1 #include <ldns/config.h>
5 #include <ldns/dnssec.h>
6 #include <ldns/dnssec_sign.h>
12 /* this entire file is rather useless when you don't have
15 #include <openssl/ssl.h>
16 #include <openssl/evp.h>
17 #include <openssl/rand.h>
18 #include <openssl/err.h>
19 #include <openssl/md5.h>
20 #include <openssl/bn.h>
21 #include <openssl/rsa.h>
23 #include <openssl/dsa.h>
27 #define LDNS_SIGN_WITH_ZONEMD ( LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 \
28 | LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 )
31 ldns_create_empty_rrsig(const ldns_rr_list *rrset,
32 const ldns_key *current_key)
35 ldns_rr_class orig_class;
41 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset,
43 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */
44 if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0))))
47 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
49 /* set the type on the new signature */
50 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
51 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
53 ldns_rr_set_ttl(current_sig, orig_ttl);
54 ldns_rr_set_class(current_sig, orig_class);
55 ldns_rr_set_owner(current_sig,
58 ldns_rr_list_rr(rrset,
61 /* fill in what we know of the signature */
63 /* set the orig_ttl */
64 (void)ldns_rr_rrsig_set_origttl(
66 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
68 /* the signers name */
69 signame = ldns_rdf_clone(ldns_key_pubkey_owner(current_key));
70 ldns_dname2canonical(signame);
71 (void)ldns_rr_rrsig_set_signame(
74 /* label count - get it from the first rr in the rr_list */
75 (void)ldns_rr_rrsig_set_labels(
77 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
79 /* inception, expiration */
81 if (ldns_key_inception(current_key) != 0) {
82 (void)ldns_rr_rrsig_set_inception(
84 ldns_native2rdf_int32(
86 ldns_key_inception(current_key)));
88 (void)ldns_rr_rrsig_set_inception(
90 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
92 if (ldns_key_expiration(current_key) != 0) {
93 (void)ldns_rr_rrsig_set_expiration(
95 ldns_native2rdf_int32(
97 ldns_key_expiration(current_key)));
99 (void)ldns_rr_rrsig_set_expiration(
101 ldns_native2rdf_int32(
103 now + LDNS_DEFAULT_EXP_TIME));
106 (void)ldns_rr_rrsig_set_keytag(
108 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
109 ldns_key_keytag(current_key)));
111 (void)ldns_rr_rrsig_set_algorithm(
113 ldns_native2rdf_int8(
115 ldns_key_algorithm(current_key)));
117 (void)ldns_rr_rrsig_set_typecovered(
119 ldns_native2rdf_int16(
121 ldns_rr_get_type(ldns_rr_list_rr(rrset,
128 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
130 ldns_rdf *b64rdf = NULL;
132 switch(ldns_key_algorithm(current_key)) {
135 case LDNS_SIGN_DSA_NSEC3:
136 b64rdf = ldns_sign_public_evp(
138 ldns_key_evp_key(current_key),
139 # ifdef HAVE_EVP_DSS1
147 case LDNS_SIGN_RSASHA1:
148 case LDNS_SIGN_RSASHA1_NSEC3:
149 b64rdf = ldns_sign_public_evp(
151 ldns_key_evp_key(current_key),
155 case LDNS_SIGN_RSASHA256:
156 b64rdf = ldns_sign_public_evp(
158 ldns_key_evp_key(current_key),
161 case LDNS_SIGN_RSASHA512:
162 b64rdf = ldns_sign_public_evp(
164 ldns_key_evp_key(current_key),
167 #endif /* USE_SHA2 */
169 case LDNS_SIGN_ECC_GOST:
170 b64rdf = ldns_sign_public_evp(
172 ldns_key_evp_key(current_key),
173 EVP_get_digestbyname("md_gost94"));
175 #endif /* USE_GOST */
177 case LDNS_SIGN_ECDSAP256SHA256:
178 b64rdf = ldns_sign_public_evp(
180 ldns_key_evp_key(current_key),
183 case LDNS_SIGN_ECDSAP384SHA384:
184 b64rdf = ldns_sign_public_evp(
186 ldns_key_evp_key(current_key),
191 case LDNS_SIGN_ED25519:
192 b64rdf = ldns_sign_public_evp(
194 ldns_key_evp_key(current_key),
199 case LDNS_SIGN_ED448:
200 b64rdf = ldns_sign_public_evp(
202 ldns_key_evp_key(current_key),
206 case LDNS_SIGN_RSAMD5:
207 b64rdf = ldns_sign_public_evp(
209 ldns_key_evp_key(current_key),
213 /* do _you_ know this alg? */
214 printf("unknown algorithm, ");
215 printf("is the one used available on this system?\n");
223 * use this function to sign with a public/private key alg
224 * return the created signatures
227 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
229 ldns_rr_list *signatures;
230 ldns_rr_list *rrset_clone;
231 ldns_rr *current_sig;
233 ldns_key *current_key;
236 ldns_buffer *sign_buf;
239 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
245 /* prepare a signature and add all the know data
246 * prepare the rrset. Sign this together. */
247 rrset_clone = ldns_rr_list_clone(rrset);
252 /* make it canonical */
253 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
254 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i),
255 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)));
256 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
259 ldns_rr_list_sort(rrset_clone);
261 signatures = ldns_rr_list_new();
264 key_count < ldns_key_list_key_count(keys);
266 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
269 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
271 ldns_rr_list_free(rrset_clone);
272 ldns_rr_list_free(signatures);
273 ldns_rdf_free(new_owner);
278 current_key = ldns_key_list_key(keys, key_count);
279 /* sign all RRs with keys that have ZSKbit, !SEPbit.
