dnssec.h File Reference

#include <isc/lang.h>
#include <isc/stdtime.h>
#include <isc/stats.h>
#include <dns/diff.h>
#include <dns/types.h>
#include <dst/dst.h>


Data Structures

struct  dns_dnsseckey

Defines

#define DNS_DNSSEC_H   1
#define DNS_MAXZONEKEYS   32

Enumerations

enum  dns_keysource_t { dns_keysource_unknown, dns_keysource_repository, dns_keysource_zoneapex, dns_keysource_user }

Functions

isc_result_t dns_dnssec_keyfromrdata (dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx, dst_key_t **key)
 Creates a DST key from a DNS record. Basically a wrapper around dst_key_fromdns().
isc_result_t dns_dnssec_sign (dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_stdtime_t *inception, isc_stdtime_t *expire, isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
 Generates a RRSIG record covering this rdataset. This has no effect on existing RRSIG records.
isc_result_t dns_dnssec_verify (dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata)
isc_result_t dns_dnssec_verify2 (dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild)
isc_result_t dns_dnssec_verify3 (dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_boolean_t ignoretime, unsigned int maxbits, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild)
 Verifies the RRSIG record in 'sigrdata' covering the rdataset 'set', using the specific key 'key'. A successful return proves only that the signature was produced with that key: it does not establish that the key's owner is authorized to sign this record or that the key chains to a trust anchor — that requires a resolver or database and remains the caller's responsibility. If 'ignoretime' is ISC_TRUE, the inception/expiration window is not checked (otherwise DNS_R_SIGEXPIRED or DNS_R_SIGFUTURE may be returned), so that setting is suited to offline checks of zone data rather than validation of answers.
isc_boolean_t dns_dnssec_keyactive (dst_key_t *key, isc_stdtime_t now)
 Returns ISC_TRUE if 'key' is active at time 'now': its activation time has passed, neither its inactivation nor its deletion time has been reached, and it has not been revoked. A legacy key file that carries no timing metadata is treated as always active. Otherwise returns ISC_FALSE.
isc_result_t dns_dnssec_signmessage (dns_message_t *msg, dst_key_t *key)
 Signs a message with a SIG(0) record. This is implicitly called by dns_message_renderend() if msg->sig0key is not NULL.
isc_result_t dns_dnssec_verifymessage (isc_buffer_t *source, dns_message_t *msg, dst_key_t *key)
 Verifies a message signed by a SIG(0) record. dns_message_parse() does NOT call this implicitly: a parsed message carrying a SIG(0) is unverified until the caller invokes dns_dnssec_verifymessage() explicitly (dns_message_checksig() does so), and dns_message_signer() returns DNS_R_NOTVERIFIEDYET until then. On success the message's verified-signature flag is set; on failure the 'sig0status' field is set and an error result is returned.
isc_boolean_t dns_dnssec_selfsigns (dns_rdata_t *rdata, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_boolean_t ignoretime, isc_mem_t *mctx)
 Does this key ('rdata') self sign the rrset ('rdataset')?
isc_boolean_t dns_dnssec_signs (dns_rdata_t *rdata, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_boolean_t ignoretime, isc_mem_t *mctx)
 Verify that 'rdataset' is validly signed in 'sigrdataset' by the key in 'rdata'.
isc_result_t dns_dnsseckey_create (isc_mem_t *mctx, dst_key_t **dstkey, dns_dnsseckey_t **dkp)
 Create and initialize a dns_dnsseckey_t structure.
void dns_dnsseckey_destroy (isc_mem_t *mctx, dns_dnsseckey_t **dkp)
 Reclaim a dns_dnsseckey_t structure.
isc_result_t dns_dnssec_findmatchingkeys (dns_name_t *origin, const char *directory, isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
 Search 'directory' for K* key files matching the name in 'origin'. Append all such keys, along with use hints gleaned from their metadata, onto 'keylist'.
isc_result_t dns_dnssec_keylistfromrdataset (dns_name_t *origin, const char *directory, isc_mem_t *mctx, dns_rdataset_t *keyset, dns_rdataset_t *keysigs, dns_rdataset_t *soasigs, isc_boolean_t savekeys, isc_boolean_t publickey, dns_dnsseckeylist_t *keylist)
 Append the contents of a DNSKEY rdataset 'keyset' to 'keylist', omitting duplicates. If 'publickey' is ISC_FALSE, 'directory' is searched for key files matching each public key and the corresponding private keys are loaded from disk, so 'directory' must be a trusted, access-controlled location (whoever can write there can substitute signing keys). If 'savekeys' is ISC_TRUE, the keys are marked so they will not be deleted or inactivated regardless of their metadata.
isc_result_t dns_dnssec_updatekeys (dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, dns_dnsseckeylist_t *removed, dns_name_t *origin, dns_ttl_t hint_ttl, dns_diff_t *diff, isc_boolean_t allzsk, isc_mem_t *mctx, void(*report)(const char *,...))
 Update the list of keys in 'keys' with new key information in 'newkeys'.
isc_result_t dns_dnssec_findzonekeys (dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys)
isc_result_t dns_dnssec_findzonekeys2 (dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, const char *directory, isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys)
 Finds a set of zone keys. XXX temporary - this should be handled in dns_zone_t.

