Report information
The Basics
Id:
46090
Status:
resolved
Priority:
Medium/Medium
Queue:

People
Owner:
Stephen Morris <stephen@isc.org> (email delivery suspended)
Cc:
AdminCc:

BugTracker
Version Fixed:
9.12.0
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
9.12
Priority:
P1 High
Severity:
S3 Low
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
feature

Dates
Created:Mon, 25 Sep 2017 06:35:58 -0400
Updated:Tue, 24 Oct 2017 10:32:36 -0400
Closed:Tue, 24 Oct 2017 10:32:36 -0400




Date: Mon, 25 Sep 2017 11:35:14 +0100
From: "Tony Finch" <dot@dotat.at>
CC: "Tony Finch" <dot@dotat.at>
To: bind9-bugs@isc.org
Subject: [PATCH] dnssec-cds
My implementation of RFC 7344 is now in reasonably good shape, thanks to help from JP Mens. I have copied it into its own branch (based off today's master) at https://git.csx.cam.ac.uk/x/ucs/ipreg/bind9.git/log/refs/heads/u/fanf2/dnssec-cds

There are three commits, two cleanup commits then one for dnssec-cds itself, including documentation and tests. I'll send the patches to this ticket as well.

Tony.

-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode
East Sole, Lundy, Fastnet: Variable 4, becoming southeasterly 4 or 5 later. Slight or moderate. Fair. Moderate or good.
To: "BIND9 Bugs via RT" <bind9-confidential@isc.org>
Subject: Re: [ISC-Bugs #46090] [PATCH] alphabetize
From: "Tony Finch" <dot@dotat.at>
Date: Mon, 25 Sep 2017 12:13:59 +0100
sed -n '19,57p' conf.sh.in | sort --- bin/tests/system/conf.sh.in | 56 ++++++++++++++++++++++----------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 0d63f12..94d5a44 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in 
@@ -17,42 +17,42 @@ TOP=${SYSTEMTESTTOP:=.}/../../.. # Make it absolute so that it continues to work after we cd. TOP=`cd $TOP && pwd` -NAMED=$TOP/bin/named/named -DIG=$TOP/bin/dig/dig -DELV=$TOP/bin/delv/delv -RNDC=$TOP/bin/rndc/rndc -NSUPDATE=$TOP/bin/nsupdate/nsupdate +ARPANAME=$TOP/bin/tools/arpaname +CHECKCONF=$TOP/bin/check/named-checkconf +CHECKDS=$TOP/bin/python/dnssec-checkds +CHECKZONE=$TOP/bin/check/named-checkzone +COVERAGE=$TOP/bin/python/dnssec-coverage DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen -TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen -RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen -KEYGEN=$TOP/bin/dnssec/dnssec-keygen -KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel -SIGNER=$TOP/bin/dnssec/dnssec-signzone -REVOKE=$TOP/bin/dnssec/dnssec-revoke -SETTIME=$TOP/bin/dnssec/dnssec-settime +DELV=$TOP/bin/delv/delv +DIG=$TOP/bin/dig/dig +DNSTAPREAD=$TOP/bin/tools/dnstap-read DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey +FEATURETEST=$TOP/bin/tests/system/feature-test +FSTRM_CAPTURE=@FSTRM_CAPTURE@ +GENRANDOM=$TOP/bin/tools/genrandom IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey -CHECKDS=$TOP/bin/python/dnssec-checkds -COVERAGE=$TOP/bin/python/dnssec-coverage +JOURNALPRINT=$TOP/bin/tools/named-journalprint +KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel +KEYGEN=$TOP/bin/dnssec/dnssec-keygen KEYMGR=$TOP/bin/python/dnssec-keymgr -CHECKZONE=$TOP/bin/check/named-checkzone -CHECKCONF=$TOP/bin/check/named-checkconf +MDIG=$TOP/bin/tools/mdig +NAMED=$TOP/bin/named/named +NSEC3HASH=$TOP/bin/tools/nsec3hash +NSLOOKUP=$TOP/bin/dig/nslookup +NSUPDATE=$TOP/bin/nsupdate/nsupdate +NZD2NZF=$TOP/bin/tools/named-nzd2nzf +PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}" -PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" -JOURNALPRINT=$TOP/bin/tools/named-journalprint 
-VERIFY=$TOP/bin/dnssec/dnssec-verify -ARPANAME=$TOP/bin/tools/arpaname RESOLVE=$TOP/lib/samples/resolve +REVOKE=$TOP/bin/dnssec/dnssec-revoke +RNDC=$TOP/bin/rndc/rndc +RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen RRCHECKER=$TOP/bin/tools/named-rrchecker -GENRANDOM=$TOP/bin/tools/genrandom -NSEC3HASH=$TOP/bin/tools/nsec3hash -NSLOOKUP=$TOP/bin/dig/nslookup -DNSTAPREAD=$TOP/bin/tools/dnstap-read -MDIG=$TOP/bin/tools/mdig -NZD2NZF=$TOP/bin/tools/named-nzd2nzf -FSTRM_CAPTURE=@FSTRM_CAPTURE@ -FEATURETEST=$TOP/bin/tests/system/feature-test +SETTIME=$TOP/bin/dnssec/dnssec-settime +SIGNER=$TOP/bin/dnssec/dnssec-signzone +TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen +VERIFY=$TOP/bin/dnssec/dnssec-verify WIRETEST=$TOP/bin/tests/wire_test RANDFILE=$TOP/bin/tests/system/random.data -- 2.10.1.445.g3cdd5d1
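Review bot: the sort covers only the line range named in the commit message (19 to 57), so the tail of the block keeps its old order, with WIRETEST still before RANDFILE; either extend the sorted range to the end of the assignments or say in the message that the last two lines are deliberately left alone. The reorder itself is safe as a pure move: every relocated line is a plain assignment whose only references are to $TOP, set above the block, and (in the PK11DEL, PK11GEN and PK11LIST lines) to the SLOT and HSMPIN environment variables, so no assignment now reads a variable that is defined later in the file. The commit message consists solely of the shell pipeline that produced the change; a one-line summary such as "alphabetize tool paths in conf.sh.in" above that command would make the log searchable.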
To: "Tony Finch via RT" <bind9-confidential@isc.org>
Subject: [ISC-Bugs #46090] [PATCH] dnssec-dsfromkey: make better use of shared dnssectool code
From: "Tony Finch" <dot@dotat.at>
Date: Mon, 25 Sep 2017 12:17:11 +0100
Use strtottl() for the -T option, and make a new strtodigest() function for parsing DS digest type names. --- bin/dnssec/dnssec-dsfromkey.c | 24 +++--------------------- bin/dnssec/dnssectool.c | 19 +++++++++++++++++++ bin/dnssec/dnssectool.h | 3 +++ 3 files changed, 25 insertions(+), 21 deletions(-) diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index ad44c3c..8597d05 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -346,7 +346,7 @@ usage(void) { int main(int argc, char **argv) { - char *algname = NULL, *classname = NULL; + char *classname = NULL; char *filename = NULL, *dir = NULL, *namestr; char *lookaside = NULL; char *endp; @@ -393,7 +393,7 @@ main(int argc, char **argv) { showall = ISC_TRUE; break; case 'a': - algname = isc_commandline_argument; + dtype = strtodsdigest(isc_commandline_argument); both = ISC_FALSE; break; case 'C': @@ -430,7 +430,7 @@ main(int argc, char **argv) { break; case 'T': emitttl = ISC_TRUE; - ttl = atol(isc_commandline_argument); + ttl = strtottl(isc_commandline_argument); break; case 'v': verbose = strtol(isc_commandline_argument, &endp, 0); @@ -460,24 +460,6 @@ main(int argc, char **argv) { } } - if (algname != NULL) { - if (strcasecmp(algname, "SHA1") == 0 || - strcasecmp(algname, "SHA-1") == 0) - dtype = DNS_DSDIGEST_SHA1; - else if (strcasecmp(algname, "SHA256") == 0 || - strcasecmp(algname, "SHA-256") == 0) - dtype = DNS_DSDIGEST_SHA256; -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) - else if (strcasecmp(algname, "GOST") == 0) - dtype = DNS_DSDIGEST_GOST; -#endif - else if (strcasecmp(algname, "SHA384") == 0 || - strcasecmp(algname, "SHA-384") == 0) - dtype = DNS_DSDIGEST_SHA384; - else - fatal("unknown algorithm %s", algname); - } - rdclass = strtoclass(classname); if (usekeyset && filename != NULL) diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 908a2bc..6e67391 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c 
@@ -414,6 +414,25 @@ strtoclass(const char *str) { return (rdclass); } +unsigned int +strtodsdigest(const char *algname) { + if (strcasecmp(algname, "SHA1") == 0 || + strcasecmp(algname, "SHA-1") == 0) + return (DNS_DSDIGEST_SHA1); + else if (strcasecmp(algname, "SHA256") == 0 || + strcasecmp(algname, "SHA-256") == 0) + return (DNS_DSDIGEST_SHA256); +#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) + else if (strcasecmp(algname, "GOST") == 0) + return (DNS_DSDIGEST_GOST); +#endif + else if (strcasecmp(algname, "SHA384") == 0 || + strcasecmp(algname, "SHA-384") == 0) + return (DNS_DSDIGEST_SHA384); + else + fatal("unknown algorithm %s", algname); +} + isc_result_t try_dir(const char *dirname) { isc_result_t result; diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index 13cbf33..8de518b 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -65,6 +65,9 @@ isc_stdtime_t strtotime(const char *str, isc_int64_t now, isc_int64_t base, isc_boolean_t *setp); +unsigned int +strtodsdigest(const char *str); + dns_rdataclass_t strtoclass(const char *str); -- 2.10.1.445.g3cdd5d1
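Review bot: the commit message names the new helper strtodigest(), but the hunks in dnssectool.c and dnssectool.h add strtodsdigest(); make the message match the symbol. In the dnssectool.c hunk the final `else fatal("unknown algorithm %s", algname);` branch leaves strtodsdigest() with no return value on that path, which is only correct if fatal() is declared noreturn; if that attribute is not visible to every supported compiler, add an unreachable `return (0);` after the if-chain to avoid a warning about control reaching the end of a non-void function. The prototype in dnssectool.h names the parameter `str` while the definition names it `algname`; use one name in both places. In the dnssec-dsfromkey.c hunks, `-a` is now resolved inside the option loop, so an unknown digest name is fatal before the remaining options are parsed (previously it was checked after the loop); that is acceptable but worth a sentence in the message. Since `-T` now goes through strtottl() instead of atol(), the accepted syntax and the error behaviour for that option may differ (atol() silently yielded 0 on non-numeric input), so the commit message and the dnssec-dsfromkey man page should state what `-T` now accepts.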
Subject: Re: [ISC-Bugs #46090] [PATCH] dnssec-cds: RFC 7344 CDS/CDNSKEY parent side
Date: Mon, 25 Sep 2017 12:19:31 +0100
To: "Tony Finch via RT" <bind9-confidential@isc.org>
From: "Tony Finch" <dot@dotat.at>

Message body is not shown because it is too large.

This looks quite good; I've changed a number of style issues, but the only code I modified was to get rid of a goto in make_new_ds_set() and remove a small helper function that was only ever called from one place and which I thought just added a bit of unnecessary confusion. I'm going to call Tony's code "reviewed", but I'm putting the branch in the review queue so someone can make sure I didn't dork up those two changes. They're in commit 7a13d99989b.
4757. [func] New "dnssec-cds" command creates a new parent DS RRset based on CDS or CDNSKEY RRsets found in a child zone, and generates either a dsset file or stream of nsupdate commands to update the parent. Thanks to Tony Finch. [RT #46090] 9.12.0
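As an added illustration of what the CHANGES entry describes (this is not code from the ticket, from Tony Finch's branch or from BIND): a small Python script that takes a child zone's CDNSKEY records, derives the DS records a parent would publish, and accepts digest type names in the same spellings the strtodsdigest() patch above accepts. The DS derivation follows RFC 4034: the digest covers the canonical wire form of the owner name followed by the DNSKEY RDATA, and the key tag is computed as in RFC 4034 Appendix B. The CDNSKEY line, the owner name and the key bytes are constructed for the example; the key material is not a real key, and GOST is omitted because hashlib does not provide it.

```python
"""Added example (not from the ticket or from BIND): build a parent DS RRset
from a child's CDNSKEY records, the step dnssec-cds performs after it has
obtained the child's CDS/CDNSKEY RRset.

Everything in SAMPLE_CDNSKEY is constructed for this example.
"""
import base64
import hashlib
import struct

# DS digest type numbers from the IANA registry (SHA-1: RFC 4034,
# SHA-256: RFC 4509, SHA-384: RFC 6605). Both spellings of each name are
# accepted, as dnssec-dsfromkey -a does.
DS_DIGEST_NAMES = {
    "SHA1": 1, "SHA-1": 1,
    "SHA256": 2, "SHA-256": 2,
    "SHA384": 4, "SHA-384": 4,
}
DS_DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def strtodsdigest(name):
    """Map a digest type name to its number, case-insensitively.
    Unknown names are rejected rather than silently defaulted."""
    try:
        return DS_DIGEST_NAMES[name.upper()]
    except KeyError:
        raise ValueError("unknown algorithm %s" % name)


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %s" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_cdnskey(line):
    """Parse one presentation-format CDNSKEY record into
    (owner, flags, protocol, algorithm, key bytes)."""
    fields = line.split()
    if "CDNSKEY" not in fields:
        raise ValueError("not a CDNSKEY record: %s" % line)
    pos = fields.index("CDNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(f) for f in fields[pos + 1:pos + 4])
    key = base64.b64decode("".join(fields[pos + 4:]))
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3, got %d" % protocol)
    return owner, flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def keytag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm but 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, dtype):
    """One DS record in dsset-file style: owner IN DS keytag alg dtype digest.
    The digest input is the canonical owner name followed by the DNSKEY RDATA."""
    digest = DS_DIGEST_FUNCS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return "%s IN DS %d %d %d %s" % (owner, keytag(rdata), algorithm, dtype, digest)


def cdnskey_to_dsset(lines, digest_names=("SHA-256",)):
    """Turn a child's CDNSKEY RRset into the DS records the parent would
    publish: one DS per key per requested digest type."""
    dtypes = [strtodsdigest(n) for n in digest_names]
    dsset = []
    for line in lines:
        owner, flags, protocol, algorithm, key = parse_cdnskey(line)
        rdata = dnskey_rdata(flags, protocol, algorithm, key)
        for dtype in dtypes:
            dsset.append(make_ds(owner, rdata, dtype))
    return dsset


# Constructed sample input: a made-up CDNSKEY for example.com whose key
# bytes are 00 01 02 03 (base64 "AAECAw=="); this is not a real key.
SAMPLE_CDNSKEY = ["example.com. 3600 IN CDNSKEY 257 3 13 AAECAw=="]

if __name__ == "__main__":
    for ds in cdnskey_to_dsset(SAMPLE_CDNSKEY, ("SHA-256", "SHA-384")):
        print(ds)
```

The script shows only the derivation step. RFC 7344 requires the parental agent to DNSSEC-validate the child's CDS/CDNSKEY RRset before acting on it, so in a real deployment the input to cdnskey_to_dsset() must come from a validated lookup, not from an unauthenticated query.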