move to zkt 0,99c (RT #20054)

Francis Dupont 2009-09-23 13:27:59 +00:00
parent 6839f8b6df
commit 484076c325
122 changed files with 12116 additions and 4080 deletions


@ -1,3 +1,5 @@
2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+adflag and +cdflag. [RT #19305]


@ -1,4 +1,58 @@
zkt 0.98 -- 30. Dec 2008
zkt 0.99c -- 1. Aug 2009
* misc dnssec-signer command line option vars changed to storage
class static.
* port setenv() replaced by putenv() in misc.c
* misc Install binaries in prefix/bin instead of $HOME/bin.
Fixing some spelling errors in dnssec-signzone.8 and
dnssec-zkt.8.
Thanks to Mans Nilsson.
* port timegm() check added to configure.ac
* misc configure.ac, Makefile.in, and doc is now part of distribution
* bug off by one error fixed in splitpath()
* misc is_dotfile() renamed to is_dotfilename() (misc.c)
* misc inc_soaserial() sourced out to soaserial.c
* misc reload() functions sourced out to nscomm.c
* bug Introducing parameter "KeyAlgorithm" for both ZSK and
KSK keys instead of separate KSK and ZSK algorithms.
New functions dki_algo() and dki_findalgo().
* bug Redirect stderr message (additionally to stdout) of
dnssec-signzone command to pipe.
Pick up last line of output for logging.
* misc "Sig_GenerateDS" is no longer a hidden parameter.
* misc "make clean" now remove the binary files
New target "distclean" added to Makefile
* bug Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick
Soderblum and Peter Norin for the patch)
Changed all TIMEINT parameter values to long.
* bug If someone changes the zone.db file in dynamic mode, this will be treated
the same way as an initial setup, so the zone.db file will be used as new
input file (Thanks to Shane Wegner for this patch)
* bug Option nsec3_param added to dnssec-signzone command for dynamic zones.
* func New option "NamedChrootDir" added to dnssec.conf to specify the
directory of a chrooted named. Without such an option
"dnssec-signer -N named.conf" couldn't find the zone file directory.
* misc Default ZSK lifetime set to 12 weeks instead of 3 months (30days) to
suppress the warning message about ZSK keysize of 512 bits.
zkt 0.98 -- 28. Dec 2008
* misc Target "install-man" added to Makefile
man files moved to sub directory "man"


@ -6,7 +6,6 @@
prefix = @prefix@
mandir = @mandir@
INSTALL_DIR = $$HOME/bin
CC = @CC@
@ -25,11 +24,12 @@ VERSION = @PACKAGE_VERSION@
HEADER = dki.h misc.h domaincmp.h zconf.h config_zkt.h \
config.h.in strlist.h zone.h zkt.h debug.h \
ncparse.h log.h rollover.h
ncparse.h log.h rollover.h nscomm.h soaserial.h
SRC_ALL = dki.c misc.c domaincmp.c zconf.c log.c
OBJ_ALL = $(SRC_ALL:.c=.o)
SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c
SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c \
nscomm.c soaserial.c
OBJ_SIG = $(SRC_SIG:.c=.o)
MAN_SIG = dnssec-signer.8
PROG_SIG= dnssec-signer
@ -47,17 +47,18 @@ PROG_SER= zkt-soaserial
MAN_ALL = $(MAN_ZKT) $(MAN_SIG) #$(MAN_SER)
OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
configure examples
SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) man $(OTHER)
MNTSAVE = $(SAVE) configure.ac config.h.in doc
SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(OTHER) \
man configure.ac config.h.in doc
#MNTSAVE = $(SAVE) configure.ac config.h.in doc
all: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
macos: ## for MAC OS
macos: ## for MAC OS (depreciated)
macos:
$(MAKE) CFLAGS="$(CFLAGS) -D HAS_UTYPES=0" all
solaris: ## for solaris
solaris: ## for solaris (depreciated)
solaris:
@$(MAKE) CFLAGS="$(CFLAGS) -D HAVE_GETOPT_LONG=0" all
@ -74,13 +75,16 @@ $(PROG_ZKT): $(OBJ_ZKT) $(OBJ_ALL) Makefile
$(PROG_SER): $(OBJ_SER) Makefile
$(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER)
install: ## install binaries in INSTALL_DIR
install: ## install binaries in prefix/bin
install: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(INSTALL_DIR)
test -d $(prefix)/bin || mkdir -p $(prefix)/bin
cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(prefix)/bin/
install-man: ## install man pages in mandir
install-man:
test -d $(mandir)/man8/ && cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/
test -d $(mandir)/man8/ || mkdir -p $(mandir)/man8/
cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/
tags: ## create tags file
@ -89,20 +93,19 @@ tags: $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
clean: ## remove objectfiles and binaries
clean:
rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL)
-rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL) \
$(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
distclean: ## remove objectfiles, binaries and distribution files
distclean: clean
-rm -f Makefile config.h config.log config.status config.cache \
$(PROJECT)-$(VERSION).tar.gz
dist: ## create tar file for distribution
dist: $(PROJECT)-$(VERSION).tar.gz
tar: ## create tar file for distribution
tar: $(PROJECT)-$(VERSION).tar.gz
maintain: ## create configure script
maintain: configure
mainttar: ## create tar file for maintenance
mainttar: $(PROJECT)-maint-$(VERSION).tar.gz
configure: configure.ac
configure: ## create configure script
configure: configure.ac Makefile.in
autoconf && autoheader
man: man/$(MAN_ZKT).html man/$(MAN_ZKT).pdf man/$(MAN_SIG).html man/$(MAN_SIG).pdf
@ -124,12 +127,6 @@ $(PROJECT)-$(VERSION).tar.gz: $(SAVE)
cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-$(VERSION).tar.gz $$distfiles ;\
)
$(PROJECT)-maint-$(VERSION).tar.gz: $(MNTSAVE)
( \
distfiles=`ls -d $(MNTSAVE) | sed 's|^|$(PROJECT)-$(VERSION)/|'` ;\
cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-maint-$(VERSION).tar.gz $$distfiles ;\
)
depend:
$(CC) -MM $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(SRC_ALL)
@ -138,14 +135,17 @@ help:
## all dependicies
#:r !make depend
#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
dnssec-signer.o: dnssec-signer.c config_zkt.h zconf.h debug.h misc.h \
ncparse.h zone.h dki.h rollover.h log.h
ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h
zone.o: zone.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h \
zone.h
ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h
rollover.o: rollover.c config_zkt.h zconf.h debug.h misc.h zone.h dki.h \
log.h rollover.h
nscomm.o: nscomm.c config_zkt.h zconf.h nscomm.h zone.h dki.h log.h \
misc.h debug.h
soaserial.o: soaserial.c config_zkt.h zconf.h log.h debug.h soaserial.h
dnssec-zkt.o: dnssec-zkt.c config_zkt.h debug.h misc.h zconf.h strlist.h \
dki.h zkt.h
strlist.o: strlist.c strlist.h
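Review bot: The new `install` recipe (the `test -d $(prefix)/bin || mkdir -p` and `cp` lines in the `@ -74,13 +75,16` hunk) installs straight into `$(prefix)/bin` with no `$(DESTDIR)` and copies with plain `cp`, so staged or packaged installs cannot redirect it and the installed file modes are whatever the build tree happens to have; `mkdir -p` alone already handles the existing-directory case, so the `test -d` guard is redundant (same in `install-man`). Suggest `mkdir -p $(DESTDIR)$(prefix)/bin` followed by `cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(DESTDIR)$(prefix)/bin/`, and the same shape for the man page lines. In the `clean`/`distclean` hunk the `-` prefix on `-rm -f` is redundant with `-f` and hides unexpected failures such as a permission problem. Unless `.PHONY` is declared outside these hunks, `install`, `install-man`, `clean`, `distclean`, `tar` and `dist` should be listed in one, since a file named `clean` or `dist` in the source tree would otherwise make those targets appear up to date.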


@ -1,7 +1,7 @@
#
# README dnssec zone key tool
#
# (c) March 2005 - Dec 2008 by Holger Zuleger hznet
# (c) March 2005 - Aug 2009 by Holger Zuleger hznet
# (c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho)
# (c) for zconf.c by Jeroen Masar & Holger Zuleger
#
@ -16,13 +16,13 @@ The complete software stands under BSD licence (see LICENCE file)
To build the software:
a) Get the current version of zkt
$ wget http://www.hznet.de/dns/zkt/zkt-0.98.tar.gz
$ wget http://www.hznet.de/dns/zkt/zkt-0.99c.tar.gz
b) Unpack
$ tar xzvf zkt-0.98.tar.gz
$ tar xzvf zkt-0.99c.tar.gz
c) Change to dir
$ cd zkt-0.98
$ cd zkt-0.99c
d) Run configure script
$ ./configure
@ -33,7 +33,8 @@ f) Compile
$ make
g) Install
$ make install # this will copy the binarys to $HOME/bin
# make install
# make install-man
h) (optional) Install and modify the default dnssec.conf file
$ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf


@ -55,6 +55,7 @@ Current logging messages:
Start and stop of dnssec-signer
Re-signing events
Key rollover events
KSK key generation and revoking
Zone reload resp. freeze/thaw of dynamic zone
LG_INFO: Currently none
planned:


@ -1,16 +1,15 @@
TODO list as of zkt-0.97
TODO list as of zkt-0.99
general:
Renaming of the tools to zkt-* ?
dnssec-zkt:
feat option to specify the key age as remaining lifetime
(Option -i inverse age ?) As of v0.95 the key lifetime
is stored at the key itself, so this could be possibly
implemented without big effort(?).
(Option -i inverse age ?).
dnssec-signer:
bug Distribute_Cmd will not work properly on dynamic zones
bug Distribute_Cmd wouldn't work properly on dynamic zones
(missing freeze, thaw; copy Keyfiles instead of signed zone file)
bug Automatic KSK rollover of dynamic zones will only work if the parent
uses the standard name for the signed zonefile (zonefile.db.signed).
@ -19,7 +18,7 @@ dnssec-signer:
(Key removal is not recognized by dosigning () function )
bug There is no online checking of the key material by design.
So the signer command checks the status of the key as they
The signer command checks the status of the key as they
are represented in the file system and not in the zone.
The dnssec maintainer is responsible for the lifeliness of the
data in the hosted domain.


@ -34,6 +34,9 @@
/* Define to 1 if you have the `gettimeofday' function. */
#undef HAVE_GETTIMEOFDAY
/* Define to 1 if you have the `getuid' function. */
#undef HAVE_GETUID
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
@ -53,8 +56,8 @@
/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H
/* Define to 1 if you have the `setenv' function. */
#undef HAVE_SETENV
/* Define to 1 if you have the `putenv' function. */
#undef HAVE_PUTENV
/* Define to 1 if you have the `socket' function. */
#undef HAVE_SOCKET
@ -119,6 +122,9 @@
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have the `timegm' function. */
#undef HAVE_TIMEGM
/* Define to 1 if you have the `tzset' function. */
#undef HAVE_TZSET
@ -198,7 +204,7 @@
/* Define to rpl_malloc if the replacement function should be used. */
#undef malloc
/* Define to `unsigned' if <sys/types.h> does not define. */
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
/* Define to `unsigned char' if <sys/types.h> does not define. */


@ -37,10 +37,6 @@
#ifndef CONFIG_ZKT_H
# define CONFIG_ZKT_H
#ifndef HAS_TIMEGM
# define HAS_TIMEGM 1
#endif
#ifndef LOG_FNAMETMPL
# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
#endif
@ -52,13 +48,9 @@
# define HAS_UTYPES 1
#endif
#ifndef HAVE_GETOPT_LONG
# define HAVE_GETOPT_LONG 1
#endif
#ifndef HAVE_STRFTIME
# define HAVE_STRFTIME 1
#endif
/* # define HAVE_TIMEGM 1 */
/* # define HAVE_GETOPT_LONG 1 */
/* # define HAVE_STRFTIME 1 */
#ifndef TTL_IN_KEYFILE_ALLOWED
# define TTL_IN_KEYFILE_ALLOWED 1
@ -84,6 +76,10 @@
# define LOG_WITH_LEVEL 1
#endif
#ifndef ALWAYS_CHECK_KEYSETFILES
# define ALWAYS_CHECK_KEYSETFILES 1
#endif
#ifndef CONFIG_PATH
# define CONFIG_PATH "/var/named/"
#endif
@ -104,9 +100,9 @@
#ifndef ZKT_VERSION
# if defined(USE_TREE) && USE_TREE
# define ZKT_VERSION "vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
# define ZKT_VERSION "vT0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
# else
# define ZKT_VERSION "v0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
# define ZKT_VERSION "v0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
# endif
#endif
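Review bot: The new `ALWAYS_CHECK_KEYSETFILES` default (hunk `@ -84,6 +76,10`) carries no comment saying what it switches; from its use in dnssec-signer.c it decides whether `dosigning` looks for new keyset- files in every zone directory or only when `keysetdir` is `".."`, so a one-line comment such as `/* 1: check for new keyset- files in every zone dir, 0: only when keysetdir is ".." */` above the `#ifndef` would save readers a cross-file lookup. The three commented-out lines `/* # define HAVE_TIMEGM 1 */`, `/* # define HAVE_GETOPT_LONG 1 */` and `/* # define HAVE_STRFTIME 1 */` that replace the old `#ifndef` fallbacks (hunk `@ -52,13 +48,9`) are dead code; either drop them or replace them with a single comment noting that these macros now come from config.h, which matters because the `macos`/`solaris` Makefile targets still pass `-D HAVE_GETOPT_LONG=0` on the command line and no longer have an in-header default to override.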

contrib/zkt/configure vendored


contrib/zkt/configure.ac Normal file

@ -0,0 +1,142 @@
# -*- Autoconf -*-
# Process this file with autoconf to produce a configure script.
#
# @(#) configure.ac
#
# 2008-06-27 initial setup
# 2008-06-29 add of BIND path checking
# 2008-06-30 add of arg checkings
# 2008-07-02 additional arg checkings
# 2008-07-04 check for getopt_long() added
# 2008-08-30 check for unsigned integer types
# 2008-10-01 if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort
# 2009-07-30 check for timegm() added
#
AC_PREREQ(2.59)
### Package name and current version
AC_INIT(ZKT, 0.99c, Holger Zuleger hznet.de)
dnl AC_REVISION($Revision: 1.1 $)
### Files to test to check if src dir contains the package
AC_CONFIG_SRCDIR([dnssec-zkt.c])
AC_CONFIG_HEADER([config.h])
### Checks for programs.
AC_PROG_CC
### find out the path to BIND utils and version
AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone)
if test -z "$SIGNZONE_PROG" ; then
# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
AC_MSG_WARN([*** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***])
else
bind_util_path=`dirname "$SIGNZONE_PROG"`
# define BIND_UTIL_PATH in config.h.in
AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities)
# define BIND_VERSION in config.h.in
bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots)
fi
AC_CHECK_TYPE(uint, unsigned int)
AC_CHECK_TYPE(ulong, unsigned long)
AC_CHECK_TYPE(ushort, unsigned short)
AC_CHECK_TYPE(uchar, unsigned char)
### define configure arguments
AC_ARG_ENABLE([printtimezone], AC_HELP_STRING( [--enable-print-timezone], [print out timezone]), [printtimezone=$enableval])
printtimezone=0
test "$printtimezone" = yes && printtimezone=1
AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, $printtimezone, print out timezone)
AC_ARG_ENABLE([printyear], AC_HELP_STRING( [--enable-print-age], [print age of year]), [printyear=$enableval])
printyear=0
test "$printyear" = yes && printyear=1
AC_DEFINE_UNQUOTED(PRINT_AGE_OF_YEAR, $printyear, print age of year)
AC_ARG_ENABLE([logprogname], AC_HELP_STRING( [--enable-log-progname], [log with progname]), [logprogname=$enableval])
logprogname=0
test "$logprogname" = yes && logprogname=1
AC_DEFINE_UNQUOTED(LOG_WITH_PROGNAME, $logprogname, log with progname)
AC_ARG_ENABLE([logtimestamp], AC_HELP_STRING( [--disable-log-timestamp], [do not log with timestamp]), [logtimestamp=$enableval])
logtimestamp=1
test "$logtimestamp" = no && logtimestamp=0
AC_DEFINE_UNQUOTED(LOG_WITH_TIMESTAMP, $logtimestamp, log with timestamp)
AC_ARG_ENABLE([loglevel], AC_HELP_STRING( [--disable-log-level], [do not log with level]), [loglevel=$enableval])
loglevel=1
test "$loglevel" = no && loglevel=0
AC_DEFINE_UNQUOTED(LOG_WITH_LEVEL, $loglevel, log with level)
AC_ARG_ENABLE([ttl_in_keyfile], AC_HELP_STRING( [--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]), [ttl_in_keyfile=$enableval])
ttl_in_keyfile=1
test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
AC_DEFINE_UNQUOTED(TTL_IN_KEYFILE_ALLOWED, $ttl_in_keyfile, TTL in keyfiles allowed)
configpath="/var/named"
AC_ARG_ENABLE([configpath],
AC_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]),
[configpath=$enableval])
case "$configpath" in
yes)
configpath="/var/named"
;;
no)
configpath=""
;;
*)
;;
esac
AC_DEFINE_UNQUOTED(CONFIG_PATH, "$configpath/", [set path of config file (defaults to /var/named)])
usetree=1
t="T"
AC_ARG_ENABLE([tree],
AC_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]),
[usetree=$enableval])
if test "$usetree" = no
then
usetree=0
t=""
fi
AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data structure for dnssec-zkt)
AC_DEFINE_UNQUOTED(ZKT_VERSION, "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de", ZKT version string)
### Checks for libraries.
### Checks for header files.
AC_HEADER_DIRENT
AC_HEADER_STDC
AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h])
### Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
AC_TYPE_SIZE_T
AC_HEADER_TIME
AC_STRUCT_TM
AC_TYPE_UID_T
### Checks for library functions.
AC_FUNC_CLOSEDIR_VOID
AC_FUNC_ERROR_AT_LINE
AC_FUNC_MALLOC
AC_FUNC_MKTIME
AC_FUNC_STAT
AC_FUNC_STRFTIME
AC_FUNC_UTIME_NULL
AC_FUNC_VPRINTF
# 2008-07-04 getopt_long added
# 2009-07-30 timegm added
AC_CHECK_FUNCS([getopt_long gettimeofday memset putenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime getuid timegm])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT
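Review bot: Each `AC_ARG_ENABLE` block from `printtimezone` through `ttl_in_keyfile` assigns `$enableval` in its action and is immediately followed by an unconditional reset such as `printtimezone=0` or `logtimestamp=1`, so the value given on the command line is overwritten before the `test ... = yes` line reads it and none of those `--enable-*`/`--disable-*` switches can take effect; the `configpath` block further down gets the order right. Move each default above its `AC_ARG_ENABLE`, e.g. `printtimezone=0` then `AC_ARG_ENABLE([printtimezone], ..., [printtimezone=$enableval])` then `test "$printtimezone" = yes && printtimezone=1`, and likewise for the other five. The `bind_version` pipeline can also yield an empty string when `dnssec-signzone` prints no `Version:` line, and `AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, ...)` then emits `#define BIND_VERSION` with no value, which breaks the `BIND_VERSION >= 940` preprocessor tests in dnssec-signer.c; guarding with `test -n "$bind_version" || bind_version=0` keeps that path consistent with the warning branch above it. The `sed` keeps only the first three digits, so a two-digit minor version (e.g. 9.10.0 → 910) would compare below 940; if that limit is accepted it deserves a comment next to the pipeline.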


@ -400,7 +400,7 @@ int dki_readdir (const char *dir, dki_t **listp, int recursive)
while ( (dentp = readdir (dirp)) != NULL )
{
if ( is_dotfile (dentp->d_name) )
if ( is_dotfilename (dentp->d_name) )
continue;
dbg_val ("directory: check %s\n", dentp->d_name);
@ -679,7 +679,6 @@ int dki_prt_dnskeyttl (const dki_t *dkp, FILE *fp, int ttl)
{
char *p;
dki_estr[0] = '\0';
if ( dkp == NULL )
return 0;
@ -711,7 +710,6 @@ int dki_prt_dnskey_raw (const dki_t *dkp, FILE *fp)
{
int days;
dki_estr[0] = '\0';
if ( dkp == NULL )
return 0;
@ -741,7 +739,6 @@ int dki_prt_comment (const dki_t *dkp, FILE *fp)
{
int len = 0;
dki_estr[0] = '\0';
if ( dkp == NULL )
return len;
len += fprintf (fp, "; %s ", dkp->name);
@ -761,7 +758,6 @@ int dki_prt_trustedkey (const dki_t *dkp, FILE *fp)
int spaces;
int len = 0;
dki_estr[0] = '\0';
if ( dkp == NULL )
return len;
len += fprintf (fp, "\"%s\" ", dkp->name);
@ -792,7 +788,6 @@ int dki_cmp (const dki_t *a, const dki_t *b)
{
int res;
dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
@ -816,7 +811,6 @@ int dki_allcmp (const dki_t *a, const dki_t *b)
{
int res;
dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
@ -842,7 +836,6 @@ int dki_allcmp (const dki_t *a, const dki_t *b)
*****************************************************************/
int dki_namecmp (const dki_t *a, const dki_t *b)
{
dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
@ -853,7 +846,6 @@ int dki_namecmp (const dki_t *a, const dki_t *b)
*****************************************************************/
int dki_tagcmp (const dki_t *a, const dki_t *b)
{
dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
@ -866,19 +858,26 @@ int dki_tagcmp (const dki_t *a, const dki_t *b)
*****************************************************************/
int dki_timecmp (const dki_t *a, const dki_t *b)
{
dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
return ((ulong)a->time - (ulong)b->time);
}
/*****************************************************************
** dki_algo () return the algorithm of the key
*****************************************************************/
time_t dki_algo (const dki_t *dkp)
{
assert (dkp != NULL);
return (dkp->algo);
}
/*****************************************************************
** dki_time () return the timestamp of the key
*****************************************************************/
time_t dki_time (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->time);
}
@ -888,7 +887,6 @@ time_t dki_time (const dki_t *dkp)
*****************************************************************/
time_t dki_exptime (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->exptime);
}
@ -898,7 +896,6 @@ time_t dki_exptime (const dki_t *dkp)
*****************************************************************/
time_t dki_lifetime (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->lifetime);
}
@ -908,7 +905,6 @@ time_t dki_lifetime (const dki_t *dkp)
*****************************************************************/
ushort dki_lifetimedays (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->lifetime / DAYSEC);
}
@ -918,7 +914,6 @@ ushort dki_lifetimedays (const dki_t *dkp)
*****************************************************************/
time_t dki_gentime (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->gentime > 0L ? dkp->gentime: dkp->time);
}
@ -933,7 +928,6 @@ ushort dki_setlifetime (dki_t *dkp, int days)
ulong lifetsec;
char path[MAX_PATHSIZE+1];
dki_estr[0] = '\0';
assert (dkp != NULL);
lifetsec = dkp->lifetime; /* old lifetime */
@ -959,7 +953,6 @@ time_t dki_setexptime (dki_t *dkp, time_t sec)
char path[MAX_PATHSIZE+1];
time_t oldexptime;
dki_estr[0] = '\0';
assert (dkp != NULL);
dbg_val1 ("dki_setexptime (%ld)\n", sec);
@ -980,7 +973,6 @@ time_t dki_setexptime (dki_t *dkp, time_t sec)
*****************************************************************/
int dki_age (const dki_t *dkp, time_t curr)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return ((ulong)curr - (ulong)dkp->time);
}
@ -990,7 +982,6 @@ int dki_age (const dki_t *dkp, time_t curr)
*****************************************************************/
dk_flag_t dki_getflag (const dki_t *dkp, time_t curr)
{
dki_estr[0] = '\0';
return dkp->flags;
}
@ -999,7 +990,6 @@ dk_flag_t dki_getflag (const dki_t *dkp, time_t curr)
*****************************************************************/
dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag)
{
dki_estr[0] = '\0';
return dkp->flags |= (ushort)flag;
}
@ -1008,7 +998,6 @@ dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag)
*****************************************************************/
dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag)
{
dki_estr[0] = '\0';
return dkp->flags &= ~((ushort)flag);
}
@ -1017,7 +1006,6 @@ dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag)
*****************************************************************/
int dki_isksk (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->flags & DK_FLAG_KSK) == DK_FLAG_KSK;
}
@ -1027,7 +1015,6 @@ int dki_isksk (const dki_t *dkp)
*****************************************************************/
int dki_isrevoked (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->flags & DK_FLAG_REVOKE) == DK_FLAG_REVOKE;
}
@ -1037,7 +1024,6 @@ int dki_isrevoked (const dki_t *dkp)
*****************************************************************/
int dki_isdepreciated (const dki_t *dkp)
{
dki_estr[0] = '\0';
return dki_status (dkp) == DKI_DEPRECIATED;
}
@ -1046,7 +1032,6 @@ int dki_isdepreciated (const dki_t *dkp)
*****************************************************************/
int dki_isactive (const dki_t *dkp)
{
dki_estr[0] = '\0';
return dki_status (dkp) == DKI_ACTIVE;
}
@ -1055,7 +1040,6 @@ int dki_isactive (const dki_t *dkp)
*****************************************************************/
int dki_ispublished (const dki_t *dkp)
{
dki_estr[0] = '\0';
return dki_status (dkp) == DKI_PUBLISHED;
}
@ -1065,7 +1049,6 @@ int dki_ispublished (const dki_t *dkp)
*****************************************************************/
dk_status_t dki_status (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->status);
}
@ -1075,7 +1058,6 @@ dk_status_t dki_status (const dki_t *dkp)
*****************************************************************/
const char *dki_statusstr (const dki_t *dkp)
{
dki_estr[0] = '\0';
assert (dkp != NULL);
switch ( dkp->status )
{
@ -1099,7 +1081,6 @@ dki_t *dki_add (dki_t **list, dki_t *new)
dki_t *curr;
dki_t *last;
dki_estr[0] = '\0';
if ( list == NULL )
return NULL;
if ( new == NULL )
@ -1129,7 +1110,6 @@ const dki_t *dki_search (const dki_t *list, int tag, const char *name)
{
const dki_t *curr;
dki_estr[0] = '\0';
curr = list;
if ( tag )
while ( curr && (tag != curr->tag ||
@ -1152,7 +1132,6 @@ dki_t *dki_tadd (dki_t **tree, dki_t *new)
{
dki_t **p;
dki_estr[0] = '\0';
p = tsearch (new, tree, dki_namecmp);
if ( *p == new )
dbg_val ("dki_tadd: New entry %s added\n", new->name);
@ -1174,7 +1153,6 @@ const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name)
dki_t search;
dki_t **p;
dki_estr[0] = '\0';
search.tag = tag;
snprintf (search.name, sizeof (search.name), "%s", name);
p = tfind (&search, &tree, dki_namecmp);
@ -1193,7 +1171,6 @@ const dki_t *dki_find (const dki_t *list, int ksk, int status, int no)
const dki_t *dkp;
const dki_t *last;
dki_estr[0] = '\0';
last = NULL;
for ( dkp = list; no > 0 && dkp; dkp = dkp->next )
if ( dki_isksk (dkp) == ksk && dki_status (dkp) == status )
@ -1204,3 +1181,24 @@ const dki_t *dki_find (const dki_t *list, int ksk, int status, int no)
return last;
}
/*****************************************************************
** dki_findalgo () find the n'th ksk or zsk key with given
** algorithm and status
*****************************************************************/
const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no)
{
const dki_t *dkp;
const dki_t *last;
last = NULL;
for ( dkp = list; no > 0 && dkp; dkp = dkp->next )
if ( dki_isksk (dkp) == ksk && dki_algo (dkp) == alg &&
dki_status (dkp) == status )
{
no--;
last = dkp;
}
return last;
}
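Review bot: `dki_algo` (hunk `@ -866,19 +858,26`) is declared to return `time_t`, which looks copied from the neighbouring `dki_time`; the value it returns is an algorithm number that `dki_findalgo` compares against an `int alg` and that `dki_algo2str (int algo)` in dki.h takes as `int`, so the signature should be `int dki_algo (const dki_t *dkp)` here and in the matching `extern time_t dki_algo (const dki_t *dkp);` line of dki.h (assuming the `algo` member is an int, which this hunk does not show). `dki_findalgo` mirrors `dki_find` but its header comment does not say that the `no`-th matching key is returned, or the last match when fewer than `no` exist, and NULL when there is none; spelling that out, e.g. `** returns the no'th matching key, or the last match if fewer than no exist`, makes the `no--`/`last` loop easier to follow.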


@ -163,6 +163,7 @@ extern int dki_isdepreciated (const dki_t *dkp);
extern int dki_isrevoked (const dki_t *dkp);
extern int dki_isactive (const dki_t *dkp);
extern int dki_ispublished (const dki_t *dkp);
extern time_t dki_algo (const dki_t *dkp);
extern time_t dki_time (const dki_t *dkp);
extern time_t dki_exptime (const dki_t *dkp);
extern time_t dki_gentime (const dki_t *dkp);
@ -179,6 +180,7 @@ extern dki_t *dki_add (dki_t **dkp, dki_t *new);
extern const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name);
extern const dki_t *dki_search (const dki_t *list, int tag, const char *name);
extern const dki_t *dki_find (const dki_t *list, int ksk, int status, int first);
extern const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no);
extern void dki_free (dki_t *dkp);
extern void dki_freelist (dki_t **listp);
extern char *dki_algo2str (int algo);


@ -57,6 +57,8 @@
# include "debug.h"
# include "misc.h"
# include "ncparse.h"
# include "nscomm.h"
# include "soaserial.h"
# include "zone.h"
# include "dki.h"
# include "rollover.h"
@ -100,9 +102,6 @@ static int check_keydb_timestamp (dki_t *keylist, time_t reftime);
static int new_keysetfiles (const char *dir, time_t zone_signing_time);
static int writekeyfile (const char *fname, const dki_t *list, int key_ttl);
static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf);
static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze);
static int reload_zone (const char *domain, const zconf_t *z);
static int dist_and_reload (const zone_t *zp);
static void register_key (dki_t *listp, const zconf_t *z);
static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf);
@ -112,11 +111,11 @@ extern int opterr;
extern int optind;
extern char *optarg;
const char *progname;
const char *viewname = NULL;
const char *logfile = NULL;
const char *origin = NULL;
const char *namedconf = NULL;
const char *dirname = NULL;
static const char *viewname = NULL;
static const char *logfile = NULL;
static const char *origin = NULL;
static const char *namedconf = NULL;
static const char *dirname = NULL;
static int verbose = 0;
static int force = 0;
static int reloadflag = 0;
@ -135,7 +134,9 @@ int main (int argc, char *const argv[])
{
int c;
int errcnt;
#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
int opt_index;
#endif
char errstr[255+1];
char *p;
const char *defconfname;
@ -147,7 +148,7 @@ int main (int argc, char *const argv[])
viewname = getnameappendix (progname, "dnssec-signer");
defconfname = getdefconfname (viewname);
config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
config = loadconfig ("", (zconf_t *)NULL); /* load build-in config */
if ( fileexist (defconfname) ) /* load default config file */
config = loadconfig (defconfname, config);
if ( config == NULL )
@ -202,11 +203,11 @@ int main (int argc, char *const argv[])
break;
#if defined(BIND_VERSION) && BIND_VERSION >= 940
case 'd':
#if BIND_VERSION >= 960
# if BIND_VERSION >= 960
set_bind96_dynzone (dynamic_zone);
#else
# else
set_bind94_dynzone(dynamic_zone);
#endif
# endif
/* dynamic zone requires a name server reload... */
reloadflag = 0; /* ...but "rndc thaw" reloads the zone anyway */
break;
@ -215,7 +216,8 @@ int main (int argc, char *const argv[])
noexec = 1;
break;
case 'r':
reloadflag = 1;
if ( !dynamic_zone ) /* dynamic zones don't need a rndc reload (see "-d" */
reloadflag = 1;
break;
case 'v':
verbose++;
@ -238,6 +240,7 @@ int main (int argc, char *const argv[])
/* store some of the commandline parameter in the config structure */
setconfigpar (config, "--view", viewname);
setconfigpar (config, "-v", &verbose);
setconfigpar (config, "--noexec", &noexec);
if ( logfile == NULL )
logfile = config->logfile;
@ -276,7 +279,7 @@ int main (int argc, char *const argv[])
memset (dir, '\0', sizeof (dir));
if ( config->zonedir )
strncpy (dir, config->zonedir, sizeof(dir));
if ( !parse_namedconf (namedconf, dir, sizeof (dir), add2zonelist) )
if ( !parse_namedconf (namedconf, config->chroot_dir, dir, sizeof (dir), add2zonelist) )
fatal ("Can't read file %s as namedconf file\n", namedconf);
if ( zonelist == NULL )
fatal ("No signed zone found in file %s\n", namedconf);
@ -423,7 +426,7 @@ static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf)
while ( (dentp = readdir (dirp)) != NULL )
{
if ( is_dotfile (dentp->d_name) )
if ( is_dotfilename (dentp->d_name) )
continue;
pathname (path, sizeof (path), dir, dentp->d_name, NULL);
@ -496,10 +499,16 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
if ( !newkey )
newkey = check_keydb_timestamp (zp->keys, file_mtime (path));
/* if we work in subdir mode, check if there is a new keyset- file */
newkeysetfile = 0;
#if defined(ALWAYS_CHECK_KEYSETFILES) && ALWAYS_CHECK_KEYSETFILES /* patch from Shane Wegner 15. June 2009 */
/* check if there is a new keyset- file */
if ( !newkey )
newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time);
#else
/* if we work in subdir mode, check if there is a new keyset- file */
if ( !newkey && zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 )
newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time);
#endif
/**
** Check if it is time to do a re-sign. This is the case if
@ -605,13 +614,21 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
pathname (zfile, sizeof (zfile), zp->dir, zp->file, NULL);
pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
if ( filesize (path) == 0L ) /* initial signing request */
if ( filesize (path) == 0L ) /* initial signing request ? */
{
verbmesg (1, zp->conf, "\tDynamic Zone signing: Initial signing request: Add DNSKEYs to zonefile\n");
copyfile (zfile, path, zp->conf->keyfile);
}
#if 1
else if ( zfile_time > zfilesig_time ) /* zone.db is newer than signed file */
{
verbmesg (1, zp->conf, "\tDynamic Zone signing: zone file manually edited: Use it as new input file\n");
copyfile (zfile, path, NULL);
}
#endif
verbmesg (1, zp->conf, "\tDynamic Zone signing: copy old signed zone file %s to new input file %s\n",
path, zfile);
if ( newkey ) /* if we have new keys, they should be added to the zone file */
copyzonefile (path, zfile, zp->conf->keyfile);
else /* else we can do a simple file copy */
@ -621,7 +638,7 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
timer = start_timer ();
if ( (err = sign_zone (zp->dir, zp->zone, zp->file, zp->conf)) < 0 )
{
error ("Signing of zone %s failed (%d)!\n", zp->zone, err);
error ("\tSigning of zone %s failed (%d)!\n", zp->zone, err);
lg_mesg (LG_ERROR, "\"%s\": signing failed!", zp->zone);
}
timer = stop_timer (timer);
@ -629,6 +646,7 @@ static int dosigning (zone_t *zonelist, zone_t *zp)
if ( dynamic_zone )
dyn_update_freeze (zp->zone, zp->conf, 0); /* thaw dynamic zone file */
if ( err >= 0 )
{
const char *tstr = str_delspace (age2str (timer));
@ -807,27 +825,12 @@ static int sign_zone (const char *dir, const char *domain, const char *file, con
nsec3param[0] = '\0';
#if defined(BIND_VERSION) && BIND_VERSION >= 960
if ( conf->z_algo == DK_ALGO_NSEC3DSA || conf->z_algo == DK_ALGO_NSEC3RSASHA1 )
if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 )
{
static char hexstr[] = "0123456789ABCDEF";
static int seed = 0;
char salt[510+1]; /* salt has a maximum of 255 bytes == 510 hex nibbles */
int saltlen = 0; /* current length of salt in hex nibbles */
int i;
int hex;
if ( seed == 0 )
srandom (seed = (unsigned int)time (NULL));
saltlen = conf->saltbits / 4;
for ( i = 0; i < saltlen; i++ )
{
hex = random () % 16;
assert ( hex >= 0 && hex < 16 );
salt[i] = hexstr[hex];
}
salt[i] = '\0';
snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
if ( gensalt (salt, sizeof (salt), conf->saltbits) )
snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
}
#endif
@ -847,23 +850,34 @@ static int sign_zone (const char *dir, const char *domain, const char *file, con
dbg_line();
#if defined(BIND_VERSION) && BIND_VERSION >= 940
if ( dynamic_zone )
snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s-o %s -e +%d %s -N increment -f %s.dsigned %s K*.private",
dir, SIGNCMD, param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1",
dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
else
#endif
snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%d %s %s K*.private",
snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1",
dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
verbmesg (2, conf, "\t Run cmd \"%s\"\n", cmd);
*str = '\0';
if ( noexec == 0 )
{
#if 0
if ( (fp = popen (cmd, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
return -1;
#else
if ( (fp = popen (cmd, "r")) == NULL )
return -1;
str[0] = '\0';
while ( fgets (str, sizeof str, fp) != NULL ) /* eat up all output until the last line */
;
#endif
pclose (fp);
}
dbg_line();
verbmesg (2, conf, "\t Cmd dnssec-signzone return: \"%s\"\n", str_chop (str, '\n'));
len = strlen (str) - 6;
if ( len < 0 || strcmp (str+len, "signed") != 0 )
return -1;
return 0;
}
@ -897,155 +911,3 @@ static void copy_keyset (const char *dir, const char *domain, const zconf_t *con
}
}
}
static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)
{
char cmdline[254+1];
char str[254+1];
char *action;
FILE *fp;
assert (z != NULL);
if ( freeze )
action = "freeze";
else
action = "thaw";
if ( z->view )
snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
else
snprintf (str, sizeof (str), "\"%s\"", domain);
lg_mesg (LG_NOTICE, "%s: %s dynamic zone", str, action);
verbmesg (1, z, "\t%s dynamic zone %s\n", action, str);
if ( z->view )
snprintf (cmdline, sizeof (cmdline), "%s %s %s IN %s", RELOADCMD, action, domain, z->view);
else
snprintf (cmdline, sizeof (cmdline), "%s %s %s", RELOADCMD, action, domain);
verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline);
*str = '\0';
if ( noexec == 0 )
{
if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
return -1;
pclose (fp);
}
verbmesg (2, z, "\t rndc %s return: \"%s\"\n", action, str_chop (str, '\n'));
return 0;
}
/*****************************************************************
** distribute and reload a zone via "distribute_command"
*****************************************************************/
static int dist_and_reload (const zone_t *zp)
{
char path[MAX_PATHSIZE+1];
char cmdline[254+1];
char zone[254+1];
char str[254+1];
FILE *fp;
assert (zp != NULL);
assert (zp->conf->dist_cmd != NULL);
if ( !is_exec_ok (zp->conf->dist_cmd) )
{
char *mesg;
if ( getuid () == 0 )
mesg = "\tDistribution command %s not run as root\n";
else
mesg = "\tDistribution command %s not run due to strange file mode settings\n";
verbmesg (1, zp->conf, mesg, zp->conf->dist_cmd);
lg_mesg (LG_ERROR, "exec of distribution command %s disabled due to security reasons", zp->conf->dist_cmd);
return -1;
}
if ( zp->conf->view )
snprintf (zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view);
else
snprintf (zone, sizeof (zone), "\"%s\"", zp->zone);
pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
lg_mesg (LG_NOTICE, "%s: distribution triggered", zone);
verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone);
if ( zp->conf->view )
snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
else
snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path);
*str = '\0';
if ( noexec == 0 )
{
verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline);
if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
return -2;
pclose (fp);
verbmesg (2, zp->conf, "\t %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
}
lg_mesg (LG_NOTICE, "%s: reload triggered", zone);
verbmesg (1, zp->conf, "\tReload zone %s\n", zone);
if ( zp->conf->view )
snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
else
snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path);
*str = '\0';
if ( noexec == 0 )
{
verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline);
if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
return -2;
pclose (fp);
verbmesg (2, zp->conf, "\t %s reload return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
}
return 0;
}
/*****************************************************************
** reload a zone via "rndc"
*****************************************************************/
static int reload_zone (const char *domain, const zconf_t *z)
{
char cmdline[254+1];
char str[254+1];
FILE *fp;
assert (z != NULL);
// fprintf (stderr, "reload_zone %d :%s: :%s:\n", z->verbosity, domain, z->view);
if ( z->view )
snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
else
snprintf (str, sizeof (str), "\"%s\"", domain);
lg_mesg (LG_NOTICE, "%s: reload triggered", str);
verbmesg (1, z, "\tReload zone %s\n", str);
if ( z->view )
snprintf (cmdline, sizeof (cmdline), "%s reload %s IN %s", RELOADCMD, domain, z->view);
else
snprintf (cmdline, sizeof (cmdline), "%s reload %s", RELOADCMD, domain);
*str = '\0';
if ( noexec == 0 )
{
verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline);
if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
return -1;
pclose (fp);
verbmesg (2, z, "\t rndc reload return: \"%s\"\n", str_chop (str, '\n'));
}
return 0;
}


@ -428,7 +428,7 @@ static void usage (char *mesg, zconf_t *cp)
sopt_usage ("\tusage: %s -C <name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
lopt_usage ("\tusage: %s --create=<name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
fprintf (stderr, "\t\tKSK (use -k): %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits);
fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->z_algo), cp->z_bits);
fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->k_algo), cp->z_bits);
fprintf (stderr, "\n");
fprintf (stderr, "Change key status of specified key to published, active or depreciated\n");
fprintf (stderr, "\t(<keyspec> := tag | tag:name) \n");
@ -508,7 +508,7 @@ static void createkey (const char *keyname, const dki_t *list, const zconf_t *co
}
if ( zskflag )
dkp = dki_new (dir, keyname, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
dkp = dki_new (dir, keyname, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
else
dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
if ( dkp == NULL )
@ -657,7 +657,7 @@ static void ksk_roll (const char *keyname, int phase, const dki_t *list, const z
}
// dkp = keylist; /* use old key to create the parent file */
if ( (dkp = (dki_t *)dki_find (keylist, 1, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */
if ( (dkp = (dki_t *)dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */
fatal ("ksk_rollover phase1: Couldn't find the old active key\n");
if ( !create_parent_file (path, phase, key_ttl, dkp) )
fatal ("Couldn't create parentfile %s\n", path);
@ -743,7 +743,7 @@ static int parsedirectory (const char *dir, dki_t **listp)
while ( (dentp = readdir (dirp)) != NULL )
{
if ( is_dotfile (dentp->d_name) )
if ( is_dotfilename (dentp->d_name) )
continue;
dbg_val ("directory: check %s\n", dentp->d_name);
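Review bot: In ksk_roll the lookup now filters on conf->k_algo, but the fatal message on the line after it still says "Couldn't find the old active key", so when KeyAlgorithm in dnssec.conf was changed after the current KSK was generated the rollover aborts without telling the operator that the algorithm mismatch is the cause. Naming the algorithm in the diagnostic makes that failure self-explanatory: `fatal ("ksk_rollover phase1: Couldn't find an old active key for algorithm %s\n", dki_algo2str (conf->k_algo));` (dki_algo2str is already used in usage() above). The trailing comment could likewise read `/* find the oldest active ksk with the configured algorithm to create the parent file */`, since "oldest active ksk" no longer describes the full condition. ksk_roll's body begins and ends outside the hunk.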


@ -0,0 +1,95 @@
.NH 1
DNS Key Status Types and Filenames
.PP
.TS
cfB | cfB s | cfB s | cfB | cfB
cfB | cfB | cfB | cfB | cfB | cfB | cfB
l | l | n | l | l | c | lfCW .
Status Key Filename used for dnssec-zkt
\^ Type Flags public private signing? label
_
active ZSK 256 .key .private y act ive
KSK 257 .key .private y act ive
.sp 0.2
published ZSK 256 .key .published n pub lished
KSK 257 .key .private n sta ndby
.sp 0.2
depreciated (retired) ZSK 256 .key .depreciated n dep reciated
.sp 0.2
revoked KSK 385 .key .private y rev oked
.sp 0.2
removed KSK 257 k*.key k*.private n -
.sp 0.2
sep KSK 257 .key - n sep
.ig
.sp 0.2
(master KSK 257 M...key .private n -)
..
.TE
.SP 2
.NH 1
Key rollover
.PP
.NH 2
Zone signing key rollover (pre-publish RFC4641)
.PP
.TS
rfB cfB |cfB |cfB |cfB
lfB |cfB |cfB |cfB |cfB
l |l |l |l |l .
action create change remove
keys newkey sig key old key
_
zsk1 active active depreciated
zsk2 published active active
.sp 0.3
RRSIG zsk1 zsk1 zsk2 zsk2
.TE
.SP 2
.NH 2
Key signing key rollover (double signature RFC4641)
.PP
.TS
rfB cfB |cfB |cfB |cfB
lfB |cfB |cfB |cfB |cfB
l |l |l |l |l .
action create change remove
keys newkey delegation old key
_
ksk\d1\u active active active
ksk\d2\u active active active
.sp 0.3
DNSKEY RRSIG ksk1 ksk1,ksk2 ksk1,ksk2 ksk2
.sp 0.3
DS at parent DS\d1\u DS\d1\u DS\d2\u DS\d2\u
.TE
.\"RRSIG DNSKEY\dksk1\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk2\u
.SP 2
.NH 2
Key signing key rollover (rfc5011)
.PP
.TS
rfB cfB |cfB |cfB
lfB |cfB |cfB |cfB
l |l |l |l .
action newkey change delegation
keys & rollover & remove old key
_
ksk\d1\u active revoke\v'-0.2'\(dg\v'+0.2'
ksk\d2\u standby active active
ksk\d3\u standby\v'-0.2'\(dd\v'+0.2' standby
.sp 0.3
DNSKEY RRSIG ksk1 ksk1,ksk2 ksk2
.sp 0.3
Parent DS DS\d1\u DS\d1\u DS\d2\u
DS\d2\u DS\d2\u DS\d3\u
.TE
.LP
\v'-0.2'\(dg\v'0.2'
Have to remain until the remove hold-down time is expired,
which is 30days at a minimum.
.LP
\v'-0.2'\(dd\v'0.2'
Will be the standby key after the hold-down time is expired
.br
Add holdtime \(eq max(30days, TTL of DNSKEY)


@ -0,0 +1,304 @@
%!PS-Adobe-3.0
%%Creator: groff version 1.19.2
%%CreationDate: Mon Jul 14 23:23:30 2008
%%DocumentNeededResources: font Times-Bold
%%+ font Times-Roman
%%+ font Courier
%%+ font Symbol
%%DocumentSuppliedResources: procset grops 1.19 2
%%Pages: 1
%%PageOrder: Ascend
%%DocumentMedia: Default 595 842 0 () ()
%%Orientation: Portrait
%%EndComments
%%BeginDefaults
%%PageMedia: Default
%%EndDefaults
%%BeginProlog
%%BeginResource: procset grops 1.19 2
%!PS-Adobe-3.0 Resource-ProcSet
/setpacking where{
pop
currentpacking
true setpacking
}if
/grops 120 dict dup begin
/SC 32 def
/A/show load def
/B{0 SC 3 -1 roll widthshow}bind def
/C{0 exch ashow}bind def
/D{0 exch 0 SC 5 2 roll awidthshow}bind def
/E{0 rmoveto show}bind def
/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
/G{0 rmoveto 0 exch ashow}bind def
/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/I{0 exch rmoveto show}bind def
/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
/K{0 exch rmoveto 0 exch ashow}bind def
/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/M{rmoveto show}bind def
/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
/O{rmoveto 0 exch ashow}bind def
/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/Q{moveto show}bind def
/R{moveto 0 SC 3 -1 roll widthshow}bind def
/S{moveto 0 exch ashow}bind def
/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/SF{
findfont exch
[exch dup 0 exch 0 exch neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
/MF{
findfont
[5 2 roll
0 3 1 roll
neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
/level0 0 def
/RES 0 def
/PL 0 def
/LS 0 def
/MANUAL{
statusdict begin/manualfeed true store end
}bind def
/PLG{
gsave newpath clippath pathbbox grestore
exch pop add exch pop
}bind def
/BP{
/level0 save def
1 setlinecap
1 setlinejoin
72 RES div dup scale
LS{
90 rotate
}{
0 PL translate
}ifelse
1 -1 scale
}bind def
/EP{
level0 restore
showpage
}def
/DA{
newpath arcn stroke
}bind def
/SN{
transform
.25 sub exch .25 sub exch
round .25 add exch round .25 add exch
itransform
}bind def
/DL{
SN
moveto
SN
lineto stroke
}bind def
/DC{
newpath 0 360 arc closepath
}bind def
/TM matrix def
/DE{
TM currentmatrix pop
translate scale newpath 0 0 .5 0 360 arc closepath
TM setmatrix
}bind def
/RC/rcurveto load def
/RL/rlineto load def
/ST/stroke load def
/MT/moveto load def
/CL/closepath load def
/Fr{
setrgbcolor fill
}bind def
/setcmykcolor where{
pop
/Fk{
setcmykcolor fill
}bind def
}if
/Fg{
setgray fill
}bind def
/FL/fill load def
/LW/setlinewidth load def
/Cr/setrgbcolor load def
/setcmykcolor where{
pop
/Ck/setcmykcolor load def
}if
/Cg/setgray load def
/RE{
findfont
dup maxlength 1 index/FontName known not{1 add}if dict begin
{
1 index/FID ne{def}{pop pop}ifelse
}forall
/Encoding exch def
dup/FontName exch def
currentdict end definefont pop
}bind def
/DEFS 0 def
/EBEGIN{
moveto
DEFS begin
}bind def
/EEND/end load def
/CNT 0 def
/level1 0 def
/PBEGIN{
/level1 save def
translate
div 3 1 roll div exch scale
neg exch neg exch translate
0 setgray
0 setlinecap
1 setlinewidth
0 setlinejoin
10 setmiterlimit
[]0 setdash
/setstrokeadjust where{
pop
false setstrokeadjust
}if
/setoverprint where{
pop
false setoverprint
}if
newpath
/CNT countdictstack def
userdict begin
/showpage{}def
/setpagedevice{}def
}bind def
/PEND{
countdictstack CNT sub{end}repeat
level1 restore
}bind def
end def
/setpacking where{
pop
setpacking
}if
%%EndResource
%%EndProlog
%%BeginSetup
%%BeginFeature: *PageSize Default
<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice
%%EndFeature
%%IncludeResource: font Times-Bold
%%IncludeResource: font Times-Roman
%%IncludeResource: font Courier
%%IncludeResource: font Symbol
grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
/Times-Bold@0 ENC0/Times-Bold RE
%%EndSetup
%%Page: 1 1
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G
(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235
(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G
(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57
(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E
(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0
SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E
26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10
/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89
E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2
(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F
26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1
17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E
-.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1
(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69
-.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1
(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385)
-64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G
46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G
61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H
(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52
(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695
E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL
280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1
196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r)
-.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. Zone)72 285.2 R
(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr)
-2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035
(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72
318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo)
.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62
(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d)
-.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41
-.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R
33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32
297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95
362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo)
-.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G
(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F
-.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1
F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72
428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H
(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q
(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a)
-.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09
(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q
(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2)
5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48
402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. K)72 511.2 R
(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G
(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1
F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo)
.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1
(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8
Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1
(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N
33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I
(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4
Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E
(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q
(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5
DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha)
2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3
-.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E
(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5
2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E
(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol
SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP
%%Trailer
end
%%EOF


@ -0,0 +1,616 @@
Intended Status: Informational O. Gudmundsson
Network Working Group OGUD Consulting LLC
Internet-Draft J. Ihren
Expires: August 21, 2008 AAB
February 18, 2008
Names of States in the life of a DNSKEY
draft-gudmundsson-life-of-dnskey-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 21, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2008).
Gudmundsson & Ihren Expires August 21, 2008 [Page 1]
Internet-Draft DNSSEC Key life stages. February 2008
Abstract
This document recommends a specific terminology to use when
expressing the state that a DNSKEY is in at particular time. This
does not affect how the protocol operates in any way.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. DNSKEY timeline . . . . . . . . . . . . . . . . . . . . . . . 4
3. Life stages of a DNSKEY . . . . . . . . . . . . . . . . . . . 5
3.1. Generated . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Published . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2.1. Pre-Publication . . . . . . . . . . . . . . . . . . . 5
3.2.2. Out-Of-Band Publication . . . . . . . . . . . . . . . 5
3.3. Active . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.4. Retired . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.5. Removed . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.5.1. Lame . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.5.2. Stale . . . . . . . . . . . . . . . . . . . . . . . . 6
3.6. Revoked . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Security considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1. Normative References . . . . . . . . . . . . . . . . . . . 9
6.2. Informative References . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
Intellectual Property and Copyright Statements . . . . . . . . . . 11
Gudmundsson & Ihren Expires August 21, 2008 [Page 2]
Internet-Draft DNSSEC Key life stages. February 2008
1. Introduction
When the editors of this document where comparing their DNSSEC key
management projects they discovered that they where discussing
roughly the same thing but using different terminology.
This document presents a unified terminology to use when describing
the current state of a DNSKEY.
The DNSSEC standards documents ([1], [2] and [3]) do not address the
required states for the key management of a DNSSEC key. The DNSSEC
Operational Practices [4] document does propose that keys be
published before use but uses inconsistent or confusing terms. This
document assumes basic understanding of DNSSEC and key management.
The terms proposed in this document attempt to avoid any confusion
and make the states of keys to be as clear as possible. The terms
used in this document are intended as a operational supplement to the
terms defined in Section 2 of [1].
To large extent this discussion is motivated by Trust anchor keys but
the same terminology can be used for zone signing keys.
Gudmundsson & Ihren Expires August 21, 2008 [Page 3]
Internet-Draft DNSSEC Key life stages. February 2008
2. DNSKEY timeline
The model in this document is that keys progress through a state
machine along a one-way path, keys never move to an earlier states.
GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED
| ^ | | | ^
| | | | v |
+--> Pre-PUBLISHED--+ +--------+---------> REVOKED ---+
DNSKEY time line.
There are few more states that are defined below but these apply only
to the publisher of TA's and the consumer of TA's. Two of these are
sub-sets of the Published state, the other two are error states.
Gudmundsson & Ihren Expires August 21, 2008 [Page 4]
Internet-Draft DNSSEC Key life stages. February 2008
3. Life stages of a DNSKEY
3.1. Generated
Once a key is generated it enters state Generated and stays there
until the next state. While in this state only the owner of the key
is aware of its existence and can prepare for its future use.
3.2. Published
Once the key is added to the DNSKEY set of a zone the key is there
for the world to see, or published. The key needs to remain in this
state for some time to propagate to all validators that have cached
the prior version of the DNSKEY set. In the case of KSK the key
should remain in this state for a longer time as documented in DNSSEC
Timers RFC [5].
3.2.1. Pre-Publication
In certain circumstances a zone owner may want to give out a new
Trust Anchor before exposing the actual public key. In this case the
zone can publish a DS record of the key. This allows others to
configure the trust anchor but will not be able to use the key until
the key is published in the DNSKEY RRset.
3.2.2. Out-Of-Band Publication
In certain circumstances a domain may want to give out a new Trust
Anchor outside DNS to give others a long lead time to configure the
new key as trust anchor. The reason people may want to do this is to
keep the size of the DNSKEY set smaller and only add new trust anchor
just before the key goes into use. One likely use for this is the
DNS "." root key as it does not have a parent that can publish a DS
record for it. The publication mechanism does not matter it can be
any one of web-site, advertisement in Financial Times and other
international publication, e-mail to DNS related mailing lists, etc..
3.3. Active
The key is in ACTIVE state while it is actively signing data in the
zone it resides in. It is one of the the keys that are signing the
zone or parts of the zone.
3.4. Retired
When the key is no longer used for signing the zone it enters state
Retired. In this state there may still be signatures by the key in
cached data from the zone available at recursive servers, but the
Gudmundsson & Ihren Expires August 21, 2008 [Page 5]
Internet-Draft DNSSEC Key life stages. February 2008
authoritative servers for the zone do no longer carry any signatures
generated by the key.
3.5. Removed
Once the key is removed from the DNSKEY RRset it enters the state
Removed. At this point all signatures by the key that may still be
temporarily valid will fail to verify once the validator refreshes
the DNSKEY RRset in its memory.
Therefore "removal" of a key is typically not done until all the
cached signatures have expired. Entering this state too early may
cause number of validators to end up with STALE Trust Anchors.
3.5.1. Lame
A Trust Anchor is Lame if the parent continues to publish DS pointing
to the key after it has been removed from the DNSKEY RRset. A Trust
Anchor is arguably Lame if there are no signatures by a Retired KSK
in the zone.
3.5.2. Stale
A Stale Trust Anchor is an old TA that remains in a validators list
of active key(s) after the key has been removed from the zone's
DNSKEY RRset.
3.6. Revoked
There are times when a zone wants to signal that a particular key
should not be used at all. The mechanism to do this is to set the
REVOKE bit [5]. Any key in any of the while the key is the DNSSKEY
set can be exited to Revoked state. After some time in the Revoke
state the key will be Removed.
Gudmundsson & Ihren Expires August 21, 2008 [Page 6]
Internet-Draft DNSSEC Key life stages. February 2008
4. Security considerations
TBD
Gudmundsson & Ihren Expires August 21, 2008 [Page 7]
Internet-Draft DNSSEC Key life stages. February 2008
5. IANA considerations
This document does not have any IANA actions.
Gudmundsson & Ihren Expires August 21, 2008 [Page 8]
Internet-Draft DNSSEC Key life stages. February 2008
6. References
6.1. Normative References
6.2. Informative References
[1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033,
March 2005.
[2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Resource Records for the DNS Security Extensions", RFC 4034,
March 2005.
[3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Protocol Modifications for the DNS Security Extensions",
RFC 4035, March 2005.
[4] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
RFC 4641, September 2006.
[5] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
Anchors", RFC 5011, September 2007.
Gudmundsson & Ihren Expires August 21, 2008 [Page 9]
Internet-Draft DNSSEC Key life stages. February 2008
Authors' Addresses
Olafur Gudmundsson
OGUD Consulting LLC
3821 Village Park Drive
Chevy Chase, MD 20815
USA
Email: ogud@ogud.com
Johan Ihren
Automatica, AB
Bellmansgatan 30
Stockholm, SE-118 47
Sweden
Email: johani@automatica.se
Gudmundsson & Ihren Expires August 21, 2008 [Page 10]
Internet-Draft DNSSEC Key life stages. February 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Gudmundsson & Ihren Expires August 21, 2008 [Page 11]


1963
contrib/zkt/doc/rfc4641.txt Normal file


787
contrib/zkt/doc/rfc5011.txt Normal file

@ -0,0 +1,787 @@
Network Working Group M. StJohns
Request for Comments: 5011 Independent
Category: Standards Track September 2007
Automated Updates of DNS Security (DNSSEC) Trust Anchors
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This document describes a means for automated, authenticated, and
authorized updating of DNSSEC "trust anchors". The method provides
protection against N-1 key compromises of N keys in the trust point
key set. Based on the trust established by the presence of a current
anchor, other anchors may be added at the same place in the
hierarchy, and, ultimately, supplant the existing anchor(s).
This mechanism will require changes to resolver management behavior
(but not resolver resolution behavior), and the addition of a single
flag bit to the DNSKEY record.
StJohns Standards Track [Page 1]
RFC 5011 Trust Anchor Update September 2007
Table of Contents
1. Introduction ....................................................2
1.1. Compliance Nomenclature ....................................3
2. Theory of Operation .............................................3
2.1. Revocation .................................................4
2.2. Add Hold-Down ..............................................4
2.3. Active Refresh .............................................5
2.4. Resolver Parameters ........................................6
2.4.1. Add Hold-Down Time ..................................6
2.4.2. Remove Hold-Down Time ...............................6
2.4.3. Minimum Trust Anchors per Trust Point ...............6
3. Changes to DNSKEY RDATA Wire Format .............................6
4. State Table .....................................................6
4.1. Events .....................................................7
4.2. States .....................................................7
5. Trust Point Deletion ............................................8
6. Scenarios - Informative .........................................9
6.1. Adding a Trust Anchor ......................................9
6.2. Deleting a Trust Anchor ....................................9
6.3. Key Roll-Over .............................................10
6.4. Active Key Compromised ....................................10
6.5. Stand-by Key Compromised ..................................10
6.6. Trust Point Deletion ......................................10
7. IANA Considerations ............................................11
8. Security Considerations ........................................11
8.1. Key Ownership vs. Acceptance Policy .......................11
8.2. Multiple Key Compromise ...................................12
8.3. Dynamic Updates ...........................................12
9. Normative References ...........................................12
10. Informative References ........................................12
1. Introduction
As part of the reality of fielding DNSSEC (Domain Name System
Security Extensions) [RFC4033] [RFC4034] [RFC4035], the community has
come to the realization that there will not be one signed name space,
but rather islands of signed name spaces each originating from
specific points (i.e., 'trust points') in the DNS tree. Each of
those islands will be identified by the trust point name, and
validated by at least one associated public key. For the purpose of
this document, we'll call the association of that name and a
particular key a 'trust anchor'. A particular trust point can have
more than one key designated as a trust anchor.
For a DNSSEC-aware resolver to validate information in a DNSSEC
protected branch of the hierarchy, it must have knowledge of a trust
anchor applicable to that branch. It may also have more than one
StJohns Standards Track [Page 2]
RFC 5011 Trust Anchor Update September 2007
trust anchor for any given trust point. Under current rules, a chain
of trust for DNSSEC-protected data that chains its way back to ANY
known trust anchor is considered 'secure'.
Because of the probable balkanization of the DNSSEC tree due to
signing voids at key locations, a resolver may need to know literally
thousands of trust anchors to perform its duties (e.g., consider an
unsigned ".COM"). Requiring the owner of the resolver to manually
manage these many relationships is problematic. It's even more
problematic when considering the eventual requirement for key
replacement/update for a given trust anchor. The mechanism described
herein won't help with the initial configuration of the trust anchors
in the resolvers, but should make trust point key
replacement/rollover more viable.
As mentioned above, this document describes a mechanism whereby a
resolver can update the trust anchors for a given trust point, mainly
without human intervention at the resolver. There are some corner
cases discussed (e.g., multiple key compromise) that may require
manual intervention, but they should be few and far between. This
document DOES NOT discuss the general problem of the initial
configuration of trust anchors for the resolver.
1.1. Compliance Nomenclature
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, [RFC2119].
2. Theory of Operation
The general concept of this mechanism is that existing trust anchors
can be used to authenticate new trust anchors at the same point in
the DNS hierarchy. When a zone operator adds a new SEP key (i.e., a
DNSKEY with the Secure Entry Point bit set) (see [RFC4034], Section
2.1.1) to a trust point DNSKEY RRSet, and when that RRSet is
validated by an existing trust anchor, then the resolver can add the
new key to its set of valid trust anchors for that trust point.
There are some issues with this approach that need to be mitigated.
For example, a compromise of one of the existing keys could allow an
attacker to add their own 'valid' data. This implies a need for a
method to revoke an existing key regardless of whether or not that
key is compromised. As another example, assuming a single key
compromise, we need to prevent an attacker from adding a new key and
revoking all the other old keys.
StJohns Standards Track [Page 3]
RFC 5011 Trust Anchor Update September 2007
2.1. Revocation
Assume two trust anchor keys A and B. Assume that B has been
compromised. Without a specific revocation bit, B could invalidate A
simply by sending out a signed trust point key set that didn't
contain A. To fix this, we add a mechanism that requires knowledge
of the private key of a DNSKEY to revoke that DNSKEY.
A key is considered revoked when the resolver sees the key in a
self-signed RRSet and the key has the REVOKE bit (see Section 7
below) set to '1'. Once the resolver sees the REVOKE bit, it MUST
NOT use this key as a trust anchor or for any other purpose except to
validate the RRSIG it signed over the DNSKEY RRSet specifically for
the purpose of validating the revocation. Unlike the 'Add' operation
below, revocation is immediate and permanent upon receipt of a valid
revocation at the resolver.
A self-signed RRSet is a DNSKEY RRSet that contains the specific
DNSKEY and for which there is a corresponding validated RRSIG record.
It's not a special DNSKEY RRSet, just a way of describing the
validation requirements for that RRSet.
N.B.: A DNSKEY with the REVOKE bit set has a different fingerprint
than one without the bit set. This affects the matching of a DNSKEY
to DS records in the parent [RFC3755], or the fingerprint stored at a
resolver used to configure a trust point.
In the given example, the attacker could revoke B because it has
knowledge of B's private key, but could not revoke A.
2.2. Add Hold-Down
Assume two trust point keys A and B. Assume that B has been
compromised. An attacker could generate and add a new trust anchor
key C (by adding C to the DNSKEY RRSet and signing it with B), and
then invalidate the compromised key. This would result in both the
attacker and owner being able to sign data in the zone and have it
accepted as valid by resolvers.
To mitigate but not completely solve this problem, we add a hold-down
time to the addition of the trust anchor. When the resolver sees a
new SEP key in a validated trust point DNSKEY RRSet, the resolver
starts an acceptance timer, and remembers all the keys that validated
the RRSet. If the resolver ever sees the DNSKEY RRSet without the
new key but validly signed, it stops the acceptance process for that
key and resets the acceptance timer. If all of the keys that were
StJohns Standards Track [Page 4]
RFC 5011 Trust Anchor Update September 2007
originally used to validate this key are revoked prior to the timer
expiring, the resolver stops the acceptance process and resets the
timer.
Once the timer expires, the new key will be added as a trust anchor
the next time the validated RRSet with the new key is seen at the
resolver. The resolver MUST NOT treat the new key as a trust anchor
until the hold-down time expires AND it has retrieved and validated a
DNSKEY RRSet after the hold-down time that contains the new key.
N.B.: Once the resolver has accepted a key as a trust anchor, the key
MUST be considered a valid trust anchor by that resolver until
explicitly revoked as described above.
In the given example, the zone owner can recover from a compromise by
revoking B and adding a new key D and signing the DNSKEY RRSet with
both A and B.
The reason this does not completely solve the problem has to do with
the distributed nature of DNS. The resolver only knows what it sees.
A determined attacker who holds one compromised key could keep a
single resolver from realizing that the key had been compromised by
intercepting 'real' data from the originating zone and substituting
their own (e.g., using the example, signed only by B). This is no
worse than the current situation assuming a compromised key.
2.3. Active Refresh
A resolver that has been configured for an automatic update of keys
from a particular trust point MUST query that trust point (e.g., do a
lookup for the DNSKEY RRSet and related RRSIG records) no less often
than the lesser of 15 days, half the original TTL for the DNSKEY
RRSet, or half the RRSIG expiration interval and no more often than
once per hour. The expiration interval is the amount of time from
when the RRSIG was last retrieved until the expiration time in the
RRSIG. That is, queryInterval = MAX(1 hr, MIN (15 days, 1/2*OrigTTL,
1/2*RRSigExpirationInterval))
If the query fails, the resolver MUST repeat the query until
satisfied no more often than once an hour and no less often than the
lesser of 1 day, 10% of the original TTL, or 10% of the original
expiration interval. That is, retryTime = MAX (1 hour, MIN (1 day,
.1 * origTTL, .1 * expireInterval)).
StJohns Standards Track [Page 5]
RFC 5011 Trust Anchor Update September 2007
2.4. Resolver Parameters
2.4.1. Add Hold-Down Time
The add hold-down time is 30 days or the expiration time of the
original TTL of the first trust point DNSKEY RRSet that contained the
new key, whichever is greater. This ensures that at least two
validated DNSKEY RRSets that contain the new key MUST be seen by the
resolver prior to the key's acceptance.
2.4.2. Remove Hold-Down Time
The remove hold-down time is 30 days. This parameter is solely a key
management database bookeeping parameter. Failure to remove
information about the state of defunct keys from the database will
not adversely impact the security of this protocol, but may end up
with a database cluttered with obsolete key information.
2.4.3. Minimum Trust Anchors per Trust Point
A compliant resolver MUST be able to manage at least five SEP keys
per trust point.
3. Changes to DNSKEY RDATA Wire Format
Bit 8 of the DNSKEY Flags field is designated as the 'REVOKE' flag.
If this bit is set to '1', AND the resolver sees an RRSIG(DNSKEY)
signed by the associated key, then the resolver MUST consider this
key permanently invalid for all purposes except for validating the
revocation.
4. State Table
The most important thing to understand is the resolver's view of any
key at a trust point. The following state table describes this view
at various points in the key's lifetime. The table is a normative
part of this specification. The initial state of the key is 'Start'.
The resolver's view of the state of the key changes as various events
occur.
This is the state of a trust-point key as seen from the resolver.
The column on the left indicates the current state. The header at
the top shows the next state. The intersection of the two shows the
event that will cause the state to transition from the current state
to the next.
StJohns Standards Track [Page 6]
RFC 5011 Trust Anchor Update September 2007
NEXT STATE
--------------------------------------------------
FROM |Start |AddPend |Valid |Missing|Revoked|Removed|
----------------------------------------------------------
Start | |NewKey | | | | |
----------------------------------------------------------
AddPend |KeyRem | |AddTime| | | |
----------------------------------------------------------
Valid | | | |KeyRem |Revbit | |
----------------------------------------------------------
Missing | | |KeyPres| |Revbit | |
----------------------------------------------------------
Revoked | | | | | |RemTime|
----------------------------------------------------------
Removed | | | | | | |
----------------------------------------------------------
State Table
4.1. Events
NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
That key will become a new trust anchor for the named trust
point after it's been present in the RRSet for at least 'add
time'.
KeyPres The key has returned to the valid DNSKEY RRSet.
KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
this key.
AddTime The key has been in every valid DNSKEY RRSet seen for at
least the 'add time'.
RemTime A revoked key has been missing from the trust-point DNSKEY
RRSet for sufficient time to be removed from the trust set.
RevBit The key has appeared in the trust anchor DNSKEY RRSet with
its "REVOKED" bit set, and there is an RRSig over the DNSKEY
RRSet signed by this key.
4.2. States
Start The key doesn't yet exist as a trust anchor at the resolver.
It may or may not exist at the zone server, but either
hasn't yet been seen at the resolver or was seen but was
absent from the last DNSKEY RRSet (e.g., KeyRem event).
StJohns Standards Track [Page 7]
RFC 5011 Trust Anchor Update September 2007
AddPend The key has been seen at the resolver, has its 'SEP' bit
set, and has been included in a validated DNSKEY RRSet.
There is a hold-down time for the key before it can be used
as a trust anchor.
Valid The key has been seen at the resolver and has been included
in all validated DNSKEY RRSets from the time it was first
seen through the hold-down time. It is now valid for
verifying RRSets that arrive after the hold-down time.
Clarification: The DNSKEY RRSet does not need to be
continuously present at the resolver (e.g., its TTL might
expire). If the RRSet is seen and is validated (i.e.,
verifies against an existing trust anchor), this key MUST be
in the RRSet, otherwise a 'KeyRem' event is triggered.
Missing This is an abnormal state. The key remains a valid trust-
point key, but was not seen at the resolver in the last
validated DNSKEY RRSet. This is an abnormal state because
the zone operator should be using the REVOKE bit prior to
removal.
Revoked This is the state a key moves to once the resolver sees an
RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet
contains this key with its REVOKE bit set to '1'. Once in
this state, this key MUST permanently be considered invalid
as a trust anchor.
Removed After a fairly long hold-down time, information about this
key may be purged from the resolver. A key in the removed
state MUST NOT be considered a valid trust anchor. (Note:
this state is more or less equivalent to the "Start" state,
except that it's bad practice to re-introduce previously
used keys -- think of this as the holding state for all the
old keys for which the resolver no longer needs to track
state.)
5. Trust Point Deletion
A trust point that has all of its trust anchors revoked is considered
deleted and is treated as if the trust point was never configured.
If there are no superior configured trust points, data at and below
the deleted trust point are considered insecure by the resolver. If
there ARE superior configured trust points, data at and below the
deleted trust point are evaluated with respect to the superior trust
point(s).
Alternately, a trust point that is subordinate to another configured
trust point MAY be deleted by a resolver after 180 days, where such a
StJohns Standards Track [Page 8]
RFC 5011 Trust Anchor Update September 2007
subordinate trust point validly chains to a superior trust point.
The decision to delete the subordinate trust anchor is a local
configuration decision. Once the subordinate trust point is deleted,
validation of the subordinate zone is dependent on validating the
chain of trust to the superior trust point.
6. Scenarios - Informative
The suggested model for operation is to have one active key and one
stand-by key at each trust point. The active key will be used to
sign the DNSKEY RRSet. The stand-by key will not normally sign this
RRSet, but the resolver will accept it as a trust anchor if/when it
sees the signature on the trust point DNSKEY RRSet.
Since the stand-by key is not in active signing use, the associated
private key may (and should) be provided with additional protections
not normally available to a key that must be used frequently (e.g.,
locked in a safe, split among many parties, etc). Notionally, the
stand-by key should be less subject to compromise than an active key,
but that will be dependent on operational concerns not addressed
here.
6.1. Adding a Trust Anchor
Assume an existing trust anchor key 'A'.
1. Generate a new key pair.
2. Create a DNSKEY record from the key pair and set the SEP and Zone
Key bits.
3. Add the DNSKEY to the RRSet.
4. Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
'A'.
5. Wait for various resolvers' timers to go off and for them to
retrieve the new DNSKEY RRSet and signatures.
6. The new trust anchor will be populated at the resolvers on the
schedule described by the state table and update algorithm -- see
Sections 2 and 4 above.
6.2. Deleting a Trust Anchor
Assume existing trust anchors 'A' and 'B' and that you want to revoke
and delete 'A'.
StJohns Standards Track [Page 9]
RFC 5011 Trust Anchor Update September 2007
1. Set the revocation bit on key 'A'.
2. Sign the DNSKEY RRSet with both 'A' and 'B'. 'A' is now revoked.
The operator should include the revoked 'A' in the RRSet for at
least the remove hold-down time, but then may remove it from the
DNSKEY RRSet.
6.3. Key Roll-Over
Assume existing keys A and B. 'A' is actively in use (i.e. has been
signing the DNSKEY RRSet). 'B' was the stand-by key. (i.e. has been
in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
used to sign the RRSet).
1. Generate a new key pair 'C'.
2. Add 'C' to the DNSKEY RRSet.
3. Set the revocation bit on key 'A'.
4. Sign the RRSet with 'A' and 'B'.
'A' is now revoked, 'B' is now the active key, and 'C' will be the
stand-by key once the hold-down expires. The operator should include
the revoked 'A' in the RRSet for at least the remove hold-down time,
but may then remove it from the DNSKEY RRSet.
6.4. Active Key Compromised
This is the same as the mechanism for Key Roll-Over (Section 6.3)
above, assuming 'A' is the active key.
6.5. Stand-by Key Compromised
Using the same assumptions and naming conventions as Key Roll-Over
(Section 6.3) above:
1. Generate a new key pair 'C'.
2. Add 'C' to the DNSKEY RRSet.
3. Set the revocation bit on key 'B'.
4. Sign the RRSet with 'A' and 'B'.
'B' is now revoked, 'A' remains the active key, and 'C' will be the
stand-by key once the hold-down expires. 'B' should continue to be
included in the RRSet for the remove hold-down time.
6.6. Trust Point Deletion
To delete a trust point that is subordinate to another configured
trust point (e.g., example.com to .com) requires some juggling of the
data. The specific process is:
StJohns Standards Track [Page 10]
RFC 5011 Trust Anchor Update September 2007
1. Generate a new DNSKEY and DS record and provide the DS record to
the parent along with DS records for the old keys.
2. Once the parent has published the DSs, add the new DNSKEY to the
RRSet and revoke ALL of the old keys at the same time, while
signing the DNSKEY RRSet with all of the old and new keys.
3. After 30 days, stop publishing the old, revoked keys and remove
any corresponding DS records in the parent.
Revoking the old trust-point keys at the same time as adding new keys
that chain to a superior trust prevents the resolver from adding the
new keys as trust anchors. Adding DS records for the old keys avoids
a race condition where either the subordinate zone becomes unsecure
(because the trust point was deleted) or becomes bogus (because it
didn't chain to the superior zone).
7. IANA Considerations
The IANA has assigned a bit in the DNSKEY flags field (see Section 7
of [RFC4034]) for the REVOKE bit (8).
8. Security Considerations
In addition to the following sections, see also Theory of Operation
above (Section 2) and especially Section 2.2 for related discussions.
Security considerations for trust anchor rollover not specific to
this protocol are discussed in [RFC4986].
8.1. Key Ownership vs. Acceptance Policy
The reader should note that, while the zone owner is responsible for
creating and distributing keys, it's wholly the decision of the
resolver owner as to whether to accept such keys for the
authentication of the zone information. This implies the decision to
update trust-anchor keys based on trusting a current trust-anchor key
is also the resolver owner's decision.
The resolver owner (and resolver implementers) MAY choose to permit
or prevent key status updates based on this mechanism for specific
trust points. If they choose to prevent the automated updates, they
will need to establish a mechanism for manual or other out-of-band
updates, which are outside the scope of this document.
StJohns Standards Track [Page 11]
RFC 5011 Trust Anchor Update September 2007
8.2. Multiple Key Compromise
This scheme permits recovery as long as at least one valid trust-
anchor key remains uncompromised, e.g., if there are three keys, you
can recover if two of them are compromised. The zone owner should
determine their own level of comfort with respect to the number of
active, valid trust anchors in a zone and should be prepared to
implement recovery procedures once they detect a compromise. A
manual or other out-of-band update of all resolvers will be required
if all trust-anchor keys at a trust point are compromised.
8.3. Dynamic Updates
Allowing a resolver to update its trust anchor set based on in-band
key information is potentially less secure than a manual process.
However, given the nature of the DNS, the number of resolvers that
would require update if a trust anchor key were compromised, and the
lack of a standard management framework for DNS, this approach is no
worse than the existing situation.
9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
Signer (DS)", RFC 3755, May 2004.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
10. Informative References
[RFC4986] Eland, H., Mundy, R., Crocker, S., and S. Krishnaswamy,
"Requirements Related to DNS Security (DNSSEC) Trust
Anchor Rollover", RFC 4986, August 2007.
StJohns Standards Track [Page 12]
RFC 5011 Trust Anchor Update September 2007
Author's Address
Michael StJohns
Independent
EMail: mstjohns@comcast.net
StJohns Standards Track [Page 13]
RFC 5011 Trust Anchor Update September 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
StJohns Standards Track [Page 14]


@ -60,8 +60,8 @@ distribute)
fi
;;
reload)
echo "rndc $action $zone $view"
: rndc $action $zone $view
echo "rndc $action $domain $view"
: rndc $action $domain $view
;;
*)
usage "illegal action $action"


@ -0,0 +1,14 @@
#!/bin/sh
#
# Shell script to start the dnssec-signer
# command out of the example directory
#
chroot `pwd` ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
if test ! -f dnssec.conf
then
echo Please start this skript out of the flat or hierarchical sub directory
exit 1
fi
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
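Review bot: The `chroot \`pwd\` ZKT_CONFFILE=\`pwd\`/dnssec.conf ../../dnssec-signer "$@"` line at the top of this new script runs unconditionally, before the dnssec.conf existence check, and the signer is then started a second time on the last line, so it looks like a leftover rather than intended behaviour. On the usual chroot(8) implementations the first argument after the new root is exec'd directly, so `ZKT_CONFFILE=...` would be taken as the command name rather than an environment assignment, and with the root set to the example directory `../../dnssec-signer` cannot climb above it, so the line can only fail (and needs root privileges to get that far). I would drop it and quote the working directory on the remaining invocation: `ZKT_CONFFILE="$(pwd)/dnssec.conf" ../../dnssec-signer "$@"`. The diagnostic also misspells "script" and is an unquoted echo; `echo "Please start this script from the flat or hierarchical sub directory"` fixes both.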


@ -1,5 +1,5 @@
#
# @(#) dnssec.conf vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de
# @(#) dnssec.conf vT0.99a (c) Feb 2005 - Jul 2009 Holger Zuleger hznet.de
#
# dnssec-zkt options
@ -18,12 +18,11 @@ KEY_TTL: 1h # (3600 seconds)
Serialformat: incremental
# signing key parameters
Key_algo: RSASHA1 # (Algorithm ID 5)
KSK_lifetime: 60d # (5184000 seconds)
KSK_algo: RSASHA1 # (Algorithm ID 5)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 2w # (1209600 seconds)
ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
SaltBits: 24
@ -39,5 +38,6 @@ Zonefile: "zone.db"
KeySetDir: "../keysets"
DLV_Domain: ""
Sig_Pseudorand: True
Sig_Parameter: ""
Sig_GenerateDS: True
Sig_Parameter: "-n 1"
Distribute_Cmd: "./dist.sh"
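Review bot: The signing-key block still carries `ZSK_bits: 512` and `KSK_bits: 1300` as context lines, and the example keys added in this commit are 512-bit RSA zone-signing keys; 512-bit RSA moduli have been publicly factored since 1999, so a zone signed with these values gives little real assurance, and example configurations are exactly what operators copy. Folding KSK_algo/ZSK_algo into the single `Key_algo` parameter is fine, but while this block is being rewritten I would raise the sizes and say why: `KSK_bits: 2048` and `ZSK_bits: 1024` with a comment such as `# minimum sizes; 512-bit RSA is factorable`. The header comment still says `vT0.99a` while the changelog announces 0.99c, which is worth aligning so the version stamp in the shipped file can be trusted.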


@ -1,3 +0,0 @@
;% generationtime=20081116175850
;% lifetime=90d
example.net. IN DNSKEY 256 3 5 BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRS ouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==


@ -1,10 +0,0 @@
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: yh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRSouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==
PublicExponent: AQAAAAE=
PrivateExponent: XHrB+Ib/yjBFNUQoB66abHOazbj5hDkaprg0ygOwDdrxLSpwrYHQAn5H6JPlGhcTZHN5X1nF4M7GlGlbRah0oQ==
Prime1: 7T9UFlW1S4Dnditz/D0PmPdJ+fiozB+wz8xxRuOT4zE=
Prime2: 2hjLgVBakXblbcuQ08UYHkP00pMp+45mK+L5M35OpS8=
Exponent1: CPzNNspgw6XVf63vdcnEP55k7wMVttStCJw8+r3T5FE=
Exponent2: t8JDeQOEiO2L0dbIkuANjXOBiCauM6fnRHanvKcwmrs=
Coefficient: ObUC9ojBjcCKuGvPqXfWD20iXRpkzVsHjrJqcLXRqw4=


@ -0,0 +1,3 @@
;% generationtime=20090730151357
;% lifetime=84d
example.net. IN DNSKEY 256 3 5 BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==


@ -0,0 +1,10 @@
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: 12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
PublicExponent: AQAAAAE=
PrivateExponent: QGedp/HTzh6rYQGFLCnFHIM8mo5AxWZng293NH1AjxjGas5dmGZazN7l1XVRC3vsrkJnEo4vufmn3PiXEN5+cQ==
Prime1: 9xNBI9Hnmg90Tt4dTmbd3vwYOnPMY3bUT8LK7ST9AW8=
Prime2: 3zJmVknraflkD8SdS8KS30TnMdS45kfTLrLfGapkul8=
Exponent1: 3QgVQB/5/207T9FsSmaLCerWRHXc2rhk2SzIgkizh+k=
Exponent2: jFPAst+viSJxygltwZn3WPEL1+JeMFK99nilMa7YVLc=
Coefficient: 7duJdlOhBkQ0IDwI5Hiedteo7phE7GPedy5MVHpPcjM=
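Review bot: This adds an RSA private key (`Private-key-format: v1.2`, algorithm 5, 64-byte modulus) for the example.net example zone to a public source tree, with the matching public key committed beside it. That is acceptable only as test data: nothing outside the examples directory may ever be signed with it, and because git records only the executable bit a checkout will leave this `.private` file world-readable rather than with the restrictive mode that dnssec-keygen normally creates, so the examples must not be pointed at a real zone even by accident. I would state both points in the examples README or in a leading comment, and consider having the example generate its keys on first run instead of shipping private halves, which would also avoid distributing a 512-bit key that is trivially factorable.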


@ -0,0 +1,3 @@
;% generationtime=20090228113129
;% lifetime=60d
example.net. IN DNSKEY 257 3 5 BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug aQ==


@ -0,0 +1,10 @@
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: CwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhugaQ==
PublicExponent: AQAAAAE=
PrivateExponent: BhlkW6GKcOvDGyVAj7rEqpvEVd+t8H3WkifdhulioLIppKBuJlzzhSORjGojm6KYwcQl78F/7kHgKn2S5jBVk0FZr3vUR7Z6wbO80Ic9lOaFMBz0uYvUIYLGpFJvsVAFWv9sOkLK5iwFs6JehrSgxDbMfyBd8hpdN7mWOYD51p5HJMVvdqAw82mZoELQdlWM5tUzZdyx0jnAPtnYV+IxVa5CgQ==
Prime1: A41vXEkXlyvOuNbnByXKgw4BfHHp4LjpDsm4F35SD56Pvw1BFHtrgm/U7oJZQUBvyW2CcCe0Ria1iY4OjB/jdv2c4+GPhq1LizHquadfwHfAzw==
Prime2: AxwrEOiIRMkPEobov43MiBtbFKGA7QnN7DOD/QTFOA8a7IMhUDHU7pQbJASXpUaLKLSrAMeRNKwSyHXq34WFUzP4HK6ubuLn2k5YxhWRDbwpRw==
Exponent1: Ao+dprhY0qEAYGjF6wdwxyIDFAoU/g+1gwS566bRiIrYdXN9OoLRHHH7r3v8tfgjKckQAXbjVKfV9MYNpnW8jYqmSOvAXXjLtHtyBcJQOs89gQ==
Exponent2: 9AwIcMdFNsAzAsXHLQwN3lvQUce4cpuxw/GKnKTu9rsmqtbz9Al4qLSTsXYxErdSZ7xwIxX/PYeCywc0zZjd5fbGGOBv/fApfRgECVQWSNpJ
Coefficient: 1hDGT7Cnck4tyDJDUZHVK2ejowz2RlqzqN/BAMEfi+k3b/Ild6pdHNHu2mDYkFRqSIU4zVAVxeplrTKoXvVmmb8iWF/3jNLL/eKxYinNHe1P


@ -0,0 +1,10 @@
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: pYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
PublicExponent: AQAAAAE=
PrivateExponent: ZF1rC+0JIyhAQNFXPtcPW8S3iggmyY5AH+yXDDqpM1qx3a3NY5/BfuHFYDtsfHAB2DOjgqQmADly2B9NMhoJ4Q==
Prime1: 2jtxQTZzjZuyqSRk4PBk/nx+VqrVFdSvHUyXb2EjNrU=
Prime2: wizFiwOCJBiVDOjA0Zq9VuWk4+Fa7TNpkXp0//Y+NQU=
Exponent1: ORIEM1AkgXP+KkRQcZI6qW+fXhrdUsegVW42eGRzEmk=
Exponent2: YHsutgi+2qKtY/38Uu3e7bnHVhpUO7ZAcgPh00vd1yk=
Coefficient: Z5qDNIXQpU91m32R1HPPK75ASx5ah4/Gd4jw/SHsnDk=


@ -0,0 +1,3 @@
;% generationtime=20090615075841
;% lifetime=14d
example.net. IN DNSKEY 256 3 5 BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==


@ -0,0 +1,3 @@
;% generationtime=20090630093509
;% lifetime=14d
example.net. IN DNSKEY 256 3 5 BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==


@ -0,0 +1,10 @@
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: zN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
PublicExponent: AQAAAAE=
PrivateExponent: a9MzQ8dBy0kkwjUECnf6X02Q8URTNL+8IuJIOjD0sVbtt04trek0iioQkWNVBn7m7o1vrIijQ4AuMe9xqyiRyQ==
Prime1: /m1HDAGWnLeuYTLhlNxQBg+vUDjDPXOFXFvOg5Vkjlc=
Prime2: ziIYCdlrKqZkIpyt6AuPsRDqs2kNlkiwWT8D4D7J3L0=
Exponent1: Sd/Kn+FrTrMRZucUyXyGoKyfX6uReD4Kv0XYAqtk9+s=
Exponent2: KAcgSeMQeZPaabpFZMR9O4h2j4WwD5PysJsQKq1i9DE=
Coefficient: NBFD1eKzJOpi9G1tF88xmnNvNBbyEtgf0EuV4JAwTrs=


@ -2,21 +2,21 @@
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
; Last generation time Dec 28 2008 23:08:02
; Last generation time Jul 30 2009 17:13:57
;
; *** List of Key Signing Keys ***
; example.net. tag=1764 algo=RSASHA1 generated Nov 16 2008 18:58:50
example.net. 3600 IN DNSKEY 257 3 5 (
BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8
VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs
lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+
YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU
8w==
) ; key id = 1764
; example.net. tag=33840 algo=RSASHA1 generated Feb 28 2009 12:31:29
example.net. 14400 IN DNSKEY 257 3 5 (
BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc
+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n
m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u
SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug
aQ==
) ; key id = 33840
; example.net. tag=7308 algo=RSASHA1 generated Nov 16 2008 18:58:50
example.net. 3600 IN DNSKEY 257 3 5 (
; example.net. tag=7308 algo=RSASHA1 generated Feb 28 2009 12:31:29
example.net. 14400 IN DNSKEY 257 3 5 (
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ
oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ
w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU
@ -25,9 +25,21 @@ example.net. 3600 IN DNSKEY 257 3 5 (
) ; key id = 7308
; *** List of Zone Signing Keys ***
; example.net. tag=4157 algo=RSASHA1 generated Dec 09 2008 14:08:16
example.net. 3600 IN DNSKEY 256 3 5 (
BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRS
ouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==
) ; key id = 4157
; example.net. tag=34925 algo=RSASHA1 generated Jun 17 2009 16:36:16
example.net. 14400 IN DNSKEY 256 3 5 (
BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj
w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
) ; key id = 34925
; example.net. tag=48089 algo=RSASHA1 generated Jun 30 2009 11:35:09
example.net. 14400 IN DNSKEY 256 3 5 (
BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd
IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
) ; key id = 48089
; example.net. tag=24545 algo=RSASHA1 generated Jul 30 2009 17:13:57
example.net. 14400 IN DNSKEY 256 3 5 (
BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ
WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
) ; key id = 24545


@ -1,4 +1,4 @@
example.net. IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F
example.net. IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F
example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B


@ -1,3 +1,4 @@
;% generationtime=20080506212634
;% lifetime=60d
example.net. IN DNSKEY 257 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w==
;% expirationtime=20090228113128
example.net. IN DNSKEY 385 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w==


@ -1,5 +1,14 @@
$ORIGIN .
example.net 7200 IN DNSKEY 257 3 5 (
BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
Il5cqhugaQ==
) ; key id = 33840
7200 IN DNSKEY 257 3 5 (
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
@ -8,12 +17,3 @@ example.net 7200 IN DNSKEY 257 3 5 (
A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
JT9+p0yB/Q==
) ; key id = 7308
7200 IN DNSKEY 257 3 5 (
BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
+B9rLlBU8w==
) ; key id = 1764


@ -11,7 +11,7 @@ $TTL 7200
; 0123456789;
; It's also possible to use the date format e.g. 2005040101
@ IN SOA ns1.example.net. hostmaster.example.net. (
333 ; Serial
350 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire


@ -1,36 +1,55 @@
; File written on Sun Dec 28 23:08:02 2008
; dnssec_signzone version 9.6.0
; File written on Thu Jul 30 17:13:57 2009
; dnssec_signzone version 9.7.0a1
example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
333 ; serial
350 ; serial
43200 ; refresh (12 hours)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
7200 RRSIG SOA 5 2 7200 20090103210802 (
20081228210802 4157 example.net.
UqDcRU7Et3DQF9VF+1AmHFXLa9L2x6LYA1ZS
shG02/N9gH+2uNnxxBvuGDkSzTl5C52csvbw
LZnWW56sPCShiw== )
7200 RRSIG SOA 5 2 7200 20090809141357 (
20090730141357 48089 example.net.
ef9jaM2b3mfW7Kt8CfONPqtWve+OA7+sxDph
ffNDdF4G2wd9hosI5S9Sz8BOIJGzcg2tsgaB
gOjVmH4Ywf+oKg== )
7200 NS ns1.example.net.
7200 NS ns2.example.net.
7200 RRSIG NS 5 2 7200 20090103210802 (
20081228210802 4157 example.net.
i4OCvNnG2BWy6gYbUnwv1xi6MRQjbDl6ts8o
28CxUNmBX/r3RWlewQiyO8acGC2UJUdWz7So
gbHJqojIAjjpbA== )
7200 RRSIG NS 5 2 7200 20090809141357 (
20090730141357 48089 example.net.
F05kFb45lMYUbgimn1ACKyIU61+oYOg3sMHU
FxJd+qg9erf2//q7k4sFC9KPqpuLoLxeq7zl
Mk6meHS+9wsneQ== )
7200 NSEC a.example.net. NS SOA RRSIG NSEC DNSKEY
7200 RRSIG NSEC 5 2 7200 20090103210802 (
20081228210802 4157 example.net.
g963zm5F91sPNl955WRBExCcKJehXmTjyw0K
ISKE7Dq77Z8zKkTpgf1QWhVe3UOLRRbXwRnC
aQh+jaXNE3vIag== )
3600 DNSKEY 256 3 5 (
BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1
y5L0ayZ23+17ira2IBRSouCHAmIYYR+JqGMj
c0IQF7PAryhN2olWcINK/w==
) ; key id = 4157
3600 DNSKEY 257 3 5 (
7200 RRSIG NSEC 5 2 7200 20090809141357 (
20090730141357 48089 example.net.
OGO1Xb1nWaMl1cgCatUx3MbFzS/3N78l2FWJ
9nj41937o+SaC///0hsrluM8NWCj1ROyZU3e
olkU38g+o0fkPQ== )
14400 DNSKEY 256 3 5 (
BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWk
mp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFY
m/hhC77xJoVwSeOtXdmKiQ==
) ; key id = 34925
14400 DNSKEY 256 3 5 (
BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0
nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJma
dHRQZDfu79tEz8MUid7aOw==
) ; key id = 48089
14400 DNSKEY 256 3 5 (
BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA
1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rc
oAhDVW0hZ6DSDuV/0kouMQ==
) ; key id = 24545
14400 DNSKEY 257 3 5 (
BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
Il5cqhugaQ==
) ; key id = 33840
14400 DNSKEY 257 3 5 (
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
@ -39,128 +58,108 @@ example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
JT9+p0yB/Q==
) ; key id = 7308
3600 DNSKEY 257 3 5 (
BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
+B9rLlBU8w==
) ; key id = 1764
3600 RRSIG DNSKEY 5 2 3600 20090103210802 (
20081228210802 1764 example.net.
DMU1/sQwNC9bxNCo+SGM1JpHAkWGCRoSEswb
2EV/YDWwF19IM2J/sz+9JB6h7esETapCg4qY
5SCBrgbMEvQNRL0t16K7ciAHYNKLTbMG0uaP
yEOVQ0/ZofoDEsYJYScyO3hC58F2Vl/YSBFo
hfkYvtrjrrDQqU9Uh8U1rcROIXNJF/FyDSuj
Ca2fzHlCvnJRfF/Djg7DOjXIlWBThc4kI12v
xw== )
3600 RRSIG DNSKEY 5 2 3600 20090103210802 (
20081228210802 4157 example.net.
gH+J4h1fRmX5QS/wocZKerd9RqgrFR/0m1HE
O+GYS4Q4X19TnGQW4Bq6w/QRI/5OiJH3YR2R
9MW3EmYMKX9Tuw== )
14400 RRSIG DNSKEY 5 2 14400 20090809141357 (
20090730141357 7308 example.net.
CblyOQR4HbF8PQi+tJYtrbqGQzk6tHz2XUTN
UVGYKgU/J/bs3VtuuAze57v0rCLf90wH2tGv
PonbPBacTW0dULrtxDH0Y3bNeT6IiRNWtNi/
r54PttqJO++MX9f1KkV2g5Y0R5rOuefVTqO8
ww9SUO3GPc0W16tyFboziOhwN9XSlJsIAeNN
B8jeltRi5KAxUZXpWHS0XqkpcREZOVPHVEEq
YQ== )
14400 RRSIG DNSKEY 5 2 14400 20090809141357 (
20090730141357 48089 example.net.
XbZb9oFt54WIQrIaTh8YyzJ+uzIah7bCO0yg
XHUHAIbf1xu9sljmwlzBNLJFq5hPj+q1kvJc
62464sVZH+EfWg== )
a.example.net. 7200 IN A 1.2.3.1
7200 RRSIG A 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
nh9TDSy8L61ccYJiLAL632N4FIvUpDCvsdcf
0HhGA8b++YADE5gX346coX1L0Oy+DB9eHIAZ
PCfli582EhPwKA== )
7200 RRSIG A 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
st9XUmF9rcxpT3yqZzHmRh1iCA7BHpzKVQPg
1iVLZatjDPcqeA2UDHBqbxE3RA6CGrHsONEs
nzR8X0uN22BTIA== )
7200 NSEC b.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
LCe66yRV1gez4AbSq7/SaPznvzuUPRnf+vh2
Fuv3IlCszc0Bdo/fAyUQcc9LRo8hrvfYFDjI
TFe3Mm0U0A5Lew== )
7200 RRSIG NSEC 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
qEtyoL6etYfuriLJuEo0R2gxeCLM7n05FE4s
ig0NeorNk7ic89SY24owmYYJ/FbI532vhLHv
0n6P1jVIBVTNOg== )
b.example.net. 7200 IN MX 10 a.example.net.
7200 RRSIG MX 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
oQuNvNDrqblLnEl5arNz+3YlBC9j33tp7OzF
MptYqb32rDNB/YivuxeiBWNt7ykFmdXh1P94
DZ8Qq2J8lIW1DA== )
7200 RRSIG MX 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
oEeEMSxEXtlVpp1Rm5Z2Je6gAIggCRWUxthN
S1aEOIwVYcxIDlwLqbXoUVpcSaPGMATdGZnH
UGStzfIl/8troQ== )
7200 NSEC d.example.net. MX RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
GF6J2HjZ4xrkdT2a6Zjukl5sUSwejQkzzx2+
pLRQ/RXtfkcMrO5xpsOZ8AqeZjySUMEGjS2U
RUlbzM0y/70x4g== )
7200 RRSIG NSEC 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
fdtI/Qb/Smf6p0sD10Zx5oDgD0GsX0WUAMLQ
sDy3SFatpYio68dSfEP1cnayp/px2eLvTfVm
5lDVj28RqfZ7Pw== )
d.example.net. 7200 IN A 1.2.3.3
7200 RRSIG A 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
T9LBUwsAKM+3yh1wizaGqWvqfLOqfuTzZhpm
tmpDPZXzSjJ8pj4KO3f8eA7ygo52bY8hNzTh
2hwGBAQlb1ACpA== )
7200 RRSIG A 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
nTtV5w9QKqFLl164G4vTcAsMT5v09tpyvTVh
Oe7MYeRnN2SBxHt1ScJdjQ5/bLYwLE0eeCYn
4OEF4w8WGhL67A== )
7200 AAAA 2001:db8::3
7200 RRSIG AAAA 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
gpBuR+r14AbjVJLx48k8plwo52RG6taN03XU
8uUgfOSpJSprjpvhEzKt1h87aGtmZScoS/WH
3D3f2Xz4e+r6QA== )
7200 RRSIG AAAA 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
d+E/L0pu10u6zO8ZwsES0OCxBJmSvFm1QUkd
qgHxZXZi7pj2bOtZGOCxQwMHg0CvNQ9mVxL0
J3JSNlXGbwHSgQ== )
7200 NSEC localhost.example.net. A AAAA RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
fSM90YN/6UVuUPbVTuhSj2Zzxdn+3TkVIXq6
CjpGxAxDGa5Uh3x6ExZUg3n7N7TWcuyN2fZV
va8VlkEJeAHd/g== )
7200 RRSIG NSEC 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
D8lZPkhs2FOYW9hyLryxKnx0NPzIDqOI4keb
YhrJuCmLLRe4vyEbdNLmV76g6ZKG9oCkgh3a
zgIUX0pOt281Bw== )
localhost.example.net. 7200 IN A 127.0.0.1
7200 RRSIG A 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
I0tSvJaBTdG0RTfOTkzDyW2iSKdX555aN5Ux
a4l5gJhiY4tpN1NNofQK8xbdZvJi+F0JBsb4
qctstfW97RAnZw== )
7200 RRSIG A 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
jvmKKKCZ6sDIrQROwXMzPTEd9qgriYYRyMLw
EkOuubrkDlJkWVs7rx4d4zmrtoU5qr0sNB3m
kNSeEuoa+qR+eg== )
7200 NSEC ns1.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
pORPHi5yJId4IynH/UcNM1kL9kyJqO65+iku
G5z9A2CS+aJy39Am6Nbr11GN6SAVcOmSjjeA
SOAdxGlWWpwAvA== )
7200 RRSIG NSEC 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
oAMInMyMsQj9TZVQfJq6TmBONduujt6kcQpP
0qFe7WI4Cc4AH+hy1cGkeBCPS1+0WoG4rqBw
3OFb0GRqEXDc5w== )
ns1.example.net. 7200 IN A 1.0.0.5
7200 RRSIG A 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
mPktHGQ4Cvn6JwysjndL8/dZhtht6bGq1OZI
qR4SSqIc14Yfbbee819fwuw/JGaaTFyItDU2
AIU8Ix2FrNLcQA== )
7200 RRSIG A 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
W5E+VE/68hF1gjsyZM6FU1Ynao1/78xNYnAr
o4fwADHCCXw1/TDbMbp9LCzgNoUfKjWjJCn6
89OCX/es/0rTtA== )
7200 AAAA 2001:db8::53
7200 RRSIG AAAA 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
I+i9d3dewJTTmK1J5gbMlsjodEDjV57fHDbv
3haEPH6WHn/9W3P9eTDRIVEIvSVCEObAJyem
ItOMKZOxlRTF5Q== )
7200 RRSIG AAAA 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
wUAOaDeX1NQh5pm8VfjXJ9QCE0HK5rdyXcyP
Sreh+AjyA2UVksG6Rd8/8WWv2YPwD8LtOZfv
OVzIQY+ltEOSvg== )
7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
KF6bVYTEEuOgaYTrD1BhY6dyYtp1k7uPQAbe
+8aDk4OJwtL681t91XIT/TRXvKwiSVH4M7Un
ZOFI4o33/oIJag== )
7200 RRSIG NSEC 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
cu58jBfTX3IrVthmTxmvKuj76N7OtkuRWqkz
wNqyKtLjTaW2hEvt6Wnd/F7Py/xiKS6aEFIK
iovzZNBDetmiBg== )
ns2.example.net. 7200 IN A 1.2.0.6
7200 RRSIG A 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
pLL55Ja/b/pGnWdYP2tAOtx84xyKiEdD/oPC
7prF8HCXLJgbFdnJ3JkZ1umAPbsRrEkFIFII
wGwfrjMkM9c8zw== )
7200 RRSIG A 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
Qs5E1Bc10de+JJW26BhWzvDvxA4ssyB57QN2
3uk1jgoqi4f91/xvvoy45eQtOIflmNlKV1up
ZESuqA8PJwq9hQ== )
7200 NSEC sub.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
b5AfO/ekdK8rQBAiyGcjCSFHOLCYfdVJP7DD
FsNKBjkJj+jLz3P1lJClTrgc4gv7EmRlZncd
YOzblBcjylZqAw== )
7200 RRSIG NSEC 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
DIqhTgeHJasScNvLEnUzqLectmRRQhKpFINK
+NWEL/CM27SCiOLLYu5Mz2YHLVpz2VoV/V32
YVpaLtAlA5Gc1g== )
sub.example.net. 7200 IN NS ns1.example.net.
7200 DS 18846 7 1 (
71103B8D50793E190E48D99E95B48D9F20C4
04C6 )
7200 DS 18846 7 2 (
42A13BAC66BEB451B6BF17A51FC2C141B765
D3E9B952C689BA4B572DC1AF2FCC )
7200 RRSIG DS 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
HeLgZtRjTPXR8HDw0uHiavKTmJTJU2ryunVf
JR8vASP8QT2D4hD0BvCUzQdIB23+oB9eY2dx
f9WtEwKY89dcTQ== )
7200 NSEC example.net. NS DS RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20090103210802 (
20081228210802 4157 example.net.
XViJS+mWV3mddMCV25zV9i3ZpRlBsQIr/Guq
wJYzIiBP3F5cY+GbzOyjLdRnuy9pIeCUmEIN
0XsanfbJHcTm8w== )
7200 NSEC example.net. NS RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20090809141357 (
20090730141357 48089 example.net.
qRqoIDBDuxWo403SI0B3ZPiAMSWV48HWUDi/
bUPuGtKCaw43OuG4RgMBlItzxrmw5AMlcsGw
+dpIoVdHzGqmdg== )


@ -1,2 +1,2 @@
sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE


@ -1,4 +1,4 @@
example.net. IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F
example.net. IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F
example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B


@ -1,2 +1,2 @@
sub.example.net. IN DS 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
sub.example.net. IN DS 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
sub.example.net. IN DS 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
sub.example.net. IN DS 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE


@ -1,5 +1,14 @@
$ORIGIN .
example.net 7200 IN DNSKEY 257 3 5 (
BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
Il5cqhugaQ==
) ; key id = 33840
7200 IN DNSKEY 257 3 5 (
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
@ -8,12 +17,3 @@ example.net 7200 IN DNSKEY 257 3 5 (
A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
JT9+p0yB/Q==
) ; key id = 7308
7200 IN DNSKEY 257 3 5 (
BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
+B9rLlBU8w==
) ; key id = 1764


@ -1,8 +1,8 @@
$ORIGIN .
sub.example.net 7200 IN DNSKEY 257 3 7 (
AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
) ; key id = 18846
AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
) ; key id = 48516


@ -96,4 +96,14 @@ zone "0.0.127.in-addr.ARPA" in {
file "127.0.0.zone";
};
include "zone.conf";
#include "zone.conf";
zone "example.NET." in {
type master;
file "example.net/zone.db.signed";
};
zone "sub.example.NET." in {
type master;
file "sub.example.net/zone.db.signed";
};
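Review bot: The old `include "zone.conf";` survives as the commented-out `#include "zone.conf";` with no explanation of why the zones are now declared inline, so a later reader cannot tell whether zone.conf is obsolete or still expected to exist; either drop the line or replace it with a comment such as `# zone.conf is no longer included: the example zones are declared explicitly below so that dnssec-signer -N named.conf can find them`. The new zone names are written in mixed case (`"example.NET."`, `"sub.example.NET."`) while the signer log further down this page reports them as `sub.example.net.`; if the casing is deliberate, to exercise case-insensitive zone-name matching, a one-line comment saying so would stop someone from "normalising" it later. The `file` paths are relative and resolve against the server's `directory` option, which is outside this hunk, so I cannot confirm from here that they line up with the `././sub.example.net` directory the signer log shows.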


@ -1,3 +0,0 @@
;% generationtime=20081228220628
;% lifetime=3d
sub.example.net. IN DNSKEY 256 3 6 AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOUzy7Bj+uFawiZePzJ376i jMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1z gbfUKNyiPZ6oWgPYv71zph2oeEv/imIItqFoz+s9rJLBevzRINvunS1n n4Fiq7gi21miJiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk36K83OzW KnF1OGkSIki7kfoWyUi6cJAMdnc33uPf+7inEguN4Sr2h4QXGNm42hKI v8lZ


@ -1,7 +0,0 @@
Private-key-format: v1.2
Algorithm: 6 (?)
Prime(p): vkFZckOUzy7Bj+uFawiZePzJ376ijMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1zgQ==
Subprime(q): qHjRa5osHmJx2NpT9a+wCWA7CLk=
Base(g): t9Qo3KI9nqhaA9i/vXOmHah4S/+KYgi2oWjP6z2sksF6/NEg2+6dLWefgWKruCLbWaImIbreEcSg2vlj+RsHTQ==
Private_value(x): J9kC0094M4urh22UyajBvYp6OUU=
Public_value(y): rfdSEO07PKqymWRw5N+ivNzs1ipxdThpEiJIu5H6FslIunCQDHZ3N97j3/u4pxILjeEq9oeEFxjZuNoSiL/JWQ==


@ -1,3 +0,0 @@
;% generationtime=20081216133130
;% lifetime=3d
sub.example.net. IN DNSKEY 256 3 6 AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1zrCvWeR2s851pF1lyqoi 7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp +U1bNU2DyopLKhZR5+6SN5u7R7tlQCGlmesE4yAD2kLBYAvBoSXgPhPn /UDQWz08x3IaYVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghCsKojF+u0 DXLuWYY6h6KWn4yuto6NMBb5hXSDaYMTgiJYO5MS79d876LIPJyv3mls lfy1


@ -1,7 +0,0 @@
Private-key-format: v1.2
Algorithm: 6 (?)
Prime(p): 50c8zvi1zrCvWeR2s851pF1lyqoi7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp+Q==
Subprime(q): zVTFuNMY3m0bMsXC3ULBHHiaUM8=
Base(g): TVs1TYPKiksqFlHn7pI3m7tHu2VAIaWZ6wTjIAPaQsFgC8GhJeA+E+f9QNBbPTzHchphW9VxBxwECC57g2H9EQ==
Private_value(x): LnevSOPwRhakaa7vYh1YBwGWIh8=
Public_value(y): NwN9ucIKHYWeFToIQrCqIxfrtA1y7lmGOoeilp+MrraOjTAW+YV0g2mDE4IiWDuTEu/XfO+iyDycr95pbJX8tQ==


@ -1,7 +0,0 @@
Private-key-format: v1.2
Algorithm: 6 (?)
Prime(p): j+A/58oThRkOD+cmyxsyLP0qrQcozEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qPoQ==
Subprime(q): kuawB/eONoc0BjGmDIKOerRKBkM=
Base(g): C/CRAij2ID/BEajrSxPOHaMWdQ06G5zfI6el3MIZtMFvNxBQypZ3VRawKbBeOncxvSMSX/ecw5MeJDKXCWfi7Q==
Private_value(x): HZ/c+Fa0T/qv5IwEmPEF681ckVw=
Public_value(y): bvjS4V5v38HzFvDmzxxq09i13mBupQ79O5ZLNyxoyE17kHNcKD6/ggVPSVx1jDymtgE9FLYgo1OoKh9qdNrG0w==


@ -1,3 +0,0 @@
;% generationtime=20081209130816
;% lifetime=3d
sub.example.net. IN DNSKEY 256 3 6 AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oThRkOD+cmyxsyLP0qrQco zEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qP oQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc3yOnpdzCGbTBbzcQUMqWd1UW sCmwXjp3Mb0jEl/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObPHGrT2LXe YG6lDv07lks3LGjITXuQc1woPr+CBU9JXHWMPKa2AT0UtiCjU6gqH2p0 2sbT


@ -0,0 +1,10 @@
Private-key-format: v1.2
Algorithm: 7 (NSEC3RSASHA1)
Modulus: vwuuUkg4CTWLdI8+DIv9NW1dPbKQA6QZVcv+QgjmV7ewfxR31/n7c5usrUUQ+j1YHXM3AgIXhCN62OpQa1rgCQ==
PublicExponent: AQAB
PrivateExponent: LiSPHRaOWkMRhLyYOwWQyde5Xo6DVC3NZLiZl694mxS63YmbB5SYh9OILMunQCxRpxya94lqgt9DvSEGMvzlgQ==
Prime1: 56furA32AKokZoRN8W/SC+l9MsENy1BFI4rodT3YNRE=
Prime2: 0x89E2ZEeaPUp/Ox2qnRTXlB6h25P/SBxiGA31WBG3k=
Exponent1: Km5UBSe5e32ulSh+rk5xBsWJrRY3VJorT8tNsMvXIkE=
Exponent2: Caa/8AcY0ka/Df6B/vEMdHI6pS0+rsHKvPgDIDKUeGE=
Coefficient: 1lvL+tM8iRj7MttO3zC4lQsO+8nPruMDBnYMzTVPGAI=


@ -0,0 +1,3 @@
;% generationtime=20090624144422
;% lifetime=3d
sub.example.net. IN DNSKEY 256 3 7 AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5 +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=


@ -1,3 +0,0 @@
;% generationtime=20081125154049
;% lifetime=60d
sub.example.net. IN DNSKEY 257 3 7 AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G3XPRE7Yaw/Nco7aXorHK JgRFMoM30q7jDBaudLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeFpWdP 7E8fmi4k/YoCESu+vBvf+rZWDMVosj8VVEIbKTcJE16Nsd1ls1FIGfiq fu8SrJ0f


@ -1,10 +0,0 @@
Private-key-format: v1.2
Algorithm: 7 (?)
Modulus: 451+rtzB+GXdovwGVREaeA8D7cjYTcbdc9ETthrD81yjtpeiscomBEUygzfSruMMFq50t5cL/985ADDY/m8LDK4eYgWjh+VefnWwx4WlZ0/sTx+aLiT9igIRK768G9/6tlYMxWiyPxVUQhspNwkTXo2x3WWzUUgZ+Kp+7xKsnR8=
PublicExponent: AQAB
PrivateExponent: J0mYBDa2hFmQ2AEIVsaM+wwccX6pV0NsFgGQlW4pRGhJGcsymd16kmIfRebsxqMKAyA5pTa9K30sKYxE6CXikgpm1+TqQtH3CQJGEz81gf5/c/RgHdG4+bygPrKeW1vA7dI5jsEQ8wnhBAJa0jDIt8f0bP9G5rGYyxctmmC8mgE=
Prime1: 8gsI7gGw1oPDMLhQHMx3NorrKgy1wMu3/anCcIEEe1OflmSNHzb0Y4hQ8Zl97EyU6ZuPAGlnI4MfykK2V35orw==
Prime2: 8L163OyeS3aLn+Bxfxlc/6OZGat5b6C5RKFzvdJ9/7ZxM1woegJCe8DD0wwuKwNs7go+venTI4O7L1ZB0jJOkQ==
Exponent1: aJiOLlQ6uCjOk+JCdH+DUOWthEljzcH7a7oNlZKbfjP/9fzT41ZbPBvvZsh+2zuo6l7X6ESkVntWpJA5vguZbw==
Exponent2: a4mIh4VfFICI0Er3B/pxc3RF4JSbc0TNXZ3tUL7lL8P0fyfMoOu/fP5Xuz+2o9os34xOCJGZkkS26edTEa0NMQ==
Coefficient: sEYTrLAosmx+x8M2BBdTYLddTSbv3xXDlqHeCNxajW4bhhbjkn3oMCWQfaq7Oke4zeUXPOAYjaf8Ve2oLD9fzg==


@ -0,0 +1,3 @@
;% generationtime=20090630093509
;% lifetime=3d
sub.example.net. IN DNSKEY 256 3 7 AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=


@ -0,0 +1,10 @@
Private-key-format: v1.2
Algorithm: 7 (NSEC3RSASHA1)
Modulus: 24opa7iwrJyDng5gmdzj9PNvU4W/EbCECHilWmXTTcmvFP+lCMjD/MkUSdSDAIMOYZ982rvdJuTKSdPJdhF7aQ==
PublicExponent: AQAB
PrivateExponent: M7mksrWsIq8pr4axqe7KYr8sXqBneTJ+mURbqSXOmEfZrlUlW0GwbOoVcDwrStuknXF+34wo5Q3cMwk0DX95UQ==
Prime1: +rQpJtsPO9HubmItf5eIz0quciGA5CnaMrhkB00JGEU=
Prime2: 4C12MHLPRcYtMLNzbTOkqBWhRiBRy33Q/djerAxswtU=
Exponent1: zyXjxtZEPRJWJ2D55S5JfbZgc69ZN62ZPEV9aUbu190=
Exponent2: NMpf367Zopu1fpdzog6cQry9Oq9Xs6zQL0cHwMo4PnU=
Coefficient: dT+ysdkCUq1RU+toH16kAW5F7eQ3dAMGsYIII+scCYo=


@ -0,0 +1,3 @@
;% generationtime=20090624144206
;% lifetime=7d
sub.example.net. IN DNSKEY 257 3 7 AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5 UPSENnx3


@ -0,0 +1,10 @@
Private-key-format: v1.2
Algorithm: 7 (NSEC3RSASHA1)
Modulus: xUmAx/vXLQzYp+uGIAogeSFLwyWCYpuORoFjnrNlEBAzAcnIw4NlwiAFC8+TEbD/Viv/m/dls7BUKPvN5h+9761GxdcERhO+js84sT0fSIx/r2+rtDGHzb+r4ukEfXzXyIOEGfqrR/vDDgWWjsHe7nMl/oUe6Xwk/HlQ9IQ2fHc=
PublicExponent: AQAB
PrivateExponent: pXM0BgLE/KnmVESnsdzsSMlMkTa2tt1/ns9J7UDDQ4piTGCd9qEOSJOzx6jnzJFkQS8a6QC8EMqSeeBaV2BNVucg336ie2jH+VVwBsrRzFdTTEr5Wouw62PWiW/FV285oxootXoGHeCTmVbwVBKfYrX6Wputp/sUc1haLL54COk=
Prime1: 5zo/AB88LX6pEk65CGtBjkB6Jx0RcR2Ekq0Q/GU8HkAsZxPhwnJAbp3pZs65g/Od4vh/lz/Uv/FTLX8efOTMKw==
Prime2: 2mxkQwk63bu3aeoAR1T1uwf7V9rty0QLZlyeVSGasfB+dv9Dihh9f7IXBX88VsMUIp7DPINm87sMi+jEJOSO5Q==
Exponent1: vUjIJABt0cxa+VqqTAMJQjr0BCreiVuhmDTGr+brhNQBxUvYRsYiiqsIUxmtciAuwousXxNoxMv3zEnAmnrtyw==
Exponent2: NhajWWpetmv2xnaY7REf7NnUJvRi8HQAMq/60XAJ48h/OK6LphXcdhO+2bChW4bhZJVWGZUcmHyYZckVUWF79Q==
Coefficient: tA/0qGPPL9RkgGhV4Bz/cBi6vOTTan0zpOPE+R/jabmSIrF9k9igghZvhHPG9bnMi5mY8cekzUm6bbOejZjy3g==


@ -2,46 +2,28 @@
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
; Last generation time Dec 28 2008 23:08:02
; Last generation time Jun 30 2009 13:02:21
;
; *** List of Key Signing Keys ***
; sub.example.net. tag=18846 algo=NSEC3RSASHA1 generated Nov 25 2008 16:40:49
; sub.example.net. tag=48516 algo=NSEC3RSASHA1 generated Jun 24 2009 16:42:06
sub.example.net. 3600 IN DNSKEY 257 3 7 (
AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G3XPRE7Yaw/Nco7aXorHK
JgRFMoM30q7jDBaudLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeFpWdP
7E8fmi4k/YoCESu+vBvf+rZWDMVosj8VVEIbKTcJE16Nsd1ls1FIGfiq
fu8SrJ0f
) ; key id = 18846
AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD
ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM
f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5
UPSENnx3
) ; key id = 48516
; *** List of Zone Signing Keys ***
; sub.example.net. tag=5823 algo=NSEC3DSA generated Dec 28 2008 23:06:27
sub.example.net. 3600 IN DNSKEY 256 3 6 (
AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1zrCvWeR2s851pF1lyqoi
7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp
+U1bNU2DyopLKhZR5+6SN5u7R7tlQCGlmesE4yAD2kLBYAvBoSXgPhPn
/UDQWz08x3IaYVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghCsKojF+u0
DXLuWYY6h6KWn4yuto6NMBb5hXSDaYMTgiJYO5MS79d876LIPJyv3mls
lfy1
) ; key id = 5823
; sub.example.net. tag=32345 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04
sub.example.net. 3600 IN DNSKEY 256 3 7 (
AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI
w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
) ; key id = 32345
; sub.example.net. tag=22440 algo=NSEC3DSA generated Dec 28 2008 23:06:27
sub.example.net. 3600 IN DNSKEY 256 3 6 (
AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oThRkOD+cmyxsyLP0qrQco
zEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qP
oQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc3yOnpdzCGbTBbzcQUMqWd1UW
sCmwXjp3Mb0jEl/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObPHGrT2LXe
YG6lDv07lks3LGjITXuQc1woPr+CBU9JXHWMPKa2AT0UtiCjU6gqH2p0
2sbT
) ; key id = 22440
; sub.example.net. tag=4710 algo=NSEC3DSA generated Dec 28 2008 23:06:28
sub.example.net. 3600 IN DNSKEY 256 3 6 (
AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOUzy7Bj+uFawiZePzJ376i
jMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1z
gbfUKNyiPZ6oWgPYv71zph2oeEv/imIItqFoz+s9rJLBevzRINvunS1n
n4Fiq7gi21miJiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk36K83OzW
KnF1OGkSIki7kfoWyUi6cJAMdnc33uPf+7inEguN4Sr2h4QXGNm42hKI
v8lZ
) ; key id = 4710
; sub.example.net. tag=14600 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04
sub.example.net. 3600 IN DNSKEY 256 3 7 (
AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5
+3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
) ; key id = 14600


@ -4,12 +4,12 @@ sigvalidity 2d
max_ttl 90s
Serialformat: unixtime
zsk_lifetime 3m
ksk_lifetime 1w
ksk_algo N3RSASHA1
ksk_bits 1024
zsk_lifetime 3d
zsk_algo NSEC3DSA
zsk_algo N3RSASHA1
zsk_bits 512
dlv_domain "dlv.trusted-keys.de"
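Review bot: `zsk_bits 512` makes the sub.example.net example sign with 512-bit RSA zone signing keys (the 64-byte moduli in the new K*.private files and the short RRSIGs in the new zone.db.signed confirm it), and 512-bit RSA moduli have been publicly factorable since 1999, so anyone who copies this example config ends up with signatures an attacker can forge; `ksk_bits 1024` is also at the low end of what is still considered acceptable. Whether or not these two lines are new in this commit, the new side still carries them, and given the 3d ZSK lifetime the tiny keys are presumably a speed choice for the test fixture rather than a recommendation. I would raise the example to `ksk_bits 2048` and `zsk_bits 1024`, or, if the small keys must stay to keep the example fast, add a comment such as `# 512-bit ZSKs are trivially factorable; used here only to keep the example quick` so they are not mistaken for a sane default. Changing the sizes would invalidate the checked-in K*.private, dnskey.db and zone.db.signed fixtures, which would need regenerating together.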


@ -1,116 +1,109 @@
; File written on Sun Dec 28 23:08:02 2008
; dnssec_signzone version 9.6.0
; File written on Tue Jun 30 13:02:21 2009
; dnssec_signzone version 9.7.0a1
sub.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
1230502082 ; serial
1246359741 ; serial
86400 ; refresh (1 day)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
7200 RRSIG SOA 6 3 7200 20081230210802 (
20081228210802 5823 sub.example.net.
AMwSbl1AvSw6nz/6SAX26uwD5BAKYAxmfBIq
ynkaiFplhArpE1dTqlU= )
7200 RRSIG SOA 7 3 7200 20090702100221 (
20090630100221 32345 sub.example.net.
xaNZK008xUwN1mWIUMpMNljZ7mOsYyzQ89ug
Ephuttdlqm5KdMAlopa9Qfgw+83YQzyonAKj
beUBuNmOKBwgQw== )
7200 NS ns1.example.net.
7200 RRSIG NS 6 3 7200 20081230210802 (
20081228210802 5823 sub.example.net.
AFIZX6ddVm4v+ae2F4zcVgp0jJHow+jKe+LC
YYNpRqF42vDPsri4shw= )
3600 DNSKEY 256 3 6 (
AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oT
hRkOD+cmyxsyLP0qrQcozEPyY+SI5/7cj1ch
epu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73
x4qPoQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc
3yOnpdzCGbTBbzcQUMqWd1UWsCmwXjp3Mb0j
El/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObP
HGrT2LXeYG6lDv07lks3LGjITXuQc1woPr+C
BU9JXHWMPKa2AT0UtiCjU6gqH2p02sbT
) ; key id = 22440
3600 DNSKEY 256 3 6 (
AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOU
zy7Bj+uFawiZePzJ376ijMX7LHr8z1NNhNOB
RhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3
At1zgbfUKNyiPZ6oWgPYv71zph2oeEv/imII
tqFoz+s9rJLBevzRINvunS1nn4Fiq7gi21mi
JiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk
36K83OzWKnF1OGkSIki7kfoWyUi6cJAMdnc3
3uPf+7inEguN4Sr2h4QXGNm42hKIv8lZ
) ; key id = 4710
3600 DNSKEY 256 3 6 (
AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1
zrCvWeR2s851pF1lyqoi7w+KlRmWrsEyyGS+
HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1
EtNp+U1bNU2DyopLKhZR5+6SN5u7R7tlQCGl
mesE4yAD2kLBYAvBoSXgPhPn/UDQWz08x3Ia
YVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghC
sKojF+u0DXLuWYY6h6KWn4yuto6NMBb5hXSD
aYMTgiJYO5MS79d876LIPJyv3mlslfy1
) ; key id = 5823
7200 RRSIG NS 7 3 7200 20090702100221 (
20090630100221 32345 sub.example.net.
xVsGH4dLDwHBhRo/R+BlQMgdXW5Y80xVEiYY
jrPH3A1j8i+PotbNA0F7eKA/0fKFmj4biCAK
LPErXQ8ObaggQA== )
3600 DNSKEY 256 3 7 (
AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOk
GVXL/kII5le3sH8Ud9f5+3ObrK1FEPo9WB1z
NwICF4QjetjqUGta4Ak=
) ; key id = 14600
3600 DNSKEY 256 3 7 (
AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGw
hAh4pVpl003JrxT/pQjIw/zJFEnUgwCDDmGf
fNq73SbkyknTyXYRe2k=
) ; key id = 32345
3600 DNSKEY 257 3 7 (
AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
) ; key id = 18846
3600 RRSIG DNSKEY 6 3 3600 20081230210802 (
20081228210802 5823 sub.example.net.
AMh2mLe04LwOikgp7Djk5OD+VjsxHWFIrM5K
eZ9TwWum0+c3KRc0Ye0= )
3600 RRSIG DNSKEY 7 3 3600 20081230210802 (
20081228210802 18846 sub.example.net.
oXtpSP1gJIoDZ4HUjdlGV6wyS0VPHp9pv7hB
t8sOWSTxSAQ2D1u+2bHK97lE7c1TJUqNsQO7
YiTwCvfeypt/9QWSFg8d8TrUTaFvUyZO9yJM
HEeJvoV9+TmRsqT1M4vYNO6OY9zBrqQF8Jov
gblJkg3ftGhllMDdz8JlIe3m35U= )
0 NSEC3PARAM 1 0 100 B5EA98
0 RRSIG NSEC3PARAM 6 3 0 20081230210802 (
20081228210802 5823 sub.example.net.
AEK69arso3M/F6qdvHBnEaS7PYoMPzkXeut8
f7tQNJi/n/57iOXxBtY= )
AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
) ; key id = 48516
3600 RRSIG DNSKEY 7 3 3600 20090702100221 (
20090630100221 32345 sub.example.net.
2P0CEAUnKV6Pa3Ryl1naH9Ve/va1k7oKyJyB
dinSyD/UVnGV7+iipUgDOcOAbNCYBCUVfKE9
GcBg3KQvJl0+AQ== )
3600 RRSIG DNSKEY 7 3 3600 20090702100221 (
20090630100221 48516 sub.example.net.
PB5I2/PuswNIxwDykcQEc/4+aUx/dJg9YfXx
f1gZL5ayZK01dVYsoZ8USV9IEX27NqFwjQO/
iTgB3eAEeBf4283XZ3VeXQRJ4iaMbL42TVid
qlKHQgniTPJAoytNRFVDvU3196YJECb8Z7L5
F6avz0sLu3gtDu/nwyyK/5Hf3kM= )
0 NSEC3PARAM 1 0 100 86F43F
0 RRSIG NSEC3PARAM 7 3 0 20090702100221 (
20090630100221 32345 sub.example.net.
e6ABPEvRsRxDn/6VaDlZWctckrXmO3KhmTF0
gtn7V+kR5J07XF+iS7jnfpEDUJWSRhJDTtVV
3uTWjwSs7kyfDQ== )
a.sub.example.net. 7200 IN A 1.2.3.4
7200 RRSIG A 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
ACtzcM76XGO0nQg0MNi/3xIA17I/Zl7dpLie
L+UWpvdyC01FhiJ9nBc= )
7200 RRSIG A 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
GEvo0V/h1H5LQz1hAd6FtgN1cX/FR1ADLDjD
LEcrzGVBqPCB7OjyXVsHqjq3uGmFI7uZn+K/
hXTkHJif/0w78g== )
b.sub.example.net. 7200 IN A 1.2.3.5
7200 RRSIG A 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
AMvlob5onyssxa/DQ13dtCp9pL9sHw4pruqq
PI85Joh+QNgM26VGXRA= )
7200 RRSIG A 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
OVvrujb8/jziQqf37zHnTOQCz2e5RAVCpdt4
rqd8U/Jzf36tKkPD1qSIJ8zJaAY3LfOLNYDU
T10UWy4dnxfoNQ== )
c.sub.example.net. 7200 IN A 1.2.3.6
7200 RRSIG A 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
AJAcwAkedEjx4i28vF/Uu31BDly6Hmc5LI9R
19PqH1vAijma5No2x5Q= )
7200 RRSIG A 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
b8A0VTnFi194xkeSKpK6iHcgDvuKGSFzZHSd
qPmMwJzflTmsLTxgXEZ9KY4BDbccSTaJVEwr
JJ+/QuqBHFyISQ== )
localhost.sub.example.net. 7200 IN A 127.0.0.1
7200 RRSIG A 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
ACgSEXi/TbpF35NNFs8zocciqhZtwDL5C4e/
6hTGwvl3Z+IjCjf8oDc= )
ANQ08MJB3Q48CAVL5MEKLHUA2EG2808A.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 FLIRT946Q32FSU4Q1ISRK4UJAFMRNHEE A RRSIG
7200 RRSIG NSEC3 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
AGjJ1uwyqNVcHgz3aFQZhvNFpBEPXdQaEeKo
/1Joi1+1g5r7AqEPgbU= )
FLIRT946Q32FSU4Q1ISRK4UJAFMRNHEE.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 J961TISKA95UUNS1JAV5OMBDNS342B6O A RRSIG
7200 RRSIG NSEC3 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
AERaVeALOfnnt/33oq5dDu08p3oyfYET59xd
x6I2CRIOFUr7LkHm2ro= )
J961TISKA95UUNS1JAV5OMBDNS342B6O.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 KJVHLHHLAADEDFM1ONPEIBM68DIIPI6O A RRSIG
7200 RRSIG NSEC3 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
ADgp7RYKJ95X9iLaS/O0N75fzc/yjA3NhVnv
hDKrUluwi2qYv1/AOIk= )
KJVHLHHLAADEDFM1ONPEIBM68DIIPI6O.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 TE1BL0NOCKMSQ7ARERPVQTM4NBVRN6CN A RRSIG
7200 RRSIG NSEC3 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
AMkFnz9tj86fr4NmFDnrqDNFlkgMAhRY/fR3
SGzdb8LfKdbWCRwYtu0= )
TE1BL0NOCKMSQ7ARERPVQTM4NBVRN6CN.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 ANQ08MJB3Q48CAVL5MEKLHUA2EG2808A NS SOA RRSIG DNSKEY NSEC3PARAM
7200 RRSIG NSEC3 6 4 7200 20081230210802 (
20081228210802 5823 sub.example.net.
AHYEmiF12gwP5LOpUfqK+uHzj7cwuxlGXNT7
OdhDcXznJd5bkkQuoFY= )
7200 RRSIG A 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
HtRrjUhpveofocEBNMEc++mYg9oYfZgnANA5
TyuS20tcCw/rAhGh3E3vMyhBBq4Ps1QT74+f
S06Z9C5YaKI7ig== )
7EJ08VDH70TNH3I9SD4MDBVA4S00PALI.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG A RRSIG
7200 RRSIG NSEC3 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
L1QIfw4hfGk4jSWBeWWGviTAt/2i1wRXE2Qe
yspyHNhG38jzGKXR5WH7FLdBzbqMHUHv9i+k
/t2mOvXB11pLqQ== )
AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F D0RE91KNGIR4STOQOPTK16C5C63NN2S0 NS SOA RRSIG DNSKEY NSEC3PARAM
7200 RRSIG NSEC3 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
I7JJTzzkJF3lB/A68KCuihWUMUY9PCW39PEa
axi5WDld4ceWVoGx18mPePrlmvjwepo9UGqc
ivGHaozr64hBjg== )
D0RE91KNGIR4STOQOPTK16C5C63NN2S0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F K46BIT3RVSBTLC8I8H312CFSNECEJ3S4 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
Q1g/fnqJl9tq35CoDFccQ7Ba7BcSzcsY35J5
h5DgaHkaAmj6QOX1pdfIuVhw0Ow9aBB4XrZo
wHjm0Ab+ez7COg== )
K46BIT3RVSBTLC8I8H312CFSNECEJ3S4.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
AIfEvkwdU9GE5bBp8OBc0xJtjfF7NAVMkquB
2UQzZgZP+63/nq2+uml+79Gwlc7KBjLjLfRr
eARbsKjcsRJF7A== )
L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F 7EJ08VDH70TNH3I9SD4MDBVA4S00PALI A RRSIG
7200 RRSIG NSEC3 7 4 7200 20090702100221 (
20090630100221 32345 sub.example.net.
IVMkxbD3eWr39sqXSJ6ARCyiMjeFB6xs+Bxc
BRKJ6TCRBRHDlp1Rf7AM+jQgKMAe3Tm+OqVn
zBrGA0FxGvo4Pg== )


@ -137,3 +137,895 @@
2008-12-28 23:08:02.534: debug: Signing completed after 0s.
2008-12-28 23:08:02.534: debug:
2008-12-28 23:08:02.534: notice: end of run: 0 errors occured
2009-02-28 12:31:26.082: notice: ------------------------------------------------------------
2009-02-28 12:31:26.083: notice: running ../../dnssec-signer -N named.conf
2009-02-28 12:31:26.100: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-02-28 12:31:26.100: debug: Check RFC5011 status
2009-02-28 12:31:26.100: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-02-28 12:31:26.100: debug: Check KSK status
2009-02-28 12:31:26.100: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h35m58s
2009-02-28 12:31:26.100: debug: Check ZSK status
2009-02-28 12:31:26.100: debug: Lifetime(390 sec) of depreciated key 22440 exceeded (5315758 sec)
2009-02-28 12:31:26.100: info: "sub.example.net.": old ZSK 22440 removed
2009-02-28 12:31:26.101: debug: ->remove it
2009-02-28 12:31:26.101: debug: Lifetime(259200 +/-150 sec) of active key 5823 exceeded (5315758 sec)
2009-02-28 12:31:26.101: debug: ->depreciate it
2009-02-28 12:31:26.101: debug: ->activate published key 4710
2009-02-28 12:31:26.101: notice: "sub.example.net.": lifetime of zone signing key 5823 exceeded: ZSK rollover done
2009-02-28 12:31:26.101: debug: New key for publishing needed
2009-02-28 12:31:28.559: debug: ->creating new key 32820
2009-02-28 12:31:28.559: info: "sub.example.net.": new key 32820 generated for publishing
2009-02-28 12:31:28.559: debug: Re-signing necessary: Modfied zone key set
2009-02-28 12:31:28.560: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-02-28 12:31:28.560: debug: Writing key file "././sub.example.net/dnskey.db"
2009-02-28 12:31:28.560: debug: Signing zone "sub.example.net."
2009-02-28 12:31:28.560: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 FC6C7C -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-02-28 12:31:28.803: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-02-28 12:31:28.803: debug: Signing completed after 0s.
2009-02-28 12:31:28.803: debug:
2009-02-28 12:31:28.803: debug: parsing zone "example.net." in dir "././example.net"
2009-02-28 12:31:28.803: debug: Check RFC5011 status
2009-02-28 12:31:28.803: notice: "example.net.": starting rfc5011 rollover
2009-02-28 12:31:28.803: debug: Lifetime of Key Signing Key 1764 exceeded (8w5d12h36m): Starting rfc5011 rollover!
2009-02-28 12:31:28.803: debug: =>Generating new standby key signing key
2009-02-28 12:31:29.067: info: "example.net.": generated new standby KSK 33840
2009-02-28 12:31:29.067: debug: =>Activating old standby key 7308
2009-02-28 12:31:29.068: debug: =>Revoking old active key 1764
2009-02-28 12:31:29.068: debug: Check ZSK status
2009-02-28 12:31:29.068: debug: Re-signing necessary: Modfied zone key set
2009-02-28 12:31:29.068: notice: "example.net.": re-signing triggered: Modfied zone key set
2009-02-28 12:31:29.068: debug: Writing key file "././example.net/dnskey.db"
2009-02-28 12:31:29.069: debug: Incrementing serial number in file "././example.net/zone.db"
2009-02-28 12:31:29.069: debug: Signing zone "example.net."
2009-02-28 12:31:29.069: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-02-28 12:31:29.206: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-02-28 12:31:29.206: debug: Signing completed after 0s.
2009-02-28 12:31:29.206: debug:
2009-02-28 12:31:29.206: notice: end of run: 0 errors occured
2009-02-28 12:31:34.121: notice: ------------------------------------------------------------
2009-02-28 12:31:34.121: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:31:34.126: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-02-28 12:31:34.126: debug: Check RFC5011 status
2009-02-28 12:31:34.126: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-02-28 12:31:34.126: debug: Check KSK status
2009-02-28 12:31:34.126: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h36m6s
2009-02-28 12:31:34.126: debug: Check ZSK status
2009-02-28 12:31:34.126: debug: Re-signing not necessary!
2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy
2009-02-28 12:31:34.126: debug:
2009-02-28 12:31:34.126: debug: parsing zone "example.net." in dir "././example.net"
2009-02-28 12:31:34.126: debug: Check RFC5011 status
2009-02-28 12:31:34.126: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
2009-02-28 12:31:34.126: debug: Check ZSK status
2009-02-28 12:31:34.126: debug: Re-signing not necessary!
2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy
2009-02-28 12:31:34.126: debug:
2009-02-28 12:31:34.126: notice: end of run: 0 errors occured
2009-02-28 12:32:49.522: notice: ------------------------------------------------------------
2009-02-28 12:32:49.522: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:32:49.525: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-02-28 12:32:49.525: debug: Check RFC5011 status
2009-02-28 12:32:49.525: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-02-28 12:32:49.525: debug: Check KSK status
2009-02-28 12:32:49.525: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h37m21s
2009-02-28 12:32:49.525: debug: Check ZSK status
2009-02-28 12:32:49.526: debug: Re-signing not necessary!
2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy
2009-02-28 12:32:49.526: debug:
2009-02-28 12:32:49.526: debug: parsing zone "example.net." in dir "././example.net"
2009-02-28 12:32:49.526: debug: Check RFC5011 status
2009-02-28 12:32:49.526: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
2009-02-28 12:32:49.526: debug: Check ZSK status
2009-02-28 12:32:49.526: debug: Re-signing not necessary!
2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy
2009-02-28 12:32:49.527: debug:
2009-02-28 12:32:49.527: notice: end of run: 0 errors occured
2009-02-28 12:42:47.999: notice: ------------------------------------------------------------
2009-02-28 12:42:48.000: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:45:56.491: notice: ------------------------------------------------------------
2009-02-28 12:45:56.491: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:50:13.057: notice: ------------------------------------------------------------
2009-02-28 12:50:13.057: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:50:54.700: notice: ------------------------------------------------------------
2009-02-28 12:50:54.700: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:52:23.926: notice: ------------------------------------------------------------
2009-02-28 12:52:23.926: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:52:23.933: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-02-28 12:52:23.934: debug: Check RFC5011 status
2009-02-28 12:52:23.934: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-02-28 12:52:23.934: debug: Check KSK status
2009-02-28 12:52:23.934: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h56m55s
2009-02-28 12:52:23.934: debug: Check ZSK status
2009-02-28 12:52:23.934: debug: Lifetime(390 sec) of depreciated key 5823 exceeded (1257 sec)
2009-02-28 12:52:23.934: info: "sub.example.net.": old ZSK 5823 removed
2009-02-28 12:52:23.934: debug: ->remove it
2009-02-28 12:52:23.934: debug: Re-signing necessary: Modfied zone key set
2009-02-28 12:52:23.934: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-02-28 12:52:23.934: debug: Writing key file "././sub.example.net/dnskey.db"
2009-02-28 12:52:23.935: debug: Signing zone "sub.example.net."
2009-02-28 12:52:23.935: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 A4756D -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-02-28 12:52:24.701: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-02-28 12:52:24.701: debug: Signing completed after 1s.
2009-02-28 12:52:24.701: debug:
2009-02-28 12:52:24.701: debug: parsing zone "example.net." in dir "././example.net"
2009-02-28 12:52:24.701: debug: Check RFC5011 status
2009-02-28 12:52:24.701: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
2009-02-28 12:52:24.701: debug: Check ZSK status
2009-02-28 12:52:24.701: debug: Re-signing not necessary!
2009-02-28 12:52:24.701: debug: Check if there is a parent file to copy
2009-02-28 12:52:24.701: debug:
2009-02-28 12:52:24.701: notice: end of run: 0 errors occured
2009-02-28 12:53:08.325: notice: ------------------------------------------------------------
2009-02-28 12:53:08.325: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:53:48.858: notice: ------------------------------------------------------------
2009-02-28 12:53:48.858: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:54:09.878: notice: ------------------------------------------------------------
2009-02-28 12:54:09.878: notice: running ../../dnssec-signer -v -v -N named.conf
2009-02-28 12:54:09.885: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
2009-02-28 12:54:09.885: debug: Check RFC5011 status
2009-02-28 12:54:09.885: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-02-28 12:54:09.885: debug: Check KSK status
2009-02-28 12:54:09.886: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h58m41s
2009-02-28 12:54:09.886: debug: Check ZSK status
2009-02-28 12:54:09.886: debug: Re-signing not necessary!
2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy
2009-02-28 12:54:09.886: debug:
2009-02-28 12:54:09.886: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
2009-02-28 12:54:09.886: debug: Check RFC5011 status
2009-02-28 12:54:09.886: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
2009-02-28 12:54:09.886: debug: Check ZSK status
2009-02-28 12:54:09.886: debug: Re-signing not necessary!
2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy
2009-02-28 12:54:09.886: debug:
2009-02-28 12:54:09.886: notice: end of run: 0 errors occured
2009-02-28 12:55:02.579: notice: ------------------------------------------------------------
2009-02-28 12:55:02.579: notice: running ../../dnssec-signer -v -v -N named.conf
2009-03-03 19:13:47.524: notice: ------------------------------------------------------------
2009-03-03 19:13:47.524: notice: running ../../dnssec-signer -v -v -N named.conf
2009-03-03 19:13:47.532: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
2009-03-03 19:13:47.532: debug: Check RFC5011 status
2009-03-03 19:13:47.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-03 19:13:47.532: debug: Check KSK status
2009-03-03 19:13:47.533: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h18m19s
2009-03-03 19:13:47.533: debug: Check ZSK status
2009-03-03 19:13:47.533: debug: Lifetime(259200 +/-150 sec) of active key 4710 exceeded (283341 sec)
2009-03-03 19:13:47.533: debug: ->depreciate it
2009-03-03 19:13:47.533: debug: ->activate published key 32820
2009-03-03 19:13:47.533: notice: "sub.example.net.": lifetime of zone signing key 4710 exceeded: ZSK rollover done
2009-03-03 19:13:47.533: debug: New key for publishing needed
2009-03-03 19:13:48.366: debug: ->creating new key 49656
2009-03-03 19:13:48.366: info: "sub.example.net.": new key 49656 generated for publishing
2009-03-03 19:13:48.366: debug: Re-signing necessary: Modfied zone key set
2009-03-03 19:13:48.366: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-03-03 19:13:48.367: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net/dnskey.db"
2009-03-03 19:13:48.367: debug: Signing zone "sub.example.net."
2009-03-03 19:13:48.367: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net; /usr/local/sbin/dnssec-signzone -3 BCB121 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-03-03 19:13:48.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-03 19:13:48.543: debug: Signing completed after 0s.
2009-03-03 19:13:48.543: debug:
2009-03-03 19:13:48.543: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
2009-03-03 19:13:48.543: debug: Check RFC5011 status
2009-03-03 19:13:48.543: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
2009-03-03 19:13:48.543: debug: Check ZSK status
2009-03-03 19:13:48.543: debug: Re-signing necessary: re-signing interval (2d) reached
2009-03-03 19:13:48.543: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
2009-03-03 19:13:48.543: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/dnskey.db"
2009-03-03 19:13:48.544: debug: Incrementing serial number in file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/zone.db"
2009-03-03 19:13:48.544: debug: Signing zone "example.net."
2009-03-03 19:13:48.544: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-03-03 19:13:48.723: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-03 19:13:48.723: debug: Signing completed after 0s.
2009-03-03 19:13:48.723: debug:
2009-03-03 19:13:48.724: notice: end of run: 0 errors occured
2009-03-03 19:14:16.121: notice: ------------------------------------------------------------
2009-03-03 19:14:16.121: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf
2009-03-03 19:14:30.231: notice: ------------------------------------------------------------
2009-03-03 19:14:30.231: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf
2009-03-03 19:15:37.851: notice: ------------------------------------------------------------
2009-03-03 19:15:37.851: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf
2009-03-03 19:15:37.853: debug: parsing zone "sub.example.net." in dir "./././sub.example.net"
2009-03-03 19:15:37.853: debug: Check RFC5011 status
2009-03-03 19:15:37.853: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-03 19:15:37.853: debug: Check KSK status
2009-03-03 19:15:37.853: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m9s
2009-03-03 19:15:37.853: debug: Check ZSK status
2009-03-03 19:15:37.853: debug: Re-signing not necessary!
2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy
2009-03-03 19:15:37.853: debug:
2009-03-03 19:15:37.853: debug: parsing zone "example.net." in dir "./././example.net"
2009-03-03 19:15:37.853: debug: Check RFC5011 status
2009-03-03 19:15:37.853: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
2009-03-03 19:15:37.853: debug: Check ZSK status
2009-03-03 19:15:37.853: debug: Re-signing not necessary!
2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy
2009-03-03 19:15:37.853: debug:
2009-03-03 19:15:37.853: notice: end of run: 0 errors occured
2009-03-03 19:15:44.219: notice: ------------------------------------------------------------
2009-03-03 19:15:44.219: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf
2009-03-03 19:15:49.305: notice: ------------------------------------------------------------
2009-03-03 19:15:49.305: notice: running ../../dnssec-signer -v -v -N named.conf
2009-03-03 19:15:49.308: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-03-03 19:15:49.308: debug: Check RFC5011 status
2009-03-03 19:15:49.308: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-03 19:15:49.308: debug: Check KSK status
2009-03-03 19:15:49.309: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m21s
2009-03-03 19:15:49.309: debug: Check ZSK status
2009-03-03 19:15:49.309: debug: Re-signing not necessary!
2009-03-03 19:15:49.309: debug: Check if there is a parent file to copy
2009-03-03 19:15:49.309: debug:
2009-03-03 19:15:49.309: debug: parsing zone "example.net." in dir "././example.net"
2009-03-03 19:15:49.310: debug: Check RFC5011 status
2009-03-03 19:15:49.310: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
2009-03-03 19:15:49.310: debug: Check ZSK status
2009-03-03 19:15:49.310: debug: Re-signing not necessary!
2009-03-03 19:15:49.310: debug: Check if there is a parent file to copy
2009-03-03 19:15:49.310: debug:
2009-03-03 19:15:49.310: notice: end of run: 0 errors occured
2009-03-04 18:07:38.441: notice: ------------------------------------------------------------
2009-03-04 18:07:38.441: notice: running ../../dnssec-signer -v -v -N named.conf
2009-03-04 18:07:38.459: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-03-04 18:07:38.459: debug: Check RFC5011 status
2009-03-04 18:07:38.459: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-04 18:07:38.459: debug: Check KSK status
2009-03-04 18:07:38.459: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m10s
2009-03-04 18:07:38.459: debug: Check ZSK status
2009-03-04 18:07:38.459: debug: Lifetime(390 sec) of depreciated key 4710 exceeded (82431 sec)
2009-03-04 18:07:38.459: info: "sub.example.net.": old ZSK 4710 removed
2009-03-04 18:07:38.459: debug: ->remove it
2009-03-04 18:07:38.459: debug: Re-signing necessary: Modfied zone key set
2009-03-04 18:07:38.459: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-03-04 18:07:38.459: debug: Writing key file "././sub.example.net/dnskey.db"
2009-03-04 18:07:38.460: debug: Signing zone "sub.example.net."
2009-03-04 18:07:38.460: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 33B698 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-03-04 18:07:38.635: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-04 18:07:38.635: debug: Signing completed after 0s.
2009-03-04 18:07:38.635: debug:
2009-03-04 18:07:38.635: debug: parsing zone "example.net." in dir "././example.net"
2009-03-04 18:07:38.635: debug: Check RFC5011 status
2009-03-04 18:07:38.635: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
2009-03-04 18:07:38.636: debug: Check ZSK status
2009-03-04 18:07:38.636: debug: Re-signing not necessary!
2009-03-04 18:07:38.636: debug: Check if there is a parent file to copy
2009-03-04 18:07:38.636: debug:
2009-03-04 18:07:38.636: notice: end of run: 0 errors occured
2009-03-04 18:07:54.353: notice: ------------------------------------------------------------
2009-03-04 18:07:54.353: notice: running ../../dnssec-signer -r -v -v -N named.conf
2009-03-04 18:07:54.357: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-03-04 18:07:54.357: debug: Check RFC5011 status
2009-03-04 18:07:54.357: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-04 18:07:54.357: debug: Check KSK status
2009-03-04 18:07:54.357: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m26s
2009-03-04 18:07:54.357: debug: Check ZSK status
2009-03-04 18:07:54.357: debug: Re-signing not necessary!
2009-03-04 18:07:54.357: debug: Check if there is a parent file to copy
2009-03-04 18:07:54.357: debug:
2009-03-04 18:07:54.357: debug: parsing zone "example.net." in dir "././example.net"
2009-03-04 18:07:54.357: debug: Check RFC5011 status
2009-03-04 18:07:54.357: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
2009-03-04 18:07:54.358: debug: Check ZSK status
2009-03-04 18:07:54.358: debug: Re-signing not necessary!
2009-03-04 18:07:54.358: debug: Check if there is a parent file to copy
2009-03-04 18:07:54.358: debug:
2009-03-04 18:07:54.358: notice: end of run: 0 errors occured
2009-03-04 18:08:25.210: notice: ------------------------------------------------------------
2009-03-04 18:08:25.210: notice: running ../../dnssec-signer -r -v -v -N named.conf
2009-03-04 18:08:25.212: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-03-04 18:08:25.212: debug: Check RFC5011 status
2009-03-04 18:08:25.213: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-04 18:08:25.213: debug: Check KSK status
2009-03-04 18:08:25.213: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m57s
2009-03-04 18:08:25.213: debug: Check ZSK status
2009-03-04 18:08:25.213: debug: Re-signing not necessary!
2009-03-04 18:08:25.213: debug: Check if there is a parent file to copy
2009-03-04 18:08:25.213: debug:
2009-03-04 18:08:25.214: debug: parsing zone "example.net." in dir "././example.net"
2009-03-04 18:08:25.214: debug: Check RFC5011 status
2009-03-04 18:08:25.214: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
2009-03-04 18:08:25.214: debug: Check ZSK status
2009-03-04 18:08:25.214: debug: Re-signing not necessary!
2009-03-04 18:08:25.214: debug: Check if there is a parent file to copy
2009-03-04 18:08:25.214: debug:
2009-03-04 18:08:25.216: notice: end of run: 0 errors occured
2009-03-04 18:08:32.379: notice: ------------------------------------------------------------
2009-03-04 18:08:32.379: notice: running ../../dnssec-signer -f -v -v -N named.conf
2009-03-04 18:08:32.381: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-03-04 18:08:32.381: debug: Check RFC5011 status
2009-03-04 18:08:32.381: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-04 18:08:32.381: debug: Check KSK status
2009-03-04 18:08:32.381: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m4s
2009-03-04 18:08:32.381: debug: Check ZSK status
2009-03-04 18:08:32.381: debug: Re-signing necessary: Option -f
2009-03-04 18:08:32.381: notice: "sub.example.net.": re-signing triggered: Option -f
2009-03-04 18:08:32.381: debug: Writing key file "././sub.example.net/dnskey.db"
2009-03-04 18:08:32.382: debug: Signing zone "sub.example.net."
2009-03-04 18:08:32.382: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 2 -3 A0BEB8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-03-04 18:08:32.896: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-04 18:08:32.896: debug: Signing completed after 0s.
2009-03-04 18:08:32.896: debug:
2009-03-04 18:08:32.896: debug: parsing zone "example.net." in dir "././example.net"
2009-03-04 18:08:32.896: debug: Check RFC5011 status
2009-03-04 18:08:32.896: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
2009-03-04 18:08:32.896: debug: Check ZSK status
2009-03-04 18:08:32.896: debug: Re-signing necessary: Option -f
2009-03-04 18:08:32.896: notice: "example.net.": re-signing triggered: Option -f
2009-03-04 18:08:32.896: debug: Writing key file "././example.net/dnskey.db"
2009-03-04 18:08:32.897: debug: Incrementing serial number in file "././example.net/zone.db"
2009-03-04 18:08:32.897: debug: Signing zone "example.net."
2009-03-04 18:08:32.897: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 2 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-03-04 18:08:33.042: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-04 18:08:33.042: debug: Signing completed after 1s.
2009-03-04 18:08:33.042: debug:
2009-03-04 18:08:33.043: notice: end of run: 0 errors occured
2009-03-04 18:08:46.381: notice: ------------------------------------------------------------
2009-03-04 18:08:46.381: notice: running ../../dnssec-signer -f -v -v -N named.conf
2009-03-04 18:08:46.385: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-03-04 18:08:46.385: debug: Check RFC5011 status
2009-03-04 18:08:46.385: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-04 18:08:46.385: debug: Check KSK status
2009-03-04 18:08:46.385: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m18s
2009-03-04 18:08:46.385: debug: Check ZSK status
2009-03-04 18:08:46.385: debug: Re-signing necessary: Option -f
2009-03-04 18:08:46.385: notice: "sub.example.net.": re-signing triggered: Option -f
2009-03-04 18:08:46.385: debug: Writing key file "././sub.example.net/dnskey.db"
2009-03-04 18:08:46.386: debug: Signing zone "sub.example.net."
2009-03-04 18:08:46.386: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 1864E1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-03-04 18:08:46.990: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-04 18:08:46.991: debug: Signing completed after 0s.
2009-03-04 18:08:46.991: debug:
2009-03-04 18:08:46.991: debug: parsing zone "example.net." in dir "././example.net"
2009-03-04 18:08:46.991: debug: Check RFC5011 status
2009-03-04 18:08:46.991: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
2009-03-04 18:08:46.991: debug: Check ZSK status
2009-03-04 18:08:46.991: debug: Re-signing necessary: Option -f
2009-03-04 18:08:46.991: notice: "example.net.": re-signing triggered: Option -f
2009-03-04 18:08:46.991: debug: Writing key file "././example.net/dnskey.db"
2009-03-04 18:08:46.992: debug: Incrementing serial number in file "././example.net/zone.db"
2009-03-04 18:08:46.992: debug: Signing zone "example.net."
2009-03-04 18:08:46.993: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 0 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-03-04 18:08:47.149: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-04 18:08:47.149: debug: Signing completed after 1s.
2009-03-04 18:08:47.149: debug:
2009-03-04 18:08:47.149: notice: end of run: 0 errors occured
2009-03-04 18:08:59.141: notice: ------------------------------------------------------------
2009-03-04 18:08:59.141: notice: running ../../dnssec-signer -f -v -v -N named.conf
2009-03-04 18:08:59.145: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
2009-03-04 18:08:59.145: debug: Check RFC5011 status
2009-03-04 18:08:59.145: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-03-04 18:08:59.145: debug: Check KSK status
2009-03-04 18:08:59.145: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m31s
2009-03-04 18:08:59.145: debug: Check ZSK status
2009-03-04 18:08:59.145: debug: Re-signing necessary: Option -f
2009-03-04 18:08:59.146: notice: "sub.example.net.": re-signing triggered: Option -f
2009-03-04 18:08:59.146: debug: Writing key file "././sub.example.net/dnskey.db"
2009-03-04 18:08:59.146: debug: Signing zone "sub.example.net."
2009-03-04 18:08:59.146: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 945691 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-03-04 18:09:00.082: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-04 18:09:00.082: debug: Signing completed after 1s.
2009-03-04 18:09:00.082: debug:
2009-03-04 18:09:00.083: debug: parsing zone "example.net." in dir "././example.net"
2009-03-04 18:09:00.083: debug: Check RFC5011 status
2009-03-04 18:09:00.083: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
2009-03-04 18:09:00.083: debug: Check ZSK status
2009-03-04 18:09:00.083: debug: Re-signing necessary: Option -f
2009-03-04 18:09:00.083: notice: "example.net.": re-signing triggered: Option -f
2009-03-04 18:09:00.083: debug: Writing key file "././example.net/dnskey.db"
2009-03-04 18:09:00.084: debug: Incrementing serial number in file "././example.net/zone.db"
2009-03-04 18:09:00.084: debug: Signing zone "example.net."
2009-03-04 18:09:00.084: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-03-04 18:09:00.238: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-03-04 18:09:00.238: debug: Signing completed after 0s.
2009-03-04 18:09:00.238: debug:
2009-03-04 18:09:00.238: notice: end of run: 0 errors occured
2009-06-15 09:58:41.205: notice: ------------------------------------------------------------
2009-06-15 09:58:41.205: notice: running ../../dnssec-signer -v -v
2009-06-15 09:58:41.226: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-15 09:58:41.226: debug: Check RFC5011 status
2009-06-15 09:58:41.226: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-15 09:58:41.226: debug: Check KSK status
2009-06-15 09:58:41.227: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w3d9h3m13s
2009-06-15 09:58:41.227: debug: Check ZSK status
2009-06-15 09:58:41.227: debug: Lifetime(259200 +/-150 sec) of active key 32820 exceeded (8948694 sec)
2009-06-15 09:58:41.227: debug: ->depreciate it
2009-06-15 09:58:41.227: debug: ->activate published key 49656
2009-06-15 09:58:41.227: notice: "sub.example.net.": lifetime of zone signing key 32820 exceeded: ZSK rollover done
2009-06-15 09:58:41.227: debug: New key for publishing needed
2009-06-15 09:58:41.346: debug: ->creating new key 37135
2009-06-15 09:58:41.346: info: "sub.example.net.": new key 37135 generated for publishing
2009-06-15 09:58:41.346: debug: Re-signing necessary: Modfied zone key set
2009-06-15 09:58:41.346: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-06-15 09:58:41.346: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-15 09:58:41.346: debug: Signing zone "sub.example.net."
2009-06-15 09:58:41.346: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 11D7FD -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-15 09:58:41.399: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-15 09:58:41.399: debug: Signing completed after 0s.
2009-06-15 09:58:41.399: debug:
2009-06-15 09:58:41.399: debug: parsing zone "example.net." in dir "./example.net"
2009-06-15 09:58:41.399: debug: Check RFC5011 status
2009-06-15 09:58:41.399: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
2009-06-15 09:58:41.399: debug: Remove revoked key 1764 which is older than 30 days
2009-06-15 09:58:41.400: notice: zone "example.net.": removing revoked key 1764
2009-06-15 09:58:41.400: debug: Check ZSK status
2009-06-15 09:58:41.400: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14547793 sec)
2009-06-15 09:58:41.400: debug: ->waiting for published key
2009-06-15 09:58:41.400: notice: "example.net.": lifetime of zone signing key 4157 exceeded since 11w1d9h3m13s: ZSK rollover deferred: waiting for published key
2009-06-15 09:58:41.400: debug: New key for publishing needed
2009-06-15 09:58:41.499: debug: ->creating new key 34925
2009-06-15 09:58:41.499: info: "example.net.": new key 34925 generated for publishing
2009-06-15 09:58:41.499: debug: Re-signing necessary: Modfied zone key set
2009-06-15 09:58:41.499: notice: "example.net.": re-signing triggered: Modfied zone key set
2009-06-15 09:58:41.499: debug: Writing key file "./example.net/dnskey.db"
2009-06-15 09:58:41.499: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-15 09:58:41.499: debug: Signing zone "example.net."
2009-06-15 09:58:41.499: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-06-15 09:58:41.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-15 09:58:41.543: debug: Signing completed after 0s.
2009-06-15 09:58:41.543: debug:
2009-06-15 09:58:41.543: notice: end of run: 0 errors occured
2009-06-17 16:36:16.761: notice: ------------------------------------------------------------
2009-06-17 16:36:16.761: notice: running ../../dnssec-signer -v -v
2009-06-17 16:36:16.792: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-17 16:36:16.792: debug: Check RFC5011 status
2009-06-17 16:36:16.792: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-17 16:36:16.792: debug: Check KSK status
2009-06-17 16:36:16.792: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w5d15h40m48s
2009-06-17 16:36:16.792: debug: Check ZSK status
2009-06-17 16:36:16.792: debug: Lifetime(390 sec) of depreciated key 32820 exceeded (196655 sec)
2009-06-17 16:36:16.792: info: "sub.example.net.": old ZSK 32820 removed
2009-06-17 16:36:16.792: debug: ->remove it
2009-06-17 16:36:16.792: debug: Re-signing necessary: Modfied zone key set
2009-06-17 16:36:16.792: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-06-17 16:36:16.792: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-17 16:36:16.793: debug: Signing zone "sub.example.net."
2009-06-17 16:36:16.793: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 4214E6 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-17 16:36:16.984: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-17 16:36:16.984: debug: Signing completed after 0s.
2009-06-17 16:36:16.984: debug:
2009-06-17 16:36:16.984: debug: parsing zone "example.net." in dir "./example.net"
2009-06-17 16:36:16.984: debug: Check RFC5011 status
2009-06-17 16:36:16.984: debug: Check ZSK status
2009-06-17 16:36:16.984: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14744448 sec)
2009-06-17 16:36:16.984: debug: ->depreciate it
2009-06-17 16:36:16.984: debug: ->activate published key 34925
2009-06-17 16:36:16.984: notice: "example.net.": lifetime of zone signing key 4157 exceeded: ZSK rollover done
2009-06-17 16:36:16.984: debug: Re-signing necessary: Modfied zone key set
2009-06-17 16:36:16.984: notice: "example.net.": re-signing triggered: Modfied zone key set
2009-06-17 16:36:16.984: debug: Writing key file "./example.net/dnskey.db"
2009-06-17 16:36:16.985: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-17 16:36:16.985: debug: Signing zone "example.net."
2009-06-17 16:36:16.985: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-06-17 16:36:17.102: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-17 16:36:17.102: debug: Signing completed after 1s.
2009-06-17 16:36:17.102: debug:
2009-06-17 16:36:17.102: notice: end of run: 0 errors occured
2009-06-24 16:33:27.617: notice: ------------------------------------------------------------
2009-06-24 16:33:27.617: notice: running ../../dnssec-signer -v -v
2009-06-24 16:33:27.619: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:33:27.619: debug: Check RFC5011 status
2009-06-24 16:33:27.620: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:33:27.620: debug: Check KSK status
2009-06-24 16:33:27.620: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 16w5d15h37m59s
2009-06-24 16:33:27.620: debug: Check ZSK status
2009-06-24 16:33:27.620: debug: Lifetime(259200 +/-150 sec) of active key 49656 exceeded (801286 sec)
2009-06-24 16:33:27.620: debug: ->depreciate it
2009-06-24 16:33:27.620: debug: ->activate published key 37135
2009-06-24 16:33:27.620: notice: "sub.example.net.": lifetime of zone signing key 49656 exceeded: ZSK rollover done
2009-06-24 16:33:27.620: debug: New key for publishing needed
2009-06-24 16:33:27.751: debug: ->creating new key 25272
2009-06-24 16:33:27.751: info: "sub.example.net.": new key 25272 generated for publishing
2009-06-24 16:33:27.751: debug: Re-signing necessary: Modfied zone key set
2009-06-24 16:33:27.751: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-06-24 16:33:27.751: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:33:27.751: debug: Signing zone "sub.example.net."
2009-06-24 16:33:27.751: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50C9C8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-24 16:33:27.859: error: "sub.example.net.": signing failed!
2009-06-24 16:33:27.859: debug: Signing completed after 0s.
2009-06-24 16:33:27.859: debug:
2009-06-24 16:33:27.859: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:33:27.859: debug: Check RFC5011 status
2009-06-24 16:33:27.859: debug: Check ZSK status
2009-06-24 16:33:27.859: debug: Lifetime(29100 sec) of depreciated key 4157 exceeded (604631 sec)
2009-06-24 16:33:27.859: info: "example.net.": old ZSK 4157 removed
2009-06-24 16:33:27.860: debug: ->remove it
2009-06-24 16:33:27.860: debug: Re-signing necessary: Modfied zone key set
2009-06-24 16:33:27.860: notice: "example.net.": re-signing triggered: Modfied zone key set
2009-06-24 16:33:27.860: debug: Writing key file "./example.net/dnskey.db"
2009-06-24 16:33:27.860: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-24 16:33:27.860: debug: Signing zone "example.net."
2009-06-24 16:33:27.860: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-06-24 16:33:27.966: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 16:33:27.966: debug: Signing completed after 0s.
2009-06-24 16:33:27.966: debug:
2009-06-24 16:33:27.966: notice: end of run: 1 error occured
2009-06-24 16:42:06.709: notice: ------------------------------------------------------------
2009-06-24 16:42:06.709: notice: running ../../dnssec-signer -v -v
2009-06-24 16:42:06.711: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:42:06.711: debug: Check RFC5011 status
2009-06-24 16:42:06.711: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:42:06.711: debug: Check KSK status
2009-06-24 16:42:06.711: debug: No active KSK found: generate new one
2009-06-24 16:42:06.855: info: "sub.example.net.": generated new KSK 48516
2009-06-24 16:42:06.855: debug: Check ZSK status
2009-06-24 16:42:06.855: debug: No active ZSK found: generate new one
2009-06-24 16:42:06.883: info: "sub.example.net.": generated new ZSK 33383
2009-06-24 16:42:06.883: debug: Re-signing necessary: Modfied zone key set
2009-06-24 16:42:06.883: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-06-24 16:42:06.883: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:42:06.883: debug: Signing zone "sub.example.net."
2009-06-24 16:42:06.883: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-24 16:42:06.905: error: "sub.example.net.": signing failed!
2009-06-24 16:42:06.905: debug: Signing completed after 0s.
2009-06-24 16:42:06.905: debug:
2009-06-24 16:42:06.905: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:42:06.905: debug: Check RFC5011 status
2009-06-24 16:42:06.905: debug: Check ZSK status
2009-06-24 16:42:06.905: debug: Re-signing not necessary!
2009-06-24 16:42:06.905: debug: Check if there is a parent file to copy
2009-06-24 16:42:06.905: debug:
2009-06-24 16:42:06.905: notice: end of run: 1 error occured
2009-06-24 16:42:31.402: notice: ------------------------------------------------------------
2009-06-24 16:42:31.402: notice: running ../../dnssec-signer -v -v
2009-06-24 16:42:31.404: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:42:31.404: debug: Check RFC5011 status
2009-06-24 16:42:31.404: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:42:31.404: debug: Check KSK status
2009-06-24 16:42:31.404: debug: Check ZSK status
2009-06-24 16:42:31.404: debug: Re-signing necessary: Modified keys
2009-06-24 16:42:31.405: notice: "sub.example.net.": re-signing triggered: Modified keys
2009-06-24 16:42:31.405: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:42:31.405: debug: Signing zone "sub.example.net."
2009-06-24 16:42:31.405: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-24 16:42:31.449: error: "sub.example.net.": signing failed!
2009-06-24 16:42:31.450: debug: Signing completed after 0s.
2009-06-24 16:42:31.450: debug:
2009-06-24 16:42:31.450: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:42:31.450: debug: Check RFC5011 status
2009-06-24 16:42:31.450: debug: Check ZSK status
2009-06-24 16:42:31.450: debug: Re-signing not necessary!
2009-06-24 16:42:31.450: debug: Check if there is a parent file to copy
2009-06-24 16:42:31.450: debug:
2009-06-24 16:42:31.450: notice: end of run: 1 error occured
2009-06-24 16:42:48.193: notice: ------------------------------------------------------------
2009-06-24 16:42:48.193: notice: running ../../dnssec-signer -v -v
2009-06-24 16:42:48.195: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:42:48.195: debug: Check RFC5011 status
2009-06-24 16:42:48.195: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:42:48.195: debug: Check KSK status
2009-06-24 16:42:48.195: debug: Check ZSK status
2009-06-24 16:42:48.195: debug: Re-signing necessary: Modified keys
2009-06-24 16:42:48.195: notice: "sub.example.net.": re-signing triggered: Modified keys
2009-06-24 16:42:48.195: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:42:48.195: debug: Signing zone "sub.example.net."
2009-06-24 16:42:48.195: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 F46ADF -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-24 16:42:48.212: error: "sub.example.net.": signing failed!
2009-06-24 16:42:48.212: debug: Signing completed after 0s.
2009-06-24 16:42:48.212: debug:
2009-06-24 16:42:48.212: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:42:48.212: debug: Check RFC5011 status
2009-06-24 16:42:48.212: debug: Check ZSK status
2009-06-24 16:42:48.212: debug: Re-signing not necessary!
2009-06-24 16:42:48.212: debug: Check if there is a parent file to copy
2009-06-24 16:42:48.212: debug:
2009-06-24 16:42:48.212: notice: end of run: 1 error occured
2009-06-24 16:44:22.959: notice: ------------------------------------------------------------
2009-06-24 16:44:22.959: notice: running ../../dnssec-signer -v -v
2009-06-24 16:44:22.961: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:44:22.961: debug: Check RFC5011 status
2009-06-24 16:44:22.961: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:44:22.961: debug: Check KSK status
2009-06-24 16:44:22.961: debug: Check ZSK status
2009-06-24 16:44:22.961: debug: No active ZSK found: generate new one
2009-06-24 16:44:23.008: info: "sub.example.net.": generated new ZSK 14600
2009-06-24 16:44:23.008: debug: Re-signing necessary: Modfied zone key set
2009-06-24 16:44:23.008: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-06-24 16:44:23.009: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:44:23.009: debug: Signing zone "sub.example.net."
2009-06-24 16:44:23.009: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86BF2F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-24 16:44:23.040: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 16:44:23.040: debug: Signing completed after 0s.
2009-06-24 16:44:23.040: debug:
2009-06-24 16:44:23.040: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:44:23.040: debug: Check RFC5011 status
2009-06-24 16:44:23.040: debug: Check ZSK status
2009-06-24 16:44:23.040: debug: Re-signing not necessary!
2009-06-24 16:44:23.040: debug: Check if there is a parent file to copy
2009-06-24 16:44:23.040: debug:
2009-06-24 16:44:23.040: notice: end of run: 0 errors occured
2009-06-24 16:50:36.189: notice: ------------------------------------------------------------
2009-06-24 16:50:36.189: notice: running ../../dnssec-signer -v -v
2009-06-24 16:50:36.191: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:50:36.191: debug: Check RFC5011 status
2009-06-24 16:50:36.191: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:50:36.191: debug: Check KSK status
2009-06-24 16:50:36.192: debug: Check ZSK status
2009-06-24 16:50:36.192: debug: Re-signing not necessary!
2009-06-24 16:50:36.192: debug: Check if there is a parent file to copy
2009-06-24 16:50:36.192: debug:
2009-06-24 16:50:36.192: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:50:36.192: debug: Check RFC5011 status
2009-06-24 16:50:36.192: debug: Check ZSK status
2009-06-24 16:50:36.193: debug: Re-signing not necessary!
2009-06-24 16:50:36.193: debug: Check if there is a parent file to copy
2009-06-24 16:50:36.193: debug:
2009-06-24 16:50:36.193: notice: end of run: 0 errors occured
2009-06-24 16:50:42.877: notice: ------------------------------------------------------------
2009-06-24 16:50:42.877: notice: running ../../dnssec-signer -v -v -f
2009-06-24 16:50:42.879: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:50:42.879: debug: Check RFC5011 status
2009-06-24 16:50:42.879: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:50:42.879: debug: Check KSK status
2009-06-24 16:50:42.879: debug: Check ZSK status
2009-06-24 16:50:42.879: debug: Re-signing necessary: Option -f
2009-06-24 16:50:42.879: notice: "sub.example.net.": re-signing triggered: Option -f
2009-06-24 16:50:42.879: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:50:42.879: debug: Signing zone "sub.example.net."
2009-06-24 16:50:42.879: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 FB37DB -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-24 16:50:42.932: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 16:50:42.932: debug: Signing completed after 0s.
2009-06-24 16:50:42.932: debug:
2009-06-24 16:50:42.932: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:50:42.932: debug: Check RFC5011 status
2009-06-24 16:50:42.932: debug: Check ZSK status
2009-06-24 16:50:42.932: debug: Re-signing necessary: Option -f
2009-06-24 16:50:42.932: notice: "example.net.": re-signing triggered: Option -f
2009-06-24 16:50:42.932: debug: Writing key file "./example.net/dnskey.db"
2009-06-24 16:50:42.933: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-24 16:50:42.933: debug: Signing zone "example.net."
2009-06-24 16:50:42.933: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-06-24 16:50:42.978: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 16:50:42.978: debug: Signing completed after 0s.
2009-06-24 16:50:42.978: debug:
2009-06-24 16:50:42.979: notice: end of run: 0 errors occured
2009-06-24 16:50:51.923: notice: ------------------------------------------------------------
2009-06-24 16:50:51.923: notice: running ../../dnssec-signer -v -v -f
2009-06-24 16:50:51.924: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:50:51.924: debug: Check RFC5011 status
2009-06-24 16:50:51.924: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:50:51.924: debug: Check KSK status
2009-06-24 16:50:51.924: debug: Check ZSK status
2009-06-24 16:50:51.925: debug: Re-signing necessary: Option -f
2009-06-24 16:50:51.925: notice: "sub.example.net.": re-signing triggered: Option -f
2009-06-24 16:50:51.925: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:50:51.925: debug: Signing zone "sub.example.net."
2009-06-24 16:50:51.925: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E830EA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-24 16:50:51.972: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 16:50:51.973: debug: Signing completed after 0s.
2009-06-24 16:50:51.973: debug:
2009-06-24 16:50:51.973: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:50:51.973: debug: Check RFC5011 status
2009-06-24 16:50:51.973: debug: Check ZSK status
2009-06-24 16:50:51.973: debug: Re-signing necessary: Option -f
2009-06-24 16:50:51.973: notice: "example.net.": re-signing triggered: Option -f
2009-06-24 16:50:51.973: debug: Writing key file "./example.net/dnskey.db"
2009-06-24 16:50:51.973: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-24 16:50:51.973: debug: Signing zone "example.net."
2009-06-24 16:50:51.973: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-06-24 16:50:52.017: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 16:50:52.017: debug: Signing completed after 1s.
2009-06-24 16:50:52.017: debug:
2009-06-24 16:50:52.017: notice: end of run: 0 errors occured
2009-06-24 16:51:19.914: notice: ------------------------------------------------------------
2009-06-24 16:51:19.914: notice: running ../../dnssec-signer -v -v -f
2009-06-24 16:51:19.916: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:51:19.916: debug: Check RFC5011 status
2009-06-24 16:51:19.916: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:51:19.916: debug: Check KSK status
2009-06-24 16:51:19.916: debug: Check ZSK status
2009-06-24 16:51:19.916: debug: Re-signing necessary: Option -f
2009-06-24 16:51:19.916: notice: "sub.example.net.": re-signing triggered: Option -f
2009-06-24 16:51:19.916: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:51:19.917: debug: Signing zone "sub.example.net."
2009-06-24 16:51:19.917: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 8DBC26 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
2009-06-24 16:51:19.969: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 16:51:19.969: debug: Signing completed after 0s.
2009-06-24 16:51:19.969: debug:
2009-06-24 16:51:19.969: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:51:19.969: debug: Check RFC5011 status
2009-06-24 16:51:19.969: debug: Check ZSK status
2009-06-24 16:51:19.969: debug: Re-signing necessary: Option -f
2009-06-24 16:51:19.969: notice: "example.net.": re-signing triggered: Option -f
2009-06-24 16:51:19.969: debug: Writing key file "./example.net/dnskey.db"
2009-06-24 16:51:19.969: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-24 16:51:19.969: debug: Signing zone "example.net."
2009-06-24 16:51:19.969: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
2009-06-24 16:51:20.018: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 16:51:20.018: debug: Signing completed after 1s.
2009-06-24 16:51:20.018: debug:
2009-06-24 16:51:20.018: notice: end of run: 0 errors occured
2009-06-24 16:55:38.094: notice: ------------------------------------------------------------
2009-06-24 16:55:38.094: notice: running ../../dnssec-signer -v -v -f
2009-06-24 16:55:38.096: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 16:55:38.096: debug: Check RFC5011 status
2009-06-24 16:55:38.096: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 16:55:38.096: debug: Check KSK status
2009-06-24 16:55:38.096: debug: Check ZSK status
2009-06-24 16:55:38.096: debug: Re-signing necessary: Option -f
2009-06-24 16:55:38.096: notice: "sub.example.net.": re-signing triggered: Option -f
2009-06-24 16:55:38.096: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 16:55:38.097: debug: Signing zone "sub.example.net."
2009-06-24 16:55:38.097: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 69AB8E -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
2009-06-24 16:55:38.144: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: NSEC3RSASHA1."
2009-06-24 16:55:38.144: debug: Signing completed after 0s.
2009-06-24 16:55:38.144: debug:
2009-06-24 16:55:38.144: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 16:55:38.144: debug: Check RFC5011 status
2009-06-24 16:55:38.144: debug: Check ZSK status
2009-06-24 16:55:38.144: debug: Re-signing necessary: Option -f
2009-06-24 16:55:38.144: notice: "example.net.": re-signing triggered: Option -f
2009-06-24 16:55:38.144: debug: Writing key file "./example.net/dnskey.db"
2009-06-24 16:55:38.144: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-24 16:55:38.144: debug: Signing zone "example.net."
2009-06-24 16:55:38.144: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2009-06-24 16:55:38.182: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: RSASHA1."
2009-06-24 16:55:38.182: debug: Signing completed after 0s.
2009-06-24 16:55:38.182: debug:
2009-06-24 16:55:38.182: notice: end of run: 0 errors occured
2009-06-24 17:12:06.145: notice: ------------------------------------------------------------
2009-06-24 17:12:06.145: notice: running ../../dnssec-signer -v -v -f
2009-06-24 17:12:06.147: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-24 17:12:06.147: debug: Check RFC5011 status
2009-06-24 17:12:06.147: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-24 17:12:06.147: debug: Check KSK status
2009-06-24 17:12:06.147: debug: Check ZSK status
2009-06-24 17:12:06.147: debug: Re-signing necessary: Option -f
2009-06-24 17:12:06.147: notice: "sub.example.net.": re-signing triggered: Option -f
2009-06-24 17:12:06.147: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-24 17:12:06.147: debug: Signing zone "sub.example.net."
2009-06-24 17:12:06.147: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 589BFC -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
2009-06-24 17:12:06.204: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 17:12:06.204: debug: Signing completed after 0s.
2009-06-24 17:12:06.204: debug:
2009-06-24 17:12:06.204: debug: parsing zone "example.net." in dir "./example.net"
2009-06-24 17:12:06.204: debug: Check RFC5011 status
2009-06-24 17:12:06.204: debug: Check ZSK status
2009-06-24 17:12:06.204: debug: Re-signing necessary: Option -f
2009-06-24 17:12:06.205: notice: "example.net.": re-signing triggered: Option -f
2009-06-24 17:12:06.205: debug: Writing key file "./example.net/dnskey.db"
2009-06-24 17:12:06.205: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-24 17:12:06.205: debug: Signing zone "example.net."
2009-06-24 17:12:06.205: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2009-06-24 17:12:06.259: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-24 17:12:06.259: debug: Signing completed after 0s.
2009-06-24 17:12:06.259: debug:
2009-06-24 17:12:06.259: notice: end of run: 0 errors occured
2009-06-30 11:35:09.298: notice: ------------------------------------------------------------
2009-06-30 11:35:09.298: notice: running ../../dnssec-signer -v -v
2009-06-30 11:35:09.326: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-30 11:35:09.326: debug: Check RFC5011 status
2009-06-30 11:35:09.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-30 11:35:09.326: debug: Check KSK status
2009-06-30 11:35:09.326: debug: Check ZSK status
2009-06-30 11:35:09.326: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (499847 sec)
2009-06-30 11:35:09.326: debug: ->waiting for published key
2009-06-30 11:35:09.326: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d18h50m47s: ZSK rollover deferred: waiting for published key
2009-06-30 11:35:09.326: debug: New key for publishing needed
2009-06-30 11:35:09.482: debug: ->creating new key 32345
2009-06-30 11:35:09.482: info: "sub.example.net.": new key 32345 generated for publishing
2009-06-30 11:35:09.482: debug: Re-signing necessary: Modfied zone key set
2009-06-30 11:35:09.483: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-06-30 11:35:09.483: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-30 11:35:09.483: debug: Signing zone "sub.example.net."
2009-06-30 11:35:09.483: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E84B0F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
2009-06-30 11:35:09.838: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-30 11:35:09.838: debug: Signing completed after 0s.
2009-06-30 11:35:09.838: debug:
2009-06-30 11:35:09.838: debug: parsing zone "example.net." in dir "./example.net"
2009-06-30 11:35:09.838: debug: Check RFC5011 status
2009-06-30 11:35:09.838: debug: Check ZSK status
2009-06-30 11:35:09.838: debug: New key for publishing needed
2009-06-30 11:35:09.896: debug: ->creating new key 48089
2009-06-30 11:35:09.896: info: "example.net.": new key 48089 generated for publishing
2009-06-30 11:35:09.896: debug: Re-signing necessary: Modfied zone key set
2009-06-30 11:35:09.897: notice: "example.net.": re-signing triggered: Modfied zone key set
2009-06-30 11:35:09.897: debug: Writing key file "./example.net/dnskey.db"
2009-06-30 11:35:09.897: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-30 11:35:09.897: debug: Signing zone "example.net."
2009-06-30 11:35:09.897: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2009-06-30 11:35:09.997: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-30 11:35:09.997: debug: Signing completed after 0s.
2009-06-30 11:35:09.997: debug:
2009-06-30 11:35:09.997: notice: end of run: 0 errors occured
2009-06-30 12:01:53.878: notice: ------------------------------------------------------------
2009-06-30 12:01:53.878: notice: running ../../dnssec-signer -v -v
2009-06-30 12:01:53.880: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-30 12:01:53.881: debug: Check RFC5011 status
2009-06-30 12:01:53.881: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-30 12:01:53.881: debug: Check KSK status
2009-06-30 12:01:53.881: debug: Check ZSK status
2009-06-30 12:01:53.881: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501451 sec)
2009-06-30 12:01:53.881: debug: ->waiting for published key
2009-06-30 12:01:53.881: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m31s: ZSK rollover deferred: waiting for published key
2009-06-30 12:01:53.881: debug: Re-signing not necessary!
2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy
2009-06-30 12:01:53.881: debug:
2009-06-30 12:01:53.881: debug: parsing zone "example.net." in dir "./example.net"
2009-06-30 12:01:53.881: debug: Check RFC5011 status
2009-06-30 12:01:53.881: debug: Check ZSK status
2009-06-30 12:01:53.881: debug: Re-signing not necessary!
2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy
2009-06-30 12:01:53.881: debug:
2009-06-30 12:01:53.881: notice: end of run: 0 errors occured
2009-06-30 12:02:05.490: notice: ------------------------------------------------------------
2009-06-30 12:02:05.490: notice: running ../../dnssec-signer -f -v -v
2009-06-30 12:02:05.492: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-30 12:02:05.492: debug: Check RFC5011 status
2009-06-30 12:02:05.492: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-30 12:02:05.492: debug: Check KSK status
2009-06-30 12:02:05.492: debug: Check ZSK status
2009-06-30 12:02:05.492: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501463 sec)
2009-06-30 12:02:05.492: debug: ->waiting for published key
2009-06-30 12:02:05.492: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m43s: ZSK rollover deferred: waiting for published key
2009-06-30 12:02:05.492: debug: Re-signing necessary: Option -f
2009-06-30 12:02:05.492: notice: "sub.example.net.": re-signing triggered: Option -f
2009-06-30 12:02:05.492: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-30 12:02:05.492: debug: Signing zone "sub.example.net."
2009-06-30 12:02:05.492: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50B303 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
2009-06-30 12:02:05.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-30 12:02:05.543: debug: Signing completed after 0s.
2009-06-30 12:02:05.543: debug:
2009-06-30 12:02:05.543: debug: parsing zone "example.net." in dir "./example.net"
2009-06-30 12:02:05.543: debug: Check RFC5011 status
2009-06-30 12:02:05.543: debug: Check ZSK status
2009-06-30 12:02:05.543: debug: Re-signing necessary: Option -f
2009-06-30 12:02:05.543: notice: "example.net.": re-signing triggered: Option -f
2009-06-30 12:02:05.543: debug: Writing key file "./example.net/dnskey.db"
2009-06-30 12:02:05.544: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-30 12:02:05.544: debug: Signing zone "example.net."
2009-06-30 12:02:05.544: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2009-06-30 12:02:05.602: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-30 12:02:05.602: debug: Signing completed after 0s.
2009-06-30 12:02:05.602: debug:
2009-06-30 12:02:05.602: notice: end of run: 0 errors occured
2009-06-30 13:02:04.436: notice: ------------------------------------------------------------
2009-06-30 13:02:04.436: notice: running ../../dnssec-signer -v -v
2009-06-30 13:02:04.438: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-30 13:02:04.438: debug: Check RFC5011 status
2009-06-30 13:02:04.438: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-30 13:02:04.438: debug: Check KSK status
2009-06-30 13:02:04.438: debug: Check ZSK status
2009-06-30 13:02:04.438: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (505062 sec)
2009-06-30 13:02:04.438: debug: ->depreciate it
2009-06-30 13:02:04.439: debug: ->activate published key 32345
2009-06-30 13:02:04.439: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded: ZSK rollover done
2009-06-30 13:02:04.439: debug: Re-signing necessary: Modfied zone key set
2009-06-30 13:02:04.439: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2009-06-30 13:02:04.439: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-30 13:02:04.439: debug: Signing zone "sub.example.net."
2009-06-30 13:02:04.439: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 0140D2 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
2009-06-30 13:02:04.491: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-30 13:02:04.491: debug: Signing completed after 0s.
2009-06-30 13:02:04.491: debug:
2009-06-30 13:02:04.491: debug: parsing zone "example.net." in dir "./example.net"
2009-06-30 13:02:04.491: debug: Check RFC5011 status
2009-06-30 13:02:04.491: debug: Check ZSK status
2009-06-30 13:02:04.491: debug: Re-signing not necessary!
2009-06-30 13:02:04.491: debug: Check if there is a parent file to copy
2009-06-30 13:02:04.491: debug:
2009-06-30 13:02:04.491: notice: end of run: 0 errors occured
2009-06-30 13:02:21.019: notice: ------------------------------------------------------------
2009-06-30 13:02:21.019: notice: running ../../dnssec-signer -f -v -v
2009-06-30 13:02:21.021: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
2009-06-30 13:02:21.021: debug: Check RFC5011 status
2009-06-30 13:02:21.021: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2009-06-30 13:02:21.021: debug: Check KSK status
2009-06-30 13:02:21.021: debug: Check ZSK status
2009-06-30 13:02:21.022: debug: Re-signing necessary: Option -f
2009-06-30 13:02:21.022: notice: "sub.example.net.": re-signing triggered: Option -f
2009-06-30 13:02:21.022: debug: Writing key file "./sub.example.net/dnskey.db"
2009-06-30 13:02:21.022: debug: Signing zone "sub.example.net."
2009-06-30 13:02:21.022: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86F43F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
2009-06-30 13:02:21.070: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-30 13:02:21.070: debug: Signing completed after 0s.
2009-06-30 13:02:21.070: debug:
2009-06-30 13:02:21.070: debug: parsing zone "example.net." in dir "./example.net"
2009-06-30 13:02:21.070: debug: Check RFC5011 status
2009-06-30 13:02:21.070: debug: Check ZSK status
2009-06-30 13:02:21.070: debug: Re-signing necessary: Option -f
2009-06-30 13:02:21.070: notice: "example.net.": re-signing triggered: Option -f
2009-06-30 13:02:21.071: debug: Writing key file "./example.net/dnskey.db"
2009-06-30 13:02:21.071: debug: Incrementing serial number in file "./example.net/zone.db"
2009-06-30 13:02:21.071: debug: Signing zone "example.net."
2009-06-30 13:02:21.071: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
2009-06-30 13:02:21.121: debug: Cmd dnssec-signzone return: "zone.db.signed"
2009-06-30 13:02:21.121: debug: Signing completed after 0s.
2009-06-30 13:02:21.121: debug:
2009-06-30 13:02:21.121: notice: end of run: 0 errors occured


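--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +0,0 @@
-;% generationtime=20080914221502
-;% lifetime=90d
-example.de. IN DNSKEY 256 3 5 BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuR Npn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==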


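--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: qbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuRNpn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: h7mIMjyW6H7MpJIYWhTgerkh5pR9LbSJbuA/cKp9AU18blpyk4xOzIYGw0SXBqFezHpF0I6BEzSikgwyF1RDAQ==
-Prime1: 1YdJ1XTzsyvAgEjhutvSA4RSkCyPGsTZ81wxZcifWtE=
-Prime2: y3EofwE/nv2kF6/I2STrb3A8gbsBx5D4/6SiKFuHDg0=
-Exponent1: vjWx9G8qNVnlPPWD9uc/6um1vS2+yvriFV3MIMIZL/E=
-Exponent2: o/Jlw/TZ/IrlSvzNCc+xeF8qpip51onZ6fOFFjQ+QQ==
-Coefficient: K/UescJkRXWQr6FmABrKx3kalg748qkaWqvrY101OeY=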


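--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,3 @@
+;% generationtime=20090615065826
+;% lifetime=28d
+example.de. IN DNSKEY 256 3 5 BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==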


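--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: ty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: Sgdg/vt18JrFh/MgiSh6g/DUiIosmsQlu5QWp5Zep+rUNf0aUZkS4ywyMGGlfUE4LyzvAJD8HkxI3/Xt8rIm1Q==
+Prime1: 3TyP1P5STSSTQDaPCYf/H6kJZ92k9X9OaGLoZHSjQoM=
+Prime2: 0/bjZ7845gImcCtvCthOPQMiVZcAhEzlrS8A6bs7I2c=
+Exponent1: OjNeVeQqqqpfClERHq9yR/OmkMQBY7Zw5ArUZNCbXG0=
+Exponent2: mEFLtn8DnI1G8b583qzvs5Qwa9cYjTiZU3WHjs6ROfc=
+Coefficient: IT6JOaFB5uiS9EzlTAA1zJD44EpkTAggFoPkRfJG4Ao=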


@ -2,11 +2,11 @@
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
; Last generation time Dec 28 2008 23:06:40
; Last generation time Jul 04 2009 01:30:24
;
; *** List of Key Signing Keys ***
; example.de. tag=47280 algo=RSASHA1 generated Nov 16 2008 19:00:40
; example.de. tag=47280 algo=RSASHA1 generated Dec 28 2008 23:55:28
example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR
mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t
@ -15,7 +15,7 @@ example.de. 3600 IN DNSKEY 257 3 5 (
uw==
) ; key id = 47280
; example.de. tag=37983 algo=RSASHA1 generated Nov 16 2008 19:00:40
; example.de. tag=37983 algo=RSASHA1 generated Dec 28 2008 23:55:28
example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU
YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT
@ -25,9 +25,9 @@ example.de. 3600 IN DNSKEY 257 3 5 (
) ; key id = 37983
; *** List of Zone Signing Keys ***
; example.de. tag=11327 algo=RSASHA1 generated Nov 16 2008 19:00:40
; example.de. tag=55529 algo=RSASHA1 generated Jun 24 2009 17:12:33
example.de. 3600 IN DNSKEY 256 3 5 (
BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuR
Npn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
) ; key id = 11327
BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC
XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
) ; key id = 55529


@ -1,7 +1,7 @@
; KSK rollover phase2 (this is the new key)
sub.example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
GLv3a4BbGFc=
) ; key id = 56595
BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
04a9eVgvhME=
) ; key id = 26451


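--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +0,0 @@
-;% generationtime=20081228220640
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgN cV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==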


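--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgNcV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: uXBzw9Ow7+rVGZ4XZlUjLoBxRUAdN207E+mvZ+OadkH4f7l3PNYJYVn2hTvTZb8v6vhKc/sOoenMRAMavK2oCQ==
-Prime1: 97fUb9zU6zIQ6P53ykjHwpMriBptXWkqH4LUKrtqAYs=
-Prime2: 8Q9XIHa/vuddNXGbnv1WjhQ+BLULtEHoAor6Zz/AczM=
-Exponent1: lys3DhbjPd0964qLcwyI0qZ5lMviMzFBbB/IOthfYnc=
-Exponent2: 2csu2XGtql2o+T1SXeXc6JtC8prIJ+mJuXa0FapeHBc=
-Coefficient: 0+x8jSWVmxWNuZlQNW0mZBFS5cEgll+u0t17KXdh6nI=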


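--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,3 @@
+;% generationtime=20090624151233
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 1 BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==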


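--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: uRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: aSzCu6CvJa0ABmgFOLLsIpvCHkuGUUszn56T6JrEqbFrVapdYaYlaw76m6aQ/esEx5jRqBjmbjTlbI3mtblxQQ==
+Prime1: 6k517gzC9UDjFcveMB+lfD18Q/2SO3yiy+ugDdxtzok=
+Prime2: yjLNwFrUyQvebLb3EeUpvaPyFAru/KFhbskaGlKUfkk=
+Exponent1: xMVCDp0L87uIsqvOGWoXvzO5uyK1ING1Eff/EAwWCzE=
+Exponent2: g4KaqnwxQrZdgAPma04NWpQk7vEgzKdKOBCVILhW+QE=
+Coefficient: fZsDNVAIdQYAD281j3BfVnraBU/jnNTCxxz/zAKJexw=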


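--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,3 @@
+;% generationtime=20090615065624
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 1 BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==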


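--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: stcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
+PublicExponent: AQAAAAE=
+PrivateExponent: p47j7xj0y+cF9AFjsRfak8KNTAyzUmw31PNlocOWNArcC7YzNA/E1xdjsdTICI6f47Ozuk0XSCS26Evd9D0UIQ==
+Prime1: 40dBU3fjj3rXcUO9bgSVeMwJjbeXFi+x8WZ5v0UQjPE=
+Prime2: yXC+OLWVbVu0NOCHolcQfyk2SepCknuZZ/DCn3j2+zs=
+Exponent1: hlGqyB1o6RWsLL3V2bTKssQYn6smvuUCHQrdyWira/E=
+Exponent2: xKKBa6eOsCOygJAI9OK8k1jUp8HQKQTNUJ3lUWEVn88=
+Coefficient: pCt9BOElLNatY5c0uSpUav2GbAyIkJ6ngFLj39q4Om8=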


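--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +0,0 @@
-;% generationtime=20081216163027
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw 9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==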


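--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: pqVDVhiSmZyjz4IM3xFkks4yc4MToD2EWbPKp4j8v4RETHjec3F9YYIMpkGaYoNqkx3+yvWpYPPy4YideIu3wQ==
-Prime1: +1CFbP41B3shnGApkHvZYr3439pvg5KO60ykyewDDUU=
-Prime2: 5+EDE42uEwgwiaPs+n4hXruj+K3ewL7cTY1HS7rPpWk=
-Exponent1: tuWKUuBr0ajPkrvq1OdN0EcuggHhuizHNMl9ApAxBYU=
-Exponent2: CHyQ5qkbFlgzbbfyXvjS6aonXu0vRQXN6xEpDrTAiek=
-Coefficient: i4dbOUlePz8KFhOt0/8FImz2TAd2zZ0hryj4uAQbtUY=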


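--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: mjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jBeymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
-PublicExponent: AQAAAAE=
-PrivateExponent: MPsUwCUqooIUfhCOmRxnn6ZhxzH+CpJOfJ1K0njPwjaQKm8ACnVpM7Fr3mv5b9m0TXNn3jpfQgD+mHzopnR8gQ==
-Prime1: y24Ur3BJ40hhvFGqAPXaUEJcrEZIy4aCq2TxRSfFWs8=
-Prime2: whV4QY7Syoe/CDglpRb/X1ZROUYNLo1y+uXMoSNtaYU=
-Exponent1: DQywtacomS2IXan7sOtmkcWxxe7P6jTtI5KjlN4IhD0=
-Exponent2: N/KfPaxytWiti6+d2E9B00TCwndDQq/vnJ2iYGdNp9k=
-Coefficient: Lp80HvUH/WDwsH1akU1UWbN2n4m3g/hLtihVVuzf0s0=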


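--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +0,0 @@
-;% generationtime=20081120072448
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jB eymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==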


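--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,3 @@
+;% generationtime=20090703233023
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 1 BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ jyZPu//rrNM=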


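--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: xmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
+PublicExponent: AQAAAAE=
+PrivateExponent: XlDWosjdpEbIW8ZRePu+4sLTs+RCmA9bvovqke/u0Ihkf6zWx6J2DnYj182ohyoJlVr1NnLILTkNhJn6JI0uBqJ7KRDVXl+U2mHnQNwGqbBu2X7Jie4xFMp233n6Z/HNpj5RM5THQ5tFEJk+TIvq/Hm9z8fvAaeYnHVhrTTJL8E=
+Prime1: /igp3zZZKfWKdgOkCgHxL8hHemOTtGfEpi6ZYkffjLKiSOZJdMNHjLXEBCxsYN/z0nB0XXhIbSoUAv/EQVoiGw==
+Prime2: x9Fnz8jP/a1OIK9P0BDnEmjXFB8oa5T9/qpKGA39mH/8qUnlrjlXOYfD/3tWSdEJYFVVnfC5j+toAL+S0xwLqQ==
+Exponent1: 8Jzwnn7H+XAirDxPLBq1LUGyVU6HwB5iBzomgzRwIYcVyZ42703Hj+EWJDDcA8do637glysqT+TJspaoJHwOLQ==
+Exponent2: AcOgKCzXdN3++cGAJxOS/MSETfFCWn1msgTeTw744kqGLVdnN3qX5yXGrneVjZGziKYLzLnKOs07AkT2uthRuQ==
+Coefficient: czI2hMFi9kfCMkcNwKWk+3sGUD7bXNI7HVmkTS6dnCmB6jGIlN3gtqDlNFLd7RcHhicOMGpIHE6JVT8vSkfouA==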


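--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,3 @@
+;% generationtime=20090630103352
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 vlXrwWNo4Pk=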


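--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: tnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
+PublicExponent: AQAAAAE=
+PrivateExponent: WGyscUMH71EaEXIbZdRFZ6J951l/3sXPtaivtQkOHt0E0bmHhqqqLta8HN/2xZR0w1+W/VAV6sCHXoTzhs82qUQOV6QpkR2tmN+etB/CNdGKrT+VvXrD75TJbCeegPeCvjnWbivAsmC2l46ogTMY0M1VZxJrWPKxpmEeQhxNFz0=
+Prime1: 5s6qRA7112fgOe/e+nq85LK/PkwOOoyOabhoJOL7I/5i9F5eBWBel4PCEaemGrGNk0zKqRFmE/Zs4DU2JsUMGw==
+Prime2: yl1x7nEIDegqhVwO/dvATBC0v8oVNRmqo8aBB/6apdOcuToBTSPrq+qPnq3ehRNK2Oz4CVYtoNtF9Xt+GtUwew==
+Exponent1: WoQRwLNR/Gu7SXDr4Y6A6eZ4YmwPqeistIcAmUaDxFREAn6eDxTJVA/tYeDKZ8L8sREOsdURTzkdePR+fHF/6w==
+Exponent2: U3eTb0W5WVGW+v7jyBGlzoZciU7nZNajKLo0X6GriGfpcfctnjsSQL3hjQzZRk0y7YIIdgtv0ApV5iTmQ9FUvw==
+Coefficient: hdjOg1UkqrwW5sVyS4o1KEW0Sipue+s3O8AZ11BVa2jt6ijqazZRQTMQBSoRpu8N+h5+jA1CvJmXUYTCRocSew==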


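--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,3 @@
+;% generationtime=20090615065826
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY 04a9eVgvhME=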


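--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: u2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBznW7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
+PublicExponent: AQAAAAE=
+PrivateExponent: opFdHZAmZ2/cdNYkJs+CD0jU3nK/atMHKnKtsczlAC7p4eqmS2vRj54oe+yG204gZ3yzLp6yIp3TALfutc5HICmuyfMUdliiaUn3dcbzcc6QK9XgcEJPSz2X5Ot04CdgafNZ5g6s4r2zWSSRBYsZtCeZbevIH4KJcJjh/D5IDF0=
+Prime1: 7SZBGa/9lloRYImdEH5auLkCDGezv+AGKFtMm/UjQ8KwezpxtjFz+KsWckEtyUkDIIPWAQ3t4iND118Nb7L8Uw==
+Prime2: ykU794Iygwej+0ZsLsDju3Iulniy2qtvQ4CrS6zu6D0BzuiQyAEI9V1PThMnIfHlIA3g8rGRK8AAARiCrNh4Gw==
+Exponent1: tcJZs75GusGfQ7z3N//r+rp67thZlOV3RY//4mm+t3Hg4qZEw02A9kSmNdiBb0VzVhKIHd3OFvXCkdKa5fj6Qw==
+Exponent2: nyGlgUHTHESEFHfdJEIxVvRNa12iG179Mfu7ytWNpKUV9EvAP1WfyoGlLEmhhwENii/xK1e4qwxNk1yjBtQ8CQ==
+Coefficient: r2Nfc/szQ0mm/kJdfenPpWVbdvAML1RSt7CxaNUfYqmnuMRP12LMJazAApIweJKNI0u4qDBLIHhAwbXKFtLm1A==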


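--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,3 @@
+;% generationtime=20090630100243
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==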


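--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: zVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
+PublicExponent: AQAAAAE=
+PrivateExponent: v0UmLwzL0RBea93NN1Q/yMFvFHSI30Np9yxdVCxDjq6zYrCiv2UTwXzPCyG1JWhclopzNII3DYR9ISgha58QCQ==
+Prime1: +Bo/midKqM2wRrPj4owYKZuocaTi9oEWb+MstOkOWe0=
+Prime2: 09q0bHeQfNY3OQsry+f2Csa2koLUcmfxxf23bzElKBs=
+Exponent1: DORw4XBF3dMjMygLL0A7KTeQlW0iDgSD7tAPMTKSmhk=
+Exponent2: BLC9fqcbNVq9EslHvNzhH6ElMO1bysgB3rAUKhk4Srs=
+Coefficient: jtQYbg6K63W4zqe6HCxXpI9N5vqwlZ/bK9T0JQZjX94=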


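--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,3 @@
+;% generationtime=20090703233023
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==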


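--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: umjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
+PublicExponent: AQAAAAE=
+PrivateExponent: QuAiyiQQUiopUhjwXZa0E5s+tj4pf/de2jaKwQKGaXbhZMX3ispK85LKkvjGr1ABA4+w59cnMHaeKk7nHRVDCQ==
+Prime1: 3eK3/XpauQNk2f7fpzOZOYokiS4Nx55XmGxUu3gTPiU=
+Prime2: 1xHRlPz8vYslUMhZxgNZY9fzczJzjbjFP005iokb+Ks=
+Exponent1: CjTZf3NTj0mEQLOYF6HIoIkNlBTQjLHIauAjx16Er1k=
+Exponent2: z10pNT3TMAYu/V+nkLnw0afwXjvF8KtgwIw8j5rD7B0=
+Coefficient: wAh2F+9cb8rF+bp/spymV25IGtBq+ht/TU8Rt7PRrLc=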


@ -1,6 +1,8 @@
sub.example.de.dlv.trusted-keys.net. IN DLV 31785 5 1 3D56DD760ECF5184EAAE810F523934239F3D5AA5
sub.example.de.dlv.trusted-keys.net. IN DLV 31785 5 2 BAF6AFA18EED60E28AFFDB6094DCE3095A0C6B039D2DF8020580F6BD E43B76F9
sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
sub.example.de.dlv.trusted-keys.net. IN DLV 56595 5 1 839C43F0267473F1335354384D91BFD70145AC01
sub.example.de.dlv.trusted-keys.net. IN DLV 56595 5 2 37F3AA854D2B7B2A9FAE3868EB37FFB08E1EDE2E14AF4D259E6C46B0 27D5C5B7
sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4


@ -2,11 +2,11 @@
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
; Last generation time Dec 28 2008 23:06:40
; Last generation time Jul 04 2009 01:30:24
;
; *** List of Key Signing Keys ***
; sub.example.de. tag=40956 algo=RSASHA1 generated Oct 03 2008 01:02:19
; sub.example.de. tag=40956 algo=RSASHA1 generated Dec 28 2008 23:55:28
sub.example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg
CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/
@ -14,38 +14,52 @@ sub.example.de. 3600 IN DNSKEY 257 3 5 (
ISRyLtFdi10=
) ; key id = 40956
; sub.example.de. tag=56595 algo=RSASHA1 generated Oct 03 2008 23:27:15
; sub.example.de. tag=26451 algo=RSASHA1 generated Jun 15 2009 08:58:26
sub.example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
GLv3a4BbGFc=
) ; key id = 56595
BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
04a9eVgvhME=
) ; key id = 26451
; sub.example.de. tag=31785 algo=RSASHA1 generated Dec 16 2008 17:32:13
; sub.example.de. tag=24426 algo=RSASHA1 generated Jun 30 2009 12:33:52
sub.example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxX
T5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEE
J9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVji
qj6JGXl48/0=
) ; key id = 31785
BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D
xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp
3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878
vlXrwWNo4Pk=
) ; key id = 24426
; sub.example.de. tag=60332 algo=RSAMD5 generated Jul 04 2009 01:30:23
sub.example.de. 3600 IN DNSKEY 257 3 1 (
BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ
f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg
oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ
jyZPu//rrNM=
) ; key id = 60332
; *** List of Zone Signing Keys ***
; sub.example.de. tag=59924 algo=RSAMD5 generated Dec 16 2008 17:30:27
; sub.example.de. tag=11091 algo=RSAMD5 generated Jun 24 2009 17:12:33
sub.example.de. 3600 IN DNSKEY 256 3 1 (
BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jB
eymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
) ; key id = 59924
BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+
2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
) ; key id = 11091
; sub.example.de. tag=39146 algo=RSAMD5 generated Dec 16 2008 17:30:27
; sub.example.de. tag=38598 algo=RSAMD5 generated Jun 24 2009 17:12:33
sub.example.de. 3600 IN DNSKEY 256 3 1 (
BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw
9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==
) ; key id = 39146
BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe
zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
) ; key id = 38598
; sub.example.de. tag=4031 algo=RSAMD5 generated Dec 28 2008 23:06:40
sub.example.de. 3600 IN DNSKEY 256 3 1 (
BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgN
cV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==
) ; key id = 4031
; sub.example.de. tag=37547 algo=RSASHA1 generated Jun 30 2009 12:02:43
sub.example.de. 3600 IN DNSKEY 256 3 5 (
BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy
5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
) ; key id = 37547
; sub.example.de. tag=57863 algo=RSASHA1 generated Jul 04 2009 01:30:23
sub.example.de. 3600 IN DNSKEY 256 3 5 (
BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1
XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
) ; key id = 57863


@ -1,6 +1,8 @@
sub.example.de. IN DS 31785 5 1 3D56DD760ECF5184EAAE810F523934239F3D5AA5
sub.example.de. IN DS 31785 5 2 BAF6AFA18EED60E28AFFDB6094DCE3095A0C6B039D2DF8020580F6BD E43B76F9
sub.example.de. IN DS 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
sub.example.de. IN DS 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
sub.example.de. IN DS 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
sub.example.de. IN DS 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
sub.example.de. IN DS 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
sub.example.de. IN DS 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
sub.example.de. IN DS 56595 5 1 839C43F0267473F1335354384D91BFD70145AC01
sub.example.de. IN DS 56595 5 2 37F3AA854D2B7B2A9FAE3868EB37FFB08E1EDE2E14AF4D259E6C46B0 27D5C5B7
sub.example.de. IN DS 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
sub.example.de. IN DS 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4


@ -1,18 +1,25 @@
$ORIGIN .
sub.example.de 7200 IN DNSKEY 257 3 5 (
BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc
7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe6
2RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBA
jrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmB
cCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc=
) ; key id = 56595
sub.example.de 7200 IN DNSKEY 257 3 1 (
BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
) ; key id = 60332
7200 IN DNSKEY 257 3 5 (
BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59i
gc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV
4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJx
fWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWY
g9UGZBconBIAeefO2h19hVjiqj6JGXl48/0=
) ; key id = 31785
BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
) ; key id = 24426
7200 IN DNSKEY 257 3 5 (
BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
) ; key id = 26451
7200 IN DNSKEY 257 3 5 (
BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv


@ -1,7 +1,7 @@
; KSK rollover phase2 (this is the new key)
sub.example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
GLv3a4BbGFc=
) ; key id = 56595
BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
04a9eVgvhME=
) ; key id = 26451