Variables

ISC_LANG_BEGINDECLS
LIBDNS_EXTERNAL_DATA
isc_stats_t
dns_dnssec_stats
 DNSSEC statistics counters, incremented via inc_stat() (the dns_dnssecstats_* counters updated by dns_dnssec_verify3()). Note: the text "Maximum number of keys supported in a zone" that Doxygen attached to this variable actually describes DNS_MAXZONEKEYS.


Detailed Description

Definition in file dnssec.h.


Define Documentation

#define DNS_DNSSEC_H   1

Definition at line 21 of file dnssec.h.

#define DNS_MAXZONEKEYS   32

Definition at line 39 of file dnssec.h.

Referenced by dns_update_signaturesinc(), zone_nsec3chain(), zone_resigninc(), and zone_sign().


Enumeration Type Documentation

enum dns_keysource_t

Enumerator:
dns_keysource_unknown — initial value assigned by dns_dnsseckey_create().
dns_keysource_repository — key was loaded from a key file in the key directory (assigned by dns_dnssec_findmatchingkeys()).
dns_keysource_zoneapex — key presumably taken from the zone's DNSKEY RRset at the apex (used by dns_dnssec_updatekeys(); reading based on the name).
dns_keysource_user — key presumably supplied explicitly by the user (used by dns_dnssec_updatekeys(); reading based on the name).

Definition at line 45 of file dnssec.h.


Function Documentation

isc_result_t dns_dnssec_keyfromrdata ( dns_name_t name,
dns_rdata_t rdata,
isc_mem_t mctx,
dst_key_t **  key 
)

Creates a DST key from a DNS record. Basically a wrapper around dst_key_fromdns().

Requires:

Returns:

Definition at line 141 of file dnssec.c.

References isc_region::base, dns_rdata_toregion(), dst_key_fromdns(), INSIST, isc_buffer_add, isc_buffer_init, isc_region::length, r, dns_rdata::rdclass, REQUIRE, and dns_rdata::type.

Referenced by checkkey(), compute_tag(), dns_dnssec_findzonekeys2(), dns_dnssec_keylistfromrdataset(), dns_dnssec_signs(), dns_tkey_processdhresponse(), dns_view_untrust(), goodsig(), isselfsigned(), process_dhtkey(), revocable(), and trust_key().

isc_result_t dns_dnssec_sign ( dns_name_t name,
dns_rdataset_t set,
dst_key_t key,
isc_stdtime_t inception,
isc_stdtime_t expire,
isc_mem_t mctx,
isc_buffer_t buffer,
dns_rdata_t sigrdata 
)

Generates a RRSIG record covering this rdataset. This has no effect on existing RRSIG records.

Requires:

Returns:

Definition at line 190 of file dnssec.c.

