@Habbie
Created April 26, 2013 11:42
triple-distilled fix against latest head
Index: common_startup.cc
===================================================================
--- common_startup.cc (revision 2923)
+++ common_startup.cc (working copy)
@@ -140,6 +140,10 @@
::arg().setSwitch("traceback-handler","Enable the traceback handler (Linux only)")="yes";
::arg().setSwitch("direct-dnskey","EXPERIMENTAL: fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+ ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256";
+ ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha1,rsasha256";
+ ::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
}
void declareStats(void)
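Review bot: The description string for `default-zsk-size` (fourth added line) reads "Default KSK size (0 means default)", copied from the KSK line above it; it should be `::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";`. The same slip is repeated in the loadMainConfig hunk of pdnssec.cc. Those four settings are registered both here and in loadMainConfig; if pdnssec never reaches this function the duplication is necessary, but otherwise a single registration keeps the two default lists from drifting apart.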
Index: dbdnsseckeeper.cc
===================================================================
--- dbdnsseckeeper.cc (revision 2923)
+++ dbdnsseckeeper.cc (working copy)
@@ -347,10 +347,10 @@
return retkeyset;
}
-bool DNSSECKeeper::secureZone(const std::string& name, int algorithm)
+bool DNSSECKeeper::secureZone(const std::string& name, int algorithm, int size)
{
clearCaches(name); // just to be sure ;)
- return addKey(name, true, algorithm);
+ return addKey(name, true, algorithm, size);
}
bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname,
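Review bot: The new `size` argument is handed straight to addKey with no check; the only rejection of a negative value lives in pdnssec.cc's caller, so any other caller of this public method gets none. Either state the precondition next to the declaration (`// size: key length in bits; 0 means the backend default`) or guard here with `if (size < 0) return false;` — whether addKey itself validates is not visible in this diff.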
Index: pdnssec.cc
===================================================================
--- pdnssec.cc (revision 2923)
+++ pdnssec.cc (working copy)
@@ -42,6 +42,22 @@
return ret;
}
+static int shorthand2algorithm(const string &algorithm)
+{
+ if (!algorithm.compare("rsamd5")) return 1;
+ if (!algorithm.compare("dh")) return 2;
+ if (!algorithm.compare("dsa")) return 3;
+ if (!algorithm.compare("ecc")) return 4;
+ if (!algorithm.compare("rsasha1")) return 5;
+ if (!algorithm.compare("rsasha256")) return 8;
+ if (!algorithm.compare("rsasha512")) return 10;
+ if (!algorithm.compare("gost")) return 12;
+ if (!algorithm.compare("ecdsa256")) return 13;
+ if (!algorithm.compare("ecdsa384")) return 14;
+ if (!algorithm.compare("ed25519")) return 250;
+ return -1;
+}
+
void loadMainConfig(const std::string& configdir)
{
::arg().set("config-dir","Location of configuration directory (pdns.conf)")=configdir;
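Review bot: The comparisons in shorthand2algorithm are exact, while the command-line branches it replaces in the later pdnssec.cc hunk used pdns_iequals, so an upper- or mixed-case name such as `RSASHA256` now falls through to the atoi branch and is reported as unknown; `if (pdns_iequals(algorithm, "rsasha1")) return 5;`, and likewise for each name, keeps the old behaviour and reads more clearly than `!algorithm.compare(...)`. The table also admits rsamd5, dh, dsa and ecc (codes 1, 2, 3, 4), which the removed list never accepted; RSAMD5 is deprecated for signing and 2 and 4 are not zone-signing algorithms, so unless a backend can actually generate them the names only move the failure into addKey.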
@@ -64,6 +80,11 @@
string configname=::arg()["config-dir"]+"/"+s_programname+".conf";
cleanSlashes(configname);
+
+ ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256";
+ ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha1,rsasha256";
+ ::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
::arg().laxFile(configname.c_str());
::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
@@ -549,6 +570,33 @@
bool secureZone(DNSSECKeeper& dk, const std::string& zone)
{
+ // parse attribute
+ vector<string> k_algos;
+ vector<string> z_algos;
+ int k_size;
+ int z_size;
+
+ stringtok(k_algos, ::arg()["default-ksk-algorithms"], " ,");
+ k_size = ::arg().asNum("default-ksk-size");
+ stringtok(z_algos, ::arg()["default-zsk-algorithms"], " ,");
+ z_size = ::arg().asNum("default-zsk-size");
+
+ if (k_size < 0) {
+ throw runtime_error("KSK key size must be equal or greater than 0");
+ }
+
+ if (k_algos.size() < 1) {
+ throw runtime_error("No algorithm(s) given for KSK");
+ }
+
+ if (z_size < 0) {
+ throw runtime_error("ZSK key size must be equal or greater than 0");
+ }
+
+ if (z_algos.size() < 1) {
+ throw runtime_error("No algorithm(s) given for ZSK");
+ }
+
if(dk.isSecuredZone(zone)) {
cerr << "Zone '"<<zone<<"' already secure, remove keys with pdnssec remove-zone-key if needed"<<endl;
return false;
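Review bot: The algorithm names read from default-ksk-algorithms and default-zsk-algorithms are never validated here; shorthand2algorithm returns -1 for an unknown name, and that -1 is passed on to dk.secureZone and dk.addKey in the following hunks, so a typo in the configuration surfaces as a backend failure (or an undefined key) rather than a clear error. Checking each tokenised name right after stringtok, before the size checks, reports the bad name up front. Minor: `k_algos.size() < 1` is `k_algos.empty()`. secureZone's body continues past the end of this hunk.

```cpp
  stringtok(z_algos, ::arg()["default-zsk-algorithms"], " ,");
  z_size = ::arg().asNum("default-zsk-size");

  // reject unknown algorithm names here instead of passing -1 down to addKey
  BOOST_FOREACH(const string& a, k_algos)
    if (shorthand2algorithm(a) < 0)
      throw runtime_error("Unknown KSK algorithm '" + a + "'");
  BOOST_FOREACH(const string& a, z_algos)
    if (shorthand2algorithm(a) < 0)
      throw runtime_error("Unknown ZSK algorithm '" + a + "'");

  // … unchanged: size and empty-list checks …
```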
@@ -567,7 +615,13 @@
cout<<"pdnssec disable-dnssec "<<zone<<" right now!"<<endl;
}
- if(!dk.secureZone(zone, 8)) {
+ if (k_size)
+ cout << "Securing zone with " << k_algos[0] << " algorithm with key size " << k_size << endl;
+ else
+ cout << "Securing zone with " << k_algos[0] << " algorithm with default key size" << endl;
+
+ // run secure-zone with first default algorith, then add keys
+ if(!dk.secureZone(zone, shorthand2algorithm(k_algos[0]), k_size)) {
cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC\n";
cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled.\n";
cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or\n";
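Review bot: The added comment `// run secure-zone with first default algorith, then add keys` has a typo and is vague about what "add keys" means; `// secure the zone with the first KSK algorithm, then add the remaining KSKs and the ZSKs` says it. The two cout branches differ only in the tail of the message and could be a single statement with the size text chosen inline. secureZone's body extends beyond both ends of this hunk.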
@@ -589,9 +643,17 @@
cerr<<"There were ZSKs already for zone '"<<zone<<"', no need to add more"<<endl;
return false;
}
-
- dk.addKey(zone, false, 8);
- dk.addKey(zone, false, 8, 0, false); // not active
+
+ for(vector<string>::iterator i = k_algos.begin()+1; i != k_algos.end(); i++)
+ dk.addKey(zone, true, shorthand2algorithm(*i), k_size, true);
+
+ BOOST_FOREACH(string z_algo, z_algos)
+ {
+ int algo = shorthand2algorithm(z_algo);
+ dk.addKey(zone, false, algo, z_size);
+ dk.addKey(zone, false, algo, z_size, false); // not active
+ }
+
// rectifyZone(dk, zone);
// showZone(dk, zone);
cout<<"Zone "<<zone<<" secured"<<endl;
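Review bot: With the shipped default `rsasha1,rsasha256` for default-zsk-algorithms, the new ZSK loop creates an active and an inactive ZSK per listed algorithm, so a freshly secured zone is now signed with RSASHA1 as well as RSASHA256, whereas the removed lines produced a single algorithm-8 pair; if widening the default is not intended, ship `rsasha256` alone and let operators opt in, since each extra algorithm also adds a further RRSIG to every RRset. Minor: `i++` on the iterator should be `++i`, and `BOOST_FOREACH(const string& z_algo, z_algos)` avoids copying each name. The `k_algos.begin()+1` start relies on the non-empty check earlier in secureZone, outside this hunk.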
@@ -913,6 +975,7 @@
const string& zone=cmds[1];
// need to get algorithm, bits & ksk or zsk from commandline
bool keyOrZone=false;
+ int tmp_algo=0;
int bits=0;
int algorithm=8;
for(unsigned int n=2; n < cmds.size(); ++n) {
@@ -920,21 +983,9 @@
keyOrZone = false;
else if(pdns_iequals(cmds[n], "ksk"))
keyOrZone = true;
- else if(pdns_iequals(cmds[n], "rsasha1"))
- algorithm=5;
- else if(pdns_iequals(cmds[n], "rsasha256"))
- algorithm=8;
- else if(pdns_iequals(cmds[n], "rsasha512"))
- algorithm=10;
- else if(pdns_iequals(cmds[n], "gost"))
- algorithm=12;
- else if(pdns_iequals(cmds[n], "ecdsa256"))
- algorithm=13;
- else if(pdns_iequals(cmds[n], "ecdsa384"))
- algorithm=14;
- else if(pdns_iequals(cmds[n], "ed25519"))
- algorithm=250;
- else if(atoi(cmds[n].c_str()))
+ else if((tmp_algo = shorthand2algorithm(cmds[n]))>0) {
+ algorithm = tmp_algo;
+ } else if(atoi(cmds[n].c_str()))
bits = atoi(cmds[n].c_str());
else {
cerr<<"Unknown algorithm, key flag or size '"<<cmds[n]<<"'"<<endl;
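Review bot: `tmp_algo` is declared at function scope in the previous hunk only to serve the assignment-inside-condition `else if((tmp_algo = shorthand2algorithm(cmds[n]))>0) {`; computing `int tmp_algo = shorthand2algorithm(cmds[n]);` at the top of the loop body and testing `else if (tmp_algo > 0)` keeps the value local and the condition plain. The switch from pdns_iequals to shorthand2algorithm's exact matching is raised on that helper's hunk. The enclosing loop and command handler extend beyond this hunk.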
Index: dnsseckeeper.hh
===================================================================
--- dnsseckeeper.hh (revision 2923)
+++ dnsseckeeper.hh (working copy)
@@ -75,7 +75,7 @@
bool activateKey(const std::string& zname, unsigned int id);
bool deactivateKey(const std::string& zname, unsigned int id);
- bool secureZone(const std::string& fname, int algorithm);
+ bool secureZone(const std::string& fname, int algorithm, int size);
bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
bool setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
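Review bot: The new `size` parameter is undocumented and has no default, so every caller of secureZone must change; the pdnssec.cc call does in this diff, and whether others exist is not visible here. A comment beside the declaration, `// size: key length in bits; 0 means the backend default`, records the contract the option text in common_startup.cc implies, or `int size = 0` keeps existing call sites compiling with the previous behaviour.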