280 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
281 if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) {
282 current_sig = ldns_create_empty_rrsig(rrset_clone,
285 /* right now, we have: a key, a semi-sig and an rrset. For
286 * which we can create the sig and base64 encode that and
287 * add that to the signature */
289 if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
291 ldns_buffer_free(sign_buf);
293 ldns_rr_list_deep_free(rrset_clone);
294 ldns_rr_free(current_sig);
295 ldns_rr_list_deep_free(signatures);
299 /* add the rrset in sign_buf */
300 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
302 ldns_buffer_free(sign_buf);
303 ldns_rr_list_deep_free(rrset_clone);
304 ldns_rr_free(current_sig);
305 ldns_rr_list_deep_free(signatures);
309 b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
312 /* signing went wrong */
313 ldns_rr_list_deep_free(rrset_clone);
314 ldns_rr_free(current_sig);
315 ldns_rr_list_deep_free(signatures);
319 ldns_rr_rrsig_set_sig(current_sig, b64rdf);
321 /* push the signature to the signatures list */
322 ldns_rr_list_push_rr(signatures, current_sig);
324 ldns_buffer_free(sign_buf); /* restart for the next key */
326 ldns_rr_list_deep_free(rrset_clone);
332 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
335 unsigned char *sha1_hash;
336 ldns_rdf *sigdata_rdf;
344 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
349 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
350 ldns_buffer_position(to_sign), NULL);
352 ldns_buffer_free(b64sig);
356 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key);
358 ldns_buffer_free(b64sig);
362 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH);
364 ldns_buffer_free(b64sig);
370 # ifdef HAVE_DSA_SIG_GET0
371 DSA_SIG_get0(sig, &R, &S);
376 pad = 20 - (size_t) BN_num_bytes(R);
378 memset(data + 1, 0, pad);
380 BN_bn2bin(R, (unsigned char *) (data + 1) + pad);
382 pad = 20 - (size_t) BN_num_bytes(S);
384 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
386 BN_bn2bin(S, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
388 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
389 1 + 2 * SHA_DIGEST_LENGTH,
392 ldns_buffer_free(b64sig);
398 (void)to_sign; (void)key;
405 /** returns the number of bytes per signature-component (i.e. bits/8), or 0. */
407 ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
411 #ifdef HAVE_EVP_PKEY_GET_BASE_ID
412 if(EVP_PKEY_get_base_id(pkey) != EVP_PKEY_EC)
414 #elif defined(HAVE_EVP_PKEY_BASE_ID)
415 if(EVP_PKEY_base_id(pkey) != EVP_PKEY_EC)
418 if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC)
421 ec = EVP_PKEY_get1_EC_KEY(pkey);
422 g = EC_KEY_get0_group(ec);
427 if(EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1) {
429 return 32; /* 256/8 */
431 if(EC_GROUP_get_curve_name(g) == NID_secp384r1) {
433 return 48; /* 384/8 */
435 /* downref the eckey, the original is still inside the pkey */
440 #endif /* USE_ECDSA */
443 ldns_sign_public_evp(ldns_buffer *to_sign,
445 const EVP_MD *digest_type)
448 ldns_rdf *sigdata_rdf = NULL;
451 const EVP_MD *md_type;
455 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
460 /* initializes a signing context */
461 md_type = digest_type;
463 if(EVP_PKEY_id(key) == NID_ED25519) {
464 /* digest must be NULL for ED25519 sign and verify */
469 if(EVP_PKEY_id(key) == NID_ED448) {
474 /* unknown message digest */
475 ldns_buffer_free(b64sig);
479 #ifdef HAVE_EVP_MD_CTX_NEW
480 ctx = EVP_MD_CTX_new();
482 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
483 if(ctx) EVP_MD_CTX_init(ctx);
486 ldns_buffer_free(b64sig);
490 #if defined(USE_ED25519) || defined(USE_ED448)
491 if(md_type == NULL) {
492 /* for these methods we must use the one-shot DigestSign */
493 r = EVP_DigestSignInit(ctx, NULL, md_type, NULL, key);
495 size_t siglen_sizet = ldns_buffer_capacity(b64sig);
496 r = EVP_DigestSign(ctx,
497 (unsigned char*)ldns_buffer_begin(b64sig),
499 (unsigned char*)ldns_buffer_begin(to_sign),
500 ldns_buffer_position(to_sign));
501 siglen = (unsigned int)siglen_sizet;
506 if(md_type != NULL) {
508 r = EVP_SignInit(ctx, md_type);
510 r = EVP_SignUpdate(ctx, (unsigned char*)
511 ldns_buffer_begin(to_sign),
512 ldns_buffer_position(to_sign));
515 r = EVP_SignFinal(ctx, (unsigned char*)
516 ldns_buffer_begin(b64sig), &siglen, key);
