diff --git a/bin/named/control.c b/bin/named/control.c
index 8ea363b5bd..7a60bae870 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -228,6 +228,8 @@ named_control_docommand(isccc_sexpr_t *message, bool readonly,
 result = named_server_flushnode(named_g_server, lex, true);
 } else if (command_compare(command, NAMED_COMMAND_FREEZE)) {
 result = named_server_freeze(named_g_server, true, lex, text);
+ } else if (command_compare(command, NAMED_COMMAND_SKR)) {
+ result = named_server_skr(named_g_server, lex, text);
 } else if (command_compare(command, NAMED_COMMAND_LOADKEYS) ||
 command_compare(command, NAMED_COMMAND_SIGN))
 {
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 6f3660ad0f..c00900847f 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -61,6 +61,7 @@
 #define NAMED_COMMAND_SHOWZONE "showzone"
 #define NAMED_COMMAND_SIGN "sign"
 #define NAMED_COMMAND_SIGNING "signing"
+#define NAMED_COMMAND_SKR "skr"
 #define NAMED_COMMAND_STATUS "status"
 #define NAMED_COMMAND_STOP "stop"
 #define NAMED_COMMAND_SYNC "sync"
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 9ad18bde7f..a95c6544fb 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -376,3 +376,9 @@ named_server_servestale(named_server_t *server, isc_lex_t *lex,
 isc_result_t
 named_server_fetchlimit(named_server_t *server, isc_lex_t *lex,
 isc_buffer_t **text);
+
+/*%
+ * Import SKR file for offline KSK signing.
+ */
+isc_result_t
+named_server_skr(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
diff --git a/bin/named/server.c b/bin/named/server.c
index bc96a77ce3..6addb6108a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
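Review bot: The new `NAMED_COMMAND_SKR` branch calls named_server_skr without consulting the `readonly` flag that named_control_docommand receives (visible in the hunk header); if the read-only gating earlier in the function is an allow-list of harmless commands this is fine, but if it is a deny-list, an SKR import — which changes the zone's signing inputs — would be reachable with a read-only control key, so please confirm which it is and add `skr` to the denied set if needed. The branch is also inserted between FREEZE and LOADKEYS, breaking the alphabetical order the visible chain otherwise follows; the usage text in the rndc.c hunk and the rndc.rst hunk place `skr` between `halt` and `loadkeys` the same way. named_control_docommand starts and ends outside this hunk.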
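Review bot: The new declaration's comment, `Import SKR file for offline KSK signing.`, leaves out the contract that the server.c hunk fixes, which is what a caller of this header needs. It should name the accepted syntax (`skr -import file zone [class [view]]`), the preconditions checked (the zone must have a dnssec-policy with offline-ksk enabled, otherwise an explanatory message is written to `text`), and the error results: ISC_R_UNEXPECTEDEND for a missing argument and DNS_R_SYNTAX when the sub-command is not `-import`. Until the import itself lands, the comment should also say that the command currently only validates its arguments and reports `import command not implemented`.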
@@ -16667,3 +16667,61 @@ cleanup:
 return (result);
 }
+
+isc_result_t
+named_server_skr(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_zone_t *zone = NULL;
+ dns_kasp_t *kasp = NULL;
+ const char *ptr;
+ char skrfile[PATH_MAX];
+
+ /* Skip the command name. */
+ ptr = next_token(lex, text);
+ if (ptr == NULL) {
+ return (ISC_R_UNEXPECTEDEND);
+ }
+
+ /* Find out what we are to do. */
+ ptr = next_token(lex, text);
+ if (ptr == NULL) {
+ return (ISC_R_UNEXPECTEDEND);
+ }
+
+ if (strcasecmp(ptr, "-import") != 0) {
+ CHECK(DNS_R_SYNTAX);
+ }
+
+ ptr = next_token(lex, NULL);
+ if (ptr == NULL) {
+ return (ISC_R_UNEXPECTEDEND);
+ }
+ (void)snprintf(skrfile, sizeof(skrfile), "%s", ptr);
+
+ CHECK(zone_from_args(server, lex, NULL, &zone, NULL, text, false));
+ if (zone == NULL) {
+ CHECK(ISC_R_UNEXPECTEDEND);
+ }
+ kasp = dns_zone_getkasp(zone);
+ if (kasp == NULL) {
+ CHECK(putstr(text, "zone does not have a dnssec-policy"));
+ CHECK(putnull(text));
+ goto cleanup;
+ }
+
+ if (!dns_kasp_offlineksk(kasp)) {
+ CHECK(putstr(text, "zone does not have offline-ksk enabled"));
+ CHECK(putnull(text));
+ goto cleanup;
+ }
+
+ CHECK(putstr(text, "import command not implemented"));
+ CHECK(putnull(text));
+
+cleanup:
+ if (zone != NULL) {
+ dns_zone_detach(&zone);
+ }
+
+ return (result);
+}
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 0cdc162bb7..d3e14a9c29 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -132,6 +132,9 @@ command is one of the following:\n\
 halt Stop the server without saving pending updates.\n\
 halt -p Stop the server without saving pending updates reporting\n\
 process id.\n\
+ skr -import file zone [class [view]]\n\
+ Import a SKR file for the specified zone, for offline KSK\n\
+ signing.\n\
 loadkeys zone [class [view]]\n\
 Update keys without signing immediately.\n\
 managed-keys refresh [class [view]]\n\
diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst
index 531a56430e..55ea4d3147 100644
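Review bot: `skrfile` is written by `(void)snprintf(skrfile, sizeof(skrfile), "%s", ptr);` and never read, and discarding the return value means a path longer than PATH_MAX would be silently truncated to a different name once the import uses it; better to fail now with `int n = snprintf(skrfile, sizeof(skrfile), "%s", ptr); if (n < 0 || (size_t)n >= sizeof(skrfile)) { CHECK(ISC_R_NOSPACE); }` so the check is not forgotten when the import lands. The file-name token is fetched with `next_token(lex, NULL)` while the two earlier calls pass `text`; if next_token reports lexer errors through `text`, as the other call sites suggest, a failure on the file name comes back with no message, so either pass `text` or comment why it is suppressed. The `-import` mismatch path does `CHECK(DNS_R_SYNTAX)` without writing anything to `text`, unlike the two policy checks below that explain the refusal, so a `putstr(text, "unknown skr sub-command, expected -import")` before it would make the branches consistent. When the import is implemented, the path should be validated (readable, and preferably logged together with the zone name) before its contents are used, since it is operator-supplied input to the zone's offline-KSK signing state.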
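Review bot: The new usage line `Import a SKR file for the specified zone, for offline KSK` puts `a` before an initialism that is usually read letter by letter, so `an SKR file` reads better; the rndc.rst hunk has the same `a SKR file` wording. The argument order shown (file, then zone) matches what named_server_skr parses in the server.c hunk, so the text and the parser agree.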
--- a/bin/rndc/rndc.rst
+++ b/bin/rndc/rndc.rst
@@ -266,6 +266,11 @@ Currently supported commands are: See also :option:`rndc stop`. +.. option:: skr -import file zone [class [view]] + + This command allows you to import a SKR file for the specified zone, to + support offline KSK signing. + .. option:: loadkeys [zone [class [view]]] This command fetches all DNSSEC keys for the given zone from the key directory. If