Index: dbdnsseckeeper.cc
===================================================================
--- dbdnsseckeeper.cc (revision 2623)
+++ dbdnsseckeeper.cc (working copy)
@@ -336,10 +336,10 @@
return retkeyset;
}
-bool DNSSECKeeper::secureZone(const std::string& name, int algorithm)
+bool DNSSECKeeper::secureZone(const std::string& name, int algorithm, int size)
{
clearCaches(name); // just to be sure ;)
- return addKey(name, true, algorithm);
+ return addKey(name, true, algorithm, size);
}
bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname, const QType& qtype,
@@ -403,4 +403,4 @@
}
s_last_prune=time(0);
}
-}
\ No newline at end of file
+}
Index: pdnssec.cc
===================================================================
--- pdnssec.cc (revision 2623)
+++ pdnssec.cc (working copy)
@@ -33,12 +33,28 @@
return arg;
}
+int string2algorithm(const string &algorithm)
+{
+ if (!algorithm.compare("rsamd5")) return 1;
+ if (!algorithm.compare("dh")) return 2;
+ if (!algorithm.compare("dsa")) return 3;
+ if (!algorithm.compare("ecc")) return 4;
+ if (!algorithm.compare("rsasha1")) return 5;
+ if (!algorithm.compare("rsasha256")) return 8;
+ if (!algorithm.compare("rsasha512")) return 10;
+ if (!algorithm.compare("gost")) return 12;
+ if (!algorithm.compare("ecdsa256")) return 13;
+ if (!algorithm.compare("ecdsa384")) return 14;
+ if (!algorithm.compare("ed25519")) return 250;
+ return -1;
+}
+
string humanTime(time_t t)
{
char ret[256];
struct tm tm;
localtime_r(&t, &tm);
- strftime(ret, sizeof(ret)-1, "%c", &tm); // %h:%M %Y-%m-%d
+ strftime(ret, sizeof(ret)-1, "%c", &tm); // %h:%M %Y-%m-%
return ret;
}
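Review bot: `string2algorithm` matches with `std::string::compare`, which is case-sensitive, whereas the `add-zone-key` parsing it replaces in this same patch used `pdns_iequals`; `RSASHA256` or `Ed25519` on the command line will now fall through to the `atoi` branch and be treated as a key size. Consider `pdns_iequals(algorithm, "rsasha256")` (or lower-casing the input once) so the table keeps the previous case-insensitive behaviour. The table also accepts `dh` (2) and `ecc` (4), which are not DNSSEC signing algorithms (RFC 4034 App. A.1 lists DH as key-exchange only and ECC as reserved), and `rsamd5` (1), which RFC 6725 moved to "must not implement"; since this helper now feeds `secure-zone` defaults, accepting them lets a config typo produce a zone whose keys cannot sign, so I would drop those three entries or reject them with a clear error. Separately, the `humanTime` comment was accidentally truncated from `%Y-%m-%d` to `%Y-%m-` — a stray edit worth reverting.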
@@ -64,11 +80,15 @@
string configname=::arg()["config-dir"]+"/"+s_programname+".conf";
cleanSlashes(configname);
-
+ ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256";
+ ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha1,rsasha256";
+ ::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("module-dir","Default directory for modules")=LIBDIR;
+
::arg().laxFile(configname.c_str());
- ::arg().set("module-dir","Default directory for modules")=LIBDIR;
+
BackendMakers().launch(::arg()["launch"]); // vrooooom!
- ::arg().laxFile(configname.c_str());
//cerr<<"Backend: "<<::arg()["launch"]<<", '" << ::arg()["gmysql-dbname"] <<"'" <<endl;
S.declare("qsize-q","Number of questions waiting for database attention");
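Review bot: The help text for `default-zsk-size` is a copy-paste of the KSK line — it reads "Default KSK size (0 means default)" and will show up that way in `--help`/config listings; change it to `::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";`. Moving `module-dir` and the new defaults ahead of the single `laxFile` call is the right ordering (the earlier double `laxFile` is gone), so the settings are actually read from the config file. It may also be worth a one-line comment on `default-zsk-algorithms` saying that listing two algorithms yields a signature per algorithm on every RRset, since the default `rsasha1,rsasha256` doubles RRSIG volume for newly secured zones — presumably intentional, but not obvious to someone editing the default.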
@@ -78,6 +98,7 @@
S.declare("query-cache-hit","Number of hits on the query cache");
S.declare("query-cache-miss","Number of misses on the query cache");
+
::arg().set("max-cache-entries", "Maximum number of cache entries")="1000000";
::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no";
::arg().set("recursive-cache-ttl","Seconds to store packets for recursive queries in the PacketCache")="10";
@@ -90,7 +111,7 @@
::arg().set("soa-expire-default","Default SOA expire")="604800";
::arg().setSwitch("query-logging","Hint backends that queries should be logged")="no";
::arg().set("soa-minimum-ttl","Default SOA minimum ttl")="3600";
-
+
UeberBackend::go();
}
@@ -424,12 +445,45 @@
bool secureZone(DNSSECKeeper& dk, const std::string& zone)
{
+ // parse attribute
+ vector<string> k_algos;
+ vector<string> z_algos;
+ int k_size;
+ int z_size;
+
+ cout << ::arg()["default-ksk-algorithms"] << endl;
+ cout << ::arg()["default-zsk-algorithms"] << endl;
+
+ stringtok(k_algos, ::arg()["default-ksk-algorithms"], " ,");
+ k_size = ::arg().asNum("default-ksk-size");
+ stringtok(z_algos, ::arg()["default-zsk-algorithms"], " ,");
+ z_size = ::arg().asNum("default-zsk-size");
+
+ if (k_size < 0) {
+ throw runtime_error("KSK key size must be equal or greater than 0");
+ }
+
+ if (k_algos.size() < 1) {
+ throw runtime_error("No algorithm(s) given for KSK");
+ }
+
+ if (z_size < 0) {
+ throw runtime_error("ZSK key size must be equal or greater than 0");
+ }
+
+ if (z_algos.size() < 1) {
+ throw runtime_error("No algorithm(s) given for ZSK");
+ }
+
if(dk.isSecuredZone(zone)) {
cerr << "Zone '"<<zone<<"' already secure, remove keys with pdnssec remove-zone-key if needed"<<endl;
return false;
}
- if(!dk.secureZone(zone, 8)) {
+ cout << "Securing zone with " << k_algos[0] << " algorithm" << endl;
+
+ // run secure-zone with first default algorith, then add keys
+ if(!dk.secureZone(zone, string2algorithm(k_algos[0]), k_size)) {
cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC\n";
cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled.\n";
cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or\n";
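Review bot: The validation block checks sizes and that the algorithm lists are non-empty, but never checks that each name is one `string2algorithm` knows; an unrecognised entry in `default-ksk-algorithms` or `default-zsk-algorithms` yields -1, which is passed straight into `dk.secureZone(zone, string2algorithm(k_algos[0]), k_size)` and later into `addKey`, so a config typo produces a key with algorithm -1 (or whatever the backend does with it) rather than an error. Validate every entry before any key is created, as below. The two `cout << ::arg()[...]` lines above the parsing look like leftover debugging and print the raw setting values on every `secure-zone` run. One hedged caveat: RFC 4035 §2.2 requires every algorithm present in the DNSKEY RRset to sign every RRset, and nothing here checks that the KSK and ZSK algorithm sets agree (e.g. `ksk=ecdsa256`, `zsk=rsasha256` would put algorithm 13 in the DNSKEY set with no ZSK of that algorithm) — worth at least a comment on the settings if the signer does not cover this. The enclosing `secureZone` continues past the end of this hunk.
```cpp
  // … unchanged: stringtok / asNum parsing of k_algos, k_size, z_algos, z_size …
  BOOST_FOREACH(const string& a, k_algos) {
    if (string2algorithm(a) <= 0)
      throw runtime_error("Unknown KSK algorithm '" + a + "'");
  }
  BOOST_FOREACH(const string& a, z_algos) {
    if (string2algorithm(a) <= 0)
      throw runtime_error("Unknown ZSK algorithm '" + a + "'");
  }
  // … unchanged: size / empty-list checks, isSecuredZone, dk.secureZone call …
```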
@@ -451,11 +505,19 @@
cerr<<"There were ZSKs already for zone '"<<zone<<"', no need to add more"<<endl;
return false;
}
-
- dk.addKey(zone, false, 8);
- dk.addKey(zone, false, 8, 0, false); // not active
- // rectifyZone(dk, zone);
- // showZone(dk, zone);
+
+ for(vector<string>::iterator i = k_algos.begin()+1; i != k_algos.end(); i++)
+ dk.addKey(zone, true, string2algorithm(*i), k_size, true);
+
+ BOOST_FOREACH(string z_algo, z_algos)
+ {
+ int algo = string2algorithm(z_algo);
+ dk.addKey(zone, false, algo, z_size);
+ dk.addKey(zone, false, algo, z_size, false); // not active
+ }
+
+ //rectifyZone(dk, zone);
+ //showZone(dk, zone);
cout<<"Zone "<<zone<<" secured"<<endl;
return true;
}
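Review bot: Every `dk.addKey(...)` result in the two new loops is discarded, yet the function still prints "Zone … secured" and returns true; since `DNSSECKeeper::secureZone` in this same patch is just `return addKey(...)` and that result is checked for the first KSK, a failure on any additional KSK or on either ZSK per algorithm is silently ignored and leaves the zone with a partial key set. Check each call, e.g. `if(!dk.addKey(zone, false, algo, z_size)) { cerr<<"Unable to add ZSK ("<<z_algo<<") to '"<<zone<<"'"<<endl; return false; }`, and the same for the inactive ZSK and the extra KSKs. Note also that the single `k_size`/`z_size` is applied to every algorithm in the list; a bit size chosen for RSA is presumably meaningless or invalid for the ECDSA/GOST entries — I cannot see what `addKey` does with it, but a comment on the settings ("size applies to all listed algorithms; 0 lets each algorithm pick its default") would help. `BOOST_FOREACH(string z_algo, z_algos)` copies each string; `const string& z_algo` is the usual form.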
@@ -651,20 +713,8 @@
keyOrZone = false;
else if(pdns_iequals(cmds[n], "ksk"))
keyOrZone = true;
- else if(pdns_iequals(cmds[n], "rsasha1"))
- algorithm=5;
- else if(pdns_iequals(cmds[n], "rsasha256"))
- algorithm=8;
- else if(pdns_iequals(cmds[n], "rsasha512"))
- algorithm=10;
- else if(pdns_iequals(cmds[n], "gost"))
- algorithm=12;
- else if(pdns_iequals(cmds[n], "ecdsa256"))
- algorithm=13;
- else if(pdns_iequals(cmds[n], "ecdsa384"))
- algorithm=14;
- else if(pdns_iequals(cmds[n], "ed25519"))
- algorithm=250;
+ else if((algorithm = string2algorithm(cmds[n]))>0)
+ continue;
else if(atoi(cmds[n].c_str()))
bits = atoi(cmds[n].c_str());
else {
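Review bot: The new `else if((algorithm = string2algorithm(cmds[n]))>0)` clobbers `algorithm` with -1 for every token that is not an algorithm name, because the assignment happens before the comparison; with `add-zone-key example.com ksk rsasha256 2048` the `2048` token resets `algorithm` to -1 right before the `atoi` branch sets `bits`, so the explicitly requested algorithm is lost (only the reverse token order works). Assign only on a match: `else if(string2algorithm(cmds[n]) > 0)` followed by `algorithm = string2algorithm(cmds[n]);` — the `continue` is unnecessary since the chain ends there. The enclosing token loop starts and ends outside this hunk.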
Index: dnsseckeeper.hh
===================================================================
--- dnsseckeeper.hh (revision 2623)
+++ dnsseckeeper.hh (working copy)
@@ -75,7 +75,7 @@
void activateKey(const std::string& zname, unsigned int id);
void deactivateKey(const std::string& zname, unsigned int id);
- bool secureZone(const std::string& fname, int algorithm);
+ bool secureZone(const std::string& fname, int algorithm, int size);
bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
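Review bot: The new `size` parameter on `secureZone` has no documentation at the declaration, and the only hint to its meaning is the `"(0 means default)"` text in the `pdnssec` option help. Add a comment so backend callers do not have to find that: `// size: key size in bits, forwarded to addKey; 0 selects the default for the algorithm`. I am inferring "bits" from the existing `bits` variable in the `add-zone-key` parser; confirm against `addKey` and adjust the wording if the unit differs.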