520 ldns_buffer_free(b64sig);
521 EVP_MD_CTX_destroy(ctx);
525 /* OpenSSL output is different, convert it */
529 /* unfortunately, OpenSSL output is different from DNS DSA format */
530 # ifdef HAVE_EVP_PKEY_GET_BASE_ID
531 if (EVP_PKEY_get_base_id(key) == EVP_PKEY_DSA) {
532 # elif defined(HAVE_EVP_PKEY_BASE_ID)
533 if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) {
535 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
538 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
542 #if defined(USE_ECDSA)
544 # ifdef HAVE_EVP_PKEY_GET_BASE_ID
545 EVP_PKEY_get_base_id(key)
546 # elif defined(HAVE_EVP_PKEY_BASE_ID)
547 EVP_PKEY_base_id(key)
549 EVP_PKEY_type(key->type)
553 if(ldns_pkey_is_ecdsa(key)) {
555 sigdata_rdf = ldns_convert_ecdsa_rrsig_asn1len2rdf(
556 b64sig, (long)siglen, ldns_pkey_is_ecdsa(key));
558 # endif /* USE_ECDSA */
562 /* ok output for other types is the same */
563 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
564 ldns_buffer_begin(b64sig));
566 ldns_buffer_free(b64sig);
567 EVP_MD_CTX_destroy(ctx);
572 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
574 unsigned char *sha1_hash;
576 ldns_rdf *sigdata_rdf;
581 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
586 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
587 ldns_buffer_position(to_sign), NULL);
589 ldns_buffer_free(b64sig);
593 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH,
594 (unsigned char*)ldns_buffer_begin(b64sig),
597 ldns_buffer_free(b64sig);
601 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
602 ldns_buffer_begin(b64sig));
603 ldns_buffer_free(b64sig); /* can't free this buffer ?? */
608 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
610 unsigned char *md5_hash;
612 ldns_rdf *sigdata_rdf;
615 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
620 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign),
621 ldns_buffer_position(to_sign), NULL);
623 ldns_buffer_free(b64sig);
627 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH,
628 (unsigned char*)ldns_buffer_begin(b64sig),
631 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
632 ldns_buffer_begin(b64sig));
633 ldns_buffer_free(b64sig);
636 #endif /* HAVE_SSL */
639 * Pushes all rrs from the rrsets of type A and AAAA on gluelist.
642 ldns_dnssec_addresses_on_glue_list(
643 ldns_dnssec_rrsets *cur_rrset,
644 ldns_rr_list *glue_list)
646 ldns_dnssec_rrs *cur_rrs;
648 if (cur_rrset->type == LDNS_RR_TYPE_A
649 || cur_rrset->type == LDNS_RR_TYPE_AAAA) {
650 for (cur_rrs = cur_rrset->rrs;
652 cur_rrs = cur_rrs->next) {
654 if (!ldns_rr_list_push_rr(glue_list,
656 return LDNS_STATUS_MEM_ERR;
657 /* ldns_rr_list_push_rr()
658 * returns false when unable
659 * to increase the capacity
660 * of the ldns_rr_list
666 cur_rrset = cur_rrset->next;
668 return LDNS_STATUS_OK;
672 ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone,
673 ldns_rr_list *glue_list)
676 ldns_dnssec_name *name;
678 ldns_rdf *cut = NULL; /* keeps track of zone cuts */
679 /* When the cut is caused by a delegation, below_delegation will be 1.
680 * When caused by a DNAME, below_delegation will be 0.
682 int below_delegation = -1; /* init suppresses compiler warning */
685 if (!zone || !zone->names) {
686 return LDNS_STATUS_NULL;
688 for (node = ldns_rbtree_first(zone->names);
689 node != LDNS_RBTREE_NULL;
690 node = ldns_rbtree_next(node)) {
691 name = (ldns_dnssec_name *) node->data;
692 owner = ldns_dnssec_name_name(name);
695 /* The previous node was a zone cut, or a subdomain
696 * below a zone cut. Is this node (still) a subdomain
697 * below the cut? Then the name is occluded. Unless
698 * the name contains a SOA, after which we are
699 * authoritative again.
701 * FIXME! If there are labels in between the SOA and
702 * the cut, going from the authoritative space (below
703 * the SOA) up into occluded space again, will not be
704 * detected with the construct below!
706 if (ldns_dname_is_subdomain(owner, cut) &&
707 !ldns_dnssec_rrsets_contains_type(
708 name->rrsets, LDNS_RR_TYPE_SOA)) {
710 if (below_delegation && glue_list) {
711 s = ldns_dnssec_addresses_on_glue_list(
712 name->rrsets, glue_list);
713 if (s != LDNS_STATUS_OK) {
717 name->is_glue = true; /* Mark occluded name! */
724 /* The node is not below a zone cut. Is it a zone cut itself?
