summaryrefslogtreecommitdiff
path: root/src/resolve/test-dnssec.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-01-04 20:38:21 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-04 22:42:10 +0100
commit0c8570287400ba57d3705a2f62dd26039121ea6f (patch)
tree55c02b67868d1777fec53bd476ce52d8e403d496 /src/resolve/test-dnssec.c
parent85aeaccc10b111e8d16d3879b7c30a219ee6e10a (diff)
resolved: partially implement RFC5011 Trust Anchor support
With this patch resolved will properly handle revoked keys, but not augment the locally configured trust anchor database with newly learned keys. Specifically, resolved now refuses validating RRsets with revoked keys, and it will remove revoked keys from the configured trust anchors (only until reboot). This patch does not add logic for adding new keys to the set of trust anchors. This is a deliberate decision as this only can work with persistent disk storage, and would result in a different update logic for stateful and stateless systems. Since we have to support stateless systems anyway, and don't want to encourage two independent upgrade paths we focus on upgrading the trust anchor database via the usual OS upgrade logic. Whenever a trust anchor entry is found revoked and removed from the trust anchor a recognizable log message is written, encouraging the user to update the trust anchor or update his operating system.
Diffstat (limited to 'src/resolve/test-dnssec.c')
-rw-r--r--src/resolve/test-dnssec.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/src/resolve/test-dnssec.c b/src/resolve/test-dnssec.c
index 6104d8b4c0..0c9efde1fe 100644
--- a/src/resolve/test-dnssec.c
+++ b/src/resolve/test-dnssec.c
@@ -107,10 +107,10 @@ static void test_dnssec_verify_rrset2(void) {
assert_se(dnskey->dnskey.key);
log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
- log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey));
+ log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
assert_se(dnssec_key_match_rrsig(nsec->key, rrsig) > 0);
- assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey) > 0);
+ assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
answer = dns_answer_new(1);
assert_se(answer);
@@ -186,10 +186,10 @@ static void test_dnssec_verify_rrset(void) {
assert_se(dnskey->dnskey.key);
log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
- log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey));
+ log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
- assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey) > 0);
+ assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
answer = dns_answer_new(1);
assert_se(answer);
@@ -268,10 +268,10 @@ static void test_dnssec_verify_dns_key(void) {
assert_se(dnskey->dnskey.key);
log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
- log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey));
+ log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
- assert_se(dnssec_verify_dnskey(dnskey, ds1) > 0);
- assert_se(dnssec_verify_dnskey(dnskey, ds2) > 0);
+ assert_se(dnssec_verify_dnskey(dnskey, ds1, false) > 0);
+ assert_se(dnssec_verify_dnskey(dnskey, ds2, false) > 0);
}
static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {