From e242fa6542b3eb66e00593921ba0fd69a6811fcb Mon Sep 17 00:00:00 2001
From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Sat, 19 Jun 2010 12:13:14 +0000
Subject: [PATCH] fix up algorithm 5 and 7 confusion, make sure that basis
 comparisons against BIND again give identical answers.

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1645 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
 pdns/dnsseckeeper.cc | 29 +++++++++++++++--------------
 pdns/dnsseckeeper.hh |  4 ++--
 pdns/pdnssec.cc      | 40 ++++++++++++++++++++--------------------
 3 files changed, 37 insertions(+), 36 deletions(-)

diff --git a/pdns/dnsseckeeper.cc b/pdns/dnsseckeeper.cc
index 996767047..7bfe76b72 100644
--- a/pdns/dnsseckeeper.cc
+++ b/pdns/dnsseckeeper.cc
@@ -78,6 +78,14 @@ bool DNSSECKeeper::haveKSKFor(const std::string& zone, DNSSECPrivateKey* dpk)
 
       if(dpk) {
 	getRSAKeyFromISC(&dpk->d_key.getContext(), dir_itr->path().file_string().c_str());
+	
+	if(getNSEC3PARAM(zone)) {
+	  dpk->d_algorithm = 7;
+	}
+	else {
+	  dpk->d_algorithm = 5;
+	}
+
       }
       return true;
     }
@@ -86,7 +94,7 @@ bool DNSSECKeeper::haveKSKFor(const std::string& zone, DNSSECPrivateKey* dpk)
   return false;
 }
 
-void DNSSECKeeper::addZSKFor(const std::string& name, bool next)
+void DNSSECKeeper::addZSKFor(const std::string& name, int algorithm, bool next)
 {
   DNSSECPrivateKey dpk;
   dpk.d_key.create(1024); // for testing, 1024
@@ -94,7 +102,7 @@ void DNSSECKeeper::addZSKFor(const std::string& name, bool next)
   string isc = dpk.d_key.convertToISC();
   DNSKEYRecordContent drc = dpk.getDNSKEY();
   drc.d_flags = 256; // KSK
-  
+  drc.d_algorithm = algorithm; 
   string iscName=d_dirname+"/"+name+"/zsks/";
   time_t inception=getCurrentInception();
   time_t end=inception+14*86400;
@@ -125,7 +133,7 @@ void DNSSECKeeper::addZSKFor(const std::string& name, bool next)
 
   {  
     ofstream dnskeyFile((iscName+".dnskey").c_str());
-    dnskeyFile << name << " IN DNSKEY " << drc.getZoneRepresentation()<<endl;
+    dnskeyFile << toCanonic("", name) << " IN DNSKEY " << drc.getZoneRepresentation()<<endl;
   }
 
 }
@@ -145,7 +153,7 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 {
   fs::path full_path = fs::system_complete( fs::path(d_dirname + "/" + zname + "/nsec3param" ) );
   ifstream ifs(full_path.external_directory_string().c_str());
-  cerr<<"called for nsec3param..."<<endl;
+  // cerr<<"called for nsec3param..."<<endl;
   if(!ifs)
     return false;
     
@@ -161,13 +169,6 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
     delete tmp;
     
     cerr<<"hmm salt: "<<makeHexDump(ns3p->d_salt)<<endl;
-/*
-    ns3p->d_algorithm=1;
-    ns3p->d_iterations= 100;
-    ns3p->d_salt.assign("\xab\xcd", 2);
-    ns3p->d_saltlength=2;
-    ns3p->d_flags=0;
-    */
   }
   return true;
 }
@@ -252,7 +253,7 @@ DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY()
 }
 
 
-void DNSSECKeeper::addZone(const std::string& name)
+void DNSSECKeeper::secureZone(const std::string& name, int algorithm)
 {
   mkdir((d_dirname+"/"+name).c_str(), 0700);
   mkdir((d_dirname+"/"+name+"/ksks").c_str(), 0700);
@@ -265,7 +266,7 @@ void DNSSECKeeper::addZone(const std::string& name)
   string isc = dpk.d_key.convertToISC();
   DNSKEYRecordContent drc = dpk.getDNSKEY();
   drc.d_flags = 257; // ZSK
-  
+  drc.d_algorithm = algorithm;  
   string iscName=d_dirname+"/"+name+"/ksks/";
 
   time_t now=time(0);
@@ -283,7 +284,7 @@ void DNSSECKeeper::addZone(const std::string& name)
 
   {  
     ofstream dnskeyFile((iscName+".dnskey").c_str());
-    dnskeyFile << name << " IN DNSKEY " << drc.getZoneRepresentation()<<endl;
+    dnskeyFile << toCanonic("", name) << " IN DNSKEY " << drc.getZoneRepresentation()<<endl;
   }
 
