ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

[master] dnssec-cds

Browse Source 
4757.   [func]          New "dnssec-cds" command creates a new parent DS
                        RRset based on CDS or CDNSKEY RRsets found in
                        a child zone, and generates either a dsset file
                        or stream of nsupdate commands to update the
                        parent. Thanks to Tony Finch. [RT #46090]
This commit is contained in:
Evan Hunt
2017-10-05 01:04:18 -07:00
parent 14afc8425b
commit ba37674d03
23 changed files with 2853 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES
View File

@@ -1,3 +1,9 @@
4757. [func] New "dnssec-cds" command creates a new parent DS
RRset based on CDS or CDNSKEY RRsets found in
a child zone, and generates either a dsset file
or stream of nsupdate commands to update the
parent. Thanks to Tony Finch. [RT #46090]
4756. [bug] Interrupting dig could lead to an INSIST failure after
certain errors were encountered while querying a host
whose name resolved to more than one address. Change

1
bin/dnssec/.gitignore vendored
View File

@@ -1,3 +1,4 @@
dnssec-cds
dnssec-dsfromkey
dnssec-keyfromlabel
dnssec-keygen

32
bin/dnssec/Makefile.in
View File

@@ -32,30 +32,37 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
dnssec-verify@EXEEXT@
OBJS = dnssectool.@O@
SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
dnssec-revoke.c dnssec-settime.c dnssec-signzone.c \
dnssec-verify.c dnssec-importkey.c dnssectool.c
SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
dnssec-keyfromlabel.c dnssec-keygen.c dnssec-revoke.c \
dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
dnssectool.c
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
dnssec-verify.8 dnssec-importkey.8
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
HTMLPAGES = dnssec-cds.html dnssec-dsfromkey.html \
dnssec-importkey.html dnssec-keyfromlabel.html \
dnssec-keygen.html dnssec-revoke.html \
dnssec-settime.html dnssec-signzone.html \
dnssec-verify.html dnssec-importkey.html
dnssec-verify.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -115,4 +122,3 @@ uninstall::
clean distclean::
rm -f ${TARGETS}

