diff options
Diffstat (limited to 'contrib/bind9/bin/dnssec/dnssec-signzone.c')
| -rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.c | 1094 |
1 files changed, 896 insertions, 198 deletions
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c index 9b49169..1da280f 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.c +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c @@ -1,6 +1,19 @@ /* - * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE + * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * * Permission to use, copy, modify, and/or distribute this software for any @@ -16,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.177.18.26 2008/06/02 23:46:01 tbox Exp $ */ +/* $Id: dnssec-signzone.c,v 1.209.12.3 2009/01/18 23:25:15 marka Exp $ */ /*! \file */ @@ -26,11 +39,13 @@ #include <time.h> #include <isc/app.h> +#include <isc/base32.h> #include <isc/commandline.h> #include <isc/entropy.h> #include <isc/event.h> #include <isc/file.h> #include <isc/hash.h> +#include <isc/hex.h> #include <isc/mem.h> #include <isc/mutex.h> #include <isc/os.h> @@ -38,10 +53,11 @@ #include <isc/random.h> #include <isc/serial.h> #include <isc/stdio.h> +#include <isc/stdlib.h> #include <isc/string.h> #include <isc/task.h> -#include <isc/util.h> #include <isc/time.h> +#include <isc/util.h> #include <dns/db.h> #include <dns/dbiterator.h> @@ -54,7 +70,9 @@ #include <dns/master.h> #include <dns/masterdump.h> #include <dns/nsec.h> +#include <dns/nsec3.h> #include <dns/rdata.h> +#include <dns/rdatalist.h> #include <dns/rdataset.h> #include <dns/rdataclass.h> #include <dns/rdatasetiter.h> @@ -71,6 +89,13 @@ const char *program = "dnssec-signzone"; int verbose; +typedef struct hashlist hashlist_t; + +static int nsec_datatype = dns_rdatatype_nsec; + +#define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3) +#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0) + #define BUFSIZE 2048 #define MAXDSKEYS 8 @@ -125,6 +150,7 @@ static dns_dbversion_t *gversion; /* The database version */ static dns_dbiterator_t *gdbiter; /* The database iterator */ static dns_rdataclass_t gclass; /* The class */ static dns_name_t *gorigin; /* The database origin */ +static int nsec3flags = 0; static isc_task_t *master = NULL; static unsigned int ntasks = 0; static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE; @@ -136,6 +162,8 @@ static dns_name_t *dlv = NULL; static dns_fixedname_t dlv_fixed; static dns_master_style_t *dsstyle = NULL; static unsigned int serialformat = SOA_SERIAL_KEEP; +static unsigned int hash_length = 0; +static isc_boolean_t unknownalg = ISC_FALSE; #define INCSTAT(counter) \ if (printstats) { \ @@ -147,19 +175,8 @@ static unsigned int serialformat = SOA_SERIAL_KEEP; static void sign(isc_task_t *task, isc_event_t *event); - -static inline void -set_bit(unsigned char *array, unsigned int index, unsigned int bit) { - unsigned int shift, mask; - - shift = 7 - (index % 8); - mask = 1 << shift; - - if (bit != 0) - array[index / 8] |= mask; - else - array[index / 8] &= (~mask & 0xFF); -} +static isc_boolean_t +nsec3only(dns_dbnode_t *node); static void dumpnode(dns_name_t *name, dns_dbnode_t *node) { @@ -549,6 +566,169 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t)); } +struct hashlist { + unsigned char *hashbuf; + size_t entries; + size_t size; + size_t length; +}; + +static void +hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) { + + l->entries = 0; + l->length = length + 1; + + if (nodes != 0) { + l->size = nodes; + l->hashbuf = malloc(l->size * l->length); + if (l->hashbuf == NULL) + l->size = 0; + } else { + l->size = 0; + l->hashbuf = NULL; + } +} + +static void +hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len) +{ + + REQUIRE(len <= l->length); + + if (l->entries == l->size) { + l->size = l->size * 2 + 100; + l->hashbuf = realloc(l->hashbuf, l->size * l->length); + } + memset(l->hashbuf + l->entries * l->length, 0, l->length); + memcpy(l->hashbuf + l->entries * l->length, hash, len); + l->entries++; +} + +static void +hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, + unsigned int hashalg, unsigned int iterations, + const unsigned char *salt, size_t salt_length, + isc_boolean_t speculative) +{ + char nametext[DNS_NAME_FORMATSIZE]; + unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1]; + unsigned int len; + size_t i; + + len = isc_iterated_hash(hash, hashalg, iterations, salt, salt_length, + name->ndata, name->length); + if (verbose) { + dns_name_format(name, nametext, sizeof nametext); + for (i = 0 ; i < len; i++) + fprintf(stderr, "%02x", hash[i]); + fprintf(stderr, " %s\n", nametext); + } + hash[len++] = speculative ? 