checkpoint

bin/tests/system/dnssec/ns2/example.db.in

@@ -162,4 +162,7 @@ ns.managed-future	A	10.53.0.3
 revkey			NS	ns.revkey
 ns.revkey		A	10.53.0.3
 
+offline-ksk		NS	ns.offline-ksk
+ns.offline-ksk		A	10.53.0.3
+
 dname-at-apex-nsec3	NS	ns3

bin/tests/system/dnssec/ns3/named.conf.in

@@ -363,6 +363,15 @@ zone "revoked.trusted" {
 	file "revoked.trusted.db.signed";
 };
 
+zone "offline-ksk.example" {
+	type master;
+	file "offline-ksk.example.db.signed";
+	auto-dnssec maintain;
+	update-check-ksk yes;
+	dnssec-dnskey-kskonly yes;
+	allow-update { any; };
+};
+
 include "siginterval.conf";
 
 include "trusted.conf";

bin/tests/system/dnssec/ns3/offline-ksk.example.db.in

@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2012042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	ns
+ns			A	10.53.0.3

bin/tests/system/dnssec/ns3/sign.sh

@@ -669,3 +669,30 @@ $DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP"
 cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
     "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
 "$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
+
+#
+# Offline KSK test.
+#
+set -x
+zone=offline-ksk.example
+infile=offline-ksk.example.db.in
+zonefile=offline-ksk.example.db
+rm -rf offline
+mkdir -p offline
+# kskname=$("$KEYGEN" -K offline -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
+# $IMPORTKEY "offline/${kskname}.key"
+$IMPORTKEY -K offline "${zskname}.key"
+cat "$infile" "${zskname}.key" > "$zonefile"
+# cat "$infile" "${kskname}.key" "${zskname}.key" > "$zonefile"
+# "$CHECKZONE" -qD "${zone}" "${zonefile}" |
+# awk '$4 == "SOA" || $4 == "DNSKEY" { print }' > "offline/${zonefile}"
+# cat << EOF >> "offline/${zonefile}"
+# @	0	IN	NS	.
+# EOF
+# "$SIGNER" -P -3 - -o "${zone}" "offline/${zonefile}"
+# "$CHECKZONE" -qD "${zone}" "offline/${zonefile}.signed" |
+# awk '$4 == "RRSIG" && $5 == "DNSKEY" { print } ' >> "$zonefile"
+cp "$zonefile" "${zonefile}.signed"
+# $DSFROMKEY "${kskname}.key" > "dsset-${zone}$TP"
+#"$SIGNER" -P -3 - -o "$zone" "$zonefile"

bin/tests/system/dnssec/tests.sh

@@ -113,6 +113,67 @@ stripns () {
     awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1"
 }
 
+dig_with_opts @10.53.0.3 axfr offline-ksk.example +rrcomments
+
+set -x
+zone=offline-ksk.example
+zonefile=offline-ksk.example.db
+rm -rf offline
+mkdir -p offline
+dig_with_opts @10.53.0.3 dnskey +dnssec offline-ksk.example > offline/dnskey
+awk '$4 == "DNSKEY" && $5 == "256" { print }' < offline/dnskey > "offline/${zonefile}"
+alg=$(awk '$4 == "DNSKEY" && $5 == "256" { print $7 }' "offline/${zonefile}")
+ttl=$(awk '$4 == "DNSKEY" && $5 == "256" { print $2 }' "offline/${zonefile}")
+$IMPORTKEY -K offline -f "offline/${zonefile}" "${zone}"
+kskname=$("$KEYGEN" -K offline -q -a "$alg" -L "$ttl" -fk "$zone")
+# $IMPORTKEY -K ns3 -f "offline/${kskname}.key" -L "$ttl" -P now  "${zone}"
+cat "offline/${kskname}.key" >> "offline/${zonefile}"
+echo "@ 0 IN SOA . . 0 0 0 0 0" >> "offline/${zonefile}"
+echo "@ 0 IN NS ." >> "offline/${zonefile}"
+"$SIGNER" -K offline -P -o "${zone}" "offline/${zonefile}"
+(
+cat << EOF
+zone $zone
+server 10.53.0.3 $PORT
+del $zone DNSKEY
+EOF
+"$CHECKZONE" -qD "${zone}" "offline/${zonefile}.signed" |
+awk '$4 == "DNSKEY" || $4 == "RRSIG" && $5 == "DNSKEY" { print "add", $0 }'
+awk '$4 == "RRSIG" && $5 == "DNSKEY" { print "del", $0 }' < offline/dnskey
+echo send
+) > offline/nsupdate
+$NSUPDATE -d < offline/nsupdate
+
+dig_with_opts @10.53.0.3 dnskey +dnssec +rrcomments offline-ksk.example > dig.out.ns3.test$n
+id=$(awk '$4 == "DNSKEY" && $5 == "256" { print $NF }' < dig.out.ns3.test$n)
+(
+cat << EOF
+zone $zone
+server 10.53.0.3 $PORT
+del $zone DNSKEY
+EOF
+dig_with_opts @10.53.0.3 dnskey +dnssec offline-ksk.example |
+awk '$4 == "RRSIG" && $5 == "DNSKEY" && $11 == "'${id}'" { print "del", $0 }'
+echo send
+) | $NSUPDATE -d < offline/nsupdate
+
+dig_with_opts @10.53.0.3 axfr offline-ksk.example +rrcomments
+
+# rndccmd 10.53.0.3 sign offline-ksk.example
+
+# sleep 1
+
+# dig_with_opts @10.53.0.3 axfr offline-ksk.example +rrcomments
+
+# rm -rf offline
+
+# dig_with_opts @10.53.0.3 dnskey offline-ksk.example |
+# awk '$4 == "DNSKEY" && $5 == "256" { print }' |
+# $IMPORTKEY -f - -K offline
+# $KEYGEN -
+
+exit 0
+
 # Check that for a query against a validating resolver where the
 # authoritative zone is unsigned (insecure delegation), glue is returned
 # in the additional section
@@ -4120,5 +4181,21 @@ do
   status=$((status+ret))
 done
 
