ldns-signzone.c
Go to the documentation of this file.
1/*
2 * ldns-signzone signs a zone file
3 *
4 * (c) NLnet Labs, 2005 - 2008
5 * See the file LICENSE for the license
6 */
7
8#include <stdio.h>
9
10#include "config.h"
11
12#ifdef HAVE_SSL
13
14#include <stdlib.h>
15#include <unistd.h>
16
17#include <errno.h>
18
19#include <time.h>
20
21#include <ldns/ldns.h>
22#include <ldns/keys.h>
23
24#include <openssl/conf.h>
25#if defined(HAVE_OPENSSL_ENGINE_H) && !defined(OPENSSL_NO_ENGINE)
26#include <openssl/engine.h>
27#else
28# ifndef OPENSSL_NO_ENGINE
29# define OPENSSL_NO_ENGINE
30# endif
31#endif
32#include <openssl/err.h>
33
34#define MAX_FILENAME_LEN 250
35
36char *prog;
37int verbosity = 1;
38
39static void
40usage(FILE *fp, const char *prog) {
41 fprintf(fp, "%s [OPTIONS] zonefile key [key [key]]\n", prog);
42 fprintf(fp, " signs the zone with the given key(s)\n");
43 fprintf(fp, " -b\t\tuse layout in signed zone and print comments DNSSEC records\n");
44 fprintf(fp, " -d\t\tused keys are not added to the zone\n");
45 fprintf(fp, " -e <date>\texpiration date\n");
46 fprintf(fp, " -f <file>\toutput zone to file (default <name>.signed)\n");
47 fprintf(fp, " -i <date>\tinception date\n");
48 fprintf(fp, " -o <domain>\torigin for the zone\n");
49 fprintf(fp, " -u\t\tset SOA serial to the number of seconds since 1-1-1970\n");
50 fprintf(fp, " -v\t\tprint version and exit\n");
51 fprintf(fp, " -z <[scheme:]hash>\tAdd ZONEMD resource record\n");
52 fprintf(fp, "\t\t<scheme> should be \"simple\" (or 1)\n");
53 fprintf(fp, "\t\t<hash> should be \"sha384\" or \"sha512\" (or 1 or 2)\n");
54 fprintf(fp, "\t\tthis option can be given more than once\n");
55 fprintf(fp, " -Z\t\tAllow ZONEMDs to be added without signing\n");
56 fprintf(fp, " -A\t\tsign DNSKEY with all keys instead of minimal\n");
57 fprintf(fp, " -U\t\tSign with every unique algorithm in the provided keys\n");
58#ifndef OPENSSL_NO_ENGINE
59 fprintf(fp, " -E <name>\tuse <name> as the crypto engine for signing\n");
60 fprintf(fp, " \tThis can have a lot of extra options, see the manual page for more info\n");
61 fprintf(fp, " -k <algorithm>,<key>\tuse `key' with `algorithm' from engine as ZSK\n");
62 fprintf(fp, " -K <algorithm>,<key>\tuse `key' with `algorithm' from engine as KSK\n");
63#endif
64 fprintf(fp, " -n\t\tuse NSEC3 instead of NSEC.\n");
65 fprintf(fp, "\t\tIf you use NSEC3, you can specify the following extra options:\n");
66 fprintf(fp, "\t\t-a [algorithm] hashing algorithm\n");
67 fprintf(fp, "\t\t-t [number] number of hash iterations\n");
68 fprintf(fp, "\t\t-s [string] salt\n");
69 fprintf(fp, "\t\t-p set the opt-out flag on all nsec3 rrs\n");
70 fprintf(fp, "\n");
71 fprintf(fp, " keys must be specified by their base name (usually K<name>+<alg>+<id>),\n");
72 fprintf(fp, " i.e. WITHOUT the .private extension.\n");
73 fprintf(fp, " If the public part of the key is not present in the zone, the DNSKEY RR\n");
74 fprintf(fp, " will be read from the file called <base name>.key. If that does not exist,\n");
75 fprintf(fp, " a default DNSKEY will be generated from the private key and added to the zone.\n");
76 fprintf(fp, " A date can be a timestamp (seconds since the epoch), or of\n the form <YYYYMMdd[hhmmss]>\n");
77#ifndef OPENSSL_NO_ENGINE
78 fprintf(fp, " For -k or -K, the algorithm can be specified as an integer or a symbolic name:" );
79
80#define __LIST(x) fprintf ( fp, " %3d: %-15s", LDNS_SIGN_ ## x, # x )
81
82 fprintf ( fp, "\n " );
83 __LIST ( RSAMD5 );
84#ifdef USE_DSA
85 __LIST ( DSA );
86#endif
87 __LIST ( RSASHA1 );
88 fprintf ( fp, "\n " );
89#ifdef USE_DSA
90 __LIST ( DSA_NSEC3 );
91#endif
92 __LIST ( RSASHA1_NSEC3 );
93 __LIST ( RSASHA256 );
94 fprintf ( fp, "\n " );
95 __LIST ( RSASHA512 );
96 __LIST ( ECC_GOST );
97 __LIST ( ECDSAP256SHA256 );
98 fprintf ( fp, "\n " );
99 __LIST ( ECDSAP384SHA384 );
100
101#ifdef USE_ED25519
102 __LIST ( ED25519 );
103#endif
104
105#ifdef USE_ED448
106 __LIST ( ED448 );
107#endif
108 fprintf ( fp, "\n" );
109
110#undef __LIST
111#endif
112}
113
114static void check_tm(struct tm tm)
115{
116 if (tm.tm_year < 70) {
117 fprintf(stderr, "You cannot specify dates before 1970\n");
118 exit(EXIT_FAILURE);
119 }
120 if (tm.tm_mon < 0 || tm.tm_mon > 11) {
121 fprintf(stderr, "The month must be in the range 1 to 12\n");
122 exit(EXIT_FAILURE);
123 }
124 if (tm.tm_mday < 1 || tm.tm_mday > 31) {
125 fprintf(stderr, "The day must be in the range 1 to 31\n");
126 exit(EXIT_FAILURE);
127 }
128
129 if (tm.tm_hour < 0 || tm.tm_hour > 23) {
130 fprintf(stderr, "The hour must be in the range 0-23\n");
131 exit(EXIT_FAILURE);
132 }
133
134 if (tm.tm_min < 0 || tm.tm_min > 59) {
135 fprintf(stderr, "The minute must be in the range 0-59\n");
136 exit(EXIT_FAILURE);
137 }
138
139 if (tm.tm_sec < 0 || tm.tm_sec > 59) {
140 fprintf(stderr, "The second must be in the range 0-59\n");
141 exit(EXIT_FAILURE);
142 }
143
144}
145
146/*
147 * if the ttls are different, make them equal
148 * if one of the ttls equals LDNS_DEFAULT_TTL, that one is changed
149 * otherwise, rr2 will get the ttl of rr1
150 *
151 * prints a warning if a non-default TTL is changed
152 */
153static void
154equalize_ttls(ldns_rr *rr1, ldns_rr *rr2, uint32_t default_ttl)
155{
156 uint32_t ttl1, ttl2;
157
158 ttl1 = ldns_rr_ttl(rr1);
159 ttl2 = ldns_rr_ttl(rr2);
160
161 if (ttl1 != ttl2) {
162 if (ttl1 == default_ttl) {
163 ldns_rr_set_ttl(rr1, ttl2);
164 } else if (ttl2 == default_ttl) {