725 * Everything below a SOA is authoritative of course; Except
726 * when the name also contains a DNAME :).
728 if (ldns_dnssec_rrsets_contains_type(
729 name->rrsets, LDNS_RR_TYPE_NS)
730 && !ldns_dnssec_rrsets_contains_type(
731 name->rrsets, LDNS_RR_TYPE_SOA)) {
733 below_delegation = 1;
734 if (glue_list) { /* record glue on the zone cut */
735 s = ldns_dnssec_addresses_on_glue_list(
736 name->rrsets, glue_list);
737 if (s != LDNS_STATUS_OK) {
741 } else if (ldns_dnssec_rrsets_contains_type(
742 name->rrsets, LDNS_RR_TYPE_DNAME)) {
744 below_delegation = 0;
747 return LDNS_STATUS_OK;
751 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
753 return ldns_dnssec_zone_mark_and_get_glue(zone, NULL);
757 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node)
759 ldns_rbnode_t *next_node = NULL;
760 ldns_dnssec_name *next_name = NULL;
763 if (node == LDNS_RBTREE_NULL) {
768 if (next_node == LDNS_RBTREE_NULL) {
771 next_name = (ldns_dnssec_name *)next_node->data;
772 if (!next_name->is_glue) {
775 next_node = ldns_rbtree_next(next_node);
783 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
784 ldns_rr_list *new_rrs)
787 ldns_rbnode_t *first_node, *cur_node, *next_node;
788 ldns_dnssec_name *cur_name, *next_name;
791 ldns_dnssec_rrsets *soa;
793 /* The TTL value for any NSEC RR SHOULD be the same TTL value as the
794 * lesser of the MINIMUM field of the SOA record and the TTL of the SOA
795 * itself. This matches the definition of the TTL for negative
796 * responses in [RFC2308]. (draft-ietf-dnsop-nsec-ttl-01 update of
797 * RFC4035 Section 2.3)
799 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
801 /* did the caller actually set it? if not,
802 * fall back to default ttl
804 if (soa && soa->rrs && soa->rrs->rr) {
805 ldns_rr *soa_rr = soa->rrs->rr;
806 ldns_rdf *min_rdf = ldns_rr_rdf(soa_rr, 6);
808 nsec_ttl = min_rdf == NULL
809 || ldns_rr_ttl(soa_rr) < ldns_rdf2native_int32(min_rdf)
810 ? ldns_rr_ttl(soa_rr) : ldns_rdf2native_int32(min_rdf);
812 nsec_ttl = LDNS_DEFAULT_TTL;
815 first_node = ldns_dnssec_name_node_next_nonglue(
816 ldns_rbtree_first(zone->names));
817 cur_node = first_node;
819 next_node = ldns_dnssec_name_node_next_nonglue(
820 ldns_rbtree_next(cur_node));
825 while (cur_node && next_node) {
826 cur_name = (ldns_dnssec_name *)cur_node->data;
827 next_name = (ldns_dnssec_name *)next_node->data;
828 nsec_rr = ldns_dnssec_create_nsec(cur_name,
831 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
832 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
833 ldns_rr_free(nsec_rr);
834 return LDNS_STATUS_ERR;
836 ldns_rr_list_push_rr(new_rrs, nsec_rr);
837 cur_node = next_node;
839 next_node = ldns_dnssec_name_node_next_nonglue(
840 ldns_rbtree_next(cur_node));
844 if (cur_node && !next_node) {
845 cur_name = (ldns_dnssec_name *)cur_node->data;
846 next_name = (ldns_dnssec_name *)first_node->data;
847 nsec_rr = ldns_dnssec_create_nsec(cur_name,
850 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
851 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
852 ldns_rr_free(nsec_rr);
853 return LDNS_STATUS_ERR;
855 ldns_rr_list_push_rr(new_rrs, nsec_rr);
860 return LDNS_STATUS_OK;
865 ldns_hashed_names_node_free(ldns_rbnode_t *node, void *arg) {
871 ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone,
872 ldns_rr_list *new_rrs,
880 ldns_rbnode_t *first_name_node;
881 ldns_rbnode_t *current_name_node;
882 ldns_dnssec_name *current_name;
883 ldns_status result = LDNS_STATUS_OK;
885 ldns_rr_list *nsec3_list;
887 ldns_dnssec_rrsets *soa;
888 ldns_rbnode_t *hashmap_node;
890 if (!zone || !new_rrs || !zone->names) {
891 return LDNS_STATUS_ERR;
894 /* The TTL value for any NSEC RR SHOULD be the same TTL value as the
895 * lesser of the MINIMUM field of the SOA record and the TTL of the SOA
896 * itself. This matches the definition of the TTL for negative
897 * responses in [RFC2308]. (draft-ietf-dnsop-nsec-ttl-01 update of
898 * RFC4035 Section 2.3)
900 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
902 /* did the caller actually set it? if not,
903 * fall back to default ttl
905 if (soa && soa->rrs && soa->rrs->rr) {
906 ldns_rr *soa_rr = soa->rrs->rr;
907 ldns_rdf *min_rdf = ldns_rr_rdf(soa_rr, 6);
909 nsec_ttl = min_rdf == NULL
910 || ldns_rr_ttl(soa_rr) < ldns_rdf2native_int32(min_rdf)
911 ? ldns_rr_ttl(soa_rr) : ldns_rdf2native_int32(min_rdf);
913 nsec_ttl = LDNS_DEFAULT_TTL;
916 if (ldns_rdf_size(zone->soa->name) > 222) {
917 return LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW;
920 if (zone->hashed_names) {
921 ldns_traverse_postorder(zone->hashed_names,
922 ldns_hashed_names_node_free, NULL);
923 LDNS_FREE(zone->hashed_names);