 }
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 3ac5b372c..f76d2c6de 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -94,10 +94,10 @@ public:
   
   typedef std::vector<std::pair<DNSSECPrivateKey, KeyMetaData> > zskset_t;
   zskset_t getZSKsFor(const std::string& zone, bool all=false);
-  void addZSKFor(const std::string& zname, bool next=false);
+  void addZSKFor(const std::string& zname, int algorithm, bool next=false);
   void deleteZSKFor(const std::string& zname, const std::string& fname);
 
-  void addZone(const std::string& fname);
+  void secureZone(const std::string& fname, int algorithm);
   bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0);
   void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent* n3p);
 
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index c71a8b902..a92fcece9 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -187,17 +187,17 @@ try
     
     
     if(!zskset.empty())  {
-      cerr<<"There were ZSKs already for zone '"<<zone<<"': "<<endl;
+      cout<<"There were ZSKs already for zone '"<<zone<<"': "<<endl;
       
       BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-        cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<<humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
+        cout<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<<humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
         if(value.second.active) 
           inforce++;
         if(value.second.endValidity < now - 2*86400) { // 'expired more than two days ago'  
-          cerr<<"\tThis key is no longer used and too old to keep around, deleting!\n";
+          cout<<"\tThis key is no longer used and too old to keep around, deleting!\n";
           dk.deleteZSKFor(zone, value.second.fname);
         } else if(value.second.endValidity < now) { // 'expired more than two days ago'  
-          cerr<<"\tThis key is no longer in active use, but needs to linger\n";
+          cout<<"\tThis key is no longer in active use, but needs to linger\n";
         }
       }
     }
@@ -206,17 +206,17 @@ try
       cerr << "Two or more ZSKs were active already, not generating a third" << endl;
       return 0;
     }
-    dk.addZSKFor(zone);
-    dk.addZSKFor(zone, true); // 'next'
+    dk.addZSKFor(zone, 5);
+    dk.addZSKFor(zone, 5, true); // 'next'
 
     zskset = dk.getZSKsFor(zone);
     if(zskset.empty()) {
       cerr<<"This should not happen, still no ZSK!"<<endl;
     }
 
-    cerr<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
+    cout<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
     BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-      cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
+      cout<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
     }
 
   }
@@ -232,10 +232,10 @@ try
       cerr << "No KSK for zone '"<<zone<<"'."<<endl;
     }
     else {
-      cerr<<"KSK present:"<<endl;
-      cerr<<"Tag = "<<dpk.getDNSKEY().getTag()<<endl;
-      cerr<<"KSK DNSKEY = "<<zone<<" IN DNSKEY "<< dpk.getDNSKEY().getZoneRepresentation() << endl;
-      cerr<<"DS = "<<zone<<" IN DS "<<makeDSFromDNSKey(zone, dpk.getDNSKEY()).getZoneRepresentation() << endl << endl;
+      cout<<"KSK present:"<<endl;
+      cout<<"Tag = "<<dpk.getDNSKEY().getTag()<<endl;
+      cout<<"KSK DNSKEY = "<<zone<<" IN DNSKEY "<< dpk.getDNSKEY().getZoneRepresentation() << endl;
+      cout<<"DS = "<<zone<<" IN DS "<<makeDSFromDNSKey(zone, dpk.getDNSKEY()).getZoneRepresentation() << endl << endl;
     }
     
     
@@ -245,9 +245,9 @@ try
       cerr << "No ZSKs for zone '"<<zone<<"'."<<endl;
     }
     else {  
-      cerr << "ZSKs for zone '"<<zone<<"':"<<endl;
+      cout << "ZSKs for zone '"<<zone<<"':"<<endl;
       BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-        cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<< humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
+        cout<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<", "<< humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;
       }
     }
   }
@@ -264,12 +264,12 @@ try
       return 0;
     }
       
-    dk.addZone(zone);
+    dk.secureZone(zone, 5);
 
     if(!dk.haveKSKFor(zone, &dpk)) {
       cerr << "This should not happen, still no key!" << endl;
     }
-    cerr<<"Created KSK with tag "<<dpk.getDNSKEY().getTag()<<endl;
+    cout<<"Created KSK with tag "<<dpk.getDNSKEY().getTag()<<endl;
   
     DNSSECKeeper::zskset_t zskset=dk.getZSKsFor(zone);
 
@@ -278,17 +278,17 @@ try
       return 0;
     }
       
-    dk.addZSKFor(zone);
-    dk.addZSKFor(zone, true); // 'next'
+    dk.addZSKFor(zone, 5);
+    dk.addZSKFor(zone, 5, true); // 'next'
 
     zskset = dk.getZSKsFor(zone);
     if(zskset.empty()) {
       cerr<<"This should not happen, still no ZSK!"<<endl;
     }
 
-    cerr<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
+    cout<<"There are now "<<zskset.size()<<" ZSKs"<<endl;
     BOOST_FOREACH(DNSSECKeeper::zskset_t::value_type value, zskset) {
-      cerr<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
+      cout<<"Tag = "<<value.first.getDNSKEY().getTag()<<"\tActive: "<<value.second.active<<endl;
     }
   }
   else {
-- 
2.50.1