165 ldns_rr_set_ttl(rr2, ttl1);
166 } else {
167 ldns_rr_set_ttl(rr2, ttl1);
168 fprintf(stderr,
169 "warning: changing non-default TTL %u to %u\n",
170 (unsigned int) ttl2, (unsigned int) ttl1);
171 }
172 }
173}
174
175static void
176equalize_ttls_rr_list(ldns_rr_list *rr_list, ldns_rr *rr, uint32_t default_ttl)
177{
178 size_t i;
179 ldns_rr *cur_rr;
180
181 for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
182 cur_rr = ldns_rr_list_rr(rr_list, i);
183 if (ldns_rr_compare_no_rdata(cur_rr, rr) == 0) {
184 equalize_ttls(cur_rr, rr, default_ttl);
185 }
186 }
187}
188
189static ldns_rr *
190find_key_in_zone(ldns_rr *pubkey_gen, ldns_zone *zone) {
191 size_t key_i;
192 ldns_rr *pubkey;
193
194 for (key_i = 0;
195 key_i < ldns_rr_list_rr_count(ldns_zone_rrs(zone));
196 key_i++) {
197 pubkey = ldns_rr_list_rr(ldns_zone_rrs(zone), key_i);
198 if (ldns_rr_get_type(pubkey) == LDNS_RR_TYPE_DNSKEY &&
199 (ldns_calc_keytag(pubkey)
200 ==
201 ldns_calc_keytag(pubkey_gen) ||
202 /* KSK has gen-keytag + 1 */
203 ldns_calc_keytag(pubkey)
204 ==
205 ldns_calc_keytag(pubkey_gen) + 1)
206 ) {
207 if (verbosity >= 2) {
208 fprintf(stderr, "Found it in the zone!\n");
209 }
210 return pubkey;
211 }
212 }
213 return NULL;
214}
215
216static ldns_rr *
217find_key_in_file(const char *keyfile_name_base, ldns_key* ATTR_UNUSED(key),
218 uint32_t zone_ttl)
219{
220 char *keyfile_name;
221 FILE *keyfile;
222 int line_nr;
223 uint32_t default_ttl = zone_ttl;
224
225 ldns_rr *pubkey = NULL;
226 keyfile_name = LDNS_XMALLOC(char,
227 strlen(keyfile_name_base) + 5);
228 snprintf(keyfile_name,
229 strlen(keyfile_name_base) + 5,
230 "%s.key",
231 keyfile_name_base);
232 if (verbosity >= 2) {
233 fprintf(stderr, "Trying to read %s\n", keyfile_name);
234 }
235 keyfile = fopen(keyfile_name, "r");
236 line_nr = 0;
237 if (keyfile) {
238 if (ldns_rr_new_frm_fp_l(&pubkey,
239 keyfile,
240 &default_ttl,
241 NULL,
242 NULL,
243 &line_nr) ==
244 LDNS_STATUS_OK) {
245 if (verbosity >= 2) {
246 printf("Key found in file: %s\n", keyfile_name);
247 }
248 }
249 fclose(keyfile);
250 }
251 LDNS_FREE(keyfile_name);
252 return pubkey;
253}
254
255/* this function tries to find the specified keys either in the zone that
256 * has been read, or in a <basename>.key file. If the key is not found,
257 * a public key is generated, and it is assumed the key is a ZSK
258 *
259 * if add_keys is true; the DNSKEYs are added to the zone prior to signing
260 * if it is false, they are not added.
261 * Even if keys are not added, the function is still needed, to check
262 * whether keys of which we only have key data are KSKs or ZSKS
263 */
264static void
265find_or_create_pubkey(const char *keyfile_name_base, ldns_key *key, ldns_zone *orig_zone, bool add_keys, uint32_t default_ttl) {
266 ldns_rr *pubkey_gen, *pubkey;
267 int key_in_zone;
268
269 if (default_ttl == LDNS_DEFAULT_TTL) {
270 default_ttl = ldns_rr_ttl(ldns_zone_soa(orig_zone));
271 }
272
273 if (!ldns_key_pubkey_owner(key)) {
274 ldns_key_set_pubkey_owner(key, ldns_rdf_clone(ldns_rr_owner(ldns_zone_soa(orig_zone))));
275 }
276
277 /* find the public key in the zone, or in a
278 * separate file
279 * we 'generate' one anyway,
280 * then match that to any present in the zone,
281 * if it matches, we drop our own. If not,
282 * we try to see if there is a .key file present.
283 * If not, we use our own generated one, with
284 * some default values
285 *
286 * Even if -d (do-not-add-keys) is specified,
287 * we still need to do this, because we need
288 * to have any key flags that are set this way
289 */
290 pubkey_gen = ldns_key2rr(key);
291 ldns_rr_set_ttl(pubkey_gen, default_ttl);
292
293 if (verbosity >= 2) {
294 fprintf(stderr,
295 "Looking for key with keytag %u or %u\n",
296 (unsigned int) ldns_calc_keytag(pubkey_gen),
297 (unsigned int) ldns_calc_keytag(pubkey_gen)+1
298 );
299 }
300
301 pubkey = find_key_in_zone(pubkey_gen, orig_zone);
302 key_in_zone = 1;
303 if (!pubkey) {
304 key_in_zone = 0;
305 /* it was not in the zone, try to read a .key file */
306 pubkey = find_key_in_file(keyfile_name_base, key, default_ttl);
307 if (!pubkey && !(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
308 /* maybe it is a ksk? */
309 ldns_key_set_keytag(key, ldns_key_keytag(key) + 1);
310 pubkey = find_key_in_file(keyfile_name_base, key, default_ttl);
311 if (!pubkey) {
312 /* ok, no file, set back to ZSK */
313 ldns_key_set_keytag(key, ldns_key_keytag(key) - 1);
314 }
315 }
316 if(pubkey && ldns_dname_compare(ldns_rr_owner(pubkey), ldns_rr_owner(ldns_zone_soa(orig_zone))) != 0) {
317 fprintf(stderr, "Error %s.key has wrong name: %s\n",
318 keyfile_name_base, ldns_rdf2str(ldns_rr_owner(pubkey)));
319 exit(EXIT_FAILURE); /* leak rdf2str, but we exit */
320 }
321 }
322
323 if (!pubkey) {
324 /* okay, no public key found,
325 just use our generated one */
326 pubkey = pubkey_gen;
327 if (verbosity >= 2) {
328 fprintf(stderr, "Not in zone, no .key file, generating ZSK DNSKEY from private key data\n");
329 }
330 } else {
331 ldns_rr_free(pubkey_gen);
332 }
333 ldns_key_set_flags(key, ldns_rdf2native_int16(ldns_rr_rdf(pubkey, 0)));
334 ldns_key_set_keytag(key, ldns_calc_keytag(pubkey));
335
336 if (add_keys && !key_in_zone) {
337 equalize_ttls_rr_list(ldns_zone_rrs(orig_zone), pubkey, default_ttl);
338 ldns_zone_push_rr(orig_zone, pubkey);
339 }
340}
341
342#ifndef OPENSSL_NO_ENGINE
343/*
344 * For keys coming from the engine (-k or -K), parse algorithm specification.
