/*
* Create a specialised SSU table that points at an external DLZ database
*/
isc_result_t
dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
dns_dlzdb_t *dlzdatabase)
{
isc_result_t result;
dns_ssurule_t *rule;
dns_ssutable_t *table = NULL;
REQUIRE(tablep != NULL && *tablep == NULL);
result = dns_ssutable_create(mctx, &table);
if (result != ISC_R_SUCCESS)
return (result);
table->dlzdatabase = dlzdatabase;
rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
if (rule == NULL) {
dns_ssutable_detach(&table);
return (ISC_R_NOMEMORY);
}
rule->identity = NULL;
rule->name = NULL;
rule->types = NULL;
rule->grant = ISC_TRUE;
rule->matchtype = DNS_SSUMATCHTYPE_DLZ;
rule->ntypes = 0;
rule->types = NULL;
rule->magic = SSURULEMAGIC;
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
*tablep = table;
return (ISC_R_SUCCESS);
}
isc_result_t
dns_order_add(dns_order_t *order, dns_name_t *name,
dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
unsigned int mode)
{
dns_order_ent_t *ent;
REQUIRE(DNS_ORDER_VALID(order));
REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE ||
mode == DNS_RDATASETATTR_FIXEDORDER ||
mode == 0 /* DNS_RDATASETATTR_CYCLIC */ );
ent = isc_mem_get(order->mctx, sizeof(*ent));
if (ent == NULL)
return (ISC_R_NOMEMORY);
dns_fixedname_init(&ent->name);
RUNTIME_CHECK(dns_name_copy(name, dns_fixedname_name(&ent->name), NULL)
== ISC_R_SUCCESS);
ent->rdtype = rdtype;
ent->rdclass = rdclass;
ent->mode = mode;
ISC_LINK_INIT(ent, link);
ISC_LIST_INITANDAPPEND(order->ents, ent, link);
return (ISC_R_SUCCESS);
}
/*
* A supplemental routine just to add a key to ring. Note that reference
* counter should be counted separately because we may be adding the key
* as part of creation of the key, in which case the reference counter was
* already initialized. Also note we don't need RWLOCK for the reference
* counter: it's protected by a separate lock.
*/
static isc_result_t
keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
dns_tsigkey_t *tkey)
{
isc_result_t result;
RWLOCK(&ring->lock, isc_rwlocktype_write);
ring->writecount++;
/*
* Do on the fly cleaning. Find some nodes we might not
* want around any more.
*/
if (ring->writecount > 10) {
cleanup_ring(ring);
ring->writecount = 0;
}
result = dns_rbt_addname(ring->keys, name, tkey);
if (tkey->generated) {
/*
* Add the new key to the LRU list and remove the least
* recently used key if there are too many keys on the list.
*/
ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
if (ring->generated++ > ring->maxgenerated)
remove_fromring(ISC_LIST_HEAD(ring->lru));
}
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
return (result);
}
isc_result_t
dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
dns_name_t *identity, unsigned int matchtype,
dns_name_t *name, unsigned int ntypes,
dns_rdatatype_t *types)
{
dns_ssurule_t *rule;
isc_mem_t *mctx;
isc_result_t result;
REQUIRE(VALID_SSUTABLE(table));
REQUIRE(dns_name_isabsolute(identity));
REQUIRE(dns_name_isabsolute(name));
REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
REQUIRE(dns_name_iswildcard(name));
if (ntypes > 0)
REQUIRE(types != NULL);
mctx = table->mctx;
rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
if (rule == NULL)
return (ISC_R_NOMEMORY);
rule->identity = NULL;
rule->name = NULL;
rule->types = NULL;
rule->grant = grant;
rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
if (rule->identity == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
dns_name_init(rule->identity, NULL);
result = dns_name_dup(identity, mctx, rule->identity);
if (result != ISC_R_SUCCESS)
goto failure;
rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
if (rule->name == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