293
bin/dnssec/dnssec-cds.8 Normal file
View File

@@ -0,0 +1,293 @@
.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-cds
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 2017-10-02
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-CDS" "8" "2017\-10\-02" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
.SH "SYNOPSIS"
.HP 11
\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-cds\fR
command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&.
.PP
Two input files are required\&. The
\fB\-f \fR\fB\fIchild\-file\fR\fR
option specifies a file containing the child\*(Aqs CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated\&. The
\fB\-d \fR\fB\fIpath\fR\fR
option specifies the location of a file containing the current DS records\&. For example, this could be a
dsset\-
file generated by
\fBdnssec\-signzone\fR, or the output of
\fBdnssec\-dsfromkey\fR, or the output of a previous run of
\fBdnssec\-cds\fR\&.
.PP
For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
dsset\-
file, or from the
\fB\-s\fR
option\&.
.PP
To protect against breaking the delegation,
\fBdnssec\-cds\fR
ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type\&.
.PP
By default, replacement DS records are written to the standard output; with the
\fB\-i\fR
option the input file is overwritten in place\&. The replacement DS records will be the same as the existing records when no change is required\&. The output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure\&.
.PP
Warning: Be careful not to delete the DS records when
\fBdnssec\-cds\fR
fails!
.PP
Alternatively,
\fBdnssec\-cds \-u\fR
writes an
\fBnsupdate\fR
script to the standard output\&. You can use the
\fB\-u\fR
and
\fB\-i\fR
options together to maintain a
dsset\-
file as well as emit an
\fBnsupdate\fR
script\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting CDNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each CDNSKEY record\&. This option has no effect when using CDS records\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zones\&.
.RE
.PP
\-D
.RS 4
Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone\&. By default CDS records are preferred\&.
.RE
.PP
\-d \fIpath\fR
.RS 4
Location of the parent DS records\&. The
\fIpath\fR
can be the name of a file containing the DS records, or if it is a directory,
\fBdnssec\-cds\fR
looks for a
dsset\-
file for the
\fIdomain\fR
inside the directory\&.
.sp
To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the
dsset\-
file\&. This can be adjusted with the
\fB\-s\fR
option\&.
.RE
.PP
\-f \fIchild\-file\fR
.RS 4
File containing the child\*(Aqs CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated\&.
.sp
The EXAMPLES below describe how to generate this file\&.
.RE
.PP
\-i [\fIextension\fR]
.RS 4
Update the
dsset\-
file in place, instead of writing DS records to the standard output\&.
.sp
There must be no space between the
\fB\-i\fR
and the
\fIextension\fR\&. If you provide no
\fIextension\fR
then the old
dsset\-
is discarded\&. If an
\fIextension\fR
is present, a backup of the old
dsset\-
file is kept with the
\fIextension\fR
appended to its filename\&.
.sp
To protect against replay attacks, the modification time of the
dsset\-
file is set to match the signature inception time of the child records, provided that is later than the file\*(Aqs current modification time\&.
.RE
.PP
\-s \fIstart\-time\fR
.RS 4
Specify the date and time after which RRSIG records become acceptable\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017\&. A time relative to the
dsset\-
file is indicated with \-N, which is N seconds before the file modification time\&. A time relative to the current time is indicated with now+N\&.
.sp
If no
\fIstart\-time\fR
is specified, the modification time of the
dsset\-
file is used\&.
.RE
.PP
\-T \fIttl\fR
.RS 4
Specifies a TTL to be used for new DS records\&. If not specified, the default is the TTL of the old DS records\&. If they had no explicit TTL then the new DS records also have no explicit TTL\&.
.RE
.PP
\-u
.RS 4
Write an
\fBnsupdate\fR
script to the standard output, instead of printing the new DS reords\&. The output will be empty if no change is needed\&.
.sp
Note: The TTL of new records needs to be specified, either in the original
dsset\-
file, or with the
\fB\-T\fR
option, or using the
\fBnsupdate\fR
\fBttl\fR
command\&.
.RE
.PP
\-V
.RS 4
Print version information\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers\&.
.RE
.PP
\fIdomain\fR
.RS 4
The name of the delegation point / child zone apex\&.
.RE
.SH "EXIT STATUS"
.PP
The
\fBdnssec\-cds\fR
command exits 0 on success, or non\-zero if an error occurred\&.
.PP
In the success case, the DS records might or might not need to be changed\&.
.SH "EXAMPLES"
.PP
Before running
\fBdnssec\-signzone\fR, you can ensure that the delegations are up\-to\-date by running
\fBdnssec\-cds\fR
on every
dsset\-
file\&.
.PP
To fetch the child records required by
\fBdnssec\-cds\fR
you can invoke
\fBdig\fR
as in the script below\&. It\*(Aqs okay if the
\fBdig\fR
fails since
\fBdnssec\-cds\fR
performs all the necessary checking\&.
.sp
.if n \{\
.RS 4
.\}
.nf
for f in dsset\-*
do
d=${f#dsset\-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec\-cds \-i \-f /dev/stdin \-d $f $d
done
.fi
.if n \{\
.RE
.\}
.PP
When the parent zone is automatically signed by
\fBnamed\fR, you can use
\fBdnssec\-cds\fR
with
\fBnsupdate\fR
to maintain a delegation as follows\&. The
dsset\-
file allows the script to avoid having to fetch and validate the parent DS records, and it keeps the replay attack protection time\&.
.sp
.if n \{\
.RS 4
.\}
.nf
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
nsupdate \-l
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBdnssec-settime\fR(8),
\fBdnssec-signzone\fR(8),
\fBnsupdate\fR(1),
BIND 9 Administrator Reference Manual,
RFC 7344\&.
.SH "AUTHORS"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.PP
\fBTony Finch\fR <\&dot@dotat\&.at\&>, <\&fanf2@cam\&.ac\&.uk\&>
.br
.RS 4
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2017 Internet Systems Consortium, Inc. ("ISC")
.br