345 */
346static enum ldns_enum_signing_algorithm
347parse_algspec ( const char * const p )
348{
349 if ( p == NULL )
350 return 0;
351
352 if ( isdigit ( (const unsigned char)*p ) ) {
353 const char *nptr = NULL;
354 const long id = strtol ( p, (char **) &nptr, 10 );
355 return id > 0 && nptr != NULL && *nptr == ',' ? id : 0;
356 }
357
358#define __MATCH(x) \
359 if ( !memcmp ( # x, p, sizeof ( # x ) - 1 ) \
360 && p [ sizeof ( # x ) - 1 ] == ',' ) { \
361 return LDNS_SIGN_ ## x; \
362 }
363
364 __MATCH ( RSAMD5 );
365 __MATCH ( RSASHA1 );
366#ifdef USE_DSA
367 __MATCH ( DSA );
368#endif
369 __MATCH ( RSASHA1_NSEC3 );
370 __MATCH ( RSASHA256 );
371 __MATCH ( RSASHA512 );
372#ifdef USE_DSA
373 __MATCH ( DSA_NSEC3 );
374#endif
375 __MATCH ( ECC_GOST );
376 __MATCH ( ECDSAP256SHA256 );
377 __MATCH ( ECDSAP384SHA384 );
378
379#ifdef USE_ED25519
380 __MATCH ( ED25519 );
381#endif
382
383#ifdef USE_ED448
384 __MATCH ( ED448 );
385#endif
386
387#undef __MATCH
388
389 return 0;
390}
391
392/*
393 * For keys coming from the engine (-k or -K), parse key specification
394 * in the form of <algorithm>,<key-id>. No whitespace is allowed
395 * between <algorithm> and the comma, and between the comma and
396 * <key-id>. <key-id> format is specific to the engine at hand, i.e.
397 * it can be the old OpenSC syntax or a PKCS #11 URI as defined in RFC 7512
398 * and (partially) supported by OpenSC (as of 20180312).
399 */
400static const char *
401parse_keyspec ( const char * const p,
402 enum ldns_enum_signing_algorithm * const algorithm,
403 const char ** const id )
404{
405 const char * const comma = strchr ( p, ',' );
406
407 if ( comma == NULL || !(*algorithm = parse_algspec ( p )) )
408 return NULL;
409 return comma [ 1 ] ? *id = comma + 1 : NULL;
410}
411
412/*
413 * Load a key from the engine.
414 */
415static ldns_key *
416load_key ( const char * const p, ENGINE * const e )
417{
418 enum ldns_enum_signing_algorithm alg = 0;
419 const char *id = NULL;
420 ldns_status status = LDNS_STATUS_ERR;
421 ldns_key *key = NULL;
422
423 /* Parse key specification. */
424 if ( parse_keyspec ( p, &alg, &id ) == NULL ) {
425 fprintf ( stderr,
426 "Failed to parse key specification `%s'.\n",
427 p );
428 usage ( stderr, prog );
429 exit ( EXIT_FAILURE );
430 }
431
432 /* Validate that the algorithm can be used for signing. */
433 switch ( alg ) {
434 case LDNS_SIGN_RSAMD5:
435 case LDNS_SIGN_RSASHA1:
436 case LDNS_SIGN_RSASHA1_NSEC3:
437 case LDNS_SIGN_RSASHA256:
438 case LDNS_SIGN_RSASHA512:
439#ifdef USE_DSA
440 case LDNS_SIGN_DSA:
441 case LDNS_SIGN_DSA_NSEC3:
442#endif
443 case LDNS_SIGN_ECC_GOST:
444#ifdef USE_ECDSA
445 case LDNS_SIGN_ECDSAP256SHA256:
446 case LDNS_SIGN_ECDSAP384SHA384:
447#endif
448 break;
449 default:
450 fprintf ( stderr,
451 "Algorithm %d cannot be used for signing.\n",
452 alg );
453 usage ( stderr, prog );
454 exit ( EXIT_FAILURE );
455 }
456
457 printf ( "Engine key id: %s, algo %d\n", id, alg );
458
459 /* Attempt to load the key from the engine. */
460 status = ldns_key_new_frm_engine (
461 &key, e, (char *) id, (ldns_algorithm)alg );
462 if ( status != LDNS_STATUS_OK ) {
463 ERR_print_errors_fp ( stderr );
464 exit ( EXIT_FAILURE );
465 }
466
467 return key;
468}
469
470/*
471 * For keys coming from the engine (-k or -K), set key parameters
472 * and determine whether the key is listed in the zone file.
473 */
474static void
475post_process_engine_key ( ldns_key_list * const keys,
476 ldns_key * const key,
477 ldns_zone * const zone,
478 const bool add_keys,
479 const uint32_t ttl,
480 const uint32_t inception,
481 const uint32_t expiration )
482{
483 if ( key == NULL ) return;
484
485 if ( expiration ) ldns_key_set_expiration ( key, expiration );
486
487 if ( inception ) ldns_key_set_inception ( key, inception );
488
489 ldns_key_list_push_key ( keys, key );
490 find_or_create_pubkey ( "", key, zone, add_keys, ttl );
491}
492
493/*
494 * Initialize OpenSSL, for versions 1.1 and newer.
495 */
496static ENGINE *
497init_openssl_engine ( const char * const id )
498{
499 ENGINE *e = NULL;
500
501#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
502 ERR_load_crypto_strings();
503#endif
504#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) || !defined(HAVE_OPENSSL_INIT_CRYPTO)
505 OpenSSL_add_all_algorithms();
506#else
507 if ( !OPENSSL_init_crypto ( OPENSSL_INIT_LOAD_CONFIG, NULL ) ) {
508 fprintf ( stderr, "OPENSSL_init_crypto(3) failed.\n" );
509 ERR_print_errors_fp ( stderr );
510 exit ( EXIT_FAILURE );
511 }
512#endif
513
514 if ( (e = ENGINE_by_id ( id )) == NULL ) {
515 fprintf ( stderr, "ENGINE_by_id(3) failed.\n" );
516 ERR_print_errors_fp ( stderr );
517 exit ( EXIT_FAILURE );
518 }
519
520 if ( !ENGINE_set_default_DSA ( e ) ) {
521 fprintf ( stderr, "ENGINE_set_default_DSA(3) failed.\n" );
522 ERR_print_errors_fp ( stderr );
523 exit ( EXIT_FAILURE );
524 }
525
526 if ( !ENGINE_set_default_RSA ( e ) ) {
527 fprintf ( stderr, "ENGINE_set_default_RSA(3) failed.\n" );
528 ERR_print_errors_fp ( stderr );
529 exit ( EXIT_FAILURE );
530 }
531
532 return e;
533}
534
535/*
536 * De-initialize OpenSSL, for versions 1.1 and newer.
537 *
538 * All of that is not strictly necessary because the process exits
539 * anyway, however, when an engine is used, this is the only hope
540 * of letting the engine's driver know that the program terminates
541 * (for the fear that the driver's reference counting may go awry, etc.)
542 * Still, there is no guarantee that this function helps...
