uint32_t getStartOfWeek();
void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace,
vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
- vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc, bool ksk);
+int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
+ vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc);
std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const std::string& qname);
void decodeDERIntegerSequence(const std::string& input, vector<string>& output);
/* this is where the RRSIGs begin, keys are retrieved,
but the actual signing happens in fillOutRRSIG */
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
- vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent>& rrcs, bool ksk)
+int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
+ vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent>& rrcs)
{
if(toSign.empty())
return -1;
rrc.d_algorithm = keymeta.first.d_algorithm;
if(!keymeta.second.active)
continue;
-
+
if(keymeta.second.keyOrZone)
KSKs.push_back(keymeta.first);
- else if(!ksk)
+ else
ZSKs.push_back(keymeta.first);
}
- if(ksk)
- signingKeys = &KSKs;
- else {
+ if(signQType == QType::DNSKEY) {
+ if(KSKs.empty())
+ signingKeys = &ZSKs;
+ else
+ signingKeys = &KSKs;
+ } else {
if(ZSKs.empty())
signingKeys = &KSKs;
else
- signingKeys =&ZSKs;
+ signingKeys = &ZSKs;
}
-
+
BOOST_FOREACH(DNSSECPrivateKey& dpk, *signingKeys) {
fillOutRRSIG(dpk, signQName, rrc, toSign);
rrcs.push_back(rrc);
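Review bot: After the new selection under `if(signQType == QType::DNSKEY)`, `signingKeys` can still point at an empty vector when a zone has keys but none is active (the `continue` at `if(!keymeta.second.active)` leaves both `KSKs` and `ZSKs` empty); the BOOST_FOREACH then produces no RRSIG at all and the function presumably returns success, so the caller in the later hunk (`if(getRRSIGsForRRSET(...) < 0)`) cannot tell that the RRset went out unsigned. Add `if(signingKeys->empty()) return -1;` directly before the BOOST_FOREACH so the condition is reported the same way as an empty `toSign` is at the top of the function. The role fallback is also undocumented; a comment above the `if(signQType == QType::DNSKEY)` line such as `// DNSKEY is signed with the KSKs, every other type with the ZSKs; if only one kind of active key exists it signs both` would make the intent explicit. getRRSIGsForRRSET's return statement lies outside this hunk.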
dk.getPreRRSIGs(db, signer, signQName, wildcardname, QType(signQType), signPlace, outsigned, origTTL); // does it all
}
else {
- if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs, signQType == QType::DNSKEY) < 0) {
+ if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs) < 0) {
// cerr<<"Error signing a record!"<<endl;
return;
}