
merge #476 by Aki Tuomi, providing default-ksk/zsk-algorithms/size co…

…nfiguration parameters for pdnssec. Also cleans up some duplicate code

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@3112 d19b8d6e-7fed-0310-83ef-9ca221ded41b
1 parent 2f2b014 commit 36758d25ce712a7ef408c1362bf74519c36236cf @Habbie Habbie committed Mar 7, 2013
Showing with 77 additions and 22 deletions.
  1. +4 −0 pdns/common_startup.cc
  2. +2 −2 pdns/dbdnsseckeeper.cc
  3. +1 −1 pdns/dnsseckeeper.hh
  4. +70 −19 pdns/pdnssec.cc
@@ -138,6 +138,10 @@ void declareArguments()
::arg().setSwitch("traceback-handler","Enable the traceback handler (Linux only)")="yes";
::arg().setSwitch("experimental-direct-dnskey","EXPERIMENTAL: fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+ ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256";
+ ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
+ ::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
}
void declareStats(void)
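Review bot: The description string for `default-zsk-size` on the fourth added line is a copy of the KSK one, so whatever renders these descriptions (presumably the argument help) will label the ZSK size as "Default KSK size"; it should read `::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";`. The same four set() calls, with the same mislabelled description, are added again in loadMainConfig() in pdnssec.cc, so either fix both or keep a single declaration. declareArguments() begins before the hunk.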
@@ -347,10 +347,10 @@ DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const std::string& zone, boost::tri
return retkeyset;
}
-bool DNSSECKeeper::secureZone(const std::string& name, int algorithm)
+bool DNSSECKeeper::secureZone(const std::string& name, int algorithm, int size)
{
clearCaches(name); // just to be sure ;)
- return addKey(name, true, algorithm);
+ return addKey(name, true, algorithm, size);
}
bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname,
@@ -75,7 +75,7 @@ public:
bool activateKey(const std::string& zname, unsigned int id);
bool deactivateKey(const std::string& zname, unsigned int id);
- bool secureZone(const std::string& fname, int algorithm);
+ bool secureZone(const std::string& fname, int algorithm, int size);
bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
bool setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
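Review bot: The new `size` parameter of `secureZone` is undocumented at the declaration, and the definition in dbdnsseckeeper.cc only forwards it to addKey() without any range check, so a reader has to find the `default-ksk-size` description in common_startup.cc to learn that 0 means the default. A comment on the declaration, `// size: key size in bits; 0 selects the default` (the add-zone-key code calls the same value `bits`), would make the contract visible where callers look. The enclosing class declaration starts before the hunk.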
@@ -42,6 +42,22 @@ string humanTime(time_t t)
return ret;
}
+static int shorthand2algorithm(const string &algorithm)
+{
+ if (!algorithm.compare("rsamd5")) return 1;
+ if (!algorithm.compare("dh")) return 2;
+ if (!algorithm.compare("dsa")) return 3;
+ if (!algorithm.compare("ecc")) return 4;
+ if (!algorithm.compare("rsasha1")) return 5;
+ if (!algorithm.compare("rsasha256")) return 8;
+ if (!algorithm.compare("rsasha512")) return 10;
+ if (!algorithm.compare("gost")) return 12;
+ if (!algorithm.compare("ecdsa256")) return 13;
+ if (!algorithm.compare("ecdsa384")) return 14;
+ if (!algorithm.compare("ed25519")) return 250;
+ return -1;
+}
+
void loadMainConfig(const std::string& configdir)
{
::arg().set("config-dir","Location of configuration directory (pdns.conf)")=configdir;
@@ -64,6 +80,11 @@ void loadMainConfig(const std::string& configdir)
string configname=::arg()["config-dir"]+"/"+s_programname+".conf";
cleanSlashes(configname);
+
+ ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256";
+ ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
+ ::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
::arg().set("module-dir","Default directory for modules")=LIBDIR;
@@ -568,6 +589,33 @@ void showZone(DNSSECKeeper& dk, const std::string& zone)
bool secureZone(DNSSECKeeper& dk, const std::string& zone)
{
+ // parse attribute
+ vector<string> k_algos;
+ vector<string> z_algos;
+ int k_size;
+ int z_size;
+
+ stringtok(k_algos, ::arg()["default-ksk-algorithms"], " ,");
+ k_size = ::arg().asNum("default-ksk-size");
+ stringtok(z_algos, ::arg()["default-zsk-algorithms"], " ,");
+ z_size = ::arg().asNum("default-zsk-size");
+
+ if (k_size < 0) {
+ throw runtime_error("KSK key size must be equal to or greater than 0");
+ }
+
+ if (k_algos.size() < 1) {
+ throw runtime_error("No algorithm(s) given for KSK");
+ }
+
+ if (z_size < 0) {
+ throw runtime_error("ZSK key size must be equal to or greater than 0");
+ }
+
+ if (z_algos.size() < 1) {
+ throw runtime_error("No algorithm(s) given for ZSK");
+ }
+
if(dk.isSecuredZone(zone)) {
cerr << "Zone '"<<zone<<"' already secure, remove keys with pdnssec remove-zone-key if needed"<<endl;
return false;
@@ -586,7 +634,13 @@ bool secureZone(DNSSECKeeper& dk, const std::string& zone)
cout<<"pdnssec disable-dnssec "<<zone<<" right now!"<<endl;
}
- if(!dk.secureZone(zone, 8)) {
+ if (k_size)
+ cout << "Securing zone with " << k_algos[0] << " algorithm with key size " << k_size << endl;
+ else
+ cout << "Securing zone with " << k_algos[0] << " algorithm with default key size" << endl;
+
+ // run secure-zone with first default algorith, then add keys
+ if(!dk.secureZone(zone, shorthand2algorithm(k_algos[0]), k_size)) {
cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC\n";
cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled.\n";
cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or\n";
@@ -608,9 +662,17 @@ bool secureZone(DNSSECKeeper& dk, const std::string& zone)
cerr<<"There were ZSKs already for zone '"<<zone<<"', no need to add more"<<endl;
return false;
}
-
- dk.addKey(zone, false, 8);
- dk.addKey(zone, false, 8, 0, false); // not active
+
+ for(vector<string>::iterator i = k_algos.begin()+1; i != k_algos.end(); i++)
+ dk.addKey(zone, true, shorthand2algorithm(*i), k_size, true);
+
+ BOOST_FOREACH(string z_algo, z_algos)
+ {
+ int algo = shorthand2algorithm(z_algo);
+ dk.addKey(zone, false, algo, z_size);
+ dk.addKey(zone, false, algo, z_size, false); // not active
+ }
+
// rectifyZone(dk, zone);
// showZone(dk, zone);
cout<<"Zone "<<zone<<" secured"<<endl;
@@ -931,28 +993,17 @@ try
const string& zone=cmds[1];
// need to get algorithm, bits & ksk or zsk from commandline
bool keyOrZone=false;
+ int tmp_algo=0;
int bits=0;
int algorithm=8;
for(unsigned int n=2; n < cmds.size(); ++n) {
if(pdns_iequals(cmds[n], "zsk"))
keyOrZone = false;
else if(pdns_iequals(cmds[n], "ksk"))
keyOrZone = true;
- else if(pdns_iequals(cmds[n], "rsasha1"))
- algorithm=5;
- else if(pdns_iequals(cmds[n], "rsasha256"))
- algorithm=8;
- else if(pdns_iequals(cmds[n], "rsasha512"))
- algorithm=10;
- else if(pdns_iequals(cmds[n], "gost"))
- algorithm=12;
- else if(pdns_iequals(cmds[n], "ecdsa256"))
- algorithm=13;
- else if(pdns_iequals(cmds[n], "ecdsa384"))
- algorithm=14;
- else if(pdns_iequals(cmds[n], "ed25519"))
- algorithm=250;
- else if(atoi(cmds[n].c_str()))
+ else if((tmp_algo = shorthand2algorithm(cmds[n]))>0) {
+ algorithm = tmp_algo;
+ } else if(atoi(cmds[n].c_str()))
bits = atoi(cmds[n].c_str());
else {
cerr<<"Unknown algorithm, key flag or size '"<<cmds[n]<<"'"<<endl;
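Review bot: The return value of shorthand2algorithm() is passed unchecked to dk.secureZone() and dk.addKey() in the secureZone hunk (the `k_algos[0]`, `*i` and `z_algo` calls), so a misspelled entry in default-ksk-algorithms or default-zsk-algorithms yields -1 and the zone is secured with an invalid algorithm number instead of a configuration error; the checks on k_size/z_size and on empty lists do not cover this. The add-zone-key hunk at the end does guard with `>0`, but by replacing pdns_iequals() with an exact std::string::compare it also makes the names case-sensitive, so a command-line `RSASHA256` now falls through to "Unknown algorithm"; using `pdns_iequals(algorithm, "rsasha256")` and friends inside shorthand2algorithm would keep the old behaviour. Note also that the new table accepts `dh` (2), which is not a signing algorithm, and `rsamd5`, which is long discouraged for DNSSEC signing, so presumably neither should be selectable as a default. The validation below, placed right after the stringtok() calls in secureZone, rejects unknown names before any key is created.
```cpp
bool secureZone(DNSSECKeeper& dk, const std::string& zone)
{
  // … unchanged: tokenise default-*-algorithms, read default-*-size …
  BOOST_FOREACH(const string& algo, k_algos) {
    if (shorthand2algorithm(algo) < 0)
      throw runtime_error("Unknown KSK algorithm '" + algo + "' in default-ksk-algorithms");
  }
  BOOST_FOREACH(const string& algo, z_algos) {
    if (shorthand2algorithm(algo) < 0)
      throw runtime_error("Unknown ZSK algorithm '" + algo + "' in default-zsk-algorithms");
  }
  // … unchanged: size checks, isSecuredZone check, dk.secureZone / addKey calls …
```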