543 */
544static void
545shutdown_openssl ( ENGINE * const e )
546{
547 if ( e != NULL ) {
548#ifdef HAVE_ENGINE_FREE
549 ENGINE_free ( e );
550#endif
551#ifdef HAVE_ENGINE_CLEANUP
552 ENGINE_cleanup ();
553#endif
554 }
555
556#ifdef HAVE_CONF_MODULES_UNLOAD
557 CONF_modules_unload ( 1 );
558#endif
559#ifdef HAVE_EVP_CLEANUP
560 EVP_cleanup ();
561#endif
562#ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
563 CRYPTO_cleanup_all_ex_data ();
564#endif
565#ifdef HAVE_ERR_FREE_STRINGS
566 ERR_free_strings ();
567#endif
568}
569#endif
570
571int str2zonemd_signflag(const char *str, const char **reason)
572{
573 char *colon;
574
575 static const char *reasons[] = {
576 "Unknown <scheme>, should be \"simple\""
577 , "Syntax error in <hash>, should be \"sha384\" or \"sha512\""
578 , "Unknown <hash>, should be \"sha384\" or \"sha512\""
579 };
580
581 if (!str)
582 return LDNS_STATUS_NULL;
583
584 if ((colon = strchr(str, ':'))) {
585 if ((colon - str != 1 || str[0] != '1')
586 && (colon - str != 6 || strncasecmp(str, "simple", 6))) {
587 if (reason) *reason = reasons[0];
588 return 0;
589 }
590
591 if (strchr(colon + 1, ':')) {
592 if (reason) *reason = reasons[1];
593 return 0;
594 }
595 return str2zonemd_signflag(colon + 1, reason);
596 }
597 if (!strcasecmp(str, "1") || !strcasecmp(str, "sha384"))
598 return LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384;
599 if (!strcasecmp(str, "2") || !strcasecmp(str, "sha512"))
600 return LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512;
601
602 if (reason) *reason = reasons[2];
603 return 0;
604}
605
606int
607main(int argc, char *argv[])
608{
609 const char *zonefile_name;
610 FILE *zonefile = NULL;
611 int line_nr = 0;
612 int c;
613 int argi;
614#ifndef OPENSSL_NO_ENGINE
615 ENGINE *engine = NULL;
616#endif
617 ldns_zone *orig_zone;
618 ldns_rr_list *orig_rrs = NULL;
619 ldns_rr *orig_soa = NULL;
620 ldns_dnssec_zone *signed_zone;
621
622 char *keyfile_name_base;
623 char *keyfile_name = NULL;
624 FILE *keyfile = NULL;
625 ldns_key *key = NULL;
626#ifndef OPENSSL_NO_ENGINE
627 ldns_key *eng_ksk = NULL; /* KSK specified with -K */
628 ldns_key *eng_zsk = NULL; /* ZSK specified with -k */
629#endif
630 ldns_key_list *keys;
631 ldns_status s;
632 size_t i;
633 ldns_rr_list *added_rrs;
634
635 char *outputfile_name = NULL;
636 FILE *outputfile;
637
638 bool use_nsec3 = false;
639 int signflags = 0;
640 bool unixtime_serial = false;
641
642 /* Add the given keys to the zone if they are not yet present */
643 bool add_keys = true;
644 uint8_t nsec3_algorithm = 1;
645 uint8_t nsec3_flags = 0;
646 size_t nsec3_iterations_cmd = 1;
647 uint16_t nsec3_iterations = 1;
648 uint8_t nsec3_salt_length = 0;
649 uint8_t *nsec3_salt = NULL;
650
651 /* we need to know the origin before reading ksk's,
652 * so keep an array of filenames until we know it
653 */
654 struct tm tm;
655 uint32_t inception;
656 uint32_t expiration;
657 ldns_rdf *origin = NULL;
658 uint32_t ttl = LDNS_DEFAULT_TTL;
659 ldns_rr_class class = LDNS_RR_CLASS_IN;
660
661 ldns_status result;
662
663 ldns_output_format_storage fmt_st;
664 ldns_output_format* fmt = ldns_output_format_init(&fmt_st);
665
666 /* For parson zone digest parameters */
667 int flag;
668 const char *reason = NULL;
669
670 prog = strdup(argv[0]);
671 inception = 0;
672 expiration = 0;
673
674 keys = ldns_key_list_new();
675
676 while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:ZAUE:K:")) != -1) {
677 switch (c) {
678 case 'a':
679 nsec3_algorithm = (uint8_t) atoi(optarg);
680 if (nsec3_algorithm != 1) {
681 fprintf(stderr, "Bad NSEC3 algorithm, only RSASHA1 allowed\n");
682 exit(EXIT_FAILURE);
683 }
684 break;
685 case 'b':
686 ldns_output_format_set(fmt, LDNS_COMMENT_FLAGS
687 | LDNS_COMMENT_LAYOUT
688 | LDNS_COMMENT_NSEC3_CHAIN
689 | LDNS_COMMENT_BUBBLEBABBLE);
690 break;
691 case 'd':
692 add_keys = false;
693 break;
694 case 'e':
695 /* try to parse YYYYMMDD first,
696 * if that doesn't work, it
697 * should be a timestamp (seconds since epoch)
698 */
699 memset(&tm, 0, sizeof(tm));
700
701 if (strlen(optarg) == 8 &&
702 sscanf(optarg, "%4d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday)
703 ) {
704 tm.tm_year -= 1900;
705 tm.tm_mon--;
706 check_tm(tm);
707 expiration =
708 (uint32_t) ldns_mktime_from_utc(&tm);
709 } else if (strlen(optarg) == 14 &&
710 sscanf(optarg, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec)
711 ) {
712 tm.tm_year -= 1900;
713 tm.tm_mon--;
714 check_tm(tm);
715 expiration =
716 (uint32_t) ldns_mktime_from_utc(&tm);
717 } else {
718 expiration = (uint32_t) atol(optarg);
719 }
720 break;
721 case 'f':
722 outputfile_name = LDNS_XMALLOC(char, MAX_FILENAME_LEN + 1);
723 strncpy(outputfile_name, optarg, MAX_FILENAME_LEN);
724 break;
725 case 'i':
726 memset(&tm, 0, sizeof(tm));
727
728 if (strlen(optarg) == 8 &&
729 sscanf(optarg, "%4d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday)
730 ) {
731 tm.tm_year -= 1900;
732 tm.tm_mon--;
733 check_tm(tm);
734 inception =
735 (uint32_t) ldns_mktime_from_utc(&tm);
736 } else if (strlen(optarg) == 14 &&
737 sscanf(optarg, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec)
738 ) {
739 tm.tm_year -= 1900;
740 tm.tm_mon--;
741 check_tm(tm);
742 inception =
743 (uint32_t) ldns_mktime_from_utc(&tm);
744 } else {
745 inception = (uint32_t) atol(optarg);
746 }
747 break;
748 case 'n':
749 use_nsec3 = true;
750 break;
751 case 'o':
752 if (ldns_str2rdf_dname(&origin, optarg) != LDNS_STATUS_OK) {
753 fprintf(stderr, "Bad origin, not a correct domain name\n");
754 usage(stderr, prog);
755 exit(EXIT_FAILURE);
756 }
757 break;
758 case 'p':
759 nsec3_flags = nsec3_flags | LDNS_NSEC3_VARS_OPTOUT_MASK;
760 break;
761 case 'u':
762 unixtime_serial = true;
763 break;
764 case 'v':
765 printf("zone signer version %s (ldns version %s)\n", LDNS_VERSION, ldns_version());
766 exit(EXIT_SUCCESS);
767 break;
768 case 'z':
769 flag = str2zonemd_signflag(optarg, &reason);
770 if (flag)
771 signflags |= flag;
772 else {
773 fprintf( stderr
774 , "%s\nwith zone digest parameters:"
775 " \"%s\"\n"
776 , reason, optarg);
777 exit(EXIT_FAILURE);
778 }
779 break;
780 case 'Z':
781 signflags |= LDNS_SIGN_NO_KEYS_NO_NSECS;
782 break;
783 case 'A':
784 signflags |= LDNS_SIGN_DNSKEY_WITH_ZSK;
785 break;
786 case 'E':
787#ifndef OPENSSL_NO_ENGINE
788 engine = init_openssl_engine ( optarg );
789 break;
790#else
791 /* fallthrough */
792#endif
793 case 'k':
794#ifndef OPENSSL_NO_ENGINE
795 eng_zsk = load_key ( optarg, engine );
796 break;
797#else
798 /* fallthrough */
799#endif
800 case 'K':
801#ifndef OPENSSL_NO_ENGINE
802 eng_ksk = load_key ( optarg, engine );
803 /* I apologize for that, there is no API. */
804 eng_ksk -> _extra.dnssec.flags |= LDNS_KEY_SEP_KEY;
805#else
806 fprintf(stderr, "%s compiled without engine support\n"
807 , prog);
808 exit(EXIT_FAILURE);
809#endif
810 break;
811 case 'U':
812 signflags |= LDNS_SIGN_WITH_ALL_ALGORITHMS;
813 break;
814 case 's':
815 if (strlen(optarg) % 2 != 0) {
816 fprintf(stderr, "Salt value is not valid hex data, not a multiple of 2 characters\n");
817 exit(EXIT_FAILURE);
818 }
819 nsec3_salt_length = (uint8_t) strlen(optarg) / 2;
820 nsec3_salt = LDNS_XMALLOC(uint8_t, nsec3_salt_length);
821 for (c = 0; c < (int) strlen(optarg); c += 2) {
822 if (isxdigit((int) optarg[c]) && isxdigit((int) optarg[c+1])) {
823 nsec3_salt[c/2] = (uint8_t) ldns_hexdigit_to_int(optarg[c]) * 16 +
824 ldns_hexdigit_to_int(optarg[c+1]);
825 } else {
826 fprintf(stderr, "Salt value is not valid hex data.\n");
827 exit(EXIT_FAILURE);
828 }
829 }
830
831 break;
832 case 't':
833 nsec3_iterations_cmd = (size_t) atol(optarg);
834 if (nsec3_iterations_cmd > LDNS_NSEC3_MAX_ITERATIONS) {
835 fprintf(stderr, "Iterations count can not exceed %u, quitting\n", LDNS_NSEC3_MAX_ITERATIONS);
836 exit(EXIT_FAILURE);
837 }
838 nsec3_iterations = (uint16_t) nsec3_iterations_cmd;
839 break;
840 default:
841 usage(stderr, prog);
842 exit(EXIT_SUCCESS);
843 }
844 }
845
846 argc -= optind;
847 argv += optind;
848
849 if (argc < 1) {
850 printf("Error: not enough arguments\n");
851 usage(stdout, prog);
852 exit(EXIT_FAILURE);
853 } else {
854 zonefile_name = argv[0];
855 }
856
857 /* read zonefile first to find origin if not specified */
858
859 if (strncmp(zonefile_name, "-", 2) == 0) {
860 s = ldns_zone_new_frm_fp_l(&orig_zone,
861 stdin,
862 origin,
863 ttl,
864 class,
865 &line_nr);
866 if (s != LDNS_STATUS_OK) {
867 fprintf(stderr, "Zone not read, error: %s at stdin line %d\n",
868 ldns_get_errorstr_by_id(s),
869 line_nr);
870 exit(EXIT_FAILURE);
871 } else {
872 orig_soa = ldns_zone_soa(orig_zone);
873 if (!orig_soa) {
874 fprintf(stderr,
875 "Error reading zonefile: missing SOA record\n");
876 exit(EXIT_FAILURE);
877 }
878 orig_rrs = ldns_zone_rrs(orig_zone);
879 if (!orig_rrs) {
880 fprintf(stderr,
881 "Error reading zonefile: no resource records\n");
882 exit(EXIT_FAILURE);
883 }
884 }
885 } else {
886 zonefile = fopen(zonefile_name, "r");
887
888 if (!zonefile) {
889 fprintf(stderr,
890 "Error: unable to read %s (%s)\n",
891 zonefile_name,
892 strerror(errno));
893 exit(EXIT_FAILURE);
894 } else {
895 s = ldns_zone_new_frm_fp_l(&orig_zone,
896 zonefile,
897 origin,
898 ttl,
899 class,
900 &line_nr);
901 if (s != LDNS_STATUS_OK) {
902 fprintf(stderr, "Zone not read, error: %s at %s line %d\n",
903 ldns_get_errorstr_by_id(s),
904 zonefile_name, line_nr);
905 exit(EXIT_FAILURE);
906 } else {
907 orig_soa = ldns_zone_soa(orig_zone);
908 if (!orig_soa) {
909 fprintf(stderr,
910 "Error reading zonefile: missing SOA record\n");
911 exit(EXIT_FAILURE);
912 }
913 orig_rrs = ldns_zone_rrs(orig_zone);
914 if (!orig_rrs) {
915 fprintf(stderr,
916 "Error reading zonefile: no resource records\n");
917 exit(EXIT_FAILURE);
918 }
919 }
920 fclose(zonefile);
921 }
922 }
923
924 /* read the ZSKs */
925 argi = 1;
926 while (argi < argc) {
927 keyfile_name_base = argv[argi];
928 keyfile_name = LDNS_XMALLOC(char, strlen(keyfile_name_base) + 9);
929 snprintf(keyfile_name,
930 strlen(keyfile_name_base) + 9,
931 "%s.private",
932 keyfile_name_base);
933 keyfile = fopen(keyfile_name, "r");
934 line_nr = 0;
935 if (!keyfile) {
936 fprintf(stderr,
937 "Error: unable to read %s: %s\n",
938 keyfile_name,
939 strerror(errno));
940 } else {
941 s = ldns_key_new_frm_fp_l(&key, keyfile, &line_nr);
942 fclose(keyfile);
943 if (s == LDNS_STATUS_OK) {
944 /* set times in key? they will end up
945 in the rrsigs
946 */
947 if (expiration != 0) {
948 ldns_key_set_expiration(key, expiration);
949 }
950 if (inception != 0) {
951 ldns_key_set_inception(key, inception);
952 }
953
954 LDNS_FREE(keyfile_name);
955
956 ldns_key_list_push_key(keys, key);
957 } else {
958 fprintf(stderr, "Error reading key from %s at line %d: %s\n", argv[argi], line_nr, ldns_get_errorstr_by_id(s));
959 }
960 }
961 /* and, if not unset by -p, find or create the corresponding DNSKEY record */
962 if (key) {
963 find_or_create_pubkey(keyfile_name_base, key,
964 orig_zone, add_keys, ttl);
965 }
966 argi++;
967 }
968
969#ifndef OPENSSL_NO_ENGINE
970 /*
971 * The user may have loaded a KSK and a ZSK from the engine.
