Commit 46bc64f4 authored by Evan Hunt's avatar Evan Hunt

[master] tsig-keygen

3783.	[func]		"tsig-keygen" is now available as an alternate
			command name for "ddns-confgen".  It generates
			a TSIG key in named.conf format without comments.
			[RT #35503]
parent ca7aeeab
3783. [func] "tsig-keygen" is now available as an alternate
command name for "ddns-confgen". It generates
a TSIG key in named.conf format without comments.
[RT #35503]
3782. [func] Specifying "auto" as the salt when using
"rndc signing -nsec3param" causes named to
generate a 64-bit salt at random. [RT #35322]
......
......@@ -54,7 +54,7 @@ SRCS= rndc-confgen.c ddns-confgen.c
SUBDIRS = unix
TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
MANPAGES = rndc-confgen.8 ddns-confgen.8
......@@ -82,6 +82,11 @@ ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIB
export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
# make a link in the build directory to assist with testing
tsig-keygen@EXEEXT@: ddns-confgen@EXEEXT@
rm -f tsig-keygen@EXEEXT@
${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
......@@ -96,6 +101,8 @@ install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
(cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
clean distclean maintainer-clean::
rm -f ${TARGETS}
......@@ -14,8 +14,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ddns-confgen.c,v 1.11 2011/03/12 04:59:46 tbox Exp $ */
/*! \file */
/**
......@@ -53,20 +51,21 @@
#include "util.h"
#include "keygen.h"
#define DEFAULT_KEYNAME "ddns-key"
#define KEYGEN_DEFAULT "tsig-key"
#define CONFGEN_DEFAULT "ddns-key"
static char program[256];
const char *progname;
isc_boolean_t verbose = ISC_FALSE;
static enum { progmode_keygen, progmode_confgen} progmode;
isc_boolean_t verbose = ISC_FALSE; /* needed by util.c but not used here */
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
fprintf(stderr, "\
if (progmode == progmode_confgen) {
fprintf(stderr, "\
Usage:\n\
%s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
-a alg: algorithm (default hmac-sha256)\n\
......@@ -75,39 +74,65 @@ Usage:\n\
-s name: domain name to be updated using the created key\n\
-z zone: name of the zone as it will be used in named.conf\n\
-q: quiet mode: print the key, with no explanatory text\n",
progname);
progname);
} else {
fprintf(stderr, "\
Usage:\n\
%s [-a alg] [-r randomfile] [keyname]\n\
-a alg: algorithm (default hmac-sha256)\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n",
progname);
}
exit (status);
}
int
main(int argc, char **argv) {
isc_result_t result = ISC_R_SUCCESS;
isc_boolean_t show_final_mem = ISC_FALSE;
isc_boolean_t quiet = ISC_FALSE;
isc_buffer_t key_txtbuffer;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_SUCCESS;
const char *randomfile = NULL;
const char *keyname = NULL;
const char *zone = NULL;
const char *self_domain = NULL;
char *keybuf = NULL;
dns_secalg_t alg = DST_ALG_HMACSHA256;
const char *algname = alg_totext(alg);
const char *algname;
int keysize = 256;
int len = 0;
int ch;
result = isc_file_progname(*argv, program, sizeof(program));
if (result != ISC_R_SUCCESS)
memmove(program, "ddns-confgen", 13);
memmove(program, "tsig-keygen", 11);
progname = program;
/*
* Libtool doesn't preserve the program name prior to final
* installation. Remove the libtool prefix ("lt-").
*/
if (strncmp(progname, "lt-", 3) == 0)
progname += 3;
#define PROGCMP(X) \
(strcasecmp(progname, X) == 0 || strcasecmp(progname, X ".exe") == 0)
if (PROGCMP("tsig-keygen")) {
progmode = progmode_keygen;
quiet = ISC_TRUE;
} else if (PROGCMP("ddns-confgen"))
progmode = progmode_confgen;
else
INSIST(0);
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"a:hk:Mmr:qs:Vy:z:")) != -1) {
"a:hk:Mmr:qs:y:z:")) != -1) {
switch (ch) {
case 'a':
algname = isc_commandline_argument;
......@@ -120,7 +145,10 @@ main(int argc, char **argv) {
usage(0);
case 'k':
case 'y':
keyname = isc_commandline_argument;
if (progmode == progmode_confgen)
keyname = isc_commandline_argument;
else
usage(1);
break;
case 'M':
isc_mem_debugging = ISC_MEM_DEBUGTRACE;
......@@ -129,19 +157,25 @@ main(int argc, char **argv) {
show_final_mem = ISC_TRUE;
break;
case 'q':
quiet = ISC_TRUE;
if (progmode == progmode_confgen)
quiet = ISC_TRUE;
else
usage(1);
break;
case 'r':
randomfile = isc_commandline_argument;
break;
case 's':
self_domain = isc_commandline_argument;
break;
case 'V':
verbose = ISC_TRUE;
if (progmode == progmode_confgen)
self_domain = isc_commandline_argument;
else
usage(1);
break;
case 'z':
zone = isc_commandline_argument;
if (progmode == progmode_confgen)
zone = isc_commandline_argument;
else
usage(1);
break;
case '?':
if (isc_commandline_option != '?') {
......@@ -158,22 +192,28 @@ main(int argc, char **argv) {
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
if (progmode == progmode_keygen)
keyname = argv[isc_commandline_index++];
POST(argv);
if (self_domain != NULL && zone != NULL)
usage(1); /* -s and -z cannot coexist */
if (argc > 0)
if (argc > isc_commandline_index)
usage(1);
/* Use canonical algorithm name */
algname = alg_totext(alg);
DO("create memory context", isc_mem_create(0, 0, &mctx));
if (keyname == NULL) {
const char *suffix = NULL;
keyname = DEFAULT_KEYNAME;
keyname = ((progmode == progmode_keygen)
? KEYGEN_DEFAULT
: CONFGEN_DEFAULT);
if (self_domain != NULL)
suffix = self_domain;
else if (zone != NULL)
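Review bot: The fallback name copied at `memmove(program, "tsig-keygen", 11);` is one byte short: "tsig-keygen" is 11 characters, so the terminating NUL is not copied, whereas the replaced line copied 13 bytes for the 12-character "ddns-confgen". `program` is a file-scope static array and so starts zero-filled, but if isc_file_progname() wrote into the buffer before reporting failure the name is left unterminated and the strcasecmp() calls in PROGCMP() read past it; `memmove(program, "tsig-keygen", 12);` or `snprintf(program, sizeof(program), "tsig-keygen");` fixes it. Separately, an invocation name matching neither PROGCMP("tsig-keygen") nor PROGCMP("ddns-confgen") now ends in `INSIST(0)`, which aborts with an assertion message rather than a usage error; since the fallback name is applied only when isc_file_progname() fails, a renamed copy or a distro-versioned link would take that path, so `usage(1)` or defaulting to progmode_confgen would be friendlier. The `keyname = argv[isc_commandline_index++]` line is only correct if the `argc -=` / `argv +=` adjustments just above it are gone on the new side (the rendered view does not show which side they belong to); if they survive, argv is indexed twice by the same offset and the name is read past the end of the argument vector. main() continues past the end of this hunk.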
......
......@@ -19,7 +19,7 @@
<refentry id="man.ddns-confgen">
<refentryinfo>
<date>September 18, 2009</date>
<date>March 6, 2014</date>
</refentryinfo>
<refmeta>
......@@ -42,48 +42,64 @@
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>tsig-keygen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<arg choice="opt">name</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>ddns-confgen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg><option>-q</option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group>
<arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
</group>
<arg><option>-q</option></arg>
<arg choice="opt">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>ddns-confgen</command>
generates a key for use by <command>nsupdate</command>
and <command>named</command>. It simplifies configuration
of dynamic zones by generating a key and providing the
<command>nsupdate</command> and <command>named.conf</command>
syntax that will be needed to use it, including an example
<command>update-policy</command> statement.
<para>
<command>tsig-keygen</command> and <command>ddns-confgen</command>
are invokation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<command>rndc</command> command channel.
</para>
<para>
When run as <command>tsig-keygen</command>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <constant>tsig-key</constant>.
</para>
<para>
If a domain name is specified on the command line, it will
be used in the name of the generated key and in the sample
<command>named.conf</command> syntax. For example,
<command>ddns-confgen example.com</command> would
generate a key called "ddns-key.example.com", and sample
<command>named.conf</command> command that could be used
in the zone definition for "example.com".
When run as <command>ddns-confgen</command>, the generated
key is accompanied by configuration text and instructions
that can be used with <command>nsupdate</command> and
</command>named</command> when setting up dynamic DNS,
including an example <command>update-policy</command>
statement. (This usage similar to the
<command>rndc-confgen</command> command for setting
up command channel security.)
</para>
<para>
Note that <command>named</command> itself can configure a
local DDNS key for use with <command>nsupdate -l</command>.
local DDNS key for use with <command>nsupdate -l</command>:
it does this when a zone is configured with
<command>update-policy local;</command>.
<command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance, if
<command>nsupdate</command> is to be used from a remote system.
more elaborate configuration is required: for instance,
if <command>nsupdate</command> is to be used from a remote
system.
</para>
</refsect1>
......@@ -98,6 +114,8 @@
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</para>
</listitem>
</varlistentry>
......@@ -106,8 +124,7 @@
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>ddns-confgen</command>.
Prints a short summary of options and arguments.
</para>
</listitem>
</varlistentry>
......@@ -133,8 +150,9 @@
<term>-q</term>
<listitem>
<para>
Quiet mode: Print only the key, with no explanatory text or
usage examples.
(<command>ddns-confgen</command> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <command>tsig-keygen</command>.
</para>
</listitem>
</varlistentry>
......@@ -160,11 +178,12 @@
<term>-s <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
Single host mode: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">name</replaceable>
using the "name" nametype.
The default key name is
(<command>ddns-confgen</command> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <command>named.conf</command>
text shows how to set an update policy for the specified
<replaceable class="parameter">name</replaceable>
using the "name" nametype. The default key name is
ddns-key.<replaceable class="parameter">name</replaceable>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
......@@ -177,12 +196,14 @@
<term>-z <replaceable class="parameter">zone</replaceable></term>
<listitem>
<para>
zone mode: The example <command>named.conf</command> text
(<command>ddns-confgen</command> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">zone</replaceable>
using the "zonesub" nametype, allowing updates to all subdomain
names within
that <replaceable class="parameter">zone</replaceable>.
using the "zonesub" nametype, allowing updates to
all subdomain names within that
<replaceable class="parameter">zone</replaceable>.
This option cannot be used with the <option>-s</option> option.
</para>
</listitem>
......
......@@ -69,17 +69,21 @@ alg_totext(dns_secalg_t alg) {
*/
dns_secalg_t
alg_fromtext(const char *name) {
if (strcmp(name, "hmac-md5") == 0)
const char *p = name;
if (strncasecmp(p, "hmac-", 5) == 0)
p = &name[5];
if (strcasecmp(p, "md5") == 0)
return DST_ALG_HMACMD5;
if (strcmp(name, "hmac-sha1") == 0)
if (strcasecmp(p, "sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcmp(name, "hmac-sha224") == 0)
if (strcasecmp(p, "sha224") == 0)
return DST_ALG_HMACSHA224;
if (strcmp(name, "hmac-sha256") == 0)
if (strcasecmp(p, "sha256") == 0)
return DST_ALG_HMACSHA256;
if (strcmp(name, "hmac-sha384") == 0)
if (strcasecmp(p, "sha384") == 0)
return DST_ALG_HMACSHA384;
if (strcmp(name, "hmac-sha512") == 0)
if (strcasecmp(p, "sha512") == 0)
return DST_ALG_HMACSHA512;
return DST_ALG_UNKNOWN;
}
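Review bot: The doc comment whose closing `*/` opens this hunk presumably still describes exact-match lookup, while alg_fromtext() now accepts any letter case and an optional "hmac-" prefix; add a line to that comment such as `Matching is case-insensitive and the "hmac-" prefix is optional, so "SHA256" and "hmac-sha256" are equivalent; DST_ALG_UNKNOWN is returned for any other name.` The manual page hunk in this commit states the same contract, so the two should be kept in sync. With six near-identical branches, a `static const` name/algorithm table walked with strcasecmp() would make adding an algorithm a one-line change, but that is a style preference rather than a defect.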
......
......@@ -71,6 +71,12 @@
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)
copy /Y ddns-confgen.exe tsig-keygen.exe
copy /Y ddns-confgen.ilk tsig-keygen.ilk
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
<ClCompile>
......@@ -100,6 +106,11 @@
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)
copy /Y ddns-confgen.exe tsig-keygen.exe
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\ddns-confgen.c" />
......@@ -107,4 +118,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
\ No newline at end of file
</Project>
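Review bot: In each new PostBuildEvent, `cd ..\..\..\Build\$(Configuration)` and the following `copy` lines are independent commands, so if the cd fails (directory not created yet, or a build with a different output directory) the copies run in whatever the current directory is and the failure is easy to miss; copying by full path, e.g. `copy /Y "$(OutDir)ddns-confgen.exe" "$(OutDir)tsig-keygen.exe"` if OutDir resolves to that Build directory, or chaining the commands with `&&`, avoids the silent misfire. The same copy is also added to win32utils/Build.bat in this commit (the hunk following its copyright-year change), so two places now have to be kept in sync and one of them could be dropped. The Debug event copies the .ilk as well while the Release one does not, which matches the Build.bat change but deserves a one-line comment so the asymmetry is not "fixed" later.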
......@@ -37,6 +37,7 @@ DELVE=$TOP/bin/delve/delve
RNDC=$TOP/bin/rndc/rndc
NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
KEYGEN=$TOP/bin/dnssec/dnssec-keygen
KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
......
......@@ -52,12 +52,11 @@ ns2.update.nil. AAAA ::1
EOF
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha384 -k sha384-key -z keytests.nil > ns1/sha384.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha512 -k sha512-key -z keytests.nil > ns1/sha512.key
$TSIGKEYGEN -r $RANDFILE -a hmac-md5 md5-key > ns1/md5.key
$TSIGKEYGEN -r $RANDFILE -a hmac-sha1 sha1-key > ns1/sha1.key
$TSIGKEYGEN -r $RANDFILE -a hmac-sha224 sha224-key > ns1/sha224.key
$TSIGKEYGEN -r $RANDFILE -a hmac-sha256 sha256-key > ns1/sha256.key
$TSIGKEYGEN -r $RANDFILE -a hmac-sha384 sha384-key > ns1/sha384.key
$TSIGKEYGEN -r $RANDFILE -a hmac-sha512 sha512-key > ns1/sha512.key
(cd ns3; sh -e sign.sh)
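Review bot: The replaced lines only switch which binary generates the keys; none of the new `$TSIGKEYGEN` invocations exercise the alg_fromtext() relaxations this commit also introduces (case-insensitive names, optional "hmac-" prefix), so a regression there would go unnoticed. Changing one or two of them to the new spellings, e.g. `$TSIGKEYGEN -r $RANDFILE -a sha224 sha224-key > ns1/sha224.key` and `$TSIGKEYGEN -r $RANDFILE -a HMAC-SHA384 sha384-key > ns1/sha384.key`, would cover both paths at no cost. Note also that the ddns-confgen `-k`/`-z` path with a non-default algorithm is no longer exercised at all now that only the first `$DDNSCONFGEN -q` line remains.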
......@@ -171,6 +171,7 @@ const FileData installFiles[] =
{"genrandom.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"rndc-confgen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"ddns-confgen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"tsig-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"dnssec-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"dnssec-signzone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"dnssec-dsfromkey.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
......
echo off
rem
rem Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
rem Copyright (C) 2005,2013,2014 Internet Systems Consortium, Inc. ("ISC")
rem
rem Permission to use, copy, modify, and distribute this software for any
rem purpose with or without fee is hereby granted, provided that the above
......@@ -23,6 +23,10 @@ copy /Y ..\..\Build\Release\named-checkzone.exe ..\..\Build\Release\named-compil
if exist ..\..\Build\Debug\named-checkzone.exe copy /Y ..\..\Build\Debug\named-checkzone.exe ..\..\Build\Debug\named-compilezone.exe
if exist ..\..\Build\Debug\named-checkzone.ilk copy /Y ..\..\Build\Debug\named-checkzone.ilk ..\..\Build\Debug\named-compilezone.ilk
copy /Y ..\..\Build\Release\ddns-confgen.exe ..\..\Build\Release\tsig-keygen.exe
if exist ..\..\Build\Debug\ddns-confgen.exe copy /Y ..\..\Build\Debug\ddns-confgen.exe ..\..\Build\Debug\tsig-keygen.exe
if exist ..\..\Build\Debug\ddns-confgen.ilk copy /Y ..\..\Build\Debug\ddns-confgen.ilk ..\..\Build\Debug\tsig-keygen.ilk
@IF PYTHON
echo Copying python scripts
......