References isc_region::base, databuf, digest_callback(), digest_sig(), dns_fixedname_init, dns_fixedname_name, DNS_KEYFLAG_OWNERMASK, DNS_KEYOWNER_ZONE, DNS_KEYTYPE_NOAUTH, DNS_LOGCATEGORY_DNSSEC, dns_name_clone(), dns_name_countlabels(), dns_name_downcase(), dns_name_init(), dns_name_iswildcard(), dns_name_toregion(), DNS_R_INVALIDTIME, DNS_R_KEYUNAUTHORIZED, dns_rdata_compare(), dns_rdata_digest(), dns_rdata_fromstruct(), dns_rdata_init(), dst_context_adddata(), dst_context_create3(), dst_context_destroy(), dst_context_sign(), dst_key_alg(), dst_key_flags(), dst_key_id(), dst_key_name(), dst_key_sigsize(), INSIST, isc_buffer_add, isc_buffer_allocate(), isc_buffer_free(), isc_buffer_init, isc_buffer_putuint16, isc_buffer_putuint32, isc_buffer_usedregion, ISC_FALSE, ISC_LINK_INIT, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_NOSPACE, ISC_R_SUCCESS, ISC_TRUE, isc_region::length, r, rdataset_to_sortedarray(), dns_rdata::rdclass, REQUIRE, RUNTIME_CHECK, and set().

Referenced by add_sigs(), sign_a_node(), and signwithkey().

isc_result_t dns_dnssec_verify ( dns_name_t name,
dns_rdataset_t set,
dst_key_t key,
isc_boolean_t  ignoretime,
isc_mem_t mctx,
dns_rdata_t sigrdata 
)

Definition at line 598 of file dnssec.c.

References dns_dnssec_verify2(), DNS_R_FROMWILDCARD, and ISC_R_SUCCESS.

Referenced by goodsig(), setverifies(), and signwithkey().

isc_result_t dns_dnssec_verify2 ( dns_name_t name,
dns_rdataset_t set,
dst_key_t key,
isc_boolean_t  ignoretime,
isc_mem_t mctx,
dns_rdata_t sigrdata,
dns_name_t wild 
)

Definition at line 370 of file dnssec.c.

References dns_dnssec_verify3().

Referenced by dns_dnssec_signs(), dns_dnssec_verify(), keyfetch_done(), and revocable().

isc_result_t dns_dnssec_verify3 ( dns_name_t name,
dns_rdataset_t set,
dst_key_t key,
isc_boolean_t  ignoretime,
unsigned int  maxbits,
isc_mem_t mctx,
dns_rdata_t sigrdata,
dns_name_t wild 
)

Verifies the RRSIG record in 'sigrdata' covering the rdataset 'set', using the specific key 'key'. A successful return proves only that the signature was produced with that key: it does not establish that the key's owner is authorized to sign this record or that the key chains to a trust anchor — that requires a resolver or database and remains the caller's responsibility. If 'ignoretime' is ISC_TRUE, temporal validity (inception/expiration) is not checked; otherwise DNS_R_SIGEXPIRED or DNS_R_SIGFUTURE is returned for a signature outside its validity window. A signature that fails cryptographically yields DNS_R_SIGINVALID (DST_R_VERIFYFAILURE from the DST layer), and a key that is not a zone key (DNS_KEYOWNER_ZONE / not DNS_KEYTYPE_NOAUTH) yields DNS_R_KEYUNAUTHORIZED. Wildcard-expanded answers are reported via DNS_R_FROMWILDCARD with the wildcard owner name written to 'wild'.

'maxbits' caps the number of bits in the RSA public exponent that will be accepted; a key whose exponent exceeds it is rejected rather than used for verification (presumably to bound the work an attacker-supplied key can impose on the verifier).

Requires:

Returns:

Definition at line 379 of file dnssec.c.

