Permalink
Browse files

allow common signing key

  • Loading branch information...
1 parent 03281d9 commit 558ff848c5f17594a63089ce722e2e15c02e2a47 @mind04 mind04 committed with mind04 Apr 4, 2016
Showing with 34 additions and 33 deletions.
  1. +34 −33 pdns/pdnssec.cc
View
@@ -1023,18 +1023,14 @@ bool secureZone(DNSSECKeeper& dk, const std::string& zone)
throw runtime_error("KSK key size must be equal to or greater than 0");
}
- if (k_algos.size() < 1) {
- throw runtime_error("No algorithm(s) given for KSK");
+ if (k_algos.size() < 1 && z_algos.size() < 1) {
+ throw runtime_error("Zero algorithms given for KSK+ZSK in total");
}
if (z_size < 0) {
throw runtime_error("ZSK key size must be equal to or greater than 0");
}
- if (z_algos.size() < 1) {
- throw runtime_error("No algorithm(s) given for ZSK");
- }
-
if(dk.isSecuredZone(zone)) {
cerr << "Zone '"<<zone<<"' already secure, remove keys with pdnssec remove-zone-key if needed"<<endl;
return false;
@@ -1054,42 +1050,47 @@ bool secureZone(DNSSECKeeper& dk, const std::string& zone)
}
if (k_size)
- cout << "Securing zone with " << k_algos[0] << " algorithm with key size " << k_size << endl;
+ cout << "Securing zone with key size " << k_size << endl;
else
- cout << "Securing zone with " << k_algos[0] << " algorithm with default key size" << endl;
-
- // run secure-zone with first default algorith, then add keys
- if(!dk.secureZone(zone, shorthand2algorithm(k_algos[0]), k_size)) {
- cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl;
- cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl;
- cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl;
- cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl;
- return false;
- }
+ cout << "Securing zone with default key size" << endl;
- if(!dk.isSecuredZone(zone)) {
- cerr<<"Failed to secure zone. Is your backend dnssec enabled? (set "<<endl;
- cerr<<"gsqlite3-dnssec, or gmysql-dnssec etc). Check this first."<<endl;
- cerr<<"If you run with the BIND backend, make sure you have configured"<<endl;
- cerr<<"it to use DNSSEC with 'bind-dnssec-db=/path/fname' and"<<endl;
- cerr<<"'pdnssec create-bind-db /path/fname'!"<<endl;
- return false;
- }
+ BOOST_FOREACH(string k_algo, k_algos)
+ {
+ cout << "Adding KSK with algorithm " << k_algo << endl;
- DNSSECKeeper::keyset_t zskset=dk.getKeys(zone, false);
+ int algo = shorthand2algorithm(k_algo);
- if(!zskset.empty()) {
- cerr<<"There were ZSKs already for zone '"<<zone<<"', no need to add more"<<endl;
- return false;
+ if(!dk.addKey(zone, true, algo, k_size, true)) {
+ cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl;
+ cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl;
+ cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl;
+ cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl;
+ return false;
+ }
}
-
- for(vector<string>::iterator i = k_algos.begin()+1; i != k_algos.end(); i++)
- dk.addKey(zone, true, shorthand2algorithm(*i), k_size, true); // obvious errors will have been caught above
BOOST_FOREACH(string z_algo, z_algos)
{
+ cout << "Adding ZSK with algorithm " << z_algo << endl;
+
int algo = shorthand2algorithm(z_algo);
- dk.addKey(zone, false, algo, z_size);
+
+ if(!dk.addKey(zone, false, algo, z_size, true)) {
+ cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl;
+ cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl;
+ cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl;
+ cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl;
+ return false;
+ }
+ }
+
+ if(!dk.isSecuredZone(zone)) {
+ cerr<<"Failed to secure zone. Is your backend dnssec enabled? (set "<<endl;
+ cerr<<"gsqlite3-dnssec, or gmysql-dnssec etc). Check this first."<<endl;
+ cerr<<"If you run with the BIND backend, make sure you have configured"<<endl;
+ cerr<<"it to use DNSSEC with 'bind-dnssec-db=/path/fname' and"<<endl;
+ cerr<<"'pdnsutil create-bind-db /path/fname'!"<<endl;
+ return false;
}
// rectifyZone(dk, zone);

0 comments on commit 558ff84

Please sign in to comment.