[Opendnssec-commits] matthijs r7165 - in branches/OpenDNSSEC-CDS: . conf m4 signer/src/parser signer/src/shared signer/src/signer



Author: matthijs
Date: Mon Jun 24 07:24:42 2013
New Revision: 7165
URL: http://fisheye.opendnssec.org/changelog/opendnssec?cs=7165

Log:
CDS

Added:
   branches/OpenDNSSEC-CDS/
      - copied from r7137, branches/OpenDNSSEC-enforcer-ng/
Modified:
   branches/OpenDNSSEC-CDS/conf/kasp.rnc
   branches/OpenDNSSEC-CDS/conf/kasp.xml.in
   branches/OpenDNSSEC-CDS/conf/signconf.rnc
   branches/OpenDNSSEC-CDS/conf/signconf.xml.in
   branches/OpenDNSSEC-CDS/m4/opendnssec_common.m4
   branches/OpenDNSSEC-CDS/signer/src/parser/signconfparser.c
   branches/OpenDNSSEC-CDS/signer/src/shared/hsm.c
   branches/OpenDNSSEC-CDS/signer/src/shared/util.c
   branches/OpenDNSSEC-CDS/signer/src/signer/domain.c
   branches/OpenDNSSEC-CDS/signer/src/signer/keys.c
   branches/OpenDNSSEC-CDS/signer/src/signer/keys.h
   branches/OpenDNSSEC-CDS/signer/src/signer/rrset.c
   branches/OpenDNSSEC-CDS/signer/src/signer/zone.c

Modified: branches/OpenDNSSEC-CDS/conf/kasp.rnc
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/conf/kasp.rnc	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/conf/kasp.rnc	Mon Jun 24 07:24:42 2013	(r7165)
@@ -94,7 +94,11 @@
 
 				# use RFC 5011 for key rollover?
 				# Not implemented yet
-				element RFC5011 { empty }?
+				element RFC5011 { empty }?,
+
+				# use CDS for key rollover?
+				# Not implemented yet
+				element CDS { empty }?
 			}*,
 
 			# Zone Signing Keys (ZSK) parameters
@@ -114,7 +118,11 @@
 				
 				# use RFC 5011 for key rollover?
 				# Not implemented yet
-				element RFC5011 { empty }?
+				element RFC5011 { empty }?,
+
+				# use CDS for key rollover?
+				# Not implemented yet
+				element CDS { empty }?
 			}*
 		},
 

Modified: branches/OpenDNSSEC-CDS/conf/kasp.xml.in
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/conf/kasp.xml.in	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/conf/kasp.xml.in	Mon Jun 24 07:24:42 2013	(r7165)
@@ -54,6 +54,7 @@
 				<Algorithm length="2048">8</Algorithm>
 				<Lifetime>P1Y</Lifetime>
 				<Repository>SoftHSM</Repository>
+				<CDS/>
 			</KSK>
 
 			<!-- Parameters for ZSK only -->

Modified: branches/OpenDNSSEC-CDS/conf/signconf.rnc
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/conf/signconf.rnc	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/conf/signconf.rnc	Mon Jun 24 07:24:42 2013	(r7165)
@@ -76,7 +76,11 @@
 				element Publish { empty }?,
 				
 				# deactivate this key (i.e. do not recycle any signatures)
-				element Deactivate { empty }?
+				element Deactivate { empty }?,
+
+				# create CDS rr for this DNSKEY?
+				cds?
+
 			}*
 		},
 
@@ -116,4 +120,9 @@
 		}
 	}
 
+# CDS record
+cds = element CDS {
+		element	DigestType { algorithm }
+	}
+
 maxzonettl = element MaxZoneTTL { xsd:duration }

Modified: branches/OpenDNSSEC-CDS/conf/signconf.xml.in
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/conf/signconf.xml.in	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/conf/signconf.xml.in	Mon Jun 24 07:24:42 2013	(r7165)
@@ -36,6 +36,7 @@
 				<Locator>DFE7265B783F418685380AA784C2F31D</Locator>
 				<KSK/>
 				<Publish/>
+				<CDS><DigestType>1</DigestType></CDS>
 			</Key>
 
 			<Key>

Modified: branches/OpenDNSSEC-CDS/m4/opendnssec_common.m4
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/m4/opendnssec_common.m4	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/m4/opendnssec_common.m4	Mon Jun 24 07:24:42 2013	(r7165)
@@ -83,6 +83,7 @@
 AC_DEFINE_UNQUOTED(ODS_SE_MAX_BACKOFF,   [3600],                             [Number of seconds the OpenDNSSEC signer engine should backoff when a task failed])
 AC_DEFINE_UNQUOTED(ODS_SE_WORKERTHREADS, [4],                                [Default number of worker threads for the OpenDNSSEC signer engine])
 AC_DEFINE_UNQUOTED(ODS_SE_STOP_RESPONSE, ["Engine shut down."],              [Shutdown message for the OpenDNSSEC signer client])
+AC_DEFINE_UNQUOTED(ODS_SE_FILE_MAGIC_V4, [";OpenDNSSEC2.0-backup-v4"],       [File magic for storing backups from the OpenDNSSEC signer engine])
 AC_DEFINE_UNQUOTED(ODS_SE_FILE_MAGIC_V3, [";OpenDNSSEC-backup-v3"],          [File magic for storing backups from the OpenDNSSEC signer engine])
 AC_DEFINE_UNQUOTED(ODS_SE_FILE_MAGIC_V2, [";ODSSE2"],                        [File magic for storing backups from the OpenDNSSEC signer engine])
 AC_DEFINE_UNQUOTED(ODS_SE_FILE_MAGIC_V1, [";ODSSE1"],                        [File magic for storing backups from the OpenDNSSEC signer engine])

Modified: branches/OpenDNSSEC-CDS/signer/src/parser/signconfparser.c
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/parser/signconfparser.c	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/signer/src/parser/signconfparser.c	Mon Jun 24 07:24:42 2013	(r7165)
@@ -57,12 +57,14 @@
     xmlXPathContextPtr xpathCtx = NULL;
     xmlXPathObjectPtr xpathObj = NULL;
     xmlNode* curNode = NULL;
+    xmlNode* childNode = NULL;
     xmlChar* xexpr = NULL;
     key_type* new_key = NULL;
     keylist_type* kl = NULL;
     char* locator = NULL;
     char* flags = NULL;
     char* algorithm = NULL;
+    char* cds_digest_type = NULL;
     int ksk, zsk, publish, i;
 
     if (!cfgfile || !sc) {
@@ -101,6 +103,7 @@
             locator = NULL;
             flags = NULL;
             algorithm = NULL;
+            cds_digest_type = NULL;
             ksk = 0;
             zsk = 0;
             publish = 0;
@@ -117,6 +120,15 @@
                     ksk = 1;
                 } else if (xmlStrEqual(curNode->name, (const xmlChar *)"ZSK")) {
                     zsk = 1;
+                } else if (xmlStrEqual(curNode->name, (const xmlChar *)"CDS")) {
+                    childNode = curNode->children;
+                    while (childNode) {
+                        if (xmlStrEqual(childNode->name, (const xmlChar *)"DigestType")) {
+                            cds_digest_type = (char *) xmlNodeGetContent(childNode);
+                            childNode = NULL;
+                        }
+                        childNode = childNode->next;
+                    }
                 } else if (xmlStrEqual(curNode->name, (const xmlChar *)"Publish")) {
                     publish = 1;
                 }
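Review bot: The inner loop dereferences a null pointer as soon as a `DigestType` child is found: `childNode = NULL;` is followed unconditionally by `childNode = childNode->next;`, so every well-formed `<CDS>` element crashes the parser. Replace `childNode = NULL;` with `break;` so the loop leaves without touching the cleared pointer. The text fetched here is later converted with `atoi` and handed on unchecked; parsing it with `strtol` and rejecting values outside the 8-bit DS digest-type range would stop a malformed signconf from reaching the zone publisher. The enclosing parse function starts and ends outside this hunk.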
@@ -130,14 +142,15 @@
                     new_key->flags == (uint32_t) atoi(flags) &&
                     new_key->publish == publish &&
                     new_key->ksk == ksk &&
-                    new_key->zsk == zsk) {
+                    new_key->zsk == zsk,
+                    new_key->cds_digest_type == (int) atoi(cds_digest_type)) {
                     /* duplicate */
                     ods_log_warning("[%s] unable to push duplicate key %s "
                         "to keylist, skipping", parser_str, locator);
                 } else {
                     new_key = keylist_push(kl, locator,
                         (uint8_t) atoi(algorithm), (uint32_t) atoi(flags),
-                        publish, ksk, zsk);
+                        publish, ksk, zsk, (int) atoi(cds_digest_type));
                 }
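Review bot: The duplicate-key test on the lines ending `new_key->zsk == zsk,` and `new_key->cds_digest_type == (int) atoi(cds_digest_type)) {` is joined with the comma operator instead of `&&`, so the locator/algorithm/flags/ksk/zsk comparison is evaluated and discarded and only the digest type decides whether a key is treated as a duplicate. That line and `publish, ksk, zsk, (int) atoi(cds_digest_type));` both call `atoi` on `cds_digest_type`, which remains NULL for any `<Key>` without a `<CDS>` element (the common case), which is undefined behaviour and a crash on typical libcs. Suggested: `new_key->zsk == zsk &&`, `new_key->cds_digest_type == (cds_digest_type ? atoi(cds_digest_type) : 0)) {`, and the same guarded expression in the `keylist_push` call. The enclosing function starts and ends outside this hunk.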
             } else {
                 ods_log_error("[%s] unable to push key to keylist: <Key> "
@@ -147,6 +160,7 @@
             /* free((void*)locator); */
             free((void*)algorithm);
             free((void*)flags);
+            free((void*)cds_digest_type);
         }
     }
     xmlXPathFreeObject(xpathObj);

Modified: branches/OpenDNSSEC-CDS/signer/src/shared/hsm.c
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/shared/hsm.c	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/signer/src/shared/hsm.c	Mon Jun 24 07:24:42 2013	(r7165)
@@ -94,6 +94,10 @@
         /* DNSKEY still exists in zone */
         key->dnskey = NULL;
     }
+    if (key->cds) {
+        /* CDS still exists in zone */
+        key->cds = NULL;
+    }
     if (key->hsmkey) {
         hsm_key_free(key->hsmkey);
         key->hsmkey = NULL;

Modified: branches/OpenDNSSEC-CDS/signer/src/shared/util.c
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/shared/util.c	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/signer/src/shared/util.c	Mon Jun 24 07:24:42 2013	(r7165)
@@ -55,6 +55,7 @@
     }
     type = ldns_rr_get_type(rr);
     return (type == LDNS_RR_TYPE_RRSIG ||
+            type == LDNS_RR_TYPE_CDS ||
             type == LDNS_RR_TYPE_NSEC ||
             type == LDNS_RR_TYPE_NSEC3 ||
             type == LDNS_RR_TYPE_NSEC3PARAMS);

Modified: branches/OpenDNSSEC-CDS/signer/src/signer/domain.c
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/domain.c	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/signer/src/signer/domain.c	Mon Jun 24 07:24:42 2013	(r7165)
@@ -290,8 +290,9 @@
     rrset = domain->rrsets;
     while (rrset) {
         if (rrset->rrtype == LDNS_RR_TYPE_NSEC3PARAMS ||
-            rrset->rrtype == LDNS_RR_TYPE_DNSKEY) {
-            /* always do full diff on NSEC3PARAMS | DNSKEY RRset */
+            rrset->rrtype == LDNS_RR_TYPE_DNSKEY ||
+            rrset->rrtype == LDNS_RR_TYPE_CDS) {
+            /* always do full diff on NSEC3PARAMS | DNSKEY | CDS RRset */
             rrset_diff(rrset, 0);
         } else {
             rrset_diff(rrset, is_ixfr);

Modified: branches/OpenDNSSEC-CDS/signer/src/signer/keys.c
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/keys.c	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/signer/src/signer/keys.c	Mon Jun 24 07:24:42 2013	(r7165)
@@ -118,7 +118,8 @@
  */
 key_type*
 keylist_push(keylist_type* kl, const char* locator,
-    uint8_t algorithm, uint32_t flags, int publish, int ksk, int zsk)
+    uint8_t algorithm, uint32_t flags, int publish, int ksk, int zsk,
+    int digest_type)
 {
     key_type* keys_old = NULL;
     signconf_type* sc = NULL;
@@ -146,6 +147,8 @@
     kl->keys[kl->count -1].publish = publish;
     kl->keys[kl->count -1].ksk = ksk;
     kl->keys[kl->count -1].zsk = zsk;
+    kl->keys[kl->count -1].cds_digest_type = digest_type;
+    kl->keys[kl->count -1].cds    = NULL;
     kl->keys[kl->count -1].dnskey = NULL;
     kl->keys[kl->count -1].hsmkey = NULL;
     kl->keys[kl->count -1].params = NULL;
@@ -175,9 +178,16 @@
     if (key->zsk) {
         fprintf(fd, "\t\t\t\t<ZSK />\n");
     }
+    if (key->zsk) {
+        fprintf(fd, "\t\t\t\t<ZSK />\n");
+    }
     if (key->publish) {
         fprintf(fd, "\t\t\t\t<Publish />\n");
     }
+    if (key->cds_digest_type) {
+        fprintf(fd, "\t\t\t\t<CDS><DigestType>%d</DigestType></CDS>\n",
+            key->cds_digest_type);
+    }
     fprintf(fd, "\t\t\t</Key>\n");
     fprintf(fd, "\n");
     return;
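Review bot: The block `if (key->zsk) { fprintf(fd, "\t\t\t\t<ZSK />\n"); }` now appears twice in a row, so every ZSK is written with two `<ZSK />` elements in the printed signconf; drop the second copy. The `<CDS>` output that follows is consistent with the parser's expectations as far as the hunk shows. The enclosing print function starts outside this hunk.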
@@ -195,8 +205,9 @@
         return;
     }
     ods_log_debug("[%s] zone %s key: LOCATOR[%s] FLAGS[%u] ALGORITHM[%u] "
-        "KSK[%i] ZSK[%i] PUBLISH[%i]", key_str, name?name:"(null)", key->locator,
-        key->flags, key->algorithm, key->ksk, key->zsk, key->publish);
+        "KSK[%i] ZSK[%i] CDS[%i] PUBLISH[%i]", key_str, name?name:"(null)",
+        key->locator, key->flags, key->algorithm, key->ksk, key->zsk,
+        key->cds_digest_type, key->publish);
     return;
 }
 
@@ -248,6 +259,7 @@
         return;
     }
     /* ldns_rr_free(key->dnskey); */
+    /* ldns_rr_free(key->cds); */
     hsm_key_free(key->hsmkey);
     hsm_sign_params_free(key->params);
     free((void*) key->locator);
@@ -287,9 +299,10 @@
         return;
     }
     fprintf(fd, ";;Key: locator %s algorithm %u flags %u publish %i ksk %i "
-        "zsk %i\n", key->locator, (unsigned) key->algorithm,
-        (unsigned) key->flags, key->publish, key->ksk, key->zsk);
-    if (strcmp(version, ODS_SE_FILE_MAGIC_V2) == 0) {
+        "zsk %i cds %i\n", key->locator, (unsigned) key->algorithm,
+        (unsigned) key->flags, key->publish, key->ksk, key->zsk,
+        key->cds_digest_type);
+    if (strcmp(version, ODS_SE_FILE_MAGIC_V3) == 0) {
         if (key->dnskey) {
             (void)util_rr_print(fd, key->dnskey);
         }
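Review bot: The new `cds %i` field is written into the backup record unconditionally, while the version test on the following line only moves from `ODS_SE_FILE_MAGIC_V2` to `ODS_SE_FILE_MAGIC_V3`; the `ODS_SE_FILE_MAGIC_V4` magic this commit adds in `m4/opendnssec_common.m4` is not consulted here, so a file still carrying the V3 magic gains a field its readers do not expect. If only V4 backups are meant to carry the digest type, the `cds %i` output should be gated on `strcmp(version, ODS_SE_FILE_MAGIC_V4) == 0`; otherwise a comment stating that V4 is the only version this writer produces would make the relationship explicit. The enclosing function starts and ends outside this hunk.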
@@ -312,6 +325,7 @@
     int publish = 0;
     int ksk = 0;
     int zsk = 0;
+    int cds = 0;
 
     ods_log_assert(fd);
 
@@ -333,8 +347,12 @@
         }
         return NULL;
     }
+    if (!backup_read_check_str(fd, "cds") ||
+        !backup_read_int(fd, &cds)) {
+       ods_log_warning("[%s] CDS not in backup, default to 0", key_str);
+    }
     /* key ok */
-    return keylist_push(kl, locator, algorithm, flags, publish, ksk, zsk);
+    return keylist_push(kl, locator, algorithm, flags, publish, ksk, zsk, cds);
 }
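Review bot: When `backup_read_check_str(fd, "cds")` fails on a backup written before this change, the code logs a warning and continues with `cds == 0`, but whether the token consumed in place of `cds` is still available to the caller depends on `backup_read_check_str` rewinding on mismatch, which this hunk does not show; if it does not, the following `;;Key:` record would be misparsed, so that should be verified. The value read into `cds` is passed to `keylist_push` without a range check, although the DS digest type is an 8-bit field. The local `int cds` holds a digest type while the `key_type` member `cds` is an `ldns_rr*`; naming the local `cds_digest_type` as in the struct would avoid the mix-up, and the warning line is indented with three spaces rather than four. The enclosing function starts outside this hunk.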
 
 

Modified: branches/OpenDNSSEC-CDS/signer/src/signer/keys.h
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/keys.h	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/signer/src/signer/keys.h	Mon Jun 24 07:24:42 2013	(r7165)
@@ -55,6 +55,7 @@
 typedef struct key_struct key_type;
 struct key_struct {
     ldns_rr* dnskey;
+    ldns_rr* cds;
     hsm_key_t* hsmkey;
     hsm_sign_params_t* params;
     const char* locator;
@@ -63,6 +64,7 @@
     int publish;
     int ksk;
     int zsk;
+    int cds_digest_type;
 };
 
 /**
@@ -111,11 +113,13 @@
  * \param[in] publish if true, publish key as a DNSKEY
  * \param[in] ksk if true, sign DNSKEY RRset with this key
  * \param[in] zsk if true, sign all but DNSKEY RRset with this key
+ * \param[in] digest_type digest type for CDS RR
  * \return key_type* key
  *
  */
 key_type* keylist_push(keylist_type* kl, const char* locator,
-    uint8_t algorithm, uint32_t flags, int publish, int ksk, int zsk);
+    uint8_t algorithm, uint32_t flags, int publish, int ksk, int zsk,
+    int digest_type);
 
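Review bot: The new parameter line `\param[in] digest_type digest type for CDS RR` does not say what zero means, although the call sites in keys.c and zone.c (`if (key->cds_digest_type)`) treat zero as "no CDS record". Suggest `\param[in] digest_type DS digest type for the CDS RR, 0 if no CDS RR should be published for this key`.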
 /**
  * Print key list.

Modified: branches/OpenDNSSEC-CDS/signer/src/signer/rrset.c
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/rrset.c	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/signer/src/signer/rrset.c	Mon Jun 24 07:24:42 2013	(r7165)
@@ -564,6 +564,10 @@
     if (rrset->rrtype == LDNS_RR_TYPE_DNSKEY) {
         return 0;
     }
+    /* CDS RRset always needs to be signed with active key */
+    if (rrset->rrtype == LDNS_RR_TYPE_CDS) {
+        return 0;
+    }
     /* Let's look for RRSIGs from inactive ZSKs */
     for (i=0; i < rrset->rrsig_count; i++) {
         /* Same algorithm? */
@@ -723,14 +727,16 @@
          &inception, &expiration);
     /* Walk keys */
     for (i=0; i < zone->signconf->keys->count; i++) {
-        /* ZSKs don't sign DNSKEY RRset */
+        /* ZSKs don't sign DNSKEY|CDS RRset */
         if (!zone->signconf->keys->keys[i].zsk &&
-            rrset->rrtype != LDNS_RR_TYPE_DNSKEY) {
+            rrset->rrtype != LDNS_RR_TYPE_DNSKEY &&
+            rrset->rrtype != LDNS_RR_TYPE_CDS) {
             continue;
         }
-        /* KSKs only sign DNSKEY RRset */
+        /* KSKs only sign DNSKEY|CDS RRset */
         if (!zone->signconf->keys->keys[i].ksk &&
-            rrset->rrtype == LDNS_RR_TYPE_DNSKEY) {
+            (rrset->rrtype == LDNS_RR_TYPE_DNSKEY ||
+            rrset->rrtype == LDNS_RR_TYPE_CDS)) {
             continue;
         }
         /* Additional rules for signatures */

Modified: branches/OpenDNSSEC-CDS/signer/src/signer/zone.c
==============================================================================
--- branches/OpenDNSSEC-enforcer-ng/signer/src/signer/zone.c	Tue May 28 15:28:49 2013	(r7137)
+++ branches/OpenDNSSEC-CDS/signer/src/signer/zone.c	Mon Jun 24 07:24:42 2013	(r7165)
@@ -234,6 +234,7 @@
     ods_status status = ODS_STATUS_OK;
     rrset_type* rrset = NULL;
     rr_type* dnskey = NULL;
+    rr_type* cds = NULL;
 
     if (!zone || !zone->db || !zone->signconf || !zone->signconf->keys) {
         return ODS_STATUS_ASSERT_ERR;
@@ -299,6 +300,46 @@
                 "error adding dnskey", zone_str, zone->name);
             break;
         }
+        if (zone->signconf->keys->keys[i].cds_digest_type) {
+            if (!zone->signconf->keys->keys[i].cds) {
+                /* get cds */
+                zone->signconf->keys->keys[i].cds = ldns_key_rr2ds(
+                    zone->signconf->keys->keys[i].dnskey,
+                    zone->signconf->keys->keys[i].cds_digest_type);
+                if (!zone->signconf->keys->keys[i].cds) {
+                    ods_log_error("[%s] unable to publish dnskeys for zone %s: "
+                        "error creating dnskey", zone_str, zone->name);
+                    status = ODS_STATUS_ERR;
+                    break;
+                }
+            }
+            ods_log_debug("[%s] publish %s CDS locator %s", zone_str,
+                zone->name, zone->signconf->keys->keys[i].locator);
+            ods_log_assert(zone->signconf->keys->keys[i].cds);
+            ldns_rr_set_type(zone->signconf->keys->keys[i].cds,
+                LDNS_RR_TYPE_CDS);
+            ldns_rr_set_ttl(zone->signconf->keys->keys[i].cds, ttl);
+            ldns_rr_set_class(zone->signconf->keys->keys[i].dnskey, zone->klass);
+            status = zone_add_rr(zone, zone->signconf->keys->keys[i].cds, 0);
+            if (status == ODS_STATUS_UNCHANGED) {
+                /* rr already exists, adjust pointer */
+                rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_CDS);
+                ods_log_assert(rrset);
+                cds = rrset_lookup_rr(rrset,
+                    zone->signconf->keys->keys[i].cds);
+                ods_log_assert(cds);
+                if (cds->rr != zone->signconf->keys->keys[i].cds) {
+                    ldns_rr_free(zone->signconf->keys->keys[i].cds);
+                }
+                zone->signconf->keys->keys[i].cds = cds->rr;
+                status = ODS_STATUS_OK;
+            } else if (status != ODS_STATUS_OK) {
+               ods_log_error("[%s] unable to publish dnskeys for zone %s: "
+                   "error adding cds", zone_str, zone->name);
+                break;
+            }
+
+        }
     }
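Review bot: `ldns_rr_set_class(zone->signconf->keys->keys[i].dnskey, zone->klass);` operates on the DNSKEY rather than the freshly created CDS record, so the class of the CDS RR is never set here; it should read `ldns_rr_set_class(zone->signconf->keys->keys[i].cds, zone->klass);`. The error message on the `ldns_key_rr2ds` failure path says `"error creating dnskey"` where `"error creating cds"` is meant, which sends an operator to the wrong place. `cds_digest_type` is an `int` taken straight from the signconf and used as the hash selector for `ldns_key_rr2ds`; the NULL return is handled, but nothing in this commit rejects out-of-range or unsupported digest types earlier, so this is the only point where a bad configuration is caught. The two `ods_log_error` lines in the final `else if` are indented with three spaces instead of four. The enclosing function starts outside this hunk.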
     /* done */
     hsm_destroy_context(ctx);
@@ -316,6 +357,7 @@
     uint16_t i = 0;
     rrset_type* rrset = NULL;
     rr_type* dnskey = NULL;
+    rr_type* cds = NULL;
     if (!zone || !zone->signconf || !zone->signconf->keys) {
         return;
     }
@@ -331,6 +373,17 @@
             }
         }
     }
+    /* unlink cds rrs */
+    for (i=0; i < zone->signconf->keys->count; i++) {
+        if (rrset && zone->signconf->keys->keys[i].cds) {
+            cds = rrset_lookup_rr(rrset,
+                zone->signconf->keys->keys[i].cds);
+            if (cds && !cds->exists &&
+                cds->rr == zone->signconf->keys->keys[i].cds) {
+                zone->signconf->keys->keys[i].cds = NULL;
+            }
+        }
+    }
     /* done */
     return;
 }
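Review bot: The new unlink loop searches `rrset` for each key's CDS RR, but `rrset` is the variable the preceding DNSKEY loop used and is not re-looked-up for `LDNS_RR_TYPE_CDS`; if it still points at the DNSKEY RRset (the lookup is outside this hunk), `rrset_lookup_rr` never finds the CDS RRs, the `cds` pointers are never cleared, and they dangle once the RRset frees its RRs. Adding `rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_CDS);` before the loop, mirroring the lookup in the publish hunk above, would fix that. The enclosing function starts outside this hunk.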