References isc_region::base, digest_callback(), digest_sig(), dns_dnssecstats_asis, dns_dnssecstats_downcase, dns_dnssecstats_fail, dns_dnssecstats_wildcard, dns_fixedname_init, dns_fixedname_name, DNS_KEYFLAG_OWNERMASK, DNS_KEYOWNER_ZONE, DNS_KEYTYPE_NOAUTH, dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC, dns_name_concatenate(), dns_name_countlabels(), dns_name_downcase(), dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_issubdomain(), dns_name_split(), dns_name_toregion(), DNS_R_FROMWILDCARD, DNS_R_KEYUNAUTHORIZED, DNS_R_SIGEXPIRED, DNS_R_SIGFUTURE, DNS_R_SIGINVALID, dns_rdata_compare(), dns_rdata_digest(), dns_rdata_freestruct(), dns_rdata_tostruct(), dns_wildcardname, dst_context_adddata(), dst_context_create4(), dst_context_destroy(), dst_context_verify2(), dst_key_flags(), DST_R_VERIFYFAILURE, inc_stat(), INSIST, isc_buffer_add, isc_buffer_init, isc_buffer_putuint16, isc_buffer_putuint32, isc_buffer_putuint8, isc_buffer_usedregion, ISC_FALSE, ISC_LOG_DEBUG, isc_log_write(), isc_mem_put, ISC_R_SUCCESS, isc_serial_lt(), isc_stdtime_get(), ISC_TRUE, isc_region::length, namebuf, now, r, rdataset_to_sortedarray(), REQUIRE, RUNTIME_CHECK, set(), and dns_rdata::type.

Referenced by dns_dnssec_verify2(), isselfsigned(), and verify().

isc_result_t dns_dnssec_findzonekeys ( dns_db_t db,
dns_dbversion_t ver,
dns_dbnode_t node,
dns_name_t name,
isc_mem_t mctx,
unsigned int  maxkeys,
dst_key_t **  keys,
unsigned int *  nkeys 
)

Definition at line 831 of file dnssec.c.

References dns_dnssec_findzonekeys2().

isc_result_t dns_dnssec_findzonekeys2 ( dns_db_t db,
dns_dbversion_t ver,
dns_dbnode_t node,
dns_name_t name,
const char *  directory,
isc_mem_t mctx,
unsigned int  maxkeys,
dst_key_t **  keys,
unsigned int *  nkeys 
)

Finds a set of zone keys. XXX temporary - this should be handled in dns_zone_t.

Definition at line 667 of file dnssec.c.

References dns_db_findrdataset(), dns_dnssec_keyactive(), dns_dnssec_keyfromrdata(), DNS_KEYFLAG_REVOKE, DNS_KEYTYPE_NOAUTH, dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DNSSEC, dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dns_secalg_format(), DNS_SECALG_FORMATSIZE, dst_key_alg(), dst_key_flags(), dst_key_free(), dst_key_fromfile(), dst_key_getfilename(), dst_key_id(), dst_key_name(), dst_key_pubcompare(), dst_key_setflags(), dst_key_setinactive(), dst_key_setttl(), DST_TYPE_PRIVATE, DST_TYPE_PUBLIC, is_zone_key, isc_buffer_init, ISC_DIR_NAMEMAX, ISC_FALSE, ISC_LOG_WARNING, isc_log_write(), ISC_R_FILENOTFOUND, ISC_R_NOMORE, ISC_R_NOPERM, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_result_totext(), isc_stdtime_get(), ISC_TRUE, namebuf, now, REQUIRE, RETERR, and dns_rdataset::ttl.

Referenced by dns_dnssec_findzonekeys(), and find_zone_keys().

isc_boolean_t dns_dnssec_keyactive ( dst_key_t key,
isc_stdtime_t  now 
)

Returns ISC_TRUE if 'key' is active at time 'now': its activation time (DST_TIME_ACTIVATE) has passed, neither its inactivation (DST_TIME_INACTIVE) nor its deletion (DST_TIME_DELETE) time has been reached, and it has not been revoked (DST_TIME_REVOKE). A legacy key file that carries no timing metadata is treated as always active. Otherwise returns ISC_FALSE.

Requires:

Definition at line 612 of file dnssec.c.

References dst_key_getprivateformat(), dst_key_gettime(), DST_TIME_ACTIVATE, DST_TIME_DELETE, DST_TIME_INACTIVE, DST_TIME_PUBLISH, DST_TIME_REVOKE, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, and RUNTIME_CHECK.

Referenced by dns_dnssec_findzonekeys2(), and signset().

isc_result_t dns_dnssec_signmessage ( dns_message_t msg,
dst_key_t key 
)

Signs a message with a SIG(0) record. This is implicitly called by dns_message_renderend() if msg->sig0key is not NULL.

Requires:

Returns:

Definition at line 841 of file dnssec.c.

