Commit e939674d authored by Mark Andrews

4252. [func] Add support for automating the generation of CDS and
             CDNSKEY rrsets to named and dnssec-signzone.
             [RT #40424]
parent 2b39e7bd
4252. [func] Add support for automating the generation CDS and
CDNSKEY rrsets to named and dnssec-signzone.
[RT #40424]
4251. [bug] NTAs were deleted when the server was reconfigured 4251. [bug] NTAs were deleted when the server was reconfigured
or reloaded. [RT #41058] or reloaded. [RT #41058]
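Review bot: the new CHANGES entry 4252 reads "automating the generation CDS and CDNSKEY rrsets"; it is missing "of" and should read "automating the generation of CDS and CDNSKEY rrsets to named and dnssec-signzone."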
......
...@@ -96,85 +96,85 @@ ...@@ -96,85 +96,85 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>-1</term> <term>-1</term>
<listitem> <listitem>
<para> <para>
Use SHA-1 as the digest algorithm (the default is to use Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256). both SHA-1 and SHA-256).
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-2</term> <term>-2</term>
<listitem> <listitem>
<para> <para>
Use SHA-256 as the digest algorithm. Use SHA-256 as the digest algorithm.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term> <term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem> <listitem>
<para> <para>
Select the digest algorithm. The value of Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1), <option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384). SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive. These values are case insensitive.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-C</term> <term>-C</term>
<listitem> <listitem>
<para> <para>
Generate CDS records rather than DS records. This is mutually Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records. exclusive with generating lookaside records.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term> <term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem> <listitem>
<para> <para>
Specifies the TTL of the DS records. Specifies the TTL of the DS records.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term> <term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem> <listitem>
<para> <para>
Look for key files (or, in keyset mode, Look for key files (or, in keyset mode,
<filename>keyset-</filename> files) in <filename>keyset-</filename> files) in
<option>directory</option>. <option>directory</option>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term> <term>-f <replaceable class="parameter">file</replaceable></term>
<listitem> <listitem>
<para> <para>
Zone file mode: in place of the keyfile name, the argument is Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted. <option>file</option>, then it may be omitted.
</para> </para>
<para> <para>
If <option>file</option> is set to <literal>"-"</literal>, then If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command> possible to use the output of the <command>dig</command>
command as input, as in: command as input, as in:
</para> </para>
<para> <para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput> <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
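Review bot: the `-T` entry still says "Specifies the TTL of the DS records", but with `-C` the tool emits CDS records instead, so it should read "the DS or CDS records". The `-C` entry would also benefit from citing the RFC that defines CDS and CDNSKEY (RFC 7344), in the same way the `-l` entry below cites RFC 4431 for DLV, so a reader knows which specification the generated records follow.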
...@@ -189,64 +189,64 @@ ...@@ -189,64 +189,64 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term> <term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem> <listitem>
<para> <para>
Generate a DLV set instead of a DS set. The specified Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each <option>domain</option> is appended to the name for each
record in the set. record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating in RFC 4431. This is mutually exclusive with generating
CDS records. CDS records.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-s</term> <term>-s</term>
<listitem> <listitem>
<para> <para>
Keyset mode: in place of the keyfile name, the argument is Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file. the DNS domain name of a keyset file.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term> <term>-c <replaceable class="parameter">class</replaceable></term>
<listitem> <listitem>
<para> <para>
Specifies the DNS class (default is IN). Useful only Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode. in keyset or zone file mode.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term> <term>-v <replaceable class="parameter">level</replaceable></term>
<listitem> <listitem>
<para> <para>
Sets the debugging level. Sets the debugging level.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-h</term> <term>-h</term>
<listitem> <listitem>
<para> <para>
Prints usage information. Prints usage information.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-V</term> <term>-V</term>
<listitem> <listitem>
<para> <para>
Prints version information. Prints version information.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsection> </refsection>
...@@ -292,10 +292,10 @@ ...@@ -292,10 +292,10 @@
<refsection><info><title>SEE ALSO</title></info> <refsection><info><title>SEE ALSO</title></info>
<para><citerefentry> <para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>, </citerefentry>,
<citerefentry> <citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum> <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>, </citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>, <citetitle>RFC 3658</citetitle>,
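Review bot: the visible part of SEE ALSO cites RFC 3658 (the DS record) but not RFC 7344, which defines the CDS and CDNSKEY records that `-C` now produces; if it is not already in the part of the list below the cut, add `<citetitle>RFC 7344</citetitle>` next to RFC 3658.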
......
...@@ -68,6 +68,9 @@ static isc_boolean_t setpub = ISC_FALSE, setdel = ISC_FALSE; ...@@ -68,6 +68,9 @@ static isc_boolean_t setpub = ISC_FALSE, setdel = ISC_FALSE;
static isc_boolean_t setttl = ISC_FALSE; static isc_boolean_t setttl = ISC_FALSE;
static isc_stdtime_t pub = 0, del = 0; static isc_stdtime_t pub = 0, del = 0;
static dns_ttl_t ttl = 0; static dns_ttl_t ttl = 0;
static isc_stdtime_t syncadd = 0, syncdel = 0;
static isc_boolean_t setsyncadd = ISC_FALSE;
static isc_boolean_t setsyncdel = ISC_FALSE;
static isc_result_t static isc_result_t
initname(char *setname) { initname(char *setname) {
...@@ -236,6 +239,11 @@ emit(const char *dir, dns_rdata_t *rdata) { ...@@ -236,6 +239,11 @@ emit(const char *dir, dns_rdata_t *rdata) {
dst_key_settime(key, DST_TIME_PUBLISH, pub); dst_key_settime(key, DST_TIME_PUBLISH, pub);
if (setdel) if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del); dst_key_settime(key, DST_TIME_DELETE, del);
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
if (setttl) if (setttl)
dst_key_setttl(key, ttl); dst_key_setttl(key, ttl);
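Review bot: nothing in this hunk or in the argument parsing rejects a `-D sync` date that is earlier than the `-P sync` date, so a key can be written whose CDS/CDNSKEY records are scheduled to be withdrawn before they are published. A sanity check before these calls, along the lines of `if (setsyncadd && setsyncdel && syncdel < syncadd) fatal("sync delete date precedes sync publish date");`, would catch that at the command line rather than in the zone.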
...@@ -278,8 +286,12 @@ usage(void) { ...@@ -278,8 +286,12 @@ usage(void) {
fprintf(stderr, "Timing options:\n"); fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key " fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n"); "publication date\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY publication date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key " fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n"); "deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY deletion date\n");
exit (-1); exit (-1);
} }
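Review bot: the usage text describes the new options as `-P sync date/[+-]offset/none` and `-D sync date/[+-]offset/none`, while the synopsis added to dnssec-settime.docbook in this same commit shows only `date/offset`; the `none` form (unsetting a previously set sync date) is worth showing in both places so the two stay in step.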
...@@ -318,6 +330,18 @@ main(int argc, char **argv) { ...@@ -318,6 +330,18 @@ main(int argc, char **argv) {
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) { switch (ch) {
case 'D': case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncdel)
fatal("-D sync specified more than "
"once");
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel) if (setdel)
fatal("-D specified more than once"); fatal("-D specified more than once");
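Review bot: `(void)isoptarg("dnskey", argv, usage);` makes `-D dnskey <date>` a silently accepted synonym for plain `-D`, but neither the usage text nor the man page changes in this commit mention the `dnskey` keyword; either document it alongside `sync` or drop it. The `/* -Ddnskey ? */` comment should also say that the keyword is optional and has the same effect as `-D` alone. Checking `setsyncdel` before calling `strtotime` mirrors the existing `-D` handling, which is good.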
...@@ -334,6 +358,18 @@ main(int argc, char **argv) { ...@@ -334,6 +358,18 @@ main(int argc, char **argv) {
setttl = ISC_TRUE; setttl = ISC_TRUE;
break; break;
case 'P': case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncadd)
fatal("-P sync specified more than "
"once");
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
break;
}
/* -Pdnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setpub) if (setpub)
fatal("-P specified more than once"); fatal("-P specified more than once");
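Review bot: this `-P sync` branch is a line-for-line copy of the `-D sync` branch in the previous hunk, differing only in the target variable, flag and error message; a small helper taking the `isc_stdtime_t *`, the `isc_boolean_t *` flag and the option letter would remove the duplication and keep the two error messages consistent, and the `/* -Pdnskey ? */` comment has the same undocumented-keyword issue as `-D dnskey`.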
......
...@@ -20,6 +20,7 @@ ...@@ -20,6 +20,7 @@
<date>2014-02-20</date> <date>2014-02-20</date>
</info> </info>
<refentryinfo> <refentryinfo>
<date>August 21, 2015</date>
<corpname>ISC</corpname> <corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor> <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo> </refentryinfo>
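Review bot: the new `<date>August 21, 2015</date>` in `<refentryinfo>` uses a different format from the `<date>2014-02-20</date>` in `<info>` a few lines up, and that earlier date was not bumped even though this commit changes the documented options; update both to one ISO-8601 date so the rendered man page does not show two conflicting revision dates.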
...@@ -50,7 +51,9 @@ ...@@ -50,7 +51,9 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg> <arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg> <arg choice="opt" rep="norepeat"><option>-V</option></arg>
...@@ -62,7 +65,9 @@ ...@@ -62,7 +65,9 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg> <arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg> <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg> <arg choice="opt" rep="norepeat"><option>-V</option></arg>
...@@ -97,68 +102,68 @@ ...@@ -97,68 +102,68 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>-f <replaceable class="parameter">filename</replaceable></term> <term>-f <replaceable class="parameter">filename</replaceable></term>
<listitem> <listitem>
<para> <para>
Zone file mode: instead of a public keyfile name, the argument Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read is the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the domain name is the same as from <option>file</option>. If the domain name is the same as
<option>file</option>, then it may be omitted. <option>file</option>, then it may be omitted.
</para> </para>
<para> <para>
If <option>file</option> is set to <literal>"-"</literal>, then If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input. the zone data is read from the standard input.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term> <term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem> <listitem>
<para> <para>
Sets the directory in which the key files are to reside. Sets the directory in which the key files are to reside.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term> <term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem> <listitem>
<para> <para>
Sets the default TTL to use for this key when it is converted Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone, into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it. <literal>0</literal> or <literal>none</literal> removes it.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-h</term> <term>-h</term>
<listitem> <listitem>
<para> <para>
Emit usage message and exit. Emit usage message and exit.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term> <term>-v <replaceable class="parameter">level</replaceable></term>
<listitem> <listitem>
<para> <para>
Sets the debugging level. Sets the debugging level.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-V</term> <term>-V</term>
<listitem> <listitem>
<para> <para>
Prints version information. Prints version information.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
...@@ -180,25 +185,45 @@ ...@@ -180,25 +185,45 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term> <term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem> <listitem>
<para> <para>
Sets the date on which a key is to be published to the zone. Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will After that date, the key will be included in the zone but will
not be used to sign it. not be used to sign it.
</para> </para>
</listitem> </listitem>
</varlistentry>
<varlistentry>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term> <term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem> <listitem>
<para> <para>
Sets the date on which the key is to be deleted. After that Sets the date on which the CDS and CDNSKEY records that match
date, the key will no longer be included in the zone. (It this key are to be deleted.
may remain in the key repository, however.)
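Review bot: the new `-P sync` entry says when CDS and CDNSKEY records matching the key are published but not what they are for; one sentence noting that these records tell the parent zone which DS record to publish (RFC 7344), so they are only meaningful for a key whose DS is meant to appear at the parent, would help an operator pick the right key. The `-D sync` entry should say the same about withdrawal, and a cross-reference to RFC 7344 in the text would match how the rest of these pages cite the relevant RFCs.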