Add DNSKEY rr corresponding to the KSK to the SKR
When signing a KSR, add the DNSKEY records from the signing KSK(s) to the DNSKEY RRset prior to signing.
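--- a/<C-source-path-not-shown>
+++ b/<C-source-path-not-shown>
@@ -682,12 +682,19 @@ sign_rrset(ksr_ctx_t *ksr, isc_stdtime_t inception, isc_stdtime_t expiration,
 
 static void
 create_cds(ksr_ctx_t *ksr, dns_kasp_t *kasp, dns_dnsseckeylist_t *keys,
-dns_rdataset_t *cdnskeyset, dns_rdataset_t *cdsset) {
+dns_rdataset_t *dnskeyset, dns_rdataset_t *cdnskeyset,
+dns_rdataset_t *cdsset) {
+dns_rdatalist_t *dnskeylist = isc_mem_get(mctx, sizeof(*dnskeylist));
 dns_rdatalist_t *cdnskeylist = isc_mem_get(mctx, sizeof(*cdnskeylist));
 dns_rdatalist_t *cdslist = isc_mem_get(mctx, sizeof(*cdslist));
 isc_result_t ret = ISC_R_SUCCESS;
 dns_kasp_digestlist_t digests = dns_kasp_digests(kasp);
 
+dns_rdatalist_init(dnskeylist);
+dnskeylist->rdclass = dns_rdataclass_in;
+dnskeylist->type = dns_rdatatype_dnskey;
+dnskeylist->ttl = ksr->ttl;
+
 dns_rdatalist_init(cdnskeylist);
 cdnskeylist->rdclass = dns_rdataclass_in;
 cdnskeylist->type = dns_rdatatype_cdnskey;
@@ -702,17 +709,37 @@ create_cds(ksr_ctx_t *ksr, dns_kasp_t *kasp, dns_dnsseckeylist_t *keys,
 dk = ISC_LIST_NEXT(dk, link))
 {
 isc_buffer_t buf;
-isc_buffer_t *newbuf = NULL;
-dns_rdata_t *rdata = NULL;
+isc_buffer_t *newbuf;
+dns_rdata_t *rdata;
 isc_region_t r;
 isc_region_t rcds;
-unsigned char rdatabuf[DST_KEY_MAXSIZE];
+unsigned char kskbuf[DST_KEY_MAXSIZE];
+unsigned char cdnskeybuf[DST_KEY_MAXSIZE];
 unsigned char cdsbuf[DNS_DS_BUFFERSIZE];
 
+/* KSK */
+newbuf = NULL;
 rdata = isc_mem_get(mctx, sizeof(*rdata));
 dns_rdata_init(rdata);
 
-isc_buffer_init(&buf, rdatabuf, sizeof(rdatabuf));
+isc_buffer_init(&buf, kskbuf, sizeof(kskbuf));
+CHECK(dst_key_todns(dk->key, &buf));
+isc_buffer_usedregion(&buf, &r);
+isc_buffer_allocate(mctx, &newbuf, r.length);
+isc_buffer_putmem(newbuf, r.base, r.length);
+isc_buffer_usedregion(newbuf, &r);
+dns_rdata_fromregion(rdata, dns_rdataclass_in,
+dns_rdatatype_dnskey, &r);
+ISC_LIST_APPEND(dnskeylist->rdata, rdata, link);
+ISC_LIST_APPEND(cleanup_list, newbuf, link);
+isc_buffer_clear(newbuf);
+
+/* CDNSKEY */
+newbuf = NULL;
+rdata = isc_mem_get(mctx, sizeof(*rdata));
+dns_rdata_init(rdata);
+
+isc_buffer_init(&buf, cdnskeybuf, sizeof(cdnskeybuf));
 CHECK(dst_key_todns(dk->key, &buf));
 isc_buffer_usedregion(&buf, &r);
 isc_buffer_allocate(mctx, &newbuf, r.length);
@@ -726,6 +753,7 @@ create_cds(ksr_ctx_t *ksr, dns_kasp_t *kasp, dns_dnsseckeylist_t *keys,
 ISC_LIST_APPEND(cleanup_list, newbuf, link);
 isc_buffer_clear(newbuf);
 
+/* CDS */
 for (dns_kasp_digest_t *alg = ISC_LIST_HEAD(digests);
 alg != NULL; alg = ISC_LIST_NEXT(alg, link))
 {
@@ -755,12 +783,13 @@ create_cds(ksr_ctx_t *ksr, dns_kasp_t *kasp, dns_dnsseckeylist_t *keys,
 }
 }
 /* All good */
+dns_rdatalist_tordataset(dnskeylist, dnskeyset);
 dns_rdatalist_tordataset(cdnskeylist, cdnskeyset);
 dns_rdatalist_tordataset(cdslist, cdsset);
 return;
 
 fail:
-fatal("failed to create CDS/CDNSKEY");
+fatal("failed to create KSK/CDS/CDNSKEY");
 }
 
 static void
@@ -972,6 +1001,7 @@ sign(ksr_ctx_t *ksr) {
 dns_dnsseckeylist_t keys;
 dns_kasp_t *kasp = NULL;
 dns_rdatalist_t *rdatalist = NULL;
+dns_rdataset_t ksk = DNS_RDATASET_INIT;
 dns_rdataset_t cdnskey = DNS_RDATASET_INIT;
 dns_rdataset_t cds = DNS_RDATASET_INIT;
 isc_result_t ret;
@@ -1006,8 +1036,8 @@ sign(ksr_ctx_t *ksr) {
 isc_result_totext(ret));
 }
 
-/* CDS and CDNSKEY */
-create_cds(ksr, kasp, &keys, &cdnskey, &cds);
+/* KSK, CDS and CDNSKEY */
+create_cds(ksr, kasp, &keys, &ksk, &cdnskey, &cds);
 
 for (ret = isc_lex_gettoken(lex, opt, &token); ret == ISC_R_SUCCESS;
 ret = isc_lex_gettoken(lex, opt, &token))
@@ -1069,6 +1099,15 @@ sign(ksr_ctx_t *ksr) {
 rdatalist->rdclass = dns_rdataclass_in;
 rdatalist->type = dns_rdatatype_dnskey;
 rdatalist->ttl = TTL_MAX;
+for (isc_result_t r = dns_rdatalist_first(&ksk);
+r == ISC_R_SUCCESS; r = dns_rdatalist_next(&ksk))
+{
+dns_rdata_t *clone =
+isc_mem_get(mctx, sizeof(*clone));
+dns_rdata_init(clone);
+dns_rdatalist_current(&ksk, clone);
+ISC_LIST_APPEND(rdatalist->rdata, clone, link);
+}
 inception = next_inception;
 have_bundle = true;
 
@@ -1141,8 +1180,9 @@ sign(ksr_ctx_t *ksr) {
 
 fail:
 /* Clean up */
-freerrset(&cds);
+freerrset(&ksk);
 freerrset(&cdnskey);
+freerrset(&cds);
 
 isc_lex_destroy(&lex);
 cleanup(&keys, kasp);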
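--- a/<rst-doc-path-not-shown>
+++ b/<rst-doc-path-not-shown>
@@ -113,11 +113,14 @@ Commands
 .. option:: request
 
 Create a Key Signing Request (KSR), given a DNSSEC policy and an interval.
+This will generate a file with a number of key bundles, where each bundle
+contains the currently published ZSKs (according to the timing metadata).
 
 .. option:: sign
 
 Sign a Key Signing Request (KSR), given a DNSSEC policy and an interval,
-creating a Signed Key Response (SKR).
+creating a Signed Key Response (SKR). This will add the corresponding DNSKEY,
+CDS, and CDNSKEY records for the KSK that is being used for signing.
 
 Exit Status
 ~~~~~~~~~~~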