925 zone->hashed_names = ldns_rbtree_create(ldns_dname_compare_v);
926 if (zone->hashed_names && map) {
927 *map = zone->hashed_names;
930 first_name_node = ldns_dnssec_name_node_next_nonglue(
931 ldns_rbtree_first(zone->names));
933 current_name_node = first_name_node;
935 while (current_name_node && current_name_node != LDNS_RBTREE_NULL &&
936 result == LDNS_STATUS_OK) {
938 current_name = (ldns_dnssec_name *) current_name_node->data;
939 nsec_rr = ldns_dnssec_create_nsec3(current_name,
947 /* by default, our nsec based generator adds rrsigs
948 * remove the bitmap for empty nonterminals */
949 if (!current_name->rrsets) {
950 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr));
952 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
953 result = ldns_dnssec_name_add_rr(current_name, nsec_rr);
954 ldns_rr_list_push_rr(new_rrs, nsec_rr);
955 if (ldns_rr_owner(nsec_rr)) {
956 hashmap_node = LDNS_MALLOC(ldns_rbnode_t);
957 if (hashmap_node == NULL) {
958 return LDNS_STATUS_MEM_ERR;
960 current_name->hashed_name =
961 ldns_dname_label(ldns_rr_owner(nsec_rr), 0);
963 if (current_name->hashed_name == NULL) {
964 LDNS_FREE(hashmap_node);
965 return LDNS_STATUS_MEM_ERR;
967 hashmap_node->key = current_name->hashed_name;
968 hashmap_node->data = current_name;
970 if (! ldns_rbtree_insert(zone->hashed_names
972 LDNS_FREE(hashmap_node);
975 current_name_node = ldns_dnssec_name_node_next_nonglue(
976 ldns_rbtree_next(current_name_node));
978 if (result != LDNS_STATUS_OK) {
982 /* Make sorted list of nsec3s (via zone->hashed_names)
984 nsec3_list = ldns_rr_list_new();
985 if (nsec3_list == NULL) {
986 return LDNS_STATUS_MEM_ERR;
988 for ( hashmap_node = ldns_rbtree_first(zone->hashed_names)
989 ; hashmap_node != LDNS_RBTREE_NULL
990 ; hashmap_node = ldns_rbtree_next(hashmap_node)
992 nsec_rr = ((ldns_dnssec_name *) hashmap_node->data)->nsec;
994 ldns_rr_list_push_rr(nsec3_list, nsec_rr);
997 result = ldns_dnssec_chain_nsec3_list(nsec3_list);
998 ldns_rr_list_free(nsec3_list);
1004 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
1005 ldns_rr_list *new_rrs,
1008 uint16_t iterations,
1009 uint8_t salt_length,
1012 return ldns_dnssec_zone_create_nsec3s_mkmap(zone, new_rrs, algorithm,
1013 flags, iterations, salt_length, salt, NULL);
1016 #endif /* HAVE_SSL */
1019 ldns_dnssec_remove_signatures( ldns_dnssec_rrs *signatures
1020 , ATTR_UNUSED(ldns_key_list *key_list)
1021 , int (*func)(ldns_rr *, void *)
1025 ldns_dnssec_rrs *base_rrs = signatures;
1026 ldns_dnssec_rrs *cur_rr = base_rrs;
1027 ldns_dnssec_rrs *prev_rr = NULL;
1028 ldns_dnssec_rrs *next_rr;
1034 switch(func(NULL, arg)) {
1035 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
1036 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
1038 case LDNS_SIGNATURE_LEAVE_NO_ADD:
1039 case LDNS_SIGNATURE_REMOVE_NO_ADD:
1040 ldns_key_list_set_use(key_list, false);
1044 fprintf(stderr, "[XX] unknown return value from callback\n");
1050 (void)func(cur_rr->rr, arg);
1053 next_rr = cur_rr->next;
1055 switch (func(cur_rr->rr, arg)) {
1056 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
1059 case LDNS_SIGNATURE_LEAVE_NO_ADD:
1060 keytag = ldns_rdf2native_int16(
1061 ldns_rr_rrsig_keytag(cur_rr->rr));
1062 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1063 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
1065 ldns_key_set_use(ldns_key_list_key(key_list, i),
1071 case LDNS_SIGNATURE_REMOVE_NO_ADD:
1072 keytag = ldns_rdf2native_int16(
1073 ldns_rr_rrsig_keytag(cur_rr->rr));
1074 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1075 if (ldns_key_keytag(ldns_key_list_key(key_list, i))
1077 ldns_key_set_use(ldns_key_list_key(key_list, i),
1082 prev_rr->next = next_rr;
1088 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
1090 prev_rr->next = next_rr;
1098 fprintf(stderr, "[XX] unknown return value from callback\n");
1110 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
1111 ldns_rr_list *new_rrs,
1112 ldns_key_list *key_list,
1113 int (*func)(ldns_rr *, void*),
1116 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list,
1120 /** If there are KSKs use only them and mark ZSKs unused */
1122 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
1129 ldns_signing_algorithm saw_ksk = 0;
1133 if (!ldns_key_list_key_count(key_list))
1137 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1138 key = ldns_key_list_key(key_list, i);
1139 if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1141 saw_ksk = ldns_key_algorithm(key);
1142 algos[ldns_key_algorithm(key)] = true;
1146 return; /* No KSKs means sign using all ZSKs */
1148 /* Deselect the ZSKs so they do not sign DNSKEY RRs.
