Changeset 1761

Timestamp:

12/27/10 21:55:18 (2 years ago)

Author:

ahu

Message:

with this commit, ldns-signzone+nsd and 'drill -t axfr' on powerdns and nsd delivers identical results for an NSEC zone!

Location:

trunk/pdns/pdns

Files:

• dnssecinfra.cc (modified) (2 diffs)
• dnssecinfra.hh (modified) (1 diff)
• dnsseckeeper.hh (modified) (2 diffs)
• fsdnsseckeeper.cc (modified) (10 diffs)
• tcpreceiver.cc (modified) (3 diffs)

trunk/pdns/pdns/dnssecinfra.cc

@@ -150 +150 @@
 }
 
-DNSKEYRecordContent makeDNSKEYFromRSAKey(rsa_context* rc, uint8_t algorithm)
+DNSKEYRecordContent makeDNSKEYFromRSAKey(const rsa_context* rc, uint8_t algorithm, uint16_t flags)
 {
   DNSKEYRecordContent drc;
@@ -176 +176 @@
   drc.d_algorithm = algorithm;
 
-  drc.d_flags=256 + (modulus.length()>128);  // oops, I just made this up..
+  drc.d_flags=flags;
 
   return drc;

trunk/pdns/pdns/dnssecinfra.hh

@@ -29 +29 @@
 bool sharedDNSSECCompare(const boost::shared_ptr<DNSRecordContent>& a, const shared_ptr<DNSRecordContent>& b);
 string getSHA1HashForRRSET(const std::string& qname, const RRSIGRecordContent& rrc, std::vector<boost::shared_ptr<DNSRecordContent> >& signRecords);
-DNSKEYRecordContent makeDNSKEYFromRSAKey(rsa_context* rc, uint8_t algorithm);
+DNSKEYRecordContent makeDNSKEYFromRSAKey(const rsa_context* rc, uint8_t algorithm, uint16_t flags);
 DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordContent& drc, int digest=1);
 

trunk/pdns/pdns/dnsseckeeper.hh

@@ -56 +56 @@
   }
 
-  rsa_context& getContext()
+  const rsa_context& getConstContext() const
   {
     return d_context;
   }
+
+  rsa_context& getContext() 
+  {
+    return d_context;
+  }
+
 
   void create(unsigned int bits);
@@ -78 +84 @@
   
   RSAContext d_key;
-  DNSKEYRecordContent getDNSKEY();
+  DNSKEYRecordContent getDNSKEY() const;
   uint8_t d_algorithm;
+  uint16_t d_flags;
 };
 

trunk/pdns/pdns/fsdnsseckeeper.cc

@@ -69 +69 @@
   }
   return !keys.empty();
-  
-  #if 0
-  fs::path full_path = fs::system_complete( fs::path(d_dirname + "/" + zone + "/keys/" ) );
-
-  if ( !fs::exists( full_path ) )
-    return false;
-
-  fs::directory_iterator end_iter;
-  for ( fs::directory_iterator dir_itr( full_path );
-        dir_itr != end_iter;
-        ++dir_itr )
-  {
-    //    cerr<<"Entry: '"<< dir_itr->leaf() <<"'"<<endl;
-    if(ends_with(dir_itr->leaf(),".private")) {
-      //      cerr<<"Hit!"<<endl;
-
-      if(dpk) {
-        getRSAKeyFromISC(&dpk->d_key.getContext(), dir_itr->path().file_string().c_str());
-        
-        if(getNSEC3PARAM(zone)) {
-          dpk->d_algorithm = 7;
-        }
-        else {
-          dpk->d_algorithm = 5;
-        }
-      
-      }
-      return true;
-    }
-  }
-
-  return false;
-  #endif
 }
 