References isc_region::base, dns_message::buffer, databuf, DNS_LOGCATEGORY_DNSSEC, dns_message_gettemprdata(), dns_message_gettemprdatalist(), dns_message_gettemprdataset(), DNS_MESSAGE_HEADERLEN, dns_message_renderheader(), dns_message_takebuffer(), dns_name_clone(), dns_name_init(), dns_rdata_fromstruct(), dns_rdatalist_tordataset(), dns_rdataset_init(), DNS_TSIG_FUDGE, dst_context_adddata(), dst_context_create3(), dst_context_destroy(), dst_context_sign(), dst_key_alg(), dst_key_id(), dst_key_name(), dst_key_sigsize(), header, is_response, isc_buffer_allocate(), isc_buffer_free(), isc_buffer_init, isc_buffer_usedregion, ISC_FALSE, ISC_LINK_INIT, ISC_LIST_APPEND, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, isc_region_consume, isc_stdtime_get(), ISC_TRUE, dns_message::mctx, mctx, now, dns_message::query, r, dns_rdatalist::rdclass, REQUIRE, RETERR, RUNTIME_CHECK, dns_message::sig0, and dns_rdatalist::type.

Referenced by dns_message_renderend().

isc_result_t dns_dnssec_verifymessage ( isc_buffer_t source,
dns_message_t msg,
dst_key_t key 
)

Verifies a message signed by a SIG(0) record. dns_message_parse() does NOT call this implicitly: a parsed message carrying a SIG(0) is unverified until the caller invokes dns_dnssec_verifymessage() explicitly (dns_message_checksig() does so), and dns_message_signer() returns DNS_R_NOTVERIFIEDYET until then. On success the message's verified-signature flag is set (the cross-references below list the fields touched as dns_message::verified_sig and dns_message::verify_attempted; no 'verified_sig0' field appears there). On failure 'sig0status' is set to the matching TSIG-style error (dns_tsigerror_badkey, dns_tsigerror_badsig or dns_tsigerror_badtime) and a result such as DNS_R_SIGEXPIRED, DNS_R_SIGFUTURE or DNS_R_SIGINVALID is returned.

Requires:

Returns:

Definition at line 976 of file dnssec.c.

References isc_region::base, DNS_LOGCATEGORY_DNSSEC, DNS_MESSAGE_HEADERLEN, dns_name_equal(), DNS_R_SIGEXPIRED, DNS_R_SIGFUTURE, DNS_R_SIGINVALID, DNS_R_UNEXPECTEDTSIG, dns_rdata_freestruct(), DNS_RDATA_INIT, dns_rdata_toregion(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_tsigerror_badkey, dns_tsigerror_badsig, dns_tsigerror_badtime, dst_context_adddata(), dst_context_create3(), dst_context_destroy(), dst_context_verify(), dst_key_name(), header, is_response, isc_buffer_usedregion, ISC_FALSE, ISC_R_SUCCESS, isc_serial_lt(), isc_stdtime_get(), ISC_TRUE, isc_region::length, dns_message::mctx, mctx, now, dns_message::query, r, REQUIRE, RETERR, dns_message::sig0, dns_message::sig0status, dns_message::sigstart, dns_message::verified_sig, and dns_message::verify_attempted.

Referenced by dns_message_checksig().

isc_boolean_t dns_dnssec_selfsigns ( dns_rdata_t rdata,
dns_name_t name,
dns_rdataset_t rdataset,
dns_rdataset_t sigrdataset,
isc_boolean_t  ignoretime,
isc_mem_t mctx 
)

Does this key ('rdata') self sign the rrset ('rdataset')?

Definition at line 1111 of file dnssec.c.

References dns_rdataset::covers, dns_dnssec_signs(), INSIST, and dns_rdataset::type.

Referenced by verifyzone().

isc_boolean_t dns_dnssec_signs ( dns_rdata_t rdata,
dns_name_t name,
dns_rdataset_t rdataset,
dns_rdataset_t sigrdataset,
isc_boolean_t  ignoretime,
isc_mem_t mctx 
)

Verify that 'rdataset' is validly signed in 'sigrdataset' by the key in 'rdata'.

dns_dnssec_selfsigns() requires that rdataset be a DNSKEY or KEY rrset. dns_dnssec_signs() works on any rrset.