1149 * Except with the LDNS_SIGN_WITH_ALL_ALGORITHMS flag, then use it,
1150 * but only if it has an algorithm for which there is no KSK
1152 for (i =0; i < ldns_key_list_key_count(key_list); i++) {
1153 key = ldns_key_list_key(key_list, i);
1154 if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1156 * Still use it if it has a unique algorithm though!
1158 if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
1159 !algos[ldns_key_algorithm(key)])
1160 algos[ldns_key_algorithm(key)] = true;
1162 ldns_key_set_use(key, 0);
1167 /** If there are no ZSKs use KSKs as ZSK too */
1169 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
1176 ldns_signing_algorithm saw_zsk = 0;
1180 if (!ldns_key_list_key_count(key_list))
1184 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1185 key = ldns_key_list_key(key_list, i);
1186 if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1188 saw_zsk = ldns_key_algorithm(key);
1189 algos[ldns_key_algorithm(key)] = true;
1193 return; /* No ZSKs means sign using all KSKs */
1195 /* Deselect the KSKs so they do not sign non DNSKEY RRs.
1196 * Except with the LDNS_SIGN_WITH_ALL_ALGORITHMS flag, then use it,
1197 * but only if it has an algorithm for which there is no ZSK
1199 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1200 key = ldns_key_list_key(key_list, i);
1201 if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1203 * Still use it if it has a unique algorithm though!
1205 if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
1206 !algos[ldns_key_algorithm(key)])
1207 algos[ldns_key_algorithm(key)] = true;
1209 ldns_key_set_use(key, 0);
1215 ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
1216 , ldns_rr_list *new_rrs
1217 , ldns_key_list *key_list
1218 , int (*func)(ldns_rr *, void*)
1223 ldns_status result = LDNS_STATUS_OK;
1225 ldns_rbnode_t *cur_node;
1226 ldns_rr_list *rr_list;
1228 ldns_dnssec_name *cur_name;
1229 ldns_dnssec_rrsets *cur_rrset;
1230 ldns_dnssec_rrs *cur_rr;
1232 ldns_rr_list *siglist;
1236 int on_delegation_point = 0; /* handle partially occluded names */
1238 ldns_rr_list *pubkey_list = ldns_rr_list_new();
1239 for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
1240 ldns_rr_list_push_rr( pubkey_list
1241 , ldns_key2rr(ldns_key_list_key(
1245 /* TODO: callback to see is list should be signed */
1246 /* TODO: remove 'old' signatures from signature list */
1247 cur_node = ldns_rbtree_first(zone->names);
1248 while (cur_node != LDNS_RBTREE_NULL) {
1249 cur_name = (ldns_dnssec_name *) cur_node->data;
1251 if (!cur_name->is_glue) {
1252 on_delegation_point = ldns_dnssec_rrsets_contains_type(
1253 cur_name->rrsets, LDNS_RR_TYPE_NS)
1254 && !ldns_dnssec_rrsets_contains_type(
1255 cur_name->rrsets, LDNS_RR_TYPE_SOA);
1256 cur_rrset = cur_name->rrsets;
1258 /* reset keys to use */
1259 ldns_key_list_set_use(key_list, true);
1261 /* walk through old sigs, remove the old,
1262 and mark which keys (not) to use) */
1263 cur_rrset->signatures =
1264 ldns_dnssec_remove_signatures(cur_rrset->signatures,
1268 if(cur_rrset->type == LDNS_RR_TYPE_DNSKEY ||
1269 cur_rrset->type == LDNS_RR_TYPE_CDNSKEY ||
1270 cur_rrset->type == LDNS_RR_TYPE_CDS) {
1271 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK)) {
1272 ldns_key_list_filter_for_dnskey(key_list, flags);
1275 ldns_key_list_filter_for_non_dnskey(key_list, flags);
1278 /* TODO: just set count to zero? */
1279 rr_list = ldns_rr_list_new();
1281 cur_rr = cur_rrset->rrs;
1283 ldns_rr_list_push_rr(rr_list, cur_rr->rr);
1284 cur_rr = cur_rr->next;
1287 /* only sign non-delegation RRsets */
1288 /* (glue should have been marked earlier,
1289 * except on the delegation points itself) */
1290 if (!on_delegation_point ||
1291 ldns_rr_list_type(rr_list)
1292 == LDNS_RR_TYPE_DS ||
1293 ldns_rr_list_type(rr_list)
1294 == LDNS_RR_TYPE_NSEC ||
1295 ldns_rr_list_type(rr_list)
1296 == LDNS_RR_TYPE_NSEC3) {
1297 siglist = ldns_sign_public(rr_list, key_list);
1298 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1299 if (cur_rrset->signatures) {
1300 result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
1301 ldns_rr_list_rr(siglist,
1304 cur_rrset->signatures = ldns_dnssec_rrs_new();
1305 cur_rrset->signatures->rr =
