rndc dnssec -checkds set algorithm

In the rare case that multiple keys act as KSK and share the same keytag,
you can now set the algorithm when calling '-checkds'.
This commit is contained in:
Matthijs Mekking
2020-08-04 10:33:19 +02:00
parent e4c82fc7ae
commit 46fcd927e7
7 changed files with 65 additions and 20 deletions


@@ -57,12 +57,13 @@ dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
isc_result_t
dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
const char *directory, isc_stdtime_t now, bool dspublish,
dns_keytag_t id);
dns_keytag_t id, unsigned int algorithm);
/*%<
* Check DS for one key in 'keyring'. The key must have the KSK role.
* If 'dspublish' is set to true, set the DS Publish time to 'now'.
* If 'dspublish' is set to false, set the DS Removed time to 'now'.
* If a specific key 'id' is given it must match the keytag.
* If the 'algorithm' is non-zero, it must match the key's algorithm.
* The result is stored in the key state file.
*
* Requires:
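Review bot: The new prototype names the added parameter `algorithm` while the definition of `dns_keymgr_checkds_id` in the other changed file shown on this page names it `alg`; keeping the prototype and definition names identical lets the header comment be read against the implementation without translation, e.g. `dns_keytag_t id, unsigned int alg);` and `* If 'alg' is non-zero, it must match the key's algorithm.`. The comment could also say what the number is, since callers hand in a raw integer: `* 'alg' is a DNSSEC algorithm number (RFC 4034); 0 disables the algorithm check.`. The rest of the Requires section lies outside the hunk.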


@@ -1873,7 +1873,7 @@ failure:
static isc_result_t
keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
const char *directory, isc_stdtime_t now, bool dspublish,
dns_keytag_t id, bool check_id) {
dns_keytag_t id, unsigned int alg, bool check_id) {
int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
isc_dir_t dir;
isc_result_t result;
@@ -1893,6 +1893,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
if (check_id && dst_key_id(dkey->key) != id) {
continue;
}
if (alg > 0 && dst_key_alg(dkey->key) != alg) {
continue;
}
if (ksk_key != NULL) {
/*
@@ -1935,16 +1938,16 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
isc_result_t
dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
const char *directory, isc_stdtime_t now, bool dspublish) {
return (keymgr_checkds(kasp, keyring, directory, now, dspublish, 0,
return (keymgr_checkds(kasp, keyring, directory, now, dspublish, 0, 0,
false));
}
isc_result_t
dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
const char *directory, isc_stdtime_t now, bool dspublish,
dns_keytag_t id) {
dns_keytag_t id, unsigned int alg) {
return (keymgr_checkds(kasp, keyring, directory, now, dspublish, id,
true));
alg, true));
}
static void
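Review bot: The new filter `if (alg > 0 && dst_key_alg(dkey->key) != alg)` in the second hunk treats 0 as an "any algorithm" wildcard, whereas the keytag filter right above it uses an explicit `check_id` flag; since `alg` is unsigned, `if (alg != 0 && dst_key_alg(dkey->key) != alg)` states the intent more directly, and the sentinel deserves a one-line comment such as `/* alg 0 is reserved in DNSSEC, so 0 means "do not filter on algorithm" */`. Nothing in these hunks checks that the value fits a DNSSEC algorithm number (one octet, 0-255); presumably the rndc/control-channel parser validates it before it reaches `dns_keymgr_checkds_id`, but that should be confirmed, or the bound applied here so an out-of-range value fails loudly instead of silently matching no key. The body of `keymgr_checkds` is spread across the first two hunks and continues outside them.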