+dig_with_opts @10.53.0.3 axfr offline-ksk.example +rrcomments
+
+rndccmd 10.53.0.3 sign offline-ksk.example
+
+sleep 1
+
+dig_with_opts @10.53.0.3 axfr offline-ksk.example +rrcomments
+
+rm -rf offline
+
+dig_with_opts @10.53.0.3 dnskey offline-ksk.example |
+awk '$4 == "DNSKEY" && $5 == "256" { print }' |
+$IMPORTKEY -f - -K offline
+$KEYGEN -
+
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

lib/dns/dnssec.c

@@ -750,6 +750,8 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 					  directory,
 					  mctx, &keys[count]);
 
+fprintf(stderr, "YYYY dst_key_fromfile(%u)->%s\n", dst_key_id(pubkey), dns_result_totext(result));
+
 		/*
 		 * If the key was revoked and the private file
 		 * doesn't exist, maybe it was revoked internally
@@ -822,6 +824,19 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 		if (result != ISC_R_SUCCESS)
 			goto failure;
 
+#if 0
+		/*
+		 * Use the public key for external keys.
+		 */
+		if (dst_key_isexternal(keys[count])) {
+			dst_key_free(&keys[count]);
+			keys[count] = pubkey;
+			pubkey = NULL;
+			count++;
+			goto next;
+		}
+#endif
+
 		/*
 		 * If a key is marked inactive, skip it
 		 */
@@ -845,6 +860,7 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 			dst_key_free(&keys[count]);
 			goto next;
 		}
+fprintf(stderr, "dst_key_isexternal=>%u\n", dst_key_isexternal(keys[count]));
 		count++;
  next:
 		if (pubkey != NULL)
@@ -1544,7 +1560,6 @@ addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
 	return (ISC_R_SUCCESS);
 }
 
-
 /*%
  * Mark all keys which signed the DNSKEY/SOA RRsets as "active",
  * for future reference.

lib/dns/dst_api.c

@@ -519,6 +519,8 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,
 	newfilename = NULL;
 	RETERR(result);
 
+fprintf(stderr, "dst_key_read_public->%s\n", isc_result_totext(result));
+
 	if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
 	    (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
 		result = computeid(pubkey);
@@ -572,6 +574,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,
 	dst_key_free(&pubkey);
 
 	*keyp = key;
+fprintf(stderr, "key->external=%u\n", key->external);
 	return (ISC_R_SUCCESS);
 
  out:

lib/dns/dst_parse.c

@@ -491,6 +491,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 		}
 
 		if (strcmp(DST_AS_STR(token), "External:") == 0) {
+fprintf(stderr, "match External:\n");
 			external = true;
 			goto next;
 		}
@@ -575,6 +576,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 		goto fail;
 	}
 
+fprintf(stderr, "external=%u\n", external);
 	key->external = external;
 
 	return (ISC_R_SUCCESS);
@@ -724,11 +726,11 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 		}
 		isc_buffer_usedregion(&b, &r);
 
-	       fprintf(fp, "%s %.*s\n", s, (int)r.length, r.base);
+		fprintf(fp, "%s %.*s\n", s, (int)r.length, r.base);
 	}
 
 	if (key->external)
-	       fprintf(fp, "External:\n");
+		fprintf(fp, "External:\n");
 
 	/* Add the metadata tags */
 	if (major > 1 || (major == 1 && minor >= 3)) {

lib/dns/update.c

@@ -1107,10 +1107,13 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		bool both = false;
 
 		/* Don't add signatures for offline or inactive keys */
-		if (!dst_key_isprivate(keys[i])) {
+		if (dst_key_inactive(keys[i])) {
 			continue;
 		}
-		if (dst_key_inactive(keys[i])) {
+		if (!dst_key_isprivate(keys[i])) {
+			if (type == dns_rdatatype_dnskey) {
+				added_sig = true;
+			}
 			continue;
 		}
 
@@ -1238,11 +1241,15 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		found = false;
 		for (i = 0; i < nkeys; i++) {
-			if (rrsig.keyid == dst_key_id(keys[i])) {
+			if (rrsig.keyid == dst_key_id(keys[i]) &&
+			    rrsig.algorithm == dst_key_alg(keys[i])) {
 				found = true;
+fprintf(stderr, "XXXX rrsig.keyid=%u dst_key_isexternal=%u dst_key_isprivate=%u dst_key_inactive=%u\n",
+	rrsig.keyid, dst_key_isexternal(keys[i]), dst_key_isprivate(keys[i]), dst_key_inactive(keys[i]));
 				if (!dst_key_isprivate(keys[i]) &&
 				    !dst_key_inactive(keys[i]))
 				{
+fprintf(stderr, "skip\n");
 					/*
 					 * The re-signing code in zone.c
 					 * will mark this as offline.