void makeRSAPublicKeyFromDNS(rsa_context* rc, const DNSKEYRecordContent& dkrc);
bool sharedDNSSECCompare(const boost::shared_ptr<DNSRecordContent>& a, const shared_ptr<DNSRecordContent>& b);
string getSHA1HashForRRSET(const std::string& qname, const RRSIGRecordContent& rrc, std::vector<boost::shared_ptr<DNSRecordContent> >& signRecords);
-DNSKEYRecordContent makeDNSKEYFromRSAKey(rsa_context* rc, uint8_t algorithm);
+DNSKEYRecordContent makeDNSKEYFromRSAKey(const rsa_context* rc, uint8_t algorithm, uint16_t flags);
DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordContent& drc, int digest=1);
bool getSignerFor(const std::string& keyrepodir, const std::string& qname, std::string &signer);
*dpk = keys.begin()->first;
}
return !keys.empty();
-
- #if 0
- fs::path full_path = fs::system_complete( fs::path(d_dirname + "/" + zone + "/keys/" ) );
-
- if ( !fs::exists( full_path ) )
- return false;
-
- fs::directory_iterator end_iter;
- for ( fs::directory_iterator dir_itr( full_path );
- dir_itr != end_iter;
- ++dir_itr )
- {
- // cerr<<"Entry: '"<< dir_itr->leaf() <<"'"<<endl;
- if(ends_with(dir_itr->leaf(),".private")) {
- // cerr<<"Hit!"<<endl;
-
- if(dpk) {
- getRSAKeyFromISC(&dpk->d_key.getContext(), dir_itr->path().file_string().c_str());
-
- if(getNSEC3PARAM(zone)) {
- dpk->d_algorithm = 7;
- }
- else {
- dpk->d_algorithm = 5;
- }
-
- }
- return true;
- }
- }
-
- return false;
- #endif
}
unsigned int DNSSECKeeper::getNextKeyIDFromDir(const std::string& dirname)
fs::path full_path = fs::system_complete( fs::path(dirname));
if ( !fs::exists( full_path ) )
- unixDie("Unable to get free key id from '"+dirname+"'");
+ unixDie("Unable to get filname key id from '"+dirname+"'");
fs::directory_iterator end_iter;
pair<string, string> parts;
dir_itr != end_iter;
++dir_itr )
{
+ if(!ends_with(dir_itr->leaf(), ".private"))
+ continue;
parts = splitField(dir_itr->leaf(), '-');
if(atoi(parts.first.c_str()) == (signed int)id)
return dirname+"/"+dir_itr->leaf();
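Review bot: The reworded error at L49 introduces a typo and a message that no longer describes the failure (`"Unable to get filname key id from '"+dirname+"'"`); something like `unixDie("Unable to open key directory '"+dirname+"'")` states what actually went wrong, since the check is `fs::exists(full_path)`. The new `.private` filter at L55 narrows the scan, but `atoi(parts.first.c_str())` on the following lines still returns 0 for a file whose name does not start with a digit, so a stray `foo-bar.private` would match `id == 0` silently; rejecting names where `parts.first` is not all digits would make the lookup strict. The enclosing functions start outside the hunk, so whether L49 belongs to `getNextKeyIDFromDir` or to the filename lookup is inferred from the surrounding lines.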
string isc = dpk.d_key.convertToISC();
DNSKEYRecordContent drc = dpk.getDNSKEY();
- drc.d_flags = 256; // KSK
+ drc.d_flags = 256 + keyOrZone; // KSK
drc.d_algorithm = algorithm;
string iscName=d_dirname+"/"+name+"/keys/";
unsigned int id = getNextKeyIDFromDir(iscName);
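Review bot: The `// KSK` comment at L63 is now wrong: `256 + keyOrZone` yields 256 (ZSK, ZONE flag only) or 257 (KSK, ZONE+SEP) depending on `keyOrZone`, and the comment should say so, e.g. `// 256 = ZONE flag; +1 sets the SEP bit for a KSK`. Since `getDNSKEY()` now derives the record's flags from `d_flags` (L109), setting `dpk.d_flags = 256 + keyOrZone;` before the `dpk.getDNSKEY()` call at L61 and dropping the post-hoc assignment to `drc.d_flags` would keep the private key object and the emitted DNSKEY in agreement instead of patching the record afterwards. The enclosing function starts outside the hunk.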
void DNSSECKeeper::removeKey(const std::string& zname, unsigned int id)
{
- string fname = getKeyFilenameById(d_dirname+"/keys/", id);
+ string fname = getKeyFilenameById(d_dirname+"/"+zname+"/keys", id);
if(unlink(fname.c_str()) < 0)
unixDie("removing key file '"+fname+"'");
}
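Review bot: The new path at L70 concatenates `zname` straight into the filesystem path that is then passed to `unlink()`, with no check that the zone name is a single path component; a name containing `/` or `..` would resolve outside the key repository. The same construction is added at L77 and L84 (`deactivateKey`, `activateKey`), where the result is fed to `rename()`. A guard such as `if(zname.find('/') != string::npos || zname == "..") throw runtime_error("invalid zone name '"+zname+"'");` before building `fname`, or a shared helper that validates and builds `d_dirname+"/"+zname+"/keys/"` once, would cover all three call sites. Note also that L70 omits the trailing slash the other two use; `getKeyFilenameById` appends `"/"+leaf` itself (L59), so all three work, but the inconsistency is worth aligning.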
void DNSSECKeeper::deactivateKey(const std::string& zname, unsigned int id)
{
- string fname = getKeyFilenameById(d_dirname+"/keys/", id);
+ string fname = getKeyFilenameById(d_dirname+"/"+zname+"/keys/", id);
string newname = boost::replace_last_copy(fname, ".active", ".passive");
if(rename(fname.c_str(), newname.c_str()) < 0)
unixDie("renaming file to deactivate key, from: '"+fname+"' to '"+newname+"'");
void DNSSECKeeper::activateKey(const std::string& zname, unsigned int id)
{
- string fname = getKeyFilenameById(d_dirname+"/keys/", id);
+ string fname = getKeyFilenameById(d_dirname+"/"+zname+"/keys/", id);
string newname = boost::replace_last_copy(fname, ".passive", ".active");
if(rename(fname.c_str(), newname.c_str()) < 0)
unixDie("renaming file to deactivate key, from: '"+fname+"' to '"+newname+"'");
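Review bot: The error message on the line after the changed path in `activateKey` still says "renaming file to deactivate key" although this function renames `.passive` to `.active`; it reads as a copy-paste of `deactivateKey` and will mislead whoever reads the log. Change it to `unixDie("renaming file to activate key, from: '"+fname+"' to '"+newname+"'");`. The function's closing brace is outside the hunk.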
else {
dpk.d_algorithm = 5;
}
-
struct tm ts1, ts2;
memset(&ts1, 0, sizeof(ts1));
kmd.fname = dir_itr->leaf();
kmd.active = kmd.fname.find(".active") != string::npos;
kmd.keyOrZone = kmd.fname.find(".ksk") != string::npos;
+
+ dpk.d_flags = 256 + kmd.keyOrZone; // this is a clear sign we've got our abstractions wrong! FIXME XXX
+
if(boost::indeterminate(allOrKeyOrZone) || allOrKeyOrZone == kmd.keyOrZone)
keyset.push_back(make_pair(dpk, kmd));
}
return keyset;
}
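Review bot: The added assignment at L98 relies on bool-to-int promotion of `kmd.keyOrZone` to pick 256 or 257, and the comment attached to it records frustration rather than the rule; `dpk.d_flags = kmd.keyOrZone ? 257 : 256; // ZONE flag, plus SEP for a KSK` says what the value means. Because `getDNSKEY()` now reads `d_flags` (L109), this assignment must stay ahead of any `getDNSKEY()` call on `dpk`; the current placement before `keyset.push_back` satisfies that, but a one-line comment noting the dependency would stop a later reorder from silently producing ZSK-flagged KSK records. The enclosing loop and function start outside the hunk.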
-DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY()
+DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY() const
{
- return makeDNSKEYFromRSAKey(&d_key.getContext(), d_algorithm);
+ return makeDNSKEYFromRSAKey(&d_key.getConstContext(), d_algorithm, d_flags);
}
#include "packetcache.hh"
#include "utility.hh"
#include "dnssecinfra.hh"
+#include "dnsseckeeper.hh"
#include <cstdio>
#include <cstring>
#include <cstdlib>
outpacket=shared_ptr<DNSPacket>(q->replyPacket());
outpacket->addRecord(soa); // AXFR format begins and ends with a SOA record, so we add one
// sendPacket(outpacket, outsock);
+ typedef map<string, set<uint16_t>, CanonicalCompare> nsecrepo_t;
+ nsecrepo_t nsecrepo;
+ // this is where the DNSKEYs go
+
+ DNSSECKeeper dk(::arg()["key-repository"]);
+ DNSSECKeeper::keyset_t keys = dk.getKeys(target);
+ BOOST_FOREACH(const DNSSECKeeper::keyset_t::value_type& value, keys) {
+ rr.qname = target;
+ rr.qtype = QType(QType::DNSKEY);
+ rr.ttl = 3600;
+ rr.content = value.first.getDNSKEY().getZoneRepresentation();
+ nsecrepo[rr.qname].insert(rr.qtype.getCode());
+ outpacket->addRecord(rr);
+ }
/* now write all other records */
outpacket->setCompress(false);
outpacket->d_dnssecOk=true; // WRONG
- typedef map<string, set<uint16_t>, CanonicalCompare> nsecrepo_t;
- nsecrepo_t nsecrepo;
+
while(B->get(rr)) {
if(rr.auth || rr.qtype.getCode() == QType::NS)