39 static const char* sc_str =
"signconf";
52 ods_log_error(
"[%s] unable to create signconf: allocator_create() "
58 ods_log_error(
"[%s] unable to create signconf: allocator_alloc() "
100 const char* rngfile = ODS_SE_RNGDIR
"/signconf.rng";
104 if (!scfile || !signconf) {
110 ods_log_error(
"[%s] unable to read signconf: parse error in "
124 if (signconf->
nsec_type == LDNS_RR_TYPE_NSEC3) {
136 "nsec3params_create() failed", sc_str, scfile);
150 ods_log_error(
"[%s] unable to read signconf: failed to open file %s",
162 time_t last_modified)
168 if (!scfile || !signconf) {
173 if (st_mtime <= last_modified) {
179 ods_log_error(
"[%s] unable to update signconf: signconf_create() "
183 status = signconf_read(new_sc, scfile);
187 ods_log_error(
"[%s] unable to update signconf: signconf %s has "
188 "errors", sc_str, scfile);
194 ods_log_error(
"[%s] unable to update signconf: failed to read file "
207 signconf_backup_duration(FILE* fd,
const char* opt,
duration_type* duration)
210 fprintf(fd,
"%s %s ", opt, str);
211 free((
void*) str?str:
"(null)");
227 fprintf(fd,
";;Signconf: lastmod %u ", (
unsigned) sc->
last_modified);
228 if (strcmp(version, ODS_SE_FILE_MAGIC_V2) &&
229 strcmp(version, ODS_SE_FILE_MAGIC_V1)) {
231 fprintf(fd,
"maxzonettl 0 ");
237 signconf_backup_duration(fd,
"jitter", sc->
sig_jitter);
239 fprintf(fd,
"nsec %u ", (
unsigned) sc->
nsec_type);
240 signconf_backup_duration(fd,
"dnskeyttl", sc->
dnskey_ttl);
241 signconf_backup_duration(fd,
"soattl", sc->
soa_ttl);
242 signconf_backup_duration(fd,
"soamin", sc->
soa_min);
244 if (strcmp(version, ODS_SE_FILE_MAGIC_V2) == 0) {
245 fprintf(fd,
"audit 0");
257 signconf_soa_serial_check(
const char* serial) {
262 if (strlen(serial) == 4 && strncmp(serial,
"keep", 4) == 0) {
265 if (strlen(serial) == 7 && strncmp(serial,
"counter", 7) == 0) {
268 if (strlen(serial) == 8 && strncmp(serial,
"unixtime", 8) == 0) {
271 if (strlen(serial) == 11 && strncmp(serial,
"datecounter", 11) == 0) {
288 ods_log_error(
"[%s] check failed: no signature resign interval found",
293 ods_log_error(
"[%s] check failed: no signature resign interval found",
298 ods_log_error(
"[%s] check failed: no signature default validity found",
303 ods_log_error(
"[%s] check failed: no signature denial validity found",
308 ods_log_error(
"[%s] check failed: no signature jitter found", sc_str);
312 ods_log_error(
"[%s] check failed: no signature inception offset found",
316 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
325 }
else if (sc->
nsec_type != LDNS_RR_TYPE_NSEC) {
326 ods_log_error(
"[%s] check failed: wrong nsec type %i", sc_str,
335 ods_log_error(
"[%s] check failed: no dnskey ttl found", sc_str);
339 ods_log_error(
"[%s] check failed: no soa ttl found", sc_str);
343 ods_log_error(
"[%s] check failed: no soa minimum found", sc_str);
347 ods_log_error(