1392
bin/dnssec/dnssec-cds.c Normal file
View File

File diff suppressed because it is too large Load Diff

373
bin/dnssec/dnssec-cds.docbook Normal file
View File

@@ -0,0 +1,373 @@
<!--
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
<info>
<date>2017-10-02</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
<author>
<personname>Tony Finch</personname>
<email>dot@dotat.at</email>
<email>fanf2@cam.ac.uk</email>
<affiliation>Cambridge University Information Services</affiliation>
<personblurb></personblurb>
</author>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-cds</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-cds</application></refname>
<refpurpose>change DS records for a child zone based on CDS/CDNSKEY</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2017</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-cds</command>
<arg choice="opt" rep="repeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="req" rep="norepeat"><option>-d <replaceable class="parameter">dsset-file</replaceable></option></arg>
<arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">child-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option><arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat">domain</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
The <command>dnssec-cds</command> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
the child zone, the CDS is preferred.
</para>
<para>
Two input files are required. The
<option>-f <replaceable class="parameter">child-file</replaceable></option>
option specifies a file containing the child's CDS and/or CDNSKEY
records, plus RRSIG and DNSKEY records so that they can be
authenticated. The
<option>-d <replaceable class="parameter">path</replaceable></option>
option specifies the location of a file containing the current DS
records. For example, this could be a <filename>dsset-</filename>
file generated by <command>dnssec-signzone</command>, or the output of
<command>dnssec-dsfromkey</command>, or the output of a previous
run of <command>dnssec-cds</command>.
</para>
<para>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
of <command>dnssec-cds</command>. This time is obtained from the
modification time of the <filename>dsset-</filename> file, or
from the <option>-s</option> option.
</para>
<para>
To protect against breaking the delegation,
<command>dnssec-cds</command> ensures that the DNSKEY RRset can be
verified by every key algorithm in the new DS RRset, and that the
same set of keys are covered by every DS digest type.
</para>
<para>
By default, replacement DS records are written to the standard
output; with the <option>-i</option> option the input file is
overwritten in place. The replacement DS records will be the
same as the existing records when no change is required. The
output can be empty if the CDS / CDNSKEY records specify that
the child zone wants to go insecure.
</para>
<para>
Warning: Be careful not to delete the DS records
when <command>dnssec-cds</command> fails!
</para>
<para>
Alternatively, <command>dnssec-cds -u</command> writes
an <command>nsupdate</command> script to the standard output.
You can use the <option>-u</option> and <option>-i</option>
options together to maintain a <filename>dsset-</filename> file
as well as emit an <command>nsupdate</command> script.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specify a digest algorithm to use when converting CDNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each CDNSKEY
record. This option has no effect when using CDS records.
</para>
<para>
The <replaceable>algorithm</replaceable> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Generate DS records from CDNSKEY records if both CDS and
CDNSKEY records are present in the child zone. By default
CDS records are preferred.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">path</replaceable></term>
<listitem>
<para>
Location of the parent DS records.
The <replaceable>path</replaceable> can be the name of a file
containing the DS records, or if it is a
directory, <command>dnssec-cds</command> looks for
a <filename>dsset-</filename> file for
the <replaceable>domain</replaceable> inside the directory.
</para>
<para>
To protect against replay attacks, child records are
rejected if they were signed earlier than the modification
time of the <filename>dsset-</filename> file. This can be
adjusted with the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">child-file</replaceable></term>
<listitem>
<para>
File containing the child's CDS and/or CDNSKEY records,
plus its DNSKEY records and the covering RRSIG records so
that they can be authenticated.
</para>
<para>
The EXAMPLES below describe how to generate this file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i<arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></term>
<listitem>
<para>
Update the <filename>dsset-</filename> file in place,
instead of writing DS records to the standard output.
</para>
<para>
There must be no space between the <option>-i</option> and
the <replaceable>extension</replaceable>. If you provide
no <replaceable>extension</replaceable> then the
old <filename>dsset-</filename> is discarded. If
an <replaceable>extension</replaceable> is present, a
backup of the old <filename>dsset-</filename> file is kept
with the <replaceable>extension</replaceable> appended to
its filename.
</para>
<para>
To protect against replay attacks, the modification time
of the <filename>dsset-</filename> file is set to match
the signature inception time of the child records,
provided that is later than the file's current
modification time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative
time. An absolute start time is indicated by a number in
YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
UTC on August 27th, 2017. A time relative to
the <filename>dsset-</filename> file is indicated with -N,
which is N seconds before the file modification time. A
time relative to the current time is indicated with now+N.
</para>
<para>
If no <replaceable>start-time</replaceable> is specified, the
modification time of the <filename>dsset-</filename> file
is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specifies a TTL to be used for new DS records. If not
specified, the default is the TTL of the old DS records.
If they had no explicit TTL then the new DS records also
have no explicit TTL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Write an <command>nsupdate</command> script to the
standard output, instead of printing the new DS reords.
The output will be empty if no change is needed.
</para>
<para>
Note: The TTL of new records needs to be specified, either
in the original <filename>dsset-</filename> file, or with
the <option>-T</option> option, or using
the <command>nsupdate</command> <command>ttl</command>
command.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Print version information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level. Level 1 is intended to be
usefully verbose for general users; higher levels are
intended for developers.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>domain</replaceable></term>
<listitem>
<para>
The name of the delegation point / child zone apex.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXIT STATUS</title></info>
<para>
The <command>dnssec-cds</command> command exits 0 on success, or
non-zero if an error occurred.
</para>
<para>
In the success case, the DS records might or might not need
to be changed.
</para>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
<para>
Before running <command>dnssec-signzone</command>, you can ensure
that the delegations are up-to-date by running
<command>dnssec-cds</command> on every <filename>dsset-</filename> file.
</para>
<para>
To fetch the child records required by <command>dnssec-cds</command>
you can invoke <command>dig</command> as in the script below. It's
okay if the <command>dig</command> fails since
<command>dnssec-cds</command> performs all the necessary checking.
</para>
<programlisting>for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
</programlisting>
<para>
When the parent zone is automatically signed by
<command>named</command>, you can use <command>dnssec-cds</command>
with <command>nsupdate</command> to maintain a delegation as follows.
The <filename>dsset-</filename> file allows the script to avoid
having to fetch and validate the parent DS records, and it keeps the
replay attack protection time.
</para>
<programlisting>
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
</programlisting>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para>
<citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 7344</citetitle>.
</para>
</refsection>
</refentry>