dns_name_init(rule->name, NULL);
result = dns_name_dup(name, mctx, rule->name);
if (result != ISC_R_SUCCESS)
goto failure;
rule->matchtype = matchtype;
rule->ntypes = ntypes;
if (ntypes > 0) {
rule->types = isc_mem_get(mctx,
ntypes * sizeof(dns_rdatatype_t));
if (rule->types == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
memmove(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
} else
rule->types = NULL;
rule->magic = SSURULEMAGIC;
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
return (ISC_R_SUCCESS);
failure:
if (rule->identity != NULL) {
if (dns_name_dynamic(rule->identity))
dns_name_free(rule->identity, mctx);
isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
}
if (rule->name != NULL) {
if (dns_name_dynamic(rule->name))
dns_name_free(rule->name, mctx);
isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
}
if (rule->types != NULL)
isc_mem_put(mctx, rule->types,
ntypes * sizeof(dns_rdatatype_t));
isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
return (result);
}
int
main(int argc, char *argv[]) {
int i, ch;
char *startstr = NULL, *endstr = NULL;
dns_fixedname_t fdomain;
dns_name_t *domain = NULL;
char *output = NULL;
char *endp;
unsigned char data[65536];
dns_db_t *db;
dns_dbversion_t *version;
dns_diff_t diff;
dns_difftuple_t *tuple;
dns_fixedname_t tname;
dst_key_t *key = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
dns_rdataclass_t rdclass;
isc_result_t result;
isc_buffer_t b;
isc_region_t r;
isc_log_t *log = NULL;
keynode_t *keynode;
unsigned int eflags;
isc_boolean_t pseudorandom = ISC_FALSE;
isc_boolean_t tryverify = ISC_FALSE;
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("failed to create memory context: %s",
isc_result_totext(result));
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1)
{
switch (ch) {
case 'a':
tryverify = ISC_TRUE;
break;
case 's':
startstr = isc_commandline_argument;
break;
case 'e':
endstr = isc_commandline_argument;
break;
case 't':
endp = NULL;
ttl = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("TTL must be numeric");
break;
case 'r':
setup_entropy(mctx, isc_commandline_argument, &ectx);
break;
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("verbose level must be numeric");
break;
case 'p':
pseudorandom = ISC_TRUE;
break;
case 'h':
default:
usage();
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
if (argc < 1)
usage();
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
eflags = ISC_ENTROPY_BLOCKING;
if (!pseudorandom)
eflags |= ISC_ENTROPY_GOODONLY;
result = dst_lib_init(mctx, ectx, eflags);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
isc_stdtime_get(&now);
if (startstr != NULL)
starttime = strtotime(startstr, now, now);
else
starttime = now;
if (endstr != NULL)
endtime = strtotime(endstr, now, starttime);
else
endtime = starttime + (30 * 24 * 60 * 60);
if (ttl == -1) {
ttl = 3600;
fprintf(stderr, "%s: TTL not specified, assuming 3600\n",
program);
}
setup_logging(verbose, mctx, &log);
dns_diff_init(mctx, &diff);
rdclass = 0;
ISC_LIST_INIT(keylist);
for (i = 0; i < argc; i++) {
char namestr[DNS_NAME_FORMATSIZE];
isc_buffer_t namebuf;
key = NULL;
result = dst_key_fromnamedfile(argv[i], DST_TYPE_PUBLIC,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("error loading key from %s: %s", argv[i],
isc_result_totext(result));
if (rdclass == 0)
rdclass = dst_key_class(key);
isc_buffer_init(&namebuf, namestr, sizeof(namestr));
result = dns_name_tofilenametext(dst_key_name(key),
ISC_FALSE,
&namebuf);
check_result(result, "dns_name_tofilenametext");
isc_buffer_putuint8(&namebuf, 0);
if (domain == NULL) {
dns_fixedname_init(&fdomain);
domain = dns_fixedname_name(&fdomain);
dns_name_copy(dst_key_name(key), domain, NULL);
} else if (!dns_name_equal(domain, dst_key_name(key))) {
