return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", vector<string>());
}
+/**
+ * Add domainmetadata to allow publishing CDS records for zone zname
+ *
+ * @param zname DNSName of the zone
+ * @param digestAlgos string with comma-separated numbers that describe the
+ * used digest algorithms. This is copied to the database
+ * verbatim
+ * @return true if the data was inserted, false otherwise
+ */
+bool DNSSECKeeper::setPublishCDS(const DNSName& zname, const string& digestAlgos)
+{
+ clearCaches(zname);
+ vector<string> meta;
+ meta.push_back(digestAlgos);
+ return d_keymetadb->setDomainMetadata(zname, "PUBLISH_CDS", meta);
+}
+
+/**
+ * Remove domainmetadata to stop publishing CDS records for zone zname
+ *
+ * @param zname DNSName of the zone
+ * @return true if the operation was successful, false otherwise
+ */
+bool DNSSECKeeper::unsetPublishCDS(const DNSName& zname)
+{
+ clearCaches(zname);
+ return d_keymetadb->setDomainMetadata(zname, "PUBLISH_CDS", vector<string>());
+}
+
/**
* Add domainmetadata to allow publishing CDNSKEY records.for zone zname
*
bool unsetPresigned(const DNSName& zname);
bool setPublishCDNSKEY(const DNSName& zname);
bool unsetPublishCDNSKEY(const DNSName& zname);
+ bool setPublishCDS(const DNSName& zname, const string& digestAlgos);
+ bool unsetPublishCDS(const DNSName& zname);
bool TSIGGrantsAccess(const DNSName& zone, const DNSName& keyname);
bool getTSIGForAccess(const DNSName& zone, const string& master, DNSName* keyname);
return haveOne;
}
+/**
+ * This adds CDS records to the answer packet r.
+ *
+ * @param p Pointer to the DNSPacket containing the original question.
+ * @param r Pointer to the DNSPacket where the records should be inserted into.
+ * @param sd SOAData of the zone for which CDS records sets should be added,
+ * used to determine record TTL.
+ * @return bool that shows if any records were added.
+**/
+bool PacketHandler::addCDS(DNSPacket *p, DNSPacket *r, const SOAData& sd)
+{
+ string publishCDS;
+ d_dk.getFromMeta(p->qdomain, "PUBLISH_CDS", publishCDS);
+ if (publishCDS.empty())
+ return false;
+
+ vector<string> digestAlgos;
+ stringtok(digestAlgos, publishCDS, ", ");
+
+ DNSResourceRecord rr;
+ rr.qtype=QType::CDS;
+ rr.ttl=sd.default_ttl;
+ rr.qname=p->qdomain;
+ rr.auth=true;
+
+ bool haveOne=false;
+ DNSSECPrivateKey dpk;
+
+ DNSSECKeeper::keyset_t keyset = d_dk.getKeys(p->qdomain);
+
+ for(auto value : keyset) {
+ if (!value.second.keyOrZone) {
+ // Don't send out CDS records for ZSKs
+ continue;
+ }
+ for(auto digestAlgo : digestAlgos){
+ rr.content=makeDSFromDNSKey(p->qdomain, value.first.getDNSKEY(), lexical_cast<int>(digestAlgo)).getZoneRepresentation();
+ r->addRecord(rr);
+ haveOne=true;
+ }
+ }
+
+ if(::arg().mustDo("direct-dnskey")) {
+ B.lookup(QType(QType::CDS), p->qdomain, p, sd.domain_id);
+
+ while(B.get(rr)) {
+ rr.ttl=sd.default_ttl;
+ r->addRecord(rr);
+ haveOne=true;
+ }
+ }
+
+ return haveOne;
+}
/** This adds NSEC3PARAM records. Returns true if one was added */
bool PacketHandler::addNSEC3PARAM(DNSPacket *p, DNSPacket *r, const SOAData& sd)
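Review bot: `lexical_cast<int>(digestAlgo)` on L80 runs inside the query path and throws on any non-numeric token, so a PUBLISH_CDS value such as `sha256` (the `set-publish-cds` command stores its argument verbatim and `set-meta` can write anything) makes every CDS and apex ANY query for that zone raise from inside addCDS instead of producing an answer. Parse the list once before the key loop and skip tokens that fail to convert (catching `bad_lexical_cast`, assuming this is boost's lexical_cast); what `makeDSFromDNSKey` does with an unknown digest number is not visible here, so that call may need the same guard. While there, `value.first.getDNSKEY()` is recomputed for every digest, `for(auto value : keyset)` copies each key pair, and `dpk` on L70 is unused. The rewritten middle of the function would look like this:

```cpp
bool PacketHandler::addCDS(DNSPacket *p, DNSPacket *r, const SOAData& sd)
{
  // … unchanged: PUBLISH_CDS lookup, stringtok into digestAlgos, rr setup …

  // Convert the digest list once, outside the key loop, so a malformed
  // metadata token cannot throw from the per-query answer path.
  vector<int> digestIds;
  for(const auto& digestAlgo : digestAlgos) {
    try {
      digestIds.push_back(lexical_cast<int>(digestAlgo));
    }
    catch(const bad_lexical_cast&) {
      // Ignore tokens that are not numbers; PUBLISH_CDS is stored unvalidated.
    }
  }

  bool haveOne=false;
  DNSSECKeeper::keyset_t keyset = d_dk.getKeys(p->qdomain);

  for(const auto& value : keyset) {
    if (!value.second.keyOrZone) {
      // Don't send out CDS records for ZSKs
      continue;
    }
    const auto dnskey = value.first.getDNSKEY(); // hoisted: same key for every digest
    for(int digestId : digestIds) {
      rr.content=makeDSFromDNSKey(p->qdomain, dnskey, digestId).getZoneRepresentation();
      r->addRecord(rr);
      haveOne=true;
    }
  }

  // … unchanged: direct-dnskey backend lookup and return …
```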
d_dk.getFromMeta(name, "PUBLISH_CDNSKEY", publishCDNSKEY);
if (publishCDNSKEY == "1")
nrc.d_set.insert(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getFromMeta(name, "PUBLISH_CDS", publishCDS);
+ if (! publishCDS.empty())
+ nrc.d_set.insert(QType::CDS);
}
DNSResourceRecord rr;
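Review bot: The apex NSEC bitmap now advertises CDS whenever PUBLISH_CDS is non-empty (L105-L106), but addCDS only emits CDS records when the zone has at least one key with `keyOrZone` set (or backend CDS rows under `direct-dnskey`), so a zone with the metadata set but no KSK answers a CDS query with no data while its NSEC claims the type exists. A validating resolver will then be unable to prove that NODATA answer, since the bitmap contradicts it. Either gate the bitmap on the same condition (for example only insert `QType::CDS` when `d_dk.getKeys(name)` contains a KSK) or document that PUBLISH_CDS must not be set on zones without a KSK. The identical test is repeated in the NSEC3 branch below, so the check is best factored into one helper used by both and by addCDS.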
d_dk.getFromMeta(name, "PUBLISH_CDNSKEY", publishCDNSKEY);
if (publishCDNSKEY == "1")
n3rc.d_set.insert(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getFromMeta(name, "PUBLISH_CDS", publishCDS);
+ if (! publishCDS.empty())
+ n3rc.d_set.insert(QType::CDS);
}
B.lookup(QType(QType::ANY), name, NULL, sd.domain_id);
if(pdns_iequals(sd.qname, p->qdomain)) {
addDNSKEY(p, r, sd);
addDNSKEY(p, r, sd, true);
+ addCDS(p, r, sd);
addNSEC3PARAM(p, r, sd);
}
}
if(addDNSKEY(p,r, sd, true))
goto sendit;
}
+ else if(p->qtype.getCode() == QType::CDS)
+ {
+ if(addCDS(p,r, sd))
+ goto sendit;
+ }
else if(p->qtype.getCode() == QType::NSEC3PARAM)
{
if(addNSEC3PARAM(p,r, sd))
void addRootReferral(DNSPacket *r);
int doChaosRequest(DNSPacket *p, DNSPacket *r, DNSName &target);
bool addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd, bool doCDNSKEY);
+ bool addCDS(DNSPacket *p, DNSPacket *r, const SOAData& sd);
bool addNSEC3PARAM(DNSPacket *p, DNSPacket *r, const SOAData& sd);
int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd, bool retargeted);
void addNSECX(DNSPacket *p, DNSPacket* r, const DNSName &target, const DNSName &wildcard, const DNSName &auth, int mode);
cerr<<"set-nsec3 ZONE ['params' [narrow]] Enable NSEC3 with PARAMs. Optionally narrow"<<endl;
cerr<<"set-presigned ZONE Use presigned RRSIGs from storage"<<endl;
cerr<<"set-publish-cdnskey ZONE Enable sending CDNSKEY responses for ZONE"<<endl;
+ cerr<<"set-publish-cds ZONE [DIGESTALGOS] Enable sending CDS responses for ZONE, using DIGESTALGOS as signature algirithms"<<endl;
+ cerr<<" DIGESTALGORITHMS should be a comma separated list of numbers, is is '1,2' by default"<<endl;
cerr<<"set-meta ZONE KIND [value value ..]"<<endl;
cerr<<" Set zone metadata, optionally providing a value. Empty clears meta."<<endl;
cerr<<"show-zone ZONE Show DNSSEC (public) key details about a zone"<<endl;
cerr<<"unset-nsec3 ZONE Switch back to NSEC"<<endl;
cerr<<"unset-presigned ZONE No longer use presigned RRSIGs"<<endl;
cerr<<"unset-publish-cdnskey ZONE Disable sending CDNSKEY responses for ZONE"<<endl;
+ cerr<<"unset-publish-cds ZONE Disable sending CDS responses for ZONE"<<endl;
cerr<<"test-schema ZONE Test DB schema - will create ZONE"<<endl;
cerr<<desc<<endl;
return 0;
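Review bot: The new usage lines on L146-L147 describe the values as "signature algirithms" and call the argument DIGESTALGOS on one line and DIGESTALGORITHMS on the next, but the list is passed to makeDSFromDNSKey as DS digest type numbers, not signature algorithms. Suggest `cerr<<"set-publish-cds ZONE [DIGESTALGOS] Enable sending CDS responses for ZONE, using DIGESTALGOS as DS digest types"<<endl;` and `cerr<<"                                   DIGESTALGOS should be a comma separated list of DS digest type numbers, it is '1,2' by default"<<endl;` (this also fixes "is is"). Since nothing validates the value before it is stored, naming the accepted numbers here would spare users a failure that only shows up at query time.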
}
return 0;
}
+ else if(cmds[0]=="set-publish-cds") {
+ if(cmds.size() < 2) {
+ cerr<<"Syntax: pdnssec set-publish-cds ZONE [DIGESTALGOS]"<<endl;
+ return 0;
+ }
+
+ // If DIGESTALGOS is unset
+ if(cmds.size() == 2)
+ cmds.push_back("1,2");
+
+ if (! dk.setPublishCDS(cmds[1], cmds[2])) {
+ cerr << "Could not set publishing for CDS records for "<< cmds[1]<<endl;
+ return 1;
+ }
+ return 0;
+ }
else if(cmds[0]=="unset-presigned") {
if(cmds.size() < 2) {
cerr<<"Syntax: pdnssec unset-presigned ZONE"<<endl;
}
return 0;
}
+ else if(cmds[0]=="unset-publish-cds") {
+ if(cmds.size() < 2) {
+ cerr<<"Syntax: pdnssec unset-publish-cds ZONE"<<endl;
+ return 0;
+ }
+ if (! dk.unsetPublishCDS(cmds[1])) {
+ cerr << "Could not unset publishing for CDS records for "<< cmds[1]<<endl;
+ return 1;
+ }
+ return 0;
+ }
else if(cmds[0]=="hash-zone-record") {
if(cmds.size() < 3) {
cerr<<"Syntax: pdnssec hash-zone-record ZONE RNAME"<<endl;
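Review bot: `set-publish-cds` hands cmds[2] to `dk.setPublishCDS` unchecked on L171, so `pdnssec set-publish-cds example.com sha256` reports success and the bad value only surfaces later, on every CDS query, when addCDS calls lexical_cast on the token; reject anything that is not a comma-separated list of integers here, before it reaches the database. The default pushed on L169, `"1,2"`, also publishes a SHA-1 (digest type 1) CDS next to the SHA-256 one; current guidance (RFC 8624) says SHA-1 DS digests must no longer be generated, so consider defaulting to `"2"` or at least documenting why type 1 is included. addCDS already splits the value with `stringtok(..., ", ")`, so the check below should use the same call to stay consistent (assuming stringtok is in scope in this file):

```cpp
  else if(cmds[0]=="set-publish-cds") {
    // … unchanged: syntax check and default "1,2" …

    // Refuse anything that is not a comma-separated list of integers now,
    // instead of storing it and failing on every CDS query later.
    vector<string> digestAlgos;
    stringtok(digestAlgos, cmds[2], ", ");
    if(digestAlgos.empty()) {
      cerr<<"DIGESTALGOS must be a comma separated list of DS digest type numbers"<<endl;
      return 1;
    }
    for(const auto& digestAlgo : digestAlgos) {
      if(digestAlgo.find_first_not_of("0123456789") != string::npos) {
        cerr<<"Invalid DS digest type '"<<digestAlgo<<"' in DIGESTALGOS"<<endl;
        return 1;
      }
    }

    if (! dk.setPublishCDS(cmds[1], cmds[2])) {
    // … unchanged: error report and return …
```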