972 * Since these keys carry no meta-information which is
973 * relevant to DNS (origin, TTL, etc), and because that
974 * information becomes known only after the command line
975 * and the zone file are parsed completely, the program
976 * needs to post-process these keys before they become usable.
977 */
978
979 /* The engine's KSK. */
980 post_process_engine_key ( keys,
981 eng_ksk,
982 orig_zone,
983 add_keys,
984 ttl,
985 inception,
986 expiration );
987
988 /* The engine's ZSK. */
989 post_process_engine_key ( keys,
990 eng_zsk,
991 orig_zone,
992 add_keys,
993 ttl,
994 inception,
995 expiration );
996#endif
997 if (ldns_key_list_key_count(keys) < 1
998 && !(signflags & LDNS_SIGN_NO_KEYS_NO_NSECS)) {
999
1000 fprintf(stderr, "Error: no keys to sign with. Aborting.\n\n");
1001 usage(stderr, prog);
1002 exit(EXIT_FAILURE);
1003 }
1004
1005 signed_zone = ldns_dnssec_zone_new();
1006 if (unixtime_serial) {
1007 ldns_rr_soa_increment_func_int(ldns_zone_soa(orig_zone),
1008 ldns_soa_serial_unixtime, 0);
1009 }
1010 if (ldns_dnssec_zone_add_rr(signed_zone, ldns_zone_soa(orig_zone)) !=
1011 LDNS_STATUS_OK) {
1012 fprintf(stderr,
1013 "Error adding SOA to dnssec zone, skipping record\n");
1014 }
1015
1016 for (i = 0;
1017 i < ldns_rr_list_rr_count(ldns_zone_rrs(orig_zone));
1018 i++) {
1019 if (ldns_dnssec_zone_add_rr(signed_zone,
1020 ldns_rr_list_rr(ldns_zone_rrs(orig_zone),
1021 i)) !=
1022 LDNS_STATUS_OK) {
1023 fprintf(stderr,
1024 "Error adding RR to dnssec zone");
1025 fprintf(stderr, ", skipping record:\n");
1026 ldns_rr_print(stderr,
1027 ldns_rr_list_rr(ldns_zone_rrs(orig_zone), i));
1028 }
1029 }
1030 /* list to store newly created rrs, so we can free them later */
1031 added_rrs = ldns_rr_list_new();
1032
1033 if (use_nsec3) {
1034 if (verbosity < 1)
1035 ; /* pass */
1036
1037 else if (nsec3_iterations > 500)
1038 fprintf(stderr, "Warning! NSEC3 iterations larger than "
1039 "500 may cause validating resolvers to return "
1040 "SERVFAIL!\n"
1041 "See: https://datatracker.ietf.org/doc/html/"
1042 "draft-hardaker-dnsop-nsec3-guidance-03#section-4\n");
1043
1044 else if (nsec3_iterations > 100)
1045 fprintf(stderr, "Warning! NSEC3 iterations larger than "
1046 "100 may cause validating resolvers to return "
1047 "insecure responses!\n"
1048 "See: https://datatracker.ietf.org/doc/html/"
1049 "draft-hardaker-dnsop-nsec3-guidance-03#section-4\n");
1050
1051 result = ldns_dnssec_zone_sign_nsec3_flg_mkmap(signed_zone,
1052 added_rrs,
1053 keys,
1054 ldns_dnssec_default_replace_signatures,
1055 NULL,
1056 nsec3_algorithm,
1057 nsec3_flags,
1058 nsec3_iterations,
1059 nsec3_salt_length,
1060 nsec3_salt,
1061 signflags,
1062 &fmt_st.hashmap);
1063 } else {
1064 result = ldns_dnssec_zone_sign_flg(signed_zone,
1065 added_rrs,
1066 keys,
1067 ldns_dnssec_default_replace_signatures,
1068 NULL,
1069 signflags);
1070 }
1071 if (result != LDNS_STATUS_OK) {
1072 fprintf(stderr, "Error signing zone: %s\n",
1073 ldns_get_errorstr_by_id(result));
1074 }
1075
1076 if (!outputfile_name) {
1077 outputfile_name = LDNS_XMALLOC(char, MAX_FILENAME_LEN);
1078 snprintf(outputfile_name, MAX_FILENAME_LEN, "%s.signed", zonefile_name);
1079 }
1080
1081 if (signed_zone) {
1082 if (strncmp(outputfile_name, "-", 2) == 0) {
1083 ldns_dnssec_zone_print(stdout, signed_zone);
1084 } else {
1085 outputfile = fopen(outputfile_name, "w");
1086 if (!outputfile) {
1087 fprintf(stderr, "Unable to open %s for writing: %s\n",
1088 outputfile_name, strerror(errno));
1089 } else {
1090 ldns_dnssec_zone_print_fmt(
1091 outputfile, fmt, signed_zone);
1092 fclose(outputfile);
1093 }
1094 }
1095 } else {
1096 fprintf(stderr, "Error signing zone.\n");
1097
1098#ifdef HAVE_SSL
1099 if (ERR_peek_error()) {
1100#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(HAVE_LIBRESSL)
1101#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
1102 ERR_load_crypto_strings();
1103#endif
1104#endif
1105 ERR_print_errors_fp(stderr);
1106#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(HAVE_LIBRESSL)
1107#ifdef HAVE_ERR_FREE_STRINGS
1108 ERR_free_strings ();
1109#endif
1110#endif
1111 }
1112#endif
1113 exit(EXIT_FAILURE);
1114 }
1115
1116 ldns_key_list_free(keys);
1117 /* since the ldns_rr records are pointed to in both the ldns_zone
1118 * and the ldns_dnssec_zone, we can either deep_free the
1119 * dnssec_zone and 'shallow' free the original zone and added
1120 * records, or the other way around
1121 */
1122 ldns_dnssec_zone_free(signed_zone);
1123 ldns_zone_deep_free(orig_zone);
1124 ldns_rr_list_deep_free(added_rrs);
1125 ldns_rdf_deep_free(origin);
1126 LDNS_FREE(outputfile_name);
1127
1128#ifndef OPENSSL_NO_ENGINE
1129 shutdown_openssl ( engine );
1130#else
1131#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1132#ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
1133 CRYPTO_cleanup_all_ex_data ();
1134#endif
1135#endif
1136#endif
1137
1138 free(prog);
1139 exit(EXIT_SUCCESS);
1140}
1141
1142#else /* !HAVE_SSL */
1143int
1144main(int argc __attribute__((unused)),
1145 char **argv __attribute__((unused)))
1146{
1147 fprintf(stderr, "ldns-signzone needs OpenSSL support, which has not been compiled in\n");
1148 return 1;
1149}
1150#endif /* HAVE_SSL */
ATTR_UNUSED
#define ATTR_UNUSED(x)
Definition common.h:72
ldns_dname_compare
int ldns_dname_compare(const ldns_rdf *dname1, const ldns_rdf *dname2)
Compares the two dname rdf's according to the algorithm for ordering in RFC4034 Section 6.
Definition dname.c:359
LDNS_NSEC3_MAX_ITERATIONS
#define LDNS_NSEC3_MAX_ITERATIONS
Definition dnssec.h:87
ldns_calc_keytag
uint16_t ldns_calc_keytag(const ldns_rr *key)
calculates a keytag of a key for use in DNSSEC.
