On 7.5.2014 15:27, Petr Spacek wrote:
On 29.4.2014 23:34, Petr Spacek wrote:
This patch set adds support for NSEC3. See commit messages for details.


Patch 253 was obsoleted by patches 244v2 and 246v2.

You can download latest & greatest version from dnssec branch on github:

https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec

Patch 256v2 removes dead code from zone_master_reconfigure_nsec3param() 
function.

You can download latest & greatest version from dnssec branch on github.

This does not fix the race condition somewhere in the start-up sequence; I am still looking into that separately.

--
Petr^2 Spacek
From 6e5795cb99fcea5092024dd00dcc630db744c0e8 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 29 Apr 2014 20:00:29 +0200
Subject: [PATCH] Add support for NSEC3.

NSEC3PARAM is loaded from NSEC3PARAMRecord attribute at zone apex
in LDAP. Default (when the attribute is not present) is to use NSEC.

Limitation: Only one NSEC3PARAM record per zone is supported at the moment.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/ldap_helper.c   | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/zone_register.c |  1 +
 2 files changed, 65 insertions(+)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 7bfd12ffc3e741c586bafcf3631234079cb54350..3150b56f118b6270bb79a8bc2491c472b98477dc 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -261,6 +261,7 @@ static const setting_t settings_local_default[] = {
 	{ "serial_autoincrement",	no_default_string	}, /* No longer supported */
 	{ "verbose_checks",		no_default_boolean	},
 	{ "directory",			no_default_string	},
+	{ "nsec3param",			default_string("0 0 0 00")	}, /* NSEC only */
 	end_of_settings
 };
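Review bot: The default `"0 0 0 00"` carries a one-byte zero salt: in NSEC3PARAM presentation format the salt is a hex string and an empty salt is written as `-`, so `00` is a salt of length 1, not "no salt". If the hash algorithm of 0 is what makes zone_master_reconfigure_nsec3param switch the zone back to NSEC, the salt is presumably ignored and this is harmless, but `"0 0 0 -"` states the intent exactly and matches the all-zero/empty-salt form of "no NSEC3" that the rest of the code will compare against. Worth confirming against dns_zone_setnsec3param's treatment of hash 0 before the default is relied on.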
 
@@ -335,6 +336,10 @@ static isc_result_t ldap_pool_connect(ldap_pool_t *pool,
 static isc_threadresult_t
 ldap_syncrepl_watcher(isc_threadarg_t arg) ATTR_NONNULLS ATTR_CHECKRESULT;
 
+static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+zone_master_reconfigure_nsec3param(settings_set_t *zone_settings,
+				   dns_zone_t *secure);
+
 #define PRINT_BUFF_SIZE 10 /* for unsigned int 2^32 */
 isc_result_t
 validate_local_instance_settings(ldap_instance_t *inst, settings_set_t *set) {
@@ -1109,6 +1114,7 @@ activate_zones(isc_task_t *task, ldap_instance_t *inst) {
 	DECLARE_BUFFERED_NAME(name);
 	unsigned int published_cnt = 0;
 	unsigned int total_cnt = 0;
+	settings_set_t *zone_settings = NULL;
 
 	INIT_BUFFERED_NAME(name);
 	CHECK(zr_rbt_iter_init(inst->zone_register, &iter, &name));
@@ -1124,6 +1130,13 @@ activate_zones(isc_task_t *task, ldap_instance_t *inst) {
 			dns_zone_log(raw, ISC_LOG_ERROR,
 				     "unable to load zone: %s",
 				     dns_result_totext(result));
+		else if (secure != NULL) {
+			zone_settings = NULL;
+			CHECK(zr_get_zone_settings(inst->zone_register,
+						   &name, &zone_settings));
+			CHECK(zone_master_reconfigure_nsec3param(zone_settings,
+								 secure));
+		}
 
 		/*
 		 * Don't bother if load fails, server will return
@@ -1880,6 +1893,45 @@ cleanup:
 #undef MAX_SERIAL_LENGTH
 }
 
+static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+zone_master_reconfigure_nsec3param(settings_set_t *zone_settings,
+				   dns_zone_t *secure) {
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	dns_rdata_t *nsec3p_rdata = NULL;
+	dns_rdata_nsec3param_t nsec3p_rr;
+	dns_name_t *origin = NULL;
+	const char *nsec3p_str = NULL;
+	ldap_entry_t *fake_entry = NULL;
+
+	REQUIRE(secure != NULL);
+
+	mctx = dns_zone_getmctx(secure);
+	origin = dns_zone_getorigin(secure);
+	CHECK(ldap_entry_init(mctx, &fake_entry));
+
+	CHECK(setting_get_str("nsec3param", zone_settings, &nsec3p_str));
+	dns_zone_log(secure, ISC_LOG_INFO,
+		     "reconfiguring NSEC3PARAM to '%s'", nsec3p_str);
+	CHECK(parse_rdata(mctx, fake_entry, dns_rdataclass_in,
+			  dns_rdatatype_nsec3param, origin, nsec3p_str,
+			  &nsec3p_rdata));
+	CHECK(dns_rdata_tostruct(nsec3p_rdata, &nsec3p_rr, NULL));
+	CHECK(dns_zone_setnsec3param(secure, nsec3p_rr.hash, nsec3p_rr.flags,
+				     nsec3p_rr.iterations,
+				     nsec3p_rr.salt_length, nsec3p_rr.salt,
+				     ISC_TRUE));
+
+cleanup:
+	if (nsec3p_rdata != NULL) {
+		isc_mem_put(mctx, nsec3p_rdata->data, nsec3p_rdata->length);
+		SAFE_MEM_PUT_PTR(mctx, nsec3p_rdata);
+	}
+	if (fake_entry != NULL)
+		ldap_entry_destroy(mctx, &fake_entry);
+	return result;
+}
+
 /**
  * Reconfigure master zone according to configuration in LDAP object.
  *
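Review bot: zone_master_reconfigure_nsec3param() passes `nsec3p_rr.hash`, `nsec3p_rr.flags` and `nsec3p_rr.iterations` straight from the LDAP-supplied string into dns_zone_setnsec3param() without any range check. Unless dns_zone_setnsec3param() itself rejects them (I cannot see that from here), an unsupported hash algorithm or a very large iteration count in nsec3paramRecord would be accepted and make every signing and every validator's lookup of the zone correspondingly expensive, which is the classic NSEC3 iteration-count problem. A guard after dns_rdata_tostruct() along the lines of `if (nsec3p_rr.hash != 0 && nsec3p_rr.hash != DNS_NSEC3_SHA1) CLEANUP_WITH(ISC_R_NOTIMPLEMENTED);` plus an upper bound on iterations would turn a bad directory value into a logged error instead of a slow zone. The function also deserves a header comment stating that `"0 0 0 ..."` (hash 0) is the "disable NSEC3, use NSEC" form and that salt memory is owned by nsec3p_rdata until cleanup.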
@@ -1998,6 +2050,18 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 		/* dnssec-loadkeys-interval */
 		CHECK(dns_zone_setrefreshkeyinterval(secure, 60));
 
+		result = setting_update_from_ldap_entry("nsec3param",
+							zone_settings,
+							"nsec3paramRecord",
+							entry, task);
+		if (result == ISC_R_SUCCESS)
+			CHECK(zone_master_reconfigure_nsec3param(zone_settings,
+								 secure));
+		else if (result == ISC_R_IGNORE)
+			result = ISC_R_SUCCESS;
+		else
+			goto cleanup;
+
 		/* auto-dnssec = maintain */
 		dns_zone_setkeyopt(secure, DNS_ZONEKEY_ALLOW, ISC_TRUE);
 		dns_zone_setkeyopt(secure, DNS_ZONEKEY_MAINTAIN, ISC_TRUE);
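Review bot: The three-way result handling after setting_update_from_ldap_entry() is not self-explanatory: a reader cannot tell whether ISC_R_IGNORE means "attribute unchanged" or "attribute absent", and the two differ in whether an nsec3paramRecord deleted from LDAP ever reverts the zone to NSEC. If ISC_R_IGNORE is returned only when the value did not change, a comment such as `/* ISC_R_IGNORE: nsec3paramRecord unchanged, keep current NSEC3PARAM */` on the `else if` makes that explicit; if it is also returned when the attribute is missing, the "default is NSEC" promise in the commit message only holds on first load, and that should be noted or fixed. zone_master_reconfigure begins and ends outside this hunk.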
diff --git a/src/zone_register.c b/src/zone_register.c
index 4c2f5a5a0369e0f4d3e089b75fa9e88c5924b92e..1d8d8fa5b3bde92d1f6190a086fee748cd00d221 100644
--- a/src/zone_register.c
+++ b/src/zone_register.c
@@ -88,6 +88,7 @@ static const setting_t zone_settings[] = {
 	{ "sync_ptr",			no_default_boolean	},
 	{ "forward_policy",		no_default_string	},
 	{ "forwarders",			no_default_string	},
+	{ "nsec3param",			no_default_string	},
 	end_of_settings
 };
 
-- 
1.9.0
