[v9_11] remove nslint, query-loc and zkt from contrib

4753.	[contrib]	Software obtainable from known upstream locations
			(i.e., zkt, nslint, query-loc) has been removed.
			Links to these and other packages can be found at
			https://www.isc.org/community/tools [RT #46182]

(cherry picked from commit 319aad330d)
Evan Hunt 2017-10-04 16:39:56 -07:00
parent a564a0a6d0
commit 24ffba17f0
169 changed files with 14 additions and 54495 deletions

@ -1,3 +1,8 @@
4753. [contrib] Software obtainable from known upstream locations
(i.e., zkt, nslint, query-loc) has been removed.
Links to these and other packages can be found at
https://www.isc.org/community/tools [RT #46182]
4752. [test] Add unit test for isc_net_pton. [RT #46171]
4749. [func] The ISC DLV service has been shut down, and all
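Review bot: the tools URL in the new 4753 entry (https://www.isc.org/community/tools, no trailing slash) differs from the form the contrib README hunk in this same commit adds (https://www.isc.org/community/tools/); pick one spelling for both so the ChangeLog and the README send readers to the same place. Placement above 4752 is as expected.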

@ -50,21 +50,17 @@ but reported bugs will be fixed as time permits.
Internationalized Domain Name processing.
- dnsperf-2.1.0.0-1/
- dnsperf-patches/
DNS server performance testing tools, like 'queryperf' but more
advanced: 'dnsperf' focuses on authoritative server performance
and 'resperf' on recursive server performance.
and 'resperf' on recursive server performance. The patch that
adds support for EDNS Client Subnet can be found in dnsperf-patches
directory.
- nslint-3.0a2
A lint-like tool for checking DNS files
- query-loc-0.4.0
A tool for retrieving location information stored in the DNS
- zkt-1.1.2
DNSSEC Zone Key Tools, an alternate method for managing keys
and signatures
Formerly, there was more software included in this directory, but we
have removed it in favour of using canonical upstream locations. You
can find the links to the nslint, query-loc and zkt, and other software
we find useful but do not necessarily support, at:
https://www.isc.org/community/tools/
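Review bot: two wording points in the new README text. "can be found in dnsperf-patches directory" wants an article ("in the dnsperf-patches directory"), and "the links to the nslint, query-loc and zkt, and other software" has a stray "the" before the tool names; suggest "You can find links to nslint, query-loc and zkt, and to other software we find useful but do not necessarily support, at:".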

@ -1,3 +0,0 @@
/gnuc.h
/nslint
/version.c
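Review bot: this and the following hunks are whole-file deletions of the vendored nslint tree (this ignore list of /gnuc.h, /nslint and /version.c, then CHANGES, FILES, INSTALL, Makefile.in, README, VERSION and aclocal.m4, matching the file list in the deleted INSTALL), so there is nothing to check line by line. What the page does not show is contrib's own build glue; confirm that no top-level configure or Makefile target still references nslint, query-loc or zkt, since the CHANGES entry states all three are gone.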

@ -1,208 +0,0 @@
@(#) $Id: CHANGES 250 2009-10-16 23:26:47Z leres $ (LBL)
v3.0 Fri Oct 16 16:26:04 PDT 2009
- Add IPv6 support.
v2.2 Fri Mar 13 22:29:52 PDT 2009
- Convert source tree to subversion
v2.1 Fri Feb 15 20:45:01 PST 2008
- Handle "srv" records.
- Fix some ttl parsing problems.
- Add "ignore" option
- Hack in support for "view"
- Check for duplicate "cname" records.
- Upgrade to autoconf 2.61
v2.0.2 Tue Mar 20 17:49:13 PST 2001
- Allow missing trailing dot in certain special cases.
- Include zone names when checking NS records.
- Document nslint.conf network keyword.
- Sort the network list so that we always pick the right network/mask
when the overlap.
v2.0.1 Tue Dec 14 11:24:31 PST 1999
- Handle $ttl.
- Fix some minor portability/compiler problems for OSF 4.
- Correctly detect mx records that point to themselves but not a
real "a" record.
- Fix file descriptor leak in doconf(). Thanks to Paul McIlfatrick
(paul.mcilfatrick@bt.com)
v2.0 Wed Dec 9 16:48:54 PST 1998
- Add support for BIND 8 named.conf file.
- Support protocols in addition to tcp and udp for WKS records.
Resulted from a bug report from Petter Reinholdtsen (pere@td.org.uit.no)
- Support dotted serial numbers in SOA records. Resulted from a
bug report from Frank Ederveen (frank@our.domaintje.com)
- Ignore unknown statements and options in named.boot and named.conf
(instead of issuing warnings).
- Handle '#' and C style named.conf comments.
- Handle optional "in" in named.conf zone statements. Reported by
DJ Coster (djc@discoverbrokerage.com)
- Add support for include directives in named.boot and named.conf.
- Redo differing ttls check and do mx records in addition to a
records. Change place where soa values gets zeroed so they don't
get clobbered when we use includes.
- Allow "@" abbr. for ptr, mx, cname and ns records.
- Detect cname referenced by another cname or mx record.
- Handle chaos records (to some minor extent).
v1.7 Tue Jul 22 14:26:21 PDT 1997
- Report differing ttls in A records. Check SOA records.
- Detect hosts with more than one ip address on a subnet.
v1.6.1 Sat Jun 7 03:12:01 PDT 1997
- Fix "unknown service" printf format.
- Fix off-by-one error in the ptr parsing code. Thanks to Andreas
Lamprecht (andreas.lamprecht@siemens.at)
- Fix broken $origin code.
v1.6 Mon Apr 7 19:09:52 PDT 1997
- Add support for classless delegation.
- Fix some case sensitive bugs.
- Report domain names outside the current zone.
- Fixed off-by-one bug that broke single character hostnames.
- Increase size of hash table.
- Make tcp and udp service name tables dynamic.
- Improved error message for garbage in /etc/services.
v1.5.1 Thu Jul 18 21:44:44 PDT 1996
- Use $CC when checking gcc version. Thanks to Carl Lindberg
(carl_lindberg@blacksmith.com)
- Raise size of hash table to 65K.
v1.5 Fri Jul 12 18:58:47 PDT 1996
- Detect extra octets and other garbage in PTR records.
- Handle multi-line WKS records.
- Allow multple WKS records (since we can have udp and tcp).
- Convert to autoconf.
- Declare optarg, optind and opterr extern. Thanks to Howard Moftich
(howardm@lsil.com).
- BS/DOS does not have malloc.h. Thanks to Jordan Hayes
(jordan@thinkbank.com).
- Correctly handle named.boot comments with leading whitespace.
- Handle fully specified in-addr.arpa records. Resulted from a bug
report from Joe Kelly (joe@gol.com).
- Fix endian problems. Thanks to Carl Lindberg (carl_lindberg@blacksmith.com).
- Fixed some mixed case problems.
- Update man page to describe how nslint.boot works.
v1.4 Sat Jun 3 23:38:14 PDT 1995
- Allow TXT records to exist with no other records.
- Full system prototypes.
- Complain about extra arguments.
- Detect MX record chains.
- Handle single line SOA records correctly. Thanks to Edward J. O'Brien
(ejobrie@sam.wal-mart.com)
v1.3 Wed Mar 8 17:27:20 PST 1995
- Add "allowdupa" record type for use with nslint.boot. This allows ip
addresses to have multiple A records.
- Fixed bug that caused dangling cname references to not be reported
properly. Thanks to Edward J. O'Brien (ejobrie@sam.wal-mart.com).
v1.2 Thu Sep 1 15:55:38 PDT 1994
- Allow hostnames with a leading numeric as per rfc1123. Thanks to Bill
Gianopoulos (wag@sccux1.msd.ray.com).
- Remove (undocumented) -u flag and allow uppercase.
- Support TXT records. Thanks to Paul Pomes (paul@uxc.cso.uiuc.edu).
- Support RP records.
- Ignore new bind keywords.
- Fix bug where we could exit with a zero status even though errors had
been detected
- Complain about hosts that have smtp/tcp WKS entries but no MX records.
- Add -B flag to handle PTR records that point outside the domains
listed in named.boot.
v1.1 Sun May 22 20:43:03 PDT 1994
- Allow ns records with no a records (the preferred way to go).
- Fix typos in the sawstr array.
- Use string.h instead of strings.h and add rindex(), index() and
bzero() macros for SYSV compatibility. Thanks to Bill King
(wrk@cle.ab.com).
- Handle $origin directives. Thanks to Bill Gianopoulos
(wag@sccux1.msd.ray.com).
- Fix add_domain() to work for the root. Thanks to Bill Gianopoulos.
- Handle quotes in hinfo records. Thanks to Bill Gianopoulos.
- Fix endian problems in parseinaddr() and parseptr().
- Check non in-addr.arpa names for cname conflicts.
v1.0 Thu Apr 21 11:02:59 PDT 1994
- Initial release.

@ -1,20 +0,0 @@
CHANGES
FILES
INSTALL
Makefile.in
README
VERSION
aclocal.m4
config.guess
config.sub
configure
configure.in
install-sh
lbl/gnuc.h
mkdep
nslint.8
nslint.c
savestr.c
savestr.h
strerror.c
version.h

@ -1,42 +0,0 @@
@(#) $Id: INSTALL 238 2009-03-14 05:43:37Z leres $ (LBL)
You will need an ANSI C compiler to build nslint. The configure
script will abort if your compiler is not ANSI compliant. If this
happens, use the GNU C compiler, available via anonymous ftp:
ftp://prep.ai.mit.edu/pub/gnu/gcc.tar.gz
If necessary, edit the BINDEST and MANDEST paths in Makefile.in
and run ./configure (a shell script). "configure" will determine
your system attributes and generate an appropriate Makefile from
Makefile.in. Now build nslint by running "make".
If everything builds ok, su and type "make install" (and optionally
"make install-man). This will install nslint and its manual entry.
If your system is not one which we have tested nslint on, you may
have to modify the configure script and Makefile.in. Please send
us patches for any modifications you need to make.
FILES
-----
CHANGES - description of differences between releases
FILES - list of files exported as part of the distribution
INSTALL - this file
Makefile.in - compilation rules (input to the configure script)
README - description of distribution
VERSION - version of this release
aclocal.m4 - autoconf macros
config.guess - autoconf support
config.sub - autoconf support
configure - configure script (run this first)
configure.in - configure script source
install-sh - BSD style install script
lbl/gnuc.h - gcc macros and defines
mkdep - construct Makefile dependency list
nslint.8 - manual entry
nslint.c - main program
savestr.c - strdup() replacement
savestr.h - savestr prototypes
strerror.c - missing routine
version.h - prototypes, defines and struct definitions

@ -1,135 +0,0 @@
# Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997, 2000, 2008, 2009
# The Regents of the University of California. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that: (1) source code distributions
# retain the above copyright notice and this paragraph in its entirety, (2)
# distributions including binary code include the above copyright notice and
# this paragraph in its entirety in the documentation or other materials
# provided with the distribution, and (3) all advertising materials mentioning
# features or use of this software display the following acknowledgement:
# ``This product includes software developed by the University of California,
# Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
# the University nor the names of its contributors may be used to endorse
# or promote products derived from this software without specific prior
# written permission.
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
# @(#) $Id: Makefile.in 242 2009-10-14 08:30:03Z leres $ (LBL)
#
# Various configurable paths (remember to edit Makefile.in, not Makefile)
#
# Top level hierarchy
prefix = @prefix@
exec_prefix = @exec_prefix@
# Pathname of directory to install the binary
BINDEST = @bindir@
# Pathname of directory to install the man page
MANDEST = @prefix@/man
# The root of the directory tree for read-only
datarootdir = @datarootdir@
# VPATH
srcdir = @srcdir@
VPATH = @srcdir@
#
# You shouldn't need to edit anything below here.
#
PROG = nslint
CC = @CC@
CCOPT = @V_CCOPT@
INCLS = @V_INCLS@
DEFS = @DEFS@
# Standard CFLAGS
CFLAGS = $(CCOPT) $(DEFS) $(INCLS)
# Standard LDFLAGS
LDFLAGS = @LDFLAGS@
# Standard LIBS
LIBS = @LIBS@
INSTALL = @INSTALL@
# Explicitly define compilation rule since SunOS 4's make doesn't like gcc.
# Also, gcc does not remove the .o before forking 'as', which can be a
# problem if you don't own the file but can write to the directory.
.c.o:
@rm -f $@
$(CC) $(CFLAGS) -c $(srcdir)/$*.c
CSRC = nslint.c savestr.c
GENSRC = version.c
SRC = $(CSRC) $(GENSRC)
# We would like to say "OBJS = $(SRC:.c=.o)" but Ultrix's make cannot
# hack the extra indirection
OBJS = $(CSRC:.c=.o) $(GENSRC:.c=.o) @LIBOBJS@
TAGHDR = \
/usr/include/sys/types.h \
/usr/include/netinet/in.h
TAGFILES = $(SRC) $(TAGHDR)
CLEANFILES = $(PROG) $(OBJS) $(GENSRC) purify $(OBJS:.o=_pure_*.o)
$(PROG): $(OBJS)
@rm -f $@
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
purify: $(OBJS)
@rm -f $@
purify $(CC) $(CFLAGS) $(LDFLAGS) -static -o purify $(OBJS) $(LIBS)
version.o: version.c
version.c: $(srcdir)/VERSION
@rm -f $@
sed -e 's/.*/char version[] = "&";/' $(srcdir)/VERSION > $@
install: force
$(INSTALL) -m 555 -o bin -g bin $(PROG) $(DESTDIR)$(BINDEST)/$(PROG)
@diff $(srcdir)/$(PROG).8 $(DESTDIR)$(MANDEST)/man8 >/dev/null 2>&1 || \
$(INSTALL) -m 444 -o bin -g bin $(srcdir)/$(PROG).8 $(DESTDIR)$(MANDEST)/man8/
clean: force
rm -f $(CLEANFILES)
distclean: force
rm -rf $(CLEANFILES) Makefile config.cache config.log config.status \
gnuc.h os-proto.h autom4te.cache
tags: $(TAGFILES)
ctags -wtd $(TAGFILES)
tar: force
@cwd=`pwd` ; name=$(PROG)-`cat VERSION` ; \
list="" ; tar="tar chf" ; temp="$$name.tar.gz" ; \
for i in `cat FILES` ; do list="$$list $$name/$$i" ; done; \
echo \
"rm -f $$name; ln -s . $$name" ; \
rm -f $$name; ln -s . $$name ; \
echo \
"$$tar - [lots of files] | gzip > $$temp" ; \
$$tar - $$list | gzip > $$temp ; \
echo \
"rm -f $$name" ; \
rm -f $$name
sign:
@name=${PROG}-`cat VERSION`.tar.gz; \
set -x; \
rm -f $${name}.asc; \
gpg --armor --detach-sign $${name}
force: /tmp
depend: $(GENSRC) force
./mkdep -c $(CC) $(DEFS) $(INCLS) $(SRC)

@ -1,14 +0,0 @@
@(#) $Id: README 237 2009-03-14 05:38:15Z leres $ (LBL)
NSLINT 2.0
Lawrence Berkeley National Laboratory
Network Research Group
nslint@ee.lbl.gov
ftp://ftp.ee.lbl.gov/nslint.tar.gz
This directory contains source code for nslint, a lint program for dns
files.
Please send bugs and comments to nslint@ee.lbl.gov.
- Craig Leres

@ -1 +0,0 @@
3.0a2

@ -1,978 +0,0 @@
dnl @(#) $Id: aclocal.m4 616 2009-10-10 00:08:08Z leres $ (LBL)
dnl
dnl Copyright (c) 2008, 2009
dnl The Regents of the University of California. All rights reserved.
dnl
dnl Redistribution and use in source and binary forms, with or without
dnl modification, are permitted provided that: (1) source code distributions
dnl retain the above copyright notice and this paragraph in its entirety, (2)
dnl distributions including binary code include the above copyright notice and
dnl this paragraph in its entirety in the documentation or other materials
dnl provided with the distribution, and (3) all advertising materials mentioning
dnl features or use of this software display the following acknowledgement:
dnl ``This product includes software developed by the University of California,
dnl Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
dnl the University nor the names of its contributors may be used to endorse
dnl or promote products derived from this software without specific prior
dnl written permission.
dnl THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
dnl WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
dnl MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
dnl
dnl LBL autoconf macros
dnl
dnl
dnl Determine which compiler we're using (cc or gcc)
dnl If using gcc, determine the version number
dnl If using cc, require that it support ansi prototypes
dnl If using gcc, use -O3 (otherwise use -O)
dnl If using cc, explicitly specify /usr/local/include
dnl
dnl usage:
dnl
dnl AC_LBL_C_INIT(copt, incls)
dnl
dnl results:
dnl
dnl $1 (copt set)
dnl $2 (incls set)
dnl CC
dnl LDFLAGS set
dnl
AC_DEFUN(AC_LBL_C_INIT,
[AC_PREREQ(2.12)
AC_ARG_ENABLE([optimization],
[AS_HELP_STRING([--disable-optimization],
[turn off gcc optimization])],
ac_cv_without_optimization=${withval})
AC_BEFORE([$0], [AC_PROG_CC])
AC_BEFORE([$0], [AC_LBL_FIXINCLUDES])
AC_BEFORE([$0], [AC_LBL_DEVEL])
AC_ARG_WITH(gcc, [ --without-gcc don't use gcc])
AC_USE_SYSTEM_EXTENSIONS
$1=""
if test "${ac_cv_without_optimization+set}" != set; then
$1="-O"
fi
$2=""
if test "${srcdir}" != "." ; then
$2="-I\$\(srcdir\)"
fi
if test -z "$CC" ; then
case "$target_os" in
bsdi*)
AC_CHECK_PROG(SHLICC2, shlicc2, yes, no)
if test $SHLICC2 = yes ; then
CC=shlicc2
export CC
fi
;;
esac
fi
if test -z "$CC" -a "$with_gcc" = no ; then
CC=cc
export CC
fi
AC_PROG_CC
AC_SYS_LARGEFILE
if test "$GCC" != yes ; then
AC_MSG_CHECKING(that $CC handles ansi prototypes)
AC_CACHE_VAL(ac_cv_lbl_cc_ansi_prototypes,
AC_TRY_COMPILE(
[#include <sys/types.h>],
[int frob(int, char *)],
ac_cv_lbl_cc_ansi_prototypes=yes,
ac_cv_lbl_cc_ansi_prototypes=no))
AC_MSG_RESULT($ac_cv_lbl_cc_ansi_prototypes)
if test $ac_cv_lbl_cc_ansi_prototypes = no ; then
case "$target_os" in
hpux*)
AC_MSG_CHECKING(for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE))
savedcflags="$CFLAGS"
CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS"
AC_CACHE_VAL(ac_cv_lbl_cc_hpux_cc_aa,
AC_TRY_COMPILE(
[#include <sys/types.h>],
[int frob(int, char *)],
ac_cv_lbl_cc_hpux_cc_aa=yes,
ac_cv_lbl_cc_hpux_cc_aa=no))
AC_MSG_RESULT($ac_cv_lbl_cc_hpux_cc_aa)
if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then
AC_MSG_ERROR(see the INSTALL doc for more info)
fi
CFLAGS="$savedcflags"
$1="-Aa $$1"
AC_DEFINE(_HPUX_SOURCE,,[HP-UX ansi compiler])
;;
*)
AC_MSG_ERROR(see the INSTALL doc for more info)
;;
esac
fi
$2="$$2 -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
case "$target_os" in
irix*)
$1="$$1 -xansi -signed -g3"
;;
osf*)
$1="$$1 -std1 -g3"
;;
ultrix*)
AC_MSG_CHECKING(that Ultrix $CC hacks const in prototypes)
AC_CACHE_VAL(ac_cv_lbl_cc_const_proto,
AC_TRY_COMPILE(
[#include <sys/types.h>],
[struct a { int b; };
void c(const struct a *)],
ac_cv_lbl_cc_const_proto=yes,
ac_cv_lbl_cc_const_proto=no))
AC_MSG_RESULT($ac_cv_lbl_cc_const_proto)
if test $ac_cv_lbl_cc_const_proto = no ; then
AC_DEFINE(const,,[ultrix can't hack const])
fi
;;
esac
fi
])
AC_LBL_ENABLE_CHECK(brov6 activemapping expire-dfa-states)
dnl
dnl This allows us to check for bogus configure enable/disable
dnl command line options
dnl
dnl usage:
dnl
dnl AC_LBL_ENABLE_CHECK(opt ...)
dnl
AC_DEFUN(AC_LBL_ENABLE_CHECK,
[set |
sed -n -e 's/^enable_\([[^=]]*\)=[[^=]]*$/\1/p' |
while read var; do
ok=0
for o in $1; do
if test "${o}" = "${var}" ; then
ok=1
break
fi
done
if test ${ok} -eq 0 ; then
# It's hard to kill configure script from subshell!
AC_MSG_ERROR(unknown enable option: ${var})
exit 1
fi
done
if test $? -ne 0 ; then
exit 1
fi])
dnl
dnl Use pfopen.c if available and pfopen() not in standard libraries
dnl Require libpcap
dnl Look for libpcap in ..
dnl Use the installed libpcap if there is no local version
dnl
dnl usage:
dnl
dnl AC_LBL_LIBPCAP(pcapdep, incls)
dnl
dnl results:
dnl
dnl $1 (pcapdep set)
dnl $2 (incls appended)
dnl LIBS
dnl LDFLAGS
dnl LBL_LIBS
dnl
AC_DEFUN(AC_LBL_LIBPCAP,
[AC_REQUIRE([AC_LBL_LIBRARY_NET])
dnl
dnl save a copy before locating libpcap.a
dnl
LBL_LIBS="$LIBS"
pfopen=/usr/examples/packetfilter/pfopen.c
if test -f $pfopen ; then
AC_CHECK_FUNCS(pfopen)
if test $ac_cv_func_pfopen = "no" ; then
AC_MSG_RESULT(Using $pfopen)
LIBS="$LIBS $pfopen"
fi
fi
AC_MSG_CHECKING(for local pcap library)
libpcap=FAIL
lastdir=FAIL
places=`ls .. | sed -e 's,/$,,' -e 's,^,../,' | \
egrep '/libpcap-[[0-9]]*\.[[0-9]]*(\.[[0-9]]*)?([[ab]][[0-9]]*)?$'`
for dir in $places ../libpcap libpcap ; do
basedir=`echo $dir | sed -e 's/[[ab]][[0-9]]*$//'`
if test $lastdir = $basedir ; then
dnl skip alphas when an actual release is present
continue;
fi
lastdir=$dir
if test -r $dir/pcap.c ; then
libpcap=$dir/libpcap.a
d=$dir
dnl continue and select the last one that exists
fi
done
if test "x$libpcap" = xFAIL ; then
AC_MSG_RESULT(not found)
AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
unset ac_cv_lib_pcap_pcap_open_live
if test "x$libpcap" = xFAIL ; then
CFLAGS="$CFLAGS -I/usr/local/include"
LIBS="$LIBS -L/usr/local/lib"
AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
unset ac_cv_lib_pcap_pcap_open_live
if test "x$libpcap" = xFAIL ; then
AC_MSG_ERROR(see the INSTALL doc for more info)
fi
$2="$$2 -I/usr/local/include"
fi
LIBS="$LIBS -lpcap"
else
$1=$libpcap
$2="-I$d $$2"
AC_MSG_RESULT($libpcap)
fi
if test "x$libpcap" != "x-lpcap" ; then
LIBS="$libpcap $LIBS"
fi
case "$target_os" in
aix*)
pseexe="/lib/pse.exp"
AC_MSG_CHECKING(for $pseexe)
if test -f $pseexe ; then
AC_MSG_RESULT(yes)
LIBS="$LIBS -I:$pseexe"
fi
;;
esac])
dnl
dnl Define RETSIGTYPE and RETSIGVAL
dnl
dnl usage:
dnl
dnl AC_LBL_TYPE_SIGNAL
dnl
dnl results:
dnl
dnl RETSIGTYPE (defined)
dnl RETSIGVAL (defined)
dnl
AC_DEFUN(AC_LBL_TYPE_SIGNAL,
[AC_BEFORE([$0], [AC_LBL_LIBPCAP])
AC_TYPE_SIGNAL
if test "$ac_cv_type_signal" = void ; then
AC_DEFINE(RETSIGVAL,,[signal function return value])
else
AC_DEFINE(RETSIGVAL,(0))
fi
case "$target_os" in
irix*)
AC_DEFINE(_BSD_SIGNALS,,[irix's BSD style signals])
;;
*)
dnl prefer sigset() to sigaction()
AC_CHECK_FUNCS(sigset)
if test $ac_cv_func_sigset = yes ; then
AC_DEFINE(signal,sigset,[use sigset() instead of signal()])
else
AC_CHECK_FUNCS(sigaction)
fi
;;
esac])
dnl
dnl If using gcc, make sure we have ANSI ioctl definitions
dnl
dnl usage:
dnl
dnl AC_LBL_FIXINCLUDES
dnl
AC_DEFUN(AC_LBL_FIXINCLUDES,
[if test "$GCC" = yes ; then
AC_MSG_CHECKING(for ANSI ioctl definitions)
AC_CACHE_VAL(ac_cv_lbl_gcc_fixincludes,
AC_TRY_COMPILE(
[/*
* This generates a "duplicate case value" when fixincludes
* has not be run.
*/
# include <sys/types.h>
# include <sys/time.h>
# include <sys/ioctl.h>
# ifdef HAVE_SYS_IOCCOM_H
# include <sys/ioccom.h>
# endif],
[switch (0) {
case _IO('A', 1):;
case _IO('B', 1):;
}],
ac_cv_lbl_gcc_fixincludes=yes,
ac_cv_lbl_gcc_fixincludes=no))
AC_MSG_RESULT($ac_cv_lbl_gcc_fixincludes)
if test $ac_cv_lbl_gcc_fixincludes = no ; then
# Don't cache failure
unset ac_cv_lbl_gcc_fixincludes
AC_MSG_ERROR(see the INSTALL for more info)
fi
fi])
dnl
dnl Check for flex, default to lex
dnl Require flex 2.4 or higher
dnl Check for bison, default to yacc
dnl Default to lex/yacc if both flex and bison are not available
dnl Define the yy prefix string if using flex and bison
dnl
dnl usage:
dnl
dnl AC_LBL_LEX_AND_YACC(lex, yacc, yyprefix)
dnl
dnl results:
dnl
dnl $1 (lex set)
dnl $2 (yacc appended)
dnl $3 (optional flex and bison -P prefix)
dnl
AC_DEFUN(AC_LBL_LEX_AND_YACC,
[AC_ARG_WITH(flex, [ --without-flex don't use flex])
AC_ARG_WITH(bison, [ --without-bison don't use bison])
if test "$with_flex" = no ; then
$1=lex
else
AC_CHECK_PROGS($1, flex, lex)
fi
if test "$$1" = flex ; then
# The -V flag was added in 2.4
AC_MSG_CHECKING(for flex 2.4 or higher)
AC_CACHE_VAL(ac_cv_lbl_flex_v24,
if flex -V >/dev/null 2>&1; then
ac_cv_lbl_flex_v24=yes
else
ac_cv_lbl_flex_v24=no
fi)
AC_MSG_RESULT($ac_cv_lbl_flex_v24)
if test $ac_cv_lbl_flex_v24 = no ; then
s="2.4 or higher required"
AC_MSG_WARN(ignoring obsolete flex executable ($s))
$1=lex
fi
fi
if test "$with_bison" = no ; then
$2=yacc
else
AC_CHECK_PROGS($2, bison, yacc)
fi
if test "$$2" = bison ; then
$2="$$2 -y"
fi
if test "$$1" != lex -a "$$2" = yacc -o "$$1" = lex -a "$$2" != yacc ; then
AC_MSG_WARN(don't have both flex and bison; reverting to lex/yacc)
$1=lex
$2=yacc
fi
if test "$$1" = flex -a -n "$3" ; then
$1="$$1 -P$3"
$2="$$2 -p $3"
fi])
dnl
dnl Checks to see if union wait is used with WEXITSTATUS()
dnl
dnl usage:
dnl
dnl AC_LBL_UNION_WAIT
dnl
dnl results:
dnl
dnl DECLWAITSTATUS (defined)
dnl
AC_DEFUN(AC_LBL_UNION_WAIT,
[AC_MSG_CHECKING(if union wait is used)
AC_CACHE_VAL(ac_cv_lbl_union_wait,
AC_TRY_COMPILE([
# include <sys/types.h>
# include <sys/wait.h>],
[int status;
u_int i = WEXITSTATUS(status);
u_int j = waitpid(0, &status, 0);],
ac_cv_lbl_union_wait=no,
ac_cv_lbl_union_wait=yes))
AC_MSG_RESULT($ac_cv_lbl_union_wait)
if test $ac_cv_lbl_union_wait = yes ; then
AC_DEFINE(DECLWAITSTATUS,union wait)
else
AC_DEFINE(DECLWAITSTATUS,int)
fi])
dnl
dnl Checks to see if the sockaddr struct has the 4.4 BSD sa_len member
dnl
dnl usage:
dnl
dnl AC_LBL_SOCKADDR_SA_LEN
dnl
dnl results:
dnl
dnl HAVE_SOCKADDR_SA_LEN (defined)
dnl
AC_DEFUN(AC_LBL_SOCKADDR_SA_LEN,
[AC_CHECK_MEMBERS(struct sockaddr.sa_len,,,[
# include <sys/types.h>
# include <sys/socket.h>])])
dnl
dnl Makes sure socklen_t is defined
dnl
dnl usage:
dnl
dnl AC_LBL_SOCKLEN_T
dnl
dnl results:
dnl
dnl socklen_t (defined if missing)
dnl
AC_DEFUN(AC_LBL_SOCKLEN_T,
[AC_MSG_CHECKING(for socklen_t in sys/socket.h using $CC)
AC_CACHE_VAL(ac_cv_lbl_socklen_t,
AC_TRY_COMPILE([
# include "confdefs.h"
# include <sys/types.h>
# include <sys/socket.h>
# if STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
# endif],
[socklen_t i],
ac_cv_lbl_socklen_t=yes,
ac_cv_lbl_socklen_t=no))
AC_MSG_RESULT($ac_cv_lbl_socklen_t)
if test $ac_cv_lbl_socklen_t = no ; then
AC_DEFINE(socklen_t, int, [Define socklen_t if missing])
fi])
dnl
dnl Checks to see if the IFF_LOOPBACK exists as a define or enum
dnl
dnl (stupidly some versions of linux use an enum...)
dnl
dnl usage:
dnl
dnl AC_LBL_IFF_LOOPBACK
dnl
dnl results:
dnl
dnl HAVE_IFF_LOOPBACK (defined)
dnl
AC_DEFUN(AC_LBL_IFF_LOOPBACK,
[AC_MSG_CHECKING(for IFF_LOOPBACK define/enum)
AC_CACHE_VAL(ac_cv_lbl_have_iff_loopback,
AC_TRY_COMPILE([
# include <sys/param.h>
# include <sys/file.h>
# include <sys/ioctl.h>
# include <sys/socket.h>
# ifdef HAVE_SYS_SOCKIO_H
# include <sys/sockio.h>
# endif
# include <sys/time.h>
# include <net/if.h>
# include <netinet/in.h>],
[int i = IFF_LOOPBACK],
ac_cv_lbl_have_iff_loopback=yes,
ac_cv_lbl_have_iff_loopback=no))
AC_MSG_RESULT($ac_cv_lbl_have_iff_loopback)
if test $ac_cv_lbl_have_iff_loopback = yes ; then
AC_DEFINE(HAVE_IFF_LOOPBACK,, [Have IFF_LOOPBACK define/enum])
fi])
dnl
dnl Due to the stupid way it's implemented, AC_CHECK_TYPE is nearly useless.
dnl
dnl usage:
dnl
dnl AC_LBL_CHECK_TYPE
dnl
dnl results:
dnl
dnl int32_t (defined)
dnl u_int32_t (defined)
dnl
AC_DEFUN(AC_LBL_CHECK_TYPE,
[AC_MSG_CHECKING(for $1 using $CC)
AC_CACHE_VAL(ac_cv_lbl_have_$1,
AC_TRY_COMPILE([
# include "confdefs.h"
# include <sys/types.h>
# if STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
# endif],
[$1 i],
ac_cv_lbl_have_$1=yes,
ac_cv_lbl_have_$1=no))
AC_MSG_RESULT($ac_cv_lbl_have_$1)
if test $ac_cv_lbl_have_$1 = no ; then
AC_DEFINE($1, $2, Define $1)
fi])
dnl
dnl Checks to see if unaligned memory accesses fail
dnl
dnl usage:
dnl
dnl AC_LBL_UNALIGNED_ACCESS
dnl
dnl results:
dnl
dnl LBL_ALIGN (DEFINED)
dnl
AC_DEFUN(AC_LBL_UNALIGNED_ACCESS,
[AC_MSG_CHECKING(if unaligned accesses fail)
AC_CACHE_VAL(ac_cv_lbl_unaligned_fail,
[case "$target_cpu" in
alpha|hp*|mips|sparc)
ac_cv_lbl_unaligned_fail=yes
;;
*)
cat >conftest.c <<EOF
# include <sys/types.h>
# include <sys/wait.h>
# include <stdio.h>
unsigned char a[[5]] = { 1, 2, 3, 4, 5 };
main() {
unsigned int i;
pid_t pid;
int status;
/* avoid "core dumped" message */
pid = fork();
if (pid < 0)
exit(2);
if (pid > 0) {
/* parent */
pid = waitpid(pid, &status, 0);
if (pid < 0)
exit(3);
exit(!WIFEXITED(status));
}
/* child */
i = *(unsigned int *)&a[[1]];
printf("%d\n", i);
exit(0);
}
EOF
${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS \
conftest.c $LIBS >/dev/null 2>&1
if test ! -x conftest ; then
dnl failed to compile for some reason
ac_cv_lbl_unaligned_fail=yes
else
./conftest >conftest.out
if test ! -s conftest.out ; then
ac_cv_lbl_unaligned_fail=yes
else
ac_cv_lbl_unaligned_fail=no
fi
fi
rm -f conftest* core core.conftest
;;
esac])
AC_MSG_RESULT($ac_cv_lbl_unaligned_fail)
if test $ac_cv_lbl_unaligned_fail = yes ; then
AC_DEFINE(LBL_ALIGN)
fi])
dnl
dnl add all warning option to CFLAGS
dnl
dnl usage:
dnl
dnl AC_LBL_CHECK_WALL(copt)
dnl
dnl results:
dnl
dnl $1 (copt appended)
dnl ac_cv_lbl_gcc_vers
dnl
AC_DEFUN(AC_LBL_CHECK_WALL,
[ if test "$GCC" = yes ; then
if test "$SHLICC2" = yes ; then
ac_cv_lbl_gcc_vers=2
$1="`echo $$1 | sed -e 's/-O/-O3/'`"
else
AC_MSG_CHECKING(gcc version)
AC_CACHE_VAL(ac_cv_lbl_gcc_vers,
# Gag, the gcc folks keep changing the output...
# try to grab N.N.N
ac_cv_lbl_gcc_vers=`$CC --version 2>&1 |
sed -e '1!d' -e 's/[[[^0-9]]]*\([[[0-9]]][[[0-9]]]*\)\.[[[0-9\]]][[[0-9]]]*\.[[[0-9]]][[[0-9]]]*.*/\1/'`)
AC_MSG_RESULT($ac_cv_lbl_gcc_vers)
if test "$ac_cv_lbl_gcc_vers" -gt 1 ; then
$1="`echo $$1 | sed -e 's/-O/-O3/'`"
fi
fi
if test "$ac_cv_prog_cc_g" = yes ; then
$1="-g $$1"
fi
$1="$$1 -Wall"
if test "$ac_cv_lbl_gcc_vers" -gt 1 ; then
$1="$$1 -Wmissing-prototypes -Wstrict-prototypes"
if [[ "`uname -s`" = "FreeBSD" ]]; then
$1="$$1 -Werror"
fi
fi
else
case "$target_os" in
irix6*)
$1="$$1 -fullwarn -n32"
;;
*)
;;
esac
fi])
dnl
dnl If using gcc and the file .devel exists:
dnl Compile with -g (if supported) and -Wall
dnl If using gcc 2, do extra prototype checking
dnl If an os prototype include exists, symlink os-proto.h to it
dnl
dnl usage:
dnl
dnl AC_LBL_DEVEL(copt)
dnl
dnl results:
dnl
dnl $1 (copt appended)
dnl HAVE_OS_PROTO_H (defined)
dnl os-proto.h (symlinked)
dnl
AC_DEFUN(AC_LBL_DEVEL,[
AC_BEFORE([$0], [AC_LBL_LD_RUN_PATH])
rm -f os-proto.h
if test -f .devel ; then
AC_LBL_CHECK_WALL($1)
os=`echo $target_os | sed -e 's/\([[0-9]][[0-9]]*\)[[^0-9]].*$/\1/'`
name="lbl/os-$os.h"
if test -f $name ; then
ln -s $name os-proto.h
AC_DEFINE(HAVE_OS_PROTO_H,,[have os-proto.h])
else
AC_MSG_WARN(can't find $name)
fi
fi])
dnl
dnl Improved version of AC_CHECK_LIB
dnl
dnl Thanks to John Hawkinson (jhawk@mit.edu)
dnl
dnl usage:
dnl
dnl AC_LBL_CHECK_LIB(LIBRARY, FUNCTION [, ACTION-IF-FOUND [,
dnl ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]])
dnl
dnl results:
dnl
dnl LIBS
dnl
define(AC_LBL_CHECK_LIB,
[AC_MSG_CHECKING([for $2 in -l$1])
dnl Use a cache variable name containing both the library and function name,
dnl because the test really is for library $1 defining function $2, not
dnl just for library $1. Separate tests with the same $1 and different $2's
dnl may have different results.
ac_lib_var=`echo $1['_']$2['_']$5 | sed 'y%./+- %__p__%'`
AC_CACHE_VAL(ac_cv_lbl_lib_$ac_lib_var,
[ac_save_LIBS="$LIBS"
LIBS="-l$1 $5 $LIBS"
AC_TRY_LINK(dnl
ifelse([$2], [main], , dnl Avoid conflicting decl of main.
[/* Override any gcc2 internal prototype to avoid an error. */
]ifelse(AC_LANG, CPLUSPLUS, [#ifdef __cplusplus
extern "C"
#endif
])dnl
[/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char $2();
]),
[$2()],
eval "ac_cv_lbl_lib_$ac_lib_var=yes",
eval "ac_cv_lbl_lib_$ac_lib_var=no")
LIBS="$ac_save_LIBS"
])dnl
if eval "test \"`echo '$ac_cv_lbl_lib_'$ac_lib_var`\" = yes"; then
AC_MSG_RESULT(yes)
ifelse([$3], ,
[changequote(, )dnl
ac_tr_lib=HAVE_LIB`echo $1 | sed -e 's/[^a-zA-Z0-9_]/_/g' \
-e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'`
changequote([, ])dnl
AC_DEFINE_UNQUOTED($ac_tr_lib)
LIBS="-l$1 $LIBS"
], [$3])
else
AC_MSG_RESULT(no)
ifelse([$4], , , [$4
])dnl
fi
])
dnl
dnl AC_LBL_LIBRARY_NET
dnl
dnl This test is for network applications that need socket() and
dnl gethostbyname() -ish functions. Under Solaris, those applications
dnl need to link with "-lsocket -lnsl". Under IRIX, they need to link
dnl with "-lnsl" but should *not* link with "-lsocket" because
dnl libsocket.a breaks a number of things (for instance:
dnl gethostbyname() under IRIX 5.2, and snoop sockets under most
dnl versions of IRIX).
dnl
dnl Unfortunately, many application developers are not aware of this,
dnl and mistakenly write tests that cause -lsocket to be used under
dnl IRIX. It is also easy to write tests that cause -lnsl to be used
dnl under operating systems where neither are necessary (or useful),
dnl such as SunOS 4.1.4, which uses -lnsl for TLI.
dnl
dnl This test exists so that every application developer does not test
dnl this in a different, and subtly broken fashion.
dnl It has been argued that this test should be broken up into two
dnl seperate tests, one for the resolver libraries, and one for the
dnl libraries necessary for using Sockets API. Unfortunately, the two
dnl are carefully intertwined and allowing the autoconf user to use
dnl them independantly potentially results in unfortunate ordering
dnl dependancies -- as such, such component macros would have to
dnl carefully use indirection and be aware if the other components were
dnl executed. Since other autoconf macros do not go to this trouble,
dnl and almost no applications use sockets without the resolver, this
dnl complexity has not been implemented.
dnl
dnl The check for libresolv is in case you are attempting to link
dnl statically and happen to have a libresolv.a lying around (and no
dnl libnsl.a).
dnl
AC_DEFUN(AC_LBL_LIBRARY_NET, [
# Most operating systems have gethostbyname() in the default searched
# libraries (i.e. libc):
AC_CHECK_FUNC(gethostbyname, ,
# Some OSes (eg. Solaris) place it in libnsl:
AC_CHECK_LIB(nsl, gethostbyname, ,
# Some strange OSes (SINIX) have it in libsocket:
AC_CHECK_LIB(socket, gethostbyname, ,
# Unfortunately libsocket sometimes depends on libnsl.
# AC_CHECK_LIB's API is essentially broken so the
# following ugliness is necessary:
AC_CHECK_LIB(socket, gethostbyname,
LIBS="-lsocket -lnsl $LIBS",
AC_CHECK_LIB(resolv, gethostbyname),
-lnsl))))
AC_CHECK_FUNC(socket, , AC_CHECK_LIB(socket, socket, ,
AC_CHECK_LIB(socket, socket, LIBS="-lsocket -lnsl $LIBS", ,
-lnsl)))
# DLPI needs putmsg under HPUX so test for -lstr while we're at it
AC_CHECK_LIB(str, putmsg)
])
dnl
dnl AC_LBL_RUN_PATH
dnl
dnl Extracts -L directories from LIBS; if any are found they are
dnl converted to a LD_RUN_PATH and put in V_ENVIRONMENT
dnl
dnl usage:
dnl
dnl AC_LBL_RUN_PATH
dnl
dnl results:
dnl
dnl V_ENVIRONMENT
dnl
AC_DEFUN(AC_LBL_LD_RUN_PATH, [
AC_MSG_CHECKING(LD_RUN_PATH)
AC_SUBST(V_ENVIRONMENT)
dnl
dnl Split out -L directories
dnl
ldirs=""
for x in ${LIBS}; do
case x${x} in
x-L*)
ldirs="${ldirs} ${x}"
;;
*)
;;
esac
done
dnl
dnl Build LD_RUN_PATH
dnl
if test -n "${ldirs}"; then
V_ENVIRONMENT="LD_RUN_PATH=\"`echo \"${ldirs}\" | sed -e 's,-L,,g' -e 's,^ *,,' -e 's, ,:,g'`\""
AC_MSG_RESULT(${V_ENVIRONMENT})
else
AC_MSG_RESULT(empty)
fi])
dnl
dnl AC_LBL_BROCCOLI
dnl
dnl Include Broccoli support
dnl
dnl usage:
dnl
dnl AC_LBL_BROCCOLI(copt, incls, [min-vers])
dnl
dnl results:
dnl
dnl $1 (copt variable appended)
dnl $2 (incls variable appended)
dnl $3 minimum version (optional)
dnl
AC_DEFUN(AC_LBL_BROCCOLI, [
AC_BEFORE([$0], [AC_LBL_LD_RUN_PATH])
dnl
dnl configure flags
dnl
AC_ARG_WITH([broccoli],
[AS_HELP_STRING([--without-broccoli],
[disable Broccoli support @<:@default=check@:>@])],
ac_cv_with_broccoli=${withval})
dnl
dnl Network application libraries
dnl
AC_LBL_LIBRARY_NET
AC_MSG_CHECKING(for broccoli)
if test "${ac_cv_with_broccoli}" = "" -o \
"${ac_cv_with_broccoli}" = yes ; then
cflags=""
libs=""
dnl
dnl Our entire path
dnl
dirs="`echo ${PATH} | sed -e 's/:/ /g'`"
dnl
dnl Add in default Bro install bin directory
dnl
dirs="${dirs} /usr/local/bro/bin"
for d in ${dirs}; do
if test -x ${d}/broccoli-config ; then
broccoli_config_path="${d}/broccoli-config"
cflags="`${broccoli_config_path} --cflags`"
libs="`${broccoli_config_path} --libs`"
break
fi
done
if test -n "${cflags}" ; then
ac_cv_have_broccoli=yes
else
ac_cv_have_broccoli=no
fi
AC_MSG_RESULT($ac_cv_have_broccoli)
if test "${ac_cv_with_broccoli}" = yes -a \
${ac_cv_have_broccoli} = "no" ; then
AC_MSG_ERROR(Broccoli explicitly enabled but not supported)
fi
else
AC_MSG_RESULT([disabled])
fi
dnl
dnl Optionally check for minimum Broccoli version
dnl
if test "$ac_cv_have_broccoli" = yes -a -n "$3"; then
AC_MSG_CHECKING(Broccoli >= $3)
BROCCOLI_VERSION="`${broccoli_config_path} --version`"
AC_MSG_RESULT(${BROCCOLI_VERSION})
dnl
dnl Sort the two versions; the desired version should
dnl appear first (or perhaps 1st and 2nd)
dnl
tvers="`(echo "$3" ; echo ${BROCCOLI_VERSION}) |
sort -t. +0 -1n +1 -2n +2 -3n +3 -4n |
head -1`"
if test "${tvers}" != "$3"; then
if test "${ac_cv_with_broccoli}" = yes; then
AC_MSG_ERROR(Broccoli $3 or higher is required)
fi
AC_MSG_NOTICE(Broccoli support disabled)
ac_cv_have_broccoli="no"
fi
fi
dnl
dnl Broccoli ho!
dnl
if test "$ac_cv_have_broccoli" = yes ; then
AC_DEFINE(HAVE_BROCCOLI)
dnl
dnl Split out -I directories
dnl
for x in ${cflags}; do
case x${x} in
x-I*)
eval "$2=\"\$$2 ${x}\""
;;
*)
eval "$1=\"\$$1 ${x}\""
;;
esac
done
dnl
dnl Add in Broccoli libs
dnl
LIBS="$LIBS ${libs}"
dnl
dnl Look for the libs in DIR or DIR/lib
dnl
AC_ARG_WITH([openssl],
[AS_HELP_STRING([--with-openssl=DIR],
[Use OpenSSL installation in DIR])],
[eval "$2=\"-I${withval}/include \$$2\""
for x in ${withval}/lib ${withval}; do
if test -r ${x}/libssl.a; then
LIBS="-L${x} ${LIBS}"
break
fi
done])
dnl
dnl -lssl needs to come first on some systems!
dnl
AC_CHECK_LIB(ssl, OPENSSL_add_all_algorithms_conf,
[LIBS="${LIBS} -lssl -lcrypto"],,-lcrypto)
dnl
dnl Newer versions of 1.4.0 and anything higher needs bro_init()
dnl
AC_CHECK_LIB(broccoli, bro_init, [AC_DEFINE(HAVE_BRO_INIT)])
fi])
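Review bot: The macro documented as `AC_LBL_RUN_PATH` (the `dnl AC_LBL_RUN_PATH` header and its `dnl usage:` block) is actually defined as `AC_LBL_LD_RUN_PATH`, which is also the name the `AC_BEFORE([$0], [AC_LBL_LD_RUN_PATH])` constraint in `AC_LBL_BROCCOLI` uses, so anyone resurrecting these macros from history would first have to reconcile the name. Two further details make a stale private copy a liability rather than an asset: the Broccoli minimum-version check relies on the obsolete `sort -t. +0 -1n +1 -2n +2 -3n +3 -4n` key syntax that POSIX.1-2008 removed and current sort implementations reject, and the `broccoli-config` probe walks every `${PATH}` entry plus `/usr/local/bro/bin` and runs the first executable it finds at configure time to populate `cflags` and `libs`. Deleting the file is the right call; please confirm that no other configure.in under contrib still invokes `AC_LBL_LIBRARY_NET`, `AC_LBL_LD_RUN_PATH` or `AC_LBL_BROCCOLI` once this aclocal.m4 is gone.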

File diff suppressed because it is too large

File diff suppressed because it is too large

File diff suppressed because it is too large

@ -1,51 +0,0 @@
AC_REVISION([@(#) $Id: configure.in 241 2009-10-10 23:31:13Z leres $ (LBL)])
dnl
AC_COPYRIGHT([Copyright (c) 1995, 1996, 1997, 2006, 2009
The Regents of the University of California. All rights reserved.])
dnl
dnl Process this file with autoconf to produce a configure script.
dnl
AC_INIT
AC_CONFIG_SRCDIR(nslint.c)
AC_CANONICAL_TARGET
umask 002
if test -z "$PWD" ; then
PWD=`pwd`
fi
AC_LBL_C_INIT(V_CCOPT, V_INCLS)
AC_PROG_INSTALL
AC_CHECK_HEADERS(fcntl.h memory.h)
AC_REPLACE_FUNCS(strerror)
AC_CHECK_LIB(nsl, main)
AC_CHECK_LIB(socket, main)
AC_LBL_CHECK_TYPE(int32_t, int)
AC_LBL_CHECK_TYPE(u_int32_t, u_int)
AC_LBL_DEVEL(V_CCOPT)
if test -r lbl/gnuc.h ; then
rm -f gnuc.h
ln -s lbl/gnuc.h gnuc.h
fi
AC_SUBST(CFLAGS)
AC_SUBST(LDFLAGS)
AC_SUBST(LIBS)
AC_SUBST(V_CCOPT)
AC_SUBST(V_INCLS)
AC_CONFIG_FILES(Makefile)
AC_OUTPUT
if test -f .devel ; then
make depend
fi
exit 0
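Review bot: This configure.in cannot be removed on its own: it calls the LBL macros `AC_LBL_C_INIT`, `AC_LBL_CHECK_TYPE` and `AC_LBL_DEVEL` from the aclocal.m4 deleted above and runs `make depend` (which needs the mkdep script deleted below) whenever a `.devel` file exists, so taking all three out in one commit is the correct scope. Two points that would have needed fixing had the file stayed: the early `umask 002` makes everything configure writes (the generated Makefile, config.log and the `gnuc.h` symlink created by `ln -s lbl/gnuc.h gnuc.h`) group-writable, a poor default for a build that may be run by a privileged account; and `AC_CHECK_LIB(nsl, main)` / `AC_CHECK_LIB(socket, main)` probe for `main` rather than for the symbols actually needed (`gethostbyname`, `socket`), so they only prove the library links, not that it provides the wanted function.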


@ -1,519 +0,0 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2006-12-25.00
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright (C) 1994 X Consortium
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
nl='
'
IFS=" "" $nl"
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit=${DOITPROG-}
if test -z "$doit"; then
doit_exec=exec
else
doit_exec=$doit
fi
# Put in absolute file names if you don't have them in your path;
# or use environment vars.
chgrpprog=${CHGRPPROG-chgrp}
chmodprog=${CHMODPROG-chmod}
chownprog=${CHOWNPROG-chown}
cmpprog=${CMPPROG-cmp}
cpprog=${CPPROG-cp}
mkdirprog=${MKDIRPROG-mkdir}
mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}
posix_glob='?'
initialize_posix_glob='
test "$posix_glob" != "?" || {
if (set -f) 2>/dev/null; then
posix_glob=
else
posix_glob=:
fi
}
'
posix_mkdir=
# Desired mode of installed file.
mode=0755
chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
mvcmd=$mvprog
rmcmd="$rmprog -f"
stripcmd=
src=
dst=
dir_arg=
dst_arg=
copy_on_change=false
no_target_directory=
usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
or: $0 [OPTION]... SRCFILES... DIRECTORY
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
or: $0 [OPTION]... -d DIRECTORIES...
In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.
Options:
--help display this help and exit.
--version display version info and exit.
-c (ignored)
-C install only if different (preserve the last data modification time)
-d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER.
-s $stripprog installed files.
-t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory.
Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
RMPROG STRIPPROG
"
while test $# -ne 0; do
case $1 in
-c) ;;
-C) copy_on_change=true;;
-d) dir_arg=true;;
-g) chgrpcmd="$chgrpprog $2"
shift;;
--help) echo "$usage"; exit $?;;
-m) mode=$2
case $mode in
*' '* | *' '* | *'
'* | *'*'* | *'?'* | *'['*)
echo "$0: invalid mode: $mode" >&2
exit 1;;
esac
shift;;
-o) chowncmd="$chownprog $2"
shift;;
-s) stripcmd=$stripprog;;
-t) dst_arg=$2
shift;;
-T) no_target_directory=true;;
--version) echo "$0 $scriptversion"; exit $?;;
--) shift
break;;
-*) echo "$0: invalid option: $1" >&2
exit 1;;
*) break;;
esac
shift
done
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
# When -d is used, all remaining arguments are directories to create.
# When -t is used, the destination is already specified.
# Otherwise, the last argument is the destination. Remove it from $@.
for arg
do
if test -n "$dst_arg"; then
# $@ is not empty: it contains at least $arg.
set fnord "$@" "$dst_arg"
shift # fnord
fi
shift # arg
dst_arg=$arg
done
fi
if test $# -eq 0; then
if test -z "$dir_arg"; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call `install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
if test -z "$dir_arg"; then
trap '(exit $?); exit' 1 2 13 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
case $mode in
# Optimize common cases.
*644) cp_umask=133;;
*755) cp_umask=22;;
*[0-7])
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw='% 200'
fi
cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
*)
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw=,u+rw
fi
cp_umask=$mode$u_plus_rw;;
esac
fi
for src
do
# Protect names starting with `-'.
case $src in
-*) src=./$src;;
esac
if test -n "$dir_arg"; then
dst=$src
dstdir=$dst
test -d "$dstdir"
dstdir_status=$?
else
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if test ! -f "$src" && test ! -d "$src"; then
echo "$0: $src does not exist." >&2
exit 1
fi
if test -z "$dst_arg"; then
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dst_arg
# Protect names starting with `-'.
case $dst in
-*) dst=./$dst;;
esac
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
if test -d "$dst"; then
if test -n "$no_target_directory"; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
fi
dstdir=$dst
dst=$dstdir/`basename "$src"`
dstdir_status=0
else
# Prefer dirname, but fall back on a substitute if dirname fails.
dstdir=`
(dirname "$dst") 2>/dev/null ||
expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$dst" : 'X\(//\)[^/]' \| \
X"$dst" : 'X\(//\)$' \| \
X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
echo X"$dst" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'
`
test -d "$dstdir"
dstdir_status=$?
fi
fi
obsolete_mkdir_used=false
if test $dstdir_status != 0; then
case $posix_mkdir in
'')
# Create intermediate dirs using mode 755 as modified by the umask.
# This is like FreeBSD 'install' as of 1997-10-28.
umask=`umask`
case $stripcmd.$umask in
# Optimize common cases.
*[2367][2367]) mkdir_umask=$umask;;
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
*[0-7])
mkdir_umask=`expr $umask + 22 \
- $umask % 100 % 40 + $umask % 20 \
- $umask % 10 % 4 + $umask % 2
`;;
*) mkdir_umask=$umask,go-w;;
esac
# With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then
mkdir_mode=-m$mode
else
mkdir_mode=
fi
posix_mkdir=false
case $umask in
*[123567][0-7][0-7])
# POSIX mkdir -p sets u+wx bits regardless of umask, which
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writeable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
ls_ld_tmpdir=`ls -ld "$tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/d" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
fi
trap '' 0;;
esac;;
esac
if
$posix_mkdir && (
umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
)
then :
else
# The umask is ridiculous, or mkdir does not conform to POSIX,
# or it failed possibly due to a race condition. Create the
# directory the slow way, step by step, checking for races as we go.
case $dstdir in
/*) prefix='/';;
-*) prefix='./';;
*) prefix='';;
esac
eval "$initialize_posix_glob"
oIFS=$IFS
IFS=/
$posix_glob set -f
set fnord $dstdir
shift
$posix_glob set +f
IFS=$oIFS
prefixes=
for d
do
test -z "$d" && continue
prefix=$prefix$d
if test -d "$prefix"; then
prefixes=
else
if $posix_mkdir; then
(umask=$mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1
else
case $prefix in
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
*) qprefix=$prefix;;
esac
prefixes="$prefixes '$qprefix'"
fi
fi
prefix=$prefix/
done
if test -n "$prefixes"; then
# Don't fail if two instances are running concurrently.
(umask $mkdir_umask &&
eval "\$doit_exec \$mkdirprog $prefixes") ||
test -d "$dstdir" || exit 1
obsolete_mkdir_used=true
fi
fi
fi
if test -n "$dir_arg"; then
{ test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
{ test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
else
# Make a couple of temp file names in the proper directory.
dsttmp=$dstdir/_inst.$$_
rmtmp=$dstdir/_rm.$$_
# Trap to clean up those temp files at exit.
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
# Copy the file name to the temp name.
(umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
# and set any options; do chmod last to preserve setuid bits.
#
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $cpprog $src $dsttmp" command.
#
{ test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
{ test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
{ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
# If -C, don't bother to copy if it wouldn't change the file.
if $copy_on_change &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
eval "$initialize_posix_glob" &&
$posix_glob set -f &&
set X $old && old=:$2:$4:$5:$6 &&
set X $new && new=:$2:$4:$5:$6 &&
$posix_glob set +f &&
test "$old" = "$new" &&
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
then
rm -f "$dsttmp"
else
# Rename the file to the real destination.
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
# The rename failed, perhaps because mv can't rename something else
# to itself, or perhaps because mv is so ancient that it does not
# support -f.
{
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1
}
} &&
# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dst"
}
fi || exit 1
trap '' 0
fi
done
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:
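Review bot: This is the 2006-12-25.00 install-sh (see `scriptversion=`), and it carries the `(umask=$mkdir_umask &&` typo in the step-by-step directory creation loop: that line assigns a shell variable named `umask` instead of invoking `umask`, so directories created on the slow path inherit the caller's umask rather than `$mkdir_umask`. The POSIX-mkdir probe also builds its scratch name as `${TMPDIR-/tmp}/ins$RANDOM-$$`; `$RANDOM` is not POSIX and expands to nothing under a plain `sh`, leaving a predictable `/tmp/ins-<pid>` that `mkdir -p` will accept if the directory already exists, which defeats the point of a private probe directory. Both are upstream defects, so the fix belongs upstream rather than in a private contrib copy; if any other contrib subdirectory still ships its own install-sh, it should be checked for the same `scriptversion`.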


@ -1,49 +0,0 @@
/* @(#) $Id: gnuc.h,v 1.4 2006/04/30 03:58:45 leres Exp $ (LBL) */
/* Define __P() macro, if necessary */
#ifndef __P
#if __STDC__
#define __P(protos) protos
#else
#define __P(protos) ()
#endif
#endif
/* inline foo */
#ifdef __GNUC__
#define inline __inline
#else
#define inline
#endif
/*
* Handle new and old "dead" routine prototypes
*
* For example:
*
* __dead void foo(void) __attribute__((noreturn));
*
*/
#ifdef __GNUC__
#ifndef __dead
#if __GNUC__ >= 4
#define __dead
#define noreturn __noreturn__
#else
#define __dead volatile
#define noreturn volatile
#endif
#endif
#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
#ifndef __attribute__
#define __attribute__(args)
#endif
#endif
#else
#ifndef __dead
#define __dead
#endif
#ifndef __attribute__
#define __attribute__(args)
#endif
#endif
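Review bot: The compatibility shims in this header are harmful on modern toolchains, so deleting it outright rather than leaving it around for reuse is right: `#define noreturn __noreturn__` (in the `__GNUC__ >= 4` branch) takes over the identifier that C11 defines as the `noreturn` macro in `<stdnoreturn.h>`, and the bare `#define inline` in the non-GNU branch erases the C99 keyword for any non-GCC C99 compiler. The `__P()` macro only exists to support pre-ANSI compilers without prototypes. Both `savestr.c` and `strerror.c` in this commit `#include "gnuc.h"`, so they have to go in the same change (they do); please also confirm nothing outside contrib/nslint includes this header.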


@ -1,109 +0,0 @@
#!/bin/sh -
#
# Copyright (c) 1994, 1996
# The Regents of the University of California. All rights reserved.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and that due credit is given
# to the University of California at Berkeley. The name of the University
# may not be used to endorse or promote products derived from this
# software without specific prior written permission. This software
# is provided ``as is'' without express or implied warranty.
#
# @(#)mkdep.sh 5.11 (Berkeley) 5/5/88
#
PATH=/bin:/usr/bin:/usr/ucb:/usr/local:/usr/local/bin
export PATH
MAKE=Makefile # default makefile name is "Makefile"
CC=cc # default C compiler is "cc"
while :
do case "$1" in
# -c allows you to specify the C compiler
-c)
CC=$2
shift; shift ;;
# -f allows you to select a makefile name
-f)
MAKE=$2
shift; shift ;;
# the -p flag produces "program: program.c" style dependencies
# so .o's don't get produced
-p)
SED='s;\.o;;'
shift ;;
*)
break ;;
esac
done
if [ $# = 0 ] ; then
echo 'usage: mkdep [-p] [-c cc] [-f makefile] [flags] file ...'
exit 1
fi
if [ ! -w $MAKE ]; then
echo "mkdep: no writeable file \"$MAKE\""
exit 1
fi
TMP=/tmp/mkdep$$
trap 'rm -f $TMP ; exit 1' 1 2 3 13 15
cp $MAKE ${MAKE}.bak
sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP
cat << _EOF_ >> $TMP
# DO NOT DELETE THIS LINE -- mkdep uses it.
# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
_EOF_
# If your compiler doesn't have -M, add it. If you can't, the next two
# lines will try and replace the "cc -M". The real problem is that this
# hack can't deal with anything that requires a search path, and doesn't
# even try for anything using bracket (<>) syntax.
#
# egrep '^#include[ ]*".*"' /dev/null $* |
# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
# XXX this doesn't work with things like "-DDECLWAITSTATUS=union\ wait"
$CC -M $* |
sed "
s; \./; ;g
$SED" |
awk '{
if ($1 != prev) {
if (rec != "")
print rec;
rec = $0;
prev = $1;
}
else {
if (length(rec $2) > 78) {
print rec;
rec = $0;
}
else
rec = rec " " $2
}
}
END {
print rec
}' >> $TMP
cat << _EOF_ >> $TMP
# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
_EOF_
# copy to preserve permissions
cp $TMP $MAKE
rm -f ${MAKE}.bak $TMP
exit 0
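Review bot: The scratch file is `TMP=/tmp/mkdep$$`, a predictable name in a world-writable directory that is then written with plain `>` and `>>` redirections and copied back over the Makefile with `cp $TMP $MAKE`; a pre-existing symlink at that path would redirect the generated dependency output to whatever the link points at, with the privileges of whoever runs `make depend`. The trap only covers signals `1 2 3 13 15`, so `${MAKE}.bak` and `$TMP` are left behind on any other failure. This script is reached only through the `make depend` the removed configure.in runs when `.devel` exists, so dropping both together is consistent; a maintained copy would use `mktemp` in a private directory instead.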


@ -1,497 +0,0 @@
.\" @(#) $Id: nslint.8 238 2009-03-14 05:43:37Z leres $ (LBL)
.\"
.\" Copyright (c) 1994, 1996, 1997, 1999, 2001, 2002, 2009
.\" The Regents of the University of California. All rights reserved.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH nslint 8 "2 May 2002"
.UC 4
.SH NAME
nslint - perform consistency checks on dns files
.SH SYNOPSIS
.B nslint
[
.B -d
] [
.B -c
.I named.conf
] [
.B -C
.I nslint.conf
]
.br
.B nslint
[
.B -d
] [
.B -b
.I named.boot
] [
.B -B
.I nslint.boot
]
.SH DESCRIPTION
.B Nslint
reads the nameserver configuration files and performs a number of
consistency checks on the dns records. If any problems are discovered,
error messages are displayed on
.I stderr
and
.B nslint
exits with a non-zero status.
.LP
Here is a partial list of errors
.B nslint
detects:
.IP
Records that are malformed.
.IP
Names that contain dots but are missing a trailing dot.
.IP
.B PTR
records with names that are missing a trailing dot.
.IP
Names that contain illegal characters (rfc1034).
.IP
.B A
records
without matching
.B PTR
records
.IP
.B PTR
records
without matching
.B A
records
.IP
Names with more than one address on the same subnet.
.IP
Addresses in use by more than one name.
.IP
Names with
.B CNAME
and other records (rfc1033).
.IP
Unknown service and/or protocol keywords in
.B WKS
records.
.IP
Missing semicolons and quotes.
.LP
.SH OPTIONS
.TP
.B -b
Specify an alternate
.I named.boot
file. The default is
.IR /etc/named.boot .
.TP
.TP
.B -c
Specify an alternate
.I named.conf
file. The default is
.IR /etc/named.conf .
.TP
.B -B
Specify an alternate
.I nslint.boot
file. The default is
.I nslint.boot
in the last
.B directory
line processed in
.I named.boot
(or the current working directory).
This file is processed like a second
.IR named.boot .
The most common use is to tell
.B nslint
about
.B A
records that match
.B PTR
records that point outside the domains listed in
.IR named.boot .
.TP
.B -C
Specify an alternate
.I nslint.conf
file. The default is
.I nslint.conf
in the last
.B directory
line processed in
.I named.conf
(or the current working directory).
This file is processed like a second
.IR named.conf .
.TP
.B -d
Raise the debugging level. Debugging information is
displayed on
.IR stdout .
.LP
.B Nslint
knows how to read
BIND 8 and 9's
.I named.conf
configuration file and also
older BIND's
.I named.boot
file. If both files exist,
.B nslint
will prefer
.I named.conf
(on the theory that you forgot to delete
.I named.boot
when you upgraded BIND).
.LP
.SH "ADVANCED CONFIGURATION"
There are some cases where it is necessary to use the
advanced configuration features of
.BR nslint .
Advanced configuration is done with the
.I nslint.conf
file. (You can also use
.I nslint.boot
which has a syntax similar to
.I named.boot
but is not described here.)
.LP
The most common is when a site has a demilitarized zone (DMZ).
The problem here is that the DMZ network will have
.B PTR
records for hosts outside its domain. For example lets say
we have
.I 128.0.rev
with:
.LP
.RS
.nf
.sp .5
1.1 604800 in ptr gateway.lbl.gov.
2.1 604800 in ptr gateway.es.net.
.sp .5
.fi
.RE
.LP
Obviously we will define an
.B A
record for
.I gateway.lbl.gov
pointing to
.I 128.0.1.1
but we will get errors because there is no
.B A
record defined for
.IR gateway.es.net .
The solution is to create a
.I nslint.conf
file (in the same directory as the other dns files)
with:
.LP
.RS
.nf
.sp .5
zone "es.net" {
.RS
type master;
file "nslint.es.net";
.RE
};
.sp .5
.fi
.RE
.LP
And then create the file
.I nslint.es.net
with:
.LP
.RS
.nf
.sp .5
gateway 1 in a 128.0.1.2
.sp .5
.fi
.RE
.LP
Another problem occurs when there is a
.B CNAME
that points to a host outside the local domains. Let's say we have
.I info.lbl.gov
pointing to
.IR larry.es.net :
.LP
.RS
.nf
.sp .5
info 604800 in cname larry.es.net.
.sp .5
.fi
.RE
.LP
In this case we would need:
.LP
.RS
.nf
.sp .5
zone "es.net" {
.RS
type master;
file "nslint.es.net";
.RE
};
.sp .5
.fi
.RE
.LP
in
.I nslint.boot
and:
.LP
.RS
.nf
.sp .5
larry 1 in txt "place holder"
.sp .5
.fi
.RE
.LP
.IR nslint.es.net .
.LP
One last problem
when a pseudo host is setup to allow two more
more actual hosts provide a service. For, let's say that
.I lbl.gov
contains:
.LP
.RS
.nf
.sp .5
server 604800 in a 128.0.6.6
server 604800 in a 128.0.6.94
;
tom 604800 in a 128.0.6.6
tom 604800 in mx 0 lbl.gov.
;
jerry 604800 in a 128.0.6.94
jerry 604800 in mx 0 lbl.gov.
.sp .5
.fi
.RE
.LP
In this case
.B nslint
would complain about missing
.B PTR
records and ip addresses in use by more than one host.
To suppress these warnings, add you would the lines:
.LP
.RS
.nf
.sp .5
zone "lbl.gov" {
.RS
type master;
file "nslint.lbl.gov";
.RE
};
.LP
zone "0.128.in-addr.arpa" {
.RS
type master;
file "nslint.128.0.rev";
.RE
};
.sp .5
.fi
.RE
.LP
to
.I nslint.conf
and create
.I nslint.lbl.gov
with:
.LP
.RS
.nf
.sp .5
server 1 in allowdupa 128.0.6.6
server 1 in allowdupa 128.0.6.94
.sp .5
.fi
.RE
.LP
and create
.I nslint.128.0.rev
with:
.LP
.RS
.nf
.sp .5
6.6 604800 in ptr server.lbl.gov.
94.6 604800 in ptr server.lbl.gov.
.sp .5
.fi
.RE
.LP
In this example, the
.B allowdupa
keyword tells
.B nslint
that it's ok for
.I 128.0.6.6
and
.I 128.0.6.94
to be shared by
.IR server.lbl.gov ,
.IR tom.lbl.gov ,
and
.IR jerry.lbl.gov .
.LP
Another
.B nslint
feature helps detect hosts that have mistakenly had two ip addresses
assigned on the same subnet. This can happen when two different
people request an ip address for the same hostname or when someone
forgets an address has been assigned and requests a new number.
.LP
To detect such
.B A
records, add a
.B nslint
section to your
.I nslint.conf
containing something similar to:
.LP
.RS
.nf
.sp .5
nslint {
.RS
network "128.0.6/22";
.RE
};
.sp .5
.fi
.RE
.LP
or:
.LP
.RS
.nf
.sp .5
nslint {
.RS
network "128.0.6 255.255.252.0";
.RE
};
.sp .5
.fi
.RE
.LP
These two examples are are equivalent ways of saying the same thing;
that subnet
.I 128.0.6
has a 22 bit wide subnet mask.
.LP
Using information from the above
.B network
statement,
.B nslint
would would flag the following
.B A
records as being in error:
.LP
.RS
.nf
.sp .5
server 1 in a 128.0.6.48
server 1 in a 128.0.7.16
.sp .5
.fi
.RE
.LP
Note that if you specify any
.B network
lines in your
.I nslint.conf
file,
.B nslint
requires you to include lines for all networks;
otherwise you might forget to add
.B network
lines for new networks.
.LP
Sometimes you have a zone that
.B nslint
just can't deal with. A good example is
a dynamic dns zone. To handle this, you can
add the following to
.IB nslint.com :
.LP
.RS
.nf
.sp .5
nslint {
.RS
ignorezone "dhcp.lbl.gov";
.RE
};
.sp .5
.fi
.RE
.LP
This will suppress "name referenced without other records" warnings.
.LP
.SH FILES
.na
.nh
.nf
/etc/named.conf - default named configuration file
/etc/named.boot - old style named configuration file
nslint.conf - default nslint configuration file
nslint.boot - old style nslint configuration file
.ad
.hy
.fi
.LP
.SH "SEE ALSO"
.na
.nh
.IR named (8),
rfc1033,
rfc1034
.ad
.hy
.SH AUTHOR
Craig Leres of the
Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
.LP
The current version is available via anonymous ftp:
.LP
.RS
.I ftp://ftp.ee.lbl.gov/nslint.tar.gz
.RE
.SH BUGS
Please send bug reports to nslint@ee.lbl.gov.
.LP
Not everyone is guaranteed to agree with all the checks done.
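Review bot: The man page has several defects that would need patching if it stayed in tree, which supports removing it in favour of the upstream copy: a doubled `.TP` before the `-c` option leaves an empty tag; `.IB nslint.com :` in the dynamic-zone paragraph should read `nslint.conf` to match the rest of the page; and the prose contains "two more more actual hosts provide a service", "add you would the lines", "are are equivalent" and "would would flag". The FILES section also still documents `/etc/named.boot` and `nslint.boot`, the older configuration format the page itself describes as superseded by `named.conf`. Nothing here needs action in this commit beyond confirming that no other contrib documentation references `nslint(8)`.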

File diff suppressed because it is too large

@ -1,64 +0,0 @@
/*
* Copyright (c) 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#ifndef lint
static const char rcsid[] =
"@(#) $Id: savestr.c,v 1.2 2006/03/09 02:27:11 leres Exp $ (LBL)";
#endif
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include "gnuc.h"
#ifdef HAVE_OS_PROTO_H
#include "os-proto.h"
#endif
#include "savestr.h"
/* A replacement for strdup() that cuts down on malloc() overhead */
char *
savestr(register const char *str)
{
register u_int size;
register char *p;
static char *strptr = NULL;
static u_int strsize = 0;
size = strlen(str) + 1;
if (size > strsize) {
strsize = 1024;
if (strsize < size)
strsize = size;
strptr = (char *)malloc(strsize);
if (strptr == NULL) {
fprintf(stderr, "savestr: malloc\n");
exit(1);
}
}
(void)strcpy(strptr, str);
p = strptr;
strptr += size;
strsize -= size;
return (p);
}
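Review bot: `savestr()` calls `strlen()` and `strcpy()` but the include list stops at `<sys/types.h>`, `<stdio.h>` and `<stdlib.h>` with no `<string.h>`, so both are implicitly declared, which GCC 14 and Clang 16 reject by default and which, on LP64 targets, has the compiler assume an `int` return for `strlen()`. The arena allocator also never frees: each time `size > strsize` the remainder of the previous 1024-byte block is abandoned, and a string larger than the block gets an exact-size allocation with no slack, so `strsize` immediately drops to zero again. Fine to delete; it must go together with `savestr.h`, which this file includes and the next hunk removes.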


@ -1,24 +0,0 @@
/*
* Copyright (c) 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* @(#) $Header: savestr.h,v 1.1 97/04/22 13:30:21 leres Exp $ (LBL)
*/
extern char *savestr(const char *);

View file

@ -1,71 +0,0 @@
/*
* Copyright (c) 1988, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)strerror.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */
#include <sys/types.h>
#include <string.h>
#include "gnuc.h"
#ifdef HAVE_OS_PROTO_H
#include "os-proto.h"
#endif
char *
strerror(num)
int num;
{
extern int sys_nerr;
extern char *sys_errlist[];
#define UPREFIX "Unknown error: "
static char ebuf[40] = UPREFIX; /* 64-bit number + slop */
register unsigned int errnum;
register char *p, *t;
char tmp[40];
errnum = num; /* convert to unsigned */
if (errnum < sys_nerr)
return(sys_errlist[errnum]);
/* Do this by hand, so we don't include stdio(3). */
t = tmp;
do {
*t++ = "0123456789"[errnum % 10];
} while (errnum /= 10);
for (p = ebuf + sizeof(UPREFIX) - 1;;) {
*p++ = *--t;
if (t <= tmp)
break;
}
*p = '\0';
return(ebuf);
}
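Review bot: the local `extern int sys_nerr; extern char *sys_errlist[];` declarations in strerror() name symbols that current libcs no longer export (glibc dropped sys_errlist and sys_nerr from its public ABI in 2.32), so this compatibility shim would fail to link on a modern system regardless of this commit, and dropping it is correct; anything that still needs it should rely on the libc strerror(). The `errnum < sys_nerr` test also compares an unsigned value with an int, which is harmless here but triggers sign-comparison warnings, and `ebuf` is a static buffer so the function is not reentrant, matching classic BSD strerror() but not strerror_r().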

View file

@ -1,3 +0,0 @@
/* @(#) $Id: version.h 239 2009-03-14 05:44:54Z leres $ (LBL) */
extern const char version[];

View file

@ -1,16 +0,0 @@
The following machines, at least today seem to have LOC
records:
147.210.73.0/24 (note the two /25 have different LOC, inherited differently)
130.104.3.*
Melanie.Tolna.Net
204.92.254.*
alink.net
caida.org
ckdhr.com
distributed.net (rc5stats.distributed.net)
nikhef.nl
yahoo.com
nic.af
$Id: ADDRESSES,v 1.1 2008/02/15 01:47:15 marka Exp $

View file

@ -1,48 +0,0 @@
Just for info, can be out of date.
RFC 1876, 5.2, specially 5.2.3
Important points:
- LOC RRs are always attached to a *name*.
- we can have two (or more) RRs for one address, one more specific than the other
main
if (host is a name)
getLOCbyname
else # host is an IP address
gethostbyaddr
if (name)
getLOCbyname
# If there is none, do not search. We assume the above was sufficient # (But check 5.2.2)
else
getLOCbyaddress
getLOCbyname (host)
get LOC for host
if (it exists)
OK
else
get all A records of the name
foreach A record
getLOCbyaddress
OK at the first one found
# we assume they are consistent
END
getLOCbyaddress (address)
# May receive a mask. Otherwise, deduce it from the class
makeNetAddress
getLOCbynetwork
getLOCbynetwork
get PTR and A for it
if (exist)
getLOCbyname
******* DIFFICULT : we have to manage a stack. See the code
makeNetAddress (level--)
getLOCbynetwork
else
END

View file

@ -1,9 +0,0 @@
Type './configure', then 'make' and (as root if necessary) 'make
install'.
It requires a recent libresolv, with loc_ntoa, but use an alternative
which I provide, if not found.
Tested on Linux (i386 and Alpha), Solaris (Sparc) and Digital Unix (Alpha).
$Id: INSTALL,v 1.1 2008/02/15 01:47:15 marka Exp $

View file

@ -1,42 +0,0 @@
# $Id: Makefile.in,v 1.1 2008/02/15 01:47:15 marka Exp $
CC=@CC@
CFLAGS=@CFLAGS@
LIBS=@LIBS@
DESTDIR=@prefix@
BINDIR=@prefix@/bin
MANDIR=@prefix@/share/man/man1
DISTRIB= README INSTALL ALGO USAGE ADDRESSES Makefile.in configure configure.in config.h.in install-sh loc.h loc.c query-loc.c loc_ntoa.c query-loc.1 reconf
OBJS=query-loc.o loc.o @LOC_NTOA@
VERSION=`grep VERSION loc.h | cut -d ' ' -f 3 | sed s/\"//g`
all: query-loc
query-loc: $(OBJS)
$(CC) -o $@ $(OBJS) $(LIBS)
%.o: %.c loc.h
$(CC) $(CFLAGS) -c $<
clean:
rm -f *.o query-loc *~
distclean: clean
rm -f config.h config.cache config.log config.status Makefile
dist: distrib
distrib: clean
./reconf
@(echo Query-Loc is version ${VERSION}; \
mkdir query-loc-${VERSION}; \
cp $(DISTRIB) query-loc-${VERSION};\
tar cvf query-loc-${VERSION}.tar query-loc-${VERSION}; \
rm -rf query-loc-${VERSION}; \
gzip -v -9 -f query-loc-${VERSION}.tar);
install:
@INSTALL@ -m 0755 query-loc $(BINDIR)
if [ ! -d $(MANDIR) ]; then \
mkdir $(MANDIR); \
fi
@INSTALL@ -m 0644 query-loc.1 $(MANDIR)
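Review bot: the `install:` target creates `$(MANDIR)` with a bare `mkdir`, which fails when `@prefix@/share/man` does not exist yet; `mkdir -p` or `@INSTALL@ -d $(MANDIR)` (the bundled install-sh supports `-d`) would be safer. `DESTDIR=@prefix@` also repurposes the conventional staging-root variable: `BINDIR` and `MANDIR` are derived from `@prefix@` directly and never reference `$(DESTDIR)`, so `make DESTDIR=/tmp/stage install` would still write into the real prefix.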

View file

@ -1,21 +0,0 @@
query-loc: a program to retrieve and display the location
information in the DNS.
It uses the algorithms described in
RFC 1876 (and RFC 1101 to get the network names).
You can find examples of networks wchich implement this scheme
in the ADDRESSES file.
It is under the General Public Licence (GPL, which
you can fetch from <http://www.gnu.org/copyleft/gpl.html>.
Copyright Stéphane Bortzmeyer <bortzmeyer@sources.org>, 1998-2007.
Thanks to Paul Vixie for the RFC and its encouragements. Thanks
to Björn Augustsson for the xtraceroute program
<http://www.dtek.chalmers.se/~d3august/xt/>. Thanks to Roland
Dirlewanger for extensive patching.
$Id: README,v 1.1 2008/02/15 01:47:15 marka Exp $

View file

@ -1,7 +0,0 @@
query-loc [-v] [-d nnn] host-name-or-address
Examples of hosts with LOCation info (quite uncommon, if you know more,
please tell me):
See the ADDRESSES file

View file

@ -1,73 +0,0 @@
/* config.h.in. Generated from configure.in by autoheader. */
/* Define to 1 if you have the <arpa/nameser_compat.h> header file. */
#undef HAVE_ARPA_NAMESER_COMPAT_H
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have the `resolv' library (-lresolv). */
#undef HAVE_LIBRESOLV
/* Is there a loc_ntoa on this system? */
#undef HAVE_LOC_NTOA
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the full name of this package. */
#undef PACKAGE_NAME
/* Define to the full name and version of this package. */
#undef PACKAGE_STRING
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the home page for this package. */
#undef PACKAGE_URL
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* The size of `char', as computed by sizeof. */
#undef SIZEOF_CHAR
/* The size of `int', as computed by sizeof. */
#undef SIZEOF_INT
/* The size of `long', as computed by sizeof. */
#undef SIZEOF_LONG
/* The size of `short', as computed by sizeof. */
#undef SIZEOF_SHORT
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define to empty if `const' does not conform to ANSI C. */
#undef const

File diff suppressed because it is too large Load diff
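Review bot: the generated configure script is suppressed here and cannot be reviewed inline; since configure.in is deleted in the same commit and Makefile.in carries a `./reconf` step, the generated file is expected to go with them, and nothing elsewhere in the visible hunks references it.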

View file

@ -1,66 +0,0 @@
dnl Process this file with autoconf to produce a configure script.
AC_RELEASE("$Id: configure.in,v 1.1 2008/02/15 01:47:15 marka Exp $")
AC_INIT(query-loc.c)
dnl Checks for programs.
AC_PROG_CC
if test "$GCC" = "yes"; then
CFLAGS="${CFLAGS} -Wall"
fi
AC_PROG_INSTALL
dnl Checks for libraries.
AC_CHECK_LIB(resolv, res_query)
dnl Checks for header files.
AC_HEADER_STDC
AC_CONFIG_HEADER(config.h)
AC_CHECK_HEADER(resolv.h, , AC_MSG_ERROR("No headers for name service applications"))
AC_CHECK_HEADER(arpa/nameser.h, , AC_MSG_ERROR("No headers for name service applications"))
AC_CHECK_HEADERS(arpa/nameser_compat.h)
AC_CHECK_HEADER(sys/time.h, , AC_MSG_ERROR("Mandatory header missing on your system"))
AC_CHECK_HEADER(unistd.h, , AC_MSG_ERROR("Mandatory header missing on your system"))
dnl This one is only useful for Solaris?
AC_MSG_CHECKING(if libnsl is mandatory)
AC_TRY_LINK([#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#ifdef HAVE_ARPA_NAMESER_COMPAT_H
#include <arpa/nameser_compat.h>
#endif
#include <resolv.h>
union
{
HEADER hdr;
u_char buf[4096]; /* With RFC 2671, otherwise 512 is enough */
}
response;
char *domain;
int requested_type; ],
[res_query(domain,
C_IN,
requested_type,
(u_char *) & response,
sizeof (response)) ],
[AC_MSG_RESULT(no)],
[AC_MSG_RESULT(yes); LIBS="${LIBS} -lnsl"])
dnl Check for the loc_ntoa macro/function
AC_MSG_CHECKING(loc_ntoa)
AC_TRY_LINK([#include <resolv.h>],
[u_char *cp; char *result; loc_ntoa(cp, result)],
[AC_MSG_RESULT(yes); AC_DEFINE(HAVE_LOC_NTOA,,[Is there a loc_ntoa on this system?])],
[AC_MSG_RESULT([no, using the alternative]); LOC_NTOA=loc_ntoa.o])
AC_SUBST(LOC_NTOA)
dnl Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
AC_CHECK_SIZEOF(long)
AC_CHECK_SIZEOF(int)
AC_CHECK_SIZEOF(short)
AC_CHECK_SIZEOF(char)
dnl Misc.
AC_OUTPUT(Makefile)
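Review bot: `AC_CHECK_LIB(resolv, res_query)` probes the symbol `res_query` without including <resolv.h>, and on glibc that name has historically been a macro for `__res_query`, so the probe can report the library as missing and leave `-lresolv` out of LIBS even though the later AC_TRY_LINK tests call res_query; checking `__res_query` as a fallback, or using `AC_SEARCH_LIBS` with a header-based link test, is the usual fix. `AC_TRY_LINK`, `AC_INIT(query-loc.c)` and `AC_CONFIG_HEADER` are also the pre-2.50 forms (`AC_LINK_IFELSE`, `AC_INIT([name],[version])`, `AC_CONFIG_HEADERS`) that recent autoconf warns about, which matters only if this code is resurrected from its upstream location.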

View file

@ -1,323 +0,0 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2005-02-02.21
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright (C) 1994 X Consortium
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch. It can only install one file at a time, a restriction
# shared with many OS's install programs.
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit="${DOITPROG-}"
# put in absolute paths if you don't have them in your path; or use env. vars.
mvprog="${MVPROG-mv}"
cpprog="${CPPROG-cp}"
chmodprog="${CHMODPROG-chmod}"
chownprog="${CHOWNPROG-chown}"
chgrpprog="${CHGRPPROG-chgrp}"
stripprog="${STRIPPROG-strip}"
rmprog="${RMPROG-rm}"
mkdirprog="${MKDIRPROG-mkdir}"
chmodcmd="$chmodprog 0755"
chowncmd=
chgrpcmd=
stripcmd=
rmcmd="$rmprog -f"
mvcmd="$mvprog"
src=
dst=
dir_arg=
dstarg=
no_target_directory=
usage="Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
or: $0 [OPTION]... SRCFILES... DIRECTORY
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
or: $0 [OPTION]... -d DIRECTORIES...
In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.
Options:
-c (ignored)
-d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER.
-s $stripprog installed files.
-t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory.
--help display this help and exit.
--version display version info and exit.
Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG
"
while test -n "$1"; do
case $1 in
-c) shift
continue;;
-d) dir_arg=true
shift
continue;;
-g) chgrpcmd="$chgrpprog $2"
shift
shift
continue;;
--help) echo "$usage"; exit $?;;
-m) chmodcmd="$chmodprog $2"
shift
shift
continue;;
-o) chowncmd="$chownprog $2"
shift
shift
continue;;
-s) stripcmd=$stripprog
shift
continue;;
-t) dstarg=$2
shift
shift
continue;;
-T) no_target_directory=true
shift
continue;;
--version) echo "$0 $scriptversion"; exit $?;;
*) # When -d is used, all remaining arguments are directories to create.
# When -t is used, the destination is already specified.
test -n "$dir_arg$dstarg" && break
# Otherwise, the last argument is the destination. Remove it from $@.
for arg
do
if test -n "$dstarg"; then
# $@ is not empty: it contains at least $arg.
set fnord "$@" "$dstarg"
shift # fnord
fi
shift # arg
dstarg=$arg
done
break;;
esac
done
if test -z "$1"; then
if test -z "$dir_arg"; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call `install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
for src
do
# Protect names starting with `-'.
case $src in
-*) src=./$src ;;
esac
if test -n "$dir_arg"; then
dst=$src
src=
if test -d "$dst"; then
mkdircmd=:
chmodcmd=
else
mkdircmd=$mkdirprog
fi
else
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if test ! -f "$src" && test ! -d "$src"; then
echo "$0: $src does not exist." >&2
exit 1
fi
if test -z "$dstarg"; then
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dstarg
# Protect names starting with `-'.
case $dst in
-*) dst=./$dst ;;
esac
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
if test -d "$dst"; then
if test -n "$no_target_directory"; then
echo "$0: $dstarg: Is a directory" >&2
exit 1
fi
dst=$dst/`basename "$src"`
fi
fi
# This sed command emulates the dirname command.
dstdir=`echo "$dst" | sed -e 's,/*$,,;s,[^/]*$,,;s,/*$,,;s,^$,.,'`
# Make sure that the destination directory exists.
# Skip lots of stat calls in the usual case.
if test ! -d "$dstdir"; then
defaultIFS='
'
IFS="${IFS-$defaultIFS}"
oIFS=$IFS
# Some sh's can't handle IFS=/ for some reason.
IFS='%'
set x `echo "$dstdir" | sed -e 's@/@%@g' -e 's@^%@/@'`
shift
IFS=$oIFS
pathcomp=
while test $# -ne 0 ; do
pathcomp=$pathcomp$1
shift
if test ! -d "$pathcomp"; then
$mkdirprog "$pathcomp"
# mkdir can fail with a `File exist' error in case several
# install-sh are creating the directory concurrently. This
# is OK.
test -d "$pathcomp" || exit
fi
pathcomp=$pathcomp/
done
fi
if test -n "$dir_arg"; then
$doit $mkdircmd "$dst" \
&& { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \
&& { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \
&& { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \
&& { test -z "$chmodcmd" || $doit $chmodcmd "$dst"; }
else
dstfile=`basename "$dst"`
# Make a couple of temp file names in the proper directory.
dsttmp=$dstdir/_inst.$$_
rmtmp=$dstdir/_rm.$$_
# Trap to clean up those temp files at exit.
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
trap '(exit $?); exit' 1 2 13 15
# Copy the file name to the temp name.
$doit $cpprog "$src" "$dsttmp" &&
# and set any options; do chmod last to preserve setuid bits.
#
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $cpprog $src $dsttmp" command.
#
{ test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } \
&& { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } \
&& { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } \
&& { test -z "$chmodcmd" || $doit $chmodcmd "$dsttmp"; } &&
# Now rename the file to the real destination.
{ $doit $mvcmd -f "$dsttmp" "$dstdir/$dstfile" 2>/dev/null \
|| {
# The rename failed, perhaps because mv can't rename something else
# to itself, or perhaps because mv is so ancient that it does not
# support -f.
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
if test -f "$dstdir/$dstfile"; then
$doit $rmcmd -f "$dstdir/$dstfile" 2>/dev/null \
|| $doit $mvcmd -f "$dstdir/$dstfile" "$rmtmp" 2>/dev/null \
|| {
echo "$0: cannot unlink or rename $dstdir/$dstfile" >&2
(exit 1); exit 1
}
else
:
fi
} &&
# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dstdir/$dstfile"
}
}
fi || { (exit 1); exit 1; }
done
# The final little trick to "correctly" pass the exit status to the exit trap.
{
(exit 0); exit 0
}
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:

View file

@ -1,602 +0,0 @@
#include "loc.h"
/* $Id: loc.c,v 1.1 2008/02/15 01:47:15 marka Exp $ */
/* Global variables */
short rr_errno;
/*
Prints the actual usage
*/
void
usage ()
{
(void) fprintf (stderr,
"Usage: %s: [-v] [-d nnn] hostname\n", progname);
exit (2);
}
/*
Panics
*/
void
panic (message)
char *message;
{
(void) fprintf (stderr,
"%s: %s\n", progname, message);
exit (2);
}
/*
** IN_ADDR_ARPA -- Convert dotted quad string to reverse in-addr.arpa
** ------------------------------------------------------------------
**
** Returns:
** Pointer to appropriate reverse in-addr.arpa name
** with trailing dot to force absolute domain name.
** NULL in case of invalid dotted quad input string.
*/
#ifndef ARPA_ROOT
#define ARPA_ROOT "in-addr.arpa"
#endif
char *
in_addr_arpa (dottedquad)
char *dottedquad; /* input string with dotted quad */
{
static char addrbuf[4 * 4 + sizeof (ARPA_ROOT) + 2];
unsigned int a[4];
register int n;
n = sscanf (dottedquad, "%u.%u.%u.%u", &a[0], &a[1], &a[2], &a[3]);
switch (n)
{
case 4:
(void) sprintf (addrbuf, "%u.%u.%u.%u.%s.",
a[3] & 0xff, a[2] & 0xff, a[1] & 0xff, a[0] & 0xff, ARPA_ROOT);
break;
case 3:
(void) sprintf (addrbuf, "%u.%u.%u.%s.",
a[2] & 0xff, a[1] & 0xff, a[0] & 0xff, ARPA_ROOT);
break;
case 2:
(void) sprintf (addrbuf, "%u.%u.%s.",
a[1] & 0xff, a[0] & 0xff, ARPA_ROOT);
break;
case 1:
(void) sprintf (addrbuf, "%u.%s.",
a[0] & 0xff, ARPA_ROOT);
break;
default:
return (NULL);
}
while (--n >= 0)
if (a[n] > 255)
return (NULL);
return (addrbuf);
}
/*
Returns a human-readable version of the LOC information or
NULL if it failed. Argument is a name (of a network or a machine)
and a boolean telling is it is a network name or a machine name.
*/
char *
getlocbyname (name, is_network)
const char *name;
short is_network;
{
char *result;
struct list_in_addr *list, *p;
result = findRR (name, T_LOC);
if (result != NULL)
{
if (debug >= 2)
printf ("LOC record found for the name %s\n", name);
return result;
}
else
{
if (!is_network)
{
list = findA (name);
if (debug >= 2)
printf ("No LOC record found for the name %s, trying addresses\n", name);
if (list != NULL)
{
for (p = list; p != NULL; p = p->next)
{
if (debug >= 2)
printf ("Trying address %s\n", inet_ntoa (p->addr));
result = getlocbyaddr (p->addr, NULL);
if (result != NULL)
return result;
}
return NULL;
}
else
{
if (debug >= 2)
printf (" No A record found for %s\n", name);
return NULL;
}
}
else
{
if (debug >= 2)
printf ("No LOC record found for the network name %s\n", name);
return NULL;
}
}
}
/*
Returns a human-readable version of the LOC information or
NULL if it failed. Argument is an IP address.
*/
char *
getlocbyaddr (addr, mask)
const struct in_addr addr;
const struct in_addr *mask;
{
struct in_addr netaddr;
u_int32_t a;
struct in_addr themask;
char text_addr[sizeof("255.255.255.255")],
text_mask[sizeof("255.255.255.255")];
if (mask == NULL)
{
themask.s_addr = (u_int32_t) 0;
}
else
{
themask = *mask;
}
strcpy (text_addr, inet_ntoa (addr));
strcpy (text_mask, inet_ntoa (themask));
if (debug >= 2)
printf ("Testing address %s/%s\n", text_addr, text_mask);
if (mask == NULL)
{
a = ntohl (addr.s_addr);
if (IN_CLASSA (a))
{
netaddr.s_addr = htonl (a & IN_CLASSA_NET);
themask.s_addr = htonl(IN_CLASSA_NET);
}
else if (IN_CLASSB (a))
{
netaddr.s_addr = htonl (a & IN_CLASSB_NET);
themask.s_addr = htonl(IN_CLASSB_NET);
}
else if (IN_CLASSC (a))
{
netaddr.s_addr = htonl (a & IN_CLASSC_NET);
themask.s_addr = htonl(IN_CLASSC_NET);
}
else
{
/* Error */
return NULL;
}
return getlocbynet (in_addr_arpa (inet_ntoa (netaddr)), addr, &themask);
}
else
{
netaddr.s_addr = addr.s_addr & themask.s_addr;
return getlocbynet (in_addr_arpa (inet_ntoa (netaddr)), addr, mask);
}
}
/*
Returns a human-readable LOC.
Argument is a network name in the 0.z.y.x.in-addr.arpa format
and the original address
*/
char *
getlocbynet (name, addr, mask)
char *name;
struct in_addr addr;
struct in_addr *mask;
{
char *network;
char *result;
struct list_in_addr *list;
struct in_addr newmask;
u_int32_t a;
char newname[4 * 4 + sizeof (ARPA_ROOT) + 2];
if (debug >= 2)
printf ("Testing network %s with mask %s\n", name, inet_ntoa(*mask));
/* Check if this network has an A RR */
list = findA (name);
if (list != NULL)
{
/* Yes, it does. This A record will be used as the
* new mask for recursion if it is longer than
* the actual mask. */
if (mask != NULL && mask->s_addr < list->addr.s_addr)
{
/* compute the new arguments for recursion
* - compute the new network by applying the new mask
* to the address and get the in_addr_arpa representation
* of it.
* - the address remains unchanged
* - the new mask is the one given in the A record
*/
a = ntohl(addr.s_addr); /* start from host address */
a &= ntohl(list->addr.s_addr); /* apply new mask */
newname[sizeof newname - 1] = 0;
strncpy(
newname,
in_addr_arpa(inet_ntoa(inet_makeaddr(a, 0))),
sizeof newname);
newmask = inet_makeaddr(ntohl(list->addr.s_addr), 0);
result = getlocbynet (newname, addr, &newmask);
if (result != NULL)
{
return result;
}
}
/* couldn't find a LOC. Fall through and try with name */
}
/* Check if this network has a name */
network = findRR (name, T_PTR);
if (network == NULL)
{
if (debug >= 2)
printf ("No name for network %s\n", name);
return NULL;
}
else
{
return getlocbyname (network, TRUE);
}
}
/*
The code for these two functions is stolen from the examples in Liu and Albitz
book "DNS and BIND" (O'Reilly).
*/
/****************************************************************
* skipName -- This routine skips over a domain name. If the *
* domain name expansion fails, it crashes. *
* dn_skipname() is probably not on your manual *
* page; it is similar to dn_expand() except that it just *
* skips over the name. dn_skipname() is in res_comp.c if *
* you need to find it. *
****************************************************************/
int
skipName (cp, endOfMsg)
u_char *cp;
u_char *endOfMsg;
{
int n;
if ((n = dn_skipname (cp, endOfMsg)) < 0)
{
panic ("dn_skipname failed\n");
}
return (n);
}
/****************************************************************
* skipToData -- This routine advances the cp pointer to the *
* start of the resource record data portion. On the way, *
* it fills in the type, class, ttl, and data length *
****************************************************************/
int
skipToData (cp, type, class, ttl, dlen, endOfMsg)
u_char *cp;
u_short *type;
u_short *class;
u_int32_t *ttl;
u_short *dlen;
u_char *endOfMsg;
{
u_char *tmp_cp = cp; /* temporary version of cp */
/* Skip the domain name; it matches the name we looked up */
tmp_cp += skipName (tmp_cp, endOfMsg);
/*
* Grab the type, class, and ttl. GETSHORT and GETLONG
* are macros defined in arpa/nameser.h.
*/
GETSHORT (*type, tmp_cp);
GETSHORT (*class, tmp_cp);
GETLONG (*ttl, tmp_cp);
GETSHORT (*dlen, tmp_cp);
return (tmp_cp - cp);
}
/*
Returns a human-readable version of a DNS RR (resource record)
associated with the name 'domain'.
If it does not find, ir returns NULL and sets rr_errno to explain why.
The code for this function is stolen from the examples in Liu and Albitz
book "DNS and BIND" (O'Reilly).
*/
char *
findRR (domain, requested_type)
char *domain;
int requested_type;
{
char *result, *message;
union
{
HEADER hdr; /* defined in resolv.h */
u_char buf[PACKETSZ]; /* defined in arpa/nameser.h */
}
response; /* response buffers */
short found = 0;
int responseLen; /* buffer length */
u_char *cp; /* character pointer to parse DNS packet */
u_char *endOfMsg; /* need to know the end of the message */
u_short class; /* classes defined in arpa/nameser.h */
u_short type; /* types defined in arpa/nameser.h */
u_int32_t ttl; /* resource record time to live */
u_short dlen; /* size of resource record data */
int i, count, dup; /* misc variables */
char *ptrList[1];
int ptrNum = 0;
struct in_addr addr;
result = (char *) malloc (256);
message = (char *) malloc (256);
if (result == NULL || message == NULL)
{
panic ("Malloc failed");
}
/*
* Look up the records for the given domain name.
* We expect the domain to be a fully qualified name, so
* we use res_query(). If we wanted the resolver search
* algorithm, we would have used res_search() instead.
*/
if ((responseLen =
res_query (domain, /* the domain we care about */
C_IN, /* Internet class records */
requested_type, /* Look up name server records */
(u_char *) & response, /*response buffer */
sizeof (response))) /*buffer size */
< 0)
{ /*If negative */
rr_errno = h_errno;
return NULL;
}
/*
* Keep track of the end of the message so we don't
* pass it while parsing the response. responseLen is
* the value returned by res_query.
*/
endOfMsg = response.buf + responseLen;
/*
* Set a pointer to the start of the question section,
* which begins immediately AFTER the header.
*/
cp = response.buf + sizeof (HEADER);
/*
* Skip over the whole question section. The question
* section is comprised of a name, a type, and a class.
* QFIXEDSZ (defined in arpa/nameser.h) is the size of
* the type and class portions, which is fixed. Therefore,
* we can skip the question section by skipping the
* name (at the beginning) and then advancing QFIXEDSZ.
* After this calculation, cp points to the start of the
* answer section, which is a list of NS records.
*/
cp += skipName (cp, endOfMsg) + QFIXEDSZ;
count = ntohs (response.hdr.ancount) +
ntohs (response.hdr.nscount);
while ((--count >= 0) /* still more records */
&& (cp < endOfMsg))
{ /* still inside the packet */
/* Skip to the data portion of the resource record */
cp += skipToData (cp, &type, &class, &ttl, &dlen, endOfMsg);
if (type == requested_type)
{
switch (requested_type)
{
case (T_LOC):
loc_ntoa (cp, result);
return result;
break;
case (T_PTR):
ptrList[ptrNum] = (char *) malloc (MAXDNAME);
if (ptrList[ptrNum] == NULL)
{
panic ("Malloc failed");
}
if (dn_expand (response.buf, /* Start of the packet */
endOfMsg, /* End of the packet */
cp, /* Position in the packet */
(char *) ptrList[ptrNum], /* Result */
MAXDNAME) /* size of ptrList buffer */
< 0)
{ /* Negative: error */
panic ("dn_expand failed");
}
/*
* Check the name we've just unpacked and add it to
* the list if it is not a duplicate.
* If it is a duplicate, just ignore it.
*/
for (i = 0, dup = 0; (i < ptrNum) && !dup; i++)
dup = !strcasecmp (ptrList[i], ptrList[ptrNum]);
if (dup)
free (ptrList[ptrNum]);
else
ptrNum++;
strcpy (result, ptrList[0]);
return result;
break;
case (T_A):
bcopy ((char *) cp, (char *) &addr, INADDRSZ);
strcat (result, " ");
strcat (result, inet_ntoa (addr));
found = 1;
break;
default:
sprintf (message, "Unexpected type %u", requested_type);
panic (message);
}
}
/* Advance the pointer over the resource record data */
cp += dlen;
} /* end of while */
if (found)
return result;
else
return NULL;
}
struct list_in_addr *
findA (domain)
char *domain;
{
struct list_in_addr *result, *end;
union
{
HEADER hdr; /* defined in resolv.h */
u_char buf[PACKETSZ]; /* defined in arpa/nameser.h */
}
response; /* response buffers */
int responseLen; /* buffer length */
u_char *cp; /* character pointer to parse DNS packet */
u_char *endOfMsg; /* need to know the end of the message */
u_short class; /* classes defined in arpa/nameser.h */
u_short type; /* types defined in arpa/nameser.h */
u_int32_t ttl; /* resource record time to live */
u_short dlen; /* size of resource record data */
int count; /* misc variables */
struct in_addr addr;
end = NULL;
result = NULL;
/*
* Look up the records for the given domain name.
* We expect the domain to be a fully qualified name, so
* we use res_query(). If we wanted the resolver search
* algorithm, we would have used res_search() instead.
*/
if ((responseLen =
res_query (domain, /* the domain we care about */
C_IN, /* Internet class records */
T_A,
(u_char *) & response, /*response buffer */
sizeof (response))) /*buffer size */
< 0)
{ /*If negative */
rr_errno = h_errno;
return NULL;
}
/*
* Keep track of the end of the message so we don't
* pass it while parsing the response. responseLen is
* the value returned by res_query.
*/
endOfMsg = response.buf + responseLen;
/*
* Set a pointer to the start of the question section,
* which begins immediately AFTER the header.
*/
cp = response.buf + sizeof (HEADER);
/*
* Skip over the whole question section. The question
* section is comprised of a name, a type, and a class.
* QFIXEDSZ (defined in arpa/nameser.h) is the size of
* the type and class portions, which is fixed. Therefore,
* we can skip the question section by skipping the
* name (at the beginning) and then advancing QFIXEDSZ.
* After this calculation, cp points to the start of the
* answer section, which is a list of NS records.
*/
cp += skipName (cp, endOfMsg) + QFIXEDSZ;
count = ntohs (response.hdr.ancount) +
ntohs (response.hdr.nscount);
while ((--count >= 0) /* still more records */
&& (cp < endOfMsg))
{ /* still inside the packet */
/* Skip to the data portion of the resource record */
cp += skipToData (cp, &type, &class, &ttl, &dlen, endOfMsg);
if (type == T_A)
{
bcopy ((char *) cp, (char *) &addr, INADDRSZ);
if (end == NULL)
{
result = (void *) malloc (sizeof (struct list_in_addr));
if (result == NULL)
{
panic ("Malloc failed");
}
result->addr = addr;
result->next = NULL;
end = result;
}
else
{
end->next = (void *) malloc (sizeof (struct list_in_addr));
if (end->next == NULL)
{
panic ("Malloc failed");
}
end = end->next;
end->addr = addr;
end->next = NULL;
}
}
/* Advance the pointer over the resource record data */
cp += dlen;
} /* end of while */
return result;
}
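Review bot: findRR() never initialises the 256-byte `result` it malloc()s, yet the `T_A` case appends to it with `strcat(result, " ")`, so the first append runs on uninitialised memory; `result[0] = '\0'` after the allocation (or calloc) is needed. The response parser is also unbounded: skipToData() reads type, class, ttl and dlen with GETSHORT/GETLONG without confirming that 10 bytes remain before `endOfMsg`, and both findRR() and findA() advance `cp += dlen` without checking `cp + dlen <= endOfMsg`, so a truncated or malformed answer (the `PACKETSZ` buffer is 512 bytes, so truncation is routine with EDNS-sized replies) can read past the response buffer; a length check before each fixed-size read and `if (cp + dlen > endOfMsg) break;` in the loop would harden it. Minor: `message` and the `ptrList` entry are never freed on the return paths, and `ptrList[1]` is sized for a single entry even though `ptrNum++` is written as if it could grow.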

View file

@ -1,81 +0,0 @@
/* $Id: loc.h,v 1.1 2008/02/15 01:47:15 marka Exp $ */
#define VERSION "0.4.0"
#include "config.h"
/* Probably too many inclusions but this is to keep 'gcc -Wall' happy... */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <arpa/nameser.h>
#ifdef HAVE_ARPA_NAMESER_COMPAT_H
#include <arpa/nameser_compat.h>
#endif
#include <resolv.h>
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
#if SIZEOF_LONG == 4
#define u_int32_t unsigned long
#ifndef int32_t
#define int32_t long
#endif
#else
#define u_int32_t unsigned int
#ifndef int32_t
#define int32_t int
#endif
#endif
#if SIZEOF_CHAR == 1
#define u_int8_t unsigned char
#ifndef int8_t
#define int8_t char
#endif
#else
#if SIZEOF_SHORT == 1
#define u_int8_t unsigned short
#ifndef int8_t
#define int8_t short
#endif
#else
#error "No suitable native type for storing bytes"
#endif
#endif
#ifndef INADDR_NONE
#define INADDR_NONE (in_addr_t)-1
#endif
struct list_in_addr
{
struct in_addr addr;
void *next;
};
void usage ();
void panic ();
char *getlocbyname ();
char *getlocbyaddr ();
char *getlocbynet ();
char *findRR ();
struct list_in_addr *findA ();
extern char *progname;
extern short debug;
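Review bot: the header being removed redefines system typedefs with macros (`#define u_int32_t unsigned long`, `#define int8_t char`) after `<sys/types.h>` has already been included, and declares every function with an empty K&R parameter list (`char *findRR ();`, `struct list_in_addr *findA ();`), so call sites get no argument checking at all. Both would have needed fixing had the copy stayed, so dropping it and pointing at the upstream location is preferable to patching it in place.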

View file

@ -1,235 +0,0 @@
/* Stolen from BIND */
/*
* Copyright (c) 1985
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* Portions Copyright (c) 1993 by Digital Equipment Corporation.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies, and that
* the name of Digital Equipment Corporation not be used in advertising or
* publicity pertaining to distribution of the document or software without
* specific, written prior permission.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
* WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
* CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*/
/*
* Portions Copyright (c) 1995 by International Business Machines, Inc.
*
* International Business Machines, Inc. (hereinafter called IBM) grants
* permission under its copyrights to use, copy, modify, and distribute this
* Software with or without fee, provided that the above copyright notice and
* all paragraphs of this notice appear in all copies, and that the name of IBM
* not be used in connection with the marketing of any product incorporating
* the Software or modifications thereof, without specific, written prior
* permission.
*
* To the extent it has a right to do so, IBM grants an immunity from suit
* under its patents, if any, for the use, sale or manufacture of products to
* the extent that such products are used for performing Domain Name System
* dynamic updates in TCP/IP networks by means of the Software. No immunity is
* granted for any product per se or for any other function of any product.
*
* THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
* DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/
/*
* Copyright (C) 1996-1999, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <ctype.h>
#include <errno.h>
#include <math.h>
#include <netdb.h>
#include <resolv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "loc.h"
const char *precsize_ntoa();
/* takes an on-the-wire LOC RR and formats it in a human readable format. */
const char *
loc_ntoa(binary, ascii)
const u_char *binary;
char *ascii;
{
static char *error = "?";
static char tmpbuf[sizeof
"1000 60 60.000 N 1000 60 60.000 W -12345678.00m 90000000.00m 90000000.00m 90000000.00m"];
const u_char *cp = binary;
int latdeg, latmin, latsec, latsecfrac;
int longdeg, longmin, longsec, longsecfrac;
char northsouth, eastwest;
int altmeters, altfrac, altsign;
const u_int32_t referencealt = 100000 * 100;
int32_t latval, longval, altval;
u_int32_t templ;
u_int8_t sizeval, hpval, vpval, versionval;
char *sizestr, *hpstr, *vpstr;
versionval = *cp++;
if (ascii == NULL)
ascii = tmpbuf;
if (versionval) {
(void) sprintf(ascii, "; error: unknown LOC RR version");
return (ascii);
}
sizeval = *cp++;
hpval = *cp++;
vpval = *cp++;
GETLONG(templ, cp);
latval = (templ - ((unsigned)1<<31));
GETLONG(templ, cp);
longval = (templ - ((unsigned)1<<31));
GETLONG(templ, cp);
if (templ < referencealt) { /* below WGS 84 spheroid */
altval = referencealt - templ;
altsign = -1;
} else {
altval = templ - referencealt;
altsign = 1;
}
if (latval < 0) {
northsouth = 'S';
latval = -latval;
} else
northsouth = 'N';
latsecfrac = latval % 1000;
latval = latval / 1000;
latsec = latval % 60;
latval = latval / 60;
latmin = latval % 60;
latval = latval / 60;
latdeg = latval;
if (longval < 0) {
eastwest = 'W';
longval = -longval;
} else
eastwest = 'E';
longsecfrac = longval % 1000;
longval = longval / 1000;
longsec = longval % 60;
longval = longval / 60;
longmin = longval % 60;
longval = longval / 60;
longdeg = longval;
altfrac = altval % 100;
altmeters = (altval / 100) * altsign;
if ((sizestr = strdup(precsize_ntoa(sizeval))) == NULL)
sizestr = error;
if ((hpstr = strdup(precsize_ntoa(hpval))) == NULL)
hpstr = error;
if ((vpstr = strdup(precsize_ntoa(vpval))) == NULL)
vpstr = error;
sprintf(ascii,
"%d %.2d %.2d.%.3d %c %d %.2d %.2d.%.3d %c %d.%.2dm %sm %sm %sm",
latdeg, latmin, latsec, latsecfrac, northsouth,
longdeg, longmin, longsec, longsecfrac, eastwest,
altmeters, altfrac, sizestr, hpstr, vpstr);
if (sizestr != error)
free(sizestr);
if (hpstr != error)
free(hpstr);
if (vpstr != error)
free(vpstr);
return (ascii);
}
static unsigned int poweroften[10] = {1, 10, 100, 1000, 10000, 100000,
1000000,10000000,100000000,1000000000};
/* takes an XeY precision/size value, returns a string representation. */
const char *
precsize_ntoa(prec)
u_int8_t prec;
{
static char retbuf[sizeof "90000000.00"]; /* XXX nonreentrant */
unsigned long val;
int mantissa, exponent;
mantissa = (int)((prec >> 4) & 0x0f) % 10;
exponent = (int)((prec >> 0) & 0x0f) % 10;
val = mantissa * poweroften[exponent];
(void) sprintf(retbuf, "%ld.%.2ld", val/100, val%100);
return (retbuf);
}
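Review bot: `loc_ntoa(binary, ascii)` takes no length for either buffer: it reads 16 bytes of RDATA from `binary` (one byte each for version, size, hp and vp, then three GETLONG calls) and `sprintf`s into whatever `ascii` the caller supplies, with the worst-case output length documented only by the `tmpbuf` declaration, and `precsize_ntoa` returns a static buffer it itself marks `XXX nonreentrant`. The `/* Stolen from BIND */` comment at the top says why the file is redundant, since BIND proper carries the maintained version of this routine, so deleting the contrib duplicate is the correct resolution.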

View file

@ -1,55 +0,0 @@
.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH QUERY-LOC 1 "January 11, 2005"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
query-loc \- to retrieve and display the location information in the DNS
.SH SYNOPSIS
.B query-loc
.RI [-v] [-d nnn] " host"
.SH DESCRIPTION
This manual page documents briefly the
.B query-loc
command.
.PP
.\" TeX users may be more comfortable with the \fB<whatever>\fP and
.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
.\" respectively.
\fBquery-loc\fP is a program to retrieve and display the location
information in the DNS.
It uses the algorithms described in
RFC 1876 (and RFC 1101 to get the network names).
You can find examples of networks wchich implement this scheme
in the ADDRESSES file.
.SH OPTIONS
.TP
.B \-v
Verbose mode.
.TP
.B \-d nnn
Debug mode. Displays the RFC's algorithm
.SH BUGS
Very few hosts have location information.
.SH AUTHOR
This manual page was written by Stephane Bortzmeyer
<bortzmeyer@debian.org>.
.\" $Id: query-loc.1,v 1.1 2008/02/15 01:47:15 marka Exp $

View file

@ -1,98 +0,0 @@
#include "loc.h"
/* $Id: query-loc.c,v 1.1 2008/02/15 01:47:15 marka Exp $ */
/* Global variables */
char *progname;
short debug;
int
main (argc, argv)
int argc;
char *argv[];
{
extern char *optarg;
extern int optind;
short verbose = FALSE;
char *host;
char ch;
char *loc = NULL;
struct in_addr addr;
struct hostent *hp;
progname = argv[0];
while ((ch = getopt (argc, argv, "vd:")) != EOF)
{
switch (ch)
{
case 'v':
verbose = TRUE;
break;
case 'd':
debug = atoi (optarg);
if (debug <= 0)
{
(void) fprintf (stderr,
"%s: illegal debug value.\n", progname);
exit (2);
}
break;
default:
usage ();
}
}
argc -= optind;
argv += optind;
if (argc != 1)
{
usage ();
}
if (verbose || debug)
{
printf ("\nThis is %s, version %s.\n\n", progname, VERSION);
}
host = argv[0];
(void) res_init ();
if ((addr.s_addr = inet_addr (host)) == INADDR_NONE)
{
if (debug >= 1)
printf ("%s is a name\n", host);
loc = getlocbyname (host, FALSE);
}
else
{
if (debug >= 1)
printf ("%s is an IP address ", host);
hp = (struct hostent *) gethostbyaddr
((char *) &addr, sizeof (addr), AF_INET);
if (hp)
{
if (debug >= 1)
printf ("and %s is its official name\n",
hp->h_name);
loc = getlocbyname (hp->h_name, FALSE);
}
else
{
if (debug >= 1)
printf ("which has no name\n");
loc = getlocbyaddr (addr, NULL);
}
}
if (loc == NULL)
{
printf ("No LOCation found for %s\n", host);
exit (1);
}
else
{
if (verbose || debug)
printf ("LOCation for %s is ", host);
printf ("%s\n", loc);
exit (0);
}
}
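Review bot: in the main() being removed, `char ch;` holds the return value of `getopt()` and the loop compares it against `EOF` (`while ((ch = getopt (argc, argv, "vd:")) != EOF)`); getopt returns an int and signals the end of options with -1, so on platforms where char is unsigned the comparison never terminates the loop. At the same site, `inet_addr (host)` returns INADDR_NONE both for a parse failure and for 255.255.255.255, so that address would be handled as a hostname. Neither needs a fix in this commit since the file goes away, but both are worth knowing before adopting the upstream copy as-is.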

View file

@ -1,8 +0,0 @@
#!/bin/sh
# $Id: reconf,v 1.1 2008/02/15 01:47:15 marka Exp $
autoreconf
# We do not use automake but we need its install-sh file. We do not
# care about the exit code.
automake --add-missing || true

View file

@ -1,5 +0,0 @@
/zkt-conf
/zkt-keyman
/zkt-ls
/zkt-signer
/zkt-soaserial

View file

@ -1,741 +0,0 @@
zkt 1.1.3 -- 21. Nov 2014
* func New Config Parameter DependFiles added.
Contains a (comma separated) list of files which are
included into the ZoneFile. The timestamps of this files
are checked additional to the timestamp of the ZoneFile.
Based on a suggestion from Sven Strickroth
* misc Makefile changed to build tar file out of git repository
* misc Minimum supported BIND version is now 9.8
* bug Fixed bug in BIND version parsing (9.10.1 was parsed as 910
which is similar to 9.1.0)
Version 9.10.1 is parsed now as 091001
* misc Remove flag to request large exponent when creating keys
(BIND always creates keys with large exponents since BIND 9.5.0)
* misc Project moved to github
Thanks to Jakob Schlyter for doing the initial stuff
zkt 1.1.2 -- 05. Dec 2012
* bug Fixed bug introduced by changes on inc_soa_serial()
zkt 1.1.1 -- 27. Nov 2012
* bug Error fixed in zkt-conf in parsing the version number
* misc inc_soa_serial() now returns 0 on success
* bug Fixed bug in inc_serial()
The zone file wasn't closed on succesful change of the soa record.
Many thanks to Frederik Soderblom for fixing this.
zkt 1.1 -- 30. Jan 2012
* misc Release numbering changed to three level "major.minor.revison" scheme
* bug REMOVE_HOLD_TIME was set to 10 days only (Thanks to Chris Thompson)
* doc Improved README file (Thanks to Jan-Piet Mens)
* misc Fixed some typos in log messages
* bug Fixed error in rollover.c (return code of genfirstkey() wasn't checked)
* misc Default of KeySetDir changed from NULL to ".." (best for hierarchical mode)
Default Sig Lifetime changed from 10 days to 3 weeks (21 days)
Default ZSK lifetime changed from 3 months to 4 times the sig lifetime
Default KSK lifetime changed from 1 year to 2 years
Parameter checks in checkconfig() adapted.
KSK random device changed back from /dev/urandom to BIND default
(Be aware of some possibly long delay in key generation)
* func New configure option to set the bind utility path manually (--enable-bindutil_path)
BIND_UTIL_PATH in config_zkt.h will no longer used
(Thanks to Mans Nilsson)
* bug If nsec3 is turned on and KeyAlgo (or AddKeyAlgo) is RSHASHA1
or DSA, genkey() uses algorithm type NSECRSASHA1 or NSEC3DSA instead.
(Thanks to Holger Wirtz)
* bug Error in printconfigdiff() fixed. (Thanks to Holger Wirtz)
* func Description added to (some of the) dnssec.conf parameters
* func Adding a patch from Hrant Dadivanyan to always pre-publish ZSKs
* misc Config file syntax changed to parameter names without underscores.
zkt-conf uses ZKT_VERSION string as config version
* bug "make install-man" now installs all man page
* bug Bug fixed in zfparse.c. zkt-conf was unable to detect an already
included dnskey.db file if another file was included.
* misc destination dnssec-zkt removed from Makefile.in
* func dki_prt_managedkeys() added to dki.c
zkt_list_managedkeys() added to zkt.c
zkt-ls has new option -M to print out a list of managed-keys
* bug Bug fixed in the config parser (zconf.c). Couldn't parse
agorithm RSASHA512 correctly (Thanks to Michael Sinatra)
zkt 1.0 -- 15. June 2010
* func "/dev/urandom" check added to checkconfig()
* func Config compability switch (-C) added to zkt-conf
* func zkt-ls has a new switch -s to change sorting of domains from
subdomain before parent to subdomain below the parent
* func "zkt-ls -T" prints only parent trust anchor
zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )
* func Several config parameter are printed now in a more consistent and
user friendly form.
SerialFormat "Incremental" could be abbreviated as "inc" on input.
* bug use of AC_ARG_ENABLE macros changed in a way that it is possible
to use it as a "--disable-FEATURE" switch.
* port no longer checking for malloc() in configue script.
Mainly because it checks only if malloc(0) is allowed and we do
not need this.
* port --disable-color-mode added to configure script
* bug Makro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac
* misc man page zkt-keyman added
* misc New command zkt-keyman added as replacement for dnssec-zkt's key
management functionality
* misc man page zkt-ls added
* port Check for ncurses added to Makefile.in
* misc Color mode (Option -C) added to zkt-ls (experimental)
New source file tcap.c.
* misc Deprecate "single linked list" version of ZKT. The binary tree
version is the default for years, so the VERSION string does no
longer contain a "T". Now, if someone insist on the single link
list version (configure --disable-tree) a "S" is added to the
version string.
Anyway, the code for the single link list version does no longer
have the same functionality and will be removed in one of the later
releases.
* misc New command zkt-ls added as replacement for dnssec-zkt's key
listing functionality
* func New key algorithms RSASHA256 and RSAHSHA512 added to dki.[ch]
and zconf.c
New parameter NSEC3 added. Now it's possible to configure
an NSEC3_OPTOUT zone.
* bug Token parsing function gettok() fixed to recognize tokens
with dashes ("zone-statistics" was seen as "zone").
Thanks to Andreas Baess for finding this bug.
* bug Fixed bug in (re)salting dynamic zones.
sig_zone() and gensalt() needs parameter change for this
* func New option -a added to zkt-conf
* func In zconf.c CONF_TIMEINT parameter are now able to recognize
"unset" values (which is represented internaly as 0)
* func Set Max_TTL to sig lifetime for dynamic zones or if Max_TTL
is less than 1.
max_ttl checks in checkconfig() fixed.
* func printconfigdiff() added to zconf.c and used by zkt-conf.
Now local configs are printed as diff to site wide config.
* misc man page zkt-signer.8 changed to new command syntax
* func Per domain logging added. Use parameter LogDomainDir to
enable it. For more details see file README.logging.
* func distribute.sh supports new action type "distkeys" but is
currently not used
* misc LOG_FNAMETMPL changed and moved from config_zkt.h to log.h
* misc Default soa serial format changed from "Incremental"
to "Unixtime"
* func dnssec-signer command renamed to zkt-signer. Man page updated.
* func New command zkt-conf added as replacement for dnssec-zkt -Z
* misc timeint2str() is now global (zconf.c)
* func zfparse.c - a rudimentary zone file parser
scans minimum and maximum ttl values; adds $INCLUDE dnskey.db
zkt 0.99d -- Not released
* func Option SIG_DnsKeyKSK for DNSKEY signing with KSK only
added (only useful with BIND9.7)
* misc For BIND 9.7 compability:
Run dnssec-signzone in compability mode ("-C") if
SigGenerateDS is true.
Run dnssec-keygen in compability mode ("-C -q")
Add option -u to dnssec-signzone if NSEC3 chaining is requested
zkt 0.99c -- 1. Aug 2009
* misc dnssec-signer command line option vars changed to storage
class static.
* port setenv() replaced by putenv() in misc.c
* misc Install binaries in prefix/bin instead of $HOME/bin.
Fixing some spelling errors in dnssec-signzone.8 and
dnssec-zkt.8.
Thanks to Mans Nilsson.
* port timegm() check added to configure.ac
* misc configure.ac, Makefile.in, and doc is now part of distribution
* bug off by one error fixed in splitpath()
* misc is_dotfile() renamed to is_dotfilename() (misc.c)
* misc inc_soaserial() sourced out to soaserial.c
* misc reload() functions sourced out to nscomm.c
* bug Introducing parameter "KeyAlgorithm" for both ZSK and
KSK keys instead of separate KSK and ZSK algorithms.
New functions dki_algo() and dki_findalgo().
* bug Redirect stderr message (additionally to stdout) of
dnssec-signzone command to pipe.
Pick up last line of output for logging.
* misc "Sig_GenerateDS" is no longer a hidden parameter.
* misc "make clean" now remove the binary files
New target "distclean" added to Makefile
* bug Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick
Soderblum and Peter Norin for the patch)
Changed all TIMEINT parameter values to long.
* bug If someone changes the zone.db file in dynamic mode, this will be treated
the same way as an initial setup, so the zone.db file will be used as new
input file (Thanks to Shane Wegner for this patch)
* bug Option nsec3_param added to dnssec-signzone command for dynamic zones.
* func New option "NamedChrootDir" added to dnssec.conf to specify the
directory of a chrooted named. Without such an option
"dnssec-signer -N named.conf" couldn't find the zone file directory.
* misc Default ZSK lifetime set to 12 weeks instead of 3 months (30days) to
suppress the warning message about ZSK keysize of 512 bits.
zkt 0.98 -- 28. Dec 2008
* misc Target "install-man" added to Makefile
man files moved to sub directory "man"
* func If a BIND version greater equal 9.6.0 is used, option -d doesn't
initiate a resigning of a zone. It's just for key rollover.
* func New pseudo algorithms for NSEC3 DNSKEYS added.
Support of NSEC3 hashing if a BIND version greater equal 9.6.0
is used. New parameter "SaltBits" added to the config file to
set the salt length in bits (default is 24 which means 6 hex nibbles).
The number of hash iterations is set to the default value of
dnssec-signzone which depends on key size.
* misc Renaming of all example zone directories so that the directory
name does not end with a dot (Necessary for installing the
source tree in an MS-Windows environment).
str_tolowerdup() renamed to domain_canonicdup() and code added
to append a dot to the domain name if it's not already there.
* misc Add 'sec' (second) qualifier to debug output in kskrollover().
* bug Remove a trailing '/' at the -D argument.
* misc Configure script now uses the BIND_UTIL_PATH out of config_zkt.h
if the BIND dnssec-signzone command is not found
* bug A zone with only a standby key signing key (which means w/o an
active ksk) aborts the dnssec-signer command.
Fixed by Shane Kerr.
* func Changed inc_serial() so that the SOA record parser accepts a label
other than '@' and an optional ttl value before the class and SOA
RR identifier (Both are case insensitive). Thanks to Shane Kerr
for the suggestion.
* bug Change of global configured key liftetime during a zone signing
key rollover results in unnecessary additional pre-published
zone signing keys (Thanks to Frank Behrens for the patch)
* misc Sig_Random config file parameter defaults now to false
* bug The man page refers the wrong licence (GPL instead of BSD)
zkt 0.97 -- 5. Aug 2008
* bug LG_* logging level wasn't mapped to syslog level in lg_mesg().
gettock() in ncparse.c did not recognize C single line comments "//"
(Thanks to Frank Behrens for finding this out)
* misc dist_and_reload () now calls the "Distribute_Cmd" twice:
First with argument "distribute" for signed zone file distribution,
second with argument "reload" to initiate a reload.
Again see example/flat/dist.sh for an example script.
* bug full KSK rollover will (mostly) also work for dynamic zones
This is a hack and requires further investigation. Currently
it will not work if someone is using non standard zone file
names.
* misc default ZSK lifetime set to 3 month
* misc get_mtime() renamed to file_mtime()
* func is_exec_ok() added and called in dist_and_reload ()
* func New parameter "Distribute_Cmd" added for specifing a user
defined distribution (and reload) command (See example/flat/dist.sh).
* misc Changed wording to be a bit more consistent to
draft-gudmundsson-life-of-dnskey-00.txt
- State of published key will be print as "pub" instead of "pre"
by dnssec-zkt.
- Option --pre-publish of dnssec-zkt changed to --published.
- Changed wording in all comments and log message from "pre-publish"
to "published".
* func Highly experimental code to do a full automatic ksk rollover
in hierachical mode.
ksk_rollover() added in rollover.c; parameter change for ksk_status()
* misc Changed name of "dnssec-soaserial" to "zkt-soaserial"
* bug Fixed verbose logging error if -N or -D option was used
* func Some LG_INFO messages added about key status change
* func Remove of function to register a new ksk (zktr.[ch])
* misc Changed licence from GNU GPLv2 to BSD licence
* bug Fixed bug in logging of ZSK rollover
* misc Changed tar file to zipped one and archive the files with
toplevel directory
* bug Fixed use of uninitialized vars in zconf.c (line)
* port Preparation for use of autoconf
- config.h renamed to config_zkt.h and change of include directives
- conditional include of config.h
- ./configure script is able to determine BIND utility path
(BIND_UTIL_PATH) and version (BIND_VERSION)
- compile time options are settable via configure script (--enable-xxx)
- For now, the configure script is not able to set the install dir.
* bug ksk rollover phase2 did not trigger resigning of parent
(the parent file was copied to the parent directory only
after child zone resigning)
* bug fixed bad notice message in zskstatus ()
* func dnssec-zkt -Z print out syslog facility & level with
upper case letter and without quotation marks
* func Syslog facility DAEMON added
zkt 0.96 -- 19. June 2008
* func Config file option "SIG_Parameter" added.
* func Function verbmesg() added and used for verbose logging
to stdout and/or to syslog resp. file.
Config file parameter VerboseLog added to config file.
* bug Option -O wasn't recognized by dnssec-signer
* func Better support of initial setup of dynamic signed
zones (just create an empty "zone.db.dsigned" file
and run dnssec-signer with option -d).
* func Improved error logging; incr_soa() errors are written
as clear text message instead of error number
* func elog_mesg() function replaced by a more general
logging mechanism.
ErrorLog config parameter replaced by LogFile,
LogLevel and SyslogFacility, SyslogLevel parameter
* func New function filesize() added
* func dki_prt_trustedkey print out old key id if key
is revoked
* func dki_new() writes gentime (GMT) and proposed key
lifetime (days) as comment into the *.key file
* bug Doing some housekeeping
zkt 0.95 -- 19. April 2008
* misc This is not a public released version of zkt.
* func All config file option are now settable via
commandline option -O (--option or --config-option)
* misc Function fatal() now has an exit code of 127.
This is necessary because values from 1 to 64 are
reflecting the number of errors occured.
* func Errorlog functionality added
All dnssec-signer errors will be logged in the file
specified by the Errorlog config file parameter or
specified by the command line option -L (--errorlog).
If a directory is given, then the logging will occur
in a file within this directory which is named
like "zkt-<current-date>.log".
The dnssec-signer command has an exit code of 0 if
no error occured, an exit code of 127 on fatal errors,
an exit code from 1 to 63 reflecting the number of errors
occured, or an exit code of 64 if more than 63 errors
occured.
* func dnssec-signer: Introducing long options
* bug New skript added to example/views directory to
read in the right config file
* func New option -f (--lifetime) and -F (--setlifetime)
added to dnssec-zkt.
* func New option -e (--expire) added to dnssec-zkt.
(Seems to be that the dnssec-zkt command is a little
bit overloaded with options.)
* func dki.c and zkt.c supports storage of key lifetime,
generation time and expiration time as a comment in the
.key file. With this, it's possible to change the default
lifetime without any impact on already used keys.
zkt 0.94 -- 6. Dec 2007
* bug Case mismatch of zone name and key file name prevent
dki_read() from reading the key.
Thanks to Alan Clegg for finding this out.
Added some additional error processing and convert
zone name to lower case.
* misc Builtin default for KSK_randfile changed
from NULL to "/dev/urandom".
* bug dnssec-signer has to use private keys for signing
even if the revoke bit is set.
To achieve this the file pattern K*.private is added
to the dnssec-signzone run.
* bug Uninitialized variable "len" in sign_zone().
* func Default config file is settable via environment
variable ZKT_CONFFILE
* func Support of views added
Link dnssec-zkt to dnssec-zkt-<view> and
dnssec-signer to dnssec-signer-<view>.
Option -V and --view added to dnssec-zkt.
Option -V added to dnssec-signer.
View support added to parse_namedconf().
zkt 0.93 -- 1. Nov 2007
* func The ksk registration mechanism is disabled by
default (see REG_URL in config.h).
* func Basic support for revoke flag added (RFC5011).
Semantic of option -R of dnssec-zkt changed.
* func Undocumented option -S changed to lower case.
Pre-pulished KSK will be shown as "standby" key.
New Option -S (standby) for pre-publish KSK.
* func New command dnssec-soaserial added.
* bug dnssec-signer do not print the incremented serial
number anymore.
time2str() fixed bug in time format (HAS_STRFTIME=0).
* port New build dependencies "solaris", "macos" and "help"
added to Makefile.
zkt 0.92 -- 1. Oct 2007
* func Parameter "Serialformat" in dnssec.conf added .
Now it is possible to use the unixtime format for
the SOA serial number. If you use BIND 9.4 or
greater in conjunction with this, than there is no
need for the special SOA serial formating in
the zonefile. (Thanks to Jakob Schlyter for the
-N option of dnssec-signzone and the suggestion to
add the unixtime support to zkt)
* func Option --ksk-roll-stat added.
* port Added macro HAS_GETOPT_LONG to support OS with
lack of getopt_long() (e.g. solaris).
Options -[01239] added.
* misc Unused macro HAS_ULONG removed from config.h.
Deklaration of unsigned types moved from dki.h to
config.h (so it will be available in _all_ source
files). Thanks to Mans Nilsson.
Unused macro isblank() (ncparse.c) removed.
* bug In dosigning(): freeze the dynamic zone _before_ copying
the zone file.
zkt 0.91 -- 1. Apr 2007
* doc --ksk-rollover option added to usage().
* func some experimental code for dynamic zones added.
new functions added: copyzonefile(), dyn_update_freeze().
New option "-d" added.
zkt 0.90 -- 6. Dec 2006
* func CHECK_RESIGN interval added to config.h.
This is the dnssec-signer calling interval (at least 1 day or 86400 sec).
* func new function dki_destroy() added; semantic of dk_remove()
changed to rename the key files instead of physical deletion.
* doc Setup of new example directory (flat and hierarchical).
* doc dnssec-zkt man page updated.
Added some comments in misc.c
* misc function strtaint() renamed to str_untaint(),
dki_keycmp() renamed to dki_tagcmp().
* func New parameter key_ttl added to dnssec.conf.
New func dki_prt_dnskeyttl () added.
Now dnskey.db is written with key_ttl value.
* func dnssec-signer: In hierarchical mode sign_zone() copies the
parent-file (if such a file exist) instead of the
keyset-file to the parent directory.
* func dnssec-zkt: Option --ksk-roll-phase[123] and function
ksk_rollover() added.
* misc zconf: default values for sigvalidity, resign_int etc. changed,
new dnssec.conf example file created.
* func dnssec-zkt: Long option support added.
zkt 0.83 -- 11. Sep 2006
* bug dosigning(): Fixed bug in the bug fixing of printing undefined
serial number if incr_serial() failed. (Thanks to Randy McCasskill).
zkt 0.82 -- 8. Sep 2006
* bug Use option -e for dnssec-keygen calls in dki_new(), because
an RSA exponent of 3 is vulnerable.
* bug dosigning(): Fixed bug in printing undefined serial
number if incr_serial() failed.
an RSA exponent of 3 is vulnerable.
* bug dosigning(): Fixed bug in printing undefined serial
number if incr_serial() failed.
zkt 0.81 -- 13. July 2006
* bug The function ceatekey() won't work with USE_TREE.
Size of MAX_DNAME increased.
zkt 0.8 -- 09. July 2006
* func Now a hierarchical directory structure with subdomains stored in
subfolders of the parent domain are allowed. Added copyfile(),
cmpfile() and new_keysetfiles() for that.
* func Config parameter added to choose if the domain name is
right or left justified listed by dnssec-zkt (printkeyinfo).
* func New class of key added ("sep"). A SEP key is a (public) key file
without the private counterpart. So we could use the key solely
as an secure entry point. (dki.h, dki_read).
zkt 0.70 -- 15. Sep 2005
* func Experimental code added to use a binary search tree instead of a
single linked list. This is mainly for performance improvement for large
sites. If you don't want to use it, set USE_TREE in config.h to zero.
In the first step only dnssec-zkt use the new data structure.
The tree is build over the domain names and each node is the starting point
of a linked list of keys.
As a result, it's not possible anymore to search on key tags only. You have
to specify the domain name plus the tag. :-(
* func Function parseurl added.
* func Experimental code to register a new ksk. Currently it's more like
a key announcement because of the lack of identification and
authentication.
zkt 0.65 -- 22. Aug 2005
* misc Rewrite of the domaincmp() function. Now it's round about 2 times faster.
After some additional changes and the compiler option -O3 the dnssec-zkt
on the ~ 12000 zones requires only a minute
$ time dnssec-zkt -z -r sec > /dev/null
real 0m58.287s
user 0m54.610s
sys 0m3.680s
* func A keyset directory is introduced (experimental)
The parameter -d is added to the call of the dnssec-signzone command
if the config option KeySetDir is set.
As a result, all dsset-, keyset- and dlvset- files are stored in one directory.
The advantage is, that the chain of trust of all local subzone is build
automatically (This is the reason why we sort the zones with the child zones
first).
The disadvantage is that we store many files in single directory (3 files
per zone).
zkt 0.64 -- 1. Aug 2005
* bug The code for option -Z of dnssec-zkt should be executed before we read the
complete directory tree. This is usefull if we have a very deep directory
structure and the recursive flag is switched on.
* func SIG_Pseudorand parameter added.
* func ([KZ]SK)|(SIG)_randfile parameter added.
* func measure the time used for signing of each zone.
* bug function logflush() added to misc.c and called by dosigning().
* misc some perfomance test made:
- Directory structure "sec/<firstletter>/domain" with round about 12200 domains
- One of the domain is a big one (~ 820000 RRs), the others are mostly very small ones
- We use a dsa with 704 bits as ksk and a rsamd5 with 512 bits as zsk on each domain.
- All test made on Sun Fire V440 with 4 CPU and 4x2GB main memory
# sequential signing of all zones
$ time dnssec-signer -v -v -f -D sec
real 434m (~ 7h 14min)
user 188
sys 175
# with option -p and -r /dev/urandom
$ time dnssec-signer -v -v -f -D sec > log
real 96m28.306s
user 290m41.980s
sys 6m13.790s
# one process for each firstletter subdirectory
$ time par_signer.sh
real 394m12.334s
user 295m58.390s
sys 786m42.479s
# with option -p and -r /dev/urandom
$ time par_signer.sh
real 78m49.323s
user 284m58.350s
sys 5m39.340s
$ time dnssec-zkt -z -r sec > /dev/null
real 2m5.722s
user 2m0.060s
sys 0m4.510s
# signing the big (820000 RR) domain only
$ time dnssec-signer -v -v -f -D sec/b/big-domain
real 196m23.165 (~ 3h 16min)
user 176m57.610
sys 167m27.570
# with option -p and -r /dev/urandom
$ time dnssec-signer -v -v -f -D sec/b/big-domain
real 49m53.152
user 173m59.520
sys 1m40.150
zkt 0.63 -- 14. June 2005
* bug allow TTL value in keyfiles (see TTL_IN_KEYFILES_ALLOWED
in dki_readfile()).
* misc function strchop() added to misc.c.
zkt 0.62 -- 13. May 2005
* func dnssec-signer: Option -o added.
Now it works a bit more like dnssec-signzone.
* func strlist.c: prepstrlist and unprepstrlist functions get a
second parameter for the delimiter.
* bug fixed some typos and inaccurate usage of symbolic constants.
Doing some housekeeping.
zkt 0.61 -- 3. May 2005
* bug local config file will not be mentioned if -N switch is used.
zkt 0.6 -- 1. May 2005
* doc dnssec-signer: man page added.
* func dnssec-signer: Print out a warning message if ksk lifetime is exceeded.
* func dnssec-signer: Remaining arguments will be interpreted as zone names
(in_strarr () added).
* func dnssec-signer: Option -D added.
zkt 0.51 -- 8. April 2005
* func dnssec-signer: Option -N added.
* func dnssec-signer: change of keystatus from pre-published to active
resets timestamp of key, thus age of active key counts 0.
* bug prepstrlist: resulting string was not terminated with '\0'.
* bug dnssec-signer: do signing if there are additional keys, or the
status of any key is changed (function check_keytimestamp).
* func dnssec-zkt: -l <list> option added.
* func dnssec-zkt: -p flag defaults to on in key creation mode (-C).
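Review bot: this changelog is the only in-tree record that zkt before 0.82 generated RSA keys with public exponent 3 (the 0.82 entry: "Use option -e for dnssec-keygen calls in dki_new(), because / an RSA exponent of 3 is vulnerable."), and that the 0.64 performance runs used "a dsa with 704 bits as ksk and a rsamd5 with 512 bits as zsk". Dropping the vendored copy is fine, but the release note for this change should tell operators who used the bundled zkt to check the exponent, algorithm and size of keys it generated before they move to the upstream release, since that warning disappears with this file.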

View file

@ -1,30 +0,0 @@
Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
This software is open source.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
Neither the name of Holger Zuleger HZnet nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

View file

@ -1,203 +0,0 @@
#################################################################
#
# @(#) Makefile for dnssec zone key tool (c) Mar 2005 hoz
#
#################################################################
prefix = @prefix@
mandir = @mandir@
CC = @CC@
PROFILE = # -pg
OPTIM = # -O3 -DNDEBUG
#CFLAGS ?= @CFLAGS@ @DEFS@ -I@top_srcdir@
CFLAGS += -g @DEFS@ -I@top_srcdir@
CFLAGS += -Wall #-DDBG
CFLAGS += -Wmissing-prototypes
CFLAGS += $(PROFILE) $(OPTIM)
LDFLAGS += $(PROFILE)
LIBS = @LIBS@
PROJECT = @PACKAGE_TARNAME@
VERSION = @PACKAGE_VERSION@
HEADER = dki.h misc.h domaincmp.h zconf.h config_zkt.h \
config.h.in strlist.h zone.h zkt.h debug.h \
ncparse.h log.h rollover.h nscomm.h soaserial.h \
zfparse.h tcap.h
SRC_ALL = dki.c misc.c domaincmp.c zconf.c log.c
OBJ_ALL = $(SRC_ALL:.c=.o)
SRC_SIG = zkt-signer.c zone.c ncparse.c rollover.c \
nscomm.c soaserial.c
OBJ_SIG = $(SRC_SIG:.c=.o)
MAN_SIG = zkt-signer.8
PROG_SIG= zkt-signer
SRC_CNF = zkt-conf.c zfparse.c
OBJ_CNF = $(SRC_CNF:.c=.o)
MAN_CNF = zkt-conf.8
PROG_CNF= zkt-conf
# shared sources
SRC_KLS = strlist.c zkt.c tcap.c
OBJ_KLS = $(SRC_KLS:.c=.o)
SRC_KEY = zkt-keyman.c
OBJ_KEY = $(SRC_KEY:.c=.o) $(OBJ_KLS)
MAN_KEY = zkt-keyman.8
PROG_KEY= zkt-keyman
SRC_LS = zkt-ls.c
OBJ_LS = $(SRC_LS:.c=.o) $(OBJ_KLS)
MAN_LS = zkt-ls.8
PROG_LS= zkt-ls
SRC_SER = zkt-soaserial.c
OBJ_SER = $(SRC_SER:.c=.o)
#MAN_SER = zkt-soaserial.8
PROG_SER= zkt-soaserial
SRC_PRG = $(SRC_SIG) $(SRC_CNF) $(SRC_LS) $(SRC_SER) $(SRC_KEY)
OBJ_PRG = $(SRC_PRG:.c=.o)
PROG_PRG= $(PROG_SIG) $(PROG_CNF) $(PROG_LS) $(PROG_SER) $(PROG_KEY)
MAN_ALL = $(MAN_SIG) $(MAN_LS) $(MAN_CNF) $(MAN_KEY)
OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
configure distribute.sh examples
SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KLS) \
$(SRC_LS) $(SRC_KEY) $(SRC_SER) $(OTHER) \
man configure.ac config.h.in doc
#MNTSAVE = $(SAVE) configure.ac config.h.in doc
all: $(PROG_CNF) $(PROG_LS) $(PROG_SIG) $(PROG_SER) $(PROG_KEY)
macos: ## for MAC OS (depreciated)
macos:
$(MAKE) CFLAGS="$(CFLAGS) -D HAS_UTYPES=0" all
solaris: ## for solaris (depreciated)
solaris:
@$(MAKE) CFLAGS="$(CFLAGS) -D HAVE_GETOPT_LONG=0" all
linux: ## for linux (default)
linux:
@$(MAKE) all
$(PROG_SIG): $(OBJ_SIG) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(OBJ_SIG) $(OBJ_ALL) -o $(PROG_SIG)
$(PROG_CNF): $(OBJ_CNF) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(OBJ_CNF) $(OBJ_ALL) -o $(PROG_CNF)
$(PROG_KEY): $(OBJ_KEY) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(LIBS) $(OBJ_KEY) $(OBJ_ALL) -o $(PROG_KEY)
$(PROG_LS): $(OBJ_LS) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(LIBS) $(OBJ_LS) $(OBJ_ALL) -o $(PROG_LS)
$(PROG_SER): $(OBJ_SER) Makefile
$(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER)
install: ## install binaries in prefix/bin
install: $(PROG_PRG)
test -d $(prefix)/bin || mkdir -p $(prefix)/bin
cp $(PROG_PRG) $(prefix)/bin/
install-man: ## install man pages in mandir
install-man:
test -d $(mandir)/man8/ || mkdir -p $(mandir)/man8/
cp -p man/$(MAN_LS) man/$(MAN_SIG) man/$(MAN_KEY) man/$(MAN_CNF) $(mandir)/man8/
tags: ## create tags file
#tags: $(SRC_ALL) $(SRC_PRG)
tags: $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KEY) $(SRC_LS) $(SRC_SER) $(SRC_KLS)
ctags $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KEY) $(SRC_LS) $(SRC_SER) $(SRC_KLS)
clean: ## remove objectfiles and binaries
clean:
-rm -f $(OBJ_PRG) $(OBJ_ALL) $(PROG_PRG)
distclean: ## remove objectfiles, binaries and distribution files
distclean: clean
-rm -f Makefile config.h config.log config.status config.cache \
$(PROJECT)-$(VERSION).tar.gz
tar: ## create tar file for distribution
tar: $(PROJECT)-$(VERSION).tar.gz
configure: ## create configure script
configure: configure.ac Makefile.in
autoconf && autoheader
man: man/$(MAN_KEY).html man/$(MAN_KEY).pdf \
man/$(MAN_SIG).html man/$(MAN_SIG).pdf \
man/$(MAN_LS).html man/$(MAN_LS).pdf \
man/$(MAN_CNF).html man/$(MAN_CNF).pdf
man/$(MAN_KEY).html: man/$(MAN_KEY)
groff -Thtml -man -mhtml man/$(MAN_KEY) > man/$(MAN_KEY).html
man/$(MAN_KEY).pdf: man/$(MAN_KEY)
groff -Tps -man man/$(MAN_KEY) | ps2pdf - man/$(MAN_KEY).pdf
man/$(MAN_LS).html: man/$(MAN_LS)
groff -Thtml -man -mhtml man/$(MAN_LS) > man/$(MAN_LS).html
man/$(MAN_LS).pdf: man/$(MAN_LS)
groff -Tps -man man/$(MAN_LS) | ps2pdf - man/$(MAN_LS).pdf
man/$(MAN_SIG).html: man/$(MAN_SIG)
groff -Thtml -man -mhtml man/$(MAN_SIG) > man/$(MAN_SIG).html
man/$(MAN_SIG).pdf: man/$(MAN_SIG)
groff -Tps -man man/$(MAN_SIG) | ps2pdf - man/$(MAN_SIG).pdf
man/$(MAN_CNF).html: man/$(MAN_CNF)
groff -Thtml -man -mhtml man/$(MAN_CNF) > man/$(MAN_CNF).html
man/$(MAN_CNF).pdf: man/$(MAN_CNF)
groff -Tps -man man/$(MAN_CNF) | ps2pdf - man/$(MAN_CNF).pdf
# generation of tar file out of the git archive
# (use v$(VERSION) instead of HEAD if the tar file should depend on a tagged revision)
$(PROJECT)-$(VERSION).tar.gz: $(SAVE)
@test "`git tag -l $(VERSION)`" != $(VERSION) && echo "no tag $(VERSION) found in repository" && exit
git archive --format=tar --prefix="$(PROJECT)-$(VERSION)/" $(VERSION) | \
gzip > $(PROJECT)-$(VERSION).tar.gz
# git archive --format=tar --prefix="$(PROJECT)-$(VERSION)/" HEAD | \
# cat > $(PROJECT)-$(VERSION).tar
depend:
$(CC) -MM $(CFLAGS) $(SRC_PRG) $(SRC_ALL)
help:
@grep "^.*:[ ]*##" Makefile
## all dependicies
#:r !make depend
#gcc -MM -g -DHAVE_CONFIG_H -I. -Wall -Wmissing-prototypes zkt-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c zkt-conf.c zfparse.c zkt-ls.c zkt-soaserial.c zkt-keyman.c dki.c misc.c domaincmp.c zconf.c log.c
zkt-signer.o: zkt-signer.c config.h config_zkt.h zconf.h debug.h misc.h \
ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h
zone.o: zone.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \
dki.h zone.h
ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h
rollover.o: rollover.c config.h config_zkt.h zconf.h debug.h misc.h \
zone.h dki.h log.h rollover.h
nscomm.o: nscomm.c config.h config_zkt.h zconf.h nscomm.h zone.h dki.h \
log.h misc.h debug.h
soaserial.o: soaserial.c config.h config_zkt.h zconf.h log.h debug.h \
soaserial.h
zkt-conf.o: zkt-conf.c config.h config_zkt.h debug.h misc.h zconf.h \
zfparse.h
zfparse.o: zfparse.c config.h config_zkt.h zconf.h log.h debug.h \
zfparse.h
zkt-ls.o: zkt-ls.c config.h config_zkt.h debug.h misc.h zconf.h strlist.h \
dki.h tcap.h zkt.h
zkt-soaserial.o: zkt-soaserial.c config.h config_zkt.h
zkt-keyman.o: zkt-keyman.c config.h config_zkt.h debug.h misc.h zconf.h \
strlist.h dki.h zkt.h
dki.o: dki.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \
dki.h
misc.o: misc.c config.h config_zkt.h zconf.h log.h debug.h misc.h
domaincmp.o: domaincmp.c domaincmp.h
zconf.o: zconf.c config.h config_zkt.h debug.h misc.h zconf.h dki.h
log.o: log.c config.h config_zkt.h misc.h zconf.h debug.h log.h

View file

@ -1,64 +0,0 @@
#
# README dnssec zone key tool
#
# (c) March 2005 - Aug 2014 by Holger Zuleger hznet
# (c) domaincmp() Aug 2005 by Karle Boss & H. Zuleger (kaho)
# (c) zconf.c by Jeroen Masar & Holger Zuleger
#
For more information about the DNSSEC Zone Key Tool please
have a look at "http://www.hznet.de/dns/zkt/"
You can also subscribe to the zkt-users@sourceforge.net mailing list
on the following website: https://lists.sourceforge.net/lists/listinfo/zkt-users
The ZKT software is licenced under BSD (see LICENCE file)
To build the software:
a) Get the current version of zkt
$ wget http://www.hznet.de/dns/zkt/zkt-1.1.tar.gz
b) Unpack
$ tar xzvf zkt-1.1.tar.gz
c) Change to source directory
$ cd zkt-1.1
d) Run configure script
$ ./configure
e) Compile
$ make
f) Install
# make install
# make install-man
Prepare your setup:
a) (optional) Install or rebuild the default dnssec.conf file
$ zkt-conf -d -w # Install new file
or
$ zkt-conf -s -w # rebuild existing file
b) (optional) Change default parameters
$ zkt-conf -s -O "Zonedir: /var/named/zones" -w
or use your prefered editor
$ vi /var/named/dnssec.conf
(optional) You'll probably want to have zkt-ls work recursively
$ zkt-conf -s -O "Recursive: True" -w
c) Prepare one of your zone for zkt
$ cd /var/named/zones/net/example.net # change dir to zone directory
$ cp <zonefile> zone.db # copy and rename existing zone file to "zone.db"
$ zkt-conf -w zone.db # create local dnssec.conf file and include dnskey.db into zone file
d) Prepare for initial signing
$ cd /var/named/zones/net/example.net
$ touch zone.db.signed
$ zkt-signer -v -v -o example.net # -o is ORIGIN (i.e. zone name)
e) Publish your zone
@ add `zone.db.signed' as zone file to your name server
@ publish DS contained in `dsset-example.net.' at your zone's parent
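Review bot: the build steps in this README fetch the tarball with "$ wget http://www.hznet.de/dns/zkt/zkt-1.1.tar.gz" over plain HTTP and go straight to "$ tar xzvf zkt-1.1.tar.gz" with no checksum or signature verification. With the vendored copy gone, users following these instructions get no integrity check at all, so the pointer to the upstream location that replaces this directory should send them to a download that publishes a signature or hash, and the release note could say so.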

View file

@ -1,103 +0,0 @@
#
# README.logging
#
# Introduction into the new logging feature
# available since v0.96
# Per domain logging is enabled since v1.0
#
In previous version of dnssec-signer every message was written
to the default stdout and stderr channels, and the logging itself
was handled by a redirection of those chanels to the logger command
or to a file.
Since v0.96, the dnssec-signer command is able to log all messages
by itself. File and SYSLOG logging is supported.
To enable the logging into a file channel, you have to specify
the file or directory name via the commandline option -L (--logfile)
or via the config file parameter "LogFile".
LogFile: ""|"<file>"|"<directory>" (default is "")
If a file is specified, than each run of dnssec-signer will append the
messages to that file. If a directory is specified, than a file with a
name of zkt-<ISOdate&timeUTC>+log" will be created on each dnssec-signer run.
Since v1.0 per domain logging is possible.
If the parameter "LogDomainDir:" is not empty, than the domain specific messages
are written to a separate log file with a name like "zkt-<domainname>+log" in the
directory specified by the parameter.
If "LogDomainDir:" is set to ".", then the logfile will be created in the domain
directory of the zone.
Logging into the syslog channel could be enabled via the config file
parameter "SyslogFacility".
SyslogFacility: NONE|USER|DAEMON|LOCAL0|..|LOCAL7 (default is USER)
For both channels, the log level could be set to one of six log levels:
LG_FATAL, LG_ERROR, LG_WARNING
LB_NOTICE, LG_INFO, LG_DEBUG
The loglevel is settable via the config file parameter :
SyslogLevel: FATAL|ERROR|WARNING|NOTICE|INFO|DEBUG
(default is ERROR)
and
LogLevel: FATAL|ERROR|WARNING|NOTICE|INFO|DEBUG
(default is NOTICE)
All the log parameters are settable on the commandline via the generic
option -O "optstring" (--config-option="optstring").
A verbose message output to stdout could be achieved by the commandline
option -v (or -v -v).
If you like to have this verbose messages also logged with a level of LG_DEBUG
you should enable this by setting the config file option
"VerboseLog" to a value of 1 or 2.
Current logging messages:
LG_FATAL: Not all of the fatal errors are logged
(e.g.: config file or command line option fatal errors are
not logged)
LG_ERROR: All error messages will be logged
LG_WARNING: KSK lifetime expiration
LG_NOTICE:
Start and stop of dnssec-signer
Re-signing events
Key rollover events
KSK key generation and revoking
Zone reload resp. freeze/thaw of dynamic zone
LG_INFO:
Messages for key generation/removal and ksk rollover
LG_DEBUG: all "verbose" (-v) and "very verbose" (-v -v) messages
Some recomended and useful logging settings
- The default setting
LogFile: ""
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 0
- Setting as in version v0.95
LogFile: "zkt-error.log" # or a directory for separate logfiles
LogLevel: ERROR
SyslogFacility: NONE
VerboseLog: 0
- Setting as in previous versions
LogFile: ""
SyslogFacility: NONE
VerboseLog: 0
- Recommended setting for normal usage
LogFile: "zkt.log" # or a directory for separate logfiles
LogLevel: ERROR
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 0
- Recommended setting for debugging
LogFile: "zkt.log" # or a directory for separate logfiles
LogLevel: DEBUG
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 2

View file

@ -1,32 +0,0 @@
TODO list as of zkt-1.1
zkt-ls:
feat option to specify the key age as remaining lifetime
(Option -i inverse age ?).
zkt-signer:
bug Distribute_Cmd wouldn't work properly on dynamic zones
(missing freeze, thaw; copy Keyfiles instead of signed zone file)
bug Automatic KSK rollover of dynamic zones will only work if the parent
uses the standard name for the signed zonefile (zonefile.db.signed).
bug Phase3 of manual ksk rollover do not trigger a resigning of the zone
(Key removal is not recognized by dosigning () function )
bug There is no online checking of the key material by design.
The signer command checks the status of the key as they
are represented in the file system and not in the zone.
The dnssec maintainer is responsible for the lifeliness of the
data in the hosted domain.
In other words: It's highly recommended to use the
option -r when you use zkt-signer on a production zone.
Than the time of propagation is (more or less) equal to the timestamp
of the zone.db.signed file.
zkt-rollover:
feat New command to roll keys independent of zone signing
(Usefull for dynamic zones managed by BIND9.7)
dki:
feat Use dynamic memory for dname in dki_t
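Review bot: the TODO being deleted records an operational caveat rather than a fixable bug: zkt-signer derives key state from files on disk, not from the served zone ("There is no online checking of the key material by design."), and for that reason recommends "option -r when you use zkt-signer on a production zone" so the timestamp of zone.db.signed approximates propagation time. Once this file no longer ships with BIND, the upstream pointer is the only place users will learn of it; nothing to change in this hunk, but worth keeping in mind when wording the release note.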

View file

@ -1,234 +0,0 @@
/* config.h.in. Generated from configure.ac by autoheader. */
/* Path to BIND utilities */
#undef BIND_UTIL_PATH
/* BIND version as integer number without dots */
#undef BIND_VERSION
/* Define to 1 if the `closedir' function returns void instead of `int'. */
#undef CLOSEDIR_VOID
/* zkt-ls with colors */
#undef COLOR_MODE
/* set path of config file (defaults to /var/named) */
#undef CONFIG_PATH
/* Define to 1 if you have the `alarm' function. */
#undef HAVE_ALARM
/* Define to 1 if you have the <curses.h> header file. */
#undef HAVE_CURSES_H
/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
*/
#undef HAVE_DIRENT_H
/* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
#undef HAVE_DOPRNT
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
/* Define to 1 if you have the <getopt.h> header file. */
#undef HAVE_GETOPT_H
/* Define to 1 if you have the `getopt_long' function. */
#undef HAVE_GETOPT_LONG
/* Define to 1 if you have the `gettimeofday' function. */
#undef HAVE_GETTIMEOFDAY
/* Define to 1 if you have the `getuid' function. */
#undef HAVE_GETUID
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have the `ncurses' library (-lncurses). */
#undef HAVE_LIBNCURSES
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the `memset' function. */
#undef HAVE_MEMSET
/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */
#undef HAVE_NDIR_H
/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H
/* Define to 1 if you have the `putenv' function. */
#undef HAVE_PUTENV
/* Define to 1 if you have the `socket' function. */
#undef HAVE_SOCKET
/* Define to 1 if `stat' has the bug that it succeeds when given the
zero-length file name argument. */
#undef HAVE_STAT_EMPTY_STRING_BUG
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define to 1 if you have the `strcasecmp' function. */
#undef HAVE_STRCASECMP
/* Define to 1 if you have the `strchr' function. */
#undef HAVE_STRCHR
/* Define to 1 if you have the `strdup' function. */
#undef HAVE_STRDUP
/* Define to 1 if you have the `strerror' function. */
#undef HAVE_STRERROR
/* Define to 1 if you have the `strftime' function. */
#undef HAVE_STRFTIME
/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the `strncasecmp' function. */
#undef HAVE_STRNCASECMP
/* Define to 1 if you have the `strrchr' function. */
#undef HAVE_STRRCHR
/* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H
/* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'.
*/
#undef HAVE_SYS_DIR_H
/* Define to 1 if you have the <sys/ndir.h> header file, and it defines `DIR'.
*/
#undef HAVE_SYS_NDIR_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/time.h> header file. */
#undef HAVE_SYS_TIME_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have the <term.h> header file. */
#undef HAVE_TERM_H
/* Define to 1 if you have the `timegm' function. */
#undef HAVE_TIMEGM
/* Define to 1 if you have the `tzset' function. */
#undef HAVE_TZSET
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define to 1 if you have the `utime' function. */
#undef HAVE_UTIME
/* Define to 1 if you have the <utime.h> header file. */
#undef HAVE_UTIME_H
/* Define to 1 if `utime(file, NULL)' sets file's timestamp to the present. */
#undef HAVE_UTIME_NULL
/* Define to 1 if you have the `vprintf' function. */
#undef HAVE_VPRINTF
/* log with level */
#undef LOG_WITH_LEVEL
/* log with progname */
#undef LOG_WITH_PROGNAME
/* log with timestamp */
#undef LOG_WITH_TIMESTAMP
/* Define to 1 if `lstat' dereferences a symlink specified with a trailing
slash. */
#undef LSTAT_FOLLOWS_SLASHED_SYMLINK
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the full name of this package. */
#undef PACKAGE_NAME
/* Define to the full name and version of this package. */
#undef PACKAGE_STRING
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the home page for this package. */
#undef PACKAGE_URL
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* print age with year */
#undef PRINT_AGE_WITH_YEAR
/* print out timezone */
#undef PRINT_TIMEZONE
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
#undef TIME_WITH_SYS_TIME
/* Define to 1 if your <sys/time.h> declares `struct tm'. */
#undef TM_IN_SYS_TIME
/* TTL in keyfiles allowed */
#undef TTL_IN_KEYFILE_ALLOWED
/* Use TREE data structure for dnssec-zkt */
#undef USE_TREE
/* ZKT copyright string */
#undef ZKT_COPYRIGHT
/* ZKT version string */
#undef ZKT_VERSION
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
/* Define to `int' if <sys/types.h> doesn't define. */
#undef gid_t
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
/* Define to `unsigned char' if <sys/types.h> does not define. */
#undef uchar
/* Define to `int' if <sys/types.h> doesn't define. */
#undef uid_t
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef uint
/* Define to `unsigned long' if <sys/types.h> does not define. */
#undef ulong
/* Define to `unsigned short' if <sys/types.h> does not define. */
#undef ushort

View file

@ -1,120 +0,0 @@
/*****************************************************************
**
** @(#) config_zkt.h -- config options for ZKT
**
** Copyright (c) Aug 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef CONFIG_ZKT_H
# define CONFIG_ZKT_H
/* don't change anything below this */
/* the values here are determined or settable via the ./configure script */
#ifndef HAS_UTYPES
# define HAS_UTYPES 1
#endif
/* # define HAVE_TIMEGM 1 */
/* # define HAVE_GETOPT_LONG 1 */
/* # define HAVE_STRFTIME 1 */
#ifndef COLOR_MODE
# define COLOR_MODE 1
#endif
#ifndef TTL_IN_KEYFILE_ALLOWED
# define TTL_IN_KEYFILE_ALLOWED 1
#endif
#ifndef PRINT_TIMEZONE
# define PRINT_TIMEZONE 0
#endif
#ifndef PRINT_AGE_WITH_YEAR
# define PRINT_AGE_WITH_YEAR 0
#endif
#ifndef LOG_WITH_PROGNAME
# define LOG_WITH_PROGNAME 0
#endif
#ifndef LOG_WITH_TIMESTAMP
# define LOG_WITH_TIMESTAMP 1
#endif
#ifndef LOG_WITH_LEVEL
# define LOG_WITH_LEVEL 1
#endif
#ifndef ALWAYS_CHECK_KEYSETFILES
# define ALWAYS_CHECK_KEYSETFILES 1
#endif
#ifndef ALLOW_ALWAYS_PREPUBLISH_ZSK
# define ALLOW_ALWAYS_PREPUBLISH_ZSK 1
#endif
#ifndef CONFIG_PATH
# define CONFIG_PATH "/var/named/"
#endif
/* tree usage is setable by configure script parameter */
#ifndef USE_TREE
# define USE_TREE 1
#endif
/* BIND version and utility path *must* be set by ./configure script */
#ifndef BIND_UTIL_PATH
# error ("BIND_UTIL_PATH not set. Please run configure with --enable-bind_util_path=");
#endif
#ifndef BIND_VERSION
# define BIND_VERSION 980
#endif
#ifndef ZKT_VERSION
# if defined(USE_TREE) && USE_TREE
# define ZKT_VERSION "vT1.1.0 (c) Feb 2005 - Jan 2012 Holger Zuleger hznet.de"
# else
# define ZKT_VERSION "v1.1.0 (c) Feb 2005 - Jan 2012 Holger Zuleger hznet.de"
# endif
#endif
#if !defined(HAS_UTYPES) || !HAS_UTYPES
typedef unsigned long ulong;
typedef unsigned int uint;
typedef unsigned short ushort;
typedef unsigned char uchar;
#endif
#endif

File diff suppressed because it is too large

View file

@ -1,183 +0,0 @@
# -*- Autoconf -*-
# Process this file with autoconf to produce a configure script.
#
# @(#) configure.ac
#
# 2008-06-27 initial setup
# 2008-06-29 add of BIND path checking
# 2008-06-30 add of arg checkings
# 2008-07-02 additional arg checkings
# 2008-07-04 check for getopt_long() added
# 2008-08-30 check for unsigned integer types
# 2008-10-01 if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort
# 2009-07-30 check for timegm() added
# 2009-12-02 the tr command in bind_version= didn't work well under solaris
# 2010-10-14 new option to specify BIND_UTIL_PATH on command line (thanks to Mans Nilsson)
# No build in default BIND_UTIL_PATH used anymore
#
dnl AC_PREREQ(2.59)
### Package name and current version
AC_INIT(ZKT, 1.1.3, Holger Zuleger hznet.de)
dnl AC_REVISION($Revision: 1.397 $)
### Files to test to check if src dir contains the package
AC_CONFIG_SRCDIR([zkt-signer.c])
AC_CONFIG_HEADER([config.h])
### Checks for programs.
AC_PROG_CC
### find out the path to BIND utils and version
AC_ARG_ENABLE([bind_util_path], AS_HELP_STRING( [--enable-bind_util_path=PATH], [Define path to BIND utilities, default is path to dnssec-signzone]), [bind_util_path=$enableval])
if test -n "$bind_util_path"
then
if test -x "$bind_util_path/dnssec-signzone"
then
AC_MSG_NOTICE([BIND utilities path successfully set to $bind_util_path.])
SIGNZONE_PROG=$bind_util_path/dnssec-signzone
else
AC_MSG_ERROR([*** 'BIND utility not found in $bind_util_path, please use --enable-bind_util_path= to set it manually' ***])
fi
else
AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone)
AC_MSG_NOTICE([BIND utility $SIGNZONE_PROG found])
if test -n "$SIGNZONE_PROG"
then
bind_util_path=`dirname "$SIGNZONE_PROG"`
AC_MSG_NOTICE([BIND utilities path automatically set to $bind_util_path.])
else
AC_MSG_ERROR([*** 'could not determine BIND utility path, please use --enable-bind_util_path= ' to set it manually ***])
fi
fi
### By now, we have a path. We'll use it.
# define BIND_UTIL_PATH in config.h.in
AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities)
# define BIND_VERSION in config.h.in
bind_version=`$SIGNZONE_PROG 2>&1 | awk -F: '/^Version:/ { split ($2, v, "."); printf ("%2d%02d%02d\n", atoi (v[[1]]), atoi (v[[2]]), atoi (v[[3]])); };'`
AC_MSG_NOTICE([BIND_VERSION string set to $bind_version.])
AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots)
if test $bind_version -lt "90800"
then
AC_MSG_ERROR([*** 'This version of ZKT requires a BIND version greater 9.7' ***])
fi
AC_CHECK_TYPE(uint, unsigned int)
AC_CHECK_TYPE(ulong, unsigned long)
AC_CHECK_TYPE(ushort, unsigned short)
AC_CHECK_TYPE(uchar, unsigned char)
### define configure arguments
AC_ARG_ENABLE([color_mode], AS_HELP_STRING([--disable-color-mode], [zkt without colors]))
color_mode=1
AS_IF([test "$enable_color_mode" = "no"], [color_mode=0])
AC_ARG_WITH([curses],
AS_HELP_STRING([--without-curses], [Ignore presence of curses and disable color mode]))
AS_IF([test "x$with_curses" != "xno"],
[AC_CHECK_LIB([ncurses],[tgetent])],
[HAVE_LIB_NCURSES=0; color_mode=0])
AC_DEFINE_UNQUOTED(COLOR_MODE, $color_mode, zkt-ls with colors)
dnl printtimezone is a default-disabled feature
AC_ARG_ENABLE([printtimezone], AS_HELP_STRING( [--enable-print-timezone], [print out timezone]))
printtimezone=0
AS_IF([test "$enable_printtimezone" = "yes"], [printtimezone=1])
AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, $printtimezone, print out timezone)
AC_ARG_ENABLE([printyear], AS_HELP_STRING( [--enable-print-age], [print age with year]))
printyear=0
AS_IF([test "$enable_printyear" = "yes"], [printyear=1])
AC_DEFINE_UNQUOTED(PRINT_AGE_WITH_YEAR, $printyear, print age with year)
AC_ARG_ENABLE([logprogname], AS_HELP_STRING( [--enable-log-progname], [log with progname]))
logprogname=0
AS_IF([test "$enable_logprogname" = "yes"], [logprogname=1])
AC_DEFINE_UNQUOTED(LOG_WITH_PROGNAME, $logprogname, log with progname)
dnl logtimestamp is a default-enabled feature
AC_ARG_ENABLE([logtimestamp], AS_HELP_STRING([--disable-log-timestamp], [do not log with timestamp]))
logtimestamp=1
AS_IF([test "$enable_logtimestamp" = "no"], [logtimestamp=0])
AC_DEFINE_UNQUOTED(LOG_WITH_TIMESTAMP, $logtimestamp, log with timestamp)
AC_ARG_ENABLE([loglevel], AS_HELP_STRING([--disable-log-level], [do not log with level]))
loglevel=1
AS_IF([test "$enable_loglevel" = "no"], [loglevel=0])
AC_DEFINE_UNQUOTED(LOG_WITH_LEVEL, $loglevel, log with level)
AC_ARG_ENABLE([ttl_in_keyfile], AS_HELP_STRING([--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]))
ttl_in_keyfile=1
AS_IF([test "$enable_ttl_in_keyfile" = "no"], [ttl_in_keyfile=0])
AC_DEFINE_UNQUOTED(TTL_IN_KEYFILE_ALLOWED, $ttl_in_keyfile, TTL in keyfiles allowed)
configpath="/var/named"
AC_ARG_ENABLE([configpath],
AS_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]),
[configpath=$enableval])
case "$configpath" in
yes)
configpath="/var/named"
;;
no)
configpath=""
;;
*)
;;
esac
AC_DEFINE_UNQUOTED(CONFIG_PATH, "$configpath/", [set path of config file (defaults to /var/named)])
usetree=1
t=""
AC_ARG_ENABLE([tree],
AS_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]),
[usetree=$enableval])
if test "$usetree" = no
then
usetree=0
t="S"
fi
AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data structure for dnssec-zkt)
AC_DEFINE_UNQUOTED(ZKT_VERSION, "$t$PACKAGE_VERSION", ZKT version string)
AC_DEFINE_UNQUOTED(ZKT_COPYRIGHT, "(c) Feb 2005 - Nov 2012 Holger Zuleger hznet.de", ZKT copyright string)
### Checks for libraries.
### Checks for header files.
AC_HEADER_DIRENT
AC_HEADER_STDC
AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h term.h curses.h])
### Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
AC_TYPE_SIZE_T
AC_HEADER_TIME
AC_STRUCT_TM
AC_TYPE_UID_T
### Checks for library functions.
dnl AC_FUNC_MALLOC
AC_FUNC_CLOSEDIR_VOID
AC_FUNC_ERROR_AT_LINE
AC_FUNC_MKTIME
AC_FUNC_STAT
AC_FUNC_STRFTIME
AC_FUNC_UTIME_NULL
AC_FUNC_VPRINTF
# 2008-07-04 getopt_long added
# 2009-07-30 timegm added
AC_CHECK_FUNCS([getopt_long gettimeofday memset putenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime getuid timegm])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT
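Review bot: the awk script that derives `bind_version` from the `dnssec-signzone` banner calls `atoi`, which is not an awk built-in, so on gawk or mawk the pipeline fails and `bind_version` comes back empty; the following `if test $bind_version -lt "90800"` then produces a `test` error and is skipped instead of enforcing the minimum, and `BIND_VERSION` is defined with an empty value. The error text also says "greater 9.7" while the threshold is 9.8.0. Nothing to fix in this tree since the whole file goes away, but it is a reason to point users at the upstream copy rather than this one.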

@ -1,66 +0,0 @@
/*****************************************************************
**
** @(#) debug.h -- macros for debug messages
**
** compile with cc -DDBG to activate
**
** Copyright (c) Jan 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef DEBUG_H
# define DEBUG_H
# ifdef DBG
# define dbg_line() fprintf (stderr, "DBG: %s(%d) reached\n", __FILE__, __LINE__)
# define dbg_msg(msg) fprintf (stderr, "DBG: %s(%d) %s\n", __FILE__, __LINE__, msg)
# define dbg_val0(text) fprintf (stderr, "DBG: %s(%d) %s", __FILE__, __LINE__, text)
# define dbg_val1(fmt, var) dbg_val (fmt, var)
# define dbg_val(fmt, var) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, var)
# define dbg_val2(fmt, v1, v2) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2)
# define dbg_val3(fmt, v1, v2, v3) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2, v3)
# define dbg_val4(fmt, v1, v2, v3, v4) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2, v3, v4)
# define dbg_val5(fmt, v1, v2, v3, v4, v5) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2, v3, v4, v5)
# define dbg_val6(fmt, v1, v2, v3, v4, v5, v6) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2, v3, v4, v5, v6)
# else
# define dbg_line()
# define dbg_msg(msg)
# define dbg_val0(text)
# define dbg_val1(fmt, var)
# define dbg_val(fmt, str)
# define dbg_val2(fmt, v1, v2)
# define dbg_val3(fmt, v1, v2, v3)
# define dbg_val4(fmt, v1, v2, v3, v4)
# define dbg_val5(fmt, v1, v2, v3, v4, v5)
# define dbg_val6(fmt, v1, v2, v3, v4, v5, v6)
# endif
#endif

@ -1,82 +0,0 @@
#################################################################
#
# @(#) distribute.sh -- distribute and reload command for dnssec-signer
#
# (c) Jul 2008 Holger Zuleger hznet.de
#
# Feb 2010 action "distkeys" added but currently not used
#
# This shell script will be run by zkt-signer as a distribution
# and reload command if:
#
# a) the dnssec.conf file parameter Distribute_Cmd: points
# to this file
# and
# b) the user running the zkt-signer command is not
# root (uid==0)
# and
# c) the owner of this shell script is the same as the
# running user and the access rights don't allow writing
# for anyone except the owner
# or
# d) the group of this shell script is the same as the
# running user and the access rights don't allow writing
# for anyone except the group
#
#################################################################
# set path to rndc and scp
PATH="/bin:/usr/bin:/usr/local/sbin"
# remote server and directory
server=localhost # fqdn of remote name server
dir=/var/named # zone directory on remote name server
progname=$0
usage()
{
echo "usage: $progname distkeys|distribute|reload <zone> <path_to_zonefile> [<viewname>]" 1>&2
test $# -gt 0 && echo $* 1>&2
exit 1
}
if test $# -lt 3
then
usage
fi
action="$1"
zone="$2"
zonefile="$3"
view=""
test $# -gt 3 && view="$4"
case $action in
distkeys)
if test -n "$view"
then
: echo "scp K$zone+* $server:$dir/$view/$zone/"
scp K$zone+* $server:$dir/$view/$zone/
else
: echo "scp K$zone+* $server:$dir/$zone/"
scp K$zone+* $server:$dir/$zone/
fi
;;
distribute)
if test -n "$view"
then
: echo "scp $zonefile $server:$dir/$view/$zone/"
scp $zonefile $server:$dir/$view/$zone/
else
: echo "scp $zonefile $server:$dir/$zone/"
scp $zonefile $server:$dir/$zone/
fi
;;
reload)
: echo "rndc $action $zone $view"
rndc $action $zone $view
;;
*)
usage "illegal action $action"
;;
esac
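Review bot: `$zone`, `$zonefile`, `$view` and `$server` are expanded unquoted on the `scp` and `rndc` command lines (for example `scp K$zone+* $server:$dir/$view/$zone/` and `rndc $action $zone $view`), so whitespace or glob characters in a zone name or path are re-split by the shell; the header comment correctly documents that zkt-signer only runs this as a non-root user when the file is writable by nobody but its owner or group, which is the right trust model for a script that reaches a remote name server. Removing the file resolves this for the tree; anyone carrying a copy forward from upstream should double-quote the expansions.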

File diff suppressed because it is too large

@ -1,196 +0,0 @@
/*****************************************************************
**
** @(#) dki.h -- Header file for DNSsec Key info/manipulation
**
** Copyright (c) July 2004 - Jan 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef DKI_H
# define DKI_H
# ifndef TYPES_H
# include <sys/types.h>
# include <stdio.h>
# include <time.h>
# endif
# define MAX_LABELSIZE (255)
# define MAX_FNAMESIZE (1+255+2+3+1+5+1+11)
/* Kdomain.+ALG+KEYID.type */
/* domain == FQDN (max 255) */
/* ALG == 3; KEYID == 5 chars */
/* type == key||published|private|depreciated == 11 chars */
//# define MAX_DNAMESIZE (254)
# define MAX_DNAMESIZE (1023)
/* /path/name / filename */
# define MAX_PATHSIZE (MAX_DNAMESIZE + 1 + MAX_FNAMESIZE)
/* algorithm types */
# define DK_ALGO_RSA 1 /* RFC2537 */
# define DK_ALGO_DH 2 /* RFC2539 */
# define DK_ALGO_DSA 3 /* RFC2536 (mandatory) */
# define DK_ALGO_EC 4 /* */
# define DK_ALGO_RSASHA1 5 /* RFC3110 */
# define DK_ALGO_NSEC3DSA 6 /* symlink to alg 3 RFC5155 */
# define DK_ALGO_NSEC3RSASHA1 7 /* symlink to alg 5 RFC5155 */
# define DK_ALGO_RSASHA256 8 /* RFCxxx */
# define DK_ALGO_RSASHA512 10 /* RFCxxx */
# define DK_ALGO_NSEC3RSASHA256 DK_ALGO_RSASHA256 /* same as non nsec algorithm RFCxxx */
# define DK_ALGO_NSEC3RSASHA512 DK_ALGO_RSASHA512 /* same as non nsec algorithm RFCxxx */
/* protocol types */
# define DK_PROTO_DNS 3
/* flag bits */
typedef enum { /* 11 1111 */
/* 0123 4567 8901 2345 */
DK_FLAG_KSK= 01, /* 0000 0000 0000 0001 Bit 15 RFC4034/RFC3757 */
DK_FLAG_REVOKE= 0200, /* 0000 0000 1000 0000 Bit 8 RFC5011 */
DK_FLAG_ZONE= 0400, /* 0000 0001 0000 0000 Bit 7 RFC4034 */
} dk_flag_t;
/* status types */
typedef enum {
DKI_SEP= 'e',
DKI_SECUREENTRYPOINT= 'e',
DKI_PUB= 'p',
DKI_PUBLISHED= 'p',
DKI_ACT= 'a',
DKI_ACTIVE= 'a',
DKI_DEP= 'd',
DKI_DEPRECIATED= 'd',
DKI_REV= 'r',
DKI_REVOKED= 'r',
} dk_status_t;
# define DKI_KEY_FILEEXT ".key"
# define DKI_PUB_FILEEXT ".published"
# define DKI_ACT_FILEEXT ".private"
# define DKI_DEP_FILEEXT ".depreciated"
# define DKI_KSK 1
# define DKI_ZSK 0
typedef struct dki {
char dname[MAX_DNAMESIZE+1]; /* directory */
char fname[MAX_FNAMESIZE+1]; /* file name without extension */
char name[MAX_LABELSIZE+1]; /* domain name or label */
ushort algo; /* key algorithm */
ushort proto; /* must be 3 (DNSSEC) */
dk_flag_t flags; /* ZONE, optional SEP or REVOKE flag */
time_t time; /* key file time */
time_t gentime; /* key generation time (will be set on key generation and never changed) */
time_t exptime; /* time the key was expired (0L if not) */
ulong lifetime; /* proposed key life time at time of generation */
uint tag; /* key id */
dk_status_t status; /* key exist (".key") and name of private */
/* key file is ".published", ".private" */
/* or ".depreciated" */
char *pubkey; /* base64 public key */
struct dki *next; /* ptr to next entry in list */
} dki_t;
#if defined(USE_TREE) && USE_TREE
/*
* Instead of including <search.h>, which contains horrible false function
* declarations, we declared it for our usage (Yes, these functions return
* the adress of a pointer variable)
*/
typedef enum
{
/* we change the naming to the new, and more predictive one, used by Knuth */
PREORDER, /* preorder, */
INORDER, /* postorder, */
POSTORDER, /* endorder, */
LEAF /* leaf */
}
VISIT;
dki_t **tsearch (const dki_t *dkp, dki_t **tree, int(*compar)(const dki_t *, const dki_t *));
dki_t **tfind (const dki_t *dkp, const dki_t **tree, int(*compar)(const dki_t *, const dki_t *));
dki_t **tdelete (const dki_t *dkp, dki_t **tree, int(*compar)(const dki_t *, const dki_t *));
void twalk (const dki_t *root, void (*action)(const dki_t **nodep, VISIT which, int depth));
extern void dki_tfree (dki_t **tree);
extern dki_t *dki_tadd (dki_t **tree, dki_t *new, int sub_before);
extern int dki_tagcmp (const dki_t *a, const dki_t *b);
extern int dki_namecmp (const dki_t *a, const dki_t *b);
extern int dki_revnamecmp (const dki_t *a, const dki_t *b);
extern int dki_allcmp (const dki_t *a, const dki_t *b);
#endif
extern dki_t *dki_read (const char *dir, const char *fname);
extern int dki_readdir (const char *dir, dki_t **listp, int recursive);
extern int dki_prt_trustedkey (const dki_t *dkp, FILE *fp);
extern int dki_prt_managedkey (const dki_t *dkp, FILE *fp);
extern int dki_prt_dnskey (const dki_t *dkp, FILE *fp);
extern int dki_prt_dnskeyttl (const dki_t *dkp, FILE *fp, int ttl);
extern int dki_prt_dnskey_raw (const dki_t *dkp, FILE *fp);
extern int dki_prt_comment (const dki_t *dkp, FILE *fp);
extern int dki_cmp (const dki_t *a, const dki_t *b);
extern int dki_timecmp (const dki_t *a, const dki_t *b);
extern int dki_age (const dki_t *dkp, time_t curr);
extern dk_flag_t dki_getflag (const dki_t *dkp, time_t curr);
extern dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag);
extern dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag);
extern dk_status_t dki_status (const dki_t *dkp);
extern const char *dki_statusstr (const dki_t *dkp);
extern int dki_isksk (const dki_t *dkp);
extern int dki_isdepreciated (const dki_t *dkp);
extern int dki_isrevoked (const dki_t *dkp);
extern int dki_isactive (const dki_t *dkp);
extern int dki_ispublished (const dki_t *dkp);
extern time_t dki_algo (const dki_t *dkp);
extern time_t dki_time (const dki_t *dkp);
extern time_t dki_exptime (const dki_t *dkp);
extern time_t dki_gentime (const dki_t *dkp);
extern time_t dki_lifetime (const dki_t *dkp);
extern ushort dki_lifetimedays (const dki_t *dkp);
extern ushort dki_setlifetime (dki_t *dkp, int days);
extern time_t dki_setexptime (dki_t *dkp, time_t sec);
extern dki_t *dki_new (const char *dir, const char *name, int ksk, int algo, int bitsize, const char *rfile, int lf_days);
extern dki_t *dki_remove (dki_t *dkp);
extern dki_t *dki_destroy (dki_t *dkp);
extern int dki_setstatus (dki_t *dkp, int status);
extern int dki_setstatus_preservetime (dki_t *dkp, int status);
extern dki_t *dki_add (dki_t **dkp, dki_t *new);
extern const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name);
extern const dki_t *dki_search (const dki_t *list, int tag, const char *name);
extern const dki_t *dki_find (const dki_t *list, int ksk, int status, int first);
extern const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no);
extern void dki_free (dki_t *dkp);
extern void dki_freelist (dki_t **listp);
extern char *dki_algo2str (int algo);
extern char *dki_algo2sstr (int algo);
extern const char *dki_geterrstr (void);
#endif
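Review bot: inside `#if defined(USE_TREE) && USE_TREE` the header redeclares the libc functions `tsearch`, `tfind`, `tdelete` and `twalk` with `dki_t` prototypes rather than the `void *` signatures of <search.h>; as the comment above them admits, that only holds together while no translation unit includes both headers, otherwise the compiler sees conflicting declarations. The `DK_ALGO_RSASHA256 8 /* RFCxxx */` and `DK_ALGO_RSASHA512 10 /* RFCxxx */` comments are also unresolved placeholders (both algorithms are specified in RFC 5702). Dropping the file wholesale is fine; these are notes for whoever maintains the upstream copy.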

@ -1,95 +0,0 @@
.NH 1
DNS Key Status Types and Filenames
.PP
.TS
cfB | cfB s | cfB s | cfB | cfB
cfB | cfB | cfB | cfB | cfB | cfB | cfB
l | l | n | l | l | c | lfCW .
Status Key Filename used for dnssec-zkt
\^ Type Flags public private signing? label
_
active ZSK 256 .key .private y act ive
KSK 257 .key .private y act ive
.sp 0.2
published ZSK 256 .key .published n pub lished
KSK 257 .key .private n sta ndby
.sp 0.2
depreciated (retired) ZSK 256 .key .depreciated n dep reciated
.sp 0.2
revoked KSK 385 .key .private y rev oked
.sp 0.2
removed KSK 257 k*.key k*.private n -
.sp 0.2
sep KSK 257 .key - n sep
.ig
.sp 0.2
(master KSK 257 M...key .private n -)
..
.TE
.SP 2
.NH 1
Key rollover
.PP
.NH 2
Zone signing key rollover (pre-publish RFC4641)
.PP
.TS
rfB cfB |cfB |cfB |cfB
lfB |cfB |cfB |cfB |cfB
l |l |l |l |l .
action create change remove
keys newkey sig key old key
_
zsk1 active active depreciated
zsk2 published active active
.sp 0.3
RRSIG zsk1 zsk1 zsk2 zsk2
.TE
.SP 2
.NH 2
Key signing key rollover (double signature RFC4641)
.PP
.TS
rfB cfB |cfB |cfB |cfB
lfB |cfB |cfB |cfB |cfB
l |l |l |l |l .
action create change remove
keys newkey delegation old key
_
ksk\d1\u active active active
ksk\d2\u active active active
.sp 0.3
DNSKEY RRSIG ksk1 ksk1,ksk2 ksk1,ksk2 ksk2
.sp 0.3
DS at parent DS\d1\u DS\d1\u DS\d2\u DS\d2\u
.TE
.\"RRSIG DNSKEY\dksk1\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk2\u
.SP 2
.NH 2
Key signing key rollover (rfc5011)
.PP
.TS
rfB cfB |cfB |cfB
lfB |cfB |cfB |cfB
l |l |l |l .
action newkey change delegation
keys & rollover & remove old key
_
ksk\d1\u active revoke\v'-0.2'\(dg\v'+0.2'
ksk\d2\u standby active active
ksk\d3\u standby\v'-0.2'\(dd\v'+0.2' standby
.sp 0.3
DNSKEY RRSIG ksk1 ksk1,ksk2 ksk2
.sp 0.3
Parent DS DS\d1\u DS\d1\u DS\d2\u
DS\d2\u DS\d2\u DS\d3\u
.TE
.LP
\v'-0.2'\(dg\v'0.2'
Have to remain until the remove hold-down time is expired,
which is 30days at a minimum.
.LP
\v'-0.2'\(dd\v'0.2'
Will be the standby key after the hold-down time is expired
.br
Add holdtime \(eq max(30days, TTL of DNSKEY)

@ -1,304 +0,0 @@
%!PS-Adobe-3.0
%%Creator: groff version 1.19.2
%%CreationDate: Mon Jul 14 23:23:30 2008
%%DocumentNeededResources: font Times-Bold
%%+ font Times-Roman
%%+ font Courier
%%+ font Symbol
%%DocumentSuppliedResources: procset grops 1.19 2
%%Pages: 1
%%PageOrder: Ascend
%%DocumentMedia: Default 595 842 0 () ()
%%Orientation: Portrait
%%EndComments
%%BeginDefaults
%%PageMedia: Default
%%EndDefaults
%%BeginProlog
%%BeginResource: procset grops 1.19 2
%!PS-Adobe-3.0 Resource-ProcSet
/setpacking where{
pop
currentpacking
true setpacking
}if
/grops 120 dict dup begin
/SC 32 def
/A/show load def
/B{0 SC 3 -1 roll widthshow}bind def
/C{0 exch ashow}bind def
/D{0 exch 0 SC 5 2 roll awidthshow}bind def
/E{0 rmoveto show}bind def
/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
/G{0 rmoveto 0 exch ashow}bind def
/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/I{0 exch rmoveto show}bind def
/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
/K{0 exch rmoveto 0 exch ashow}bind def
/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/M{rmoveto show}bind def
/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
/O{rmoveto 0 exch ashow}bind def
/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/Q{moveto show}bind def
/R{moveto 0 SC 3 -1 roll widthshow}bind def
/S{moveto 0 exch ashow}bind def
/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/SF{
findfont exch
[exch dup 0 exch 0 exch neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
/MF{
findfont
[5 2 roll
0 3 1 roll
neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
/level0 0 def
/RES 0 def
/PL 0 def
/LS 0 def
/MANUAL{
statusdict begin/manualfeed true store end
}bind def
/PLG{
gsave newpath clippath pathbbox grestore
exch pop add exch pop
}bind def
/BP{
/level0 save def
1 setlinecap
1 setlinejoin
72 RES div dup scale
LS{
90 rotate
}{
0 PL translate
}ifelse
1 -1 scale
}bind def
/EP{
level0 restore
showpage
}def
/DA{
newpath arcn stroke
}bind def
/SN{
transform
.25 sub exch .25 sub exch
round .25 add exch round .25 add exch
itransform
}bind def
/DL{
SN
moveto
SN
lineto stroke
}bind def
/DC{
newpath 0 360 arc closepath
}bind def
/TM matrix def
/DE{
TM currentmatrix pop
translate scale newpath 0 0 .5 0 360 arc closepath
TM setmatrix
}bind def
/RC/rcurveto load def
/RL/rlineto load def
/ST/stroke load def
/MT/moveto load def
/CL/closepath load def
/Fr{
setrgbcolor fill
}bind def
/setcmykcolor where{
pop
/Fk{
setcmykcolor fill
}bind def
}if
/Fg{
setgray fill
}bind def
/FL/fill load def
/LW/setlinewidth load def
/Cr/setrgbcolor load def
/setcmykcolor where{
pop
/Ck/setcmykcolor load def
}if
/Cg/setgray load def
/RE{
findfont
dup maxlength 1 index/FontName known not{1 add}if dict begin
{
1 index/FID ne{def}{pop pop}ifelse
}forall
/Encoding exch def
dup/FontName exch def
currentdict end definefont pop
}bind def
/DEFS 0 def
/EBEGIN{
moveto
DEFS begin
}bind def
/EEND/end load def
/CNT 0 def
/level1 0 def
/PBEGIN{
/level1 save def
translate
div 3 1 roll div exch scale
neg exch neg exch translate
0 setgray
0 setlinecap
1 setlinewidth
0 setlinejoin
10 setmiterlimit
[]0 setdash
/setstrokeadjust where{
pop
false setstrokeadjust
}if
/setoverprint where{
pop
false setoverprint
}if
newpath
/CNT countdictstack def
userdict begin
/showpage{}def
/setpagedevice{}def
}bind def
/PEND{
countdictstack CNT sub{end}repeat
level1 restore
}bind def
end def
/setpacking where{
pop
setpacking
}if
%%EndResource
%%EndProlog
%%BeginSetup
%%BeginFeature: *PageSize Default
<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice
%%EndFeature
%%IncludeResource: font Times-Bold
%%IncludeResource: font Times-Roman
%%IncludeResource: font Courier
%%IncludeResource: font Symbol
grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
/Times-Bold@0 ENC0/Times-Bold RE
%%EndSetup
%%Page: 1 1
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G
(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235
(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G
(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57
(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E
(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0
SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E
26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10
/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89
E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2
(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F
26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1
17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E
-.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1
(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69
-.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1
(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385)
-64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G
46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G
61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H
(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52
(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695
E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL
280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1
196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r)
-.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. Zone)72 285.2 R
(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr)
-2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035
(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72
318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo)
.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62
(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d)
-.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41
-.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R
33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32
297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95
362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo)
-.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G
(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F
-.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1
F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72
428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H
(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q
(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a)
-.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09
(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q
(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2)
5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48
402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. K)72 511.2 R
(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G
(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1
F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo)
.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1
(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8
Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1
(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N
33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I
(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4
Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E
(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q
(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5
DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha)
2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3
-.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E
(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5
2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E
(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol
SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP
%%Trailer
end
%%EOF
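Review bot: this file is build output (`%%Creator: groff version 1.19.2`, `%%CreationDate: Mon Jul 14 23:23:30 2008`) rendered from the troff table source deleted in the previous hunk, so removing it together with its source is correct; if any of the zkt material is ever brought back, the PostScript should come from a build step rather than be checked in.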

@ -1,616 +0,0 @@
Intended Status: Informational O. Gudmundsson
Network Working Group OGUD Consulting LLC
Internet-Draft J. Ihren
Expires: August 21, 2008 AAB
February 18, 2008
Names of States in the life of a DNSKEY
draft-gudmundsson-life-of-dnskey-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 21, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2008).
Gudmundsson & Ihren Expires August 21, 2008 [Page 1]
Internet-Draft DNSSEC Key life stages. February 2008
Abstract
This document recommends a specific terminology to use when
expressing the state that a DNSKEY is in at particular time. This
does not affect how the protocol operates in any way.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. DNSKEY timeline . . . . . . . . . . . . . . . . . . . . . . . 4
3. Life stages of a DNSKEY . . . . . . . . . . . . . . . . . . . 5
3.1. Generated . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Published . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2.1. Pre-Publication . . . . . . . . . . . . . . . . . . . 5
3.2.2. Out-Of-Band Publication . . . . . . . . . . . . . . . 5
3.3. Active . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.4. Retired . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.5. Removed . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.5.1. Lame . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.5.2. Stale . . . . . . . . . . . . . . . . . . . . . . . . 6
3.6. Revoked . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Security considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1. Normative References . . . . . . . . . . . . . . . . . . . 9
6.2. Informative References . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
Intellectual Property and Copyright Statements . . . . . . . . . . 11
Gudmundsson & Ihren Expires August 21, 2008 [Page 2]
Internet-Draft DNSSEC Key life stages. February 2008
1. Introduction
When the editors of this document where comparing their DNSSEC key
management projects they discovered that they where discussing
roughly the same thing but using different terminology.
This document presents a unified terminology to use when describing
the current state of a DNSKEY.
The DNSSEC standards documents ([1], [2] and [3]) do not address the
required states for the key management of a DNSSEC key. The DNSSEC
Operational Practices [4] document does propose that keys be
published before use but uses inconsistent or confusing terms. This
document assumes basic understanding of DNSSEC and key management.
The terms proposed in this document attempt to avoid any confusion
and make the states of keys to be as clear as possible. The terms
used in this document are intended as a operational supplement to the
terms defined in Section 2 of [1].
To large extent this discussion is motivated by Trust anchor keys but
the same terminology can be used for zone signing keys.
Gudmundsson & Ihren Expires August 21, 2008 [Page 3]
Internet-Draft DNSSEC Key life stages. February 2008
2. DNSKEY timeline
The model in this document is that keys progress through a state
machine along a one-way path, keys never move to an earlier states.
GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED
| ^ | | | ^
| | | | v |
+--> Pre-PUBLISHED--+ +--------+---------> REVOKED ---+
DNSKEY time line.
There are few more states that are defined below but these apply only
to the publisher of TA's and the consumer of TA's. Two of these are
sub-sets of the Published state, the other two are error states.
Gudmundsson & Ihren Expires August 21, 2008 [Page 4]
Internet-Draft DNSSEC Key life stages. February 2008
3. Life stages of a DNSKEY
3.1. Generated
Once a key is generated it enters state Generated and stays there
until the next state. While in this state only the owner of the key
is aware of its existence and can prepare for its future use.
3.2. Published
Once the key is added to the DNSKEY set of a zone the key is there
for the world to see, or published. The key needs to remain in this
state for some time to propagate to all validators that have cached
the prior version of the DNSKEY set. In the case of KSK the key
should remain in this state for a longer time as documented in DNSSEC
Timers RFC [5].
3.2.1. Pre-Publication
In certain circumstances a zone owner may want to give out a new
Trust Anchor before exposing the actual public key. In this case the
zone can publish a DS record of the key. This allows others to
configure the trust anchor but will not be able to use the key until
the key is published in the DNSKEY RRset.
3.2.2. Out-Of-Band Publication
In certain circumstances a domain may want to give out a new Trust
Anchor outside DNS to give others a long lead time to configure the
new key as trust anchor. The reason people may want to do this is to
keep the size of the DNSKEY set smaller and only add new trust anchor
just before the key goes into use. One likely use for this is the
DNS "." root key as it does not have a parent that can publish a DS
record for it. The publication mechanism does not matter it can be
any one of web-site, advertisement in Financial Times and other
international publication, e-mail to DNS related mailing lists, etc..
3.3. Active
The key is in ACTIVE state while it is actively signing data in the
zone it resides in. It is one of the the keys that are signing the
zone or parts of the zone.
3.4. Retired
When the key is no longer used for signing the zone it enters state
Retired. In this state there may still be signatures by the key in
cached data from the zone available at recursive servers, but the
Gudmundsson & Ihren Expires August 21, 2008 [Page 5]
Internet-Draft DNSSEC Key life stages. February 2008
authoritative servers for the zone do no longer carry any signatures
generated by the key.
3.5. Removed
Once the key is removed from the DNSKEY RRset it enters the state
Removed. At this point all signatures by the key that may still be
temporarily valid will fail to verify once the validator refreshes
the DNSKEY RRset in its memory.
Therefore "removal" of a key is typically not done until all the
cached signatures have expired. Entering this state too early may
cause number of validators to end up with STALE Trust Anchors.
3.5.1. Lame
A Trust Anchor is Lame if the parent continues to publish DS pointing
to the key after it has been removed from the DNSKEY RRset. A Trust
Anchor is arguably Lame if there are no signatures by a Retired KSK
in the zone.
3.5.2. Stale
A Stale Trust Anchor is an old TA that remains in a validators list
of active key(s) after the key has been removed from the zone's
DNSKEY RRset.
3.6. Revoked
There are times when a zone wants to signal that a particular key
should not be used at all. The mechanism to do this is to set the
REVOKE bit [5]. Any key in any of the while the key is the DNSSKEY
set can be exited to Revoked state. After some time in the Revoke
state the key will be Removed.
Gudmundsson & Ihren Expires August 21, 2008 [Page 6]
Internet-Draft DNSSEC Key life stages. February 2008
4. Security considerations
TBD
Gudmundsson & Ihren Expires August 21, 2008 [Page 7]
Internet-Draft DNSSEC Key life stages. February 2008
5. IANA considerations
This document does not have any IANA actions.
Gudmundsson & Ihren Expires August 21, 2008 [Page 8]
Internet-Draft DNSSEC Key life stages. February 2008
6. References
6.1. Normative References
6.2. Informative References
[1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033,
March 2005.
[2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Resource Records for the DNS Security Extensions", RFC 4034,
March 2005.
[3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Protocol Modifications for the DNS Security Extensions",
RFC 4035, March 2005.
[4] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
RFC 4641, September 2006.
[5] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
Anchors", RFC 5011, September 2007.
Gudmundsson & Ihren Expires August 21, 2008 [Page 9]
Internet-Draft DNSSEC Key life stages. February 2008
Authors' Addresses
Olafur Gudmundsson
OGUD Consulting LLC
3821 Village Park Drive
Chevy Chase, MD 20815
USA
Email: ogud@ogud.com
Johan Ihren
Automatica, AB
Bellmansgatan 30
Stockholm, SE-118 47
Sweden
Email: johani@automatica.se
Gudmundsson & Ihren Expires August 21, 2008 [Page 10]
Internet-Draft DNSSEC Key life stages. February 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Gudmundsson & Ihren Expires August 21, 2008 [Page 11]
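Review bot: the whole-file removal of this Internet-Draft is fine to take without a replacement, but note what is being dropped: the draft is long expired (each page footer reads "Expires August 21, 2008"), its Section 4 "Security considerations" still reads "TBD", and Section 6.1 "Normative References" is empty, so it was never usable as a citable reference for the key-state terminology it proposes. Anyone who still needs the REVOKE-bit semantics that Section 3.6 leans on should be pointed at the draft's own reference [5], RFC 5011, which is a published Standards Track document and defines the resolver-side state table normatively.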
@ -1,787 +0,0 @@
Network Working Group M. StJohns
Request for Comments: 5011 Independent
Category: Standards Track September 2007
Automated Updates of DNS Security (DNSSEC) Trust Anchors
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This document describes a means for automated, authenticated, and
authorized updating of DNSSEC "trust anchors". The method provides
protection against N-1 key compromises of N keys in the trust point
key set. Based on the trust established by the presence of a current
anchor, other anchors may be added at the same place in the
hierarchy, and, ultimately, supplant the existing anchor(s).
This mechanism will require changes to resolver management behavior
(but not resolver resolution behavior), and the addition of a single
flag bit to the DNSKEY record.
StJohns Standards Track [Page 1]
RFC 5011 Trust Anchor Update September 2007
Table of Contents
1. Introduction ....................................................2
1.1. Compliance Nomenclature ....................................3
2. Theory of Operation .............................................3
2.1. Revocation .................................................4
2.2. Add Hold-Down ..............................................4
2.3. Active Refresh .............................................5
2.4. Resolver Parameters ........................................6
2.4.1. Add Hold-Down Time ..................................6
2.4.2. Remove Hold-Down Time ...............................6
2.4.3. Minimum Trust Anchors per Trust Point ...............6
3. Changes to DNSKEY RDATA Wire Format .............................6
4. State Table .....................................................6
4.1. Events .....................................................7
4.2. States .....................................................7
5. Trust Point Deletion ............................................8
6. Scenarios - Informative .........................................9
6.1. Adding a Trust Anchor ......................................9
6.2. Deleting a Trust Anchor ....................................9
6.3. Key Roll-Over .............................................10
6.4. Active Key Compromised ....................................10
6.5. Stand-by Key Compromised ..................................10
6.6. Trust Point Deletion ......................................10
7. IANA Considerations ............................................11
8. Security Considerations ........................................11
8.1. Key Ownership vs. Acceptance Policy .......................11
8.2. Multiple Key Compromise ...................................12
8.3. Dynamic Updates ...........................................12
9. Normative References ...........................................12
10. Informative References ........................................12
1. Introduction
As part of the reality of fielding DNSSEC (Domain Name System
Security Extensions) [RFC4033] [RFC4034] [RFC4035], the community has
come to the realization that there will not be one signed name space,
but rather islands of signed name spaces each originating from
specific points (i.e., 'trust points') in the DNS tree. Each of
those islands will be identified by the trust point name, and
validated by at least one associated public key. For the purpose of
this document, we'll call the association of that name and a
particular key a 'trust anchor'. A particular trust point can have
more than one key designated as a trust anchor.
For a DNSSEC-aware resolver to validate information in a DNSSEC
protected branch of the hierarchy, it must have knowledge of a trust
anchor applicable to that branch. It may also have more than one
StJohns Standards Track [Page 2]
RFC 5011 Trust Anchor Update September 2007
trust anchor for any given trust point. Under current rules, a chain
of trust for DNSSEC-protected data that chains its way back to ANY
known trust anchor is considered 'secure'.
Because of the probable balkanization of the DNSSEC tree due to
signing voids at key locations, a resolver may need to know literally
thousands of trust anchors to perform its duties (e.g., consider an
unsigned ".COM"). Requiring the owner of the resolver to manually
manage these many relationships is problematic. It's even more
problematic when considering the eventual requirement for key
replacement/update for a given trust anchor. The mechanism described
herein won't help with the initial configuration of the trust anchors
in the resolvers, but should make trust point key
replacement/rollover more viable.
As mentioned above, this document describes a mechanism whereby a
resolver can update the trust anchors for a given trust point, mainly
without human intervention at the resolver. There are some corner
cases discussed (e.g., multiple key compromise) that may require
manual intervention, but they should be few and far between. This
document DOES NOT discuss the general problem of the initial
configuration of trust anchors for the resolver.
1.1. Compliance Nomenclature
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, [RFC2119].
2. Theory of Operation
The general concept of this mechanism is that existing trust anchors
can be used to authenticate new trust anchors at the same point in
the DNS hierarchy. When a zone operator adds a new SEP key (i.e., a
DNSKEY with the Secure Entry Point bit set) (see [RFC4034], Section
2.1.1) to a trust point DNSKEY RRSet, and when that RRSet is
validated by an existing trust anchor, then the resolver can add the
new key to its set of valid trust anchors for that trust point.
There are some issues with this approach that need to be mitigated.
For example, a compromise of one of the existing keys could allow an
attacker to add their own 'valid' data. This implies a need for a
method to revoke an existing key regardless of whether or not that
key is compromised. As another example, assuming a single key
compromise, we need to prevent an attacker from adding a new key and
revoking all the other old keys.
StJohns Standards Track [Page 3]
RFC 5011 Trust Anchor Update September 2007
2.1. Revocation
Assume two trust anchor keys A and B. Assume that B has been
compromised. Without a specific revocation bit, B could invalidate A
simply by sending out a signed trust point key set that didn't
contain A. To fix this, we add a mechanism that requires knowledge
of the private key of a DNSKEY to revoke that DNSKEY.
A key is considered revoked when the resolver sees the key in a
self-signed RRSet and the key has the REVOKE bit (see Section 7
below) set to '1'. Once the resolver sees the REVOKE bit, it MUST
NOT use this key as a trust anchor or for any other purpose except to
validate the RRSIG it signed over the DNSKEY RRSet specifically for
the purpose of validating the revocation. Unlike the 'Add' operation
below, revocation is immediate and permanent upon receipt of a valid
revocation at the resolver.
A self-signed RRSet is a DNSKEY RRSet that contains the specific
DNSKEY and for which there is a corresponding validated RRSIG record.
It's not a special DNSKEY RRSet, just a way of describing the
validation requirements for that RRSet.
N.B.: A DNSKEY with the REVOKE bit set has a different fingerprint
than one without the bit set. This affects the matching of a DNSKEY
to DS records in the parent [RFC3755], or the fingerprint stored at a
resolver used to configure a trust point.
In the given example, the attacker could revoke B because it has
knowledge of B's private key, but could not revoke A.
2.2. Add Hold-Down
Assume two trust point keys A and B. Assume that B has been
compromised. An attacker could generate and add a new trust anchor
key C (by adding C to the DNSKEY RRSet and signing it with B), and
then invalidate the compromised key. This would result in both the
attacker and owner being able to sign data in the zone and have it
accepted as valid by resolvers.
To mitigate but not completely solve this problem, we add a hold-down
time to the addition of the trust anchor. When the resolver sees a
new SEP key in a validated trust point DNSKEY RRSet, the resolver
starts an acceptance timer, and remembers all the keys that validated
the RRSet. If the resolver ever sees the DNSKEY RRSet without the
new key but validly signed, it stops the acceptance process for that
key and resets the acceptance timer. If all of the keys that were
StJohns Standards Track [Page 4]
RFC 5011 Trust Anchor Update September 2007
originally used to validate this key are revoked prior to the timer
expiring, the resolver stops the acceptance process and resets the
timer.
Once the timer expires, the new key will be added as a trust anchor
the next time the validated RRSet with the new key is seen at the
resolver. The resolver MUST NOT treat the new key as a trust anchor
until the hold-down time expires AND it has retrieved and validated a
DNSKEY RRSet after the hold-down time that contains the new key.
N.B.: Once the resolver has accepted a key as a trust anchor, the key
MUST be considered a valid trust anchor by that resolver until
explicitly revoked as described above.
In the given example, the zone owner can recover from a compromise by
revoking B and adding a new key D and signing the DNSKEY RRSet with
both A and B.
The reason this does not completely solve the problem has to do with
the distributed nature of DNS. The resolver only knows what it sees.
A determined attacker who holds one compromised key could keep a
single resolver from realizing that the key had been compromised by
intercepting 'real' data from the originating zone and substituting
their own (e.g., using the example, signed only by B). This is no
worse than the current situation assuming a compromised key.
2.3. Active Refresh
A resolver that has been configured for an automatic update of keys
from a particular trust point MUST query that trust point (e.g., do a
lookup for the DNSKEY RRSet and related RRSIG records) no less often
than the lesser of 15 days, half the original TTL for the DNSKEY
RRSet, or half the RRSIG expiration interval and no more often than
once per hour. The expiration interval is the amount of time from
when the RRSIG was last retrieved until the expiration time in the
RRSIG. That is, queryInterval = MAX(1 hr, MIN (15 days, 1/2*OrigTTL,
1/2*RRSigExpirationInterval))
If the query fails, the resolver MUST repeat the query until
satisfied no more often than once an hour and no less often than the
lesser of 1 day, 10% of the original TTL, or 10% of the original
expiration interval. That is, retryTime = MAX (1 hour, MIN (1 day,
.1 * origTTL, .1 * expireInterval)).
StJohns Standards Track [Page 5]
RFC 5011 Trust Anchor Update September 2007
2.4. Resolver Parameters
2.4.1. Add Hold-Down Time
The add hold-down time is 30 days or the expiration time of the
original TTL of the first trust point DNSKEY RRSet that contained the
new key, whichever is greater. This ensures that at least two
validated DNSKEY RRSets that contain the new key MUST be seen by the
resolver prior to the key's acceptance.
2.4.2. Remove Hold-Down Time
The remove hold-down time is 30 days. This parameter is solely a key
management database bookeeping parameter. Failure to remove
information about the state of defunct keys from the database will
not adversely impact the security of this protocol, but may end up
with a database cluttered with obsolete key information.
2.4.3. Minimum Trust Anchors per Trust Point
A compliant resolver MUST be able to manage at least five SEP keys
per trust point.
3. Changes to DNSKEY RDATA Wire Format
Bit 8 of the DNSKEY Flags field is designated as the 'REVOKE' flag.
If this bit is set to '1', AND the resolver sees an RRSIG(DNSKEY)
signed by the associated key, then the resolver MUST consider this
key permanently invalid for all purposes except for validating the
revocation.
4. State Table
The most important thing to understand is the resolver's view of any
key at a trust point. The following state table describes this view
at various points in the key's lifetime. The table is a normative
part of this specification. The initial state of the key is 'Start'.
The resolver's view of the state of the key changes as various events
occur.
This is the state of a trust-point key as seen from the resolver.
The column on the left indicates the current state. The header at
the top shows the next state. The intersection of the two shows the
event that will cause the state to transition from the current state
to the next.
StJohns Standards Track [Page 6]
RFC 5011 Trust Anchor Update September 2007
NEXT STATE
--------------------------------------------------
FROM |Start |AddPend |Valid |Missing|Revoked|Removed|
----------------------------------------------------------
Start | |NewKey | | | | |
----------------------------------------------------------
AddPend |KeyRem | |AddTime| | | |
----------------------------------------------------------
Valid | | | |KeyRem |Revbit | |
----------------------------------------------------------
Missing | | |KeyPres| |Revbit | |
----------------------------------------------------------
Revoked | | | | | |RemTime|
----------------------------------------------------------
Removed | | | | | | |
----------------------------------------------------------
State Table
4.1. Events
NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
That key will become a new trust anchor for the named trust
point after it's been present in the RRSet for at least 'add
time'.
KeyPres The key has returned to the valid DNSKEY RRSet.
KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
this key.
AddTime The key has been in every valid DNSKEY RRSet seen for at
least the 'add time'.
RemTime A revoked key has been missing from the trust-point DNSKEY
RRSet for sufficient time to be removed from the trust set.
RevBit The key has appeared in the trust anchor DNSKEY RRSet with
its "REVOKED" bit set, and there is an RRSig over the DNSKEY
RRSet signed by this key.
4.2. States
Start The key doesn't yet exist as a trust anchor at the resolver.
It may or may not exist at the zone server, but either
hasn't yet been seen at the resolver or was seen but was
absent from the last DNSKEY RRSet (e.g., KeyRem event).
StJohns Standards Track [Page 7]
RFC 5011 Trust Anchor Update September 2007
AddPend The key has been seen at the resolver, has its 'SEP' bit
set, and has been included in a validated DNSKEY RRSet.
There is a hold-down time for the key before it can be used
as a trust anchor.
Valid The key has been seen at the resolver and has been included
in all validated DNSKEY RRSets from the time it was first
seen through the hold-down time. It is now valid for
verifying RRSets that arrive after the hold-down time.
Clarification: The DNSKEY RRSet does not need to be
continuously present at the resolver (e.g., its TTL might
expire). If the RRSet is seen and is validated (i.e.,
verifies against an existing trust anchor), this key MUST be
in the RRSet, otherwise a 'KeyRem' event is triggered.
Missing This is an abnormal state. The key remains a valid trust-
point key, but was not seen at the resolver in the last
validated DNSKEY RRSet. This is an abnormal state because
the zone operator should be using the REVOKE bit prior to
removal.
Revoked This is the state a key moves to once the resolver sees an
RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet
contains this key with its REVOKE bit set to '1'. Once in
this state, this key MUST permanently be considered invalid
as a trust anchor.
Removed After a fairly long hold-down time, information about this
key may be purged from the resolver. A key in the removed
state MUST NOT be considered a valid trust anchor. (Note:
this state is more or less equivalent to the "Start" state,
except that it's bad practice to re-introduce previously
used keys -- think of this as the holding state for all the
old keys for which the resolver no longer needs to track
state.)
5. Trust Point Deletion
A trust point that has all of its trust anchors revoked is considered
deleted and is treated as if the trust point was never configured.
If there are no superior configured trust points, data at and below
the deleted trust point are considered insecure by the resolver. If
there ARE superior configured trust points, data at and below the
deleted trust point are evaluated with respect to the superior trust
point(s).
Alternately, a trust point that is subordinate to another configured
trust point MAY be deleted by a resolver after 180 days, where such a
StJohns Standards Track [Page 8]
RFC 5011 Trust Anchor Update September 2007
subordinate trust point validly chains to a superior trust point.
The decision to delete the subordinate trust anchor is a local
configuration decision. Once the subordinate trust point is deleted,
validation of the subordinate zone is dependent on validating the
chain of trust to the superior trust point.
6. Scenarios - Informative
The suggested model for operation is to have one active key and one
stand-by key at each trust point. The active key will be used to
sign the DNSKEY RRSet. The stand-by key will not normally sign this
RRSet, but the resolver will accept it as a trust anchor if/when it
sees the signature on the trust point DNSKEY RRSet.
Since the stand-by key is not in active signing use, the associated
private key may (and should) be provided with additional protections
not normally available to a key that must be used frequently (e.g.,
locked in a safe, split among many parties, etc). Notionally, the
stand-by key should be less subject to compromise than an active key,
but that will be dependent on operational concerns not addressed
here.
6.1. Adding a Trust Anchor
Assume an existing trust anchor key 'A'.
1. Generate a new key pair.
2. Create a DNSKEY record from the key pair and set the SEP and Zone
Key bits.
3. Add the DNSKEY to the RRSet.
4. Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
'A'.
5. Wait for various resolvers' timers to go off and for them to
retrieve the new DNSKEY RRSet and signatures.
6. The new trust anchor will be populated at the resolvers on the
schedule described by the state table and update algorithm -- see
Sections 2 and 4 above.
6.2. Deleting a Trust Anchor
Assume existing trust anchors 'A' and 'B' and that you want to revoke
and delete 'A'.
StJohns Standards Track [Page 9]
RFC 5011 Trust Anchor Update September 2007
1. Set the revocation bit on key 'A'.
2. Sign the DNSKEY RRSet with both 'A' and 'B'. 'A' is now revoked.
The operator should include the revoked 'A' in the RRSet for at
least the remove hold-down time, but then may remove it from the
DNSKEY RRSet.
6.3. Key Roll-Over
Assume existing keys A and B. 'A' is actively in use (i.e. has been
signing the DNSKEY RRSet). 'B' was the stand-by key. (i.e. has been
in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
used to sign the RRSet).
1. Generate a new key pair 'C'.
2. Add 'C' to the DNSKEY RRSet.
3. Set the revocation bit on key 'A'.
4. Sign the RRSet with 'A' and 'B'.
'A' is now revoked, 'B' is now the active key, and 'C' will be the
stand-by key once the hold-down expires. The operator should include
the revoked 'A' in the RRSet for at least the remove hold-down time,
but may then remove it from the DNSKEY RRSet.
6.4. Active Key Compromised
This is the same as the mechanism for Key Roll-Over (Section 6.3)
above, assuming 'A' is the active key.
6.5. Stand-by Key Compromised
Using the same assumptions and naming conventions as Key Roll-Over
(Section 6.3) above:
1. Generate a new key pair 'C'.
2. Add 'C' to the DNSKEY RRSet.
3. Set the revocation bit on key 'B'.
4. Sign the RRSet with 'A' and 'B'.
'B' is now revoked, 'A' remains the active key, and 'C' will be the
stand-by key once the hold-down expires. 'B' should continue to be
included in the RRSet for the remove hold-down time.
6.6. Trust Point Deletion
To delete a trust point that is subordinate to another configured
trust point (e.g., example.com to .com) requires some juggling of the
data. The specific process is:
StJohns Standards Track [Page 10]
RFC 5011 Trust Anchor Update September 2007
1. Generate a new DNSKEY and DS record and provide the DS record to
the parent along with DS records for the old keys.
2. Once the parent has published the DSs, add the new DNSKEY to the
RRSet and revoke ALL of the old keys at the same time, while
signing the DNSKEY RRSet with all of the old and new keys.
3. After 30 days, stop publishing the old, revoked keys and remove
any corresponding DS records in the parent.
Revoking the old trust-point keys at the same time as adding new keys
that chain to a superior trust prevents the resolver from adding the
new keys as trust anchors. Adding DS records for the old keys avoids
a race condition where either the subordinate zone becomes unsecure
(because the trust point was deleted) or becomes bogus (because it
didn't chain to the superior zone).
7. IANA Considerations
The IANA has assigned a bit in the DNSKEY flags field (see Section 7
of [RFC4034]) for the REVOKE bit (8).
8. Security Considerations
In addition to the following sections, see also Theory of Operation
above (Section 2) and especially Section 2.2 for related discussions.
Security considerations for trust anchor rollover not specific to
this protocol are discussed in [RFC4986].
8.1. Key Ownership vs. Acceptance Policy
The reader should note that, while the zone owner is responsible for
creating and distributing keys, it's wholly the decision of the
resolver owner as to whether to accept such keys for the
authentication of the zone information. This implies the decision to
update trust-anchor keys based on trusting a current trust-anchor key
is also the resolver owner's decision.
The resolver owner (and resolver implementers) MAY choose to permit
or prevent key status updates based on this mechanism for specific
trust points. If they choose to prevent the automated updates, they
will need to establish a mechanism for manual or other out-of-band
updates, which are outside the scope of this document.
StJohns Standards Track [Page 11]
RFC 5011 Trust Anchor Update September 2007
8.2. Multiple Key Compromise
This scheme permits recovery as long as at least one valid trust-
anchor key remains uncompromised, e.g., if there are three keys, you
can recover if two of them are compromised. The zone owner should
determine their own level of comfort with respect to the number of
active, valid trust anchors in a zone and should be prepared to
implement recovery procedures once they detect a compromise. A
manual or other out-of-band update of all resolvers will be required
if all trust-anchor keys at a trust point are compromised.
8.3. Dynamic Updates
Allowing a resolver to update its trust anchor set based on in-band
key information is potentially less secure than a manual process.
However, given the nature of the DNS, the number of resolvers that
would require update if a trust anchor key were compromised, and the
lack of a standard management framework for DNS, this approach is no
worse than the existing situation.
9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
Signer (DS)", RFC 3755, May 2004.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
10. Informative References
[RFC4986] Eland, H., Mundy, R., Crocker, S., and S. Krishnaswamy,
"Requirements Related to DNS Security (DNSSEC) Trust
Anchor Rollover", RFC 4986, August 2007.
StJohns Standards Track [Page 12]
RFC 5011 Trust Anchor Update September 2007
Author's Address
Michael StJohns
Independent
EMail: mstjohns@comcast.net
StJohns Standards Track [Page 13]
RFC 5011 Trust Anchor Update September 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
StJohns Standards Track [Page 14]

@ -1,332 +0,0 @@
/*****************************************************************
**
** @(#) domaincmp.c -- compare two domain names
**
** Copyright (c) Aug 2005, Karle Boss, Holger Zuleger (kaho).
** isparentdomain() (c) Mar 2010 by Holger Zuleger
** All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Karle Boss or Holger Zuleger (kaho) nor the
** names of its contributors may be used to endorse or promote products
** derived from this software without specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
# include <stdio.h>
# include <string.h>
# include <assert.h>
# include <ctype.h>
#define extern
# include "domaincmp.h"
#undef extern
#define goto_labelstart(str, p) while ( (p) > (str) && *((p)-1) != '.' ) \
(p)--
/*****************************************************************
** int domaincmp (a, b)
** compare a and b as fqdns.
** return <0 | 0 | >0 as in strcmp
** A subdomain is less than the corresponding parent domain,
** thus domaincmp ("z.example.net", "example.net") return < 0 !!
*****************************************************************/
int domaincmp (const char *a, const char *b)
{
return domaincmp_dir (a, b, 1);
}
/*****************************************************************
** int domaincmp_dir (a, b, subdomain_above)
** compare a and b as fqdns.
** return <0 | 0 | >0 as in strcmp
** A subdomain is less than the corresponding parent domain,
** thus domaincmp ("z.example.net", "example.net") return < 0 !!
*****************************************************************/
int domaincmp_dir (const char *a, const char *b, int subdomain_above)
{
register const char *pa;
register const char *pb;
int dir;
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
if ( subdomain_above )
dir = 1;
else
dir = -1;
if ( *a == '.' ) /* skip a leading dot */
a++;
if ( *b == '.' ) /* same at the other string */
b++;
/* let pa and pb point to the last non dot char */
pa = a + strlen (a);
do
pa--;
while ( pa > a && *pa == '.' );
pb = b + strlen (b);
do
pb--;
while ( pb > b && *pb == '.' );
/* cmp both domains starting at the end */
while ( *pa == *pb && pa > a && pb > b )
pa--, pb--;
if ( *pa != *pb ) /* both domains are different ? */
{
if ( *pa == '.' )
pa++; /* set to beginning of next label */
else
goto_labelstart (a, pa); /* find begin of current label */
if ( *pb == '.' )
pb++; /* set to beginning of next label */
else
goto_labelstart (b, pb); /* find begin of current label */
}
else /* maybe one of them has a subdomain */
{
if ( pa > a )
if ( pa[-1] == '.' )
return -1 * dir;
else
goto_labelstart (a, pa);
else if ( pb > b )
if ( pb[-1] == '.' )
return 1 * dir;
else
goto_labelstart (b, pb);
else
return 0; /* both are at the beginning, so they are equal */
}
/* both domains are definitly unequal */
while ( *pa == *pb ) /* so we have to look at the point where they differ */
pa++, pb++;
return *pa - *pb;
}
/*****************************************************************
**
** int issubdomain ("child", "parent")
**
** "child" and "parent" are standardized domain names in such
** a way that even both domain names are ending with a dot,
** or none of them.
**
** returns 1 if "child" is a subdomain of "parent"
** returns 0 if "child" is not a subdomain of "parent"
**
*****************************************************************/
int issubdomain (const char *child, const char *parent)
{
const char *p;
const char *cdot;
int ccnt;
int pcnt;
if ( !child || !parent || *child == '\0' || *parent == '\0' )
return 0;
cdot = NULL;
pcnt = 0;
for ( p = parent; *p; p++ )
if ( *p == '.' )
pcnt++;
ccnt = 0;
for ( p = child; *p; p++ )
if ( *p == '.' )
{
if ( ccnt == 0 )
cdot = p;
ccnt++;
}
if ( ccnt == 0 ) /* child is not a fqdn or is not deep enough ? */
return 0;
if ( pcnt == 0 ) /* parent is not a fqdn ? */
return 0;
if ( pcnt >= ccnt ) /* parent has more levels than child ? */
return 0;
/* is child a (one level) subdomain of parent ? */
if ( strcmp (cdot+1, parent) == 0 ) /* the domains are equal ? */
return 1;
return 0;
}
/*****************************************************************
**
** int isparentdomain ("child", "parent", level)
**
** "child" and "parent" are standardized domain names in such
** a way that even both domain names are ending with a dot,
** or none of them.
**
** returns 1 if "child" is a subdomain of "parent"
** returns 0 if "child" is not a subdomain of "parent"
** returns -1 if "child" and "parent" are the same domain
**
*****************************************************************/
int isparentdomain (const char *child, const char *parent, int level)
{
const char *p;
const char *cdot;
const char *pdot;
int ccnt;
int pcnt;
if ( !child || !parent || *child == '\0' || *parent == '\0' )
return 0;
pdot = cdot = NULL;
pcnt = 0;
for ( p = parent; *p; p++ )
if ( *p == '.' )
{
if ( pcnt == 0 )
pdot = p;
pcnt++;
}
ccnt = 0;
for ( p = child; *p; p++ )
if ( *p == '.' )
{
if ( ccnt == 0 )
cdot = p;
ccnt++;
}
if ( ccnt == 0 || ccnt < level ) /* child is not a fqdn or is not deep enough ? */
return 0;
if ( pcnt == 0 ) /* parent is not a fqdn ? */
return 0;
if ( pcnt > ccnt ) /* parent has more levels than child ? */
return 0;
if ( pcnt == ccnt ) /* both are at the same level ? */
{
/* let's check the domain part */
if ( strcmp (cdot, pdot) == 0 ) /* the domains are equal ? */
return -1;
return 0;
}
if ( pcnt > ccnt ) /* parent has more levels than child ? */
return 0;
/* is child a (one level) subdomain of parent ? */
if ( strcmp (cdot+1, parent) == 0 ) /* the domains are equal ? */
return 1;
return 0;
}
#ifdef DOMAINCMP_TEST
static struct {
char *a;
char *b;
int res;
} ex[] = {
{ ".", ".", 0 },
{ "test", "", 1 },
{ "", "test2", -1 },
{ "", "", 0 },
{ "de", "de", 0 },
{ ".de", "de", 0 },
{ "de.", "de.", 0 },
{ ".de", ".de", 0 },
{ ".de.", ".de.", 0 },
{ ".de", "zde", -1 },
{ ".de", "ade", 1 },
{ "zde", ".de", 1 },
{ "ade", ".de", -1 },
{ "a.de", ".de", -1 },
{ ".de", "a.de", 1 },
{ "a.de", "b.de", -1 },
{ "a.de.", "b.de", -1 },
{ "a.de", "b.de.", -1 },
{ "a.de", "a.de.", 0 },
{ "aa.de", "b.de", -1 },
{ "ba.de", "b.de", 1 },
{ "a.de", "a.dk", -1 },
{ "anna.example.de", "anna.example.de", 0 },
{ "anna.example.de", "annamirl.example.de", -1 },
{ "anna.example.de", "ann.example.de", 1 },
{ "example.de.", "xy.example.de.", 1 },
{ "example.de.", "ab.example.de.", 1 },
{ "example.de", "ab.example.de", 1 },
{ "xy.example.de.", "example.de.", -1 },
{ "ab.example.de.", "example.de.", -1 },
{ "ab.example.de", "example.de", -1 },
{ "ab.mast.de", "axt.de", 1 },
{ "ab.mast.de", "obt.de", -1 },
{ "abc.example.de.", "xy.example.de.", -1 },
{ NULL, NULL, 0 }
};
const char *progname;
main (int argc, char *argv[])
{
int expect;
int res;
int c;
int i;
progname = *argv;
for ( i = 0; ex[i].a; i++ )
{
expect = ex[i].res;
if ( expect < 0 )
c = '<';
else if ( expect > 0 )
c = '>';
else
c = '=';
printf ("%-20s %-20s ", ex[i].a, ex[i].b);
printf ("%3d ", issubdomain (ex[i].a, ex[i].b));
printf ("\t==> 0 %c ", c);
fflush (stdout);
res = domaincmp (ex[i].a, ex[i].b);
printf ("%3d ", res);
if ( res < 0 && expect < 0 || res > 0 && expect > 0 || res == 0 && expect == 0 )
puts ("ok");
else
puts ("not ok");
}
}
#endif
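Review bot: `domaincmp_dir` compares the two names byte for byte (`while ( *pa == *pb && pa > a && pb > b )` and the final `return *pa - *pb;`), so `Example.de` and `example.de` compare unequal although DNS names are case-insensitive; `<ctype.h>` is included but never used, which suggests a `tolower()` on both sides was intended and lost. Two smaller points in the same hunk: `isparentdomain` repeats `if ( pcnt > ccnt )` after the `pcnt == ccnt` block, so the second copy is dead code, and the test driver declares `main (int argc, char *argv[])` with no return type, which is implicit int and rejected by C99 and later; `int main` plus `const char *a, *b` in the `ex[]` table would let the self-test build cleanly with warnings enabled.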

@ -1,43 +0,0 @@
/*****************************************************************
**
** @(#) domaincmp.h -- compare two domain names
**
** Copyright (c) Aug 2005, Karle Boss (kaho). All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef DOMAINCMP_H
# define DOMAINCMP_H
extern int domaincmp (const char *a, const char *b);
extern int domaincmp_dir (const char *a, const char *b, int subdomain_above);
extern int isparentdomain (const char *child, const char *parent, int level);
extern int issubdomain (const char *child, const char *parent);
#endif

@ -1,13 +0,0 @@
{
find . -name "dnskey.db"
find . -name "dsset-*"
find . -name "keyset-*"
find . -name "K*"
} | xargs rm
for file in `find . -name "zone.db.signed"`
do
cp /dev/null $file
done
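Review bot: `find . -name "K*"` piped into `xargs rm` is far broader than the generated key files: it deletes every file below the current directory whose name starts with a capital K, not just the `K*.key` and `K*.private` pairs, and none of the `find` calls restricts itself with `-type f`. Narrowing the pattern to `-name "K*.key" -o -name "K*.private"`, adding `-type f`, and using `-print0 | xargs -0` would make this cleanup both safer and robust to spaces in paths; the unquoted `$file` in `cp /dev/null $file` has the same quoting problem.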

@ -1,82 +0,0 @@
#################################################################
#
# @(#) dist.sh -- distribute and reload command for dnssec-signer
#
# (c) Jul 2008 Holger Zuleger hznet.de
#
# Feb 2010 action "distkeys" added
#
# This shell script will be run by dnssec-signer as a distribution
# and reload command if:
#
# a) the dnssec.conf file parameter Distribute_Cmd: points
# to this file
# and
# b) the user running the dnssec-signer command is not
# root (uid==0)
# and
# c) the owner of this shell script is the same as the
# running user and the access rights don't allow writing
# for anyone except the owner
# or
# d) the group of this shell script is the same as the
# running user and the access rights don't allow writing
# for anyone except the group
#
#################################################################
# set path to rndc and scp
PATH="/bin:/usr/bin:/usr/local/sbin"
# remote server and directory
server=localhost # fqdn of remote name server
dir=/var/named # zone directory on remote name server
progname=$0
usage()
{
echo "usage: $progname distribute|reload <domain> <path_to_zonefile> [<viewname>]" 1>&2
test $# -gt 0 && echo $* 1>&2
exit 1
}
if test $# -lt 3
then
usage
fi
action="$1"
domain="$2"
zonefile="$3"
view=""
test $# -gt 3 && view="$4"
case $action in
distkeys)
if test -n "$view"
then
echo "scp K$zone+* $server:$dir/$view/$zone/"
: scp K$zone+* $server:$dir/$view/$zone/
else
echo "scp K$zone+* $server:$dir/$zone/"
: scp K$zone+* $server:$dir/$zone/
fi
;;
distribute)
if test -n "$view"
then
echo "scp $zonefile $server:$dir/$view/$domain/"
: scp $zonefile $server:$dir/$view/$domain/
else
echo "scp $zonefile $server:$dir/$domain/"
: scp $zonefile $server:$dir/$domain/
fi
;;
reload)
echo "rndc $action $domain $view"
: rndc $action $domain $view
;;
*)
usage "illegal action $action"
;;
esac
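Review bot: the `distkeys` branch uses `$zone` (`scp K$zone+* $server:$dir/$view/$zone/`), but the script only ever assigns `domain="$2"`, so `$zone` is empty and the command would expand to `scp K+* $server:$dir/$view//`; it should use `$domain` like the `distribute` branch does. The `usage()` text also omits the `distkeys` action that the header says was added in Feb 2010. Note that every real `scp` and `rndc` invocation is prefixed with `:` (the shell no-op), so as shipped the script only echoes what it would do; that is reasonable for a template, but a comment stating that the `:` has to be removed to activate the commands would save a deployer from wondering why nothing is distributed.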

@ -1,45 +0,0 @@
#
# @(#) dnssec.conf T1.0rc1 (c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de
#
# dnssec-zkt options
Zonedir: "."
Recursive: True
PrintTime: False
PrintAge: True
LeftJustify: False
# zone specific values
ResignInterval: 2d # (172800 seconds)
Sigvalidity: 6d # (518400 seconds)
Max_TTL: 8h # (28800 seconds)
Propagation: 5m # (300 seconds)
KEY_TTL: 1h # (3600 seconds)
Serialformat: incremental
# signing key parameters
Key_Algo: RSASHA512
KSK_lifetime: 60d # (5184000 seconds)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 2w # (1209600 seconds)
ZSK_bits: 1024
ZSK_randfile: "/dev/urandom"
SaltBits: 24
# dnssec-signer options
LogFile: "zkt.log"
LogLevel: DEBUG
LogDomainDir: "."
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 2
Keyfile: "dnskey.db"
Zonefile: "zone.db"
KeySetDir: "../keysets"
DLV_Domain: ""
Sig_Pseudorand: True
Sig_GenerateDS: True
Sig_DnsKeyKSK: False
Sig_Parameter: "-n 1"
Distribute_Cmd: "./dist.sh"
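Review bot: `KSK_bits: 1300` is an unusual RSA modulus size and `ZSK_bits: 1024` was already at the low end when this example was written; since sample configurations get copied verbatim, a conventional 2048-bit KSK and a power-of-two ZSK size would be a better default, with a comment explaining the `KSK_lifetime`/`ZSK_lifetime` relationship to `Sigvalidity` (6d) and `ResignInterval` (2d). `Distribute_Cmd: "./dist.sh"` points at the template script in the same directory, whose `distkeys` action references an unset variable, so anyone enabling it should fix that first.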

@ -1,3 +0,0 @@
Key_Algo: NSEC3RSASHA1 # (Algorithm ID 7)
KSK_lifetime: 60d # (5184000 seconds)
KSK_bits: 1024
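Review bot: this per-zone override selects `NSEC3RSASHA1` (algorithm 7, SHA-1 based) with a 1024-bit KSK, which matches the keys in the signed example zone further down (`DNSKEY 257 3 7`, `RRSIG ... 7 3 ...`). It is consistent as a 2010-era example, but SHA-1 signing algorithms are no longer recommended for new DNSSEC deployments, so a one-line comment marking this as a compatibility example rather than a recommended setting would stop it being copied into new zones.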

@ -1,161 +0,0 @@
2010-02-21 19:43:15.018: debug: Check RFC5011 status
2010-02-21 19:43:15.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:43:15.018: debug: Check KSK status
2010-02-21 19:43:15.018: debug: No active KSK found: generate new one
2010-02-21 19:43:15.330: info: "dyn.example.net.": generated new KSK 52935
2010-02-21 19:43:15.330: debug: Check ZSK status
2010-02-21 19:43:15.330: debug: No active ZSK found: generate new one
2010-02-21 19:43:15.368: info: "dyn.example.net.": generated new ZSK 30323
2010-02-21 19:43:15.368: debug: Re-signing necessary: Modfied zone key set
2010-02-21 19:43:15.368: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set
2010-02-21 19:43:15.368: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 19:43:15.368: debug: Signing zone "dyn.example.net."
2010-02-21 19:43:15.368: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 19:43:15.368: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 19:43:15.368: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 19:43:15.374: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 19:43:15.374: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 19:43:15.382: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3."
2010-02-21 19:43:15.382: error: "dyn.example.net.": signing failed!
2010-02-21 19:43:15.382: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 19:43:15.382: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 19:43:15.382: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 19:45:36.415: debug: Check RFC5011 status
2010-02-21 19:45:36.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:45:36.416: debug: Check KSK status
2010-02-21 19:45:36.416: debug: Check ZSK status
2010-02-21 19:45:36.416: debug: Re-signing not necessary!
2010-02-21 19:45:36.416: debug: Check if there is a parent file to copy
2010-02-21 19:45:41.448: debug: Check RFC5011 status
2010-02-21 19:45:41.448: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:45:41.448: debug: Check KSK status
2010-02-21 19:45:41.448: debug: Check ZSK status
2010-02-21 19:45:41.448: debug: Re-signing necessary: Option -f
2010-02-21 19:45:41.448: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 19:45:41.448: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 19:45:41.448: debug: Signing zone "dyn.example.net."
2010-02-21 19:45:41.448: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 19:45:41.448: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 19:45:41.448: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 19:45:41.457: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 19:45:41.458: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 19:45:41.473: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
2010-02-21 19:45:41.473: error: "dyn.example.net.": signing failed!
2010-02-21 19:45:41.473: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 19:45:41.473: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 19:45:41.473: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 19:47:06.899: debug: Check RFC5011 status
2010-02-21 19:47:06.899: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:47:06.899: debug: Check KSK status
2010-02-21 19:47:06.899: debug: Check ZSK status
2010-02-21 19:47:06.899: debug: Re-signing necessary: Option -f
2010-02-21 19:47:06.899: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 19:47:06.899: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 19:47:06.900: debug: Signing zone "dyn.example.net."
2010-02-21 19:47:06.900: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 19:47:06.900: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 19:47:06.900: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 19:47:06.910: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 19:47:06.910: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 19:47:06.926: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
2010-02-21 19:47:06.926: error: "dyn.example.net.": signing failed!
2010-02-21 19:47:06.926: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 19:47:06.926: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 19:47:06.926: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 19:58:40.972: debug: Check RFC5011 status
2010-02-21 19:58:40.972: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:58:40.972: debug: Check KSK status
2010-02-21 19:58:40.972: debug: Check ZSK status
2010-02-21 19:58:40.973: debug: Re-signing necessary: Option -f
2010-02-21 19:58:40.973: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 19:58:40.973: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 19:58:40.973: debug: Signing zone "dyn.example.net."
2010-02-21 19:58:40.973: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 19:58:40.973: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 19:58:40.973: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 19:58:40.982: debug: Dynamic Zone signing: zone file manually edited: Use it as new input file
2010-02-21 19:58:40.982: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 19:58:40.983: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 19:58:40.999: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
2010-02-21 19:58:40.999: error: "dyn.example.net.": signing failed!
2010-02-21 19:58:40.999: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 19:58:40.999: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 19:58:40.999: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 20:00:48.833: debug: Check RFC5011 status
2010-02-21 20:00:48.833: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 20:00:48.833: debug: Check KSK status
2010-02-21 20:00:48.833: debug: Check ZSK status
2010-02-21 20:00:48.833: debug: Re-signing necessary: Option -f
2010-02-21 20:00:48.833: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 20:00:48.833: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 20:00:48.834: debug: Signing zone "dyn.example.net."
2010-02-21 20:00:48.834: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 20:00:48.834: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 20:00:48.834: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 20:00:48.844: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 20:00:48.844: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 20:00:48.878: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
2010-02-21 20:00:48.878: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 20:00:48.878: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 20:00:48.878: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 20:00:48.884: debug: Signing completed after 0s.
2010-02-21 20:01:11.175: debug: Check RFC5011 status
2010-02-21 20:01:11.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 20:01:11.175: debug: Check KSK status
2010-02-21 20:01:11.175: debug: Check ZSK status
2010-02-21 20:01:11.176: debug: Re-signing necessary: Option -f
2010-02-21 20:01:11.176: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 20:01:11.176: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 20:01:11.176: debug: Signing zone "dyn.example.net."
2010-02-21 20:01:11.176: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 20:01:11.176: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 20:01:11.176: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 20:01:11.181: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 20:01:11.181: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 20:01:11.202: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
2010-02-21 20:01:11.202: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 20:01:11.203: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 20:01:11.203: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 20:01:11.208: debug: Signing completed after 0s.
2010-02-21 20:01:17.175: debug: Check RFC5011 status
2010-02-21 20:01:17.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 20:01:17.175: debug: Check KSK status
2010-02-21 20:01:17.175: debug: Check ZSK status
2010-02-21 20:01:17.176: debug: Re-signing not necessary!
2010-02-21 20:01:17.176: debug: Check if there is a parent file to copy
2010-02-25 23:42:29.326: debug: Check RFC5011 status
2010-02-25 23:42:29.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-25 23:42:29.326: debug: Check KSK status
2010-02-25 23:42:29.326: debug: Check ZSK status
2010-02-25 23:42:29.326: debug: Re-signing necessary: re-signing interval (2d) reached
2010-02-25 23:42:29.326: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
2010-02-25 23:42:29.326: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-25 23:42:29.327: debug: Signing zone "dyn.example.net."
2010-02-25 23:42:29.327: notice: "dyn.example.net.": freeze dynamic zone
2010-02-25 23:42:29.327: debug: freeze dynamic zone "dyn.example.net."
2010-02-25 23:42:29.327: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-25 23:42:29.388: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-25 23:42:29.425: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-25 23:42:29.471: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
2010-02-25 23:42:29.471: notice: "dyn.example.net.": thaw dynamic zone
2010-02-25 23:42:29.471: debug: thaw dynamic zone "dyn.example.net."
2010-02-25 23:42:29.471: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-25 23:42:29.486: debug: Signing completed after 0s.
2010-03-02 10:59:46.770: debug: Check RFC5011 status
2010-03-02 10:59:46.770: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-02 10:59:46.770: debug: Check KSK status
2010-03-02 10:59:46.770: debug: Check ZSK status
2010-03-02 10:59:46.770: debug: Re-signing necessary: re-signing interval (2d) reached
2010-03-02 10:59:46.770: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
2010-03-02 10:59:46.770: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-03-02 10:59:46.770: debug: Signing zone "dyn.example.net."
2010-03-02 10:59:46.770: notice: "dyn.example.net.": freeze dynamic zone
2010-03-02 10:59:46.770: debug: freeze dynamic zone "dyn.example.net."
2010-03-02 10:59:46.770: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-03-02 10:59:46.852: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-03-02 10:59:46.875: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-03-02 10:59:46.950: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
2010-03-02 10:59:46.950: notice: "dyn.example.net.": thaw dynamic zone
2010-03-02 10:59:46.950: debug: thaw dynamic zone "dyn.example.net."
2010-03-02 10:59:46.950: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-03-02 10:59:46.964: debug: Signing completed after 0s.
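Review bot: every failed signing run in this log still thaws the dynamic zone (`freeze dynamic zone` ... `signing failed!` ... `thaw dynamic zone`), which is the right cleanup, but the cause of each failure (`Zone contains NSEC records. Use -u to update to NSEC3.`, `NSEC3 generation requested with NSEC only DNSKEY`, `NSEC3 iterations too big for weakest DNSKEY strength`) appears only in a `debug:` line, while the `error:` line says just `"dyn.example.net.": signing failed!`. Together with `SyslogLevel: NOTICE` in dnssec.conf, an operator watching syslog would see that signing failed but not why; logging the captured dnssec-signzone output at error level would fix that. The runs from 2010-02-25 onward also show `-u` added to the dnssec-signzone command line, which is the NSEC to NSEC3 migration step the first failure asked for.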

@ -1,135 +0,0 @@
; File written on Thu Feb 25 23:42:29 2010
; dnssec_signzone version 9.7.0
dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
18 ; serial
43200 ; refresh (12 hours)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
7200 RRSIG SOA 7 3 7200 20100303214229 (
20100225214229 30323 dyn.example.net.
Ih9WgRBKZVDT3zJR9eFcB0VKU0o2G7h13XHZ
W6j2Jr1H4Db5IC1xiHXq+hI9UMkVQA3fu1Ub
+tjqAJE+y3hUFg== )
7200 NS ns1.example.net.
7200 NS ns2.example.net.
7200 RRSIG NS 7 3 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
uvTn2MCWjTfS/piH3kKEmF1gPoeN8jIdcFFJ
5t3b8RIwjorD81gWIRmzkGDE59hoL4mMvEnO
32sAi8qkYhvBOA== )
3600 DNSKEY 256 3 7 (
AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8R
is63E/oRRGQEH5U/ZS3Axz3aOhPFKzAAhjfa
G3vTNW3Wl4bl4ITFZrk=
) ; key id = 30323
3600 DNSKEY 257 3 7 (
AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmO
oBYx8s1uLzmS/3APsh1eWCeoBgAjRry1tpM/
bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjE
nG4HCT58TuAVxjiefN+vb1pvyFlAL58YOkuG
f9tG/NJMNc+XrULAU1ey2dT9Fh+SCVO3
) ; key id = 52935
3600 RRSIG DNSKEY 7 3 3600 20100227180048 (
20100221180048 30323 dyn.example.net.
je5kBhDdp9b9fjH/lJ1o9WDBL2YxZ+6UNuF9
zNbeeDlfBHe7XlTGw9MHyvZh46wx2OUmLoGM
DFhPfIwUwtttUA== )
3600 RRSIG DNSKEY 7 3 3600 20100227180048 (
20100221180048 52935 dyn.example.net.
MuyIUCa3XlttWuSnaQegQnRgTrTsx0Mj4EGI
fwtZs2H3L079Y/brqMvtlIGxtlr9meLg43oo
jX1w48ilerzf1PwYhUVpFefZTgmClK0h2ej4
Ho9Qh4/6snesVj06kWsQDkhuVs58zHmhRtEy
P4YlqP/R1CAk166RhwSmGuSx1O8= )
0 NSEC3PARAM 1 0 10 76931F
0 RRSIG NSEC3PARAM 7 3 0 20100227180048 (
20100221180048 30323 dyn.example.net.
LGD8bq/sX9yvDUpmyaRczfTshrR6T9HmQ5/a
MwMSY+5LDAD/YdwtpVF7uNwdMa6ydJFQW37u
Rma0TxEqKPGPyQ== )
localhost.dyn.example.net. 7200 IN A 127.0.0.1
7200 RRSIG A 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
SHLL1lIJZaEGKphkFm3NShS6H33mBnwwACkH
eF3JE5vWwTuT7hffdJlwcahYQfcr3egPv64d
iyCNYNjdvlJpsg== )
ns1.dyn.example.net. 7200 IN A 1.0.0.5
7200 RRSIG A 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
6PF5dGgOJdolEyxrHqyA66BFLrUORQLZvVBw
9fX9uGWWKiu6yRR3i4LwIkQ+VelTpCbTsLh4
gm+rcSMFNeOtxA== )
7200 AAAA 2001:db8::53
7200 RRSIG AAAA 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
dk1DfG0y9qjCi3VD4e9B1NGKWEig7q8hFdaR
3hElCIzGlflvgHRiE7iTJxDMB+kTA0by4BMZ
yssUuXP2FMlB2g== )
ns2.dyn.example.net. 7200 IN A 1.2.0.6
7200 RRSIG A 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
Ei5VGwE7CNBQ7ZOHpyKZXtuC8I7lusZ4d+gx
MwpLROH+6OSu26x2ScPdwg1qpZ5Mui01ss6O
IcJL36PRqAM26A== )
x.dyn.example.net. 7200 IN A 1.2.3.4
7200 RRSIG A 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
ieiExNeDjeucDjtMVj0F9kwIsL0ngZfAmEU/
/UlYe8/8pg2NzFulOviI09ekgOOnMfcnb4n4
/pRIkFddCEOt0g== )
y.dyn.example.net. 7200 IN A 1.2.3.5
7200 RRSIG A 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
NfDUCrArDXCTPrTpiesQYCoZ039YE/KwlN25
EZ9vOVt6dE2R9KkAWezkdY9zDmJMGTN1XYI/
vgd56J8B5Y/uQQ== )
z.dyn.example.net. 7200 IN A 1.2.3.6
7200 RRSIG A 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
VH3BsA8JLlqmL0xkXgXlPXT0xfRcdFy7vPYh
27exw16LDbQF15KjkHvUJ+Bkei/SmRa20Dll
Yy536Dj+ar5ABQ== )
A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
9BhZcQdLwRPU/Dz38uMis/nCcddyhKEm0Zb+
Mhh3V3OsGI202cebTaxbwVEbQQOeowpUmf8l
AmK/cNX7+IS2rw== )
AJHVGTICN6K0VDA53GCHFMT219SRRQLM.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
lVyEaxejO5qFlyyBp8gYyQnG+DkIm8vofj+B
SuTxalc2l+TYen1RnSTeeXfMqc9YpGu4SCaG
Fyznu1K88oUhMg== )
FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F I7A7A184GGMI35K1E3IR650LKO7NOB5R A AAAA RRSIG
7200 RRSIG NSEC3 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
577WZnTQemStx+ciON9rEGXAGnU7C0KLjrFL
VyhocnBnNtxJS8eRMSWvb9XuYCMNhYKOurtt
Ar4qh4VW1+unmA== )
I7A7A184GGMI35K1E3IR650LKO7NOB5R.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F IMQ912BREQP1POLAH3RMONG3UED541AS A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
+PKntiPlw2om9e0KJX/L2VxSCbxL95eIV2f+
5YBMq3npDguHaUiBwan8Vsm+aNsdr1NDDLY/
HdJzEfVmSNGs7Q== )
IMQ912BREQP1POLAH3RMONG3UED541AS.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
smsg35snQ9PpeG2r8ZGxBl44pwSReh/1rIil
u/n8aa5nKbBpkqtbcc7q1OpUgb1Q7+Tl/wes
kB6bohsRdrwEJA== )
S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F T320G5LC07QE1BLR074KORIJTG9DPTI9 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
XalRIESpdeVK1aNbwu9ym2Spk981Y127rKua
xsoals0Zn2tTjF9wpOYVGVOto3FcWBbyKD1g
69BTRlv634UIOw== )
T320G5LC07QE1BLR074KORIJTG9DPTI9.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN NS SOA RRSIG DNSKEY NSEC3PARAM
7200 RRSIG NSEC3 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
D3xq+CkK/a8YSbh9o8WwWnenjDQ3weVdtZ0x
i6bOv3iRITOfCRjYgbeIYtjMFb1rZwgCPD40
JQgGu5mx1TjnGA== )
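Review bot: this is signer output rather than a source file and should never have been tracked: the `; File written on Thu Feb 25 23:42:29 2010` and `; dnssec_signzone version 9.7.0` header lines mark it as generated, and every RRSIG in it carries a 2010 expiration (for example `20100303214229` on the SOA signature), so it has been stale, unverifiable fixture data for years. Deleting it together with the tool is correct and nothing in it needs preserving. It holds only public DNSKEY records (flags 256 and 257, key ids 30323 and 52935), so no private key material was ever in this file.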

View file

@ -1,135 +0,0 @@
; File written on Tue Mar 2 10:59:46 2010
; dnssec_signzone version 9.7.0
dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
19 ; serial
43200 ; refresh (12 hours)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
7200 RRSIG SOA 7 3 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
eNZruaQkUB/jteZtRkZ957BX65zjXIGaKlkf
Bq0XW8OgyHYCvJiB7waJYyiWKeQskp0Z90JF
34WMUztuTvWUTA== )
7200 NS ns1.example.net.
7200 NS ns2.example.net.
7200 RRSIG NS 7 3 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
obQoowLwuBixnopoSvUsXvwveB7Pqmeblt2S
5SXo7ztPNcM1hTdWfIEwRDpQ2DhOfGYi0Ov0
xEmMlPheVZkW6g== )
3600 DNSKEY 256 3 7 (
AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8R
is63E/oRRGQEH5U/ZS3Axz3aOhPFKzAAhjfa
G3vTNW3Wl4bl4ITFZrk=
) ; key id = 30323
3600 DNSKEY 257 3 7 (
AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmO
oBYx8s1uLzmS/3APsh1eWCeoBgAjRry1tpM/
bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjE
nG4HCT58TuAVxjiefN+vb1pvyFlAL58YOkuG
f9tG/NJMNc+XrULAU1ey2dT9Fh+SCVO3
) ; key id = 52935
3600 RRSIG DNSKEY 7 3 3600 20100308085946 (
20100302085946 30323 dyn.example.net.
4xQy+G1g8IHVp3NTxHtUIaz/G+h6+ce4SRum
bftLFS9rXV13wSa761J1YoDYx8lj98IDBuED
94980qJWjgNfdw== )
3600 RRSIG DNSKEY 7 3 3600 20100308085946 (
20100302085946 52935 dyn.example.net.
VmL0mzUoBzSX+5gB/9MsHUFWBbHrVoyMUjnw
mR7FyrZMfNgz4rf6J2bZ8a8zYGvSXEBrangQ
kkPlxuvNxzn2s+Ji+crfUNa2ZFzRKA8BBczU
0WLETC5QKonjiAzofCcP15OPN4H18y9WMfE/
wU0oPhcd8d31Ckf2jPaSdTS8NMk= )
0 NSEC3PARAM 1 0 10 76931F
0 RRSIG NSEC3PARAM 7 3 0 20100308085946 (
20100302085946 30323 dyn.example.net.
GSTGjHni3oZ1Nod57kXFkxcOiKXTzjfJ0PDy
hjDfzYS1QKtKA6LzkaBzyl5HK+Yy3DOcep7G
dj7VJG8bsa9S/A== )
localhost.dyn.example.net. 7200 IN A 127.0.0.1
7200 RRSIG A 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
N5t+OxMeH2rozoIM1ZtXUpnpSep3Qd1J/KUE
LjkisP6KvmwVhkbdcv44KbgS5aR16RJOlFdW
+ilc8QpZ4bvqlQ== )
ns1.dyn.example.net. 7200 IN A 1.0.0.5
7200 RRSIG A 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
2DoRBkfIQEBmEeo2Z02SA329ebgp2lFQ2Ykl
Qe5S+J6ZMjVdZyjW8XqBCiqEg6fNbQyUFn3X
pSVvabUPjJpHWA== )
7200 AAAA 2001:db8::53
7200 RRSIG AAAA 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
XD+JHAergnT3NDQqEUGv52GNdcF1U1SitccE
y5iL4Dk0qVu+uEA4TVupnMhwOK+wl8759Yw/
SF6h6CzzKx0Eiw== )
ns2.dyn.example.net. 7200 IN A 1.2.0.6
7200 RRSIG A 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
S+CpXVolhedS2bFTNdoNAPd+T2Bi/5iKVcKJ
9S27k/tpifBNVjAQPktM9iya60upXxuOkHqt
/uuF4iTlh9Yukw== )
x.dyn.example.net. 7200 IN A 1.2.3.4
7200 RRSIG A 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
Fb+8g0K+/6ZkXctNOprGKyJC1Y5pFizibI3o
k2E6aDN8hUJ5FK/1fkRl5IQ7HDpAUZviWaQp
j9tfr9r9xW0bMw== )
y.dyn.example.net. 7200 IN A 1.2.3.5
7200 RRSIG A 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
S1l/dM/Ez91B4Py7mI/GESjgqccGIwi9clyc
Vj3S40uF4dGaAgxoCDS0pMvyS0k7ir0g1qbK
/csopbL0wHSaVg== )
z.dyn.example.net. 7200 IN A 1.2.3.6
7200 RRSIG A 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
SgorWJQS6SiDvv6KRmWQEcUaaCkMCHZDcSMx
JiOT84ygkUBCzwTykQskoNtbUSIfAASU3lE7
e31RZotcxlkirQ== )
A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
hp879kZpD/Qe+d4FoanRewI4CXMuTOMcao5G
S7quT3mr+Mgi1nrSSz+/IBhlzCipziFjY42a
TNt8FoYo9Z8irw== )
AJHVGTICN6K0VDA53GCHFMT219SRRQLM.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
1MC5bqNXkVG4gaFKJQJBG7v4ZKOht6EJEkUZ
nAwTF2Nw5mWFFMBbOwVMtbJFA+ewHrebB6cK
FitvPi3yLDW8aA== )
FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F I7A7A184GGMI35K1E3IR650LKO7NOB5R A AAAA RRSIG
7200 RRSIG NSEC3 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
7Y+yhH11EojLDu43C8dCuD6D0F4RZYUt9J0+
KUfRVUMhftYsMl6G2qgkfsgJE+FG1Nj/nI+b
pO7VSJGfV5Za4A== )
I7A7A184GGMI35K1E3IR650LKO7NOB5R.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F IMQ912BREQP1POLAH3RMONG3UED541AS A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
K0ggT6yH7z1YshOb08se84cRWvWWeQFdMTDG
XhA/2UEamfE1NHetPuYzJZQdrVPeX3tgjCjS
Jmb3YuSE1XD3zQ== )
IMQ912BREQP1POLAH3RMONG3UED541AS.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
mQoG3VBXfi7u2+zlmJttsGaStP3WvDPDQ99T
l2ha4zmpZPd1JUKHMXYTLTlUuWAq7BcS9MUn
hfhXcmSEr96K1Q== )
S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F T320G5LC07QE1BLR074KORIJTG9DPTI9 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
0/TWe9HMZiA+yW0oLHkYKeIXrrXU/1ec8XDy
cbZM1IGPjHlMEjKKorZgx983FuiyKFLa97+3
bB3abnKo7e2yRQ== )
T320G5LC07QE1BLR074KORIJTG9DPTI9.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN NS SOA RRSIG DNSKEY NSEC3PARAM
7200 RRSIG NSEC3 7 4 7200 20100308085946 (
20100302085946 30323 dyn.example.net.
BXRjHUGEmoz1cMAXSCmfFVe6+qCYVyivjeAT
7hPcfB8iS2ck8Sq/CjOAKBu0BeSBim+9Oduu
kKNL3thgyMPcug== )
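Review bot: this hunk removes a second signed copy of the same `dyn.example.net.` zone, differing from the previous one only in the SOA serial (19 instead of 18) and the RRSIG inception and expiration timestamps (`20100302085946` and `20100308085946`); the DNSKEY RRset and the NSEC3 chain (hash algorithm 1, 10 iterations, salt `76931F`, same owner hashes) are identical. Two generations of signer output for one zone show that generated files were being committed repeatedly; removing both is the right cleanup.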

View file

@ -1,30 +0,0 @@
;-----------------------------------------------------------------
;
; @(#) dyn.example.net/zone.org
;
;-----------------------------------------------------------------
$TTL 7200
@ IN SOA ns1.example.net. hostmaster.example.net. (
1 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
7200 ) ; Minimum
IN NS ns1.example.net.
IN NS ns2.example.net.
ns1 IN A 1.0.0.5
IN AAAA 2001:db8::53
ns2 IN A 1.2.0.6
localhost IN A 127.0.0.1
x IN A 1.2.3.4
y IN A 1.2.3.5
z IN A 1.2.3.6
$INCLUDE dnskey.db
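Review bot: this is the hand-maintained source for the signed zones above (the `@(#) dyn.example.net/zone.org` header), still at serial `1` while the signed copies carry 18 and 19, so zkt bumped the serial in its working copy rather than here. It pulls the key set in with `$INCLUDE dnskey.db`; the `dnskey.db` deleted later in this change lists `example.net.` keys, not `dyn.example.net.` ones, so it may belong to a sibling directory. Check that the `dyn.example.net` directory's own `dnskey.db` is removed as well and not left orphaned once this include is gone.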

View file

@ -1,33 +0,0 @@
;
; !!! Don't edit this file by hand.
; !!! It will be generated by zkt-signer.
;
; Last generation time Nov 17 2014 19:14:01
;
; *** List of Key Signing Keys ***
; example.net. tag=44671 algo=RSASHA256 generated Nov 14 2014 18:09:16
example.net. 3600 IN DNSKEY 257 3 8 (
AwEAAQ5RiqQEKys2xlo5nK3n9tnWeGg/tHSTbaFw6AN1QPLlaEVLNXDa
YKcpefu6ewNamaInrjBrkkbqRnwKTuLCwJ9aA/hyFzocCOPh+he9dEQH
bRTKDdTkjD3PqkOK97a+s1grWIdkRcceT3MXEsAwyjlasXPRKt/4v1sq
S7592eyo6wTcbeaoPYo6KMQLfcA9AHso9LBaRpqv7GlSjl5IV51mcU8=
) ; key id = 44671
; *** List of Zone Signing Keys ***
; example.net. tag=7929 algo=RSASHA256 generated Nov 14 2014 18:09:16
example.net. 3600 IN DNSKEY 256 3 8 (
AwEAAaFO1yW7cx3/4SBRganmyOEs2eIeAE25CgXYrtLALzFdgi+gRfl+
QEOzMZBk/LmgKFcgp4GfgtuzKA08VGNmLUEGI+UBSP+DUezQfK/lxPCX
uRMh0BJgAjnlo+jGaI2fpfKXBp+5uLiY3pbkdm6LiaJb/s4v0DJjglGW
iiPMIxyR
) ; key id = 7929
; example.net. tag=2253 algo=RSASHA256 generated Nov 14 2014 18:09:16
example.net. 3600 IN DNSKEY 256 3 8 (
AwEAAZF8FdZfjdp4pyHk53/qvnzROy2lhF0cJ0XbRaIgeIYHYMIUmMLr
sazBQ7/3ZdFoQjgEWz2BbKyfroJmE+VrCc1dBJ50PJUm3vcBbUwMgy4y
Xq3PtmwKzlr3YGMUgE31cByog0QRnW6myNdEfDLf74yxRiPgIwk1rEmI
YFUI4x69
) ; key id = 2253
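Review bot: safe to remove: the file holds only public DNSKEY records (flags 257 for KSK 44671 and 256 for ZSKs 7929 and 2253, all algorithm 8), and its own header says it is regenerated by `zkt-signer` and must not be edited by hand, so it is derived data rather than a source of truth. One observation: this file is dated Nov 2014 while the signed zones removed alongside it are from 2010, so the example tree was regenerated piecemeal; nothing to fix in a deletion, but it illustrates why generated fixtures are better kept out of contrib.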

View file

@ -1,5 +0,0 @@
Key_Algo: RSASHA256 # (Algorithm ID 8)
NSEC3: OPTOUT
ZSKpermanent: true
DependFiles: "zone.localhost, zone.hosts"
MaximumTTL: 2h # (7200 seconds)
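Review bot: `NSEC3: OPTOUT` is a strong default for a sample configuration: opt-out drops the authenticated denial of existence for unsigned delegations and is meant for large delegation-heavy zones, not small zones like the examples here. Since the file is deleted wholesale no change is needed, but any replacement example published elsewhere should default to plain NSEC3 (or NSEC) and reserve opt-out for the case it was designed for.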

View file

@ -1,687 +0,0 @@
2010-02-06 00:26:54.533: debug: Check RFC5011 status
2010-02-06 00:26:54.533: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-06 00:26:54.533: debug: Check KSK status
2010-02-06 00:26:54.533: debug: Check ZSK status
2010-02-06 00:26:54.533: debug: Re-signing not necessary!
2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy
2010-02-06 00:29:31.291: debug: Check RFC5011 status
2010-02-06 00:29:31.291: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-06 00:29:31.291: debug: Check KSK status
2010-02-06 00:29:31.292: debug: Check ZSK status
2010-02-06 00:29:31.292: debug: Re-signing not necessary!
2010-02-06 00:29:31.292: debug: Check if there is a parent file to copy
2010-02-06 00:40:35.043: debug: Check RFC5011 status
2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-06 00:40:35.043: debug: Check KSK status
2010-02-06 00:40:35.043: debug: Check ZSK status
2010-02-06 00:40:35.043: debug: Re-signing not necessary!
2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy
2010-02-06 00:52:55.403: debug: Check RFC5011 status
2010-02-06 00:52:55.403: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-06 00:52:55.403: debug: Check KSK status
2010-02-06 00:52:55.403: debug: Check ZSK status
2010-02-06 00:52:55.403: debug: Re-signing not necessary!
2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy
2010-02-07 13:53:48.304: debug: Check RFC5011 status
2010-02-07 13:53:48.304: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-07 13:53:48.304: debug: Check KSK status
2010-02-07 13:53:48.304: debug: Check ZSK status
2010-02-07 13:53:48.304: debug: Re-signing not necessary!
2010-02-07 13:53:48.304: debug: Check if there is a parent file to copy
2010-02-07 13:54:03.466: debug: Check RFC5011 status
2010-02-07 13:54:03.466: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-07 13:54:03.466: debug: Check KSK status
2010-02-07 13:54:03.466: debug: Check ZSK status
2010-02-07 13:54:03.466: debug: Re-signing not necessary!
2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy
2010-02-07 13:54:08.019: debug: Check RFC5011 status
2010-02-07 13:54:08.019: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-07 13:54:08.020: debug: Check KSK status
2010-02-07 13:54:08.020: debug: Check ZSK status
2010-02-07 13:54:08.020: debug: Re-signing necessary: Option -f
2010-02-07 13:54:08.020: notice: "example.net.": re-signing triggered: Option -f
2010-02-07 13:54:08.020: debug: Writing key file "./example.net/dnskey.db"
2010-02-07 13:54:08.020: debug: Incrementing serial number in file "./example.net/zone.db"
2010-02-07 13:54:08.020: debug: Signing zone "example.net."
2010-02-07 13:54:08.021: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-02-07 13:54:08.125: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-02-07 13:54:08.125: debug: Signing completed after 0s.
2010-02-07 13:54:08.125: notice: "example.net.": distribution triggered
2010-02-07 13:54:08.125: debug: Distribute zone "example.net."
2010-02-07 13:54:08.125: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed "
2010-02-07 13:54:08.129: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./"
2010-02-07 13:54:08.129: notice: "example.net.": reload triggered
2010-02-07 13:54:08.129: debug: Reload zone "example.net."
2010-02-07 13:54:08.129: debug: Run cmd "./dist.sh reload example.net. ./example.net/zone.db.signed "
2010-02-07 13:54:08.139: debug: ./dist.sh reload return: "rndc reload example.net. "
2010-02-07 14:06:27.670: debug: Check RFC5011 status
2010-02-07 14:06:27.670: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-07 14:06:27.670: debug: Check KSK status
2010-02-07 14:06:27.670: debug: Check ZSK status
2010-02-07 14:06:27.670: debug: Re-signing not necessary!
2010-02-07 14:06:27.671: debug: Check if there is a parent file to copy
2010-02-07 14:06:33.753: debug: Check RFC5011 status
2010-02-07 14:06:33.753: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-07 14:06:33.753: debug: Check KSK status
2010-02-07 14:06:33.753: debug: Check ZSK status
2010-02-07 14:06:33.753: debug: Re-signing necessary: Option -f
2010-02-07 14:06:33.753: notice: "example.net.": re-signing triggered: Option -f
2010-02-07 14:06:33.753: debug: Writing key file "./example.net/dnskey.db"
2010-02-07 14:06:33.754: debug: Incrementing serial number in file "./example.net/zone.db"
2010-02-07 14:06:33.754: debug: Signing zone "example.net."
2010-02-07 14:06:33.754: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-02-07 14:06:33.790: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-02-07 14:06:33.790: debug: Signing completed after 0s.
2010-02-07 14:06:33.790: notice: "example.net.": distribution triggered
2010-02-07 14:06:33.790: debug: Distribute zone "example.net."
2010-02-07 14:06:33.790: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed "
2010-02-07 14:06:33.794: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./"
2010-02-07 14:06:33.794: notice: "example.net.": reload triggered
2010-02-07 14:06:33.794: debug: Reload zone "example.net."
2010-02-07 14:06:33.794: debug: Run cmd "./dist.sh reload example.net. ./example.net/zone.db.signed "
2010-02-07 14:06:33.797: debug: ./dist.sh reload return: "rndc reload example.net. "
2010-02-21 12:50:43.587: debug: Check RFC5011 status
2010-02-21 12:50:43.587: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 12:50:43.587: debug: Check KSK status
2010-02-21 12:50:43.587: debug: Check ZSK status
2010-02-21 12:50:43.587: debug: Lifetime(1209600 +/-150 sec) of active key 33002 exceeded (2394625 sec)
2010-02-21 12:50:43.587: debug: ->depreciate it
2010-02-21 12:50:43.587: debug: ->activate published key 29240
2010-02-21 12:50:43.587: notice: "example.net.": lifetime of zone signing key 33002 exceeded: ZSK rollover done
2010-02-21 12:50:43.587: debug: New key for publishing needed
2010-02-21 12:50:43.658: debug: ->creating new key 5525
2010-02-21 12:50:43.658: info: "example.net.": new key 5525 generated for publishing
2010-02-21 12:50:43.658: debug: Re-signing necessary: Modfied zone key set
2010-02-21 12:50:43.658: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-02-21 12:50:43.658: debug: Writing key file "./example.net/dnskey.db"
2010-02-21 12:50:43.665: debug: Incrementing serial number in file "./example.net/zone.db"
2010-02-21 12:50:43.665: debug: Signing zone "example.net."
2010-02-21 12:50:43.665: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-02-21 12:50:43.733: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-02-21 12:50:43.733: debug: Signing completed after 0s.
2010-02-21 12:50:51.205: debug: Check RFC5011 status
2010-02-21 12:50:51.205: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 12:50:51.205: debug: Check KSK status
2010-02-21 12:50:51.205: debug: Check ZSK status
2010-02-21 12:50:51.205: debug: Re-signing not necessary!
2010-02-21 12:50:51.205: debug: Check if there is a parent file to copy
2010-02-21 12:51:23.497: debug: Check RFC5011 status
2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 12:51:23.497: debug: Check KSK status
2010-02-21 12:51:23.497: debug: Check ZSK status
2010-02-21 12:51:23.497: debug: Re-signing not necessary!
2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy
2010-02-21 19:16:18.594: debug: Check RFC5011 status
2010-02-21 19:16:18.594: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:16:18.594: debug: Check KSK status
2010-02-21 19:16:18.594: debug: Check ZSK status
2010-02-21 19:16:18.594: debug: Re-signing not necessary!
2010-02-21 19:16:18.594: debug: Check if there is a parent file to copy
2010-02-21 19:32:11.378: debug: Check RFC5011 status
2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:32:11.378: debug: Check KSK status
2010-02-21 19:32:11.378: debug: Check ZSK status
2010-02-21 19:32:11.378: debug: Re-signing not necessary!
2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy
2010-02-21 19:32:15.982: debug: Check RFC5011 status
2010-02-21 19:32:15.982: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:32:15.982: debug: Check KSK status
2010-02-21 19:32:15.982: debug: Check ZSK status
2010-02-21 19:32:15.982: debug: Re-signing necessary: Option -f
2010-02-21 19:32:15.982: notice: "example.net.": re-signing triggered: Option -f
2010-02-21 19:32:15.982: debug: Writing key file "./example.net/dnskey.db"
2010-02-21 19:32:15.982: debug: Incrementing serial number in file "./example.net/zone.db"
2010-02-21 19:32:15.982: debug: Signing zone "example.net."
2010-02-21 19:32:15.982: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-02-21 19:32:16.019: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-02-21 19:32:16.019: debug: Signing completed after 1s.
2010-02-21 19:32:32.232: debug: Check RFC5011 status
2010-02-21 19:32:32.232: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:32:32.233: debug: Check KSK status
2010-02-21 19:32:32.233: debug: Check ZSK status
2010-02-21 19:32:32.233: debug: Re-signing necessary: Option -f
2010-02-21 19:32:32.233: notice: "example.net.": re-signing triggered: Option -f
2010-02-21 19:32:32.233: debug: Writing key file "./example.net/dnskey.db"
2010-02-21 19:32:32.233: debug: Incrementing serial number in file "./example.net/zone.db"
2010-02-21 19:32:32.233: debug: Signing zone "example.net."
2010-02-21 19:32:32.233: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-02-21 19:32:32.273: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-02-21 19:32:32.273: debug: Signing completed after 0s.
2010-02-25 00:12:27.060: debug: Check RFC5011 status
2010-02-25 00:12:27.060: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-25 00:12:27.060: debug: Check KSK status
2010-02-25 00:12:27.060: debug: Check ZSK status
2010-02-25 00:12:27.060: debug: Lifetime(29100 sec) of depreciated key 33002 exceeded (300104 sec)
2010-02-25 00:12:27.060: info: "example.net.": old ZSK 33002 removed
2010-02-25 00:12:27.081: debug: ->remove it
2010-02-25 00:12:27.082: debug: Re-signing necessary: Modfied zone key set
2010-02-25 00:12:27.082: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-02-25 00:12:27.082: debug: Writing key file "./example.net/dnskey.db"
2010-02-25 00:12:27.086: debug: Incrementing serial number in file "./example.net/zone.db"
2010-02-25 00:12:27.086: debug: Signing zone "example.net."
2010-02-25 00:12:27.086: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-02-25 00:12:27.173: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-02-25 00:12:27.174: debug: Signing completed after 0s.
2010-02-25 23:42:21.013: debug: Check RFC5011 status
2010-02-25 23:42:21.013: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-25 23:42:21.013: debug: Check KSK status
2010-02-25 23:42:21.013: debug: Check ZSK status
2010-02-25 23:42:21.013: debug: Re-signing not necessary!
2010-02-25 23:42:21.013: debug: Check if there is a parent file to copy
2010-03-02 10:59:12.416: debug: Check RFC5011 status
2010-03-02 10:59:12.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-02 10:59:12.416: debug: Check KSK status
2010-03-02 10:59:12.416: debug: Check ZSK status
2010-03-02 10:59:12.416: debug: Re-signing necessary: re-signing interval (2d) reached
2010-03-02 10:59:12.416: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
2010-03-02 10:59:12.416: debug: Writing key file "./example.net/dnskey.db"
2010-03-02 10:59:12.449: debug: Incrementing serial number in file "./example.net/zone.db"
2010-03-02 10:59:12.449: debug: Signing zone "example.net."
2010-03-02 10:59:12.450: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-03-02 10:59:12.530: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-03-02 10:59:12.530: debug: Signing completed after 0s.
2010-03-03 23:22:00.415: debug: Check RFC5011 status
2010-03-03 23:22:00.415: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-03 23:22:00.415: debug: Check KSK status
2010-03-03 23:22:00.415: debug: Check ZSK status
2010-03-03 23:22:00.416: debug: Re-signing not necessary!
2010-03-03 23:22:00.416: debug: Check if there is a parent file to copy
2010-03-08 23:11:50.170: debug: Check RFC5011 status
2010-03-08 23:11:50.170: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-08 23:11:50.170: debug: Check KSK status
2010-03-08 23:11:50.170: debug: Check ZSK status
2010-03-08 23:11:50.171: debug: Lifetime(1209600 +/-150 sec) of active key 29240 exceeded (1333267 sec)
2010-03-08 23:11:50.171: debug: ->depreciate it
2010-03-08 23:11:50.171: debug: ->activate published key 5525
2010-03-08 23:11:50.171: notice: "example.net.": lifetime of zone signing key 29240 exceeded: ZSK rollover done
2010-03-08 23:11:50.171: debug: New key for publishing needed
2010-03-08 23:11:50.228: debug: ->creating new key 21482
2010-03-08 23:11:50.228: info: "example.net.": new key 21482 generated for publishing
2010-03-08 23:11:50.228: debug: Re-signing necessary: Modfied zone key set
2010-03-08 23:11:50.228: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-03-08 23:11:50.228: debug: Writing key file "././example.net/dnskey.db"
2010-03-08 23:11:50.235: debug: Incrementing serial number in file "././example.net/zone.db"
2010-03-08 23:11:50.235: debug: Signing zone "example.net."
2010-03-08 23:11:50.235: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-03-08 23:11:50.294: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-03-08 23:11:50.294: debug: Signing completed after 0s.
2010-03-08 23:12:56.212: debug: Check RFC5011 status
2010-03-08 23:12:56.212: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-08 23:12:56.212: debug: Check KSK status
2010-03-08 23:12:56.212: debug: Check ZSK status
2010-03-08 23:12:56.212: debug: Re-signing necessary: Modfied zone key set
2010-03-08 23:12:56.212: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-03-08 23:12:56.212: debug: Writing key file "././example.net/dnskey.db"
2010-03-08 23:12:56.213: debug: Incrementing serial number in file "././example.net/zone.db"
2010-03-08 23:12:56.213: debug: Signing zone "example.net."
2010-03-08 23:12:56.213: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-03-08 23:12:56.278: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-03-08 23:12:56.279: debug: Signing completed after 0s.
2010-03-08 23:13:36.984: debug: Check RFC5011 status
2010-03-08 23:13:36.984: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-08 23:13:36.984: debug: Check KSK status
2010-03-08 23:13:36.984: debug: Check ZSK status
2010-03-08 23:13:36.985: debug: Re-signing not necessary!
2010-03-08 23:13:36.985: debug: Check if there is a parent file to copy
2010-03-08 23:18:52.287: debug: Check RFC5011 status
2010-03-08 23:18:52.287: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-08 23:18:52.287: debug: Check KSK status
2010-03-08 23:18:52.287: debug: Check ZSK status
2010-03-08 23:18:52.287: debug: Re-signing not necessary!
2010-03-08 23:18:52.287: debug: Check if there is a parent file to copy
2010-03-11 23:46:35.831: debug: Check RFC5011 status
2010-03-11 23:46:35.831: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-11 23:46:35.831: debug: Check KSK status
2010-03-11 23:46:35.831: debug: Check ZSK status
2010-03-11 23:46:35.831: debug: Lifetime(29100 sec) of depreciated key 29240 exceeded (261285 sec)
2010-03-11 23:46:35.831: info: "example.net.": old ZSK 29240 removed
2010-03-11 23:46:35.832: debug: ->remove it
2010-03-11 23:46:35.832: debug: Re-signing necessary: Modfied zone key set
2010-03-11 23:46:35.832: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-03-11 23:46:35.832: debug: Writing key file "./example.net/dnskey.db"
2010-03-11 23:46:35.841: debug: Incrementing serial number in file "./example.net/zone.db"
2010-03-11 23:46:35.841: debug: Signing zone "example.net."
2010-03-11 23:46:35.841: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-03-11 23:46:35.929: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-03-11 23:46:35.929: debug: Signing completed after 0s.
2010-03-11 23:52:33.132: debug: Check RFC5011 status
2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-11 23:52:33.133: debug: Check KSK status
2010-03-11 23:52:33.133: debug: No active KSK found: generate new one
2010-03-11 23:52:33.374: info: "example.net.": generated new KSK 8406
2010-03-11 23:52:33.374: debug: Check ZSK status
2010-03-11 23:52:33.374: debug: No active ZSK found: generate new one
2010-03-11 23:52:33.400: info: "example.net.": generated new ZSK 36257
2010-03-11 23:52:33.400: debug: Re-signing necessary: Modfied zone key set
2010-03-11 23:52:33.400: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-03-11 23:52:33.400: debug: Writing key file "./example.net/dnskey.db"
2010-03-11 23:52:33.400: debug: Incrementing serial number in file "./example.net/zone.db"
2010-03-11 23:52:33.400: debug: Signing zone "example.net."
2010-03-11 23:52:33.400: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 69AE05 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-03-11 23:52:33.408: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
2010-03-11 23:52:33.408: error: "example.net.": signing failed!
2010-03-11 23:53:27.856: debug: Check RFC5011 status
2010-03-11 23:53:27.856: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-11 23:53:27.856: debug: Check KSK status
2010-03-11 23:53:27.856: debug: Check ZSK status
2010-03-11 23:53:27.856: debug: Re-signing necessary: Modified keys
2010-03-11 23:53:27.856: notice: "example.net.": re-signing triggered: Modified keys
2010-03-11 23:53:27.856: debug: Writing key file "./example.net/dnskey.db"
2010-03-11 23:53:27.856: debug: Incrementing serial number in file "./example.net/zone.db"
2010-03-11 23:53:27.856: debug: Signing zone "example.net."
2010-03-11 23:53:27.856: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 67AA7F -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-03-11 23:53:27.920: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-03-11 23:53:27.920: debug: Signing completed after 0s.
2010-07-05 08:15:24.179: debug: Check RFC5011 status
2010-07-05 08:15:24.179: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-07-05 08:15:24.179: debug: Check KSK status
2010-07-05 08:15:24.179: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h49m44s
2010-07-05 08:15:24.179: debug: Check ZSK status
2010-07-05 08:15:24.179: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081384 sec)
2010-07-05 08:15:24.179: debug: ->waiting for published key
2010-07-05 08:15:24.179: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h49m44s: ZSK rollover deferred: waiting for published key
2010-07-05 08:15:24.179: debug: New key for publishing needed
2010-07-05 08:15:24.278: debug: ->creating new key 48476
2010-07-05 08:15:24.278: info: "example.net.": new key 48476 generated for publishing
2010-07-05 08:15:24.278: debug: Re-signing necessary: Modfied zone key set
2010-07-05 08:15:24.278: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-07-05 08:15:24.278: debug: Writing key file "./example.net/dnskey.db"
2010-07-05 08:15:24.278: debug: Incrementing serial number in file "./example.net/zone.db"
2010-07-05 08:15:24.278: debug: Signing zone "example.net."
2010-07-05 08:15:24.278: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 5816F0 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-07-05 08:15:24.315: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-07-05 08:15:24.315: debug: Signing completed after 0s.
2010-07-05 08:15:28.174: debug: Check RFC5011 status
2010-07-05 08:15:28.174: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-07-05 08:15:28.174: debug: Check KSK status
2010-07-05 08:15:28.174: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h49m48s
2010-07-05 08:15:28.174: debug: Check ZSK status
2010-07-05 08:15:28.174: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081388 sec)
2010-07-05 08:15:28.174: debug: ->waiting for published key
2010-07-05 08:15:28.174: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h49m48s: ZSK rollover deferred: waiting for published key
2010-07-05 08:15:28.174: debug: Re-signing not necessary!
2010-07-05 08:15:28.174: debug: Check if there is a parent file to copy
2010-07-05 08:15:58.502: debug: Check RFC5011 status
2010-07-05 08:15:58.502: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-07-05 08:15:58.503: debug: Check KSK status
2010-07-05 08:15:58.503: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m18s
2010-07-05 08:15:58.503: debug: Check ZSK status
2010-07-05 08:15:58.503: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081418 sec)
2010-07-05 08:15:58.503: debug: ->waiting for published key
2010-07-05 08:15:58.503: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m18s: ZSK rollover deferred: waiting for published key
2010-07-05 08:15:58.503: debug: Re-signing not necessary!
2010-07-05 08:15:58.503: debug: Check if there is a parent file to copy
2010-07-05 08:16:04.937: debug: Check RFC5011 status
2010-07-05 08:16:04.937: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-07-05 08:16:04.937: debug: Check KSK status
2010-07-05 08:16:04.937: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m24s
2010-07-05 08:16:04.937: debug: Check ZSK status
2010-07-05 08:16:04.937: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081424 sec)
2010-07-05 08:16:04.937: debug: ->waiting for published key
2010-07-05 08:16:04.937: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m24s: ZSK rollover deferred: waiting for published key
2010-07-05 08:16:04.937: debug: Re-signing necessary: Option -f
2010-07-05 08:16:04.937: notice: "example.net.": re-signing triggered: Option -f
2010-07-05 08:16:04.937: debug: Writing key file "./example.net/dnskey.db"
2010-07-05 08:16:04.937: debug: Incrementing serial number in file "./example.net/zone.db"
2010-07-05 08:16:04.937: debug: Signing zone "example.net."
2010-07-05 08:16:04.937: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 C58544 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-07-05 08:16:04.993: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-07-05 08:16:04.993: debug: Signing completed after 0s.
2010-07-05 08:16:33.604: debug: Check RFC5011 status
2010-07-05 08:16:33.604: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-07-05 08:16:33.604: debug: Check KSK status
2010-07-05 08:16:33.604: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m53s
2010-07-05 08:16:33.604: debug: Check ZSK status
2010-07-05 08:16:33.604: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081453 sec)
2010-07-05 08:16:33.604: debug: ->waiting for published key
2010-07-05 08:16:33.604: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m53s: ZSK rollover deferred: waiting for published key
2010-07-05 08:16:33.604: debug: Re-signing necessary: Option -f
2010-07-05 08:16:33.604: notice: "example.net.": re-signing triggered: Option -f
2010-07-05 08:16:33.604: debug: Writing key file "./example.net/dnskey.db"
2010-07-05 08:16:33.605: debug: Incrementing serial number in file "./example.net/zone.db"
2010-07-05 08:16:33.605: debug: Signing zone "example.net."
2010-07-05 08:16:33.605: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 FCB8E2 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-07-05 08:16:33.648: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-07-05 08:16:33.648: debug: Signing completed after 0s.
2010-07-30 01:30:55.411: debug: Check RFC5011 status
2010-07-30 01:30:55.411: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-07-30 01:30:55.411: debug: Check KSK status
2010-07-30 01:30:55.411: debug: Check ZSK status
2010-07-30 01:30:55.411: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (2130473 sec)
2010-07-30 01:30:55.411: debug: ->depreciate it
2010-07-30 01:30:55.411: debug: ->activate published key 48476
2010-07-30 01:30:55.411: notice: "example.net.": lifetime of zone signing key 36257 exceeded: ZSK rollover done
2010-07-30 01:30:55.411: debug: New key for publishing needed
2010-07-30 01:30:55.493: debug: ->creating new key 1775
2010-07-30 01:30:55.493: info: "example.net.": new key 1775 generated for publishing
2010-07-30 01:30:55.493: debug: Re-signing necessary: Modfied zone key set
2010-07-30 01:30:55.493: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-07-30 01:30:55.493: debug: Writing key file "./example.net/dnskey.db"
2010-07-30 01:30:55.493: debug: Incrementing serial number in file "./example.net/zone.db"
2010-07-30 01:30:55.493: debug: Signing zone "example.net."
2010-07-30 01:30:55.494: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 3723BA -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-07-30 01:30:55.563: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-07-30 01:30:55.563: debug: Signing completed after 0s.
2010-08-26 22:52:09.539: debug: Check RFC5011 status
2010-08-26 22:52:09.539: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 22:52:09.539: debug: Check KSK status
2010-08-26 22:52:09.539: debug: Check ZSK status
2010-08-26 22:52:09.539: debug: Lifetime(29100 sec) of depreciated key 36257 exceeded (2409674 sec)
2010-08-26 22:52:09.539: info: "example.net.": old ZSK 36257 removed
2010-08-26 22:52:09.572: debug: ->remove it
2010-08-26 22:52:09.572: debug: Lifetime(1209600 +/-150 sec) of active key 48476 exceeded (2409674 sec)
2010-08-26 22:52:09.572: debug: ->depreciate it
2010-08-26 22:52:09.572: debug: ->activate published key 1775
2010-08-26 22:52:09.572: notice: "example.net.": lifetime of zone signing key 48476 exceeded: ZSK rollover done
2010-08-26 22:52:09.572: debug: New key for publishing needed
2010-08-26 22:52:09.640: debug: ->creating new key 26477
2010-08-26 22:52:09.640: info: "example.net.": new key 26477 generated for publishing
2010-08-26 22:52:09.640: debug: Re-signing necessary: Modfied zone key set
2010-08-26 22:52:09.640: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-08-26 22:52:09.640: debug: Writing key file "./example.net/dnskey.db"
2010-08-26 22:52:09.641: debug: Incrementing serial number in file "./example.net/zone.db"
2010-08-26 22:52:09.641: debug: Signing zone "example.net."
2010-08-26 22:52:09.641: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 2F41F9 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-08-26 22:52:09.704: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-08-26 22:52:09.704: debug: Signing completed after 0s.
2010-08-26 22:56:02.938: debug: Check RFC5011 status
2010-08-26 22:56:02.938: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 22:56:02.938: debug: Check KSK status
2010-08-26 22:56:02.938: debug: Check ZSK status
2010-08-26 22:56:02.938: debug: Re-signing not necessary!
2010-08-26 22:56:02.938: debug: Check if there is a parent file to copy
2010-08-26 23:06:00.593: debug: Check RFC5011 status
2010-08-26 23:06:00.593: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:06:00.593: debug: Check KSK status
2010-08-26 23:06:00.593: debug: Check ZSK status
2010-08-26 23:06:00.593: debug: New key for publishing needed
2010-08-26 23:06:00.631: debug: ->creating new key 18026
2010-08-26 23:06:00.631: info: "example.net.": new key 18026 generated for publishing
2010-08-26 23:06:00.631: debug: Re-signing necessary: Modfied zone key set
2010-08-26 23:06:00.631: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-08-26 23:06:00.631: debug: Writing key file "./example.net/dnskey.db"
2010-08-26 23:06:00.631: debug: Incrementing serial number in file "./example.net/zone.db"
2010-08-26 23:06:00.631: debug: Signing zone "example.net."
2010-08-26 23:06:00.631: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 5EA89E -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-08-26 23:06:00.672: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-08-26 23:06:00.672: debug: Signing completed after 0s.
2010-08-26 23:11:33.808: debug: Check RFC5011 status
2010-08-26 23:11:33.808: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:11:33.809: debug: Check KSK status
2010-08-26 23:11:33.809: debug: Check ZSK status
2010-08-26 23:11:33.809: debug: Re-signing not necessary!
2010-08-26 23:11:33.809: debug: Check if there is a parent file to copy
2010-08-26 23:12:51.012: debug: Check RFC5011 status
2010-08-26 23:12:51.012: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:12:51.012: debug: Check KSK status
2010-08-26 23:12:51.012: debug: Check ZSK status
2010-08-26 23:12:51.012: debug: Re-signing not necessary!
2010-08-26 23:12:51.012: debug: Check if there is a parent file to copy
2010-08-26 23:23:47.886: debug: Check RFC5011 status
2010-08-26 23:23:47.886: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:23:47.886: debug: Check KSK status
2010-08-26 23:23:47.886: debug: Check ZSK status
2010-08-26 23:23:47.886: debug: Re-signing not necessary!
2010-08-26 23:23:47.886: debug: Check if there is a parent file to copy
2010-08-26 23:50:15.724: debug: Check RFC5011 status
2010-08-26 23:50:15.724: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:50:15.724: debug: Check KSK status
2010-08-26 23:50:15.724: debug: Check ZSK status
2010-08-26 23:50:15.725: debug: Re-signing not necessary!
2010-08-26 23:50:15.725: debug: Check if there is a parent file to copy
2010-08-26 23:50:55.124: debug: Check RFC5011 status
2010-08-26 23:50:55.124: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:50:55.124: debug: Check KSK status
2010-08-26 23:50:55.124: debug: Check ZSK status
2010-08-26 23:50:55.124: debug: Re-signing not necessary!
2010-08-26 23:50:55.124: debug: Check if there is a parent file to copy
2010-08-26 23:51:46.719: debug: Check RFC5011 status
2010-08-26 23:51:46.719: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:51:46.719: debug: Check KSK status
2010-08-26 23:51:46.719: debug: Check ZSK status
2010-08-26 23:51:46.719: debug: Re-signing not necessary!
2010-08-26 23:51:46.719: debug: Check if there is a parent file to copy
2010-08-26 23:54:22.824: debug: Check RFC5011 status
2010-08-26 23:54:22.824: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:54:22.824: debug: Check KSK status
2010-08-26 23:54:22.824: debug: Check ZSK status
2010-08-26 23:54:22.824: debug: Re-signing not necessary!
2010-08-26 23:54:22.825: debug: Check if there is a parent file to copy
2010-08-26 23:55:00.018: debug: Check RFC5011 status
2010-08-26 23:55:00.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:55:00.018: debug: Check KSK status
2010-08-26 23:55:00.018: debug: Check ZSK status
2010-08-26 23:55:00.018: debug: New key for pre-publishing needed
2010-08-26 23:55:00.110: debug: ->creating new key 18293
2010-08-26 23:55:00.110: info: "example.net.": new key 18293 generated for pre-publishing
2010-08-26 23:55:00.110: debug: Re-signing necessary: Modfied zone key set
2010-08-26 23:55:00.110: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-08-26 23:55:00.110: debug: Writing key file "./example.net/dnskey.db"
2010-08-26 23:55:00.110: debug: Incrementing serial number in file "./example.net/zone.db"
2010-08-26 23:55:00.110: debug: Signing zone "example.net."
2010-08-26 23:55:00.111: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 EBE919 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-08-26 23:55:00.168: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-08-26 23:55:00.169: debug: Signing completed after 0s.
2010-08-26 23:56:17.466: debug: Check RFC5011 status
2010-08-26 23:56:17.466: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:56:17.466: debug: Check KSK status
2010-08-26 23:56:17.466: debug: Check ZSK status
2010-08-26 23:56:17.466: debug: Re-signing necessary: Modfied zone key set
2010-08-26 23:56:17.466: notice: "example.net.": re-signing triggered: Modfied zone key set
2010-08-26 23:56:17.466: debug: Writing key file "./example.net/dnskey.db"
2010-08-26 23:56:17.467: debug: Incrementing serial number in file "./example.net/zone.db"
2010-08-26 23:56:17.467: debug: Signing zone "example.net."
2010-08-26 23:56:17.467: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 A876E5 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-08-26 23:56:17.531: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-08-26 23:56:17.531: debug: Signing completed after 0s.
2010-08-26 23:57:00.178: debug: Check RFC5011 status
2010-08-26 23:57:00.178: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-08-26 23:57:00.178: debug: Check KSK status
2010-08-26 23:57:00.178: debug: Check ZSK status
2010-08-26 23:57:00.178: debug: Re-signing not necessary!
2010-08-26 23:57:00.178: debug: Check if there is a parent file to copy
2010-10-21 14:01:35.546: debug: Check RFC5011 status
2010-10-21 14:01:35.546: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:01:35.546: debug: Check KSK status
2010-10-21 14:01:35.546: debug: Check ZSK status
2010-10-21 14:01:35.546: debug: Re-signing necessary: re-signing interval (2d) reached
2010-10-21 14:01:35.546: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
2010-10-21 14:01:35.546: debug: Writing key file "./example.net/dnskey.db"
2010-10-21 14:01:35.607: debug: Incrementing serial number in file "./example.net/zone.db"
2010-10-21 14:01:35.607: debug: Signing zone "example.net."
2010-10-21 14:01:35.607: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 9FC981 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2010-10-21 14:01:35.761: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-10-21 14:01:35.761: debug: Signing completed after 0s.
2010-10-21 14:02:09.209: debug: Check RFC5011 status
2010-10-21 14:02:09.209: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:02:09.209: debug: Check KSK status
2010-10-21 14:02:09.209: debug: Check ZSK status
2010-10-21 14:02:09.209: debug: Re-signing not necessary!
2010-10-21 14:02:09.209: debug: Check if there is a parent file to copy
2010-10-21 14:05:36.170: debug: Check RFC5011 status
2010-10-21 14:05:36.170: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:05:36.170: debug: Check KSK status
2010-10-21 14:05:36.170: debug: Check ZSK status
2010-10-21 14:05:36.170: debug: Re-signing not necessary!
2010-10-21 14:05:36.170: debug: Check if there is a parent file to copy
2010-10-21 14:30:43.892: debug: Check RFC5011 status
2010-10-21 14:30:43.892: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:30:43.892: debug: Check KSK status
2010-10-21 14:30:43.892: debug: Check ZSK status
2010-10-21 14:30:43.892: debug: Re-signing not necessary!
2010-10-21 14:30:43.892: debug: Check if there is a parent file to copy
2014-11-14 18:04:37.729: debug: Check RFC5011 status
2014-11-14 18:04:37.729: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:04:37.729: debug: Check KSK status
2014-11-14 18:04:37.729: debug: Check ZSK status
2014-11-14 18:04:37.729: debug: Re-signing necessary: Modified keys
2014-11-14 18:04:37.729: notice: "example.net.": re-signing triggered: Modified keys
2014-11-14 18:04:37.729: debug: Writing key file "./example.net/dnskey.db"
2014-11-14 18:04:37.730: debug: Incrementing serial number in file "./example.net/zone.db"
2014-11-14 18:04:37.730: debug: Signing zone "example.net."
2014-11-14 18:04:37.730: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 97195D -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-14 18:04:37.827: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-14 18:04:37.827: debug: Signing completed after 0s.
2014-11-14 18:09:16.427: debug: Check RFC5011 status
2014-11-14 18:09:16.427: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:09:16.427: debug: Check KSK status
2014-11-14 18:09:16.428: debug: No active KSK found: generate new one
2014-11-14 18:09:16.495: info: "example.net.": generated new KSK 44671
2014-11-14 18:09:16.495: debug: Check ZSK status
2014-11-14 18:09:16.495: debug: No active ZSK found: generate new one
2014-11-14 18:09:16.515: info: "example.net.": generated new ZSK 7929
2014-11-14 18:09:16.515: debug: New key for pre-publishing needed
2014-11-14 18:09:16.546: debug: ->creating new key 2253
2014-11-14 18:09:16.546: info: "example.net.": new key 2253 generated for pre-publishing
2014-11-14 18:09:16.546: debug: Re-signing necessary: Modified zone key set
2014-11-14 18:09:16.546: notice: "example.net.": re-signing triggered: Modified zone key set
2014-11-14 18:09:16.547: debug: Writing key file "./example.net/dnskey.db"
2014-11-14 18:09:16.547: debug: Incrementing serial number in file "./example.net/zone.db"
2014-11-14 18:09:16.547: debug: Signing zone "example.net."
2014-11-14 18:09:16.547: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 B26BB7 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-14 18:09:16.646: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-14 18:09:16.646: debug: Signing completed after 0s.
2014-11-14 18:11:40.877: debug: Check RFC5011 status
2014-11-14 18:11:40.877: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:11:40.877: debug: Check KSK status
2014-11-14 18:11:40.877: debug: Check ZSK status
2014-11-14 18:11:40.877: debug: Re-signing not necessary!
2014-11-14 18:11:40.877: debug: Check if there is a parent file to copy
2014-11-14 18:11:46.599: debug: Check RFC5011 status
2014-11-14 18:11:46.599: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:11:46.599: debug: Check KSK status
2014-11-14 18:11:46.599: debug: Check ZSK status
2014-11-14 18:11:46.599: debug: Re-signing not necessary!
2014-11-14 18:11:46.599: debug: Check if there is a parent file to copy
2014-11-14 18:15:54.380: debug: Check RFC5011 status
2014-11-14 18:15:54.380: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:15:54.380: debug: Check KSK status
2014-11-14 18:15:54.380: debug: Check ZSK status
2014-11-14 18:15:54.380: debug: Re-signing not necessary!
2014-11-14 18:15:54.380: debug: Check if there is a parent file to copy
2014-11-14 18:31:09.365: debug: Check RFC5011 status
2014-11-14 18:31:09.365: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:31:09.365: debug: Check KSK status
2014-11-14 18:31:09.365: debug: Check ZSK status
2014-11-14 18:31:09.365: debug: Re-signing necessary: Modified keys
2014-11-14 18:31:09.365: notice: "example.net.": re-signing triggered: Modified keys
2014-11-14 18:31:09.365: debug: Writing key file "././example.net/dnskey.db"
2014-11-14 18:31:09.366: debug: Incrementing serial number in file "././example.net/zone.db"
2014-11-14 18:31:09.366: debug: Signing zone "example.net."
2014-11-14 18:31:09.366: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 8B4599 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-14 18:31:09.488: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-14 18:31:09.488: debug: Signing completed after 0s.
2014-11-14 18:31:27.335: debug: Check RFC5011 status
2014-11-14 18:31:27.335: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:31:27.335: debug: Check KSK status
2014-11-14 18:31:27.335: debug: Check ZSK status
2014-11-14 18:31:27.335: debug: Re-signing not necessary!
2014-11-14 18:31:27.335: debug: Check if there is a parent file to copy
2014-11-14 18:38:16.356: debug: Check RFC5011 status
2014-11-14 18:38:16.356: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:38:16.356: debug: Check KSK status
2014-11-14 18:38:16.356: debug: Check ZSK status
2014-11-14 18:38:16.356: debug: Re-signing necessary: Modified keys
2014-11-14 18:38:16.356: notice: "example.net.": re-signing triggered: Modified keys
2014-11-14 18:38:16.356: debug: Writing key file "././example.net/dnskey.db"
2014-11-14 18:38:16.356: debug: Incrementing serial number in file "././example.net/zone.db"
2014-11-14 18:38:16.356: debug: Signing zone "example.net."
2014-11-14 18:38:16.356: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 BEBFB0 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-14 18:38:16.484: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-14 18:38:16.484: debug: Signing completed after 0s.
2014-11-15 18:16:50.572: debug: Check RFC5011 status
2014-11-15 18:16:50.572: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:16:50.572: debug: Check KSK status
2014-11-15 18:16:50.572: debug: Check ZSK status
2014-11-15 18:16:50.573: debug: Re-signing necessary: Modified keys
2014-11-15 18:16:50.573: notice: "example.net.": re-signing triggered: Modified keys
2014-11-15 18:16:50.573: debug: Writing key file "././example.net/dnskey.db"
2014-11-15 18:16:50.573: debug: Incrementing serial number in file "././example.net/zone.db"
2014-11-15 18:16:50.573: debug: Signing zone "example.net."
2014-11-15 18:16:50.573: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 DC5680 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-15 18:16:50.715: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-15 18:16:50.715: debug: Signing completed after 0s.
2014-11-15 18:16:54.202: debug: Check RFC5011 status
2014-11-15 18:16:54.202: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:16:54.202: debug: Check KSK status
2014-11-15 18:16:54.203: debug: Check ZSK status
2014-11-15 18:16:54.203: debug: Re-signing not necessary!
2014-11-15 18:16:54.203: debug: Check if there is a parent file to copy
2014-11-15 18:17:06.919: debug: Check RFC5011 status
2014-11-15 18:17:06.919: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:17:06.919: debug: Check KSK status
2014-11-15 18:17:06.919: debug: Check ZSK status
2014-11-15 18:17:06.919: debug: Re-signing necessary: Modified keys
2014-11-15 18:17:06.919: notice: "example.net.": re-signing triggered: Modified keys
2014-11-15 18:17:06.919: debug: Writing key file "././example.net/dnskey.db"
2014-11-15 18:17:06.919: debug: Incrementing serial number in file "././example.net/zone.db"
2014-11-15 18:17:06.919: debug: Signing zone "example.net."
2014-11-15 18:17:06.919: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 D82F90 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-15 18:17:07.040: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-15 18:17:07.040: debug: Signing completed after 1s.
2014-11-15 18:17:17.242: debug: Check RFC5011 status
2014-11-15 18:17:17.242: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:17:17.242: debug: Check KSK status
2014-11-15 18:17:17.243: debug: Check ZSK status
2014-11-15 18:17:17.243: debug: Re-signing necessary: Zone file edited
2014-11-15 18:17:17.243: notice: "example.net.": re-signing triggered: Zone file edited
2014-11-15 18:17:17.243: debug: Writing key file "././example.net/dnskey.db"
2014-11-15 18:17:17.243: debug: Incrementing serial number in file "././example.net/zone.db"
2014-11-15 18:17:17.243: debug: Signing zone "example.net."
2014-11-15 18:17:17.243: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 603310 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-15 18:17:17.365: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-15 18:17:17.365: debug: Signing completed after 0s.
2014-11-17 19:12:44.250: debug: Check RFC5011 status
2014-11-17 19:12:44.250: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:12:44.250: debug: Check KSK status
2014-11-17 19:12:44.250: debug: Check ZSK status
2014-11-17 19:12:44.250: debug: Re-signing necessary: re-signing interval (2d) reached
2014-11-17 19:12:44.250: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
2014-11-17 19:12:44.250: debug: Writing key file "./example.net/dnskey.db"
2014-11-17 19:12:44.251: debug: Incrementing serial number in file "./example.net/zone.db"
2014-11-17 19:12:44.251: debug: Signing zone "example.net."
2014-11-17 19:12:44.251: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 9F5882 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-17 19:12:44.392: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-17 19:12:44.392: debug: Signing completed after 0s.
2014-11-17 19:12:49.692: debug: Check RFC5011 status
2014-11-17 19:12:49.692: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:12:49.692: debug: Check KSK status
2014-11-17 19:12:49.692: debug: Check ZSK status
2014-11-17 19:12:49.692: debug: Re-signing not necessary!
2014-11-17 19:12:49.692: debug: Check if there is a parent file to copy
2014-11-17 19:13:02.603: debug: Check RFC5011 status
2014-11-17 19:13:02.603: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:02.603: debug: Check KSK status
2014-11-17 19:13:02.603: debug: Check ZSK status
2014-11-17 19:13:02.603: debug: Re-signing not necessary!
2014-11-17 19:13:02.603: debug: Check if there is a parent file to copy
2014-11-17 19:13:50.410: debug: Check RFC5011 status
2014-11-17 19:13:50.410: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:50.410: debug: Check KSK status
2014-11-17 19:13:50.410: debug: Check ZSK status
2014-11-17 19:13:50.410: debug: Re-signing necessary: Modified keys
2014-11-17 19:13:50.410: notice: "example.net.": re-signing triggered: Modified keys
2014-11-17 19:13:50.410: debug: Writing key file "./example.net/dnskey.db"
2014-11-17 19:13:50.410: debug: Incrementing serial number in file "./example.net/zone.db"
2014-11-17 19:13:50.410: debug: Signing zone "example.net."
2014-11-17 19:13:50.411: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 053453 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-17 19:13:50.525: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-17 19:13:50.525: debug: Signing completed after 0s.
2014-11-17 19:13:54.302: debug: Check RFC5011 status
2014-11-17 19:13:54.302: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:54.302: debug: Check KSK status
2014-11-17 19:13:54.302: debug: Check ZSK status
2014-11-17 19:13:54.302: debug: Re-signing not necessary!
2014-11-17 19:13:54.302: debug: Check if there is a parent file to copy
2014-11-17 19:14:01.846: debug: Check RFC5011 status
2014-11-17 19:14:01.846: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:14:01.846: debug: Check KSK status
2014-11-17 19:14:01.846: debug: Check ZSK status
2014-11-17 19:14:01.846: debug: Re-signing necessary: Zone file edited
2014-11-17 19:14:01.846: notice: "example.net.": re-signing triggered: Zone file edited
2014-11-17 19:14:01.846: debug: Writing key file "./example.net/dnskey.db"
2014-11-17 19:14:01.846: debug: Incrementing serial number in file "./example.net/zone.db"
2014-11-17 19:14:01.846: debug: Signing zone "example.net."
2014-11-17 19:14:01.847: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 7CF530 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2014-11-17 19:14:01.969: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-17 19:14:01.969: debug: Signing completed after 0s.
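Review bot: the hunk is a clean whole-file removal of this dnssec-signer log, and the one content defect in it, the recurring "Modfied zone key set" misspelling in the 2010 entries (the 2014 entries already read "Modified"), goes away with the file, so nothing in the hunk needs adjusting. One observation for reviewers of the deleted history: every signing run records the full dnssec-signzone command line, including the per-run NSEC3 salt passed with -3 and the signature validity of -e +518400 (six days from signing time), plus the key ids being rolled; for example.net that is harmless sample data, but a log of this shape for a production zone would carry operational detail and should be protected accordingly.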

View file

@ -1,39 +0,0 @@
;-----------------------------------------------------------------
;
; @(#) example.net/zone.db
;
;-----------------------------------------------------------------
$TTL 7200
; Ensure that the serial number below is left
; justified in a field of at least 10 chars!!
; 0123456789;
; It's also possible to use the date format e.g. 2005040101
@ IN SOA ns1.example.net. hostmaster.example.net. (
396 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
7200 ) ; Minimum
IN NS ns1.example.net.
IN NS ns2.example.net.
ns1 IN A 1.0.0.5
IN AAAA 2001:db8::53
ns2 IN A 1.2.0.6
; Delegation to secure zone; The DS resource record will
; be added by dnssec-signzone automatically if the
; keyset-sub.example.net file is present (run dnssec-signzone
; with option -g or use the dnssec-signer tool) ;-)
sub IN NS ns1.example.net.
; this file will contain all the zone keys
$INCLUDE dnskey.db
$INCLUDE zone.localhost
$INCLUDE zone.hosts
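Review bot: style point on the removed sample zone: the ns1 and ns2 glue records use 1.0.0.5 and 1.2.0.6, which are ordinary routable addresses rather than the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), whereas the AAAA record correctly uses the 2001:db8::/32 documentation prefix. Because the file is deleted outright there is nothing to change in this hunk, but any example.net sample zone retained elsewhere in the tree should use documentation prefixes for its IPv4 records as well.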

View file

@ -1,236 +0,0 @@
; File written on Mon Nov 17 19:14:01 2014
; dnssec_signzone version 9.10.1b1
example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
396 ; serial
43200 ; refresh (12 hours)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
7200 RRSIG SOA 8 2 7200 (
20141123171401 20141117171401 7929 example.net.
nSDd2lzZOipVaXTc2gvg4MICjFPg1+57qFwF
n3dofSvjNE9lbmKBsWY9KbawRmcvieFj9Lw/
+xmGlzQya1THGUHom7JoH2u0nO6vWMD+i7HT
0xHOg2+FjIqNvG0VFwSg//ASdSzZ6zzyY+iU
oZcT6fSAQCXLo52AAbsNwM7E0UM= )
7200 NS ns1.example.net.
7200 NS ns2.example.net.
7200 RRSIG NS 8 2 7200 (
20141123171401 20141117171401 7929 example.net.
eSQSoaLKL/JxYimCdpoPouWtbQVvodzNMolg
e1fG8U7GLgP2MMNUk/E/OlGYYft53dbQN8XD
2PdXi9fqH6n4jaOR+eHClAq4xUN3He9gq8GU
tRc0Yj5D4VLKs7gBjPSVKkEDeVJFMCxXhIvO
c4r2k7TPw3oi2WQdw4+jPoYu0SQ= )
3600 DNSKEY 256 3 8 (
AwEAAZF8FdZfjdp4pyHk53/qvnzROy2lhF0c
J0XbRaIgeIYHYMIUmMLrsazBQ7/3ZdFoQjgE
Wz2BbKyfroJmE+VrCc1dBJ50PJUm3vcBbUwM
gy4yXq3PtmwKzlr3YGMUgE31cByog0QRnW6m
yNdEfDLf74yxRiPgIwk1rEmIYFUI4x69
) ; ZSK; alg = RSASHA256; key id = 2253
3600 DNSKEY 256 3 8 (
AwEAAaFO1yW7cx3/4SBRganmyOEs2eIeAE25
CgXYrtLALzFdgi+gRfl+QEOzMZBk/LmgKFcg
p4GfgtuzKA08VGNmLUEGI+UBSP+DUezQfK/l
xPCXuRMh0BJgAjnlo+jGaI2fpfKXBp+5uLiY
3pbkdm6LiaJb/s4v0DJjglGWiiPMIxyR
) ; ZSK; alg = RSASHA256; key id = 7929
3600 DNSKEY 257 3 8 (
AwEAAQ5RiqQEKys2xlo5nK3n9tnWeGg/tHST
baFw6AN1QPLlaEVLNXDaYKcpefu6ewNamaIn
rjBrkkbqRnwKTuLCwJ9aA/hyFzocCOPh+he9
dEQHbRTKDdTkjD3PqkOK97a+s1grWIdkRcce
T3MXEsAwyjlasXPRKt/4v1sqS7592eyo6wTc
beaoPYo6KMQLfcA9AHso9LBaRpqv7GlSjl5I
V51mcU8=
) ; KSK; alg = RSASHA256; key id = 44671
3600 RRSIG DNSKEY 8 2 3600 (
20141123171401 20141117171401 7929 example.net.
FA+VaaIn6SThjdlGRxlmYtqsXe3c7QAO0UAg
LIGjdfs0yO8cSz07jzT1UsZancDhyprCdinl
u9eOl0Lf9sPPKZFJUFYofKZmXCvtI7z8t1o7
h74BwQlUeRAwG8vgK8flo09UMZ/wuT39ArAr
ZCtXC/6DqiWZmmbAZ7igLIo36kA= )
3600 RRSIG DNSKEY 8 2 3600 (
20141123171401 20141117171401 44671 example.net.
BacfHSvqUyB6q7Ynkf9tTFjA+kYhmHLV7acO
Ua/I+tAs1ELtCLLJLv+1d449ovmSTm0RYRwO
cGlpggtL8qGa5wl/BA5sobzxIkREKj0c1cud
taViyZ4PaDO86Q4ZmZChQafbIxbLYqsL/v8z
517NzZ2xtZetnv5NtKzKvrVblVPaV0IyJHLK
KvdHsU0eCqPSHfPYbMg3uusZhL618tARxQn3
8g== )
0 NSEC3PARAM 1 0 10 7CF530
0 RRSIG NSEC3PARAM 8 2 0 (
20141123171401 20141117171401 7929 example.net.
MdriHagoMqEW0VoINMPaATPCsYZYiKVHUN56
Bl8kCNFlNaVD8Pn32z+Ewh1I/m5OxCUry10J
BPEFZmXlKDiJ36/bzAFDUPBBsvjCPIGHedZT
oyPwZ6JVoDrBEmQWHaoq5YTsVcNy0E4zC/Md
4FKPNZnCiExDX0h8MGxMAVTZG5I= )
a.example.net. 7200 IN A 1.2.3.1
7200 RRSIG A 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
C7WKU0ffs8VpzaYt2CqdnUgQMjfwXAHIzmbR
Q3EOqzg66u2Jz1jdO+CwPRizTb2u+vh7/uDL
bDPn0YEDHDgmfTYu03aWf5Lpo50QlKQrCFIE
stdhE2IH1wyej/vqlthXA0ZH7xr4EHwGFPRv
GfYOIBiXs8K1drY1tp7qxFX9Mro= )
b.example.net. 7200 IN MX 10 a.example.net.
7200 RRSIG MX 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
BRSj7EugAKkgnFCoChaM764Vh25FOjQIhB91
dRfm9/vrcJ+48DXPo3ag/SpNzV4d37UokEl6
YXvpb4HiwFsPB0Dvvvct6yicR2UjGCNatKGx
4IAmLmbT2sViBGnXBlD349FFl32oeeXEIu2J
B9q6NtrP65FFXINY+oFoxi+aYMI= )
d.example.net. 7200 IN A 1.2.3.3
7200 RRSIG A 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
ek0mcsVZAxWO6xsjw6eObrkEYfGIUDglNH5T
VgpNIrR7lb2XywLfdyz4PuCb/0ZEN7niY6VW
rza4v+3dJGoqOKxu4QDY4iRrWChy/F3St0ZA
vDiLWWmxnhpTo9l+M34kuCrbx0NahwUfejBw
Chp1sLTWJM6OF+qsTKotRdfbLeM= )
7200 AAAA 2001:db8::3
7200 RRSIG AAAA 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
h34UzUI64yyIsI1MbqeSMuRqHL9jCAikW7i+
MWYtXptQ0XB2416yB+w7fcC8ctl9v2H1244V
XeJOJV85HHwKfEOP1G9kCvS5b9iEoDFfVDUt
PwLMFhKe94XQ+aUA81RYoAJnzdj84Bi3YZ3g
U1Yv4tv/oW0dd/W4Pvo/UVadybA= )
localhost.example.net. 7200 IN A 127.0.0.1
7200 RRSIG A 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
OQMFtldAekpNnf4cUqlw8rmSrjPQjjPlVb3i
ktCiez0s+s9PG18lbMsfYFZvEm+deDit8fR9
lDKdUWwvxSkjeeCeABsg0kd1FLEuFKOv1HGP
ql1dAA0/X+XTQ7FSfAuZmsmKTUYOgZjgmeBY
EOkXYfa/IMDPauDWJbtbRsfuEzA= )
ns1.example.net. 7200 IN A 1.0.0.5
7200 RRSIG A 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
Tv5nLzFdIM6tU8BYb+twJ+2d+5b+VyuED977
6wcDI2sb79Y9RwySP4UE+x4Zbm6P+lgqTI2y
ITCWvVDyTqOcUUbWGX62KDVD+4nK0EK59jro
VghtBWH3RLB0vSb59xNKPgOpgP4tTbWLyN5J
OaVHNxmOu24ygvDRYMEQYHgRKtE= )
7200 AAAA 2001:db8::53
7200 RRSIG AAAA 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
OkW0vncVMFb0Fw6yxcpQ38AzPc2yxoekLDCi
1VmSMfBzCQRekqUIE3TtqBpJtaUP4JMANIXb
xvmbL1wl/IT4BqSg8faDg4DBsYeCr70ucUUj
NDKbeYtKdNkYIZGX8U27wflFOAISR4TEguZe
TqxoBuoWmyo4+Yrk4skFFa30Qsk= )
ns2.example.net. 7200 IN A 1.2.0.6
7200 RRSIG A 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
Mt6BRM5elYbfPQOQgfiJ8PAkJbwdfhUedXug
M7eTDcxjXTtxraMxheWIuEcgZ7UtQuX1/gUy
Fl98gixX05g80F9YdyB/dnzMK0k2hHMWxr4j
DD1e5rAsnCfT+PnZGVEkhPWCRM6Uw8qOdXOx
PktCHwWV1XnfxLAi0YZXJoJGlYs= )
sub.example.net. 7200 IN NS ns1.example.net.
7200 DS 33936 7 1 (
8E06D0C044A15C396F43E1743EDC0C0772F1
19A7 )
7200 DS 33936 7 2 (
496F56E015F74A955A1B277255DE56C564DC
C5AF559DAAA40C4DE01933E073E7 )
7200 DS 60396 10 1 (
00A6EDBD5687D69DB7636749A057ABB43A13
576E )
7200 DS 60396 10 2 (
FE01A3C47B2D3F19CAB32451986B36C2ADEF
2C4247B7B24DEB77EDB90EE1CB4C )
7200 RRSIG DS 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
S+ognL1Unax/NnfRIcnq53uHltBCquHMKgkS
JMnQYGJcXZzUlUpKkXCXR9kZfZFfWjNV72FA
lqgV9+AXi9bIO1HmLWXQ0AFkS1g6wkBvcrGT
95IbQRlL1hOySNmnILA/RyOKaHEM3Vxjl0CM
lOSEX34CAAsj/0srNJWWhaNgUFI= )
CP5JT7EV1K7R3VBGJ54G2FALVGI94Q9A.example.net. 7200 IN NSEC3 1 1 10 7CF530 (
GH4PQAVJQD10HL7KI3S4CTURR9E3V4B4
NS SOA RRSIG DNSKEY NSEC3PARAM )
7200 RRSIG NSEC3 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
KvHTjmmjBwYgJvTQUTpOmtA+1nEfefVMgYV5
I2OMDZ5/dhgrktETUchyHiqS6J9nQeS7HiqC
2/fftgueMyofDAbhjQ0yf9hpWdNpquI1vKID
UZKZUIWTtcH9vbEST80qxlKJdwUHwlZwnTHf
+ZUj3mVn+Vrb7g6yQt1jBmihcao= )
GH4PQAVJQD10HL7KI3S4CTURR9E3V4B4.example.net. 7200 IN NSEC3 1 1 10 7CF530 (
KIMJV7K0CDS0O96IHHOF7H6PIJ40T4J2
A RRSIG )
7200 RRSIG NSEC3 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
LaIQC6orUjlak00kA9dySq0qphgvcKllGGf2
5BrENDnYVN0RPCwzMfXPxzHDIG7o4GGRvFpx
dpxChETPSoPObVJpwmgUHILPrrcAkwYIcH0T
KETpGHgmixCDwZE9kUHzy6FGZcWQDezQT7CD
+EsC6GWCswWnyetA9R7ZY5N7OPY= )
KIMJV7K0CDS0O96IHHOF7H6PIJ40T4J2.example.net. 7200 IN NSEC3 1 1 10 7CF530 (
MG6NM7AJN6AMBK227QBFBHPD726L69B2
NS DS RRSIG )
7200 RRSIG NSEC3 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
PAlwSBhhkusXgnZOG9IpG9u5lVSfIWGaRxFk
nhaBMW8AL/sjZFl7yMIP4Vsqnv1QW1EB+wa6
zC7AzG80FvQcU4anxuUlPSkWyxQ8T8cVZHu3
9HMGs++pvNdta+iBeV8F4zjVw73TWFQ4yX1u
04AKmsNnNhCnTQmxEGO7LJ9ras0= )
MG6NM7AJN6AMBK227QBFBHPD726L69B2.example.net. 7200 IN NSEC3 1 1 10 7CF530 (
QTFSVH9JGRG31JP59190G8AD6SKQELK7
A AAAA RRSIG )
7200 RRSIG NSEC3 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
eG4jlpmAJg/OT56On/WfZYmYuthPjc5u4rYr
eSXnpjjreFfQuGhj0or2yedAOgIYXktJ2Dtc
TWIl4ppySs7mwzn2QQAMRjh5PovVasdxGVAG
pPd5Q/SlPuQ6/szIn66y+wobGT948oaPbXRm
ptmofvmb6T5NqSFGM7LWXmElHfk= )
QTFSVH9JGRG31JP59190G8AD6SKQELK7.example.net. 7200 IN NSEC3 1 1 10 7CF530 (
R0VERQHHM272SRP6M3CJFOE3FGK2A5DC
MX RRSIG )
7200 RRSIG NSEC3 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
UgYYu5vLwPg8DJ3C8ye5qZ5SlBWS8cri/0W3
uhsmZNpmgN7DoM37tymSAE9ilsNOCUOMfP2n
vOP1KBnhPwHhcgKhh6UqtTchr/qPThG51XJA
uKxsrY/hY5mIE5Fk7n84DV4OpFGdFdmgtraq
Vj7Y/RFukf2W4y5zzsh3f1RfJBo= )
R0VERQHHM272SRP6M3CJFOE3FGK2A5DC.example.net. 7200 IN NSEC3 1 1 10 7CF530 (
SPNT3RTA99QNKF4OPN46CKHN6T498NFU
A RRSIG )
7200 RRSIG NSEC3 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
gkqYtdVKHOIthI2QMIURdiWsTRGrmBPxRDpC
orUkxgnwYvu124S9T7xnu6ImhoaDCcn1XH0L
ekhOOCT+7phOAKu60Q4wOYIs7je9H6baJUzL
OJFlcaheGSGAkW+X+vJqkABJ/cNy39O8BcE1
3+GtsHBfmvCaFBDbXPX8TynH5qY= )
SPNT3RTA99QNKF4OPN46CKHN6T498NFU.example.net. 7200 IN NSEC3 1 1 10 7CF530 (
UUS79RPELAT8G2MR1SKQJURUST94FD4H
A AAAA RRSIG )
7200 RRSIG NSEC3 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
JyfcdxODrVWXS4PNNMZ7URyYRlEFjVBssCB4
8eZ/wqIdMnEgY8VVlnsutZHett3wbrG1NChH
xtdYENYV8U4KcjrVnmHNFjkAnXsQe2ZqLXVX
/LWgY19BqoioSnKeL6ZEwTCZmWmCv/8bF9Ju
rrtpRrLAzRo5aeDnoMxSwteKiko= )
UUS79RPELAT8G2MR1SKQJURUST94FD4H.example.net. 7200 IN NSEC3 1 1 10 7CF530 (
CP5JT7EV1K7R3VBGJ54G2FALVGI94Q9A
A RRSIG )
7200 RRSIG NSEC3 8 3 7200 (
20141123171401 20141117171401 7929 example.net.
HxoUXP1Dt9c0Ass7uGGOpTKKG3vIXY3cHS56
4TTi8AOl9bV9Hf6awiYUw4qBby8+M6sXeRmP
zYTNCfwIaBx9QhSJnaRXcUqC7T3Rnjk/ST/W
flKzVLqV83K6h8aYQCKaV4FCatNrQimbt+8G
NwUd565/EsJ77HRJCOYLWuBG28o= )

View file

@ -1,5 +0,0 @@
a IN A 1.2.3.1
b IN MX 10 a
;c IN A 1.2.3.2
d IN A 1.2.3.3
IN AAAA 2001:0db8::3

View file

@ -1,2 +0,0 @@
localhost IN A 127.0.0.1

View file

@ -1,4 +0,0 @@
sub.example.net.dlv.trusted-keys.de. IN DLV 42834 7 1 9660E85E9542C823D4E9860D778350AA5D8904E9
sub.example.net.dlv.trusted-keys.de. IN DLV 42834 7 2 1337FB51C697B7CD20C8D6BBC498310588C78B3595FB53F35C871DBF EC86DAAE
sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
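Review bot: dropping this file outright rather than refreshing it is the right choice: every record here is a DLV entry under `dlv.trusted-keys.de.`, i.e. a lookaside trust path through a third-party registry rather than a DS record in the parent zone, and the digests are for algorithm 7 (NSEC3RSASHA1) keys. A reader who found this in contrib could take it as a current pattern for anchoring a subzone; the changelog entry pointing to upstream zkt is the better place for anyone who still needs that tool's examples.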

View file

@ -1,2 +0,0 @@
example.net. IN DS 44671 8 1 C29F02EF0E0C4AB5AFDDB5220DC35149CBB9067E
example.net. IN DS 44671 8 2 2CA230B1D3BB0DC700B75152B403BE83E4CC3410AFEC38EAF00177BC 9692ADFA

View file

@ -1,4 +0,0 @@
sub.example.net. IN DS 33936 7 1 8E06D0C044A15C396F43E1743EDC0C0772F119A7
sub.example.net. IN DS 33936 7 2 496F56E015F74A955A1B277255DE56C564DCC5AF559DAAA40C4DE019 33E073E7
sub.example.net. IN DS 60396 10 1 00A6EDBD5687D69DB7636749A057ABB43A13576E
sub.example.net. IN DS 60396 10 2 FE01A3C47B2D3F19CAB32451986B36C2ADEF2C4247B7B24DEB77EDB9 0EE1CB4C

View file

@ -1,10 +0,0 @@
$ORIGIN .
example.net 7200 IN DNSKEY 257 3 8 (
AwEAAQ5RiqQEKys2xlo5nK3n9tnWeGg/tHST
baFw6AN1QPLlaEVLNXDaYKcpefu6ewNamaIn
rjBrkkbqRnwKTuLCwJ9aA/hyFzocCOPh+he9
dEQHbRTKDdTkjD3PqkOK97a+s1grWIdkRcce
T3MXEsAwyjlasXPRKt/4v1sqS7592eyo6wTc
beaoPYo6KMQLfcA9AHso9LBaRpqv7GlSjl5I
V51mcU8=
) ; KSK; alg = RSASHA256; key id = 44671

View file

@ -1,15 +0,0 @@
$ORIGIN .
sub.example.net 7200 IN DNSKEY 257 3 7 (
AwEAAcN3xHB1ZkrRCdxMWoogYdMx9NXO5pu2
U41Terw/v9/tBQQ8ZCwq3KyBMTlwow1n1+ri
NDi3jhJInw+obqUgvxEYU1+xkbAUXU26KqGD
7fe+PEk+UlVQ0LHY65yFHTWNc4/3DnEei++V
uiJ1o7V7sSkQGDJC6L4U+e7vbHi3cBmx
) ; KSK; alg = NSEC3RSASHA1; key id = 33936
7200 IN DNSKEY 257 3 10 (
AwEAAeTP9f5eCzD71+u4oa7XIjEz/IAD4OQB
D+DgiflOGKrBRnU8uHVqIdqwPhaDqWdutMoZ
abBDlABe/NB7y55ea7s8RCQzQ2dLFGEL3/+G
cebakcATH8e6Fp5+QLCSpyRJhfSZZF6qDJ/p
i2RCS2/VfwCwr+N7VRelFCzri6v+EEeV
) ; KSK; alg = RSASHA512; key id = 60396

View file

@ -1,111 +0,0 @@
/*****************************************************************
**
** #(@) named.conf (c) 6. May 2004 (hoz)
**
*****************************************************************/
/*****************************************************************
** logging options
*****************************************************************/
logging {
channel "named-log" {
file "/var/log/named" versions 3 size 2m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel "resolver-log" {
file "/var/log/named";
print-time yes;
print-category yes;
print-severity yes;
severity debug 1;
};
channel "dnssec-log" {
# file "/var/log/named-dnssec" ;
file "/var/log/named" ;
print-time yes;
print-category yes;
print-severity yes;
severity debug 3;
};
category "dnssec" { "dnssec-log"; };
category "default" { "named-log"; };
category "resolver" { "resolver-log"; };
category "client" { "resolver-log"; };
category "queries" { "resolver-log"; };
};
/*****************************************************************
** name server options
*****************************************************************/
options {
directory ".";
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
listen-on-v6 { any; };
query-source address * port 53;
transfer-source * port 53;
notify-source * port 53;
recursion yes;
dnssec-enable yes;
edns-udp-size 4096;
# dnssec-lookaside "." trust-anchor "trusted-keys.de.";
querylog yes;
};
/*****************************************************************
** include shared secrets...
*****************************************************************/
/** for control sessions ... **/
controls {
inet 127.0.0.1
allow { localhost; };
inet ::1
allow { localhost; };
};
/*****************************************************************
** ... and trusted_keys
*****************************************************************/
# include "trusted-keys.conf" ;
/*****************************************************************
** root server hints and required 127 stuff
*****************************************************************/
zone "." in {
type hint;
file "root.hint";
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.ARPA" in {
type master;
file "127.0.0.zone";
};
#include "zone.conf";
zone "example.NET." in {
type master;
file "example.net/zone.db.signed";
zone-statistics yes;
};
zone "sub.example.NET." in {
type master;
file "sub.example.net/zone.db.signed";
zone-statistics no;
};
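Review bot: removing this example named.conf wholesale is preferable to leaving it as a template, because as written it is unsafe to copy: `recursion yes;` is combined with `listen-on-v6 { any; };` and no `allow-recursion` or `allow-query` ACL, so a server started from it would be an open recursive resolver, and `query-source address * port 53;` (likewise `transfer-source` and `notify-source`) pins the outbound source port, giving up the port randomization that is the main defence against off-path cache poisoning. The commented-out `dnssec-lookaside` line and the `dnssec-enable yes;` option are likewise legacy configuration that should not be resurrected from this hunk; the `#` comment style itself is valid in named.conf and is not an issue.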

View file

@ -1,2 +0,0 @@
sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE

View file

@ -1,47 +0,0 @@
;
; !!! Don't edit this file by hand.
; !!! It will be generated by zkt-signer.
;
; Last generation time Nov 17 2014 19:12:44
;
; *** List of Key Signing Keys ***
; sub.example.net. tag=60396 algo=RSASHA512 generated Nov 14 2014 18:09:16
sub.example.net. 3600 IN DNSKEY 257 3 10 (
AwEAAeTP9f5eCzD71+u4oa7XIjEz/IAD4OQBD+DgiflOGKrBRnU8uHVq
IdqwPhaDqWdutMoZabBDlABe/NB7y55ea7s8RCQzQ2dLFGEL3/+Gceba
kcATH8e6Fp5+QLCSpyRJhfSZZF6qDJ/pi2RCS2/VfwCwr+N7VRelFCzr
i6v+EEeV
) ; key id = 60396
; sub.example.net. tag=33936 algo=NSEC3RSASHA1 generated Nov 14 2014 18:11:13
sub.example.net. 3600 IN DNSKEY 257 3 7 (
AwEAAcN3xHB1ZkrRCdxMWoogYdMx9NXO5pu2U41Terw/v9/tBQQ8ZCwq
3KyBMTlwow1n1+riNDi3jhJInw+obqUgvxEYU1+xkbAUXU26KqGD7fe+
PEk+UlVQ0LHY65yFHTWNc4/3DnEei++VuiJ1o7V7sSkQGDJC6L4U+e7v
bHi3cBmx
) ; key id = 33936
; *** List of Zone Signing Keys ***
; sub.example.net. tag=21503 algo=RSASHA512 generated Nov 14 2014 18:09:16
sub.example.net. 3600 IN DNSKEY 256 3 10 (
AwEAAahmSxE4IXfSeRORsgUxextvSLXIqa790jXejxDQoSmv+Tb7mHsK
sB65qxMjXYwIWmh4lbx66g/yVL9NaIMw6o01jdH3zYi0p3grqvGB8Z+s
4PodN5v1xmSEEqXjYXsjHucg+hQgMkrvls3uwl//gz9t5iQx7/FQ56dD
zpPyxti5
) ; key id = 21503
; sub.example.net. tag=6419 algo=NSEC3RSASHA1 generated Nov 14 2014 18:11:13
sub.example.net. 3600 IN DNSKEY 256 3 7 (
AwEAAbv1lSpyfRbHCrGs667jxg8+IYrU8GqZ8NPy1CGj3yxtFH1xCvd7
E9gYjtcPaqse+FsCrChUi/2RQGIPaB0PbyM=
) ; key id = 6419
; sub.example.net. tag=53867 algo=RSASHA512 generated Nov 17 2014 19:12:44
sub.example.net. 3600 IN DNSKEY 256 3 10 (
AwEAAeweX3J5rUFFMZMN06/70lion/SSy6i6HVAveLAgXMQVJBRngAQp
2TVxfh0Dxjjywu1NkEokr5FUB9kqL36SwwMTzoZ3yuJjylw+GS8dw/Z9
PFEw0aNMP3qXnL5wHVuzatBnpGo9jAzy6PtRkJal/WiNPl8tdlIaxhi5
X0EnQ2cf
) ; key id = 53867

View file

@ -1,7 +0,0 @@
ResignInterval: 1d # (86400 seconds)
SigValidity: 2d # (172800 seconds)
MaximumTTL: 90s # (90 seconds)
KSKlifetime: 1w # (604800 seconds)
KSKbits: 1024
ZSKlifetime: 3d # (259200 seconds)
NSEC3: On # (On|Off|OptOut)
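Review bot: fine to delete, but worth stating in review why nobody should restore it as a starting point: this zkt dnssec.conf sets `KSKbits: 1024`, a key size no longer acceptable for a key-signing key, and pairs a `SigValidity: 2d` signature lifetime with a `ResignInterval: 1d`, which leaves only a one-day margin before signatures expire if a single signing run is missed. Anyone adopting zkt from its upstream location should revisit these values and the algorithms in the accompanying key files rather than inherit them.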

View file

@ -1 +0,0 @@
1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDE

View file

@ -1 +0,0 @@
1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDE1

View file

@ -1,218 +0,0 @@
2010-10-21 14:01:35.486: debug: Check RFC5011 status
2010-10-21 14:01:35.486: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:01:35.486: debug: Check KSK status
2010-10-21 14:01:35.486: debug: Check ZSK status
2010-10-21 14:01:35.486: debug: No active ZSK found: generate new one
2010-10-21 14:01:35.495: error: sub.example.net.": can't generate new ZSK
2010-10-21 14:01:35.495: debug: Re-signing necessary: Modfied zone key set
2010-10-21 14:01:35.496: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2010-10-21 14:01:35.496: debug: Writing key file "./sub.example.net/dnskey.db"
2010-10-21 14:01:35.496: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2010-10-21 14:01:35.496: debug: Signing zone "sub.example.net."
2010-10-21 14:01:35.496: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9FC981 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2010-10-21 14:01:35.546: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed."
2010-10-21 14:01:35.546: error: "sub.example.net.": signing failed!
2010-10-21 14:02:09.146: debug: Check RFC5011 status
2010-10-21 14:02:09.146: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:02:09.146: debug: Check KSK status
2010-10-21 14:02:09.146: debug: Check ZSK status
2010-10-21 14:02:09.146: debug: No active ZSK found: generate new one
2010-10-21 14:02:09.156: error: sub.example.net.": can't generate new ZSK
2010-10-21 14:02:09.156: debug: Re-signing necessary: Modified keys
2010-10-21 14:02:09.156: notice: "sub.example.net.": re-signing triggered: Modified keys
2010-10-21 14:02:09.156: debug: Writing key file "./sub.example.net/dnskey.db"
2010-10-21 14:02:09.157: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2010-10-21 14:02:09.157: debug: Signing zone "sub.example.net."
2010-10-21 14:02:09.157: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 BD326D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2010-10-21 14:02:09.208: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed."
2010-10-21 14:02:09.208: error: "sub.example.net.": signing failed!
2010-10-21 14:05:35.988: debug: Check RFC5011 status
2010-10-21 14:05:35.988: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:05:35.988: debug: Check KSK status
2010-10-21 14:05:35.988: debug: Check ZSK status
2010-10-21 14:05:35.988: debug: No active ZSK found: generate new one
2010-10-21 14:05:36.091: info: "sub.example.net.": generated new ZSK 7987
2010-10-21 14:05:36.091: debug: Re-signing necessary: Modfied zone key set
2010-10-21 14:05:36.091: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2010-10-21 14:05:36.091: debug: Writing key file "./sub.example.net/dnskey.db"
2010-10-21 14:05:36.091: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2010-10-21 14:05:36.091: debug: Signing zone "sub.example.net."
2010-10-21 14:05:36.091: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 75DE06 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2010-10-21 14:05:36.170: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-10-21 14:05:36.170: debug: Signing completed after 0s.
2010-10-21 14:30:43.892: debug: Check RFC5011 status
2010-10-21 14:30:43.892: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:30:43.892: debug: Check KSK status
2010-10-21 14:30:43.892: debug: Check ZSK status
2010-10-21 14:30:43.892: debug: Re-signing not necessary!
2010-10-21 14:30:43.892: debug: Check if there is a parent file to copy
2014-11-14 18:04:37.686: debug: Check RFC5011 status
2014-11-14 18:04:37.686: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:04:37.686: debug: Check KSK status
2014-11-14 18:04:37.686: warning: "sub.example.net.": lifetime of key signing key 33176 exceeded since 4d8h26m2s
2014-11-14 18:04:37.686: debug: Check ZSK status
2014-11-14 18:04:37.686: debug: Lifetime(259200 +/-150 sec) of active key 7987 exceeded (980762 sec)
2014-11-14 18:04:37.686: debug: ->waiting for published key
2014-11-14 18:04:37.686: notice: "sub.example.net.": lifetime of zone signing key 7987 exceeded since 1w1d8h26m2s: ZSK rollover deferred: waiting for published key
2014-11-14 18:04:37.686: debug: New ZSK for publishing needed
2014-11-14 18:04:37.721: debug: ->creating new key 39632
2014-11-14 18:04:37.721: info: "sub.example.net.": new zone signing key 39632 generated for publishing
2014-11-14 18:04:37.721: debug: Re-signing necessary: Modified zone key set
2014-11-14 18:04:37.721: notice: "sub.example.net.": re-signing triggered: Modified zone key set
2014-11-14 18:04:37.721: debug: Writing key file "./sub.example.net/dnskey.db"
2014-11-14 18:04:37.721: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2014-11-14 18:04:37.721: debug: Signing zone "sub.example.net."
2014-11-14 18:04:37.722: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 97195D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-14 18:04:37.729: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC-only DNSKEY"
2014-11-14 18:04:37.729: error: "sub.example.net.": signing failed!
2014-11-14 18:09:16.251: debug: Check RFC5011 status
2014-11-14 18:09:16.251: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:09:16.251: debug: Check KSK status
2014-11-14 18:09:16.251: debug: No active KSK found: generate new one
2014-11-14 18:09:16.288: info: "sub.example.net.": generated new KSK 60396
2014-11-14 18:09:16.288: debug: Check ZSK status
2014-11-14 18:09:16.288: debug: No active ZSK found: generate new one
2014-11-14 18:09:16.329: info: "sub.example.net.": generated new ZSK 21503
2014-11-14 18:09:16.329: debug: Re-signing necessary: Modified zone key set
2014-11-14 18:09:16.329: notice: "sub.example.net.": re-signing triggered: Modified zone key set
2014-11-14 18:09:16.329: debug: Writing key file "./sub.example.net/dnskey.db"
2014-11-14 18:09:16.330: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2014-11-14 18:09:16.330: debug: Signing zone "sub.example.net."
2014-11-14 18:09:16.330: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B26BB7 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-14 18:09:16.427: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-14 18:09:16.427: debug: Signing completed after 0s.
2014-11-14 18:11:40.699: debug: Check RFC5011 status
2014-11-14 18:11:40.699: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:11:40.699: debug: Check KSK status
2014-11-14 18:11:40.699: debug: Check ZSK status
2014-11-14 18:11:40.699: debug: Re-signing necessary: Modified keys
2014-11-14 18:11:40.699: notice: "sub.example.net.": re-signing triggered: Modified keys
2014-11-14 18:11:40.699: debug: Writing key file "././sub.example.net/dnskey.db"
2014-11-14 18:11:40.699: debug: Incrementing serial number in file "././sub.example.net/zone.db"
2014-11-14 18:11:40.699: debug: Signing zone "sub.example.net."
2014-11-14 18:11:40.699: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 E8CBA9 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-14 18:11:40.876: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-14 18:11:40.876: debug: Signing completed after 0s.
2014-11-14 18:11:46.599: debug: Check RFC5011 status
2014-11-14 18:11:46.599: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:11:46.599: debug: Check KSK status
2014-11-14 18:11:46.599: debug: Check ZSK status
2014-11-14 18:11:46.599: debug: Re-signing not necessary!
2014-11-14 18:11:46.599: debug: Check if there is a parent file to copy
2014-11-14 18:15:54.379: debug: Check RFC5011 status
2014-11-14 18:15:54.379: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:15:54.379: debug: Check KSK status
2014-11-14 18:15:54.379: debug: Check ZSK status
2014-11-14 18:15:54.379: debug: Re-signing not necessary!
2014-11-14 18:15:54.379: debug: Check if there is a parent file to copy
2014-11-14 18:31:09.365: debug: Check RFC5011 status
2014-11-14 18:31:09.365: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:31:09.365: debug: Check KSK status
2014-11-14 18:31:09.365: debug: Check ZSK status
2014-11-14 18:31:09.365: debug: Re-signing not necessary!
2014-11-14 18:31:09.365: debug: Check if there is a parent file to copy
2014-11-14 18:31:27.335: debug: Check RFC5011 status
2014-11-14 18:31:27.335: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:31:27.335: debug: Check KSK status
2014-11-14 18:31:27.335: debug: Check ZSK status
2014-11-14 18:31:27.335: debug: Re-signing not necessary!
2014-11-14 18:31:27.335: debug: Check if there is a parent file to copy
2014-11-14 18:38:16.355: debug: Check RFC5011 status
2014-11-14 18:38:16.355: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:38:16.355: debug: Check KSK status
2014-11-14 18:38:16.355: debug: Check ZSK status
2014-11-14 18:38:16.355: debug: Re-signing not necessary!
2014-11-14 18:38:16.356: debug: Check if there is a parent file to copy
2014-11-15 18:16:50.447: debug: Check RFC5011 status
2014-11-15 18:16:50.447: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:16:50.447: debug: Check KSK status
2014-11-15 18:16:50.447: debug: Check ZSK status
2014-11-15 18:16:50.447: debug: Re-signing necessary: re-signing interval (1d) reached
2014-11-15 18:16:50.447: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached
2014-11-15 18:16:50.447: debug: Writing key file "././sub.example.net/dnskey.db"
2014-11-15 18:16:50.447: debug: Incrementing serial number in file "././sub.example.net/zone.db"
2014-11-15 18:16:50.447: debug: Signing zone "sub.example.net."
2014-11-15 18:16:50.448: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 DC5680 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-15 18:16:50.572: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-15 18:16:50.572: debug: Signing completed after 0s.
2014-11-15 18:16:54.202: debug: Check RFC5011 status
2014-11-15 18:16:54.202: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:16:54.202: debug: Check KSK status
2014-11-15 18:16:54.202: debug: Check ZSK status
2014-11-15 18:16:54.202: debug: Re-signing not necessary!
2014-11-15 18:16:54.202: debug: Check if there is a parent file to copy
2014-11-15 18:17:06.918: debug: Check RFC5011 status
2014-11-15 18:17:06.918: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:17:06.918: debug: Check KSK status
2014-11-15 18:17:06.918: debug: Check ZSK status
2014-11-15 18:17:06.918: debug: Re-signing not necessary!
2014-11-15 18:17:06.918: debug: Check if there is a parent file to copy
2014-11-15 18:17:17.242: debug: Check RFC5011 status
2014-11-15 18:17:17.242: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:17:17.242: debug: Check KSK status
2014-11-15 18:17:17.242: debug: Check ZSK status
2014-11-15 18:17:17.242: debug: Re-signing not necessary!
2014-11-15 18:17:17.242: debug: Check if there is a parent file to copy
2014-11-17 19:12:44.029: debug: Check RFC5011 status
2014-11-17 19:12:44.029: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:12:44.029: debug: Check KSK status
2014-11-17 19:12:44.029: debug: Check ZSK status
2014-11-17 19:12:44.029: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263008 sec)
2014-11-17 19:12:44.029: debug: ->waiting for published key
2014-11-17 19:12:44.029: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m28s: ZSK rollover deferred: waiting for published key
2014-11-17 19:12:44.029: debug: New ZSK for publishing needed
2014-11-17 19:12:44.110: debug: ->creating new key 53867
2014-11-17 19:12:44.110: info: "sub.example.net.": new zone signing key 53867 generated for publishing
2014-11-17 19:12:44.110: debug: Re-signing necessary: Modified zone key set
2014-11-17 19:12:44.110: notice: "sub.example.net.": re-signing triggered: Modified zone key set
2014-11-17 19:12:44.110: debug: Writing key file "./sub.example.net/dnskey.db"
2014-11-17 19:12:44.111: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2014-11-17 19:12:44.111: debug: Signing zone "sub.example.net."
2014-11-17 19:12:44.111: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9F5882 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-17 19:12:44.250: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-17 19:12:44.250: debug: Signing completed after 0s.
2014-11-17 19:12:49.691: debug: Check RFC5011 status
2014-11-17 19:12:49.691: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:12:49.691: debug: Check KSK status
2014-11-17 19:12:49.691: debug: Check ZSK status
2014-11-17 19:12:49.691: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263013 sec)
2014-11-17 19:12:49.691: debug: ->waiting for published key
2014-11-17 19:12:49.691: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m33s: ZSK rollover deferred: waiting for published key
2014-11-17 19:12:49.692: debug: Re-signing not necessary!
2014-11-17 19:12:49.692: debug: Check if there is a parent file to copy
2014-11-17 19:13:02.603: debug: Check RFC5011 status
2014-11-17 19:13:02.603: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:02.603: debug: Check KSK status
2014-11-17 19:13:02.603: debug: Check ZSK status
2014-11-17 19:13:02.603: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263026 sec)
2014-11-17 19:13:02.603: debug: ->waiting for published key
2014-11-17 19:13:02.603: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m46s: ZSK rollover deferred: waiting for published key
2014-11-17 19:13:02.603: debug: Re-signing not necessary!
2014-11-17 19:13:02.603: debug: Check if there is a parent file to copy
2014-11-17 19:13:50.409: debug: Check RFC5011 status
2014-11-17 19:13:50.409: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:50.409: debug: Check KSK status
2014-11-17 19:13:50.409: debug: Check ZSK status
2014-11-17 19:13:50.409: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263074 sec)
2014-11-17 19:13:50.409: debug: ->waiting for published key
2014-11-17 19:13:50.409: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m34s: ZSK rollover deferred: waiting for published key
2014-11-17 19:13:50.409: debug: Re-signing not necessary!
2014-11-17 19:13:50.409: debug: Check if there is a parent file to copy
2014-11-17 19:13:54.302: debug: Check RFC5011 status
2014-11-17 19:13:54.302: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:54.302: debug: Check KSK status
2014-11-17 19:13:54.302: debug: Check ZSK status
2014-11-17 19:13:54.302: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263078 sec)
2014-11-17 19:13:54.302: debug: ->waiting for published key
2014-11-17 19:13:54.302: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m38s: ZSK rollover deferred: waiting for published key
2014-11-17 19:13:54.302: debug: Re-signing not necessary!
2014-11-17 19:13:54.302: debug: Check if there is a parent file to copy
2014-11-17 19:14:01.845: debug: Check RFC5011 status
2014-11-17 19:14:01.846: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:14:01.846: debug: Check KSK status
2014-11-17 19:14:01.846: debug: Check ZSK status
2014-11-17 19:14:01.846: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263085 sec)
2014-11-17 19:14:01.846: debug: ->waiting for published key
2014-11-17 19:14:01.846: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m45s: ZSK rollover deferred: waiting for published key
2014-11-17 19:14:01.846: debug: Re-signing not necessary!
2014-11-17 19:14:01.846: debug: Check if there is a parent file to copy

View file

@ -1,25 +0,0 @@
;-----------------------------------------------------------------
;
; @(#) sub.example.net/zone.db
;
;-----------------------------------------------------------------
$TTL 7200
@ IN SOA ns1.example.net. hostmaster.example.net. (
13 ; Serial
86400 ; Refresh (RIPE recommendation if NOTIFY is used)
1800 ; Retry
2W ; Expire
7200 ) ; Minimum
IN NS ns1.example.net.
$INCLUDE dnskey.db
localhost IN A 127.0.0.1
a IN A 1.2.3.4
b IN A 1.2.3.5
c IN A 1.2.3.6

View file

@ -1,233 +0,0 @@
; File written on Mon Nov 17 19:12:44 2014
; dnssec_signzone version 9.10.1b1
sub.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
13 ; serial
86400 ; refresh (1 day)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
7200 RRSIG SOA 7 3 7200 (
20141119171244 20141117171244 6419 sub.example.net.
PttXCUlP7dbMYWpsFuMsy+/VN7HZp0TOWgmr
wvQHmb9Ju/y/ez3qHLjaqPun3osNEsjoDMB1
lB40pJzb0ghHyA== )
7200 RRSIG SOA 10 3 7200 (
20141119171244 20141117171244 21503 sub.example.net.
Gmcf5fw7E3qZH+qMzAM/AbUPk5bSE5NeOcBq
iRu6ArSiTZOQOVzh/vtcqZxaRYhGRmcP09Y1
r0bfxPRwxonM/68How2/KaYXDtK1c/X7Xtiu
hqh5E7Cd9952qEU1QzKPTq5q9b7tvW/vHbf0
wNK6WgfXiupZUtTt5DdA1AVXnuk= )
7200 NS ns1.example.net.
7200 RRSIG NS 7 3 7200 (
20141119171244 20141117171244 6419 sub.example.net.
dX8h35oAdqhsHi/XrkvzSb+CjrUKCmIIcFhQ
W3LBXeG1A2u0qvaWBTjCZlL+P82+drBEpHe9
mWAlkZX2QUIXBg== )
7200 RRSIG NS 10 3 7200 (
20141119171244 20141117171244 21503 sub.example.net.
OjicLog1suU6mLdK3AhYv3HXFmE30z/DcWWS
tSj2Gl8jCwVsIs6ckUi1OWTNxyelHXpv+yLd
eDFp8j080Txe/vxoLSb/p1Cny+y8JIepAeHU
u74MFmRqEchHoYD2r3Pz2eoW49vqHKEHnuS0
2N7vrkQpUbhPE3FK+BzfUz8oHnM= )
3600 DNSKEY 256 3 7 (
AwEAAbv1lSpyfRbHCrGs667jxg8+IYrU8GqZ
8NPy1CGj3yxtFH1xCvd7E9gYjtcPaqse+FsC
rChUi/2RQGIPaB0PbyM=
) ; ZSK; alg = NSEC3RSASHA1; key id = 6419
3600 DNSKEY 256 3 10 (
AwEAAahmSxE4IXfSeRORsgUxextvSLXIqa79
0jXejxDQoSmv+Tb7mHsKsB65qxMjXYwIWmh4
lbx66g/yVL9NaIMw6o01jdH3zYi0p3grqvGB
8Z+s4PodN5v1xmSEEqXjYXsjHucg+hQgMkrv
ls3uwl//gz9t5iQx7/FQ56dDzpPyxti5
) ; ZSK; alg = RSASHA512; key id = 21503
3600 DNSKEY 256 3 10 (
AwEAAeweX3J5rUFFMZMN06/70lion/SSy6i6
HVAveLAgXMQVJBRngAQp2TVxfh0Dxjjywu1N
kEokr5FUB9kqL36SwwMTzoZ3yuJjylw+GS8d
w/Z9PFEw0aNMP3qXnL5wHVuzatBnpGo9jAzy
6PtRkJal/WiNPl8tdlIaxhi5X0EnQ2cf
) ; ZSK; alg = RSASHA512; key id = 53867
3600 DNSKEY 257 3 7 (
AwEAAcN3xHB1ZkrRCdxMWoogYdMx9NXO5pu2
U41Terw/v9/tBQQ8ZCwq3KyBMTlwow1n1+ri
NDi3jhJInw+obqUgvxEYU1+xkbAUXU26KqGD
7fe+PEk+UlVQ0LHY65yFHTWNc4/3DnEei++V
uiJ1o7V7sSkQGDJC6L4U+e7vbHi3cBmx
) ; KSK; alg = NSEC3RSASHA1; key id = 33936
3600 DNSKEY 257 3 10 (
AwEAAeTP9f5eCzD71+u4oa7XIjEz/IAD4OQB
D+DgiflOGKrBRnU8uHVqIdqwPhaDqWdutMoZ
abBDlABe/NB7y55ea7s8RCQzQ2dLFGEL3/+G
cebakcATH8e6Fp5+QLCSpyRJhfSZZF6qDJ/p
i2RCS2/VfwCwr+N7VRelFCzri6v+EEeV
) ; KSK; alg = RSASHA512; key id = 60396
3600 RRSIG DNSKEY 7 3 3600 (
20141119171244 20141117171244 6419 sub.example.net.
KZIpG5rY8FipKmTaz1mT1rU7Wf/alUa0REGs
eIBU2Cj3niDZCN3q72uwls28s+ZLBiHRupiz
VB27b+2EwnyXUw== )
3600 RRSIG DNSKEY 7 3 3600 (
20141119171244 20141117171244 33936 sub.example.net.
cGyrJmadXCZXA+8q5Kn9AExvv5okZQuUvjuR
iJn3NGjVfaCkQdAmpzG1JCRLka0SIoNUfR3L
M6AUlnebGeLTTroQpUhc+9xzGh+j6ZG34Oy4
z5eGneO9zKCxHo7RS5QKtBMX/B4jGBA1ZXrH
8cznGrJP5lXmG0/Slqx5VkZpGZs= )
3600 RRSIG DNSKEY 10 3 3600 (
20141119171244 20141117171244 21503 sub.example.net.
WSKwZuoi/R5FbUAXbPi2Qzb1X9NmQlvgl/NS
BtNZPj0F6IkokKgAt+uTCb0yUFY5LAK5Au+Q
UhO8KRpU6tvgpXl3EDjoS2w4cB3x+lv5TNyb
pGVfUZoPcHUrkb+TbcuQfGwJwZff6nd7HmrA
rctHg958+q2bZZw1pqY+cJLUAyE= )
3600 RRSIG DNSKEY 10 3 3600 (
20141119171244 20141117171244 60396 sub.example.net.
rxtIgcBHPI3tvqEVA2P788Nh0amVHy0v/T57
fcwTbTLEnKDyd+uj1uYYiWkOvXu/1ooVzQu8
7KqXjKIxL0qheqladlUMQtBfh9Obz1pcQ6Jn
xE53Xkq+g4FNy06Fr6OXBjKCPgMWvF0AhGAy
1vZVLWcAjm27D3LwXD3dK52rmw8= )
0 NSEC3PARAM 1 0 10 9F5882
0 RRSIG NSEC3PARAM 7 3 0 (
20141119171244 20141117171244 6419 sub.example.net.
PKdn/FXU0FoVS+cspg+YPlHamyZ6HHFsspZM
LDF7HxxDSp0dh1tRczCLZbqGqcCXHnNZcpC0
u7U07psBmVflrg== )
0 RRSIG NSEC3PARAM 10 3 0 (
20141119171244 20141117171244 21503 sub.example.net.
OMwvPQ2mJh07YkZqG93wdx0lxpJ7lVvWBpvZ
dCOxD/hkUJ2GiOnleheXyBymNBb6NeipjhP4
v2GzL0V6zxMMiP95jgFiH0QA0VZulfZBYgLt
Q4/OzAVmsoF6rWDON64AjeW4K9739dEzIUVZ
LZIFQXisPdhvrn4NgJrdnpRuwk0= )
a.sub.example.net. 7200 IN A 1.2.3.4
7200 RRSIG A 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
TSpw1C3Cm6GHT+Si/FnQy3+jVhl3OzSNSjYg
4wpfrs36/ZhOfeIf1Gy/G1yQfwD6WVZ3+wEw
pZMXXWcz7HQIHg== )
7200 RRSIG A 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
J+lF2TQCLSTmwI9RT7RsWiavgorqcRGJ/ad3
7EwonF2CtZ29I8eVSTzUgtgNOHPOXlfK7UC5
6whoZE+peok5rTQu2GXHrmYdpEA4yTVXV+Mt
VVizFAlRVojCIuNAd8V033XKj5xp0DVJVD8M
s4n+IQ1C/re3qxj05mRWTGWDZAs= )
b.sub.example.net. 7200 IN A 1.2.3.5
7200 RRSIG A 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
d2SGbYnahENadQt9lMpXNhwjvTKLvzmVO2WA
H4I6CrX4OB9q1CiyivNUWznvUej7391j+oF+
91tNmiea7NXkbg== )
7200 RRSIG A 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
UNYfWh3nPXc3/cLJkVxYxgD73gV9NaqbNHTp
AtYOnyOHxQ/p4IPF+RlOzaFK0nHAdmGnW/cN
A8VZwWloyZBDhx2DjwrBTkDpFI/nqi1VdI53
A72aLjuFoHo/sUWkC0DNyYrOOWfv7ief3n7g
o9zYZ6AYMzHU15/MOLFo026M72s= )
c.sub.example.net. 7200 IN A 1.2.3.6
7200 RRSIG A 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
IgLll78E6Eh6wQFG8DjR9r5f1+tOfd7w54Z8
ZJn6NMXKpI9htEz4wc2uhYitTfQMkjhHs713
l9hDzj/N7ZUq4w== )
7200 RRSIG A 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
AJMY0J1QS68a43GKWOxBycEF4vmqYU4xG7mx
oLVs3W5zP4oWLc9L2KalGVSpc3tfgQEYMpaf
YMC/6lOV/jYVgu3tJHjXTXyXuakO1HmbUmz4
dsYwxqi2gCpUTrmqcRlh8aEvOXvLmsCS4Z4W
h9xDAguwKZO+FuH98GdjvYIBxZQ= )
localhost.sub.example.net. 7200 IN A 127.0.0.1
7200 RRSIG A 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
NqMM+MGnzC3pw27cKVFE5P2gFv1rkHYj1sAU
XFk2qAlV6TodM4pJD+Tc1QfQxs5FzJiNGY5M
ko7d1aGFx3f/0A== )
7200 RRSIG A 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
iGO6C0oU4frEi+JgR5I09jE0vRB7SKZUmeE9
HVAQeYwvUxUZ/CxANrdRddLTRS56WEXZh8/0
SftcbcRzBgcR9B6nJBNm4C2r8ERCU0PBLuz5
qtCMjYE+522ix1rhjKeyRIAmljv5J8TvDVGB
H/wMfmFRH/RkLcN/NeGcoWdyh/I= )
48I3NCI84TCLKJ9NNME64BPAJFNDGLQA.sub.example.net. 7200 IN NSEC3 1 0 10 9F5882 (
4BAC6PP7TNBHPHB5NF8CPM9TCFCGBR6R
A RRSIG )
7200 RRSIG NSEC3 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
cUUKJ2t2Jwj37BnhN3OiPmP+Vx8svGXQ+A8u
wupiN+hkyZq30MvAIOOfw9iwrlb7ViDoywJD
QXqlAzmnko1BPQ== )
7200 RRSIG NSEC3 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
mPc1t/mshOCMCAlnm3ADUiPdQz0FQQNW9e9C
D+uKsibGyiTY0lTfmWy9h8DuLQZ+NAPcmk48
IXyopP3GiqBRNuVLU18B4plmP4+BqSK43iMa
E9wPKzdYkWKrYQtpExrJOGcdKgEKYokrNLX3
AjeweKQlF0XsfXK+zR/Sw9ZfibY= )
4BAC6PP7TNBHPHB5NF8CPM9TCFCGBR6R.sub.example.net. 7200 IN NSEC3 1 0 10 9F5882 (
4LG74TG924990NI8BHBJU9FAV4TUMCLT
A RRSIG )
7200 RRSIG NSEC3 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
ZGKw78T9mj+71tdtaJPqzhJojkmSREbnNDPM
Ze/XTdHV0AgE0tFpIY3k7deUJGGUzow9cz8e
ro396x1UGvd4WA== )
7200 RRSIG NSEC3 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
hFjoFcD//EmH8J+dYCV3Fcupmxdao0BNjWWp
odVSTCRtJJCZhmkrz3ZM4nbqD8sSZII20M7H
D7aFzm2H5YPpbgUpvLfLA40gk/9tP2ybbRET
ii76RzSSIO69VgadjBNyBjmnuoRm65reKLA6
HRz5J+AIkapoAAXLPjN6CzW1C8s= )
4LG74TG924990NI8BHBJU9FAV4TUMCLT.sub.example.net. 7200 IN NSEC3 1 0 10 9F5882 (
6DNQUL36M576R5AMAB52O7QOVASKN098
A RRSIG )
7200 RRSIG NSEC3 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
qjS10ICZ+si7lO1hi0XcfUts8azgDIhG52PI
CG3/GRi2Gf/M7+3/y+SGbDVPIbt7iGv46rgY
aQA0von+Q/LrFQ== )
7200 RRSIG NSEC3 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
M/bEtsoBAWrH+e4u4pxvnVUiE2AusGn/IwOy
y8k6raRQUFymw8280X1Qu/fI85EHbmdS87Y8
QHwx364jmImIB/9ikGnb32Yq10yTUgli4j9I
SkjKnTXZQrGeDm91lOT66HkOqqx6alsE+uJC
0zTOrU5hImZKr71K6rnePPQ7paQ= )
6DNQUL36M576R5AMAB52O7QOVASKN098.sub.example.net. 7200 IN NSEC3 1 0 10 9F5882 (
94U6S8HHE6P1CI9JFL15CTOTRRJM8NC0
A RRSIG )
7200 RRSIG NSEC3 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
IbPLI7qRuG0jfJd2Fe7ce9YG2PignyaijdFG
iHsYYHvk4Gd/3TCpH69umTZ9Pt8IG615uHRI
0AdOEM+nCl70RA== )
7200 RRSIG NSEC3 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
e56NrfBDTS/h70xgFK4e3G6MXnosP/14Xbw5
IDV9gLd3FsIMMi9aMKh8XJjI228nlb7mw3KB
zNv/z6Vf/ABGy11hmKI7MbColDQOuM+ehkvy
UpQfPcuros7wfREWcnUOQqggrbazJsyLbwJB
GsZJiiy9iase+rd4l7a7ov7F0Vk= )
94U6S8HHE6P1CI9JFL15CTOTRRJM8NC0.sub.example.net. 7200 IN NSEC3 1 0 10 9F5882 (
48I3NCI84TCLKJ9NNME64BPAJFNDGLQA
NS SOA RRSIG DNSKEY NSEC3PARAM )
7200 RRSIG NSEC3 7 4 7200 (
20141119171244 20141117171244 6419 sub.example.net.
t/LkG2Osw1ennr5tkbT/Top9iiU5oOajG83q
QvnBwE7UVYBQPuvYNEBmzEPPjYJmh95Ysb77
Q4tvNGTeYmhE2A== )
7200 RRSIG NSEC3 10 4 7200 (
20141119171244 20141117171244 21503 sub.example.net.
H3daA7IcfSXZPTsbszyf7Os/PMdsx58nNgXq
rlaIJA79Mttlrkyp7YK3W9+b41OaoDo4QTza
7pwP4ZfMJmYRVmaYSc3/tukKuRmM0POE+ZFD
yE0Y+qx+9J8uXQ3VeIF+F4JRgMKPp7uGvI+d
1ut1c8O+8PN6JZ3AaLKlRzd2KkA= )
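Review bot: agree with removing this generated artifact; the header says it was written by dnssec_signzone 9.10.1b1 on Mon Nov 17 2014 and every RRSIG is valid only from 20141117171244 to 20141119171244, so a 233-line signed zone of long-expired signatures has no documentation value checked in. For anyone who was using it as a reference: the DNSKEY RRset publishes a third ZSK (key id 53867, alg 10) that signs nothing in the file, which appears to be the pre-published successor that the deleted log's "waiting for published key" notice for key 21503 refers to.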

View file

@ -1 +0,0 @@
../zkt-ls.sh

View file

@ -1 +0,0 @@
../zkt-signer.sh

View file

@ -1,10 +0,0 @@
zone "example.NET." in {
type master;
file "example.net/zone.db.signed";
};
zone "sub.example.NET." in {
type master;
file "sub.example.net/zone.db.signed";
};
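Review bot: the two zone stanzas load "example.net/zone.db.signed" and "sub.example.net/zone.db.signed"; the second is deleted in this diff, but the first is not among the files shown on this page (the page notes that some files were omitted), so please confirm that example.net/zone.db.signed and its unsigned source are removed in the same commit rather than left orphaned. Dropping this named.conf fragment is otherwise correct, as it exists only to drive the removed zkt examples.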

View file

@ -1,12 +0,0 @@
sub.example.de.dlv.trusted-keys.net. IN DLV 8544 5 1 676E635D2DE4DB57348E6EA4D47B5A187077B30E
sub.example.de.dlv.trusted-keys.net. IN DLV 8544 5 2 15903EA9128343053FB37761B806705818527648201F8EA0B039716E EB199DF7
sub.example.de.dlv.trusted-keys.net. IN DLV 27861 5 1 A70BD190C8BA61C1D867B2A0788FB1011EB39689
sub.example.de.dlv.trusted-keys.net. IN DLV 27861 5 2 B7BCDAC3AADF8B46F57B9A999BDF6DDA00AAE87C2504704B639407CF 0C9C2149
sub.example.de.dlv.trusted-keys.net. IN DLV 32679 5 1 B2B115076F5BC2F2864D8ED1D63279193E5E7999
sub.example.de.dlv.trusted-keys.net. IN DLV 32679 5 2 71B3896274A524028F131983D780C12CB38EA40E435815E9CC301749 26BFD367
sub.example.de.dlv.trusted-keys.net. IN DLV 38331 5 1 8F7E90EE2686DAE4D31CEE40142AD6A25670B0A0
sub.example.de.dlv.trusted-keys.net. IN DLV 38331 5 2 7B791220D03926DC6D3531CD155EF1E2AB202CE5955DF61079BEDD48 67400707
sub.example.de.dlv.trusted-keys.net. IN DLV 42639 5 1 4BF75E73D98DDD2EA51761C78180E5501CD6C160
sub.example.de.dlv.trusted-keys.net. IN DLV 42639 5 2 23C39209F8D53D76AD86283B4553AEA5419E47494B40FAE1707B18D5 EBD47B07
sub.example.de.dlv.trusted-keys.net. IN DLV 51846 5 1 F0B3607F13FFE0C5AEF2ED24978FC8D42B391361
sub.example.de.dlv.trusted-keys.net. IN DLV 51846 5 2 B067543FEAC9F203E9508672D802DEFD9F8AFF6CDBCC298B25C2CCED EDC813D8
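Review bot: safe to delete; the file is nothing but twelve DLV records (digest types 1 and 2, i.e. SHA-1 and SHA-256, for six key tags) under dlv.trusted-keys.net, which is exactly the dlv_domain the deleted zkt dnssec.conf configures, so the two hunks go together. If a maintainer intends to keep any zkt example around, this should not be it: lookaside data pinned to one registry and one set of key tags goes stale silently.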

View file

@ -1,16 +0,0 @@
##
## dnssec-zkt v0.4 (c) Jan 2005 hoz <at> hznet <dot> de ##
##
resigninterval 12h
sigvalidity 1d
max_ttl 90s
ksk_lifetime 7d
key_algo RSASHA1
ksk_bits 1024
zsk_lifetime 3d
zsk_bits 512
dlv_domain "dlv.trusted-keys.net"
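Review bot: removing this sample is an improvement in its own right, not just housekeeping: it sets key_algo RSASHA1 with zsk_bits 512 and ksk_bits 1024, a 90s max_ttl and a 1d sigvalidity, under a header for dnssec-zkt v0.4 dated Jan 2005. A 512-bit ZSK is exactly the kind of value that gets copied out of a contrib example into production, so shipping the file unmaintained was the worse option; if the README keeps pointing people at zkt, it should point at upstream's current defaults rather than at this.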

View file

@ -1,7 +0,0 @@
; KSK rollover phase2 (this is the new key)
sub.example.de. 14400 IN DNSKEY 257 3 5 (
BQEAAAAB2CMCmaITzL7L6UmI0Y+u16LiyINgkYc3dxYunDYWK0FEXGa5
L7ss8jepJnBM6KD/rekwqb5wgso/5VnSprhUUnQqec6ESuJ/9/ThI6i7
zD6AnwdtXagTOaTRqWhUEcjgMIG4oJK/Pb5mZAlXvzPqmRkyeStRw0cU
AEWQvdtuDcc=
) ; key id = 51846
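Review bot: consistent with the DLV hunk; this file holds the phase-2 (new) KSK for sub.example.de, key id 51846, algorithm 5, and the same tag 51846 appears in the deleted dlv.trusted-keys.net records, so once both hunks land nothing in the visible diff references this key.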

View file

@ -1,25 +0,0 @@
;-----------------------------------------------------------------
;
; @(#) sub.example.de/zone.db
;
;-----------------------------------------------------------------
$TTL 7200
@ IN SOA ns1.example.de. hostmaster.example.de. (
2011012503; Serial (up to 10 digits)
86400 ; Refresh (RIPE recommendation if NOTIFY is used)
1800 ; Retry
2W ; Expire
7200 ) ; Minimum
IN NS ns1.example.de.
$INCLUDE dnskey.db
localhost IN A 127.0.0.1
a IN A 1.2.3.4
b IN A 1.2.3.5
c IN A 1.2.3.6

View file

@ -1,38 +0,0 @@
;-----------------------------------------------------------------
;
; @(#) example.de/zone.db
;
;-----------------------------------------------------------------
$TTL 7200
; Ensure that the serial number below is left
; justified in a field of at least 10 chars!!
; 0123456789;
; It's also possible to use the date format e.g. 2005040101
@ IN SOA ns1.example.de. hostmaster.example.de. (
315 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
7200 ) ; Minimum
IN NS ns1.example.de.
IN NS ns2.example.de.
ns1 IN A 1.0.0.5
IN AAAA 2001:db8::53
ns2 IN A 1.2.0.6
localhost IN A 127.0.0.1
; Delegation to secure zone; The DS resource record will
; be added by dnssec-signzone automatically if the
; keyset-sub.example.de file is present (run dnssec-signzone
; with option -g or use the dnssec-signer tool) ;-)
sub IN NS ns1.example.de.
; this file will contain all the zone keys
$INCLUDE dnskey.db
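Review bot: the comment at the delegation ("The DS resource record will be added by dnssec-signzone automatically if the keyset-sub.example.de file is present ... or use the dnssec-signer tool") and the "$INCLUDE dnskey.db" line both depend on files produced by the removed zkt tooling, so the zone cannot be used on its own and there is no reason to keep it. Neither dnskey.db nor keyset-sub.example.de is in the visible diff; please confirm they are among the omitted files so no dangling includes remain.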

Some files were not shown because too many files have changed in this diff.