Definition dnssec.c:277
ldns_dnssec_default_replace_signatures
int ldns_dnssec_default_replace_signatures(ldns_rr *sig, void *n)
Default callback function to always leave present signatures, and add new ones.
LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384
#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384
Definition dnssec_sign.h:18
LDNS_SIGN_DNSKEY_WITH_ZSK
#define LDNS_SIGN_DNSKEY_WITH_ZSK
dnssec_verify
Definition dnssec_sign.h:15
LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512
#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512
Definition dnssec_sign.h:19
LDNS_SIGN_WITH_ALL_ALGORITHMS
#define LDNS_SIGN_WITH_ALL_ALGORITHMS
Definition dnssec_sign.h:16
ldns_dnssec_zone_sign_nsec3_flg_mkmap
ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags, ldns_rbtree_t **map)
signs the given zone with the given new zone, with NSEC3
Definition dnssec_sign.c:1463
LDNS_SIGN_NO_KEYS_NO_NSECS
#define LDNS_SIGN_NO_KEYS_NO_NSECS
Definition dnssec_sign.h:17
ldns_dnssec_zone_sign_flg
ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, int flags)
signs the given zone with the given keys
Definition dnssec_sign.c:1376
ldns_dnssec_zone_print_fmt
void ldns_dnssec_zone_print_fmt(FILE *out, const ldns_output_format *fmt, const ldns_dnssec_zone *zone)
Prints the complete zone to the given file descriptor.
Definition dnssec_zone.c:1081
ldns_dnssec_zone_new
ldns_dnssec_zone * ldns_dnssec_zone_new(void)
Creates a new dnssec_zone structure.
Definition dnssec_zone.c:570
ldns_dnssec_zone_print
void ldns_dnssec_zone_print(FILE *out, const ldns_dnssec_zone *zone)
Prints the complete zone to the given file descriptor.
Definition dnssec_zone.c:1109
ldns_dnssec_zone_add_rr
ldns_status ldns_dnssec_zone_add_rr(ldns_dnssec_zone *zone, ldns_rr *rr)
Adds the given RR to the zone.
Definition dnssec_zone.c:1002
ldns_dnssec_zone_free
void ldns_dnssec_zone_free(ldns_dnssec_zone *zone)
Frees the given zone structure, and its rbtree of dnssec_names Individual ldns_rr RRs within those na...
Definition dnssec_zone.c:865
LDNS_STATUS_NULL
@ LDNS_STATUS_NULL
Definition error.h:51
LDNS_STATUS_ERR
@ LDNS_STATUS_ERR
Definition error.h:37
LDNS_STATUS_OK
@ LDNS_STATUS_OK
Definition error.h:26
ldns_status
enum ldns_enum_status ldns_status
Definition error.h:148
ldns_get_errorstr_by_id
const char * ldns_get_errorstr_by_id(ldns_status err)
look up a descriptive text by each error.
Definition error.c:196
LDNS_COMMENT_BUBBLEBABBLE
#define LDNS_COMMENT_BUBBLEBABBLE
Provide bubblebabble representation for DS RR's as comment.
Definition host2str.h:56
ldns_rr_print
void ldns_rr_print(FILE *output, const ldns_rr *rr)
Prints the data in the resource record to the given file stream (in presentation format)
Definition host2str.c:3419
LDNS_COMMENT_FLAGS
#define LDNS_COMMENT_FLAGS
Show when a NSEC3 RR has the optout flag set as comment.
Definition host2str.h:58
ldns_rdf2str
char * ldns_rdf2str(const ldns_rdf *rdf)
Converts the data in the rdata field to presentation format and returns that as a char *.
Definition host2str.c:3276
LDNS_COMMENT_NSEC3_CHAIN
#define LDNS_COMMENT_NSEC3_CHAIN
Show the unhashed owner and next owner names for NSEC3 RR's as comment.
Definition host2str.h:60
LDNS_COMMENT_LAYOUT
#define LDNS_COMMENT_LAYOUT
Print mark up.
Definition host2str.h:62
keys.h
Addendum to dnssec.h, this module contains key and algorithm definitions and functions.
ldns_key_list_free
void ldns_key_list_free(ldns_key_list *key_list)
Frees a key list structure.
Definition keys.c:2073
ldns_key_new_frm_engine
ldns_status ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm a)
Read the key with the given id from the given engine and store it in the given ldns_key structure.
Definition keys.c:116
ldns_key_new_frm_fp_l
ldns_status ldns_key_new_frm_fp_l(ldns_key **k, FILE *fp, int *line_nr)
Creates a new private key based on the contents of the file pointed by fp.
Definition keys.c:417
ldns_key_set_expiration
void ldns_key_set_expiration(ldns_key *k, uint32_t e)
Set the key's expiration date (seconds after epoch)
Definition keys.c:1428
LDNS_KEY_SEP_KEY
#define LDNS_KEY_SEP_KEY
Definition keys.h:38
ldns_key_list_new
ldns_key_list * ldns_key_list_new(void)
Creates a new empty key list.
Definition keys.c:70
ldns_key_set_pubkey_owner
void ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r)
Set the key's pubkey owner.
Definition keys.c:1434
ldns_key_list_push_key
signed char ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key)
pushes a key to a keylist
Definition keys.c:1600
ldns_key_keytag
uint16_t ldns_key_keytag(const ldns_key *k)
return the keytag
Definition keys.c:1571
ldns_key_set_keytag
void ldns_key_set_keytag(ldns_key *k, uint16_t tag)
Set the key's key tag.
Definition keys.c:1440
ldns_key2rr
ldns_rr * ldns_key2rr(const ldns_key *k)
converts a ldns_key to a public key rr If the key data exists at an external point,...
Definition keys.c:1803
ldns_key_set_flags
void ldns_key_set_flags(ldns_key *k, uint16_t flags)
Set the key's flags.
Definition keys.c:1342
ldns_enum_signing_algorithm
ldns_enum_signing_algorithm
Algorithms used in dns for signing.
Definition keys.h:82
LDNS_SIGN_RSASHA1
@ LDNS_SIGN_RSASHA1
Definition keys.h:84
LDNS_SIGN_ECDSAP256SHA256
@ LDNS_SIGN_ECDSAP256SHA256
Definition keys.h:95
LDNS_SIGN_DSA_NSEC3
@ LDNS_SIGN_DSA_NSEC3
Definition keys.h:92
LDNS_SIGN_ECC_GOST
@ LDNS_SIGN_ECC_GOST
Definition keys.h:94
LDNS_SIGN_RSASHA1_NSEC3
@ LDNS_SIGN_RSASHA1_NSEC3
Definition keys.h:88
LDNS_SIGN_ECDSAP384SHA384
@ LDNS_SIGN_ECDSAP384SHA384
Definition keys.h:96
LDNS_SIGN_RSAMD5
@ LDNS_SIGN_RSAMD5
Definition keys.h:83
LDNS_SIGN_RSASHA512
@ LDNS_SIGN_RSASHA512
Definition keys.h:90
LDNS_SIGN_DSA
@ LDNS_SIGN_DSA
Definition keys.h:86
LDNS_SIGN_RSASHA256
@ LDNS_SIGN_RSASHA256
Definition keys.h:89
ldns_key_pubkey_owner
ldns_rdf * ldns_key_pubkey_owner(const ldns_key *k)
return the public key's owner
Definition keys.c:1577
ldns_key_flags
uint16_t ldns_key_flags(const ldns_key *k)
return the flag of the key
Definition keys.c:1553
ldns_key_list_key_count
size_t ldns_key_list_key_count(const ldns_key_list *key_list)
returns the number of keys in the key list
Definition keys.c:1447
ldns_key_set_inception
void ldns_key_set_inception(ldns_key *k, uint32_t i)
Set the key's inception date (seconds after epoch)
Definition keys.c:1422
ldns_algorithm
enum ldns_enum_algorithm ldns_algorithm
Definition keys.h:64
verbosity
int verbosity
Definition ldns-signzone.c:37
str2zonemd_signflag
int str2zonemd_signflag(const char *str, const char **reason)
Definition ldns-signzone.c:571
prog
char * prog
Definition ldns-signzone.c:36
MAX_FILENAME_LEN
#define MAX_FILENAME_LEN
Definition ldns-signzone.c:34
ldns.h
Including this file will include all ldns files, and define some lookup tables.