char str[DNS_NAME_FORMATSIZE];
dns_name_format(domain, str, sizeof(str));
fatal("all keys must have the same owner - %s "
"and %s do not match", str, namestr);
}
if (output == NULL) {
output = isc_mem_allocate(mctx,
strlen("keyset-") +
strlen(namestr) + 1);
if (output == NULL)
fatal("out of memory");
sprintf(output, "keyset-%s", namestr);
}
if (dst_key_iszonekey(key)) {
dst_key_t *zonekey = NULL;
result = dst_key_fromnamedfile(argv[i],
DST_TYPE_PUBLIC |
DST_TYPE_PRIVATE,
mctx, &zonekey);
if (result != ISC_R_SUCCESS)
fatal("failed to read private key %s: %s",
argv[i], isc_result_totext(result));
if (!zonekey_on_list(zonekey)) {
keynode = isc_mem_get(mctx, sizeof(keynode_t));
if (keynode == NULL)
fatal("out of memory");
keynode->key = zonekey;
ISC_LIST_INITANDAPPEND(keylist, keynode, link);
} else
dst_key_free(&zonekey);
}
dns_rdata_reset(&rdata);
isc_buffer_init(&b, data, sizeof(data));
result = dst_key_todns(key, &b);
dst_key_free(&key);
if (result != ISC_R_SUCCESS)
fatal("failed to convert key %s to a DNS KEY: %s",
argv[i], isc_result_totext(result));
isc_buffer_usedregion(&b, &r);
dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r);
tuple = NULL;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
domain, ttl, &rdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
}
db = NULL;
result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
rdclass, 0, NULL, &db);
if (result != ISC_R_SUCCESS)
fatal("failed to create a database");
version = NULL;
dns_db_newversion(db, &version);
result = dns_diff_apply(&diff, db, version);
check_result(result, "dns_diff_apply");
dns_diff_clear(&diff);
dns_fixedname_init(&tname);
dns_rdataset_init(&rdataset);
result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0,
NULL, dns_fixedname_name(&tname), &rdataset,
NULL);
check_result(result, "dns_db_find");
if (ISC_LIST_EMPTY(keylist))
fprintf(stderr,
"%s: no private zone key found; not self-signing\n",
program);
for (keynode = ISC_LIST_HEAD(keylist);
keynode != NULL;
keynode = ISC_LIST_NEXT(keynode, link))
{
dns_rdata_reset(&rdata);
isc_buffer_init(&b, data, sizeof(data));
result = dns_dnssec_sign(domain, &rdataset, keynode->key,
&starttime, &endtime, mctx, &b,
&rdata);
isc_entropy_stopcallbacksources(ectx);
if (result != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(keynode->key, keystr, sizeof(keystr));
fatal("failed to sign keyset with key %s: %s",
keystr, isc_result_totext(result));
}
if (tryverify) {
result = dns_dnssec_verify(domain, &rdataset,
keynode->key, ISC_TRUE,
mctx, &rdata);
if (result != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(keynode->key, keystr, sizeof(keystr));
fatal("signature from key '%s' failed to "
"verify: %s",
keystr, isc_result_totext(result));
}
}
tuple = NULL;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
domain, ttl, &rdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
}
result = dns_diff_apply(&diff, db, version);
check_result(result, "dns_diff_apply");
dns_diff_clear(&diff);
dns_rdataset_disassociate(&rdataset);
dns_db_closeversion(db, &version, ISC_TRUE);
result = dns_db_dump(db, version, output);
if (result != ISC_R_SUCCESS) {
char domainstr[DNS_NAME_FORMATSIZE];
dns_name_format(domain, domainstr, sizeof(domainstr));
fatal("failed to write database for %s to %s",
domainstr, output);
}
printf("%s\n", output);
dns_db_detach(&db);
while (!ISC_LIST_EMPTY(keylist)) {
keynode = ISC_LIST_HEAD(keylist);
ISC_LIST_UNLINK(keylist, keynode, link);
dst_key_free(&keynode->key);
isc_mem_put(mctx, keynode, sizeof(keynode_t));
}
cleanup_logging(&log);
cleanup_entropy(&ectx);
isc_mem_free(mctx, output);
dst_lib_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_destroy(&mctx);
return (0);
}
