aboutsummaryrefslogtreecommitdiff
path: root/plugin/sign/signer.go (follow)
AgeCommit message (Collapse)AuthorFilesLines
2022-02-14Fix security scans by cleaning up file path (#5185)Gravatar Yong Tang 1-1/+1
While performing security scans there were several issue raised as G304 (CWE-22): Potential file inclusion via variable. As some files path are taken from user input, it is possible the filepath passed by user may have unintended effect if not properly formed. This fix add Clean to remove the security warning and address some potential issue. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2021-03-15Revert "plugin/sign: track zone file's mtime (#4431)" (#4511)Gravatar Miek Gieben 1-12/+0
This reverts commit c4720b8ad238fc5e0603c7f96fdd5982024404a2.
2021-02-10plugin/sign: track zone file's mtime (#4431)Gravatar Miek Gieben 1-0/+12
* plugin/sign: track zone file's mtime Resign if the original zone's mtime is change in some way. Closes #4407 Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/sign/README.md Co-authored-by: Chris O'Haver <cohaver@infoblox.com> Co-authored-by: Yong Tang <yong.tang.github@outlook.com> Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
2020-01-12sign: add expiration jitter (#3588)Gravatar Miek Gieben 1-15/+16
* add expiration jitter Signed-off-by: Miek Gieben <miek@miek.nl> * sign: add expiration jitter This PR adds a expiration jitter to spread out zone re-signing even more. The max is 5 extra days added when creating the signer for a specific zone. Also make the duration* constants private to clean up the godoc for this plugin. Signed-off-by: Miek Gieben <miek@miek.nl>
2019-12-06plugin/sign: fix signing of authoritative data (#3479)Gravatar Miek Gieben 1-32/+19
Don't sign data we are not authoritative for. This adds an AuthWalk which skips names we should not authoritative for. Adds a few tests to check this is the case. Generates zones have been compared to dnssec-signzone. A number of changes have been made: * don't add DS records to the apex * NSEC TTL is the SOA's minttl value (copying bind9) * Various cleanups * signer struct was cleaned up: doesn't need ttl, nor expiration or inception. * plugin/sign: remove apex stuff from names() This is never used because we will always have other types in the apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and CDNSKEY). Signed-off-by: Miek Gieben <miek@miek.nl> Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>
2019-08-29plugin/sign: a plugin that signs zone (#2993)Gravatar Miek Gieben 1-0/+222
* plugin/sign: a plugin that signs zones Sign is a plugin that signs zone data (on disk). The README.md details what exactly happens to should be accurate related to the code. Signs are signed with a CSK, resigning and first time signing is all handled by *sign* plugin. Logging with a test zone looks something like this: ~~~ txt [INFO] plugin/sign: Signing "miek.nl." because open plugin/sign/testdata/db.miek.nl.signed: no such file or directory [INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 11.670985ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T15:49:06.560Z [INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563636548 [INFO] plugin/sign: Signing "miek.nl." because resign was: 10m0s ago [INFO] plugin/sign: Signed "miek.nl." with key tags "59725" in 2.055895ms, saved in "plugin/sign/testdata/db.miek.nl.signed". Next: 2019-07-20T16:09:06.560Z [INFO] plugin/file: Successfully reloaded zone "miek.nl." in "plugin/sign/testdata/db.miek.nl.signed" with serial 1563637748 ~~~ Signed-off-by: Miek Gieben <miek@miek.nl> * Adjust readme and remove timestamps Signed-off-by: Miek Gieben <miek@miek.nl> * Comment on the newline Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/sign/README.md Co-Authored-By: Michael Grosser <development@stp-ip.net>
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-03 19:08:01 +0000