272
bin/dnssec/dnssec-cds.html Normal file
View File

@@ -0,0 +1,272 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-cds</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-cds</span> &#8212; change DS records for a child zone based on CDS/CDNSKEY</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-cds</code> [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D</code>] {<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>} {<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>} [<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {domain}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
the child zone, the CDS is preferred.
</p>
<p>
Two input files are required. The
<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
option specifies a file containing the child's CDS and/or CDNSKEY
records, plus RRSIG and DNSKEY records so that they can be
authenticated. The
<code class="option">-d <em class="replaceable"><code>path</code></em></code>
option specifies the location of a file containing the current DS
records. For example, this could be a <code class="filename">dsset-</code>
file generated by <span class="command"><strong>dnssec-signzone</strong></span>, or the output of
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
run of <span class="command"><strong>dnssec-cds</strong></span>.
</p>
<p>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
modification time of the <code class="filename">dsset-</code> file, or
from the <code class="option">-s</code> option.
</p>
<p>
To protect against breaking the delegation,
<span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
verified by every key algorithm in the new DS RRset, and that the
same set of keys are covered by every DS digest type.
</p>
<p>
By default, replacement DS records are written to the standard
output; with the <code class="option">-i</code> option the input file is
overwritten in place. The replacement DS records will be the
same as the existing records when no change is required. The
output can be empty if the CDS / CDNSKEY records specify that
the child zone wants to go insecure.
</p>
<p>
Warning: Be careful not to delete the DS records
when <span class="command"><strong>dnssec-cds</strong></span> fails!
</p>
<p>
Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
You can use the <code class="option">-u</code> and <code class="option">-i</code>
options together to maintain a <code class="filename">dsset-</code> file
as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting CDNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each CDNSKEY
record. This option has no effect when using CDS records.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class of the zones.
</p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>
Generate DS records from CDNSKEY records if both CDS and
CDNSKEY records are present in the child zone. By default
CDS records are preferred.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
<dd>
<p>
Location of the parent DS records.
The <em class="replaceable"><code>path</code></em> can be the name of a file
containing the DS records, or if it is a
directory, <span class="command"><strong>dnssec-cds</strong></span> looks for
a <code class="filename">dsset-</code> file for
the <em class="replaceable"><code>domain</code></em> inside the directory.
</p>
<p>
To protect against replay attacks, child records are
rejected if they were signed earlier than the modification
time of the <code class="filename">dsset-</code> file. This can be
adjusted with the <code class="option">-s</code> option.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
<dd>
<p>
File containing the child's CDS and/or CDNSKEY records,
plus its DNSKEY records and the covering RRSIG records so
that they can be authenticated.
</p>
<p>
The EXAMPLES below describe how to generate this file.
</p>
</dd>
<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
<dd>
<p>
Update the <code class="filename">dsset-</code> file in place,
instead of writing DS records to the standard output.
</p>
<p>
There must be no space between the <code class="option">-i</code> and
the <em class="replaceable"><code>extension</code></em>. If you provide
no <em class="replaceable"><code>extension</code></em> then the
old <code class="filename">dsset-</code> is discarded. If
an <em class="replaceable"><code>extension</code></em> is present, a
backup of the old <code class="filename">dsset-</code> file is kept
with the <em class="replaceable"><code>extension</code></em> appended to
its filename.
</p>
<p>
To protect against replay attacks, the modification time
of the <code class="filename">dsset-</code> file is set to match
the signature inception time of the child records,
provided that is later than the file's current
modification time.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd>
<p>
Specify the date and time after which RRSIG records become
acceptable. This can be either an absolute or relative
time. An absolute start time is indicated by a number in
YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
UTC on August 27th, 2017. A time relative to
the <code class="filename">dsset-</code> file is indicated with -N,
which is N seconds before the file modification time. A
time relative to the current time is indicated with now+N.
</p>
<p>
If no <em class="replaceable"><code>start-time</code></em> is specified, the
modification time of the <code class="filename">dsset-</code> file
is used.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Specifies a TTL to be used for new DS records. If not
specified, the default is the TTL of the old DS records.
If they had no explicit TTL then the new DS records also
have no explicit TTL.
</p></dd>
<dt><span class="term">-u</span></dt>
<dd>
<p>
Write an <span class="command"><strong>nsupdate</strong></span> script to the
standard output, instead of printing the new DS reords.
The output will be empty if no change is needed.
</p>
<p>
Note: The TTL of new records needs to be specified, either
in the original <code class="filename">dsset-</code> file, or with
the <code class="option">-T</code> option, or using
the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
command.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Print version information.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level. Level 1 is intended to be
usefully verbose for general users; higher levels are
intended for developers.
</p></dd>
<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
The name of the delegation point / child zone apex.
</p></dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXIT STATUS</h2>
<p>
The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
non-zero if an error occurred.
</p>
<p>
In the success case, the DS records might or might not need
to be changed.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>EXAMPLES</h2>
<p>
Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
that the delegations are up-to-date by running
<span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
</p>
<p>
To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
you can invoke <span class="command"><strong>dig</strong></span> as in the script below. It's
okay if the <span class="command"><strong>dig</strong></span> fails since
<span class="command"><strong>dnssec-cds</strong></span> performs all the necessary checking.
</p>
<pre class="programlisting">for f in dsset-*
do
d=${f#dsset-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -i -f /dev/stdin -d $f $d
done
</pre>
<p>
When the parent zone is automatically signed by
<span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
The <code class="filename">dsset-</code> file allows the script to avoid
having to fetch and validate the parent DS records, and it keeps the
replay attack protection time.
</p>
<pre class="programlisting">
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l
</pre>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 7344</em>.
</p>
</div>
</div></body>
</html>

