From 5209ee174acc101b37b3764d8242f05271d51a5a Mon Sep 17 00:00:00 2001 From: Peter van Dijk Date: Tue, 22 Dec 2015 11:29:50 +0100 Subject: [PATCH] allow combined signing key; drop default KSK --- pdns/common_startup.cc | 2 +- pdns/pdns.conf-dist | 2 +- pdns/pdnsutil.cc | 43 +++++++++++-------- .../tests/00dnssec-grabkeys/command | 2 +- .../tests/axfr/expected_result.dnssec | 1 - .../tests/axfr/expected_result.nsec3 | 1 - .../tests/axfr/expected_result.nsec3-optout | 1 - .../direct-dnskey/expected_result.dnssec | 1 - 8 files changed, 29 insertions(+), 24 deletions(-) diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index 57f913cff..06871f9d1 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -168,7 +168,7 @@ void declareArguments() ::arg().setSwitch("traceback-handler","Enable the traceback handler (Linux only)")="yes"; ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no"; - ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256"; + ::arg().set("default-ksk-algorithms","Default KSK algorithms")=""; ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0"; ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256"; ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0"; diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist index 7d119edf2..69ccfa6f4 100644 --- a/pdns/pdns.conf-dist +++ b/pdns/pdns.conf-dist @@ -97,7 +97,7 @@ ################################# # default-ksk-algorithms Default KSK algorithms # -# default-ksk-algorithms=rsasha256 +# default-ksk-algorithms= ################################# # default-ksk-size Default KSK size (0 means default) diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc index f32c03fe1..568ff3c25 100644 --- a/pdns/pdnsutil.cc +++ b/pdns/pdnsutil.cc 
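Review bot: The new empty default for `default-ksk-algorithms` changes what secure-zone produces — with no KSK algorithm the zone ends up with only a 256-flagged DNSKEY that has to serve as a combined signing key (the expected_result files in this patch lose their 257 key) — but the help text `"Default KSK algorithms"` is unchanged and does not say what the empty value means. Operators who derive DS records or trust anchors by selecting the 257-flagged DNSKEY, as the regression test script itself did before this patch, will find nothing to publish. Suggest `::arg().set("default-ksk-algorithms","Default KSK algorithms (empty: no separate KSK, the ZSK acts as a combined signing key)")="";` here, with the same wording in the loadMainConfig hunk of pdns/pdnsutil.cc and in the pdns/pdns.conf-dist comment.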
@@ -136,7 +136,7 @@ void loadMainConfig(const std::string& configdir) string configname=::arg()["config-dir"]+"/"+s_programname+".conf"; cleanSlashes(configname); - ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256"; + ::arg().set("default-ksk-algorithms","Default KSK algorithms")=""; ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0"; ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256"; ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0"; @@ -1193,18 +1193,14 @@ bool secureZone(DNSSECKeeper& dk, const DNSName& zone) throw runtime_error("KSK key size must be equal to or greater than 0"); } - if (k_algos.size() < 1) { - throw runtime_error("No algorithm(s) given for KSK"); + if (k_algos.size() < 1 && z_algos.size() < 1) { + throw runtime_error("Zero algorithms given for KSK+ZSK in total"); } if (z_size < 0) { throw runtime_error("ZSK key size must be equal to or greater than 0"); } - if (z_algos.size() < 1) { - throw runtime_error("No algorithm(s) given for ZSK"); - } - if(dk.isSecuredZone(zone)) { cerr << "Zone '"<::iterator i = k_algos.begin(); i != k_algos.end(); i++) { - if(!dk.addKey(zone, true, shorthand2algorithm(k_algos[0]), k_size, true)) { + for(auto &k_algo: k_algos) { + cout << "Adding KSK with algorithm " << k_algo << endl; + + int algo = shorthand2algorithm(k_algo); + + if(!dk.addKey(zone, true, algo, k_size, true)) { + cerr<<"No backend was able to secure '"<> trustedkeys + drill -p $port -o rd -D dnskey $zone @$nameserver | grep $'DNSKEY\t256' | grep -v 'RRSIG' | grep -v '^;' | grep -v AwEAAarTiHhPgvD28WCN8UBXcEcf8f >> trustedkeys fi echo "stub-zone:" >> unbound-host.conf echo " name: $zone" >> unbound-host.conf diff --git a/regression-tests/tests/axfr/expected_result.dnssec b/regression-tests/tests/axfr/expected_result.dnssec index 285d2d92d..3180d23bb 100644 --- a/regression-tests/tests/axfr/expected_result.dnssec 
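Review bot: In the new KSK loop of secureZone, `int algo = shorthand2algorithm(k_algo);` is handed to `dk.addKey` without checking that the shorthand was recognised, so a typo in `default-ksk-algorithms` (now an operator-supplied value rather than a built-in default) reaches the backend as whatever sentinel `shorthand2algorithm` returns for unknown names (-1, if I read dnssecinfra correctly) instead of producing a clear error. Suggest `if (algo < 0) throw runtime_error("Unknown algorithm '" + k_algo + "' for KSK");` before the `addKey` call, and presumably the same guard in the ZSK loop. The relaxed precondition `if (k_algos.size() < 1 && z_algos.size() < 1)` also admits a KSK-only configuration, where a lone 257-flagged key becomes the combined signing key; a comment on that line such as `// either list may be empty: a lone ZSK or lone KSK acts as a combined signing key` would record that this is intentional. The tail of this hunk, including the ZSK loop, is unreadable in this view, and secureZone starts and ends outside the hunk.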
+++ b/regression-tests/tests/axfr/expected_result.dnssec
@@ -11,7 +11,6 @@ dnssec-parent.com. 3600 IN RRSIG SOA 8 2 3600 [expiry] [inception] [keytag] dnss
 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 dnssec-parent.com. 86400 IN DNSKEY 256 3 8 ...
-dnssec-parent.com. 86400 IN DNSKEY 257 3 8 ...
 dnssec-parent.com. 86400 IN NSEC insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. A NS SOA RRSIG NSEC DNSKEY
 dnssec-parent.com. 86400 IN RRSIG DNSKEY 8 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 dnssec-parent.com. 86400 IN RRSIG NSEC 8 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
diff --git a/regression-tests/tests/axfr/expected_result.nsec3 b/regression-tests/tests/axfr/expected_result.nsec3
index fac00d14f..36fd81a52 100644
--- a/regression-tests/tests/axfr/expected_result.nsec3
+++ b/regression-tests/tests/axfr/expected_result.nsec3
@@ -13,7 +13,6 @@ dnssec-parent.com. 3600 IN RRSIG SOA 8 2 3600 [expiry] [inception] [keytag] dnss
 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 dnssec-parent.com. 86400 IN DNSKEY 256 3 8 ...
-dnssec-parent.com. 86400 IN DNSKEY 257 3 8 ...
 dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] A NS SOA RRSIG DNSKEY NSEC3PARAM
 dnssec-parent.com. 86400 IN NSEC3PARAM 1 0 1 abcd
 dnssec-parent.com. 86400 IN RRSIG DNSKEY 8 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
diff --git a/regression-tests/tests/axfr/expected_result.nsec3-optout b/regression-tests/tests/axfr/expected_result.nsec3-optout
index c1aac6784..f3298b94a 100644
--- a/regression-tests/tests/axfr/expected_result.nsec3-optout
+++ b/regression-tests/tests/axfr/expected_result.nsec3-optout
@@ -11,7 +11,6 @@ dnssec-parent.com. 3600 IN RRSIG SOA 8 2 3600 [expiry] [inception] [keytag] dnss
 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 dnssec-parent.com. 86400 IN DNSKEY 256 3 8 ...
-dnssec-parent.com. 86400 IN DNSKEY 257 3 8 ...
 dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] A NS SOA RRSIG DNSKEY NSEC3PARAM
 dnssec-parent.com. 86400 IN NSEC3PARAM 1 0 1 abcd
 dnssec-parent.com. 86400 IN RRSIG DNSKEY 8 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
diff --git a/regression-tests/tests/direct-dnskey/expected_result.dnssec b/regression-tests/tests/direct-dnskey/expected_result.dnssec
index e91b71279..477a963b1 100644
--- a/regression-tests/tests/direct-dnskey/expected_result.dnssec
+++ b/regression-tests/tests/direct-dnskey/expected_result.dnssec
@@ -1,5 +1,4 @@
 0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 257 3 8 ...
 0 example.com. IN RRSIG 86400 DNSKEY 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 2 . IN OPT 32768
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-- 
2.40.0