- Sep 11, 2013
-
-
Jan Kadlec authored
- added a debug message to rrset_new() Refs #4
-
Jan Včelák authored
Key algorithm and used NSEC type must match: RFC 5155 states that, for compatibility with old resolvers, NSEC3 must be used only with NSEC3 algorithms. It makes no sense to sign NSEC with NSEC3 keys, because it will make the validation impossible on NSEC3-unaware resolvers. This is stricter than what dnssec-signzone from ISC does. refs #4
-
- Sep 10, 2013
-
-
Jan Včelák authored
(at least for now) refs #4
-
Jan Včelák authored
-
Jan Včelák authored
refs #4
-
- Sep 09, 2013
-
-
Jan Včelák authored
- previous code constructed new RRSIG and populated it with extracted and processed data taken from the RRSIG which was validated
- new code uses RDATA directly from the RRSIG which is validated
refs #4
-
Jan Kadlec authored
-
Jan Včelák authored
- uses knot_dnssec_sign_verify() instead of string comparison and therefore OpenSSL EVP_VerifyFinal()
- previous approach could not work e.g. for DSA based ciphers
refs #4
-
- Sep 06, 2013
-
-
Jan Včelák authored
- tests are failing, public key is required for signature verification
- OpenSSL fails with invalid parameters error when doing verification
refs #4
-
Jan Včelák authored
- very similar to problem which was fixed recently with DSA
-
Jan Včelák authored
- do not propagate OpenSSL errors as invalid signature refs #4
-
- Sep 05, 2013
-
-
Jan Včelák authored
refs #4
-
Jan Včelák authored
- separate key manipulation and signing tests
- tests should be failing now as DSA verification is not implemented
- tests for ECDSA are missing
refs #4
-
Jan Včelák authored
Values R and S from DSA signatures could probably be shorter than 20 bytes. In that case, some bytes of the memory with signature would be left untouched by the write function. Added memset() should fix that.
-
Jan Včelák authored
- add API function knot_dnssec_sign_verify()
- works only for RSA based ciphers, format conversion needed for others
refs #4
-
- Sep 04, 2013
-
-
Lubos Slovak authored
-
Lubos Slovak authored
Saving now done in store-apply-commit sequence. This ensures that changes are not saved to journal if something went wrong. There is still one problem about this - we apply only the DNSSEC changeset and even if it's wrong, the changeset from zone diff should be saved to the journal. Should fix this later. refs #4
-
Lubos Slovak authored
Added some more ugly hacks to properly use SOAs from the two changesets. refs #4
-
Lubos Slovak authored
refs #4
-
Lubos Slovak authored
refs #4
-
Lubos Slovak authored
refs #4
-
Lubos Slovak authored
refs #4
-
Lubos Slovak authored
refs #4
-
- Sep 03, 2013
-
-
Lubos Slovak authored
When happening during reload, there may be some readers. refs #4
-
Lubos Slovak authored
There are, however, a lot of other problems related to NSEC. refs #4
-
Lubos Slovak authored
refs #4
-
Daniel Salzman authored
-
- Sep 02, 2013
-
-
Lubos Slovak authored
Fixed leaks from load signing. Other cases must be checked. refs #4
-
Jan Včelák authored
-
- Sep 01, 2013
-
-
Jan Kadlec authored
- Added new field to dnssec policy structure (SOA serial increment policy)
- Removed debug code
- Added some info messages after successful signing
Refs #4
-
Jan Kadlec authored
Refs #4
-
- Aug 30, 2013
-
-
Jan Kadlec authored
- preparation for non-forced zone sign planning
- added a possibility not to wait for readers in changeset application when applying DNSSEC changes upon load/reload (there should be no readers, since the zone is not in the zonedb)
- fixes in changeset merging (SOAs and serials were wrong - SOAs might still be wrong, when we merge the changesets, we do *NOT* want to update the serial, since the user already did that)
Refs #4
-
- Aug 27, 2013
-
-
Jan Kadlec authored
Refs #4
-
Jan Kadlec authored
- First store merge changesets, then apply signatures - Added pretty print function to dump changesets, HAS TO BE REMOVED!!! - some fixes, mainly in signature checking - fails to save to journal for same reason - deliberate leaks - malformed changesets, needs custom freeing function Refs #4
-
Jan Kadlec authored
- Zones are now automatically (re)signed when server starts/reloads
- Signature validity check now calculates the signature as well - this is used to detect changes to RRs themselves
- 'knotc signzone' issues a force signing of zone - all RRSIGs are dropped and recreated
- Some leaks and bugs still present, but the code is committable now
Refs #4
-
- Aug 22, 2013
-
-
Jan Kadlec authored
Refs #4
-
Lubos Slovak authored
refs #4
-
Lubos Slovak authored
It should be called always when adjusting is called (i.e. always when new zone contents are created).
-
Lubos Slovak authored
refs #4
-
Lubos Slovak authored
refs #4
-