8
bin/dnssec/dnssec-dsfromkey.8
View File

@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 2012-05-02
.\" Manual: BIND9
.\" Source: ISC
@@ -38,11 +38,11 @@
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
.HP 17
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
.SH "DESCRIPTION"
.PP

24
bin/dnssec/dnssec-dsfromkey.c
View File

@@ -346,7 +346,7 @@ usage(void) {
int
main(int argc, char **argv) {
char *algname = NULL, *classname = NULL;
char *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *lookaside = NULL;
char *endp;
@@ -393,7 +393,7 @@ main(int argc, char **argv) {
showall = ISC_TRUE;
break;
case 'a':
algname = isc_commandline_argument;
dtype = strtodsdigest(isc_commandline_argument);
both = ISC_FALSE;
break;
case 'C':
@@ -430,7 +430,7 @@ main(int argc, char **argv) {
break;
case 'T':
emitttl = ISC_TRUE;
ttl = atol(isc_commandline_argument);
ttl = strtottl(isc_commandline_argument);
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
@@ -460,24 +460,6 @@ main(int argc, char **argv) {
}
}
if (algname != NULL) {
if (strcasecmp(algname, "SHA1") == 0 ||
strcasecmp(algname, "SHA-1") == 0)
dtype = DNS_DSDIGEST_SHA1;
else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256;
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST;
#endif
else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
dtype = DNS_DSDIGEST_SHA384;
else
fatal("unknown algorithm %s", algname);
}
rdclass = strtoclass(classname);
if (usekeyset && filename != NULL)

6
bin/dnssec/dnssec-importkey.8
View File

@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-importkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
@@ -38,9 +38,9 @@
.SH "NAME"
dnssec-importkey \- import DNSKEY records from external systems so they can be managed
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-importkey\fR\ 'u
.HP 17
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
.HP \w'\fBdnssec\-importkey\fR\ 'u
.HP 17
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
.SH "DESCRIPTION"
.PP

4
bin/dnssec/dnssec-settime.8
View File

@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-settime
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 2015-08-21
.\" Manual: BIND9
.\" Source: ISC
@@ -38,7 +38,7 @@
.SH "NAME"
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
.HP 15
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP

23
bin/dnssec/dnssectool.c
View File

@@ -412,6 +412,29 @@ strtoclass(const char *str) {
return (rdclass);
}
unsigned int
strtodsdigest(const char *algname) {
if (strcasecmp(algname, "SHA1") == 0 ||
strcasecmp(algname, "SHA-1") == 0)
{
return (DNS_DSDIGEST_SHA1);
} else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
{
return (DNS_DSDIGEST_SHA256);
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
} else if (strcasecmp(algname, "GOST") == 0) {
return (DNS_DSDIGEST_GOST);
#endif
} else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
{
return (DNS_DSDIGEST_SHA384);
} else {
fatal("unknown algorithm %s", algname);
}
}
isc_result_t
try_dir(const char *dirname) {
isc_result_t result;

3
bin/dnssec/dnssectool.h
View File

@@ -65,6 +65,9 @@ isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base,
isc_boolean_t *setp);
unsigned int
strtodsdigest(const char *str);
dns_rdataclass_t
strtoclass(const char *str);

13
bin/tests/system/cds/.gitignore vendored Normal file
View File

@@ -0,0 +1,13 @@
CDNSKEY*
CDS*
DS*
K*
UP*
brk.*
db.*
dsset-*
err
empty
out
sig.*
vars.sh