1306 ldns_rr_list_rr(siglist, i);
1309 ldns_rr_list_push_rr(new_rrs,
1310 ldns_rr_list_rr(siglist,
1314 ldns_rr_list_free(siglist);
1317 ldns_rr_list_free(rr_list);
1319 cur_rrset = cur_rrset->next;
1323 ldns_key_list_set_use(key_list, true);
1324 cur_name->nsec_signatures =
1325 ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
1329 ldns_key_list_filter_for_non_dnskey(key_list, flags);
1331 rr_list = ldns_rr_list_new();
1332 ldns_rr_list_push_rr(rr_list, cur_name->nsec);
1333 siglist = ldns_sign_public(rr_list, key_list);
1335 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1336 if (cur_name->nsec_signatures) {
1337 result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
1338 ldns_rr_list_rr(siglist, i));
1340 cur_name->nsec_signatures = ldns_dnssec_rrs_new();
1341 cur_name->nsec_signatures->rr =
1342 ldns_rr_list_rr(siglist, i);
1345 ldns_rr_list_push_rr(new_rrs,
1346 ldns_rr_list_rr(siglist, i));
1350 ldns_rr_list_free(siglist);
1351 ldns_rr_list_free(rr_list);
1353 cur_node = ldns_rbtree_next(cur_node);
1356 ldns_rr_list_deep_free(pubkey_list);
1361 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
1362 ldns_rr_list *new_rrs,
1363 ldns_key_list *key_list,
1364 int (*func)(ldns_rr *, void *),
1367 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0);
1370 ldns_status dnssec_zone_equip_zonemd(ldns_dnssec_zone *zone,
1371 ldns_rr_list *new_rrs, ldns_key_list *key_list, int flags);
1373 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
1374 ldns_rr_list *new_rrs,
1375 ldns_key_list *key_list,
1376 int (*func)(ldns_rr *, void *),
1380 ldns_status result = LDNS_STATUS_OK;
1381 ldns_dnssec_rrsets zonemd_rrset;
1382 bool zonemd_added = false;
1384 if (!zone || !new_rrs || !key_list) {
1385 return LDNS_STATUS_ERR;
1387 if (flags & LDNS_SIGN_WITH_ZONEMD) {
1388 ldns_dnssec_rrsets **rrsets_ref = &zone->soa->rrsets;
1391 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD)
1392 rrsets_ref = &(*rrsets_ref)->next;
1394 || (*rrsets_ref)->type > LDNS_RR_TYPE_ZONEMD) {
1395 zonemd_rrset.rrs = NULL;
1396 zonemd_rrset.type = LDNS_RR_TYPE_ZONEMD;
1397 zonemd_rrset.signatures = NULL;
1398 zonemd_rrset.next = *rrsets_ref;
1399 *rrsets_ref = &zonemd_rrset;
1400 zonemd_added = true;
1403 /* zone is already sorted */
1404 result = ldns_dnssec_zone_mark_glue(zone);
1405 if (result != LDNS_STATUS_OK) {
1408 /* check whether we need to add nsecs */
1409 if ((flags & LDNS_SIGN_NO_KEYS_NO_NSECS)
1410 && ldns_key_list_key_count(key_list) < 1)
1413 else if (zone->names
1414 && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
1416 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
1417 if (result != LDNS_STATUS_OK) {
1421 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1429 ldns_dnssec_rrsets **rrsets_ref
1430 = &zone->soa->rrsets;
1433 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD)
1434 rrsets_ref = &(*rrsets_ref)->next;
1435 *rrsets_ref = zonemd_rrset.next;
1437 return flags & LDNS_SIGN_WITH_ZONEMD
1438 ? dnssec_zone_equip_zonemd(zone, new_rrs, key_list, flags)
1443 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
1444 ldns_rr_list *new_rrs,
1445 ldns_key_list *key_list,
1446 int (*func)(ldns_rr *, void *),
1450 uint16_t iterations,
1451 uint8_t salt_length,
1454 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1455 func, arg, algorithm, flags, iterations, salt_length, salt, 0,
1460 ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
1461 ldns_rr_list *new_rrs,
1462 ldns_key_list *key_list,
1463 int (*func)(ldns_rr *, void *),
1467 uint16_t iterations,
1468 uint8_t salt_length,
1471 ldns_rbtree_t **map)
1473 ldns_rr *nsec3, *nsec3param;
1474 ldns_status result = LDNS_STATUS_OK;
1475 bool zonemd_added = false;
1476 ldns_dnssec_rrsets zonemd_rrset;
1478 /* zone is already sorted */
1479 result = ldns_dnssec_zone_mark_glue(zone);
1480 if (result != LDNS_STATUS_OK) {
1484 /* TODO if there are already nsec3s presents and their
1485 * parameters are the same as these, we don't have to recreate
1488 /* add empty nonterminals */
1489 result = ldns_dnssec_zone_add_empty_nonterminals(zone);
1490 if (result != LDNS_STATUS_OK) {
1494 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