1 : 0; + hashlist_add(l, hash, len); +} + +static int +hashlist_comp(const void *a, const void *b) { + return (memcmp(a, b, hash_length + 1)); +} + +static void +hashlist_sort(hashlist_t *l) { + qsort(l->hashbuf, l->entries, l->length, hashlist_comp); +} + +static isc_boolean_t +hashlist_hasdup(hashlist_t *l) { + unsigned char *current; + unsigned char *next = l->hashbuf; + size_t entries = l->entries; + + /* + * Skip initial speculative wild card hashs. + */ + while (entries > 0U && next[l->length-1] != 0U) { + next += l->length; + entries--; + } + + current = next; + while (entries-- > 1U) { + next += l->length; + if (next[l->length-1] != 0) + continue; + if (memcmp(current, next, l->length - 1) == 0) + return (ISC_TRUE); + current = next; + } + return (ISC_FALSE); +} + +static const unsigned char * +hashlist_findnext(const hashlist_t *l, + const unsigned char hash[NSEC3_MAX_HASH_LENGTH]) +{ + unsigned int entries = l->entries; + const unsigned char *next = bsearch(hash, l->hashbuf, l->entries, + l->length, hashlist_comp); + INSIST(next != NULL); + + do { + if (next < l->hashbuf + (l->entries - 1) * l->length) + next += l->length; + else + next = l->hashbuf; + if (next[l->length - 1] == 0) + break; + } while (entries-- > 1); + INSIST(entries != 0); + return (next); +} + +static isc_boolean_t +hashlist_exists(const hashlist_t *l, + const unsigned char hash[NSEC3_MAX_HASH_LENGTH]) +{ + if (bsearch(hash, l->hashbuf, l->entries, l->length, hashlist_comp)) + return (ISC_TRUE); + else + return (ISC_FALSE); +} + +static void +addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name, + unsigned int hashalg, unsigned int iterations, + const unsigned char *salt, size_t salt_length) +{ + dns_fixedname_t fixed; + dns_name_t *wild; + dns_dbnode_t *node = NULL; + isc_result_t result; + char namestr[DNS_NAME_FORMATSIZE]; + + dns_fixedname_init(&fixed); + wild = dns_fixedname_name(&fixed); + + result = dns_name_concatenate(dns_wildcardname, name, wild, NULL); + if (result == ISC_R_NOSPACE) + return; + check_result(result,"addnowildcardhash: dns_name_concatenate()"); + + result = dns_db_findnode(gdb, wild, ISC_FALSE, &node); + if (result == ISC_R_SUCCESS) { + dns_db_detachnode(gdb, &node); + return; + } + + if (verbose) { + dns_name_format(wild, namestr, sizeof(namestr)); + fprintf(stderr, "adding no-wildcardhash for %s\n", namestr); + } + + hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_length, + ISC_TRUE); +} + static void opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, dns_db_t **dbp) @@ -665,91 +845,6 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { } static isc_boolean_t -nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type, - unsigned int val) -{ - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_nsec_t nsec; - unsigned int newlen; - unsigned char bitmap[8192 + 512]; - unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE]; - isc_boolean_t answer = ISC_FALSE; - unsigned int i, len, window; - int octet; - - result = dns_rdataset_first(rdataset); - check_result(result, "dns_rdataset_first()"); - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &nsec, NULL); - check_result(result, "dns_rdata_tostruct"); - - INSIST(nsec.len <= sizeof(bitmap)); - - newlen = 0; - - memset(bitmap, 0, sizeof(bitmap)); - for (i = 0; i < nsec.len; i += len) { - INSIST(i + 2 <= nsec.len); - window = nsec.typebits[i]; - len = nsec.typebits[i+1]; - i += 2; - INSIST(len > 0 && len <= 32); - INSIST(i + len <= nsec.len); - memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len); - } - set_bit(bitmap + 512, type, val); - for (window = 0; window < 256; window++) { - for (octet = 31; octet >= 0; octet--) - if (bitmap[window * 32 + 512 + octet] != 0) - break; - if (octet < 0) - continue; - bitmap[newlen] = window; - bitmap[newlen + 1] = octet + 1; - newlen += 2; - /* - * Overlapping move. - */ - memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1); - newlen += octet + 1; - } - if (newlen != nsec.len || - memcmp(nsec.typebits, bitmap, newlen) != 0) { - dns_rdata_t newrdata = DNS_RDATA_INIT; - isc_buffer_t b; - dns_diff_t diff; - dns_difftuple_t *tuple = NULL; - - dns_diff_init(mctx, &diff); - result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name, - rdataset->ttl, &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - - nsec.typebits = bitmap; - nsec.len = newlen; - isc_buffer_init(&b, nsecdata, sizeof(nsecdata)); - result = dns_rdata_fromstruct(&newrdata, rdata.rdclass, - dns_rdatatype_nsec, &nsec, - &b); - check_result(result, "dns_rdata_fromstruct"); - - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - name, rdataset->ttl, - &newrdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - result = dns_diff_apply(&diff, gdb, gversion); - check_result(result, "dns_difftuple_apply"); - dns_diff_clear(&diff); - answer = ISC_TRUE; - } - dns_rdata_freestruct(&nsec); - return (answer); -} - -static isc_boolean_t delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) { dns_rdataset_t nsset; isc_result_t result; @@ -769,10 +864,25 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) { return (ISC_TF(result == ISC_R_SUCCESS)); } +static