6
bin/tests/system/cds/checkmtime.pl Normal file
View File

@@ -0,0 +1,6 @@
#!/usr/bin/perl
my $target = shift;
my $file = shift;
my $mtime = time - (stat $file)[9];
die "bad mtime $mtime"
unless abs($mtime - $target) < 3;

12
bin/tests/system/cds/checktime.pl Normal file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/perl
$target = shift;
while (<>) {
$notbefore = $1 if m{^.* must not be signed before \d+ [(](\d+)[)]$};
$inception = $1 if m{^.* inception time \d+ [(](\d+)[)]$};
}
die "missing notbefore time" unless $notbefore;
die "missing inception time" unless $inception;
my $delta = $inception - $notbefore;
die "bad inception time $delta"
unless abs($delta - $target) < 3;

11
bin/tests/system/cds/clean.sh Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/sh -e
#
# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
while read glob
do rm -f $glob
done <.gitignore

7
bin/tests/system/cds/mangle.pl Normal file
View File

@@ -0,0 +1,7 @@
#!/usr/bin/perl
my $re = $ARGV[0];
shift;
while (<>) {
s{($re)........}{${1}00000000};
print;
}

12
bin/tests/system/cds/prereq.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/sh
#
# Copyright (C) 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
exec $SHELL ../testcrypto.sh

120
bin/tests/system/cds/setup.sh Normal file
View File

@@ -0,0 +1,120 @@
#!/bin/sh -e
#
# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
set -eu
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
touch empty
Z=cds.test
keyz=$($KEYGEN -q -r $RANDFILE -a RSASHA256 $Z)
key1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z)
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z)
idz=$(echo $keyz | sed 's/.*+0*//')
id1=$(echo $key1 | sed 's/.*+0*//')
id2=$(echo $key2 | sed 's/.*+0*//')
cat <<EOF >vars.sh
Z=$Z
key1=$key1
key2=$key2
idz=$idz
id1=$id1
id2=$id2
EOF
tac() {
perl -e 'print reverse <>' "$@"
}
convert() {
local key=$1 n=$2
$DSFROMKEY $key >DS.$n
grep ' 8 1 ' DS.$n >DS.$n-1
grep ' 8 2 ' DS.$n >DS.$n-2
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
tac <DS.$n >DS.rev$n
}
convert $key1 1
convert $key2 2
# consistent order wrt IDs
sort DS.1 DS.2 >DS.both
cp DS.1 DS.inplace
$PERL -we 'utime time, time - 7200, "DS.inplace" or die'
mangle="$PERL mangle.pl"
$mangle " IN DS $id1 8 1 " <DS.1 >DS.broke1
$mangle " IN DS $id1 8 2 " <DS.1 >DS.broke2
$mangle " IN DS $id1 8 [12] " <DS.1 >DS.broke12
sed 's/^/update add /;$a send' <DS.2 >UP.add2
sed 's/^/update del /;$a send' <DS.1 >UP.del1
cat UP.add2 UP.del1 | sed 3d >UP.swap
sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
sign() {
cat >db.$1
$SIGNER >/dev/null 2>&1 -r $RANDFILE \
-S -O full -o $Z -f sig.$1 db.$1
}
sign null <<EOF
\$TTL 1h
@ SOA localhost. root.localhost. (
1 ; serial
1h ; refresh
1h ; retry
1w ; expiry
1h ; minimum
)
;
NS localhost.
;
EOF
cat sig.null CDS.1 >brk.unsigned-cds
cat db.null CDS.1 | sign cds.1
cat db.null CDS.2 | sign cds.2
cat db.null CDS.1 CDS.2 | sign cds.both
tac <sig.cds.1 >sig.cds.rev1
cat db.null CDNSKEY.2 | sign cdnskey.2
cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2
$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.zsk
$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.ksk
$mangle " IN CDS $id1 8 1 " <db.cds.1 |
sign cds-mangled
sed 's/IN CDS '$id1' 8 1 /IN CDS '$((id1 ^ 255))' 8 1 /' <db.cds.1 |
sign bad-digests
sed '/IN CDS '$id1' 8 /p;s//IN CDS '$((id1 ^ 255))' 13 /' <db.cds.1 |
sign bad-algos
rm -f dsset-*

