Compare commits
460 Commits
v9.4-ESV-R
...
v9.6.1-P2
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
0ec67eaaa4 | ||
|
|
f74d0a157b | ||
|
|
bd8302f37d | ||
|
|
38637a6e1d | ||
|
|
a9bc1daf4f | ||
|
|
7dc66d649a | ||
|
|
19e91f021d | ||
|
|
0a2ff2f893 | ||
|
|
eeef28e6d0 | ||
|
|
a65d6dc605 | ||
|
|
9afe470beb | ||
|
|
127820c20f | ||
|
|
2ac5c5415c | ||
|
|
fa8f5570bc | ||
|
|
6d4ad45aee | ||
|
|
13de8b7015 | ||
|
|
9b6701361e | ||
|
|
b514948e9d | ||
|
|
f0af708359 | ||
|
|
f75c7e218c | ||
|
|
76d66c8e52 | ||
|
|
a1b08748d8 | ||
|
|
450d4ae030 | ||
|
|
fb76b4340c | ||
|
|
1d08fbdc2d | ||
|
|
5211674cef | ||
|
|
ef2dfb76b9 | ||
|
|
e844d1f3a8 | ||
|
|
5f5bb6cba2 | ||
|
|
961ff176c2 | ||
|
|
ef55474f25 | ||
|
|
ad120f93e4 | ||
|
|
368e6fb1e7 | ||
|
|
2ab045d9a6 | ||
|
|
64282ffd6d | ||
|
|
c44709c516 | ||
|
|
4d9b982abf | ||
|
|
de9b26db37 | ||
|
|
afdc7dee62 | ||
|
|
eac1bcca33 | ||
|
|
8371f50c6e | ||
|
|
c363a13c50 | ||
|
|
6833e6ba4c | ||
|
|
cd4d18cfee | ||
|
|
520a24ee91 | ||
|
|
0ddedb1781 | ||
|
|
2a2e4dbefb | ||
|
|
27f8258b13 | ||
|
|
ab23f14a30 | ||
|
|
fff31a08a9 | ||
|
|
e5ad562a79 | ||
|
|
83271977c3 | ||
|
|
799a4ab7d7 | ||
|
|
7cbcbb2938 | ||
|
|
ece0a1d2c8 | ||
|
|
64ebbbcbb1 | ||
|
|
77d2bb78af | ||
|
|
bbf5334896 | ||
|
|
54d1801f14 | ||
|
|
f10e82ecfb | ||
|
|
7115862967 | ||
|
|
a9785879cb | ||
|
|
587355bb62 | ||
|
|
e101c2937c | ||
|
|
a9775fe88d | ||
|
|
b42ba4cace | ||
|
|
b91b3c4f09 | ||
|
|
c459aec591 | ||
|
|
27015815a5 | ||
|
|
e4aad620d2 | ||
|
|
8324731a56 | ||
|
|
02a7cfcc8a | ||
|
|
38a32e22c4 | ||
|
|
5c60871fd9 | ||
|
|
1de271fbae | ||
|
|
001447b3ef | ||
|
|
9f6f43d291 | ||
|
|
895c88905b | ||
|
|
a471195d58 | ||
|
|
10d76890e4 | ||
|
|
7de6178969 | ||
|
|
3a8f5eff97 | ||
|
|
eec72f05ea | ||
|
|
fff59bfeb3 | ||
|
|
d738f55bbf | ||
|
|
f22b76502b | ||
|
|
d6c1bb232c | ||
|
|
7648521c39 | ||
|
|
fe22ed4862 | ||
|
|
ca31221f5b | ||
|
|
fa9ae9dad2 | ||
|
|
55c437ae71 | ||
|
|
b7f5909933 | ||
|
|
6b62b02a83 | ||
|
|
ee73600181 | ||
|
|
f2445757f1 | ||
|
|
2226e9ec25 | ||
|
|
199726face | ||
|
|
3894fcbaad | ||
|
|
194d3c5a10 | ||
|
|
69f73c967e | ||
|
|
a73c49b952 | ||
|
|
dbd66db23f | ||
|
|
6bfa073b71 | ||
|
|
c33527c0d2 | ||
|
|
3a6abd091b | ||
|
|
42e5782189 | ||
|
|
2df4d8d3dd | ||
|
|
00d47e05ae | ||
|
|
4f175dc980 | ||
|
|
6e8045d087 | ||
|
|
e1488ac684 | ||
|
|
e28c0fcdfa | ||
|
|
9178588ed0 | ||
|
|
276ae4fe5c | ||
|
|
1c210d73bd | ||
|
|
04f7e40618 | ||
|
|
e08ab67c41 | ||
|
|
af0159c4ee | ||
|
|
3f52bb9498 | ||
|
|
99c0705417 | ||
|
|
e851b0cf9c | ||
|
|
c3bad668ba | ||
|
|
05eeaf4914 | ||
|
|
eaeb251254 | ||
|
|
6a1f2578fc | ||
|
|
ef42c36b22 | ||
|
|
dfc1a21b59 | ||
|
|
3bbcca9d17 | ||
|
|
6b7a9242d6 | ||
|
|
38d8198fd0 | ||
|
|
2ec35a7772 | ||
|
|
d9f13588fd | ||
|
|
644630bb3c | ||
|
|
4a8fa74137 | ||
|
|
de99148154 | ||
|
|
1166ab523b | ||
|
|
c7dd375207 | ||
|
|
f6779c3053 | ||
|
|
a6c4d1405e | ||
|
|
fcf7d085b9 | ||
|
|
cc3984cb3b | ||
|
|
c83d2dbb2b | ||
|
|
23cb85e6e6 | ||
|
|
c5296e040b | ||
|
|
89266715e6 | ||
|
|
59b6d3ae92 | ||
|
|
6e561e503d | ||
|
|
103ebb0f6b | ||
|
|
c93399e357 | ||
|
|
3b0c34c83f | ||
|
|
a2b52a3a7c | ||
|
|
70d6c84aa6 | ||
|
|
0ea743459d | ||
|
|
785eb615e3 | ||
|
|
49c3a15727 | ||
|
|
b450054488 | ||
|
|
8cd113407a | ||
|
|
7de8e021c2 | ||
|
|
0da8837d0e | ||
|
|
94a70dc397 | ||
|
|
a416993543 | ||
|
|
76728b8bc6 | ||
|
|
9822b878e0 | ||
|
|
ccbc5af870 | ||
|
|
bdc250babc | ||
|
|
cb1356b321 | ||
|
|
e1cc7fc197 | ||
|
|
0e57851625 | ||
|
|
5c677cf208 | ||
|
|
bf06c5e25a | ||
|
|
40da04a139 | ||
|
|
81bae80881 | ||
|
|
be30c7f74e | ||
|
|
99525899e8 | ||
|
|
6500973c26 | ||
|
|
3102b936a1 | ||
|
|
5870f67ab1 | ||
|
|
d1ba1579ee | ||
|
|
6ecf117f14 | ||
|
|
7f2157c848 | ||
|
|
06820a34e3 | ||
|
|
ee93a63b2f | ||
|
|
1862010c83 | ||
|
|
7d543e7b8f | ||
|
|
8ce2b50c32 | ||
|
|
8fa3d35e1b | ||
|
|
d84b71a0a9 | ||
|
|
a1cc5e9289 | ||
|
|
f4dd23b4f4 | ||
|
|
6e67205ba7 | ||
|
|
e6be77a26c | ||
|
|
43dd26f988 | ||
|
|
fb1c018ecc | ||
|
|
7341b65d47 | ||
|
|
0d5a20cb05 | ||
|
|
8649a7a09f | ||
|
|
ed26903938 | ||
|
|
0532b01ed6 | ||
|
|
5eddd1ec39 | ||
|
|
dc653165b0 | ||
|
|
8286a91388 | ||
|
|
277cd95e91 | ||
|
|
7b4d892cb6 | ||
|
|
4acf3ecbc7 | ||
|
|
28318a2528 | ||
|
|
4c505019e1 | ||
|
|
8430d83828 | ||
|
|
3754970367 | ||
|
|
443f232a77 | ||
|
|
2a59ad3b8c | ||
|
|
0aa00c0fbe | ||
|
|
9cd3264af8 | ||
|
|
2d7fc2d5a6 | ||
|
|
4b24acd9f1 | ||
|
|
1f68ff629a | ||
|
|
4d6469ffd8 | ||
|
|
b3def9bbf7 | ||
|
|
d9cf22cc5a | ||
|
|
b13b64028b | ||
|
|
22b2741ede | ||
|
|
a42b13d33c | ||
|
|
442d6ced85 | ||
|
|
e5e510dbab | ||
|
|
91c526913b | ||
|
|
c441671e8f | ||
|
|
ff3c8a493f | ||
|
|
cadd13e50e | ||
|
|
e81bc5977d | ||
|
|
5fa0c17a78 | ||
|
|
a75a29c672 | ||
|
|
64b01fda14 | ||
|
|
0d8b7ca851 | ||
|
|
68a6aa2d6b | ||
|
|
2c0dd6a4a0 | ||
|
|
ba58299f9f | ||
|
|
8e2a60c9be | ||
|
|
2e8bd7f1b7 | ||
|
|
a5e335d7fc | ||
|
|
cb1aa919c6 | ||
|
|
d6b57bc73c | ||
|
|
d329d5aa52 | ||
|
|
a6ddec4212 | ||
|
|
846e500945 | ||
|
|
d34be4f321 | ||
|
|
568a4d27a5 | ||
|
|
b96444c0ea | ||
|
|
b8c73bcafc | ||
|
|
0e8a52d67d | ||
|
|
a9a7328240 | ||
|
|
c5f64b7598 | ||
|
|
b6912ff3a5 | ||
|
|
999be987b8 | ||
|
|
e250e9a4cf | ||
|
|
9076806d8b | ||
|
|
e3de0d3aad | ||
|
|
b0e0a30968 | ||
|
|
be63967070 | ||
|
|
4f732afd9f | ||
|
|
9af3aa4881 | ||
|
|
f87803be34 | ||
|
|
12e4b8f53f | ||
|
|
89d64b1a47 | ||
|
|
92d603dee6 | ||
|
|
6274516032 | ||
|
|
c725b1099d | ||
|
|
f3ed132d3e | ||
|
|
3e132fc2dd | ||
|
|
e53dc99784 | ||
|
|
324ee987c2 | ||
|
|
743fcc320a | ||
|
|
6e988470c5 | ||
|
|
7f798dd711 | ||
|
|
6726b1b9ae | ||
|
|
2eb62acc96 | ||
|
|
b98552bc41 | ||
|
|
2967621174 | ||
|
|
b30361923f | ||
|
|
3143f3898a | ||
|
|
cd456aadac | ||
|
|
83a781a5cb | ||
|
|
bf02e7fc0e | ||
|
|
94b66c797a | ||
|
|
906e5d9a44 | ||
|
|
3586ef316a | ||
|
|
06ae29048d | ||
|
|
c0bb9cf185 | ||
|
|
ebf8257047 | ||
|
|
caf3ffe905 | ||
|
|
7c409af694 | ||
|
|
52bf46a127 | ||
|
|
50b107e596 | ||
|
|
436100336e | ||
|
|
874d2a93ca | ||
|
|
780bc6eec5 | ||
|
|
71255518a1 | ||
|
|
209e3656f4 | ||
|
|
7808280b34 | ||
|
|
97fa54f9ce | ||
|
|
d36d62e4bd | ||
|
|
3cb679d7eb | ||
|
|
88d24b4a1f | ||
|
|
247ec13dca | ||
|
|
d76a60502e | ||
|
|
190bfdeebf | ||
|
|
0accbaef11 | ||
|
|
279b38bba7 | ||
|
|
c5daf291bc | ||
|
|
fa49fa674f | ||
|
|
f9bb7d0c54 | ||
|
|
82494242f6 | ||
|
|
b7e19163d0 | ||
|
|
c4e5249157 | ||
|
|
76ff26a403 | ||
|
|
8e7dd3dc3b | ||
|
|
29066a4d86 | ||
|
|
1d88d93a9f | ||
|
|
09b12d15aa | ||
|
|
5176eed72b | ||
|
|
af9b016643 | ||
|
|
143b2be8af | ||
|
|
337bd0b9a6 | ||
|
|
8a632dc62e | ||
|
|
2eafec42b4 | ||
|
|
8f2f39c7de | ||
|
|
202cfcbd68 | ||
|
|
4e94f97dc3 | ||
|
|
3ce45a6410 | ||
|
|
f0071326b6 | ||
|
|
a69894ef8d | ||
|
|
fd6e014c51 | ||
|
|
9c19f7fb52 | ||
|
|
e48608e085 | ||
|
|
3b14986bdf | ||
|
|
b996c77e49 | ||
|
|
28258cb820 | ||
|
|
f52d07f49d | ||
|
|
6c3042c1c1 | ||
|
|
5c4a9f33ca | ||
|
|
19f6ed9078 | ||
|
|
1f67b99159 | ||
|
|
4225f61923 | ||
|
|
54917c2337 | ||
|
|
d68222d82d | ||
|
|
76da0b0d88 | ||
|
|
5afab04e30 | ||
|
|
b783a1581b | ||
|
|
158f643b1b | ||
|
|
73f5b98c6a | ||
|
|
42bbd88053 | ||
|
|
e3dba335d6 | ||
|
|
869d896a81 | ||
|
|
eeebfdd21a | ||
|
|
ff176a9e4f | ||
|
|
d64c82f27f | ||
|
|
b20d2886be | ||
|
|
6c12ffeaea | ||
|
|
2c72343b44 | ||
|
|
49d33b4bc7 | ||
|
|
3915248ed4 | ||
|
|
13b0ed0b27 | ||
|
|
5f164676bf | ||
|
|
8c76e41fde | ||
|
|
2e8e9ee1c6 | ||
|
|
b7e3a3f29f | ||
|
|
924fdffe5e | ||
|
|
7a9d9a7ba7 | ||
|
|
b28493b383 | ||
|
|
d784df90b6 | ||
|
|
0b1ac9b978 | ||
|
|
cfe4fac9dd | ||
|
|
d715750881 | ||
|
|
91cf1000ac | ||
|
|
4f65b92f3e | ||
|
|
c95fad6e63 | ||
|
|
a6aa7dd5b9 | ||
|
|
23b633ec92 | ||
|
|
46d48a2f5c | ||
|
|
44f2aedc24 | ||
|
|
4d8d8cde8e | ||
|
|
eba7320df5 | ||
|
|
bad4b4d751 | ||
|
|
4e9f851074 | ||
|
|
809350646f | ||
|
|
957babcb24 | ||
|
|
8c55d10d43 | ||
|
|
063a4dc0ca | ||
|
|
2a238ee552 | ||
|
|
31848f6338 | ||
|
|
fe45df681a | ||
|
|
35c4a601b6 | ||
|
|
71da3b1939 | ||
|
|
9bfde0aa2f | ||
|
|
d838cbc2b6 | ||
|
|
99772d76b0 | ||
|
|
7cf5baf22e | ||
|
|
b9ff1fe73f | ||
|
|
5418be142c | ||
|
|
029d4e2e96 | ||
|
|
3e712d3702 | ||
|
|
0f06d0d648 | ||
|
|
254b0113c3 | ||
|
|
99b63ca8e5 | ||
|
|
41b0f3c45e | ||
|
|
d7900926bf | ||
|
|
55c63a0a2a | ||
|
|
69a03ffca0 | ||
|
|
8425487239 | ||
|
|
27c469af58 | ||
|
|
f0abe76652 | ||
|
|
fc2991c7ef | ||
|
|
651daefa44 | ||
|
|
cce4e4dfd1 | ||
|
|
c41d48e594 | ||
|
|
45821672b8 | ||
|
|
0d394c0384 | ||
|
|
f2a67f7a06 | ||
|
|
eb38c046c2 | ||
|
|
a99459476b | ||
|
|
8bdbeeb578 | ||
|
|
c0ea6ba330 | ||
|
|
37f6a3aa4a | ||
|
|
24857eb4d7 | ||
|
|
55a6083be3 | ||
|
|
0f5bed2b20 | ||
|
|
738f50a3ea | ||
|
|
fada3ef8b4 | ||
|
|
1ff98661fd | ||
|
|
aa581ebea2 | ||
|
|
3dd871586f | ||
|
|
66ca4808dc | ||
|
|
4b5c0b2f7f | ||
|
|
77ba4437d2 | ||
|
|
7170458302 | ||
|
|
a944881a26 | ||
|
|
e7e864a4f7 | ||
|
|
5b66b31816 | ||
|
|
e8fea68e5e | ||
|
|
82a9f3af05 | ||
|
|
8b07cdbf50 | ||
|
|
a48b15f7b5 | ||
|
|
edc82c63e0 | ||
|
|
d28b2fe160 | ||
|
|
b1faf7c293 | ||
|
|
2040cb5d03 | ||
|
|
5c55176815 | ||
|
|
22c656d70e | ||
|
|
c7006f0e70 | ||
|
|
8f7c2b2005 | ||
|
|
733dea75ad | ||
|
|
a4f1719ff3 | ||
|
|
575f111831 | ||
|
|
e07e0b2f56 | ||
|
|
5f0be5b5cd | ||
|
|
c636f4796b | ||
|
|
8c9921ab10 | ||
|
|
772e290caa | ||
|
|
baf58aadc7 | ||
|
|
e8b033871d | ||
|
|
6f6d3c23f4 |
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
$Id: COPYRIGHT,v 1.15 2009/01/05 23:47:53 tbox Exp $
|
||||
$Id: COPYRIGHT,v 1.14.176.1 2009/01/05 23:47:22 tbox Exp $
|
||||
|
||||
Portions Copyright (C) 1996-2001 Nominum, Inc.
|
||||
|
||||
|
||||
29
FAQ
29
FAQ
@@ -153,29 +153,24 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
|
||||
|
||||
Master 10.0.1.1:
|
||||
key "external" {
|
||||
algorithm hmac-sha256;
|
||||
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
|
||||
algorithm hmac-md5;
|
||||
secret "xxxxxxxx";
|
||||
};
|
||||
view "internal" {
|
||||
match-clients { !key external; // reject message ment for the
|
||||
// external view.
|
||||
10.0.1/24; }; // accept from these addresses.
|
||||
match-clients { !key external; 10.0.1/24; };
|
||||
...
|
||||
};
|
||||
view "external" {
|
||||
match-clients { key external; any; };
|
||||
server 10.0.1.2 { keys external; }; // tag messages from the
|
||||
// external view to the
|
||||
// other servers for the
|
||||
// view.
|
||||
server 10.0.1.2 { keys external; };
|
||||
recursion no;
|
||||
...
|
||||
};
|
||||
|
||||
Slave 10.0.1.2:
|
||||
key "external" {
|
||||
algorithm hmac-sha256;
|
||||
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
|
||||
algorithm hmac-md5;
|
||||
secret "xxxxxxxx";
|
||||
};
|
||||
view "internal" {
|
||||
match-clients { !key external; 10.0.1/24; };
|
||||
@@ -225,13 +220,13 @@ A: You choose one view to be master and the second a slave and transfer
|
||||
|
||||
Master 10.0.1.1:
|
||||
key "external" {
|
||||
algorithm hmac-sha256;
|
||||
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
|
||||
algorithm hmac-md5;
|
||||
secret "xxxxxxxx";
|
||||
};
|
||||
|
||||
key "mykey" {
|
||||
algorithm hmac-sha256;
|
||||
secret "yyyyyyyyyyyyyyyyyyyyyyyy";
|
||||
algorithm hmac-md5;
|
||||
secret "yyyyyyyy";
|
||||
};
|
||||
|
||||
view "internal" {
|
||||
@@ -244,7 +239,7 @@ A: You choose one view to be master and the second a slave and transfer
|
||||
type master;
|
||||
file "internal/example.db";
|
||||
allow-update { key mykey; };
|
||||
also-notify { 10.0.1.1; };
|
||||
notify-also { 10.0.1.1; };
|
||||
};
|
||||
};
|
||||
|
||||
@@ -254,7 +249,7 @@ A: You choose one view to be master and the second a slave and transfer
|
||||
type slave;
|
||||
file "external/example.db";
|
||||
masters { 10.0.1.1; };
|
||||
transfer-source 10.0.1.1;
|
||||
transfer-source { 10.0.1.1; };
|
||||
// allow-update-forwarding { any; };
|
||||
// allow-notify { ... };
|
||||
};
|
||||
|
||||
31
FAQ.xml
31
FAQ.xml
@@ -17,7 +17,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: FAQ.xml,v 1.52 2009/11/03 14:02:20 marka Exp $ -->
|
||||
<!-- $Id: FAQ.xml,v 1.46.56.4 2009/02/19 01:51:58 tbox Exp $ -->
|
||||
|
||||
<article class="faq">
|
||||
<title>Frequently Asked Questions about BIND 9</title>
|
||||
@@ -319,29 +319,24 @@ Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
|
||||
<programlisting>
|
||||
Master 10.0.1.1:
|
||||
key "external" {
|
||||
algorithm hmac-sha256;
|
||||
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
|
||||
algorithm hmac-md5;
|
||||
secret "xxxxxxxx";
|
||||
};
|
||||
view "internal" {
|
||||
match-clients { !key external; // reject message ment for the
|
||||
// external view.
|
||||
10.0.1/24; }; // accept from these addresses.
|
||||
match-clients { !key external; 10.0.1/24; };
|
||||
...
|
||||
};
|
||||
view "external" {
|
||||
match-clients { key external; any; };
|
||||
server 10.0.1.2 { keys external; }; // tag messages from the
|
||||
// external view to the
|
||||
// other servers for the
|
||||
// view.
|
||||
server 10.0.1.2 { keys external; };
|
||||
recursion no;
|
||||
...
|
||||
};
|
||||
|
||||
Slave 10.0.1.2:
|
||||
key "external" {
|
||||
algorithm hmac-sha256;
|
||||
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
|
||||
algorithm hmac-md5;
|
||||
secret "xxxxxxxx";
|
||||
};
|
||||
view "internal" {
|
||||
match-clients { !key external; 10.0.1/24; };
|
||||
@@ -429,13 +424,13 @@ named-checkzone example.com tmp</programlisting>
|
||||
<programlisting>
|
||||
Master 10.0.1.1:
|
||||
key "external" {
|
||||
algorithm hmac-sha256;
|
||||
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
|
||||
algorithm hmac-md5;
|
||||
secret "xxxxxxxx";
|
||||
};
|
||||
|
||||
key "mykey" {
|
||||
algorithm hmac-sha256;
|
||||
secret "yyyyyyyyyyyyyyyyyyyyyyyy";
|
||||
algorithm hmac-md5;
|
||||
secret "yyyyyyyy";
|
||||
};
|
||||
|
||||
view "internal" {
|
||||
@@ -448,7 +443,7 @@ Master 10.0.1.1:
|
||||
type master;
|
||||
file "internal/example.db";
|
||||
allow-update { key mykey; };
|
||||
also-notify { 10.0.1.1; };
|
||||
notify-also { 10.0.1.1; };
|
||||
};
|
||||
};
|
||||
|
||||
@@ -458,7 +453,7 @@ Master 10.0.1.1:
|
||||
type slave;
|
||||
file "external/example.db";
|
||||
masters { 10.0.1.1; };
|
||||
transfer-source 10.0.1.1;
|
||||
transfer-source { 10.0.1.1; };
|
||||
// allow-update-forwarding { any; };
|
||||
// allow-notify { ... };
|
||||
};
|
||||
|
||||
15
KNOWN-DEFECTS
Normal file
15
KNOWN-DEFECTS
Normal file
@@ -0,0 +1,15 @@
|
||||
dnssec-signzone was designed so that it could sign a zone partially, using
|
||||
only a subset of the DNSSEC keys needed to produce a fully-signed zone.
|
||||
This permits a zone administrator, for example, to sign a zone with one
|
||||
key on one machine, move the resulting partially-signed zone to a second
|
||||
machine, and sign it again with a second key.
|
||||
|
||||
An unfortunate side-effect of this flexibility is that dnssec-signzone
|
||||
does not check to make sure it's signing a zone with any valid keys at
|
||||
all. An attempt to sign a zone without any keys will appear to succeed,
|
||||
producing a "signed" zone with no signatures. There is no warning issued
|
||||
when a zone is not signed.
|
||||
|
||||
This will be corrected in a future release. In the meantime, ISC
|
||||
recommends examining the output of dnssec-signzone to confirm that
|
||||
the zone is properly signed by all keys before using it.
|
||||
13
Makefile.in
13
Makefile.in
@@ -13,7 +13,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: Makefile.in,v 1.57 2009/09/01 00:22:24 jinmei Exp $
|
||||
# $Id: Makefile.in,v 1.52.48.2 2009/02/20 23:47:23 tbox Exp $
|
||||
|
||||
srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
@@ -21,13 +21,13 @@ top_srcdir = @top_srcdir@
|
||||
|
||||
@BIND9_VERSION@
|
||||
|
||||
SUBDIRS = make lib bin doc @LIBEXPORT@
|
||||
SUBDIRS = make lib bin doc
|
||||
TARGETS =
|
||||
|
||||
MANPAGES = isc-config.sh.1
|
||||
|
||||
|
||||
HTMLPAGES = isc-config.sh.html
|
||||
|
||||
|
||||
MANOBJS = ${MANPAGES} ${HTMLPAGES}
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
@@ -53,9 +53,8 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
|
||||
|
||||
install:: isc-config.sh installdirs
|
||||
${INSTALL_SCRIPT} ${top_srcdir}/isc-config.sh ${DESTDIR}${bindir}
|
||||
${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
|
||||
${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
|
||||
${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
|
||||
${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
|
||||
|
||||
tags:
|
||||
rm -f TAGS
|
||||
|
||||
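Review bot: In the `install::` recipe of the last Makefile.in hunk, the two lines that read as the new side (the header's 9-to-8 line count fits that reading) take `isc-config.sh` from the build directory but `isc-config.sh.1` from `${srcdir}`, and nothing says why the sources differ. Presumably the script is generated at configure time while the man page ships in the tree, so a comment above the rule such as `# isc-config.sh is generated in the build dir; its man page is a source file` would stop a later out-of-tree "fix" from pointing both at the same place. The destinations are also unquoted, so a `DESTDIR` or prefix containing whitespace would split into several arguments to the install command; `"${DESTDIR}${bindir}"` and `"${DESTDIR}${mandir}/man1"` are safer for staged packaging builds. The `installdirs` and `tags` rules around this recipe start or end outside the hunk, so whether `installdirs` is declared `.PHONY` cannot be checked from here.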
44
NSEC3-NOTES
44
NSEC3-NOTES
@@ -32,38 +32,20 @@ generated as part of the initial signing process.
|
||||
|
||||
While the update request will complete almost immediately the zone
|
||||
will not be completely signed until named has had time to walk the
|
||||
zone and generate the NSEC and RRSIG records. The NSEC record at the
|
||||
apex will be added last to signal that there is a complete NSEC chain.
|
||||
Additionally when the zone is fully signed the private type (default
|
||||
TYPE65534) records will have a non zero value for the final octet for
|
||||
those record with a none zero initial octet.
|
||||
|
||||
The private type record format:
|
||||
If the first octet is non-zero then the record indicates that the zone needs
|
||||
to be signed with the key matching the record or that all signatures that
|
||||
match the record should be removed.
|
||||
zone and generate the NSEC and RRSIG records. Initially the NSEC
|
||||
record at the zone apex will have the OPT bit set. When the NSEC
|
||||
chain is complete the OPT bit will be cleared. Additionally when
|
||||
the zone is fully signed the private type (default TYPE65535) records
|
||||
will have a non zero value for the final octet.
|
||||
|
||||
The private type record has 5 octets.
|
||||
algorithm (octet 1)
|
||||
key id in network order (octet 2 and 3)
|
||||
removal flag (octet 4)
|
||||
complete flag (octet 5)
|
||||
|
||||
Only records with the complete flag set can be removed via nsupdate.
|
||||
Attempts to remove other private type records will be silently ignored.
|
||||
|
||||
If the first octet is zero (this is a reserved algorithm number
|
||||
that should never appear in a DNSKEY record) then the record indicates
|
||||
changes to the NSEC3 chains are in progress. The rest of the record
|
||||
contains a NSEC3PARAM record. The flag field tells what operation
|
||||
to perform based on the flag bits.
|
||||
|
||||
0x01 OPTOUT
|
||||
0x80 CREATE
|
||||
0x40 REMOVE
|
||||
0x20 NONSEC
|
||||
|
||||
If you wish to go straight to a secure zone using NSEC3 you should
|
||||
also add a NSEC3PARAM record to the update request with the flags
|
||||
also add a NSECPARAM record to the update request with the flags
|
||||
field set to indicate whether the NSEC3 chain will have the OPTOUT
|
||||
bit set or not.
|
||||
|
||||
@@ -74,11 +56,10 @@ bit set or not.
|
||||
> update add example.net NSEC3PARAM 1 1 100 1234567890
|
||||
> send
|
||||
|
||||
Again the update request will complete almost immediately however
|
||||
the record won't show up or be deleted until named has had a chance
|
||||
to build/remove the relevent chain. A private type record will be
|
||||
created to record the operatation and will be removed once the
|
||||
operation completes.
|
||||
Again the update request will complete almost immediately however the
|
||||
NSEC3PARAM record will have additional flag bits set indicating that the
|
||||
NSEC3 chain is under construction. When the NSEC3 chain is complete the
|
||||
flags field will be set to zero.
|
||||
|
||||
While the initial signing and NSEC/NSEC3 chain generation is happening
|
||||
other updates are possible.
|
||||
@@ -128,8 +109,7 @@ NSEC chain will be generated before the NSEC3 chain is removed.
|
||||
|
||||
To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
|
||||
will be removed as well as associated NSEC3PARAM records. This will
|
||||
take place after the update requests completes. This requires
|
||||
secure-to-insecure to be set in named.conf.
|
||||
take place after the update requests completes.
|
||||
|
||||
Periodic re-signing.
|
||||
|
||||
|
||||
38
README
38
README
@@ -42,42 +42,6 @@ BIND 9
|
||||
Stichting NLnet - NLnet Foundation
|
||||
Nominum, Inc.
|
||||
|
||||
BIND 9.7.0
|
||||
|
||||
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
|
||||
releases. Most are intended to simplify DNSSEC configuration.
|
||||
|
||||
New features include:
|
||||
|
||||
- Fully automatic signing of zones by "named".
|
||||
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
|
||||
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
|
||||
command line tool or the "local" update-policy option. (As a side
|
||||
effect, this also makes it easier to configure automatic zone
|
||||
re-signing.)
|
||||
- New named option "attach-cache" that allows multiple views to
|
||||
share a single cache.
|
||||
- DNS rebinding attack prevention.
|
||||
- New default values for dnssec-keygen parameters.
|
||||
- Support for RFC 5011 automated trust anchor maintenance
|
||||
(see README.rfc5011 for additional details).
|
||||
- Smart signing: simplified tools for zone signing and key
|
||||
maintenance.
|
||||
- The "statistics-channels" option is now available on Windows.
|
||||
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
|
||||
(see README.libdns for details).
|
||||
- On some platforms, named and other binaries can now print out
|
||||
a stack backtrace on assertion failure, to aid in debugging.
|
||||
- A "tools only" installation mode on Windows, which only installs
|
||||
dig, host, nslookup and nsupdate.
|
||||
- Improved PKCS#11 support, including Keyper support and explicit
|
||||
OpenSSL engine selection (see README.pkcs11 for additional details).
|
||||
|
||||
Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
|
||||
ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
|
||||
you should ensure that all changes that are in progress have completed
|
||||
prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
|
||||
|
||||
BIND 9.6.0
|
||||
|
||||
BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
|
||||
@@ -426,7 +390,7 @@ Building
|
||||
FreeBSD 4.10, 5.2.1, 6.2
|
||||
HP-UX 11.11
|
||||
Mac OS X 10.5
|
||||
NetBSD 3.x, 4.0-beta, 5.0-beta
|
||||
NetBSD 3.x and 4.0-beta
|
||||
OpenBSD 3.3 and up
|
||||
Solaris 8, 9, 9 (x86), 10
|
||||
Ubuntu 7.04, 7.10
|
||||
|
||||
@@ -109,4 +109,4 @@ about idnkit and this patch.
|
||||
Bug reports and comments on this kit should be sent to
|
||||
mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
|
||||
|
||||
; $Id: README.idnkit,v 1.3 2009/01/17 09:43:50 fdupont Exp $
|
||||
; $Id: README.idnkit,v 1.2.762.1 2009/01/18 23:25:14 marka Exp $
|
||||
|
||||
275
README.libdns
275
README.libdns
@@ -1,275 +0,0 @@
|
||||
|
||||
BIND-9 DNS Library Support
|
||||
|
||||
This version of BIND9 "exports" its internal libraries so that they
|
||||
can be used by third-party applications more easily (we call them
|
||||
"export" libraries in this document). In addition to all major
|
||||
DNS-related APIs BIND9 is currently using, the export libraries
|
||||
provide the following features:
|
||||
|
||||
- The newly created "DNS client" module. This is a higher level API
|
||||
that provides an interface to name resolution, single DNS
|
||||
transaction with a particular server, and dynamic update. Regarding
|
||||
name resolution, it supports advanced features such as DNSSEC
|
||||
validation and caching. This module supports both synchronous and
|
||||
asynchronous mode.
|
||||
- The new "IRS" (Information Retrieval System) library. It provides
|
||||
an interface to parse the traditional resolv.conf file and more
|
||||
advanced, DNS-specific configuration file for the rest of this
|
||||
package (see the description for the dns.conf file below).
|
||||
- As part of the IRS library, newly implemented standard address-name
|
||||
mapping functions, getaddrinfo() and getnameinfo(), are provided.
|
||||
They use the DNSSEC-aware validating resolver backend, and could use
|
||||
other advanced features of the BIND9 libraries such as caching. The
|
||||
getaddrinfo() function resolves both A and AAAA RRs concurrently
|
||||
(when the address family is unspecified).
|
||||
- An experimental framework to support other event libraries than
|
||||
BIND9's internal event task system.
|
||||
|
||||
* Prerequisite
|
||||
|
||||
GNU make is required to build the export libraries (other part of
|
||||
BIND9 can still be built with other types of make). In the reminder
|
||||
of this document, "make" means GNU make. Note that in some platforms
|
||||
you may need to invoke a different command name than "make"
|
||||
(e.g. "gmake") to indicate it's GNU make.
|
||||
|
||||
* Compilation
|
||||
|
||||
1. ./configure --enable-exportlib [other flags]
|
||||
2. make
|
||||
|
||||
This will create (in addition to usual BIND9 programs) and a separate
|
||||
set of libraries under the lib/export directory. For example,
|
||||
lib/export/dns/libdns.a is the archive file of the export version of
|
||||
the BIND9 DNS library.
|
||||
|
||||
Sample application programs using the libraries will also be built
|
||||
under the lib/export/samples directory (see below).
|
||||
|
||||
* Installation
|
||||
|
||||
1. cd lib/export
|
||||
2. make install (root privilege is normally required)
|
||||
(make install at the top directory will do the same)
|
||||
|
||||
This will install library object files under the directory specified
|
||||
by the --with-export-libdir configure option (default:
|
||||
EPREFIX/lib/bind9), and header files under the directory specified by
|
||||
the --with-export-includedir configure option (default:
|
||||
PREFIX/include/bind9).
|
||||
|
||||
To see how to build your own application after the installation, see
|
||||
lib/export/samples/Makefile-postinstall.in
|
||||
|
||||
* Known Defects/Restrictions
|
||||
|
||||
- Currently, win32 is not supported for the export library. (Normal
|
||||
BIND9 application can be built as before).
|
||||
- The "fixed" RRset order is not (currently) supported in the export
|
||||
library. If you want to use "fixed" RRset order for, e.g. named
|
||||
while still building the export library even without the fixed
|
||||
order support, build them separately:
|
||||
% ./configure --enable-fixed-rrset [other flags, but not --enable-exportlib]
|
||||
% make (this doesn't have to be make)
|
||||
% ./configure --enable-exportlib [other flags, but not --enable-fixed-rrset]
|
||||
% cd lib/export
|
||||
% make
|
||||
- The client module and the IRS library currently do not support
|
||||
DNSSEC validation using DLV (the underlying modules can handle it,
|
||||
but there is no tunable interface to enable the feature).
|
||||
- RFC5011 is not supported in the validating stub resolver of the
|
||||
export library. In fact, it is not clear whether it should: trust
|
||||
anchors would be a system-wide configuration which would be managed
|
||||
by an administrator, while the stub resolver will be used by
|
||||
ordinary applications run by a normal user.
|
||||
- Not all common /etc/resolv.conf options are supported in the IRS library.
|
||||
The only available options in this version are "debug" and "ndots".
|
||||
|
||||
* The dns.conf File
|
||||
|
||||
The IRS library supports an "advanced" configuration file related to
|
||||
the DNS library for configuration parameters that would be beyond the
|
||||
capability of the resolv.conf file. Specifically, it is intended to
|
||||
provide DNSSEC related configuration parameters.
|
||||
|
||||
By default the path to this configuration file is /etc/dns.conf.
|
||||
|
||||
This module is very experimental and the configuration syntax or
|
||||
library interfaces may change in future versions. Currently, only the
|
||||
'trusted-keys' statement is supported, whose syntax is the same as the
|
||||
same name of statement for named.conf.
|
||||
|
||||
* Sample Applications
|
||||
|
||||
Some sample application programs using this API are provided for
|
||||
reference. The following is a brief description of these
|
||||
applications.
|
||||
|
||||
- sample: a simple stub resolver utility.
|
||||
|
||||
It sends a query of a given name (of a given optional RR type)
|
||||
to a specified recursive server, and prints the result as a list of
|
||||
RRs. It can also act as a validating stub resolver if a trust
|
||||
anchor is given via a set of command line options.
|
||||
|
||||
Usage: sample [options] server_address hostname
|
||||
|
||||
Options and Arguments:
|
||||
-t RRtype
|
||||
specify the RR type of the query. The default is the A RR.
|
||||
[-a algorithm] [-e] -k keyname -K keystring
|
||||
specify a command-line DNS key to validate the answer. For
|
||||
example, to specify the following DNSKEY of example.com:
|
||||
example.com. 3600 IN DNSKEY 257 3 5 xxx
|
||||
specify the options as follows:
|
||||
-e -k example.com -K "xxx"
|
||||
-e means that this key is a zone's "key signing key" (as known
|
||||
as "secure Entry point").
|
||||
when -a is omitted rsasha1 will be used by default.
|
||||
-s domain:alt_server_address
|
||||
specify a separate recursive server address for the specific
|
||||
"domain". Example: -s example.com:2001:db8::1234
|
||||
server_address
|
||||
an IP(v4/v6) address of the recursive server to which queries
|
||||
are sent.
|
||||
hostname
|
||||
the domain name for the query
|
||||
|
||||
- sample-async: a simple stub resolver, working asynchronously.
|
||||
|
||||
Similar to "sample", but accepts a list of (query) domain names as a
|
||||
separate file and resolves the names asynchronously.
|
||||
|
||||
Usage: sample-async [-s server_address] [-t RR_type] input_file
|
||||
Options and Arguments:
|
||||
-s server_address
|
||||
an IPv4 address of the recursive server to which queries are
|
||||
sent. (IPv6 addresses are not supported in this implementation)
|
||||
-t RR_type
|
||||
specify the RR type of the queries. The default is the A RR.
|
||||
input_file
|
||||
a list of domain names to be resolved. each line consists of a
|
||||
single domain name. Example:
|
||||
www.example.com
|
||||
mx.examle.net
|
||||
ns.xxx.example
|
||||
|
||||
- sample-request: a simple DNS transaction client.
|
||||
|
||||
It sends a query to a specified server, and prints the response with
|
||||
minimal processing. It doesn't act as a "stub resolver": it stops
|
||||
the processing once it gets any response from the server, whether
|
||||
it's a referral or an alias (CNAME or DNAME) that would require
|
||||
further queries to get the ultimate answer. In other words, this
|
||||
utility acts as a very simplified dig.
|
||||
|
||||
Usage: sample-request [-t RRtype] server_address hostname
|
||||
Options and Arguments:
|
||||
-t RRtype
|
||||
specify the RR type of the queries. The default is the A RR.
|
||||
server_address
|
||||
an IP(v4/v6) address of the recursive server to which the query is
|
||||
sent.
|
||||
hostname
|
||||
the domain name for the query
|
||||
|
||||
- sample-gai: getaddrinfo() and getnameinfo() test code.
|
||||
|
||||
This is a test program to check getaddrinfo() and getnameinfo()
|
||||
behavior. It takes a host name as an argument, calls getaddrinfo()
|
||||
with the given host name, and calls getnameinfo() with the resulting
|
||||
IP addresses returned by getaddrinfo(). If the dns.conf file exists
|
||||
and defines a trust anchor, the underlying resolver will act as a
|
||||
validating resolver, and getaddrinfo()/getnameinfo() will fail with
|
||||
an EAI_INSECUREDATA error when DNSSEC validation fails.
|
||||
|
||||
Usage: sample-gai hostname
|
||||
|
||||
- sample-update: a simple dynamic update client program
|
||||
|
||||
It accepts a single update command as a command-line argument, sends
|
||||
an update request message to the authoritative server, and shows the
|
||||
response from the server. In other words, this is a simplified
|
||||
nsupdate.
|
||||
|
||||
Usage: sample-update [options] (add|delete) "update data"
|
||||
Options and Arguments:
|
||||
-a auth_server
|
||||
An IP address of the authoritative server that has authority
|
||||
for the zone containing the update name. This should normally
|
||||
be the primary authoritative server that accepts dynamic
|
||||
updates. It can also be a secondary server that is configured
|
||||
to forward update requests to the primary server.
|
||||
-k keyfile
|
||||
A TSIG key file to secure the update transaction. The keyfile
|
||||
format is the same as that for the nsupdate utility.
|
||||
-p prerequisite
|
||||
A prerequisite for the update (only one prerequisite can be
|
||||
specified). The prerequisite format is the same as that is
|
||||
accepted by the nsupdate utility.
|
||||
-r recursive_server
|
||||
An IP address of a recursive server that this utility will
|
||||
use. A recursive server may be necessary to identify the
|
||||
authoritative server address to which the update request is
|
||||
sent.
|
||||
-z zonename
|
||||
The domain name of the zone that contains
|
||||
(add|delete)
|
||||
Specify the type of update operation. Either "add" or "delete"
|
||||
must be specified.
|
||||
"update data"
|
||||
Specify the data to be updated. A typical example of the data
|
||||
would look like "name TTL RRtype RDATA".
|
||||
|
||||
Note: in practice, either -a or -r must be specified. Others can
|
||||
be optional; the underlying library routine tries to identify the
|
||||
appropriate server and the zone name for the update.
|
||||
|
||||
Examples: assuming the primary authoritative server of the
|
||||
dynamic.example.com zone has an IPv6 address 2001:db8::1234,
|
||||
+ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"
|
||||
adds an A RR for foo.dynamic.example.com using the given key.
|
||||
+ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"
|
||||
removes all A RRs for foo.dynamic.example.com using the given key.
|
||||
+ sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"
|
||||
removes all RRs for foo.dynamic.example.com using the given key.
|
||||
|
||||
- nsprobe: domain/name server checker in terms of RFC4074.
|
||||
|
||||
It checks a set of domains to see the name servers of the domains
|
||||
behave correctly in terms of RFC4074. This is included in the set
|
||||
of sample programs to show how the export library can be used in a
|
||||
DNS-related application.
|
||||
|
||||
Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
|
||||
Options
|
||||
-d
|
||||
run in the "debug" mode. with this option nsprobe will dump
|
||||
every RRs it receives.
|
||||
-v
|
||||
increase verbosity of other normal log messages. This can be
|
||||
specified multiple times
|
||||
-c cache_address
|
||||
specify an IP address of a recursive (caching) name server.
|
||||
nsprobe uses this server to get the NS RRset of each domain and
|
||||
the A and/or AAAA RRsets for the name servers. The default
|
||||
value is 127.0.0.1.
|
||||
input_file
|
||||
a file name containing a list of domain (zone) names to be
|
||||
probed. when omitted the standard input will be used. Each
|
||||
line of the input file specifies a single domain name such as
|
||||
"example.com". In general this domain name must be the apex
|
||||
name of some DNS zone (unlike normal "host names" such as
|
||||
"www.example.com"). nsprobe first identifies the NS RRsets for
|
||||
the given domain name, and sends A and AAAA queries to these
|
||||
servers for some "widely used" names under the zone;
|
||||
specifically, adding "www" and "ftp" to the zone name.
|
||||
|
||||
* Library References
|
||||
|
||||
As of this writing, there is no formal "manual" of the libraries,
|
||||
except this document, header files (some of them provide pretty
|
||||
detailed explanations), and sample application programs.
|
||||
|
||||
; $Id: README.libdns,v 1.3 2009/09/15 19:12:03 jinmei Exp $
|
||||
338
README.pkcs11
@@ -1,309 +1,61 @@
|
||||
|
||||
BIND 9 PKCS #11 (Cryptoki) support
|
||||
BIND-9 PKCS#11 support
|
||||
|
||||
INTRODUCTION
|
||||
Prerequisite
|
||||
|
||||
PKCS #11 (Public Key Cryptography Standard #11) defines a platform-
|
||||
independent API for the control of hardware security modules (HSMs)
|
||||
and other cryptographic support devices.
|
||||
The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
|
||||
released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
|
||||
and some improvements, including user friendly PIN management.
|
||||
|
||||
BIND 9 is known to work with two HSMs: The Sun SCA 6000 cryptographic
|
||||
acceleration board, tested under Solaris x86, and the AEP Keyper
|
||||
network-attached key storage device, tested with Debian Linux,
|
||||
Solaris x86 and Windows Server 2003.
|
||||
Compilation
|
||||
|
||||
PREREQUISITES
|
||||
"configure --with-pkcs11 ..."
|
||||
|
||||
See the HSM vendor documentation for information about installing,
|
||||
initializing, testing and troubleshooting the HSM.
|
||||
PKCS#11 Libraries
|
||||
|
||||
BIND 9 uses OpenSSL for cryptography, but stock OpenSSL does not
|
||||
yet fully support PKCS #11. However, a PKCS #11 engine for OpenSSL
|
||||
is available from the OpenSolaris project. It has been modified by
|
||||
ISC to work with with BIND 9, and to provide new features such as
|
||||
PIN management and key by reference.
|
||||
Tested with Solaris one with a SCA board and with openCryptoki with the
|
||||
software token.
|
||||
|
||||
The patched OpenSSL depends on a "PKCS #11 provider". This is a shared
|
||||
library object, providing a low-level PKCS #11 interface to the HSM
|
||||
hardware. It is dynamically loaded by OpenSSL at runtime. The PKCS #11
|
||||
provider comes from the HSM vendor, and and is specific to the HSM to be
|
||||
controlled.
|
||||
OpenSSL Engines
|
||||
|
||||
There are two "flavors" of PKCS #11 support provided by the patched
|
||||
OpenSSL, one of which must be chosen at configuration time. The correct
|
||||
choice depends on the HSM hardware:
|
||||
With PKCS#11 support the PKCS#11 engine is statically loaded but at its
|
||||
initialization it dynamically loads the PKCS#11 objects.
|
||||
Even the pre commands are therefore unused they are defined with:
|
||||
SO_PATH:
|
||||
define: PKCS11_SO_PATH
|
||||
default: /usr/local/lib/engines/engine_pkcs11.so
|
||||
MODULE_PATH:
|
||||
define: PKCS11_MODULE_PATH
|
||||
default: /usr/lib/libpkcs11.so
|
||||
Without PKCS#11 support, a specific OpenSSL engine can be still used
|
||||
by defining ENGINE_ID at compile time.
|
||||
|
||||
- Use 'crypto-accelerator' with HSMs that have hardware cryptographic
|
||||
acceleration features, such as the SCA 6000 board. This causes OpenSSL
|
||||
to run all supported cryptographic operations in the HSM.
|
||||
PKCS#11 tools
|
||||
|
||||
- Use 'sign-only' with HSMs that are designed to function primarily as
|
||||
secure key storage devices, but lack hardware acceleration. These
|
||||
devices are highly secure, but are not necessarily any faster at
|
||||
cryptography than the system CPU--often, they are slower. It is
|
||||
therefore most efficient to use them only for those cryptographic
|
||||
functions that require access to the secured private key, such as
|
||||
zone signing, and to use the system CPU for all other computationally-
|
||||
intensive operations. The AEP Keyper is an example of such a device.
|
||||
The contrib/pkcs11-keygen directory contains a set of experimental tools
|
||||
to handle keys stored in a Hardware Security Module at the benefit of BIND.
|
||||
|
||||
The modified OpenSSL code is included in the BIND 9.7.0b1 release, in the
|
||||
form of a context diff against OpenSSL 0.9.8l. Before building BIND 9
|
||||
with PKCS #11 support, it will be necessary to build OpenSSL with this
|
||||
patch in place and inform it of the path to the HSM-specific PKCS #11
|
||||
provider library.
|
||||
The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
|
||||
for the way to use it (these are the original notes so with the original
|
||||
path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
|
||||
|
||||
Obtain OpenSSL 0.9.8l:
|
||||
PIN management
|
||||
|
||||
wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
|
||||
With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
|
||||
each time it is required. With the improved engine, the PIN should be
|
||||
entered the first time it is required or can be configured in the
|
||||
OpenSSL configuration file (aka. openssl.cnf) by adding in it:
|
||||
- at the beginning:
|
||||
openssl_conf = openssl_def
|
||||
- at any place these sections:
|
||||
[ openssl_def ]
|
||||
engines = engine_section
|
||||
[ engine_section ]
|
||||
pkcs11 = pkcs11_section
|
||||
[ pkcs11_section ]
|
||||
PIN = put__your__pin__value__here
|
||||
|
||||
Extract the tarball:
|
||||
Note
|
||||
|
||||
tar zxf openssl-0.9.8l.tar.gz
|
||||
|
||||
Apply the patch from the BIND 9 release:
|
||||
|
||||
patch -p1 -d openssl-0.9.8l \
|
||||
< bind-9.7.0b1/bin/pkcs11/openssl-0.9.8l-patch
|
||||
|
||||
(Note that the patch file may not be compatible with the "patch"
|
||||
utility on all operating systems. You may need to install GNU patch.)
|
||||
|
||||
When building OpenSSL, place it in a non-standard location so that it
|
||||
does not interfere with OpenSSL libraries elsewhere on the system.
|
||||
In the following examples, we choose to install into "/opt/pkcs11/usr".
|
||||
We will use this location when we configure BIND 9.
|
||||
|
||||
EXAMPLE 1--BUILDING OPENSSL FOR THE AEP KEYPER ON LINUX:
|
||||
|
||||
The AEP Keyper is a highly secure key storage device, but does
|
||||
not provide hardware cryptographic acceleration. It can carry out
|
||||
cryptographic operations, but it is probably slower than your
|
||||
system's CPU. Therefore, we choose the 'sign-only' flavor when
|
||||
building OpenSSL.
|
||||
|
||||
The Keyper-specific PKCS #11 provider library is delivered with the
|
||||
Keyper software. In this example, we place it /opt/pkcs11/usr/lib:
|
||||
|
||||
cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so
|
||||
|
||||
This library is only available for Linux as a 32-bit binary. If we are
|
||||
compiling on a 64-bit Linux system, it is necessary to force a 32-bit
|
||||
build, by specifying -m32 in the build options.
|
||||
|
||||
Finally, the Keyper library requires threads, so we must specify -pthread.
|
||||
|
||||
cd openssl-0.9.8l
|
||||
./Configure linux-generic32 -m32 -pthread \
|
||||
--pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
|
||||
--pk11-flavor=sign-only \
|
||||
--prefix=/opt/pkcs11/usr
|
||||
|
||||
After configuring, run "make" and "make test". If "make test" fails
|
||||
with "pthread_atfork() not found", you forgot to add the -pthread
|
||||
above.
|
||||
|
||||
EXAMPLE 2--BUILDING OPENSSL FOR THE SCA 6000 ON SOLARIS:
|
||||
|
||||
The SCA-6000 PKCS #11 provider is installed as a system library,
|
||||
libpkcs11. It is a true crypto accelerator, up to 4 times faster
|
||||
than any CPU, so the flavor shall be 'crypto-accelerator'.
|
||||
|
||||
In this example, we are building on Solaris x86 on an AMD64 system.
|
||||
|
||||
cd openssl-0.9.8l
|
||||
./Configure solaris64-x86_64-cc \
|
||||
--pk11-libname=/usr/lib/64/libpkcs11.so \
|
||||
--pk11-flavor=crypto-accelerator \
|
||||
--prefix=/opt/pkcs11/usr
|
||||
|
||||
(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
|
||||
|
||||
After configuring, run "make" and "make test".
|
||||
|
||||
Once you have built OpenSSL, run "apps/openssl engine pkcs11" to confirm
|
||||
that PKCS #11 support was compiled in correctly. The output should be
|
||||
one of the following lines, depending on the flavor selected:
|
||||
|
||||
(pkcs11) PKCS #11 engine support (sign only)
|
||||
|
||||
Or:
|
||||
|
||||
(pkcs11) PKCS #11 engine support (crypto accelerator)
|
||||
|
||||
Next, run "apps/openssl engine pkcs11 -t". This will attempt to initialize
|
||||
the PKCS #11 engine. If it is able to do so successfully, it will report
|
||||
"[ available ]".
|
||||
|
||||
If the output is correct, run "make install".
|
||||
|
||||
BUILDING BIND 9
|
||||
|
||||
When building BIND 9, the location of the custom-built OpenSSL
|
||||
library must be specified via configure.
|
||||
|
||||
EXAMPLE 3--CONFIGURING BIND 9 FOR LINUX
|
||||
|
||||
To link with the PKCS #11 provider, threads must be enabled in the
|
||||
BIND 9 build.
|
||||
|
||||
The PKCS #11 library for the AEP Keyper is currently only available as
|
||||
a 32-bit binary. If we are building on a 64-bit host, we must force a
|
||||
32-bit build by adding "-m32" to the CC options on the "configure"
|
||||
command line.
|
||||
|
||||
cd ../bind-9.7.0b1
|
||||
./configure CC="gcc -m32" --enable-threads \
|
||||
--with-openssl=/opt/pkcs11/usr \
|
||||
--with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
|
||||
|
||||
EXAMPLE 4--CONFIGURING BIND 9 FOR SOLARIS
|
||||
|
||||
To link with the PKCS #11 provider, threads must be enabled in the
|
||||
BIND 9 build.
|
||||
|
||||
cd ../bind-9.7.0b1
|
||||
./configure CC="cc -xarch=amd64" --enable-threads \
|
||||
--with-openssl=/opt/pkcs11/usr \
|
||||
--with-pkcs11=/usr/lib/64/libpkcs11.so
|
||||
|
||||
(For a 32-bit build, omit CC="cc -xarch=amd64".)
|
||||
|
||||
If configure complains about OpenSSL not working, you may have a 32/64-bit
|
||||
architecture mismatch. Or, you may have incorrectly specified the path to
|
||||
OpenSSL (it should be the same as the --prefix argument to the OpenSSL
|
||||
Configure).
|
||||
|
||||
After configuring, run "make", "make test" and "make install".
|
||||
|
||||
PKCS #11 TOOLS
|
||||
|
||||
BIND 9 includes a minimal set of tools to operate the HSM, including
|
||||
"pkcs11-keygen" to generate a new key pair within the HSM, "pkcs11-list"
|
||||
to list objects currently available, and "pkcs11-destroy" to remove
|
||||
objects.
|
||||
|
||||
In UNIX/Linux builds, these tools are built only if BIND 9 is configured
|
||||
with the --with-pkcs11 option. (NOTE: If --with-pkcs11 is set to "yes",
|
||||
rather than to the path of the PKCS #11 provider, then the tools will be
|
||||
built but the provider will be left undefined. Use the -m option or the
|
||||
PKCS11_PROVIDER environment variable to specify the path to the provider.)
|
||||
|
||||
USING THE HSM
|
||||
|
||||
First, we must set up the runtime environment so the OpenSSL and PKCS #11
|
||||
libraries can be loaded:
|
||||
|
||||
export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}
|
||||
|
||||
When operating an AEP Keyper, it is also necessary to specify the
|
||||
location of the "machine" file, which stores information about the Keyper
|
||||
for use by PKCS #11 provider library. If the machine file is in
|
||||
/opt/Keyper/PKCS11Provider/machine, use:
|
||||
|
||||
export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
|
||||
|
||||
These environment variables must be set whenever running any tool
|
||||
that uses the HSM, including pkcs11-keygen, pkcs11-list, pkcs11-destroy,
|
||||
dnssec-keyfromlabel, dnssec-signzone, dnssec-keygen (which will use
|
||||
the HSM for random number generation), and named.
|
||||
|
||||
We can now create and use keys in the HSM. In this case, we will
|
||||
create a 2048 bit key and give it the label "sample-ksk":
|
||||
|
||||
pkcs11-keygen -b 2048 -l sample-ksk
|
||||
|
||||
To confirm that the key exists:
|
||||
|
||||
pkcs11-list
|
||||
Enter PIN:
|
||||
object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
|
||||
object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
|
||||
|
||||
Before using this key to sign a zone, we must create a pair of BIND 9
|
||||
key files. The "dnssec-keyfromlabel" utility does this. In this case,
|
||||
we will be using the HSM key "sample-ksk" as the key-signing key for
|
||||
"example.net":
|
||||
|
||||
dnssec-keyfromlabel -l sample-ksk -f KSK example.net
|
||||
|
||||
The resulting K*.key and K*.private files can now be used to sign the
|
||||
zone. Unlike normal K* files, which contain both public and private
|
||||
key data, these files will contain only the public key data, plus an
|
||||
identifier for the private key which remains stored within the HSM.
|
||||
The HSM handles signing with the private key.
|
||||
|
||||
If you wish to generate a second key in the HSM for use as a zone-signing
|
||||
key, follow the same procedure above, using a different keylabel, a
|
||||
smaller key size, and omitting "-f KSK" from the dnssec-keyfromlabel
|
||||
arguments:
|
||||
|
||||
pkcs11-keygen -b 1024 -l sample-zsk
|
||||
dnssec-keyfromlabel -l sample-zsk example.net
|
||||
|
||||
Alternatively, you may prefer to generate a conventional on-disk key,
|
||||
using dnssec-keygen:
|
||||
|
||||
dnssec-keygen example.net
|
||||
|
||||
This provides less security than an HSM key, but since HSMs can be
|
||||
slow or cumbersome to use for security reasons, it may be more
|
||||
efficient to reserve HSM keys for use in the less frequent
|
||||
key-signing operation. The zone-signing key can be rolled more
|
||||
frequently, if you wish, to compensate for a reduction in key
|
||||
security.
|
||||
|
||||
Now you can sign the zone. (Note: If not using the -S option to
|
||||
dnssec-signzone, it will be necessary to add the contents of both
|
||||
K*.key files to the zone master file before signing it.)
|
||||
|
||||
dnssec-signzone -S example.net
|
||||
Enter PIN:
|
||||
Verifying the zone using the following algorithms: NSEC3RSASHA1.
|
||||
Zone signing complete:
|
||||
Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
|
||||
example.net.signed
|
||||
|
||||
SPECIFYING THE ENGINE ON THE COMMAND LINE
|
||||
|
||||
The OpenSSL engine can be specified in named and all of the dnssec-*
|
||||
tools by using the "-E <engine>" command line option. If BIND 9 is built
|
||||
with the --with-pkcs11 option, this option defaults to "pkcs11".
|
||||
Specifying the engine will generally not be necessary unless for
|
||||
some reason you wish to use a different OpenSSL engine.
|
||||
|
||||
If you wish to disable use of the "pkcs11" engine--for troubleshooting
|
||||
purposes, or because the HSM is unavailable--set the engine to the empty
|
||||
string. For example:
|
||||
|
||||
dnssec-signzone -E '' -S example.net
|
||||
|
||||
This causes dnssec-signzone to run as if it were compiled without the
|
||||
--with-pkcs11 option.
|
||||
|
||||
RUNNING NAMED WITH AUTOMATIC ZONE RE-SIGNING
|
||||
|
||||
If you want named to dynamically re-sign zones using HSM keys, and/or to
|
||||
to sign new records inserted via nsupdate, then named must have access
|
||||
to the HSM PIN. This can be accomplished by placing the PIN into the
|
||||
openssl.cnf file (in the above examples, /opt/pkcs11/usr/ssl/openssl.cnf).
|
||||
|
||||
The location of the openssl.cnf file can be overridden by setting the
|
||||
OPENSSL_CONF environment variable before running named.
|
||||
|
||||
Sample openssl.cnf:
|
||||
|
||||
openssl_conf = openssl_def
|
||||
[ openssl_def ]
|
||||
engines = engine_section
|
||||
[ engine_section ]
|
||||
pkcs11 = pkcs11_section
|
||||
[ pkcs11_section ]
|
||||
PIN = <PLACE PIN HERE>
|
||||
|
||||
This will also allow the dnssec-* tools to access the HSM without
|
||||
PIN entry. (The pkcs11-* tools access the HSM directly, not via
|
||||
OpenSSL, so a PIN will still be required to use them.)
|
||||
|
||||
PLEASE NOTE: Placing the HSM's PIN in a text file in this manner
|
||||
may reduce the security advantage of using an HSM. Be sure this
|
||||
is what you want to do before configuring BIND 9 in this way.
|
||||
Some names here are registered trademarks, at least Solaris is a trademark
|
||||
of Sun Microsystems Inc...
|
||||
|
||||
@@ -1,57 +0,0 @@
|
||||
|
||||
BIND 9 RFC 5011 support
|
||||
|
||||
BIND 9.7.0 introduces support for RFC 5011, dynamic trust anchor
|
||||
management. Using this feature allows named to keep track of changes to
|
||||
critical DNSSEC keys without any need for the operator to make changes to
|
||||
configuration files.
|
||||
|
||||
VALIDATING RESOLVER
|
||||
-------------------
|
||||
|
||||
To configure a validating resolver to use RFC5011 to maintain a trust
|
||||
anchor, configure the trust anchor using a "managed-keys" statement.
|
||||
Information about this can be found in the ARM, in the section titled
|
||||
"managed-keys Statement Definition".
|
||||
|
||||
AUTHORITATIVE SERVER
|
||||
--------------------
|
||||
|
||||
To set up an authoritative zone for RFC5011 trust anchor maintenance,
|
||||
generate two (or more) key signing keys (KSKs) for the zone. Sign the zone
|
||||
with one of them; this is the "active" KSK. All KSK's which do not sign
|
||||
the zone are "stand-by" keys.
|
||||
|
||||
Any validating resolver which is configured to use the active KSK as an
|
||||
RFC5011-managed trust anchor will take note of the stand-by KSKs in the
|
||||
zone's DNSKEY RRset, and store them for future reference. The resolver
|
||||
will recheck the zone periodically, and after 30 days, if the new key is
|
||||
still there, then the key will be accepted by the resolver as a valid
|
||||
trust anchor for the zone.
|
||||
|
||||
The easiest way to place a stand-by key in a zone is to use the "smart
|
||||
signing" features of dnssec-signzone. If a key with a publication date
|
||||
in the past, but an activation date in the future, "dnssec-signzone -S"
|
||||
will include the DNSKEY record in the zone, but will not sign with it:
|
||||
|
||||
$ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net
|
||||
$ dnssec-signzone -S -K keys example.net
|
||||
|
||||
At any time after this 30-day acceptance timer has expired, the active
|
||||
KSK can be revoked and the zone can be "rolled over" to one of the
|
||||
standby KSKs.
|
||||
|
||||
To revoke a key, the new command "dnssec-revoke" has been added. This adds
|
||||
the REVOKED bit to the key flags and re-generates the K*.key and K*.private
|
||||
files.
|
||||
|
||||
After revoking the active key, the zone must be signed with both the
|
||||
revoked KSK and the new active KSK. (Smart signing takes care of this
|
||||
automatically.)
|
||||
|
||||
Once a key has been revoked and used to sign the DNSKEY RRset in which it
|
||||
appears, that key will never again be accepted as a valid trust anchor by
|
||||
the resolver. However, validation can proceed using the new active key
|
||||
(which had been accepted by the resolver when it was a stand-by key).
|
||||
|
||||
See RFC 5011 for more details on key rollover scenarios.
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 1999-2003 Internet Software Consortium.
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
|
||||
/* $Id: acconfig.h,v 1.51.334.2 2009/02/16 23:47:15 tbox Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 1998-2001 Internet Software Consortium.
|
||||
#
|
||||
# Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -13,14 +13,13 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: Makefile.in,v 1.29 2009/10/05 12:07:08 fdupont Exp $
|
||||
# $Id: Makefile.in,v 1.25 2007/06/19 23:46:59 tbox Exp $
|
||||
|
||||
srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
top_srcdir = @top_srcdir@
|
||||
|
||||
SUBDIRS = named rndc dig dnssec tests tools nsupdate \
|
||||
check confgen @PKCS11_TOOLS@
|
||||
SUBDIRS = named rndc dig dnssec tests nsupdate check
|
||||
TARGETS =
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
#
|
||||
# Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -13,7 +13,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: Makefile.in,v 1.35 2009/09/02 23:48:01 tbox Exp $
|
||||
# $Id: Makefile.in,v 1.32 2007/06/19 23:46:59 tbox Exp $
|
||||
|
||||
srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
@@ -26,13 +26,12 @@ top_srcdir = @top_srcdir@
|
||||
CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
|
||||
${ISC_INCLUDES}
|
||||
|
||||
CDEFINES = -DBIND9 -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
|
||||
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
|
||||
CWARNINGS =
|
||||
|
||||
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
|
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
ISCLIBS = ../../lib/isc/libisc.@A@
|
||||
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
|
||||
BIND9LIBS = ../../lib/bind9/libbind9.@A@
|
||||
|
||||
DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||
@@ -40,8 +39,7 @@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
|
||||
|
||||
LIBS = ${ISCLIBS} @LIBS@
|
||||
NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
|
||||
LIBS = @LIBS@
|
||||
|
||||
SUBDIRS =
|
||||
|
||||
@@ -71,14 +69,14 @@ named-checkzone.@O@: named-checkzone.c
|
||||
|
||||
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
|
||||
${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
|
||||
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
|
||||
export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
|
||||
${FINALBUILDCMD}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \
|
||||
${DNSLIBS} ${ISCLIBS} ${LIBS}
|
||||
|
||||
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
|
||||
export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
|
||||
export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
|
||||
${FINALBUILDCMD}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
|
||||
${ISCLIBS} ${LIBS}
|
||||
|
||||
doc man:: ${MANOBJS}
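Review bot: The named-checkconf rule links `${DNSLIBS}` but lists only `${ISCDEPLIBS}`, `${ISCCFGDEPLIBS}` and `${BIND9DEPLIBS}` as prerequisites, so a rebuilt libdns does not by itself trigger a relink and the checker can keep carrying stale library code. The named-checkzone rule has the same gap for `${ISCCFGLIBS}`, since its prerequisites name only `${ISCDEPLIBS}` and `${DNSDEPLIBS}`. Both variables are already defined earlier in this file, so it would be enough to append `${DNSDEPLIBS}` to the first rule's prerequisite list and `${ISCCFGDEPLIBS}` to the second. This holds whichever of the two recipe forms shown is kept, because both link the same libraries.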
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: check-tool.c,v 1.39 2009/09/01 00:22:24 jinmei Exp $ */
|
||||
/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -597,7 +597,8 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
|
||||
isc_buffer_add(&buffer, strlen(zonename));
|
||||
dns_fixedname_init(&fixorigin);
|
||||
origin = dns_fixedname_name(&fixorigin);
|
||||
CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
|
||||
CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
|
||||
ISC_FALSE, NULL));
|
||||
CHECK(dns_zone_setorigin(zone, origin));
|
||||
CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
|
||||
CHECK(dns_zone_setfile2(zone, filename, fileformat));
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
@@ -13,7 +13,7 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: named-checkconf.8,v 1.32 2009/07/14 01:13:07 tbox Exp $
|
||||
.\" $Id: named-checkconf.8,v 1.30 2007/06/20 02:27:32 marka Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
@@ -33,7 +33,7 @@
|
||||
named\-checkconf \- named configuration file syntax checking tool
|
||||
.SH "SYNOPSIS"
|
||||
.HP 16
|
||||
\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-z\fR]
|
||||
\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBnamed\-checkconf\fR
|
||||
@@ -59,13 +59,6 @@ Print the version of the
|
||||
program and exit.
|
||||
.RE
|
||||
.PP
|
||||
\-p
|
||||
.RS 4
|
||||
Print out the
|
||||
\fInamed.conf\fR
|
||||
and included files in canonical form if no errors were detected.
|
||||
.RE
|
||||
.PP
|
||||
\-z
|
||||
.RS 4
|
||||
Perform a test load of all master zones found in
|
||||
@@ -95,7 +88,7 @@ BIND 9 Administrator Reference Manual.
|
||||
.PP
|
||||
Internet Systems Consortium
|
||||
.SH "COPYRIGHT"
|
||||
Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
Copyright \(co 2000\-2002 Internet Software Consortium.
|
||||
.br
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named-checkconf.c,v 1.50 2009/09/29 15:06:05 fdupont Exp $ */
|
||||
/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -59,9 +59,6 @@ isc_log_t *logc = NULL;
|
||||
} while (0)
|
||||
|
||||
/*% usage */
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
|
||||
@@ -390,15 +387,6 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
|
||||
return (result);
|
||||
}
|
||||
|
||||
static void
|
||||
output(void *closure, const char *text, int textlen) {
|
||||
UNUSED(closure);
|
||||
if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
|
||||
perror("fwrite");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
/*% The main processing routine */
|
||||
int
|
||||
main(int argc, char **argv) {
|
||||
@@ -411,11 +399,10 @@ main(int argc, char **argv) {
|
||||
int exit_status = 0;
|
||||
isc_entropy_t *ectx = NULL;
|
||||
isc_boolean_t load_zones = ISC_FALSE;
|
||||
isc_boolean_t print = ISC_FALSE;
|
||||
|
||||
isc_commandline_errprint = ISC_FALSE;
|
||||
|
||||
while ((c = isc_commandline_parse(argc, argv, "dhjt:pvz")) != EOF) {
|
||||
while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
|
||||
switch (c) {
|
||||
case 'd':
|
||||
debug++;
|
||||
@@ -434,10 +421,6 @@ main(int argc, char **argv) {
|
||||
}
|
||||
break;
|
||||
|
||||
case 'p':
|
||||
print = ISC_TRUE;
|
||||
break;
|
||||
|
||||
case 'v':
|
||||
printf(VERSION "\n");
|
||||
exit(0);
|
||||
@@ -498,8 +481,6 @@ main(int argc, char **argv) {
|
||||
exit_status = 1;
|
||||
}
|
||||
|
||||
if (print && exit_status == 0)
|
||||
cfg_print(config, output, NULL);
|
||||
cfg_obj_destroy(parser, &config);
|
||||
|
||||
cfg_parser_destroy(&parser);
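Review bot: The `@@ -59,9 +59,6 @@` hunk leaves usage() without a no-return annotation, because the prototype `ISC_PLATFORM_NORETURN_PRE static void usage(void) ISC_PLATFORM_NORETURN_POST;` is gone on the new side. The same prototype is dropped in named-checkzone.c's `@@ -70,22 +70,17 @@` hunk, where the body visibly ends in `exit(1);`. Without the annotation, compilers and static analysers treat the code after a usage() call as reachable, which tends to produce spurious uninitialised-variable or fall-through findings that can bury real ones. If this branch's platform header still defines the two macros (not visible here), keep the prototype; otherwise a comment such as `/* usage() prints the synopsis and does not return */` above the definition records the contract. The body of usage() continues outside the hunk, so its exit path in this file is inferred from the checkzone counterpart.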
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||||
[<!ENTITY mdash "—">]>
|
||||
<!--
|
||||
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -18,7 +18,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: named-checkconf.docbook,v 1.21 2009/07/13 23:47:42 tbox Exp $ -->
|
||||
<!-- $Id: named-checkconf.docbook,v 1.19 2007/06/19 06:58:03 marka Exp $ -->
|
||||
<refentry id="man.named-checkconf">
|
||||
<refentryinfo>
|
||||
<date>June 14, 2000</date>
|
||||
@@ -35,7 +35,6 @@
|
||||
<year>2004</year>
|
||||
<year>2005</year>
|
||||
<year>2007</year>
|
||||
<year>2009</year>
|
||||
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||||
</copyright>
|
||||
<copyright>
|
||||
@@ -59,7 +58,6 @@
|
||||
<arg><option>-j</option></arg>
|
||||
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg choice="req">filename</arg>
|
||||
<arg><option>-p</option></arg>
|
||||
<arg><option>-z</option></arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
@@ -89,7 +87,8 @@
|
||||
<term>-t <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Chroot to <filename>directory</filename> so that include
|
||||
Chroot to <filename>directory</filename> so that
|
||||
include
|
||||
directives in the configuration file are processed as if
|
||||
run by a similarly chrooted named.
|
||||
</para>
|
||||
@@ -106,16 +105,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-p</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Print out the <filename>named.conf</filename> and included files
|
||||
in canonical form if no errors were detected.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-z</term>
|
||||
<listitem>
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
<!--
|
||||
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
@@ -14,7 +14,7 @@
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: named-checkconf.html,v 1.32 2009/07/14 01:13:07 tbox Exp $ -->
|
||||
<!-- $Id: named-checkconf.html,v 1.30 2007/06/20 02:27:32 marka Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
@@ -29,17 +29,17 @@
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543395"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2543387"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">named-checkconf</strong></span>
|
||||
checks the syntax, but not the semantics, of a named
|
||||
configuration file.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543406"></a><h2>OPTIONS</h2>
|
||||
<a name="id2543399"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
@@ -47,7 +47,8 @@
|
||||
</p></dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Chroot to <code class="filename">directory</code> so that include
|
||||
Chroot to <code class="filename">directory</code> so that
|
||||
include
|
||||
directives in the configuration file are processed as if
|
||||
run by a similarly chrooted named.
|
||||
</p></dd>
|
||||
@@ -56,11 +57,6 @@
|
||||
Print the version of the <span><strong class="command">named-checkconf</strong></span>
|
||||
program and exit.
|
||||
</p></dd>
|
||||
<dt><span class="term">-p</span></dt>
|
||||
<dd><p>
|
||||
Print out the <code class="filename">named.conf</code> and included files
|
||||
in canonical form if no errors were detected.
|
||||
</p></dd>
|
||||
<dt><span class="term">-z</span></dt>
|
||||
<dd><p>
|
||||
Perform a test load of all master zones found in
|
||||
@@ -78,21 +74,21 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543530"></a><h2>RETURN VALUES</h2>
|
||||
<a name="id2543507"></a><h2>RETURN VALUES</h2>
|
||||
<p><span><strong class="command">named-checkconf</strong></span>
|
||||
returns an exit status of 1 if
|
||||
errors were detected and 0 otherwise.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543542"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2543518"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543572"></a><h2>AUTHOR</h2>
|
||||
<a name="id2543548"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
.\" Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
@@ -13,7 +13,7 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: named-checkzone.8,v 1.45 2009/11/11 01:14:41 tbox Exp $
|
||||
.\" $Id: named-checkzone.8,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
@@ -33,9 +33,9 @@
|
||||
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
|
||||
.SH "SYNOPSIS"
|
||||
.HP 16
|
||||
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
|
||||
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
|
||||
.HP 18
|
||||
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
|
||||
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBnamed\-checkzone\fR
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named-checkzone.c,v 1.57 2009/11/10 21:30:42 each Exp $ */
|
||||
/* $Id: named-checkzone.c,v 1.51.34.3 2009/05/29 02:17:43 marka Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -70,22 +70,17 @@ static enum { progmode_check, progmode_compile } progmode;
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr,
|
||||
"usage: %s [-djqvD] [-c class] "
|
||||
"usage: %s [-djqvD] [-c class] [-o output] "
|
||||
"[-f inputformat] [-F outputformat] "
|
||||
"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
|
||||
"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
|
||||
"[-i (full|full-sibling|local|local-sibling|none)] "
|
||||
"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
|
||||
"[-W (ignore|warn)] "
|
||||
"%s zonename filename\n",
|
||||
prog_name,
|
||||
progmode == progmode_check ? "[-o filename]" : "-o filename");
|
||||
"zonename filename\n", prog_name);
|
||||
exit(1);
|
||||
}
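Review bot: usage() now prints `[-o output]` unconditionally, so named-compilezone's help shows the output file as optional even though the `progmode` enum is still present (see the hunk header context). If compile mode still rejects a missing `-o` (the option handling is outside this hunk), the message contradicts the behaviour. Keeping a per-mode argument such as `progmode == progmode_check ? "[-o filename]" : "-o filename"` would avoid that. The string also omits `-h` and `-s style`, which the named-checkzone.8 synopsis elsewhere on this page lists. Adding `"[-s style] "` and putting `h` in the `[-djqvD]` group would keep the two in step.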
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: named-checkzone.docbook,v 1.37 2009/11/10 20:02:01 each Exp $ -->
|
||||
<!-- $Id: named-checkzone.docbook,v 1.34.334.2 2009/01/22 23:47:04 tbox Exp $ -->
|
||||
<refentry id="man.named-checkzone">
|
||||
<refentryinfo>
|
||||
<date>June 13, 2000</date>
|
||||
@@ -69,6 +69,7 @@
|
||||
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
|
||||
<arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
|
||||
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
|
||||
<arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
|
||||
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
|
||||
<arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
|
||||
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
@@ -98,7 +99,6 @@
|
||||
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg><option>-D</option></arg>
|
||||
<arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
|
||||
<arg choice="req"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
|
||||
<arg choice="req">zonename</arg>
|
||||
<arg choice="req">filename</arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
@@ -14,7 +14,7 @@
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: named-checkzone.html,v 1.45 2009/11/11 01:14:41 tbox Exp $ -->
|
||||
<!-- $Id: named-checkzone.html,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
@@ -29,11 +29,11 @@
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543674"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2543672"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">named-checkzone</strong></span>
|
||||
checks the syntax and integrity of a zone file. It performs the
|
||||
same checks as <span><strong class="command">named</strong></span> does when loading a
|
||||
@@ -53,7 +53,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543709"></a><h2>OPTIONS</h2>
|
||||
<a name="id2543707"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-d</span></dt>
|
||||
<dd><p>
|
||||
@@ -239,14 +239,14 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544330"></a><h2>RETURN VALUES</h2>
|
||||
<a name="id2544328"></a><h2>RETURN VALUES</h2>
|
||||
<p><span><strong class="command">named-checkzone</strong></span>
|
||||
returns an exit status of 1 if
|
||||
errors were detected and 0 otherwise.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544342"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2544340"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
|
||||
<em class="citetitle">RFC 1035</em>,
|
||||
@@ -254,7 +254,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544375"></a><h2>AUTHOR</h2>
|
||||
<a name="id2544373"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -43,7 +43,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdchecktool
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdchecktool
|
||||
# SUBTRACT CPP /X
|
||||
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
|
||||
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
|
||||
@@ -70,7 +70,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdchecktool
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdchecktool
|
||||
# SUBTRACT CPP /X
|
||||
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
|
||||
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
|
||||
|
||||
@@ -42,7 +42,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c
|
||||
# ADD BASE RSC /l 0x409 /d "NDEBUG"
|
||||
# ADD RSC /l 0x409 /d "NDEBUG"
|
||||
BSC32=bscmake.exe
|
||||
@@ -66,7 +66,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# SUBTRACT CPP /X /YX
|
||||
# ADD BASE RSC /l 0x409 /d "_DEBUG"
|
||||
# ADD RSC /l 0x409 /d "_DEBUG"
|
||||
|
||||
@@ -138,7 +138,7 @@ CLEAN :
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc"
|
||||
BSC32_SBRS= \
|
||||
@@ -203,7 +203,7 @@ CLEAN :
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc"
|
||||
BSC32_SBRS= \
|
||||
|
||||
@@ -42,7 +42,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /YX /FD /c
|
||||
# SUBTRACT CPP /Fr
|
||||
# ADD BASE RSC /l 0x409 /d "NDEBUG"
|
||||
# ADD RSC /l 0x409 /d "NDEBUG"
|
||||
@@ -67,7 +67,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# SUBTRACT CPP /X /YX
|
||||
# ADD BASE RSC /l 0x409 /d "_DEBUG"
|
||||
# ADD RSC /l 0x409 /d "_DEBUG"
|
||||
|
||||
@@ -130,7 +130,7 @@ CLEAN :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP=cl.exe
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\namedcheckzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\namedcheckzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
|
||||
.c{$(INTDIR)}.obj::
|
||||
$(CPP) @<<
|
||||
@@ -221,7 +221,7 @@ CLEAN :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP=cl.exe
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
|
||||
.c{$(INTDIR)}.obj::
|
||||
$(CPP) @<<
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
Makefile
|
||||
ddns-confgen
|
||||
rndc-confgen
|
||||
@@ -1,101 +0,0 @@
|
||||
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# Permission to use, copy, modify, and/or distribute this software for any
|
||||
# purpose with or without fee is hereby granted, provided that the above
|
||||
# copyright notice and this permission notice appear in all copies.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: Makefile.in,v 1.7 2009/09/22 08:47:55 fdupont Exp $
|
||||
|
||||
srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
top_srcdir = @top_srcdir@
|
||||
|
||||
@BIND9_VERSION@
|
||||
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
|
||||
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
|
||||
|
||||
CDEFINES = -DBIND9
|
||||
CWARNINGS =
|
||||
|
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
|
||||
ISCLIBS = ../../lib/isc/libisc.@A@
|
||||
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
|
||||
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
|
||||
BIND9LIBS = ../../lib/bind9/libbind9.@A@
|
||||
|
||||
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
|
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||
DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
|
||||
|
||||
RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
|
||||
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
|
||||
|
||||
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
|
||||
|
||||
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
|
||||
|
||||
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
|
||||
|
||||
SRCS= rndc-confgen.c ddns-confgen.c
|
||||
|
||||
SUBDIRS = unix
|
||||
|
||||
TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
|
||||
|
||||
MANPAGES = rndc-confgen.8 ddns-confgen.8
|
||||
|
||||
HTMLPAGES = rndc-confgen.html ddns-confgen.html
|
||||
|
||||
MANOBJS = ${MANPAGES} ${HTMLPAGES}
|
||||
|
||||
UOBJS = unix/os.@O@
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
rndc-confgen.@O@: rndc-confgen.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
|
||||
-c ${srcdir}/rndc-confgen.c
|
||||
|
||||
ddns-confgen.@O@: ddns-confgen.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
|
||||
|
||||
rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
|
||||
export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
|
||||
export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
doc man:: ${MANOBJS}
|
||||
|
||||
docclean manclean maintainer-clean::
|
||||
rm -f ${MANOBJS}
|
||||
|
||||
installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
|
||||
${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
|
||||
|
||||
clean distclean maintainer-clean::
|
||||
rm -f ${TARGETS}
|
||||
@@ -1,143 +0,0 @@
|
||||
.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: ddns-confgen.8,v 1.10 2009/09/19 01:14:52 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
.\" Title: ddns\-confgen
|
||||
.\" Author:
|
||||
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
|
||||
.\" Date: Jan 29, 2009
|
||||
.\" Manual: BIND9
|
||||
.\" Source: BIND9
|
||||
.\"
|
||||
.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
|
||||
.\" disable hyphenation
|
||||
.nh
|
||||
.\" disable justification (adjust text to left margin only)
|
||||
.ad l
|
||||
.SH "NAME"
|
||||
ddns\-confgen \- ddns key generation tool
|
||||
.SH "SYNOPSIS"
|
||||
.HP 13
|
||||
\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBddns\-confgen\fR
|
||||
generates a key for use by
|
||||
\fBnsupdate\fR
|
||||
and
|
||||
\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
|
||||
\fBnsupdate\fR
|
||||
and
|
||||
\fBnamed.conf\fR
|
||||
syntax that will be needed to use it, including an example
|
||||
\fBupdate\-policy\fR
|
||||
statement.
|
||||
.PP
|
||||
If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
|
||||
\fBnamed.conf\fR
|
||||
syntax. For example,
|
||||
\fBddns\-confgen example.com\fR
|
||||
would generate a key called "ddns\-key.example.com", and sample
|
||||
\fBnamed.conf\fR
|
||||
command that could be used in the zone definition for "example.com".
|
||||
.PP
|
||||
Note that
|
||||
\fBnamed\fR
|
||||
itself can configure a local DDNS key for use with
|
||||
\fBnsupdate \-l\fR.
|
||||
\fBddns\-confgen\fR
|
||||
is only needed when a more elaborate configuration is required: for instance, if
|
||||
\fBnsupdate\fR
|
||||
is to be used from a remote system.
|
||||
.SH "OPTIONS"
|
||||
.PP
|
||||
\-a \fIalgorithm\fR
|
||||
.RS 4
|
||||
Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
|
||||
.RE
|
||||
.PP
|
||||
\-h
|
||||
.RS 4
|
||||
Prints a short summary of the options and arguments to
|
||||
\fBddns\-confgen\fR.
|
||||
.RE
|
||||
.PP
|
||||
\-k \fIkeyname\fR
|
||||
.RS 4
|
||||
Specifies the key name of the DDNS authentication key. The default is
|
||||
\fBddns\-key\fR
|
||||
when neither the
|
||||
\fB\-s\fR
|
||||
nor
|
||||
\fB\-z\fR
|
||||
option is specified; otherwise, the default is
|
||||
\fBddns\-key\fR
|
||||
as a separate label followed by the argument of the option, e.g.,
|
||||
\fBddns\-key.example.com.\fR
|
||||
The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
|
||||
.RE
|
||||
.PP
|
||||
\-q
|
||||
.RS 4
|
||||
Quiet mode: Print only the key, with no explanatory text or usage examples.
|
||||
.RE
|
||||
.PP
|
||||
\-r \fIrandomfile\fR
|
||||
.RS 4
|
||||
Specifies a source of random data for generating the authorization. If the operating system does not provide a
|
||||
\fI/dev/random\fR
|
||||
or equivalent device, the default source of randomness is keyboard input.
|
||||
\fIrandomdev\fR
|
||||
specifies the name of a character device or file containing random data to be used instead of the default. The special value
|
||||
\fIkeyboard\fR
|
||||
indicates that keyboard input should be used.
|
||||
.RE
|
||||
.PP
|
||||
\-s \fIname\fR
|
||||
.RS 4
|
||||
Single host mode: The example
|
||||
\fBnamed.conf\fR
|
||||
text shows how to set an update policy for the specified
|
||||
\fIname\fR
|
||||
using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
|
||||
\fB\-z\fR
|
||||
option.
|
||||
.RE
|
||||
.PP
|
||||
\-z \fIzone\fR
|
||||
.RS 4
|
||||
zone mode: The example
|
||||
\fBnamed.conf\fR
|
||||
text shows how to set an update policy for the specified
|
||||
\fIzone\fR
|
||||
using the "zonesub" nametype, allowing updates to all subdomain names within that
|
||||
\fIzone\fR. This option cannot be used with the
|
||||
\fB\-s\fR
|
||||
option.
|
||||
.RE
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
\fBnsupdate\fR(1),
|
||||
\fBnamed.conf\fR(5),
|
||||
\fBnamed\fR(8),
|
||||
BIND 9 Administrator Reference Manual.
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Systems Consortium
|
||||
.SH "COPYRIGHT"
|
||||
Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
@@ -1,257 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: ddns-confgen.c,v 1.9 2009/09/29 15:06:05 fdupont Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
/**
|
||||
* ddns-confgen generates configuration files for dynamic DNS. It can
|
||||
* be used as a convenient alternative to writing the ddns.key file
|
||||
* and the corresponding key and update-policy statements in named.conf.
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include <isc/assertions.h>
|
||||
#include <isc/base64.h>
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/commandline.h>
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/file.h>
|
||||
#include <isc/keyboard.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/net.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/result.h>
|
||||
#include <isc/string.h>
|
||||
#include <isc/time.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <dns/keyvalues.h>
|
||||
#include <dns/name.h>
|
||||
|
||||
#include <dst/dst.h>
|
||||
#include <confgen/os.h>
|
||||
|
||||
#include "util.h"
|
||||
#include "keygen.h"
|
||||
|
||||
#define DEFAULT_KEYNAME "ddns-key"
|
||||
|
||||
static char program[256];
|
||||
const char *progname;
|
||||
|
||||
isc_boolean_t verbose = ISC_FALSE;
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(int status) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void
|
||||
usage(int status) {
|
||||
|
||||
fprintf(stderr, "\
|
||||
Usage:\n\
|
||||
%s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
|
||||
-a alg: algorithm (default hmac-sha256)\n\
|
||||
-k keyname: name of the key as it will be used in named.conf\n\
|
||||
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
|
||||
-s name: domain name to be updated using the created key\n\
|
||||
-z zone: name of the zone as it will be used in named.conf\n\
|
||||
-q: quiet mode: print the key, with no explanatory text\n",
|
||||
progname);
|
||||
|
||||
exit (status);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv) {
|
||||
isc_boolean_t show_final_mem = ISC_FALSE;
|
||||
isc_boolean_t quiet = ISC_FALSE;
|
||||
isc_buffer_t key_txtbuffer;
|
||||
char key_txtsecret[256];
|
||||
isc_mem_t *mctx = NULL;
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
const char *randomfile = NULL;
|
||||
const char *keyname = NULL;
|
||||
const char *zone = NULL;
|
||||
const char *self_domain = NULL;
|
||||
char *keybuf = NULL;
|
||||
dns_secalg_t alg = DST_ALG_HMACSHA256;
|
||||
const char *algname = alg_totext(alg);
|
||||
int keysize = 256;
|
||||
int len = 0;
|
||||
int ch;
|
||||
|
||||
result = isc_file_progname(*argv, program, sizeof(program));
|
||||
if (result != ISC_R_SUCCESS)
|
||||
memcpy(program, "ddns-confgen", 13);
|
||||
progname = program;
|
||||
|
||||
isc_commandline_errprint = ISC_FALSE;
|
||||
|
||||
while ((ch = isc_commandline_parse(argc, argv,
|
||||
"a:hk:Mmr:qs:Vy:z:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'a':
|
||||
algname = isc_commandline_argument;
|
||||
alg = alg_fromtext(algname);
|
||||
if (alg == DST_ALG_UNKNOWN)
|
||||
fatal("Unsupported algorithm '%s'", algname);
|
||||
keysize = alg_bits(alg);
|
||||
break;
|
||||
case 'h':
|
||||
usage(0);
|
||||
case 'k':
|
||||
case 'y':
|
||||
keyname = isc_commandline_argument;
|
||||
break;
|
||||
case 'M':
|
||||
isc_mem_debugging = ISC_MEM_DEBUGTRACE;
|
||||
break;
|
||||
case 'm':
|
||||
show_final_mem = ISC_TRUE;
|
||||
break;
|
||||
case 'q':
|
||||
quiet = ISC_TRUE;
|
||||
break;
|
||||
case 'r':
|
||||
randomfile = isc_commandline_argument;
|
||||
break;
|
||||
case 's':
|
||||
self_domain = isc_commandline_argument;
|
||||
break;
|
||||
case 'V':
|
||||
verbose = ISC_TRUE;
|
||||
break;
|
||||
case 'z':
|
||||
zone = isc_commandline_argument;
|
||||
break;
|
||||
case '?':
|
||||
if (isc_commandline_option != '?') {
|
||||
fprintf(stderr, "%s: invalid argument -%c\n",
|
||||
program, isc_commandline_option);
|
||||
usage(1);
|
||||
} else
|
||||
usage(0);
|
||||
break;
|
||||
default:
|
||||
fprintf(stderr, "%s: unhandled option -%c\n",
|
||||
program, isc_commandline_option);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
argc -= isc_commandline_index;
|
||||
argv += isc_commandline_index;
|
||||
|
||||
if (self_domain != NULL && zone != NULL)
|
||||
usage(1); /* -s and -z cannot coexist */
|
||||
|
||||
if (argc > 0)
|
||||
usage(1);
|
||||
|
||||
DO("create memory context", isc_mem_create(0, 0, &mctx));
|
||||
|
||||
if (keyname == NULL) {
|
||||
const char *suffix = NULL;
|
||||
|
||||
keyname = DEFAULT_KEYNAME;
|
||||
if (self_domain != NULL)
|
||||
suffix = self_domain;
|
||||
else if (zone != NULL)
|
||||
suffix = zone;
|
||||
if (suffix != NULL) {
|
||||
len = strlen(keyname) + strlen(suffix) + 2;
|
||||
keybuf = isc_mem_get(mctx, len);
|
||||
if (keybuf == NULL)
|
||||
fatal("failed to allocate memory for keyname");
|
||||
snprintf(keybuf, len, "%s.%s", keyname, suffix);
|
||||
keyname = (const char *) keybuf;
|
||||
}
|
||||
}
|
||||
|
||||
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
|
||||
|
||||
generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
|
||||
|
||||
|
||||
if (!quiet)
|
||||
printf("\
|
||||
# To activate this key, place the following in named.conf, and\n\
|
||||
# in a separate keyfile on the system or systems from which nsupdate\n\
|
||||
# will be run:\n");
|
||||
|
||||
printf("\
|
||||
key \"%s\" {\n\
|
||||
algorithm %s;\n\
|
||||
secret \"%.*s\";\n\
|
||||
};\n",
|
||||
keyname, algname,
|
||||
(int)isc_buffer_usedlength(&key_txtbuffer),
|
||||
(char *)isc_buffer_base(&key_txtbuffer));
|
||||
|
||||
if (!quiet) {
|
||||
if (self_domain != NULL) {
|
||||
printf("\n\
|
||||
# Then, in the \"zone\" statement for the zone containing the\n\
|
||||
# name \"%s\", place an \"update-policy\" statement\n\
|
||||
# like this one, adjusted as needed for your preferred permissions:\n\
|
||||
update-policy {\n\
|
||||
grant %s name %s ANY;\n\
|
||||
};\n",
|
||||
self_domain, keyname, self_domain);
|
||||
} else if (zone != NULL) {
|
||||
printf("\n\
|
||||
# Then, in the \"zone\" definition statement for \"%s\",\n\
|
||||
# place an \"update-policy\" statement like this one, adjusted as \n\
|
||||
# needed for your preferred permissions:\n\
|
||||
update-policy {\n\
|
||||
grant %s zonesub ANY;\n\
|
||||
};\n",
|
||||
zone, keyname);
|
||||
} else {
|
||||
printf("\n\
|
||||
# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
|
||||
# update, place an \"update-policy\" statement granting update permission\n\
|
||||
# to this key. For example, the following statement grants this key\n\
|
||||
# permission to update any name within the zone:\n\
|
||||
update-policy {\n\
|
||||
grant %s zonesub ANY;\n\
|
||||
};\n",
|
||||
keyname);
|
||||
}
|
||||
|
||||
printf("\n\
|
||||
# After the keyfile has been placed, the following command will\n\
|
||||
# execute nsupdate using this key:\n\
|
||||
nsupdate -k <keyfile>\n");
|
||||
|
||||
}
|
||||
|
||||
if (keybuf != NULL)
|
||||
isc_mem_put(mctx, keybuf, len);
|
||||
|
||||
if (show_final_mem)
|
||||
isc_mem_stats(mctx, stderr);
|
||||
|
||||
isc_mem_destroy(&mctx);
|
||||
|
||||
return (0);
|
||||
}
|
||||
@@ -1,218 +0,0 @@
|
||||
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||||
[<!ENTITY mdash "—">]>
|
||||
<!--
|
||||
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: ddns-confgen.docbook,v 1.6 2009/09/18 22:08:55 fdupont Exp $ -->
|
||||
<refentry id="man.ddns-confgen">
|
||||
<refentryinfo>
|
||||
<date>Jan 29, 2009</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle><application>ddns-confgen</application></refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
<refmiscinfo>BIND9</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname><application>ddns-confgen</application></refname>
|
||||
<refpurpose>ddns key generation tool</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<docinfo>
|
||||
<copyright>
|
||||
<year>2009</year>
|
||||
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||||
</copyright>
|
||||
</docinfo>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>ddns-confgen</command>
|
||||
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
|
||||
<arg><option>-h</option></arg>
|
||||
<arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
|
||||
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
|
||||
<group>
|
||||
<arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
|
||||
<arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
|
||||
</group>
|
||||
<arg><option>-q</option></arg>
|
||||
<arg choice="opt">name</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>DESCRIPTION</title>
|
||||
<para><command>ddns-confgen</command>
|
||||
generates a key for use by <command>nsupdate</command>
|
||||
and <command>named</command>. It simplifies configuration
|
||||
of dynamic zones by generating a key and providing the
|
||||
<command>nsupdate</command> and <command>named.conf</command>
|
||||
syntax that will be needed to use it, including an example
|
||||
<command>update-policy</command> statement.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If a domain name is specified on the command line, it will
|
||||
be used in the name of the generated key and in the sample
|
||||
<command>named.conf</command> syntax. For example,
|
||||
<command>ddns-confgen example.com</command> would
|
||||
generate a key called "ddns-key.example.com", and sample
|
||||
<command>named.conf</command> command that could be used
|
||||
in the zone definition for "example.com".
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Note that <command>named</command> itself can configure a
|
||||
local DDNS key for use with <command>nsupdate -l</command>.
|
||||
<command>ddns-confgen</command> is only needed when a
|
||||
more elaborate configuration is required: for instance, if
|
||||
<command>nsupdate</command> is to be used from a remote system.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>OPTIONS</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the algorithm to use for the TSIG key. Available
|
||||
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
|
||||
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-h</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Prints a short summary of the options and arguments to
|
||||
<command>ddns-confgen</command>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-k <replaceable class="parameter">keyname</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the key name of the DDNS authentication key.
|
||||
The default is <constant>ddns-key</constant> when neither
|
||||
the <option>-s</option> nor <option>-z</option> option is
|
||||
specified; otherwise, the default
|
||||
is <constant>ddns-key</constant> as a separate label
|
||||
followed by the argument of the option, e.g.,
|
||||
<constant>ddns-key.example.com.</constant>
|
||||
The key name must have the format of a valid domain name,
|
||||
consisting of letters, digits, hyphens and periods.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-q</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Quiet mode: Print only the key, with no explanatory text or
|
||||
usage examples.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-r <replaceable class="parameter">randomfile</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies a source of random data for generating the
|
||||
authorization. If the operating system does not provide a
|
||||
<filename>/dev/random</filename> or equivalent device, the
|
||||
default source of randomness is keyboard input.
|
||||
<filename>randomdev</filename> specifies the name of a
|
||||
character device or file containing random data to be used
|
||||
instead of the default. The special value
|
||||
<filename>keyboard</filename> indicates that keyboard input
|
||||
should be used.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-s <replaceable class="parameter">name</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Single host mode: The example <command>named.conf</command> text
|
||||
shows how to set an update policy for the specified
|
||||
<replaceable class="parameter">name</replaceable>
|
||||
using the "name" nametype.
|
||||
The default key name is
|
||||
ddns-key.<replaceable class="parameter">name</replaceable>.
|
||||
Note that the "self" nametype cannot be used, since
|
||||
the name to be updated may differ from the key name.
|
||||
This option cannot be used with the <option>-z</option> option.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-z <replaceable class="parameter">zone</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
zone mode: The example <command>named.conf</command> text
|
||||
shows how to set an update policy for the specified
|
||||
<replaceable class="parameter">zone</replaceable>
|
||||
using the "zonesub" nametype, allowing updates to all subdomain
|
||||
names within
|
||||
that <replaceable class="parameter">zone</replaceable>.
|
||||
This option cannot be used with the <option>-s</option> option.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>SEE ALSO</title>
|
||||
<para><citerefentry>
|
||||
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>AUTHOR</title>
|
||||
<para><corpauthor>Internet Systems Consortium</corpauthor>
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry><!--
|
||||
- Local variables:
|
||||
- mode: sgml
|
||||
- End:
|
||||
-->
|
||||
@@ -1,141 +0,0 @@
|
||||
<!--
|
||||
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: ddns-confgen.html,v 1.10 2009/09/19 01:14:52 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>ddns-confgen</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
|
||||
</head>
|
||||
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
|
||||
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">ddns-confgen</span> — ddns key generation tool</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543395"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">ddns-confgen</strong></span>
|
||||
generates a key for use by <span><strong class="command">nsupdate</strong></span>
|
||||
and <span><strong class="command">named</strong></span>. It simplifies configuration
|
||||
of dynamic zones by generating a key and providing the
|
||||
<span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
|
||||
syntax that will be needed to use it, including an example
|
||||
<span><strong class="command">update-policy</strong></span> statement.
|
||||
</p>
|
||||
<p>
|
||||
If a domain name is specified on the command line, it will
|
||||
be used in the name of the generated key and in the sample
|
||||
<span><strong class="command">named.conf</strong></span> syntax. For example,
|
||||
<span><strong class="command">ddns-confgen example.com</strong></span> would
|
||||
generate a key called "ddns-key.example.com", and sample
|
||||
<span><strong class="command">named.conf</strong></span> command that could be used
|
||||
in the zone definition for "example.com".
|
||||
</p>
|
||||
<p>
|
||||
Note that <span><strong class="command">named</strong></span> itself can configure a
|
||||
local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
|
||||
<span><strong class="command">ddns-confgen</strong></span> is only needed when a
|
||||
more elaborate configuration is required: for instance, if
|
||||
<span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543454"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the algorithm to use for the TSIG key. Available
|
||||
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
|
||||
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
|
||||
</p></dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
Prints a short summary of the options and arguments to
|
||||
<span><strong class="command">ddns-confgen</strong></span>.
|
||||
</p></dd>
|
||||
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the key name of the DDNS authentication key.
|
||||
The default is <code class="constant">ddns-key</code> when neither
|
||||
the <code class="option">-s</code> nor <code class="option">-z</code> option is
|
||||
specified; otherwise, the default
|
||||
is <code class="constant">ddns-key</code> as a separate label
|
||||
followed by the argument of the option, e.g.,
|
||||
<code class="constant">ddns-key.example.com.</code>
|
||||
The key name must have the format of a valid domain name,
|
||||
consisting of letters, digits, hyphens and periods.
|
||||
</p></dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
Quiet mode: Print only the key, with no explanatory text or
|
||||
usage examples.
|
||||
</p></dd>
|
||||
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies a source of random data for generating the
|
||||
authorization. If the operating system does not provide a
|
||||
<code class="filename">/dev/random</code> or equivalent device, the
|
||||
default source of randomness is keyboard input.
|
||||
<code class="filename">randomdev</code> specifies the name of a
|
||||
character device or file containing random data to be used
|
||||
instead of the default. The special value
|
||||
<code class="filename">keyboard</code> indicates that keyboard input
|
||||
should be used.
|
||||
</p></dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
|
||||
<dd><p>
|
||||
Single host mode: The example <span><strong class="command">named.conf</strong></span> text
|
||||
shows how to set an update policy for the specified
|
||||
<em class="replaceable"><code>name</code></em>
|
||||
using the "name" nametype.
|
||||
The default key name is
|
||||
ddns-key.<em class="replaceable"><code>name</code></em>.
|
||||
Note that the "self" nametype cannot be used, since
|
||||
the name to be updated may differ from the key name.
|
||||
This option cannot be used with the <code class="option">-z</code> option.
|
||||
</p></dd>
|
||||
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
|
||||
<dd><p>
|
||||
zone mode: The example <span><strong class="command">named.conf</strong></span> text
|
||||
shows how to set an update policy for the specified
|
||||
<em class="replaceable"><code>zone</code></em>
|
||||
using the "zonesub" nametype, allowing updates to all subdomain
|
||||
names within
|
||||
that <em class="replaceable"><code>zone</code></em>.
|
||||
This option cannot be used with the <code class="option">-s</code> option.
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543642"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543681"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
</div></body>
|
||||
</html>
|
||||
@@ -1,39 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: os.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
#ifndef RNDC_OS_H
|
||||
#define RNDC_OS_H 1
|
||||
|
||||
#include <isc/lang.h>
|
||||
#include <stdio.h>
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
int set_user(FILE *fd, const char *user);
|
||||
/*%<
|
||||
* Set the owner of the file referenced by 'fd' to 'user'.
|
||||
* Returns:
|
||||
* 0 success
|
||||
* -1 insufficient permissions, or 'user' does not exist.
|
||||
*/
|
||||
|
||||
ISC_LANG_ENDDECLS
|
||||
|
||||
#endif
|
||||
@@ -1,218 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: keygen.c,v 1.4 2009/11/12 14:02:38 marka Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include <isc/base64.h>
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/file.h>
|
||||
#include <isc/keyboard.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/result.h>
|
||||
#include <isc/string.h>
|
||||
|
||||
#include <dns/keyvalues.h>
|
||||
#include <dns/name.h>
|
||||
|
||||
#include <dst/dst.h>
|
||||
#include <confgen/os.h>
|
||||
|
||||
#include "util.h"
|
||||
#include "keygen.h"
|
||||
|
||||
/*%
|
||||
* Convert algorithm type to string.
|
||||
*/
|
||||
const char *
|
||||
alg_totext(dns_secalg_t alg) {
|
||||
switch (alg) {
|
||||
case DST_ALG_HMACMD5:
|
||||
return "hmac-md5";
|
||||
case DST_ALG_HMACSHA1:
|
||||
return "hmac-sha1";
|
||||
case DST_ALG_HMACSHA224:
|
||||
return "hmac-sha224";
|
||||
case DST_ALG_HMACSHA256:
|
||||
return "hmac-sha256";
|
||||
case DST_ALG_HMACSHA384:
|
||||
return "hmac-sha384";
|
||||
case DST_ALG_HMACSHA512:
|
||||
return "hmac-sha512";
|
||||
default:
|
||||
return "(unknown)";
|
||||
}
|
||||
}
|
||||
|
||||
/*%
|
||||
* Convert string to algorithm type.
|
||||
*/
|
||||
dns_secalg_t
|
||||
alg_fromtext(const char *name) {
|
||||
if (strcmp(name, "hmac-md5") == 0)
|
||||
return DST_ALG_HMACMD5;
|
||||
if (strcmp(name, "hmac-sha1") == 0)
|
||||
return DST_ALG_HMACSHA1;
|
||||
if (strcmp(name, "hmac-sha224") == 0)
|
||||
return DST_ALG_HMACSHA224;
|
||||
if (strcmp(name, "hmac-sha256") == 0)
|
||||
return DST_ALG_HMACSHA256;
|
||||
if (strcmp(name, "hmac-sha384") == 0)
|
||||
return DST_ALG_HMACSHA384;
|
||||
if (strcmp(name, "hmac-sha512") == 0)
|
||||
return DST_ALG_HMACSHA512;
|
||||
return DST_ALG_UNKNOWN;
|
||||
}
|
||||
|
||||
/*%
|
||||
* Return default keysize for a given algorithm type.
|
||||
*/
|
||||
int
|
||||
alg_bits(dns_secalg_t alg) {
|
||||
switch (alg) {
|
||||
case DST_ALG_HMACMD5:
|
||||
return 128;
|
||||
case DST_ALG_HMACSHA1:
|
||||
return 160;
|
||||
case DST_ALG_HMACSHA224:
|
||||
return 224;
|
||||
case DST_ALG_HMACSHA256:
|
||||
return 256;
|
||||
case DST_ALG_HMACSHA384:
|
||||
return 384;
|
||||
case DST_ALG_HMACSHA512:
|
||||
return 512;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/*%
|
||||
* Generate a key of size 'keysize' using entropy source 'randomfile',
|
||||
* and place it in 'key_txtbuffer'
|
||||
*/
|
||||
void
|
||||
generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
|
||||
int keysize, isc_buffer_t *key_txtbuffer) {
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
isc_entropysource_t *entropy_source = NULL;
|
||||
int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
|
||||
int entropy_flags = 0;
|
||||
isc_entropy_t *ectx = NULL;
|
||||
isc_buffer_t key_rawbuffer;
|
||||
isc_region_t key_rawregion;
|
||||
char key_rawsecret[64];
|
||||
dst_key_t *key = NULL;
|
||||
|
||||
switch (alg) {
|
||||
case DST_ALG_HMACMD5:
|
||||
if (keysize < 1 || keysize > 512)
|
||||
fatal("keysize %d out of range (must be 1-512)\n",
|
||||
keysize);
|
||||
break;
|
||||
case DST_ALG_HMACSHA256:
|
||||
if (keysize < 1 || keysize > 256)
|
||||
fatal("keysize %d out of range (must be 1-256)\n",
|
||||
keysize);
|
||||
break;
|
||||
default:
|
||||
fatal("unsupported algorithm %d\n", alg);
|
||||
}
|
||||
|
||||
|
||||
DO("create entropy context", isc_entropy_create(mctx, &ectx));
|
||||
|
||||
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
|
||||
randomfile = NULL;
|
||||
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
|
||||
}
|
||||
DO("start entropy source", isc_entropy_usebestsource(ectx,
|
||||
&entropy_source,
|
||||
randomfile,
|
||||
open_keyboard));
|
||||
|
||||
entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
|
||||
|
||||
DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
|
||||
|
||||
DO("generate key", dst_key_generate(dns_rootname, alg,
|
||||
keysize, 0, 0,
|
||||
DNS_KEYPROTO_ANY,
|
||||
dns_rdataclass_in, mctx, &key));
|
||||
|
||||
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
|
||||
|
||||
DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
|
||||
|
||||
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
|
||||
|
||||
DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
|
||||
key_txtbuffer));
|
||||
|
||||
/*
|
||||
* Shut down the entropy source now so the "stop typing" message
|
||||
* does not muck with the output.
|
||||
*/
|
||||
if (entropy_source != NULL)
|
||||
isc_entropy_destroysource(&entropy_source);
|
||||
|
||||
if (key != NULL)
|
||||
dst_key_free(&key);
|
||||
|
||||
isc_entropy_detach(&ectx);
|
||||
dst_lib_destroy();
|
||||
}
|
||||
|
||||
/*%
|
||||
* Write a key file to 'keyfile'. If 'user' is non-NULL,
|
||||
* make that user the owner of the file. The key will have
|
||||
* the name 'keyname' and the secret in the buffer 'secret'.
|
||||
*/
|
||||
void
|
||||
write_key_file(const char *keyfile, const char *user,
|
||||
const char *keyname, isc_buffer_t *secret,
|
||||
dns_secalg_t alg) {
|
||||
isc_result_t result;
|
||||
const char *algname = alg_totext(alg);
|
||||
FILE *fd = NULL;
|
||||
|
||||
DO("create keyfile", isc_file_safecreate(keyfile, &fd));
|
||||
|
||||
if (user != NULL) {
|
||||
if (set_user(fd, user) == -1)
|
||||
fatal("unable to set file owner\n");
|
||||
}
|
||||
|
||||
fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
|
||||
"\tsecret \"%.*s\";\n};\n",
|
||||
keyname, algname,
|
||||
(int)isc_buffer_usedlength(secret),
|
||||
(char *)isc_buffer_base(secret));
|
||||
fflush(fd);
|
||||
if (ferror(fd))
|
||||
fatal("write to %s failed\n", keyfile);
|
||||
if (fclose(fd))
|
||||
fatal("fclose(%s) failed\n", keyfile);
|
||||
fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
|
||||
}
|
||||
|
||||
@@ -1,41 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: keygen.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
|
||||
|
||||
#ifndef RNDC_KEYGEN_H
|
||||
#define RNDC_KEYGEN_H 1
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <isc/lang.h>
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
|
||||
int keysize, isc_buffer_t *key_txtbuffer);
|
||||
|
||||
void write_key_file(const char *keyfile, const char *user,
|
||||
const char *keyname, isc_buffer_t *secret,
|
||||
dns_secalg_t alg);
|
||||
|
||||
const char *alg_totext(dns_secalg_t alg);
|
||||
dns_secalg_t alg_fromtext(const char *name);
|
||||
int alg_bits(dns_secalg_t alg);
|
||||
|
||||
ISC_LANG_ENDDECLS
|
||||
|
||||
#endif /* RNDC_KEYGEN_H */
|
||||
@@ -1 +0,0 @@
|
||||
Makefile
|
||||
@@ -1,56 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: util.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include <isc/boolean.h>
|
||||
|
||||
#include "util.h"
|
||||
|
||||
extern isc_boolean_t verbose;
|
||||
extern const char *progname;
|
||||
|
||||
void
|
||||
notify(const char *fmt, ...) {
|
||||
va_list ap;
|
||||
|
||||
if (verbose) {
|
||||
va_start(ap, fmt);
|
||||
vfprintf(stderr, fmt, ap);
|
||||
va_end(ap);
|
||||
fputs("\n", stderr);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
fatal(const char *format, ...) {
|
||||
va_list args;
|
||||
|
||||
fprintf(stderr, "%s: ", progname);
|
||||
va_start(args, format);
|
||||
vfprintf(stderr, format, args);
|
||||
va_end(args);
|
||||
fprintf(stderr, "\n");
|
||||
exit(1);
|
||||
}
|
||||
@@ -1,52 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: util.h,v 1.4 2009/09/29 15:06:05 fdupont Exp $ */
|
||||
|
||||
#ifndef RNDC_UTIL_H
|
||||
#define RNDC_UTIL_H 1
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <isc/lang.h>
|
||||
#include <isc/platform.h>
|
||||
|
||||
#include <isc/formatcheck.h>
|
||||
|
||||
#define NS_CONTROL_PORT 953
|
||||
|
||||
#undef DO
|
||||
#define DO(name, function) \
|
||||
do { \
|
||||
result = function; \
|
||||
if (result != ISC_R_SUCCESS) \
|
||||
fatal("%s: %s", name, isc_result_totext(result)); \
|
||||
else \
|
||||
notify("%s", name); \
|
||||
} while (0)
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
void
|
||||
notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE void
|
||||
fatal(const char *format, ...)
|
||||
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
ISC_LANG_ENDDECLS
|
||||
|
||||
#endif /* RNDC_UTIL_H */
|
||||
@@ -1,135 +0,0 @@
|
||||
# Microsoft Developer Studio Project File - Name="confgentool" - Package Owner=<4>
|
||||
# Microsoft Developer Studio Generated Build File, Format Version 6.00
|
||||
# ** DO NOT EDIT **
|
||||
|
||||
# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104
|
||||
|
||||
CFG=confgentool - Win32 Debug
|
||||
!MESSAGE This is not a valid makefile. To build this project using NMAKE,
|
||||
!MESSAGE use the Export Makefile command and run
|
||||
!MESSAGE
|
||||
!MESSAGE NMAKE /f "confgentool.mak".
|
||||
!MESSAGE
|
||||
!MESSAGE You can specify a configuration when running NMAKE
|
||||
!MESSAGE by defining the macro CFG on the command line. For example:
|
||||
!MESSAGE
|
||||
!MESSAGE NMAKE /f "confgentool.mak" CFG="confgentool - Win32 Debug"
|
||||
!MESSAGE
|
||||
!MESSAGE Possible choices for configuration are:
|
||||
!MESSAGE
|
||||
!MESSAGE "confgentool - Win32 Release" (based on "Win32 (x86) Static-Link Library")
|
||||
!MESSAGE "confgentool - Win32 Debug" (based on "Win32 (x86) Static-Link Library")
|
||||
!MESSAGE
|
||||
|
||||
# Begin Project
|
||||
# PROP AllowPerConfigDependencies 0
|
||||
# PROP Scc_ProjName ""
|
||||
# PROP Scc_LocalPath ""
|
||||
CPP=cl.exe
|
||||
MTL=midl.exe
|
||||
RSC=rc.exe
|
||||
|
||||
!IF "$(CFG)" == "confgentool - Win32 Release"
|
||||
|
||||
# PROP BASE Use_MFC 0
|
||||
# PROP BASE Use_Debug_Libraries 0
|
||||
# PROP BASE Output_Dir "Release"
|
||||
# PROP BASE Intermediate_Dir "Release"
|
||||
# PROP BASE Target_Dir ""
|
||||
# PROP Use_MFC 0
|
||||
# PROP Use_Debug_Libraries 0
|
||||
# PROP Output_Dir "Release"
|
||||
# PROP Intermediate_Dir "Release"
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdconfgentool
|
||||
# SUBTRACT CPP /X
|
||||
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
|
||||
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
|
||||
# ADD BASE RSC /l 0x409 /d "NDEBUG"
|
||||
# ADD RSC /l 0x409 /d "NDEBUG"
|
||||
BSC32=bscmake.exe
|
||||
# ADD BASE BSC32 /nologo
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32
|
||||
# ADD LINK32 /out:"Release/confgentool.lib"
|
||||
LIB32=lib.exe
|
||||
# ADD BASE LIB32
|
||||
# ADD LIB32 /out:"Release/confgentool.lib"
|
||||
|
||||
!ELSEIF "$(CFG)" == "confgentool - Win32 Debug"
|
||||
|
||||
# PROP BASE Use_MFC 0
|
||||
# PROP BASE Use_Debug_Libraries 1
|
||||
# PROP BASE Output_Dir "Debug"
|
||||
# PROP BASE Intermediate_Dir "Debug"
|
||||
# PROP BASE Target_Dir ""
|
||||
# PROP Use_MFC 0
|
||||
# PROP Use_Debug_Libraries 1
|
||||
# PROP Output_Dir "Debug"
|
||||
# PROP Intermediate_Dir "Debug"
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdconfgentool
|
||||
# SUBTRACT CPP /X
|
||||
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
|
||||
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
|
||||
# ADD BASE RSC /l 0x409 /d "_DEBUG"
|
||||
# ADD RSC /l 0x409 /d "_DEBUG"
|
||||
BSC32=bscmake.exe
|
||||
# ADD BASE BSC32 /nologo
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32
|
||||
# ADD LINK32 /debug /out:"Debug/confgentool.lib"
|
||||
LIB32=lib.exe
|
||||
# ADD BASE LIB32
|
||||
# ADD LIB32 /out:"Debug/confgentool.lib"
|
||||
|
||||
!ENDIF
|
||||
|
||||
# Begin Target
|
||||
|
||||
# Name "confgentool - Win32 Release"
|
||||
# Name "confgentool - Win32 Debug"
|
||||
# Begin Group "Source Files"
|
||||
|
||||
# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
|
||||
# End Group
|
||||
# Begin Group "Header Files"
|
||||
|
||||
# PROP Default_Filter "h;hpp;hxx;hm;inl"
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=..\keygen.h
|
||||
# End Source File
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=..\util.h
|
||||
# End Source File
|
||||
# End Group
|
||||
# Begin Group "Resource Files"
|
||||
|
||||
# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
|
||||
# End Group
|
||||
# Begin Group "Main Dns Lib"
|
||||
|
||||
# PROP Default_Filter "c"
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=..\keygen.c
|
||||
# End Source File
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=..\util.c
|
||||
# End Source File
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=.\os.c
|
||||
# End Source File
|
||||
# End Group
|
||||
# End Target
|
||||
# End Project
|
||||
@@ -1,29 +0,0 @@
|
||||
Microsoft Developer Studio Workspace File, Format Version 6.00
|
||||
# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
|
||||
|
||||
###############################################################################
|
||||
|
||||
Project: "confgentool"=".\confgentool.dsp" - Package Owner=<4>
|
||||
|
||||
Package=<5>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
Package=<4>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
###############################################################################
|
||||
|
||||
Global:
|
||||
|
||||
Package=<5>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
Package=<3>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -1,103 +0,0 @@
|
||||
# Microsoft Developer Studio Project File - Name="ddnsconfgen" - Package Owner=<4>
|
||||
# Microsoft Developer Studio Generated Build File, Format Version 6.00
|
||||
# ** DO NOT EDIT **
|
||||
|
||||
# TARGTYPE "Win32 (x86) Console Application" 0x0103
|
||||
|
||||
CFG=ddnsconfgen - Win32 Debug
|
||||
!MESSAGE This is not a valid makefile. To build this project using NMAKE,
|
||||
!MESSAGE use the Export Makefile command and run
|
||||
!MESSAGE
|
||||
!MESSAGE NMAKE /f "ddnsconfgen.mak".
|
||||
!MESSAGE
|
||||
!MESSAGE You can specify a configuration when running NMAKE
|
||||
!MESSAGE by defining the macro CFG on the command line. For example:
|
||||
!MESSAGE
|
||||
!MESSAGE NMAKE /f "ddnsconfgen.mak" CFG="ddnsconfgen - Win32 Debug"
|
||||
!MESSAGE
|
||||
!MESSAGE Possible choices for configuration are:
|
||||
!MESSAGE
|
||||
!MESSAGE "ddnsconfgen - Win32 Release" (based on "Win32 (x86) Console Application")
|
||||
!MESSAGE "ddnsconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")
|
||||
!MESSAGE
|
||||
|
||||
# Begin Project
|
||||
# PROP AllowPerConfigDependencies 0
|
||||
# PROP Scc_ProjName ""
|
||||
# PROP Scc_LocalPath ""
|
||||
CPP=cl.exe
|
||||
RSC=rc.exe
|
||||
|
||||
!IF "$(CFG)" == "ddnsconfgen - Win32 Release"
|
||||
|
||||
# PROP BASE Use_MFC 0
|
||||
# PROP BASE Use_Debug_Libraries 0
|
||||
# PROP BASE Output_Dir "Release"
|
||||
# PROP BASE Intermediate_Dir "Release"
|
||||
# PROP BASE Target_Dir ""
|
||||
# PROP Use_MFC 0
|
||||
# PROP Use_Debug_Libraries 0
|
||||
# PROP Output_Dir "Release"
|
||||
# PROP Intermediate_Dir "Release"
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD BASE RSC /l 0x409 /d "NDEBUG"
|
||||
# ADD RSC /l 0x409 /d "NDEBUG"
|
||||
BSC32=bscmake.exe
|
||||
# ADD BASE BSC32 /nologo
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/confgentool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/ddns-confgen.exe"
|
||||
|
||||
!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"
|
||||
|
||||
# PROP BASE Use_MFC 0
|
||||
# PROP BASE Use_Debug_Libraries 1
|
||||
# PROP BASE Output_Dir "Debug"
|
||||
# PROP BASE Intermediate_Dir "Debug"
|
||||
# PROP BASE Target_Dir ""
|
||||
# PROP Use_MFC 0
|
||||
# PROP Use_Debug_Libraries 1
|
||||
# PROP Output_Dir "Debug"
|
||||
# PROP Intermediate_Dir "Debug"
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# SUBTRACT CPP /X /YX
|
||||
# ADD BASE RSC /l 0x409 /d "_DEBUG"
|
||||
# ADD RSC /l 0x409 /d "_DEBUG"
|
||||
BSC32=bscmake.exe
|
||||
# ADD BASE BSC32 /nologo
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/confgentool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/ddns-confgen.exe" /pdbtype:sept
|
||||
|
||||
!ENDIF
|
||||
|
||||
# Begin Target
|
||||
|
||||
# Name "ddnsconfgen - Win32 Release"
|
||||
# Name "ddnsconfgen - Win32 Debug"
|
||||
# Begin Group "Source Files"
|
||||
|
||||
# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
|
||||
# Begin Source File
|
||||
|
||||
SOURCE="..\ddns-confgen.c"
|
||||
# End Source File
|
||||
# End Group
|
||||
# Begin Group "Header Files"
|
||||
|
||||
# PROP Default_Filter "h;hpp;hxx;hm;inl"
|
||||
# End Group
|
||||
# Begin Group "Resource Files"
|
||||
|
||||
# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
|
||||
# End Group
|
||||
# End Target
|
||||
# End Project
|
||||
@@ -1,29 +0,0 @@
|
||||
Microsoft Developer Studio Workspace File, Format Version 6.00
|
||||
# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
|
||||
|
||||
###############################################################################
|
||||
|
||||
Project: "ddnsconfgen"=".\ddnsconfgen.dsp" - Package Owner=<4>
|
||||
|
||||
Package=<5>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
Package=<4>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
###############################################################################
|
||||
|
||||
Global:
|
||||
|
||||
Package=<5>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
Package=<3>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -1,337 +0,0 @@
|
||||
# Microsoft Developer Studio Generated NMAKE File, Based on ddnsconfgen.dsp
|
||||
!IF "$(CFG)" == ""
|
||||
CFG=ddnsconfgen - Win32 Debug
|
||||
!MESSAGE No configuration specified. Defaulting to ddnsconfgen - Win32 Debug.
|
||||
!ENDIF
|
||||
|
||||
!IF "$(CFG)" != "ddnsconfgen - Win32 Release" && "$(CFG)" != "ddnsconfgen - Win32 Debug"
|
||||
!MESSAGE Invalid configuration "$(CFG)" specified.
|
||||
!MESSAGE You can specify a configuration when running NMAKE
|
||||
!MESSAGE by defining the macro CFG on the command line. For example:
|
||||
!MESSAGE
|
||||
!MESSAGE NMAKE /f "ddnsconfgen.mak" CFG="ddnsconfgen - Win32 Debug"
|
||||
!MESSAGE
|
||||
!MESSAGE Possible choices for configuration are:
|
||||
!MESSAGE
|
||||
!MESSAGE "ddnsconfgen - Win32 Release" (based on "Win32 (x86) Console Application")
|
||||
!MESSAGE "ddnsconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")
|
||||
!MESSAGE
|
||||
!ERROR An invalid configuration is specified.
|
||||
!ENDIF
|
||||
|
||||
!IF "$(OS)" == "Windows_NT"
|
||||
NULL=
|
||||
!ELSE
|
||||
NULL=nul
|
||||
!ENDIF
|
||||
|
||||
CPP=cl.exe
|
||||
RSC=rc.exe
|
||||
|
||||
!IF "$(CFG)" == "ddnsconfgen - Win32 Release"
|
||||
_VC_MANIFEST_INC=0
|
||||
_VC_MANIFEST_BASENAME=__VC80
|
||||
!ELSE
|
||||
_VC_MANIFEST_INC=1
|
||||
_VC_MANIFEST_BASENAME=__VC80.Debug
|
||||
!ENDIF
|
||||
|
||||
####################################################
|
||||
# Specifying name of temporary resource file used only in incremental builds:
|
||||
|
||||
!if "$(_VC_MANIFEST_INC)" == "1"
|
||||
_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
|
||||
!else
|
||||
_VC_MANIFEST_AUTO_RES=
|
||||
!endif
|
||||
|
||||
####################################################
|
||||
# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
|
||||
|
||||
!if "$(_VC_MANIFEST_INC)" == "1"
|
||||
|
||||
#MT_SPECIAL_RETURN=1090650113
|
||||
#MT_SPECIAL_SWITCH=-notify_resource_update
|
||||
MT_SPECIAL_RETURN=0
|
||||
MT_SPECIAL_SWITCH=
|
||||
_VC_MANIFEST_EMBED_EXE= \
|
||||
if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
|
||||
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
|
||||
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
|
||||
link $** /out:$@ $(LFLAGS)
|
||||
|
||||
!else
|
||||
|
||||
_VC_MANIFEST_EMBED_EXE= \
|
||||
if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
|
||||
|
||||
!endif
|
||||
|
||||
####################################################
|
||||
# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
|
||||
|
||||
!if "$(_VC_MANIFEST_INC)" == "1"
|
||||
|
||||
#MT_SPECIAL_RETURN=1090650113
|
||||
#MT_SPECIAL_SWITCH=-notify_resource_update
|
||||
MT_SPECIAL_RETURN=0
|
||||
MT_SPECIAL_SWITCH=
|
||||
_VC_MANIFEST_EMBED_EXE= \
|
||||
if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
|
||||
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
|
||||
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
|
||||
link $** /out:$@ $(LFLAGS)
|
||||
|
||||
!else
|
||||
|
||||
_VC_MANIFEST_EMBED_EXE= \
|
||||
if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
|
||||
|
||||
!endif
|
||||
####################################################
|
||||
# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
|
||||
|
||||
!if "$(_VC_MANIFEST_INC)" == "1"
|
||||
|
||||
_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
|
||||
$(_VC_MANIFEST_BASENAME).auto.rc \
|
||||
$(_VC_MANIFEST_BASENAME).auto.manifest
|
||||
|
||||
!else
|
||||
|
||||
_VC_MANIFEST_CLEAN=
|
||||
|
||||
!endif
|
||||
|
||||
!IF "$(CFG)" == "ddnsconfgen - Win32 Release"
|
||||
|
||||
OUTDIR=.\Release
|
||||
INTDIR=.\Release
|
||||
|
||||
ALL : "..\..\..\Build\Release\ddns-confgen.exe"
|
||||
|
||||
|
||||
CLEAN :
|
||||
-@erase "$(INTDIR)\os.obj"
|
||||
-@erase "$(INTDIR)\ddns-confgen.obj"
|
||||
-@erase "$(INTDIR)\keygen.obj"
|
||||
-@erase "$(INTDIR)\util.obj"
|
||||
-@erase "$(INTDIR)\vc60.idb"
|
||||
-@erase "..\..\..\Build\Release\ddns-confgen.exe"
|
||||
-@$(_VC_MANIFEST_CLEAN)
|
||||
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\ddnsconfgen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\ddnsconfgen.bsc"
|
||||
BSC32_SBRS= \
|
||||
|
||||
LINK32=link.exe
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\ddns-confgen.pdb" /machine:I386 /out:"../../../Build/Release/ddns-confgen.exe"
|
||||
LINK32_OBJS= \
|
||||
"$(INTDIR)\os.obj" \
|
||||
"$(INTDIR)\ddns-confgen.obj" \
|
||||
"$(INTDIR)\keygen.obj" \
|
||||
"$(INTDIR)\util.obj"
|
||||
|
||||
"..\..\..\Build\Release\ddns-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
|
||||
$(LINK32) @<<
|
||||
$(LINK32_FLAGS) $(LINK32_OBJS)
|
||||
<<
|
||||
$(_VC_MANIFEST_EMBED_EXE)
|
||||
|
||||
!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"
|
||||
|
||||
OUTDIR=.\Debug
|
||||
INTDIR=.\Debug
|
||||
# Begin Custom Macros
|
||||
OutDir=.\Debug
|
||||
# End Custom Macros
|
||||
|
||||
ALL : "..\..\..\Build\Debug\ddns-confgen.exe" "$(OUTDIR)\ddnsconfgen.bsc"
|
||||
|
||||
|
||||
CLEAN :
|
||||
-@erase "$(INTDIR)\os.obj"
|
||||
-@erase "$(INTDIR)\os.sbr"
|
||||
-@erase "$(INTDIR)\ddns-confgen.obj"
|
||||
-@erase "$(INTDIR)\ddns-confgen.sbr"
|
||||
-@erase "$(INTDIR)\keygen.obj"
|
||||
-@erase "$(INTDIR)\keygen.sbr"
|
||||
-@erase "$(INTDIR)\util.obj"
|
||||
-@erase "$(INTDIR)\util.sbr"
|
||||
-@erase "$(INTDIR)\vc60.idb"
|
||||
-@erase "$(INTDIR)\vc60.pdb"
|
||||
-@erase "$(OUTDIR)\ddnsconfgen.bsc"
|
||||
-@erase "$(OUTDIR)\ddns-confgen.pdb"
|
||||
-@erase "..\..\..\Build\Debug\ddns-confgen.exe"
|
||||
-@erase "..\..\..\Build\Debug\ddns-confgen.ilk"
|
||||
-@$(_VC_MANIFEST_CLEAN)
|
||||
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\ddnsconfgen.bsc"
|
||||
BSC32_SBRS= \
|
||||
"$(INTDIR)\os.sbr" \
|
||||
"$(INTDIR)\ddns-confgen.sbr" \
|
||||
"$(INTDIR)\keygen.sbr" \
|
||||
"$(INTDIR)\util.sbr"
|
||||
|
||||
"$(OUTDIR)\ddnsconfgen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
|
||||
$(BSC32) @<<
|
||||
$(BSC32_FLAGS) $(BSC32_SBRS)
|
||||
<<
|
||||
|
||||
LINK32=link.exe
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\ddns-confgen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/ddns-confgen.exe" /pdbtype:sept
|
||||
LINK32_OBJS= \
|
||||
"$(INTDIR)\os.obj" \
|
||||
"$(INTDIR)\ddns-confgen.obj" \
|
||||
"$(INTDIR)\keygen.obj" \
|
||||
"$(INTDIR)\util.obj"
|
||||
|
||||
"..\..\..\Build\Debug\ddns-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
|
||||
$(LINK32) @<<
|
||||
$(LINK32_FLAGS) $(LINK32_OBJS)
|
||||
<<
|
||||
$(_VC_MANIFEST_EMBED_EXE)
|
||||
|
||||
!ENDIF
|
||||
|
||||
.c{$(INTDIR)}.obj::
|
||||
$(CPP) @<<
|
||||
$(CPP_PROJ) $<
|
||||
<<
|
||||
|
||||
.cpp{$(INTDIR)}.obj::
|
||||
$(CPP) @<<
|
||||
$(CPP_PROJ) $<
|
||||
<<
|
||||
|
||||
.cxx{$(INTDIR)}.obj::
|
||||
$(CPP) @<<
|
||||
$(CPP_PROJ) $<
|
||||
<<
|
||||
|
||||
.c{$(INTDIR)}.sbr::
|
||||
$(CPP) @<<
|
||||
$(CPP_PROJ) $<
|
||||
<<
|
||||
|
||||
.cpp{$(INTDIR)}.sbr::
|
||||
$(CPP) @<<
|
||||
$(CPP_PROJ) $<
|
||||
<<
|
||||
|
||||
.cxx{$(INTDIR)}.sbr::
|
||||
$(CPP) @<<
|
||||
$(CPP_PROJ) $<
|
||||
<<
|
||||
|
||||
|
||||
!IF "$(NO_EXTERNAL_DEPS)" != "1"
|
||||
!IF EXISTS("ddnsconfgen.dep")
|
||||
!INCLUDE "ddnsconfgen.dep"
|
||||
!ELSE
|
||||
!MESSAGE Warning: cannot find "ddnsconfgen.dep"
|
||||
!ENDIF
|
||||
!ENDIF
|
||||
|
||||
|
||||
!IF "$(CFG)" == "ddnsconfgen - Win32 Release" || "$(CFG)" == "ddnsconfgen - Win32 Debug"
|
||||
SOURCE=.\os.c
|
||||
|
||||
!IF "$(CFG)" == "ddnsconfgen - Win32 Release"
|
||||
|
||||
|
||||
"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"
|
||||
|
||||
|
||||
!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"
|
||||
|
||||
|
||||
"$(INTDIR)\os.obj" "$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
SOURCE="..\ddns-confgen.c"
|
||||
|
||||
!IF "$(CFG)" == "ddnsconfgen - Win32 Release"
|
||||
|
||||
|
||||
"$(INTDIR)\ddns-confgen.obj" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"
|
||||
|
||||
|
||||
"$(INTDIR)\ddns-confgen.obj" "$(INTDIR)\ddns-confgen.sbr" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
SOURCE=..\keygen.c
|
||||
|
||||
!IF "$(CFG)" == "ddnsconfgen - Win32 Release"
|
||||
|
||||
|
||||
"$(INTDIR)\keygen.obj" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"
|
||||
|
||||
|
||||
"$(INTDIR)\keygen.obj" "$(INTDIR)\keygen.sbr" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
SOURCE=..\util.c
|
||||
|
||||
!IF "$(CFG)" == "ddnsconfgen - Win32 Release"
|
||||
|
||||
|
||||
"$(INTDIR)\util.obj" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"
|
||||
|
||||
|
||||
"$(INTDIR)\util.obj" "$(INTDIR)\util.sbr" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
####################################################
|
||||
# Commands to generate initial empty manifest file and the RC file
|
||||
# that references it, and for generating the .res file:
|
||||
|
||||
$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
|
||||
|
||||
$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
|
||||
type <<$@
|
||||
#include <winuser.h>
|
||||
1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
|
||||
<< KEEP
|
||||
|
||||
$(_VC_MANIFEST_BASENAME).auto.manifest :
|
||||
type <<$@
|
||||
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
|
||||
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
|
||||
</assembly>
|
||||
<< KEEP
|
||||
@@ -1,29 +0,0 @@
|
||||
Microsoft Developer Studio Workspace File, Format Version 6.00
|
||||
# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
|
||||
|
||||
###############################################################################
|
||||
|
||||
Project: "rndconfgen"=".\rndconfgen.dsp" - Package Owner=<4>
|
||||
|
||||
Package=<5>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
Package=<4>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
###############################################################################
|
||||
|
||||
Global:
|
||||
|
||||
Package=<5>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
Package=<3>
|
||||
{{{
|
||||
}}}
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
#
|
||||
# Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -13,7 +13,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: Makefile.in,v 1.46 2009/09/22 08:47:55 fdupont Exp $
|
||||
# $Id: Makefile.in,v 1.41 2007/06/19 23:46:59 tbox Exp $
|
||||
|
||||
srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
@@ -24,16 +24,15 @@ top_srcdir = @top_srcdir@
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
|
||||
${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
|
||||
${ISC_INCLUDES} ${LWRES_INCLUDES}
|
||||
|
||||
CDEFINES = -DBIND9 -DVERSION=\"${VERSION}\"
|
||||
CDEFINES = -DVERSION=\"${VERSION}\"
|
||||
CWARNINGS =
|
||||
|
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
|
||||
BIND9LIBS = ../../lib/bind9/libbind9.@A@
|
||||
ISCLIBS = ../../lib/isc/libisc.@A@
|
||||
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
|
||||
LWRESLIBS = ../../lib/lwres/liblwres.@A@
|
||||
|
||||
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
@@ -45,11 +44,8 @@ LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
|
||||
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
|
||||
${LWRESDEPLIBS}
|
||||
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
|
||||
${ISCLIBS} @IDNLIBS@ @LIBS@
|
||||
|
||||
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
|
||||
${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
|
||||
${ISCCFGLIBS} @IDNLIBS@ @LIBS@
|
||||
|
||||
SUBDIRS =
|
||||
|
||||
@@ -70,16 +66,16 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
|
||||
|
||||
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
|
||||
export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
|
||||
|
||||
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
|
||||
export BASEOBJS="nslookup.@O@ dighost.@O@ ${UOBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
|
||||
|
||||
doc man:: ${MANOBJS}
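Review bot: The new `LIBS` definition in the `-45,11 +44,8` hunk lists `${ISCLIBS}` before `${ISCCFGLIBS}`, and both expand to static archives (`libisc.@A@`, `libisccfg.@A@`). If libisccfg references libisc symbols, which seems likely but is not shown here, a single-pass linker can leave them unresolved unless an earlier archive already pulled them in. Putting the dependent archive first avoids relying on that: `LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \` followed by `${ISCLIBS} @IDNLIBS@ @LIBS@`. A one-line comment above `LIBS` stating that the order matters for static links would also keep it from being reshuffled again.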
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
@@ -13,7 +13,7 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dig.1,v 1.53 2009/07/11 01:12:45 tbox Exp $
|
||||
.\" $Id: dig.1,v 1.50.44.2 2009/02/03 01:52:10 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
|
||||
165
bin/dig/dig.c
165
bin/dig/dig.c
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dig.c,v 1.233 2009/10/03 18:03:53 each Exp $ */
|
||||
/* $Id: dig.c,v 1.225.26.4 2009/05/06 10:18:33 fdupont Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -138,9 +138,6 @@ print_usage(FILE *fp) {
|
||||
" [ host [@local-server] {local-d-opt} [...]]\n", fp);
|
||||
}
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
print_usage(stderr);
|
||||
@@ -674,6 +671,19 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
|
||||
}
|
||||
}
|
||||
|
||||
static isc_uint32_t
|
||||
parse_uint(char *arg, const char *desc, isc_uint32_t max) {
|
||||
isc_result_t result;
|
||||
isc_uint32_t tmp;
|
||||
|
||||
result = isc_parse_uint32(&tmp, arg, 10);
|
||||
if (result == ISC_R_SUCCESS && tmp > max)
|
||||
result = ISC_R_RANGE;
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("%s '%s': %s", desc, arg, isc_result_totext(result));
|
||||
return (tmp);
|
||||
}
|
||||
|
||||
/*%
|
||||
* We're not using isc_commandline_parse() here since the command line
|
||||
* syntax of dig is quite a bit different from that which can be described
|
||||
@@ -685,10 +695,8 @@ static void
|
||||
plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
dig_lookup_t *lookup)
|
||||
{
|
||||
isc_result_t result;
|
||||
char option_store[256];
|
||||
char *cmd, *value, *ptr;
|
||||
isc_uint32_t num;
|
||||
isc_boolean_t state = ISC_TRUE;
|
||||
#ifdef DIG_SIGCHASE
|
||||
size_t n;
|
||||
@@ -736,7 +744,6 @@ plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
lookup->section_additional = state;
|
||||
break;
|
||||
case 'f': /* adflag */
|
||||
case '\0': /* +ad is a synonym for +adflag */
|
||||
FULLCHECK("adflag");
|
||||
lookup->adflag = state;
|
||||
break;
|
||||
@@ -778,11 +785,8 @@ plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
goto need_value;
|
||||
if (!state)
|
||||
goto invalid_option;
|
||||
result = parse_uint(&num, value, COMMSIZE,
|
||||
"buffer size");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse buffer size");
|
||||
lookup->udpsize = num;
|
||||
lookup->udpsize = (isc_uint16_t) parse_uint(value,
|
||||
"buffer size", COMMSIZE);
|
||||
break;
|
||||
default:
|
||||
goto invalid_option;
|
||||
@@ -791,15 +795,8 @@ plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
case 'c':
|
||||
switch (cmd[1]) {
|
||||
case 'd':/* cdflag */
|
||||
switch (cmd[2]) {
|
||||
case 'f': /* cdflag */
|
||||
case '\0': /* +cd is a synonym for +cdflag */
|
||||
FULLCHECK("cdflag");
|
||||
lookup->cdflag = state;
|
||||
break;
|
||||
default:
|
||||
goto invalid_option;
|
||||
}
|
||||
FULLCHECK("cdflag");
|
||||
lookup->cdflag = state;
|
||||
break;
|
||||
case 'l': /* cl */
|
||||
FULLCHECK("cl");
|
||||
@@ -854,10 +851,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
}
|
||||
if (value == NULL)
|
||||
goto need_value;
|
||||
result = parse_uint(&num, value, 255, "edns");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse edns");
|
||||
lookup->edns = num;
|
||||
lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
|
||||
break;
|
||||
case 'f': /* fail */
|
||||
FULLCHECK("fail");
|
||||
@@ -887,10 +881,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
goto need_value;
|
||||
if (!state)
|
||||
goto invalid_option;
|
||||
result = parse_uint(&num, value, MAXNDOTS, "ndots");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse ndots");
|
||||
ndots = num;
|
||||
ndots = parse_uint(value, "ndots", MAXNDOTS);
|
||||
break;
|
||||
case 's':
|
||||
switch (cmd[2]) {
|
||||
@@ -955,10 +946,8 @@ plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
goto need_value;
|
||||
if (!state)
|
||||
goto invalid_option;
|
||||
result = parse_uint(&lookup->retries, value,
|
||||
MAXTRIES - 1, "retries");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse retries");
|
||||
lookup->retries = parse_uint(value, "retries",
|
||||
MAXTRIES - 1);
|
||||
lookup->retries++;
|
||||
break;
|
||||
default:
|
||||
@@ -1034,10 +1023,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
goto need_value;
|
||||
if (!state)
|
||||
goto invalid_option;
|
||||
result = parse_uint(&timeout, value, MAXTIMEOUT,
|
||||
"timeout");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse timeout");
|
||||
timeout = parse_uint(value, "timeout", MAXTIMEOUT);
|
||||
if (timeout == 0)
|
||||
timeout = 1;
|
||||
break;
|
||||
@@ -1070,10 +1056,8 @@ plus_option(char *option, isc_boolean_t is_batchfile,
|
||||
goto need_value;
|
||||
if (!state)
|
||||
goto invalid_option;
|
||||
result = parse_uint(&lookup->retries, value,
|
||||
MAXTRIES, "tries");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse tries");
|
||||
lookup->retries = parse_uint(value, "tries",
|
||||
MAXTRIES);
|
||||
if (lookup->retries == 0)
|
||||
lookup->retries = 1;
|
||||
break;
|
||||
@@ -1139,7 +1123,6 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
|
||||
struct in6_addr in6;
|
||||
in_port_t srcport;
|
||||
char *hash, *cmd;
|
||||
isc_uint32_t num;
|
||||
|
||||
while (strpbrk(option, single_dash_opts) == &option[0]) {
|
||||
/*
|
||||
@@ -1155,7 +1138,6 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
|
||||
have_ipv6 = ISC_FALSE;
|
||||
} else {
|
||||
fatal("can't find IPv4 networking");
|
||||
/* NOTREACHED */
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
break;
|
||||
@@ -1165,7 +1147,6 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
|
||||
have_ipv4 = ISC_FALSE;
|
||||
} else {
|
||||
fatal("can't find IPv6 networking");
|
||||
/* NOTREACHED */
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
break;
|
||||
@@ -1216,11 +1197,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
|
||||
case 'b':
|
||||
hash = strchr(value, '#');
|
||||
if (hash != NULL) {
|
||||
result = parse_uint(&num, hash + 1, MAXPORT,
|
||||
"port number");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse port number");
|
||||
srcport = num;
|
||||
srcport = (in_port_t)
|
||||
parse_uint(hash + 1,
|
||||
"port number", MAXPORT);
|
||||
*hash = '\0';
|
||||
} else
|
||||
srcport = 0;
|
||||
@@ -1264,10 +1243,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
|
||||
keyfile[sizeof(keyfile)-1]=0;
|
||||
return (value_from_next);
|
||||
case 'p':
|
||||
result = parse_uint(&num, value, MAXPORT, "port number");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse port number");
|
||||
port = num;
|
||||
port = (in_port_t) parse_uint(value, "port number", MAXPORT);
|
||||
return (value_from_next);
|
||||
case 'q':
|
||||
if (!config_only) {
|
||||
@@ -1310,14 +1286,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
|
||||
"extra type option\n");
|
||||
}
|
||||
if (rdtype == dns_rdatatype_ixfr) {
|
||||
isc_uint32_t serial;
|
||||
(*lookup)->rdtype = dns_rdatatype_ixfr;
|
||||
(*lookup)->rdtypeset = ISC_TRUE;
|
||||
result = parse_uint(&serial, &value[5],
|
||||
MAXSERIAL, "serial number");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse serial number");
|
||||
(*lookup)->ixfr_serial = serial;
|
||||
(*lookup)->ixfr_serial =
|
||||
parse_uint(&value[5], "serial number",
|
||||
MAXSERIAL);
|
||||
(*lookup)->section_question = plusquest;
|
||||
(*lookup)->comments = pluscomm;
|
||||
(*lookup)->tcp_mode = ISC_TRUE;
|
||||
@@ -1345,7 +1318,65 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
|
||||
usage();
|
||||
ptr3 = next_token(&value,":"); /* secret or NULL */
|
||||
if (ptr3 != NULL) {
|
||||
parse_hmac(ptr);
|
||||
if (strcasecmp(ptr, "hmac-md5") == 0) {
|
||||
hmacname = DNS_TSIG_HMACMD5_NAME;
|
||||
digestbits = 0;
|
||||
} else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
|
||||
hmacname = DNS_TSIG_HMACMD5_NAME;
|
||||
digestbits = parse_uint(&ptr[9],
|
||||
"digest-bits [0..128]",
|
||||
128);
|
||||
digestbits = (digestbits + 7) & ~0x7U;
|
||||
} else if (strcasecmp(ptr, "hmac-sha1") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA1_NAME;
|
||||
digestbits = 0;
|
||||
} else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA1_NAME;
|
||||
digestbits = parse_uint(&ptr[10],
|
||||
"digest-bits [0..160]",
|
||||
160);
|
||||
digestbits = (digestbits + 7) & ~0x7U;
|
||||
} else if (strcasecmp(ptr, "hmac-sha224") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA224_NAME;
|
||||
digestbits = 0;
|
||||
} else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA224_NAME;
|
||||
digestbits = parse_uint(&ptr[12],
|
||||
"digest-bits [0..224]",
|
||||
224);
|
||||
digestbits = (digestbits + 7) & ~0x7U;
|
||||
} else if (strcasecmp(ptr, "hmac-sha256") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA256_NAME;
|
||||
digestbits = 0;
|
||||
} else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA256_NAME;
|
||||
digestbits = parse_uint(&ptr[12],
|
||||
"digest-bits [0..256]",
|
||||
256);
|
||||
digestbits = (digestbits + 7) & ~0x7U;
|
||||
} else if (strcasecmp(ptr, "hmac-sha384") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA384_NAME;
|
||||
digestbits = 0;
|
||||
} else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA384_NAME;
|
||||
digestbits = parse_uint(&ptr[12],
|
||||
"digest-bits [0..384]",
|
||||
384);
|
||||
digestbits = (digestbits + 7) & ~0x7U;
|
||||
} else if (strcasecmp(ptr, "hmac-sha512") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA512_NAME;
|
||||
digestbits = 0;
|
||||
} else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA512_NAME;
|
||||
digestbits = parse_uint(&ptr[12],
|
||||
"digest-bits [0..512]",
|
||||
512);
|
||||
digestbits = (digestbits + 7) & ~0x7U;
|
||||
} else {
|
||||
fprintf(stderr, ";; Warning, ignoring "
|
||||
"invalid TSIG algorithm %s\n", ptr);
|
||||
return (value_from_next);
|
||||
}
|
||||
ptr = ptr2;
|
||||
ptr2 = ptr3;
|
||||
} else {
|
||||
@@ -1389,7 +1420,6 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
|
||||
fprintf(stderr, "Invalid option: -%s\n", option);
|
||||
usage();
|
||||
}
|
||||
/* NOTREACHED */
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
|
||||
@@ -1594,18 +1624,13 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
|
||||
"extra type option\n");
|
||||
}
|
||||
if (rdtype == dns_rdatatype_ixfr) {
|
||||
isc_uint32_t serial;
|
||||
lookup->rdtype =
|
||||
dns_rdatatype_ixfr;
|
||||
lookup->rdtypeset = ISC_TRUE;
|
||||
result = parse_uint(&serial,
|
||||
&rv[0][5],
|
||||
MAXSERIAL,
|
||||
"serial number");
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Couldn't parse "
|
||||
"serial number");
|
||||
lookup->ixfr_serial = serial;
|
||||
lookup->ixfr_serial =
|
||||
parse_uint(&rv[0][5],
|
||||
"serial number",
|
||||
MAXSERIAL);
|
||||
lookup->section_question =
|
||||
plusquest;
|
||||
lookup->comments = pluscomm;
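Review bot: In the `-1345,7 +1318,65` hunk the final `else` arm of the inlined TSIG algorithm chain only prints `;; Warning, ignoring invalid TSIG algorithm` and returns `value_from_next`. A mistyped algorithm name therefore appears to drop the key, and dig presumably goes on to send the query unsigned. A user who asked for an authenticated query should get a hard stop instead; `fatal("invalid TSIG algorithm '%s'", ptr);` in place of the `fprintf`/`return` pair would match how the new `parse_uint` helper reports bad input. The `hmac-*-N` arms also accept any N from 0 up to the hash length and only round it up to a multiple of 8, so there is no floor on the truncated MAC length; a minimum check, or at least a comment stating the intended policy, would help. `dash_option` begins and ends outside this hunk, so the key-setup code after the chain could not be checked from here.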
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dig.docbook,v 1.45 2009/02/02 04:41:28 marka Exp $ -->
|
||||
<!-- $Id: dig.docbook,v 1.42.44.3 2009/02/02 04:42:48 marka Exp $ -->
|
||||
<refentry id="man.dig">
|
||||
|
||||
<refentryinfo>
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
@@ -14,7 +14,7 @@
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: dig.html,v 1.48 2009/07/11 01:12:45 tbox Exp $ -->
|
||||
<!-- $Id: dig.html,v 1.45.44.2 2009/02/03 01:52:10 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dighost.c,v 1.328 2009/11/10 17:27:40 each Exp $ */
|
||||
/* $Id: dighost.c,v 1.311.70.8 2009/02/25 02:39:21 marka Exp $ */
|
||||
|
||||
/*! \file
|
||||
* \note
|
||||
@@ -53,7 +53,6 @@
|
||||
#include <ctype.h>
|
||||
#endif
|
||||
#include <dns/fixedname.h>
|
||||
#include <dns/log.h>
|
||||
#include <dns/message.h>
|
||||
#include <dns/name.h>
|
||||
#include <dns/rdata.h>
|
||||
@@ -72,12 +71,10 @@
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/file.h>
|
||||
#include <isc/lang.h>
|
||||
#include <isc/log.h>
|
||||
#include <isc/netaddr.h>
|
||||
#ifdef DIG_SIGCHASE
|
||||
#include <isc/netdb.h>
|
||||
#endif
|
||||
#include <isc/parseint.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/random.h>
|
||||
#include <isc/result.h>
|
||||
@@ -87,8 +84,6 @@
|
||||
#include <isc/types.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <isccfg/namedconf.h>
|
||||
|
||||
#include <lwres/lwres.h>
|
||||
#include <lwres/net.h>
|
||||
|
||||
@@ -126,7 +121,6 @@ in_port_t port = 53;
|
||||
unsigned int timeout = 0;
|
||||
unsigned int extrabytes;
|
||||
isc_mem_t *mctx = NULL;
|
||||
isc_log_t *lctx = NULL;
|
||||
isc_taskmgr_t *taskmgr = NULL;
|
||||
isc_task_t *global_task = NULL;
|
||||
isc_timermgr_t *timermgr = NULL;
|
||||
@@ -399,7 +393,7 @@ count_dots(char *string) {
|
||||
|
||||
static void
|
||||
hex_dump(isc_buffer_t *b) {
|
||||
unsigned int len, i;
|
||||
unsigned int len;
|
||||
isc_region_t r;
|
||||
|
||||
isc_buffer_usedregion(b, &r);
|
||||
@@ -407,29 +401,11 @@ hex_dump(isc_buffer_t *b) {
|
||||
printf("%d bytes\n", r.length);
|
||||
for (len = 0; len < r.length; len++) {
|
||||
printf("%02x ", r.base[len]);
|
||||
if (len % 16 == 15) {
|
||||
fputs(" ", stdout);
|
||||
for (i = len - 15; i <= len; i++) {
|
||||
if (r.base[i] >= '!' && r.base[i] <= '}')
|
||||
putchar(r.base[i]);
|
||||
else
|
||||
putchar('.');
|
||||
}
|
||||
if (len % 16 == 15)
|
||||
printf("\n");
|
||||
}
|
||||
}
|
||||
if (len % 16 != 0) {
|
||||
for (i = len; (i % 16) != 0; i++)
|
||||
fputs(" ", stdout);
|
||||
fputs(" ", stdout);
|
||||
for (i = ((len>>4)<<4); i < len; i++) {
|
||||
if (r.base[i] >= '!' && r.base[i] <= '}')
|
||||
putchar(r.base[i]);
|
||||
else
|
||||
putchar('.');
|
||||
}
|
||||
if (len % 16 != 0)
|
||||
printf("\n");
|
||||
}
|
||||
}
|
||||
|
||||
/*%
|
||||
@@ -927,7 +903,9 @@ setup_text_key(void) {
|
||||
|
||||
secretsize = isc_buffer_usedlength(&secretbuf);
|
||||
|
||||
result = dns_name_fromtext(&keyname, namebuf, dns_rootname, 0, namebuf);
|
||||
result = dns_name_fromtext(&keyname, namebuf,
|
||||
dns_rootname, ISC_FALSE,
|
||||
namebuf);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto failure;
|
||||
|
||||
@@ -946,164 +924,14 @@ setup_text_key(void) {
|
||||
isc_buffer_free(&namebuf);
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
|
||||
const char *desc) {
|
||||
isc_uint32_t n;
|
||||
isc_result_t result = isc_parse_uint32(&n, value, 10);
|
||||
if (result == ISC_R_SUCCESS && n > max)
|
||||
result = ISC_R_RANGE;
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
printf("invalid %s '%s': %s\n", desc,
|
||||
value, isc_result_totext(result));
|
||||
return (result);
|
||||
}
|
||||
*uip = n;
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static isc_uint32_t
|
||||
parse_bits(char *arg, const char *desc, isc_uint32_t max) {
|
||||
isc_result_t result;
|
||||
isc_uint32_t tmp;
|
||||
|
||||
result = parse_uint(&tmp, arg, max, desc);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("couldn't parse digest bits");
|
||||
tmp = (tmp + 7) & ~0x7U;
|
||||
return (tmp);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Parse HMAC algorithm specification
|
||||
*/
|
||||
void
|
||||
parse_hmac(const char *hmac) {
|
||||
char buf[20];
|
||||
int len;
|
||||
|
||||
REQUIRE(hmac != NULL);
|
||||
|
||||
len = strlen(hmac);
|
||||
if (len >= (int) sizeof(buf))
|
||||
fatal("unknown key type '%.*s'", len, hmac);
|
||||
strncpy(buf, hmac, sizeof(buf));
|
||||
|
||||
digestbits = 0;
|
||||
|
||||
if (strcasecmp(buf, "hmac-md5") == 0) {
|
||||
hmacname = DNS_TSIG_HMACMD5_NAME;
|
||||
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
|
||||
hmacname = DNS_TSIG_HMACMD5_NAME;
|
||||
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
|
||||
} else if (strcasecmp(buf, "hmac-sha1") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA1_NAME;
|
||||
digestbits = 0;
|
||||
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA1_NAME;
|
||||
digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
|
||||
} else if (strcasecmp(buf, "hmac-sha224") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA224_NAME;
|
||||
} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA224_NAME;
|
||||
digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
|
||||
} else if (strcasecmp(buf, "hmac-sha256") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA256_NAME;
|
||||
} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA256_NAME;
|
||||
digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
|
||||
} else if (strcasecmp(buf, "hmac-sha384") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA384_NAME;
|
||||
} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA384_NAME;
|
||||
digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
|
||||
} else if (strcasecmp(buf, "hmac-sha512") == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA512_NAME;
|
||||
} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
|
||||
hmacname = DNS_TSIG_HMACSHA512_NAME;
|
||||
digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
|
||||
} else {
|
||||
fprintf(stderr, ";; Warning, ignoring "
|
||||
"invalid TSIG algorithm %s\n", buf);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Get a key from a named.conf format keyfile
|
||||
*/
|
||||
static isc_result_t
|
||||
read_confkey(void) {
|
||||
isc_log_t *lctx = NULL;
|
||||
cfg_parser_t *pctx = NULL;
|
||||
cfg_obj_t *file = NULL;
|
||||
const cfg_obj_t *key = NULL;
|
||||
const cfg_obj_t *secretobj = NULL;
|
||||
const cfg_obj_t *algorithmobj = NULL;
|
||||
const char *keyname;
|
||||
const char *secretstr;
|
||||
const char *algorithm;
|
||||
isc_result_t result;
|
||||
|
||||
if (! isc_file_exists(keyfile))
|
||||
return (ISC_R_FILENOTFOUND);
|
||||
|
||||
result = cfg_parser_create(mctx, lctx, &pctx);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup;
|
||||
|
||||
result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
|
||||
&file);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup;
|
||||
|
||||
result = cfg_map_get(file, "key", &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup;
|
||||
|
||||
(void) cfg_map_get(key, "secret", &secretobj);
|
||||
(void) cfg_map_get(key, "algorithm", &algorithmobj);
|
||||
if (secretobj == NULL || algorithmobj == NULL)
|
||||
fatal("key must have algorithm and secret");
|
||||
|
||||
keyname = cfg_obj_asstring(cfg_map_getname(key));
|
||||
secretstr = cfg_obj_asstring(secretobj);
|
||||
algorithm = cfg_obj_asstring(algorithmobj);
|
||||
|
||||
strncpy(keynametext, keyname, sizeof(keynametext));
|
||||
strncpy(keysecret, secretstr, sizeof(keysecret));
|
||||
parse_hmac(algorithm);
|
||||
setup_text_key();
|
||||
|
||||
cleanup:
|
||||
if (pctx != NULL) {
|
||||
if (file != NULL)
|
||||
cfg_obj_destroy(pctx, &file);
|
||||
cfg_parser_destroy(&pctx);
|
||||
}
|
||||
|
||||
return (result);
|
||||
}
|
||||
|
||||
static void
|
||||
setup_file_key(void) {
|
||||
isc_result_t result;
|
||||
dst_key_t *dstkey = NULL;
|
||||
|
||||
debug("setup_file_key()");
|
||||
|
||||
/* Try reading the key from a K* pair */
|
||||
result = dst_key_fromnamedfile(keyfile, NULL,
|
||||
DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
|
||||
&dstkey);
|
||||
|
||||
/* If that didn't work, try reading it as a session.key keyfile */
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
result = read_confkey();
|
||||
if (result == ISC_R_SUCCESS)
|
||||
return;
|
||||
}
|
||||
|
||||
result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY,
|
||||
mctx, &dstkey);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
fprintf(stderr, "Couldn't read key from %s: %s\n",
|
||||
keyfile, isc_result_totext(result));
|
||||
@@ -1220,9 +1048,7 @@ setup_system(void) {
|
||||
debug("ndots is %d.", ndots);
|
||||
}
|
||||
|
||||
/* If user doesn't specify server use nameservers from resolv.conf. */
|
||||
if (ISC_LIST_EMPTY(server_list))
|
||||
copy_server_list(lwconf, &server_list);
|
||||
copy_server_list(lwconf, &server_list);
|
||||
|
||||
/* If we don't find a nameserver fall back to localhost */
|
||||
if (ISC_LIST_EMPTY(server_list)) {
|
||||
@@ -1292,7 +1118,6 @@ set_search_domain(char *domain) {
|
||||
void
|
||||
setup_libs(void) {
|
||||
isc_result_t result;
|
||||
isc_logconfig_t *logconfig = NULL;
|
||||
|
||||
debug("setup_libs()");
|
||||
|
||||
@@ -1309,18 +1134,6 @@ setup_libs(void) {
|
||||
result = isc_mem_create(0, 0, &mctx);
|
||||
check_result(result, "isc_mem_create");
|
||||
|
||||
result = isc_log_create(mctx, &lctx, &logconfig);
|
||||
check_result(result, "isc_log_create");
|
||||
|
||||
isc_log_setcontext(lctx);
|
||||
dns_log_init(lctx);
|
||||
dns_log_setcontext(lctx);
|
||||
|
||||
result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
|
||||
check_result(result, "isc_log_usechannel");
|
||||
|
||||
isc_log_setdebuglevel(lctx, 0);
|
||||
|
||||
result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
|
||||
check_result(result, "isc_taskmgr_create");
|
||||
|
||||
@@ -2056,7 +1869,7 @@ setup_lookup(dig_lookup_t *lookup) {
|
||||
isc_buffer_init(&b, lookup->origin->origin, len);
|
||||
isc_buffer_add(&b, len);
|
||||
result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
|
||||
0, &lookup->onamebuf);
|
||||
ISC_FALSE, &lookup->onamebuf);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_message_puttempname(lookup->sendmsg,
|
||||
&lookup->name);
|
||||
@@ -2073,7 +1886,7 @@ setup_lookup(dig_lookup_t *lookup) {
|
||||
isc_buffer_init(&b, lookup->textname, len);
|
||||
isc_buffer_add(&b, len);
|
||||
result = dns_name_fromtext(lookup->name, &b,
|
||||
lookup->oname, 0,
|
||||
lookup->oname, ISC_FALSE,
|
||||
&lookup->namebuf);
|
||||
}
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
@@ -2097,14 +1910,16 @@ setup_lookup(dig_lookup_t *lookup) {
|
||||
isc_buffer_init(&b, idn_textname, len);
|
||||
isc_buffer_add(&b, len);
|
||||
result = dns_name_fromtext(lookup->name, &b,
|
||||
dns_rootname, 0,
|
||||
dns_rootname,
|
||||
ISC_FALSE,
|
||||
&lookup->namebuf);
|
||||
#else
|
||||
len = strlen(lookup->textname);
|
||||
isc_buffer_init(&b, lookup->textname, len);
|
||||
isc_buffer_add(&b, len);
|
||||
result = dns_name_fromtext(lookup->name, &b,
|
||||
dns_rootname, 0,
|
||||
dns_rootname,
|
||||
ISC_FALSE,
|
||||
&lookup->namebuf);
|
||||
#endif
|
||||
}
|
||||
@@ -2582,9 +2397,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
|
||||
if (!l->tcp_mode)
|
||||
send_udp(ISC_LIST_NEXT(cq, link));
|
||||
else {
|
||||
if (query->sock != NULL)
|
||||
isc_socket_cancel(query->sock, NULL,
|
||||
ISC_SOCKCANCEL_ALL);
|
||||
isc_socket_cancel(query->sock, NULL,
|
||||
ISC_SOCKCANCEL_ALL);
|
||||
isc_socket_detach(&query->sock);
|
||||
sockcount--;
|
||||
debug("sockcount=%d", sockcount);
|
||||
send_tcp_connect(ISC_LIST_NEXT(cq, link));
|
||||
}
|
||||
UNLOCK_LOOKUP;
|
||||
@@ -2788,8 +2605,8 @@ connect_done(isc_task_t *task, isc_event_t *event) {
|
||||
if (sevent->result == ISC_R_CANCELED) {
|
||||
debug("in cancel handler");
|
||||
isc_socket_detach(&query->sock);
|
||||
INSIST(sockcount > 0);
|
||||
sockcount--;
|
||||
INSIST(sockcount >= 0);
|
||||
debug("sockcount=%d", sockcount);
|
||||
query->waiting_connect = ISC_FALSE;
|
||||
isc_event_free(&event);
|
||||
@@ -3723,11 +3540,9 @@ destroy_libs(void) {
|
||||
free_name(&chase_signame, mctx);
|
||||
#endif
|
||||
|
||||
#endif
|
||||
debug("Removing log context");
|
||||
isc_log_destroy(&lctx);
|
||||
|
||||
debug("Destroy memory");
|
||||
|
||||
#endif
|
||||
if (memdebugging != 0)
|
||||
isc_mem_stats(mctx, stderr);
|
||||
if (mctx != NULL)
|
||||
@@ -4216,7 +4031,7 @@ get_trusted_key(isc_mem_t *mctx)
|
||||
return (ISC_R_FAILURE);
|
||||
}
|
||||
fclose(fptemp);
|
||||
result = dst_key_fromnamedfile(filetemp, NULL, DST_TYPE_PUBLIC,
|
||||
result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC,
|
||||
mctx, &key);
|
||||
removetmpkey(mctx, filetemp);
|
||||
isc_mem_free(mctx, filetemp);
|
||||
@@ -4249,7 +4064,7 @@ nameFromString(const char *str, dns_name_t *p_ret) {
|
||||
|
||||
dns_fixedname_init(&fixedname);
|
||||
result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
|
||||
dns_rootname, DNS_NAME_DOWNCASE, NULL);
|
||||
dns_rootname, ISC_TRUE, NULL);
|
||||
check_result(result, "nameFromString");
|
||||
|
||||
if (dns_name_dynamic(p_ret))
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
@@ -13,7 +13,7 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: host.1,v 1.31 2009/07/11 01:12:45 tbox Exp $
|
||||
.\" $Id: host.1,v 1.29.114.1 2009/01/23 01:53:33 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: host.c,v 1.120 2009/09/29 15:06:05 fdupont Exp $ */
|
||||
/* $Id: host.c,v 1.116.216.2 2009/05/06 23:47:18 tbox Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -141,9 +141,6 @@ rcode_totext(dns_rcode_t rcode)
|
||||
return totext.deconsttext;
|
||||
}
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
show_usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void
|
||||
show_usage(void) {
|
||||
fputs(
|
||||
@@ -842,10 +839,11 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
|
||||
} else {
|
||||
strncpy(lookup->textname, hostname, sizeof(lookup->textname));
|
||||
lookup->textname[sizeof(lookup->textname)-1]=0;
|
||||
usesearch = ISC_TRUE;
|
||||
}
|
||||
lookup->new_search = ISC_TRUE;
|
||||
ISC_LIST_APPEND(lookup_list, lookup, link);
|
||||
|
||||
usesearch = ISC_TRUE;
|
||||
}
|
||||
|
||||
int
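Review bot: In the parse_args hunk of host.c, `usesearch = ISC_TRUE;` now sits after `ISC_LIST_APPEND(lookup_list, lookup, link);`, so it is set on every path rather than only in the `else` branch that copies `hostname` into `lookup->textname`. The branch before that `else` starts outside the hunk; if it builds a name that is already fully qualified (a reverse lookup, for example), search-list processing would be enabled for it as well, and the query sent could differ from what the user typed. I would keep the assignment inside the `else` block, directly after `lookup->textname[sizeof(lookup->textname)-1]=0;`, or add a comment saying why search is wanted on both paths. parse_args starts and ends outside the hunk.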
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: host.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
|
||||
<!-- $Id: host.docbook,v 1.18.114.2 2009/01/22 23:47:05 tbox Exp $ -->
|
||||
<refentry id="man.host">
|
||||
|
||||
<refentryinfo>
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
@@ -14,7 +14,7 @@
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: host.html,v 1.30 2009/07/11 01:12:45 tbox Exp $ -->
|
||||
<!-- $Id: host.html,v 1.28.114.1 2009/01/23 01:53:33 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dig.h,v 1.111 2009/09/29 15:06:06 fdupont Exp $ */
|
||||
/* $Id: dig.h,v 1.107.120.2 2009/01/06 23:47:26 tbox Exp $ */
|
||||
|
||||
#ifndef DIG_H
|
||||
#define DIG_H
|
||||
@@ -292,9 +292,8 @@ isc_result_t
|
||||
get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
|
||||
isc_boolean_t strict);
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE void
|
||||
fatal(const char *format, ...)
|
||||
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
|
||||
void
|
||||
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
|
||||
|
||||
void
|
||||
debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
|
||||
@@ -326,13 +325,6 @@ setup_libs(void);
|
||||
void
|
||||
setup_system(void);
|
||||
|
||||
isc_result_t
|
||||
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
|
||||
const char *desc);
|
||||
|
||||
void
|
||||
parse_hmac(const char *hmacstr);
|
||||
|
||||
dig_lookup_t *
|
||||
requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
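Review bot: The new declaration `fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);` no longer carries the `ISC_PLATFORM_NORETURN_PRE` / `ISC_PLATFORM_NORETURN_POST` markers, so the header stops telling the compiler and static analysers that control does not come back from fatal(). Call sites that use fatal() as the only guard before dereferencing a pointer are then reported as possible NULL dereferences, and genuine ones become harder to spot among them. If the macros exist on this branch I would keep the annotated prototype; otherwise add a comment above it such as `/* Prints the message and terminates; does not return. */`, after confirming that against the definition, which is not in this section. The last hunk also drops the `parse_uint` and `parse_hmac` prototypes, so every caller outside this header needs a local definition.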
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
@@ -12,7 +12,7 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: nslookup.1,v 1.15 2009/07/11 01:12:45 tbox Exp $
|
||||
.\" $Id: nslookup.1,v 1.14 2007/05/16 06:12:01 marka Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: nslookup.c,v 1.124 2009/10/20 01:04:03 marka Exp $ */
|
||||
/* $Id: nslookup.c,v 1.117.334.4 2009/05/06 11:41:57 fdupont Exp $ */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
@@ -373,7 +373,6 @@ detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
|
||||
printrdata(&rdata);
|
||||
}
|
||||
dns_rdata_reset(&rdata);
|
||||
printf("\tttl = %u\n", rdataset->ttl);
|
||||
loopresult = dns_rdataset_next(rdataset);
|
||||
}
|
||||
}
|
||||
@@ -541,6 +540,22 @@ safecpy(char *dest, char *src, int size) {
|
||||
dest[size-1] = 0;
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
|
||||
const char *desc) {
|
||||
isc_uint32_t n;
|
||||
isc_result_t result = isc_parse_uint32(&n, value, 10);
|
||||
if (result == ISC_R_SUCCESS && n > max)
|
||||
result = ISC_R_RANGE;
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
printf("invalid %s '%s': %s\n", desc,
|
||||
value, isc_result_totext(result));
|
||||
return result;
|
||||
}
|
||||
*uip = n;
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static void
|
||||
set_port(const char *value) {
|
||||
isc_uint32_t n;
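Review bot: The `parse_uint` added ahead of `set_port` has no comment stating its contract, and the part callers most need is that `*uip` is written only on success. A header such as `/* Parse 'value' as a decimal uint32 no greater than 'max'; on error print a message naming 'desc' and leave *uip unchanged. */` would make it clear that the result must be tested before the output variable is used. Two style points in the same function: `return result;` should read `return (result);` to match `return (ISC_R_SUCCESS);` a few lines further down, and the diagnostic goes to stdout through `printf` while dighost.c in this comparison reports errors with `fprintf(stderr, ...)`; if stdout is deliberate for interactive use, the comment should say so.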
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
<!--
|
||||
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
@@ -13,7 +13,7 @@
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: nslookup.html,v 1.22 2009/07/11 01:12:45 tbox Exp $ -->
|
||||
<!-- $Id: nslookup.html,v 1.21 2007/05/16 06:12:01 marka Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
|
||||
@@ -42,7 +42,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD BASE RSC /l 0x409 /d "NDEBUG"
|
||||
# ADD RSC /l 0x409 /d "NDEBUG"
|
||||
BSC32=bscmake.exe
|
||||
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dig.exe"
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dig.exe"
|
||||
|
||||
!ELSEIF "$(CFG)" == "dig - Win32 Debug"
|
||||
|
||||
@@ -66,7 +66,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# SUBTRACT CPP /X /u /YX
|
||||
# ADD BASE RSC /l 0x409 /d "_DEBUG"
|
||||
# ADD RSC /l 0x409 /d "_DEBUG"
|
||||
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
|
||||
|
||||
!ENDIF
|
||||
|
||||
|
||||
@@ -132,19 +132,18 @@ CLEAN :
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc"
|
||||
BSC32_SBRS= \
|
||||
|
||||
LINK32=link.exe
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dig.pdb" /machine:I386 /out:"../../../Build/Release/dig.exe"
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dig.pdb" /machine:I386 /out:"../../../Build/Release/dig.exe"
|
||||
LINK32_OBJS= \
|
||||
"$(INTDIR)\dig.obj" \
|
||||
"$(INTDIR)\dighost.obj" \
|
||||
"..\..\..\lib\dns\win32\Release\libdns.lib" \
|
||||
"..\..\..\lib\isc\win32\Release\libisc.lib" \
|
||||
"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
|
||||
"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
|
||||
"..\..\..\lib\lwres\win32\Release\liblwres.lib"
|
||||
|
||||
@@ -192,7 +191,7 @@ CLEAN :
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc"
|
||||
BSC32_SBRS= \
|
||||
@@ -205,13 +204,12 @@ BSC32_SBRS= \
|
||||
<<
|
||||
|
||||
LINK32=link.exe
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dig.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dig.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
|
||||
LINK32_OBJS= \
|
||||
"$(INTDIR)\dig.obj" \
|
||||
"$(INTDIR)\dighost.obj" \
|
||||
"..\..\..\lib\dns\win32\Debug\libdns.lib" \
|
||||
"..\..\..\lib\isc\win32\Debug\libisc.lib" \
|
||||
"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
|
||||
"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
|
||||
"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
|
||||
|
||||
|
||||
@@ -43,7 +43,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddighost
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddighost
|
||||
# SUBTRACT CPP /X
|
||||
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
|
||||
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
|
||||
@@ -70,7 +70,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddighost
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddighost
|
||||
# SUBTRACT CPP /X
|
||||
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
|
||||
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
|
||||
|
||||
@@ -42,7 +42,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD BASE RSC /l 0x409 /d "NDEBUG"
|
||||
# ADD RSC /l 0x409 /d "NDEBUG"
|
||||
BSC32=bscmake.exe
|
||||
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/host.exe"
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/host.exe"
|
||||
|
||||
!ELSEIF "$(CFG)" == "host - Win32 Debug"
|
||||
|
||||
@@ -66,7 +66,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# SUBTRACT CPP /X /u /YX
|
||||
# ADD BASE RSC /l 0x409 /d "_DEBUG"
|
||||
# ADD RSC /l 0x409 /d "_DEBUG"
|
||||
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
|
||||
|
||||
!ENDIF
|
||||
|
||||
|
||||
@@ -132,19 +132,18 @@ CLEAN :
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc"
|
||||
BSC32_SBRS= \
|
||||
|
||||
LINK32=link.exe
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\host.pdb" /machine:I386 /out:"../../../Build/Release/host.exe"
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\host.pdb" /machine:I386 /out:"../../../Build/Release/host.exe"
|
||||
LINK32_OBJS= \
|
||||
"$(INTDIR)\dighost.obj" \
|
||||
"$(INTDIR)\host.obj" \
|
||||
"..\..\..\lib\dns\win32\Release\libdns.lib" \
|
||||
"..\..\..\lib\isc\win32\Release\libisc.lib" \
|
||||
"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
|
||||
"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
|
||||
"..\..\..\lib\lwres\win32\Release\liblwres.lib"
|
||||
|
||||
@@ -192,7 +191,7 @@ CLEAN :
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc"
|
||||
BSC32_SBRS= \
|
||||
@@ -205,13 +204,12 @@ BSC32_SBRS= \
|
||||
<<
|
||||
|
||||
LINK32=link.exe
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\host.pdb" /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\host.pdb" /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
|
||||
LINK32_OBJS= \
|
||||
"$(INTDIR)\dighost.obj" \
|
||||
"$(INTDIR)\host.obj" \
|
||||
"..\..\..\lib\dns\win32\Debug\libdns.lib" \
|
||||
"..\..\..\lib\isc\win32\Debug\libisc.lib" \
|
||||
"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
|
||||
"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
|
||||
"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
|
||||
|
||||
|
||||
@@ -42,7 +42,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD BASE RSC /l 0x409 /d "NDEBUG"
|
||||
# ADD RSC /l 0x409 /d "NDEBUG"
|
||||
BSC32=bscmake.exe
|
||||
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nslookup.exe"
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nslookup.exe"
|
||||
|
||||
!ELSEIF "$(CFG)" == "nslookup - Win32 Debug"
|
||||
|
||||
@@ -66,7 +66,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# SUBTRACT CPP /X /u /YX
|
||||
# ADD BASE RSC /l 0x409 /d "_DEBUG"
|
||||
# ADD RSC /l 0x409 /d "_DEBUG"
|
||||
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
|
||||
# ADD BSC32 /nologo
|
||||
LINK32=link.exe
|
||||
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept
|
||||
# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept
|
||||
|
||||
!ENDIF
|
||||
|
||||
|
||||
@@ -132,19 +132,18 @@ CLEAN :
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc"
|
||||
BSC32_SBRS= \
|
||||
|
||||
LINK32=link.exe
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nslookup.pdb" /machine:I386 /out:"../../../Build/Release/nslookup.exe"
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nslookup.pdb" /machine:I386 /out:"../../../Build/Release/nslookup.exe"
|
||||
LINK32_OBJS= \
|
||||
"$(INTDIR)\dighost.obj" \
|
||||
"$(INTDIR)\nslookup.obj" \
|
||||
"..\..\..\lib\dns\win32\Release\libdns.lib" \
|
||||
"..\..\..\lib\isc\win32\Release\libisc.lib" \
|
||||
"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
|
||||
"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
|
||||
"..\..\..\lib\lwres\win32\Release\liblwres.lib"
|
||||
|
||||
@@ -192,7 +191,7 @@ CLEAN :
|
||||
"$(OUTDIR)" :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
BSC32=bscmake.exe
|
||||
BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc"
|
||||
BSC32_SBRS= \
|
||||
@@ -205,13 +204,12 @@ BSC32_SBRS= \
|
||||
<<
|
||||
|
||||
LINK32=link.exe
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nslookup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept
|
||||
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nslookup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept
|
||||
LINK32_OBJS= \
|
||||
"$(INTDIR)\dighost.obj" \
|
||||
"$(INTDIR)\nslookup.obj" \
|
||||
"..\..\..\lib\dns\win32\Debug\libdns.lib" \
|
||||
"..\..\..\lib\isc\win32\Debug\libisc.lib" \
|
||||
"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
|
||||
"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
|
||||
"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
|
||||
|
||||
|
||||
@@ -3,8 +3,6 @@ dnssec-dsfromkey
|
||||
dnssec-keyfromlabel
|
||||
dnssec-keygen
|
||||
dnssec-makekeyset
|
||||
dnssec-revoke
|
||||
dnssec-settime
|
||||
dnssec-signkey
|
||||
dnssec-signzone
|
||||
*.lo
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 2000-2002 Internet Software Consortium.
|
||||
#
|
||||
# Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -13,7 +13,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: Makefile.in,v 1.41 2009/10/05 17:30:49 fdupont Exp $
|
||||
# $Id: Makefile.in,v 1.35 2008/11/07 02:28:49 marka Exp $
|
||||
|
||||
srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
@@ -25,12 +25,11 @@ top_srcdir = @top_srcdir@
|
||||
|
||||
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
|
||||
|
||||
CDEFINES = -DBIND9 -DVERSION=\"${VERSION}\" @USE_PKCS11@
|
||||
CDEFINES = -DVERSION=\"${VERSION}\"
|
||||
CWARNINGS =
|
||||
|
||||
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
|
||||
ISCLIBS = ../../lib/isc/libisc.@A@
|
||||
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
|
||||
|
||||
DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||
@@ -39,56 +38,44 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
|
||||
|
||||
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
|
||||
|
||||
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
|
||||
|
||||
# Alphabetically
|
||||
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
|
||||
dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
|
||||
dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@
|
||||
dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@
|
||||
|
||||
OBJS = dnssectool.@O@
|
||||
|
||||
SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
|
||||
dnssec-revoke.c dnssec-settime.c dnssec-signzone.c dnssectool.c
|
||||
dnssec-signzone.c dnssectool.c
|
||||
|
||||
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
|
||||
dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8
|
||||
dnssec-signzone.8
|
||||
|
||||
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
|
||||
dnssec-keygen.html dnssec-revoke.html \
|
||||
dnssec-settime.html dnssec-signzone.html
|
||||
dnssec-keygen.html dnssec-signzone.html
|
||||
|
||||
MANOBJS = ${MANPAGES} ${HTMLPAGES}
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dnssec-dsfromkey.@O@ ${OBJS} ${LIBS}
|
||||
|
||||
dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS}
|
||||
|
||||
dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dnssec-keygen.@O@ ${OBJS} ${LIBS}
|
||||
|
||||
dnssec-signzone.@O@: dnssec-signzone.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
|
||||
-c ${srcdir}/dnssec-signzone.c
|
||||
|
||||
dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dnssec-revoke.@O@ ${OBJS} ${LIBS}
|
||||
|
||||
dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dnssec-settime.@O@ ${OBJS} ${LIBS}
|
||||
dnssec-signzone.@O@ ${OBJS} ${LIBS}
|
||||
|
||||
doc man:: ${MANOBJS}
|
||||
|
||||
|
||||
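Review bot: The `# Alphabetically` comment above `TARGETS` does not describe the list on the new side, which reads keygen, signzone, keyfromlabel, dsfromkey, while `SRCS`, `MANPAGES` and `HTMLPAGES` in the same hunk are sorted. Either reorder it as `TARGETS = dnssec-dsfromkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \` followed by `dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@`, or drop the comment. In the preceding hunk the new `CDEFINES` appears to no longer carry `@USE_PKCS11@` although `dnssec-keyfromlabel` is still built. Whether that tool gets its PKCS#11 define from somewhere else is not visible here and is worth confirming.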
@@ -1,4 +1,4 @@
|
||||
.\" Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -12,18 +12,18 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dnssec-dsfromkey.8,v 1.11 2009/08/27 01:14:39 tbox Exp $
|
||||
.\" $Id: dnssec-dsfromkey.8,v 1.5 2008/11/08 01:11:47 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
.\" Title: dnssec\-dsfromkey
|
||||
.\" Author:
|
||||
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
|
||||
.\" Date: August 26, 2009
|
||||
.\" Date: November 29, 2008
|
||||
.\" Manual: BIND9
|
||||
.\" Source: BIND9
|
||||
.\"
|
||||
.TH "DNSSEC\-DSFROMKEY" "8" "August 26, 2009" "BIND9" "BIND9"
|
||||
.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9"
|
||||
.\" disable hyphenation
|
||||
.nh
|
||||
.\" disable justification (adjust text to left margin only)
|
||||
@@ -32,9 +32,9 @@
|
||||
dnssec\-dsfromkey \- DNSSEC DS RR generation tool
|
||||
.SH "SYNOPSIS"
|
||||
.HP 17
|
||||
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] {keyfile}
|
||||
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
|
||||
.HP 17
|
||||
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
|
||||
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname}
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBdnssec\-dsfromkey\fR
|
||||
@@ -58,46 +58,28 @@ Select the digest algorithm. The value of
|
||||
must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
|
||||
.RE
|
||||
.PP
|
||||
\-K \fIdirectory\fR
|
||||
\-v \fIlevel\fR
|
||||
.RS 4
|
||||
Look for key files (or, in keyset mode,
|
||||
\fIkeyset\-\fR
|
||||
files) in
|
||||
\fBdirectory\fR.
|
||||
.RE
|
||||
.PP
|
||||
\-f \fIfile\fR
|
||||
.RS 4
|
||||
Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
|
||||
\fBfile\fR. If the zone name is the same as
|
||||
\fBfile\fR, then it may be omitted.
|
||||
.RE
|
||||
.PP
|
||||
\-A
|
||||
.RS 4
|
||||
Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
|
||||
.RE
|
||||
.PP
|
||||
\-l \fIdomain\fR
|
||||
.RS 4
|
||||
Generate a DLV set instead of a DS set. The specified
|
||||
\fBdomain\fR
|
||||
is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
|
||||
Sets the debugging level.
|
||||
.RE
|
||||
.PP
|
||||
\-s
|
||||
.RS 4
|
||||
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
|
||||
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
|
||||
.RE
|
||||
.PP
|
||||
\-c \fIclass\fR
|
||||
.RS 4
|
||||
Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
|
||||
Specifies the DNS class (default is IN), useful only in the keyset mode.
|
||||
.RE
|
||||
.PP
|
||||
\-v \fIlevel\fR
|
||||
\-d \fIdirectory\fR
|
||||
.RS 4
|
||||
Sets the debugging level.
|
||||
Look for
|
||||
\fIkeyset\fR
|
||||
files in
|
||||
\fBdirectory\fR
|
||||
as the directory, ignored when not in the keyset mode.
|
||||
.RE
|
||||
.SH "EXAMPLE"
|
||||
.PP
|
||||
@@ -133,11 +115,10 @@ A keyfile error can give a "file not found" even if the file exists.
|
||||
\fBdnssec\-signzone\fR(8),
|
||||
BIND 9 Administrator Reference Manual,
|
||||
RFC 3658,
|
||||
RFC 4431.
|
||||
RFC 4509.
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Systems Consortium
|
||||
.SH "COPYRIGHT"
|
||||
Copyright \(co 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssec-dsfromkey.c,v 1.16 2009/10/12 20:48:10 each Exp $ */
|
||||
/* $Id: dnssec-dsfromkey.c,v 1.2.14.3 2009/03/02 02:54:15 marka Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -36,8 +36,6 @@
|
||||
#include <dns/ds.h>
|
||||
#include <dns/fixedname.h>
|
||||
#include <dns/log.h>
|
||||
#include <dns/keyvalues.h>
|
||||
#include <dns/master.h>
|
||||
#include <dns/name.h>
|
||||
#include <dns/rdata.h>
|
||||
#include <dns/rdataclass.h>
|
||||
@@ -50,40 +48,46 @@
|
||||
|
||||
#include "dnssectool.h"
|
||||
|
||||
#ifndef PATH_MAX
|
||||
#define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
|
||||
#endif
|
||||
|
||||
const char *program = "dnssec-dsfromkey";
|
||||
int verbose;
|
||||
|
||||
static dns_rdataclass_t rdclass;
|
||||
static dns_fixedname_t fixed;
|
||||
static dns_name_t *name = NULL;
|
||||
static isc_mem_t *mctx = NULL;
|
||||
static dns_fixedname_t fixed;
|
||||
static dns_name_t *name = NULL;
|
||||
static dns_db_t *db = NULL;
|
||||
static dns_dbnode_t *node = NULL;
|
||||
static dns_rdataset_t keyset;
|
||||
static isc_mem_t *mctx = NULL;
|
||||
|
||||
static isc_result_t
|
||||
initname(char *setname) {
|
||||
isc_result_t result;
|
||||
isc_buffer_t buf;
|
||||
static void
|
||||
loadkeys(char *dirname, char *setname)
|
||||
{
|
||||
isc_result_t result;
|
||||
char filename[1024];
|
||||
isc_buffer_t buf;
|
||||
|
||||
dns_rdataset_init(&keyset);
|
||||
dns_fixedname_init(&fixed);
|
||||
name = dns_fixedname_name(&fixed);
|
||||
|
||||
isc_buffer_init(&buf, setname, strlen(setname));
|
||||
isc_buffer_add(&buf, strlen(setname));
|
||||
result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
|
||||
return (result);
|
||||
}
|
||||
result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("can't convert DNS name %s", setname);
|
||||
|
||||
static isc_result_t
|
||||
loadsetfromfile(char *filename, dns_rdataset_t *rdataset) {
|
||||
isc_result_t result;
|
||||
dns_db_t *db = NULL;
|
||||
dns_dbnode_t *node = NULL;
|
||||
char setname[DNS_NAME_FORMATSIZE];
|
||||
|
||||
dns_name_format(name, setname, sizeof(setname));
|
||||
isc_buffer_init(&buf, filename, sizeof(filename));
|
||||
if (dirname != NULL) {
|
||||
isc_buffer_putstr(&buf, dirname);
|
||||
if (dirname[strlen(dirname) - 1] != '/')
|
||||
isc_buffer_putstr(&buf, "/");
|
||||
}
|
||||
isc_buffer_putstr(&buf, "keyset-");
|
||||
result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
|
||||
check_result(result, "dns_name_tofilenametext()");
|
||||
if (isc_buffer_availablelength(&buf) == 0)
|
||||
fatal("name %s too long", setname);
|
||||
isc_buffer_putuint8(&buf, 0);
|
||||
|
||||
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
|
||||
rdclass, 0, NULL, &db);
|
||||
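Review bot: In `loadkeys`, `dirname[strlen(dirname) - 1]` reads one byte before the string when the directory argument is empty. The new side as rendered also appends `dirname` and `"keyset-"` to the 1024-byte `filename` buffer without first comparing their length with `isc_buffer_availablelength(&buf)`, a check the removed `loadkeyset` did make. What `isc_buffer_putstr` does when the text does not fit is not visible in this hunk, so the length should be tested and reported through `fatal()` before each append, and an empty directory treated like a missing one. The value presumably comes from the `-d` option listed in the usage text, so it is caller-supplied. `loadkeys` continues past the end of this hunk.

```c
	isc_buffer_init(&buf, filename, sizeof(filename));
	if (dirname != NULL && dirname[0] != '\0') {
		/* allow room for a trailing slash */
		if (strlen(dirname) >= isc_buffer_availablelength(&buf))
			fatal("directory name %s too long", dirname);
		/* … unchanged: append dirname and, if missing, "/" … */
	}
	if (isc_buffer_availablelength(&buf) < strlen("keyset-"))
		fatal("keyset file name too long");
	isc_buffer_putstr(&buf, "keyset-");
	/* … unchanged: dns_name_tofilenametext() and NUL termination … */
```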
@@ -99,49 +103,11 @@ loadsetfromfile(char *filename, dns_rdataset_t *rdataset) {
|
||||
fatal("can't find %s node in %s", setname, filename);
|
||||
|
||||
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
|
||||
0, 0, rdataset, NULL);
|
||||
|
||||
0, 0, &keyset, NULL);
|
||||
if (result == ISC_R_NOTFOUND)
|
||||
fatal("no DNSKEY RR for %s in %s", setname, filename);
|
||||
else if (result != ISC_R_SUCCESS)
|
||||
fatal("dns_db_findrdataset");
|
||||
|
||||
if (node != NULL)
|
||||
dns_db_detachnode(db, &node);
|
||||
if (db != NULL)
|
||||
dns_db_detach(&db);
|
||||
return (result);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
|
||||
isc_result_t result;
|
||||
char filename[PATH_MAX + 1];
|
||||
isc_buffer_t buf;
|
||||
|
||||
dns_rdataset_init(rdataset);
|
||||
|
||||
isc_buffer_init(&buf, filename, sizeof(filename));
|
||||
if (dirname != NULL) {
|
||||
/* allow room for a trailing slash */
|
||||
if (strlen(dirname) >= isc_buffer_availablelength(&buf))
|
||||
return (ISC_R_NOSPACE);
|
||||
isc_buffer_putstr(&buf, dirname);
|
||||
if (dirname[strlen(dirname) - 1] != '/')
|
||||
isc_buffer_putstr(&buf, "/");
|
||||
}
|
||||
|
||||
if (isc_buffer_availablelength(&buf) < 7)
|
||||
return (ISC_R_NOSPACE);
|
||||
isc_buffer_putstr(&buf, "keyset-");
|
||||
|
||||
result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
|
||||
check_result(result, "dns_name_tofilenametext()");
|
||||
if (isc_buffer_availablelength(&buf) == 0)
|
||||
return (ISC_R_NOSPACE);
|
||||
isc_buffer_putuint8(&buf, 0);
|
||||
|
||||
return (loadsetfromfile(filename, rdataset));
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -153,20 +119,20 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
|
||||
isc_buffer_t keyb;
|
||||
isc_region_t r;
|
||||
|
||||
dns_rdataset_init(&keyset);
|
||||
dns_rdata_init(rdata);
|
||||
|
||||
isc_buffer_init(&keyb, key_buf, key_buf_size);
|
||||
|
||||
result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
|
||||
mctx, &key);
|
||||
result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("invalid keyfile name %s: %s",
|
||||
filename, isc_result_totext(result));
|
||||
|
||||
if (verbose > 2) {
|
||||
char keystr[DST_KEY_FORMATSIZE];
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
key_format(key, keystr, sizeof(keystr));
|
||||
fprintf(stderr, "%s: %s\n", program, keystr);
|
||||
}
|
||||
|
||||
@@ -195,7 +161,7 @@ logkey(dns_rdata_t *rdata)
|
||||
isc_result_t result;
|
||||
dst_key_t *key = NULL;
|
||||
isc_buffer_t buf;
|
||||
char keystr[DST_KEY_FORMATSIZE];
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
|
||||
isc_buffer_init(&buf, rdata->data, rdata->length);
|
||||
isc_buffer_add(&buf, rdata->length);
|
||||
@@ -203,132 +169,89 @@ logkey(dns_rdata_t *rdata)
|
||||
if (result != ISC_R_SUCCESS)
|
||||
return;
|
||||
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
key_format(key, keystr, sizeof(keystr));
|
||||
fprintf(stderr, "%s: %s\n", program, keystr);
|
||||
|
||||
dst_key_free(&key);
|
||||
}
|
||||
|
||||
static void
|
||||
emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
|
||||
dns_rdata_t *rdata)
|
||||
emitds(unsigned int dtype, dns_rdata_t *rdata)
|
||||
{
|
||||
isc_result_t result;
|
||||
unsigned char buf[DNS_DS_BUFFERSIZE];
|
||||
char text_buf[DST_KEY_MAXTEXTSIZE];
|
||||
char name_buf[DNS_NAME_MAXWIRE];
|
||||
char class_buf[10];
|
||||
isc_buffer_t textb, nameb, classb;
|
||||
isc_region_t r;
|
||||
dns_rdata_t ds;
|
||||
dns_rdata_dnskey_t dnskey;
|
||||
isc_result_t result;
|
||||
unsigned char buf[DNS_DS_BUFFERSIZE];
|
||||
char text_buf[DST_KEY_MAXTEXTSIZE];
|
||||
char class_buf[10];
|
||||
isc_buffer_t textb, classb;
|
||||
isc_region_t r;
|
||||
dns_rdata_t ds;
|
||||
|
||||
isc_buffer_init(&textb, text_buf, sizeof(text_buf));
|
||||
isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
|
||||
isc_buffer_init(&classb, class_buf, sizeof(class_buf));
|
||||
|
||||
dns_rdata_init(&ds);
|
||||
|
||||
result = dns_rdata_tostruct(rdata, &dnskey, NULL);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("can't convert DNSKEY");
|
||||
|
||||
if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
|
||||
return;
|
||||
|
||||
result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("can't build record");
|
||||
|
||||
result = dns_name_totext(name, ISC_FALSE, &nameb);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("can't print name");
|
||||
|
||||
/* Add lookaside origin, if set */
|
||||
if (lookaside != NULL) {
|
||||
if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
|
||||
fatal("DLV origin '%s' is too long", lookaside);
|
||||
isc_buffer_putstr(&nameb, lookaside);
|
||||
if (lookaside[strlen(lookaside) - 1] != '.') {
|
||||
if (isc_buffer_availablelength(&nameb) < 1)
|
||||
fatal("DLV origin '%s' is too long", lookaside);
|
||||
isc_buffer_putstr(&nameb, ".");
|
||||
}
|
||||
}
|
||||
fatal("can't build DS");
|
||||
|
||||
result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("can't print rdata");
|
||||
fatal("can't print DS rdata");
|
||||
|
||||
result = dns_rdataclass_totext(rdclass, &classb);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("can't print class");
|
||||
fatal("can't print DS class");
|
||||
|
||||
isc_buffer_usedregion(&nameb, &r);
|
||||
fwrite(r.base, 1, r.length, stdout);
|
||||
result = dns_name_print(name, stdout);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("can't print DS name");
|
||||
|
||||
putchar(' ');
|
||||
|
||||
isc_buffer_usedregion(&classb, &r);
|
||||
fwrite(r.base, 1, r.length, stdout);
|
||||
|
||||
if (lookaside == NULL)
|
||||
printf(" DS ");
|
||||
else
|
||||
printf(" DLV ");
|
||||
printf(" DS ");
|
||||
|
||||
isc_buffer_usedregion(&textb, &r);
|
||||
fwrite(r.base, 1, r.length, stdout);
|
||||
putchar('\n');
|
||||
}
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr, "Usage:\n");
|
||||
fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
|
||||
fprintf(stderr, " %s options [-K dir] [-c class] -s dnsname\n\n",
|
||||
fprintf(stderr, " %s options keyfile\n\n", program);
|
||||
fprintf(stderr, " %s options [-c class] [-d dir] -s dnsname\n\n",
|
||||
program);
|
||||
fprintf(stderr, " %s options -f zonefile (as zone name)\n\n", program);
|
||||
fprintf(stderr, " %s options -f zonefile zonename\n\n", program);
|
||||
fprintf(stderr, "Version: %s\n", VERSION);
|
||||
fprintf(stderr, "Options:\n");
|
||||
fprintf(stderr, " -v <verbose level>\n");
|
||||
fprintf(stderr, " -K <directory>: directory in which to find "
|
||||
"key file or keyset file\n");
|
||||
fprintf(stderr, " -a algorithm: digest algorithm "
|
||||
"(SHA-1 or SHA-256)\n");
|
||||
fprintf(stderr, " -1: use SHA-1\n");
|
||||
fprintf(stderr, " -2: use SHA-256\n");
|
||||
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
|
||||
fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
|
||||
fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
|
||||
fprintf(stderr, " -f file: read keyset from zone file\n");
|
||||
fprintf(stderr, " -A: when used with -f, "
|
||||
"include all keys in DS set, not just KSKs\n");
|
||||
fprintf(stderr, "Output: DS or DLV RRs\n");
|
||||
fprintf(stderr, " -a algorithm: use algorithm\n");
|
||||
fprintf(stderr, "Keyset options:\n");
|
||||
fprintf(stderr, " -s: keyset mode\n");
|
||||
fprintf(stderr, " -c class\n");
|
||||
fprintf(stderr, " -d directory\n");
|
||||
fprintf(stderr, "Output: DS RRs\n");
|
||||
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv) {
|
||||
char *algname = NULL, *classname = NULL;
|
||||
char *filename = NULL, *dir = NULL, *namestr;
|
||||
char *lookaside = NULL;
|
||||
char *endp;
|
||||
int ch;
|
||||
unsigned int dtype = DNS_DSDIGEST_SHA1;
|
||||
isc_boolean_t both = ISC_TRUE;
|
||||
isc_boolean_t usekeyset = ISC_FALSE;
|
||||
isc_boolean_t showall = ISC_FALSE;
|
||||
isc_result_t result;
|
||||
isc_log_t *log = NULL;
|
||||
isc_entropy_t *ectx = NULL;
|
||||
dns_rdataset_t rdataset;
|
||||
dns_rdata_t rdata;
|
||||
char *algname = NULL, *classname = NULL, *dirname = NULL;
|
||||
char *endp;
|
||||
int ch;
|
||||
unsigned int dtype = DNS_DSDIGEST_SHA1;
|
||||
isc_boolean_t both = ISC_TRUE;
|
||||
isc_boolean_t usekeyset = ISC_FALSE;
|
||||
isc_result_t result;
|
||||
isc_log_t *log = NULL;
|
||||
isc_entropy_t *ectx = NULL;
|
||||
dns_rdata_t rdata;
|
||||
|
||||
dns_rdata_init(&rdata);
|
||||
|
||||
@@ -344,7 +267,7 @@ main(int argc, char **argv) {
|
||||
isc_commandline_errprint = ISC_FALSE;
|
||||
|
||||
while ((ch = isc_commandline_parse(argc, argv,
|
||||
"12Aa:c:d:Ff:K:l:sv:h")) != -1) {
|
||||
"12a:c:d:sv:h")) != -1) {
|
||||
switch (ch) {
|
||||
case '1':
|
||||
dtype = DNS_DSDIGEST_SHA1;
|
||||
@@ -354,9 +277,6 @@ main(int argc, char **argv) {
|
||||
dtype = DNS_DSDIGEST_SHA256;
|
||||
both = ISC_FALSE;
|
||||
break;
|
||||
case 'A':
|
||||
showall = ISC_TRUE;
|
||||
break;
|
||||
case 'a':
|
||||
algname = isc_commandline_argument;
|
||||
both = ISC_FALSE;
|
||||
@@ -365,21 +285,7 @@ main(int argc, char **argv) {
|
||||
classname = isc_commandline_argument;
|
||||
break;
|
||||
case 'd':
|
||||
fprintf(stderr, "%s: the -d option is deprecated; "
|
||||
"use -K\n", program);
|
||||
/* fall through */
|
||||
case 'K':
|
||||
dir = isc_commandline_argument;
|
||||
if (strlen(dir) == 0U)
|
||||
fatal("directory must be non-empty string");
|
||||
break;
|
||||
case 'f':
|
||||
filename = isc_commandline_argument;
|
||||
break;
|
||||
case 'l':
|
||||
lookaside = isc_commandline_argument;
|
||||
if (strlen(lookaside) == 0U)
|
||||
fatal("lookaside must be a non-empty string");
|
||||
dirname = isc_commandline_argument;
|
||||
break;
|
||||
case 's':
|
||||
usekeyset = ISC_TRUE;
|
||||
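Review bot: In `case 'd'` the new side stores `isc_commandline_argument` in `dirname` and breaks with no validation, while the lines dropped by this hunk rejected an empty directory argument with `fatal("directory must be non-empty string")`. The guard is worth keeping as one statement after the assignment: `if (strlen(dirname) == 0U) fatal("directory must be non-empty string");`. How `loadkeys()` joins `dirname` with the keyset file name is not visible here, so the effect of an empty value is unverified. Rejecting it during option parsing keeps the lookup location explicit. The option `switch` in `main` begins and ends outside this hunk.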
@@ -389,14 +295,11 @@ main(int argc, char **argv) {
|
||||
if (*endp != '\0')
|
||||
fatal("-v must be followed by a number");
|
||||
break;
|
||||
case 'F':
|
||||
/* Reserved for FIPS mode */
|
||||
/* FALLTHROUGH */
|
||||
case '?':
|
||||
if (isc_commandline_option != '?')
|
||||
fprintf(stderr, "%s: invalid argument -%c\n",
|
||||
program, isc_commandline_option);
|
||||
/* FALLTHROUGH */
|
||||
/* Falls into */
|
||||
case 'h':
|
||||
usage();
|
||||
|
||||
@@ -420,14 +323,7 @@ main(int argc, char **argv) {
|
||||
|
||||
rdclass = strtoclass(classname);
|
||||
|
||||
if (usekeyset && filename != NULL)
|
||||
fatal("cannot use both -s and -f");
|
||||
|
||||
/* When not using -f, -A is implicit */
|
||||
if (filename == NULL)
|
||||
showall = ISC_TRUE;
|
||||
|
||||
if (argc < isc_commandline_index + 1 && filename == NULL)
|
||||
if (argc < isc_commandline_index + 1)
|
||||
fatal("the key file name was not specified");
|
||||
if (argc > isc_commandline_index + 1)
|
||||
fatal("extraneous arguments");
|
||||
@@ -440,50 +336,28 @@ main(int argc, char **argv) {
|
||||
result = dst_lib_init(mctx, ectx,
|
||||
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("could not initialize dst: %s",
|
||||
isc_result_totext(result));
|
||||
fatal("could not initialize dst");
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
setup_logging(verbose, mctx, &log);
|
||||
|
||||
dns_rdataset_init(&rdataset);
|
||||
if (usekeyset) {
|
||||
loadkeys(dirname, argv[isc_commandline_index]);
|
||||
|
||||
if (usekeyset || filename != NULL) {
|
||||
if (argc < isc_commandline_index + 1 && filename != NULL) {
|
||||
/* using zone name as the zone file name */
|
||||
namestr = filename;
|
||||
} else
|
||||
namestr = argv[isc_commandline_index];
|
||||
|
||||
result = initname(namestr);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("could not initialize name %s", namestr);
|
||||
|
||||
if (usekeyset)
|
||||
result = loadkeyset(dir, &rdataset);
|
||||
else
|
||||
result = loadsetfromfile(filename, &rdataset);
|
||||
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("could not load DNSKEY set: %s\n",
|
||||
isc_result_totext(result));
|
||||
|
||||
for (result = dns_rdataset_first(&rdataset);
|
||||
for (result = dns_rdataset_first(&keyset);
|
||||
result == ISC_R_SUCCESS;
|
||||
result = dns_rdataset_next(&rdataset)) {
|
||||
result = dns_rdataset_next(&keyset)) {
|
||||
dns_rdata_init(&rdata);
|
||||
dns_rdataset_current(&rdataset, &rdata);
|
||||
dns_rdataset_current(&keyset, &rdata);
|
||||
|
||||
if (verbose > 2)
|
||||
logkey(&rdata);
|
||||
|
||||
if (both) {
|
||||
emit(DNS_DSDIGEST_SHA1, showall, lookaside,
|
||||
&rdata);
|
||||
emit(DNS_DSDIGEST_SHA256, showall, lookaside,
|
||||
&rdata);
|
||||
emitds(DNS_DSDIGEST_SHA1, &rdata);
|
||||
emitds(DNS_DSDIGEST_SHA256, &rdata);
|
||||
} else
|
||||
emit(dtype, showall, lookaside, &rdata);
|
||||
emitds(dtype, &rdata);
|
||||
}
|
||||
} else {
|
||||
unsigned char key_buf[DST_KEY_MAXSIZE];
|
||||
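Review bot: The `dst_lib_init()` failure path on the new side calls `fatal("could not initialize dst")` and discards `result`, so a failed crypto/entropy initialisation is reported with no cause. `result` is already in scope, so `fatal("could not initialize dst: %s", isc_result_totext(result));` keeps the reason in the message, the same way the replaced lines in this hunk did. Separately, the `for` loop over `keyset` stops on any non-success `result` and nothing after it distinguishes a normal end of set (presumably `ISC_R_NOMORE`) from an iteration error. If that reading is right, a check after the loop would keep a truncated DS set from being emitted silently. `main` continues outside this hunk.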
@@ -492,14 +366,18 @@ main(int argc, char **argv) {
|
||||
DST_KEY_MAXSIZE, &rdata);
|
||||
|
||||
if (both) {
|
||||
emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
|
||||
emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
|
||||
emitds(DNS_DSDIGEST_SHA1, &rdata);
|
||||
emitds(DNS_DSDIGEST_SHA256, &rdata);
|
||||
} else
|
||||
emit(dtype, showall, lookaside, &rdata);
|
||||
emitds(dtype, &rdata);
|
||||
}
|
||||
|
||||
if (dns_rdataset_isassociated(&rdataset))
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
if (dns_rdataset_isassociated(&keyset))
|
||||
dns_rdataset_disassociate(&keyset);
|
||||
if (node != NULL)
|
||||
dns_db_detachnode(db, &node);
|
||||
if (db != NULL)
|
||||
dns_db_detach(&db);
|
||||
cleanup_logging(&log);
|
||||
dst_lib_destroy();
|
||||
isc_hash_destroy();
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||||
[<!ENTITY mdash "—">]>
|
||||
<!--
|
||||
- Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -17,10 +17,10 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-dsfromkey.docbook,v 1.10 2009/08/26 21:56:05 jreed Exp $ -->
|
||||
<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
|
||||
<refentry id="man.dnssec-dsfromkey">
|
||||
<refentryinfo>
|
||||
<date>August 26, 2009</date>
|
||||
<date>November 29, 2008</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
@@ -37,7 +37,6 @@
|
||||
<docinfo>
|
||||
<copyright>
|
||||
<year>2008</year>
|
||||
<year>2009</year>
|
||||
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||||
</copyright>
|
||||
</docinfo>
|
||||
@@ -49,22 +48,17 @@
|
||||
<arg><option>-1</option></arg>
|
||||
<arg><option>-2</option></arg>
|
||||
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
|
||||
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
|
||||
<arg choice="req">keyfile</arg>
|
||||
</cmdsynopsis>
|
||||
<cmdsynopsis>
|
||||
<command>dnssec-dsfromkey</command>
|
||||
<arg choice="req">-s</arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg><option>-1</option></arg>
|
||||
<arg><option>-2</option></arg>
|
||||
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
|
||||
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
|
||||
<arg><option>-s</option></arg>
|
||||
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
|
||||
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
|
||||
<arg><option>-A</option></arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
|
||||
<arg choice="req">dnsname</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
@@ -112,48 +106,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-K <replaceable class="parameter">directory</replaceable></term>
|
||||
<term>-v <replaceable class="parameter">level</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Look for key files (or, in keyset mode,
|
||||
<filename>keyset-</filename> files) in
|
||||
<option>directory</option>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-f <replaceable class="parameter">file</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Zone file mode: in place of the keyfile name, the argument is
|
||||
the DNS domain name of a zone master file, which can be read
|
||||
from <option>file</option>. If the zone name is the same as
|
||||
<option>file</option>, then it may be omitted.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-A</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Include ZSK's when generating DS records. Without this option,
|
||||
only keys which have the KSK flag set will be converted to DS
|
||||
records and printed. Useful only in zone file mode.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-l <replaceable class="parameter">domain</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Generate a DLV set instead of a DS set. The specified
|
||||
<option>domain</option> is appended to the name for each
|
||||
record in the set.
|
||||
The DNSSEC Lookaside Validation (DLV) RR is described
|
||||
in RFC 4431.
|
||||
Sets the debugging level.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -163,7 +119,8 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Keyset mode: in place of the keyfile name, the argument is
|
||||
the DNS domain name of a keyset file.
|
||||
the DNS domain name of a keyset file. Following options make sense
|
||||
only in this mode.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -172,20 +129,23 @@
|
||||
<term>-c <replaceable class="parameter">class</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the DNS class (default is IN). Useful only
|
||||
in keyset or zone file mode.
|
||||
Specifies the DNS class (default is IN), useful only
|
||||
in the keyset mode.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-v <replaceable class="parameter">level</replaceable></term>
|
||||
<term>-d <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the debugging level.
|
||||
Look for <filename>keyset</filename> files in
|
||||
<option>directory</option> as the directory, ignored when
|
||||
not in the keyset mode.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
@@ -237,7 +197,6 @@
|
||||
</citerefentry>,
|
||||
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
||||
<citetitle>RFC 3658</citetitle>,
|
||||
<citetitle>RFC 4431</citetitle>.
|
||||
<citetitle>RFC 4509</citetitle>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
<!--
|
||||
- Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -14,7 +14,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-dsfromkey.html,v 1.11 2009/08/27 01:14:39 tbox Exp $ -->
|
||||
<!-- $Id: dnssec-dsfromkey.html,v 1.5 2008/11/08 01:11:47 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
@@ -29,18 +29,18 @@
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] {keyfile}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543461"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2543424"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
|
||||
outputs the Delegation Signer (DS) resource record (RR), as defined in
|
||||
RFC 3658 and RFC 4509, for the given key(s).
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543473"></a><h2>OPTIONS</h2>
|
||||
<a name="id2543435"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-1</span></dt>
|
||||
<dd><p>
|
||||
@@ -57,51 +57,31 @@
|
||||
<code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
|
||||
SHA-256 (SHA256). These values are case insensitive.
|
||||
</p></dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Look for key files (or, in keyset mode,
|
||||
<code class="filename">keyset-</code> files) in
|
||||
<code class="option">directory</code>.
|
||||
</p></dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
|
||||
<dd><p>
|
||||
Zone file mode: in place of the keyfile name, the argument is
|
||||
the DNS domain name of a zone master file, which can be read
|
||||
from <code class="option">file</code>. If the zone name is the same as
|
||||
<code class="option">file</code>, then it may be omitted.
|
||||
</p></dd>
|
||||
<dt><span class="term">-A</span></dt>
|
||||
<dd><p>
|
||||
Include ZSK's when generating DS records. Without this option,
|
||||
only keys which have the KSK flag set will be converted to DS
|
||||
records and printed. Useful only in zone file mode.
|
||||
</p></dd>
|
||||
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
|
||||
<dd><p>
|
||||
Generate a DLV set instead of a DS set. The specified
|
||||
<code class="option">domain</code> is appended to the name for each
|
||||
record in the set.
|
||||
The DNSSEC Lookaside Validation (DLV) RR is described
|
||||
in RFC 4431.
|
||||
</p></dd>
|
||||
<dt><span class="term">-s</span></dt>
|
||||
<dd><p>
|
||||
Keyset mode: in place of the keyfile name, the argument is
|
||||
the DNS domain name of a keyset file.
|
||||
</p></dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the DNS class (default is IN). Useful only
|
||||
in keyset or zone file mode.
|
||||
</p></dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
<dt><span class="term">-s</span></dt>
|
||||
<dd><p>
|
||||
Keyset mode: in place of the keyfile name, the argument is
|
||||
the DNS domain name of a keyset file. Following options make sense
|
||||
only in this mode.
|
||||
</p></dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the DNS class (default is IN), useful only
|
||||
in the keyset mode.
|
||||
</p></dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Look for <code class="filename">keyset</code> files in
|
||||
<code class="option">directory</code> as the directory, ignored when
|
||||
not in the keyset mode.
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543659"></a><h2>EXAMPLE</h2>
|
||||
<a name="id2543563"></a><h2>EXAMPLE</h2>
|
||||
<p>
|
||||
To build the SHA-256 DS RR from the
|
||||
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
|
||||
@@ -116,7 +96,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543689"></a><h2>FILES</h2>
|
||||
<a name="id2543593"></a><h2>FILES</h2>
|
||||
<p>
|
||||
The keyfile can be designed by the key identification
|
||||
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
|
||||
@@ -130,23 +110,22 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543724"></a><h2>CAVEAT</h2>
|
||||
<a name="id2543628"></a><h2>CAVEAT</h2>
|
||||
<p>
|
||||
A keyfile error can give a "file not found" even if the file exists.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543734"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2543638"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 3658</em>,
|
||||
<em class="citetitle">RFC 4431</em>.
|
||||
<em class="citetitle">RFC 4509</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543773"></a><h2>AUTHOR</h2>
|
||||
<a name="id2543674"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
.\" Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
@@ -12,7 +12,7 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dnssec-keyfromlabel.8,v 1.16 2009/11/03 21:58:30 tbox Exp $
|
||||
.\" $Id: dnssec-keyfromlabel.8,v 1.6 2008/11/08 01:11:47 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
@@ -32,47 +32,27 @@
|
||||
dnssec\-keyfromlabel \- DNSSEC key generation tool
|
||||
.SH "SYNOPSIS"
|
||||
.HP 20
|
||||
\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
|
||||
\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBdnssec\-keyfromlabel\fR
|
||||
gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
|
||||
.PP
|
||||
The
|
||||
\fBname\fR
|
||||
of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
|
||||
.SH "OPTIONS"
|
||||
.PP
|
||||
\-a \fIalgorithm\fR
|
||||
.RS 4
|
||||
Selects the cryptographic algorithm. The value of
|
||||
\fBalgorithm\fR
|
||||
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. These values are case insensitive.
|
||||
.sp
|
||||
If no algorithm is specified, then RSASHA1 will be used by default, unless the
|
||||
\fB\-3\fR
|
||||
option is specified, in which case NSEC3RSASHA1 will be used instead. (If
|
||||
\fB\-3\fR
|
||||
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
|
||||
must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
|
||||
.sp
|
||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
|
||||
.sp
|
||||
Note 2: DH automatically sets the \-k flag.
|
||||
.RE
|
||||
.PP
|
||||
\-3
|
||||
.RS 4
|
||||
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
|
||||
.RE
|
||||
.PP
|
||||
\-E \fIengine\fR
|
||||
.RS 4
|
||||
Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to "pkcs11".
|
||||
.RE
|
||||
.PP
|
||||
\-l \fIlabel\fR
|
||||
.RS 4
|
||||
Specifies the label of the key pair in the crypto hardware. The label may be preceded by an optional OpenSSL engine name, separated by a colon, as in "pkcs11:keylabel".
|
||||
Specifies the label of keys in the crypto hardware (PKCS#11 device).
|
||||
.RE
|
||||
.PP
|
||||
\-n \fInametype\fR
|
||||
@@ -82,15 +62,6 @@ Specifies the owner type of the key. The value of
|
||||
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
|
||||
.RE
|
||||
.PP
|
||||
\-C
|
||||
.RS 4
|
||||
Compatibility mode: generates an old\-style key, without any metadata. By default,
|
||||
\fBdnssec\-keyfromlabel\fR
|
||||
will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
|
||||
\fB\-C\fR
|
||||
option suppresses them.
|
||||
.RE
|
||||
.PP
|
||||
\-c \fIclass\fR
|
||||
.RS 4
|
||||
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
|
||||
@@ -98,23 +69,13 @@ Indicates that the DNS record containing the key should have the specified class
|
||||
.PP
|
||||
\-f \fIflag\fR
|
||||
.RS 4
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
|
||||
.RE
|
||||
.PP
|
||||
\-G
|
||||
.RS 4
|
||||
Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
|
||||
.RE
|
||||
.PP
|
||||
\-h
|
||||
.RS 4
|
||||
Prints a short summary of the options and arguments to
|
||||
\fBdnssec\-keyfromlabel\fR.
|
||||
.RE
|
||||
.PP
|
||||
\-K \fIdirectory\fR
|
||||
.RS 4
|
||||
Sets the directory in which the key files are to be written.
|
||||
\fBdnssec\-keygen\fR.
|
||||
.RE
|
||||
.PP
|
||||
\-k
|
||||
@@ -124,7 +85,7 @@ Generate KEY records rather than DNSKEY records.
|
||||
.PP
|
||||
\-p \fIprotocol\fR
|
||||
.RS 4
|
||||
Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
|
||||
Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
|
||||
.RE
|
||||
.PP
|
||||
\-t \fItype\fR
|
||||
@@ -138,34 +99,6 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
|
||||
.RS 4
|
||||
Sets the debugging level.
|
||||
.RE
|
||||
.SH "TIMING OPTIONS"
|
||||
.PP
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
|
||||
.PP
|
||||
\-P \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
|
||||
.RE
|
||||
.PP
|
||||
\-A \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
|
||||
.RE
|
||||
.PP
|
||||
\-R \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
|
||||
.RE
|
||||
.PP
|
||||
\-U \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
|
||||
.RE
|
||||
.PP
|
||||
\-D \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
|
||||
.RE
|
||||
.SH "GENERATED KEY FILES"
|
||||
.PP
|
||||
When
|
||||
@@ -199,16 +132,18 @@ file contains a DNS KEY record that can be inserted into a zone file (directly o
|
||||
.PP
|
||||
The
|
||||
\fI.private\fR
|
||||
file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
|
||||
file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
\fBdnssec\-keygen\fR(8),
|
||||
\fBdnssec\-signzone\fR(8),
|
||||
BIND 9 Administrator Reference Manual,
|
||||
RFC 4034.
|
||||
RFC 2539,
|
||||
RFC 2845,
|
||||
RFC 4033.
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Systems Consortium
|
||||
.SH "COPYRIGHT"
|
||||
Copyright \(co 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2007-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -14,13 +14,12 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssec-keyfromlabel.c,v 1.26 2009/11/06 01:06:38 each Exp $ */
|
||||
/* $Id: dnssec-keyfromlabel.c,v 1.4 2008/09/24 02:46:21 marka Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <ctype.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <isc/buffer.h>
|
||||
@@ -28,7 +27,6 @@
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/region.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/string.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
@@ -49,59 +47,34 @@
|
||||
const char *program = "dnssec-keyfromlabel";
|
||||
int verbose;
|
||||
|
||||
#define DEFAULT_ALGORITHM "RSASHA1"
|
||||
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
|
||||
|
||||
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
|
||||
" NSEC3DSA | NSEC3RSASHA1 |"
|
||||
" RSASHA256 | RSASHA512";
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
" NSEC3DSA | NSEC3RSASHA1";
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr, "Usage:\n");
|
||||
fprintf(stderr, " %s -l label [options] name\n\n",
|
||||
fprintf(stderr, " %s -a alg -l label [options] name\n\n",
|
||||
program);
|
||||
fprintf(stderr, "Version: %s\n", VERSION);
|
||||
fprintf(stderr, "Required options:\n");
|
||||
fprintf(stderr, " -l label: label of the key pair\n");
|
||||
fprintf(stderr, " -a algorithm: %s\n", algs);
|
||||
fprintf(stderr, " -l label: label of the key\n");
|
||||
fprintf(stderr, " name: owner of the key\n");
|
||||
fprintf(stderr, "Other options:\n");
|
||||
fprintf(stderr, " -a algorithm: %s\n", algs);
|
||||
fprintf(stderr, " (default: RSASHA1, or "
|
||||
"NSEC3RSASHA1 if using -3)\n");
|
||||
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
|
||||
fprintf(stderr, " -c class (default: IN)\n");
|
||||
#ifdef USE_PKCS11
|
||||
fprintf(stderr, " -E enginename (default: pkcs11)\n");
|
||||
#else
|
||||
fprintf(stderr, " -E enginename\n");
|
||||
#endif
|
||||
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
|
||||
fprintf(stderr, " -K directory: directory in which to place "
|
||||
"key files\n");
|
||||
fprintf(stderr, " -k : generate a TYPE=KEY key\n");
|
||||
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
|
||||
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
|
||||
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
|
||||
fprintf(stderr, " -t type: "
|
||||
fprintf(stderr, " -c <class> (default: IN)\n");
|
||||
fprintf(stderr, " -f keyflag: KSK\n");
|
||||
fprintf(stderr, " -t <type>: "
|
||||
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
|
||||
"(default: AUTHCONF)\n");
|
||||
fprintf(stderr, " -v verbose level\n");
|
||||
fprintf(stderr, "Date options:\n");
|
||||
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
|
||||
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
|
||||
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
|
||||
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
|
||||
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
|
||||
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
|
||||
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
|
||||
" all dates\n");
|
||||
fprintf(stderr, " -p <protocol>: "
|
||||
"default: 3 [dnssec]\n");
|
||||
fprintf(stderr, " -v <verbose level>\n");
|
||||
fprintf(stderr, " -k : generate a TYPE=KEY key\n");
|
||||
fprintf(stderr, "Output:\n");
|
||||
fprintf(stderr, " K<name>+<alg>+<id>.key, "
|
||||
"K<name>+<alg>+<id>.private\n");
|
||||
"K<name>+<alg>+<id>.private\n");
|
||||
|
||||
exit (-1);
|
||||
}
|
||||
@@ -109,20 +82,14 @@ usage(void) {
|
||||
int
|
||||
main(int argc, char **argv) {
|
||||
char *algname = NULL, *nametype = NULL, *type = NULL;
|
||||
const char *directory = NULL;
|
||||
#ifdef USE_PKCS11
|
||||
const char *engine = "pkcs11";
|
||||
#else
|
||||
const char *engine = NULL;
|
||||
#endif
|
||||
char *classname = NULL;
|
||||
char *endp;
|
||||
dst_key_t *key = NULL, *oldkey = NULL;
|
||||
dst_key_t *key = NULL, *oldkey;
|
||||
dns_fixedname_t fname;
|
||||
dns_name_t *name;
|
||||
isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
|
||||
isc_uint16_t flags = 0, ksk = 0;
|
||||
dns_secalg_t alg;
|
||||
isc_boolean_t oldstyle = ISC_FALSE;
|
||||
isc_boolean_t null_key = ISC_FALSE;
|
||||
isc_mem_t *mctx = NULL;
|
||||
int ch;
|
||||
int protocol = -1, signatory = 0;
|
||||
@@ -135,17 +102,6 @@ main(int argc, char **argv) {
|
||||
dns_rdataclass_t rdclass;
|
||||
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
|
||||
char *label = NULL;
|
||||
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
|
||||
isc_stdtime_t inactive = 0, delete = 0;
|
||||
isc_stdtime_t now;
|
||||
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
|
||||
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
|
||||
isc_boolean_t setdel = ISC_FALSE;
|
||||
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
|
||||
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
|
||||
isc_boolean_t unsetdel = ISC_FALSE;
|
||||
isc_boolean_t genonly = ISC_FALSE;
|
||||
isc_boolean_t use_nsec3 = ISC_FALSE;
|
||||
|
||||
if (argc == 1)
|
||||
usage();
|
||||
@@ -156,48 +112,28 @@ main(int argc, char **argv) {
|
||||
|
||||
isc_commandline_errprint = ISC_FALSE;
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
|
||||
while ((ch = isc_commandline_parse(argc, argv,
|
||||
"3a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
|
||||
"a:c:f:kl:n:p:t:v:h")) != -1)
|
||||
{
|
||||
switch (ch) {
|
||||
case '3':
|
||||
use_nsec3 = ISC_TRUE;
|
||||
break;
|
||||
case 'a':
|
||||
algname = isc_commandline_argument;
|
||||
break;
|
||||
case 'C':
|
||||
oldstyle = ISC_TRUE;
|
||||
break;
|
||||
case 'c':
|
||||
classname = isc_commandline_argument;
|
||||
break;
|
||||
case 'E':
|
||||
engine = isc_commandline_argument;
|
||||
break;
|
||||
case 'f':
|
||||
if (toupper(isc_commandline_argument[0]) == 'K')
|
||||
kskflag = DNS_KEYFLAG_KSK;
|
||||
else if (toupper(isc_commandline_argument[0]) == 'R')
|
||||
revflag = DNS_KEYFLAG_REVOKE;
|
||||
if (strcasecmp(isc_commandline_argument, "KSK") == 0)
|
||||
ksk = DNS_KEYFLAG_KSK;
|
||||
else
|
||||
fatal("unknown flag '%s'",
|
||||
isc_commandline_argument);
|
||||
break;
|
||||
case 'K':
|
||||
directory = isc_commandline_argument;
|
||||
ret = try_dir(directory);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
fatal("cannot open directory %s: %s",
|
||||
directory, isc_result_totext(ret));
|
||||
break;
|
||||
case 'k':
|
||||
options |= DST_TYPE_KEY;
|
||||
break;
|
||||
case 'l':
|
||||
label = isc_mem_strdup(mctx, isc_commandline_argument);
|
||||
label = isc_commandline_argument;
|
||||
break;
|
||||
case 'n':
|
||||
nametype = isc_commandline_argument;
|
||||
@@ -216,77 +152,11 @@ main(int argc, char **argv) {
|
||||
if (*endp != '\0')
|
||||
fatal("-v must be followed by a number");
|
||||
break;
|
||||
case 'G':
|
||||
genonly = ISC_TRUE;
|
||||
break;
|
||||
case 'P':
|
||||
if (setpub || unsetpub)
|
||||
fatal("-P specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setpub = ISC_TRUE;
|
||||
publish = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetpub = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'A':
|
||||
if (setact || unsetact)
|
||||
fatal("-A specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setact = ISC_TRUE;
|
||||
activate = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetact = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'R':
|
||||
if (setrev || unsetrev)
|
||||
fatal("-R specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setrev = ISC_TRUE;
|
||||
revoke = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetrev = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'I':
|
||||
if (setinact || unsetinact)
|
||||
fatal("-I specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setinact = ISC_TRUE;
|
||||
inactive = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetinact = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'D':
|
||||
if (setdel || unsetdel)
|
||||
fatal("-D specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setdel = ISC_TRUE;
|
||||
delete = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetdel = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'F':
|
||||
/* Reserved for FIPS mode */
|
||||
/* FALLTHROUGH */
|
||||
case '?':
|
||||
if (isc_commandline_option != '?')
|
||||
fprintf(stderr, "%s: invalid argument -%c\n",
|
||||
program, isc_commandline_option);
|
||||
/* FALLTHROUGH */
|
||||
case 'h':
|
||||
usage();
|
||||
|
||||
@@ -299,11 +169,10 @@ main(int argc, char **argv) {
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
ret = dst_lib_init2(mctx, ectx, engine,
|
||||
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
||||
ret = dst_lib_init(mctx, ectx,
|
||||
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
fatal("could not initialize dst: %s",
|
||||
isc_result_totext(ret));
|
||||
fatal("could not initialize dst");
|
||||
|
||||
setup_logging(verbose, mctx, &log);
|
||||
|
||||
@@ -314,30 +183,8 @@ main(int argc, char **argv) {
|
||||
if (argc > isc_commandline_index + 1)
|
||||
fatal("extraneous arguments");
|
||||
|
||||
if (strchr(label, ':') == NULL &&
|
||||
engine != NULL && strlen(engine) != 0U) {
|
||||
char *l;
|
||||
int len;
|
||||
|
||||
len = strlen(label) + strlen(engine) + 2;
|
||||
l = isc_mem_allocate(mctx, len);
|
||||
if (l == NULL)
|
||||
fatal("cannot allocate memory");
|
||||
snprintf(l, len, "%s:%s", engine, label);
|
||||
isc_mem_free(mctx, label);
|
||||
label = l;
|
||||
}
|
||||
|
||||
if (algname == NULL) {
|
||||
if (use_nsec3)
|
||||
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
|
||||
else
|
||||
algname = strdup(DEFAULT_ALGORITHM);
|
||||
if (verbose > 0)
|
||||
fprintf(stderr, "no algorithm specified; "
|
||||
"defaulting to %s\n", algname);
|
||||
}
|
||||
|
||||
if (algname == NULL)
|
||||
fatal("no algorithm was specified");
|
||||
if (strcasecmp(algname, "RSA") == 0) {
|
||||
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
|
||||
"If you still wish to use RSA (RSAMD5) please "
|
||||
@@ -353,12 +200,6 @@ main(int argc, char **argv) {
|
||||
options |= DST_TYPE_KEY;
|
||||
}
|
||||
|
||||
if (use_nsec3 &&
|
||||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) {
|
||||
fatal("%s is incompatible with NSEC3; "
|
||||
"do not use the -3 option", algname);
|
||||
}
|
||||
|
||||
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
|
||||
if (strcasecmp(type, "NOAUTH") == 0)
|
||||
flags |= DNS_KEYTYPE_NOAUTH;
|
||||
@@ -392,15 +233,10 @@ main(int argc, char **argv) {
|
||||
|
||||
rdclass = strtoclass(classname);
|
||||
|
||||
if (directory == NULL)
|
||||
directory = ".";
|
||||
|
||||
if ((options & DST_TYPE_KEY) != 0) /* KEY */
|
||||
flags |= signatory;
|
||||
else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
|
||||
flags |= kskflag;
|
||||
flags |= revflag;
|
||||
}
|
||||
else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
|
||||
flags |= ksk;
|
||||
|
||||
if (protocol == -1)
|
||||
protocol = DNS_KEYPROTO_DNSSEC;
|
||||
@@ -423,96 +259,53 @@ main(int argc, char **argv) {
|
||||
isc_buffer_init(&buf, argv[isc_commandline_index],
|
||||
strlen(argv[isc_commandline_index]));
|
||||
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
|
||||
ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
|
||||
ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
fatal("invalid key name %s: %s", argv[isc_commandline_index],
|
||||
isc_result_totext(ret));
|
||||
|
||||
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
|
||||
null_key = ISC_TRUE;
|
||||
|
||||
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
|
||||
|
||||
/* associate the key */
|
||||
ret = dst_key_fromlabel(name, alg, flags, protocol,
|
||||
rdclass, engine, label, NULL, mctx, &key);
|
||||
rdclass, "", label, NULL, mctx, &key);
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
char namestr[DNS_NAME_FORMATSIZE];
|
||||
char algstr[DNS_SECALG_FORMATSIZE];
|
||||
char algstr[ALG_FORMATSIZE];
|
||||
dns_name_format(name, namestr, sizeof(namestr));
|
||||
dns_secalg_format(alg, algstr, sizeof(algstr));
|
||||
fatal("failed to get key %s/%s: %s\n",
|
||||
alg_format(alg, algstr, sizeof(algstr));
|
||||
fatal("failed to generate key %s/%s: %s\n",
|
||||
namestr, algstr, isc_result_totext(ret));
|
||||
/* NOTREACHED */
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Set key timing metadata (unless using -C)
|
||||
*
|
||||
* Publish and activation dates are set to "now" by default, but
|
||||
* can be overridden. Creation date is always set to "now".
|
||||
*/
|
||||
if (!oldstyle) {
|
||||
dst_key_settime(key, DST_TIME_CREATED, now);
|
||||
|
||||
if (genonly && (setpub || setact))
|
||||
fatal("cannot use -G together with -P or -A options");
|
||||
|
||||
if (setpub)
|
||||
dst_key_settime(key, DST_TIME_PUBLISH, publish);
|
||||
else if (!genonly)
|
||||
dst_key_settime(key, DST_TIME_PUBLISH, now);
|
||||
|
||||
if (setact)
|
||||
dst_key_settime(key, DST_TIME_ACTIVATE, activate);
|
||||
else if (!genonly)
|
||||
dst_key_settime(key, DST_TIME_ACTIVATE, now);
|
||||
|
||||
if (setrev) {
|
||||
if (kskflag == 0)
|
||||
fprintf(stderr, "%s: warning: Key is "
|
||||
"not flagged as a KSK, but -R "
|
||||
"was used. Revoking a ZSK is "
|
||||
"legal, but undefined.\n",
|
||||
program);
|
||||
dst_key_settime(key, DST_TIME_REVOKE, revoke);
|
||||
}
|
||||
|
||||
if (setinact)
|
||||
dst_key_settime(key, DST_TIME_INACTIVE, inactive);
|
||||
|
||||
if (setdel)
|
||||
dst_key_settime(key, DST_TIME_DELETE, delete);
|
||||
} else {
|
||||
if (setpub || setact || setrev || setinact ||
|
||||
setdel || unsetpub || unsetact ||
|
||||
unsetrev || unsetinact || unsetdel || genonly)
|
||||
fatal("cannot use -C together with "
|
||||
"-P, -A, -R, -I, -D, or -G options");
|
||||
/*
|
||||
* Compatibility mode: Private-key-format
|
||||
* should be set to 1.2.
|
||||
*/
|
||||
dst_key_setprivateformat(key, 1, 2);
|
||||
}
|
||||
|
||||
/*
|
||||
* Try to read a key with the same name, alg and id from disk.
|
||||
* If there is one we must return failure.
|
||||
* If there is one we must continue generating a new one
|
||||
* unless we were asked to generate a null key, in which
|
||||
* case we return failure.
|
||||
*/
|
||||
ret = dst_key_fromfile(name, dst_key_id(key), alg,
|
||||
DST_TYPE_PRIVATE, directory, mctx, &oldkey);
|
||||
DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
|
||||
/* do not overwrite an existing key */
|
||||
if (ret == ISC_R_SUCCESS) {
|
||||
isc_buffer_clear(&buf);
|
||||
ret = dst_key_buildfilename(key, 0, directory, &buf);
|
||||
fatal("%s: %s already exists\n", program, filename);
|
||||
ret = dst_key_buildfilename(key, 0, NULL, &buf);
|
||||
fprintf(stderr, "%s: %s already exists\n",
|
||||
program, filename);
|
||||
dst_key_free(&key);
|
||||
exit (1);
|
||||
}
|
||||
|
||||
ret = dst_key_tofile(key, options, directory);
|
||||
ret = dst_key_tofile(key, options, NULL);
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
char keystr[DST_KEY_FORMATSIZE];
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
key_format(key, keystr, sizeof(keystr));
|
||||
fatal("failed to write key %s: %s\n", keystr,
|
||||
isc_result_totext(ret));
|
||||
}
|
||||
@@ -528,7 +321,6 @@ main(int argc, char **argv) {
|
||||
dns_name_destroy();
|
||||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
isc_mem_free(mctx, label);
|
||||
isc_mem_destroy(&mctx);
|
||||
|
||||
return (0);
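Review bot: `oldkey` is declared without an initializer (`dst_key_t *key = NULL, *oldkey;`) on the side the hunk line counts mark as new, and its address is later passed to `dst_key_fromfile(..., NULL, mctx, &oldkey)` in the existing-key check. The other side initializes it to NULL, which suggests the callee expects an empty out-pointer; with an indeterminate value, the check that stops an existing `.private` file from being overwritten may abort or misbehave. I would keep `dst_key_t *key = NULL, *oldkey = NULL;`. In the same branch, the result of `dst_key_buildfilename(key, 0, NULL, &buf)` is stored in `ret` but not tested before `filename` is printed in the "already exists" message, so a failure there prints whatever the buffer holds. `main` starts and ends outside these hunks, so the code between them is not visible here.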
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||||
[<!ENTITY mdash "—">]>
|
||||
<!--
|
||||
- Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -17,7 +17,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.15 2009/11/03 21:44:46 each Exp $ -->
|
||||
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
|
||||
<refentry id="man.dnssec-keyfromlabel">
|
||||
<refentryinfo>
|
||||
<date>February 8, 2008</date>
|
||||
@@ -37,7 +37,6 @@
|
||||
<docinfo>
|
||||
<copyright>
|
||||
<year>2008</year>
|
||||
<year>2009</year>
|
||||
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||||
</copyright>
|
||||
</docinfo>
|
||||
@@ -45,22 +44,13 @@
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>dnssec-keyfromlabel</command>
|
||||
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
|
||||
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
|
||||
<arg><option>-3</option></arg>
|
||||
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
|
||||
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
|
||||
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
|
||||
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
|
||||
<arg><option>-G</option></arg>
|
||||
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-k</option></arg>
|
||||
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
|
||||
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
|
||||
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg choice="req">name</arg>
|
||||
@@ -74,11 +64,6 @@
|
||||
key files for DNSSEC (Secure DNS), as defined in RFC 2535
|
||||
and RFC 4034.
|
||||
</para>
|
||||
<para>
|
||||
The <option>name</option> of the key is specified on the command
|
||||
line. This must match the name of the zone for which the key is
|
||||
being generated.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
@@ -90,17 +75,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Selects the cryptographic algorithm. The value of
|
||||
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
|
||||
<option>algorithm</option> must be one of RSAMD5 (RSA)
|
||||
or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
|
||||
These values are case insensitive.
|
||||
</para>
|
||||
<para>
|
||||
If no algorithm is specified, then RSASHA1 will be used by
|
||||
default, unless the <option>-3</option> option is specified,
|
||||
in which case NSEC3RSASHA1 will be used instead. (If
|
||||
<option>-3</option> is used and an algorithm is specified,
|
||||
that algorithm will be checked for compatibility with NSEC3.)
|
||||
</para>
|
||||
<para>
|
||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
||||
algorithm, and DSA is recommended.
|
||||
@@ -111,35 +89,12 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-3</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||
If this option is used and no algorithm is explicitly
|
||||
set on the command line, NSEC3RSASHA1 will be used by
|
||||
default.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-E <replaceable class="parameter">engine</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the name of the crypto hardware (OpenSSL engine).
|
||||
When compiled with PKCS#11 support it defaults to "pkcs11".
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-l <replaceable class="parameter">label</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the label of the key pair in the crypto hardware.
|
||||
The label may be preceded by an optional OpenSSL engine name,
|
||||
separated by a colon, as in "pkcs11:keylabel".
|
||||
Specifies the label of keys in the crypto hardware
|
||||
(PKCS#11 device).
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -153,22 +108,8 @@
|
||||
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
|
||||
a host (KEY)),
|
||||
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
|
||||
These values are case insensitive.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-C</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Compatibility mode: generates an old-style key, without
|
||||
any metadata. By default, <command>dnssec-keyfromlabel</command>
|
||||
will include the key's creation date in the metadata stored
|
||||
with the private key, and other dates may be set there as well
|
||||
(publication date, activation date, etc). Keys that include
|
||||
this data may be incompatible with older versions of BIND; the
|
||||
<option>-C</option> option suppresses them.
|
||||
These values are
|
||||
case insensitive.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -188,17 +129,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record.
|
||||
The only recognized flags are KSK (Key Signing Key) and REVOKE.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-G</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Generate a key, but do not publish it or sign with it. This
|
||||
option is incompatible with -P and -A.
|
||||
The only recognized flag is KSK (Key Signing Key) DNSKEY.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -208,16 +139,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Prints a short summary of the options and arguments to
|
||||
<command>dnssec-keyfromlabel</command>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-K <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the directory in which the key files are to be written.
|
||||
<command>dnssec-keygen</command>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -235,7 +157,7 @@
|
||||
<term>-p <replaceable class="parameter">protocol</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the protocol value for the key. The protocol
|
||||
Sets the protocol value for the generated key. The protocol
|
||||
is a number between 0 and 255. The default is 3 (DNSSEC).
|
||||
Other possible values for this argument are listed in
|
||||
RFC 2535 and its successors.
|
||||
@@ -267,80 +189,6 @@
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>TIMING OPTIONS</title>
|
||||
|
||||
<para>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
|
||||
then the offset is computed in years (defined as 365 24-hour days,
|
||||
ignoring leap years), months (defined as 30 24-hour days), weeks,
|
||||
days, hours, or minutes, respectively. Without a suffix, the offset
|
||||
is computed in seconds.
|
||||
</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it. If not set, and if the -G option has
|
||||
not been used, the default is "now".
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be activated. After that
|
||||
date, the key will be included in the zone and used to sign
|
||||
it. If not set, and if the -G option has not been used, the
|
||||
default is "now".
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be revoked. After that
|
||||
date, the key will be flagged as revoked. It will be included
|
||||
in the zone and will be used to sign it.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-U <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be retired. After that
|
||||
date, the key will still be included in the zone, but it
|
||||
will not be used to sign it.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>GENERATED KEY FILES</title>
|
||||
<para>
|
||||
@@ -357,7 +205,8 @@
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><filename>aaa</filename> is the numeric representation
|
||||
of the algorithm.
|
||||
of the
|
||||
algorithm.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
@@ -371,7 +220,8 @@
|
||||
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
|
||||
contains the public key, and
|
||||
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
|
||||
private key.
|
||||
private
|
||||
key.
|
||||
</para>
|
||||
<para>
|
||||
The <filename>.key</filename> file contains a DNS KEY record
|
||||
@@ -380,8 +230,8 @@
|
||||
statement).
|
||||
</para>
|
||||
<para>
|
||||
The <filename>.private</filename> file contains
|
||||
algorithm-specific
|
||||
The <filename>.private</filename> file contains algorithm
|
||||
specific
|
||||
fields. For obvious security reasons, this file does not have
|
||||
general read permission.
|
||||
</para>
|
||||
@@ -396,7 +246,9 @@
|
||||
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
||||
<citetitle>RFC 4034</citetitle>.
|
||||
<citetitle>RFC 2539</citetitle>,
|
||||
<citetitle>RFC 2845</citetitle>,
|
||||
<citetitle>RFC 4033</citetitle>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
<!--
|
||||
- Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
@@ -13,7 +13,7 @@
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: dnssec-keyfromlabel.html,v 1.15 2009/11/03 21:58:30 tbox Exp $ -->
|
||||
<!-- $Id: dnssec-keyfromlabel.html,v 1.5 2008/10/15 01:11:35 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
@@ -28,39 +28,27 @@
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543483"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2543413"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
|
||||
gets keys with the given label from a crypto hardware and builds
|
||||
key files for DNSSEC (Secure DNS), as defined in RFC 2535
|
||||
and RFC 4034.
|
||||
</p>
|
||||
<p>
|
||||
The <code class="option">name</code> of the key is specified on the command
|
||||
line. This must match the name of the zone for which the key is
|
||||
being generated.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543501"></a><h2>OPTIONS</h2>
|
||||
<a name="id2543425"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
Selects the cryptographic algorithm. The value of
|
||||
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
|
||||
<code class="option">algorithm</code> must be one of RSAMD5 (RSA)
|
||||
or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
|
||||
These values are case insensitive.
|
||||
</p>
|
||||
<p>
|
||||
If no algorithm is specified, then RSASHA1 will be used by
|
||||
default, unless the <code class="option">-3</code> option is specified,
|
||||
in which case NSEC3RSASHA1 will be used instead. (If
|
||||
<code class="option">-3</code> is used and an algorithm is specified,
|
||||
that algorithm will be checked for compatibility with NSEC3.)
|
||||
</p>
|
||||
<p>
|
||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
||||
algorithm, and DSA is recommended.
|
||||
@@ -69,23 +57,10 @@
|
||||
Note 2: DH automatically sets the -k flag.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-3</span></dt>
|
||||
<dd><p>
|
||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||
If this option is used and no algorithm is explicitly
|
||||
set on the command line, NSEC3RSASHA1 will be used by
|
||||
default.
|
||||
</p></dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the name of the crypto hardware (OpenSSL engine).
|
||||
When compiled with PKCS#11 support it defaults to "pkcs11".
|
||||
</p></dd>
|
||||
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the label of the key pair in the crypto hardware.
|
||||
The label may be preceded by an optional OpenSSL engine name,
|
||||
separated by a colon, as in "pkcs11:keylabel".
|
||||
Specifies the label of keys in the crypto hardware
|
||||
(PKCS#11 device).
|
||||
</p></dd>
|
||||
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
|
||||
<dd><p>
|
||||
@@ -94,17 +69,8 @@
|
||||
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
|
||||
a host (KEY)),
|
||||
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
|
||||
These values are case insensitive.
|
||||
</p></dd>
|
||||
<dt><span class="term">-C</span></dt>
|
||||
<dd><p>
|
||||
Compatibility mode: generates an old-style key, without
|
||||
any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
|
||||
will include the key's creation date in the metadata stored
|
||||
with the private key, and other dates may be set there as well
|
||||
(publication date, activation date, etc). Keys that include
|
||||
this data may be incompatible with older versions of BIND; the
|
||||
<code class="option">-C</code> option suppresses them.
|
||||
These values are
|
||||
case insensitive.
|
||||
</p></dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
@@ -114,21 +80,12 @@
|
||||
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
|
||||
<dd><p>
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record.
|
||||
The only recognized flags are KSK (Key Signing Key) and REVOKE.
|
||||
</p></dd>
|
||||
<dt><span class="term">-G</span></dt>
|
||||
<dd><p>
|
||||
Generate a key, but do not publish it or sign with it. This
|
||||
option is incompatible with -P and -A.
|
||||
The only recognized flag is KSK (Key Signing Key) DNSKEY.
|
||||
</p></dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
Prints a short summary of the options and arguments to
|
||||
<span><strong class="command">dnssec-keyfromlabel</strong></span>.
|
||||
</p></dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the directory in which the key files are to be written.
|
||||
<span><strong class="command">dnssec-keygen</strong></span>.
|
||||
</p></dd>
|
||||
<dt><span class="term">-k</span></dt>
|
||||
<dd><p>
|
||||
@@ -136,7 +93,7 @@
|
||||
</p></dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the protocol value for the key. The protocol
|
||||
Sets the protocol value for the generated key. The protocol
|
||||
is a number between 0 and 255. The default is 3 (DNSSEC).
|
||||
Other possible values for this argument are listed in
|
||||
RFC 2535 and its successors.
|
||||
@@ -155,54 +112,7 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543852"></a><h2>TIMING OPTIONS</h2>
|
||||
<p>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
|
||||
then the offset is computed in years (defined as 365 24-hour days,
|
||||
ignoring leap years), months (defined as 30 24-hour days), weeks,
|
||||
days, hours, or minutes, respectively. Without a suffix, the offset
|
||||
is computed in seconds.
|
||||
</p>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it. If not set, and if the -G option has
|
||||
not been used, the default is "now".
|
||||
</p></dd>
|
||||
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be activated. After that
|
||||
date, the key will be included in the zone and used to sign
|
||||
it. If not set, and if the -G option has not been used, the
|
||||
default is "now".
|
||||
</p></dd>
|
||||
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be revoked. After that
|
||||
date, the key will be flagged as revoked. It will be included
|
||||
in the zone and will be used to sign it.
|
||||
</p></dd>
|
||||
<dt><span class="term">-U <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be retired. After that
|
||||
date, the key will still be included in the zone, but it
|
||||
will not be used to sign it.
|
||||
</p></dd>
|
||||
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544019"></a><h2>GENERATED KEY FILES</h2>
|
||||
<a name="id2543619"></a><h2>GENERATED KEY FILES</h2>
|
||||
<p>
|
||||
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
|
||||
successfully,
|
||||
@@ -214,7 +124,8 @@
|
||||
<li><p><code class="filename">nnnn</code> is the key name.
|
||||
</p></li>
|
||||
<li><p><code class="filename">aaa</code> is the numeric representation
|
||||
of the algorithm.
|
||||
of the
|
||||
algorithm.
|
||||
</p></li>
|
||||
<li><p><code class="filename">iiiii</code> is the key identifier (or
|
||||
footprint).
|
||||
@@ -225,7 +136,8 @@
|
||||
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
|
||||
contains the public key, and
|
||||
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
|
||||
private key.
|
||||
private
|
||||
key.
|
||||
</p>
|
||||
<p>
|
||||
The <code class="filename">.key</code> file contains a DNS KEY record
|
||||
@@ -234,22 +146,24 @@
|
||||
statement).
|
||||
</p>
|
||||
<p>
|
||||
The <code class="filename">.private</code> file contains
|
||||
algorithm-specific
|
||||
The <code class="filename">.private</code> file contains algorithm
|
||||
specific
|
||||
fields. For obvious security reasons, this file does not have
|
||||
general read permission.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544091"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2543691"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 4034</em>.
|
||||
<em class="citetitle">RFC 2539</em>,
|
||||
<em class="citetitle">RFC 2845</em>,
|
||||
<em class="citetitle">RFC 4033</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544124"></a><h2>AUTHOR</h2>
|
||||
<a name="id2543731"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
@@ -13,7 +13,7 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dnssec-keygen.8,v 1.53 2009/11/03 21:58:30 tbox Exp $
|
||||
.\" $Id: dnssec-keygen.8,v 1.40 2008/10/15 01:11:35 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
@@ -33,43 +33,27 @@
|
||||
dnssec\-keygen \- DNSSEC key generation tool
|
||||
.SH "SYNOPSIS"
|
||||
.HP 14
|
||||
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
|
||||
\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBdnssec\-keygen\fR
|
||||
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
|
||||
.PP
|
||||
The
|
||||
\fBname\fR
|
||||
of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.
|
||||
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
|
||||
.SH "OPTIONS"
|
||||
.PP
|
||||
\-a \fIalgorithm\fR
|
||||
.RS 4
|
||||
Selects the cryptographic algorithm. For DNSSEC keys, the value of
|
||||
Selects the cryptographic algorithm. The value of
|
||||
\fBalgorithm\fR
|
||||
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
|
||||
.sp
|
||||
If no algorithm is specified, then RSASHA1 will be used by default, unless the
|
||||
\fB\-3\fR
|
||||
option is specified, in which case NSEC3RSASHA1 will be used instead. (If
|
||||
\fB\-3\fR
|
||||
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
|
||||
must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
|
||||
.sp
|
||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
|
||||
.sp
|
||||
Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option.
|
||||
Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
|
||||
.RE
|
||||
.PP
|
||||
\-b \fIkeysize\fR
|
||||
.RS 4
|
||||
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.
|
||||
.sp
|
||||
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
|
||||
\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
|
||||
\fB\-a\fR, then there is no default key size, and the
|
||||
\fB\-b\fR
|
||||
must be used.
|
||||
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
|
||||
.RE
|
||||
.PP
|
||||
\-n \fInametype\fR
|
||||
@@ -79,30 +63,11 @@ Specifies the owner type of the key. The value of
|
||||
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
|
||||
.RE
|
||||
.PP
|
||||
\-3
|
||||
.RS 4
|
||||
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256 and RSASHA512 algorithms are NSEC3\-capable.
|
||||
.RE
|
||||
.PP
|
||||
\-C
|
||||
.RS 4
|
||||
Compatibility mode: generates an old\-style key, without any metadata. By default,
|
||||
\fBdnssec\-keygen\fR
|
||||
will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
|
||||
\fB\-C\fR
|
||||
option suppresses them.
|
||||
.RE
|
||||
.PP
|
||||
\-c \fIclass\fR
|
||||
.RS 4
|
||||
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
|
||||
.RE
|
||||
.PP
|
||||
\-E \fIengine\fR
|
||||
.RS 4
|
||||
Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
|
||||
.RE
|
||||
.PP
|
||||
\-e
|
||||
.RS 4
|
||||
If generating an RSAMD5/RSASHA1 key, use a large exponent.
|
||||
@@ -110,12 +75,7 @@ If generating an RSAMD5/RSASHA1 key, use a large exponent.
|
||||
.PP
|
||||
\-f \fIflag\fR
|
||||
.RS 4
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
|
||||
.RE
|
||||
.PP
|
||||
\-G
|
||||
.RS 4
|
||||
Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
|
||||
.RE
|
||||
.PP
|
||||
\-g \fIgenerator\fR
|
||||
@@ -129,14 +89,9 @@ Prints a short summary of the options and arguments to
|
||||
\fBdnssec\-keygen\fR.
|
||||
.RE
|
||||
.PP
|
||||
\-K \fIdirectory\fR
|
||||
.RS 4
|
||||
Sets the directory in which the key files are to be written.
|
||||
.RE
|
||||
.PP
|
||||
\-k
|
||||
.RS 4
|
||||
Deprecated in favor of \-T KEY.
|
||||
Generate KEY records rather than DNSKEY records.
|
||||
.RE
|
||||
.PP
|
||||
\-p \fIprotocol\fR
|
||||
@@ -144,15 +99,6 @@ Deprecated in favor of \-T KEY.
|
||||
Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
|
||||
.RE
|
||||
.PP
|
||||
\-q
|
||||
.RS 4
|
||||
Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when
|
||||
\fBdnssec\-keygen\fR
|
||||
is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
|
||||
\fIstderr\fR
|
||||
indicating the progress of the key generation. A '.' indicates that a random number has been found which passed an initial sieve test; '+' means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key.
|
||||
.RE
|
||||
.PP
|
||||
\-r \fIrandomdev\fR
|
||||
.RS 4
|
||||
Specifies the source of randomness. If the operating system does not provide a
|
||||
@@ -169,14 +115,6 @@ indicates that keyboard input should be used.
|
||||
Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
|
||||
.RE
|
||||
.PP
|
||||
\-T \fIrrtype\fR
|
||||
.RS 4
|
||||
Specifies the resource record type to use for the key.
|
||||
\fBrrtype\fR
|
||||
must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
|
||||
Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY.
|
||||
.RE
|
||||
.PP
|
||||
\-t \fItype\fR
|
||||
.RS 4
|
||||
Indicates the use of the key.
|
||||
@@ -188,34 +126,6 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
|
||||
.RS 4
|
||||
Sets the debugging level.
|
||||
.RE
|
||||
.SH "TIMING OPTIONS"
|
||||
.PP
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
|
||||
.PP
|
||||
\-P \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
|
||||
.RE
|
||||
.PP
|
||||
\-A \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
|
||||
.RE
|
||||
.PP
|
||||
\-R \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
|
||||
.RE
|
||||
.PP
|
||||
\-I \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
|
||||
.RE
|
||||
.PP
|
||||
\-D \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
|
||||
.RE
|
||||
.SH "GENERATED KEYS"
|
||||
.PP
|
||||
When
|
||||
@@ -279,12 +189,12 @@ and
|
||||
BIND 9 Administrator Reference Manual,
|
||||
RFC 2539,
|
||||
RFC 2845,
|
||||
RFC 4034.
|
||||
RFC 4033.
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Systems Consortium
|
||||
.SH "COPYRIGHT"
|
||||
Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
Copyright \(co 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
Copyright \(co 2000\-2003 Internet Software Consortium.
|
||||
.br
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -29,15 +29,13 @@
|
||||
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssec-keygen.c,v 1.106 2009/10/28 00:27:10 marka Exp $ */
|
||||
/* $Id: dnssec-keygen.c,v 1.81 2008/09/25 04:02:38 tbox Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <ctype.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/commandline.h>
|
||||
@@ -64,211 +62,101 @@
|
||||
const char *program = "dnssec-keygen";
|
||||
int verbose;
|
||||
|
||||
#define DEFAULT_ALGORITHM "RSASHA1"
|
||||
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
|
||||
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | NSEC3DSA |"
|
||||
" NSEC3RSASHA1 | HMAC-MD5 |"
|
||||
" HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"
|
||||
" HMAC-SHA384 | HMAC-SHA512";
|
||||
|
||||
static isc_boolean_t
|
||||
dsa_size_ok(int size) {
|
||||
return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
|
||||
}
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void progress(int p);
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr, "Usage:\n");
|
||||
fprintf(stderr, " %s [options] name\n\n", program);
|
||||
fprintf(stderr, " %s -a alg -b bits [-n type] [options] name\n\n",
|
||||
program);
|
||||
fprintf(stderr, "Version: %s\n", VERSION);
|
||||
fprintf(stderr, "Required options:\n");
|
||||
fprintf(stderr, " -a algorithm: %s\n", algs);
|
||||
fprintf(stderr, " -b key size, in bits:\n");
|
||||
fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
|
||||
fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
|
||||
fprintf(stderr, " NSEC3RSASHA1:\t\t[512..%d]\n", MAX_RSA);
|
||||
fprintf(stderr, " DH:\t\t[128..4096]\n");
|
||||
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
|
||||
fprintf(stderr, " NSEC3DSA:\t\t[512..1024] and divisible by 64\n");
|
||||
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
|
||||
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
|
||||
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
|
||||
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
|
||||
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
|
||||
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
|
||||
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
|
||||
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
|
||||
fprintf(stderr, " name: owner of the key\n");
|
||||
fprintf(stderr, "Options:\n");
|
||||
fprintf(stderr, " -K <directory>: write keys into directory\n");
|
||||
fprintf(stderr, " -a <algorithm>:\n");
|
||||
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
|
||||
" | NSEC3DSA |\n");
|
||||
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
|
||||
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
|
||||
"HMAC-SHA256 | \n");
|
||||
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
|
||||
fprintf(stderr, " (default: RSASHA1, or "
|
||||
"NSEC3RSASHA1 if using -3)\n");
|
||||
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
|
||||
fprintf(stderr, " -b <key size in bits>:\n");
|
||||
fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
|
||||
fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
|
||||
fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
|
||||
fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
|
||||
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
|
||||
fprintf(stderr, " DH:\t\t[128..4096]\n");
|
||||
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
|
||||
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
|
||||
"by 64\n");
|
||||
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
|
||||
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
|
||||
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
|
||||
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
|
||||
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
|
||||
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
|
||||
fprintf(stderr, " (if using the default algorithm, key size\n"
|
||||
" defaults to 2048 for KSK, or 1024 for all "
|
||||
"others)\n");
|
||||
fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
|
||||
"USER | OTHER\n");
|
||||
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
|
||||
fprintf(stderr, " -c <class>: (default: IN)\n");
|
||||
fprintf(stderr, "Other options:\n");
|
||||
fprintf(stderr, " -c <class> (default: IN)\n");
|
||||
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
|
||||
#ifdef USE_PKCS11
|
||||
fprintf(stderr, " -E <engine name> (default \"pkcs11\")\n");
|
||||
#else
|
||||
fprintf(stderr, " -E <engine name>\n");
|
||||
#endif
|
||||
fprintf(stderr, " -e: use large exponent (RSAMD5/RSASHA1 only)\n");
|
||||
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
|
||||
fprintf(stderr, " -g <generator>: use specified generator "
|
||||
"(DH only)\n");
|
||||
fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
|
||||
fprintf(stderr, " -s <strength>: strength value this key signs DNS "
|
||||
"records with (default: 0)\n");
|
||||
fprintf(stderr, " -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
|
||||
"use KEY for SIG(0))\n");
|
||||
fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n");
|
||||
fprintf(stderr, " -f keyflag: KSK\n");
|
||||
fprintf(stderr, " -g <generator> use specified generator "
|
||||
"(DH only)\n");
|
||||
fprintf(stderr, " -t <type>: "
|
||||
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
|
||||
"(default: AUTHCONF)\n");
|
||||
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
|
||||
"(default: AUTHCONF)\n");
|
||||
fprintf(stderr, " -p <protocol>: "
|
||||
"default: 3 [dnssec]\n");
|
||||
fprintf(stderr, " -s <strength> strength value this key signs DNS "
|
||||
"records with (default: 0)\n");
|
||||
fprintf(stderr, " -r <randomdev>: a file containing random data\n");
|
||||
|
||||
fprintf(stderr, " -h: print usage and exit\n");
|
||||
fprintf(stderr, " -m <memory debugging mode>:\n");
|
||||
fprintf(stderr, " usage | trace | record | size | mctx\n");
|
||||
fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
|
||||
fprintf(stderr, "Date options:\n");
|
||||
fprintf(stderr, " -P date/[+-]offset: set key publication date "
|
||||
"(default: now)\n");
|
||||
fprintf(stderr, " -A date/[+-]offset: set key activation date "
|
||||
"(default: now)\n");
|
||||
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
|
||||
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
|
||||
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
|
||||
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
|
||||
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
|
||||
"all dates\n");
|
||||
fprintf(stderr, " -v <verbose level>\n");
|
||||
fprintf(stderr, " -k : generate a TYPE=KEY key\n");
|
||||
fprintf(stderr, "Output:\n");
|
||||
fprintf(stderr, " K<name>+<alg>+<id>.key, "
|
||||
"K<name>+<alg>+<id>.private\n");
|
||||
"K<name>+<alg>+<id>.private\n");
|
||||
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
static void
|
||||
progress(int p)
|
||||
{
|
||||
char c = '*';
|
||||
|
||||
switch (p) {
|
||||
case 0:
|
||||
c = '.';
|
||||
break;
|
||||
case 1:
|
||||
c = '+';
|
||||
break;
|
||||
case 2:
|
||||
c = '*';
|
||||
break;
|
||||
case 3:
|
||||
c = ' ';
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
(void) putc(c, stderr);
|
||||
(void) fflush(stderr);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv) {
|
||||
char *algname = NULL, *nametype = NULL, *type = NULL;
|
||||
char *algname = NULL, *nametype = NULL, *type = NULL;
|
||||
char *classname = NULL;
|
||||
char *endp;
|
||||
dst_key_t *key = NULL, *oldkey;
|
||||
dns_fixedname_t fname;
|
||||
dns_name_t *name;
|
||||
isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
|
||||
isc_uint16_t flags = 0, ksk = 0;
|
||||
dns_secalg_t alg;
|
||||
isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
|
||||
isc_boolean_t oldstyle = ISC_FALSE;
|
||||
isc_mem_t *mctx = NULL;
|
||||
int ch, rsa_exp = 0, generator = 0, param = 0;
|
||||
int protocol = -1, size = -1, signatory = 0;
|
||||
isc_result_t ret;
|
||||
isc_textregion_t r;
|
||||
char filename[255];
|
||||
const char *directory = NULL;
|
||||
isc_buffer_t buf;
|
||||
isc_log_t *log = NULL;
|
||||
isc_entropy_t *ectx = NULL;
|
||||
#ifdef USE_PKCS11
|
||||
const char *engine = "pkcs11";
|
||||
#else
|
||||
const char *engine = NULL;
|
||||
#endif
|
||||
dns_rdataclass_t rdclass;
|
||||
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
|
||||
int dbits = 0;
|
||||
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
|
||||
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
|
||||
isc_stdtime_t inactive = 0, delete = 0;
|
||||
isc_stdtime_t now;
|
||||
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
|
||||
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
|
||||
isc_boolean_t setdel = ISC_FALSE;
|
||||
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
|
||||
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
|
||||
isc_boolean_t unsetdel = ISC_FALSE;
|
||||
isc_boolean_t genonly = ISC_FALSE;
|
||||
isc_boolean_t quiet = ISC_FALSE;
|
||||
isc_boolean_t show_progress = ISC_FALSE;
|
||||
|
||||
if (argc == 1)
|
||||
usage();
|
||||
|
||||
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
|
||||
|
||||
dns_result_register();
|
||||
|
||||
isc_commandline_errprint = ISC_FALSE;
|
||||
|
||||
/*
|
||||
* Process memory debugging argument first.
|
||||
*/
|
||||
#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:qr:s:T:t:v:hGP:A:R:I:D:"
|
||||
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
|
||||
switch (ch) {
|
||||
case 'm':
|
||||
if (strcasecmp(isc_commandline_argument, "record") == 0)
|
||||
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
|
||||
if (strcasecmp(isc_commandline_argument, "trace") == 0)
|
||||
isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
|
||||
if (strcasecmp(isc_commandline_argument, "usage") == 0)
|
||||
isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
|
||||
if (strcasecmp(isc_commandline_argument, "size") == 0)
|
||||
isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
|
||||
if (strcasecmp(isc_commandline_argument, "mctx") == 0)
|
||||
isc_mem_debugging |= ISC_MEM_DEBUGCTX;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
isc_commandline_reset = ISC_TRUE;
|
||||
|
||||
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
|
||||
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
|
||||
while ((ch = isc_commandline_parse(argc, argv,
|
||||
"a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
|
||||
{
|
||||
switch (ch) {
|
||||
case '3':
|
||||
use_nsec3 = ISC_TRUE;
|
||||
break;
|
||||
case 'a':
|
||||
algname = isc_commandline_argument;
|
||||
break;
|
||||
@@ -277,9 +165,6 @@ main(int argc, char **argv) {
|
||||
if (*endp != '\0' || size < 0)
|
||||
fatal("-b requires a non-negative number");
|
||||
break;
|
||||
case 'C':
|
||||
oldstyle = ISC_TRUE;
|
||||
break;
|
||||
case 'c':
|
||||
classname = isc_commandline_argument;
|
||||
break;
|
||||
@@ -288,17 +173,12 @@ main(int argc, char **argv) {
|
||||
if (*endp != '\0' || dbits < 0)
|
||||
fatal("-d requires a non-negative number");
|
||||
break;
|
||||
case 'E':
|
||||
engine = isc_commandline_argument;
|
||||
break;
|
||||
case 'e':
|
||||
rsa_exp = 1;
|
||||
break;
|
||||
case 'f':
|
||||
if (toupper(isc_commandline_argument[0]) == 'K')
|
||||
kskflag = DNS_KEYFLAG_KSK;
|
||||
else if (toupper(isc_commandline_argument[0]) == 'R')
|
||||
revflag = DNS_KEYFLAG_REVOKE;
|
||||
if (strcasecmp(isc_commandline_argument, "KSK") == 0)
|
||||
ksk = DNS_KEYFLAG_KSK;
|
||||
else
|
||||
fatal("unknown flag '%s'",
|
||||
isc_commandline_argument);
|
||||
@@ -309,22 +189,14 @@ main(int argc, char **argv) {
|
||||
if (*endp != '\0' || generator <= 0)
|
||||
fatal("-g requires a positive number");
|
||||
break;
|
||||
case 'K':
|
||||
directory = isc_commandline_argument;
|
||||
ret = try_dir(directory);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
fatal("cannot open directory %s: %s",
|
||||
directory, isc_result_totext(ret));
|
||||
break;
|
||||
case 'k':
|
||||
fatal("The -k option has been deprecated.\n"
|
||||
"To generate a key-signing key, use -f KSK.\n"
|
||||
"To generate a key with TYPE=KEY, use -T KEY.\n");
|
||||
options |= DST_TYPE_KEY;
|
||||
break;
|
||||
case 'n':
|
||||
nametype = isc_commandline_argument;
|
||||
break;
|
||||
case 'm':
|
||||
case 't':
|
||||
type = isc_commandline_argument;
|
||||
break;
|
||||
case 'p':
|
||||
protocol = strtol(isc_commandline_argument, &endp, 10);
|
||||
@@ -332,12 +204,6 @@ main(int argc, char **argv) {
|
||||
fatal("-p must be followed by a number "
|
||||
"[0..255]");
|
||||
break;
|
||||
case 'q':
|
||||
quiet = ISC_TRUE;
|
||||
break;
|
||||
case 'r':
|
||||
setup_entropy(mctx, isc_commandline_argument, &ectx);
|
||||
break;
|
||||
case 's':
|
||||
signatory = strtol(isc_commandline_argument,
|
||||
&endp, 10);
|
||||
@@ -345,19 +211,8 @@ main(int argc, char **argv) {
|
||||
fatal("-s must be followed by a number "
|
||||
"[0..15]");
|
||||
break;
|
||||
case 'T':
|
||||
if (strcasecmp(isc_commandline_argument, "KEY") == 0)
|
||||
options |= DST_TYPE_KEY;
|
||||
else if (strcasecmp(isc_commandline_argument,
|
||||
"DNSKEY") == 0)
|
||||
/* default behavior */
|
||||
;
|
||||
else
|
||||
fatal("unknown type '%s'",
|
||||
isc_commandline_argument);
|
||||
break;
|
||||
case 't':
|
||||
type = isc_commandline_argument;
|
||||
case 'r':
|
||||
setup_entropy(mctx, isc_commandline_argument, &ectx);
|
||||
break;
|
||||
case 'v':
|
||||
endp = NULL;
|
||||
@@ -365,80 +220,11 @@ main(int argc, char **argv) {
|
||||
if (*endp != '\0')
|
||||
fatal("-v must be followed by a number");
|
||||
break;
|
||||
case 'z':
|
||||
/* already the default */
|
||||
break;
|
||||
case 'G':
|
||||
genonly = ISC_TRUE;
|
||||
break;
|
||||
case 'P':
|
||||
if (setpub || unsetpub)
|
||||
fatal("-P specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setpub = ISC_TRUE;
|
||||
publish = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetpub = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'A':
|
||||
if (setact || unsetact)
|
||||
fatal("-A specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setact = ISC_TRUE;
|
||||
activate = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetact = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'R':
|
||||
if (setrev || unsetrev)
|
||||
fatal("-R specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setrev = ISC_TRUE;
|
||||
revoke = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetrev = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'I':
|
||||
if (setinact || unsetinact)
|
||||
fatal("-I specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setinact = ISC_TRUE;
|
||||
inactive = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetinact = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'D':
|
||||
if (setdel || unsetdel)
|
||||
fatal("-D specified more than once");
|
||||
|
||||
if (strcasecmp(isc_commandline_argument, "none")) {
|
||||
setdel = ISC_TRUE;
|
||||
delete = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
} else {
|
||||
unsetdel = ISC_TRUE;
|
||||
}
|
||||
break;
|
||||
case 'F':
|
||||
/* Reserved for FIPS mode */
|
||||
/* FALLTHROUGH */
|
||||
case '?':
|
||||
if (isc_commandline_option != '?')
|
||||
fprintf(stderr, "%s: invalid argument -%c\n",
|
||||
program, isc_commandline_option);
|
||||
/* FALLTHROUGH */
|
||||
case 'h':
|
||||
usage();
|
||||
|
||||
@@ -449,16 +235,12 @@ main(int argc, char **argv) {
|
||||
}
|
||||
}
|
||||
|
||||
if (!isatty(0))
|
||||
quiet = ISC_TRUE;
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
ret = dst_lib_init2(mctx, ectx, engine,
|
||||
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
||||
ret = dst_lib_init(mctx, ectx,
|
||||
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
fatal("could not initialize dst: %s",
|
||||
isc_result_totext(ret));
|
||||
fatal("could not initialize dst");
|
||||
|
||||
setup_logging(verbose, mctx, &log);
|
||||
|
||||
@@ -467,17 +249,8 @@ main(int argc, char **argv) {
|
||||
if (argc > isc_commandline_index + 1)
|
||||
fatal("extraneous arguments");
|
||||
|
||||
if (algname == NULL) {
|
||||
use_default = ISC_TRUE;
|
||||
if (use_nsec3)
|
||||
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
|
||||
else
|
||||
algname = strdup(DEFAULT_ALGORITHM);
|
||||
if (verbose > 0)
|
||||
fprintf(stderr, "no algorithm specified; "
|
||||
"defaulting to %s\n", algname);
|
||||
}
|
||||
|
||||
if (algname == NULL)
|
||||
fatal("no algorithm was specified");
|
||||
if (strcasecmp(algname, "RSA") == 0) {
|
||||
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
|
||||
"If you still wish to use RSA (RSAMD5) please "
|
||||
@@ -511,13 +284,6 @@ main(int argc, char **argv) {
|
||||
options |= DST_TYPE_KEY;
|
||||
}
|
||||
|
||||
if (use_nsec3 &&
|
||||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
|
||||
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
|
||||
fatal("%s is incompatible with NSEC3; "
|
||||
"do not use the -3 option", algname);
|
||||
}
|
||||
|
||||
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
|
||||
if (strcasecmp(type, "NOAUTH") == 0)
|
||||
flags |= DNS_KEYTYPE_NOAUTH;
|
||||
@@ -534,29 +300,16 @@ main(int argc, char **argv) {
|
||||
fatal("invalid type %s", type);
|
||||
}
|
||||
|
||||
if (size < 0) {
|
||||
if (use_default) {
|
||||
size = ((kskflag & DNS_KEYFLAG_KSK) != 0) ? 2048 : 1024;
|
||||
if (verbose > 0)
|
||||
fprintf(stderr, "key size not specified; "
|
||||
"defaulting to %d\n", size);
|
||||
} else {
|
||||
fatal("key size not specified (-b option)");
|
||||
}
|
||||
}
|
||||
if (size < 0)
|
||||
fatal("key size not specified (-b option)");
|
||||
|
||||
switch (alg) {
|
||||
case DNS_KEYALG_RSAMD5:
|
||||
case DNS_KEYALG_RSASHA1:
|
||||
case DNS_KEYALG_NSEC3RSASHA1:
|
||||
case DNS_KEYALG_RSASHA256:
|
||||
if (size != 0 && (size < 512 || size > MAX_RSA))
|
||||
fatal("RSA key size %d out of range", size);
|
||||
break;
|
||||
case DNS_KEYALG_RSASHA512:
|
||||
if (size != 0 && (size < 1024 || size > MAX_RSA))
|
||||
fatal("RSA key size %d out of range", size);
|
||||
break;
|
||||
case DNS_KEYALG_DH:
|
||||
if (size != 0 && (size < 128 || size > 4096))
|
||||
fatal("DH key size %d out of range", size);
|
||||
@@ -623,8 +376,7 @@ main(int argc, char **argv) {
|
||||
}
|
||||
|
||||
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
|
||||
alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
|
||||
alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
|
||||
alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
|
||||
fatal("specified RSA exponent for a non-RSA key");
|
||||
|
||||
if (alg != DNS_KEYALG_DH && generator != 0)
|
||||
@@ -649,15 +401,10 @@ main(int argc, char **argv) {
|
||||
|
||||
rdclass = strtoclass(classname);
|
||||
|
||||
if (directory == NULL)
|
||||
directory = ".";
|
||||
|
||||
if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
|
||||
flags |= signatory;
|
||||
else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
|
||||
flags |= kskflag;
|
||||
flags |= revflag;
|
||||
}
|
||||
else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
|
||||
flags |= ksk;
|
||||
|
||||
if (protocol == -1)
|
||||
protocol = DNS_KEYPROTO_DNSSEC;
|
||||
@@ -685,7 +432,7 @@ main(int argc, char **argv) {
|
||||
isc_buffer_init(&buf, argv[isc_commandline_index],
|
||||
strlen(argv[isc_commandline_index]));
|
||||
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
|
||||
ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
|
||||
ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
fatal("invalid key name %s: %s", argv[isc_commandline_index],
|
||||
isc_result_totext(ret));
|
||||
@@ -693,22 +440,12 @@ main(int argc, char **argv) {
|
||||
switch(alg) {
|
||||
case DNS_KEYALG_RSAMD5:
|
||||
case DNS_KEYALG_RSASHA1:
|
||||
case DNS_KEYALG_NSEC3RSASHA1:
|
||||
case DNS_KEYALG_RSASHA256:
|
||||
case DNS_KEYALG_RSASHA512:
|
||||
param = rsa_exp;
|
||||
show_progress = ISC_TRUE;
|
||||
break;
|
||||
|
||||
case DNS_KEYALG_DH:
|
||||
param = generator;
|
||||
break;
|
||||
|
||||
case DNS_KEYALG_DSA:
|
||||
case DNS_KEYALG_NSEC3DSA:
|
||||
show_progress = ISC_TRUE;
|
||||
/* fall through */
|
||||
|
||||
case DST_ALG_HMACMD5:
|
||||
case DST_ALG_HMACSHA1:
|
||||
case DST_ALG_HMACSHA224:
|
||||
@@ -728,97 +465,31 @@ main(int argc, char **argv) {
|
||||
conflict = ISC_FALSE;
|
||||
oldkey = NULL;
|
||||
|
||||
if (!quiet && show_progress) {
|
||||
fprintf(stderr, "Generating key pair.");
|
||||
ret = dst_key_generate2(name, alg, size, param, flags,
|
||||
protocol, rdclass, mctx, &key,
|
||||
&progress);
|
||||
putc('\n', stderr);
|
||||
fflush(stderr);
|
||||
} else {
|
||||
ret = dst_key_generate2(name, alg, size, param, flags,
|
||||
protocol, rdclass, mctx, &key,
|
||||
NULL);
|
||||
}
|
||||
|
||||
/* generate the key */
|
||||
ret = dst_key_generate(name, alg, size, param, flags, protocol,
|
||||
rdclass, mctx, &key);
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
char namestr[DNS_NAME_FORMATSIZE];
|
||||
char algstr[DNS_SECALG_FORMATSIZE];
|
||||
char algstr[ALG_FORMATSIZE];
|
||||
dns_name_format(name, namestr, sizeof(namestr));
|
||||
dns_secalg_format(alg, algstr, sizeof(algstr));
|
||||
alg_format(alg, algstr, sizeof(algstr));
|
||||
fatal("failed to generate key %s/%s: %s\n",
|
||||
namestr, algstr, isc_result_totext(ret));
|
||||
/* NOTREACHED */
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
dst_key_setbits(key, dbits);
|
||||
|
||||
/*
|
||||
* Set key timing metadata (unless using -C)
|
||||
*
|
||||
* Publish and activation dates are set to "now" by default,
|
||||
* but can be overridden. Creation date is always set to
|
||||
* "now".
|
||||
*/
|
||||
if (!oldstyle) {
|
||||
dst_key_settime(key, DST_TIME_CREATED, now);
|
||||
|
||||
if (genonly && (setpub || setact))
|
||||
fatal("cannot use -G together with "
|
||||
"-P or -A options");
|
||||
|
||||
if (setpub)
|
||||
dst_key_settime(key, DST_TIME_PUBLISH, publish);
|
||||
else if (!genonly && !setact)
|
||||
dst_key_settime(key, DST_TIME_PUBLISH, now);
|
||||
|
||||
if (setact)
|
||||
dst_key_settime(key, DST_TIME_ACTIVATE,
|
||||
activate);
|
||||
else if (!genonly && !setpub)
|
||||
dst_key_settime(key, DST_TIME_ACTIVATE, now);
|
||||
|
||||
if (setrev) {
|
||||
if (kskflag == 0)
|
||||
fprintf(stderr, "%s: warning: Key is "
|
||||
"not flagged as a KSK, but -R "
|
||||
"was used. Revoking a ZSK is "
|
||||
"legal, but undefined.\n",
|
||||
program);
|
||||
dst_key_settime(key, DST_TIME_REVOKE, revoke);
|
||||
}
|
||||
|
||||
if (setinact)
|
||||
dst_key_settime(key, DST_TIME_INACTIVE,
|
||||
inactive);
|
||||
|
||||
if (setdel)
|
||||
dst_key_settime(key, DST_TIME_DELETE, delete);
|
||||
} else {
|
||||
if (setpub || setact || setrev || setinact ||
|
||||
setdel || unsetpub || unsetact ||
|
||||
unsetrev || unsetinact || unsetdel || genonly)
|
||||
fatal("cannot use -C together with "
|
||||
"-P, -A, -R, -I, -D, or -G options");
|
||||
/*
|
||||
* Compatibility mode: Private-key-format
|
||||
* should be set to 1.2.
|
||||
*/
|
||||
dst_key_setprivateformat(key, 1, 2);
|
||||
}
|
||||
|
||||
/*
|
||||
* Try to read a key with the same name, alg and id from disk.
|
||||
* If there is one we must continue generating a different
|
||||
* key unless we were asked to generate a null key, in which
|
||||
* If there is one we must continue generating a new one
|
||||
* unless we were asked to generate a null key, in which
|
||||
* case we return failure.
|
||||
*/
|
||||
ret = dst_key_fromfile(name, dst_key_id(key), alg,
|
||||
DST_TYPE_PRIVATE, directory,
|
||||
mctx, &oldkey);
|
||||
DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
|
||||
/* do not overwrite an existing key */
|
||||
if (ret == ISC_R_SUCCESS) {
|
||||
dst_key_free(&oldkey);
|
||||
@@ -829,7 +500,7 @@ main(int argc, char **argv) {
|
||||
if (conflict == ISC_TRUE) {
|
||||
if (verbose > 0) {
|
||||
isc_buffer_clear(&buf);
|
||||
dst_key_buildfilename(key, 0, directory, &buf);
|
||||
ret = dst_key_buildfilename(key, 0, NULL, &buf);
|
||||
fprintf(stderr,
|
||||
"%s: %s already exists, "
|
||||
"generating a new key\n",
|
||||
@@ -837,16 +508,17 @@ main(int argc, char **argv) {
|
||||
}
|
||||
dst_key_free(&key);
|
||||
}
|
||||
|
||||
} while (conflict == ISC_TRUE);
|
||||
|
||||
if (conflict)
|
||||
fatal("cannot generate a null key when a key with id 0 "
|
||||
"already exists");
|
||||
|
||||
ret = dst_key_tofile(key, options, directory);
|
||||
ret = dst_key_tofile(key, options, NULL);
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
char keystr[DST_KEY_FORMATSIZE];
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
key_format(key, keystr, sizeof(keystr));
|
||||
fatal("failed to write key %s: %s\n", keystr,
|
||||
isc_result_totext(ret));
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||||
[<!ENTITY mdash "—">]>
|
||||
<!--
|
||||
- Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -18,7 +18,7 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-keygen.docbook,v 1.33 2009/11/03 21:44:46 each Exp $ -->
|
||||
<!-- $Id: dnssec-keygen.docbook,v 1.22 2008/10/14 14:32:50 jreed Exp $ -->
|
||||
<refentry id="man.dnssec-keygen">
|
||||
<refentryinfo>
|
||||
<date>June 30, 2000</date>
|
||||
@@ -41,7 +41,6 @@
|
||||
<year>2005</year>
|
||||
<year>2007</year>
|
||||
<year>2008</year>
|
||||
<year>2009</year>
|
||||
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||||
</copyright>
|
||||
<copyright>
|
||||
@@ -56,32 +55,20 @@
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>dnssec-keygen</command>
|
||||
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
|
||||
<arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
|
||||
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
|
||||
<arg><option>-3</option></arg>
|
||||
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-C</option></arg>
|
||||
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
|
||||
<arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
|
||||
<arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
|
||||
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
|
||||
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
|
||||
<arg><option>-e</option></arg>
|
||||
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
|
||||
<arg><option>-G</option></arg>
|
||||
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
|
||||
<arg><option>-h</option></arg>
|
||||
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg><option>-k</option></arg>
|
||||
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
|
||||
<arg><option>-q</option></arg>
|
||||
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
|
||||
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
|
||||
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg><option>-z</option></arg>
|
||||
<arg choice="req">name</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
@@ -91,13 +78,7 @@
|
||||
<para><command>dnssec-keygen</command>
|
||||
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
|
||||
and RFC 4034. It can also generate keys for use with
|
||||
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
|
||||
(Transaction Key) as defined in RFC 2930.
|
||||
</para>
|
||||
<para>
|
||||
The <option>name</option> of the key is specified on the command
|
||||
line. For DNSSEC keys, this must match the name of the zone for
|
||||
which the key is being generated.
|
||||
TSIG (Transaction Signatures), as defined in RFC 2845.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
@@ -109,20 +90,10 @@
|
||||
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Selects the cryptographic algorithm. For DNSSEC keys, the value
|
||||
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
|
||||
For TSIG/TKEY, the value must
|
||||
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
|
||||
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
|
||||
case insensitive.
|
||||
</para>
|
||||
<para>
|
||||
If no algorithm is specified, then RSASHA1 will be used by
|
||||
default, unless the <option>-3</option> option is specified,
|
||||
in which case NSEC3RSASHA1 will be used instead. (If
|
||||
<option>-3</option> is used and an algorithm is specified,
|
||||
that algorithm will be checked for compatibility with NSEC3.)
|
||||
Selects the cryptographic algorithm. The value of
|
||||
<option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
|
||||
These values are case insensitive.
|
||||
</para>
|
||||
<para>
|
||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
||||
@@ -130,8 +101,7 @@
|
||||
mandatory.
|
||||
</para>
|
||||
<para>
|
||||
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
|
||||
automatically set the -T KEY option.
|
||||
Note 2: HMAC-MD5 and DH automatically set the -k flag.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -141,21 +111,13 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the number of bits in the key. The choice of key
|
||||
size depends on the algorithm used. RSA keys must be
|
||||
between 512 and 2048 bits. Diffie Hellman keys must be between
|
||||
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
|
||||
between
|
||||
512 and 2048 bits. Diffie Hellman keys must be between
|
||||
128 and 4096 bits. DSA keys must be between 512 and 1024
|
||||
bits and an exact multiple of 64. HMAC keys must be
|
||||
bits and an exact multiple of 64. HMAC-MD5 keys must be
|
||||
between 1 and 512 bits.
|
||||
</para>
|
||||
<para>
|
||||
The key size does not need to be specified if using a default
|
||||
algorithm. The default key size is 1024 bits for zone signing
|
||||
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
|
||||
generated with <option>-f KSK</option>). However, if an
|
||||
algorithm is explicitly specified with the <option>-a</option>,
|
||||
then there is no default key size, and the <option>-b</option>
|
||||
must be used.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -174,34 +136,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-3</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||
If this option is used and no algorithm is explicitly
|
||||
set on the command line, NSEC3RSASHA1 will be used by
|
||||
default. Note that RSASHA256 and RSASHA512 algorithms
|
||||
are NSEC3-capable.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-C</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Compatibility mode: generates an old-style key, without
|
||||
any metadata. By default, <command>dnssec-keygen</command>
|
||||
will include the key's creation date in the metadata stored
|
||||
with the private key, and other dates may be set there as well
|
||||
(publication date, activation date, etc). Keys that include
|
||||
this data may be incompatible with older versions of BIND; the
|
||||
<option>-C</option> option suppresses them.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-c <replaceable class="parameter">class</replaceable></term>
|
||||
<listitem>
|
||||
@@ -212,18 +146,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-E <replaceable class="parameter">engine</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Uses a crypto hardware (OpenSSL engine) for random number
|
||||
and, when supported, key generation. When compiled with PKCS#11
|
||||
support it defaults to pkcs11; the empty name resets it to
|
||||
no engine.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-e</term>
|
||||
<listitem>
|
||||
@@ -238,17 +160,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record.
|
||||
The only recognized flags are KSK (Key Signing Key) and REVOKE.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-G</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Generate a key, but do not publish it or sign with it. This
|
||||
option is incompatible with -P and -A.
|
||||
The only recognized flag is KSK (Key Signing Key) DNSKEY.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -275,20 +187,11 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-K <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the directory in which the key files are to be written.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-k</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Deprecated in favor of -T KEY.
|
||||
Generate KEY records rather than DNSKEY records.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -305,25 +208,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-q</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Quiet mode: Suppresses unnecessary output, including
|
||||
progress indication. Without this option, when
|
||||
<command>dnssec-keygen</command> is run interactively
|
||||
to generate an RSA or DSA key pair, it will print a string
|
||||
of symbols to <filename>stderr</filename> indicating the
|
||||
progress of the key generation. A '.' indicates that a
|
||||
random number has been found which passed an initial
|
||||
sieve test; '+' means a number has passed a single
|
||||
round of the Miller-Rabin primality test; a space
|
||||
means that the number has passed all the tests and is
|
||||
a satisfactory key.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
|
||||
<listitem>
|
||||
@@ -352,22 +236,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-T <replaceable class="parameter">rrtype</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the resource record type to use for the key.
|
||||
<option>rrtype</option> must be either DNSKEY or KEY. The
|
||||
default is DNSKEY when using a DNSSEC algorithm, but it can be
|
||||
overridden to KEY for use with SIG(0).
|
||||
<para>
|
||||
</para>
|
||||
Using any TSIG algorithm (HMAC-* or DH) forces this option
|
||||
to KEY.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-t <replaceable class="parameter">type</replaceable></term>
|
||||
<listitem>
|
||||
@@ -392,81 +260,6 @@
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>TIMING OPTIONS</title>
|
||||
|
||||
<para>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
|
||||
then the offset is computed in years (defined as 365 24-hour days,
|
||||
ignoring leap years), months (defined as 30 24-hour days), weeks,
|
||||
days, hours, or minutes, respectively. Without a suffix, the offset
|
||||
is computed in seconds.
|
||||
</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it. If not set, and if the -G option has
|
||||
not been used, the default is "now".
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be activated. After that
|
||||
date, the key will be included in the zone and used to sign
|
||||
it. If not set, and if the -G option has not been used, the
|
||||
default is "now".
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be revoked. After that
|
||||
date, the key will be flagged as revoked. It will be included
|
||||
in the zone and will be used to sign it.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be retired. After that
|
||||
date, the key will still be included in the zone, but it
|
||||
will not be used to sign it.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
||||
<refsect1>
|
||||
<title>GENERATED KEYS</title>
|
||||
<para>
|
||||
@@ -550,7 +343,7 @@
|
||||
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
||||
<citetitle>RFC 2539</citetitle>,
|
||||
<citetitle>RFC 2845</citetitle>,
|
||||
<citetitle>RFC 4034</citetitle>.
|
||||
<citetitle>RFC 4033</citetitle>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
<!--
|
||||
- Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
@@ -14,7 +14,7 @@
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: dnssec-keygen.html,v 1.45 2009/11/03 21:58:30 tbox Exp $ -->
|
||||
<!-- $Id: dnssec-keygen.html,v 1.32 2008/10/15 01:11:35 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
@@ -29,42 +29,26 @@
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543558"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id2543477"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">dnssec-keygen</strong></span>
|
||||
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
|
||||
and RFC 4034. It can also generate keys for use with
|
||||
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
|
||||
(Transaction Key) as defined in RFC 2930.
|
||||
</p>
|
||||
<p>
|
||||
The <code class="option">name</code> of the key is specified on the command
|
||||
line. For DNSSEC keys, this must match the name of the zone for
|
||||
which the key is being generated.
|
||||
TSIG (Transaction Signatures), as defined in RFC 2845.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543576"></a><h2>OPTIONS</h2>
|
||||
<a name="id2543489"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
Selects the cryptographic algorithm. For DNSSEC keys, the value
|
||||
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
|
||||
For TSIG/TKEY, the value must
|
||||
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
|
||||
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
|
||||
case insensitive.
|
||||
</p>
|
||||
<p>
|
||||
If no algorithm is specified, then RSASHA1 will be used by
|
||||
default, unless the <code class="option">-3</code> option is specified,
|
||||
in which case NSEC3RSASHA1 will be used instead. (If
|
||||
<code class="option">-3</code> is used and an algorithm is specified,
|
||||
that algorithm will be checked for compatibility with NSEC3.)
|
||||
Selects the cryptographic algorithm. The value of
|
||||
<code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
|
||||
These values are case insensitive.
|
||||
</p>
|
||||
<p>
|
||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
||||
@@ -72,30 +56,19 @@
|
||||
mandatory.
|
||||
</p>
|
||||
<p>
|
||||
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
|
||||
automatically set the -T KEY option.
|
||||
Note 2: HMAC-MD5 and DH automatically set the -k flag.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
<dd><p>
|
||||
Specifies the number of bits in the key. The choice of key
|
||||
size depends on the algorithm used. RSA keys must be
|
||||
between 512 and 2048 bits. Diffie Hellman keys must be between
|
||||
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
|
||||
between
|
||||
512 and 2048 bits. Diffie Hellman keys must be between
|
||||
128 and 4096 bits. DSA keys must be between 512 and 1024
|
||||
bits and an exact multiple of 64. HMAC keys must be
|
||||
bits and an exact multiple of 64. HMAC-MD5 keys must be
|
||||
between 1 and 512 bits.
|
||||
</p>
|
||||
<p>
|
||||
The key size does not need to be specified if using a default
|
||||
algorithm. The default key size is 1024 bits for zone signing
|
||||
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
|
||||
generated with <code class="option">-f KSK</code>). However, if an
|
||||
algorithm is explicitly specified with the <code class="option">-a</code>,
|
||||
then there is no default key size, and the <code class="option">-b</code>
|
||||
must be used.
|
||||
</p>
|
||||
</dd>
|
||||
</p></dd>
|
||||
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the owner type of the key. The value of
|
||||
@@ -106,36 +79,11 @@
|
||||
These values are case insensitive. Defaults to ZONE for DNSKEY
|
||||
generation.
|
||||
</p></dd>
|
||||
<dt><span class="term">-3</span></dt>
|
||||
<dd><p>
|
||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||
If this option is used and no algorithm is explicitly
|
||||
set on the command line, NSEC3RSASHA1 will be used by
|
||||
default. Note that RSASHA256 and RSASHA512 algorithms
|
||||
are NSEC3-capable.
|
||||
</p></dd>
|
||||
<dt><span class="term">-C</span></dt>
|
||||
<dd><p>
|
||||
Compatibility mode: generates an old-style key, without
|
||||
any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
|
||||
will include the key's creation date in the metadata stored
|
||||
with the private key, and other dates may be set there as well
|
||||
(publication date, activation date, etc). Keys that include
|
||||
this data may be incompatible with older versions of BIND; the
|
||||
<code class="option">-C</code> option suppresses them.
|
||||
</p></dd>
|
||||
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
|
||||
<dd><p>
|
||||
Indicates that the DNS record containing the key should have
|
||||
the specified class. If not specified, class IN is used.
|
||||
</p></dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd><p>
|
||||
Uses a crypto hardware (OpenSSL engine) for random number
|
||||
and, when supported, key generation. When compiled with PKCS#11
|
||||
support it defaults to pkcs11; the empty name resets it to
|
||||
no engine.
|
||||
</p></dd>
|
||||
<dt><span class="term">-e</span></dt>
|
||||
<dd><p>
|
||||
If generating an RSAMD5/RSASHA1 key, use a large exponent.
|
||||
@@ -143,12 +91,7 @@
|
||||
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
|
||||
<dd><p>
|
||||
Set the specified flag in the flag field of the KEY/DNSKEY record.
|
||||
The only recognized flags are KSK (Key Signing Key) and REVOKE.
|
||||
</p></dd>
|
||||
<dt><span class="term">-G</span></dt>
|
||||
<dd><p>
|
||||
Generate a key, but do not publish it or sign with it. This
|
||||
option is incompatible with -P and -A.
|
||||
The only recognized flag is KSK (Key Signing Key) DNSKEY.
|
||||
</p></dd>
|
||||
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
|
||||
<dd><p>
|
||||
@@ -162,13 +105,9 @@
|
||||
Prints a short summary of the options and arguments to
|
||||
<span><strong class="command">dnssec-keygen</strong></span>.
|
||||
</p></dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the directory in which the key files are to be written.
|
||||
</p></dd>
|
||||
<dt><span class="term">-k</span></dt>
|
||||
<dd><p>
|
||||
Deprecated in favor of -T KEY.
|
||||
Generate KEY records rather than DNSKEY records.
|
||||
</p></dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
|
||||
<dd><p>
|
||||
@@ -177,20 +116,6 @@
|
||||
Other possible values for this argument are listed in
|
||||
RFC 2535 and its successors.
|
||||
</p></dd>
|
||||
<dt><span class="term">-q</span></dt>
|
||||
<dd><p>
|
||||
Quiet mode: Suppresses unnecessary output, including
|
||||
progress indication. Without this option, when
|
||||
<span><strong class="command">dnssec-keygen</strong></span> is run interactively
|
||||
to generate an RSA or DSA key pair, it will print a string
|
||||
of symbols to <code class="filename">stderr</code> indicating the
|
||||
progress of the key generation. A '.' indicates that a
|
||||
random number has been found which passed an initial
|
||||
sieve test; '+' means a number has passed a single
|
||||
round of the Miller-Rabin primality test; a space
|
||||
means that the number has passed all the tests and is
|
||||
a satisfactory key.
|
||||
</p></dd>
|
||||
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the source of randomness. If the operating
|
||||
@@ -209,21 +134,6 @@
|
||||
a number between 0 and 15, and currently has no defined
|
||||
purpose in DNSSEC.
|
||||
</p></dd>
|
||||
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
Specifies the resource record type to use for the key.
|
||||
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
|
||||
default is DNSKEY when using a DNSSEC algorithm, but it can be
|
||||
overridden to KEY for use with SIG(0).
|
||||
</p>
|
||||
<p>
|
||||
</p>
|
||||
<p>
|
||||
Using any TSIG algorithm (HMAC-* or DH) forces this option
|
||||
to KEY.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
|
||||
<dd><p>
|
||||
Indicates the use of the key. <code class="option">type</code> must be
|
||||
@@ -238,54 +148,7 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544128"></a><h2>TIMING OPTIONS</h2>
|
||||
<p>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
|
||||
then the offset is computed in years (defined as 365 24-hour days,
|
||||
ignoring leap years), months (defined as 30 24-hour days), weeks,
|
||||
days, hours, or minutes, respectively. Without a suffix, the offset
|
||||
is computed in seconds.
|
||||
</p>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it. If not set, and if the -G option has
|
||||
not been used, the default is "now".
|
||||
</p></dd>
|
||||
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be activated. After that
|
||||
date, the key will be included in the zone and used to sign
|
||||
it. If not set, and if the -G option has not been used, the
|
||||
default is "now".
|
||||
</p></dd>
|
||||
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be revoked. After that
|
||||
date, the key will be flagged as revoked. It will be included
|
||||
in the zone and will be used to sign it.
|
||||
</p></dd>
|
||||
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be retired. After that
|
||||
date, the key will still be included in the zone, but it
|
||||
will not be used to sign it.
|
||||
</p></dd>
|
||||
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544226"></a><h2>GENERATED KEYS</h2>
|
||||
<a name="id2543824"></a><h2>GENERATED KEYS</h2>
|
||||
<p>
|
||||
When <span><strong class="command">dnssec-keygen</strong></span> completes
|
||||
successfully,
|
||||
@@ -331,7 +194,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544308"></a><h2>EXAMPLE</h2>
|
||||
<a name="id2543906"></a><h2>EXAMPLE</h2>
|
||||
<p>
|
||||
To generate a 768-bit DSA key for the domain
|
||||
<strong class="userinput"><code>example.com</code></strong>, the following command would be
|
||||
@@ -352,16 +215,16 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544352"></a><h2>SEE ALSO</h2>
|
||||
<a name="id2543949"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 2539</em>,
|
||||
<em class="citetitle">RFC 2845</em>,
|
||||
<em class="citetitle">RFC 4034</em>.
|
||||
<em class="citetitle">RFC 4033</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544451"></a><h2>AUTHOR</h2>
|
||||
<a name="id2544049"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -1,83 +0,0 @@
|
||||
.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dnssec-revoke.8,v 1.8 2009/11/03 21:58:30 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
.\" Title: dnssec\-revoke
|
||||
.\" Author:
|
||||
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
|
||||
.\" Date: June 1, 2009
|
||||
.\" Manual: BIND9
|
||||
.\" Source: BIND9
|
||||
.\"
|
||||
.TH "DNSSEC\-REVOKE" "8" "June 1, 2009" "BIND9" "BIND9"
|
||||
.\" disable hyphenation
|
||||
.nh
|
||||
.\" disable justification (adjust text to left margin only)
|
||||
.ad l
|
||||
.SH "NAME"
|
||||
dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
|
||||
.SH "SYNOPSIS"
|
||||
.HP 14
|
||||
\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] {keyfile}
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBdnssec\-revoke\fR
|
||||
reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key.
|
||||
.SH "OPTIONS"
|
||||
.PP
|
||||
\-h
|
||||
.RS 4
|
||||
Emit usage message and exit.
|
||||
.RE
|
||||
.PP
|
||||
\-K \fIdirectory\fR
|
||||
.RS 4
|
||||
Sets the directory in which the key files are to reside.
|
||||
.RE
|
||||
.PP
|
||||
\-r
|
||||
.RS 4
|
||||
After writing the new keyset files remove the original keyset files.
|
||||
.RE
|
||||
.PP
|
||||
\-v \fIlevel\fR
|
||||
.RS 4
|
||||
Sets the debugging level.
|
||||
.RE
|
||||
.PP
|
||||
\-E \fIengine\fR
|
||||
.RS 4
|
||||
Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
|
||||
.RE
|
||||
.PP
|
||||
\-f
|
||||
.RS 4
|
||||
Force overwrite: Causes
|
||||
\fBdnssec\-revoke\fR
|
||||
to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
|
||||
.RE
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
\fBdnssec\-keygen\fR(8),
|
||||
BIND 9 Administrator Reference Manual,
|
||||
RFC 5011.
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Systems Consortium
|
||||
.SH "COPYRIGHT"
|
||||
Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
@@ -1,267 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssec-revoke.c,v 1.18 2009/10/27 18:56:48 each Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <libgen.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/commandline.h>
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/file.h>
|
||||
#include <isc/hash.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/string.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <dns/keyvalues.h>
|
||||
#include <dns/result.h>
|
||||
|
||||
#include <dst/dst.h>
|
||||
|
||||
#include "dnssectool.h"
|
||||
|
||||
const char *program = "dnssec-revoke";
|
||||
int verbose;
|
||||
|
||||
static isc_mem_t *mctx = NULL;
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr, "Usage:\n");
|
||||
fprintf(stderr, " %s [options] keyfile\n\n", program);
|
||||
fprintf(stderr, "Version: %s\n", VERSION);
|
||||
fprintf(stderr, "\t-E engine:\n");
|
||||
#ifdef USE_PKCS11
|
||||
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
|
||||
"(default is \"pkcs11\")\n");
|
||||
#else
|
||||
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
|
||||
#endif
|
||||
fprintf(stderr, " -f: force overwrite\n");
|
||||
fprintf(stderr, " -K directory: use directory for key files\n");
|
||||
fprintf(stderr, " -h: help\n");
|
||||
fprintf(stderr, " -r: remove old keyfiles after "
|
||||
"creating revoked version\n");
|
||||
fprintf(stderr, " -v level: set level of verbosity\n");
|
||||
fprintf(stderr, "Output:\n");
|
||||
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
|
||||
"K<name>+<alg>+<new id>.private\n");
|
||||
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv) {
|
||||
isc_result_t result;
|
||||
#ifdef USE_PKCS11
|
||||
const char *engine = "pkcs11";
|
||||
#else
|
||||
const char *engine = NULL;
|
||||
#endif
|
||||
char *filename = NULL, *dir = NULL;
|
||||
char newname[1024], oldname[1024];
|
||||
char keystr[DST_KEY_FORMATSIZE];
|
||||
char *endp;
|
||||
int ch;
|
||||
isc_entropy_t *ectx = NULL;
|
||||
dst_key_t *key = NULL;
|
||||
isc_uint32_t flags;
|
||||
isc_buffer_t buf;
|
||||
isc_boolean_t force = ISC_FALSE;
|
||||
isc_boolean_t remove = ISC_FALSE;
|
||||
|
||||
if (argc == 1)
|
||||
usage();
|
||||
|
||||
result = isc_mem_create(0, 0, &mctx);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Out of memory");
|
||||
|
||||
dns_result_register();
|
||||
|
||||
isc_commandline_errprint = ISC_FALSE;
|
||||
|
||||
while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'E':
|
||||
engine = isc_commandline_argument;
|
||||
break;
|
||||
case 'f':
|
||||
force = ISC_TRUE;
|
||||
break;
|
||||
case 'K':
|
||||
/*
|
||||
* We don't have to copy it here, but do it to
|
||||
* simplify cleanup later
|
||||
*/
|
||||
dir = isc_mem_strdup(mctx, isc_commandline_argument);
|
||||
if (dir == NULL) {
|
||||
fatal("Failed to allocate memory for "
|
||||
"directory");
|
||||
}
|
||||
break;
|
||||
case 'r':
|
||||
remove = ISC_TRUE;
|
||||
break;
|
||||
case 'v':
|
||||
verbose = strtol(isc_commandline_argument, &endp, 0);
|
||||
if (*endp != '\0')
|
||||
fatal("-v must be followed by a number");
|
||||
break;
|
||||
case '?':
|
||||
if (isc_commandline_option != '?')
|
||||
fprintf(stderr, "%s: invalid argument -%c\n",
|
||||
program, isc_commandline_option);
|
||||
/* Falls into */
|
||||
case 'h':
|
||||
usage();
|
||||
|
||||
default:
|
||||
fprintf(stderr, "%s: unhandled option -%c\n",
|
||||
program, isc_commandline_option);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
if (argc < isc_commandline_index + 1 ||
|
||||
argv[isc_commandline_index] == NULL)
|
||||
fatal("The key file name was not specified");
|
||||
if (argc > isc_commandline_index + 1)
|
||||
fatal("Extraneous arguments");
|
||||
|
||||
if (dir != NULL) {
|
||||
filename = argv[isc_commandline_index];
|
||||
} else {
|
||||
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
|
||||
&dir, &filename);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("cannot process filename %s: %s",
|
||||
argv[isc_commandline_index],
|
||||
isc_result_totext(result));
|
||||
}
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Could not initialize hash");
|
||||
result = dst_lib_init2(mctx, ectx, engine,
|
||||
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Could not initialize dst: %s",
|
||||
isc_result_totext(result));
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
result = dst_key_fromnamedfile(filename, dir,
|
||||
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
|
||||
mctx, &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Invalid keyfile name %s: %s",
|
||||
filename, isc_result_totext(result));
|
||||
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
|
||||
if (verbose > 2)
|
||||
fprintf(stderr, "%s: %s\n", program, keystr);
|
||||
|
||||
if (force)
|
||||
set_keyversion(key);
|
||||
else
|
||||
check_keyversion(key, keystr);
|
||||
|
||||
|
||||
flags = dst_key_flags(key);
|
||||
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
|
||||
isc_stdtime_t now;
|
||||
|
||||
if ((flags & DNS_KEYFLAG_KSK) == 0)
|
||||
fprintf(stderr, "%s: warning: Key is not flagged "
|
||||
"as a KSK. Revoking a ZSK is "
|
||||
"legal, but undefined.\n",
|
||||
program);
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
dst_key_settime(key, DST_TIME_REVOKE, now);
|
||||
|
||||
dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
|
||||
|
||||
isc_buffer_init(&buf, newname, sizeof(newname));
|
||||
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
|
||||
|
||||
if (access(newname, F_OK) == 0 && !force) {
|
||||
fatal("Key file %s already exists; "
|
||||
"use -f to force overwrite", newname);
|
||||
}
|
||||
|
||||
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
|
||||
dir);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
fatal("Failed to write key %s: %s", keystr,
|
||||
isc_result_totext(result));
|
||||
}
|
||||
|
||||
printf("%s\n", newname);
|
||||
|
||||
isc_buffer_clear(&buf);
|
||||
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
|
||||
printf("%s\n", newname);
|
||||
|
||||
/*
|
||||
* Remove old key file, if told to (and if
|
||||
* it isn't the same as the new file)
|
||||
*/
|
||||
if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
|
||||
isc_buffer_init(&buf, oldname, sizeof(oldname));
|
||||
dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
|
||||
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
|
||||
if (strcmp(oldname, newname) == 0)
|
||||
goto cleanup;
|
||||
if (access(oldname, F_OK) == 0)
|
||||
unlink(oldname);
|
||||
isc_buffer_clear(&buf);
|
||||
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
|
||||
if (access(oldname, F_OK) == 0)
|
||||
unlink(oldname);
|
||||
}
|
||||
} else {
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
fatal("Key %s is already revoked", keystr);
|
||||
}
|
||||
|
||||
cleanup:
|
||||
dst_key_free(&key);
|
||||
dst_lib_destroy();
|
||||
isc_hash_destroy();
|
||||
cleanup_entropy(&ectx);
|
||||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
isc_mem_free(mctx, dir);
|
||||
isc_mem_destroy(&mctx);
|
||||
|
||||
return (0);
|
||||
}
|
||||
@@ -1,149 +0,0 @@
|
||||
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||||
[<!ENTITY mdash "—">]>
|
||||
<!--
|
||||
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-revoke.docbook,v 1.7 2009/11/03 21:44:46 each Exp $ -->
|
||||
<refentry id="man.dnssec-revoke">
|
||||
<refentryinfo>
|
||||
<date>June 1, 2009</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle><application>dnssec-revoke</application></refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
<refmiscinfo>BIND9</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname><application>dnssec-revoke</application></refname>
|
||||
<refpurpose>Set the REVOKED bit on a DNSSEC key</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<docinfo>
|
||||
<copyright>
|
||||
<year>2009</year>
|
||||
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||||
</copyright>
|
||||
</docinfo>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>dnssec-revoke</command>
|
||||
<arg><option>-hr</option></arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
|
||||
<arg><option>-f</option></arg>
|
||||
<arg choice="req">keyfile</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>DESCRIPTION</title>
|
||||
<para><command>dnssec-revoke</command>
|
||||
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
|
||||
in RFC 5011, and creates a new pair of key files containing the
|
||||
now-revoked key.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>OPTIONS</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-h</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Emit usage message and exit.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-K <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the directory in which the key files are to reside.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-r</term>
|
||||
<listitem>
|
||||
<para>
|
||||
After writing the new keyset files remove the original keyset
|
||||
files.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-v <replaceable class="parameter">level</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the debugging level.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-E <replaceable class="parameter">engine</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Use the given OpenSSL engine. When compiled with PKCS#11 support
|
||||
it defaults to pkcs11; the empty name resets it to no engine.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-f</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Force overwrite: Causes <command>dnssec-revoke</command> to
|
||||
write the new key pair even if a file already exists matching
|
||||
the algorithm and key ID of the revoked key.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>SEE ALSO</title>
|
||||
<para><citerefentry>
|
||||
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
||||
<citetitle>RFC 5011</citetitle>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>AUTHOR</title>
|
||||
<para><corpauthor>Internet Systems Consortium</corpauthor>
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry><!--
|
||||
- Local variables:
|
||||
- mode: sgml
|
||||
- End:
|
||||
-->
|
||||
@@ -1,88 +0,0 @@
|
||||
<!--
|
||||
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-revoke.html,v 1.8 2009/11/03 21:58:30 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-revoke</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
|
||||
</head>
|
||||
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
|
||||
<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-revoke</span> — Set the REVOKED bit on a DNSSEC key</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543373"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">dnssec-revoke</strong></span>
|
||||
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
|
||||
in RFC 5011, and creates a new pair of key files containing the
|
||||
now-revoked key.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543385"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
Emit usage message and exit.
|
||||
</p></dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the directory in which the key files are to reside.
|
||||
</p></dd>
|
||||
<dt><span class="term">-r</span></dt>
|
||||
<dd><p>
|
||||
After writing the new keyset files remove the original keyset
|
||||
files.
|
||||
</p></dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd><p>
|
||||
Use the given OpenSSL engine. When compiled with PKCS#11 support
|
||||
it defaults to pkcs11; the empty name resets it to no engine.
|
||||
</p></dd>
|
||||
<dt><span class="term">-f</span></dt>
|
||||
<dd><p>
|
||||
Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
|
||||
write the new key pair even if a file already exists matching
|
||||
the algorithm and key ID of the revoked key.
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543491"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 5011</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543515"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
</div></body>
|
||||
</html>
|
||||
@@ -1,152 +0,0 @@
|
||||
.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dnssec-settime.8,v 1.9 2009/11/03 21:58:30 tbox Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
.\" Title: dnssec\-settime
|
||||
.\" Author:
|
||||
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
|
||||
.\" Date: July 15, 2009
|
||||
.\" Manual: BIND9
|
||||
.\" Source: BIND9
|
||||
.\"
|
||||
.TH "DNSSEC\-SETTIME" "8" "July 15, 2009" "BIND9" "BIND9"
|
||||
.\" disable hyphenation
|
||||
.nh
|
||||
.\" disable justification (adjust text to left margin only)
|
||||
.ad l
|
||||
.SH "NAME"
|
||||
dnssec\-settime \- Set the key timing metadata for a DNSSEC key
|
||||
.SH "SYNOPSIS"
|
||||
.HP 15
|
||||
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBdnssec\-settime\fR
|
||||
reads a DNSSEC private key file and sets the key timing metadata as specified by the
|
||||
\fB\-P\fR,
|
||||
\fB\-A\fR,
|
||||
\fB\-R\fR,
|
||||
\fB\-I\fR, and
|
||||
\fB\-D\fR
|
||||
options. The metadata can then be used by
|
||||
\fBdnssec\-signzone\fR
|
||||
or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
|
||||
.PP
|
||||
If none of these options is set on the command line, then
|
||||
\fBdnssec\-settime\fR
|
||||
simply prints the key timing metadata already stored in the key.
|
||||
.PP
|
||||
When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
|
||||
and
|
||||
\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file.
|
||||
.SH "OPTIONS"
|
||||
.PP
|
||||
\-f
|
||||
.RS 4
|
||||
Force an update of an old\-format key with no metadata fields. Without this option,
|
||||
\fBdnssec\-settime\fR
|
||||
will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be set to the present time.
|
||||
.RE
|
||||
.PP
|
||||
\-K \fIdirectory\fR
|
||||
.RS 4
|
||||
Sets the directory in which the key files are to reside.
|
||||
.RE
|
||||
.PP
|
||||
\-h
|
||||
.RS 4
|
||||
Emit usage message and exit.
|
||||
.RE
|
||||
.PP
|
||||
\-v \fIlevel\fR
|
||||
.RS 4
|
||||
Sets the debugging level.
|
||||
.RE
|
||||
.PP
|
||||
\-E \fIengine\fR
|
||||
.RS 4
|
||||
Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
|
||||
.RE
|
||||
.SH "TIMING OPTIONS"
|
||||
.PP
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
|
||||
.PP
|
||||
\-P \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
|
||||
.RE
|
||||
.PP
|
||||
\-A \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
|
||||
.RE
|
||||
.PP
|
||||
\-R \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
|
||||
.RE
|
||||
.PP
|
||||
\-I \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
|
||||
.RE
|
||||
.PP
|
||||
\-D \fIdate/offset\fR
|
||||
.RS 4
|
||||
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
|
||||
.RE
|
||||
.SH "PRINTING OPTIONS"
|
||||
.PP
|
||||
\fBdnssec\-settime\fR
|
||||
can also be used to print the timing metadata associated with a key.
|
||||
.PP
|
||||
\-u
|
||||
.RS 4
|
||||
Print times in UNIX epoch format.
|
||||
.RE
|
||||
.PP
|
||||
\-p \fIC/P/A/R/U/D/all\fR
|
||||
.RS 4
|
||||
Print a specific metadata value or set of metadata values. The
|
||||
\fB\-p\fR
|
||||
option may be followed by one or more of the following letters to indicate which value or values to print:
|
||||
\fBC\fR
|
||||
for the creation date,
|
||||
\fBP\fR
|
||||
for the publication date,
|
||||
\fBA\fR
|
||||
for the activation date,
|
||||
\fBR\fR
|
||||
for the revokation date,
|
||||
\fBU\fR
|
||||
for the unpublication date, or
|
||||
\fBD\fR
|
||||
for the deletion date. To print all of the metadata, use
|
||||
\fB\-p all\fR.
|
||||
.RE
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
\fBdnssec\-keygen\fR(8),
|
||||
\fBdnssec\-signzone\fR(8),
|
||||
BIND 9 Administrator Reference Manual,
|
||||
RFC 5011.
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Systems Consortium
|
||||
.SH "COPYRIGHT"
|
||||
Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
@@ -1,464 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssec-settime.c,v 1.19 2009/10/27 18:56:49 each Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <libgen.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <time.h>
|
||||
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/commandline.h>
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/file.h>
|
||||
#include <isc/hash.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/string.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <dns/keyvalues.h>
|
||||
#include <dns/result.h>
|
||||
|
||||
#include <dst/dst.h>
|
||||
|
||||
#include "dnssectool.h"
|
||||
|
||||
const char *program = "dnssec-settime";
|
||||
int verbose;
|
||||
|
||||
static isc_mem_t *mctx = NULL;
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr, "Usage:\n");
|
||||
fprintf(stderr, " %s [options] keyfile\n\n", program);
|
||||
fprintf(stderr, "Version: %s\n", VERSION);
|
||||
fprintf(stderr, "General options:\n");
|
||||
#ifdef USE_PKCS11
|
||||
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
|
||||
"(default is \"pkcs11\")\n");
|
||||
#else
|
||||
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
|
||||
#endif
|
||||
fprintf(stderr, " -f: force update of old-style "
|
||||
"keys\n");
|
||||
fprintf(stderr, " -K directory: set key file location\n");
|
||||
fprintf(stderr, " -v level: set level of verbosity\n");
|
||||
fprintf(stderr, " -h: help\n");
|
||||
fprintf(stderr, "Timing options:\n");
|
||||
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
|
||||
"publication date\n");
|
||||
fprintf(stderr, " -A date/[+-]offset/none: set key "
|
||||
"activation date\n");
|
||||
fprintf(stderr, " -R date/[+-]offset/none: set key "
|
||||
"revocation date\n");
|
||||
fprintf(stderr, " -I date/[+-]offset/none: set key "
|
||||
"inactivation date\n");
|
||||
fprintf(stderr, " -D date/[+-]offset/none: set key "
|
||||
"deletion date\n");
|
||||
fprintf(stderr, "Printing options:\n");
|
||||
fprintf(stderr, " -p C/P/A/R/U/D/all: print a particular time "
|
||||
"value or values "
|
||||
"[default: all]\n");
|
||||
fprintf(stderr, " -u: print times in unix epoch "
|
||||
"format\n");
|
||||
fprintf(stderr, "Output:\n");
|
||||
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
|
||||
"K<name>+<alg>+<new id>.private\n");
|
||||
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
static void
|
||||
printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
|
||||
FILE *stream)
|
||||
{
|
||||
isc_result_t result;
|
||||
const char *output = NULL;
|
||||
isc_stdtime_t when;
|
||||
|
||||
if (tag != NULL)
|
||||
fprintf(stream, "%s: ", tag);
|
||||
|
||||
result = dst_key_gettime(key, type, &when);
|
||||
if (result == ISC_R_NOTFOUND) {
|
||||
fprintf(stream, "UNSET\n");
|
||||
} else if (epoch) {
|
||||
fprintf(stream, "%d\n", (int) when);
|
||||
} else {
|
||||
time_t time = when;
|
||||
output = ctime(&time);
|
||||
fprintf(stream, "%s", output);
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv) {
|
||||
isc_result_t result;
|
||||
#ifdef USE_PKCS11
|
||||
const char *engine = "pkcs11";
|
||||
#else
|
||||
const char *engine = NULL;
|
||||
#endif
|
||||
char *filename = NULL, *directory = NULL;
|
||||
char newname[1024];
|
||||
char keystr[DST_KEY_FORMATSIZE];
|
||||
char *endp, *p;
|
||||
int ch;
|
||||
isc_entropy_t *ectx = NULL;
|
||||
dst_key_t *key = NULL;
|
||||
isc_buffer_t buf;
|
||||
isc_stdtime_t now;
|
||||
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
|
||||
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
|
||||
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
|
||||
isc_boolean_t setdel = ISC_FALSE;
|
||||
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
|
||||
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
|
||||
isc_boolean_t unsetdel = ISC_FALSE;
|
||||
isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
|
||||
isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
|
||||
isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
|
||||
isc_boolean_t force = ISC_FALSE;
|
||||
isc_boolean_t epoch = ISC_FALSE;
|
||||
isc_boolean_t changed = ISC_FALSE;
|
||||
|
||||
if (argc == 1)
|
||||
usage();
|
||||
|
||||
result = isc_mem_create(0, 0, &mctx);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Out of memory");
|
||||
|
||||
dns_result_register();
|
||||
|
||||
isc_commandline_errprint = ISC_FALSE;
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
|
||||
while ((ch = isc_commandline_parse(argc, argv,
|
||||
"E:fK:uhp:v:P:A:R:I:D:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'E':
|
||||
engine = isc_commandline_argument;
|
||||
break;
|
||||
case 'f':
|
||||
force = ISC_TRUE;
|
||||
break;
|
||||
case 'p':
|
||||
p = isc_commandline_argument;
|
||||
if (!strcasecmp(p, "all")) {
|
||||
printcreate = ISC_TRUE;
|
||||
printpub = ISC_TRUE;
|
||||
printact = ISC_TRUE;
|
||||
printrev = ISC_TRUE;
|
||||
printinact = ISC_TRUE;
|
||||
printdel = ISC_TRUE;
|
||||
break;
|
||||
}
|
||||
|
||||
do {
|
||||
switch (*p++) {
|
||||
case 'C':
|
||||
printcreate = ISC_TRUE;
|
||||
break;
|
||||
case 'P':
|
||||
printpub = ISC_TRUE;
|
||||
break;
|
||||
case 'A':
|
||||
printact = ISC_TRUE;
|
||||
break;
|
||||
case 'R':
|
||||
printrev = ISC_TRUE;
|
||||
break;
|
||||
case 'I':
|
||||
printinact = ISC_TRUE;
|
||||
break;
|
||||
case 'D':
|
||||
printdel = ISC_TRUE;
|
||||
break;
|
||||
case ' ':
|
||||
break;
|
||||
default:
|
||||
usage();
|
||||
break;
|
||||
}
|
||||
} while (*p != '\0');
|
||||
break;
|
||||
case 'u':
|
||||
epoch = ISC_TRUE;
|
||||
break;
|
||||
case 'K':
|
||||
/*
|
||||
* We don't have to copy it here, but do it to
|
||||
* simplify cleanup later
|
||||
*/
|
||||
directory = isc_mem_strdup(mctx,
|
||||
isc_commandline_argument);
|
||||
if (directory == NULL) {
|
||||
fatal("Failed to allocate memory for "
|
||||
"directory");
|
||||
}
|
||||
break;
|
||||
case 'v':
|
||||
verbose = strtol(isc_commandline_argument, &endp, 0);
|
||||
if (*endp != '\0')
|
||||
fatal("-v must be followed by a number");
|
||||
break;
|
||||
case 'P':
|
||||
if (setpub || unsetpub)
|
||||
fatal("-P specified more than once");
|
||||
|
||||
changed = ISC_TRUE;
|
||||
if (!strcasecmp(isc_commandline_argument, "none")) {
|
||||
unsetpub = ISC_TRUE;
|
||||
} else {
|
||||
setpub = ISC_TRUE;
|
||||
pub = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
}
|
||||
break;
|
||||
case 'A':
|
||||
if (setact || unsetact)
|
||||
fatal("-A specified more than once");
|
||||
|
||||
changed = ISC_TRUE;
|
||||
if (!strcasecmp(isc_commandline_argument, "none")) {
|
||||
unsetact = ISC_TRUE;
|
||||
} else {
|
||||
setact = ISC_TRUE;
|
||||
act = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
}
|
||||
break;
|
||||
case 'R':
|
||||
if (setrev || unsetrev)
|
||||
fatal("-R specified more than once");
|
||||
|
||||
changed = ISC_TRUE;
|
||||
if (!strcasecmp(isc_commandline_argument, "none")) {
|
||||
unsetrev = ISC_TRUE;
|
||||
} else {
|
||||
setrev = ISC_TRUE;
|
||||
rev = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
}
|
||||
break;
|
||||
case 'I':
|
||||
if (setinact || unsetinact)
|
||||
fatal("-I specified more than once");
|
||||
|
||||
changed = ISC_TRUE;
|
||||
if (!strcasecmp(isc_commandline_argument, "none")) {
|
||||
unsetinact = ISC_TRUE;
|
||||
} else {
|
||||
setinact = ISC_TRUE;
|
||||
inact = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
}
|
||||
break;
|
||||
case 'D':
|
||||
if (setdel || unsetdel)
|
||||
fatal("-D specified more than once");
|
||||
|
||||
changed = ISC_TRUE;
|
||||
if (!strcasecmp(isc_commandline_argument, "none")) {
|
||||
unsetdel = ISC_TRUE;
|
||||
} else {
|
||||
setdel = ISC_TRUE;
|
||||
del = strtotime(isc_commandline_argument,
|
||||
now, now);
|
||||
}
|
||||
break;
|
||||
case '?':
|
||||
if (isc_commandline_option != '?')
|
||||
fprintf(stderr, "%s: invalid argument -%c\n",
|
||||
program, isc_commandline_option);
|
||||
/* Falls into */
|
||||
case 'h':
|
||||
usage();
|
||||
|
||||
default:
|
||||
fprintf(stderr, "%s: unhandled option -%c\n",
|
||||
program, isc_commandline_option);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
if (argc < isc_commandline_index + 1 ||
|
||||
argv[isc_commandline_index] == NULL)
|
||||
fatal("The key file name was not specified");
|
||||
if (argc > isc_commandline_index + 1)
|
||||
fatal("Extraneous arguments");
|
||||
|
||||
if (directory != NULL) {
|
||||
filename = argv[isc_commandline_index];
|
||||
} else {
|
||||
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
|
||||
&directory, &filename);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("cannot process filename %s: %s",
|
||||
argv[isc_commandline_index],
|
||||
isc_result_totext(result));
|
||||
}
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Could not initialize hash");
|
||||
result = dst_lib_init2(mctx, ectx, engine,
|
||||
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Could not initialize dst: %s",
|
||||
isc_result_totext(result));
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
result = dst_key_fromnamedfile(filename, directory,
|
||||
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
|
||||
mctx, &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Invalid keyfile %s: %s",
|
||||
filename, isc_result_totext(result));
|
||||
|
||||
if (!dst_key_isprivate(key))
|
||||
fatal("%s is not a private key", filename);
|
||||
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
|
||||
if (force)
|
||||
set_keyversion(key);
|
||||
else
|
||||
check_keyversion(key, keystr);
|
||||
|
||||
if (verbose > 2)
|
||||
fprintf(stderr, "%s: %s\n", program, keystr);
|
||||
|
||||
/*
|
||||
* Set time values.
|
||||
*/
|
||||
if (setpub)
|
||||
dst_key_settime(key, DST_TIME_PUBLISH, pub);
|
||||
else if (unsetpub)
|
||||
dst_key_unsettime(key, DST_TIME_PUBLISH);
|
||||
|
||||
if (setact)
|
||||
dst_key_settime(key, DST_TIME_ACTIVATE, act);
|
||||
else if (unsetact)
|
||||
dst_key_unsettime(key, DST_TIME_ACTIVATE);
|
||||
|
||||
if (setrev) {
|
||||
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
|
||||
fprintf(stderr, "%s: warning: Key %s is already "
|
||||
"revoked; changing the revocation date "
|
||||
"will not affect this.\n",
|
||||
program, keystr);
|
||||
if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0)
|
||||
fprintf(stderr, "%s: warning: Key %s is not flagged as "
|
||||
"a KSK, but -R was used. Revoking a "
|
||||
"ZSK is legal, but undefined.\n",
|
||||
program, keystr);
|
||||
dst_key_settime(key, DST_TIME_REVOKE, rev);
|
||||
} else if (unsetrev) {
|
||||
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
|
||||
fprintf(stderr, "%s: warning: Key %s is already "
|
||||
"revoked; removing the revocation date "
|
||||
"will not affect this.\n",
|
||||
program, keystr);
|
||||
dst_key_unsettime(key, DST_TIME_REVOKE);
|
||||
}
|
||||
|
||||
if (setinact)
|
||||
dst_key_settime(key, DST_TIME_INACTIVE, inact);
|
||||
else if (unsetinact)
|
||||
dst_key_unsettime(key, DST_TIME_INACTIVE);
|
||||
|
||||
if (setdel)
|
||||
dst_key_settime(key, DST_TIME_DELETE, del);
|
||||
else if (unsetdel)
|
||||
dst_key_unsettime(key, DST_TIME_DELETE);
|
||||
|
||||
/*
|
||||
* Print out time values, if -p was used.
|
||||
*/
|
||||
if (printcreate)
|
||||
printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
|
||||
|
||||
if (printpub)
|
||||
printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
|
||||
|
||||
if (printact)
|
||||
printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
|
||||
|
||||
if (printrev)
|
||||
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
|
||||
|
||||
if (printinact)
|
||||
printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
|
||||
|
||||
if (printdel)
|
||||
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
|
||||
|
||||
if (changed) {
|
||||
isc_buffer_init(&buf, newname, sizeof(newname));
|
||||
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
|
||||
&buf);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
fatal("Failed to build public key filename: %s",
|
||||
isc_result_totext(result));
|
||||
}
|
||||
|
||||
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
|
||||
directory);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dst_key_format(key, keystr, sizeof(keystr));
|
||||
fatal("Failed to write key %s: %s", keystr,
|
||||
isc_result_totext(result));
|
||||
}
|
||||
|
||||
printf("%s\n", newname);
|
||||
|
||||
isc_buffer_clear(&buf);
|
||||
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory,
|
||||
&buf);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
fatal("Failed to build private key filename: %s",
|
||||
isc_result_totext(result));
|
||||
}
|
||||
printf("%s\n", newname);
|
||||
}
|
||||
|
||||
dst_key_free(&key);
|
||||
dst_lib_destroy();
|
||||
isc_hash_destroy();
|
||||
cleanup_entropy(&ectx);
|
||||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
isc_mem_free(mctx, directory);
|
||||
isc_mem_destroy(&mctx);
|
||||
|
||||
return (0);
|
||||
}
|
||||
@@ -1,277 +0,0 @@
|
||||
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||||
[<!ENTITY mdash "—">]>
|
||||
<!--
|
||||
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-settime.docbook,v 1.7 2009/11/03 21:44:46 each Exp $ -->
|
||||
<refentry id="man.dnssec-settime">
|
||||
<refentryinfo>
|
||||
<date>July 15, 2009</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle><application>dnssec-settime</application></refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
<refmiscinfo>BIND9</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname><application>dnssec-settime</application></refname>
|
||||
<refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<docinfo>
|
||||
<copyright>
|
||||
<year>2009</year>
|
||||
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||||
</copyright>
|
||||
</docinfo>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>dnssec-settime</command>
|
||||
<arg><option>-f</option></arg>
|
||||
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
|
||||
<arg><option>-h</option></arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
|
||||
<arg choice="req">keyfile</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>DESCRIPTION</title>
|
||||
<para><command>dnssec-settime</command>
|
||||
reads a DNSSEC private key file and sets the key timing metadata
|
||||
as specified by the <option>-P</option>, <option>-A</option>,
|
||||
<option>-R</option>, <option>-I</option>, and <option>-D</option>
|
||||
options. The metadata can then be used by
|
||||
<command>dnssec-signzone</command> or other signing software to
|
||||
determine when a key is to be published, whether it should be
|
||||
used for signing a zone, etc.
|
||||
</para>
|
||||
<para>
|
||||
If none of these options is set on the command line,
|
||||
then <command>dnssec-settime</command> simply prints the key timing
|
||||
metadata already stored in the key.
|
||||
</para>
|
||||
<para>
|
||||
When key metadata fields are changed, both files of a key
|
||||
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
|
||||
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
|
||||
Metadata fields are stored in the private file. A human-readable
|
||||
description of the metadata is also placed in comments in the key
|
||||
file.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>OPTIONS</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-f</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Force an update of an old-format key with no metadata fields.
|
||||
Without this option, <command>dnssec-settime</command> will
|
||||
fail when attempting to update a legacy key. With this option,
|
||||
the key will be recreated in the new format, but with the
|
||||
original key data retained. The key's creation date will be
|
||||
set to the present time.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-K <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the directory in which the key files are to reside.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-h</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Emit usage message and exit.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-v <replaceable class="parameter">level</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the debugging level.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-E <replaceable class="parameter">engine</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Use the given OpenSSL engine. When compiled with PKCS#11 support
|
||||
it defaults to pkcs11; the empty name resets it to no engine.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>TIMING OPTIONS</title>
|
||||
<para>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
|
||||
then the offset is computed in years (defined as 365 24-hour days,
|
||||
ignoring leap years), months (defined as 30 24-hour days), weeks,
|
||||
days, hours, or minutes, respectively. Without a suffix, the offset
|
||||
is computed in seconds. To unset a date, use 'none'.
|
||||
</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be activated. After that
|
||||
date, the key will be included in the zone and used to sign
|
||||
it.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be revoked. After that
|
||||
date, the key will be flagged as revoked. It will be included
|
||||
in the zone and will be used to sign it.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be retired. After that
|
||||
date, the key will still be included in the zone, but it
|
||||
will not be used to sign it.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>PRINTING OPTIONS</title>
|
||||
<para>
|
||||
<command>dnssec-settime</command> can also be used to print the
|
||||
timing metadata associated with a key.
|
||||
</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-u</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Print times in UNIX epoch format.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-p <replaceable class="parameter">C/P/A/R/U/D/all</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Print a specific metadata value or set of metadata values.
|
||||
The <option>-p</option> option may be followed by one or more
|
||||
of the following letters to indicate which value or values to print:
|
||||
<option>C</option> for the creation date,
|
||||
<option>P</option> for the publication date,
|
||||
<option>A</option> for the activation date,
|
||||
<option>R</option> for the revokation date,
|
||||
<option>U</option> for the unpublication date, or
|
||||
<option>D</option> for the deletion date.
|
||||
To print all of the metadata, use <option>-p all</option>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>SEE ALSO</title>
|
||||
<para><citerefentry>
|
||||
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
||||
<citetitle>RFC 5011</citetitle>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>AUTHOR</title>
|
||||
<para><corpauthor>Internet Systems Consortium</corpauthor>
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry><!--
|
||||
- Local variables:
|
||||
- mode: sgml
|
||||
- End:
|
||||
-->
|
||||
@@ -1,175 +0,0 @@
|
||||
<!--
|
||||
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-settime.html,v 1.9 2009/11/03 21:58:30 tbox Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-settime</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
|
||||
</head>
|
||||
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
|
||||
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
|
||||
<div class="refnamediv">
|
||||
<h2>Name</h2>
|
||||
<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543416"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">dnssec-settime</strong></span>
|
||||
reads a DNSSEC private key file and sets the key timing metadata
|
||||
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
|
||||
<code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
|
||||
options. The metadata can then be used by
|
||||
<span><strong class="command">dnssec-signzone</strong></span> or other signing software to
|
||||
determine when a key is to be published, whether it should be
|
||||
used for signing a zone, etc.
|
||||
</p>
|
||||
<p>
|
||||
If none of these options is set on the command line,
|
||||
then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
|
||||
metadata already stored in the key.
|
||||
</p>
|
||||
<p>
|
||||
When key metadata fields are changed, both files of a key
|
||||
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
|
||||
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
|
||||
Metadata fields are stored in the private file. A human-readable
|
||||
description of the metadata is also placed in comments in the key
|
||||
file.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543464"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-f</span></dt>
|
||||
<dd><p>
|
||||
Force an update of an old-format key with no metadata fields.
|
||||
Without this option, <span><strong class="command">dnssec-settime</strong></span> will
|
||||
fail when attempting to update a legacy key. With this option,
|
||||
the key will be recreated in the new format, but with the
|
||||
original key data retained. The key's creation date will be
|
||||
set to the present time.
|
||||
</p></dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the directory in which the key files are to reside.
|
||||
</p></dd>
|
||||
<dt><span class="term">-h</span></dt>
|
||||
<dd><p>
|
||||
Emit usage message and exit.
|
||||
</p></dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd><p>
|
||||
Use the given OpenSSL engine. When compiled with PKCS#11 support
|
||||
it defaults to pkcs11; the empty name resets it to no engine.
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543556"></a><h2>TIMING OPTIONS</h2>
|
||||
<p>
|
||||
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
|
||||
If the argument begins with a '+' or '-', it is interpreted as
|
||||
an offset from the present time. For convenience, if such an offset
|
||||
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
|
||||
then the offset is computed in years (defined as 365 24-hour days,
|
||||
ignoring leap years), months (defined as 30 24-hour days), weeks,
|
||||
days, hours, or minutes, respectively. Without a suffix, the offset
|
||||
is computed in seconds. To unset a date, use 'none'.
|
||||
</p>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which a key is to be published to the zone.
|
||||
After that date, the key will be included in the zone but will
|
||||
not be used to sign it.
|
||||
</p></dd>
|
||||
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be activated. After that
|
||||
date, the key will be included in the zone and used to sign
|
||||
it.
|
||||
</p></dd>
|
||||
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be revoked. After that
|
||||
date, the key will be flagged as revoked. It will be included
|
||||
in the zone and will be used to sign it.
|
||||
</p></dd>
|
||||
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be retired. After that
|
||||
date, the key will still be included in the zone, but it
|
||||
will not be used to sign it.
|
||||
</p></dd>
|
||||
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the date on which the key is to be deleted. After that
|
||||
date, the key will no longer be included in the zone. (It
|
||||
may remain in the key repository, however.)
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543654"></a><h2>PRINTING OPTIONS</h2>
|
||||
<p>
|
||||
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
|
||||
timing metadata associated with a key.
|
||||
</p>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-u</span></dt>
|
||||
<dd><p>
|
||||
Print times in UNIX epoch format.
|
||||
</p></dd>
|
||||
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/U/D/all</code></em></span></dt>
|
||||
<dd><p>
|
||||
Print a specific metadata value or set of metadata values.
|
||||
The <code class="option">-p</code> option may be followed by one or more
|
||||
of the following letters to indicate which value or values to print:
|
||||
<code class="option">C</code> for the creation date,
|
||||
<code class="option">P</code> for the publication date,
|
||||
<code class="option">A</code> for the activation date,
|
||||
<code class="option">R</code> for the revokation date,
|
||||
<code class="option">U</code> for the unpublication date, or
|
||||
<code class="option">D</code> for the deletion date.
|
||||
To print all of the metadata, use <code class="option">-p all</code>.
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543732"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 5011</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543765"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
</div></body>
|
||||
</html>
|
||||
@@ -1,7 +1,7 @@
|
||||
.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and/or distribute this software for any
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
@@ -13,372 +13,163 @@
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dnssec-signzone.8,v 1.58 2009/11/03 21:58:30 tbox Exp $
|
||||
.\" $Id: dnssec-signzone.8,v 1.47.44.4 2009/06/09 01:47:19 each Exp $
|
||||
.\"
|
||||
.hy 0
|
||||
.ad l
|
||||
.\" Title: dnssec\-signzone
|
||||
.\" Author:
|
||||
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
|
||||
.\" Date: June 05, 2009
|
||||
.\" Manual: BIND9
|
||||
.\" Source: BIND9
|
||||
.\"
|
||||
.TH "DNSSEC\-SIGNZONE" "8" "June 05, 2009" "BIND9" "BIND9"
|
||||
.\" disable hyphenation
|
||||
.nh
|
||||
.\" disable justification (adjust text to left margin only)
|
||||
.ad l
|
||||
.SH "NAME"
|
||||
dnssec\-signzone \- DNSSEC zone signing tool
|
||||
.\"Generated by db2man.xsl. Don't modify this, modify the source.
|
||||
.de Sh \" Subsection
|
||||
.br
|
||||
.if t .Sp
|
||||
.ne 5
|
||||
.PP
|
||||
\fB\\$1\fR
|
||||
.PP
|
||||
..
|
||||
.de Sp \" Vertical space (when we can't use .PP)
|
||||
.if t .sp .5v
|
||||
.if n .sp
|
||||
..
|
||||
.de Ip \" List item
|
||||
.br
|
||||
.ie \\n(.$>=3 .ne \\$3
|
||||
.el .ne 3
|
||||
.IP "\\$1" \\$2
|
||||
..
|
||||
.TH "DNSSEC-SIGNZONE" 8 "June 08, 2009" "" ""
|
||||
.SH NAME
|
||||
dnssec-signzone \- DNSSEC zone signing tool
|
||||
.SH "SYNOPSIS"
|
||||
.HP 16
|
||||
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
|
||||
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-d\ \fIdirectory\fR\fR] [\fB\-e\ \fIend\-time\fR\fR] [\fB\-f\ \fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fIkey\fR\fR] [\fB\-l\ \fIdomain\fR\fR] [\fB\-i\ \fIinterval\fR\fR] [\fB\-I\ \fIinput\-format\fR\fR] [\fB\-j\ \fIjitter\fR\fR] [\fB\-N\ \fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fIorigin\fR\fR] [\fB\-O\ \fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fIrandomdev\fR\fR] [\fB\-s\ \fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fIsalt\fR\fR] [\fB\-H\ \fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBdnssec\-signzone\fR
|
||||
signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
|
||||
\fIkeyset\fR
|
||||
file for each child zone.
|
||||
\fBdnssec\-signzone\fR signs a zone\&. It generates NSEC and RRSIG records and produces a signed version of the zone\&. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a \fIkeyset\fR file for each child zone\&.
|
||||
.SH "OPTIONS"
|
||||
.PP
|
||||
.TP
|
||||
\-a
|
||||
.RS 4
|
||||
Verify all generated signatures.
|
||||
.RE
|
||||
.PP
|
||||
Verify all generated signatures\&.
|
||||
.TP
|
||||
\-c \fIclass\fR
|
||||
.RS 4
|
||||
Specifies the DNS class of the zone.
|
||||
.RE
|
||||
.PP
|
||||
\-C
|
||||
.RS 4
|
||||
Compatibility mode: Generate a
|
||||
\fIkeyset\-\fR\fI\fIzonename\fR\fR
|
||||
file in addition to
|
||||
\fIdsset\-\fR\fI\fIzonename\fR\fR
|
||||
when signing a zone, for use by older versions of
|
||||
\fBdnssec\-signzone\fR.
|
||||
.RE
|
||||
.PP
|
||||
\-d \fIdirectory\fR
|
||||
.RS 4
|
||||
Look for
|
||||
\fIdsset\-\fR
|
||||
or
|
||||
\fIkeyset\-\fR
|
||||
files in
|
||||
\fBdirectory\fR.
|
||||
.RE
|
||||
.PP
|
||||
\-E \fIengine\fR
|
||||
.RS 4
|
||||
Uses a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance signing with private keys from a secure key store. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
|
||||
.RE
|
||||
.PP
|
||||
\-g
|
||||
.RS 4
|
||||
Generate DS records for child zones from
|
||||
\fIdsset\-\fR
|
||||
or
|
||||
\fIkeyset\-\fR
|
||||
file. Existing DS records will be removed.
|
||||
.RE
|
||||
.PP
|
||||
\-K \fIdirectory\fR
|
||||
.RS 4
|
||||
Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory.
|
||||
.RE
|
||||
.PP
|
||||
Specifies the DNS class of the zone\&.
|
||||
.TP
|
||||
\-k \fIkey\fR
|
||||
.RS 4
|
||||
Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
|
||||
.RE
|
||||
.PP
|
||||
Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&.
|
||||
.TP
|
||||
\-l \fIdomain\fR
|
||||
.RS 4
|
||||
Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
|
||||
.RE
|
||||
.PP
|
||||
Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&.
|
||||
.TP
|
||||
\-d \fIdirectory\fR
|
||||
Look for \fIkeyset\fR files in \fBdirectory\fR as the directory
|
||||
.TP
|
||||
\-g
|
||||
Generate DS records for child zones from keyset files\&. Existing DS records will be removed\&.
|
||||
.TP
|
||||
\-s \fIstart\-time\fR
|
||||
.RS 4
|
||||
Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
|
||||
\fBstart\-time\fR
|
||||
is specified, the current time minus 1 hour (to allow for clock skew) is used.
|
||||
.RE
|
||||
.PP
|
||||
Specify the date and time when the generated RRSIG records become valid\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000\&. A relative start time is indicated by +N, which is N seconds from the current time\&. If no \fBstart\-time\fR is specified, the current time minus 1 hour (to allow for clock skew) is used\&.
|
||||
.TP
|
||||
\-e \fIend\-time\fR
|
||||
.RS 4
|
||||
Specify the date and time when the generated RRSIG records expire. As with
|
||||
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
|
||||
\fBend\-time\fR
|
||||
is specified, 30 days from the start time is used as a default.
|
||||
\fBend\-time\fR
|
||||
must be later than
|
||||
\fBstart\-time\fR.
|
||||
.RE
|
||||
.PP
|
||||
Specify the date and time when the generated RRSIG records expire\&. As with \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no \fBend\-time\fR is specified, 30 days from the start time is used as a default\&.
|
||||
.TP
|
||||
\-f \fIoutput\-file\fR
|
||||
.RS 4
|
||||
The name of the output file containing the signed zone. The default is to append
|
||||
\fI.signed\fR
|
||||
to the input filename.
|
||||
.RE
|
||||
.PP
|
||||
The name of the output file containing the signed zone\&. The default is to append \fI\&.signed\fR to the input filename\&.
|
||||
.TP
|
||||
\-h
|
||||
.RS 4
|
||||
Prints a short summary of the options and arguments to
|
||||
\fBdnssec\-signzone\fR.
|
||||
.RE
|
||||
.PP
|
||||
Prints a short summary of the options and arguments to \fBdnssec\-signzone\fR\&.
|
||||
.TP
|
||||
\-i \fIinterval\fR
|
||||
.RS 4
|
||||
When a previously\-signed zone is passed as input, records may be resigned. The
|
||||
\fBinterval\fR
|
||||
option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
|
||||
.sp
|
||||
The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
|
||||
\fBend\-time\fR
|
||||
or
|
||||
\fBstart\-time\fR
|
||||
are specified,
|
||||
\fBdnssec\-signzone\fR
|
||||
generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
|
||||
.RE
|
||||
.PP
|
||||
When a previously\-signed zone is passed as input, records may be resigned\&. The \fBinterval\fR option specifies the cycle interval as an offset from the current time (in seconds)\&. If a RRSIG record expires after the cycle interval, it is retained\&. Otherwise, it is considered to be expiring soon, and it will be replaced\&.
|
||||
The default cycle interval is one quarter of the difference between the signature end and start times\&. So if neither \fBend\-time\fR or \fBstart\-time\fR are specified, \fBdnssec\-signzone\fR generates signatures that are valid for 30 days, with a cycle interval of 7\&.5 days\&. Therefore, if any existing RRSIG records are due to expire in less than 7\&.5 days, they would be replaced\&.
|
||||
.TP
|
||||
\-I \fIinput\-format\fR
|
||||
.RS 4
|
||||
The format of the input zone file. Possible formats are
|
||||
\fB"text"\fR
|
||||
(default) and
|
||||
\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
|
||||
.RE
|
||||
.PP
|
||||
The format of the input zone file\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly\&. The use of this option does not make much sense for non\-dynamic zones\&.
|
||||
.TP
|
||||
\-j \fIjitter\fR
|
||||
.RS 4
|
||||
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
|
||||
\fBjitter\fR
|
||||
option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
|
||||
.sp
|
||||
Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
|
||||
.RE
|
||||
.PP
|
||||
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously\&. If the zone is incrementally signed, i\&.e\&. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time\&. The \fBjitter\fR option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time\&.
|
||||
Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i\&.e\&. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time\&.
|
||||
.TP
|
||||
\-n \fIncpus\fR
|
||||
.RS 4
|
||||
Specifies the number of threads to use. By default, one thread is started for each detected CPU.
|
||||
.RE
|
||||
.PP
|
||||
Specifies the number of threads to use\&. By default, one thread is started for each detected CPU\&.
|
||||
.TP
|
||||
\-N \fIsoa\-serial\-format\fR
|
||||
.RS 4
|
||||
The SOA serial number format of the signed zone. Possible formats are
|
||||
The SOA serial number format of the signed zone\&. Possible formats are \fB"keep"\fR (default), \fB"increment"\fR and \fB"unixtime"\fR\&.
|
||||
.RS
|
||||
.TP
|
||||
\fB"keep"\fR
|
||||
(default),
|
||||
Do not modify the SOA serial number\&.
|
||||
.TP
|
||||
\fB"increment"\fR
|
||||
and
|
||||
\fB"unixtime"\fR.
|
||||
.RS 4
|
||||
.PP
|
||||
\fB"keep"\fR
|
||||
.RS 4
|
||||
Do not modify the SOA serial number.
|
||||
.RE
|
||||
.PP
|
||||
\fB"increment"\fR
|
||||
.RS 4
|
||||
Increment the SOA serial number using RFC 1982 arithmetics.
|
||||
.RE
|
||||
.PP
|
||||
Increment the SOA serial number using RFC 1982 arithmetics\&.
|
||||
.TP
|
||||
\fB"unixtime"\fR
|
||||
.RS 4
|
||||
Set the SOA serial number to the number of seconds since epoch.
|
||||
Set the SOA serial number to the number of seconds since epoch\&.
|
||||
.RE
|
||||
.RE
|
||||
.RE
|
||||
.PP
|
||||
.IP
|
||||
.TP
|
||||
\-o \fIorigin\fR
|
||||
.RS 4
|
||||
The zone origin. If not specified, the name of the zone file is assumed to be the origin.
|
||||
.RE
|
||||
.PP
|
||||
The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
|
||||
.TP
|
||||
\-O \fIoutput\-format\fR
|
||||
.RS 4
|
||||
The format of the output file containing the signed zone. Possible formats are
|
||||
\fB"text"\fR
|
||||
(default) and
|
||||
\fB"raw"\fR.
|
||||
.RE
|
||||
.PP
|
||||
The format of the output file containing the signed zone\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&.
|
||||
.TP
|
||||
\-p
|
||||
.RS 4
|
||||
Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
|
||||
.RE
|
||||
.PP
|
||||
\-P
|
||||
.RS 4
|
||||
Disable post sign verification tests.
|
||||
.sp
|
||||
The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.
|
||||
.RE
|
||||
.PP
|
||||
Use pseudo\-random data when signing the zone\&. This is faster, but less secure, than using real random data\&. This option may be useful when signing large zones or when the entropy source is limited\&.
|
||||
.TP
|
||||
\-r \fIrandomdev\fR
|
||||
.RS 4
|
||||
Specifies the source of randomness. If the operating system does not provide a
|
||||
\fI/dev/random\fR
|
||||
or equivalent device, the default source of randomness is keyboard input.
|
||||
\fIrandomdev\fR
|
||||
specifies the name of a character device or file containing random data to be used instead of the default. The special value
|
||||
\fIkeyboard\fR
|
||||
indicates that keyboard input should be used.
|
||||
.RE
|
||||
.PP
|
||||
\-S
|
||||
.RS 4
|
||||
Smart signing: Instructs
|
||||
\fBdnssec\-signzone\fR
|
||||
to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.
|
||||
.sp
|
||||
When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:
|
||||
.RS 4
|
||||
.PP
|
||||
.RS 4
|
||||
If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone.
|
||||
.RE
|
||||
.PP
|
||||
.RS 4
|
||||
If the key's publication date is set and is in the past, the key is published in the zone.
|
||||
.RE
|
||||
.PP
|
||||
.RS 4
|
||||
If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone.
|
||||
.RE
|
||||
.PP
|
||||
.RS 4
|
||||
If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone.
|
||||
.RE
|
||||
.PP
|
||||
.RS 4
|
||||
If either of the key's unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata.
|
||||
.RE
|
||||
.RE
|
||||
.RE
|
||||
.PP
|
||||
\-T \fIttl\fR
|
||||
.RS 4
|
||||
Specifies the TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the minimum TTL value from the zone's SOA record. This option is ignored when signing without
|
||||
\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match them.
|
||||
.RE
|
||||
.PP
|
||||
Specifies the source of randomness\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&.
|
||||
.TP
|
||||
\-t
|
||||
.RS 4
|
||||
Print statistics at completion.
|
||||
.RE
|
||||
.PP
|
||||
\-u
|
||||
.RS 4
|
||||
Update NSEC/NSEC3 chain when re\-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option,
|
||||
\fBdnssec\-signzone\fR
|
||||
will retain the existing chain when re\-signing.
|
||||
.RE
|
||||
.PP
|
||||
Print statistics at completion\&.
|
||||
.TP
|
||||
\-v \fIlevel\fR
|
||||
.RS 4
|
||||
Sets the debugging level.
|
||||
.RE
|
||||
.PP
|
||||
\-x
|
||||
.RS 4
|
||||
Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys. (This is similar to the
|
||||
\fBdnskey\-ksk\-only yes;\fR
|
||||
zone option in
|
||||
\fBnamed\fR.)
|
||||
.RE
|
||||
.PP
|
||||
Sets the debugging level\&.
|
||||
.TP
|
||||
\-z
|
||||
.RS 4
|
||||
Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the
|
||||
\fBupdate\-check\-ksk no;\fR
|
||||
zone option in
|
||||
\fBnamed\fR.)
|
||||
.RE
|
||||
.PP
|
||||
Ignore KSK flag on key when determining what to sign\&.
|
||||
.TP
|
||||
\-3 \fIsalt\fR
|
||||
.RS 4
|
||||
Generate an NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
|
||||
.RE
|
||||
.PP
|
||||
Generate a NSEC3 chain with the given hex encoded salt\&. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain\&.
|
||||
.TP
|
||||
\-H \fIiterations\fR
|
||||
.RS 4
|
||||
When generating an NSEC3 chain, use this many interations. The default is 10.
|
||||
.RE
|
||||
.PP
|
||||
When generating a NSEC3 chain use this many interations\&. The default is 100\&.
|
||||
.TP
|
||||
\-A
|
||||
.RS 4
|
||||
When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
|
||||
.sp
|
||||
Using this option twice (i.e.,
|
||||
\fB\-AA\fR) turns the OPTOUT flag off for all records. This is useful when using the
|
||||
\fB\-u\fR
|
||||
option to modify an NSEC3 chain which previously had OPTOUT set.
|
||||
.RE
|
||||
.PP
|
||||
When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations\&.
|
||||
.TP
|
||||
zonefile
|
||||
.RS 4
|
||||
The file containing the zone to be signed.
|
||||
.RE
|
||||
.PP
|
||||
The file containing the zone to be signed\&.
|
||||
.TP
|
||||
key
|
||||
.RS 4
|
||||
Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
|
||||
.RE
|
||||
Specify which keys should be used to sign the zone\&. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex\&. If these are found and there are matching private keys, in the current directory, then these will be used for signing\&.
|
||||
.SH "EXAMPLE"
|
||||
.PP
|
||||
The following command signs the
|
||||
\fBexample.com\fR
|
||||
zone with the DSA key generated by
|
||||
\fBdnssec\-keygen\fR
|
||||
(Kexample.com.+003+17247). Because the
|
||||
\fB\-S\fR
|
||||
option is not being used, the zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
|
||||
\fIdsset\fR
|
||||
files, in the current directory, so that DS records can be imported from them (\fB\-g\fR).
|
||||
.sp
|
||||
.RS 4
|
||||
The following command signs the \fBexample\&.com\fR zone with the DSA key generated by \fBdnssec\-keygen\fR (Kexample\&.com\&.+003+17247)\&. The zone's keys must be in the master file (\fIdb\&.example\&.com\fR)\&. This invocation looks for \fIkeyset\fR files, in the current directory, so that DS records can be generated from them (\fB\-g\fR)\&.
|
||||
.nf
|
||||
% dnssec\-signzone \-g \-o example.com db.example.com \\
|
||||
Kexample.com.+003+17247
|
||||
db.example.com.signed
|
||||
% dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \\
|
||||
Kexample\&.com\&.+003+17247
|
||||
db\&.example\&.com\&.signed
|
||||
%
|
||||
.fi
|
||||
.RE
|
||||
.PP
|
||||
In the above example,
|
||||
\fBdnssec\-signzone\fR
|
||||
creates the file
|
||||
\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
|
||||
\fInamed.conf\fR
|
||||
file.
|
||||
In the above example, \fBdnssec\-signzone\fR creates the file \fIdb\&.example\&.com\&.signed\fR\&. This file should be referenced in a zone statement in a \fInamed\&.conf\fR file\&.
|
||||
.PP
|
||||
This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
|
||||
.sp
|
||||
.RS 4
|
||||
This example re\-signs a previously signed zone with default parameters\&. The private keys are assumed to be in the current directory\&.
|
||||
.nf
|
||||
% cp db.example.com.signed db.example.com
|
||||
% dnssec\-signzone \-o example.com db.example.com
|
||||
db.example.com.signed
|
||||
% cp db\&.example\&.com\&.signed db\&.example\&.com
|
||||
% dnssec\-signzone \-o example\&.com db\&.example\&.com
|
||||
db\&.example\&.com\&.signed
|
||||
%
|
||||
.fi
|
||||
.RE
|
||||
.SH "KNOWN BUGS"
|
||||
.PP
|
||||
\fBdnssec\-signzone\fR was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully\-signed zone\&. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially\-signed zone to a second machine, and sign it again with a second key\&.
|
||||
.PP
|
||||
An unfortunate side\-effect of this flexibility is that \fBdnssec\-signzone\fR does not check to make sure it's signing a zone with any valid keys at all\&. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures\&. There is no warning issued when a zone is not fully signed\&.
|
||||
.PP
|
||||
This will be corrected in a future release\&. In the meantime, ISC recommends examining the output of \fBdnssec\-signzone\fR to confirm that the zone is properly signed by all keys before using it\&.
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
\fBdnssec\-keygen\fR(8),
|
||||
BIND 9 Administrator Reference Manual,
|
||||
RFC 4033.
|
||||
\fBdnssec\-keygen\fR(8), BIND 9 Administrator Reference Manual, RFC 4033\&.
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Systems Consortium
|
||||
.SH "COPYRIGHT"
|
||||
Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
.br
|
||||
Copyright \(co 2000\-2003 Internet Software Consortium.
|
||||
.br
|
||||
Internet Systems Consortium
|
||||
|
||||
@@ -18,10 +18,10 @@
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-signzone.docbook,v 1.43 2009/11/03 21:44:46 each Exp $ -->
|
||||
<!-- $Id: dnssec-signzone.docbook,v 1.31.44.6 2009/06/09 01:47:19 each Exp $ -->
|
||||
<refentry id="man.dnssec-signzone">
|
||||
<refentryinfo>
|
||||
<date>June 05, 2009</date>
|
||||
<date>June 08, 2009</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
@@ -60,12 +60,10 @@
|
||||
<arg><option>-a</option></arg>
|
||||
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
|
||||
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
|
||||
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
|
||||
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
|
||||
<arg><option>-g</option></arg>
|
||||
<arg><option>-h</option></arg>
|
||||
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
|
||||
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
|
||||
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
|
||||
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
|
||||
@@ -75,15 +73,10 @@
|
||||
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
|
||||
<arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
|
||||
<arg><option>-p</option></arg>
|
||||
<arg><option>-P</option></arg>
|
||||
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
|
||||
<arg><option>-S</option></arg>
|
||||
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
|
||||
<arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
|
||||
<arg><option>-t</option></arg>
|
||||
<arg><option>-u</option></arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg><option>-x</option></arg>
|
||||
<arg><option>-z</option></arg>
|
||||
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
|
||||
<arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
|
||||
@@ -127,63 +120,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-C</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Compatibility mode: Generate a
|
||||
<filename>keyset-<replaceable>zonename</replaceable></filename>
|
||||
file in addition to
|
||||
<filename>dsset-<replaceable>zonename</replaceable></filename>
|
||||
when signing a zone, for use by older versions of
|
||||
<command>dnssec-signzone</command>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-d <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Look for <filename>dsset-</filename> or
|
||||
<filename>keyset-</filename> files in <option>directory</option>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-E <replaceable class="parameter">engine</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Uses a crypto hardware (OpenSSL engine) for the crypto operations
|
||||
it supports, for instance signing with private keys from
|
||||
a secure key store. When compiled with PKCS#11 support
|
||||
it defaults to pkcs11; the empty name resets it to no engine.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-g</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Generate DS records for child zones from
|
||||
<filename>dsset-</filename> or <filename>keyset-</filename>
|
||||
file. Existing DS records will be removed.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-K <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Key repository: Specify a directory to search for DNSSEC keys.
|
||||
If not specified, defaults to the current directory.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-k <replaceable class="parameter">key</replaceable></term>
|
||||
<listitem>
|
||||
@@ -204,6 +140,26 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-d <replaceable class="parameter">directory</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Look for <filename>keyset</filename> files in
|
||||
<option>directory</option> as the directory
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-g</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Generate DS records for child zones from keyset files.
|
||||
Existing DS records will be removed.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-s <replaceable class="parameter">start-time</replaceable></term>
|
||||
<listitem>
|
||||
@@ -231,8 +187,6 @@
|
||||
the start time. A time relative to the current time is
|
||||
indicated with now+N. If no <option>end-time</option> is
|
||||
specified, 30 days from the start time is used as a default.
|
||||
<option>end-time</option> must be later than
|
||||
<option>start-time</option>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -405,22 +359,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-P</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Disable post sign verification tests.
|
||||
</para>
|
||||
<para>
|
||||
The post sign verification test ensures that for each algorithm
|
||||
in use there is at least one non revoked self signed KSK key,
|
||||
that all revoked KSK keys are self signed, and that all records
|
||||
in the zone are signed by the algorithm.
|
||||
This option skips these tests.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
|
||||
<listitem>
|
||||
@@ -438,89 +376,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-S</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Smart signing: Instructs <command>dnssec-signzone</command> to
|
||||
search the key repository for keys that match the zone being
|
||||
signed, and to include them in the zone if appropriate.
|
||||
</para>
|
||||
<para>
|
||||
When a key is found, its timing metadata is examined to
|
||||
determine how it should be used, according to the following
|
||||
rules. Each successive rule takes priority over the prior
|
||||
ones:
|
||||
</para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<listitem>
|
||||
<para>
|
||||
If no timing metadata has been set for the key, the key is
|
||||
published in the zone and used to sign the zone.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<listitem>
|
||||
<para>
|
||||
If the key's publication date is set and is in the past, the
|
||||
key is published in the zone.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<listitem>
|
||||
<para>
|
||||
If the key's activation date is set and in the past, the
|
||||
key is published (regardless of publication date) and
|
||||
used to sign the zone.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<listitem>
|
||||
<para>
|
||||
If the key's revocation date is set and in the past, and the
|
||||
key is published, then the key is revoked, and the revoked key
|
||||
is used to sign the zone.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<listitem>
|
||||
<para>
|
||||
If either of the key's unpublication or deletion dates are set
|
||||
and in the past, the key is NOT published or used to sign the
|
||||
zone, regardless of any other metadata.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-T <replaceable class="parameter">ttl</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the TTL to be used for new DNSKEY records imported
|
||||
into the zone from the key repository. If not specified,
|
||||
the default is the minimum TTL value from the zone's SOA
|
||||
record. This option is ignored when signing without
|
||||
<option>-S</option>, since DNSKEY records are not imported
|
||||
from the key repository in that case. It is also ignored if
|
||||
there are any pre-existing DNSKEY records at the zone apex,
|
||||
in which case new records' TTL values will be set to match
|
||||
them.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-t</term>
|
||||
<listitem>
|
||||
@@ -530,20 +385,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-u</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Update NSEC/NSEC3 chain when re-signing a previously signed
|
||||
zone. With this option, a zone signed with NSEC can be
|
||||
switched to NSEC3, or a zone signed with NSEC3 can
|
||||
be switch to NSEC or to NSEC3 with different parameters.
|
||||
Without this option, <command>dnssec-signzone</command> will
|
||||
retain the existing chain when re-signing.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-v <replaceable class="parameter">level</replaceable></term>
|
||||
<listitem>
|
||||
@@ -553,27 +394,11 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-x</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Only sign the DNSKEY RRset with key-signing keys, and omit
|
||||
signatures from zone-signing keys. (This is similar to the
|
||||
<command>dnskey-ksk-only yes;</command> zone option in
|
||||
<command>named</command>.)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-z</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Ignore KSK flag on key when determining what to sign. This
|
||||
causes KSK-flagged keys to sign all records, not just the
|
||||
DNSKEY RRset. (This is similar to the
|
||||
<command>update-check-ksk no;</command> zone option in
|
||||
<command>named</command>.)
|
||||
Ignore KSK flag on key when determining what to sign.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -582,7 +407,7 @@
|
||||
<term>-3 <replaceable class="parameter">salt</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Generate an NSEC3 chain with the given hex encoded salt.
|
||||
Generate a NSEC3 chain with the given hex encoded salt.
|
||||
A dash (<replaceable class="parameter">salt</replaceable>) can
|
||||
be used to indicate that no salt is to be used when generating the NSEC3 chain.
|
||||
</para>
|
||||
@@ -593,8 +418,8 @@
|
||||
<term>-H <replaceable class="parameter">iterations</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
When generating an NSEC3 chain, use this many interations. The
|
||||
default is 10.
|
||||
When generating a NSEC3 chain use this many interations. The
|
||||
default is 100.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -603,16 +428,10 @@
|
||||
<term>-A</term>
|
||||
<listitem>
|
||||
<para>
|
||||
When generating an NSEC3 chain set the OPTOUT flag on all
|
||||
When generating a NSEC3 chain set the OPTOUT flag on all
|
||||
NSEC3 records and do not generate NSEC3 records for insecure
|
||||
delegations.
|
||||
</para>
|
||||
<para>
|
||||
Using this option twice (i.e., <option>-AA</option>)
|
||||
turns the OPTOUT flag off for all records. This is useful
|
||||
when using the <option>-u</option> option to modify an NSEC3
|
||||
chain which previously had OPTOUT set.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -646,11 +465,10 @@
|
||||
<para>
|
||||
The following command signs the <userinput>example.com</userinput>
|
||||
zone with the DSA key generated by <command>dnssec-keygen</command>
|
||||
(Kexample.com.+003+17247). Because the <command>-S</command> option
|
||||
is not being used, the zone's keys must be in the master file
|
||||
(<filename>db.example.com</filename>). This invocation looks
|
||||
for <filename>dsset</filename> files, in the current directory,
|
||||
so that DS records can be imported from them (<command>-g</command>).
|
||||
(Kexample.com.+003+17247). The zone's keys must be in the master
|
||||
file (<filename>db.example.com</filename>). This invocation looks
|
||||
for <filename>keyset</filename> files, in the current directory,
|
||||
so that DS records can be generated from them (<command>-g</command>).
|
||||
</para>
|
||||
<programlisting>% dnssec-signzone -g -o example.com db.example.com \
|
||||
Kexample.com.+003+17247
|
||||
@@ -672,6 +490,33 @@ db.example.com.signed
|
||||
%</programlisting>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>KNOWN BUGS</title>
|
||||
<para>
|
||||
<command>dnssec-signzone</command> was designed so that it could
|
||||
sign a zone partially, using only a subset of the DNSSEC keys
|
||||
needed to produce a fully-signed zone. This permits a zone
|
||||
administrator, for example, to sign a zone with one key on one
|
||||
machine, move the resulting partially-signed zone to a second
|
||||
machine, and sign it again with a second key.
|
||||
</para>
|
||||
<para>
|
||||
An unfortunate side-effect of this flexibility is that
|
||||
<command>dnssec-signzone</command> does not check to make sure
|
||||
it's signing a zone with any valid keys at all. An attempt to
|
||||
sign a zone without any keys will appear to succeed, producing
|
||||
a "signed" zone with no signatures. There is no warning issued
|
||||
when a zone is not fully signed.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
This will be corrected in a future release. In the meantime, ISC
|
||||
recommends examining the output of <command>dnssec-signzone</command>
|
||||
to confirm that the zone is properly signed by all keys before
|
||||
using it.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>SEE ALSO</title>
|
||||
<para><citerefentry>
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and/or distribute this software for any
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
@@ -14,12 +14,12 @@
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
<!-- $Id: dnssec-signzone.html,v 1.44 2009/11/03 21:58:30 tbox Exp $ -->
|
||||
<!-- $Id: dnssec-signzone.html,v 1.33.44.4 2009/06/09 01:47:19 each Exp $ -->
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<title>dnssec-signzone</title>
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
|
||||
<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
|
||||
</head>
|
||||
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
|
||||
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
|
||||
@@ -29,10 +29,10 @@
|
||||
</div>
|
||||
<div class="refsynopsisdiv">
|
||||
<h2>Synopsis</h2>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] 
[<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
|
||||
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543596"></a><h2>DESCRIPTION</h2>
|
||||
<a name="id215236"></a><h2>DESCRIPTION</h2>
|
||||
<p><span><strong class="command">dnssec-signzone</strong></span>
|
||||
signs a zone. It generates
|
||||
NSEC and RRSIG records and produces a signed version of the
|
||||
@@ -43,7 +43,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2543611"></a><h2>OPTIONS</h2>
|
||||
<a name="id215253"></a><h2>OPTIONS</h2>
|
||||
<div class="variablelist"><dl>
|
||||
<dt><span class="term">-a</span></dt>
|
||||
<dd><p>
|
||||
@@ -53,38 +53,6 @@
|
||||
<dd><p>
|
||||
Specifies the DNS class of the zone.
|
||||
</p></dd>
|
||||
<dt><span class="term">-C</span></dt>
|
||||
<dd><p>
|
||||
Compatibility mode: Generate a
|
||||
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
|
||||
file in addition to
|
||||
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
|
||||
when signing a zone, for use by older versions of
|
||||
<span><strong class="command">dnssec-signzone</strong></span>.
|
||||
</p></dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Look for <code class="filename">dsset-</code> or
|
||||
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
|
||||
</p></dd>
|
||||
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
|
||||
<dd><p>
|
||||
Uses a crypto hardware (OpenSSL engine) for the crypto operations
|
||||
it supports, for instance signing with private keys from
|
||||
a secure key store. When compiled with PKCS#11 support
|
||||
it defaults to pkcs11; the empty name resets it to no engine.
|
||||
</p></dd>
|
||||
<dt><span class="term">-g</span></dt>
|
||||
<dd><p>
|
||||
Generate DS records for child zones from
|
||||
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
|
||||
file. Existing DS records will be removed.
|
||||
</p></dd>
|
||||
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Key repository: Specify a directory to search for DNSSEC keys.
|
||||
If not specified, defaults to the current directory.
|
||||
</p></dd>
|
||||
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
|
||||
<dd><p>
|
||||
Treat specified key as a key signing key ignoring any
|
||||
@@ -95,6 +63,16 @@
|
||||
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
|
||||
The domain is appended to the name of the records.
|
||||
</p></dd>
|
||||
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
|
||||
<dd><p>
|
||||
Look for <code class="filename">keyset</code> files in
|
||||
<code class="option">directory</code> as the directory
|
||||
</p></dd>
|
||||
<dt><span class="term">-g</span></dt>
|
||||
<dd><p>
|
||||
Generate DS records for child zones from keyset files.
|
||||
Existing DS records will be removed.
|
||||
</p></dd>
|
||||
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specify the date and time when the generated RRSIG records
|
||||
@@ -115,8 +93,6 @@
|
||||
the start time. A time relative to the current time is
|
||||
indicated with now+N. If no <code class="option">end-time</code> is
|
||||
specified, 30 days from the start time is used as a default.
|
||||
<code class="option">end-time</code> must be later than
|
||||
<code class="option">start-time</code>.
|
||||
</p></dd>
|
||||
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
|
||||
<dd><p>
|
||||
@@ -226,19 +202,6 @@
|
||||
may be useful when signing large zones or when the entropy
|
||||
source is limited.
|
||||
</p></dd>
|
||||
<dt><span class="term">-P</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
Disable post sign verification tests.
|
||||
</p>
|
||||
<p>
|
||||
The post sign verification test ensures that for each algorithm
|
||||
in use there is at least one non revoked self signed KSK key,
|
||||
that all revoked KSK keys are self signed, and that all records
|
||||
in the zone are signed by the algorithm.
|
||||
This option skips these tests.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the source of randomness. If the operating
|
||||
@@ -251,119 +214,35 @@
|
||||
<code class="filename">keyboard</code> indicates that keyboard
|
||||
input should be used.
|
||||
</p></dd>
|
||||
<dt><span class="term">-S</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
|
||||
search the key repository for keys that match the zone being
|
||||
signed, and to include them in the zone if appropriate.
|
||||
</p>
|
||||
<p>
|
||||
When a key is found, its timing metadata is examined to
|
||||
determine how it should be used, according to the following
|
||||
rules. Each successive rule takes priority over the prior
|
||||
ones:
|
||||
</p>
|
||||
<div class="variablelist"><dl>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
If no timing metadata has been set for the key, the key is
|
||||
published in the zone and used to sign the zone.
|
||||
</p></dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
If the key's publication date is set and is in the past, the
|
||||
key is published in the zone.
|
||||
</p></dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
If the key's activation date is set and in the past, the
|
||||
key is published (regardless of publication date) and
|
||||
used to sign the zone.
|
||||
</p></dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
If the key's revocation date is set and in the past, and the
|
||||
key is published, then the key is revoked, and the revoked key
|
||||
is used to sign the zone.
|
||||
</p></dd>
|
||||
<dt></dt>
|
||||
<dd><p>
|
||||
If either of the key's unpublication or deletion dates are set
|
||||
and in the past, the key is NOT published or used to sign the
|
||||
zone, regardless of any other metadata.
|
||||
</p></dd>
|
||||
</dl></div>
|
||||
</dd>
|
||||
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
|
||||
<dd><p>
|
||||
Specifies the TTL to be used for new DNSKEY records imported
|
||||
into the zone from the key repository. If not specified,
|
||||
the default is the minimum TTL value from the zone's SOA
|
||||
record. This option is ignored when signing without
|
||||
<code class="option">-S</code>, since DNSKEY records are not imported
|
||||
from the key repository in that case. It is also ignored if
|
||||
there are any pre-existing DNSKEY records at the zone apex,
|
||||
in which case new records' TTL values will be set to match
|
||||
them.
|
||||
</p></dd>
|
||||
<dt><span class="term">-t</span></dt>
|
||||
<dd><p>
|
||||
Print statistics at completion.
|
||||
</p></dd>
|
||||
<dt><span class="term">-u</span></dt>
|
||||
<dd><p>
|
||||
Update NSEC/NSEC3 chain when re-signing a previously signed
|
||||
zone. With this option, a zone signed with NSEC can be
|
||||
switched to NSEC3, or a zone signed with NSEC3 can
|
||||
be switch to NSEC or to NSEC3 with different parameters.
|
||||
Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
|
||||
retain the existing chain when re-signing.
|
||||
</p></dd>
|
||||
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
|
||||
<dd><p>
|
||||
Sets the debugging level.
|
||||
</p></dd>
|
||||
<dt><span class="term">-x</span></dt>
|
||||
<dd><p>
|
||||
Only sign the DNSKEY RRset with key-signing keys, and omit
|
||||
signatures from zone-signing keys. (This is similar to the
|
||||
<span><strong class="command">dnskey-ksk-only yes;</strong></span> zone option in
|
||||
<span><strong class="command">named</strong></span>.)
|
||||
</p></dd>
|
||||
<dt><span class="term">-z</span></dt>
|
||||
<dd><p>
|
||||
Ignore KSK flag on key when determining what to sign. This
|
||||
causes KSK-flagged keys to sign all records, not just the
|
||||
DNSKEY RRset. (This is similar to the
|
||||
<span><strong class="command">update-check-ksk no;</strong></span> zone option in
|
||||
<span><strong class="command">named</strong></span>.)
|
||||
Ignore KSK flag on key when determining what to sign.
|
||||
</p></dd>
|
||||
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
|
||||
<dd><p>
|
||||
Generate an NSEC3 chain with the given hex encoded salt.
|
||||
Generate a NSEC3 chain with the given hex encoded salt.
|
||||
A dash (<em class="replaceable"><code>salt</code></em>) can
|
||||
be used to indicate that no salt is to be used when generating the NSEC3 chain.
|
||||
</p></dd>
|
||||
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
|
||||
<dd><p>
|
||||
When generating an NSEC3 chain, use this many interations. The
|
||||
default is 10.
|
||||
When generating a NSEC3 chain use this many interations. The
|
||||
default is 100.
|
||||
</p></dd>
|
||||
<dt><span class="term">-A</span></dt>
|
||||
<dd>
|
||||
<p>
|
||||
When generating an NSEC3 chain set the OPTOUT flag on all
|
||||
<dd><p>
|
||||
When generating a NSEC3 chain set the OPTOUT flag on all
|
||||
NSEC3 records and do not generate NSEC3 records for insecure
|
||||
delegations.
|
||||
</p>
|
||||
<p>
|
||||
Using this option twice (i.e., <code class="option">-AA</code>)
|
||||
turns the OPTOUT flag off for all records. This is useful
|
||||
when using the <code class="option">-u</code> option to modify an NSEC3
|
||||
chain which previously had OPTOUT set.
|
||||
</p>
|
||||
</dd>
|
||||
</p></dd>
|
||||
<dt><span class="term">zonefile</span></dt>
|
||||
<dd><p>
|
||||
The file containing the zone to be signed.
|
||||
@@ -379,15 +258,14 @@
|
||||
</dl></div>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2544896"></a><h2>EXAMPLE</h2>
|
||||
<a name="id216044"></a><h2>EXAMPLE</h2>
|
||||
<p>
|
||||
The following command signs the <strong class="userinput"><code>example.com</code></strong>
|
||||
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
|
||||
(Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
|
||||
is not being used, the zone's keys must be in the master file
|
||||
(<code class="filename">db.example.com</code>). This invocation looks
|
||||
for <code class="filename">dsset</code> files, in the current directory,
|
||||
so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
|
||||
(Kexample.com.+003+17247). The zone's keys must be in the master
|
||||
file (<code class="filename">db.example.com</code>). This invocation looks
|
||||
for <code class="filename">keyset</code> files, in the current directory,
|
||||
so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
|
||||
</p>
|
||||
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
|
||||
Kexample.com.+003+17247
|
||||
@@ -409,14 +287,39 @@ db.example.com.signed
|
||||
%</pre>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2545019"></a><h2>SEE ALSO</h2>
|
||||
<a name="id216098"></a><h2>KNOWN BUGS</h2>
|
||||
<p>
|
||||
<span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
|
||||
sign a zone partially, using only a subset of the DNSSEC keys
|
||||
needed to produce a fully-signed zone. This permits a zone
|
||||
administrator, for example, to sign a zone with one key on one
|
||||
machine, move the resulting partially-signed zone to a second
|
||||
machine, and sign it again with a second key.
|
||||
</p>
|
||||
<p>
|
||||
An unfortunate side-effect of this flexibility is that
|
||||
<span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
|
||||
it's signing a zone with any valid keys at all. An attempt to
|
||||
sign a zone without any keys will appear to succeed, producing
|
||||
a "signed" zone with no signatures. There is no warning issued
|
||||
when a zone is not fully signed.
|
||||
</p>
|
||||
<p>
|
||||
This will be corrected in a future release. In the meantime, ISC
|
||||
recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
|
||||
to confirm that the zone is properly signed by all keys before
|
||||
using it.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id216132"></a><h2>SEE ALSO</h2>
|
||||
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
|
||||
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
|
||||
<em class="citetitle">RFC 4033</em>.
|
||||
</p>
|
||||
</div>
|
||||
<div class="refsect1" lang="en">
|
||||
<a name="id2545044"></a><h2>AUTHOR</h2>
|
||||
<a name="id216155"></a><h2>AUTHOR</h2>
|
||||
<p><span class="corpauthor">Internet Systems Consortium</span>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssectool.c,v 1.58 2009/10/26 23:47:35 tbox Exp $ */
|
||||
/* $Id: dnssectool.c,v 1.45.334.4 2009/06/08 23:47:00 tbox Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -28,7 +28,6 @@
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/dir.h>
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/list.h>
|
||||
#include <isc/mem.h>
|
||||
@@ -66,7 +65,7 @@ void
|
||||
fatal(const char *format, ...) {
|
||||
va_list args;
|
||||
|
||||
fprintf(stderr, "%s: fatal: ", program);
|
||||
fprintf(stderr, "%s: ", program);
|
||||
va_start(args, format);
|
||||
vfprintf(stderr, format, args);
|
||||
va_end(args);
|
||||
@@ -111,16 +110,39 @@ type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
|
||||
r.base[r.length] = 0;
|
||||
}
|
||||
|
||||
void
|
||||
alg_format(const dns_secalg_t alg, char *cp, unsigned int size) {
|
||||
isc_buffer_t b;
|
||||
isc_region_t r;
|
||||
isc_result_t result;
|
||||
|
||||
isc_buffer_init(&b, cp, size - 1);
|
||||
result = dns_secalg_totext(alg, &b);
|
||||
check_result(result, "dns_secalg_totext()");
|
||||
isc_buffer_usedregion(&b, &r);
|
||||
r.base[r.length] = 0;
|
||||
}
|
||||
|
||||
void
|
||||
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
|
||||
char namestr[DNS_NAME_FORMATSIZE];
|
||||
char algstr[DNS_NAME_FORMATSIZE];
|
||||
|
||||
dns_name_format(&sig->signer, namestr, sizeof(namestr));
|
||||
dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
|
||||
alg_format(sig->algorithm, algstr, sizeof(algstr));
|
||||
snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
|
||||
}
|
||||
|
||||
void
|
||||
key_format(const dst_key_t *key, char *cp, unsigned int size) {
|
||||
char namestr[DNS_NAME_FORMATSIZE];
|
||||
char algstr[DNS_NAME_FORMATSIZE];
|
||||
|
||||
dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
|
||||
alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr));
|
||||
snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
|
||||
}
|
||||
|
||||
void
|
||||
setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
|
||||
isc_result_t result;
|
||||
@@ -243,92 +265,32 @@ cleanup_entropy(isc_entropy_t **ectx) {
|
||||
isc_entropy_detach(ectx);
|
||||
}
|
||||
|
||||
static isc_stdtime_t
|
||||
time_units(isc_stdtime_t offset, char *suffix, const char *str) {
|
||||
switch (suffix[0]) {
|
||||
case 'Y': case 'y':
|
||||
return (offset * (365 * 24 * 3600));
|
||||
case 'M': case 'm':
|
||||
switch (suffix[1]) {
|
||||
case 'O': case 'o':
|
||||
return (offset * (30 * 24 * 3600));
|
||||
case 'I': case 'i':
|
||||
return (offset * 60);
|
||||
case '\0':
|
||||
fatal("'%s' ambiguous: use 'mi' for minutes "
|
||||
"or 'mo' for months", str);
|
||||
default:
|
||||
fatal("time value %s is invalid", str);
|
||||
}
|
||||
/* NOTREACHED */
|
||||
break;
|
||||
case 'W': case 'w':
|
||||
return (offset * (7 * 24 * 3600));
|
||||
case 'D': case 'd':
|
||||
return (offset * (24 * 3600));
|
||||
case 'H': case 'h':
|
||||
return (offset * 3600);
|
||||
case 'S': case 's': case '\0':
|
||||
return (offset);
|
||||
default:
|
||||
fatal("time value %s is invalid", str);
|
||||
}
|
||||
/* NOTREACHED */
|
||||
return(0); /* silence compiler warning */
|
||||
}
|
||||
|
||||
dns_ttl_t
|
||||
strtottl(const char *str) {
|
||||
const char *orig = str;
|
||||
dns_ttl_t ttl;
|
||||
char *endp;
|
||||
|
||||
ttl = strtol(str, &endp, 0);
|
||||
if (ttl == 0 && endp == str)
|
||||
fatal("TTL must be numeric");
|
||||
ttl = time_units(ttl, endp, orig);
|
||||
return (ttl);
|
||||
}
|
||||
|
||||
isc_stdtime_t
|
||||
strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
|
||||
isc_int64_t val, offset;
|
||||
isc_result_t result;
|
||||
const char *orig = str;
|
||||
char *endp;
|
||||
|
||||
if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
|
||||
return ((isc_stdtime_t) 0);
|
||||
|
||||
if (strncmp(str, "now", 3) == 0) {
|
||||
base = now;
|
||||
str += 3;
|
||||
}
|
||||
|
||||
if (str[0] == '\0')
|
||||
return ((isc_stdtime_t) base);
|
||||
else if (str[0] == '+') {
|
||||
if (str[0] == '+') {
|
||||
offset = strtol(str + 1, &endp, 0);
|
||||
offset = time_units((isc_stdtime_t) offset, endp, orig);
|
||||
if (*endp != '\0')
|
||||
fatal("time value %s is invalid", str);
|
||||
val = base + offset;
|
||||
} else if (str[0] == '-') {
|
||||
offset = strtol(str + 1, &endp, 0);
|
||||
offset = time_units((isc_stdtime_t) offset, endp, orig);
|
||||
val = base - offset;
|
||||
} else if (strncmp(str, "now+", 4) == 0) {
|
||||
offset = strtol(str + 4, &endp, 0);
|
||||
if (*endp != '\0')
|
||||
fatal("time value %s is invalid", str);
|
||||
val = now + offset;
|
||||
} else if (strlen(str) == 8U) {
|
||||
char timestr[15];
|
||||
sprintf(timestr, "%s000000", str);
|
||||
result = dns_time64_fromtext(timestr, &val);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("time value %s is invalid: %s", orig,
|
||||
isc_result_totext(result));
|
||||
} else if (strlen(str) > 14U) {
|
||||
fatal("time value %s is invalid", orig);
|
||||
fatal("time value %s is invalid", str);
|
||||
} else {
|
||||
result = dns_time64_fromtext(str, &val);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("time value %s is invalid: %s", orig,
|
||||
isc_result_totext(result));
|
||||
fatal("time value %s is invalid", str);
|
||||
}
|
||||
|
||||
return ((isc_stdtime_t) val);
|
||||
@@ -349,56 +311,3 @@ strtoclass(const char *str) {
|
||||
fatal("unknown class %s", str);
|
||||
return (rdclass);
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
try_dir(const char *dirname) {
|
||||
isc_result_t result;
|
||||
isc_dir_t d;
|
||||
|
||||
isc_dir_init(&d);
|
||||
result = isc_dir_open(&d, dirname);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
isc_dir_close(&d);
|
||||
}
|
||||
return (result);
|
||||
}
|
||||
|
||||
/*
|
||||
* Check private key version compatibility.
|
||||
*/
|
||||
void
|
||||
check_keyversion(dst_key_t *key, char *keystr) {
|
||||
int major, minor;
|
||||
dst_key_getprivateformat(key, &major, &minor);
|
||||
INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
|
||||
|
||||
if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
|
||||
fatal("Key %s has incompatible format version %d.%d, "
|
||||
"use -f to force upgrade to new version.",
|
||||
keystr, major, minor);
|
||||
if (minor > DST_MINOR_VERSION)
|
||||
fatal("Key %s has incompatible format version %d.%d, "
|
||||
"use -f to force downgrade to current version.",
|
||||
keystr, major, minor);
|
||||
}
|
||||
|
||||
void
|
||||
set_keyversion(dst_key_t *key) {
|
||||
int major, minor;
|
||||
dst_key_getprivateformat(key, &major, &minor);
|
||||
INSIST(major <= DST_MAJOR_VERSION);
|
||||
|
||||
if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
|
||||
dst_key_setprivateformat(key, DST_MAJOR_VERSION,
|
||||
DST_MINOR_VERSION);
|
||||
|
||||
/*
|
||||
* If the key is from a version older than 1.3, set
|
||||
* set the creation date
|
||||
*/
|
||||
if (major < 1 || (major == 1 && minor <= 2)) {
|
||||
isc_stdtime_t now;
|
||||
isc_stdtime_get(&now);
|
||||
dst_key_settime(key, DST_TIME_CREATED, now);
|
||||
}
|
||||
}
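Review bot: In strtotime(), the `+` and `now+` branches check only the character after the number, so an offset with no digits (`+` or `now+` on its own) is accepted as 0, and a value that overflows `strtol()` is used as clamped. This reads the `now+` variant as the new side, which the hunk's 92-to-32 line count suggests but the page does not mark. I would set `errno = 0;` before each call and reject with `if (endp == str + 1 || *endp != '\0' || errno == ERANGE)` (`str + 4` in the `now+` branch), which needs `<errno.h>`. The offset is then added to `base` or `now` and cast to `isc_stdtime_t` on return with no range check, so a mistyped time should fail here rather than yield an unintended timestamp. The end of strtotime() lies outside the hunk.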
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for any
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssectool.h,v 1.29 2009/10/26 21:18:24 each Exp $ */
|
||||
/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */
|
||||
|
||||
#ifndef DNSSECTOOL_H
|
||||
#define DNSSECTOOL_H 1
|
||||
@@ -27,9 +27,8 @@
|
||||
|
||||
typedef void (fatalcallback_t)(void);
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE void
|
||||
fatal(const char *format, ...)
|
||||
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
|
||||
void
|
||||
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
|
||||
|
||||
void
|
||||
setfatalcallback(fatalcallback_t *callback);
|
||||
@@ -44,9 +43,17 @@ void
|
||||
type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
|
||||
#define TYPE_FORMATSIZE 20
|
||||
|
||||
void
|
||||
alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
|
||||
#define ALG_FORMATSIZE 10
|
||||
|
||||
void
|
||||
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
|
||||
#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
|
||||
#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
|
||||
|
||||
void
|
||||
key_format(const dst_key_t *key, char *cp, unsigned int size);
|
||||
#define KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
|
||||
|
||||
void
|
||||
setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
|
||||
@@ -60,20 +67,10 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
|
||||
void
|
||||
cleanup_entropy(isc_entropy_t **ectx);
|
||||
|
||||
dns_ttl_t strtottl(const char *str);
|
||||
|
||||
isc_stdtime_t
|
||||
strtotime(const char *str, isc_int64_t now, isc_int64_t base);
|
||||
|
||||
dns_rdataclass_t
|
||||
strtoclass(const char *str);
|
||||
|
||||
isc_result_t
|
||||
try_dir(const char *dirname);
|
||||
|
||||
void
|
||||
check_keyversion(dst_key_t *key, char *keystr);
|
||||
|
||||
void
|
||||
set_keyversion(dst_key_t *key);
|
||||
#endif /* DNSSEC_DNSSECTOOL_H */
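Review bot: The `fatal()` prototype on the new side is plain `void fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);`, with no no-return annotation, yet callers in dnssectool.c depend on it not returning. In strtotime(), the `strlen(str) > 14U` branch calls `fatal("time value %s is invalid", str);` and leaves `val` unset before `return ((isc_stdtime_t) val);`. Without the annotation, compilers and static analysers cannot see that this path ends, and a fatal callback that returns would reach the uninitialised read. If `ISC_PLATFORM_NORETURN_PRE` and `ISC_PLATFORM_NORETURN_POST` are available in this branch, keep them on the declaration. Otherwise add a comment above it such as `/* fatal() must not return: callers leave locals unset on error paths */`.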
|
||||
|
||||
@@ -43,7 +43,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddnssectool
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddnssectool
|
||||
# SUBTRACT CPP /X
|
||||
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
|
||||
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
|
||||
@@ -70,7 +70,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddnssectool
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddnssectool
|
||||
# SUBTRACT CPP /X
|
||||
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
|
||||
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
|
||||
|
||||
@@ -3,7 +3,7 @@ Microsoft Developer Studio Workspace File, Format Version 6.00
|
||||
|
||||
###############################################################################
|
||||
|
||||
Project: "dnssectool"=".\dnssectool.dsp" - Package Owner=<4>
|
||||
Project: "dighost"=".\dnssectool.dsp" - Package Owner=<4>
|
||||
|
||||
Package=<5>
|
||||
{{{
|
||||
|
||||
@@ -42,7 +42,7 @@ RSC=rc.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
|
||||
# ADD BASE RSC /l 0x409 /d "NDEBUG"
|
||||
# ADD RSC /l 0x409 /d "NDEBUG"
|
||||
BSC32=bscmake.exe
|
||||
@@ -66,7 +66,7 @@ LINK32=link.exe
|
||||
# PROP Ignore_Export_Lib 0
|
||||
# PROP Target_Dir ""
|
||||
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
|
||||
# SUBTRACT CPP /X /YX
|
||||
# ADD BASE RSC /l 0x409 /d "_DEBUG"
|
||||
# ADD RSC /l 0x409 /d "_DEBUG"
|
||||
|
||||
@@ -119,7 +119,7 @@ CLEAN :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP=cl.exe
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dsfromkey.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dsfromkey.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
|
||||
|
||||
.c{$(INTDIR)}.obj::
|
||||
$(CPP) @<<
|
||||
@@ -196,7 +196,7 @@ CLEAN :
|
||||
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
|
||||
|
||||
CPP=cl.exe
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
|
||||
|
||||
.c{$(INTDIR)}.obj::
|
||||
$(CPP) @<<
|
||||
|
||||