From d4c4f6a669aa3fc38d00c2b4ebe58407b86e417b Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 27 Aug 2020 12:32:41 +0200 Subject: [PATCH] Add '-P ds' and '-D ds' to dnssec-settime Add two more arguments to the dnssec-settime tool. '-P ds' sets the time that the DS was published in the parent, '-D ds' sets the time that the DS was removed from the parent (these times are not accurate, but rely on the user to use them appropriately, and as long as the time is not before actual publication/withdrawal, it is fine). These new arguments are needed for the kasp system test. We want to test when the next key event is once a DS is published, and now that 'parent-registration-delay' is obsoleted, we need a different approach to reliable test the timings. --- CHANGES | 2 ++ bin/dnssec/dnssec-settime.c | 65 +++++++++++++++++++++++++++++++++++ bin/dnssec/dnssec-settime.rst | 27 ++++++++++----- doc/man/dnssec-settime.1in | 27 ++++++++++----- 4 files changed, 103 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index 104b4f88fe..a598e958e7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +5499. [func] Add '-P ds' and '-D ds' arguments to dnssec-settime. + 5498. [test] The --with-gperftools-profiler configure option was removed. [GL !4045] diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index bf76b97873..41685c66ca 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -75,6 +75,8 @@ usage(void) { fprintf(stderr, "Timing options:\n"); fprintf(stderr, " -P date/[+-]offset/none: set/unset key " "publication date\n"); + fprintf(stderr, " -P ds date/[+-]offset/none: set/unset " + "DS publication date\n"); fprintf(stderr, " -P sync date/[+-]offset/none: set/unset " "CDS and CDNSKEY publication date\n"); fprintf(stderr, " -A date/[+-]offset/none: set/unset key " 
@@ -85,6 +87,8 @@ usage(void) { "inactivation date\n"); fprintf(stderr, " -D date/[+-]offset/none: set/unset key " "deletion date\n"); + fprintf(stderr, " -D ds date/[+-]offset/none: set/unset " + "DS deletion date\n"); fprintf(stderr, " -D sync date/[+-]offset/none: set/unset " "CDS and CDNSKEY deletion date\n"); fprintf(stderr, " -S : generate a successor to an existing " @@ -243,6 +247,10 @@ main(int argc, char **argv) { bool unsetsyncadd = false, setsyncadd = false; bool unsetsyncdel = false, setsyncdel = false; bool printsyncadd = false, printsyncdel = false; + isc_stdtime_t dsadd = 0, dsdel = 0; + bool unsetdsadd = false, setdsadd = false; + bool unsetdsdel = false, setdsdel = false; + bool printdsadd = false, printdsdel = false; options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE; @@ -290,6 +298,18 @@ main(int argc, char **argv) { unsetsyncdel = !setsyncdel; break; } + /* -Dds ? */ + if (isoptarg("ds", argv, usage)) { + if (unsetdsdel || setdsdel) { + fatal("-D ds specified more than once"); + } + + changed = true; + dsdel = strtotime(isc_commandline_argument, now, + now, &setdsdel); + unsetdsdel = !setdsdel; + break; + } /* -Ddnskey ? */ (void)isoptarg("dnskey", argv, usage); if (setdel || unsetdel) { @@ -394,6 +414,19 @@ main(int argc, char **argv) { unsetsyncadd = !setsyncadd; break; } + /* -Pds ? */ + if (isoptarg("ds", argv, usage)) { + if (unsetdsadd || setdsadd) { + fatal("-P ds specified more than once"); + } + + changed = true; + dsadd = strtotime(isc_commandline_argument, now, + now, &setdsadd); + unsetdsadd = !setdsadd; + break; + } + /* -Pdnskey ? */ (void)isoptarg("dnskey", argv, usage); if (setpub || unsetpub) { fatal("-P specified more than once"); @@ -415,6 +448,8 @@ main(int argc, char **argv) { printdel = true; printsyncadd = true; printsyncdel = true; + printdsadd = true; + printdsdel = true; break; } 
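Review bot: The new `-D ds` branch in the `case 'D'` hunk is a near-verbatim copy of the `-D sync` block above it, and the `-P ds` branch in the following hunk repeats the `-P sync` block the same way, so main() now carries four copies of the same repeat check, `strtotime` call and `unset = !set` step; a small static helper that takes the option name and the time/set/unset triple would keep that logic in one place and make the next sub-option a two-line addition. The `/* -Dds ? */` and `/* -Pds ? */` comments read as questions; a statement such as `/* -D ds: time the DS was removed from the parent */` tells the reader what the branch records. main() begins before and continues after these hunks, so the helper below is shown as it would be placed ahead of main().
```c
/* Parse the date argument of one "-X sub" timing option, rejecting repeats. */
static void
settime_opt(const char *opt, isc_stdtime_t now, isc_stdtime_t *when,
	    bool *set, bool *unset)
{
	if (*unset || *set) {
		fatal("%s specified more than once", opt);
	}
	*when = strtotime(isc_commandline_argument, now, now, set);
	*unset = !*set;
}

/* … unchanged: case 'D' up to and including the -D sync branch … */
			/* -D ds: time the DS was removed from the parent */
			if (isoptarg("ds", argv, usage)) {
				changed = true;
				settime_opt("-D ds", now, &dsdel, &setdsdel,
					    &unsetdsdel);
				break;
			}
```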
@@ -432,6 +467,11 @@ main(int argc, char **argv) { printsyncdel = true; break; } + if (!strncmp(p, "ds", 2)) { + p += 2; + printdsdel = true; + break; + } printdel = true; break; case 'I': @@ -443,6 +483,11 @@ main(int argc, char **argv) { printsyncadd = true; break; } + if (!strncmp(p, "ds", 2)) { + p += 2; + printdsadd = true; + break; + } printpub = true; break; case 'R': @@ -777,6 +822,18 @@ main(int argc, char **argv) { dst_key_unsettime(key, DST_TIME_SYNCDELETE); } + if (setdsadd) { + dst_key_settime(key, DST_TIME_DSPUBLISH, dsadd); + } else if (unsetdsadd) { + dst_key_unsettime(key, DST_TIME_DSPUBLISH); + } + + if (setdsdel) { + dst_key_settime(key, DST_TIME_DSDELETE, dsdel); + } else if (unsetdsdel) { + dst_key_unsettime(key, DST_TIME_DSDELETE); + } + if (setttl) { dst_key_setttl(key, ttl); } @@ -894,6 +951,14 @@ main(int argc, char **argv) { stdout); } + if (printdsadd) { + printtime(key, DST_TIME_DSPUBLISH, "DS Publish", epoch, stdout); + } + + if (printdsdel) { + printtime(key, DST_TIME_DSDELETE, "DS Delete", epoch, stdout); + } + if (changed) { writekey(key, directory, write_state); if (predecessor != NULL && prevkey != NULL) { diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst index 0be2c3b499..d7420e8fb2 100644 --- a/bin/dnssec/dnssec-settime.rst +++ b/bin/dnssec/dnssec-settime.rst 
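Review bot: The `setdsadd`/`setdsdel` block in the `@@ -777` hunk writes the DS times into the key with no ordering check, so a `-D ds` date earlier than the `-P ds` date, or a DS publish date earlier than the key's own publication date, is stored silently, even though the commit message itself says these values are only safe when they are not before the real parent publication or withdrawal. Going by the description, the DS publish time is what lets the key manager decide when the next rollover event may happen, so an inaccurate value here can advance a rollover past the point where the parent actually serves the DS, which is a chain-of-trust risk rather than a cosmetic one. If the timing-consistency warnings elsewhere in main() (outside this hunk) do not already cover the DS fields, a minimal guard ahead of this block such as `if (setdsadd && setdsdel && dsdel < dsadd) { fatal("-D ds date is before -P ds date"); }` would reject the clearly inconsistent case, and the usage text for `-P ds`/`-D ds` should say that these dates are operator assertions about the parent rather than values the tool verifies. main() starts before and ends after this hunk.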
@@ -29,7 +29,7 @@ dnssec-settime: set the key timing metadata for a DNSSEC key Synopsis ~~~~~~~~ -:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset] +:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset] Description ~~~~~~~~~~~ @@ -126,6 +126,10 @@ explicitly prevent a date from being set, use ``none`` or ``never``. that date, the key is included in the zone but is not used to sign it. +``-P ds date/offset`` + This option sets the date on which DS records that match this key have been + seen in the parent zone. + ``-P sync date/offset`` This option sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone. @@ -149,6 +153,10 @@ explicitly prevent a date from being set, use ``none`` or ``never``. key is no longer included in the zone. (However, it may remain in the key repository.) +``-D ds date/offset`` + This option sets the date on which the DS records that match this key have + been seen removed from the parent zone. + ``-D sync date/offset`` This option sets the date on which the CDS and CDNSKEY records that match this key are to be deleted. 
@@ -215,15 +223,16 @@ associated with a key. ``-u`` This option indicates that times should be printed in Unix epoch format. -``-p C/P/Psync/A/R/I/D/Dsync/all`` - This option prints a specific metadata value or set of metadata values. The ``-p`` - option may be followed by one or more of the following letters or +``-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all`` + This option prints a specific metadata value or set of metadata values. + The ``-p`` option may be followed by one or more of the following letters or strings to indicate which value or values to print: ``C`` for the - creation date, ``P`` for the publication date, ``Psync`` for the CDS - and CDNSKEY publication date, ``A`` for the activation date, ``R`` - for the revocation date, ``I`` for the inactivation date, ``D`` for - the deletion date, and ``Dsync`` for the CDS and CDNSKEY deletion - date. To print all of the metadata, use ``all``. + creation date, ``P`` for the publication date, ``Pds` for the DS publication + date, ``Psync`` for the CDS and CDNSKEY publication date, ``A`` for the + activation date, ``R`` for the revocation date, ``I`` for the inactivation + date, ``D`` for the deletion date, ``Dds`` for the DS deletion date, + and ``Dsync`` for the CDS and CDNSKEY deletion date. To print all of the + metadata, use ``all``. See Also ~~~~~~~~ diff --git a/doc/man/dnssec-settime.1in b/doc/man/dnssec-settime.1in index 52aa6c01c2..8fc8964523 100644 --- a/doc/man/dnssec-settime.1in +++ b/doc/man/dnssec-settime.1in 
@@ -32,7 +32,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .. .SH SYNOPSIS .sp -\fBdnssec\-settime\fP [\fB\-f\fP] [\fB\-K\fP directory] [\fB\-L\fP ttl] [\fB\-P\fP date/offset] [\fB\-P\fP sync date/offset] [\fB\-A\fP date/offset] [\fB\-R\fP date/offset] [\fB\-I\fP date/offset] [\fB\-D\fP date/offset] [\fB\-D\fP sync date/offset] [\fB\-S\fP key] [\fB\-i\fP interval] [\fB\-h\fP] [\fB\-V\fP] [\fB\-v\fP level] [\fB\-E\fP engine] {keyfile} [\fB\-s\fP] [\fB\-g\fP state] [\fB\-d\fP state date/offset] [\fB\-k\fP state date/offset] [\fB\-r\fP state date/offset] [\fB\-z\fP state date/offset] +\fBdnssec\-settime\fP [\fB\-f\fP] [\fB\-K\fP directory] [\fB\-L\fP ttl] [\fB\-P\fP date/offset] [\fB\-P\fP ds date/offset] [\fB\-P\fP sync date/offset] [\fB\-A\fP date/offset] [\fB\-R\fP date/offset] [\fB\-I\fP date/offset] [\fB\-D\fP date/offset] [\fB\-D\fP ds date/offset] [\fB\-D\fP sync date/offset] [\fB\-S\fP key] [\fB\-i\fP interval] [\fB\-h\fP] [\fB\-V\fP] [\fB\-v\fP level] [\fB\-E\fP engine] {keyfile} [\fB\-s\fP] [\fB\-g\fP state] [\fB\-d\fP state date/offset] [\fB\-k\fP state date/offset] [\fB\-r\fP state date/offset] [\fB\-z\fP state date/offset] .SH DESCRIPTION .sp \fBdnssec\-settime\fP reads a DNSSEC private key file and sets the key @@ -126,6 +126,10 @@ This option sets the date on which a key is to be published to the zone. After that date, the key is included in the zone but is not used to sign it. .TP +.B \fB\-P ds date/offset\fP +This option sets the date on which DS records that match this key have been +seen in the parent zone. +.TP .B \fB\-P sync date/offset\fP This option sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone. 
@@ -149,6 +153,10 @@ This option sets the date on which the key is to be deleted. After that date, th key is no longer included in the zone. (However, it may remain in the key repository.) .TP +.B \fB\-D ds date/offset\fP +This option sets the date on which the DS records that match this key have +been seen removed from the parent zone. +.TP .B \fB\-D sync date/offset\fP This option sets the date on which the CDS and CDNSKEY records that match this key are to be deleted. @@ -215,15 +223,16 @@ associated with a key. .B \fB\-u\fP This option indicates that times should be printed in Unix epoch format. .TP -.B \fB\-p C/P/Psync/A/R/I/D/Dsync/all\fP -This option prints a specific metadata value or set of metadata values. The \fB\-p\fP -option may be followed by one or more of the following letters or +.B \fB\-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all\fP +This option prints a specific metadata value or set of metadata values. +The \fB\-p\fP option may be followed by one or more of the following letters or strings to indicate which value or values to print: \fBC\fP for the -creation date, \fBP\fP for the publication date, \fBPsync\fP for the CDS -and CDNSKEY publication date, \fBA\fP for the activation date, \fBR\fP -for the revocation date, \fBI\fP for the inactivation date, \fBD\fP for -the deletion date, and \fBDsync\fP for the CDS and CDNSKEY deletion -date. To print all of the metadata, use \fBall\fP\&. +creation date, \fBP\fP for the publication date, \fBPds\(ga for the DS publication +date, \(ga\(gaPsync\fP for the CDS and CDNSKEY publication date, \fBA\fP for the +activation date, \fBR\fP for the revocation date, \fBI\fP for the inactivation +date, \fBD\fP for the deletion date, \fBDds\fP for the DS deletion date, +and \fBDsync\fP for the CDS and CDNSKEY deletion date. To print all of the +metadata, use \fBall\fP\&. .UNINDENT .SH SEE ALSO .sp