233
bin/tests/system/cds/tests.sh Normal file
View File

@@ -0,0 +1,233 @@
#!/bin/sh -e
#
# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
set -eu
status=0
die() {
echo "I:failed"
status=1
}
ck() {
local x=$1 die=:
shift
echo "I:$name"
if [ $x != $("$@" 2>err 1>out; echo $?) ]
then echo "D:exit status does not match $y"
die=die
fi
ckerr
ckout
$die
rm -f err out xerr xout
unset name err out
}
ckerr() {
if [ -n "${err:=}" ]
then egrep "$err" err >/dev/null &&
return 0
else [ -s err ] ||
return 0
fi
echo "D:stderr did not match '$err'"
sed 's/^/D:/' err
die=die
}
ckout() {
cmp out "${out:-empty}" >/dev/null && return
echo "D:stdout did not match '$out'"
( echo "wanted"
cat "$out"
echo "got"
cat out
) | sed 's/^/D:/'
die=die
}
Z=cds.test
name='usage'
err='Usage'
ck 1 $CDS
name='need a DS file'
err='DS pathname'
ck 1 $CDS $Z
name='name of dsset in directory'
err="./dsset-$Z.: file not found"
ck 1 $CDS -d . $Z
name='load a file'
err='could not find DS records'
ck 1 $CDS -d empty $Z
name='load DS records'
err='path to file containing child data must be specified'
ck 1 $CDS -d DS.1 $Z
name='missing DNSKEY'
err='could not find signed DNSKEY RRset'
ck 1 $CDS -f db.null -d DS.1 $Z
name='sigs too old'
err='could not validate child DNSKEY RRset'
ck 1 $CDS -f sig.null -d DS.1 $Z
name='sigs too old, verbosely'
err='skip RRSIG by key [0-9]+: too old'
ck 1 $CDS -v1 -f sig.null -d DS.1 $Z
name='old sigs are allowed'
err='found RRSIG by key'
out=DS.1
ck 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
name='no CDS/CDNSKEY records'
out=DS.1
ck 0 $CDS -s -7200 -f sig.null -d DS.1 $Z
name='no child records, verbosely'
err='has neither CDS nor CDNSKEY records'
out=DS.1
ck 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
name='unsigned CDS'
err='missing RRSIG CDS records'
ck 1 $CDS -f brk.unsigned-cds -d DS.1 $Z
name='correct signature inception time'
$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr
ck 0 $PERL checktime.pl 3600 xerr
name='in-place reads modification time'
ck 0 $CDS -f sig.cds.1 -i.bak -d DS.inplace $Z
name='in-place output correct modification time'
ck 0 $PERL checkmtime.pl 3600 DS.inplace
name='in-place backup correct modification time'
ck 0 $PERL checkmtime.pl 7200 DS.inplace.bak
name='in-place correct output'
ck 0 cmp DS.1 DS.inplace
name='in-place backup unmodified'
ck 0 cmp DS.1 DS.inplace.bak
name='one mangled DS'
err='found RRSIG by key'
out=DS.1
ck 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke1 $Z
name='other mangled DS'
err='found RRSIG by key'
out=DS.1
ck 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke2 $Z
name='both mangled DS'
err='could not validate child DNSKEY RRset'
ck 1 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke12 $Z
name='mangle RRSIG CDS by ZSK'
err='found RRSIG by key'
out=DS.1
ck 0 $CDS -v1 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z
name='mangle RRSIG CDS by KSK'
err='could not validate child CDS RRset'
ck 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z
name='mangle CDS 1'
err='could not validate child DNSKEY RRset with new DS records'
ck 1 $CDS -s -7200 -f sig.cds-mangled -d DS.1 $Z
name='inconsistent digests'
err='do not cover each key with the same set of digest types'
ck 1 $CDS -s -7200 -f sig.bad-digests -d DS.1 $Z
name='inconsistent algorithms'
err='missing signature for algorithm'
ck 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z
name='add DS records'
out=DS.both
$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out
# sort to allow for numerical vs lexical order of key tags
ck 0 sort DS.out
name='update add'
out=UP.add2
ck 0 $CDS -u -s -7200 -f sig.cds.both -d DS.1 $Z
name='remove DS records'
out=DS.2
ck 0 $CDS -s -7200 -f sig.cds.2 -d DS.both $Z
name='update del'
out=UP.del1
ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.both $Z
name='swap DS records'
out=DS.2
ck 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z
name='update swap'
out=UP.swap
ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.1 $Z
name='TTL from -T'
out=DS.ttl2
ck 0 $CDS -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
name='update TTL from -T'
out=UP.swapttl
ck 0 $CDS -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
name='update TTL from dsset'
out=UP.swapttl
ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
name='TTL from -T overrides dsset'
out=DS.ttlong2
ck 0 $CDS -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
name='stable DS record order (no change)'
out=DS.1
ck 0 $CDS -s -7200 -f sig.null -d DS.rev1 $Z
name='stable DS record order (changes)'
out=DS.1
ck 0 $CDS -s -7200 -f sig.cds.rev1 -d DS.2 $Z
name='CDNSKEY default algorithm'
out=DS.2-2
ck 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
name='CDNSKEY SHA1'
out=DS.2-1
ck 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
name='CDNSKEY two algorithms'
out=DS.2
ck 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
name='CDNSKEY two algorithms, reversed'
out=DS.2
ck 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
name='CDNSKEY and CDS'
out=DS.2
ck 0 $CDS -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
name='prefer CDNSKEY'
out=DS.2-2
ck 0 $CDS -D -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
echo "I:exit status: 0"
exit $status

