return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", vector<string>());
}
+/**
+ * Add domainmetadata to allow publishing CDNSKEY records.for zone zname
+ *
+ * @param zname DNSName of the zone
+ * @return true if the data was inserted, false otherwise
+ */
+bool DNSSECKeeper::setPublishCDNSKEY(const DNSName& zname)
+{
+ clearCaches(zname);
+ vector<string> meta;
+ meta.push_back("1");
+ return d_keymetadb->setDomainMetadata(zname, "PUBLISH_CDNSKEY", meta);
+}
+
+/**
+ * Remove domainmetadata to stop publishing CDNSKEY records for zone zname
+ *
+ * @param zname DNSName of the zone
+ * @return true if the operation was successful, false otherwise
+ */
+bool DNSSECKeeper::unsetPublishCDNSKEY(const DNSName& zname)
+{
+ clearCaches(zname);
+ return d_keymetadb->setDomainMetadata(zname, "PUBLISH_CDNSKEY", vector<string>());
+}
DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const DNSName& zone, boost::tribool allOrKeyOrZone, bool useCache)
{
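Review bot: The literal `"1"` written into PUBLISH_CDNSKEY by setPublishCDNSKEY is re-parsed by string comparison in three separate places in packethandler.cc (the CDNSKEY answer path and both NSEC/NSEC3 bitmap paths), whereas the PRESIGNED flag, whose set/unset pair this code mirrors, has an `isPresigned` getter beside it; add a matching `isPublishCDNSKEY` so the on-disk convention lives in one place and callers cannot drift. The doc comment on setPublishCDNSKEY also has a typo, `records.for zone zname` should read `records for zone zname`. The getter below uses getFromMeta, which the packet handler already calls on this object; whether isPresigned is implemented the same way is not visible here.
```cpp
/**
 * Check whether CDNSKEY publication is enabled for zone zname, i.e. whether
 * the PUBLISH_CDNSKEY metadata holds the value written by setPublishCDNSKEY.
 *
 * @param zname DNSName of the zone
 * @return true if CDNSKEY records should be published for zname
 */
bool DNSSECKeeper::isPublishCDNSKEY(const DNSName& zname)
{
  string meta;
  getFromMeta(zname, "PUBLISH_CDNSKEY", meta);
  return meta == "1";
}
```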
bool isPresigned(const DNSName& zname);
bool setPresigned(const DNSName& zname);
bool unsetPresigned(const DNSName& zname);
+ bool setPublishCDNSKEY(const DNSName& zname);
+ bool unsetPublishCDNSKEY(const DNSName& zname);
bool TSIGGrantsAccess(const DNSName& zone, const DNSName& keyname);
bool getTSIGForAccess(const DNSName& zone, const string& master, DNSName* keyname);
}
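Review bot: The PUBLISH_CDNSKEY flag gets a setter and an unsetter but no getter, while the PRESIGNED flag three lines up is exposed as the full `isPresigned`/`setPresigned`/`unsetPresigned` trio; without a getter every consumer has to know that the stored value is the string `"1"`. Declare `bool isPublishCDNSKEY(const DNSName& zname);` next to the two new declarations and back it with a definition in dnsseckeeper.cc that reads the metadata through getFromMeta and compares it to `"1"`. The enclosing class body starts and ends outside the hunk.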
}
-/** This adds DNSKEY records. Returns true if one was added */
-bool PacketHandler::addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd)
+/**
+ * This adds DNSKEY records to the answer packet. Returns true if one was added.
+ * The optional doCDNSKEY parameter signifies that we need to add a CDNSKEY (RFC 7344)
+ * instead of DNSKEY.
+ *
+ * @param p Pointer to the DNSPacket containing the original question
+ * @param r Pointer to the DNSPacket where the records should be inserted into
+ * @param sd SOAData of the zone for which DNSKEY records sets should be added
+ * @param doCDNSKEY When set to true, add CDNSKEYs instead of DNSKEYs
+ * @return bool that shows if any records were added
+**/
+bool PacketHandler::addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd, bool doCDNSKEY=false)
{
+ string publishCDNSKEY;
+ d_dk.getFromMeta(p->qdomain, "PUBLISH_CDNSKEY", publishCDNSKEY);
+ if (doCDNSKEY && publishCDNSKEY != "1")
+ return false;
+
DNSResourceRecord rr;
bool haveOne=false;
DNSSECPrivateKey dpk;
DNSSECKeeper::keyset_t keyset = d_dk.getKeys(p->qdomain);
for(const auto& value: keyset) {
- rr.qtype=QType::DNSKEY;
+ if (doCDNSKEY && !value.second.keyOrZone) {
+ // Don't send out CDNSKEY records for ZSKs
+ continue;
+ }
+ rr.qtype=doCDNSKEY ? QType::CDNSKEY : QType::DNSKEY;
rr.ttl=sd.default_ttl;
rr.qname=p->qdomain;
rr.content=value.first.getDNSKEY().getZoneRepresentation();
}
if(::arg().mustDo("direct-dnskey")) {
- B.lookup(QType(QType::DNSKEY), p->qdomain, p, sd.domain_id);
+ if(doCDNSKEY)
+ B.lookup(QType(QType::CDNSKEY), p->qdomain, p, sd.domain_id);
+ else
+ B.lookup(QType(QType::DNSKEY), p->qdomain, p, sd.domain_id);
+
while(B.get(rr)) {
rr.ttl=sd.default_ttl;
r->addRecord(rr);
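Review bot: The PUBLISH_CDNSKEY metadata fetch at the top of addDNSKEY runs on every call, including the plain DNSKEY path where its result is never used, so each DNSKEY query now pays for a metadata lookup it does not need; test `doCDNSKEY` before fetching. The two `B.lookup` branches under direct-dnskey differ only in the QType and collapse into one call. Note that records pulled from storage on that path are added as-is, so the "no CDNSKEY for ZSKs" filter applies only to the keyset loop; that is presumably intended for presigned zones but deserves a comment. addDNSKEY's body continues outside the hunk (the tail of the keyset loop and the return are not shown).
```cpp
bool PacketHandler::addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd, bool doCDNSKEY=false)
{
  if (doCDNSKEY) {
    // Only the CDNSKEY path is gated on zone metadata; DNSKEY answers are unconditional.
    string publishCDNSKEY;
    d_dk.getFromMeta(p->qdomain, "PUBLISH_CDNSKEY", publishCDNSKEY);
    if (publishCDNSKEY != "1")
      return false;
  }
  // … unchanged: keyset loop (skips ZSKs when doCDNSKEY) …
  if(::arg().mustDo("direct-dnskey")) {
    // Stored records are served verbatim; the ZSK filter above does not apply here.
    B.lookup(QType(doCDNSKEY ? QType::CDNSKEY : QType::DNSKEY), p->qdomain, p, sd.domain_id);
    // … unchanged: B.get loop …
```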
if(sd.qname == name) {
nrc.d_set.insert(QType::SOA); // 1dfd8ad SOA can live outside the records table
nrc.d_set.insert(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getFromMeta(name, "PUBLISH_CDNSKEY", publishCDNSKEY);
+ if (publishCDNSKEY == "1")
+ nrc.d_set.insert(QType::CDNSKEY);
}
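Review bot: The apex NSEC bitmap now asserts CDNSKEY whenever the metadata equals "1", but the answer path (addDNSKEY with doCDNSKEY) additionally drops ZSKs, so a zone with PUBLISH_CDNSKEY set but no KSK in its keyset (and no stored CDNSKEY under direct-dnskey) advertises a type the server never returns, and the NODATA proof for a CDNSKEY query would contradict its own bitmap. Either derive the bit from the same condition the answer path uses, or at minimum document the coupling with `// Must agree with addDNSKEY(..., true): this bit promises a CDNSKEY answer exists`. The enclosing function starts and ends outside the hunk.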
DNSResourceRecord rr;
n3rc.d_set.insert(QType::SOA); // 1dfd8ad SOA can live outside the records table
n3rc.d_set.insert(QType::NSEC3PARAM);
n3rc.d_set.insert(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getFromMeta(name, "PUBLISH_CDNSKEY", publishCDNSKEY);
+ if (publishCDNSKEY == "1")
+ n3rc.d_set.insert(QType::CDNSKEY);
}
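Review bot: The three-line metadata probe here is a verbatim copy of the one in the NSEC path and of the gate at the top of addDNSKEY, each re-encoding the knowledge that the flag's stored value is the string "1"; fold them into a single DNSSECKeeper predicate (the keeper already exposes getFromMeta and the set/unset pair) so the bitmap logic reads `if (d_dk.isPublishCDNSKEY(name)) n3rc.d_set.insert(QType::CDNSKEY);`. If getFromMeta is not served from a cache (not visible here), this also puts one extra backend round trip on every NSEC3 generated at the apex, which is worth a comment. The enclosing function starts and ends outside the hunk.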
B.lookup(QType(QType::ANY), name, NULL, sd.domain_id);
addNSECX(p, r, target, "", sd.qname, 5);
if(pdns_iequals(sd.qname, p->qdomain)) {
addDNSKEY(p, r, sd);
+ addDNSKEY(p, r, sd, true);
addNSEC3PARAM(p, r, sd);
}
}
if(addDNSKEY(p, r, sd))
goto sendit;
}
+ else if(p->qtype.getCode() == QType::CDNSKEY)
+ {
+ if(addDNSKEY(p,r, sd, true))
+ goto sendit;
+ }
else if(p->qtype.getCode() == QType::NSEC3PARAM)
{
if(addNSEC3PARAM(p,r, sd))
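Review bot: The new CDNSKEY `else if` tests only the query type, whereas the DNSKEY branch just above it is governed by a condition that sits outside the hunk; if that condition carries further checks (a signed-zone or apex test, for instance) the CDNSKEY branch should carry the same ones, otherwise the two record types diverge in when they are answered. As written, a CDNSKEY query that addDNSKEY declines (flag unset, or no KSK in the keyset) silently falls through to the ordinary lookup, which is presumably the intended NODATA route; a one-line comment such as `// not publishing: fall through to the normal lookup (NODATA)` would spare the next reader the trace.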
int processNotify(DNSPacket *);
void addRootReferral(DNSPacket *r);
int doChaosRequest(DNSPacket *p, DNSPacket *r, DNSName &target);
- bool addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd);
+ bool addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd, bool doCDNSKEY);
bool addNSEC3PARAM(DNSPacket *p, DNSPacket *r, const SOAData& sd);
int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd, bool retargeted);
void addNSECX(DNSPacket *p, DNSPacket* r, const DNSName &target, const DNSName &wildcard, const DNSName &auth, int mode);
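Review bot: The declaration gives `doCDNSKEY` no default while the out-of-line definition in packethandler.cc writes `bool doCDNSKEY=false`; for a non-template member function that default is only visible in the translation unit containing the definition, so the existing three-argument calls compile only because they follow the definition in the same file, and any other caller would have to pass the flag explicitly. Put the default on the declaration, `bool addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd, bool doCDNSKEY=false);`, and drop it from the definition. The enclosing class body starts and ends outside the hunk.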
cerr<<"secure-zone ZONE [ZONE ..] Add KSK and two ZSKs"<<endl;
cerr<<"set-nsec3 ZONE ['params' [narrow]] Enable NSEC3 with PARAMs. Optionally narrow"<<endl;
cerr<<"set-presigned ZONE Use presigned RRSIGs from storage"<<endl;
+ cerr<<"set-publish-cdnskey ZONE Enable sending CDNSKEY responses for ZONE"<<endl;
cerr<<"set-meta ZONE KIND [value value ..]"<<endl;
cerr<<" Set zone metadata, optionally providing a value. Empty clears meta."<<endl;
cerr<<"show-zone ZONE Show DNSSEC (public) key details about a zone"<<endl;
cerr<<"unset-nsec3 ZONE Switch back to NSEC"<<endl;
cerr<<"unset-presigned ZONE No longer use presigned RRSIGs"<<endl;
+ cerr<<"unset-publish-cdnskey ZONE Disable sending CDNSKEY responses for ZONE"<<endl;
cerr<<"test-schema ZONE Test DB schema - will create ZONE"<<endl;
cerr<<desc<<endl;
return 0;
}
return 0;
}
+ else if(cmds[0]=="set-publish-cdnskey") {
+ if(cmds.size() < 2) {
+ cerr<<"Syntax: pdnssec set-publish-cdnskey ZONE"<<endl;
+ return 0;
+ }
+ if (! dk.setPublishCDNSKEY(cmds[1])) {
+ cerr << "Could not set publishing for CDNSKEY records for "<< cmds[1]<<endl;
+ return 1;
+ }
+ return 0;
+ }
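Review bot: `set-publish-cdnskey` writes the metadata for whatever string is given as ZONE without confirming that the zone exists or is signed, so a mistyped name succeeds silently while the real zone keeps not publishing, unless the backend's setDomainMetadata rejects unknown zones (not visible here). If the neighbouring set-presigned handler validates the zone first (it lies outside this hunk), mirror that check; otherwise confirm the name against the backend before writing and say so in the error message. The same applies to the `unset-publish-cdnskey` handler added below.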
else if(cmds[0]=="unset-presigned") {
if(cmds.size() < 2) {
cerr<<"Syntax: pdnssec unset-presigned ZONE"<<endl;
}
return 0;
}
+ else if(cmds[0]=="unset-publish-cdnskey") {
+ if(cmds.size() < 2) {
+ cerr<<"Syntax: pdnssec unset-publish-cdnskey ZONE"<<endl;
+ return 0;
+ }
+ if (! dk.unsetPublishCDNSKEY(cmds[1])) {
+ cerr << "Could not unset publishing for CDNSKEY records for "<< cmds[1]<<endl;
+ return 1;
+ }
+ return 0;
+ }
else if(cmds[0]=="hash-zone-record") {
if(cmds.size() < 3) {
cerr<<"Syntax: pdnssec hash-zone-record ZONE RNAME"<<endl;