if(dpk) {
getRSAKeyFromISC(&dpk->d_key.getContext(), dir_itr->path().file_string().c_str());
+
+ if(getNSEC3PARAM(zone)) {
+ dpk->d_algorithm = 7;
+ }
+ else {
+ dpk->d_algorithm = 5;
+ }
+
}
return true;
}
return false;
}
-void DNSSECKeeper::addZSKFor(const std::string& name, bool next)
+void DNSSECKeeper::addZSKFor(const std::string& name, int algorithm, bool next)
{
DNSSECPrivateKey dpk;
dpk.d_key.create(1024); // for testing, 1024
string isc = dpk.d_key.convertToISC();
DNSKEYRecordContent drc = dpk.getDNSKEY();
drc.d_flags = 256; // KSK
-
+ drc.d_algorithm = algorithm;
string iscName=d_dirname+"/"+name+"/zsks/";
time_t inception=getCurrentInception();
time_t end=inception+14*86400;
{
ofstream dnskeyFile((iscName+".dnskey").c_str());
- dnskeyFile << name << " IN DNSKEY " << drc.getZoneRepresentation()<<endl;
+ dnskeyFile << toCanonic("", name) << " IN DNSKEY " << drc.getZoneRepresentation()<<endl;
}
}
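Review bot: The new `algorithm` parameter is copied straight into the published DNSKEY at `drc.d_algorithm = algorithm;` with no check that it names an RSA algorithm, even though the key material is always RSA (`dpk.d_key.create(1024)`), so a caller passing any other number produces a DNSKEY whose algorithm field does not match its key encoding. A guard before the assignment, `if(algorithm != 5 && algorithm != 7) throw runtime_error("addZSKFor: unsupported DNSKEY algorithm");`, would fail loudly instead of writing an unverifiable key to disk. The untouched context line `drc.d_flags = 256; // KSK` also carries the wrong label: flags 256 is a ZSK (zone key bit only), 257 a KSK (SEP bit set), so the comment should read `// ZSK`. The 1024-bit size is marked "for testing" and is visibly hard-coded; it is pre-existing, but worth a TODO since the new parameter makes this the natural place to also take a key size. The leading context of this hunk may begin before the first line shown.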
{
fs::path full_path = fs::system_complete( fs::path(d_dirname + "/" + zname + "/nsec3param" ) );
ifstream ifs(full_path.external_directory_string().c_str());
- cerr<<"called for nsec3param..."<<endl;
+ // cerr<<"called for nsec3param..."<<endl;
if(!ifs)
return false;
delete tmp;
cerr<<"hmm salt: "<<makeHexDump(ns3p->d_salt)<<endl;
-/*
- ns3p->d_algorithm=1;
- ns3p->d_iterations= 100;
- ns3p->d_salt.assign("\xab\xcd", 2);
- ns3p->d_saltlength=2;
- ns3p->d_flags=0;
- */
}
return true;
}
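Review bot: The diagnostic `cerr<<"hmm salt: "<<makeHexDump(ns3p->d_salt)<<endl;` is still emitted on every successful NSEC3PARAM lookup, while the sibling debug line above it was commented out in this same hunk, so the clean-up is only half done and the getter keeps writing to stderr on what looks like a hot path for the signer. Either comment it out the same way, `// cerr<<"hmm salt: "<<makeHexDump(ns3p->d_salt)<<endl;`, or remove it; the salt is public data so nothing secret leaks, but noisy stderr output from a library getter hides real errors. The `delete tmp;` in the same span suggests manual ownership of a parsed record whose allocation is outside this hunk; the start of getNSEC3PARAM is not visible here.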
}
-void DNSSECKeeper::addZone(const std::string& name)
+void DNSSECKeeper::secureZone(const std::string& name, int algorithm)
{
mkdir((d_dirname+"/"+name).c_str(), 0700);
mkdir((d_dirname+"/"+name+"/ksks").c_str(), 0700);
string isc = dpk.d_key.convertToISC();
DNSKEYRecordContent drc = dpk.getDNSKEY();
drc.d_flags = 257; // ZSK
-
+ drc.d_algorithm = algorithm;
string iscName=d_dirname+"/"+name+"/ksks/";
time_t now=time(0);
{
ofstream dnskeyFile((iscName+".dnskey").c_str());
- dnskeyFile << name << " IN DNSKEY " << drc.getZoneRepresentation()<<endl;
+ dnskeyFile << toCanonic("", name) << " IN DNSKEY " << drc.getZoneRepresentation()<<endl;
}
}
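Review bot: secureZone now records the caller-supplied `algorithm` in the KSK's `.dnskey` file, but the loader earlier in this diff derives the algorithm at read time from `getNSEC3PARAM(zone)` (7 if an NSEC3PARAM exists, else 5), and the only caller shown passes the literal `5` regardless of zone state; that leaves two sources of truth for the same DNSKEY field, and a zone that has NSEC3PARAM set before it is secured will carry algorithm 5 on disk while being loaded as 7. Since the DS record hashes the DNSKEY RDATA including the algorithm byte, whichever of the two values is published must be the one used for `makeDSFromDNSKey`, otherwise the parent DS will not match; I cannot tell from this hunk which path feeds the served DNSKEY, so please confirm. The simplest fix is to make secureZone authoritative by deriving the value itself, e.g. `drc.d_algorithm = getNSEC3PARAM(name) ? 7 : 5;` when the caller passes 0, or to reject a mismatch with `if(getNSEC3PARAM(name) && algorithm != 7) throw runtime_error(...)`. The context line `drc.d_flags = 257; // ZSK` is mislabelled: 257 is the KSK (SEP) flag value, so the comment should read `// KSK`. Both 5 and 7 are RSA/SHA-1 algorithms; if RSASHA256 (8) is added later, the loader's two-way NSEC3 test will need replacing rather than extending.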
typedef std::vector<std::pair<DNSSECPrivateKey, KeyMetaData> > zskset_t;
zskset_t getZSKsFor(const std::string& zone, bool all=false);
- void addZSKFor(const std::string& zname, bool next=false);
+ void addZSKFor(const std::string& zname, int algorithm, bool next=false);
void deleteZSKFor(const std::string& zname, const std::string& fname);
- void addZone(const std::string& fname);
+ void secureZone(const std::string& fname, int algorithm);
bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0);
void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent* n3p);
if(!zskset.empty()) {
- cerr<<"There were ZSKs already for zone '"<<zone<<"': "<<endl;
+ cout<<"There were ZSKs already for zone '"<<zone<<"': "<<endl;
BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
- cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<<humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
+ cout<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<<humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
if(value.second.active)
inforce++;
if(value.second.endValidity < now - 2*86400) { // 'expired more than two days ago'
- cerr<<"\tThis key is no longer used and too old to keep around, deleting!\n";
+ cout<<"\tThis key is no longer used and too old to keep around, deleting!\n";
dk.deleteZSKFor(zone, value.second.fname);
} else if(value.second.endValidity < now) { // 'expired more than two days ago'
- cerr<<"\tThis key is no longer in active use, but needs to linger\n";
+ cout<<"\tThis key is no longer in active use, but needs to linger\n";
}
}
}
cerr << "Two or more ZSKs were active already, not generating a third" << endl;
return 0;
}
- dk.addZSKFor(zone);
- dk.addZSKFor(zone, true); // 'next'
+ dk.addZSKFor(zone, 5);
+ dk.addZSKFor(zone, 5, true); // 'next'
zskset = dk.getZSKsFor(zone);
if(zskset.empty()) {
cerr<<"This should not happen, still no ZSK!"<<endl;
}
- cerr<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
+ cout<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
- cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
+ cout<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
}
}
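Review bot: The two new calls `dk.addZSKFor(zone, 5);` and `dk.addZSKFor(zone, 5, true);` hard-code RSASHA1 even for zones that already have an NSEC3PARAM, where the loader in this same diff expects algorithm 7; publishing algorithm-5 ZSKs in an NSEC3 zone yields RRSIGs that validators treat as unknown-algorithm for the zone's denial-of-existence proofs. Compute the value once from zone state before the calls, `const int algorithm = dk.getNSEC3PARAM(zone) ? 7 : 5;`, and pass `algorithm` to both, so the tool and the key loader agree. The deletion at `dk.deleteZSKFor(zone, value.second.fname);` runs while iterating `zskset`, which is safe only because `getZSKsFor` returned a copy; a one-line comment saying so would stop a future change to a reference from introducing iterator invalidation. The enclosing function begins before this hunk.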
cerr << "No KSK for zone '"<<zone<<"'."<<endl;
}
else {
- cerr<<"KSK present:"<<endl;
- cerr<<"Tag = "<<dpk.getDNSKEY().getTag()<<endl;
- cerr<<"KSK DNSKEY = "<<zone<<" IN DNSKEY "<< dpk.getDNSKEY().getZoneRepresentation() << endl;
- cerr<<"DS = "<<zone<<" IN DS "<<makeDSFromDNSKey(zone, dpk.getDNSKEY()).getZoneRepresentation() << endl << endl;
+ cout<<"KSK present:"<<endl;
+ cout<<"Tag = "<<dpk.getDNSKEY().getTag()<<endl;
+ cout<<"KSK DNSKEY = "<<zone<<" IN DNSKEY "<< dpk.getDNSKEY().getZoneRepresentation() << endl;
+ cout<<"DS = "<<zone<<" IN DS "<<makeDSFromDNSKey(zone, dpk.getDNSKEY()).getZoneRepresentation() << endl << endl;
}
cerr << "No ZSKs for zone '"<<zone<<"'."<<endl;
}
else {
- cerr << "ZSKs for zone '"<<zone<<"':"<<endl;
+ cout << "ZSKs for zone '"<<zone<<"':"<<endl;
BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
- cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<< humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
+ cout<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<< humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
}
}
}
return 0;
}
- dk.addZone(zone);
+ dk.secureZone(zone, 5);
if(!dk.haveKSKFor(zone, &dpk)) {
cerr << "This should not happen, still no key!" << endl;
}
- cerr<<"Created KSK with tag "<<dpk.getDNSKEY().getTag()<<endl;
+ cout<<"Created KSK with tag "<<dpk.getDNSKEY().getTag()<<endl;
DNSSECKeeper::zskset_t zskset=dk.getZSKsFor(zone);
return 0;
}
- dk.addZSKFor(zone);
- dk.addZSKFor(zone, true); // 'next'
+ dk.addZSKFor(zone, 5);
+ dk.addZSKFor(zone, 5, true); // 'next'
zskset = dk.getZSKsFor(zone);
if(zskset.empty()) {
cerr<<"This should not happen, still no ZSK!"<<endl;
}
- cerr<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
+ cout<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
- cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
+ cout<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
}
}
else {