* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.108.8.4 2010/01/19 23:48:12 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.108.8.6 2010/08/16 23:46:30 tbox Exp $ */
/*! \file */
"NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
- fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
- fprintf(stderr, " DH:\t\t[128..4096]\n");
- fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
- fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
+ fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
+ fprintf(stderr, " DH:\t\t[128..4096]\n");
+ fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
+ fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
"by 64\n");
- fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
- fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
- fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
- fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
- fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
- fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
+ fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
+ fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
+ fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
+ fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
+ fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
+ fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
fprintf(stderr, " (if using the default algorithm, key size\n"
" defaults to 2048 for KSK, or 1024 for all "
"others)\n");
fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
"USER | OTHER\n");
- fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
+ fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
#ifdef USE_PKCS11
fprintf(stderr, " -h: print usage and exit\n");
fprintf(stderr, " -m <memory debugging mode>:\n");
- fprintf(stderr, " usage | trace | record | size | mctx\n");
+ fprintf(stderr, " usage | trace | record | size | mctx\n");
fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set key publication date "
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
"all dates\n");
+ fprintf(stderr, " -S <key>: generate a successor to an existing "
+ "key\n");
+ fprintf(stderr, " -i <interval>: prepublication interval for "
+ "successor key "
+ "(default: 30 days)\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
int
main(int argc, char **argv) {
- char *algname = NULL, *nametype = NULL, *type = NULL;
+ char *algname = NULL, *nametype = NULL, *type = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
isc_textregion_t r;
char filename[255];
const char *directory = NULL;
+ const char *predecessor = NULL;
+ dst_key_t *prevkey = NULL;
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
+ int prepub = -1;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
/*
* Process memory debugging argument first.
*/
-#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:qr:s:T:t:v:hGP:A:R:I:D:"
+#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:km:n:P:p:qR:r:S:s:T:t:v:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
unsetdel = ISC_TRUE;
}
break;
+ case 'S':
+ predecessor = isc_commandline_argument;
+ break;
+ case 'i':
+ prepub = strtottl(isc_commandline_argument);
+ break;
case 'F':
/* Reserved for FIPS mode */
/* FALLTHROUGH */
setup_logging(verbose, mctx, &log);
- if (argc < isc_commandline_index + 1)
- fatal("the key name was not specified");
- if (argc > isc_commandline_index + 1)
- fatal("extraneous arguments");
+ if (predecessor == NULL) {
+ if (prepub == -1)
+ prepub = 0;
+
+ if (argc < isc_commandline_index + 1)
+ fatal("the key name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ isc_buffer_init(&buf, argv[isc_commandline_index],
+ strlen(argv[isc_commandline_index]));
+ isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+ ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+ if (ret != ISC_R_SUCCESS)
+ fatal("invalid key name %s: %s",
+ argv[isc_commandline_index],
+ isc_result_totext(ret));
+
+ if (algname == NULL) {
+ use_default = ISC_TRUE;
+ if (use_nsec3)
+ algname = strdup(DEFAULT_NSEC3_ALGORITHM);
+ else
+ algname = strdup(DEFAULT_ALGORITHM);
+ if (verbose > 0)
+ fprintf(stderr, "no algorithm specified; "
+ "defaulting to %s\n", algname);
+ }
- if (algname == NULL) {
- use_default = ISC_TRUE;
- if (use_nsec3)
- algname = strdup(DEFAULT_NSEC3_ALGORITHM);
- else
- algname = strdup(DEFAULT_ALGORITHM);
- if (verbose > 0)
- fprintf(stderr, "no algorithm specified; "
- "defaulting to %s\n", algname);
- }
+ if (strcasecmp(algname, "RSA") == 0) {
+ fprintf(stderr, "The use of RSA (RSAMD5) is not "
