[ldns-users] patch for feature, and a bug report :)

Paul Wouters paul at nohats.ca
Mon May 28 03:44:54 UTC 2012


Hi,

The attached patch adds the -0 option to ldns-read-zone:

This will change an RRSIG line from:

ns2.nohats.ca.	3600	IN	RRSIG	AAAA 8 3 3600 20120606031026 
20120522162451 22195 nohats.ca. r9P+6mryYDK35ZtgGUiWsFaLbPq3d2tNs0hybSD 
iP+f+hrYEchMZuDOTAIm/dypbva0Qw7bJze1yHiwUWTIGPptOx0tkT7kHVIB1wGQjjWoL/ptWDO9zu6lvPCjtbU1RebfcNMjdrN29fV2LGd65dDPjTvDrx2gW4zfzJbH1+CE=

into:

ns2.nohats.ca.	3600	IN	RRSIG	A 8 3 3600 (null)  (null)  22195 
nohats.ca. (null)

This way, you can do some zone comparison between two different signer
systems that use the same keys, but would have different RRSIG output
due to different inception/expiry times as a result of jitter or a
slightly different signing time.


Now for the bug, when looking through the ldns-read-zone code, I
noticed:

           case LDNS_RR_TYPE_RRSIG:
               if ((fmt->flags & LDNS_COMMENT_KEY)
                               && (fmt->flags
                                      & LDNS_COMMENT_RRSIGS)
                               && ldns_rr_rdf(rr, 6) != NULL) { ...}
          case LDNS_RR_TYPE_DS:
              if ((fmt->flags & LDNS_COMMENT_BUBBLEBABBLE)

However, I only see a way to set LDNS_COMMENT_BUBBLEBABBLE using "-b". I
am not sure how one would set LDNS_COMMENT_KEY or LDNS_COMMENT_RRSIGS?
In fact, grepping through the source, it seems that no one ever sets
these, so the code is effectively never called.

Paul
diff -Naur ldns-1.6.13-orig/examples/ldns-read-zone.1 ldns-1.6.13/examples/ldns-read-zone.1
--- ldns-1.6.13-orig/examples/ldns-read-zone.1	2012-01-17 06:18:30.000000000 -0500
+++ ldns-1.6.13/examples/ldns-read-zone.1	2012-05-27 22:46:18.145827465 -0400
@@ -22,6 +22,12 @@
 printed.
 
 .TP
+\fB-0\fR
+Print a (null) for the RRSIG inception, expiry and key data. This option
+can be used when comparing different signing systems that use the same
+DNSKEYs for signing but would have a slightly different timings/jitter.
+
+.TP
 \fB-h\fR
 Show usage and exit
 
diff -Naur ldns-1.6.13-orig/examples/ldns-read-zone.c ldns-1.6.13/examples/ldns-read-zone.c
--- ldns-1.6.13-orig/examples/ldns-read-zone.c	2012-01-06 04:57:03.000000000 -0500
+++ ldns-1.6.13/examples/ldns-read-zone.c	2012-05-27 22:42:44.984403758 -0400
@@ -37,10 +37,12 @@
 	ldns_soa_serial_increment_func_t soa_serial_increment_func = NULL;
 	int soa_serial_increment_func_data = 0;
 
-        while ((c = getopt(argc, argv, "bcdhnsvzS:")) != -1) {
+        while ((c = getopt(argc, argv, "0bcdhnsvzS:")) != -1) {
                 switch(c) {
 			case 'b':
 				fmt = ldns_output_format_bubblebabble;
+			case '0':
+				fmt = ldns_output_format_zeroize;
                 	case 'c':
                 		canonicalize = true;
                 		break;
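Review bot: The new `case '0':` at the end of this hunk has no `break`, so it falls straight into `case 'c':` and switches on canonicalize; worse, the pre-existing fall-through from `case 'b':` now passes through `'0'` first, so `-b` silently ends up with `fmt = ldns_output_format_zeroize` instead of the bubblebabble format. Add `break;` after the new assignment, and close the older fall-through the same way: `fmt = ldns_output_format_zeroize;` followed by `break;` (and `break;` after the `'b'` assignment). The enclosing function starts and ends outside this hunk.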
@@ -55,6 +57,7 @@
 				printf("\tReads the zonefile and prints it.\n");
 				printf("\tThe RR count of the zone is printed to stderr.\n");
 				printf("\t-b include bubblebabble of DS's.\n");
+				printf("\t-0 zeroize timestamps and signature in RRSIG records.\n");
 				printf("\t-c canonicalize all rrs in the zone.\n");
 				printf("\t-d only show DNSSEC data from the zone\n");
 				printf("\t-h show this text\n");
diff -Naur ldns-1.6.13-orig/host2str.c ldns-1.6.13/host2str.c
--- ldns-1.6.13-orig/host2str.c	2012-05-16 03:43:08.000000000 -0400
+++ ldns-1.6.13/host2str.c	2012-05-27 22:42:44.985403770 -0400
@@ -123,12 +123,19 @@
 			= &ldns_output_format_onlykeyids_record;
 const ldns_output_format  *ldns_output_format_default
 			= &ldns_output_format_onlykeyids_record;
+
 const ldns_output_format   ldns_output_format_bubblebabble_record = { 
 	LDNS_COMMENT_KEY | LDNS_COMMENT_BUBBLEBABBLE | LDNS_COMMENT_FLAGS, NULL
 };
 const ldns_output_format  *ldns_output_format_bubblebabble 
 			= &ldns_output_format_bubblebabble_record;
 
+const ldns_output_format   ldns_output_format_zeroize_record = { 
+	LDNS_COMMENT_KEY | LDNS_RRSIGS_ZEROIZE | LDNS_COMMENT_FLAGS, NULL
+};
+const ldns_output_format  *ldns_output_format_zeroize 
+			= &ldns_output_format_zeroize_record;
+
 ldns_status
 ldns_pkt_opcode2buffer_str(ldns_buffer *output, ldns_pkt_opcode opcode)
 {
@@ -1230,6 +1237,12 @@
 
 	for (i = 0; i < ldns_rr_rd_count(rr); i++) {
 		/* ldns_rdf2buffer_str handles NULL input fine! */
+		if ((LDNS_RRSIGS_ZEROIZE & fmt->flags) && (ldns_rr_get_type(rr) == LDNS_RR_TYPE_RRSIG)) {
+			/* zeroize start(5), end(6) and signature(9) */
+			ldns_rr_rrsig_set_expiration(rr,0);
+			ldns_rr_rrsig_set_inception(rr,0);
+			ldns_rr_rrsig_set_sig(rr,0);
+		}
 		status = ldns_rdf2buffer_str(output, ldns_rr_rdf(rr, i));
 		if(status != LDNS_STATUS_OK)
 			return status;
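Review bot: The zeroize branch mutates the record it is printing — `ldns_rr_rrsig_set_expiration(rr,0)` and the two setters beside it replace the rdfs with NULL — so printing an RRSIG with -0 destroys its expiration, inception and signature in memory, the replaced rdfs are never freed, and because the check sits inside the rdf loop the setters run once per field rather than once per record; if `rr` is `const` in this function, as the other ldns to-string routines suggest, this also discards the qualifier. Any later use of the same RR in the caller (a second write, a verification pass) then sees a signature-less record, which is the opposite of what a read-only output format should do. Decide once before the loop which rdfs to hide and hand NULL to `ldns_rdf2buffer_str` for those positions instead; that yields the same "(null)" output without touching the RR. The comment's field numbers (5, 6, 9) also look inconsistent with the keytag-at-6 check quoted earlier in this mail, so compare against the rrsig accessors rather than hard-coding indices. The enclosing function begins before and ends after this hunk.
```c
	/* -0: print expiration, inception and signature as "(null)" without
	 * modifying the record; decided once per RR, not once per rdf */
	const ldns_rdf *hide_exp = NULL, *hide_inc = NULL, *hide_sig = NULL;
	if ((fmt->flags & LDNS_RRSIGS_ZEROIZE)
	    && ldns_rr_get_type(rr) == LDNS_RR_TYPE_RRSIG) {
		hide_exp = ldns_rr_rrsig_expiration(rr);
		hide_inc = ldns_rr_rrsig_inception(rr);
		hide_sig = ldns_rr_rrsig_sig(rr);
	}

	for (i = 0; i < ldns_rr_rd_count(rr); i++) {
		const ldns_rdf *rdf = ldns_rr_rdf(rr, i);
		if (rdf != NULL
		    && (rdf == hide_exp || rdf == hide_inc || rdf == hide_sig)) {
			rdf = NULL;
		}
		/* ldns_rdf2buffer_str handles NULL input fine! */
		status = ldns_rdf2buffer_str(output, rdf);
		/* … unchanged: status check and the rest of the loop … */
```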
diff -Naur ldns-1.6.13-orig/ldns/host2str.h ldns-1.6.13/ldns/host2str.h
--- ldns-1.6.13-orig/ldns/host2str.h	2011-09-22 06:36:55.000000000 -0400
+++ ldns-1.6.13/ldns/host2str.h	2012-05-27 22:42:44.988403806 -0400
@@ -64,6 +64,7 @@
 #define LDNS_COMMENT_LAYOUT		0x0080
 /** Also comment KEY_ID with RRSIGS **/
 #define LDNS_COMMENT_RRSIGS		0x0100
+#define LDNS_RRSIGS_ZEROIZE		0x0200
 
 /**
  * Output format specifier
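Review bot: The new `LDNS_RRSIGS_ZEROIZE` define carries no doc comment, while every neighbouring flag (e.g. `LDNS_COMMENT_RRSIGS` directly above it) is introduced by a `/** … **/` line; add something like `/** Print RRSIG expiration, inception and signature as (null) instead of their values **/` above it. The `ldns_output_format_zeroize` extern added in the next hunk of this file has the same gap: it sits under the bubblebabble comment block and should get its own `/** … */` block describing the -0 format. Since the flag is OR-ed into the same flags word as the LDNS_COMMENT_* bits, the naming departure is also worth a deliberate choice rather than an accident.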
@@ -104,6 +105,7 @@
  * bubblebabble representation of DS RR's.
  */
 extern const ldns_output_format *ldns_output_format_bubblebabble;
+extern const ldns_output_format *ldns_output_format_zeroize;
 
 /**
  * Converts an ldns packet opcode value to its mnemonic, and adds that

