Index: dbdnsseckeeper.cc | |
=================================================================== | |
--- dbdnsseckeeper.cc (revision 2623) | |
+++ dbdnsseckeeper.cc (working copy) | |
@@ -336,10 +336,10 @@ | |
return retkeyset; | |
} | |
-bool DNSSECKeeper::secureZone(const std::string& name, int algorithm) | |
+bool DNSSECKeeper::secureZone(const std::string& name, int algorithm, int size) | |
{ | |
clearCaches(name); // just to be sure ;) | |
- return addKey(name, true, algorithm); | |
+ return addKey(name, true, algorithm, size); | |
} | |
bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname, const QType& qtype, | |
@@ -403,4 +403,4 @@ | |
} | |
s_last_prune=time(0); | |
} | |
-} | |
\ No newline at end of file | |
+} | |
Index: pdnssec.cc | |
=================================================================== | |
--- pdnssec.cc (revision 2623) | |
+++ pdnssec.cc (working copy) | |
@@ -33,12 +33,28 @@ | |
return arg; | |
} | |
+int string2algorithm(const string &algorithm) | |
+{ | |
+ if (!algorithm.compare("rsamd5")) return 1; | |
+ if (!algorithm.compare("dh")) return 2; | |
+ if (!algorithm.compare("dsa")) return 3; | |
+ if (!algorithm.compare("ecc")) return 4; | |
+ if (!algorithm.compare("rsasha1")) return 5; | |
+ if (!algorithm.compare("rsasha256")) return 8; | |
+ if (!algorithm.compare("rsasha512")) return 10; | |
+ if (!algorithm.compare("gost")) return 12; | |
+ if (!algorithm.compare("ecdsa256")) return 13; | |
+ if (!algorithm.compare("ecdsa384")) return 14; | |
+ if (!algorithm.compare("ed25519")) return 250; | |
+ return -1; | |
+} | |
+ | |
string humanTime(time_t t) | |
{ | |
char ret[256]; | |
struct tm tm; | |
localtime_r(&t, &tm); | |
- strftime(ret, sizeof(ret)-1, "%c", &tm); // %h:%M %Y-%m-%d | |
+ strftime(ret, sizeof(ret)-1, "%c", &tm); // %h:%M %Y-%m-% | |
return ret; | |
} | |
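Review bot: The comment on the strftime line at L59 is truncated by this change — `// %h:%M %Y-%m-%d` becomes `// %h:%M %Y-%m-%` — which looks accidental; restore the `%d`. In string2algorithm the `!algorithm.compare("rsamd5")` idiom reads as a negation of a match; `algorithm == "rsamd5"` says the same thing directly and is how the rest of the comparisons would read. The table also accepts `rsamd5`, `dh`, `dsa` and `ecc`, which the command-line chain removed later in this patch (L168-L181) never did; if the keeper cannot generate or sign with those, the table should either leave them out or carry a comment explaining why the numbers are listed, e.g. `// 1-4 are listed for completeness; only 5 and above are supported for key generation (confirm against addKey)`.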
@@ -64,11 +80,15 @@ | |
string configname=::arg()["config-dir"]+"/"+s_programname+".conf"; | |
cleanSlashes(configname); | |
- | |
+ ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256"; | |
+ ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0"; | |
+ ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha1,rsasha256"; | |
+ ::arg().set("default-zsk-size","Default KSK size (0 means default)")="0"; | |
+ ::arg().set("module-dir","Default directory for modules")=LIBDIR; | |
+ | |
::arg().laxFile(configname.c_str()); | |
- ::arg().set("module-dir","Default directory for modules")=LIBDIR; | |
+ | |
BackendMakers().launch(::arg()["launch"]); // vrooooom! | |
- ::arg().laxFile(configname.c_str()); | |
//cerr<<"Backend: "<<::arg()["launch"]<<", '" << ::arg()["gmysql-dbname"] <<"'" <<endl; | |
S.declare("qsize-q","Number of questions waiting for database attention"); | |
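Review bot: The help string for `default-zsk-size` at L69 reads "Default KSK size", a copy-paste slip from the line above; it should be `::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";`. Moving `module-dir` ahead of `laxFile` and dropping the duplicate `laxFile` call look intentional and are fine. A short comment above the four new settings naming where they are consumed (the secureZone path in this file) would help the next reader connect the defaults to their use.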
@@ -78,6 +98,7 @@ | |
S.declare("query-cache-hit","Number of hits on the query cache"); | |
S.declare("query-cache-miss","Number of misses on the query cache"); | |
+ | |
::arg().set("max-cache-entries", "Maximum number of cache entries")="1000000"; | |
::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no"; | |
::arg().set("recursive-cache-ttl","Seconds to store packets for recursive queries in the PacketCache")="10"; | |
@@ -90,7 +111,7 @@ | |
::arg().set("soa-expire-default","Default SOA expire")="604800"; | |
::arg().setSwitch("query-logging","Hint backends that queries should be logged")="no"; | |
::arg().set("soa-minimum-ttl","Default SOA minimum ttl")="3600"; | |
- | |
+ | |
UeberBackend::go(); | |
} | |
@@ -424,12 +445,45 @@ | |
bool secureZone(DNSSECKeeper& dk, const std::string& zone) | |
{ | |
+ // parse attribute | |
+ vector<string> k_algos; | |
+ vector<string> z_algos; | |
+ int k_size; | |
+ int z_size; | |
+ | |
+ cout << ::arg()["default-ksk-algorithms"] << endl; | |
+ cout << ::arg()["default-zsk-algorithms"] << endl; | |
+ | |
+ stringtok(k_algos, ::arg()["default-ksk-algorithms"], " ,"); | |
+ k_size = ::arg().asNum("default-ksk-size"); | |
+ stringtok(z_algos, ::arg()["default-zsk-algorithms"], " ,"); | |
+ z_size = ::arg().asNum("default-zsk-size"); | |
+ | |
+ if (k_size < 0) { | |
+ throw runtime_error("KSK key size must be equal or greater than 0"); | |
+ } | |
+ | |
+ if (k_algos.size() < 1) { | |
+ throw runtime_error("No algorithm(s) given for KSK"); | |
+ } | |
+ | |
+ if (z_size < 0) { | |
+ throw runtime_error("ZSK key size must be equal or greater than 0"); | |
+ } | |
+ | |
+ if (z_algos.size() < 1) { | |
+ throw runtime_error("No algorithm(s) given for ZSK"); | |
+ } | |
+ | |
if(dk.isSecuredZone(zone)) { | |
cerr << "Zone '"<<zone<<"' already secure, remove keys with pdnssec remove-zone-key if needed"<<endl; | |
return false; | |
} | |
- if(!dk.secureZone(zone, 8)) { | |
+ cout << "Securing zone with " << k_algos[0] << " algorithm" << endl; | |
+ | |
+ // run secure-zone with first default algorith, then add keys | |
+ if(!dk.secureZone(zone, string2algorithm(k_algos[0]), k_size)) { | |
cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC\n"; | |
cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled.\n"; | |
cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or\n"; | |
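Review bot: An algorithm name that the table does not know makes string2algorithm return -1, and L135 passes that straight into `dk.secureZone` without a check; the loops at L150 and L154-L155 in the next hunk have the same gap, so a typo in `default-ksk-algorithms` or `default-zsk-algorithms` reaches the backend as algorithm -1. Reject it before the call: `int k_algo = string2algorithm(k_algos[0]);` / `if (k_algo < 0) throw runtime_error("Unknown KSK algorithm: " + k_algos[0]);` and do the same for each element of the two vectors before touching the zone. The two bare `cout` lines at L103-L104 echo the raw config values with no label and read as debugging leftovers; drop them or fold them into the "Securing zone with" message at L132. The body of secureZone continues past the end of this hunk.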
@@ -451,11 +505,19 @@ | |
cerr<<"There were ZSKs already for zone '"<<zone<<"', no need to add more"<<endl; | |
return false; | |
} | |
- | |
- dk.addKey(zone, false, 8); | |
- dk.addKey(zone, false, 8, 0, false); // not active | |
- // rectifyZone(dk, zone); | |
- // showZone(dk, zone); | |
+ | |
+ for(vector<string>::iterator i = k_algos.begin()+1; i != k_algos.end(); i++) | |
+ dk.addKey(zone, true, string2algorithm(*i), k_size, true); | |
+ | |
+ BOOST_FOREACH(string z_algo, z_algos) | |
+ { | |
+ int algo = string2algorithm(z_algo); | |
+ dk.addKey(zone, false, algo, z_size); | |
+ dk.addKey(zone, false, algo, z_size, false); // not active | |
+ } | |
+ | |
+ //rectifyZone(dk, zone); | |
+ //showZone(dk, zone); | |
cout<<"Zone "<<zone<<" secured"<<endl; | |
return true; | |
} | |
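Review bot: `BOOST_FOREACH(string z_algo, z_algos)` at L152 copies each element on every iteration; `BOOST_FOREACH(const string& z_algo, z_algos)` avoids that, and `i++` at L149 can be `++i`. The return value of every `dk.addKey` call at L150 and L155-L156 is discarded, so a backend that refuses one of the extra keys still ends in the "Zone secured" message at L161; checking each result and reporting which algorithm failed would make the multi-algorithm path honest about partial success. The KSK loop passes the active flag explicitly while the first ZSK call relies on the default, which is fine but worth a one-line comment such as `// extra KSKs are added active; each ZSK algorithm gets one active and one inactive key`.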
@@ -651,20 +713,8 @@ | |
keyOrZone = false; | |
else if(pdns_iequals(cmds[n], "ksk")) | |
keyOrZone = true; | |
- else if(pdns_iequals(cmds[n], "rsasha1")) | |
- algorithm=5; | |
- else if(pdns_iequals(cmds[n], "rsasha256")) | |
- algorithm=8; | |
- else if(pdns_iequals(cmds[n], "rsasha512")) | |
- algorithm=10; | |
- else if(pdns_iequals(cmds[n], "gost")) | |
- algorithm=12; | |
- else if(pdns_iequals(cmds[n], "ecdsa256")) | |
- algorithm=13; | |
- else if(pdns_iequals(cmds[n], "ecdsa384")) | |
- algorithm=14; | |
- else if(pdns_iequals(cmds[n], "ed25519")) | |
- algorithm=250; | |
+ else if((algorithm = string2algorithm(cmds[n]))>0) | |
+ continue; | |
else if(atoi(cmds[n].c_str())) | |
bits = atoi(cmds[n].c_str()); | |
else { | |
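Review bot: The assignment inside the condition at L182 overwrites `algorithm` with -1 whenever a token is not an algorithm name, so if the algorithm token precedes the key-size token the value set on the earlier iteration is clobbered before the `atoi` branch at L184-L185 runs. Test the lookup before assigning: `else if(string2algorithm(cmds[n]) > 0)` / `algorithm = string2algorithm(cmds[n]);` — the `continue` is then unnecessary, since the chain has no further branches to skip. Replacing the explicit chain with the table also starts accepting `rsamd5`, `dh`, `dsa` and `ecc` on the command line, which the removed lines did not; confirm that widening is intended. The enclosing loop starts and ends outside this hunk.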
Index: dnsseckeeper.hh | |
=================================================================== | |
--- dnsseckeeper.hh (revision 2623) | |
+++ dnsseckeeper.hh (working copy) | |
@@ -75,7 +75,7 @@ | |
void activateKey(const std::string& zname, unsigned int id); | |
void deactivateKey(const std::string& zname, unsigned int id); | |
- bool secureZone(const std::string& fname, int algorithm); | |
+ bool secureZone(const std::string& fname, int algorithm, int size); | |
bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0); | |
void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false); |
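Review bot: The new `size` parameter at L195 carries no comment saying what unit it is in or what 0 means; the config help text added in pdnssec.cc ("0 means default") suggests bits with 0 selecting the backend default, and the header is where that contract belongs: `bool secureZone(const std::string& fname, int algorithm, int size); // size in bits; 0 = backend default (presumably — confirm against addKey)`. The parameter also has no default value, so any caller of the two-argument form outside this patch would stop compiling; if such callers exist, `int size=0` keeps them working and matches the documented meaning of 0.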