Commit 45afdb26 authored by Evan Hunt's avatar Evan Hunt

[master] remove default algorithm in dnssec-keygen

4594.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
			the signing algorithm must be specified on
			the command line with the "-a" option.  Signing
			scripts that rely on the existing default behavior
			will break; use "dnssec-keygen -a RSASHA1" to
			repair them. (The goal of this change is to make
			it easier to find scripts using RSASHA1 so they
			can be changed in the event of that algorithm
			being deprecated in the future.) [RT #44755]
parent 2bfc294f
4594. [func] dnssec-keygen no longer uses RSASHA1 by default;
the signing algorithm must be specified on
the command line with the "-a" option. Signing
scripts that rely on the existing default behavior
will break; use "dnssec-keygen -a RSASHA1" to
repair them. (The goal of this change is to make
it easier to find scripts using RSASHA1 so they
can be changed in the event of that algorithm
being deprecated in the future.) [RT #44755]
4693. [func] Synthesis of responses from DNSSEC-verified records.
Stage 1 covers NXDOMAIN synthesis from NSEC records.
This is controlled by synth-from-dnssec and is enabled
......
......@@ -46,15 +46,6 @@
const char *program = "dnssec-keyfromlabel";
int verbose;
#define DEFAULT_ALGORITHM "RSASHA1"
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512 | ECCGOST |"
" ECDSAP256SHA256 | ECDSAP384SHA384 |"
" ED25519 | ED448";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
......@@ -68,9 +59,11 @@ usage(void) {
fprintf(stderr, " -l label: label of the key pair\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: %s\n", algs);
fprintf(stderr, " (default: RSASHA1, or "
"NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -a algorithm: \n"
" RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
" NSEC3DSA | NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 | ECCGOST |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
fprintf(stderr, " -E <engine>:\n");
......@@ -394,16 +387,7 @@ main(int argc, char **argv) {
}
if (algname == NULL) {
if (use_nsec3)
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
if (algname == NULL)
fatal("strdup failed");
freeit = algname;
if (verbose > 0)
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
fatal("no algorithm specified");
}
if (strcasecmp(algname, "RSA") == 0) {
......@@ -434,14 +418,28 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
}
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
if (use_nsec3) {
switch (alg) {
case DST_ALG_DSA:
alg = DST_ALG_NSEC3DSA;
break;
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
case DST_ALG_NSEC3DSA:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
break;
default:
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
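Review bot: The rewritten usage text for `-a` (the fprintf ending in `" ECDSAP256SHA256 | ECDSAP384SHA384\n"`) no longer lists ED25519 and ED448, although the removed `algs` string did and the NSEC3 switch added in the last hunk still accepts `DST_ALG_ED25519` and `DST_ALG_ED448`; restoring `" ECDSAP256SHA256 | ECDSAP384SHA384 |\n" " ED25519 | ED448\n"` keeps the help output in step with what the parser accepts. The new `fatal("no algorithm specified")` would be more actionable if it named the option, in the style of the `fatal("key size not specified (-b option)")` that dnssec-keygen.c already uses: `fatal("no algorithm specified (-a option)");`. In the `-3` switch, `alg` is remapped to the NSEC3 variant while `algname` keeps the text the user typed, so any later diagnostic that prints `algname` will presumably say RSASHA1 for a key that is actually NSEC3RSASHA1 — worth checking the rest of main, which starts and ends outside these hunks. The same remapping switch is duplicated verbatim in dnssec-keygen.c in this commit, so both copies would need the same follow-up.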
......
......@@ -104,7 +104,6 @@
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
......@@ -114,11 +113,17 @@
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
along with the <option>-3</option> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
</para>
<para>
Note 2: DH automatically sets the -k flag.
As of BIND 9.12.0, this option is mandatory except when using
the <option>-S</option> option (which copies the algorithm from
the predecessory key). Previously, the default for newly
generated keys was RSASHA1.
</para>
</listitem>
</varlistentry>
......@@ -128,9 +133,10 @@
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
specifies the NSEC3RSASHA1 algorithm.
</para>
</listitem>
</varlistentry>
......@@ -454,30 +460,30 @@
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
......
......@@ -61,9 +61,6 @@
const char *program = "dnssec-keygen";
int verbose;
#define DEFAULT_ALGORITHM "RSASHA1"
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
......@@ -86,8 +83,6 @@ usage(void) {
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
fprintf(stderr, " (default: RSASHA1, or "
"NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA);
......@@ -110,9 +105,8 @@ usage(void) {
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
fprintf(stderr, " (if using the default algorithm, key size\n"
" defaults to 2048 for KSK, or 1024 for all "
"others)\n");
fprintf(stderr, " (key size defaults are set according to\n"
" algorithm and usage (ZSK or KSK)\n");
fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
"USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
......@@ -240,7 +234,7 @@ main(int argc, char **argv) {
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
dns_ttl_t ttl = 0;
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
isc_boolean_t use_nsec3 = ISC_FALSE;
isc_stdtime_t publish = 0, activate = 0, revokekey = 0;
isc_stdtime_t inactive = 0, deltime = 0;
isc_stdtime_t now;
......@@ -537,17 +531,7 @@ main(int argc, char **argv) {
isc_result_totext(ret));
if (algname == NULL) {
use_default = ISC_TRUE;
if (use_nsec3)
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
if (algname == NULL)
fatal("strdup failed");
freeit = algname;
if (verbose > 0)
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
fatal("no algorithm specified");
}
if (strcasecmp(algname, "RSA") == 0) {
......@@ -601,14 +585,28 @@ main(int argc, char **argv) {
if (!dst_algorithm_supported(alg))
fatal("unsupported algorithm: %d", alg);
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
if (use_nsec3) {
switch (alg) {
case DST_ALG_DSA:
alg = DST_ALG_NSEC3DSA;
break;
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
case DST_ALG_NSEC3DSA:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
break;
default:
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
......@@ -629,21 +627,31 @@ main(int argc, char **argv) {
}
if (size < 0) {
if (use_default) {
if ((kskflag & DNS_KEYFLAG_KSK) != 0)
switch (alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
if ((kskflag & DNS_KEYFLAG_KSK) != 0) {
size = 2048;
else
} else {
size = 1024;
if (verbose > 0)
}
if (verbose > 0) {
fprintf(stderr, "key size not "
"specified; defaulting"
" to %d\n", size);
} else if (alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 &&
alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 &&
alg != DST_ALG_ED448)
}
break;
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
break;
default:
fatal("key size not specified (-b option)");
}
}
if (!oldstyle && prepub > 0) {
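Review bot: With the `if (use_default)` guard removed from the key-size block, the 1024-bit ZSK / 2048-bit KSK defaults now apply to every RSA invocation that omits `-b`, including an explicit `-a RSASHA256` or `-a RSASHA512`, whereas the docbook paragraph this commit deletes states that an explicit `-a` previously required `-b`. A 1024-bit RSA zone-signing key is below current recommendations, and the "key size not specified; defaulting to %d" message stays gated on `verbose > 0`, so script authors forced onto the now-mandatory `-a` will get that size without noticing; consider dropping the `verbose > 0` condition around that fprintf, or raising the ZSK default, so the choice is visible. The `fatal("no algorithm specified")` in the earlier hunk could name the option like the neighbouring `fatal("key size not specified (-b option)")`: `fatal("no algorithm specified (-a option)");`. Since `freeit = algname;` is removed from that hunk, check whether `freeit` still has an assignment elsewhere in main (outside these hunks) or is now a set-but-unused variable. main starts and ends outside these hunks.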
......
......@@ -53,7 +53,7 @@
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-keygen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
......@@ -101,6 +101,13 @@
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</para>
<para>
The <command>dnssec-keymgr</command> command acts as a wrapper
around <command>dnssec-keygen</command>, generating and updating keys
as needed to enforce defined security policies such as key rollover
scheduling. Using <command>dnssec-keymgr</command> may be preferable
to direct use of <command>dnssec-keygen</command>.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
......@@ -114,27 +121,26 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
or HMAC-SHA512; specifying any of these algorithms will
automatically set the <option>-T KEY</option> option as well.
(Note: <command>tsig-keygen</command> produces TSIG keys in a
more useful format than <command>dnssec-keygen</command>.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
along with the <option>-3</option> option, then NSEC3RSASHA1
or NSEC3DSA will be used instead.
</para>
<para>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
As of BIND 9.12.0, this option is mandatory except when using
the <option>-S</option> option (which copies the algorithm from
the predecessor key). Previously, the default for newly
generated keys was RSASHA1.
</para>
</listitem>
</varlistentry>
......@@ -152,13 +158,11 @@
this parameter.
</para>
<para>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <option>-f KSK</option>). However, if an
algorithm is explicitly specified with the <option>-a</option>,
then there is no default key size, and the <option>-b</option>
must be used.
If the key size is not specified, some algorithms have
pre-defined defaults. For example, RSA keys for use as
DNSSEC zone signing keys have a default size of 1024 bits;
RSA keys for use as key signing keys (KSKs, generated with
<option>-f KSK</option>) default to 2048 bits.
</para>
</listitem>
</varlistentry>
......@@ -169,11 +173,10 @@
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</para>
</listitem>
</varlistentry>
......@@ -183,11 +186,10 @@
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
specifies the NSEC3RSASHA1 algorithm.
</para>
</listitem>
</varlistentry>
......@@ -394,8 +396,8 @@
overridden to KEY for use with SIG(0).
<para>
</para>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
Specifying any TSIG algorithm (HMAC-* or DH) with
<option>-a</option> forces this option to KEY.
</para>
</listitem>
</varlistentry>
......@@ -529,30 +531,30 @@
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
......
......@@ -17,18 +17,18 @@ infile=root.db.in
cat $infile ../ns2/dsset-example$TP > $zonefile
zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone`
zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
zskact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
zskvanish=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
zskdel=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -D now $zone`
zskinact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -I now $zone`
zskunpub=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -G $zone`
zsksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A none $zone`
zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A now -P +1d $zone`
zsknopriv=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
rm $zsknopriv.private
ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
ksksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -P now -A now+15s -fk $zone`
kskrev=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -R now+15s -fk $zone`
cat $ksksby.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
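Review bot: The new `-a RSASHA1` is hard-coded into every keygen invocation in these system-test scripts (this hunk, the `secure.example`/`private.secure.example`/`bar` script that follows, and the `setup`-based script after it), which is exactly the scattered usage the commit message says it wants to make easy to retire. Defining the algorithm once next to `$KEYGEN` in the shared test configuration, e.g. a `KEYGEN_ALG=RSASHA1` variable (name illustrative), and writing `-a $KEYGEN_ALG` here would turn the eventual algorithm migration into a one-line change and keep the grep target in a single place. The surrounding script lines lie outside this hunk.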
......
......@@ -23,16 +23,16 @@ zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile dsset-*.example$TP > $zonefile
kskname=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
kskname=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
$DSFROMKEY $kskname.key > dsset-${zone}$TP
# Create keys for a private secure zone.
zone=private.secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
cat $ksk.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
......@@ -55,5 +55,5 @@ for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
do
cp $i `echo $i | sed s/X/K/`
done
$KEYGEN -q -r $RANDFILE $zone > /dev/null
$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > /dev/null
$DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP
......@@ -27,8 +27,8 @@ setup () {
setup secure.example
cp $infile $zonefile
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
......@@ -36,8 +36,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup secure.nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
......@@ -45,8 +45,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup nsec3.nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
......@@ -54,8 +54,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup optout.nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
......@@ -63,8 +63,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup nsec3.example
cat $infile dsset-*.${zone}$TP > $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out