
support single-type ZSK signing

1 parent 92cef2d commit 003aae580d9034f666ba39a6a6b8ecd7453b928a @mind04 mind04 committed with mind04 Jan 5, 2015
Showing with 17 additions and 14 deletions.
  1. +2 −2 pdns/dbdnsseckeeper.cc
  2. +2 −2 pdns/dnssecinfra.hh
  3. +13 −10 pdns/dnssecsigner.cc
@@ -54,8 +54,8 @@ bool DNSSECKeeper::isSecuredZone(const std::string& zone)
if(isPresigned(zone))
return true;
- keyset_t keys = getKeys(zone, true); // does the cache
-
+ keyset_t keys = getKeys(zone); // does the cache
+
BOOST_FOREACH(keyset_t::value_type& val, keys) {
if(val.second.active) {
return true;
@@ -121,8 +121,8 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
uint32_t getStartOfWeek();
void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace,
vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
- vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc, bool ksk);
+int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
+ vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc);
std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const std::string& qname);
void decodeDERIntegerSequence(const std::string& input, vector<string>& output);
@@ -32,8 +32,8 @@ extern StatBag S;
/* this is where the RRSIGs begin, keys are retrieved,
but the actual signing happens in fillOutRRSIG */
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
- vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent>& rrcs, bool ksk)
+int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
+ vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent>& rrcs)
{
if(toSign.empty())
return -1;
@@ -60,21 +60,24 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
rrc.d_algorithm = keymeta.first.d_algorithm;
if(!keymeta.second.active)
continue;
-
+
if(keymeta.second.keyOrZone)
KSKs.push_back(keymeta.first);
- else if(!ksk)
+ else
ZSKs.push_back(keymeta.first);
}
- if(ksk)
- signingKeys = &KSKs;
- else {
+ if(signQType == QType::DNSKEY) {
+ if(KSKs.empty())
+ signingKeys = &ZSKs;
+ else
+ signingKeys = &KSKs;
+ } else {
if(ZSKs.empty())
signingKeys = &KSKs;
else
- signingKeys =&ZSKs;
+ signingKeys = &ZSKs;
}
-
+
BOOST_FOREACH(DNSSECPrivateKey& dpk, *signingKeys) {
fillOutRRSIG(dpk, signQName, rrc, toSign);
rrcs.push_back(rrc);
@@ -96,7 +99,7 @@ void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, c
dk.getPreRRSIGs(db, signer, signQName, wildcardname, QType(signQType), signPlace, outsigned, origTTL); // does it all
}
else {
- if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs, signQType == QType::DNSKEY) < 0) {
+ if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs) < 0) {
// cerr<<"Error signing a record!"<<endl;
return;
}
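Review bot: The key-selection policy in the `if(signQType == QType::DNSKEY)` branch of getRRSIGsForRRSET (KSKs sign the DNSKEY RRset, ZSKs sign everything else, each set falling back to the other when it is empty) is what makes a ZSK-only or KSK-only zone validate, and it deserves a comment saying so, e.g. `// Single-type signing: with no active KSK the ZSKs sign DNSKEY (the parent DS must then point at a ZSK); with no active ZSK the KSKs sign the zone data.` If this server serves CDS/CDNSKEY RRsets, RFC 7344 §4.1 requires those to be signed by a key that the parent's DS covers, i.e. the same keys chosen for DNSKEY here, so the condition would need to become `signQType == QType::DNSKEY || signQType == QType::CDS || signQType == QType::CDNSKEY` — only if those QType constants exist in this tree. When both KSKs and ZSKs are empty the BOOST_FOREACH loop emits no RRSIG at all, and since the only early return visible is the one for an empty toSign, addSignature's `< 0` check presumably cannot tell an unsigned result from a signed one; an explicit `if(signingKeys->empty()) return -1;` before the loop would make that failure visible. The function's tail, including its return value, lies outside the hunk.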