+ "recommended.\nIf you still wish to "
+ "use RSA (RSAMD5) please specify "
+ "\"-a RSAMD5\"\n");
+ return (1);
+ } else if (strcasecmp(algname, "HMAC-MD5") == 0)
+ alg = DST_ALG_HMACMD5;
+ else if (strcasecmp(algname, "HMAC-SHA1") == 0)
+ alg = DST_ALG_HMACSHA1;
+ else if (strcasecmp(algname, "HMAC-SHA224") == 0)
+ alg = DST_ALG_HMACSHA224;
+ else if (strcasecmp(algname, "HMAC-SHA256") == 0)
+ alg = DST_ALG_HMACSHA256;
+ else if (strcasecmp(algname, "HMAC-SHA384") == 0)
+ alg = DST_ALG_HMACSHA384;
+ else if (strcasecmp(algname, "HMAC-SHA512") == 0)
+ alg = DST_ALG_HMACSHA512;
+ else {
+ r.base = algname;
+ r.length = strlen(algname);
+ ret = dns_secalg_fromtext(&alg, &r);
+ if (ret != ISC_R_SUCCESS)
+ fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
+ }
- if (strcasecmp(algname, "RSA") == 0) {
- fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
- "If you still wish to use RSA (RSAMD5) please "
- "specify \"-a RSAMD5\"\n");
- return (1);
- } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACMD5;
- } else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA1;
- } else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA224;
- } else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA256;
- } else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA384;
- } else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA512;
- } else {
- r.base = algname;
- r.length = strlen(algname);
- ret = dns_secalg_fromtext(&alg, &r);
- if (ret != ISC_R_SUCCESS)
- fatal("unknown algorithm %s", algname);
- if (alg == DST_ALG_DH)
- options |= DST_TYPE_KEY;
- }
+ if (use_nsec3 &&
+ alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+ alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
+ fatal("%s is incompatible with NSEC3; "
+ "do not use the -3 option", algname);
+ }
- if (use_nsec3 &&
- alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
- alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
- fatal("%s is incompatible with NSEC3; "
- "do not use the -3 option", algname);
- }
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+ if (strcasecmp(type, "NOAUTH") == 0)
+ flags |= DNS_KEYTYPE_NOAUTH;
+ else if (strcasecmp(type, "NOCONF") == 0)
+ flags |= DNS_KEYTYPE_NOCONF;
+ else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+ flags |= (DNS_KEYTYPE_NOAUTH |
+ DNS_KEYTYPE_NOCONF);
+ if (size < 0)
+ size = 0;
+ }
+ else if (strcasecmp(type, "AUTHCONF") == 0)
+ /* nothing */;
+ else
+ fatal("invalid type %s", type);
+ }
- if (type != NULL && (options & DST_TYPE_KEY) != 0) {
- if (strcasecmp(type, "NOAUTH") == 0)
- flags |= DNS_KEYTYPE_NOAUTH;
- else if (strcasecmp(type, "NOCONF") == 0)
- flags |= DNS_KEYTYPE_NOCONF;
- else if (strcasecmp(type, "NOAUTHCONF") == 0) {
- flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
- if (size < 0)
- size = 0;
+ if (size < 0) {
+ if (use_default) {
+ if ((kskflag & DNS_KEYFLAG_KSK) != 0)
+ size = 2048;
+ else
+ size = 1024;
+ if (verbose > 0)
+ fprintf(stderr, "key size not "
+ "specified; defaulting "
+ "to %d\n", size);
+ } else {
+ fatal("key size not specified (-b option)");
+ }
}
- else if (strcasecmp(type, "AUTHCONF") == 0)
- /* nothing */;
- else
- fatal("invalid type %s", type);
- }
- if (size < 0) {
- if (use_default) {
- size = ((kskflag & DNS_KEYFLAG_KSK) != 0) ? 2048 : 1024;
- if (verbose > 0)
- fprintf(stderr, "key size not specified; "
- "defaulting to %d\n", size);
- } else {
- fatal("key size not specified (-b option)");
+ if (!oldstyle && prepub > 0) {
+ if (setpub && setact && (activate - prepub) < publish)
+ fatal("Activation and publication dates "
+ "are closer together than the\n\t"
+ "prepublication interval.");
+
+ if (!setpub && !setact) {
+ setpub = setact = ISC_TRUE;
+ publish = now;
+ activate = now + prepub;
+ } else if (setpub && !setact) {
+ setact = ISC_TRUE;
+ activate = publish + prepub;
+ } else if (setact && !setpub) {
+ setpub = ISC_TRUE;
+ publish = activate - prepub;
+ }
+
+ if ((activate - prepub) < now)
+ fatal("Time until activation is shorter "
+ "than the\n\tprepublication interval.");
}
+ } else {
+ char keystr[DST_KEY_FORMATSIZE];
+ isc_stdtime_t when;
+ int major, minor;
+
+ if (prepub == -1)
+ prepub = (30 * 86400);
+
+ if (algname != NULL)
+ fatal("-S and -a cannot be used together");
+ if (size >= 0)
+ fatal("-S and -b cannot be used together");
+ if (nametype != NULL)
+ fatal("-S and -n cannot be used together");
+ if (type != NULL)
+ fatal("-S and -t cannot be used together");
+ if (setpub || unsetpub)
+ fatal("-S and -P cannot be used together");
+ if (setact || unsetact)