1496 /* check whether we need to add nsecs */
1497 if ((signflags & LDNS_SIGN_NO_KEYS_NO_NSECS)
1498 && ldns_key_list_key_count(key_list) < 1)
1501 else if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
1502 /* no need to recreate */
1504 if (!ldns_dnssec_zone_find_rrset(zone,
1506 LDNS_RR_TYPE_NSEC3PARAM)) {
1507 /* create and add the nsec3param rr */
1509 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAM);
1510 ldns_rr_set_owner(nsec3param,
1511 ldns_rdf_clone(zone->soa->name));
1512 ldns_nsec3_add_param_rdfs(nsec3param,
1518 /* always set bit 7 of the flags to zero, according to
1519 * rfc5155 section 11. The bits are counted from right to left,
1520 * so bit 7 in rfc5155 is bit 0 in ldns */
1521 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0);
1522 result = ldns_dnssec_zone_add_rr(zone, nsec3param);
1523 if (result != LDNS_STATUS_OK) {
1526 ldns_rr_list_push_rr(new_rrs, nsec3param);
1528 if (signflags & LDNS_SIGN_WITH_ZONEMD) {
1529 ldns_dnssec_rrsets **rrsets_ref
1530 = &zone->soa->rrsets;
1533 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD)
1534 rrsets_ref = &(*rrsets_ref)->next;
1536 || (*rrsets_ref)->type > LDNS_RR_TYPE_ZONEMD) {
1537 zonemd_rrset.rrs = NULL;
1538 zonemd_rrset.type = LDNS_RR_TYPE_ZONEMD;
1539 zonemd_rrset.signatures = NULL;
1540 zonemd_rrset.next = *rrsets_ref;
1541 *rrsets_ref = &zonemd_rrset;
1542 zonemd_added = true;
1545 result = ldns_dnssec_zone_create_nsec3s_mkmap(zone,
1554 ldns_dnssec_rrsets **rrsets_ref
1555 = &zone->soa->rrsets;
1558 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD)
1559 rrsets_ref = &(*rrsets_ref)->next;
1560 *rrsets_ref = zonemd_rrset.next;
1562 if (result != LDNS_STATUS_OK) {
1567 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1574 if (result || !zone->names)
1577 return signflags & LDNS_SIGN_WITH_ZONEMD
1578 ? dnssec_zone_equip_zonemd(zone, new_rrs, key_list, signflags)
1583 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
1584 ldns_rr_list *new_rrs,
1585 ldns_key_list *key_list,
1586 int (*func)(ldns_rr *, void *),
1590 uint16_t iterations,
1591 uint8_t salt_length,
1595 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1596 func, arg, algorithm, flags, iterations, salt_length, salt,
1601 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
1603 ldns_dnssec_zone *dnssec_zone;
1604 ldns_zone *signed_zone;
1605 ldns_rr_list *new_rrs;
1608 signed_zone = ldns_zone_new();
1609 dnssec_zone = ldns_dnssec_zone_new();
1611 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1612 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1614 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1615 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1616 ldns_rr_list_rr(ldns_zone_rrs(zone),
1618 ldns_zone_push_rr(signed_zone,
1619 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1623 new_rrs = ldns_rr_list_new();
1624 (void) ldns_dnssec_zone_sign(dnssec_zone,
1627 ldns_dnssec_default_replace_signatures,
1630 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1631 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1632 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1635 ldns_rr_list_deep_free(new_rrs);
1636 ldns_dnssec_zone_free(dnssec_zone);
1642 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
1644 ldns_dnssec_zone *dnssec_zone;
1645 ldns_zone *signed_zone;
1646 ldns_rr_list *new_rrs;
1649 signed_zone = ldns_zone_new();
1650 dnssec_zone = ldns_dnssec_zone_new();
1652 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1653 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1655 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1656 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1657 ldns_rr_list_rr(ldns_zone_rrs(zone),
1659 ldns_zone_push_rr(signed_zone,
1660 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1664 new_rrs = ldns_rr_list_new();
1665 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone,
1668 ldns_dnssec_default_replace_signatures,
1676 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1677 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1678 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1681 ldns_rr_list_deep_free(new_rrs);
1682 ldns_dnssec_zone_free(dnssec_zone);
1686 #endif /* HAVE_SSL */