1. 28 Jan, 2020 6 commits
      dnssec-checkds CDS support, and other improvements · 4a2f72fb
      Tony Finch authored
      * Use `dnssec-dsfromkey -p` to work out what the delegation records
        should be, based on CDS records.
      
      * Better error checking for failures by `dig`.
      
      * Add a --every mode for checking all the parent name servers. This is
        for extra protection against long propagation delays.
      
      * Add a --quiet mode to avoid unwanted cronspam. There is still output
        if something unexpected happens, so --quiet mode is better for cron
        jobs than just redirecting the output.
      
      * Explain how this tool relates to other tools. The current strict
        consistency logic was introduced when SHA-1 was deprecated, but it
        wasn't documented. The manual has now been updated. (Users who want
        checks based on validation semantics should use something like
        zonemaster or dnsviz instead.)
      dnssec-dsfromkey: optionally output the DNSKEY as well as its DS · 5971eed2
      Tony Finch authored
      This is for use with tools that manage a zone's delegation,
      when the parent domain registry does not accept DS records.
      dnssec-dsfromkey: allow CDNSKEY and CDS as input records · 6b32561b
      Tony Finch authored
      There are a couple of situations where this is useful:
      
        * `dnssec-checkds` will need to know what the zone's DS records
          should be, when it is running in exact-match mode to verify that
          the parent zone is in sync with a KSK rollover.
      
        * Third party tools that push DS records to parent zones that do not
          implement CDS checking also need to know what the DS records
          should be. It is helpful to have this logic easily reusable.
      
      The logic here is more lenient than in `dnssec-cds`: we have
      privileged access to the child zone's authoritative data, so we know
      what the DS records should be without validation.
      
      This will fall back to using DNSKEY records, for zones that don't have
      CDS or CDNSKEY records.
      
      This does not (yet) implement RFC 8078 for going insecure.
      dnssec: warn if a key is to be revoked too early · 386d239c
      Tony Finch authored
      A key should not be revoked before it is removed from the DS records,
      so its scheduled revocation time should be after the CDS/CDNSKEY
      records are to be deleted.
      dnssec-settime: tidy up variable declarations · d91539ba
      Tony Finch authored
      No functional change.