Definition at line 1131 of file dnssec.c.

References dns_rdataset::covers, dns_dnssec_keyfromrdata(), dns_dnssec_verify2(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), dst_key_free(), dst_key_id(), INSIST, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, key, RUNTIME_CHECK, and dns_rdataset::type.

Referenced by dns_dnssec_selfsigns(), and verifyzone().

isc_result_t dns_dnsseckey_create ( isc_mem_t mctx,
dst_key_t **  dstkey,
dns_dnsseckey_t **  dkp 
)

Create and initialize a dns_dnsseckey_t structure.

Requires:

Returns:

Definition at line 1178 of file dnssec.c.

References DNS_KEYFLAG_KSK, dns_keysource_unknown, dst_key_flags(), dst_key_getprivateformat(), dns_dnsseckey::first_sign, dns_dnsseckey::force_publish, dns_dnsseckey::force_sign, dns_dnsseckey::hint_publish, dns_dnsseckey::hint_remove, dns_dnsseckey::hint_sign, dns_dnsseckey::index, INSIST, dns_dnsseckey::is_active, ISC_FALSE, ISC_LINK_INIT, isc_mem_get, ISC_R_NOMEMORY, ISC_R_SUCCESS, ISC_TF, dns_dnsseckey::key, dns_dnsseckey::ksk, dns_dnsseckey::legacy, dns_dnsseckey::prepublish, REQUIRE, and dns_dnsseckey::source.

Referenced by addkey(), dns_dnssec_findmatchingkeys(), keythatsigned(), and loadexplicitkeys().

void dns_dnsseckey_destroy ( isc_mem_t mctx,
dns_dnsseckey_t **  dkp 
)

Reclaim a dns_dnsseckey_t structure.

Requires:

Ensures:

Definition at line 1219 of file dnssec.c.

References dst_key_free(), isc_mem_put, dns_dnsseckey::key, and REQUIRE.

Referenced by dns_dnssec_findmatchingkeys(), dns_dnssec_updatekeys(), key_collision(), and main().

isc_result_t dns_dnssec_findmatchingkeys ( dns_name_t origin,
const char *  directory,
isc_mem_t mctx,
dns_dnsseckeylist_t *  keylist 
)

Search 'directory' for K* key files matching the name in 'origin'. Append all such keys, along with use hints gleaned from their metadata, onto 'keylist'.

Requires:

Returns:

Ensures:

Definition at line 1327 of file dnssec.c.

References dns_dnsseckey_create(), dns_dnsseckey_destroy(), dns_keysource_repository, dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DNSSEC, DNS_NAME_FORMATSIZE, dns_name_tofilenametext(), dst_key_free(), dst_key_fromnamedfile(), DST_TYPE_PRIVATE, DST_TYPE_PUBLIC, isc_dir::entry, get_hints(), INSIST, isc_buffer_init, isc_buffer_usedlength, isc_dir_close(), isc_dir_init(), isc_dir_open(), isc_dir_read(), ISC_FALSE, ISC_LIST_APPEND, ISC_LIST_APPENDLIST, ISC_LIST_EMPTY, ISC_LIST_HEAD, ISC_LIST_INIT, ISC_LIST_UNLINK, ISC_LOG_WARNING, isc_log_write(), ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_result_totext(), isc_stdtime_get(), ISC_TRUE, dns_dnsseckey::key, key, dns_dnsseckey::legacy, isc_direntry::length, isc_direntry::name, namebuf, now, REQUIRE, RETERR, and dns_dnsseckey::source.

Referenced by build_final_keylist(), and key_collision().

isc_result_t dns_dnssec_keylistfromrdataset ( dns_name_t origin,
const char *  directory,
isc_mem_t mctx,
dns_rdataset_t keyset,
dns_rdataset_t keysigs,
dns_rdataset_t soasigs,
isc_boolean_t  savekeys,
isc_boolean_t  publickey,
dns_dnsseckeylist_t *  keylist 
)

Append the contents of a DNSKEY rdataset 'keyset' to 'keylist', omitting duplicates. If 'publickey' is ISC_FALSE, 'directory' is searched for key files matching each public key and the corresponding private keys are loaded from disk (dst_key_fromfile() with DST_TYPE_PRIVATE), so 'directory' must be a trusted, access-controlled location: anyone able to write there can substitute the signing keys this function loads. If 'savekeys' is ISC_TRUE, the keys are marked so they will not be deleted or inactivated regardless of their metadata.

