Commit 117588fe authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec: not using SEP bit to determine KSK-ness

parent 3c8cdd6a
......@@ -196,7 +196,7 @@ int knot_parent_ds_query(kdnssec_ctx_t *kctx, zone_keyset_t *keyset, size_t time
{
for (size_t i = 0; i < keyset->count; i++) {
zone_key_t *key = &keyset->keys[i];
if (dnssec_key_get_flags(key->key) == DNSKEY_FLAGS_KSK &&
if (key->is_ksk &&
key->cds_priority > 1) {
if (parents_have_ds(kctx, key, timeout)) {
return knot_dnssec_ksk_sbm_confirm(kctx);
......@@ -38,6 +38,22 @@ static int key_params_check(key_params_t *params)
return KNOT_EOK;
}
/*! \brief Determine presence of SEP bit by trial-end-error using known keytag. */
static int dnskey_guess_flags(dnssec_key_t *key, uint16_t keytag)
{
dnssec_key_set_flags(key, DNSKEY_FLAGS_KSK);
if (dnssec_key_get_keytag(key) == keytag) {
return KNOT_EOK;
}
dnssec_key_set_flags(key, DNSKEY_FLAGS_ZSK);
if (dnssec_key_get_keytag(key) == keytag) {
return KNOT_EOK;
}
return KNOT_EMALF;
}
static int params2dnskey(const knot_dname_t *dname, key_params_t *params,
dnssec_key_t **key_ptr)
{
......@@ -64,15 +80,18 @@ static int params2dnskey(const knot_dname_t *dname, key_params_t *params,
dnssec_key_set_algorithm(key, params->algorithm);
uint16_t flags = dnskey_flags(params->is_ksk);
dnssec_key_set_flags(key, flags);
ret = dnssec_key_set_pubkey(key, &params->public_key);
if (ret != KNOT_EOK) {
dnssec_key_free(key);
return knot_error_from_libdnssec(ret);
}
ret = dnskey_guess_flags(key, params->keytag);
if (ret != KNOT_EOK) {
dnssec_key_free(key);
return ret;
}
*key_ptr = key;
return KNOT_EOK;
......@@ -113,8 +132,7 @@ static void kaspkey2params(knot_kasp_key_t *key, key_params_t *params)
params->keytag = dnssec_key_get_keytag(key->key);
dnssec_key_get_pubkey(key->key, &params->public_key);
params->algorithm = dnssec_key_get_algorithm(key->key);
params->is_ksk = dnssec_key_get_flags(key->key) == DNSKEY_FLAGS_KSK;
assert(params->is_ksk == key->is_ksk);
params->is_ksk = key->is_ksk;
params->is_csk = (key->is_ksk && key->is_zsk);
params->timing = key->timing;
params->is_pub_only = key->is_pub_only;
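Review bot: dnskey_guess_flags, which params2dnskey now calls right after dnssec_key_set_pubkey, only tries DNSKEY_FLAGS_KSK and DNSKEY_FLAGS_ZSK and returns KNOT_EMALF otherwise, so a key whose flags field holds any other value (for instance with the RFC 5011 REVOKE bit set) can no longer be loaded, and a stale or wrong params->keytag turns into a hard load failure rather than a mismatch detected later. If that is the intended contract, the new function's comment should state it and fix the typo: `/*! \brief Recover DNSKEY flags (257 for KSK, 256 for ZSK) by trial-and-error against the known keytag; any other flags value is rejected with KNOT_EMALF. */`. It would also help a reader of params2dnskey to see why params->is_ksk no longer feeds dnssec_key_set_flags, e.g. `// flags are recovered from the keytag; the KASP role (is_ksk) is tracked separately from the SEP bit`. Whether params->is_ksk is still consumed elsewhere is not visible here, and params2dnskey's body starts before this hunk.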
......@@ -36,14 +36,14 @@ static bool key_present(const kdnssec_ctx_t *ctx, bool ksk, bool zsk)
return false;
}
static bool key_id_present(const kdnssec_ctx_t *ctx, const char *keyid, uint16_t flag)
static bool key_id_present(const kdnssec_ctx_t *ctx, const char *keyid, bool want_ksk)
{
assert(ctx);
assert(ctx->zone);
for (size_t i = 0; i < ctx->zone->num_keys; i++) {
const knot_kasp_key_t *key = &ctx->zone->keys[i];
if (strcmp(keyid, key->id) == 0 &&
dnssec_key_get_flags(key->key) == flag) {
key->is_ksk == want_ksk) {
return true;
}
}
......@@ -126,7 +126,7 @@ static int share_or_generate_key(kdnssec_ctx_t *ctx, bool ksk, bool zsk, knot_ti
}
// if we already have the policy-last key, we have to generate new one
if (ret == KNOT_ENOENT || key_id_present(ctx, borrow_key, DNSKEY_FLAGS_KSK)) {
if (ret == KNOT_ENOENT || key_id_present(ctx, borrow_key, true)) {
knot_kasp_key_t *key = NULL;
ret = kdnssec_generate_key(ctx, ksk, zsk, &key);
if (ret != KNOT_EOK) {
......@@ -160,7 +160,7 @@ static int key_command(int argc, char *argv[], int optind)
}
if (argc < 3) {
for (int i = 0; i < kctx.zone->num_keys && ret == KNOT_EOK; i++) {
if (dnssec_key_get_flags(kctx.zone->keys[i].key) == DNSKEY_FLAGS_KSK) {
if (kctx.zone->keys[i].is_ksk) {
ret = generate_rr(zone_name, &kctx.zone->keys[i]);
}
}