Check and set Security=TypeNSEC
When signing with Sign() only an unsecured or a TypeNSEC zone can be signed. An NSEC3 type zone must be signed with Sign3()
This commit is contained in:
parent
b4bec99970
commit
6a6367fa91
15
zone.go
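--- a/zone.go
+++ b/zone.go
@@ -7,6 +7,7 @@ package dns
 // A structure for handling zone data
 
 import (
+"errors"
 "math/rand"
 "runtime"
 "sort"
@@ -91,6 +92,7 @@ func newSignatureConfig() *SignatureConfig {
 var DefaultSignatureConfig = newSignatureConfig()
 
 // NewZone creates an initialized zone with Origin set to the lower cased origin.
+// The Security is set to TypeNone.
 func NewZone(origin string) *Zone {
 if origin == "" {
 origin = "."
@@ -370,8 +372,13 @@ func compareLabelsSlice(l1 []string, s2 string) (n int) {
 }
 
 // Sign (re)signs the zone z with the given keys.
-// NSECs and RRSIGs are added as needed.
-// The public keys themselves are not added to the zone.
+// NSECs and RRSIGs are added as needed. The zone's Security must be TypeNone
+// or TypeNSEC.
+// After the signing the Security is set to TypeNSEC. Signing an NSEC3
+// zone with this function will lead to undesirable results, i.e. a zone with NSEC and
+// NSEC3 records in it.
+//
+// The public keys are not added to the zone.
 // If config is nil DefaultSignatureConfig is used. The signatureConfig
 // describes how the zone must be signed and if the SEP flag (for KSK)
 // should be honored. If signatures approach their expriration time, they
@@ -389,6 +396,9 @@ func (z *Zone) Sign(keys map[*DNSKEY]PrivateKey, config *SignatureConfig) error
 z.Lock()
 z.ModTime = time.Now().UTC()
 defer z.Unlock()
+if z.Security != TypeNone || z.Security != TypeNSEC {
+return errors.New("dns: bad authenticated denial of existence type")
+}
 if config == nil {
 config = DefaultSignatureConfig
 }
@@ -429,6 +439,7 @@ Sign:
 return err
 }
 wg.Wait()
+z.Security = TypeNSEC
 return nil
 }
 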
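Review bot: The guard added in the Sign hunk (`@@ -389,6 +396,9 @@`) is always true, because `z.Security != TypeNone || z.Security != TypeNSEC` holds for every value — no Security can be equal to both — so Sign() now refuses every zone, including the unsecured and TypeNSEC zones the new doc comment says it accepts. The condition needs `&&`: `if z.Security != TypeNone && z.Security != TypeNSEC {`. Since this check is what is meant to keep a zone from ending up with both NSEC and NSEC3 records, it is worth a test that signs a fresh NewZone (TypeNone) and a TypeNSEC zone successfully and asserts an NSEC3 zone is rejected, so the mixed-record outcome the comment warns about cannot silently return. Sign's body starts before this hunk and ends in the last hunk (`@@ -429,6 +439,7 @@`), so most of the function is outside the diff.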