+ fatal("-S and -A cannot be used together");
+ if (use_nsec3)
+ fatal("-S and -3 cannot be used together");
+ if (oldstyle)
+ fatal("-S and -C cannot be used together");
+ if (genonly)
+ fatal("-S and -G cannot be used together");
+
+ ret = dst_key_fromnamedfile(predecessor, directory,
+ DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+ mctx, &prevkey);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Invalid keyfile %s: %s",
+ filename, isc_result_totext(ret));
+ if (!dst_key_isprivate(prevkey))
+ fatal("%s is not a private key", filename);
+
+ name = dst_key_name(prevkey);
+ alg = dst_key_alg(prevkey);
+ size = dst_key_size(prevkey);
+ flags = dst_key_flags(prevkey);
+
+ dst_key_format(prevkey, keystr, sizeof(keystr));
+ dst_key_getprivateformat(prevkey, &major, &minor);
+ if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
+ fatal("Key %s has incompatible format version %d.%d\n\t"
+ "It is not possible to generate a successor key.",
+ keystr, major, minor);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Key %s has no activation date.\n\t"
+ "You must use dnssec-settime -A to set one "
+ "before generating a successor.", keystr);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Key %s has no inactivation date.\n\t"
+ "You must use dnssec-settime -I to set one "
+ "before generating a successor.", keystr);
+
+ publish = activate - prepub;
+ if (publish < now)
+ fatal("Key %s becomes inactive\n\t"
+ "sooner than the prepublication period "
+ "for the new key ends.\n\t"
+ "Either change the inactivation date with "
+ "dnssec-settime -I,\n\t"
+ "or use the -i option to set a shorter "
+ "prepublication interval.", keystr);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+ if (ret != ISC_R_SUCCESS)
+ fprintf(stderr, "%s: WARNING: Key %s has no removal "
+ "date;\n\t it will remain in the zone "
+ "indefinitely after rollover.\n\t "
+ "You can use dnssec-settime -D to "
+ "change this.\n", program, keystr);
+
+ setpub = setact = ISC_TRUE;
}
switch (alg) {
fatal("invalid DSS key size: %d", size);
break;
case DST_ALG_HMACMD5:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
fatal("HMAC-MD5 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 128))
dbits);
break;
case DST_ALG_HMACSHA1:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 160)
fatal("HMAC-SHA1 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 160))
dbits);
break;
case DST_ALG_HMACSHA224:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 224)
fatal("HMAC-SHA224 key size %d out of range", size);
if (dbits != 0 && (dbits < 112 || dbits > 224))
dbits);
break;
case DST_ALG_HMACSHA256:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 256)
fatal("HMAC-SHA256 key size %d out of range", size);
if (dbits != 0 && (dbits < 128 || dbits > 256))
dbits);
break;
case DST_ALG_HMACSHA384:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 384)
fatal("HMAC-384 key size %d out of range", size);
if (dbits != 0 && (dbits < 192 || dbits > 384))
dbits);
break;
case DST_ALG_HMACSHA512:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
fatal("HMAC-SHA512 key size %d out of range", size);
if (dbits != 0 && (dbits < 256 || dbits > 512))
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- isc_buffer_init(&buf, argv[isc_commandline_index],
- strlen(argv[isc_commandline_index]));
- isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
- ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
- if (ret != ISC_R_SUCCESS)
- fatal("invalid key name %s: %s", argv[isc_commandline_index],
- isc_result_totext(ret));
-
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
/*
* Set key timing metadata (unless using -C)
*
- * Publish and activation dates are set to "now" by default,
- * but can be overridden. Creation date is always set to
- * "now".
+ * Creation date is always set to "now".
+ *
+ * For a new key without an explicit predecessor, publish
+ * and activation dates are set to "now" by default, but
+ * can both be overridden.
+ *
+ * For a successor key, activation is set to match the
+ * predecessor's inactivation date. Publish is set to 30
+ * days earlier than that (XXX: this should be configurable).
+ * If either of the resulting dates are in the past, that's
+ * an error; the inactivation date of the predecessor key
+ * must be updated before a successor key can be created.
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
ret = dst_key_buildfilename(key, 0, NULL, &buf);
printf("%s\n", filename);
dst_key_free(&key);
+ if (prevkey != NULL)
+ dst_key_free(&prevkey);
cleanup_logging(&log);
cleanup_entropy(&ectx);