proposed new command line option for dnssec-signzone

Pierre Beyssac pb at fasterix.frmug.org
Mon Sep 23 10:18:43 UTC 2013


Hello all,

I'm new to this list.

The following patch went unnoticed in the bind-users list, so after
failing to find a public bugzilla or equivalent for feature requests,
I figured I would try to subscribe here and send the patch again...

Pierre

----- Forwarded message from Pierre Beyssac <pb at fasterix.frmug.org> -----

Date: Wed, 18 Sep 2013 22:27:02 +0200
From: Pierre Beyssac <pb at fasterix.frmug.org>
To: bind-users <bind-users at lists.isc.org>
Subject: proposed new command line option for dnssec-signzone

Hello all,

I have written a small patch for dnssec-signzone to handle what I
assume is a pretty common case for big zones: ZSK rollover without
double RRSIGs, i.e. removal of the RRSIG records signed with the old
ZSK (inactive but still published while waiting for cache expiration
of the old RRSIGs).

This is one of the ZSK rollover procedures described in RFC 4641.

I am using this on zone eu.org (over 45000 RRs, not counting DNSSEC)
and tested it on a (simulated) ZSK rollover.

I'm not sure this is the right place to send this, but since the
bind-workers list seems to be reserved for developers and the patch
is pretty short, here goes.
-- 
Sent from my FreeBSD server on its IPv6 connection
Pierre Beyssac	      	    		pb at fasterix.frmug.org

diff -ur bind-9.9.3-P2/bin/dnssec/dnssec-signzone.8 bind-9.9.3-P2.pb/bin/dnssec/dnssec-signzone.8
--- bind-9.9.3-P2/bin/dnssec/dnssec-signzone.8	2013-07-17 00:13:06.000000000 +0200
+++ bind-9.9.3-P2.pb/bin/dnssec/dnssec-signzone.8	2013-09-17 01:21:24.000000000 +0200
@@ -271,6 +271,13 @@
 to remove all orphaned signatures.
 .RE
 .PP
+\-1
+.RS 4
+Remove signatures from keys that are no longer active.
+.sp
+This is similar to the \fB\-R\fR option, but it removes signatures from keys that are no longer active, even if their DNSKEY record is still published. This allows a ZSK-rollover using the RFC4641 procedure, i.e. single RRSIG for each RR.
+.RE
+.PP
 \-r \fIrandomdev\fR
 .RS 4
 Specifies the source of randomness. If the operating system does not provide a
diff -ur bind-9.9.3-P2/bin/dnssec/dnssec-signzone.c bind-9.9.3-P2.pb/bin/dnssec/dnssec-signzone.c
--- bind-9.9.3-P2/bin/dnssec/dnssec-signzone.c	2013-07-17 00:13:06.000000000 +0200
+++ bind-9.9.3-P2.pb/bin/dnssec/dnssec-signzone.c	2013-09-17 01:16:24.000000000 +0200
@@ -176,6 +176,7 @@
 static dns_ttl_t keyttl;
 static isc_boolean_t smartsign = ISC_FALSE;
 static isc_boolean_t remove_orphans = ISC_FALSE;
+static isc_boolean_t remove_orphans_inact = ISC_FALSE;
 static isc_boolean_t output_dnssec_only = ISC_FALSE;
 static isc_boolean_t output_stdout = ISC_FALSE;
 
@@ -557,6 +558,11 @@
 			keep = (!expired && !remove_orphans);
 			vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
 				 keep ? "retained" : "dropped", sigstr);
+		} else if (!dns_dnssec_key_active(&key->key, now)
+			   && remove_orphans_inact) {
+			keep = ISC_FALSE;
+			vbprintf(2, "\trrsig by %s dropped - key inactive\n",
+				 sigstr);
 		} else if (issigningkey(key)) {
 			wassignedby[key->index] = ISC_TRUE;
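Review bot: The new `} else if` branch calls `dns_dnssec_key_active()` before testing `remove_orphans_inact`, so the timing metadata of every found key is evaluated even when `-1` was not given; swapping the operands, `} else if (remove_orphans_inact && !dns_dnssec_key_active(key->key, now)) {`, leaves the default path untouched. The argument level also looks inconsistent with the other call site: the dnssec.c hunk passes `keys[count]`, an element of the `dst_key_t **keys` array and therefore a `dst_key_t *`, while this branch passes `&key->key`; if `key->key` is the `dst_key_t *` member of the struct that `key` points to, this hands over a `dst_key_t **` and should be `key->key` — confirm against the struct definition. Dropping the signature here also skips the `wassignedby[key->index] = ISC_TRUE` bookkeeping of the following branch, so an inactive key that is nonetheless still in the signing set could presumably be used to re-sign the set later in this function; a comment stating the assumption that inactive keys are never signing keys would make that explicit. The enclosing function starts and ends outside the hunk.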
 
@@ -2950,6 +2956,8 @@
 	fprintf(stderr, "disable post-sign verification\n");
 	fprintf(stderr, "\t-R:\t");
 	fprintf(stderr, "remove signatures from keys that no longer exist\n");
+	fprintf(stderr, "\t-1:\t");
+	fprintf(stderr, "remove signatures from keys that are no longer active\n");
 	fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n");
 	fprintf(stderr, "\t-t:\t");
 	fprintf(stderr, "print statistics\n");
@@ -3052,7 +3060,7 @@
 	isc_boolean_t nonsecify = ISC_FALSE;
 
 #define CMDLINE_FLAGS \
-	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:n:N:o:O:PpRr:s:ST:tuUv:X:xzZ:"
+	"13:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:n:N:o:O:PpRr:s:ST:tuUv:X:xzZ:"
 
 	/*
 	 * Process memory debugging argument first.
@@ -3255,6 +3263,10 @@
 			pseudorandom = ISC_TRUE;
 			break;
 
+		case '1':
+			remove_orphans_inact = ISC_TRUE;
+			break;
+
 		case 'R':
 			remove_orphans = ISC_TRUE;
 			break;
diff -ur bind-9.9.3-P2/lib/dns/dnssec.c bind-9.9.3-P2.pb/lib/dns/dnssec.c
--- bind-9.9.3-P2/lib/dns/dnssec.c	2013-07-17 00:13:06.000000000 +0200
+++ bind-9.9.3-P2.pb/lib/dns/dnssec.c	2013-09-17 00:39:14.869119000 +0200
@@ -609,8 +609,8 @@
 	return (result);
 }
 
-static isc_boolean_t
-key_active(dst_key_t *key, isc_stdtime_t now) {
+isc_boolean_t
+dns_dnssec_key_active(dst_key_t *key, isc_stdtime_t now) {
 	isc_result_t result;
 	isc_stdtime_t publish, active, revoke, inactive, delete;
 	isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
@@ -763,7 +763,7 @@
 		/*
 		 * If a key is marked inactive, skip it
 		 */
-		if (!key_active(keys[count], now)) {
+		if (!dns_dnssec_key_active(keys[count], now)) {
 			dst_key_free(&keys[count]);
 			keys[count] = pubkey;
 			pubkey = NULL;
diff -ur bind-9.9.3-P2/lib/dns/include/dns/dnssec.h bind-9.9.3-P2.pb/lib/dns/include/dns/dnssec.h
--- bind-9.9.3-P2/lib/dns/include/dns/dnssec.h	2013-07-17 00:13:06.000000000 +0200
+++ bind-9.9.3-P2.pb/lib/dns/include/dns/dnssec.h	2013-09-17 00:39:55.920863000 +0200
@@ -174,6 +174,10 @@
 			dns_name_t *name, isc_mem_t *mctx,
 			unsigned int maxkeys, dst_key_t **keys,
 			unsigned int *nkeys);
+
+isc_result_t
+dns_dnssec_key_active(dst_key_t *key, isc_stdtime_t now);
+
 isc_result_t
 dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 			 dns_dbnode_t *node, dns_name_t *name,
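Review bot: The prototype added here declares `dns_dnssec_key_active()` as returning `isc_result_t`, but the definition in the dnssec.c hunk returns `isc_boolean_t` and both callers negate the result as a boolean; the declaration should read `isc_boolean_t dns_dnssec_key_active(dst_key_t *key, isc_stdtime_t now);`, otherwise dnssec.c will fail to compile with conflicting types once it includes this header. Since the formerly static `key_active()` is now public library API, it also needs a doc comment at this declaration stating which key timing metadata "active" is derived from and how a key with no timing metadata is treated; the visible hunks do not show that, and the comment in dnssec.c ("If a key is marked inactive, skip it") is the only hint.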



----- End forwarded message -----

-- 
Sent from my FreeBSD server on its IPv6 connection
Pierre Beyssac	      	    		pb at fasterix.frmug.org

