple_create(), DNS_RDATA_INIT, dns_secalg_format(), dst_key_alg(), dst_key_id(), DST_KEY_MAXSIZE, ISC_R_SUCCESS, dns_dnsseckey::key, make_dnskey(), report(), and RETERR.
Referenced by dns_dnssec_updatekeys().
isc_result_t dns_dnssec_updatekeys | ( | dns_dnsseckeylist_t * | keys, | |
dns_dnsseckeylist_t * | newkeys, | |||
dns_dnsseckeylist_t * | removed, | |||
dns_name_t * | origin, | |||
dns_ttl_t | hint_ttl, | |||
dns_diff_t * | diff, | |||
isc_boolean_t | allzsk, | |||
isc_mem_t * | mctx, | |||
void(*)(const char *,...) | report | |||
) |
Update the list of keys in 'keys' with new key information in 'newkeys'.
For each key in 'newkeys', see if it has a match in 'keys'.
If 'allzsk' is true, we are allowing KSK-flagged keys to be used as ZSKs.
'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no existing RRset, and if none of the keys to be added has a default TTL (in which case we would use the shortest one). If the TTL is longer than the time until a new key will be activated, then we have to delay the key's activation.
'report' points to a function for reporting status.
On completion, any remaining keys in 'newkeys' are freed.
Definition at line 1784 of file dnssec.c.
References dns_dnsseckey_destroy(), DNS_KEYFLAG_REVOKE, dns_keysource_user, dns_keysource_zoneapex, dst_key_alg(), dst_key_flags(), dst_key_getttl(), dst_key_pubcompare(), dns_dnsseckey::first_sign, dns_dnsseckey::force_publish, dns_dnsseckey::force_sign, dns_dnsseckey::hint_publish, dns_dnsseckey::hint_remove, dns_dnsseckey::hint_sign, dns_dnsseckey::is_active, ISC_FALSE, ISC_LIST_APPEND, ISC_LIST_EMPTY, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_LIST_UNLINK, ISC_R_SUCCESS, ISC_TF, ISC_TRUE, dns_dnsseckey::key, dns_dnsseckey::ksk, publish_key(), r1, r2, remove_key(), report(), RETERR, and dns_dnsseckey::source.
Referenced by build_final_keylist().
LIBDNS_EXTERNAL_DATA isc_stats_t* dns_dnssec_stats |
Maximum number of keys supported in a zone.
Definition at line 49 of file dnssec.c.
Referenced by inc_stat().