2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]

Mark Andrews
2009-02-04 01:29:29 +00:00
parent b28493b383
commit 7a9d9a7ba7
38 changed files with 604 additions and 3800 deletions


@@ -1,5 +1,7 @@
2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
2542. [doc] Update the description of dig +adflag. [RT #19290]
2541. [bug] Conditionally update dispatch manager statistics.


@@ -1,4 +1,49 @@
zkt 0.97 --
zkt 0.98 -- 30. Dec 2008
* misc Target "install-man" added to Makefile
man files moved to sub directory "man"
* func If a BIND version greater equal 9.6.0 is used, option -d doesn't
initiate a resigning of a zone. It's just for key rollover.
* func New pseudo algorithms for NSEC3 DNSKEYS added.
Support of NSEC3 hashing if a BIND version greater equal 9.6.0
is used. New parameter "SaltBits" added to the config file to
set the salt length in bits (default is 24 which means 6 hex nibbles).
The number of hash iterations is set to the default value of
dnssec-signzone which depends on key size.
* misc Renaming of all example zone directories so that the directory
name does not end with a dot (Necessary for installing the
source tree in an MS-Windows environment).
str_tolowerdup() renamed to domain_canonicdup() and code added
to append a dot to the domain name if it's not already there.
* misc Add 'sec' (second) qualifier to debug output in kskrollover().
* bug Remove a trailing '/' at the -D argument.
* misc Configure script now uses the BIND_UTIL_PATH out of config_zkt.h
if the BIND dnssec-signzone command is not found
* bug A zone with only a standby key signing key (which means w/o an
active ksk) aborts the dnssec-signer command.
Fixed by Shane Kerr.
* func Changed inc_serial() so that the SOA record parser accepts a label
other than '@' and an optional ttl value before the class and SOA
RR identifier (Both are case insensitive). Thanks to Shane Kerr
for the suggestion.
* bug Change of global configured key liftetime during a zone signing
key rollover results in unnecessary additional pre-published
zone signing keys (Thanks to Frank Behrens for the patch)
* misc Sig_Random config file parameter defaults now to false
* bug The man page refers the wrong licence (GPL instead of BSD)
zkt 0.97 -- 5. Aug 2008
* bug LG_* logging level wasn't mapped to syslog level in lg_mesg().
gettock() in ncparse.c did not recognize C single line comments "//"
@@ -111,7 +156,7 @@ zkt 0.95 -- 19. April 2008
commandline option -O (--option or --config-option)
* misc Function fatal() now has an exit code of 127.
This is neccessary because values from 1 to 64 are
This is necessary because values from 1 to 64 are
reflecting the number of errors occured.
* func Errorlog functionality added


@@ -4,9 +4,11 @@
#
#################################################################
INSTALL_DIR ?= $$HOME/bin
prefix = @prefix@
mandir = @mandir@
INSTALL_DIR = $$HOME/bin
CC ?= @CC@
CC = @CC@
PROFILE = # -pg
OPTIM = # -O3 -DNDEBUG
@@ -42,11 +44,11 @@ OBJ_SER = $(SRC_SER:.c=.o)
#MAN_SER = zkt-soaserial.8
PROG_SER= zkt-soaserial
MAN = $(MAN_ZKT) $(MAN_SIG) #$(MAN_SER)
MAN_ALL = $(MAN_ZKT) $(MAN_SIG) #$(MAN_SER)
OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
configure examples
SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(MAN) $(OTHER)
MNTSAVE = $(SAVE) configure.ac config.h.in doc
SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) man $(OTHER)
MNTSAVE = $(SAVE) configure.ac config.h.in doc
all: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
@@ -76,6 +78,11 @@ install: ## install binaries in INSTALL_DIR
install: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(INSTALL_DIR)
install-man: ## install man pages in mandir
install-man:
test -d $(mandir)/man8/ && cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/
tags: ## create tags file
tags: $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
ctags $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
@@ -98,16 +105,16 @@ mainttar: $(PROJECT)-maint-$(VERSION).tar.gz
configure: configure.ac
autoconf && autoheader
man: $(MAN_ZKT).html $(MAN_ZKT).pdf $(MAN_SIG).html $(MAN_SIG).pdf
man: man/$(MAN_ZKT).html man/$(MAN_ZKT).pdf man/$(MAN_SIG).html man/$(MAN_SIG).pdf
$(MAN_ZKT).html: $(MAN_ZKT)
groff -Thtml -man -mhtml $(MAN_ZKT) > $(MAN_ZKT).html
$(MAN_ZKT).pdf: $(MAN_ZKT)
groff -Tps -man $(MAN_ZKT) | ps2pdf - $(MAN_ZKT).pdf
$(MAN_SIG).html: $(MAN_SIG)
groff -Thtml -man -mhtml $(MAN_SIG) > $(MAN_SIG).html
$(MAN_SIG).pdf: $(MAN_SIG)
groff -Tps -man $(MAN_SIG) | ps2pdf - $(MAN_SIG).pdf
man/$(MAN_ZKT).html: man/$(MAN_ZKT)
groff -Thtml -man -mhtml man/$(MAN_ZKT) > man/$(MAN_ZKT).html
man/$(MAN_ZKT).pdf: man/$(MAN_ZKT)
groff -Tps -man man/$(MAN_ZKT) | ps2pdf - man/$(MAN_ZKT).pdf
man/$(MAN_SIG).html: man/$(MAN_SIG)
groff -Thtml -man -mhtml man/$(MAN_SIG) > man/$(MAN_SIG).html
man/$(MAN_SIG).pdf: man/$(MAN_SIG)
groff -Tps -man man/$(MAN_SIG) | ps2pdf - man/$(MAN_SIG).pdf
$(PROJECT)-$(VERSION).tar.gz: $(SAVE)
@@ -119,7 +126,7 @@ $(PROJECT)-$(VERSION).tar.gz: $(SAVE)
$(PROJECT)-maint-$(VERSION).tar.gz: $(MNTSAVE)
( \
distfiles=`ls -d $(SAVE) | sed 's|^|$(PROJECT)-$(VERSION)/|'` ;\
distfiles=`ls -d $(MNTSAVE) | sed 's|^|$(PROJECT)-$(VERSION)/|'` ;\
cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-maint-$(VERSION).tar.gz $$distfiles ;\
)
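Review bot: The new `install-man` recipe (L95) fails with a make error whenever `$(mandir)/man8/` does not exist yet, because `test -d … && cp …` leaves the shell with the status of the failed test; creating the directory first, `mkdir -p $(mandir)/man8 && cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/`, installs on a fresh prefix instead of stopping. `cp -p` also copies whatever mode the source pages have in the checkout; `install -m 644` gives the installed pages a fixed mode. If the `INSTALL_DIR` and `CC` lines did move from `?=` to `=` (the rendered page does not mark which side is which), overriding those two variables from the environment stops working and only `make VAR=…` overrides remain, which the CHANGELOG does not mention.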


@@ -1,7 +1,7 @@
#
# README dnssec zone key tool
#
# (c) March 2005 - Aug 2008 by Holger Zuleger hznet
# (c) March 2005 - Dec 2008 by Holger Zuleger hznet
# (c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho)
# (c) for zconf.c by Jeroen Masar & Holger Zuleger
#
@@ -16,13 +16,13 @@ The complete software stands under BSD licence (see LICENCE file)
To build the software:
a) Get the current version of zkt
$ wget http://www.hznet.de/dns/zkt/zkt-0.97.tar.gz
$ wget http://www.hznet.de/dns/zkt/zkt-0.98.tar.gz
b) Unpack
$ tar xzvf zkt-0.97.tar.gz
$ tar xzvf zkt-0.98.tar.gz
c) Change to dir
$ cd zkt-0.97
$ cd zkt-0.98
d) Run configure script
$ ./configure
@@ -31,10 +31,6 @@ e) (optional) Edit config_zkt.h
f) Compile
$ make
For MAC users: # this should not needed anymore
$ make macos
For Solaris: # this should not needed anymore
$ make solaris
g) Install
$ make install # this will copy the binarys to $HOME/bin
@@ -42,3 +38,8 @@ g) Install
h) (optional) Install and modify the default dnssec.conf file
$ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf
$ vi /var/named/dnssec.conf
i) Prepare your zones for zkt
Have a look at the presentation I've held at the DE-CIX technical
meeting (http://www.hznet.de/dns/dnssec-decix050916.pdf)
It will give you an overview of how to configure a zone for zkt usage.


@@ -18,15 +18,14 @@ the file or directory name via the commandline option -L (--logfile)
or via the config file parameter "LogFile".
LogFile: ""|"<file>"|"<directory>" (default is "")
If a file is specified, than each run of dnssec-signer will append the
messages to tat file. If a directory is specified, than a file with a
messages to that file. If a directory is specified, than a file with a
name of zkt-<ISOdate&timeUTC>.log" will be created on each dnssec-signer run.
Logging into the syslog channel could be enabled via the config file
parameter "SyslogFacility".
SyslogFacility: NONE|USER|DAEMON|LOCAL0|..|LOCAL7 (default is USER)
For both channels, the log level could be independently set to one
of six log levels:
For both channels, the log level could be set to one of six log levels:
LG_FATAL, LG_ERROR, LG_WARNING
LB_NOTICE, LG_INFO, LG_DEBUG
@@ -38,12 +37,12 @@ and
(default is NOTICE)
All the log parameters are settable on the commandline via the generic
option -O "optstring" (--config-option="opt").
option -O "optstring" (--config-option="optstring").
A verbose message output to stdout could be achieved by the commandline
option -v (or -v -v).
If you want to log the same messages with loglevel LG_DEBUG to a file or
to syslog, you could enable this by setting the config file option
If you like to have this verbose messages also logged with a level of LG_DEBUG
you should enable this by setting the config file option
"VerboseLog" to a value of 1 or 2.
Current logging messages:
@@ -72,7 +71,7 @@ Some recomended and useful logging settings
VerboseLog: 0
- Setting as in version v0.95
LogFile: "zkt-error.log" # or a directory for seperate logfiles
LogFile: "zkt-error.log" # or a directory for separate logfiles
LogLevel: ERROR
SyslogFacility: NONE
VerboseLog: 0
@@ -83,14 +82,14 @@ Some recomended and useful logging settings
VerboseLog: 0
- Recommended setting for normal usage
LogFile: "zkt.log" # or a directory for seperate logfiles
LogFile: "zkt.log" # or a directory for separate logfiles
LogLevel: ERROR
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 0
- Recommended setting for debugging
LogFile: "zkt.log" # or a directory for seperate logfiles
LogFile: "zkt.log" # or a directory for separate logfiles
LogLevel: DEBUG
SyslogFacility: USER
SyslogLevel: NOTICE


@@ -41,10 +41,6 @@
# define HAS_TIMEGM 1
#endif
#ifndef HAS_UTYPES
# define HAS_UTYPES 1
#endif
#ifndef LOG_FNAMETMPL
# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
#endif
@@ -52,6 +48,10 @@
/* don't change anything below this */
/* the values here are determined or settable via the ./configure script */
#ifndef HAS_UTYPES
# define HAS_UTYPES 1
#endif
#ifndef HAVE_GETOPT_LONG
# define HAVE_GETOPT_LONG 1
#endif
@@ -104,9 +104,9 @@
#ifndef ZKT_VERSION
# if defined(USE_TREE) && USE_TREE
# define ZKT_VERSION "vT0.97 (c) Feb 2005 - Aug 2008 Holger Zuleger hznet.de"
# define ZKT_VERSION "vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
# else
# define ZKT_VERSION "v0.97 (c) Feb 2005 - Aug 2008 Holger Zuleger hznet.de"
# define ZKT_VERSION "v0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
# endif
#endif
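Review bot: The ZKT_VERSION strings (L249, L252) date the release "Feb 2005 - Sep 2008", while the CHANGELOG entry for 0.98 (L22) is dated 30. Dec 2008 and the README (L136) says "Dec 2008"; the same "Sep 2008" text appears in the generated configure (L339), so the source to fix is presumably configure.ac. Moving the `HAS_UTYPES` block below the "don't change anything below this" comment (L237-L241) now states that its value is determined by configure; if that is the intent, a short comment on the block, `/* HAS_UTYPES: set by configure, do not edit here */`, would record why it moved.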

contrib/zkt/configure vendored

@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.59 for ZKT 0.97.
# Generated by GNU Autoconf 2.59 for ZKT 0.98.
#
# Report bugs to <Holger Zuleger hznet.de>.
#
@@ -269,8 +269,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='ZKT'
PACKAGE_TARNAME='zkt'
PACKAGE_VERSION='0.97'
PACKAGE_STRING='ZKT 0.97'
PACKAGE_VERSION='0.98'
PACKAGE_STRING='ZKT 0.98'
PACKAGE_BUGREPORT='Holger Zuleger hznet.de'
ac_unique_file="dnssec-zkt.c"
@@ -780,7 +780,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures ZKT 0.97 to adapt to many kinds of systems.
\`configure' configures ZKT 0.98 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -837,7 +837,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of ZKT 0.97:";;
short | recursive ) echo "Configuration of ZKT 0.98:";;
esac
cat <<\_ACEOF
@@ -964,7 +964,7 @@ fi
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
ZKT configure 0.97
ZKT configure 0.98
generated by GNU Autoconf 2.59
Copyright (C) 2003 Free Software Foundation, Inc.
@@ -978,7 +978,7 @@ cat >&5 <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by ZKT $as_me 0.97, which was
It was created by ZKT $as_me 0.98, which was
generated by GNU Autoconf 2.59. Invocation command line was
$ $0 $@
@@ -2293,26 +2293,28 @@ else
echo "${ECHO_T}no" >&6
fi
bind_util_path=`dirname $SIGNZONE_PROG`
bind_util_path=`dirname "$SIGNZONE_PROG"`
if test -z "$SIGNZONE_PROG" ; then
{ { echo "$as_me:$LINENO: error: *** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***" >&5
echo "$as_me: error: *** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***" >&2;}
{ (exit 1); exit 1; }; }
fi
# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
{ echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5
echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;}
else
# define BIND_UTIL_PATH in config.h.in
# define BIND_UTIL_PATH in config.h.in
cat >>confdefs.h <<_ACEOF
#define BIND_UTIL_PATH "$bind_util_path/"
_ACEOF
# define BIND_VERSION in config.h.in
bind_version=`$SIGNZONE_PROG 2>&1 | grep Version: | tr -dc 0-9`
# define BIND_VERSION in config.h.in
#bind_version=`$SIGNZONE_PROG 2>&1 | sed -n -e "/Version:/s/Version: \(\[0-9\]\[0-9\.\]*\).*/\1/p" | tr -d "."`
bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
cat >>confdefs.h <<_ACEOF
#define BIND_VERSION $bind_version
_ACEOF
fi
ac_ext=c
@@ -3189,7 +3191,7 @@ _ACEOF
cat >>confdefs.h <<_ACEOF
#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2008 Holger Zuleger hznet.de"
#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
_ACEOF
@@ -6090,7 +6092,7 @@ _ASBOX
} >&5
cat >&5 <<_CSEOF
This file was extended by ZKT $as_me 0.97, which was
This file was extended by ZKT $as_me 0.98, which was
generated by GNU Autoconf 2.59. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -6150,7 +6152,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
ZKT config.status 0.97
ZKT config.status 0.98
configured by $0, generated by GNU Autoconf 2.59,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"


@@ -625,11 +625,32 @@ char *dki_algo2str (int algo)
{
switch ( algo )
{
case DK_ALGO_RSA: return ("RSAMD5");
case DK_ALGO_DH: return ("DH");
case DK_ALGO_DSA: return ("DSA");
case DK_ALGO_EC: return ("EC");
case DK_ALGO_RSASHA1: return ("RSASHA1");
case DK_ALGO_RSA: return ("RSAMD5");
case DK_ALGO_DH: return ("DH");
case DK_ALGO_DSA: return ("DSA");
case DK_ALGO_EC: return ("EC");
case DK_ALGO_RSASHA1: return ("RSASHA1");
case DK_ALGO_NSEC3DSA: return ("NSEC3DSA");
case DK_ALGO_NSEC3RSASHA1: return ("NSEC3RSASHA1");
}
return ("unknown");
}
/*****************************************************************
** dki_algo2sstr ()
** return a short string describing the key algorithm
*****************************************************************/
char *dki_algo2sstr (int algo)
{
switch ( algo )
{
case DK_ALGO_RSA: return ("RSAMD5");
case DK_ALGO_DH: return ("DH");
case DK_ALGO_DSA: return ("DSA");
case DK_ALGO_EC: return ("EC");
case DK_ALGO_RSASHA1: return ("RSASHA1");
case DK_ALGO_NSEC3DSA: return ("N3DSA");
case DK_ALGO_NSEC3RSASHA1: return ("N3RSA1");
}
return ("unknown");
}
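Review bot: `dki_algo2sstr` (L381) hands out string literals through a non-const `char *`, so a caller that writes through the result faults on read-only data; `const char *dki_algo2sstr (int algo)` matches `dki_geterrstr` (L411) and only needs the matching declaration in dki.h changed alongside. Its switch duplicates `dki_algo2str` except for the last two cases, so the next algorithm added to one list can silently be missed in the other; a single static table of `{ algo, "long name", "short name" }` rows scanned by both functions keeps them in step. Neither switch has a `default:`; the `return ("unknown")` after the switch is what covers unlisted values, which a one-line comment there could say. `dki_algo2str`'s signature precedes the hunk.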


@@ -60,6 +60,8 @@
# define DK_ALGO_DSA 3 /* RFC2536 (mandatory) */
# define DK_ALGO_EC 4 /* */
# define DK_ALGO_RSASHA1 5 /* RFC3110 */
# define DK_ALGO_NSEC3DSA 6 /* symlink to alg 3 RFC5155 */
# define DK_ALGO_NSEC3RSASHA1 7 /* symlink to alg 5 RFC5155 */
/* protocol types */
# define DK_PROTO_DNS 3
@@ -180,6 +182,7 @@ extern const dki_t *dki_find (const dki_t *list, int ksk, int status, int first)
extern void dki_free (dki_t *dkp);
extern void dki_freelist (dki_t **listp);
extern char *dki_algo2str (int algo);
extern char *dki_algo2sstr (int algo);
extern const char *dki_geterrstr (void);
#endif
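Review bot: The comments on the new `DK_ALGO_NSEC3DSA` and `DK_ALGO_NSEC3RSASHA1` defines (L402-L403) call the values a "symlink" to algorithms 3 and 5; RFC 5155 registers 6 and 7 as algorithm numbers of their own that use the same signing algorithm as 3 and 5 and additionally signal NSEC3 support, so `/* DSA-NSEC3-SHA1: same signing as alg 3, RFC5155 */` and `/* RSASHA1-NSEC3-SHA1: same signing as alg 5, RFC5155 */` read more precisely. The CHANGELOG calls them pseudo algorithms; a note here that they are the IANA numbers, not a ZKT-local encoding, would keep a reader from treating them as internal values.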


@@ -1,436 +0,0 @@
.TH dnssec-signer 8 "June 27, 2008" "ZKT 0.96" ""
\" turn off hyphenation
.\" if n .nh
.nh
.SH NAME
dnssec-signer \(em Secure DNS zone signing tool
.SH SYNOPSYS
.na
.B dnssec-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.B \-N
.I "named.conf"
.RI [ zone
.RI "" ... ]
.br
.B dnssec-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.RB [ \-D
.IR "directory" ]
.RI [ zone
.RI "" ... ]
.br
.B dnssec-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.B \-o
.IR "origin"
.RI [ zonefile ]
.SH DESCRIPTION
The
.I dnssec-signer
command is a wrapper around
.I dnssec-signzone(8)
and
.I dnssec-keygen(8)
to sign a zone and manage the necessary zone keys.
It's able to increment the serial number before signing the zone
and can trigger
.I named(8)
to reload the signed zone file.
The command controls several secure zones and, if started in regular
intervals via
.IR cron(8) ,
can do all that stuff automatically.
.PP
In the most useful usage scenario the command will be called with option
.B \-N
to read the secure zones out of the given
.I named.conf
file.
If you have a configuration file with views, you have to use option
-V viewname or --view viewname to specify the name of the view.
Alternatively you could link the executable file to a second name like
.I dnssec-signer-viewname
and use that command to specify the name of the view.
All master zone statements will be scanned for filenames
ending with ".signed".
These zones will be checked if the necessary zone- and key signing keys
are existent and fresh enough to be used in the signing process.
If some out-dated keys where found, new keying material will be generated via
the
.I dnssec-keygen(8)
command and the old ones will be marked as depreciated.
So the command do anything needed for a zone key rollover as defined by [2].
.PP
If the resigning interval is reached or any new key must be announced,
the serial number of the zone will be incremented and the
.I dnssec-signzone(8)
command will be evoked to sign the zone.
After that, if the option
.B \-r
is given, the
.I rndc(8)
command will be called to reload the zone on the
nameserver.
.PP
In the second form of the command it's possible to specify a directory
tree with the option
.B \-D
.IR dir .
Every secure zone found in a subdirectory below
.I dir
will be signed.
However, it's also possible to reduce the signing to those
zones given as arguments.
In directory mode the pre-requisite is, that the directory name is
exactly (including the trailing dot) the same as the zone name.
.PP
In the last form of the command, the functionality is more or less the same
as the
.I dnssec-signzone (8)
command.
The parameter specify the zone file name and the option
.B \-o
takes the name of the zone.
.PP
If neither
.B \-N
nor
.B \-D
nor
.B \-o
is given, then the default directory specified in the
.I dnssec.conf
file by the parameter
.I zonedir
will be used as the top level directory.
.SH OPTIONS
.TP
.BI \-L " file|dir" ", \-\-logfile=" file|dir
Specify the name of a log file or a directory where
logfiles are created with a name like
.fam C
.\"# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
.RI zkt- YYYY-MM-DD T hhmmss Z.log .
.fam T
.\" \&.
If the argument is not an absolute path name and a zone directory
is specified in the config file, this will prepend the given name.
This option is also settable in the dnssec.conf file via the parameter
.BI LogFile .
.br
The default is no file logging, but error logging to syslog with facility
.BI USER
at level
.BI ERROR
is enabled by default.
These parameters are settable via the config file parameter
.BI "SyslogFacility:" ,
.BI "SyslogLevel:" ,
.BI "LogFile:"
and
.BI "Loglevel" .
.br
There is an additional parameter
.BI VerboseLog:
which specifies the verbosity (0|1|2) of messages that will be logged
with level
.BI DEBUG
to file and syslog.
.TP
.BI \-V " view" ", \-\-view=" view
Try to read the default configuration out of a file named
.I dnssec-<view>.conf .
Instead of specifying the \-V or --view option every time,
it's also possible to create a hard or softlink to the
executable file with an additional name like
.I dnssec-zkt-<view> .
.TP
.BI \-c " file" ", \-\-config=" file
Read configuration values out of the specified file.
Otherwise the default config file is read or build-in defaults
will be used.
.TP
.BI \-O " optstr" ", \-\-config-option=" optstr
Set any config file option via the commandline.
Several config file options could be specified at the argument string
but have to be delimited by semicolon (or newline).
.TP
.BR \-f ", " \-\-force
Force a resigning of the zone, regardless if the resigning interval
is reached, or any new keys must be announced.
.TP
.BR \-n ", " \-\-noexec
Don't execute the
.I dnssec-signzone(8)
command.
Currently this option is of very limited usage.
.TP
.BR \-r ", " \-\-reload
Reload the zone via
.I rndc(8)
after successful signing.
In a production environment it's recommended to use this option
to be sure that a freshly signed zone will be immediately propagated.
However, that's only feasable if the named runs on the signing
machine, which is not recommended.
Otherwise the signed zonefile must be copied to the production
server before reloading the zone.
If this is the case, the parameter
.I propagation
in the
.I dnssec.conf
file must be set to a reasonable value.
.TP
.BR \-v ", " \-\-verbose
Verbose mode (recommended).
A second
.B \-v
will be a little more verbose.
.TP
.BR \-h ", " \-\-help
Print out the online help.
.SH SAMPLE USAGE
.TP
.fam C
.B "dnssec-signer \-N /var/named/named.conf \-r \-v \-v
.fam T
Sign all secure zones found in the named.conf file and, if necessary,
trigger a reload of the zone.
Print some explanatory remarks on stdout.
.TP
.fam C
.B "dnssec-signer \-D zonedir/example.net. \-f \-v \-v
.fam T
Force the signing of the zone found in the directory
.I zonedir/example.net .
Do not reload the zone.
.TP
.fam C
.B "dnssec-signer \-D zonedir \-f \-v \-v example.net.
.fam T
Same as above.
.TP
.fam C
.B "dnssec-signer \-f \-v \-v example.net.
.fam T
Same as above if the
.I dnssec.conf
file contains the path of the parent directory of the
.I example.net
zone.
.TP
.fam C
.B "dnssec-signer \-f \-v \-v \-o example.net. zone.db
.fam T
Same as above if we are in the directory containing the
.I example.net
files.
.TP
.fam C
.B "dnssec-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
.B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
.fam T
.br
Sign the example.net zone but overwrite some config file values with the parameters
given on the commandline.
.SH Zone setup and initial preparation
.TP
Create a separate directory for every secure zone.
.br
This is useful because there are many additional files needed to
secure a zone.
Besides the zone file
.RI ( zone.db ),
there is a signed zone file
.RI ( zone.db.signed),
a minimum of four files containing the keying material,
a file called
.I dnskey.db
with the current used keys,
and the
.I dsset-
and
.IR keyset- files
created by the
.I dnssec-signzone(8)
command.
So in summary there is a minimum of nine files used per secure zone.
For every additional key there are two extra files and
every delegated subzone creates also two or three files.
.TP
Name the directory just like the zone.
.br
That's only needed if you want to use the dnssec-signer command in
directory mode
.RB ( \-D ).
Then the name of the zone will be parsed out of the directory name.
.TP
Change the name of the zone file to \fIzone.db\fP
Otherwise you have to set the name via the
.I dnssec.conf
parameter
.IR zonefile ,
or you have to use the option
.B \-o
to name the zone and specify the zone file as argument.
.TP
Add the name of the signed zonefile to the \fInamed.conf\fP file
The filename is the name of the zone file with the
extension
.IR .signed .
Create an empty file with the name
.IB zonefile .signed
in the zone directory.
.TP
Include the keyfile in the zone.
The name of the keyfile is settable by the
.I dnssec.conf
parameter
.I keyfile .
The default is
.I dnskey.db .
.br
.if t \{\
.nf
.fam C
...
IN NS ns1.example.net.
IN NS ns2.example.net.
$INCLUDE dnskey.db
...
.fi
.fam T
.\}
.TP
Control the format of the SOA-Record
For automatic incrementation of the serial number, the SOA-Record
must be formated, so that the serial number is on a single line and
left justified in a field of at least 10 spaces!
.if t \{\
.fam C
.fi 0
@ IN SOA ns1.example.net. hostmaster.example.net. (
60 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
7200 ); Minimum
.fi
.fam T
.\}
If you use a BIND Verison of 9.4 or greater and
use the unixtime format for the serial number (See parameter
Serialformat in
.IR dnssec.conf )
than this is not necessary.
.TP
Try to sign the zone
If the current working directory is the directory of the zone
.IR example.net ,
use the command
.fam C
.nf
.sp 0.5
$ dnssec-signer \-D .. \-v \-v example.net
$ dnssec-signer \-o example.net.
.sp 0.5
.fi
.fam T
to create the initial keying material and a signed zone file.
Then try to load the file on the name server.
.SH ENVIRONMENT VARIABLES
.TP
ZKT_CONFFILE
Specifies the name of the default global configuration files.
.SH FILES
.TP
.I /var/named/dnssec.conf
Built-in default global configuration file.
The name of the default global config file is settable via
the environment variable ZKT_CONFFILE.
Use
.I dnssec-zkt(8)
with option
.B \-Z
to create an initial config file.
.TP
.I /var/named/dnssec-<view>.conf
View specific global configuration file.
.TP
.I ./dnssec.conf
Local configuration file.
.TP
.I dnskey.db
The file contains the currently used key and zone signing keys.
It will be created by
.IR dnsssec-signer(8) .
The name of the file is settable via the dnssec configuration
file (parameter
.IR keyfile ).
.TP
.I zone.db
This is the zone file.
The name of the file is settable via the dnssec configuration
file (parameter
.IR zonefile ).
.SH BUGS
.PP
The zone name given as an argument must be ending with a dot.
.PP
The named.conf parser is a little bit rudimental and not
very well tested.
.SH AUTHOR
Holger Zuleger
.SH COPYRIGHT
Copyright (c) 2005 \- 2008 by Holger Zuleger.
Licensed under the GPL 2. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
.\"--------------------------------------------------
.SH SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), dnssec-zkt(8)
.br
RFC4033, RFC4034, RFC4035
.br
[1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
.br
(http://www.nlnetlabs.nl/dnssec_howto/)
.br
[2] RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman
.br
(http://www.ietf.org/rfc/rfc4641.txt)


@@ -3,7 +3,7 @@
** @(#) dnssec-signer.c (c) Jan 2005 Holger Zuleger hznet.de
**
** A wrapper around the BIND dnssec-signzone command which is able
** to resign a zone if neccessary and doing a zone or key signing key rollover.
** to resign a zone if necessary and doing a zone or key signing key rollover.
**
** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
** This software is open source.
@@ -125,6 +125,12 @@ static int dynamic_zone = 0; /* dynamic zone ? */
static zone_t *zonelist = NULL; /* must be static global because add2zonelist use it */
static zconf_t *config;
/** macros **/
#define set_bind94_dynzone(dz) ((dz) = 1)
#define set_bind96_dynzone(dz) ((dz) = 6)
#define bind94_dynzone(dz) ( (dz) > 0 && (dz) < 6 )
#define bind96_dynzone(dz) ( (dz) >= 6 )
int main (int argc, char *const argv[])
{
int c;
@@ -196,7 +202,11 @@ int main (int argc, char *const argv[])
break;
#if defined(BIND_VERSION) && BIND_VERSION >= 940
case 'd':
dynamic_zone = 1;
#if BIND_VERSION >= 960
set_bind96_dynzone (dynamic_zone);
#else
set_bind94_dynzone(dynamic_zone);
#endif
/* dynamic zone requires a name server reload... */
reloadflag = 0; /* ...but "rndc thaw" reloads the zone anyway */
break;
@@ -242,16 +252,18 @@ int main (int argc, char *const argv[])
if ( origin ) /* option -o ? */
{
int ret;
if ( (argc - optind) <= 0 ) /* no arguments left ? */
zone_readdir (".", origin, NULL, &zonelist, config, dynamic_zone);
ret = zone_readdir (".", origin, NULL, &zonelist, config, dynamic_zone);
else
zone_readdir (".", origin, argv[optind], &zonelist, config, dynamic_zone);
ret = zone_readdir (".", origin, argv[optind], &zonelist, config, dynamic_zone);
/* anyway, "delete" all (remaining) arguments */
optind = argc;
/* complain if nothing could read in */
if ( zonelist == NULL )
if ( ret != 1 || zonelist == NULL )
{
lg_mesg (LG_FATAL, "\"%s\": couldn't read", origin);
fatal ("Couldn't read zone \"%s\"\n", origin);
@@ -271,10 +283,19 @@ int main (int argc, char *const argv[])
}
if ( dirname ) /* option -D ? */
{
if ( !parsedir (dirname, &zonelist, config) )
fatal ("Can't read directory tree %s\n", dirname);
char *dir = strdup (dirname);
p = dir + strlen (dir);
if ( p > dir )
p--;
if ( *p == '/' )
*p = '\0'; /* remove trailing path seperator */
if ( !parsedir (dir, &zonelist, config) )
fatal ("Can't read directory tree %s\n", dir);
if ( zonelist == NULL )
fatal ("No signed zone found in directory tree %s\n", dirname);
fatal ("No signed zone found in directory tree %s\n", dir);
free (dir);
}
/* none of the above: read current directory tree */
@@ -452,13 +473,13 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
zfile_time = file_mtime (path);
currtime = time (NULL);
/* check rfc5011 key signing keys, create new one if neccessary */
/* check rfc5011 key signing keys, create new one if necessary */
dbg_msg("parsezonedir check rfc 5011 ksk ");
newkey = ksk5011status (&zp->keys, zp->dir, zp->zone, zp->conf);
if ( (newkey & 02) != 02 ) /* not a rfc 5011 zone ? */
{
verbmesg (2, zp->conf, "\t\t->not a rfc5011 zone, looking for a regular ksk rollover\n");
/* check key signing keys, create new one if neccessary */
/* check key signing keys, create new one if necessary */
dbg_msg("parsezonedir check ksk ");
newkey |= kskstatus (zonelist, zp);
}
@@ -493,7 +514,7 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
if ( force )
snprintf (mesg, sizeof(mesg), "Option -f");
else if ( newkey )
snprintf (mesg, sizeof(mesg), "New zone key");
snprintf (mesg, sizeof(mesg), "Modfied zone key set");
else if ( newkeysetfile )
snprintf (mesg, sizeof(mesg), "Modified KSK in delegated domain");
else if ( file_mtime (path) > zfilesig_time )
@@ -503,7 +524,7 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
else if ( (currtime - zfilesig_time) > zp->conf->resign - (OFFSET) )
snprintf (mesg, sizeof(mesg), "re-signing interval (%s) reached",
str_delspace (age2str (zp->conf->resign)));
else if ( dynamic_zone )
else if ( bind94_dynzone (dynamic_zone) )
snprintf (mesg, sizeof(mesg), "dynamic zone");
if ( *mesg )
@@ -517,7 +538,8 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
dbg_line ();
if ( !(force || newkey || newkeysetfile || zfile_time > zfilesig_time ||
file_mtime (path) > zfilesig_time ||
(currtime - zfilesig_time) > zp->conf->resign - (OFFSET) || dynamic_zone) )
(currtime - zfilesig_time) > zp->conf->resign - (OFFSET) ||
bind94_dynzone (dynamic_zone)) )
{
verbmesg (2, zp->conf, "\tCheck if there is a parent file to copy\n");
if ( zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 )
@@ -541,7 +563,7 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
use_unixtime = ( zp->conf->serialform == Unixtime );
dbg_val1 ("Use unixtime = %d\n", use_unixtime);
#if defined(BIND_VERSION) && BIND_VERSION >= 940
if ( !dynamic_zone && !use_unixtime ) /* increment serial no in static zone files */
if ( !dynamic_zone && !use_unixtime ) /* increment serial number in static zone files */
#else
if ( !dynamic_zone ) /* increment serial no in static zone files */
#endif
@@ -746,9 +768,10 @@ static int writekeyfile (const char *fname, const dki_t *list, int key_ttl)
static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)
{
char cmd[1023+1];
char cmd[2047+1];
char str[1023+1];
char rparam[254+1];
char nsec3param[637+1];
char keysetdir[254+1];
const char *gends;
const char *pseudo;
@@ -782,6 +805,32 @@ static int sign_zone (const char *dir, const char *domain, const char *file, con
if ( conf->sig_param && conf->sig_param[0] )
param = conf->sig_param;
nsec3param[0] = '\0';
#if defined(BIND_VERSION) && BIND_VERSION >= 960
if ( conf->z_algo == DK_ALGO_NSEC3DSA || conf->z_algo == DK_ALGO_NSEC3RSASHA1 )
{
static char hexstr[] = "0123456789ABCDEF";
static int seed = 0;
char salt[510+1]; /* salt has a maximum of 255 bytes == 510 hex nibbles */
int saltlen = 0; /* current length of salt in hex nibbles */
int i;
int hex;
if ( seed == 0 )
srandom (seed = (unsigned int)time (NULL));
saltlen = conf->saltbits / 4;
for ( i = 0; i < saltlen; i++ )
{
hex = random () % 16;
assert ( hex >= 0 && hex < 16 );
salt[i] = hexstr[hex];
}
salt[i] = '\0';
snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
}
#endif
dbg_line();
rparam[0] = '\0';
if ( conf->sig_random && conf->sig_random[0] )
@@ -802,8 +851,8 @@ static int sign_zone (const char *dir, const char *domain, const char *file, con
dir, SIGNCMD, param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
else
#endif
snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s-o %s -e +%d %s %s K*.private",
dir, SIGNCMD, param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%d %s %s K*.private",
dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
verbmesg (2, conf, "\t Run cmd \"%s\"\n", cmd);
*str = '\0';
if ( noexec == 0 )


@@ -1,481 +0,0 @@
.TH dnssec-zkt 8 "July 27, 2008" "ZKT 0.97" ""
\" turn off hyphenation
.\" if n .nh
.nh
.SH NAME
dnssec-zkt \(em Secure DNS zone key tool
.SH SYNOPSYS
.na
.B dnssec-zkt
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-adefhkLrptz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.BR \-C <label>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-krpz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-create= <label>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-krpz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.BR \- { P | A | D | R } <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-published= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-active= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-depreciate= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-rename= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.BR \-\-destroy= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.B \-T
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-hr ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.B \-\-list-trustedkeys
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-hr ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.B \-K
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-hkzr ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.B \-\-list-dnskeys
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-hkzr ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.B \-Z
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.B dnssec-zkt
.B \-\-zone-config
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.B dnssec-zkt
.B \-9 | \-\-ksk-rollover
.br
.B dnssec-zkt
.B \-1 | \-\-ksk-roll-phase1
.I "do.ma.in."
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.B dnssec-zkt
.B \-2 | \-\-ksk-roll-phase2
.I "do.ma.in."
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.B dnssec-zkt
.B \-3 | \-\-ksk-roll-phase3
.I do.ma.in.
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.B dnssec-zkt
.B \-0 | \-\-ksk-roll-stat
.I do.ma.in.
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.ad
.SH DESCRIPTION
The
.I dnssec-zkt
command is a wrapper around
.I dnssec-keygen(8)
to assist in dnssec zone key management.
.PP
In the common usage the command prints out information about
all dnssec (zone) keys found in the given (or predefined default) directory.
It's also possible to specify keyfiles (K*.key) as arguments.
With option
.B \-r
subdirectories will be searched recursively, and all dnssec keys found
will be listed sorted by domain name, key type and generation time.
In that mode the use of the
.B \-p
option may be helpful to find the location of the keyfile in the directory tree.
.PP
Other forms of the command print out keys in a format suitable for
a trusted-key section or as a DNSKEY resource record.
.PP
The command is also useful in dns key management.
It allows key livetime monitoring and status change.
.SH GENERAL OPTIONS
.TP
.BI \-V " view" ", \-\-view=" view
Try to read the default configuration out of a file named
.I dnssec-<view>.conf .
Instead of specifying the \-V or --view option every time,
it's also possible to create a hard or softlink to the
executable file to give it an additional name like
.I dnssec-zkt-<view> .
.TP
.BI \-c " file" ", \-\-config=" file
Read default values from the specified config file.
Otherwise the default config file is read or build in defaults
will be used.
.TP
.BI \-O " optstr" ", \-\-config-option=" optstr
Set any config file option via the commandline.
Several config file options could be specified at the argument string
but have to be delimited by semicolon (or newline).
.TP
.BI \-l " list"
Print out information solely about domains given in the comma or space separated
list.
Take care of, that every domain name has a trailing dot.
.TP
.BR \-d ", " \-\-directory
Skip directory arguments.
This will be useful in combination with wildcard arguments
to prevent dnsssec-zkt to list all keys found in subdirectories.
For example "dnssec-zkt -d *" will print out a list of all keys only found in
the current directory.
Maybe it's easier to use "dnssec-zkt ." instead (without -r set).
The option works similar to the \-d option of
.IR ls(1) .
.TP
.BR \-L ", " \-\-left-justify
Print out the domain name left justified.
.TP
.BR \-k ", " \-\-ksk
Select and print key signing keys only (default depends on command mode).
.TP
.BR \-z ", " \-\-zsk
Select and print zone signing keys only (default depends on command mode).
.TP
.BR \-r ", " \-\-recursive
Recursive mode (default is off).
.br
Also settable in the dnssec.conf file (Parameter: Recursive).
.TP
.BR \-p ", " \-\-path
Print pathname in listing mode.
In -C mode, don't create the new key in the same directory as (already existing)
keys with the same label.
.TP
.BR \-a ", " \-\-age
Print age of key in weeks, days, hours, minutes and seconds (default is off).
.br
Also settable in the dnssec.conf file (Parameter: PrintAge).
.TP
.BR \-f ", " \-\-lifetime
Print the key lifetime.
.TP
.BR \-F ", " \-\-setlifetime
Set the key lifetime of all the selected keys.
Use option -k, -z, -l or the file and dir argument for key selection.
.TP
.BR \-e ", " \-\-exptime
Print the key expiration time.
.TP
.BR \-t ", " \-\-time
Print the key generation time (default is on).
.br
Also settable in the dnssec.conf file (Parameter: PrintTime).
.TP
.B \-h
No header or trusted-key section header and trailer in -T mode
.PP
.SH COMMAND OPTIONS
.TP
.BR \-H ", " \-\-help
Print out the online help.
.TP
.BR \-T ", " \-\-list-trustedkeys
List all key signing keys as a
.I named.conf
trusted-key section.
Use
.B \-h
to supress the section header/trailer.
.TP
.BR \-K ", " \-\-list-dnskeys
List the public part of all the keys in DNSKEY resource record format.
Use
.B \-h
to suppress comment lines.
.TP
.BI \-C " zone" ", \-\-create=" zone
Create a new zone signing key for the given zone.
Add option
.B \-k
to create a key signing key.
The key algorithm and key length will be examined from built-in default values
or from the parameter settings in the
.I dnssec.conf
file.
.br
The keyfile will be created in the current directory if
the
.B \-p
option is specified.
.TP
.BI \-R " keyid" ", \-\-revoke=" keyid
Revoke the key signing key with the given keyid.
A revoked key has bit 8 in the flags filed set (see RFC5011).
The keyid is the numeric keytag with an optionally added zone name separated by a colon.
.TP
.BI \-\-rename=" keyid
Rename the key files of the key with the given keyid
(Look at key file names starting with an lower 'k').
The keyid is the numeric keytag with an optionally added zone name separated by a colon.
.TP
.BI \-\-destroy= keyid
Deletes the key with the given keyid.
The keyid is the numeric keytag with an optionally added zone name separated by a colon.
Beware that this deletes both private and public keyfiles, thus the key is
unrecoverable lost.
.TP
.BI \-P|A|D " keyid," " \-\-published=" keyid, " \-\-active=" keyid, " \-\-depreciated=" keyid
Change the status of the given dnssec key to
published
.RB ( \-P ),
active
.RB ( \-A )
or depreciated
.RB ( \-D ).
The
.I keyid
is the numeric keytag with an optionally added zone name separated by a colon.
Setting the status to "published" or "depreciate" will change the filename
of the private key file to ".published" or ".depreciated" respectivly.
This prevents the usage of the key as a signing key by the use of
.IR dnssec-signzone(8) .
The time of status change will be stored in the 'mtime' field of the corresponding
".key" file.
Key activation via option
.B \-A
will restore the original timestamp and file name (".private").
.TP
.BR \-Z ", " \-\-zone-config
Write all config parameters to stdout.
The output is suitable as a template for the
.I dnssec.conf
file, so the easiest way to create a
.I dnssec.conf
file is to redirect the standard output of the above command.
Pay attention not to overwrite an existing file.
.TP
.BI \-\-ksk-roll-phase[123] " do.ma.in."
Initiate a key signing key rollover of the specified domain.
This feature is currently in experimental status and is mainly for the use
in an hierachical environment.
Use --ksk-rollover for a little more detailed description.
.SH SAMPLE USAGE
.TP
.fam C
.B "dnssec-zkt \-r .
.fam T
Print out a list of all zone keys found below the current directory.
.TP
.fam C
.B "dnssec-zkt \-Z \-c """"
.fam T
Print out the compiled in default parameters.
.TP
.fam C
.B "dnssec-zkt \-C example.net \-k \-r ./zonedir
.fam T
Create a new key signing key for the zone "example.net".
Store the key in the same directory below "zonedir" where the other
"example.net" keys live.
.TP
.fam C
.B "dnssec-zkt \-T ./zonedir/example.net
.fam T
Print out a trusted-key section containing the key signing keys of "example.net".
.TP
.fam C
.B "dnssec-zkt \-D 123245 \-r .
.fam T
Depreciate the key with tag "12345" below the current directory,
.TP
.fam C
.B "dnssec-zkt --view intern
Print out a list of all zone keys found below the directory where all
the zones of view intern live.
There should be a seperate dnssec config file
.I dnssec-intern.conf
with a directory option to take affect of this.
.TP
.fam C
.B "dnssec-zkt-intern
.fam T
Same as above.
The binary file
.I dnssec-zkt
have linked to
.I dnssec-zkt-intern .
.SH ENVIRONMENT VARIABLES
.TP
ZKT_CONFFILE
Specifies the name of the default global configuration files.
.SH FILES
.TP
.I /var/named/dnssec.conf
Built-in default global configuration file.
The name of the default global config file is settable via
the environment variable ZKT_CONFFILE.
.TP
.I /var/named/dnssec-<view>.conf
View specific global configuration file.
.TP
.I ./dnssec.conf
Local configuration file (only used in
.B \-C
mode).
.SH BUGS
.PP
Some of the general options will not be meaningful in all of the command modes.
.br
The option
.B \-l
and the ksk rollover options
insist on domain names ending with a dot.
.PP
.SH AUTHOR
Holger Zuleger
.SH COPYRIGHT
Copyright (c) 2005 \- 2007 by Holger Zuleger.
Licensed under the GPL 2. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
.\"--------------------------------------------------
.SH SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), dnssec-signer(8),
.br
RFC4641
"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
.br
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
.br
(http://www.nlnetlabs.nl/dnssec_howto/)


@@ -195,7 +195,7 @@ int main (int argc, char *argv[])
action = c;
if ( !optarg )
usage ("ksk rollover requires an domain argument", config);
kskdomain = str_tolowerdup (optarg);
kskdomain = domain_canonicdup (optarg);
break;
case 'T':
trustedkeyflag = 1;
@@ -218,15 +218,7 @@ int main (int argc, char *argv[])
case 19:
case 20:
if ( (keyname = parsetag (optarg, &searchtag)) != NULL )
{
int len = strlen (keyname);
if ( len > 0 && keyname[len-1] != '.' )
{
snprintf (str, sizeof(str), "%s.", keyname);
keyname = str;
}
}
keyname = str_tolowerdup (keyname);
keyname = domain_canonicdup (keyname);
action = c;
break;
case 'a': /* age */
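Review bot: Both new calls, `kskdomain = domain_canonicdup (optarg);` and `keyname = domain_canonicdup (keyname);`, ignore that domain_canonicdup returns NULL when its malloc fails (see the helper's definition elsewhere in this commit), so the rollover domain or key name can silently become NULL and be dereferenced later. A one-line guard after each call, e.g. `if ( kskdomain == NULL ) usage ("out of memory", config);` (or whichever fatal exit main otherwise uses), closes that gap cheaply. The previous str_tolowerdup path presumably had the same weakness, but the rewrite is the moment to fix it. main continues outside this hunk, so its wider error-handling convention is not visible here.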


@@ -1,24 +0,0 @@
;
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
; Last generation time Jun 24 2008 09:58:34
;
; *** List of Key Signing Keys ***
; example.net. tag=31674 algo=RSASHA1 generated Jun 24 2008 09:58:34
example.net. 14400 IN DNSKEY 257 3 5 (
BQEAAAABC23icFZAD3DFBLoEw7DWKl8Hig7azmEbpXHYyAV98l+QQaTA
b98Ob3YbrVJ9IU8E0KBFb5iYpHobxowPsI8FjUH2oL/7PfhtN1E3NlL6
Uhbo8Umf6H0UULEsUTlTT8dnX+ikjAr8bN71YJP7BXlszezsFHuMEspN
dOPyMr93230+R2KTEzC2H4CQzSRIr5xXSIq8kkrJ3miGjTyj5awvXfJ+
eQ==
) ; key id = 31674
; *** List of Zone Signing Keys ***
; example.net. tag=33755 algo=RSASHA1 generated Jun 24 2008 09:58:34
example.net. 14400 IN DNSKEY 256 3 5 (
BQEAAAABzN8pvZb5GSy8AozXt4L8HK/x59TQjh9IaZS+mIyyuHDX2iaF
UigOqHixIJtDLD1r/MfelgJ/Mh6+vCu+XmMQuw==
) ; key id = 33755


@@ -1,5 +1,5 @@
#
# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
# @(#) dnssec.conf vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de
#
# dnssec-zkt options
@@ -26,16 +26,18 @@ ZSK_lifetime: 2w # (1209600 seconds)
ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
SaltBits: 24
# dnssec-signer options
LogFile: "zkt.log"
LogLevel: debug
LogLevel: DEBUG
SyslogFacility: USER
SyslogLevel: notice
SyslogLevel: NOTICE
VerboseLog: 2
Keyfile: "dnskey.db"
Zonefile: "zone.db"
KeySetDir: "../keysets"
DLV_Domain: ""
Sig_Pseudorand: True
Sig_Parameter: ""
Distribute_Cmd: "./dist.sh"


@@ -1,2 +1,2 @@
sub.example.net.dlv.trusted-keys.de. IN DLV 54876 5 1 CAB6127E303A8A8D7D5A29AE05DB60F4C5060B10
sub.example.net.dlv.trusted-keys.de. IN DLV 54876 5 2 7C8CAF1844479F3600213173BB5D1E2A44143D63B6E0B3E10D8C5310 ADF84D30
sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC


@@ -1,4 +1,4 @@
example.net. IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F
example.net. IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F
example.net. IN DS 41151 5 1 BBB692EA07571E412F9385A618C1CAD9BFC1469A
example.net. IN DS 41151 5 2 4D22B44C3DC09BD9EEADFFB917EFCE8E45F22E89FF0C096CD14F4405 CA1CAE3F
example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E


@@ -1,2 +1,2 @@
sub.example.net. IN DS 54876 5 1 CAB6127E303A8A8D7D5A29AE05DB60F4C5060B10
sub.example.net. IN DS 54876 5 2 7C8CAF1844479F3600213173BB5D1E2A44143D63B6E0B3E10D8C5310 ADF84D30
sub.example.net. IN DS 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
sub.example.net. IN DS 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC


@@ -1,13 +1,13 @@
$ORIGIN .
example.net 7200 IN DNSKEY 257 3 5 (
BQEAAAABDAnSCbSyScZdP2M6OQTbTGvZRD5a
vmDYgAwXv0EsnNautYn7kzDGwY3oVTXWDTdI
I+syK0pt0unjUn2ActoXtyFzIk61VRKDroAN
M9/WO0PO/y50vNIGMJUL1TiMR6jCp23eSxQ3
9/1A+BeiU+fMjoJK0/Yc7hbMHWwD8myU0IEX
8R2iVUTXNPNbmUV2M836Eu5SRLIVTc7P4vjK
T1YYVnoQqw==
) ; key id = 41151
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO
g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy
A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
JT9+p0yB/Q==
) ; key id = 7308
7200 IN DNSKEY 257 3 5 (
BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2


@@ -1,8 +1,8 @@
$ORIGIN .
sub.example.net 7200 IN DNSKEY 257 3 5 (
AQOjGNN0/hLA20+W2qo0sktVActYKf1Opnx+
bmkWSrsmJHMBHlT8hL507pGTmDoyH0Ae9+3M
ZSTBL1S+HhA12B0htiTp8IbtN/gZOBbwD36c
BpPe72uDQoUy/TdSn1HLtoqUSMTB+saqCTZW
CfIEqcbHRn0T6PhgqLyCvLzbZ/avYw==
) ; key id = 54876
sub.example.net 7200 IN DNSKEY 257 3 7 (
AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
) ; key id = 18846



@@ -1,10 +1,10 @@
zone "example.NET." in {
type master;
file "example.net./zone.db.signed";
file "example.net/zone.db.signed";
};
zone "sub.example.NET." in {
type master;
file "sub.example.net./zone.db.signed";
file "sub.example.net/zone.db.signed";
};


@@ -1,10 +1,10 @@
zone "example.de." in {
type master;
file "de./example.de./zone.db.signed";
file "de/example.de/zone.db.signed";
};
zone "sub.example.de." in {
type master;
file "de./example.de./sub.example.de./zone.db.signed";
file "de/example.de/sub.example.de/zone.db.signed";
};


@@ -26,3 +26,26 @@
2008-06-12 18:00:39.020: debug: Check ksk status
2008-06-12 18:00:39.020: debug: Re-signing not necessary!
2008-06-12 18:00:39.020: notice: end of run: 0 errors occured
2008-10-03 01:00:45.544: notice: ------------------------------------------------------------
2008-10-03 01:00:45.544: notice: running ../../dnssec-signer -V extern -v -v
2008-10-03 01:00:45.545: debug: parsing zone "example.net" in dir "extern/example.net"
2008-10-03 01:00:45.545: debug: Check RFC5011 status
2008-10-03 01:00:45.545: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2008-10-03 01:00:45.545: debug: Check KSK status
2008-10-03 01:00:45.545: debug: Check ZSK status
2008-10-03 01:00:45.545: debug: Lifetime(2592000 +/-150 sec) of active key 35744 exceeded (5018328 sec)
2008-10-03 01:00:45.546: debug: ->depreciate it
2008-10-03 01:00:45.546: debug: ->activate published key 10367
2008-10-03 01:00:45.546: notice: "example.net": lifetime of zone signing key 35744 exceeded: ZSK rollover done
2008-10-03 01:00:45.546: debug: New key for publishing needed
2008-10-03 01:00:45.614: debug: ->creating new key 14714
2008-10-03 01:00:45.614: info: "example.net": new key 14714 generated for publishing
2008-10-03 01:00:45.614: debug: Re-signing necessary: New zone key
2008-10-03 01:00:45.614: notice: "example.net": re-signing triggered: New zone key
2008-10-03 01:00:45.614: debug: Writing key file "extern/example.net/dnskey.db"
2008-10-03 01:00:45.614: debug: Signing zone "example.net"
2008-10-03 01:00:45.614: debug: Run cmd "cd extern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +864000 -N unixtime zone.db K*.private"
2008-10-03 01:00:46.114: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-10-03 01:00:46.114: debug: Signing completed after 1s.
2008-10-03 01:00:46.114: debug:
2008-10-03 01:00:46.114: notice: end of run: 0 errors occured


@@ -167,3 +167,26 @@
2008-06-12 18:13:43.262: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
2008-06-12 18:13:43.273: debug:
2008-06-12 18:13:43.273: notice: end of run: 0 errors occured
2008-10-03 01:00:38.404: notice: ------------------------------------------------------------
2008-10-03 01:00:38.404: notice: running ../../dnssec-signer -V intern
2008-10-03 01:00:38.405: debug: parsing zone "example.net" in dir "intern/example.net"
2008-10-03 01:00:38.405: debug: Check RFC5011 status
2008-10-03 01:00:38.405: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2008-10-03 01:00:38.405: debug: Check KSK status
2008-10-03 01:00:38.405: debug: Check ZSK status
2008-10-03 01:00:38.405: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (5018321 sec)
2008-10-03 01:00:38.405: debug: ->depreciate it
2008-10-03 01:00:38.405: debug: ->activate published key 23375
2008-10-03 01:00:38.405: notice: "example.net": lifetime of zone signing key 5972 exceeded: ZSK rollover done
2008-10-03 01:00:38.405: debug: New key for publishing needed
2008-10-03 01:00:38.491: debug: ->creating new key 55745
2008-10-03 01:00:38.492: info: "example.net": new key 55745 generated for publishing
2008-10-03 01:00:38.492: debug: Re-signing necessary: New zone key
2008-10-03 01:00:38.492: notice: "example.net": re-signing triggered: New zone key
2008-10-03 01:00:38.492: debug: Writing key file "intern/example.net/dnskey.db"
2008-10-03 01:00:38.492: debug: Signing zone "example.net"
2008-10-03 01:00:38.492: debug: Run cmd "cd intern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +86400 -N unixtime zone.db K*.private"
2008-10-03 01:00:38.796: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-10-03 01:00:38.796: debug: Signing completed after 0s.
2008-10-03 01:00:38.796: debug:
2008-10-03 01:00:38.796: notice: end of run: 0 errors occured


@@ -75,7 +75,7 @@ view "intern" {
zone "example.net" in {
type master;
file "intern/example.net./zone.db.signed";
file "intern/example.net/zone.db.signed";
};
};
@@ -92,6 +92,6 @@ view "extern" {
zone "example.net" in {
type master;
file "extern/example.net./zone.db.signed";
file "extern/example.net/zone.db.signed";
};
};


@@ -1,45 +0,0 @@
;-----------------------------------------------------------------
;
; @(#) example.net/zone.db
;
;-----------------------------------------------------------------
$TTL 7200
; Be sure that the serial number below is left
; justified in a field of at least 10 chars!!
; 0123456789;
; It's also possible to use the date form e.g. 2005040101
@ IN SOA ns1.example.net. hostmaster.example.net. (
263 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
7200 ) ; Minimum
IN NS ns1.example.net.
IN NS ns2.example.net.
ns1 IN A 1.0.0.5
IN AAAA 2001:db8::53
ns2 IN A 1.2.0.6
localhost IN A 127.0.0.1
a IN A 1.2.3.1
b IN MX 10 a
;c IN A 1.2.3.2
d IN A 1.2.3.3
IN AAAA 2001:0db8::3
; Delegation to secure zone; The DS resource record will
; be added by dnssec-signzone automatically if the
; keyset-sub.example.net file is present (run dnssec-signzone
; with option -g or use the dnssec-signer tool) ;-)
sub IN NS ns1.example.net.
sub IN DS 54876 5 1 CAB6127E303A8A8D7D5A29AE05DB60F4C5060B10
sub IN DS 54876 5 2 7C8CAF1844479F3600213173BB5D1E2A44143D63B6E0B3E10D8C5310 ADF84D30
; this file will have all the zone keys
$INCLUDE dnskey.db


@@ -1,146 +0,0 @@
; File written on Tue Jun 24 10:00:31 2008
; dnssec_signzone version 9.5.0
example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
263 ; serial
43200 ; refresh (12 hours)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
7200 RRSIG SOA 5 2 7200 20080724070030 (
20080624070030 33755 example.net.
FFUGR4+nzjZbpDT/RAncV7dNvBy1xil4MO17
DU+gotHHV1Yq+4RRqEnRhOSWydDC9ENAjH7W
lmzr+igFHp8qiw== )
7200 NS ns1.example.net.
7200 NS ns2.example.net.
7200 RRSIG NS 5 2 7200 20080724070030 (
20080624070030 33755 example.net.
mpT5zY57UtLMdl6iKVtvr78vINyaA3NkZ0af
E/TtUUBJeIEjLauzxA5jJBGqLWAiLj8HKWhS
dq1VfORhRh/Xng== )
7200 NSEC a.example.net. NS SOA RRSIG NSEC DNSKEY
7200 RRSIG NSEC 5 2 7200 20080724070030 (
20080624070030 33755 example.net.
Q5yxSoL+Df3UbGe1RSFFj01SoBGLgjXvgLd5
wKota7wnjO8CxidmrN+qcKQHjF+R+mH8GeQ7
xL1qZxKLQqxmwA== )
14400 DNSKEY 256 3 5 (
BQEAAAABzN8pvZb5GSy8AozXt4L8HK/x59TQ
jh9IaZS+mIyyuHDX2iaFUigOqHixIJtDLD1r
/MfelgJ/Mh6+vCu+XmMQuw==
) ; key id = 33755
14400 DNSKEY 257 3 5 (
BQEAAAABC23icFZAD3DFBLoEw7DWKl8Hig7a
zmEbpXHYyAV98l+QQaTAb98Ob3YbrVJ9IU8E
0KBFb5iYpHobxowPsI8FjUH2oL/7PfhtN1E3
NlL6Uhbo8Umf6H0UULEsUTlTT8dnX+ikjAr8
bN71YJP7BXlszezsFHuMEspNdOPyMr93230+
R2KTEzC2H4CQzSRIr5xXSIq8kkrJ3miGjTyj
5awvXfJ+eQ==
) ; key id = 31674
14400 RRSIG DNSKEY 5 2 14400 20080724070030 (
20080624070030 31674 example.net.
BGed6Vivkmx/SM7HuXMy9ex+p0fDWcXW6uTH
SZLs9oAZMSkm8Xh2RNNI1sgZefGpsOc7AZJE
JuIWttqKm5VL57qpEKeTxZ9oE6Vpk4ko5lMo
yTJUoih7lTXo7a1OsNHMFZadE7Fu4Q8pjGUZ
ZJI4zBrT7JmgyPNCkgn1JdC2qJlc6ClHEb4E
6pQyH3BnSOFudZDz8MdVQnqdxpShGwucnf2i
oA== )
14400 RRSIG DNSKEY 5 2 14400 20080724070030 (
20080624070030 33755 example.net.
f03G7Cq3CwWz7Lbe7cl61ciSsdEYv4heYnR3
binJ3xWO7jSiRAvUAfkIYDspdlF/PCOnv8sr
id8TL8q/qQ0MCg== )
a.example.net. 7200 IN A 1.2.3.1
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
VuIrcft9jvWKORJy2SQ4UgWwRnUL4gIiaVpy
3i5hfjM6X38FHsy0SvGrjxQqiurwZZS4NxXG
ljUerawxMdHWWw== )
7200 NSEC b.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
yc/tsRYQRaYsPp+5jPUj2NR0R3zHKvXBQ/RO
14b/eKL9i4NnuzS50qFZwzpcOBOJd6XITO4p
yJNZQKtryRJuSg== )
b.example.net. 7200 IN MX 10 a.example.net.
7200 RRSIG MX 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
xVjOhCO2zJVp1SsoMdM6ePCZUkittsqEP7rI
7j8r2S1j4oiIdXaxCBBVwddhS/x1eziI/a2S
/HwVRJThIYIKnQ== )
7200 NSEC d.example.net. MX RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
jC171VBU0dqcI1NnMUUqrUIjq09sVHnFo9CH
0jKNwxkj+K1Zkr7CBm6htH+EkKKhqKFW8kz7
b2r05FL1xakcnQ== )
d.example.net. 7200 IN A 1.2.3.3
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
Q4C7HCpDR6fxIczzqGDnkpXUL5oxdPDYWF2H
vmAalL++9A5hVGz8S5IfX87dZAg71c1j8ZAe
5oS0pvLQnweoIw== )
7200 AAAA 2001:db8::3
7200 RRSIG AAAA 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
ECjxqQpJCbL6A9iBk/bImgzDNevUXFjq8n2L
14ewG5zQSz/0l0NqcHKtCiruBjHd+DEXjTEI
Qo8RvMm7Rn8OsA== )
7200 NSEC localhost.example.net. A AAAA RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
k+AhslVfBZgXkTaWjDVB+3nLm2ye8UOGMNhY
QcKxJZaVYKnUZfyX1sJONN4UdFjmnkdNcRVC
6ouWrLbIwslqIQ== )
localhost.example.net. 7200 IN A 127.0.0.1
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
wZjK9o3CElHLPSzynvzft/nQAEeBpNOj22vq
3TWa9HWQ0RqL55NRmzxuDtyMtPOFQpniVxgV
jizb8X3SPJ5V1g== )
7200 NSEC ns1.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
e4nOW7PuqCQBYgSCBQH06V2XB7SF85jmfFIc
dSMbsLRK+1tN/Y2+85WKVSQrXZzWRHgjQ+Hw
iL/FWK5Zfq7ixg== )
ns1.example.net. 7200 IN A 1.0.0.5
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
tTfMDk2ww2uWutlhjRMDPGo9ZPugjJqSbdyP
6cJcCDJUBce0UZFxjvDBZhfG7O2XUscooUjp
JpXsJ54ksPugXA== )
7200 AAAA 2001:db8::53
7200 RRSIG AAAA 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
x8iMgcICSOxgx4biLForfZxgMbMVpzwMQR6n
naFVK79GOwFFT8krAfo6K6Rg7Fyu0jSE/59H
3Y15F0ju6YvbAg== )
7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
EYof9XuXHXuWgRF0MzgO/Z8FGYJEfLlJKWCV
IWh+b8XJejLO1Tt0vlJZl0orrs6yam/B8CWb
dgq8ktbqpNHmvg== )
ns2.example.net. 7200 IN A 1.2.0.6
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
Uh93B1J7mOqBcW8sXWHA6vmeGszGJGE/BtFV
cdO4tBNoIDbIdkzBUJZphc6HfK7/gu7WFhAo
5v6cZr4bRDOf6A== )
7200 NSEC sub.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
xOkV3aTsgrP7ZyaHfKhLmjJfhboQJpDYFdqV
y0zzZuGQr7Yr4PxWED5WJhm4fFf48agNWBmm
rk1OaFadv6m2uw== )
sub.example.net. 7200 IN NS ns1.example.net.
7200 NSEC example.net. NS RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
Pr8KFvU/Fr2lp9W6Wqqq47VKrnh3tL90S8Eu
KIPsfmBE00g7eGPVswJUWShXMBZFLtfqI8z/
UBM6VzROSTtryA== )


@@ -62,6 +62,8 @@
extern const char *progname;
static int inc_soa_serial (FILE *fp, int use_unixtime);
static int is_soa_rr (const char *line);
static const char *strfindstr (const char *str, const char *search);
/*****************************************************************
** getnameappendix (progname, basename)
@@ -94,7 +96,8 @@ const char *getnameappendix (const char *progname, const char *basename)
/*****************************************************************
** getdefconfname (view)
** returns the default configuration file name
** returns a pointer to a dynamic string containing the
** default configuration file name
*****************************************************************/
const char *getdefconfname (const char *view)
{
@@ -105,13 +108,14 @@ const char *getdefconfname (const char *view)
if ( (file = getenv ("ZKT_CONFFILE")) == NULL )
file = CONFIG_FILE;
dbg_val2 ("getdefconfname (%s) file = %s\n", view ? view : "NULL", file);
if ( view == NULL || *view == '\0' || (p = strrchr (file, '.')) == NULL )
return strdup (file);
size = strlen (file) + strlen (view) + 1 + 1;
if ( (buf = malloc (size)) == NULL )
return file;
return strdup (file);
dbg_val1 ("0123456789o123456789o123456789\tsize=%d\n", size);
dbg_val4 ("%.*s-%s%s\n", p - file, file, view, p);
@@ -120,6 +124,40 @@ const char *getdefconfname (const char *view)
return buf;
}
#if 1
/*****************************************************************
** domain_canonicdup (s)
** returns NULL or a pointer to a dynamic string containing the
** canonic (all lower case letters and ending with a '.')
** domain name
*****************************************************************/
char *domain_canonicdup (const char *s)
{
char *new;
char *p;
int len;
int add_dot;
if ( s == NULL )
return NULL;
add_dot = 0;
len = strlen (s);
if ( len > 0 && s[len-1] != '.' )
add_dot = len++;
if ( (new = p = malloc (len + 1)) == NULL )
return NULL;
while ( *s )
*p++ = tolower (*s++);
if ( add_dot )
*p++ = '.';
*p = '\0';
return new;
}
#else
/*****************************************************************
** str_tolowerdup (s)
*****************************************************************/
@@ -137,6 +175,7 @@ char *str_tolowerdup (const char *s)
return new;
}
#endif
/*****************************************************************
** str_delspace (s)
@@ -956,7 +995,7 @@ time_t stop_timer (time_t start)
**
** To match the SOA record, the SOA RR must be formatted
** like this:
** @ IN SOA <master.fq.dn.> <hostmaster.fq.dn.> (
** @ [ttl] IN SOA <master.fq.dn.> <hostmaster.fq.dn.> (
** <SPACEes or TABs> 1234567890; serial number
** <SPACEes or TABs> 86400 ; other values
** ...
@@ -972,7 +1011,6 @@ int inc_serial (const char *fname, int use_unixtime)
{
FILE *fp;
char buf[4095+1];
char master[254+1];
int error;
/**
@@ -988,8 +1026,7 @@ int inc_serial (const char *fname, int use_unixtime)
return -1;
/* read until the line matches the beginning of a soa record ... */
while ( fgets (buf, sizeof buf, fp) &&
sscanf (buf, "@ IN SOA %255s %*s (\n", master) != 1 )
while ( fgets (buf, sizeof buf, fp) && !is_soa_rr (buf) )
;
if ( feof (fp) )
@@ -1005,6 +1042,54 @@ int inc_serial (const char *fname, int use_unixtime)
return error;
}
/*****************************************************************
** check if line is the beginning of a SOA RR record, thus
** containing the string "IN .* SOA" and ends with a '('
** returns 1 if true
*****************************************************************/
static int is_soa_rr (const char *line)
{
const char *p;
assert ( line != NULL );
if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") ) /* line contains "IN" and "SOA" */
{
p = line + strlen (line) - 1;
while ( p > line && isspace (*p) )
p--;
if ( *p == '(' ) /* last character have to be a '(' to start a multi line record */
return 1;
}
return 0;
}
/*****************************************************************
** Find string 'search' in 'str' and ignore case in comparison.
** returns the position of 'search' in 'str' or NULL if not found.
*****************************************************************/
static const char *strfindstr (const char *str, const char *search)
{
const char *p;
int c;
assert ( str != NULL );
assert ( search != NULL );
c = tolower (*search);
p = str;
do {
while ( *p && tolower (*p) != c )
p++;
if ( strncasecmp (p, search, strlen (search)) == 0 )
return p;
p++;
} while ( *p );
return NULL;
}
/*****************************************************************
** return the serial number of the current day in the form
** of YYYYmmdd00
@@ -1100,8 +1185,11 @@ main (int argc, char *argv[])
now = today_serialtime ();
printf ("now = %lu\n", now);
if ( (err = inc_serial (argv[1]), 0) < 0 )
if ( (err = inc_serial (argv[1], 0)) <= 0 )
{
error ("can't change serial errno=%d\n", err);
exit (1);
}
snprintf (cmd, sizeof(cmd), "head -15 %s", argv[1]);
system (cmd);


@@ -56,7 +56,11 @@ extern int copyfile (const char *fromfile, const char *tofile, const char *dnske
extern int copyzonefile (const char *fromfile, const char *tofile, const char *dnskeyfile);
extern int cmpfile (const char *file1, const char *file2);
extern char *str_delspace (char *s);
#if 1
extern char *domain_canonicdup (const char *s);
#else
extern char *str_tolowerdup (const char *s);
#endif
extern int in_strarr (const char *str, char *const arr[], int cnt);
extern const char *splitpath (char *path, size_t size, const char *filename);
extern char *pathname (char *name, size_t size, const char *path, const char *file, const char *ext);
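Review bot: The `#if 1` / `#else` / `#endif` around the new `domain_canonicdup` prototype keeps the superseded `str_tolowerdup` declaration in the public header as permanently dead code. Unless the old name is still referenced somewhere, the three preprocessor lines can be dropped so that only `extern char *domain_canonicdup (const char *s);` remains; the `#endif` that follows `str_tolowerdup` in misc.c at the top of this page suggests the definition is guarded the same way and could be cleaned up at the same time.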


@@ -276,7 +276,7 @@ static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)
parfile_age = file_age (path);
/* TODO: Set these values to the one found in the parent dnssec.conf file */
parent_propagation = 5 * MINSEC;
parent_propagation = PARENT_PROPAGATION;
parent_resign = z->resign;
parent_keyttl = z->key_ttl;
@@ -293,7 +293,7 @@ static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)
return 1;
}
else
verbmesg (2, z, "\t\tkskrollover: we are in state 1 and waiting for propagation of the new key (parentfile %d < prop %d + keyttl %d\n", parfile_age, z->proptime, z->key_ttl);
verbmesg (2, z, "\t\tkskrollover: we are in state 1 and waiting for propagation of the new key (parentfile %dsec < prop %dsec + keyttl %dsec\n", parfile_age, z->proptime, z->key_ttl);
break;
case 2: /* we are currently in state two (propagation of new key to the parent) */
#if 0
@@ -318,7 +318,7 @@ static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)
#if 0
verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %d < parentprop %d + parentresig %d + parentkeyttl %d\n", parfile_age, parent_propagation, parent_resign, parent_keyttl);
#else
verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %d < parentprop %d + parentkeyttl %d\n", parfile_age, parent_propagation, parent_keyttl);
verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %dsec < parentprop %dsec + parentkeyttl %dsec\n", parfile_age, parent_propagation, parent_keyttl);
#endif
break;
default:
@@ -373,10 +373,10 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
{
exptime = get_exptime (dkp, z);
if ( dki_isrevoked (dkp) )
lg_mesg (LG_DEBUG, "Rev Exptime: %s", time2str (exptime, 's'));
lg_mesg (LG_DEBUG, "zone \"%s\": found revoked key with exptime of: %s", domain, time2str (exptime, 's'));
/* revoked key is older than 30 days? */
if ( dki_isrevoked (dkp) && currtime > exptime + (DAYSEC * 30) )
if ( dki_isrevoked (dkp) && currtime > exptime + REMOVE_HOLD_DOWN )
{
verbmesg (1, z, "\tRemove revoked key %d which is older than 30 days\n", dkp->tag);
lg_mesg (LG_NOTICE, "zone \"%s\": removing revoked key %d", domain, dkp->tag);
@@ -387,7 +387,7 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
else /* anywhere in the middle of the list */
prev->next = dki_remove (dkp);
ret |= 01; /* from now on a resigning is neccessary */
ret |= 01; /* from now on a resigning is necessary */
}
/* remember oldest standby and active key */
@@ -396,8 +396,8 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
if ( dki_status (dkp) == DKI_ACTIVE )
activekey = dkp;
}
if ( standbykey == NULL && ret == 0 ) /* no standby key and also no revoked key found ? */
/* no activekey or no standby key and also no revoked key found ? */
if ( activekey == NULL || (standbykey == NULL && ret == 0) )
return ret; /* Seems that this is a non rfc5011 zone! */
ret |= 02; /* Zone looks like a rfc5011 zone */
@@ -410,7 +410,7 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
#endif
/* At the time we first introduce a standby key, the lifetime of the current KSK should not be expired, */
/* otherwise we run into an (nearly) immediate key rollover! */
if ( currtime > exptime && currtime > dki_time (standbykey) + min (DAYSEC * 30, z->key_ttl) )
if ( currtime > exptime && currtime > dki_time (standbykey) + min (ADD_HOLD_DOWN, z->key_ttl) )
{
lg_mesg (LG_NOTICE, "\"%s\": starting rfc5011 rollover", domain);
verbmesg (1, z, "\tLifetime of Key Signing Key %d exceeded (%s): Starting rfc5011 rollover!\n",
@@ -434,7 +434,7 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
dki_setstatus (activekey, DKI_REVOKED);
dki_setexptime (activekey, currtime); /* now the key is expired */
ret |= 01; /* resigning neccessary */
ret |= 01; /* resigning necessary */
}
return ret;
@@ -446,7 +446,7 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
** If there is no key signing key present create a new one.
** Prints out a warning message if the lifetime of the current
** key signing key is over.
** Returns 1 if a resigning of the zone is neccessary, otherwise
** Returns 1 if a resigning of the zone is necessary, otherwise
** the function returns 0.
*****************************************************************/
int kskstatus (zone_t *zonelist, zone_t *zp)
@@ -486,7 +486,7 @@ int kskstatus (zone_t *zonelist, zone_t *zp)
/*****************************************************************
** zskstatus ()
** Check the zsk status of a zone.
** Returns 1 if a resigning of the zone is neccessary, otherwise
** Returns 1 if a resigning of the zone is necessary, otherwise
** the function returns 0.
*****************************************************************/
int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)
@@ -576,6 +576,7 @@ int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t
lg_mesg (LG_NOTICE, "\"%s\": lifetime of zone signing key %d exceeded: ZSK rollover done", domain, akey->tag);
akey = nextkey;
nextkey = NULL;
lifetime = dki_lifetime (akey); /* set lifetime to lt of the new active key (F. Behrens) */
}
else
{
@@ -585,7 +586,7 @@ int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t
}
}
}
/* Should we add a new publish key? This is neccessary if the active
/* Should we add a new publish key? This is necessary if the active
* key will be expired at the next re-signing interval (The published
* time will be checked just before the active key will be removed.
* See above).
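Review bot: The log line `verbmesg (1, z, "\tRemove revoked key %d which is older than 30 days\n", dkp->tag);` still hard-codes 30 days although the comparison just above it now uses `REMOVE_HOLD_DOWN`, and the comment `/* revoked key is older than 30 days? */` has the same problem; with rollover.h currently defining `REMOVE_HOLD_DOWN` as `(10 * DAYSEC)` the message reports a threshold that was not applied. Derive the text from the constant instead, e.g. `verbmesg (1, z, "\tRemove revoked key %d which is older than %d days\n", dkp->tag, (int) (REMOVE_HOLD_DOWN / DAYSEC));`, and reword the comment to `/* revoked key older than the remove hold-down time? */`. ksk5011status starts and ends outside the hunks shown here.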


@@ -44,7 +44,14 @@
# include "zconf.h"
#endif
# define OFFSET ((int) (2.5 * MINSEC))
# define OFFSET ((int) (2.5 * MINSEC))
# define PARENT_PROPAGATION (5 * MINSEC)
# define ADD_HOLD_DOWN (30 * DAYSEC)
#if 0
# define REMOVE_HOLD_DOWN (30 * DAYSEC)
#else
# define REMOVE_HOLD_DOWN (10 * DAYSEC) /* reduced for testiing purposes */
#endif
extern int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z);
extern int kskstatus (zone_t *zonelist, zone_t *zp);
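Review bot: `REMOVE_HOLD_DOWN` is compiled as `(10 * DAYSEC)` with the comment `/* reduced for testiing purposes */`, while the 30-day value is parked under `#if 0`; a test-only shortening of the RFC 5011 remove hold-down should not go out in a release, because ksk5011status in rollover.c uses this constant to decide when a revoked key is dropped from the zone, and dropping it early means validators that have not yet observed the revocation lose that signal. Make the 30-day definition the active branch (and fix the `testiing` typo), or turn the override into a build-time option, e.g. `#ifndef REMOVE_HOLD_DOWN` / `# define REMOVE_HOLD_DOWN (30 * DAYSEC)` / `#endif`, so a shortened value has to be requested explicitly.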


@@ -49,7 +49,7 @@
/*****************************************************************
** prepstrlist (str, delim)
** prepare a string with delimeters to a so called strlist.
** prepare a string with delimiters to a so called strlist.
** 'str' is a list of substrings delimeted by 'delim'
** The # of strings is stored at the first byte of the allocated
** memory. Every substring is stored as a '\0' terminated C-String.


@@ -17,10 +17,10 @@ CONF_TIMEINT zconf.c /^ CONF_TIMEINT,$/;" e file:
ISCOMMENT zconf.c 68;" d file:
ISDELIM zconf.c 70;" d file:
ISTRUE zconf.c 66;" d file:
KEYSET_FILE_PFX dnssec-signer.c 669;" d file:
KEYSET_FILE_PFX dnssec-signer.c 691;" d file:
KeyWords ncparse.c /^static struct KeyWords {$/;" s file:
MAXFNAME log.c 97;" d file:
STRCONFIG_DELIMITER zconf.c 505;" d file:
STRCONFIG_DELIMITER zconf.c 513;" d file:
TAINTEDCHARS misc.c 60;" d file:
TOK_DELEGATION ncparse.c 59;" d file:
TOK_DIR ncparse.c 49;" d file:
@@ -41,6 +41,8 @@ add2zonelist dnssec-signer.c /^static int add2zonelist (const char *dir, const c
age2str misc.c /^char *age2str (time_t sec)$/;" f
ageflag dnssec-zkt.c /^int ageflag = 0;$/;" v
b domaincmp.c /^ char *b;$/;" m file:
bind94_dynzone dnssec-signer.c 131;" d file:
bind96_dynzone dnssec-signer.c 132;" d file:
bool2str zconf.c /^static const char *bool2str (int val)$/;" f file:
check_keydb_timestamp dnssec-signer.c /^static int check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;" f file:
checkconfig zconf.c /^int checkconfig (const zconf_t *z)$/;" f
@@ -62,6 +64,7 @@ dirname dnssec-signer.c /^const char *dirname = NULL;$/;" v
dist_and_reload dnssec-signer.c /^static int dist_and_reload (const zone_t *zp)$/;" f file:
dki_add dki.c /^dki_t *dki_add (dki_t **list, dki_t *new)$/;" f
dki_age dki.c /^int dki_age (const dki_t *dkp, time_t curr)$/;" f
dki_algo2sstr dki.c /^char *dki_algo2sstr (int algo)$/;" f
dki_algo2str dki.c /^char *dki_algo2str (int algo)$/;" f
dki_allcmp dki.c /^int dki_allcmp (const dki_t *a, const dki_t *b)$/;" f
dki_alloc dki.c /^static dki_t *dki_alloc ()$/;" f file:
@@ -110,6 +113,7 @@ dki_timecmp dki.c /^int dki_timecmp (const dki_t *a, const dki_t *b)$/;" f
dki_tsearch dki.c /^const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name)$/;" f
dki_unsetflag dki.c /^dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag)$/;" f
dki_writeinfo dki.c /^static int dki_writeinfo (const dki_t *dkp, const char *path)$/;" f file:
domain_canonicdup misc.c /^char *domain_canonicdup (const char *s)$/;" f
domaincmp domaincmp.c /^int domaincmp (const char *a, const char *b)$/;" f
dosigning dnssec-signer.c /^static int dosigning (zone_t *zonelist, zone_t *zp)$/;" f file:
dupconfig zconf.c /^zconf_t *dupconfig (const zconf_t *conf)$/;" f
@@ -160,6 +164,7 @@ is_dotfile misc.c /^int is_dotfile (const char *name)$/;" f
is_exec_ok misc.c /^int is_exec_ok (const char *prog)$/;" f
is_keyfilename misc.c /^int is_keyfilename (const char *name)$/;" f
is_parentdirsigned rollover.c /^static int is_parentdirsigned (const zone_t *zonelist, const zone_t *zp)$/;" f file:
is_soa_rr misc.c /^static int is_soa_rr (const char *line)$/;" f file:
isinlist strlist.c /^int isinlist (const char *str, const char *list)$/;" f
ksk5011status rollover.c /^int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;" f
ksk_roll dnssec-zkt.c /^static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;" f file:
@@ -204,14 +209,14 @@ logflush misc.c /^void logflush ()$/;" f
logmesg misc.c /^void logmesg (char *fmt, ...)$/;" f
long_options dnssec-signer.c /^static struct option long_options[] = {$/;" v file:
long_options dnssec-zkt.c /^static struct option long_options[] = {$/;" v file:
lopt_usage dnssec-signer.c 302;" d file:
lopt_usage dnssec-signer.c 305;" d file:
lopt_usage dnssec-zkt.c 410;" d file:
lopt_usage dnssec-zkt.c 413;" d file:
loptstr dnssec-signer.c 303;" d file:
loptstr dnssec-signer.c 306;" d file:
loptstr dnssec-zkt.c 411;" d file:
loptstr dnssec-zkt.c 414;" d file:
lopt_usage dnssec-signer.c 323;" d file:
lopt_usage dnssec-signer.c 326;" d file:
lopt_usage dnssec-zkt.c 402;" d file:
lopt_usage dnssec-zkt.c 405;" d file:
loptstr dnssec-signer.c 324;" d file:
loptstr dnssec-signer.c 327;" d file:
loptstr dnssec-zkt.c 403;" d file:
loptstr dnssec-zkt.c 406;" d file:
main dnssec-signer.c /^int main (int argc, char *const argv[])$/;" f
main dnssec-zkt.c /^int main (int argc, char *argv[])$/;" f
main domaincmp.c /^main (int argc, char *argv[])$/;" f
@@ -259,6 +264,8 @@ searchitem zkt.c /^static int searchitem;$/;" v file:
searchkw ncparse.c /^static int searchkw (const char *keyword)$/;" f file:
searchresult zkt.c /^static const dki_t *searchresult;$/;" v file:
set_all_varptr zconf.c /^static void set_all_varptr (zconf_t *cp)$/;" f file:
set_bind94_dynzone dnssec-signer.c 129;" d file:
set_bind96_dynzone dnssec-signer.c 130;" d file:
set_keylifetime zkt.c /^static void set_keylifetime (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
set_varptr zconf.c /^static int set_varptr (char *entry, void *ptr)$/;" f file:
setconfigpar zconf.c /^int setconfigpar (zconf_t *config, char *entry, const void *pval)$/;" f
@@ -267,8 +274,8 @@ short_options dnssec-signer.c 66;" d file:
short_options dnssec-signer.c 68;" d file:
short_options dnssec-zkt.c 89;" d file:
sign_zone dnssec-signer.c /^static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)$/;" f file:
sopt_usage dnssec-signer.c 300;" d file:
sopt_usage dnssec-zkt.c 408;" d file:
sopt_usage dnssec-signer.c 321;" d file:
sopt_usage dnssec-zkt.c 400;" d file:
splitpath misc.c /^const char *splitpath (char *path, size_t size, const char *filename)$/;" f
start_timer misc.c /^time_t start_timer ()$/;" f
stop_timer misc.c /^time_t stop_timer (time_t start)$/;" f
@@ -277,6 +284,7 @@ str_chop misc.c /^char *str_chop (char *str, char c)$/;" f
str_delspace misc.c /^char *str_delspace (char *s)$/;" f
str_tolowerdup misc.c /^char *str_tolowerdup (const char *s)$/;" f
str_untaint misc.c /^char *str_untaint (char *str)$/;" f
strfindstr misc.c /^static const char *strfindstr (const char *str, const char *search)$/;" f file:
symtbl log.c /^static lg_symtbl_t symtbl[] = {$/;" v file:
syslog_level log.c /^ int syslog_level;$/;" m file:
tag_search zkt.c /^static void tag_search (const dki_t **nodep, const VISIT which, int depth)$/;" f file:


@@ -93,6 +93,7 @@ static zconf_t def = {
RESIGN_INT,
KSK_LIFETIME, KSK_ALGO, KSK_BITS, KSK_RANDOM,
ZSK_LIFETIME, ZSK_ALGO, ZSK_BITS, ZSK_RANDOM,
SALTLEN,
NULL, /* viewname cmdline paramter */
LOGFILE, LOGLEVEL, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0,
DNSKEYFILE, ZONEFILE, KEYSETDIR,
@@ -143,6 +144,7 @@ static zconf_para_t confpara[] = {
{ "ZSK_algo", 0, CONF_ALGO, &def.z_algo },
{ "ZSK_bits", 0, CONF_INT, &def.z_bits },
{ "ZSK_randfile", 0, CONF_STRING, &def.z_random },
{ "SaltBits", 0, CONF_INT, &def.saltbits },
{ "", 0, CONF_COMMENT, NULL },
{ "", 0, CONF_COMMENT, "dnssec-signer options"},
@@ -236,6 +238,7 @@ static void set_all_varptr (zconf_t *cp)
set_varptr ("zsk_algo", &cp->z_algo);
set_varptr ("zsk_bits", &cp->z_bits);
set_varptr ("zsk_randfile", &cp->z_random);
set_varptr ("saltbits", &cp->saltbits);
set_varptr ("--view", &cp->view);
set_varptr ("logfile", &cp->logfile);
@@ -262,6 +265,8 @@ static void parseconfigline (char *buf, unsigned int line, zconf_t *z)
unsigned int len, found;
zconf_para_t *c;
assert (buf[0] != '\0');
p = &buf[strlen(buf)-1]; /* Chop off white space at eol */
while ( p >= buf && isspace (*p) )
*p-- = '\0';
@@ -357,6 +362,12 @@ static void parseconfigline (char *buf, unsigned int line, zconf_t *z)
*((int *)c->var) = DK_ALGO_DSA;
else if ( strcasecmp (val, "rsasha1") == 0 )
*((int *)c->var) = DK_ALGO_RSASHA1;
else if ( strcasecmp (val, "nsec3dsa") == 0 ||
strcasecmp (val, "n3dsa") == 0 )
*((int *)c->var) = DK_ALGO_NSEC3DSA;
else if ( strcasecmp (val, "nsec3rsasha1") == 0 ||
strcasecmp (val, "n3rsasha1") == 0 )
*((int *)c->var) = DK_ALGO_NSEC3RSASHA1;
else
error ("Illegal algorithm \"%s\" "
"in line %d.\n" , val, line);
@@ -475,13 +486,13 @@ zconf_t *loadconfig (const char *filename, zconf_t *z)
return NULL;
if ( filename && *filename )
memcpy (z, &def, sizeof (*z)); /* init new struct with defaults */
memcpy (z, &def, sizeof (zconf_t)); /* init new struct with defaults */
}
if ( filename == NULL || *filename == '\0' ) /* no file name given... */
{
dbg_val0("loadconfig (NULL)\n");
memcpy (z, &def, sizeof (*z)); /* ..then init with defaults */
memcpy (z, &def, sizeof (zconf_t)); /* ..then init with defaults */
return z;
}
@@ -493,11 +504,8 @@ zconf_t *loadconfig (const char *filename, zconf_t *z)
line = 0;
while (fgets(buf, sizeof(buf), fp))
{
line++;
parseconfigline (buf, ++line, z);
parseconfigline (buf, line, z);
}
fclose(fp);
return z;
}
@@ -513,13 +521,13 @@ zconf_t *loadconfig_fromstr (const char *str, zconf_t *z)
{
if ( (z = calloc (1, sizeof (zconf_t))) == NULL )
return NULL;
memcpy (z, &def, sizeof (*z)); /* init with defaults */
memcpy (z, &def, sizeof (zconf_t)); /* init with defaults */
}
if ( str == NULL || *str == '\0' )
{
dbg_val0("loadconfig_fromstr (NULL)\n");
memcpy (z, &def, sizeof (*z)); /* init with defaults */
memcpy (z, &def, sizeof (zconf_t)); /* init with defaults */
return z;
}
@@ -555,7 +563,7 @@ zconf_t *dupconfig (const zconf_t *conf)
if ( (z = calloc (1, sizeof (zconf_t))) == NULL )
return NULL;
memcpy (z, conf, sizeof (*conf));
memcpy (z, conf, sizeof (zconf_t));
return z;
}
@@ -698,6 +706,14 @@ int checkconfig (const zconf_t *z)
if ( z == NULL )
return 1;
if ( z->saltbits < 4 )
fprintf (stderr, "Saltlength must be at least 4 bits\n");
if ( z->saltbits > 128 )
{
fprintf (stderr, "While the maximum is 520 bits of salt, it's not recommended to use more than 128 bits.\n");
fprintf (stderr, "The current value is %d bits\n", z->saltbits);
}
if ( z->sigvalidity < (1 * DAYSEC) || z->sigvalidity > (12 * WEEKSEC) )
{
fprintf (stderr, "Signature should be valid for at least 1 day and no longer than 3 month (12 weeks)\n");
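Review bot: The new salt check in checkconfig only warns on `z->saltbits < 4` and `z->saltbits > 128`; nothing rejects values above the 520-bit maximum that the message itself names, and nothing checks the 4-bit granularity stated in the `SALTLEN` comment in zconf.h, so a value such as 6 is accepted although how it is rounded to whole hex nibbles is not visible here. Neither branch alters the function's result either, so an out-of-range salt length is reported but still used; consider `if ( z->saltbits < 4 || z->saltbits > 520 || z->saltbits % 4 != 0 )` with the same error handling the function applies to its other range checks. checkconfig's remaining checks and its return are outside the hunk.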


@@ -73,6 +73,7 @@
# define ZSK_ALGO (DK_ALGO_RSASHA1)
# define ZSK_BITS (512)
# define ZSK_RANDOM "/dev/urandom"
# define SALTLEN 24 /* salt length in bits (resolution is 4 bits)*/
# define ZONEDIR "."
# define RECURSIVE 0
@@ -89,7 +90,7 @@
# define DNSKEYFILE "dnskey.db"
# define LOOKASIDEDOMAIN "" /* "dlv.trusted-keys.de" */
# define SIG_RANDOM NULL /* "/dev/urandom" */
# define SIG_PSEUDO 1
# define SIG_PSEUDO 0
# define SIG_GENDS 1
# define SIG_PARAM ""
# define DIST_CMD NULL /* default is to run "rndc reload" */
@@ -143,6 +144,7 @@ typedef struct zconf {
int z_algo;
int z_bits;
char *z_random;
int saltbits;
char *view;
// char *errlog;
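Review bot: The compiled-in default `SIG_PSEUDO` changes from 1 to 0 without any comment, and nothing in the header says what the flag selects, so every installation that does not set the option explicitly silently changes behaviour; presumably this controls whether the signer is run with its pseudo-random option, but that should be confirmed and written down. Add a note next to the definition such as `# define SIG_PSEUDO 0 /* default changed from 1: <state what 0 selects> */`, and mention the changed default in the release notes.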


@@ -100,7 +100,7 @@ static void printkeyinfo (const dki_t *dkp, const char *oldpath)
printf ("%05d ", dkp->tag);
printf ("%3s ", dki_isksk (dkp) ? "KSK" : "ZSK");
printf ("%-3.3s ", dki_statusstr (dkp) );
printf ("%-7s", dki_algo2str(dkp->algo));
printf ("%-7s", dki_algo2sstr(dkp->algo));
if ( timeflag )
printf (" %-20s", time2str (dkp->gentime ? dkp->gentime: dkp->time, 's'));
if ( exptimeflag )


@@ -166,7 +166,7 @@ zone_t *zone_new (zone_t **zp, const char *zone, const char *dir, const char *fi
{
char *p;
new->zone = str_tolowerdup (zone);
new->zone = domain_canonicdup (zone);
new->dir = strdup (dir);
new->file = strdup (file);
/* check if file ends with ".signed" ? */
@@ -208,7 +208,10 @@ int zone_readdir (const char *dir, const char *zone, const char *zfile, zone_t *
else
zone = dir;
}
dbg_val4 ("zone_readdir: (dir: %s, zone: %s, zfile: %s zp, cp, dyn_zone = %d)\n",
if ( zone == NULL ) /* zone name still null ? */
return 0;
dbg_val4 ("zone_readdir: (dir: \"%s\", zone: \"%s\", zfile: \"%s\", zp, cp, dyn_zone = %d)\n",
dir, zone, zfile ? zfile: "NULL", dyn_zone);
if ( dyn_zone )