LDNS_DEFAULT_TTL
#define LDNS_DEFAULT_TTL
Definition ldns.h:136
main
int main(void)
Definition linktest.c:6
ldns_rdf_clone
ldns_rdf * ldns_rdf_clone(const ldns_rdf *rd)
clones a rdf structure.
Definition rdata.c:222
ldns_rdf_deep_free
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
Definition rdata.c:230
ldns_rdf2native_int16
uint16_t ldns_rdf2native_int16(const ldns_rdf *rd)
returns the native uint16_t representation from the rdf.
Definition rdata.c:84
LDNS_NSEC3_VARS_OPTOUT_MASK
#define LDNS_NSEC3_VARS_OPTOUT_MASK
Definition rdata.h:40
ldns_rr_ttl
uint32_t ldns_rr_ttl(const ldns_rr *rr)
returns the ttl of an rr structure.
Definition rr.c:935
ldns_rr_list_deep_free
void ldns_rr_list_deep_free(ldns_rr_list *rr_list)
frees an rr_list structure and all rrs contained therein.
Definition rr.c:1024
ldns_rr_free
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
Definition rr.c:81
ldns_rr_list_new
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
Definition rr.c:1004
LDNS_RR_TYPE_DNSKEY
@ LDNS_RR_TYPE_DNSKEY
Definition rr.h:172
ldns_rr_rdf
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
Definition rr.c:913
ldns_rr_list_rr_count
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
Definition rr.c:961
ldns_rr_get_type
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
Definition rr.c:947
ldns_rr_set_ttl
void ldns_rr_set_ttl(ldns_rr *rr, uint32_t ttl)
sets the ttl in the rr structure.
Definition rr.c:820
ldns_rr_compare_no_rdata
int ldns_rr_compare_no_rdata(const ldns_rr *rr1, const ldns_rr *rr2)
compares two rrs, up to the rdata.
Definition rr.c:1563
ldns_rr_class
enum ldns_enum_rr_class ldns_rr_class
Definition rr.h:61
ldns_rr_list_rr
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
Definition rr.c:994
ldns_rr_new_frm_fp_l
ldns_status ldns_rr_new_frm_fp_l(ldns_rr **rr, FILE *fp, uint32_t *default_ttl, ldns_rdf **origin, ldns_rdf **prev, int *line_nr)
creates a new rr from a file containing a string.
Definition rr.c:800
ldns_rr_owner
ldns_rdf * ldns_rr_owner(const ldns_rr *rr)
returns the owner name of an rr structure.
Definition rr.c:923
LDNS_RR_CLASS_IN
@ LDNS_RR_CLASS_IN
the Internet
Definition rr.h:47
ldns_soa_serial_unixtime
uint32_t ldns_soa_serial_unixtime(uint32_t s, void *data)
Function to be used with ldns_rr_soa_increment_func or ldns_rr_soa_increment_func_int to set the soa ...
Definition rr_functions.c:383
ldns_rr_soa_increment_func_int
void ldns_rr_soa_increment_func_int(ldns_rr *soa, ldns_soa_serial_increment_func_t f, int data)
Increment the serial number of the given SOA with the given function using data as an argument for th...
Definition rr_functions.c:426
ldns_str2rdf_dname
ldns_status ldns_str2rdf_dname(ldns_rdf **rd, const char *str)
convert a dname string into wireformat
Definition str2host.c:311
ldns_struct_dnssec_zone
Structure containing a dnssec zone.
Definition dnssec_zone.h:91
ldns_struct_key_list
Same as rr_list, but now for keys.
Definition keys.h:173
ldns_struct_key
General key structure, can contain all types of keys that are used in DNSSEC.
Definition keys.h:122
ldns_struct_key::dnssec
struct ldns_struct_key::@1::@3 dnssec
Some values that influence generated signatures.
ldns_struct_key::flags
uint16_t flags
The dnssec key flags as specified in RFC4035, like ZSK and KSK.
Definition keys.h:161
ldns_struct_output_format_storage
Output format struct with additional data for flags that use them.
Definition host2str.h:103
ldns_struct_output_format_storage::hashmap
ldns_rbtree_t * hashmap
Definition host2str.h:104
ldns_struct_output_format
Output format specifier.
Definition host2str.h:89
ldns_struct_rdf
Resource record data field.
Definition rdata.h:197
ldns_struct_rr_list
List or Set of Resource Records.
Definition rr.h:346
ldns_struct_rr
Resource Record.
Definition rr.h:318
ldns_struct_zone
DNS Zone.
Definition zone.h:43
ldns_hexdigit_to_int
int ldns_hexdigit_to_int(char ch)
Returns the int value of the given (hex) digit.
Definition util.c:88
ldns_mktime_from_utc
time_t ldns_mktime_from_utc(const struct tm *tm)
Convert TM to seconds since epoch (midnight, January 1st, 1970).
Definition util.c:194
LDNS_FREE
#define LDNS_FREE(ptr)
Definition util.h:60
ldns_version
const char * ldns_version(void)
Show the internal library version.
Definition util.c:160
LDNS_VERSION
#define LDNS_VERSION
Definition util.h:30
LDNS_XMALLOC
#define LDNS_XMALLOC(type, count)
Definition util.h:51
ldns_zone_soa
ldns_rr * ldns_zone_soa(const ldns_zone *z)
Return the soa record of a zone.
Definition zone.c:17
ldns_zone_push_rr
signed char ldns_zone_push_rr(ldns_zone *z, ldns_rr *rr)
push an single rr to a zone structure.
Definition zone.c:53
ldns_zone_rrs
ldns_rr_list * ldns_zone_rrs(const ldns_zone *z)
Get a list of a zone's content.
Definition zone.c:35
ldns_zone_deep_free
void ldns_zone_deep_free(ldns_zone *zone)
Frees the allocated memory for the zone, the soa rr in it, and the rr_list structure in it,...
Definition zone.c:376
ldns_zone_new_frm_fp_l
ldns_status ldns_zone_new_frm_fp_l(ldns_zone **z, FILE *fp, const ldns_rdf *origin, uint32_t ttl, ldns_rr_class c, int *line_nr)
Create a new zone from a file, keep track of the line numbering.