@@ -129 +96 @@
 
   if ( !fs::exists( full_path ) )
-    unixDie("Unable to get free key id from '"+dirname+"'");
+    unixDie("Unable to get filname key id from '"+dirname+"'");
 
   fs::directory_iterator end_iter;
@@ -137 +104 @@
     ++dir_itr )
   {
+    if(!ends_with(dir_itr->leaf(), ".private"))
+      continue;
     parts = splitField(dir_itr->leaf(), '-');
           if(atoi(parts.first.c_str()) == (signed int)id) 
@@ -152 +121 @@
   string isc = dpk.d_key.convertToISC();
   DNSKEYRecordContent drc = dpk.getDNSKEY();
-  drc.d_flags = 256; // KSK
+  drc.d_flags = 256 + keyOrZone; // KSK
   drc.d_algorithm = algorithm; 
   string iscName=d_dirname+"/"+name+"/keys/";
@@ -189 +158 @@
 void DNSSECKeeper::removeKey(const std::string& zname, unsigned int id)
 {
-  string fname = getKeyFilenameById(d_dirname+"/keys/", id);
+  string fname = getKeyFilenameById(d_dirname+"/"+zname+"/keys", id);
   if(unlink(fname.c_str()) < 0)
     unixDie("removing key file '"+fname+"'");
@@ -196 +165 @@
 void DNSSECKeeper::deactivateKey(const std::string& zname, unsigned int id)
 {
-  string fname = getKeyFilenameById(d_dirname+"/keys/", id);
+  string fname = getKeyFilenameById(d_dirname+"/"+zname+"/keys/", id);
   string newname = boost::replace_last_copy(fname, ".active", ".passive");
   if(rename(fname.c_str(), newname.c_str()) < 0)
@@ -204 +173 @@
 void DNSSECKeeper::activateKey(const std::string& zname, unsigned int id)
 {
-  string fname = getKeyFilenameById(d_dirname+"/keys/", id);
+  string fname = getKeyFilenameById(d_dirname+"/"+zname+"/keys/", id);
   string newname = boost::replace_last_copy(fname, ".passive", ".active");
   if(rename(fname.c_str(), newname.c_str()) < 0)
@@ -275 +244 @@
         dpk.d_algorithm = 5;
       }
-      
       struct tm ts1, ts2;
       
@@ -296 +264 @@
       kmd.active = kmd.fname.find(".active") != string::npos;
       kmd.keyOrZone = kmd.fname.find(".ksk") != string::npos;
+      
+      dpk.d_flags = 256 + kmd.keyOrZone;  // this is a clear sign we've got our abstractions wrong! FIXME XXX
+      
       if(boost::indeterminate(allOrKeyOrZone) || allOrKeyOrZone == kmd.keyOrZone)
         keyset.push_back(make_pair(dpk, kmd));
@@ -305 +276 @@
 }
 
-DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY()
-{
-  return makeDNSKEYFromRSAKey(&d_key.getContext(), d_algorithm);
+DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY() const
+{
+  return makeDNSKEYFromRSAKey(&d_key.getConstContext(), d_algorithm, d_flags);
 }
 

trunk/pdns/pdns/tcpreceiver.cc

@@ -19 +19 @@
 #include "utility.hh"
 #include "dnssecinfra.hh"
+#include "dnsseckeeper.hh"
 #include <cstdio>
 #include <cstring>
@@ -457 +458 @@
   outpacket->addRecord(soa); // AXFR format begins and ends with a SOA record, so we add one
   //  sendPacket(outpacket, outsock);
+  typedef map<string, set<uint16_t>, CanonicalCompare> nsecrepo_t;
+  nsecrepo_t nsecrepo;
+  // this is where the DNSKEYs go
+  
+  DNSSECKeeper dk(::arg()["key-repository"]);
+  DNSSECKeeper::keyset_t keys = dk.getKeys(target);
+  BOOST_FOREACH(const DNSSECKeeper::keyset_t::value_type& value, keys) {
+    rr.qname = target;
+    rr.qtype = QType(QType::DNSKEY);
+    rr.ttl = 3600;
+    rr.content = value.first.getDNSKEY().getZoneRepresentation();
+    nsecrepo[rr.qname].insert(rr.qtype.getCode());
+    outpacket->addRecord(rr);
+  }
 
   /* now write all other records */
@@ -469 +484 @@
   outpacket->d_dnssecOk=true; // WRONG
 
-  typedef map<string, set<uint16_t>, CanonicalCompare> nsecrepo_t;
-  nsecrepo_t nsecrepo;
+
 
   while(B->get(rr)) {