'keysigs' and 'soasigs', if not NULL and associated, contain the RRSIGS for the DNSKEY and SOA records respectively and are used to mark whether a key is already active in the zone.

Definition at line 1541 of file dnssec.c.

References addkey(), dns_dnssec_keyfromrdata(), DNS_KEYFLAG_REVOKE, DNS_KEYTYPE_NOAUTH, dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DNSSEC, dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_clone(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dns_secalg_format(), DNS_SECALG_FORMATSIZE, dst_key_alg(), dst_key_flags(), dst_key_free(), dst_key_fromfile(), dst_key_getfilename(), dst_key_getttl(), dst_key_id(), dst_key_name(), dst_key_pubcompare(), dst_key_setflags(), dst_key_setttl(), DST_TYPE_PRIVATE, DST_TYPE_PUBLIC, is_zone_key, isc_buffer_init, ISC_DIR_NAMEMAX, ISC_FALSE, ISC_LOG_WARNING, isc_log_write(), ISC_R_FILENOTFOUND, ISC_R_NOMORE, ISC_R_NOPERM, ISC_R_SUCCESS, isc_result_totext(), mark_active_keys(), namebuf, REQUIRE, RETERR, and dns_rdataset::ttl.

Referenced by loadzonekeys().

isc_result_t dns_dnssec_updatekeys ( dns_dnsseckeylist_t *  keys,
dns_dnsseckeylist_t *  newkeys,
dns_dnsseckeylist_t *  removed,
dns_name_t origin,
dns_ttl_t  hint_ttl,
dns_diff_t diff,
isc_boolean_t  allzsk,
isc_mem_t mctx,
void(*)(const char *,...)  report 
)

Update the list of keys in 'keys' with new key information in 'newkeys'.

For each key in 'newkeys', see if it has a match in 'keys'.

If 'allzsk' is true, we are allowing KSK-flagged keys to be used as ZSKs.

'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no existing RRset, and if none of the keys to be added has a default TTL (in which case we would use the shortest one). If the TTL is longer than the time until a new key will be activated, then we have to delay the key's activation.

'report' points to a function for reporting status.

On completion, any remaining keys in 'newkeys' are freed.

Definition at line 1784 of file dnssec.c.

References dns_dnsseckey_destroy(), DNS_KEYFLAG_REVOKE, dns_keysource_user, dns_keysource_zoneapex, dst_key_alg(), dst_key_flags(), dst_key_getttl(), dst_key_pubcompare(), dns_dnsseckey::first_sign, dns_dnsseckey::force_publish, dns_dnsseckey::force_sign, dns_dnsseckey::hint_publish, dns_dnsseckey::hint_remove, dns_dnsseckey::hint_sign, dns_dnsseckey::is_active, ISC_FALSE, ISC_LIST_APPEND, ISC_LIST_EMPTY, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_LIST_UNLINK, ISC_R_SUCCESS, ISC_TF, ISC_TRUE, dns_dnsseckey::key, dns_dnsseckey::ksk, publish_key(), r1, r2, remove_key(), report(), RETERR, and dns_dnsseckey::source.

Referenced by build_final_keylist().


Variable Documentation

ISC_LANG_BEGINDECLS LIBDNS_EXTERNAL_DATA isc_stats_t* dns_dnssec_stats

DNSSEC statistics counters, incremented via inc_stat() (the dns_dnssecstats_asis / dns_dnssecstats_downcase / dns_dnssecstats_wildcard / dns_dnssecstats_fail counters updated by dns_dnssec_verify3()). Note: the text "Maximum number of keys supported in a zone" that Doxygen attached to this variable actually describes DNS_MAXZONEKEYS (defined at line 39 of dnssec.h).

Definition at line 49 of file dnssec.c.

Referenced by inc_stat().


Generated on Tue Apr 28 17:41:09 2015 by Doxygen 1.5.4 for BIND9 Internals 9.11.0pre-alpha