66
bin/tests/system/conf.sh.in
View File

@@ -17,42 +17,43 @@ TOP=${SYSTEMTESTTOP:=.}/../../..
# Make it absolute so that it continues to work after we cd.
TOP=`cd $TOP && pwd`
NAMED=$TOP/bin/named/named
DIG=$TOP/bin/dig/dig
DELV=$TOP/bin/delv/delv
RNDC=$TOP/bin/rndc/rndc
NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
KEYGEN=$TOP/bin/dnssec/dnssec-keygen
KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
SIGNER=$TOP/bin/dnssec/dnssec-signzone
REVOKE=$TOP/bin/dnssec/dnssec-revoke
SETTIME=$TOP/bin/dnssec/dnssec-settime
DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
CHECKDS=$TOP/bin/python/dnssec-checkds
COVERAGE=$TOP/bin/python/dnssec-coverage
KEYMGR=$TOP/bin/python/dnssec-keymgr
CHECKZONE=$TOP/bin/check/named-checkzone
CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
JOURNALPRINT=$TOP/bin/tools/named-journalprint
VERIFY=$TOP/bin/dnssec/dnssec-verify
ARPANAME=$TOP/bin/tools/arpaname
RESOLVE=$TOP/lib/samples/resolve
RRCHECKER=$TOP/bin/tools/named-rrchecker
CDS=$TOP/bin/dnssec/dnssec-cds
CHECKCONF=$TOP/bin/check/named-checkconf
CHECKDS=$TOP/bin/python/dnssec-checkds
CHECKZONE=$TOP/bin/check/named-checkzone
COVERAGE=$TOP/bin/python/dnssec-coverage
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
DELV=$TOP/bin/delv/delv
DIG=$TOP/bin/dig/dig
DNSTAPREAD=$TOP/bin/tools/dnstap-read
DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
FEATURETEST=$TOP/bin/tests/system/feature-test
FSTRM_CAPTURE=@FSTRM_CAPTURE@
GENRANDOM=$TOP/bin/tools/genrandom
IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
JOURNALPRINT=$TOP/bin/tools/named-journalprint
KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
KEYGEN=$TOP/bin/dnssec/dnssec-keygen
KEYMGR=$TOP/bin/python/dnssec-keymgr
MDIG=$TOP/bin/tools/mdig
NAMED=$TOP/bin/named/named
NSEC3HASH=$TOP/bin/tools/nsec3hash
NSLOOKUP=$TOP/bin/dig/nslookup
DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NSUPDATE=$TOP/bin/nsupdate/nsupdate
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
FEATURETEST=$TOP/bin/tests/system/feature-test
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
RESOLVE=$TOP/lib/samples/resolve
REVOKE=$TOP/bin/dnssec/dnssec-revoke
RNDC=$TOP/bin/rndc/rndc
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
RRCHECKER=$TOP/bin/tools/named-rrchecker
SETTIME=$TOP/bin/dnssec/dnssec-settime
SIGNER=$TOP/bin/dnssec/dnssec-signzone
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
VERIFY=$TOP/bin/dnssec/dnssec-verify
WIRETEST=$TOP/bin/tests/wire_test
RANDFILE=$TOP/bin/tests/system/random.data
@@ -69,7 +70,7 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl additional addzone allow_query autosign builtin
cacheclean case catz chain
cacheclean case catz cds chain
checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlz dlzexternal
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
@@ -187,6 +188,7 @@ fi
#
export ARPANAME
export BIGKEY
export CDS
export CHECKZONE
export DESCRIPTION
export DIG

11
doc/arm/notes.xml
View File

@@ -275,6 +275,17 @@
<userinput>local</userinput>. [RT #42585]
</para>
</listitem>
<listitem>
<para>
The new <command>dnssec-cds</command> command generates a new DS
set to place in a parent zone, based on the contents of a child
zone's validated CDS or CDNSKEY records. It can produce a
<filename>dsset</filename> file suitable for input to
<command>dnssec-signzone</command>, or a series of
<command>nsupdate</command> to update the parent zone via dynamic
DNS. Thanks to Tony Finch for the contribution. [RT #46090]
</para>
</listitem>
<listitem>
<para>
<command>nsupdate</command> and <command>rndc</command> now accepts