Re: [Freeipa-devel] [PATCH 0251-0256] Add support for NSEC3

2014-11-03 Thread Petr Spacek

On 21.5.2014 13:56, Tomas Hozza wrote:


On 05/21/2014 11:33 AM, Petr Spacek wrote:

On 7.5.2014 15:27, Petr Spacek wrote:

On 29.4.2014 23:34, Petr Spacek wrote:

This patch set adds support for NSEC3. See commit messages for details.


Patch 253 was obsoleted by patches 244v2 and 246v2.

You can download latest & greatest version from dnssec branch on github:

https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec


Patch 256v2 removes dead code from zone_master_reconfigure_nsec3param()
function.

You can download latest & greatest version from dnssec branch on github.

This doesn't solve a race condition somewhere in start-up sequence, I'm
looking into it.


Hi.

I tested and reviewed patches 244-256 (all latest versions) and tested
the https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec HEAD.

Everything works as expected in constraints described in commit messages.

There is still a race condition with signing that Petr is aware of and
is working on it. (The zone is sometimes not signed if started using
systemd).

So I'm ACKing the patch-set 244-256


This is delayed push notice:
c125ae548b77fffc5af9fc9c5e0f5b3c0b83bfbb
3b120f9a1536b56616f0c2da946039bcdb548025
f72976d1f73470fbbd00791d2cb8f823d9053f61
9ae956c448b0b60123e2d26eb60b37eab08b4393
b26e562c7dc19cca9cfcd51907ecbdeb0d8856f6

Patch 253 was obsoleted by patches 244v2 and 246v2.

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0251-0256] Add support for NSEC3

2014-05-21 Thread Petr Spacek

On 7.5.2014 15:27, Petr Spacek wrote:

On 29.4.2014 23:34, Petr Spacek wrote:

This patch set adds support for NSEC3. See commit messages for details.


Patch 253 was obsoleted by patches 244v2 and 246v2.

You can download latest & greatest version from dnssec branch on github:

https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec


Patch 256v2 removes dead code from zone_master_reconfigure_nsec3param() 
function.

You can download latest & greatest version from dnssec branch on github.

This doesn't solve a race condition somewhere in start-up sequence, I'm 
looking into it.


--
Petr^2 Spacek
From 6e5795cb99fcea5092024dd00dcc630db744c0e8 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 29 Apr 2014 20:00:29 +0200
Subject: [PATCH] Add support for NSEC3.

NSEC3PARAM is loaded from NSEC3PARAMRecord attribute at zone apex
in LDAP. Default (when the attribute is not present) is to use NSEC.

Limitation: Only one NSEC3PARAM record per zone is supported at the moment.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/ldap_helper.c   | 64 +
 src/zone_register.c |  1 +
 2 files changed, 65 insertions(+)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 7bfd12ffc3e741c586bafcf3631234079cb54350..3150b56f118b6270bb79a8bc2491c472b98477dc 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -261,6 +261,7 @@ static const setting_t settings_local_default[] = {
 	{ serial_autoincrement,	no_default_string	}, /* No longer supported */
 	{ verbose_checks,		no_default_boolean	},
 	{ directory,			no_default_string	},
+	{ nsec3param,			default_string(0 0 0 00)	}, /* NSEC only */
 	end_of_settings
 };
 
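Review bot: the default `0 0 0 00` is a sentinel meaning "no NSEC3 chain", but the `/* NSEC only */` comment does not say how it gets that meaning; state that hash algorithm 0 is what dns_zone_setnsec3param() treats as "remove the NSEC3 chain and fall back to NSEC" (the salt `00` is irrelevant in that case), so that nobody later "fixes" the default into a real NSEC3PARAM record.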
@@ -335,6 +336,10 @@ static isc_result_t ldap_pool_connect(ldap_pool_t *pool,
 static isc_threadresult_t
 ldap_syncrepl_watcher(isc_threadarg_t arg) ATTR_NONNULLS ATTR_CHECKRESULT;
 
+static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+zone_master_reconfigure_nsec3param(settings_set_t *zone_settings,
+   dns_zone_t *secure);
+
 #define PRINT_BUFF_SIZE 10 /* for unsigned int 2^32 */
 isc_result_t
 validate_local_instance_settings(ldap_instance_t *inst, settings_set_t *set) {
@@ -1109,6 +1114,7 @@ activate_zones(isc_task_t *task, ldap_instance_t *inst) {
 	DECLARE_BUFFERED_NAME(name);
 	unsigned int published_cnt = 0;
 	unsigned int total_cnt = 0;
+	settings_set_t *zone_settings = NULL;
 
 	INIT_BUFFERED_NAME(name);
 	CHECK(zr_rbt_iter_init(inst-zone_register, iter, name));
@@ -1124,6 +1130,13 @@ activate_zones(isc_task_t *task, ldap_instance_t *inst) {
 			dns_zone_log(raw, ISC_LOG_ERROR,
  unable to load zone: %s,
  dns_result_totext(result));
+		else if (secure != NULL) {
+			zone_settings = NULL;
+			CHECK(zr_get_zone_settings(inst-zone_register,
+		   name, zone_settings));
+			CHECK(zone_master_reconfigure_nsec3param(zone_settings,
+ secure));
+		}
 
 		/*
 		 * Don't bother if load fails, server will return
@@ -1880,6 +1893,45 @@ cleanup:
 #undef MAX_SERIAL_LENGTH
 }
 
+static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+zone_master_reconfigure_nsec3param(settings_set_t *zone_settings,
+   dns_zone_t *secure) {
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	dns_rdata_t *nsec3p_rdata = NULL;
+	dns_rdata_nsec3param_t nsec3p_rr;
+	dns_name_t *origin = NULL;
+	const char *nsec3p_str = NULL;
+	ldap_entry_t *fake_entry = NULL;
+
+	REQUIRE(secure != NULL);
+
+	mctx = dns_zone_getmctx(secure);
+	origin = dns_zone_getorigin(secure);
+	CHECK(ldap_entry_init(mctx, fake_entry));
+
+	CHECK(setting_get_str(nsec3param, zone_settings, nsec3p_str));
+	dns_zone_log(secure, ISC_LOG_INFO,
+		 reconfiguring NSEC3PARAM to '%s', nsec3p_str);
+	CHECK(parse_rdata(mctx, fake_entry, dns_rdataclass_in,
+			  dns_rdatatype_nsec3param, origin, nsec3p_str,
+			  nsec3p_rdata));
+	CHECK(dns_rdata_tostruct(nsec3p_rdata, nsec3p_rr, NULL));
+	CHECK(dns_zone_setnsec3param(secure, nsec3p_rr.hash, nsec3p_rr.flags,
+ nsec3p_rr.iterations,
+ nsec3p_rr.salt_length, nsec3p_rr.salt,
+ ISC_TRUE));
+
+cleanup:
+	if (nsec3p_rdata != NULL) {
+		isc_mem_put(mctx, nsec3p_rdata-data, nsec3p_rdata-length);
+		SAFE_MEM_PUT_PTR(mctx, nsec3p_rdata);
+	}
+	if (fake_entry != NULL)
+		ldap_entry_destroy(mctx, fake_entry);
+	return result;
+}
+
 /**
  * Reconfigure master zone according to configuration in LDAP object.
  *
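Review bot: zone_master_reconfigure_nsec3param() has no doc comment, unlike zone_master_reconfigure() directly below it, and the role of `fake_entry` is not obvious: it exists only because parse_rdata() requires an ldap_entry_t while the NSEC3PARAM text here comes from the settings set. A short comment on that, plus a note that after dns_rdata_tostruct(..., NULL) the `nsec3p_rr.salt` pointer refers into `nsec3p_rdata->data` (so the rdata must outlive the dns_zone_setnsec3param() call, which the cleanup order here respects), would save the next reader a trip through the BIND sources.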
@@ -1998,6 +2050,18 @@ zone_master_reconfigure(ldap_entry_t *entry, settings_set_t *zone_settings,
 		/* dnssec-loadkeys-interval */
 		CHECK(dns_zone_setrefreshkeyinterval(secure, 60));
 
+		result = setting_update_from_ldap_entry(nsec3param,
+			zone_settings,
+			nsec3paramRecord,
+			entry, task);
+		if (result == ISC_R_SUCCESS)
+			CHECK(zone_master_reconfigure_nsec3param(zone_settings,
+ secure));
+		else if (result == ISC_R_IGNORE)
+			result = ISC_R_SUCCESS;
+		else
+			goto cleanup;
+
 		/* auto-dnssec = maintain */
 		
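Review bot: when setting_update_from_ldap_entry() returns ISC_R_IGNORE the code turns it into success and skips zone_master_reconfigure_nsec3param(); if ISC_R_IGNORE means "attribute not present", then removing nsec3paramRecord from an existing zone leaves the previously applied NSEC3 chain in place instead of reverting to the NSEC-only default the commit message promises. Confirm whether that return code should reset the setting to its default and still call the reconfigure function.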

Re: [Freeipa-devel] [PATCH 0251-0256] Add support for NSEC3

2014-05-21 Thread Tomas Hozza

On 05/21/2014 11:33 AM, Petr Spacek wrote:
 On 7.5.2014 15:27, Petr Spacek wrote:
 On 29.4.2014 23:34, Petr Spacek wrote:
 This patch set adds support for NSEC3. See commit messages for details.

 Patch 253 was obsoleted by patches 244v2 and 246v2.

 You can download latest & greatest version from dnssec branch on github:

 https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec
 
 Patch 256v2 removes dead code from zone_master_reconfigure_nsec3param()
 function.
 
 You can download latest & greatest version from dnssec branch on github.
 
 This doesn't solve a race condition somewhere in start-up sequence, I'm
 looking into it.
 

Hi.

I tested and reviewed patches 244-256 (all latest versions) and tested
the https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec HEAD.

Everything works as expected in constraints described in commit messages.

There is still a race condition with signing that Petr is aware of and
is working on it. (The zone is sometimes not signed if started using
systemd).

So I'm ACKing the patch-set 244-256

Regards,

Tomas



Re: [Freeipa-devel] [PATCH 0251-0256] Add support for NSEC3

2014-05-07 Thread Petr Spacek

On 29.4.2014 23:34, Petr Spacek wrote:

This patch set adds support for NSEC3. See commit messages for details.


Patch 253 was obsoleted by patches 244v2 and 246v2.

You can download latest & greatest version from dnssec branch on github:

https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec

--
Petr^2 Spacek