isc_boolean_t +secure(dns_name_t *name, dns_dbnode_t *node) { + dns_rdataset_t dsset; + isc_result_t result; + + if (dns_name_equal(name, gorigin)) + return (ISC_FALSE); + + dns_rdataset_init(&dsset); + result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ds, + 0, 0, &dsset, NULL); + if (dns_rdataset_isassociated(&dsset)) + dns_rdataset_disassociate(&dsset); + + return (ISC_TF(result == ISC_R_SUCCESS)); +} + /*% - * Signs all records at a name. This mostly just signs each set individually, - * but also adds the RRSIG bit to any NSECs generated earlier, deals with - * parent/child KEY signatures, and handles other exceptional cases. + * Signs all records at a name. */ static void signname(dns_dbnode_t *node, dns_name_t *name) { @@ -780,89 +890,19 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_rdataset_t rdataset; dns_rdatasetiter_t *rdsiter; isc_boolean_t isdelegation = ISC_FALSE; - isc_boolean_t hasds = ISC_FALSE; - isc_boolean_t changed = ISC_FALSE; dns_diff_t del, add; char namestr[DNS_NAME_FORMATSIZE]; - isc_uint32_t nsttl = 0; + dns_rdataset_init(&rdataset); dns_name_format(name, namestr, sizeof(namestr)); /* * Determine if this is a delegation point. */ - if (delegation(name, node, &nsttl)) + if (delegation(name, node, NULL)) isdelegation = ISC_TRUE; /* - * If this is a delegation point, look for a DS set. - */ - if (isdelegation) { - dns_rdataset_t dsset; - dns_rdataset_t sigdsset; - - dns_rdataset_init(&dsset); - dns_rdataset_init(&sigdsset); - result = dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_ds, - 0, 0, &dsset, &sigdsset); - if (result == ISC_R_SUCCESS) { - dns_rdataset_disassociate(&dsset); - if (generateds) { - result = dns_db_deleterdataset(gdb, node, - gversion, - dns_rdatatype_ds, - 0); - check_result(result, "dns_db_deleterdataset"); - } else - hasds = ISC_TRUE; - } - if (generateds) { - result = loadds(name, nsttl, &dsset); - if (result == ISC_R_SUCCESS) { - result = dns_db_addrdataset(gdb, node, - gversion, 0, - &dsset, 0, NULL); - check_result(result, "dns_db_addrdataset"); - hasds = ISC_TRUE; - dns_rdataset_disassociate(&dsset); - if (dns_rdataset_isassociated(&sigdsset)) - dns_rdataset_disassociate(&sigdsset); - } else if (dns_rdataset_isassociated(&sigdsset)) { - result = dns_db_deleterdataset(gdb, node, - gversion, - dns_rdatatype_rrsig, - dns_rdatatype_ds); - check_result(result, "dns_db_deleterdataset"); - dns_rdataset_disassociate(&sigdsset); - } - } else if (dns_rdataset_isassociated(&sigdsset)) - dns_rdataset_disassociate(&sigdsset); - } - - /* - * Make sure that NSEC bits are appropriately set. - */ - dns_rdataset_init(&rdataset); - RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_nsec, 0, 0, &rdataset, - NULL) == ISC_R_SUCCESS); - if (!nokeys) - changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1); - if (changed) { - dns_rdataset_disassociate(&rdataset); - RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_nsec, 0, 0, - &rdataset, - NULL) == ISC_R_SUCCESS); - } - if (hasds) - (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1); - else - (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0); - dns_rdataset_disassociate(&rdataset); - - /* * Now iterate through the rdatasets. */ dns_diff_init(mctx, &del); @@ -884,7 +924,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) { * isn't a DS record. */ if (isdelegation) { - if (rdataset.type != dns_rdatatype_nsec && + if (rdataset.type != nsec_datatype && rdataset.type != dns_rdatatype_ds) goto skip; } else if (rdataset.type == dns_rdatatype_ds) { @@ -938,6 +978,7 @@ active_node(dns_dbnode_t *node) { while (result == ISC_R_SUCCESS) { dns_rdatasetiter_current(rdsiter, &rdataset); if (rdataset.type != dns_rdatatype_nsec && + rdataset.type != dns_rdatatype_nsec3 && rdataset.type != dns_rdatatype_rrsig) active = ISC_TRUE; dns_rdataset_disassociate(&rdataset); @@ -950,7 +991,7 @@ active_node(dns_dbnode_t *node) { fatal("rdataset iteration failed: %s", isc_result_totext(result)); - if (!active) { + if (!active && nsec_datatype == dns_rdatatype_nsec) { /*% * The node is empty of everything but NSEC / RRSIG records. */ @@ -1009,6 +1050,32 @@ active_node(dns_dbnode_t *node) { fatal("rdataset iteration failed: %s", isc_result_totext(result)); dns_rdatasetiter_destroy(&rdsiter2); + +#if 0 + /* + * Delete all NSEC records and RRSIG(NSEC) if we are in + * NSEC3 mode and vica versa. + */ + for (result = dns_rdatasetiter_first(rdsiter2); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter2)) { + dns_rdatasetiter_current(rdsiter, &rdataset); + type = rdataset.type; + covers = rdataset.covers; + if (type == dns_rdatatype_rrsig) + type = covers; + dns_rdataset_disassociate(&rdataset); + if (type == nsec_datatype || + (type != dns_rdatatype_nsec && + type != dns_rdatatype_nsec3)) + continue; + if (covers != 0) + type = dns_rdatatype_rrsig; + result = dns_db_deleterdataset(gdb, node, gversion, + type, covers); + check_result(result, "dns_db_deleterdataset()"); + } +#endif } dns_rdatasetiter_destroy(&rdsiter); @@ -1169,11 +1236,8 @@ presign(void) { isc_result_t result; gdbiter = NULL; - result = dns_db_createiterator(gdb, ISC_FALSE, &gdbiter); + result = dns_db_createiterator(gdb, 0, &gdbiter); check_result(result, "dns_db_createiterator()"); - - result = dns_dbiterator_first(gdbiter); - check_result(result, "dns_dbiterator_first()"); } /*% @@ -1186,6 +1250,8 @@ postsign(void) { /*% * Sign the apex of the zone. + * Note the origin may not be the first node if there are out of zone + * records. */ static void signapex(void) { @@ -1196,13 +1262,15 @@ signapex(void) { dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); + result = dns_dbiterator_seek(gdbiter, gorigin); + check_result(result, "dns_dbiterator_seek()"); result = dns_dbiterator_current(gdbiter, &node, name); check_result(result, "dns_dbiterator_current()"); signname(node, name); dumpnode(name, node); cleannode(gdb, gversion, node); dns_db_detachnode(gdb, &node); - result = dns_dbiterator_next(gdbiter); + result = dns_dbiterator_first(gdbiter); if (result == ISC_R_NOMORE) finished = ISC_TRUE; else if (result != ISC_R_SUCCESS) @@ -1223,6 +1291,8 @@ assignwork(isc_task_t *task, isc_task_t *worker) { dns_rdataset_t nsec; isc_boolean_t found; isc_result_t result; + static dns_name_t *zonecut = NULL; /* Protected by namelock. */ + static dns_fixedname_t fzonecut; /* Protected by namelock. */ static unsigned int ended = 0; /* Protected by namelock. */ if (shuttingdown) @@ -1250,19 +1320,51 @@ assignwork(isc_task_t *task, isc_task_t *worker) { if (result != ISC_R_SUCCESS) fatal("failure iterating database: %s", isc_result_totext(result)); + /* + * The origin was handled by signapex(). + */ + if (dns_name_equal(name, gorigin)) { + dns_db_detachnode(gdb, &node); + goto next; + } + /* + * Sort the zone data from the glue and out-of-zone data. + * For NSEC zones nodes with zone data have NSEC records. + * For NSEC3 zones the NSEC3 nodes are zone data but + * outside of the zone name space. For the rest we need + * to track the bottom of zone cuts. + * Nodes which don't need to be signed are dumped here. + */ dns_rdataset_init(&nsec); result = dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_nsec, 0, 0, + nsec_datatype, 0, 0, &nsec, NULL); - if (result == ISC_R_SUCCESS) - found = ISC_TRUE; - else - dumpnode(name, node); if (dns_rdataset_isassociated(&nsec)) dns_rdataset_disassociate(&nsec); - if (!found) + if (result == ISC_R_SUCCESS) { + found = ISC_TRUE; + } else if (nsec_datatype == dns_rdatatype_nsec3) { + if (dns_name_issubdomain(name, gorigin) && + (zonecut == NULL || + !dns_name_issubdomain(name, zonecut))) { + if (delegation(name, node, NULL)) { + dns_fixedname_init(&fzonecut); + zonecut = dns_fixedname_name(&fzonecut); + dns_name_copy(name, zonecut, NULL); + if (!OPTOUT(nsec3flags) || + secure(name, node)) + found = ISC_TRUE; + } else + found = ISC_TRUE; + } + } + + if (!found) { + dumpnode(name, node); dns_db_detachnode(gdb, &node); + } + next: result = dns_dbiterator_next(gdbiter); if (result == ISC_R_NOMORE) { finished = ISC_TRUE; @@ -1348,6 +1450,43 @@ sign(isc_task_t *task, isc_event_t *event) { } /*% + * Update / remove the DS RRset. Preserve RRSIG(DS) if possible. + */ +static void +add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) { + dns_rdataset_t dsset; + dns_rdataset_t sigdsset; + isc_result_t result; + + dns_rdataset_init(&dsset); + dns_rdataset_init(&sigdsset); + result = dns_db_findrdataset(gdb, node, gversion, + dns_rdatatype_ds, + 0, 0, &dsset, &sigdsset); + if (result == ISC_R_SUCCESS) { + dns_rdataset_disassociate(&dsset); + result = dns_db_deleterdataset(gdb, node, gversion, + dns_rdatatype_ds, 0); + check_result(result, "dns_db_deleterdataset"); + } + result = loadds(name, nsttl, &dsset); + if (result == ISC_R_SUCCESS) { + result = dns_db_addrdataset(gdb, node, gversion, 0, + &dsset, 0, NULL); + check_result(result, "dns_db_addrdataset"); + dns_rdataset_disassociate(&dsset); + if (dns_rdataset_isassociated(&sigdsset)) + dns_rdataset_disassociate(&sigdsset); + } else if (dns_rdataset_isassociated(&sigdsset)) { + result = dns_db_deleterdataset(gdb, node, gversion, + dns_rdatatype_rrsig, + dns_rdatatype_ds); + check_result(result, "dns_db_deleterdataset"); + dns_rdataset_disassociate(&sigdsset); + } +} + +/*% * Generate NSEC records for the zone. */ static void @@ -1358,6 +1497,7 @@ nsecify(void) { dns_name_t *name, *nextname, *zonecut; isc_boolean_t done = ISC_FALSE; isc_result_t result; + isc_uint32_t nsttl = 0; dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); @@ -1366,7 +1506,7 @@ nsecify(void) { dns_fixedname_init(&fzonecut); zonecut = NULL; - result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter); + result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter); check_result(result, "dns_db_createiterator()"); result = dns_dbiterator_first(dbiter); @@ -1374,9 +1514,11 @@ nsecify(void) { while (!done) { dns_dbiterator_current(dbiter, &node, name); - if (delegation(name, node, NULL)) { + if (delegation(name, node, &nsttl)) { zonecut = dns_fixedname_name(&fzonecut); dns_name_copy(name, zonecut, NULL); + if (generateds) + add_ds(name, node, nsttl); } result = dns_dbiterator_next(dbiter); nextnode = NULL; @@ -1419,6 +1561,451 @@ nsecify(void) { } /*% + * Does this node only contain NSEC3 records or RRSIG records or is empty. + */ +static isc_boolean_t +nsec3only(dns_dbnode_t *node) { + dns_rdatasetiter_t *rdsiter = NULL; + isc_result_t result; + dns_rdataset_t rdataset; + isc_boolean_t answer = ISC_TRUE; + + dns_rdataset_init(&rdataset); + result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + check_result(result, "dns_db_allrdatasets()"); + result = dns_rdatasetiter_first(rdsiter); + while (result == ISC_R_SUCCESS) { + dns_rdatasetiter_current(rdsiter, &rdataset); + if (rdataset.type != dns_rdatatype_nsec3 && + rdataset.type != dns_rdatatype_rrsig) { + answer = ISC_FALSE; + result = ISC_R_NOMORE; + } else + result = dns_rdatasetiter_next(rdsiter); + dns_rdataset_disassociate(&rdataset); + } + if (result != ISC_R_NOMORE) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); + dns_rdatasetiter_destroy(&rdsiter); + return (answer); +} + +static void +addnsec3param(const unsigned char *salt, size_t salt_length, + unsigned int iterations) +{ + dns_dbnode_t *node = NULL; + dns_rdata_nsec3param_t nsec3param; + unsigned char nsec3parambuf[5 + 255]; + dns_rdatalist_t rdatalist; + dns_rdataset_t rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_buffer_t b; + isc_result_t result; + + dns_rdataset_init(&rdataset); + + nsec3param.common.rdclass = gclass; + nsec3param.common.rdtype = dns_rdatatype_nsec3param; + ISC_LINK_INIT(&nsec3param.common, link); + nsec3param.mctx = NULL; + nsec3param.flags = 0; + nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1; + nsec3param.iterations = iterations; + nsec3param.salt_length = salt_length; + DE_CONST(salt, nsec3param.salt); + + isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf)); + result = dns_rdata_fromstruct(&rdata, gclass, + dns_rdatatype_nsec3param, + &nsec3param, &b); + rdatalist.rdclass = rdata.rdclass; + rdatalist.type = rdata.type; + rdatalist.covers = 0; + rdatalist.ttl = 0; + ISC_LIST_INIT(rdatalist.rdata); + ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); + result = dns_rdatalist_tordataset(&rdatalist, &rdataset); + check_result(result, "dns_rdatalist_tordataset()"); + + result = dns_db_findnode(gdb, gorigin, ISC_TRUE, &node); + check_result(result, "dns_db_find(gorigin)"); + result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset, + DNS_DBADD_MERGE, NULL); + if (result == DNS_R_UNCHANGED) + result = ISC_R_SUCCESS; + check_result(result, "addnsec3param: dns_db_addrdataset()"); + dns_db_detachnode(gdb, &node); +} + +static void +addnsec3(dns_name_t *name, dns_dbnode_t *node, + const unsigned char *salt, size_t salt_length, + unsigned int iterations, hashlist_t *hashlist, + dns_ttl_t ttl) +{ + unsigned char hash[NSEC3_MAX_HASH_LENGTH]; + const unsigned char *nexthash; + unsigned char nsec3buffer[DNS_NSEC3_BUFFERSIZE]; + dns_fixedname_t hashname; + dns_rdatalist_t rdatalist; + dns_rdataset_t rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_result_t result; + dns_dbnode_t *nsec3node = NULL; + char namebuf[DNS_NAME_FORMATSIZE]; + size_t hash_length; + + dns_name_format(name, namebuf, sizeof(namebuf)); + + dns_fixedname_init(&hashname); + dns_rdataset_init(&rdataset); + + dns_name_downcase(name, name, NULL); + result = dns_nsec3_hashname(&hashname, hash, &hash_length, + name, gorigin, dns_hash_sha1, iterations, + salt, salt_length); + check_result(result, "addnsec3: dns_nsec3_hashname()"); + nexthash = hashlist_findnext(hashlist, hash); + result = dns_nsec3_buildrdata(gdb, gversion, node, + unknownalg ? + DNS_NSEC3_UNKNOWNALG : dns_hash_sha1, + nsec3flags, iterations, + salt, salt_length, + nexthash, ISC_SHA1_DIGESTLENGTH, + nsec3buffer, &rdata); + check_result(result, "addnsec3: dns_nsec3_buildrdata()"); + rdatalist.rdclass = rdata.rdclass; + rdatalist.type = rdata.type; + rdatalist.covers = 0; + rdatalist.ttl = ttl; + ISC_LIST_INIT(rdatalist.rdata); + ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); + result = dns_rdatalist_tordataset(&rdatalist, &rdataset); + check_result(result, "dns_rdatalist_tordataset()"); + result = dns_db_findnsec3node(gdb, dns_fixedname_name(&hashname), + ISC_TRUE, &nsec3node); + check_result(result, "addnsec3: dns_db_findnode()"); + result = dns_db_addrdataset(gdb, nsec3node, gversion, 0, &rdataset, + 0, NULL); + if (result == DNS_R_UNCHANGED) + result = ISC_R_SUCCESS; + check_result(result, "addnsec3: dns_db_addrdataset()"); + dns_db_detachnode(gdb, &nsec3node); +} + +/*% + * Clean out NSEC3 record and RRSIG(NSEC3) that are not in the hash list. + * + * Extract the hash from the first label of 'name' then see if it + * is in hashlist. If 'name' is not in the hashlist then delete the + * any NSEC3 records which have the same parameters as the chain we + * are building. + * + * XXXMPA Should we also check that it of the form <hash>.