diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index b0f531e41d..52a13d5658 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -65,6 +65,7 @@ struct named_server {
 	dns_zonemgr_t *zonemgr;
 	dns_viewlist_t viewlist;
 	dns_kasplist_t kasplist;
+	dns_keystorelist_t keystorelist;
 	ns_interfacemgr_t *interfacemgr;
 	dns_db_t *in_roothints;
diff --git a/bin/named/server.c b/bin/named/server.c
index 062f021c57..d506c56e47 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -79,6 +79,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -8129,10 +8130,14 @@ load_configuration(const char *filename, named_server_t *server,
 	const cfg_obj_t *options;
 	const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
 	const cfg_obj_t *kasps;
+	const cfg_obj_t *keystores;
 	dns_kasp_t *kasp = NULL;
 	dns_kasp_t *kasp_next = NULL;
 	dns_kasp_t *default_kasp = NULL;
 	dns_kasplist_t tmpkasplist, kasplist;
+	dns_keystore_t *keystore = NULL;
+	dns_keystore_t *keystore_next = NULL;
+	dns_keystorelist_t tmpkeystorelist, keystorelist;
 	const cfg_obj_t *views;
 	dns_view_t *view_next = NULL;
@@ -8171,6 +8176,7 @@ load_configuration(const char *filename, named_server_t *server,
 	REQUIRE(isc_loop_current(named_g_loopmgr) == named_g_mainloop);
 	ISC_LIST_INIT(kasplist);
+	ISC_LIST_INIT(keystorelist);
 	ISC_LIST_INIT(viewlist);
 	ISC_LIST_INIT(builtin_viewlist);
 	ISC_LIST_INIT(cachelist);
@@ -8882,6 +8888,29 @@ load_configuration(const char *filename, named_server_t *server,
 	 */
 	(void)configure_session_key(maps, server, named_g_mctx, first_time);
+	/*
+	 * Create the DNSSEC key stores.
+	 */
+	keystores = NULL;
+	(void)cfg_map_get(config, "key-store", &keystores);
+	for (element = cfg_list_first(keystores); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *kconfig = cfg_listelt_value(element);
+		keystore = NULL;
+		result = cfg_keystore_fromconfig(kconfig, named_g_mctx,
+						 named_g_lctx, &keystorelist,
+						 &keystore));
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_keystorelist;
+		}
+		INSIST(keystore != NULL);
+		dns_keystore_detach(&keystore);
+	}
+	tmpkeystorelist = server->keystorelist;
+	server->keystorelist = keystorelist;
+	keystorelist = tmpkeystorelist;
 	/*
 	 * Create the built-in kasp policies ("default", "insecure").
 	 */
@@ -9585,6 +9614,15 @@ cleanup_kasplist:
 		dns_kasp_detach(&kasp);
 	}
+cleanup_keystorelist:
+	for (keystore = ISC_LIST_HEAD(keystorelist); keystore != NULL;
+	     keystore = keystore_next)
+	{
+		keystore_next = ISC_LIST_NEXT(keystore, link);
+		ISC_LIST_UNLINK(keystorelist, keystore, link);
+		dns_keystore_detach(&keystore);
+	}
 cleanup_v6portset:
 	isc_portset_destroy(named_g_mctx, &v6portset);
@@ -9849,6 +9887,7 @@ shutdown_server(void *arg) {
 	named_server_t *server = (named_server_t *)arg;
 	dns_view_t *view = NULL, *view_next = NULL;
 	dns_kasp_t *kasp = NULL, *kasp_next = NULL;
+	dns_keystore_t *keystore = NULL, *keystore_next = NULL;
 	bool flush = server->flushonshutdown;
 	named_cache_t *nsc = NULL;
@@ -9895,6 +9934,14 @@ shutdown_server(void *arg) {
 		dns_kasp_detach(&kasp);
 	}
+	for (keystore = ISC_LIST_HEAD(server->keystorelist); keystore != NULL;
+	     keystore = keystore_next)
+	{
+		keystore_next = ISC_LIST_NEXT(keystore, link);
+		ISC_LIST_UNLINK(server->keystorelist, keystore, link);
+		dns_keystore_detach(&keystore);
+	}
 	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
 	     view = view_next)
 	{
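Review bot: `&keystore));` on the last line of the cfg_keystore_fromconfig() call in the new key-store loop has one closing parenthesis too many, so the hunk does not compile as shown; it should read `&keystore);`. The error path is otherwise consistent: `goto cleanup_keystorelist` runs before the list swap, so only the partially built local `keystorelist` is released, while after the swap the same label releases the previous server list when the function falls through the cleanup labels. The swap is placed before the kasp policies are configured, presumably so that a kasp key's `keystore` name can be resolved against the new `server->keystorelist`; a comment above the swap such as `/* Install the new key stores before the kasp policies that reference them by name are built. */` would record that ordering dependency — confirm the lookup really happens there. load_configuration() starts and ends outside the hunk.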
@@ -10001,6 +10048,7 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
 	/* Initialize server data structures. */
 	ISC_LIST_INIT(server->kasplist);
+	ISC_LIST_INIT(server->keystorelist);
 	ISC_LIST_INIT(server->viewlist); /* Must be first. */
@@ -10109,6 +10157,7 @@ named_server_destroy(named_server_t **serverp) {
 	dst_lib_destroy();
 	INSIST(ISC_LIST_EMPTY(server->kasplist));
+	INSIST(ISC_LIST_EMPTY(server->keystorelist));
 	INSIST(ISC_LIST_EMPTY(server->viewlist));
 	INSIST(ISC_LIST_EMPTY(server->cachelist));
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index 9a32f586b2..92bf406c98 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -51,6 +51,7 @@ struct dns_kasp_key {
 	ISC_LINK(struct dns_kasp_key) link;
 	/* Configuration */
+	char *keystore;
 	uint32_t lifetime;
 	uint8_t algorithm;
 	int length;
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 639811bf4e..aa6637f594 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -385,21 +385,20 @@ dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key) {
 isc_result_t
 dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp) {
-	dns_kasp_key_t *key;
+	dns_kasp_key_t *key = NULL;
+	dns_kasp_key_t k = { .length = -1 };
 	REQUIRE(DNS_KASP_VALID(kasp));
 	REQUIRE(keyp != NULL && *keyp == NULL);
 	key = isc_mem_get(kasp->mctx, sizeof(*key));
+	*key = k;
+	key->mctx = NULL;
 	isc_mem_attach(kasp->mctx, &key->mctx);
 	ISC_LINK_INIT(key, link);
-	key->lifetime = 0;
-	key->algorithm = 0;
-	key->length = -1;
-	key->role = 0;
 	*keyp = key;
 	return (ISC_R_SUCCESS);
 }
@@ -408,6 +407,10 @@ void
 dns_kasp_key_destroy(dns_kasp_key_t *key) {
 	REQUIRE(key != NULL);
+	if (key->keystore != NULL) {
+		isc_mem_free(key->mctx, key->keystore);
+		key->keystore = NULL;
+	}
 	isc_mem_putanddetach(&key->mctx, key, sizeof(*key));
 }
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 2757209cdc..bb0aa46f0e 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
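Review bot: `key->mctx = NULL;` after `*key = k;` in dns_kasp_key_create() is redundant: `k` uses a designated initializer, so every member except `length` — `mctx`, `role`, and the new `keystore` pointer that dns_kasp_key_destroy() now tests — is already zero. Dropping that line and documenting the template, e.g. `/* Template: every field zero/NULL; length keeps its previous default of -1. */` above `dns_kasp_key_t k = { .length = -1 };`, would make the intent clearer. The added free in dns_kasp_key_destroy() uses the same `key->mctx` as the isc_mem_strdup() in kaspconf.c, so ownership of the name is consistent. The dns_kasp_key_create() hunk shows the whole function; dns_kasp_key_destroy() starts just outside its hunk.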
@@ -145,6 +145,12 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 		key->role |= DNS_KASP_KEY_ROLE_ZSK;
 	}
+	obj = cfg_tuple_get(config, "keystorage");
+	if (cfg_obj_isstring(obj)) {
+		key->keystore = isc_mem_strdup(key->mctx,
+					       cfg_obj_asstring(obj));
+	}
 	key->lifetime = 0; /* unlimited */
 	obj = cfg_tuple_get(config, "lifetime");
 	if (cfg_obj_isduration(obj)) {
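Review bot: The `keystorage` string is copied into `key->keystore` without checking that a `key-store` of that name exists; if that validation is not done by the caller, a typo in a policy would only surface when a key is generated, not at configuration load or named-checkconf time. Wherever the check lives, a comment after the strdup such as `/* Name only; existence is validated against the configured key-stores in [location of the lookup]. */` would point the reader to it. The tuple field is `"keystorage"` while the server-level statement in server.c is `"key-store"`; a short comment noting the deliberate difference would avoid confusion for the next maintainer. cfg_kaspkey_fromconfig() starts and ends outside the hunk.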