"[%s] check failed: no soa serial type found", sc_str);
349 }
else if (signconf_soa_serial_check(sc->
soa_serial) != 0) {
350 ods_log_error(
"[%s] check failed: wrong soa serial type %s", sc_str,
376 }
else if (a->
nsec_type == LDNS_RR_TYPE_NSEC3) {
400 fprintf(out,
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
402 fprintf(out,
"<SignerConfiguration>\n");
403 fprintf(out,
"\t<Zone name=\"%s\">\n", name?name:
"(null)");
405 fprintf(out,
"\t\t<Signatures>\n");
407 fprintf(out,
"\t\t\t<Resign>%s</Resign>\n", s?s:
"(null)");
410 fprintf(out,
"\t\t\t<Refresh>%s</Refresh>\n", s?s:
"(null)");
412 fprintf(out,
"\t\t\t<Validity>\n");
414 fprintf(out,
"\t\t\t\t<Default>%s</Default>\n", s?s:
"(null)");
417 fprintf(out,
"\t\t\t\t<Denial>%s</Denial>\n", s?s:
"(null)");
419 fprintf(out,
"\t\t\t</Validity>\n");
421 fprintf(out,
"\t\t\t<Jitter>%s</Jitter>\n", s?s:
"(null)");
424 fprintf(out,
"\t\t\t<InceptionOffset>%s</InceptionOffset>\n",
427 fprintf(out,
"\t\t</Signatures>\n");
430 fprintf(out,
"\t\t<Denial>\n");
431 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC) {
432 fprintf(out,
"\t\t\t<NSEC />\n");
433 }
else if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
434 fprintf(out,
"\t\t\t<NSEC3>\n");
437 fprintf(out,
"\t\t\t\t<TTL>%s</TTL>\n", s?s:
"(null)");
441 fprintf(out,
"\t\t\t\t<OptOut />\n");
443 fprintf(out,
"\t\t\t\t<Hash>\n");
444 fprintf(out,
"\t\t\t\t\t<Algorithm>%i</Algorithm>\n",
446 fprintf(out,
"\t\t\t\t\t<Iterations>%i</Iterations>\n",
448 fprintf(out,
"\t\t\t\t\t<Salt>%s</Salt>\n",
450 fprintf(out,
"\t\t\t\t</Hash>\n");
451 fprintf(out,
"\t\t\t</NSEC3>\n");
453 fprintf(out,
"\t\t</Denial>\n");
456 fprintf(out,
"\t\t<Keys>\n");
458 fprintf(out,
"\t\t\t<TTL>%s</TTL>\n", s?s:
"(null)");
462 fprintf(out,
"\t\t</Keys>\n");
465 fprintf(out,
"\t\t<SOA>\n");
467 fprintf(out,
"\t\t\t<TTL>%s</TTL>\n", s?s:
"(null)");
470 fprintf(out,
"\t\t\t<Minimum>%s</Minimum>\n", s?s:
"(null)");
472 fprintf(out,
"\t\t\t<Serial>%s</Serial>\n",
474 fprintf(out,
"\t\t</SOA>\n");
476 fprintf(out,
"\t</Zone>\n");
477 fprintf(out,
"</SignerConfiguration>\n");
491 char* refresh = NULL;
492 char* validity = NULL;
496 char* dnskeyttl = NULL;
499 char* paramttl = NULL;
513 ods_log_info(
"[%s] zone %s signconf: RESIGN[%s] REFRESH[%s] "
514 "VALIDITY[%s] DENIAL[%s] JITTER[%s] OFFSET[%s] NSEC[%i] "
515 "DNSKEYTTL[%s] SOATTL[%s] MINIMUM[%s] SERIAL[%s]",
518 resign?resign:
"(null)",
519 refresh?refresh:
"(null)",
520 validity?validity:
"(null)",
521 denial?denial:
"(null)",
522 jitter?jitter:
"(null)",
523 offset?offset:
"(null)",
525 dnskeyttl?dnskeyttl:
"(null)",
526 soattl?soattl:
"(null)",
527 soamin?soamin:
"(null)",
530 if (sc->
nsec_type == LDNS_RR_TYPE_NSEC3) {
532 "ALGORITHM[%u] ITERATIONS[%u] SALT[%s]",
535 paramttl?paramttl:
"PT0S",
545 free((
void*)refresh);
546 free((
void*)validity);
550 free((
void*)dnskeyttl);
551 free((
void*)paramttl);