<origin>? + */ +static void +nsec3clean(dns_name_t *name, dns_dbnode_t *node, + unsigned int hashalg, unsigned int iterations, + const unsigned char *salt, size_t salt_length, hashlist_t *hashlist) +{ + dns_label_t label; + dns_rdata_nsec3_t nsec3; + dns_rdata_t rdata, delrdata; + dns_rdatalist_t rdatalist; + dns_rdataset_t rdataset, delrdataset; + isc_boolean_t delete_rrsigs = ISC_FALSE; + isc_buffer_t target; + isc_result_t result; + unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1]; + + /* + * Get the first label. + */ + dns_name_getlabel(name, 0, &label); + + /* + * We want just the label contents. + */ + isc_region_consume(&label, 1); + + /* + * Decode base32hex string. + */ + isc_buffer_init(&target, hash, sizeof(hash) - 1); + result = isc_base32hex_decoderegion(&label, &target); + if (result != ISC_R_SUCCESS) + return; + + hash[isc_buffer_usedlength(&target)] = 0; + + if (hashlist_exists(hashlist, hash)) + return; + + /* + * Verify that the NSEC3 parameters match the current ones + * otherwise we are dealing with a different NSEC3 chain. + */ + dns_rdataset_init(&rdataset); + dns_rdataset_init(&delrdataset); + + result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_nsec3, + 0, 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) + return; + + /* + * Delete any matching NSEC3 records which have parameters that + * match the NSEC3 chain we are building. + */ + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) { + dns_rdata_init(&rdata); + dns_rdataset_current(&rdataset, &rdata); + dns_rdata_tostruct(&rdata, &nsec3, NULL); + if (nsec3.hash == hashalg && + nsec3.iterations == iterations && + nsec3.salt_length == salt_length && + !memcmp(nsec3.salt, salt, salt_length)) + break; + rdatalist.rdclass = rdata.rdclass; + rdatalist.type = rdata.type; + rdatalist.covers = 0; + rdatalist.ttl = rdataset.ttl; + ISC_LIST_INIT(rdatalist.rdata); + dns_rdata_init(&delrdata); + dns_rdata_clone(&rdata, &delrdata); + ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link); + result = dns_rdatalist_tordataset(&rdatalist, &delrdataset); + check_result(result, "dns_rdatalist_tordataset()"); + result = dns_db_subtractrdataset(gdb, node, gversion, + &delrdataset, 0, NULL); + dns_rdataset_disassociate(&delrdataset); + if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) + check_result(result, "dns_db_subtractrdataset(NSEC3)"); + delete_rrsigs = ISC_TRUE; + } + dns_rdataset_disassociate(&rdataset); + if (result != ISC_R_NOMORE) + check_result(result, "dns_rdataset_first/next"); + + if (!delete_rrsigs) + return; + /* + * Delete the NSEC3 RRSIGs + */ + result = dns_db_deleterdataset(gdb, node, gversion, + dns_rdatatype_rrsig, + dns_rdatatype_nsec3); + if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) + check_result(result, "dns_db_deleterdataset(RRSIG(NSEC3))"); +} + +/* + * Generate NSEC3 records for the zone. + */ +static void +nsec3ify(unsigned int hashalg, unsigned int iterations, + const unsigned char *salt, size_t salt_length, hashlist_t *hashlist) +{ + dns_dbiterator_t *dbiter = NULL; + dns_dbnode_t *node = NULL, *nextnode = NULL; + dns_fixedname_t fname, fnextname, fzonecut; + dns_name_t *name, *nextname, *zonecut; + isc_boolean_t done = ISC_FALSE; + isc_result_t result; + isc_boolean_t active; + isc_uint32_t nsttl = 0; + unsigned int count, nlabels; + int order; + + dns_fixedname_init(&fname); + name = dns_fixedname_name(&fname); + dns_fixedname_init(&fnextname); + nextname = dns_fixedname_name(&fnextname); + dns_fixedname_init(&fzonecut); + zonecut = NULL; + + /* + * Walk the zone generating the hash names. + */ + result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter); + check_result(result, "dns_db_createiterator()"); + + result = dns_dbiterator_first(dbiter); + check_result(result, "dns_dbiterator_first()"); + + while (!done) { + dns_dbiterator_current(dbiter, &node, name); + result = dns_dbiterator_next(dbiter); + nextnode = NULL; + while (result == ISC_R_SUCCESS) { + result = dns_dbiterator_current(dbiter, &nextnode, + nextname); + if (result != ISC_R_SUCCESS) + break; + active = active_node(nextnode); + if (!active) { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + if (!dns_name_issubdomain(nextname, gorigin) || + (zonecut != NULL && + dns_name_issubdomain(nextname, zonecut))) { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + if (delegation(nextname, nextnode, &nsttl)) { + zonecut = dns_fixedname_name(&fzonecut); + dns_name_copy(nextname, zonecut, NULL); + if (generateds) + add_ds(nextname, nextnode, nsttl); + if (OPTOUT(nsec3flags) && + !secure(nextname, nextnode)) { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + } + dns_db_detachnode(gdb, &nextnode); + break; + } + if (result == ISC_R_NOMORE) { + dns_name_copy(gorigin, nextname, NULL); + done = ISC_TRUE; + } else if (result != ISC_R_SUCCESS) + fatal("iterating through the database failed: %s", + isc_result_totext(result)); + dns_name_downcase(name, name, NULL); + hashlist_add_dns_name(hashlist, name, hashalg, iterations, + salt, salt_length, ISC_FALSE); + dns_db_detachnode(gdb, &node); + /* + * Add hashs for empty nodes. Use closest encloser logic. + * The closest encloser either has data or is a empty + * node for another <name,nextname> span so we don't add + * it here. Empty labels on nextname are within the span. + */ + dns_name_downcase(nextname, nextname, NULL); + dns_name_fullcompare(name, nextname, &order, &nlabels); + addnowildcardhash(hashlist, name, hashalg, iterations, + salt, salt_length); + count = dns_name_countlabels(nextname); + while (count > nlabels + 1) { + count--; + dns_name_split(nextname, count, NULL, nextname); + hashlist_add_dns_name(hashlist, nextname, hashalg, + iterations, salt, salt_length, + ISC_FALSE); + addnowildcardhash(hashlist, nextname, hashalg, + iterations, salt, salt_length); + } + } + dns_dbiterator_destroy(&dbiter); + + /* + * We have all the hashes now so we can sort them. + */ + hashlist_sort(hashlist); + + /* + * Check for duplicate hashes. If found the salt needs to + * be changed. + */ + if (hashlist_hasdup(hashlist)) + fatal("Duplicate hash detected. Pick a different salt."); + + /* + * Generate the nsec3 records. + */ + zonecut = NULL; + done = ISC_FALSE; + + addnsec3param(salt, salt_length, iterations); + + result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter); + check_result(result, "dns_db_createiterator()"); + + result = dns_dbiterator_first(dbiter); + check_result(result, "dns_dbiterator_first()"); + + while (!done) { + dns_dbiterator_current(dbiter, &node, name); + result = dns_dbiterator_next(dbiter); + nextnode = NULL; + while (result == ISC_R_SUCCESS) { + result = dns_dbiterator_current(dbiter, &nextnode, + nextname); + if (result != ISC_R_SUCCESS) + break; + /* + * Cleanout NSEC3 RRsets which don't exist in the + * hash table. + */ + nsec3clean(nextname, nextnode, hashalg, iterations, + salt, salt_length, hashlist); + /* + * Skip NSEC3 only nodes when looking for the next + * node in the zone. Also skips now empty nodes. + */ + if (nsec3only(nextnode)) { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + if (!dns_name_issubdomain(nextname, gorigin) || + (zonecut != NULL && + dns_name_issubdomain(nextname, zonecut))) { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + if (delegation(nextname, nextnode, NULL)) { + zonecut = dns_fixedname_name(&fzonecut); + dns_name_copy(nextname, zonecut, NULL); + if (OPTOUT(nsec3flags) && + !secure(nextname, nextnode)) { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + } + dns_db_detachnode(gdb, &nextnode); + break; + } + if (result == ISC_R_NOMORE) { + dns_name_copy(gorigin, nextname, NULL); + done = ISC_TRUE; + } else if (result != ISC_R_SUCCESS) + fatal("iterating through the database failed: %s", + isc_result_totext(result)); + /* + * We need to pause here to release the lock on the database. + */ + dns_dbiterator_pause(dbiter); + addnsec3(name, node, salt, salt_length, iterations, + hashlist, zonettl); + dns_db_detachnode(gdb, &node); + /* + * Add NSEC3's for empty nodes. Use closest encloser logic. + */ + dns_name_fullcompare(name, nextname, &order, &nlabels); + count = dns_name_countlabels(nextname); + while (count > nlabels + 1) { + count--; + dns_name_split(nextname, count, NULL, nextname); + addnsec3(nextname, NULL, salt, salt_length, + iterations, hashlist, zonettl); + } + } + dns_dbiterator_destroy(&dbiter); +} + +/*% * Load the zone file from disk */ static void @@ -1788,6 +2375,9 @@ usage(void) { fprintf(stderr, "\t-n ncpus (number of cpus present)\n"); fprintf(stderr, "\t-k key_signing_key\n"); fprintf(stderr, "\t-l lookasidezone\n"); + fprintf(stderr, "\t-3 salt (NSEC3 salt)\n"); + fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n"); + fprintf(stderr, "\t-A (NSEC3 optout)\n"); fprintf(stderr, "\t-z:\t"); fprintf(stderr, "ignore KSK flag in DNSKEYs"); @@ -1852,6 +2442,36 @@ main(int argc, char *argv[]) { isc_task_t **tasks = NULL; isc_buffer_t b; int len; + unsigned int iterations = 100U; + const unsigned char *salt = NULL; + size_t salt_length = 0; + unsigned char saltbuf[255]; + hashlist_t hashlist; + +#define CMDLINE_FLAGS "3:aAc:d:e:f:ghH:i:I:j:k:l:m:n:N:o:O:pr:s:StUv:z" + + /* + * Process memory debugging argument first. + */ + while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { + switch (ch) { + case 'm': + if (strcasecmp(isc_commandline_argument, "record") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGRECORD; + if (strcasecmp(isc_commandline_argument, "trace") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGTRACE; + if (strcasecmp(isc_commandline_argument, "usage") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; + if (strcasecmp(isc_commandline_argument, "size") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGSIZE; + if (strcasecmp(isc_commandline_argument, "mctx") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGCTX; + break; + default: + break; + } + } + isc_commandline_reset = ISC_TRUE; masterstyle = &dns_master_style_explicitttl; @@ -1863,10 +2483,34 @@ main(int argc, char *argv[]) { dns_result_register(); - while ((ch = isc_commandline_parse(argc, argv, - "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z")) - != -1) { + isc_commandline_errprint = ISC_FALSE; + + while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { + case '3': + if (strcmp(isc_commandline_argument, "-")) { + isc_buffer_t target; + char *sarg; + + sarg = isc_commandline_argument; + isc_buffer_init(&target, saltbuf, + sizeof(saltbuf)); + result = isc_hex_decodestring(sarg, &target); + check_result(result, + "isc_hex_decodestring(salt)"); + salt = saltbuf; + salt_length = isc_buffer_usedlength(&target); + } else { + salt = saltbuf; + salt_length = 0; + } + nsec_datatype = dns_rdatatype_nsec3; + break; + + case 'A': + nsec3flags |= DNS_NSEC3FLAG_OPTOUT; + break; + case 'a': tryverify = ISC_TRUE; break; @@ -1891,11 +2535,19 @@ main(int argc, char *argv[]) { generateds = ISC_TRUE; break; + case '?': + if (isc_commandline_option != '?') + fprintf(stderr, "%s: invalid argument -%c\n", + program, isc_commandline_option); case 'h': - default: usage(); break; + default: + fprintf(stderr, "%s: unhandled option -%c\n", + program, isc_commandline_option); + exit(1); + case 'i': endp = NULL; cycle = strtol(isc_commandline_argument, &endp, 0); @@ -1934,6 +2586,9 @@ main(int argc, char *argv[]) { dskeyfile[ndskeys++] = isc_commandline_argument; break; + case 'm': + break; + case 'n': endp = NULL; ntasks = strtol(isc_commandline_argument, &endp, 0); @@ -1945,6 +2600,15 @@ main(int argc, char *argv[]) { serialformatstr = isc_commandline_argument; break; + case 'H': + iterations = strtoul(isc_commandline_argument, + &endp, 0); + if (*endp != '\0') + fatal("iterations must be numeric"); + if (iterations > 0xffffU) + fatal("iterations too big"); + break; + case 'o': origin = isc_commandline_argument; break; @@ -1975,6 +2639,10 @@ main(int argc, char *argv[]) { printstats = ISC_TRUE; break; + case 'U': /* Undocumented for testing only. */ + unknownalg = ISC_TRUE; + break; + case 'v': endp = NULL; verbose = strtol(isc_commandline_argument, &endp, 0); @@ -2018,7 +2686,7 @@ main(int argc, char *argv[]) { cycle = (endtime - starttime) / 4; if (ntasks == 0) - ntasks = isc_os_ncpus(); + ntasks = isc_os_ncpus() * 2; vbprintf(4, "using %d cpus\n", ntasks); rdclass = strtoclass(classname); @@ -2082,7 +2750,6 @@ main(int argc, char *argv[]) { 0, 24, 0, 0, 0, 8, mctx); check_result(result, "dns_master_stylecreate"); - gdb = NULL; TIME_NOW(&timer_start); loadzone(file, origin, rdclass, &gdb); @@ -2090,6 +2757,18 @@ main(int argc, char *argv[]) { gclass = dns_db_class(gdb); zonettl = soattl(); + if (IS_NSEC3) { + isc_boolean_t answer; + hash_length = dns_nsec3_hashlength(dns_hash_sha1); + hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2, + hash_length); + result = dns_nsec_nseconly(gdb, gversion, &answer); + check_result(result, "dns_nsec_nseconly"); + if (answer) + fatal("NSEC3 generation requested with " + "NSEC only DNSKEY"); + } + ISC_LIST_INIT(keylist); if (argc == 0) { @@ -2106,6 +2785,9 @@ main(int argc, char *argv[]) { fatal("cannot load dnskey %s: %s", argv[i], isc_result_totext(result)); + if (!dns_name_equal(gorigin, dst_key_name(newkey))) + fatal("key %s not at origin\n", argv[i]); + key = ISC_LIST_HEAD(keylist); while (key != NULL) { dst_key_t *dkey = key->key; @@ -2143,6 +2825,9 @@ main(int argc, char *argv[]) { fatal("cannot load dnskey %s: %s", dskeyfile[i], isc_result_totext(result)); + if (!dns_name_equal(gorigin, dst_key_name(newkey))) + fatal("key %s not at origin\n", dskeyfile[i]); + key = ISC_LIST_HEAD(keylist); while (key != NULL) { dst_key_t *dkey = key->key; @@ -2176,6 +2861,15 @@ main(int argc, char *argv[]) { nokeys = ISC_TRUE; } + if (IS_NSEC3) { + unsigned int max; + result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max); + check_result(result, "dns_nsec3_maxiterations()"); + if (iterations > max) + fatal("NSEC3 iterations too big for weakest DNSKEY " + "strength. Maximum iterations allowed %u.", max); + } + warnifallksk(gdb); gversion = NULL; @@ -2195,7 +2889,11 @@ main(int argc, char *argv[]) { break; } - nsecify(); + if (IS_NSEC3) + nsec3ify(dns_hash_sha1, iterations, salt, salt_length, + &hashlist); + else + nsecify(); if (!nokeys) { writeset("keyset-", dns_rdatatype_dnskey); |
