Import dnssec-zkt to contrib/zkt. [rt18448]

This commit is contained in:
Evan Hunt 2008-09-29 21:44:21 +00:00
parent 8b1cba45ad
commit 614a39f897
68 changed files with 21323 additions and 0 deletions

446
contrib/zkt/CHANGELOG Normal file

@ -0,0 +1,446 @@
zkt 0.97 --
* bug LG_* logging level wasn't mapped to syslog level in lg_mesg().
gettock() in ncparse.c did not recognize C single line comments "//"
(Thanks to Frank Behrens for finding this out)
* misc dist_and_reload () now calls the "Distribute_Cmd" twice:
First with argument "distribute" for signed zone file distribution,
second with argument "reload" to initiate a reload.
Again see example/flat/dist.sh for an example script.
* bug full KSK rollover will (mostly) also work for dynamic zones
This is a hack and requires further investigation. Currently
it will not work if someone is using non standard zone file
names.
* misc default ZSK lifetime set to 3 month
* misc get_mtime() renamed to file_mtime()
* func is_exec_ok() added and called in dist_and_reload ()
* func New parameter "Distribute_Cmd" added for specifing a user
defined distribution (and reload) command (See example/flat/dist.sh).
* misc Changed wording to be a bit more consistent to
draft-gudmundsson-life-of-dnskey-00.txt
- State of published key will be print as "pub" instead of "pre"
by dnssec-zkt.
- Option --pre-publish of dnssec-zkt changed to --published.
- Changed wording in all comments and log message from "pre-publish"
to "published".
* func Highly experimental code to do a full automatic ksk rollover
in hierachical mode.
ksk_rollover() added in rollover.c; parameter change for ksk_status()
* misc Changed name of "dnssec-soaserial" to "zkt-soaserial"
* bug Fixed verbose logging error if -N or -D option was used
* func Some LG_INFO messages added about key status change
* func Remove of function to register a new ksk (zktr.[ch])
* misc Changed licence from GNU GPLv2 to BSD licence
* bug Fixed bug in logging of ZSK rollover
* misc Changed tar file to zipped one and archive the files with
toplevel directory
* bug Fixed use of uninitialized vars in zconf.c (line)
* port Preparation for use of autoconf
- config.h renamed to config_zkt.h and change of include directives
- conditional include of config.h
- ./configure script is able to determine BIND utility path
(BIND_UTIL_PATH) and version (BIND_VERSION)
- compile time options are settable via configure script (--enable-xxx)
- For now, the configure script is not able to set the install dir.
* bug ksk rollover phase2 did not trigger resigning of parent
(the parent file was copied to the parent directory only
after child zone resigning)
* bug fixed bad notice message in zskstatus ()
* func dnssec-zkt -Z print out syslog facility & level with
upper case letter and without quotation marks
* func Syslog facility DAEMON added
zkt 0.96 -- 19. June 2008
* func Config file option "SIG_Parameter" added.
* func Function verbmesg() added and used for verbose logging
to stdout and/or to syslog resp. file.
Config file parameter VerboseLog added to config file.
* bug Option -O wasn't recognized by dnssec-signer
* func Better support of initial setup of dynamic signed
zones (just create an empty "zone.db.dsigned" file
and run dnssec-signer with option -d).
* func Improved error logging; incr_soa() errors are written
as clear text message instead of error number
* func elog_mesg() function replaced by a more general
logging mechanism.
ErrorLog config parameter replaced by LogFile,
LogLevel and SyslogFacility, SyslogLevel parameter
* func New function filesize() added
* func dki_prt_trustedkey print out old key id if key
is revoked
* func dki_new() writes gentime (GMT) and proposed key
lifetime (days) as comment into the *.key file
* bug Doing some housekeeping
zkt 0.95 -- 19. April 2008
* misc This is not a public released version of zkt.
* func All config file option are now settable via
commandline option -O (--option or --config-option)
* misc Function fatal() now has an exit code of 127.
This is neccessary because values from 1 to 64 are
reflecting the number of errors occured.
* func Errorlog functionality added
All dnssec-signer errors will be logged in the file
specified by the Errorlog config file parameter or
specified by the command line option -L (--errorlog).
If a directory is given, then the logging will occur
in a file within this directory which is named
like "zkt-<current-date>.log".
The dnssec-signer command has an exit code of 0 if
no error occured, an exit code of 127 on fatal errors,
an exit code from 1 to 63 reflecting the number of errors
occured, or an exit code of 64 if more than 63 errors
occured.
* func dnssec-signer: Introducing long options
* bug New skript added to example/views directory to
read in the right config file
* func New option -f (--lifetime) and -F (--setlifetime)
added to dnssec-zkt.
* func New option -e (--expire) added to dnssec-zkt.
(Seems to be that the dnssec-zkt command is a little
bit overloaded with options.)
* func dki.c and zkt.c supports storage of key lifetime,
generation time and expiration time as a comment in the
.key file. With this, it's possible to change the default
lifetime without any impact on already used keys.
zkt 0.94 -- 6. Dec 2007
* bug Case mismatch of zone name and key file name prevent
dki_read() from reading the key.
Thanks to Alan Clegg for finding this out.
Added some additional error processing and convert
zone name to lower case.
* misc Builtin default for KSK_randfile changed
from NULL to "/dev/urandom".
* bug dnssec-signer has to use private keys for signing
even if the revoke bit is set.
To achieve this the file pattern K*.private is added
to the dnssec-signzone run.
* bug Uninitialized variable "len" in sign_zone().
* func Default config file is settable via environment
variable ZKT_CONFFILE
* func Support of views added
Link dnssec-zkt to dnssec-zkt-<view> and
dnssec-signer to dnssec-signer-<view>.
Option -V and --view added to dnssec-zkt.
Option -V added to dnssec-signer.
View support added to parse_namedconf().
zkt 0.93 -- 1. Nov 2007
* func The ksk registration mechanism is disabled by
default (see REG_URL in config.h).
* func Basic support for revoke flag added (RFC5011).
Semantic of option -R of dnssec-zkt changed.
* func Undocumented option -S changed to lower case.
Pre-pulished KSK will be shown as "standby" key.
New Option -S (standby) for pre-publish KSK.
* func New command dnssec-soaserial added.
* bug dnssec-signer do not print the incremented serial
number anymore.
time2str() fixed bug in time format (HAS_STRFTIME=0).
* port New build dependencies "solaris", "macos" and "help"
added to Makefile.
zkt 0.92 -- 1. Oct 2007
* func Parameter "Serialformat" in dnssec.conf added .
Now it is possible to use the unixtime format for
the SOA serial number. If you use BIND 9.4 or
greater in conjunction with this, than there is no
need for the special SOA serial formating in
the zonefile. (Thanks to Jakob Schlyter for the
-N option of dnssec-signzone and the suggestion to
add the unixtime support to zkt)
* func Option --ksk-roll-stat added.
* port Added macro HAS_GETOPT_LONG to support OS with
lack of getopt_long() (e.g. solaris).
Options -[01239] added.
* misc Unused macro HAS_ULONG removed from config.h.
Deklaration of unsigned types moved from dki.h to
config.h (so it will be available in _all_ source
files). Thanks to Mans Nilsson.
Unused macro isblank() (ncparse.c) removed.
* bug In dosigning(): freeze the dynamic zone _before_ copying
the zone file.
zkt 0.91 -- 1. Apr 2007
* doc --ksk-rollover option added to usage().
* func some experimental code for dynamic zones added.
new functions added: copyzonefile(), dyn_update_freeze().
New option "-d" added.
zkt 0.90 -- 6. Dec 2006
* func CHECK_RESIGN interval added to config.h.
This is the dnssec-signer calling interval (at least 1 day or 86400 sec).
* func new function dki_destroy() added; semantic of dk_remove()
changed to rename the key files instead of physical deletion.
* doc Setup of new example directory (flat and hierarchical).
* doc dnssec-zkt man page updated.
Added some comments in misc.c
* misc function strtaint() renamed to str_untaint(),
dki_keycmp() renamed to dki_tagcmp().
* func New parameter key_ttl added to dnssec.conf.
New func dki_prt_dnskeyttl () added.
Now dnskey.db is written with key_ttl value.
* func dnssec-signer: In hierarchical mode sign_zone() copies the
parent-file (if such a file exist) instead of the
keyset-file to the parent directory.
* func dnssec-zkt: Option --ksk-roll-phase[123] and function
ksk_rollover() added.
* misc zconf: default values for sigvalidity, resign_int etc. changed,
new dnssec.conf example file created.
* func dnssec-zkt: Long option support added.
zkt 0.83 -- 11. Sep 2006
* bug dosigning(): Fixed bug in the bug fixing of printing undefined
serial number if incr_serial() failed. (Thanks to Randy McCasskill).
zkt 0.82 -- 8. Sep 2006
* bug Use option -e for dnssec-keygen calls in dki_new(), because
an RSA exponent of 3 is vulnerable.
* bug dosigning(): Fixed bug in printing undefined serial
number if incr_serial() failed.
an RSA exponent of 3 is vulnerable.
* bug dosigning(): Fixed bug in printing undefined serial
number if incr_serial() failed.
zkt 0.81 -- 13. July 2006
* bug The function ceatekey() won't work with USE_TREE.
Size of MAX_DNAME increased.
zkt 0.8 -- 09. July 2006
* func Now a hierarchical directory structure with subdomains stored in
subfolders of the parent domain are allowed. Added copyfile(),
cmpfile() and new_keysetfiles() for that.
* func Config parameter added to choose if the domain name is
right or left justified listed by dnssec-zkt (printkeyinfo).
* func New class of key added ("sep"). A SEP key is a (public) key file
without the private counterpart. So we could use the key solely
as an secure entry point. (dki.h, dki_read).
zkt 0.70 -- 15. Sep 2005
* func Experimental code added to use a binary search tree instead of a
single linked list. This is mainly for performance improvement for large
sites. If you don't want to use it, set USE_TREE in config.h to zero.
In the first step only dnssec-zkt use the new data structure.
The tree is build over the domain names and each node is the starting point
of a linked list of keys.
As a result, it's not possible anymore to search on key tags only. You have
to specify the domain name plus the tag. :-(
* func Function parseurl added.
* func Experimental code to register a new ksk. Currently it's more like
a key announcement because of the lack of identification and
authentication.
zkt 0.65 -- 22. Aug 2005
* misc Rewrite of the domaincmp() function. Now it's round about 2 times faster.
After some additional changes and the compiler option -O3 the dnssec-zkt
on the ~ 12000 zones requires only a minute
$ time dnssec-zkt -z -r sec > /dev/null
real 0m58.287s
user 0m54.610s
sys 0m3.680s
* func A keyset directory is introduced (experimental)
The parameter -d is added to the call of the dnssec-signzone command
if the config option KeySetDir is set.
As a result, all dsset-, keyset- and dlvset- files are stored in one directory.
The advantage is, that the chain of trust of all local subzone is build
automatically (This is the reason why we sort the zones with the child zones
first).
The disadvantage is that we store many files in single directory (3 files
per zone).
zkt 0.64 -- 1. Aug 2005
* bug The code for option -Z of dnssec-zkt should be executed before we read the
complete directory tree. This is usefull if we have a very deep directory
structure and the recursive flag is switched on.
* func SIG_Pseudorand parameter added.
* func ([KZ]SK)|(SIG)_randfile parameter added.
* func measure the time used for signing of each zone.
* bug function logflush() added to misc.c and called by dosigning().
* misc some perfomance test made:
- Directory structure "sec/<firstletter>/domain" with round about 12200 domains
- One of the domain is a big one (~ 820000 RRs), the others are mostly very small ones
- We use a dsa with 704 bits as ksk and a rsamd5 with 512 bits as zsk on each domain.
- All test made on Sun Fire V440 with 4 CPU and 4x2GB main memory
# sequential signing of all zones
$ time dnssec-signer -v -v -f -D sec
real 434m (~ 7h 14min)
user 188
sys 175
# with option -p and -r /dev/urandom
$ time dnssec-signer -v -v -f -D sec > log
real 96m28.306s
user 290m41.980s
sys 6m13.790s
# one process for each firstletter subdirectory
$ time par_signer.sh
real 394m12.334s
user 295m58.390s
sys 786m42.479s
# with option -p and -r /dev/urandom
$ time par_signer.sh
real 78m49.323s
user 284m58.350s
sys 5m39.340s
$ time dnssec-zkt -z -r sec > /dev/null
real 2m5.722s
user 2m0.060s
sys 0m4.510s
# signing the big (820000 RR) domain only
$ time dnssec-signer -v -v -f -D sec/b/big-domain
real 196m23.165 (~ 3h 16min)
user 176m57.610
sys 167m27.570
# with option -p and -r /dev/urandom
$ time dnssec-signer -v -v -f -D sec/b/big-domain
real 49m53.152
user 173m59.520
sys 1m40.150
zkt 0.63 -- 14. June 2005
* bug allow TTL value in keyfiles (see TTL_IN_KEYFILES_ALLOWED
in dki_readfile()).
* misc function strchop() added to misc.c.
zkt 0.62 -- 13. May 2005
* func dnssec-signer: Option -o added.
Now it works a little bit more like dnssec-signzone.
* func strlist.c: prepstrlist and unprepstrlist functions get a
second parameter for the delimiter.
* bug fixed some typos and inaccurate usage of symbolic constants.
Doing some housekeeping.
zkt 0.61 -- 3. May 2005
* bug local config file will not be mentioned if -N switch is used.
zkt 0.6 -- 1. May 2005
* doc dnssec-signer: man page added.
* func dnssec-signer: Print out a warning message if ksk lifetime is exceeded.
* func dnssec-signer: Remaining arguments will be interpreted as zone names
(in_strarr () added).
* func dnssec-signer: Option -D added.
zkt 0.51 -- 8. April 2005
* func dnssec-signer: Option -N added.
* func dnssec-signer: change of keystatus from pre-published to active
resets timestamp of key, thus age of active key counts 0.
* bug prepstrlist: resulting string was not terminated with '\0'.
* bug dnssec-signer: do signing if there are additional keys, or the
status of any key is changed (function check_keytimestamp).
* func dnssec-zkt: -l <list> option added.
* func dnssec-zkt: -p flag defaults to on in key creation mode (-C).
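Review bot: the zkt 0.82 entry is duplicated: the three lines `an RSA exponent of 3 is vulnerable.` / `* bug dosigning(): Fixed bug in printing undefined serial` / `number if incr_serial() failed.` appear twice in a row, and the second copy starts mid-sentence, so the repeated lines should be dropped. The 0.97 heading (`zkt 0.97 --`) is the only one without a release date; either fill it in or mark the entry as unreleased. The 0.82 note that dki_new() passes `-e` to dnssec-keygen so RSA keys get a large public exponent is worth keeping prominent: whoever touches the keygen call later should not lose that flag, since the entry itself records why exponent 3 was abandoned.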

30
contrib/zkt/LICENSE Normal file

@ -0,0 +1,30 @@
Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
This software is open source.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
Neither the name of Holger Zuleger HZnet nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

151
contrib/zkt/Makefile.in Normal file

@ -0,0 +1,151 @@
#################################################################
#
# @(#) Makefile for dnssec zone key tool (c) Mar 2005 hoz
#
#################################################################
INSTALL_DIR ?= $$HOME/bin
CC ?= @CC@
PROFILE = # -pg
OPTIM = # -O3 -DNDEBUG
#CFLAGS ?= @CFLAGS@ @DEFS@ -I@top_srcdir@
CFLAGS += -g @DEFS@ -I@top_srcdir@
CFLAGS += -Wall #-DDBG
CFLAGS += -Wmissing-prototypes
CFLAGS += $(PROFILE) $(OPTIM)
LDFLAGS += $(PROFILE)
PROJECT = @PACKAGE_TARNAME@
VERSION = @PACKAGE_VERSION@
HEADER = dki.h misc.h domaincmp.h zconf.h config_zkt.h \
config.h.in strlist.h zone.h zkt.h debug.h \
ncparse.h log.h rollover.h
SRC_ALL = dki.c misc.c domaincmp.c zconf.c log.c
OBJ_ALL = $(SRC_ALL:.c=.o)
SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c
OBJ_SIG = $(SRC_SIG:.c=.o)
MAN_SIG = dnssec-signer.8
PROG_SIG= dnssec-signer
SRC_ZKT = dnssec-zkt.c strlist.c zkt.c
OBJ_ZKT = $(SRC_ZKT:.c=.o)
MAN_ZKT = dnssec-zkt.8
PROG_ZKT= dnssec-zkt
SRC_SER = zkt-soaserial.c
OBJ_SER = $(SRC_SER:.c=.o)
#MAN_SER = zkt-soaserial.8
PROG_SER= zkt-soaserial
MAN = $(MAN_ZKT) $(MAN_SIG) #$(MAN_SER)
OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
configure examples
SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(MAN) $(OTHER)
MNTSAVE = $(SAVE) configure.ac config.h.in doc
all: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
macos: ## for MAC OS
macos:
$(MAKE) CFLAGS="$(CFLAGS) -D HAS_UTYPES=0" all
solaris: ## for solaris
solaris:
@$(MAKE) CFLAGS="$(CFLAGS) -D HAVE_GETOPT_LONG=0" all
linux: ## for linux (default)
linux:
@$(MAKE) all
$(PROG_SIG): $(OBJ_SIG) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(OBJ_SIG) $(OBJ_ALL) -o $(PROG_SIG)
$(PROG_ZKT): $(OBJ_ZKT) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(OBJ_ZKT) $(OBJ_ALL) -o $(PROG_ZKT)
$(PROG_SER): $(OBJ_SER) Makefile
$(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER)
install: ## install binaries in INSTALL_DIR
install: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(INSTALL_DIR)
tags: ## create tags file
tags: $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
ctags $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
clean: ## remove objectfiles and binaries
clean:
rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL)
dist: ## create tar file for distribution
dist: $(PROJECT)-$(VERSION).tar.gz
tar: ## create tar file for distribution
tar: $(PROJECT)-$(VERSION).tar.gz
maintain: ## create configure script
maintain: configure
mainttar: ## create tar file for maintenance
mainttar: $(PROJECT)-maint-$(VERSION).tar.gz
configure: configure.ac
autoconf && autoheader
man: $(MAN_ZKT).html $(MAN_ZKT).pdf $(MAN_SIG).html $(MAN_SIG).pdf
$(MAN_ZKT).html: $(MAN_ZKT)
groff -Thtml -man -mhtml $(MAN_ZKT) > $(MAN_ZKT).html
$(MAN_ZKT).pdf: $(MAN_ZKT)
groff -Tps -man $(MAN_ZKT) | ps2pdf - $(MAN_ZKT).pdf
$(MAN_SIG).html: $(MAN_SIG)
groff -Thtml -man -mhtml $(MAN_SIG) > $(MAN_SIG).html
$(MAN_SIG).pdf: $(MAN_SIG)
groff -Tps -man $(MAN_SIG) | ps2pdf - $(MAN_SIG).pdf
$(PROJECT)-$(VERSION).tar.gz: $(SAVE)
rm -f examples/hierarchical/log/zkt-*
( \
distfiles=`ls -d $(SAVE) | sed 's|^|$(PROJECT)-$(VERSION)/|'` ;\
cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-$(VERSION).tar.gz $$distfiles ;\
)
$(PROJECT)-maint-$(VERSION).tar.gz: $(MNTSAVE)
( \
distfiles=`ls -d $(SAVE) | sed 's|^|$(PROJECT)-$(VERSION)/|'` ;\
cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-maint-$(VERSION).tar.gz $$distfiles ;\
)
depend:
$(CC) -MM $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(SRC_ALL)
help:
@grep "^.*:[ ]*##" Makefile
## all dependicies
#:r !make depend
#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
dnssec-signer.o: dnssec-signer.c config_zkt.h zconf.h debug.h misc.h \
ncparse.h zone.h dki.h rollover.h log.h
zone.o: zone.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h \
zone.h
ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h
rollover.o: rollover.c config_zkt.h zconf.h debug.h misc.h zone.h dki.h \
log.h rollover.h
dnssec-zkt.o: dnssec-zkt.c config_zkt.h debug.h misc.h zconf.h strlist.h \
dki.h zkt.h
strlist.o: strlist.c strlist.h
zkt.o: zkt.c config_zkt.h dki.h misc.h zconf.h strlist.h zkt.h
zkt-soaserial.o: zkt-soaserial.c config_zkt.h
dki.o: dki.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h
misc.o: misc.c config_zkt.h zconf.h log.h debug.h misc.h
domaincmp.o: domaincmp.c domaincmp.h
zconf.o: zconf.c config_zkt.h debug.h misc.h zconf.h dki.h
log.o: log.c config_zkt.h misc.h zconf.h debug.h log.h
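Review bot: the `clean` target does not do what its help line promises. `clean: ## remove objectfiles and binaries` is followed only by `rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL)`, so dnssec-signer, dnssec-zkt and zkt-soaserial survive `make clean`; add `$(PROG_ZKT) $(PROG_SIG) $(PROG_SER)` to that rm. The `install` target copies with a bare `cp` into `$(INSTALL_DIR)` without creating the directory or setting modes; `install -d $(INSTALL_DIR)` followed by `install -m 0755 $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(INSTALL_DIR)` is the usual form. Also, `CFLAGS += -g @DEFS@ -I@top_srcdir@` always adds -g and ignores whatever CFLAGS configure recorded (the `#CFLAGS ?= @CFLAGS@ @DEFS@ -I@top_srcdir@` line above it is commented out), so optimisation or hardening flags passed in the configure environment are silently dropped; uncommenting that line and removing the forced -g would fix it. Finally, the dependency block at the end is pasted output of `make depend` rather than generated, so it goes stale whenever a header include changes.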

44
contrib/zkt/README Normal file

@ -0,0 +1,44 @@
#
# README dnssec zone key tool
#
# (c) March 2005 - Aug 2008 by Holger Zuleger hznet
# (c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho)
# (c) for zconf.c by Jeroen Masar & Holger Zuleger
#
For more information about the DNSSEC Zone Key Tool please
have a look at "http://www.hznet.de/dns/zkt/"
You can also subscribe to the zkt-users@sourceforge.net mailing list
on the following website: https://lists.sourceforge.net/lists/listinfo/zkt-users
The complete software stands under BSD licence (see LICENCE file)
To build the software:
a) Get the current version of zkt
$ wget http://www.hznet.de/dns/zkt/zkt-0.97.tar.gz
b) Unpack
$ tar xzvf zkt-0.97.tar.gz
c) Change to dir
$ cd zkt-0.97
d) Run configure script
$ ./configure
e) (optional) Edit config_zkt.h
f) Compile
$ make
For MAC users: # this should not needed anymore
$ make macos
For Solaris: # this should not needed anymore
$ make solaris
g) Install
$ make install # this will copy the binarys to $HOME/bin
h) (optional) Install and modify the default dnssec.conf file
$ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf
$ vi /var/named/dnssec.conf
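Review bot: `The complete software stands under BSD licence (see LICENCE file)` refers to a file that is not part of this import; the file added here is `contrib/zkt/LICENSE`, so the name should match. Step h) writes the generated configuration to `/var/named/dnssec.conf`; since the path the tools look for is a build-time setting (CONFIG_PATH in config.h.in, "defaults to /var/named"), the README should say that this path must agree with what configure was given, otherwise the edited file is never read. Minor: `binarys` should be `binaries`, and the `# this should not needed anymore` comments on the macos/solaris targets read as `# this should not be needed anymore`.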


@ -0,0 +1,99 @@
#
# README.logging
#
# Introduction into the new logging feature
# available since v0.96
#
In previous version of dnssec-signer every message was written
to the default stdout and stderr channels, and the logging itself
was handled by a redirection of those chanels to the logger command
or to a file.
Now, since version v0.96, the dnssec-signer command is able to log all
messages by itself. File and SYSLOG logging is supported.
To enable the logging into a file channel, you have to specify
the file or directory name via the commandline option -L (--logfile)
or via the config file parameter "LogFile".
LogFile: ""|"<file>"|"<directory>" (default is "")
If a file is specified, than each run of dnssec-signer will append the
messages to tat file. If a directory is specified, than a file with a
name of zkt-<ISOdate&timeUTC>.log" will be created on each dnssec-signer run.
Logging into the syslog channel could be enabled via the config file
parameter "SyslogFacility".
SyslogFacility: NONE|USER|DAEMON|LOCAL0|..|LOCAL7 (default is USER)
For both channels, the log level could be independently set to one
of six log levels:
LG_FATAL, LG_ERROR, LG_WARNING
LB_NOTICE, LG_INFO, LG_DEBUG
The loglevel is settable via the config file parameter :
SyslogLevel: FATAL|ERROR|WARNING|NOTICE|INFO|DEBUG
(default is ERROR)
and
LogLevel: FATAL|ERROR|WARNING|NOTICE|INFO|DEBUG
(default is NOTICE)
All the log parameters are settable on the commandline via the generic
option -O "optstring" (--config-option="opt").
A verbose message output to stdout could be achieved by the commandline
option -v (or -v -v).
If you want to log the same messages with loglevel LG_DEBUG to a file or
to syslog, you could enable this by setting the config file option
"VerboseLog" to a value of 1 or 2.
Current logging messages:
LG_FATAL: Not all of the fatal errors are logged
(e.g.: config file or command line option fatal errors are
not logged)
LG_ERROR: All error messages will be logged
LG_WARNING: KSK lifetime expiration
LG_NOTICE:
Start and stop of dnssec-signer
Re-signing events
Key rollover events
Zone reload resp. freeze/thaw of dynamic zone
LG_INFO: Currently none
planned:
Mesages for key generation and key status change
(e.g.: pre-publish -> activate; revoked -> removed etc.)
LG_DEBUG: all "verbose" (-v) and "very verbose" (-v -v) messages
Some recomended and useful logging settings
- The default setting
LogFile: ""
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 0
- Setting as in version v0.95
LogFile: "zkt-error.log" # or a directory for seperate logfiles
LogLevel: ERROR
SyslogFacility: NONE
VerboseLog: 0
- Setting as in previous versions
LogFile: ""
SyslogFacility: NONE
VerboseLog: 0
- Recommended setting for normal usage
LogFile: "zkt.log" # or a directory for seperate logfiles
LogLevel: ERROR
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 0
- Recommended setting for debugging
LogFile: "zkt.log" # or a directory for seperate logfiles
LogLevel: DEBUG
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 2
-
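Review bot: the level list `LG_FATAL, LG_ERROR, LG_WARNING` / `LB_NOTICE, LG_INFO, LG_DEBUG` has a typo, `LB_NOTICE` should be `LG_NOTICE` as used a few lines further down. The defaults contradict each other: the parameter description says `SyslogLevel: ... (default is ERROR)`, while the block under `- The default setting` lists `SyslogLevel: NOTICE`; the text should state the value the code actually uses. The `LG_INFO: Currently none` / `planned:` paragraph is stale given this same import's CHANGELOG entry for 0.97 (`Some LG_INFO messages added about key status change`). The LG_FATAL paragraph deserves one more sentence for operators: because config-file and command-line fatal errors are not logged, a cron-driven dnssec-signer whose stderr is discarded fails silently unless the exit code is checked (the exit code scheme is documented in the CHANGELOG's 0.95 entry). Minor: the file name example `zkt-<ISOdate&timeUTC>.log"` has an unbalanced quote, `tat file` should be `that file`, plus `chanels`, `recomended`, `seperate`, `Mesages`, and the list ends in a dangling `-` item.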

37
contrib/zkt/TODO Normal file

@ -0,0 +1,37 @@
TODO list as of zkt-0.97
general:
Renaming of the tools to zkt-* ?
dnssec-zkt:
feat option to specify the key age as remaining lifetime
(Option -i inverse age ?) As of v0.95 the key lifetime
is stored at the key itself, so this could be possibly
implemented without big effort(?).
dnssec-signer:
bug Distribute_Cmd will not work properly on dynamic zones
bug Automatic KSK rollover of dynamic zones will only work if the parent
uses the standard name for the signed zonefile (zonefile.db.signed).
bug Phase3 of manual ksk rollover do not trigger a resigning of the zone
(Key removal is not recognized by dosigning () function )
bug There is no online checking of the key material by design.
So the signer command checks the status of the key as they
are represented in the file system and not in the zone.
The dnssec maintainer is responsible for the lifeliness of the
data in the hosted domain.
In other words: It's highly recommended to use the
option -r when you use dnssec-signer on a production zone.
Then the time of propagation is (more or less) equal to the timestamp
of the zone.db.signed file.
bug The max_TTL and Key_TTL parameter should be set to the value found
in the zone. A mechanism for setting up a dnssec.conf file for the
zone specific TTL values is needed.
dki:
feat Use dynamic memory for dname in dki_t
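Review bot: the entry `bug There is no online checking of the key material by design.` describes an operational limitation rather than a bug, and the advice that follows (`It's highly recommended to use the option -r when you use dnssec-signer on a production zone`, because key state is taken from the file system and not from the served zone) is exactly what an operator needs before running the tool on live data; it belongs in the README or the dnssec-signer man page, not only in the TODO list. The same applies to the two dynamic-zone items: the CHANGELOG's 0.97 entry already calls the automatic KSK rollover for dynamic zones a hack that breaks with non-standard zone file names, so the user-facing documentation should carry that caveat as well.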

217
contrib/zkt/config.h.in Normal file

@ -0,0 +1,217 @@
/* config.h.in. Generated from configure.ac by autoheader. */
/* Path to BIND utilities */
#undef BIND_UTIL_PATH
/* BIND version as integer number without dots */
#undef BIND_VERSION
/* Define to 1 if the `closedir' function returns void instead of `int'. */
#undef CLOSEDIR_VOID
/* set path of config file (defaults to /var/named) */
#undef CONFIG_PATH
/* Define to 1 if you have the `alarm' function. */
#undef HAVE_ALARM
/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
*/
#undef HAVE_DIRENT_H
/* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
#undef HAVE_DOPRNT
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
/* Define to 1 if you have the <getopt.h> header file. */
#undef HAVE_GETOPT_H
/* Define to 1 if you have the `getopt_long' function. */
#undef HAVE_GETOPT_LONG
/* Define to 1 if you have the `gettimeofday' function. */
#undef HAVE_GETTIMEOFDAY
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if your system has a GNU libc compatible `malloc' function, and
to 0 otherwise. */
#undef HAVE_MALLOC
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the `memset' function. */
#undef HAVE_MEMSET
/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */
#undef HAVE_NDIR_H
/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H
/* Define to 1 if you have the `setenv' function. */
#undef HAVE_SETENV
/* Define to 1 if you have the `socket' function. */
#undef HAVE_SOCKET
/* Define to 1 if `stat' has the bug that it succeeds when given the
zero-length file name argument. */
#undef HAVE_STAT_EMPTY_STRING_BUG
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define to 1 if you have the `strcasecmp' function. */
#undef HAVE_STRCASECMP
/* Define to 1 if you have the `strchr' function. */
#undef HAVE_STRCHR
/* Define to 1 if you have the `strdup' function. */
#undef HAVE_STRDUP
/* Define to 1 if you have the `strerror' function. */
#undef HAVE_STRERROR
/* Define to 1 if you have the `strftime' function. */
#undef HAVE_STRFTIME
/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the `strncasecmp' function. */
#undef HAVE_STRNCASECMP
/* Define to 1 if you have the `strrchr' function. */
#undef HAVE_STRRCHR
/* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H
/* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'.
*/
#undef HAVE_SYS_DIR_H
/* Define to 1 if you have the <sys/ndir.h> header file, and it defines `DIR'.
*/
#undef HAVE_SYS_NDIR_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/time.h> header file. */
#undef HAVE_SYS_TIME_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have the `tzset' function. */
#undef HAVE_TZSET
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define to 1 if you have the `utime' function. */
#undef HAVE_UTIME
/* Define to 1 if you have the <utime.h> header file. */
#undef HAVE_UTIME_H
/* Define to 1 if `utime(file, NULL)' sets file's timestamp to the present. */
#undef HAVE_UTIME_NULL
/* Define to 1 if you have the `vprintf' function. */
#undef HAVE_VPRINTF
/* log with level */
#undef LOG_WITH_LEVEL
/* log with progname */
#undef LOG_WITH_PROGNAME
/* log with timestamp */
#undef LOG_WITH_TIMESTAMP
/* Define to 1 if `lstat' dereferences a symlink specified with a trailing
slash. */
#undef LSTAT_FOLLOWS_SLASHED_SYMLINK
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the full name of this package. */
#undef PACKAGE_NAME
/* Define to the full name and version of this package. */
#undef PACKAGE_STRING
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* print age of year */
#undef PRINT_AGE_OF_YEAR
/* print out timezone */
#undef PRINT_TIMEZONE
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
#undef TIME_WITH_SYS_TIME
/* Define to 1 if your <sys/time.h> declares `struct tm'. */
#undef TM_IN_SYS_TIME
/* TTL in keyfiles allowed */
#undef TTL_IN_KEYFILE_ALLOWED
/* Use TREE data structure for dnssec-zkt */
#undef USE_TREE
/* ZKT version string */
#undef ZKT_VERSION
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
/* Define to `int' if <sys/types.h> doesn't define. */
#undef gid_t
/* Define to rpl_malloc if the replacement function should be used. */
#undef malloc
/* Define to `unsigned' if <sys/types.h> does not define. */
#undef size_t
/* Define to `unsigned char' if <sys/types.h> does not define. */
#undef uchar
/* Define to `int' if <sys/types.h> doesn't define. */
#undef uid_t
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef uint
/* Define to `unsigned long' if <sys/types.h> does not define. */
#undef ulong
/* Define to `unsigned short' if <sys/types.h> does not define. */
#undef ushort
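Review bot: `#undef malloc` together with `Define to rpl_malloc if the replacement function should be used` means configure.ac uses AC_FUNC_MALLOC. That macro redefines malloc to rpl_malloc on systems where malloc(0) returns NULL (and unconditionally when cross-compiling), and the link then fails unless the project provides an rpl_malloc(); none of the sources listed in Makefile.in indicate that one exists, so either add the replacement function or replace AC_FUNC_MALLOC with a plain AC_CHECK_FUNCS check. Separately, the macro here is spelled `TTL_IN_KEYFILE_ALLOWED`, while the CHANGELOG's 0.63 entry names it `TTL_IN_KEYFILES_ALLOWED`; worth verifying that dki_readfile() tests the spelling configure actually defines, since a mismatch would make the setting a silent no-op.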

121
contrib/zkt/config_zkt.h Normal file

@ -0,0 +1,121 @@
/*****************************************************************
**
** @(#) config_zkt.h -- config options for ZKT
**
** Copyright (c) Aug 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef CONFIG_ZKT_H
# define CONFIG_ZKT_H
#ifndef HAS_TIMEGM
# define HAS_TIMEGM 1
#endif
#ifndef HAS_UTYPES
# define HAS_UTYPES 1
#endif
#ifndef LOG_FNAMETMPL
# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
#endif
/* don't change anything below this */
/* the values here are determined or settable via the ./configure script */
#ifndef HAVE_GETOPT_LONG
# define HAVE_GETOPT_LONG 1
#endif
#ifndef HAVE_STRFTIME
# define HAVE_STRFTIME 1
#endif
#ifndef TTL_IN_KEYFILE_ALLOWED
# define TTL_IN_KEYFILE_ALLOWED 1
#endif
#ifndef PRINT_TIMEZONE
# define PRINT_TIMEZONE 0
#endif
#ifndef PRINT_AGE_WITH_YEAR
# define PRINT_AGE_WITH_YEAR 0
#endif
#ifndef LOG_WITH_PROGNAME
# define LOG_WITH_PROGNAME 0
#endif
#ifndef LOG_WITH_TIMESTAMP
# define LOG_WITH_TIMESTAMP 1
#endif
#ifndef LOG_WITH_LEVEL
# define LOG_WITH_LEVEL 1
#endif
#ifndef CONFIG_PATH
# define CONFIG_PATH "/var/named/"
#endif
/* tree usage is setable by configure script parameter */
#ifndef USE_TREE
# define USE_TREE 1
#endif
/* BIND version and utility path will be set by ./configure script */
#ifndef BIND_VERSION
# define BIND_VERSION 942
#endif
#ifndef BIND_UTIL_PATH
# define BIND_UTIL_PATH "/usr/local/sbin/"
#endif
#ifndef ZKT_VERSION
# if defined(USE_TREE) && USE_TREE
# define ZKT_VERSION "vT0.97 (c) Feb 2005 - Aug 2008 Holger Zuleger hznet.de"
# else
# define ZKT_VERSION "v0.97 (c) Feb 2005 - Aug 2008 Holger Zuleger hznet.de"
# endif
#endif
#if !defined(HAS_UTYPES) || !HAS_UTYPES
typedef unsigned long ulong;
typedef unsigned int uint;
typedef unsigned short ushort;
typedef unsigned char uchar;
#endif
#endif
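Review bot: the fallback block `#if !defined(HAS_UTYPES) || !HAS_UTYPES` / `typedef unsigned long ulong;` collides with the configure template, which may `#define ulong unsigned long` (and likewise uint, ushort, uchar) on systems whose <sys/types.h> lacks them; with both active the typedef expands to `typedef unsigned long unsigned long;` and fails to compile. Guard each typedef on the configure-provided macro (`#ifndef ulong`) or keep only one of the two mechanisms. A smaller point: `/* don't change anything below this */` says the values that follow come from ./configure, yet `HAS_TIMEGM`, `HAS_UTYPES` and `LOG_FNAMETMPL` above it are equally compile-time toggles with no hint of how a user is expected to set them; a one-line comment per knob (or moving them to the configure side) would help.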

6838
contrib/zkt/configure vendored Executable file

File diff suppressed because it is too large

66
contrib/zkt/debug.h Normal file

@ -0,0 +1,66 @@
/*****************************************************************
**
** @(#) debug.h -- macros for debug messages
**
** compile with cc -DDBG to activate
**
** Copyright (c) Jan 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef DEBUG_H
# define DEBUG_H
# ifdef DBG
# define dbg_line() fprintf (stderr, "DBG: %s(%d) reached\n", __FILE__, __LINE__)
# define dbg_msg(msg) fprintf (stderr, "DBG: %s(%d) %s\n", __FILE__, __LINE__, msg)
# define dbg_val0(text) fprintf (stderr, "DBG: %s(%d) %s", __FILE__, __LINE__, text)
# define dbg_val1(fmt, var) dbg_val (fmt, var)
# define dbg_val(fmt, var) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, var)
# define dbg_val2(fmt, v1, v2) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2)
# define dbg_val3(fmt, v1, v2, v3) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2, v3)
# define dbg_val4(fmt, v1, v2, v3, v4) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2, v3, v4)
# define dbg_val5(fmt, v1, v2, v3, v4, v5) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2, v3, v4, v5)
# define dbg_val6(fmt, v1, v2, v3, v4, v5, v6) fprintf (stderr, "DBG: %s(%d) " fmt, __FILE__, __LINE__, v1, v2, v3, v4, v5, v6)
# else
# define dbg_line()
# define dbg_msg(msg)
# define dbg_val0(text)
# define dbg_val1(fmt, var)
# define dbg_val(fmt, str)
# define dbg_val2(fmt, v1, v2)
# define dbg_val3(fmt, v1, v2, v3)
# define dbg_val4(fmt, v1, v2, v3, v4)
# define dbg_val5(fmt, v1, v2, v3, v4, v5)
# define dbg_val6(fmt, v1, v2, v3, v4, v5, v6)
# endif
#endif
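Review bot: every `DBG` expansion uses `fprintf` and `stderr`, but debug.h does not include <stdio.h> itself, so a `cc -DDBG` build breaks in any file that includes debug.h before stdio.h; add `# include <stdio.h>` inside the `# ifdef DBG` branch. Two smaller points: the `fmt` argument is string-pasted (`"DBG: %s(%d) " fmt`), so it must be a literal, and that only shows up in debug builds, which deserves a comment; and the non-DBG stubs expand to nothing, so any side effect inside a `dbg_val*` argument silently disappears from release builds. The parameter name also differs between `dbg_val(fmt, var)` and its stub `dbg_val(fmt, str)`.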

1185
contrib/zkt/dki.c Normal file

File diff suppressed because it is too large

185
contrib/zkt/dki.h Normal file

@ -0,0 +1,185 @@
/*****************************************************************
**
** @(#) dki.h -- Header file for DNSsec Key info/manipulation
**
** Copyright (c) July 2004 - Jan 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef DKI_H
# define DKI_H
# ifndef TYPES_H
# include <sys/types.h>
# include <stdio.h>
# include <time.h>
# endif
# define MAX_LABELSIZE (255)
# define MAX_FNAMESIZE (1+255+2+3+1+5+1+11)
/* Kdomain.+ALG+KEYID.type */
/* domain == FQDN (max 255) */
/* ALG == 3; KEYID == 5 chars */
/* type == key||published|private|depreciated == 11 chars */
//# define MAX_DNAMESIZE (254)
# define MAX_DNAMESIZE (1023)
/* /path/name / filename */
# define MAX_PATHSIZE (MAX_DNAMESIZE + 1 + MAX_FNAMESIZE)
/* algorithm types */
# define DK_ALGO_RSA 1 /* RFC2537 */
# define DK_ALGO_DH 2 /* RFC2539 */
# define DK_ALGO_DSA 3 /* RFC2536 (mandatory) */
# define DK_ALGO_EC 4 /* */
# define DK_ALGO_RSASHA1 5 /* RFC3110 */
/* protocol types */
# define DK_PROTO_DNS 3
/* flag bits */
typedef enum { /* 11 1111 */
/* 0123 4567 8901 2345 */
DK_FLAG_KSK= 01, /* 0000 0000 0000 0001 Bit 15 RFC4034/RFC3757 */
DK_FLAG_REVOKE= 0200, /* 0000 0000 1000 0000 Bit 8 RFC5011 */
DK_FLAG_ZONE= 0400, /* 0000 0001 0000 0000 Bit 7 RFC4034 */
} dk_flag_t;
/* status types */
typedef enum {
DKI_SEP= 'e',
DKI_SECUREENTRYPOINT= 'e',
DKI_PUB= 'p',
DKI_PUBLISHED= 'p',
DKI_ACT= 'a',
DKI_ACTIVE= 'a',
DKI_DEP= 'd',
DKI_DEPRECIATED= 'd',
DKI_REV= 'r',
DKI_REVOKED= 'r',
} dk_status_t;
# define DKI_KEY_FILEEXT ".key"
# define DKI_PUB_FILEEXT ".published"
# define DKI_ACT_FILEEXT ".private"
# define DKI_DEP_FILEEXT ".depreciated"
# define DKI_KSK 1
# define DKI_ZSK 0
typedef struct dki {
char dname[MAX_DNAMESIZE+1]; /* directory */
char fname[MAX_FNAMESIZE+1]; /* file name without extension */
char name[MAX_LABELSIZE+1]; /* domain name or label */
ushort algo; /* key algorithm */
ushort proto; /* must be 3 (DNSSEC) */
dk_flag_t flags; /* ZONE, optional SEP or REVOKE flag */
time_t time; /* key file time */
time_t gentime; /* key generation time (will be set on key generation and never changed) */
time_t exptime; /* time the key was expired (0L if not) */
ulong lifetime; /* proposed key life time at time of generation */
uint tag; /* key id */
dk_status_t status; /* key exist (".key") and name of private */
/* key file is ".published", ".private" */
/* or ".depreciated" */
char *pubkey; /* base64 public key */
struct dki *next; /* ptr to next entry in list */
} dki_t;
#if defined(USE_TREE) && USE_TREE
/*
* Instead of including <search.h>, which contains horrible false function
* declarations, we declared it for our usage (Yes, these functions return
* the adress of a pointer variable)
*/
typedef enum
{
/* we change the naming to the new, and more predictive one, used by Knuth */
PREORDER, /* preorder, */
INORDER, /* postorder, */
POSTORDER, /* endorder, */
LEAF /* leaf */
}
VISIT;
dki_t **tsearch (const dki_t *dkp, dki_t **tree, int(*compar)(const dki_t *, const dki_t *));
dki_t **tfind (const dki_t *dkp, const dki_t **tree, int(*compar)(const dki_t *, const dki_t *));
dki_t **tdelete (const dki_t *dkp, dki_t **tree, int(*compar)(const dki_t *, const dki_t *));
void twalk (const dki_t *root, void (*action)(const dki_t **nodep, VISIT which, int depth));
extern void dki_tfree (dki_t **tree);
extern dki_t *dki_tadd (dki_t **tree, dki_t *new);
extern int dki_tagcmp (const dki_t *a, const dki_t *b);
extern int dki_namecmp (const dki_t *a, const dki_t *b);
extern int dki_allcmp (const dki_t *a, const dki_t *b);
#endif
extern dki_t *dki_read (const char *dir, const char *fname);
extern int dki_readdir (const char *dir, dki_t **listp, int recursive);
extern int dki_prt_trustedkey (const dki_t *dkp, FILE *fp);
extern int dki_prt_dnskey (const dki_t *dkp, FILE *fp);
extern int dki_prt_dnskeyttl (const dki_t *dkp, FILE *fp, int ttl);
extern int dki_prt_dnskey_raw (const dki_t *dkp, FILE *fp);
extern int dki_prt_comment (const dki_t *dkp, FILE *fp);
extern int dki_cmp (const dki_t *a, const dki_t *b);
extern int dki_timecmp (const dki_t *a, const dki_t *b);
extern int dki_age (const dki_t *dkp, time_t curr);
extern dk_flag_t dki_getflag (const dki_t *dkp, time_t curr);
extern dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag);
extern dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag);
extern dk_status_t dki_status (const dki_t *dkp);
extern const char *dki_statusstr (const dki_t *dkp);
extern int dki_isksk (const dki_t *dkp);
extern int dki_isdepreciated (const dki_t *dkp);
extern int dki_isrevoked (const dki_t *dkp);
extern int dki_isactive (const dki_t *dkp);
extern int dki_ispublished (const dki_t *dkp);
extern time_t dki_time (const dki_t *dkp);
extern time_t dki_exptime (const dki_t *dkp);
extern time_t dki_gentime (const dki_t *dkp);
extern time_t dki_lifetime (const dki_t *dkp);
extern ushort dki_lifetimedays (const dki_t *dkp);
extern ushort dki_setlifetime (dki_t *dkp, int days);
extern time_t dki_setexptime (dki_t *dkp, time_t sec);
extern dki_t *dki_new (const char *dir, const char *name, int ksk, int algo, int bitsize, const char *rfile, int lf_days);
extern dki_t *dki_remove (dki_t *dkp);
extern dki_t *dki_destroy (dki_t *dkp);
extern int dki_setstatus (dki_t *dkp, int status);
extern int dki_setstatus_preservetime (dki_t *dkp, int status);
extern dki_t *dki_add (dki_t **dkp, dki_t *new);
extern const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name);
extern const dki_t *dki_search (const dki_t *list, int tag, const char *name);
extern const dki_t *dki_find (const dki_t *list, int ksk, int status, int first);
extern void dki_free (dki_t *dkp);
extern void dki_freelist (dki_t **listp);
extern char *dki_algo2str (int algo);
extern const char *dki_geterrstr (void);
#endif
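Review bot: the prototypes `dki_t **tsearch (const dki_t *dkp, dki_t **tree, ...)`, `tfind`, `tdelete` and `twalk` redeclare the libc <search.h> functions with dki_t-typed parameters and return types. Any translation unit that includes both headers gets conflicting declarations and fails to compile, and calling the real `void *`-typed functions through these prototypes is not a compatible function type in C; wrap them instead (static inline helpers that cast to and from `void *`) and reuse the real `VISIT` enum from <search.h> rather than redefining it with renamed constants. Also, `dki_t *dki_tadd (dki_t **tree, dki_t *new)` uses `new` as a parameter name, which breaks inclusion from C++, and the status name `DKI_DEPRECIATED` with the extension `.depreciated` (the word is "deprecated") becomes part of the on-disk key-file naming, so the spelling is worth settling before it ships.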

436
contrib/zkt/dnssec-signer.8 Normal file

@ -0,0 +1,436 @@
.TH dnssec-signer 8 "June 27, 2008" "ZKT 0.96" ""
\" turn off hyphenation
.\" if n .nh
.nh
.SH NAME
dnssec-signer \(em Secure DNS zone signing tool
.SH SYNOPSYS
.na
.B dnssec-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.B \-N
.I "named.conf"
.RI [ zone
.RI "" ... ]
.br
.B dnssec-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.RB [ \-D
.IR "directory" ]
.RI [ zone
.RI "" ... ]
.br
.B dnssec-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.B \-o
.IR "origin"
.RI [ zonefile ]
.SH DESCRIPTION
The
.I dnssec-signer
command is a wrapper around
.I dnssec-signzone(8)
and
.I dnssec-keygen(8)
to sign a zone and manage the necessary zone keys.
It's able to increment the serial number before signing the zone
and can trigger
.I named(8)
to reload the signed zone file.
The command controls several secure zones and, if started in regular
intervals via
.IR cron(8) ,
can do all that stuff automatically.
.PP
In the most useful usage scenario the command will be called with option
.B \-N
to read the secure zones out of the given
.I named.conf
file.
If you have a configuration file with views, you have to use option
-V viewname or --view viewname to specify the name of the view.
Alternatively you could link the executable file to a second name like
.I dnssec-signer-viewname
and use that command to specify the name of the view.
All master zone statements will be scanned for filenames
ending with ".signed".
These zones will be checked if the necessary zone- and key signing keys
are existent and fresh enough to be used in the signing process.
If some out-dated keys where found, new keying material will be generated via
the
.I dnssec-keygen(8)
command and the old ones will be marked as depreciated.
So the command do anything needed for a zone key rollover as defined by [2].
.PP
If the resigning interval is reached or any new key must be announced,
the serial number of the zone will be incremented and the
.I dnssec-signzone(8)
command will be evoked to sign the zone.
After that, if the option
.B \-r
is given, the
.I rndc(8)
command will be called to reload the zone on the
nameserver.
.PP
In the second form of the command it's possible to specify a directory
tree with the option
.B \-D
.IR dir .
Every secure zone found in a subdirectory below
.I dir
will be signed.
However, it's also possible to reduce the signing to those
zones given as arguments.
In directory mode the pre-requisite is, that the directory name is
exactly (including the trailing dot) the same as the zone name.
.PP
In the last form of the command, the functionality is more or less the same
as the
.I dnssec-signzone (8)
command.
The parameter specify the zone file name and the option
.B \-o
takes the name of the zone.
.PP
If neither
.B \-N
nor
.B \-D
nor
.B \-o
is given, then the default directory specified in the
.I dnssec.conf
file by the parameter
.I zonedir
will be used as the top level directory.
.SH OPTIONS
.TP
.BI \-L " file|dir" ", \-\-logfile=" file|dir
Specify the name of a log file or a directory where
logfiles are created with a name like
.fam C
.\"# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
.RI zkt- YYYY-MM-DD T hhmmss Z.log .
.fam T
.\" \&.
If the argument is not an absolute path name and a zone directory
is specified in the config file, this will prepend the given name.
This option is also settable in the dnssec.conf file via the parameter
.BI LogFile .
.br
The default is no file logging, but error logging to syslog with facility
.BI USER
at level
.BI ERROR
is enabled by default.
These parameters are settable via the config file parameter
.BI "SyslogFacility:" ,
.BI "SyslogLevel:" ,
.BI "LogFile:"
and
.BI "Loglevel" .
.br
There is an additional parameter
.BI VerboseLog:
which specifies the verbosity (0|1|2) of messages that will be logged
with level
.BI DEBUG
to file and syslog.
.TP
.BI \-V " view" ", \-\-view=" view
Try to read the default configuration out of a file named
.I dnssec-<view>.conf .
Instead of specifying the \-V or --view option every time,
it's also possible to create a hard or softlink to the
executable file with an additional name like
.I dnssec-zkt-<view> .
.TP
.BI \-c " file" ", \-\-config=" file
Read configuration values out of the specified file.
Otherwise the default config file is read or build-in defaults
will be used.
.TP
.BI \-O " optstr" ", \-\-config-option=" optstr
Set any config file option via the commandline.
Several config file options could be specified at the argument string
but have to be delimited by semicolon (or newline).
.TP
.BR \-f ", " \-\-force
Force a resigning of the zone, regardless if the resigning interval
is reached, or any new keys must be announced.
.TP
.BR \-n ", " \-\-noexec
Don't execute the
.I dnssec-signzone(8)
command.
Currently this option is of very limited usage.
.TP
.BR \-r ", " \-\-reload
Reload the zone via
.I rndc(8)
after successful signing.
In a production environment it's recommended to use this option
to be sure that a freshly signed zone will be immediately propagated.
However, that's only feasable if the named runs on the signing
machine, which is not recommended.
Otherwise the signed zonefile must be copied to the production
server before reloading the zone.
If this is the case, the parameter
.I propagation
in the
.I dnssec.conf
file must be set to a reasonable value.
.TP
.BR \-v ", " \-\-verbose
Verbose mode (recommended).
A second
.B \-v
will be a little more verbose.
.TP
.BR \-h ", " \-\-help
Print out the online help.
.SH SAMPLE USAGE
.TP
.fam C
.B "dnssec-signer \-N /var/named/named.conf \-r \-v \-v
.fam T
Sign all secure zones found in the named.conf file and, if necessary,
trigger a reload of the zone.
Print some explanatory remarks on stdout.
.TP
.fam C
.B "dnssec-signer \-D zonedir/example.net. \-f \-v \-v
.fam T
Force the signing of the zone found in the directory
.I zonedir/example.net .
Do not reload the zone.
.TP
.fam C
.B "dnssec-signer \-D zonedir \-f \-v \-v example.net.
.fam T
Same as above.
.TP
.fam C
.B "dnssec-signer \-f \-v \-v example.net.
.fam T
Same as above if the
.I dnssec.conf
file contains the path of the parent directory of the
.I example.net
zone.
.TP
.fam C
.B "dnssec-signer \-f \-v \-v \-o example.net. zone.db
.fam T
Same as above if we are in the directory containing the
.I example.net
files.
.TP
.fam C
.B "dnssec-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
.B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
.fam T
.br
Sign the example.net zone but overwrite some config file values with the parameters
given on the commandline.
.SH Zone setup and initial preparation
.TP
Create a separate directory for every secure zone.
.br
This is useful because there are many additional files needed to
secure a zone.
Besides the zone file
.RI ( zone.db ),
there is a signed zone file
.RI ( zone.db.signed),
a minimum of four files containing the keying material,
a file called
.I dnskey.db
with the current used keys,
and the
.I dsset-
and
.IR keyset- files
created by the
.I dnssec-signzone(8)
command.
So in summary there is a minimum of nine files used per secure zone.
For every additional key there are two extra files and
every delegated subzone creates also two or three files.
.TP
Name the directory just like the zone.
.br
That's only needed if you want to use the dnssec-signer command in
directory mode
.RB ( \-D ).
Then the name of the zone will be parsed out of the directory name.
.TP
Change the name of the zone file to \fIzone.db\fP
Otherwise you have to set the name via the
.I dnssec.conf
parameter
.IR zonefile ,
or you have to use the option
.B \-o
to name the zone and specify the zone file as argument.
.TP
Add the name of the signed zonefile to the \fInamed.conf\fP file
The filename is the name of the zone file with the
extension
.IR .signed .
Create an empty file with the name
.IB zonefile .signed
in the zone directory.
.TP
Include the keyfile in the zone.
The name of the keyfile is settable by the
.I dnssec.conf
parameter
.I keyfile .
The default is
.I dnskey.db .
.br
.if t \{\
.nf
.fam C
...
IN NS ns1.example.net.
IN NS ns2.example.net.
$INCLUDE dnskey.db
...
.fi
.fam T
.\}
.TP
Control the format of the SOA-Record
For automatic incrementation of the serial number, the SOA-Record
must be formated, so that the serial number is on a single line and
left justified in a field of at least 10 spaces!
.if t \{\
.fam C
.fi 0
@ IN SOA ns1.example.net. hostmaster.example.net. (
60 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
7200 ); Minimum
.fi
.fam T
.\}
If you use a BIND Verison of 9.4 or greater and
use the unixtime format for the serial number (See parameter
Serialformat in
.IR dnssec.conf )
than this is not necessary.
.TP
Try to sign the zone
If the current working directory is the directory of the zone
.IR example.net ,
use the command
.fam C
.nf
.sp 0.5
$ dnssec-signer \-D .. \-v \-v example.net
$ dnssec-signer \-o example.net.
.sp 0.5
.fi
.fam T
to create the initial keying material and a signed zone file.
Then try to load the file on the name server.
.SH ENVIRONMENT VARIABLES
.TP
ZKT_CONFFILE
Specifies the name of the default global configuration files.
.SH FILES
.TP
.I /var/named/dnssec.conf
Built-in default global configuration file.
The name of the default global config file is settable via
the environment variable ZKT_CONFFILE.
Use
.I dnssec-zkt(8)
with option
.B \-Z
to create an initial config file.
.TP
.I /var/named/dnssec-<view>.conf
View specific global configuration file.
.TP
.I ./dnssec.conf
Local configuration file.
.TP
.I dnskey.db
The file contains the currently used key and zone signing keys.
It will be created by
.IR dnsssec-signer(8) .
The name of the file is settable via the dnssec configuration
file (parameter
.IR keyfile ).
.TP
.I zone.db
This is the zone file.
The name of the file is settable via the dnssec configuration
file (parameter
.IR zonefile ).
.SH BUGS
.PP
The zone name given as an argument must be ending with a dot.
.PP
The named.conf parser is a little bit rudimental and not
very well tested.
.SH AUTHOR
Holger Zuleger
.SH COPYRIGHT
Copyright (c) 2005 \- 2008 by Holger Zuleger.
Licensed under the GPL 2. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
.\"--------------------------------------------------
.SH SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), dnssec-zkt(8)
.br
RFC4033, RFC4034, RFC4035
.br
[1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
.br
(http://www.nlnetlabs.nl/dnssec_howto/)
.br
[2] RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman
.br
(http://www.ietf.org/rfc/rfc4641.txt)
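Review bot: `.TH dnssec-signer 8 "June 27, 2008" "ZKT 0.96" ""` carries version 0.96 while config_zkt.h in this commit defines `ZKT_VERSION "v0.97 ..."` and dnssec-zkt.8 says "ZKT 0.97"; and the COPYRIGHT section states `Licensed under the GPL 2` while the source file headers in this commit carry BSD-style redistribution terms, so one of the two is wrong and should be corrected before import. The `-O`/`--config-option` option is described under OPTIONS but missing from all three SYNOPSIS forms. Spelling: `SYNOPSYS` (SYNOPSIS), `feasable`, `formated`, `Verison`, `dnsssec-signer(8)`.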

1002
contrib/zkt/dnssec-signer.c Normal file

File diff suppressed because it is too large

481
contrib/zkt/dnssec-zkt.8 Normal file

@ -0,0 +1,481 @@
.TH dnssec-zkt 8 "July 27, 2008" "ZKT 0.97" ""
\" turn off hyphenation
.\" if n .nh
.nh
.SH NAME
dnssec-zkt \(em Secure DNS zone key tool
.SH SYNOPSYS
.na
.B dnssec-zkt
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-adefhkLrptz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.BR \-C <label>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-krpz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-create= <label>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-krpz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.BR \- { P | A | D | R } <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-published= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-active= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-depreciate= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.BR \-\-rename= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.BR \-\-destroy= <keytag>
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-r ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.B \-T
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-hr ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.B \-\-list-trustedkeys
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-hr ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.B \-K
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-hkzr ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B dnssec-zkt
.B \-\-list-dnskeys
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-hkzr ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B dnssec-zkt
.B \-Z
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.B dnssec-zkt
.B \-\-zone-config
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.B dnssec-zkt
.B \-9 | \-\-ksk-rollover
.br
.B dnssec-zkt
.B \-1 | \-\-ksk-roll-phase1
.I "do.ma.in."
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.B dnssec-zkt
.B \-2 | \-\-ksk-roll-phase2
.I "do.ma.in."
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.B dnssec-zkt
.B \-3 | \-\-ksk-roll-phase3
.I do.ma.in.
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.B dnssec-zkt
.B \-0 | \-\-ksk-roll-stat
.I do.ma.in.
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.br
.ad
.SH DESCRIPTION
The
.I dnssec-zkt
command is a wrapper around
.I dnssec-keygen(8)
to assist in dnssec zone key management.
.PP
In the common usage the command prints out information about
all dnssec (zone) keys found in the given (or predefined default) directory.
It's also possible to specify keyfiles (K*.key) as arguments.
With option
.B \-r
subdirectories will be searched recursively, and all dnssec keys found
will be listed sorted by domain name, key type and generation time.
In that mode the use of the
.B \-p
option may be helpful to find the location of the keyfile in the directory tree.
.PP
Other forms of the command print out keys in a format suitable for
a trusted-key section or as a DNSKEY resource record.
.PP
The command is also useful in dns key management.
It allows key livetime monitoring and status change.
.SH GENERAL OPTIONS
.TP
.BI \-V " view" ", \-\-view=" view
Try to read the default configuration out of a file named
.I dnssec-<view>.conf .
Instead of specifying the \-V or --view option every time,
it's also possible to create a hard or softlink to the
executable file to give it an additional name like
.I dnssec-zkt-<view> .
.TP
.BI \-c " file" ", \-\-config=" file
Read default values from the specified config file.
Otherwise the default config file is read or build in defaults
will be used.
.TP
.BI \-O " optstr" ", \-\-config-option=" optstr
Set any config file option via the commandline.
Several config file options could be specified at the argument string
but have to be delimited by semicolon (or newline).
.TP
.BI \-l " list"
Print out information solely about domains given in the comma or space separated
list.
Take care of, that every domain name has a trailing dot.
.TP
.BR \-d ", " \-\-directory
Skip directory arguments.
This will be useful in combination with wildcard arguments
to prevent dnsssec-zkt to list all keys found in subdirectories.
For example "dnssec-zkt -d *" will print out a list of all keys only found in
the current directory.
Maybe it's easier to use "dnssec-zkt ." instead (without -r set).
The option works similar to the \-d option of
.IR ls(1) .
.TP
.BR \-L ", " \-\-left-justify
Print out the domain name left justified.
.TP
.BR \-k ", " \-\-ksk
Select and print key signing keys only (default depends on command mode).
.TP
.BR \-z ", " \-\-zsk
Select and print zone signing keys only (default depends on command mode).
.TP
.BR \-r ", " \-\-recursive
Recursive mode (default is off).
.br
Also settable in the dnssec.conf file (Parameter: Recursive).
.TP
.BR \-p ", " \-\-path
Print pathname in listing mode.
In -C mode, don't create the new key in the same directory as (already existing)
keys with the same label.
.TP
.BR \-a ", " \-\-age
Print age of key in weeks, days, hours, minutes and seconds (default is off).
.br
Also settable in the dnssec.conf file (Parameter: PrintAge).
.TP
.BR \-f ", " \-\-lifetime
Print the key lifetime.
.TP
.BR \-F ", " \-\-setlifetime
Set the key lifetime of all the selected keys.
Use option -k, -z, -l or the file and dir argument for key selection.
.TP
.BR \-e ", " \-\-exptime
Print the key expiration time.
.TP
.BR \-t ", " \-\-time
Print the key generation time (default is on).
.br
Also settable in the dnssec.conf file (Parameter: PrintTime).
.TP
.B \-h
No header or trusted-key section header and trailer in -T mode
.PP
.SH COMMAND OPTIONS
.TP
.BR \-H ", " \-\-help
Print out the online help.
.TP
.BR \-T ", " \-\-list-trustedkeys
List all key signing keys as a
.I named.conf
trusted-key section.
Use
.B \-h
to supress the section header/trailer.
.TP
.BR \-K ", " \-\-list-dnskeys
List the public part of all the keys in DNSKEY resource record format.
Use
.B \-h
to suppress comment lines.
.TP
.BI \-C " zone" ", \-\-create=" zone
Create a new zone signing key for the given zone.
Add option
.B \-k
to create a key signing key.
The key algorithm and key length will be examined from built-in default values
or from the parameter settings in the
.I dnssec.conf
file.
.br
The keyfile will be created in the current directory if
the
.B \-p
option is specified.
.TP
.BI \-R " keyid" ", \-\-revoke=" keyid
Revoke the key signing key with the given keyid.
A revoked key has bit 8 in the flags filed set (see RFC5011).
The keyid is the numeric keytag with an optionally added zone name separated by a colon.
.TP
.BI \-\-rename=" keyid
Rename the key files of the key with the given keyid
(Look at key file names starting with an lower 'k').
The keyid is the numeric keytag with an optionally added zone name separated by a colon.
.TP
.BI \-\-destroy= keyid
Deletes the key with the given keyid.
The keyid is the numeric keytag with an optionally added zone name separated by a colon.
Beware that this deletes both private and public keyfiles, thus the key is
unrecoverable lost.
.TP
.BI \-P|A|D " keyid," " \-\-published=" keyid, " \-\-active=" keyid, " \-\-depreciated=" keyid
Change the status of the given dnssec key to
published
.RB ( \-P ),
active
.RB ( \-A )
or depreciated
.RB ( \-D ).
The
.I keyid
is the numeric keytag with an optionally added zone name separated by a colon.
Setting the status to "published" or "depreciate" will change the filename
of the private key file to ".published" or ".depreciated" respectivly.
This prevents the usage of the key as a signing key by the use of
.IR dnssec-signzone(8) .
The time of status change will be stored in the 'mtime' field of the corresponding
".key" file.
Key activation via option
.B \-A
will restore the original timestamp and file name (".private").
.TP
.BR \-Z ", " \-\-zone-config
Write all config parameters to stdout.
The output is suitable as a template for the
.I dnssec.conf
file, so the easiest way to create a
.I dnssec.conf
file is to redirect the standard output of the above command.
Pay attention not to overwrite an existing file.
.TP
.BI \-\-ksk-roll-phase[123] " do.ma.in."
Initiate a key signing key rollover of the specified domain.
This feature is currently in experimental status and is mainly for the use
in an hierachical environment.
Use --ksk-rollover for a little more detailed description.
.SH SAMPLE USAGE
.TP
.fam C
.B "dnssec-zkt \-r .
.fam T
Print out a list of all zone keys found below the current directory.
.TP
.fam C
.B "dnssec-zkt \-Z \-c """"
.fam T
Print out the compiled in default parameters.
.TP
.fam C
.B "dnssec-zkt \-C example.net \-k \-r ./zonedir
.fam T
Create a new key signing key for the zone "example.net".
Store the key in the same directory below "zonedir" where the other
"example.net" keys live.
.TP
.fam C
.B "dnssec-zkt \-T ./zonedir/example.net
.fam T
Print out a trusted-key section containing the key signing keys of "example.net".
.TP
.fam C
.B "dnssec-zkt \-D 123245 \-r .
.fam T
Depreciate the key with tag "12345" below the current directory,
.TP
.fam C
.B "dnssec-zkt --view intern
Print out a list of all zone keys found below the directory where all
the zones of view intern live.
There should be a seperate dnssec config file
.I dnssec-intern.conf
with a directory option to take affect of this.
.TP
.fam C
.B "dnssec-zkt-intern
.fam T
Same as above.
The binary file
.I dnssec-zkt
have linked to
.I dnssec-zkt-intern .
.SH ENVIRONMENT VARIABLES
.TP
ZKT_CONFFILE
Specifies the name of the default global configuration files.
.SH FILES
.TP
.I /var/named/dnssec.conf
Built-in default global configuration file.
The name of the default global config file is settable via
the environment variable ZKT_CONFFILE.
.TP
.I /var/named/dnssec-<view>.conf
View specific global configuration file.
.TP
.I ./dnssec.conf
Local configuration file (only used in
.B \-C
mode).
.SH BUGS
.PP
Some of the general options will not be meaningful in all of the command modes.
.br
The option
.B \-l
and the ksk rollover options
insist on domain names ending with a dot.
.PP
.SH AUTHOR
Holger Zuleger
.SH COPYRIGHT
Copyright (c) 2005 \- 2007 by Holger Zuleger.
Licensed under the GPL 2. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
.\"--------------------------------------------------
.SH SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), dnssec-signer(8),
.br
RFC4641
"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
.br
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
.br
(http://www.nlnetlabs.nl/dnssec_howto/)
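Review bot: the COPYRIGHT section of this man page ("Copyright (c) 2005 \- 2007 by Holger Zuleger." / "Licensed under the GPL 2.") does not match the licence shipped in the same commit: dnssec-zkt.c below carries "Copyright (c) 2005 - 2008" under BSD-style redistribution terms, so the documented licence and the shipped licence disagree. Update the man page to the same licence text and year range. Two smaller points in this hunk: the SAMPLE USAGE entry `dnssec-zkt \-D 123245 \-r .` is described as depreciating the key with tag "12345", so one of the two numbers is a typo and command and description should use the same tag; and the BUGS remark that the ksk rollover options insist on a trailing dot is true (the option parser in dnssec-zkt.c appends the dot only for the key-selecting options, not for the `-0/-1/-2/-3` domain argument), so it belongs in the `--ksk-roll-phase[123]` entry itself rather than only under BUGS. Spelling to fix while here: "supress", "filed" (field), "respectivly", "seperate", "hierachical", "unrecoverable lost" (unrecoverably).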

823
contrib/zkt/dnssec-zkt.c Normal file

@ -0,0 +1,823 @@
/*****************************************************************
**
** @(#) dnssec-zkt.c (c) Jan 2005 Holger Zuleger hznet.de
**
** Secure DNS zone key tool
** A wrapper command around the BIND dnssec-keygen utility
**
** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
# include <stdio.h>
# include <stdlib.h> /* abort(), exit(), ... */
# include <string.h>
# include <dirent.h>
# include <assert.h>
# include <unistd.h>
# include <ctype.h>
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
# include "config_zkt.h"
#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
# include <getopt.h>
#endif
# include "debug.h"
# include "misc.h"
# include "strlist.h"
# include "zconf.h"
# include "dki.h"
# include "zkt.h"
extern int optopt;
extern int opterr;
extern int optind;
extern char *optarg;
const char *progname;
char *labellist = NULL;
int headerflag = 1;
int ageflag = 0;
int lifetime = 0;
int lifetimeflag = 0;
int timeflag = 1;
int exptimeflag = 0;
int pathflag = 0;
int kskflag = 1;
int zskflag = 1;
int ljustflag = 0;
static int dirflag = 0;
static int recflag = RECURSIVE;
static int trustedkeyflag = 0;
static char *kskdomain = "";
static const char *view = "";
# define short_options ":0:1:2:3:9A:C:D:P:S:R:HKTs:ZV:afF:c:O:dhkLl:prtez"
#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
static struct option long_options[] = {
{"ksk-rollover", no_argument, NULL, '9'},
{"ksk-status", required_argument, NULL, '0'},
{"ksk-roll-status", required_argument, NULL, '0'},
{"ksk-newkey", required_argument, NULL, '1'},
{"ksk-publish", required_argument, NULL, '2'},
{"ksk-delkey", required_argument, NULL, '3'},
{"ksk-roll-phase1", required_argument, NULL, '1'},
{"ksk-roll-phase2", required_argument, NULL, '2'},
{"ksk-roll-phase3", required_argument, NULL, '3'},
{"list-dnskeys", no_argument, NULL, 'K'},
{"list-trustedkeys", no_argument, NULL, 'T'},
{"ksk", no_argument, NULL, 'k'},
{"zsk", no_argument, NULL, 'z'},
{"age", no_argument, NULL, 'a'},
{"lifetime", no_argument, NULL, 'f'},
{"time", no_argument, NULL, 't'},
{"expire", no_argument, NULL, 'e'},
{"recursive", no_argument, NULL, 'r'},
{"zone-config", no_argument, NULL, 'Z'},
{"leftjust", no_argument, NULL, 'L'},
{"path", no_argument, NULL, 'p'},
{"nohead", no_argument, NULL, 'h'},
{"directory", no_argument, NULL, 'd'},
{"config", required_argument, NULL, 'c'},
{"option", required_argument, NULL, 'O'},
{"config-option", required_argument, NULL, 'O'},
{"published", required_argument, NULL, 'P'},
{"standby", required_argument, NULL, 'S'},
{"active", required_argument, NULL, 'A'},
{"depreciated", required_argument, NULL, 'D'},
{"create", required_argument, NULL, 'C'},
{"revoke", required_argument, NULL, 'R'},
{"remove", required_argument, NULL, 19 },
{"destroy", required_argument, NULL, 20 },
{"setlifetime", required_argument, NULL, 'F' },
{"view", required_argument, NULL, 'V' },
{"help", no_argument, NULL, 'H'},
{0, 0, 0, 0}
};
#endif
static int parsedirectory (const char *dir, dki_t **listp);
static void parsefile (const char *file, dki_t **listp);
static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf);
static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf);
static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp);
static void usage (char *mesg, zconf_t *cp);
static const char *parsetag (const char *str, int *tagp);
static void setglobalflags (zconf_t *config)
{
recflag = config->recursive;
ageflag = config->printage;
timeflag = config->printtime;
ljustflag = config->ljust;
}
int main (int argc, char *argv[])
{
dki_t *data = NULL;
dki_t *dkp;
int c;
int opt_index;
int action;
const char *file;
const char *defconfname = NULL;
char *p;
char str[254+1];
const char *keyname = NULL;
int searchtag;
zconf_t *config;
progname = *argv;
if ( (p = strrchr (progname, '/')) )
progname = ++p;
view = getnameappendix (progname, "dnssec-zkt");
defconfname = getdefconfname (view);
config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
if ( fileexist (defconfname) ) /* load default config file */
config = loadconfig (defconfname, config);
if ( config == NULL )
fatal ("Out of memory\n");
setglobalflags (config);
opterr = 0;
opt_index = 0;
action = 0;
#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
#else
while ( (c = getopt (argc, argv, short_options)) != -1 )
#endif
{
switch ( c )
{
case '9': /* ksk rollover help */
ksk_roll ("help", c - '0', NULL, NULL);
exit (1);
case '1': /* ksk rollover: create new key */
case '2': /* ksk rollover: publish DS */
case '3': /* ksk rollover: delete old key */
case '0': /* ksk rollover: show current status */
action = c;
if ( !optarg )
usage ("ksk rollover requires an domain argument", config);
kskdomain = str_tolowerdup (optarg);
break;
case 'T':
trustedkeyflag = 1;
zskflag = pathflag = 0;
/* fall through */
case 'H':
case 'K':
case 'Z':
action = c;
break;
case 'C':
pathflag = !pathflag;
/* fall through */
case 'P':
case 'S':
case 'A':
case 'D':
case 'R':
case 's':
case 19:
case 20:
if ( (keyname = parsetag (optarg, &searchtag)) != NULL )
{
int len = strlen (keyname);
if ( len > 0 && keyname[len-1] != '.' )
{
snprintf (str, sizeof(str), "%s.", keyname);
keyname = str;
}
}
keyname = str_tolowerdup (keyname);
action = c;
break;
case 'a': /* age */
ageflag = !ageflag;
break;
case 'f': /* key lifetime */
lifetimeflag = !lifetimeflag;
break;
case 'F': /* set key lifetime */
lifetime = atoi (optarg);
lifetimeflag = 1; /* set some flags for more informative output */
exptimeflag = 1;
timeflag = 1;
action = c;
break;
case 'V': /* view name */
view = optarg;
defconfname = getdefconfname (view);
if ( fileexist (defconfname) ) /* load default config file */
config = loadconfig (defconfname, config);
if ( config == NULL )
fatal ("Out of memory\n");
setglobalflags (config);
break;
case 'c':
config = loadconfig (optarg, config);
setglobalflags (config);
checkconfig (config);
break;
case 'O': /* read option from commandline */
config = loadconfig_fromstr (optarg, config);
setglobalflags (config);
checkconfig (config);
break;
case 'd': /* ignore directory arg */
dirflag = 1;
break;
case 'h': /* print no headline */
headerflag = 0;
break;
case 'k': /* ksk only */
zskflag = 0;
break;
case 'L': /* ljust */
ljustflag = !ljustflag;
break;
case 'l': /* label list */
labellist = prepstrlist (optarg, LISTDELIM);
if ( labellist == NULL )
fatal ("Out of memory\n");
break;
case 'p': /* print path */
pathflag = 1;
break;
case 'r': /* switch recursive flag */
recflag = !recflag;
break;
case 't': /* time */
timeflag = !timeflag;
break;
case 'e': /* expire time */
exptimeflag = !exptimeflag;
break;
case 'z': /* zsk only */
kskflag = 0;
break;
case ':':
snprintf (str, sizeof(str), "option \"-%c\" requires an argument.\n",
optopt);
usage (str, config);
break;
case '?':
if ( isprint (optopt) )
snprintf (str, sizeof(str), "Unknown option \"-%c\".\n",
optopt);
else
snprintf (str, sizeof (str), "Unknown option char \\x%x.\n",
optopt);
usage (str, config);
break;
default:
abort();
}
}
/* it's better to do this before we read the whole directory tree */
if ( action == 'Z' )
{
printconfig ("stdout", config);
return 0;
}
if ( kskflag == 0 && zskflag == 0 )
kskflag = zskflag = 1;
c = optind;
do {
if ( c >= argc ) /* no args left */
file = config->zonedir; /* use default directory */
else
file = argv[c++];
if ( is_directory (file) )
parsedirectory (file, &data);
else
parsefile (file, &data);
} while ( c < argc ); /* for all arguments */
switch ( action )
{
case 'H':
usage ("", config);
case 'C':
createkey (keyname, data, config);
break;
case 'P':
case 'S':
case 'A':
case 'D':
if ( (dkp = (dki_t*)zkt_search (data, searchtag, keyname)) == NULL )
fatal ("Key with tag %u not found\n", searchtag);
else if ( dkp == (void *) 01 )
fatal ("Key with tag %u found multiple times\n", searchtag);
if ( (c = dki_setstatus_preservetime (dkp, action)) != 0 )
fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
break;
case 19: /* remove (rename) key file */
if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
fatal ("Key with tag %u not found\n", searchtag);
else if ( dkp == (void *) 01 )
fatal ("Key with tag %u found multiple times\n", searchtag);
dki_remove (dkp);
break;
case 20: /* destroy the key (remove the files!) */
if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
fatal ("Key with tag %u not found\n", searchtag);
else if ( dkp == (void *) 01 )
fatal ("Key with tag %u found multiple times\n", searchtag);
dki_destroy (dkp);
break;
case 'R':
if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
fatal ("Key with tag %u not found\n", searchtag);
else if ( dkp == (void *) 01 )
fatal ("Key with tag %u found multiple times\n", searchtag);
if ( (c = dki_setstatus (dkp, action)) != 0 )
fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
break;
case 's':
if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
fatal ("Key with tag %u not found\n", searchtag);
else if ( dkp == (void *) 01 )
fatal ("Key with tag %u found multiple times\n", searchtag);
dki_prt_dnskey (dkp, stdout);
break;
case 'K':
zkt_list_dnskeys (data);
break;
case 'T':
zkt_list_trustedkeys (data);
break;
case '1': /* ksk rollover new key */
case '2': /* ksk rollover publish DS */
case '3': /* ksk rollover delete old key */
case '0': /* ksk rollover status */
ksk_roll (kskdomain, action - '0', data, config);
break;
case 'F':
zkt_setkeylifetime (data);
/* fall through */
default:
zkt_list_keys (data);
}
return 0;
}
# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
# define loptstr(lstr, sstr) lstr
#else
# define lopt_usage(mesg, value)
# define loptstr(lstr, sstr) sstr
#endif
static void usage (char *mesg, zconf_t *cp)
{
fprintf (stderr, "Secure DNS Zone Key Tool %s\n", ZKT_VERSION);
fprintf (stderr, "\n");
fprintf (stderr, "Show zone config parameter as %s file\n", LOCALCONF_FILE);
sopt_usage ("\tusage: %s -Z\n", progname);
lopt_usage ("\tusage: %s --zone-config\n", progname);
fprintf (stderr, "\n");
fprintf (stderr, "List keys in current or given directory (-r for recursive mode)\n");
sopt_usage ("\tusage: %s [-dhatkzpr] [-c config] [file|dir ...]\n", progname);
fprintf (stderr, "\n");
fprintf (stderr, "List public part of keys in DNSKEY RR format\n");
sopt_usage ("\tusage: %s -K [-dhkzr] [-c config] [file|dir ...]\n", progname);
lopt_usage ("\tusage: %s --list-dnskeys [-dhkzr] [-c config] [file|dir ...]\n", progname);
fprintf (stderr, "\n");
fprintf (stderr, "List keys (output is suitable for trusted-keys section)\n");
sopt_usage ("\tusage: %s -T [-dhzr] [-c config] [file|dir ...]\n", progname);
lopt_usage ("\tusage: %s --list-trustedkeys [-dhzr] [-c config] [file|dir ...]\n", progname);
fprintf (stderr, "\n");
fprintf (stderr, "Create a new key \n");
sopt_usage ("\tusage: %s -C <name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
lopt_usage ("\tusage: %s --create=<name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
fprintf (stderr, "\t\tKSK (use -k): %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits);
fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->z_algo), cp->z_bits);
fprintf (stderr, "\n");
fprintf (stderr, "Change key status of specified key to published, active or depreciated\n");
fprintf (stderr, "\t(<keyspec> := tag | tag:name) \n");
sopt_usage ("\tusage: %s -P|-A|-D <keyspec> [-dr] [-c config] [dir ...]\n", progname);
lopt_usage ("\tusage: %s --published=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
lopt_usage ("\tusage: %s --active=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
lopt_usage ("\tusage: %s --depreciated=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
fprintf (stderr, "\n");
fprintf (stderr, "Revoke specified key (<keyspec> := tag | tag:name) \n");
sopt_usage ("\tusage: %s -R <keyspec> [-dr] [-c config] [dir ...]\n", progname);
lopt_usage ("\tusage: %s --revoke=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
fprintf (stderr, "\n");
fprintf (stderr, "Remove (rename) or destroy (delete) specified key (<keyspec> := tag | tag:name) \n");
lopt_usage ("\tusage: %s --remove=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
lopt_usage ("\tusage: %s --destroy=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
fprintf (stderr, "\n");
fprintf (stderr, "Initiate a semi-automated KSK rollover");
fprintf (stderr, "('%s -9%s' prints out a short description)\n", progname, loptstr ("|--ksk-rollover", ""));
sopt_usage ("\tusage: %s {-1} do.ma.in.\n", progname);
lopt_usage ("\tusage: %s {--ksk-roll-phase1|--ksk-newkey} do.ma.in.\n", progname);
sopt_usage ("\tusage: %s {-2} do.ma.in.\n", progname);
lopt_usage ("\tusage: %s {--ksk-roll-phase2|--ksk-publish} do.ma.in.\n", progname);
sopt_usage ("\tusage: %s {-3} do.ma.in.\n", progname);
lopt_usage ("\tusage: %s {--ksk-roll-phase3|--ksk-delkey} do.ma.in.\n", progname);
sopt_usage ("\tusage: %s {-0} do.ma.in.\n", progname);
lopt_usage ("\tusage: %s {--ksk-roll-status|--ksk-status} do.ma.in.\n", progname);
fprintf (stderr, "\n");
fprintf (stderr, "\n");
fprintf (stderr, "General options \n");
fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
fprintf (stderr, "\t\t read config options from commandline\n");
fprintf (stderr, "\t-h%s\t no headline or trusted-key section header/trailer in -T mode\n", loptstr (", --nohead", "\t"));
fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
fprintf (stderr, "\t-L%s\t print the domain name left justified (default: %s)\n", loptstr (", --leftjust", "\t"), ljustflag ? "on": "off");
fprintf (stderr, "\t-l list\t\t print out only zone keys out of the given domain list\n");
fprintf (stderr, "\t-p%s\t show path of keyfile / create key in current directory\n", loptstr (", --path", "\t"));
fprintf (stderr, "\t-r%s\t recursive mode on/off (default: %s)\n", loptstr(", --recursive", "\t"), recflag ? "on": "off");
fprintf (stderr, "\t-a%s\t print age of key (default: %s)\n", loptstr (", --age", "\t"), ageflag ? "on": "off");
fprintf (stderr, "\t-t%s\t print key generation time (default: %s)\n", loptstr (", --time", "\t"),
timeflag ? "on": "off");
fprintf (stderr, "\t-e%s\t print key expiration time\n", loptstr (", --expire", "\t"));
fprintf (stderr, "\t-f%s\t print key lifetime\n", loptstr (", --lifetime", "\t"));
fprintf (stderr, "\t-F days%s=days\t set key lifetime\n", loptstr (", --setlifetime", "\t"));
fprintf (stderr, "\t-k%s\t key signing keys only\n", loptstr (", --ksk", "\t"));
fprintf (stderr, "\t-z%s\t zone signing keys only\n", loptstr (", --zsk", "\t"));
if ( mesg && *mesg )
fprintf (stderr, "%s\n", mesg);
exit (1);
}
static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)
{
const char *dir = "";
dki_t *dkp;
if ( keyname == NULL || *keyname == '\0' )
fatal ("Create key: no keyname!");
dbg_val2 ("createkey: keyname %s, pathflag = %d\n", keyname, pathflag);
/* search for already existent key to get the directory name */
if ( pathflag && (dkp = (dki_t *)zkt_search (list, 0, keyname)) != NULL )
{
char path[MAX_PATHSIZE+1];
zconf_t localconf;
dir = dkp->dname;
pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
if ( fileexist (path) ) /* load local config file */
{
dbg_val ("Load local config file \"%s\"\n", path);
memcpy (&localconf, conf, sizeof (zconf_t));
conf = loadconfig (path, &localconf);
}
}
if ( zskflag )
dkp = dki_new (dir, keyname, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
else
dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
if ( dkp == NULL )
fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
/* create a new key always in state published, which means "standby" for ksk */
dki_setstatus (dkp, DKI_PUB);
}
static int get_parent_phase (const char *file)
{
FILE *fp;
int phase;
if ( (fp = fopen (file, "r")) == NULL )
return -1;
phase = 0;
if ( fscanf (fp, "; KSK rollover phase%d", &phase) != 1 )
phase = 0;
fclose (fp);
return phase;
}
static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)
{
char path[MAX_PATHSIZE+1];
zconf_t localconf;
const char *dir;
dki_t *keylist;
dki_t *dkp;
dki_t *standby;
int parent_exist;
int parent_age;
int parent_phase;
int parent_propagation;
int key_ttl;
int ksk;
if ( phase == 9 ) /* usage */
{
fprintf (stderr, "A KSK rollover requires three consecutive steps:\n");
fprintf (stderr, "\n");
fprintf (stderr, "-1%s", loptstr ("|--ksk-roll-phase1 (--ksk-newkey)\n", ""));
fprintf (stderr, "\t Create a new KSK.\n");
fprintf (stderr, "\t This step also creates a parent-<domain> file which contains only\n");
fprintf (stderr, "\t the _old_ key. This file will be copied in hierarchical mode\n");
fprintf (stderr, "\t by dnssec-signer to the parent directory as keyset-<domain> file.\n");
fprintf (stderr, "\t Wait until the new keyset is propagated, before going to the next step.\n");
fprintf (stderr, "\n");
fprintf (stderr, "-2%s", loptstr ("|--ksk-roll-phase2 (--ksk-publish)\n", ""));
fprintf (stderr, "\t This step creates a parent-<domain> file with the _new_ key only.\n");
fprintf (stderr, "\t Please send this file immediately to the parent (In hierarchical\n");
fprintf (stderr, "\t mode this will be done automatically by the dnssec-signer command).\n");
fprintf (stderr, "\t Then wait until the new DS is generated by the parent and propagated\n");
fprintf (stderr, "\t to all the parent name server, plus the old DS TTL before going to step three.\n");
fprintf (stderr, "\n");
fprintf (stderr, "-3%s", loptstr ("|--ksk-roll-phase3 (--ksk-delkey)\n", ""));
fprintf (stderr, "\t Remove (rename) the old KSK and the parent-<domain> file.\n");
fprintf (stderr, "\t You have to manually delete the old KSK (look at file names beginning\n");
fprintf (stderr, "\t with an lower 'k').\n");
fprintf (stderr, "\n");
fprintf (stderr, "-0%s", loptstr ("|--ksk-roll-stat (--ksk-status)\n", ""));
fprintf (stderr, "\t Show the current KSK rollover state of a domain.\n");
fprintf (stderr, "\n");
return;
}
if ( keyname == NULL || *keyname == '\0' )
fatal ("ksk rollover: no domain!");
dbg_val2 ("ksk_roll: keyname %s, phase = %d\n", keyname, phase);
/* search for already existent key to get the directory name */
if ( (keylist = (dki_t *)zkt_search (list, 0, keyname)) == NULL )
fatal ("ksk rollover: domain %s not found!\n", keyname);
dkp = keylist;
/* try to read local config file */
dir = dkp->dname;
pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
if ( fileexist (path) ) /* load local config file */
{
dbg_val ("Load local config file \"%s\"\n", path);
memcpy (&localconf, conf, sizeof (zconf_t));
conf = loadconfig (path, &localconf);
}
key_ttl = conf->key_ttl;
/* check if parent-file already exist */
pathname (path, sizeof (path), dir, "parent-", keyname);
parent_phase = parent_age = 0;
if ( (parent_exist = fileexist (path)) != 0 )
{
parent_phase = get_parent_phase (path);
parent_age = file_age (path);
}
// parent_propagation = 2 * DAYSEC;
parent_propagation = 5 * MINSEC;
ksk = 0; /* count active(!) key signing keys */
standby = NULL; /* find standby key if available */
for ( dkp = keylist; dkp; dkp = dkp->next )
if ( dki_isksk (dkp) )
{
if ( dki_status (dkp) == DKI_ACT )
ksk++;
else if ( dki_status (dkp) == DKI_PUB )
standby = dkp;
}
switch ( phase )
{
case 0: /* print status (debug) */
fprintf (stdout, "ksk_rollover:\n");
fprintf (stdout, "\t domain = %s\n", keyname);
fprintf (stdout, "\t phase = %d\n", parent_phase);
fprintf (stdout, "\t parent_file %s %s\n", path, parent_exist ? "exist": "not exist");
if ( parent_exist )
fprintf (stdout, "\t age of parent_file %d %s\n", parent_age, str_delspace (age2str (parent_age)));
fprintf (stdout, "\t # of active key signing keys %d\n", ksk);
fprintf (stdout, "\t parent_propagation %d %s\n", parent_propagation, str_delspace (age2str (parent_propagation)));
fprintf (stdout, "\t keys ttl %d %s\n", key_ttl, age2str (key_ttl));
for ( dkp = keylist; dkp; dkp = dkp->next )
{
/* TODO: Nur zum testen */
dki_prt_dnskey (dkp, stdout);
}
break;
case 1:
if ( parent_exist || ksk > 1 )
fatal ("Can\'t create new ksk because there is already an ksk rollover in progress\n");
fprintf (stdout, "create new ksk \n");
dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
if ( dkp == NULL )
fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
if ( standby )
{
dki_setstatus (standby, DKI_ACT); /* activate standby key */
dki_setstatus (dkp, DKI_PUB); /* new key will be the new standby */
}
// dkp = keylist; /* use old key to create the parent file */
if ( (dkp = (dki_t *)dki_find (keylist, 1, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */
fatal ("ksk_rollover phase1: Couldn't find the old active key\n");
if ( !create_parent_file (path, phase, key_ttl, dkp) )
fatal ("Couldn't create parentfile %s\n", path);
break;
case 2:
if ( ksk < 2 )
fatal ("Can\'t publish new key because no one exist\n");
if ( !parent_exist )
fatal ("More than one KSK but no parent file found!\n");
if ( parent_phase != 1 )
fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
if ( parent_age < conf->proptime + key_ttl )
fatal ("ksk_rollover (phase2): you have to wait for the propagation of the new KSK (at least %dsec or %s)\n",
conf->proptime + key_ttl - parent_age,
str_delspace (age2str (conf->proptime + key_ttl - parent_age)));
fprintf (stdout, "save new ksk in parent file\n");
dkp = keylist->next; /* set dkp to new ksk */
if ( !create_parent_file (path, phase, key_ttl, dkp) )
fatal ("Couldn't create parentfile %s\n", path);
break;
case 3:
if ( !parent_exist || ksk < 2 )
fatal ("ksk-delkey only allowed after ksk-publish\n");
if ( parent_phase != 2 )
fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
if ( parent_age < parent_propagation + key_ttl )
fatal ("ksk_rollover (phase3): you have to wait for DS propagation (at least %dsec or %s)\n",
parent_propagation + key_ttl - parent_age,
str_delspace (age2str (parent_propagation + key_ttl - parent_age)));
/* remove the parentfile */
fprintf (stdout, "remove parentfile \n");
unlink (path);
/* remove or rename the old key */
fprintf (stdout, "old ksk renamed \n");
dkp = keylist; /* set dkp to old ksk */
dki_remove (dkp);
break;
default: assert (phase == 1 || phase == 2 || phase == 3);
}
}
/*****************************************************************
** create_parent_file ()
*****************************************************************/
static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)
{
FILE *fp;
assert ( fname != NULL );
if ( dkp == NULL || (phase != 1 && phase != 2) )
return 0;
if ( (fp = fopen (fname, "w")) == NULL )
fatal ("can\'t create new parentfile \"%s\"\n", fname);
if ( phase == 1 )
fprintf (fp, "; KSK rollover phase1 (old key)\n");
else
fprintf (fp, "; KSK rollover phase2 (new key)\n");
dki_prt_dnskeyttl (dkp, fp, ttl);
fclose (fp);
return phase;
}
static int parsedirectory (const char *dir, dki_t **listp)
{
dki_t *dkp;
DIR *dirp;
struct dirent *dentp;
char path[MAX_PATHSIZE+1];
if ( dirflag )
return 0;
dbg_val ("directory: opendir(%s)\n", dir);
if ( (dirp = opendir (dir)) == NULL )
return 0;
while ( (dentp = readdir (dirp)) != NULL )
{
if ( is_dotfile (dentp->d_name) )
continue;
dbg_val ("directory: check %s\n", dentp->d_name);
pathname (path, sizeof (path), dir, dentp->d_name, NULL);
if ( is_directory (path) && recflag )
{
dbg_val ("directory: recursive %s\n", path);
parsedirectory (path, listp);
}
else if ( is_keyfilename (dentp->d_name) )
if ( (dkp = dki_read (dir, dentp->d_name)) )
{
// fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
#if defined (USE_TREE) && USE_TREE
dki_tadd (listp, dkp);
#else
dki_add (listp, dkp);
#endif
}
}
closedir (dirp);
return 1;
}
static void parsefile (const char *file, dki_t **listp)
{
char path[MAX_PATHSIZE+1];
dki_t *dkp;
/* file arg contains path ? ... */
file = splitpath (path, sizeof (path), file); /* ... then split of */
if ( is_keyfilename (file) ) /* plain file name looks like DNS key file ? */
{
if ( (dkp = dki_read (path, file)) ) /* read DNS key file ... */
#if defined (USE_TREE) && USE_TREE
dki_tadd (listp, dkp); /* ... and add to tree */
#else
dki_add (listp, dkp); /* ... and add to list */
#endif
else
error ("error parsing %s: (%s)\n", file, dki_geterrstr());
}
}
static const char *parsetag (const char *str, int *tagp)
{
const char *p;
*tagp = 0;
while ( isspace (*str) ) /* skip leading ws */
str++;
p = str;
if ( isdigit (*p) ) /* keytag starts with digit */
{
sscanf (p, "%u", tagp); /* read keytag as number */
do /* eat up to the end of the number */
p++;
while ( isdigit (*p) );
if ( *p == ':' ) /* label follows ? */
return p+1; /* return that */
if ( *p == '\0' )
return NULL; /* no label */
}
return str; /* return as label string if not a numeric keytag */
}
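Review bot: the DS propagation wait in ksk_roll() is a leftover test value and makes phase 3 unsafe: `// parent_propagation = 2 * DAYSEC;` is commented out and `parent_propagation = 5 * MINSEC;` is what runs, so `--ksk-roll-phase3` only refuses to proceed for five minutes plus key_ttl after phase 2, after which it renames the old KSK with dki_remove(). If the parent has not yet published the new DS, or the old DS is still cached, validating resolvers lose the chain of trust for the zone. Phase 2 already waits on a configured value (`conf->proptime + key_ttl`); phase 3 should take its wait from the configuration as well (the parent's DS TTL plus its propagation time) instead of a hard-coded constant, and the commented-out line should be removed. Related: phases 2 and 3 pick the new and old KSK by list position (`dkp = keylist->next; /* set dkp to new ksk */` and `dkp = keylist; /* set dkp to old ksk */`) whereas phase 1 looks the old key up with `dki_find (keylist, 1, 'a', 1)`; using dki_find in all three phases would prevent a differently ordered key list (for example after a standby key is activated in phase 1) from renaming the wrong key. The phase 0 status branch also still contains a debugging leftover (`/* TODO: Nur zum testen */`, German for "only for testing") that prints every DNSKEY; either document that output or drop it. Minor: parsetag() reads the tag with `sscanf (p, "%u", tagp)` into an int and never checks that the value fits a 16-bit key tag, and parsedirectory() silently ignores a failing dki_read() where parsefile() reports it with error().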

190
contrib/zkt/domaincmp.c Normal file

@ -0,0 +1,190 @@
/*****************************************************************
**
** @(#) domaincmp.c -- compare two domain names
**
** Copyright (c) Aug 2005, Karle Boss, Holger Zuleger (kaho).
** All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Karle Boss or Holger Zuleger (kaho) nor the
** names of its contributors may be used to endorse or promote products
** derived from this software without specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
# include <stdio.h>
# include <string.h>
# include <assert.h>
# include <ctype.h>
#define extern
# include "domaincmp.h"
#undef extern
#define goto_labelstart(str, p) while ( (p) > (str) && *((p)-1) != '.' ) \
(p)--
/*****************************************************************
** int domaincmp (a, b)
** compare a and b as fqdns.
** return <0 | 0 | >0 as in strcmp
** A subdomain is less than the corresponding parent domain,
** thus domaincmp ("z.example.net", "example.net") return < 0 !!
*****************************************************************/
int domaincmp (const char *a, const char *b)
{
register const char *pa;
register const char *pb;
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
if ( *a == '.' ) /* skip a leading dot */
a++;
if ( *b == '.' ) /* same at the other string */
b++;
/* let pa and pb point to the last non dot char */
pa = a + strlen (a);
do
pa--;
while ( pa > a && *pa == '.' );
pb = b + strlen (b);
do
pb--;
while ( pb > b && *pb == '.' );
/* cmp both domains starting at the end */
while ( *pa == *pb && pa > a && pb > b )
pa--, pb--;
if ( *pa != *pb ) /* both domains are different ? */
{
if ( *pa == '.' )
pa++; /* set to beginning of next label */
else
goto_labelstart (a, pa); /* find begin of current label */
if ( *pb == '.' )
pb++; /* set to beginning of next label */
else
goto_labelstart (b, pb); /* find begin of current label */
}
else /* maybe one of them has a subdomain */
{
if ( pa > a )
if ( pa[-1] == '.' )
return -1;
else
goto_labelstart (a, pa);
else if ( pb > b )
if ( pb[-1] == '.' )
return 1;
else
goto_labelstart (b, pb);
else
return 0; /* both are at the beginning, so they are equal */
}
/* both domains are definitly unequal */
while ( *pa == *pb ) /* so we have to look at the point where they differ */
pa++, pb++;
return *pa - *pb;
}
#ifdef DOMAINCMP_TEST
static struct {
char *a;
char *b;
int res;
} ex[] = {
{ ".", ".", 0 },
{ "test", "", 1 },
{ "", "test2", -1 },
{ "", "", 0 },
{ "de", "de", 0 },
{ ".de", "de", 0 },
{ "de.", "de.", 0 },
{ ".de", ".de", 0 },
{ ".de.", ".de.", 0 },
{ ".de", "zde", -1 },
{ ".de", "ade", 1 },
{ "zde", ".de", 1 },
{ "ade", ".de", -1 },
{ "a.de", ".de", -1 },
{ ".de", "a.de", 1 },
{ "a.de", "b.de", -1 },
{ "a.de.", "b.de", -1 },
{ "a.de", "b.de.", -1 },
{ "a.de", "a.de.", 0 },
{ "aa.de", "b.de", -1 },
{ "ba.de", "b.de", 1 },
{ "a.de", "a.dk", -1 },
{ "anna.example.de", "anna.example.de", 0 },
{ "anna.example.de", "annamirl.example.de", -1 },
{ "anna.example.de", "ann.example.de", 1 },
{ "example.de.", "xy.example.de.", 1 },
{ "example.de.", "ab.example.de.", 1 },
{ "example.de", "ab.example.de", 1 },
{ "ab.example.de", "example.de", -1 },
{ "ab.mast.de", "axt.de", 1 },
{ "ab.mast.de", "obt.de", -1 },
{ "abc.example.de.", "xy.example.de.", -1 },
{ NULL, NULL, 0 }
};
const char *progname;
main (int argc, char *argv[])
{
int expect;
int res;
int c;
int i;
progname = *argv;
for ( i = 0; ex[i].a; i++ )
{
expect = ex[i].res;
if ( expect < 0 )
c = '<';
else if ( expect > 0 )
c = '>';
else
c = '=';
printf ("%-20s %-20s ==> %c 0 ", ex[i].a, ex[i].b, c);
fflush (stdout);
res = domaincmp (ex[i].a, ex[i].b);
printf ("%3d ", res);
if ( res < 0 && expect < 0 || res > 0 && expect > 0 || res == 0 && expect == 0 )
puts ("ok");
else
puts ("not ok");
}
}
#endif
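Review bot: domaincmp() reads before the start of its arguments when either string is empty or consists only of dots: for `a = ""` the `do pa--; while ( pa > a && *pa == '.' );` loop leaves `pa == a - 1`, and the `while ( *pa == *pb && pa > a && pb > b )` comparison then dereferences it. The DOMAINCMP_TEST table exercises exactly this case ({ ".", ".", 0 }, { "test", "", 1 }, { "", "", 0 }), so the "ok" results there depend on whatever byte happens to precede the string literal. Handle the empty case before the backward scan, e.g. `if ( *a == '\0' ) return *b == '\0' ? 0 : -1;` right after the leading-dot skip, and the mirror image for `b`. Two smaller points: the final `return *pa - *pb;` compares raw bytes although DNS names are case-insensitive, and the flat zone.conf in this same commit spells the zone "example.NET." while the directory is "example.net./", so either callers must lowercase or the compare should go through tolower(); and the test `main` has no return type and no `return`, and `res < 0 && expect < 0 || res > 0 && expect > 0 || ...` wants parentheses around the `&&` terms to silence compiler warnings.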

40
contrib/zkt/domaincmp.h Normal file
View file

@ -0,0 +1,40 @@
/*****************************************************************
**
** @(#) domaincmp.h -- compare two domain names
**
** Copyright (c) Aug 2005, Karle Boss (kaho). All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef DOMAINCMP_H
# define DOMAINCMP_H
extern int domaincmp (const char *a, const char *b);
#endif
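Review bot: the licence header here names Karle Boss (kaho) as sole copyright holder and "Holger Zuleger HZnet" in the no-endorsement clause, while domaincmp.c names both Karle Boss and Holger Zuleger as holders and both in the no-endorsement clause; since this is being imported under contrib, make the two headers agree on who holds the copyright before the import.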

View file

@ -0,0 +1,24 @@
;
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
; Last generation time Jun 24 2008 09:58:34
;
; *** List of Key Signing Keys ***
; example.net. tag=31674 algo=RSASHA1 generated Jun 24 2008 09:58:34
example.net. 14400 IN DNSKEY 257 3 5 (
BQEAAAABC23icFZAD3DFBLoEw7DWKl8Hig7azmEbpXHYyAV98l+QQaTA
b98Ob3YbrVJ9IU8E0KBFb5iYpHobxowPsI8FjUH2oL/7PfhtN1E3NlL6
Uhbo8Umf6H0UULEsUTlTT8dnX+ikjAr8bN71YJP7BXlszezsFHuMEspN
dOPyMr93230+R2KTEzC2H4CQzSRIr5xXSIq8kkrJ3miGjTyj5awvXfJ+
eQ==
) ; key id = 31674
; *** List of Zone Signing Keys ***
; example.net. tag=33755 algo=RSASHA1 generated Jun 24 2008 09:58:34
example.net. 14400 IN DNSKEY 256 3 5 (
BQEAAAABzN8pvZb5GSy8AozXt4L8HK/x59TQjh9IaZS+mIyyuHDX2iaF
UigOqHixIJtDLD1r/MfelgJ/Mh6+vCu+XmMQuw==
) ; key id = 33755
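Review bot: this file says "Don't edit this file by hand" and "It will be generated by dnssec-signer", yet it is checked in as a fixed example, and it carries a 14400 second TTL on both DNSKEY records while the dnssec.conf files in this commit set `KEY_TTL:` to 1h or 30m; the first run of dnssec-signer in the example tree will therefore rewrite it and the checkout shows a modified file. Either regenerate it from the shipped config before committing or drop it and let the first run create it.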

View file

@ -0,0 +1,12 @@
#!/bin/sh
#
# Shell script to start the dnssec-signer
# command out of the example directory
#
if test ! -f dnssec.conf
then
echo Please start this skript out of the flat or hierarchical sub directory
exit 1
fi
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
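Review bot: the error message has a typo ("skript" for "script"), and the same message is in the dnssec-zkt wrapper that follows. Quote the substitution, `ZKT_CONFFILE="$(pwd)/dnssec.conf"`, so a working directory containing whitespace does not break the assignment, and send the usage message to stderr (`1>&2`) as dist.sh does.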

View file

@ -0,0 +1,12 @@
#!/bin/sh
#
# Shell script to start the dnssec-zkt command
# out of the example directory
#
if test ! -f dnssec.conf
then
echo Please start this skript out of the flat or hierarchical sub directory
exit 1
fi
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt "$@"

View file

@ -0,0 +1,70 @@
#################################################################
#
# @(#) dist.sh -- distribute and reload command for dnssec-signer
#
# (c) Jul 2008 Holger Zuleger hznet.de
#
# This shell script will be run by dnssec-signer as a distribution
# and reload command if:
#
# a) the dnssec.conf file parameter Distribute_Cmd: points
# to this file
# and
# b) the user running the dnssec-signer command is not
# root (uid==0)
# and
# c) the owner of this shell script is the same as the
# running user and the access rights don't allow writing
# for anyone except the owner
# or
# d) the group of this shell script is the same as the
# running user and the access rights don't allow writing
# for anyone except the group
#
#################################################################
# set path to rndc and scp
PATH="/bin:/usr/bin:/usr/local/sbin"
# remote server and directory
server=localhost # fqdn of remote name server
dir=/var/named # zone directory on remote name server
progname=$0
usage()
{
echo "usage: $progname distribute|reload <domain> <path_to_zonefile> [<viewname>]" 1>&2
test $# -gt 0 && echo $* 1>&2
exit 1
}
if test $# -lt 3
then
usage
fi
action="$1"
domain="$2"
zonefile="$3"
view=""
test $# -gt 3 && view="$4"
case $action in
distribute)
if test -n "$view"
then
echo "scp $zonefile $server:$dir/$view/$domain/"
: scp $zonefile $server:$dir/$view/$domain/
else
echo "scp $zonefile $server:$dir/$domain/"
: scp $zonefile $server:$dir/$domain/
fi
;;
reload)
echo "rndc $action $zone $view"
: rndc $action $zone $view
;;
*)
usage "illegal action $action"
;;
esac
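Review bot: the `reload)` branch uses `$zone`, which is never assigned (the zone name is stored in `$domain`, the third argument in `$zonefile`), so once the `:` no-op prefix is removed the reload runs with an empty zone name. rndc takes the view as the third argument after the class (`rndc reload zone class view`; the intern log later in this commit shows the signer itself issuing `rndc reload example.net. IN intern`), so the line should read `rndc reload "$domain" IN "$view"` when a view is given and `rndc reload "$domain"` otherwise. Quote `$zonefile` and `$server:$dir/$view/$domain/` in the scp lines as well; both come from the caller and a path with whitespace would split. On the header comment: condition b) says the command is only run when the signer is not root, so a root-run signer silently skips distribution and reload; if that is intended, say so explicitly and name the check in the signer that implements c) and d), so a reader can verify the ownership and permission rules instead of trusting the comment.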

View file

@ -0,0 +1,41 @@
#
# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
#
# dnssec-zkt options
Zonedir: "."
Recursive: True
PrintTime: False
PrintAge: True
LeftJustify: False
# zone specific values
ResignInterval: 2d # (172800 seconds)
Sigvalidity: 6d # (518400 seconds)
Max_TTL: 8h # (28800 seconds)
Propagation: 5m # (300 seconds)
KEY_TTL: 1h # (3600 seconds)
Serialformat: incremental
# signing key parameters
KSK_lifetime: 60d # (5184000 seconds)
KSK_algo: RSASHA1 # (Algorithm ID 5)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 2w # (1209600 seconds)
ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
# dnssec-signer options
LogFile: "zkt.log"
LogLevel: debug
SyslogFacility: USER
SyslogLevel: notice
VerboseLog: 2
Keyfile: "dnskey.db"
Zonefile: "zone.db"
KeySetDir: "../keysets"
DLV_Domain: ""
Sig_Pseudorand: True
Distribute_Cmd: "./dist.sh"
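Review bot: `ZSK_bits: 512` ships a key size that is known to be factorable (512-bit RSA moduli were factored publicly in 1999); for an example that users will copy into production use at least 1024 bits for the ZSK and a conventional KSK size (1024 or 2048) rather than 1300. The same 512/1300 pair appears in the hierarchical and both view dnssec.conf files in this commit. Two smaller points: `Sig_Pseudorand: True` becomes the `-p` flag on the dnssec-signzone command line shown in the logs, which is fine for a test tree but should be commented as test-only here; and this file writes unquoted `LogLevel: debug` / `SyslogFacility: USER` while the hierarchical file quotes the same values, so pick one form so the example shows the canonical syntax.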

View file

@ -0,0 +1,2 @@
sub.example.net.dlv.trusted-keys.de. IN DLV 54876 5 1 CAB6127E303A8A8D7D5A29AE05DB60F4C5060B10
sub.example.net.dlv.trusted-keys.de. IN DLV 54876 5 2 7C8CAF1844479F3600213173BB5D1E2A44143D63B6E0B3E10D8C5310 ADF84D30
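Review bot: `DLV_Domain:` is empty in every dnssec.conf in this commit, so nothing in the example tree regenerates this dlvset file and it goes stale on the first KSK rollover; either set `DLV_Domain: "dlv.trusted-keys.de."` in the matching example config, or drop the file.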

View file

@ -0,0 +1,2 @@
dyn.example.net. IN DS 42138 3 1 0F49FCDB683D1903F69B6779DB55CA3472974879
dyn.example.net. IN DS 42138 3 2 94AC94BFE3AFA17F7485F5F741274074FF2E26A360D776D8884F2689 CCED34C6

View file

@ -0,0 +1,4 @@
example.net. IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F
example.net. IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F
example.net. IN DS 41151 5 1 BBB692EA07571E412F9385A618C1CAD9BFC1469A
example.net. IN DS 41151 5 2 4D22B44C3DC09BD9EEADFFB917EFCE8E45F22E89FF0C096CD14F4405 CA1CAE3F

View file

@ -0,0 +1,2 @@
sub.example.net. IN DS 54876 5 1 CAB6127E303A8A8D7D5A29AE05DB60F4C5060B10
sub.example.net. IN DS 54876 5 2 7C8CAF1844479F3600213173BB5D1E2A44143D63B6E0B3E10D8C5310 ADF84D30

View file

@ -0,0 +1,18 @@
$ORIGIN .
dyn.example.net 7200 IN DNSKEY 257 3 3 (
CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V
NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K
S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s
m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA
EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI
r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i
4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v
RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb
BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA
olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u
ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO
6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT
dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5
ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
) ; key id = 42138

View file

@ -0,0 +1,19 @@
$ORIGIN .
example.net 7200 IN DNSKEY 257 3 5 (
BQEAAAABDAnSCbSyScZdP2M6OQTbTGvZRD5a
vmDYgAwXv0EsnNautYn7kzDGwY3oVTXWDTdI
I+syK0pt0unjUn2ActoXtyFzIk61VRKDroAN
M9/WO0PO/y50vNIGMJUL1TiMR6jCp23eSxQ3
9/1A+BeiU+fMjoJK0/Yc7hbMHWwD8myU0IEX
8R2iVUTXNPNbmUV2M836Eu5SRLIVTc7P4vjK
T1YYVnoQqw==
) ; key id = 41151
7200 IN DNSKEY 257 3 5 (
BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
+B9rLlBU8w==
) ; key id = 1764

View file

@ -0,0 +1,8 @@
$ORIGIN .
sub.example.net 7200 IN DNSKEY 257 3 5 (
AQOjGNN0/hLA20+W2qo0sktVActYKf1Opnx+
bmkWSrsmJHMBHlT8hL507pGTmDoyH0Ae9+3M
ZSTBL1S+HhA12B0htiTp8IbtN/gZOBbwD36c
BpPe72uDQoUy/TdSn1HLtoqUSMTB+saqCTZW
CfIEqcbHRn0T6PhgqLyCvLzbZ/avYw==
) ; key id = 54876

View file

@ -0,0 +1,99 @@
/*****************************************************************
**
** #(@) named.conf (c) 6. May 2004 (hoz)
**
*****************************************************************/
/*****************************************************************
** logging options
*****************************************************************/
logging {
channel "named-log" {
file "/var/log/named" versions 3 size 2m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel "resolver-log" {
file "/var/log/named";
print-time yes;
print-category yes;
print-severity yes;
severity debug 1;
};
channel "dnssec-log" {
# file "/var/log/named-dnssec" ;
file "/var/log/named" ;
print-time yes;
print-category yes;
print-severity yes;
severity debug 3;
};
category "dnssec" { "dnssec-log"; };
category "default" { "named-log"; };
category "resolver" { "resolver-log"; };
category "client" { "resolver-log"; };
category "queries" { "resolver-log"; };
};
/*****************************************************************
** name server options
*****************************************************************/
options {
directory ".";
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
listen-on-v6 { any; };
query-source address * port 53;
transfer-source * port 53;
notify-source * port 53;
recursion yes;
dnssec-enable yes;
edns-udp-size 4096;
# dnssec-lookaside "." trust-anchor "trusted-keys.de.";
querylog yes;
};
/*****************************************************************
** include shared secrets...
*****************************************************************/
/** for control sessions ... **/
controls {
inet 127.0.0.1
allow { localhost; };
inet ::1
allow { localhost; };
};
/*****************************************************************
** ... and trusted_keys
*****************************************************************/
# include "trusted-keys.conf" ;
/*****************************************************************
** root server hints and required 127 stuff
*****************************************************************/
zone "." in {
type hint;
file "root.hint";
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.ARPA" in {
type master;
file "127.0.0.zone";
};
include "zone.conf";
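Review bot: `query-source address * port 53;` (and the transfer-source and notify-source lines) pin the outgoing port, which disables source port randomisation for the recursive queries this config permits with `recursion yes;`; drop the `port 53` clauses, or better, make the signing example authoritative-only with `recursion no;`. With `# include "trusted-keys.conf" ;` commented out and no `dnssec-validation` statement the server does not validate either, so `dnssec-enable yes;` here only serves signed data. The `controls` statements have no `keys` clause, so the control channel only works if named can fall back to an rndc.key in its configuration directory; make that dependency explicit in the comment, or add `include "rndc.key";` with `keys { "rndc-key"; };` as the hierarchical named.conf does. Finally, all three logging channels open the same /var/log/named with different severities and only the first has `versions 3 size 2m`; one channel per file keeps the rotation settings unambiguous.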

File diff suppressed because it is too large

View file

@ -0,0 +1,10 @@
zone "example.NET." in {
type master;
file "example.net./zone.db.signed";
};
zone "sub.example.NET." in {
type master;
file "sub.example.net./zone.db.signed";
};
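Review bot: the zone names are spelled "example.NET." and "sub.example.NET." while the file paths here and the directory layout elsewhere in this commit are lowercase ("example.net./zone.db.signed"); named treats the names case-insensitively, but domaincmp() in this commit compares raw bytes and the reload command the signer issues in the logs uses lowercase (`rndc reload example.net. IN intern`). Use lowercase here as the hierarchical zone.conf does.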

View file

@ -0,0 +1,40 @@
#
# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
#
# dnssec-zkt options
Zonedir: "."
Recursive: True
PrintTime: False
PrintAge: True
LeftJustify: False
# zone specific values
ResignInterval: 1w # (604800 seconds)
Sigvalidity: 10d # (864000 seconds)
Max_TTL: 6h # (21600 seconds)
Propagation: 5m # (300 seconds)
KEY_TTL: 1h # (3600 seconds)
Serialformat: incremental
# signing key parameters
KSK_lifetime: 20d # (1728000 seconds)
KSK_algo: RSASHA1 # (Algorithm ID 5)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 4w # (2419200 seconds)
ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
# dnssec-signer options
LogFile: "log"
LogLevel: "info"
SyslogFacility: "user"
SyslogLevel: "notice"
Keyfile: "dnskey.db"
Zonefile: "zone.db"
KeySetDir: ".."
DLV_Domain: ""
Sig_Pseudorand: True
Sig_Parameter: "-j 1800"
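Review bot: `Sig_Parameter: "-j 1800"` is spliced verbatim into the dnssec-signzone command line, which the logs in this commit show being run as a shell command string (`Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o ..."`), so anything in this value reaches the shell unescaped. That is acceptable while dnssec.conf is treated as trusted as code, but the example should say so, and the signer should at minimum reject shell metacharacters in Sig_Parameter (or pass arguments through execv rather than a shell) given that the `Distribute_Cmd:` path gets an ownership and permission check while this value gets none.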

View file

@ -0,0 +1,102 @@
/*****************************************************************
**
** #(@) named.conf (c) 6. May 2004 (hoz)
**
*****************************************************************/
/*****************************************************************
** logging options
*****************************************************************/
logging {
channel "named-log" {
file "/var/log/named" versions 3 size 2m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel "resolver-log" {
file "/var/log/named";
print-time yes;
print-category yes;
print-severity yes;
severity debug 1;
};
channel "dnssec-log" {
# file "/var/log/named-dnssec" ;
file "/var/log/named" ;
print-time yes;
print-category yes;
print-severity yes;
severity debug 3;
};
category "dnssec" { "dnssec-log"; };
category "default" { "named-log"; };
category "resolver" { "resolver-log"; };
category "client" { "resolver-log"; };
category "queries" { "resolver-log"; };
};
/*****************************************************************
** name server options
*****************************************************************/
options {
directory ".";
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
listen-on-v6 { any; };
query-source address * port 53;
transfer-source * port 53;
notify-source * port 53;
recursion yes;
dnssec-enable yes;
edns-udp-size 4096;
# dnssec-lookaside "." trust-anchor "trusted-keys.de.";
querylog yes;
};
/*****************************************************************
** include shared secrets...
*****************************************************************/
/** for control sessions ... **/
# include "rndc.key";
controls {
inet 127.0.0.1
allow { localhost; }
keys { "rndc-key"; };
inet ::1
allow { localhost; }
keys { "rndc-key"; };
};
/*****************************************************************
** ... and trusted_keys
*****************************************************************/
# include "trusted-keys.conf" ;
/*****************************************************************
** root server hints and required 127 stuff
*****************************************************************/
zone "." in {
type hint;
file "root.hint";
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
include "zone.conf";
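Review bot: `keys { "rndc-key"; };` references a key that is never defined, because the `# include "rndc.key";` line is commented out; the control channel cannot come up with an undefined key, so rndc, and with it the reload the signer issues, will fail. Either uncomment the include (and say how to create rndc.key with `rndc-confgen -a`) or drop the keys clauses as the flat named.conf does. The `query-source ... port 53;` and `recursion yes;` points raised on the flat named.conf apply here unchanged.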

View file

@ -0,0 +1,10 @@
zone "example.de." in {
type master;
file "de./example.de./zone.db.signed";
};
zone "sub.example.de." in {
type master;
file "de./example.de./sub.example.de./zone.db.signed";
};

View file

@ -0,0 +1,39 @@
#
# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
#
# dnssec-zkt options
Zonedir: "extern"
Recursive: True
PrintTime: False
PrintAge: True
LeftJustify: False
# zone specific values
ResignInterval: 1w # (604800 seconds)
Sigvalidity: 10d # (864000 seconds)
Max_TTL: 8h # (28800 seconds)
Propagation: 5m # (300 seconds)
KEY_TTL: 1h # (3600 seconds)
Serialformat: unixtime
# signing key parameters
KSK_lifetime: 1y # (31536000 seconds)
KSK_algo: RSASHA1 # (Algorithm ID 5)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 30d # (2592000 seconds)
ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
# dnssec-signer options
LogFile: "zkt-ext.log"
LogLevel: "debug"
SyslogFacility: "none"
SyslogLevel: "notice"
VerboseLog: 2
Keyfile: "dnskey.db"
Zonefile: "zone.db"
DLV_Domain: ""
Sig_Pseudorand: True

View file

@ -0,0 +1,39 @@
#
# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
#
# dnssec-zkt options
Zonedir: "intern"
Recursive: True
PrintTime: False
PrintAge: True
LeftJustify: False
# zone specific values
ResignInterval: 5h # (18000 seconds)
Sigvalidity: 1d # (86400 seconds)
Max_TTL: 30m # (1800 seconds)
Propagation: 1m # (60 seconds)
KEY_TTL: 30m # (1800 seconds)
Serialformat: unixtime
# signing key parameters
KSK_lifetime: 1y # (31536000 seconds)
KSK_algo: RSASHA1 # (Algorithm ID 5)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 30d # (2592000 seconds)
ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
# dnssec-signer options
LogFile: "zkt-int.log"
LogLevel: "debug"
SyslogFacility: "none"
SyslogLevel: "notice"
VerboseLog: 2
Keyfile: "dnskey.db"
Zonefile: "zone.db"
DLV_Domain: ""
Sig_Pseudorand: True

View file

@ -0,0 +1,7 @@
#!/bin/sh
#
# Shell script to start the dnssec-signer
# command out of the view directory
#
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V extern "$@"
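Review bot: the four view wrappers (this one, its intern counterpart and the two dnssec-zkt ones) drop the `test -f dnssec.conf` guard the flat and hierarchical wrappers have, so running one from the wrong directory hands the signer a ZKT_CONFFILE that does not exist; copy the guard, and quote the path as `ZKT_CONFFILE="$(pwd)/dnssec.conf"`.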

View file

@ -0,0 +1,7 @@
#!/bin/sh
#
# Shell script to start the dnssec-signer
# command out of the view directory
#
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V intern "$@"

View file

@ -0,0 +1,7 @@
#!/bin/sh
#
# Shell script to start the dnssec-zkt command
# out of the view directory
#
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view extern "$@"

View file

@ -0,0 +1,7 @@
#!/bin/sh
#
# Shell script to start the dnssec-zkt command
# out of the view directory
#
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view intern "$@"

View file

@ -0,0 +1,28 @@
2008-06-12 17:59:04.194: notice: running as ../../dnssec-signer -V extern -v -v
2008-06-12 17:59:04.195: debug: parsing zone "example.net." in dir "extern/example.net."
2008-06-12 17:59:04.196: debug: Check RFC5011 status
2008-06-12 17:59:04.196: debug: ->ksk5011status returns 0
2008-06-12 17:59:04.196: debug: Check ksk status
2008-06-12 17:59:04.196: debug: Re-signing not necessary!
2008-06-12 17:59:04.196: notice: end of run: 0 errors occured
2008-06-12 17:59:17.435: notice: running as ../../dnssec-signer -V extern -v -v
2008-06-12 17:59:17.436: debug: parsing zone "example.net." in dir "extern/example.net."
2008-06-12 17:59:17.436: debug: Check RFC5011 status
2008-06-12 17:59:17.436: debug: ->ksk5011status returns 0
2008-06-12 17:59:17.436: debug: Check ksk status
2008-06-12 17:59:17.436: debug: Re-signing not necessary!
2008-06-12 17:59:17.436: notice: end of run: 0 errors occured
2008-06-12 18:00:07.818: notice: running as ../../dnssec-signer -V extern -v -v
2008-06-12 18:00:07.819: debug: parsing zone "example.net." in dir "extern/example.net."
2008-06-12 18:00:07.819: debug: Check RFC5011 status
2008-06-12 18:00:07.819: debug: ->ksk5011status returns 0
2008-06-12 18:00:07.819: debug: Check ksk status
2008-06-12 18:00:07.819: debug: Re-signing not necessary!
2008-06-12 18:00:07.819: notice: end of run: 0 errors occured
2008-06-12 18:00:39.019: notice: running as ../../dnssec-signer -V extern -v -v
2008-06-12 18:00:39.020: debug: parsing zone "example.net." in dir "extern/example.net."
2008-06-12 18:00:39.020: debug: Check RFC5011 status
2008-06-12 18:00:39.020: debug: ->ksk5011status returns 0
2008-06-12 18:00:39.020: debug: Check ksk status
2008-06-12 18:00:39.020: debug: Re-signing not necessary!
2008-06-12 18:00:39.020: notice: end of run: 0 errors occured
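Review bot: this and the intern log that follows are run logs from June 2008 committed under the example tree; the `LogFile:` settings in the view configs append to them on every example run, so they will show up as modified files after each test. Generate them, or exclude them from the import. They also surface three things to fix in the signer rather than in the logs: the "reload triggered" message in the intern log comes out double-quoted (`""example.net." in view "intern"": reload triggered`) because the zone name is quoted once by the caller and once by the format string; "errors occured" should read "occurred"; and every intern run reports the ZSK 5972 lifetime exceeded by some 25 weeks with "ZSK rollover deferred: waiting for pre-publish key", which means the example keys ship in a stuck rollover state and a reader following the example will see that warning from the first run.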

View file

@ -0,0 +1,169 @@
2008-06-12 18:02:13.593: notice: running as ../../dnssec-signer -V intern -v -v
2008-06-12 18:02:13.594: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:02:13.594: debug: Check RFC5011 status
2008-06-12 18:02:13.595: debug: ->ksk5011status returns 0
2008-06-12 18:02:13.595: debug: Check ksk status
2008-06-12 18:02:13.595: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727466 sec)
2008-06-12 18:02:13.595: debug: ->waiting for pre-publish key
2008-06-12 18:02:13.595: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h17m46s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:02:13.595: debug: Re-signing necessary: Modified keys
2008-06-12 18:02:13.595: notice: "example.net.": re-signing triggered: Modified keys
2008-06-12 18:02:13.595: debug: Writing key file "intern/example.net./dnskey.db"
2008-06-12 18:02:13.596: debug: Signing zone "example.net."
2008-06-12 18:02:13.596: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
2008-06-12 18:02:13.705: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-06-12 18:02:13.705: debug: Signing completed after 0s.
2008-06-12 18:02:13.705: debug:
2008-06-12 18:02:13.705: notice: end of run: 0 errors occured
2008-06-12 18:03:13.208: notice: running as ../../dnssec-signer -V intern -r -v -v
2008-06-12 18:03:13.209: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:03:13.209: debug: Check RFC5011 status
2008-06-12 18:03:13.209: debug: ->ksk5011status returns 0
2008-06-12 18:03:13.209: debug: Check ksk status
2008-06-12 18:03:13.209: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727526 sec)
2008-06-12 18:03:13.209: debug: ->waiting for pre-publish key
2008-06-12 18:03:13.209: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m46s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:03:13.209: debug: Re-signing not necessary!
2008-06-12 18:03:13.209: notice: end of run: 0 errors occured
2008-06-12 18:03:19.287: notice: running as ../../dnssec-signer -V intern -r -v -v
2008-06-12 18:03:19.288: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:03:19.288: debug: Check RFC5011 status
2008-06-12 18:03:19.289: debug: ->ksk5011status returns 0
2008-06-12 18:03:19.289: debug: Check ksk status
2008-06-12 18:03:19.289: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727532 sec)
2008-06-12 18:03:19.289: debug: ->waiting for pre-publish key
2008-06-12 18:03:19.289: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m52s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:03:19.289: debug: Re-signing not necessary!
2008-06-12 18:03:19.289: notice: end of run: 0 errors occured
2008-06-12 18:03:23.617: notice: running as ../../dnssec-signer -V intern -f -r -v -v
2008-06-12 18:03:23.618: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:03:23.618: debug: Check RFC5011 status
2008-06-12 18:03:23.618: debug: ->ksk5011status returns 0
2008-06-12 18:03:23.618: debug: Check ksk status
2008-06-12 18:03:23.618: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727536 sec)
2008-06-12 18:03:23.618: debug: ->waiting for pre-publish key
2008-06-12 18:03:23.618: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m56s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:03:23.618: debug: Re-signing necessary: Option -f
2008-06-12 18:03:23.618: notice: "example.net.": re-signing triggered: Option -f
2008-06-12 18:03:23.618: debug: Writing key file "intern/example.net./dnskey.db"
2008-06-12 18:03:23.619: debug: Signing zone "example.net."
2008-06-12 18:03:23.619: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
2008-06-12 18:03:23.719: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-06-12 18:03:23.719: debug: Signing completed after 0s.
2008-06-12 18:03:23.720: notice: ""example.net." in view "intern"": reload triggered
2008-06-12 18:03:23.772: debug:
2008-06-12 18:03:23.772: notice: end of run: 0 errors occured
2008-06-12 18:05:39.532: notice: running as ../../dnssec-signer -V intern -f -r -v -v
2008-06-12 18:05:39.533: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:05:39.533: debug: Check RFC5011 status
2008-06-12 18:05:39.533: debug: ->ksk5011status returns 0
2008-06-12 18:05:39.533: debug: Check ksk status
2008-06-12 18:05:39.533: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727672 sec)
2008-06-12 18:05:39.533: debug: ->waiting for pre-publish key
2008-06-12 18:05:39.533: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h21m12s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:05:39.533: debug: Re-signing necessary: Option -f
2008-06-12 18:05:39.533: notice: "example.net.": re-signing triggered: Option -f
2008-06-12 18:05:39.533: debug: Writing key file "intern/example.net./dnskey.db"
2008-06-12 18:05:39.534: debug: Signing zone "example.net."
2008-06-12 18:05:39.534: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
2008-06-12 18:05:39.629: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-06-12 18:05:39.630: debug: Signing completed after 0s.
2008-06-12 18:05:39.630: notice: ""example.net."": reload triggered
2008-06-12 18:05:39.640: debug:
2008-06-12 18:05:39.640: notice: end of run: 0 errors occured
2008-06-12 18:07:47.753: notice: running as ../../dnssec-signer -V intern -f -r -v -v
2008-06-12 18:07:47.754: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:07:47.754: debug: Check RFC5011 status
2008-06-12 18:07:47.754: debug: ->ksk5011status returns 0
2008-06-12 18:07:47.754: debug: Check ksk status
2008-06-12 18:07:47.754: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727800 sec)
2008-06-12 18:07:47.754: debug: ->waiting for pre-publish key
2008-06-12 18:07:47.754: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h23m20s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:07:47.754: debug: Re-signing necessary: Option -f
2008-06-12 18:07:47.754: notice: "example.net.": re-signing triggered: Option -f
2008-06-12 18:07:47.754: debug: Writing key file "intern/example.net./dnskey.db"
2008-06-12 18:07:47.754: debug: Signing zone "example.net."
2008-06-12 18:07:47.754: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
2008-06-12 18:07:47.856: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-06-12 18:07:47.856: debug: Signing completed after 0s.
2008-06-12 18:07:47.856: notice: ""example.net."": reload triggered
2008-06-12 18:07:47.866: debug:
2008-06-12 18:07:47.867: notice: end of run: 0 errors occured
2008-06-12 18:10:57.978: notice: running as ../../dnssec-signer -V intern -f -r -v -v
2008-06-12 18:10:57.978: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:10:57.978: debug: Check RFC5011 status
2008-06-12 18:10:57.978: debug: ->ksk5011status returns 0
2008-06-12 18:10:57.978: debug: Check ksk status
2008-06-12 18:10:57.978: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727990 sec)
2008-06-12 18:10:57.978: debug: ->waiting for pre-publish key
2008-06-12 18:10:57.978: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h26m30s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:10:57.978: debug: Re-signing necessary: Option -f
2008-06-12 18:10:57.978: notice: "example.net.": re-signing triggered: Option -f
2008-06-12 18:10:57.978: debug: Writing key file "intern/example.net./dnskey.db"
2008-06-12 18:10:57.979: debug: Signing zone "example.net."
2008-06-12 18:10:57.979: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
2008-06-12 18:10:58.081: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-06-12 18:10:58.081: debug: Signing completed after 1s.
2008-06-12 18:10:58.081: notice: ""example.net." in view "intern"": reload triggered
2008-06-12 18:10:58.093: debug:
2008-06-12 18:10:58.093: notice: end of run: 0 errors occured
2008-06-12 18:13:29.511: notice: running as ../../dnssec-signer -V intern -f -r -v -v
2008-06-12 18:13:29.512: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:13:29.512: debug: Check RFC5011 status
2008-06-12 18:13:29.512: debug: ->ksk5011status returns 0
2008-06-12 18:13:29.512: debug: Check ksk status
2008-06-12 18:13:29.512: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728142 sec)
2008-06-12 18:13:29.512: debug: ->waiting for pre-publish key
2008-06-12 18:13:29.512: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m2s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:13:29.512: debug: Re-signing necessary: Option -f
2008-06-12 18:13:29.512: notice: "example.net.": re-signing triggered: Option -f
2008-06-12 18:13:29.512: debug: Writing key file "intern/example.net./dnskey.db"
2008-06-12 18:13:29.513: debug: Signing zone "example.net."
2008-06-12 18:13:29.513: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
2008-06-12 18:13:29.612: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-06-12 18:13:29.612: debug: Signing completed after 0s.
2008-06-12 18:13:29.612: notice: ""example.net." in view "intern"": reload triggered
2008-06-12 18:13:29.612: debug: Reload zone "example.net." in view "intern"
2008-06-12 18:13:29.612: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
2008-06-12 18:13:29.623: debug:
2008-06-12 18:13:29.623: notice: end of run: 0 errors occured
2008-06-12 18:13:38.707: notice: running as ../../dnssec-signer -V intern -f -r -v
2008-06-12 18:13:38.708: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:13:38.709: debug: Check RFC5011 status
2008-06-12 18:13:38.709: debug: ->ksk5011status returns 0
2008-06-12 18:13:38.709: debug: Check ksk status
2008-06-12 18:13:38.709: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728151 sec)
2008-06-12 18:13:38.709: debug: ->waiting for pre-publish key
2008-06-12 18:13:38.709: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m11s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:13:38.709: debug: Re-signing necessary: Option -f
2008-06-12 18:13:38.709: notice: "example.net.": re-signing triggered: Option -f
2008-06-12 18:13:38.709: debug: Writing key file "intern/example.net./dnskey.db"
2008-06-12 18:13:38.710: debug: Signing zone "example.net."
2008-06-12 18:13:38.710: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
2008-06-12 18:13:39.163: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-06-12 18:13:39.163: debug: Signing completed after 1s.
2008-06-12 18:13:39.163: notice: ""example.net." in view "intern"": reload triggered
2008-06-12 18:13:39.163: debug: Reload zone "example.net." in view "intern"
2008-06-12 18:13:39.163: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
2008-06-12 18:13:39.174: debug:
2008-06-12 18:13:39.174: notice: end of run: 0 errors occured
2008-06-12 18:13:43.163: notice: running as ../../dnssec-signer -V intern -f -r -v -v
2008-06-12 18:13:43.164: debug: parsing zone "example.net." in dir "intern/example.net."
2008-06-12 18:13:43.164: debug: Check RFC5011 status
2008-06-12 18:13:43.164: debug: ->ksk5011status returns 0
2008-06-12 18:13:43.164: debug: Check ksk status
2008-06-12 18:13:43.164: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728156 sec)
2008-06-12 18:13:43.164: debug: ->waiting for pre-publish key
2008-06-12 18:13:43.164: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m16s: ZSK rollover deferred: waiting for pre-publish key
2008-06-12 18:13:43.164: debug: Re-signing necessary: Option -f
2008-06-12 18:13:43.164: notice: "example.net.": re-signing triggered: Option -f
2008-06-12 18:13:43.164: debug: Writing key file "intern/example.net./dnskey.db"
2008-06-12 18:13:43.164: debug: Signing zone "example.net."
2008-06-12 18:13:43.164: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
2008-06-12 18:13:43.262: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-06-12 18:13:43.262: debug: Signing completed after 0s.
2008-06-12 18:13:43.262: notice: ""example.net." in view "intern"": reload triggered
2008-06-12 18:13:43.262: debug: Reload zone "example.net." in view "intern"
2008-06-12 18:13:43.262: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
2008-06-12 18:13:43.273: debug:
2008-06-12 18:13:43.273: notice: end of run: 0 errors occured
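Review bot: this example log documents a stuck rollover rather than a healthy one: every run reports `Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727990 sec)` and then `ZSK rollover deferred: waiting for pre-publish key`, i.e. the active ZSK is more than 25 weeks past its lifetime and no successor key exists for the signer to roll to. Either capture a run in which the published successor key is present, or add a comment at the top of the example stating that this is the deferred-rollover case so readers do not copy it as the expected steady state. Two smaller points: `end of run: 0 errors occured` is misspelled (should be "occurred") and the string comes from the signer, so fix it in the source rather than in this capture; and the bare `debug:` lines emitted just before each `end of run` look like a message logged with an empty format string and could be dropped from the signer.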


@ -0,0 +1,97 @@
/*****************************************************************
**
** #(@) named.conf (c) 6. May 2004 (hoz)
*****************************************************************/
/*****************************************************************
** logging options
*****************************************************************/
logging {
channel "named-log" {
file "named.log";
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
category "dnssec" { "named-log"; };
category "edns-disabled" { "named-log"; };
category "default" { "named-log"; };
};
/*****************************************************************
** name server options
*****************************************************************/
options {
directory ".";
pid-file "named.pid";
listen-on-v6 port 1053 { any; };
listen-on port 1053 { any; };
empty-zones-enable no;
port 1053;
query-source address * port 1053;
query-source-v6 address * port 1053;
transfer-source * port 53;
transfer-source-v6 * port 53;
use-alt-transfer-source no;
notify-source * port 53;
notify-source-v6 * port 53;
recursion yes;
dnssec-enable yes;
dnssec-validation yes; /* required by BIND 9.4.0 */
dnssec-accept-expired false; /* added since BIND 9.5.0 */
edns-udp-size 1460; /* (M4) */
max-udp-size 1460; /* (M5) */
# allow-query { localhost; }; /* default in 9.4.0 */
# allow-query-cache { localhost; }; /* default in 9.4.0 */
dnssec-must-be-secure "." no;
querylog yes;
stats-server 127.0.0.1 port 8881; /* added since BIND 9.5.0 */
};
/*****************************************************************
** view intern
*****************************************************************/
view "intern" {
match-clients { 127.0.0.1; ::1; };
recursion yes;
zone "." in {
type hint;
file "root.hint";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
zone "example.net" in {
type master;
file "intern/example.net./zone.db.signed";
};
};
/*****************************************************************
** view extern
*****************************************************************/
view "extern" {
match-clients { any; };
recursion no;
zone "." in {
type hint;
file "root.hint";
};
zone "example.net" in {
type master;
file "extern/example.net./zone.db.signed";
};
};
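Review bot: `query-source address * port 1053;` and `query-source-v6 address * port 1053;` pin the outgoing query port for a server that recurses (`recursion yes;` both globally and in view "intern"), which removes source-port randomisation, the main defence against cache poisoning of a recursive resolver; drop the `port` clause from both statements so named chooses random ports (the listening port is already set by `port 1053;` and the `listen-on` statements). Also, `dnssec-validation yes;` is set but no `trusted-keys` or managed trust anchor appears anywhere in this file, so as written validation cannot validate anything; add an anchor for the example zone or comment that it is intentionally omitted. The commented-out `allow-query` lines under `# ...` would be clearer as explicit per-view ACLs, since "extern" already relies on `recursion no;` plus `match-clients { any; };` to limit exposure.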


@ -0,0 +1,17 @@
20-Nov-2007 17:12:58.092 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
20-Nov-2007 17:12:58.092 general: critical: exiting (due to early fatal error)
20-Nov-2007 17:20:24.941 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
20-Nov-2007 17:20:24.941 general: critical: exiting (due to early fatal error)
20-Nov-2007 17:28:22.686 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
20-Nov-2007 17:28:22.686 general: critical: exiting (due to early fatal error)
20-Nov-2007 17:40:12.389 general: error: zone 0.0.127.in-addr.arpa/IN/intern: loading from master file 127.0.0.zone failed: file not found
20-Nov-2007 17:40:12.391 general: info: zone example.net/IN/intern: loaded serial 1195574789 (signed)
20-Nov-2007 17:40:12.393 general: info: zone example.net/IN/extern: loaded serial 1195561217 (signed)
20-Nov-2007 17:40:12.393 general: notice: running
20-Nov-2007 17:40:12.393 notify: info: zone example.net/IN/intern: sending notifies (serial 1195574789)
20-Nov-2007 17:40:12.394 notify: info: zone example.net/IN/extern: sending notifies (serial 1195561217)
20-Nov-2007 19:07:04.016 general: info: shutting down
20-Nov-2007 19:07:04.017 network: info: no longer listening on ::#1053
20-Nov-2007 19:07:04.017 network: info: no longer listening on 127.0.0.1#1053
20-Nov-2007 19:07:04.017 network: info: no longer listening on 145.253.100.51#1053
20-Nov-2007 19:07:04.020 general: notice: exiting
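Review bot: the captured log shows `zone 0.0.127.in-addr.arpa/IN/intern: loading from master file 127.0.0.zone failed: file not found`, so the example named.conf references a zone file that was not present when this capture was taken; either add `127.0.0.zone` to the example directory or remove that zone from the "intern" view so the example starts without an error. The three `couldn't open pid file '/var/run/named.pid': Permission denied` startup failures are unrelated to the config as shipped (which sets `pid-file "named.pid";`) and could be trimmed from the example log. Finally, `no longer listening on 145.253.100.51#1053` records a real public address of the capture machine; an example log should not leak that, so replace it with a documentation address or drop the line.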


@ -0,0 +1,45 @@
; <<>> DiG 9.5.0a6 <<>> ns . @a.root-servers.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33355
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
;; Query time: 114 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Nov 5 07:28:00 2007
;; MSG SIZE rcvd: 436
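Review bot: this root hints file is a raw dig capture dated `Mon Nov 5 07:28:00 2007` and lists only A records for the root servers; root hints are a bootstrap list that goes stale, so refresh it before each release (or document that named only uses it to prime and then fetches the current root NS set), and consider a capture that also contains the root servers' AAAA records where available so an IPv6-only resolver can prime. The `;; WARNING: recursion requested but not available` line and the other `;;` status lines are harmless comments to named but make the file read like a failed query; regenerate it with `dig +norecurse` or strip the `;;` lines.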


@ -0,0 +1,20 @@
ZKT_CONFFILE=dnssec.conf
export ZKT_CONFFILE
if true
then
echo "All internal keys:"
./dnssec-zkt-intern
echo
echo "All external keys:"
./dnssec-zkt-extern
echo
fi
echo "Sign both views"
./dnssec-signer-intern -v -v -f -r
echo
./dnssec-signer-extern -v -v
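Review bot: the script has no `#!/bin/sh` line (the hunk starts at `ZKT_CONFFILE=dnssec.conf`) and no `set -e`, so a failing `./dnssec-signer-intern -v -v -f -r` does not stop the subsequent `./dnssec-signer-extern -v -v` run; add both. The `if true ... fi` block around the key listings is a debugging leftover; either remove it or turn it into a real switch. All commands are resolved relative to the current directory (`./dnssec-zkt-intern`, `./dnssec-signer-intern`), so the script only works when started from the example directory; a `cd "$(dirname "$0")"` at the top, or a comment stating the requirement, would help. Also, the intern signer is called with `-f -r` (force re-sign and reload) while the extern signer is not; if that asymmetry is intentional, say so in a comment, otherwise align the two.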


@ -0,0 +1,45 @@
;-----------------------------------------------------------------
;
; @(#) example.net/zone.db
;
;-----------------------------------------------------------------
$TTL 7200
; Be sure that the serial number below is left
; justified in a field of at least 10 chars!!
; 0123456789;
; It's also possible to use the date form e.g. 2005040101
@ IN SOA ns1.example.net. hostmaster.example.net. (
263 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
7200 ) ; Minimum
IN NS ns1.example.net.
IN NS ns2.example.net.
ns1 IN A 1.0.0.5
IN AAAA 2001:db8::53
ns2 IN A 1.2.0.6
localhost IN A 127.0.0.1
a IN A 1.2.3.1
b IN MX 10 a
;c IN A 1.2.3.2
d IN A 1.2.3.3
IN AAAA 2001:0db8::3
; Delegation to secure zone; The DS resource record will
; be added by dnssec-signzone automatically if the
; keyset-sub.example.net file is present (run dnssec-signzone
; with option -g or use the dnssec-signer tool) ;-)
sub IN NS ns1.example.net.
sub IN DS 54876 5 1 CAB6127E303A8A8D7D5A29AE05DB60F4C5060B10
sub IN DS 54876 5 2 7C8CAF1844479F3600213173BB5D1E2A44143D63B6E0B3E10D8C5310 ADF84D30
; this file will have all the zone keys
$INCLUDE dnskey.db
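Review bot: the two hand-entered `sub IN DS 54876 5 ...` records conflict with the comment directly above them, which says the DS set is added automatically by `dnssec-signzone -g` from `keyset-sub.example.net`; keeping both paths means a child key change can leave a stale static DS beside a freshly generated one, so keep one mechanism (the generated DS) and delete either the static records or the comment. The host addresses (`1.0.0.5`, `1.2.0.6`, `1.2.3.1`, `1.2.3.3`) are not reserved documentation space; use 192.0.2.0/24 (TEST-NET) so a copied example never sends traffic to a real host. The serial comment ("left justified in a field of at least 10 chars") describes the in-place increment scheme, yet the example signer logs sign with `-N unixtime`, so state which serial mode this example actually uses. `localhost IN A 127.0.0.1` in a public zone is a known foot-gun for cookie scoping and same-origin checks and is not needed for the example.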


@ -0,0 +1,146 @@
; File written on Tue Jun 24 10:00:31 2008
; dnssec_signzone version 9.5.0
example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
263 ; serial
43200 ; refresh (12 hours)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
7200 RRSIG SOA 5 2 7200 20080724070030 (
20080624070030 33755 example.net.
FFUGR4+nzjZbpDT/RAncV7dNvBy1xil4MO17
DU+gotHHV1Yq+4RRqEnRhOSWydDC9ENAjH7W
lmzr+igFHp8qiw== )
7200 NS ns1.example.net.
7200 NS ns2.example.net.
7200 RRSIG NS 5 2 7200 20080724070030 (
20080624070030 33755 example.net.
mpT5zY57UtLMdl6iKVtvr78vINyaA3NkZ0af
E/TtUUBJeIEjLauzxA5jJBGqLWAiLj8HKWhS
dq1VfORhRh/Xng== )
7200 NSEC a.example.net. NS SOA RRSIG NSEC DNSKEY
7200 RRSIG NSEC 5 2 7200 20080724070030 (
20080624070030 33755 example.net.
Q5yxSoL+Df3UbGe1RSFFj01SoBGLgjXvgLd5
wKota7wnjO8CxidmrN+qcKQHjF+R+mH8GeQ7
xL1qZxKLQqxmwA== )
14400 DNSKEY 256 3 5 (
BQEAAAABzN8pvZb5GSy8AozXt4L8HK/x59TQ
jh9IaZS+mIyyuHDX2iaFUigOqHixIJtDLD1r
/MfelgJ/Mh6+vCu+XmMQuw==
) ; key id = 33755
14400 DNSKEY 257 3 5 (
BQEAAAABC23icFZAD3DFBLoEw7DWKl8Hig7a
zmEbpXHYyAV98l+QQaTAb98Ob3YbrVJ9IU8E
0KBFb5iYpHobxowPsI8FjUH2oL/7PfhtN1E3
NlL6Uhbo8Umf6H0UULEsUTlTT8dnX+ikjAr8
bN71YJP7BXlszezsFHuMEspNdOPyMr93230+
R2KTEzC2H4CQzSRIr5xXSIq8kkrJ3miGjTyj
5awvXfJ+eQ==
) ; key id = 31674
14400 RRSIG DNSKEY 5 2 14400 20080724070030 (
20080624070030 31674 example.net.
BGed6Vivkmx/SM7HuXMy9ex+p0fDWcXW6uTH
SZLs9oAZMSkm8Xh2RNNI1sgZefGpsOc7AZJE
JuIWttqKm5VL57qpEKeTxZ9oE6Vpk4ko5lMo
yTJUoih7lTXo7a1OsNHMFZadE7Fu4Q8pjGUZ
ZJI4zBrT7JmgyPNCkgn1JdC2qJlc6ClHEb4E
6pQyH3BnSOFudZDz8MdVQnqdxpShGwucnf2i
oA== )
14400 RRSIG DNSKEY 5 2 14400 20080724070030 (
20080624070030 33755 example.net.
f03G7Cq3CwWz7Lbe7cl61ciSsdEYv4heYnR3
binJ3xWO7jSiRAvUAfkIYDspdlF/PCOnv8sr
id8TL8q/qQ0MCg== )
a.example.net. 7200 IN A 1.2.3.1
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
VuIrcft9jvWKORJy2SQ4UgWwRnUL4gIiaVpy
3i5hfjM6X38FHsy0SvGrjxQqiurwZZS4NxXG
ljUerawxMdHWWw== )
7200 NSEC b.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
yc/tsRYQRaYsPp+5jPUj2NR0R3zHKvXBQ/RO
14b/eKL9i4NnuzS50qFZwzpcOBOJd6XITO4p
yJNZQKtryRJuSg== )
b.example.net. 7200 IN MX 10 a.example.net.
7200 RRSIG MX 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
xVjOhCO2zJVp1SsoMdM6ePCZUkittsqEP7rI
7j8r2S1j4oiIdXaxCBBVwddhS/x1eziI/a2S
/HwVRJThIYIKnQ== )
7200 NSEC d.example.net. MX RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
jC171VBU0dqcI1NnMUUqrUIjq09sVHnFo9CH
0jKNwxkj+K1Zkr7CBm6htH+EkKKhqKFW8kz7
b2r05FL1xakcnQ== )
d.example.net. 7200 IN A 1.2.3.3
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
Q4C7HCpDR6fxIczzqGDnkpXUL5oxdPDYWF2H
vmAalL++9A5hVGz8S5IfX87dZAg71c1j8ZAe
5oS0pvLQnweoIw== )
7200 AAAA 2001:db8::3
7200 RRSIG AAAA 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
ECjxqQpJCbL6A9iBk/bImgzDNevUXFjq8n2L
14ewG5zQSz/0l0NqcHKtCiruBjHd+DEXjTEI
Qo8RvMm7Rn8OsA== )
7200 NSEC localhost.example.net. A AAAA RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
k+AhslVfBZgXkTaWjDVB+3nLm2ye8UOGMNhY
QcKxJZaVYKnUZfyX1sJONN4UdFjmnkdNcRVC
6ouWrLbIwslqIQ== )
localhost.example.net. 7200 IN A 127.0.0.1
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
wZjK9o3CElHLPSzynvzft/nQAEeBpNOj22vq
3TWa9HWQ0RqL55NRmzxuDtyMtPOFQpniVxgV
jizb8X3SPJ5V1g== )
7200 NSEC ns1.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
e4nOW7PuqCQBYgSCBQH06V2XB7SF85jmfFIc
dSMbsLRK+1tN/Y2+85WKVSQrXZzWRHgjQ+Hw
iL/FWK5Zfq7ixg== )
ns1.example.net. 7200 IN A 1.0.0.5
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
tTfMDk2ww2uWutlhjRMDPGo9ZPugjJqSbdyP
6cJcCDJUBce0UZFxjvDBZhfG7O2XUscooUjp
JpXsJ54ksPugXA== )
7200 AAAA 2001:db8::53
7200 RRSIG AAAA 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
x8iMgcICSOxgx4biLForfZxgMbMVpzwMQR6n
naFVK79GOwFFT8krAfo6K6Rg7Fyu0jSE/59H
3Y15F0ju6YvbAg== )
7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
EYof9XuXHXuWgRF0MzgO/Z8FGYJEfLlJKWCV
IWh+b8XJejLO1Tt0vlJZl0orrs6yam/B8CWb
dgq8ktbqpNHmvg== )
ns2.example.net. 7200 IN A 1.2.0.6
7200 RRSIG A 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
Uh93B1J7mOqBcW8sXWHA6vmeGszGJGE/BtFV
cdO4tBNoIDbIdkzBUJZphc6HfK7/gu7WFhAo
5v6cZr4bRDOf6A== )
7200 NSEC sub.example.net. A RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
xOkV3aTsgrP7ZyaHfKhLmjJfhboQJpDYFdqV
y0zzZuGQr7Yr4PxWED5WJhm4fFf48agNWBmm
rk1OaFadv6m2uw== )
sub.example.net. 7200 IN NS ns1.example.net.
7200 NSEC example.net. NS RRSIG NSEC
7200 RRSIG NSEC 5 3 7200 20080724070030 (
20080624070030 33755 example.net.
Pr8KFvU/Fr2lp9W6Wqqq47VKrnh3tL90S8Eu
KIPsfmBE00g7eGPVswJUWShXMBZFLtfqI8z/
UBM6VzROSTtryA== )
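Review bot: every RRSIG in this file is valid only from `20080624070030` to `20080724070030`, so by the date of this import all signatures are expired and a validating resolver (the example named.conf sets `dnssec-accept-expired false;`) will SERVFAIL on the zone; regenerate the signed file at release time or mark it as a static illustration. The file also does not match the zone.db beside it: `sub.example.net.` carries only `NS` (NSEC bitmap `NS RRSIG NSEC`, no DS), whereas zone.db lists two `sub IN DS` records, so the two files were produced from different inputs. Finally, the ZSK (key id 33755) has 70 bytes of DNSKEY RDATA, of which 6 bytes are the exponent-length byte and the exponent, leaving a 512-bit RSA modulus; that is fine for a demo but should not be copied as a default, so a comment in the example config pointing readers at a larger ZSK size would help.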

443
contrib/zkt/log.c Normal file

@ -0,0 +1,443 @@
/*****************************************************************
**
** @(#) log.c -- The ZKT error logging module
**
** Copyright (c) June 2008, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
**
*****************************************************************/
# include <stdio.h>
# include <string.h>
# include <stdlib.h>
# include <ctype.h>
# include <sys/types.h>
# include <sys/stat.h>
# include <sys/time.h>
# include <time.h>
# include <assert.h>
# include <errno.h>
# include <syslog.h>
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
# include "config_zkt.h"
# include "misc.h"
# include "debug.h"
#define extern
# include "log.h"
#undef extern
/*****************************************************************
** module internal vars & declarations
*****************************************************************/
static FILE *lg_fp;
static int lg_minfilelevel;
static int lg_syslogging;
static int lg_minsyslevel;
static long lg_errcnt;
static const char *lg_progname;
typedef struct {
lg_lvl_t level;
const char *str;
int syslog_level;
} lg_symtbl_t;
static lg_symtbl_t symtbl[] = {
{ LG_NONE, "none", -1 },
{ LG_DEBUG, "debug", LOG_DEBUG },
{ LG_INFO, "info", LOG_INFO },
{ LG_NOTICE, "notice", LOG_NOTICE },
{ LG_WARNING, "warning", LOG_WARNING },
{ LG_ERROR, "error", LOG_ERR },
{ LG_FATAL, "fatal", LOG_CRIT },
{ LG_NONE, "user", LOG_USER },
{ LG_NONE, "daemon", LOG_DAEMON },
{ LG_NONE, "local0", LOG_LOCAL0 },
{ LG_NONE, "local1", LOG_LOCAL1 },
{ LG_NONE, "local2", LOG_LOCAL2 },
{ LG_NONE, "local3", LOG_LOCAL3 },
{ LG_NONE, "local4", LOG_LOCAL4 },
{ LG_NONE, "local5", LOG_LOCAL5 },
{ LG_NONE, "local6", LOG_LOCAL6 },
{ LG_NONE, "local7", LOG_LOCAL7 },
{ LG_NONE, NULL, -1 }
};
# define MAXFNAME (1023)
/*****************************************************************
** function definitions (for function declarations see log.h)
*****************************************************************/
/*****************************************************************
** lg_fileopen (path, name) -- open the log file
** Name is a (absolute or relative) file or directory name.
** If path is given and name is a relative path name then path
** is prepended to name.
** returns the open file pointer or NULL on error
*****************************************************************/
static FILE *lg_fileopen (const char *path, const char *name)
{
int len;
FILE *fp;
struct tm *t;
time_t sec;
char fname[MAXFNAME+1];
if ( name == NULL || *name == '\0' )
return NULL;
else if ( *name == '/' || path == NULL )
snprintf (fname, MAXFNAME, "%s", name);
else
snprintf (fname, MAXFNAME, "%s/%s", path, name);
# ifdef LOG_TEST
fprintf (stderr, "\t ==> \"%s\"", fname);
# endif
if ( is_directory (fname) )
{
len = strlen (fname);
time (&sec);
t = gmtime (&sec);
snprintf (fname+len, MAXFNAME-len, LOG_FNAMETMPL,
t->tm_year + 1900, t->tm_mon+1, t->tm_mday,
t->tm_hour, t->tm_min, t->tm_sec);
# ifdef LOG_TEST
fprintf (stderr, " isdir \"%s\"", fname);
# endif
}
# ifdef LOG_TEST
fprintf (stderr, "\n");
# endif
if ( (fp = fopen (fname, "a")) == NULL )
return NULL;
return fp;
}
/*****************************************************************
** lg_str2lvl (level_name)
*****************************************************************/
lg_lvl_t lg_str2lvl (const char *name)
{
lg_symtbl_t *p;
if ( !name )
return LG_NONE;
for ( p = symtbl; p->str; p++ )
if ( strcasecmp (name, p->str) == 0 )
return p->level;
return LG_NONE;
}
/*****************************************************************
** lg_lvl2syslog (level)
*****************************************************************/
lg_lvl_t lg_lvl2syslog (lg_lvl_t level)
{
lg_symtbl_t *p;
for ( p = symtbl; p->str; p++ )
if ( level == p->level )
return p->syslog_level;
assert ( p->str != NULL ); /* we assume not to reach this! */
return LOG_DEBUG; /* if not found, return DEBUG as default */
}
/*****************************************************************
** lg_str2syslog (facility_name)
*****************************************************************/
int lg_str2syslog (const char *facility)
{
lg_symtbl_t *p;
dbg_val1 ("lg_str2syslog (%s)\n", facility);
if ( !facility )
return LG_NONE;
for ( p = symtbl; p->str; p++ )
if ( strcasecmp (facility, p->str) == 0 )
return p->syslog_level;
return LG_NONE;
}
/*****************************************************************
** lg_lvl2str (level)
*****************************************************************/
const char *lg_lvl2str (lg_lvl_t level)
{
lg_symtbl_t *p;
if ( level < LG_DEBUG )
return "none";
for ( p = symtbl; p->str; p++ )
if ( level == p->level )
return p->str;
return "fatal";
}
/*****************************************************************
** lg_geterrcnt () -- returns the current value of the internal
** error counter
*****************************************************************/
long lg_geterrcnt ()
{
return lg_errcnt;
}
/*****************************************************************
** lg_seterrcnt () -- sets the internal error counter
** returns the current value
*****************************************************************/
long lg_seterrcnt (long value)
{
return lg_errcnt = value;
}
/*****************************************************************
** lg_reseterrcnt () -- resets the internal error counter to 0
** returns the current value
*****************************************************************/
long lg_reseterrcnt ()
{
return lg_seterrcnt (0L);
}
/*****************************************************************
** lg_open (prog, facility, syslevel, path, file, filelevel)
** -- open the log channel
** return values:
** 0 on success
** -1 on file open error
*****************************************************************/
int lg_open (const char *progname, const char *facility, const char *syslevel, const char *path, const char *file, const char *filelevel)
{
int sysfacility;
dbg_val6 ("lg_open (%s, %s, %s, %s, %s, %s)\n", progname, facility, syslevel, path, file, filelevel);
lg_minsyslevel = lg_str2lvl (syslevel);
lg_minfilelevel = lg_str2lvl (filelevel);
sysfacility = lg_str2syslog (facility);
if ( sysfacility >= 0 )
{
lg_syslogging = 1;
dbg_val2 ("lg_open: openlog (%s, LOG_NDELAY, %d)\n", progname, lg_str2syslog (facility));
openlog (progname, LOG_NDELAY, lg_str2syslog (facility));
}
if ( file && * file )
{
if ( (lg_fp = lg_fileopen (path, file)) == NULL )
return -1;
lg_progname = progname;
}
return 0;
}
/*****************************************************************
** lg_close () -- close the open filepointer for error logging
** return 0 if no error log file is currently open,
** otherwise the return code of fclose is returned.
*****************************************************************/
int lg_close ()
{
int ret = 0;
if ( lg_syslogging )
{
closelog ();
lg_syslogging = 0;
}
if ( lg_fp )
{
ret = fclose (lg_fp);
lg_fp = NULL;
}
return ret;
}
/*****************************************************************
**
** lg_args (level, argc, argv[])
** log all command line arguments (up to a length of 511 chars)
** with priority level
**
*****************************************************************/
void lg_args (lg_lvl_t level, int argc, char * const argv[])
{
char cmdline[511+1];
int len;
int i;
len = 0;
for ( i = 0; i < argc && len < sizeof (cmdline); i++ )
len += snprintf (cmdline+len, sizeof (cmdline) - len, " %s", argv[i]);
#if 1
lg_mesg (level, "------------------------------------------------------------");
#else
lg_mesg (level, "");
#endif
lg_mesg (level, "running%s ", cmdline);
}
/*****************************************************************
**
** lg_mesg (level, fmt, ...)
**
** Write a given message to the error log file and counts
** all messages written with an level greater than LOG_ERR.
**
** All messages will be on one line in the logfile, so it's
** not necessary to add an '\n' to the message.
**
** To call this function before an elog_open() is called is
** useless!
**
*****************************************************************/
void lg_mesg (int priority, char *fmt, ...)
{
va_list ap;
struct timeval tv;
struct tm *t;
char format[256];
assert (fmt != NULL);
assert (priority >= LG_DEBUG && priority <= LG_FATAL);
format[0] ='\0';
dbg_val3 ("syslog = %d prio = %d >= sysmin = %d\n", lg_syslogging, priority, lg_minsyslevel);
if ( lg_syslogging && priority >= lg_minsyslevel )
{
#if defined (LOG_WITH_LEVEL) && LOG_WITH_LEVEL
snprintf (format, sizeof (format), "%s: %s", lg_lvl2str(priority), fmt);
fmt = format;
#endif
va_start(ap, fmt);
vsyslog (lg_lvl2syslog (priority), fmt, ap);
va_end(ap);
}
dbg_val3 ("filelg = %d prio = %d >= filmin = %d\n", lg_fp!=NULL, priority, lg_minfilelevel);
if ( lg_fp && priority >= lg_minfilelevel )
{
#if defined (LOG_WITH_TIMESTAMP) && LOG_WITH_TIMESTAMP
gettimeofday (&tv, NULL);
t = localtime ((time_t *) &tv.tv_sec);
fprintf (lg_fp, "%04d-%02d-%02d ",
t->tm_year+1900, t->tm_mon+1, t->tm_mday);
fprintf (lg_fp, "%02d:%02d:%02d.%03ld: ",
t->tm_hour, t->tm_min, t->tm_sec, tv.tv_usec / 1000);
#endif
#if defined (LOG_WITH_PROGNAME) && LOG_WITH_PROGNAME
if ( lg_progname )
fprintf (lg_fp, "%s: ", lg_progname);
#endif
#if defined (LOG_WITH_LEVEL) && LOG_WITH_LEVEL
if ( fmt != format ) /* level is not in fmt string */
fprintf (lg_fp, "%s: ", lg_lvl2str(priority));
#endif
va_start(ap, fmt);
vfprintf (lg_fp, fmt, ap);
va_end(ap);
fprintf (lg_fp, "\n");
}
if ( priority >= LG_ERROR )
lg_errcnt++;
}
#ifdef LOG_TEST
const char *progname;
int main (int argc, char *argv[])
{
const char *levelstr;
const char *newlevelstr;
int level;
int err;
progname = *argv;
if ( --argc )
levelstr = *++argv;
else
levelstr = "fatal";
level = lg_str2lvl (levelstr);
newlevelstr = lg_lvl2str (level+1);
dbg_val4 ("base level = %s(%d) newlevel = %s(%d)\n", levelstr, level, newlevelstr, level+1);
if ( (err = lg_open (progname,
#if 1
"user",
#else
"none",
#endif
levelstr, ".",
#if 1
"test.log",
#else
NULL,
#endif
newlevelstr)) )
fprintf (stderr, "\topen error %d\n", err);
else
{
lg_mesg (LG_DEBUG, "debug message");
lg_mesg (LG_INFO, "INFO message");
lg_mesg (LG_NOTICE, "Notice message");
lg_mesg (LG_WARNING, "Warning message");
lg_mesg (LG_ERROR, "Error message");
lg_mesg (LG_FATAL, "Fatal message ");
}
if ( (err = lg_close ()) < 0 )
fprintf (stderr, "\tclose error %d\n", err);
return 0;
}
#endif
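Review bot: `lg_open` treats any non-negative value from `lg_str2syslog` as a usable facility (`if ( sysfacility >= 0 )`), but `lg_str2syslog` returns `LG_NONE`, which is 0, for an unknown or NULL facility name, and 0 is also `LOG_KERN`; a misspelled facility in the configuration therefore silently switches syslog logging on with the kernel facility instead of leaving it off, and because the lookup walks the whole `symtbl`, level names such as "debug" are accepted as facilities too. Return -1 for names that are not facility entries (or split the table into a level part and a facility part) before calling `openlog`. Smaller points: `lg_lvl2syslog` is declared to return `lg_lvl_t` but returns `syslog_level`, an `int` such as `LOG_ERR`; `lg_mesg` takes `char *fmt` where `const char *` would do and carries no printf-format attribute; the `lg_mesg` header comment refers to `elog_open()`, which is now `lg_open()`; the counter increments for `priority >= LG_ERROR` while the comment says "greater than LOG_ERR"; and `snprintf (format, sizeof (format), "%s: %s", lg_lvl2str(priority), fmt)` silently truncates long formats, which can cut a conversion specification in half, so check its return value or size `format` from `strlen (fmt)`.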

66
contrib/zkt/log.h Normal file

@ -0,0 +1,66 @@
/*****************************************************************
**
** @(#) log.h (c) June 2008 Holger Zuleger hznet.de
**
** Copyright (c) June 2008, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef LOG_H
# define LOG_H
# include <sys/types.h>
# include <stdarg.h>
# include <stdio.h>
# include <time.h>
# include <syslog.h>
typedef enum {
LG_NONE = 0,
LG_DEBUG,
LG_INFO,
LG_NOTICE,
LG_WARNING,
LG_ERROR,
LG_FATAL
} lg_lvl_t;
extern lg_lvl_t lg_str2lvl (const char *name);
extern int lg_str2syslog (const char *facility);
extern const char *lg_lvl2str (lg_lvl_t level);
extern lg_lvl_t lg_lvl2syslog (lg_lvl_t level);
extern long lg_geterrcnt (void);
extern long lg_seterrcnt (long value);
extern long lg_reseterrcnt (void);
extern int lg_open (const char *progname, const char *facility, const char *syslevel, const char *path, const char *file, const char *filelevel);
extern int lg_close (void);
extern void lg_args (lg_lvl_t level, int argc, char * const argv[]);
extern void lg_mesg (int level, char *fmt, ...);
#endif
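Review bot: `extern void lg_mesg (int level, char *fmt, ...);` is the only prototype here that takes an `int` level rather than `lg_lvl_t`, and it takes `char *fmt` instead of `const char *fmt`, so string-literal formats warn under `-Wwrite-strings`; change it to `extern void lg_mesg (lg_lvl_t level, const char *fmt, ...);` and, where the compiler supports it, add a printf-style format attribute so argument mismatches in log calls are caught at compile time. It would also help to document next to `LG_NONE = 0` that it is a level, not a syslog facility, since `lg_str2syslog` returns it as its "not found" value and 0 collides with `LOG_KERN`.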

1157
contrib/zkt/misc.c Normal file

File diff suppressed because it is too large

84
contrib/zkt/misc.h Normal file

@ -0,0 +1,84 @@
/*****************************************************************
**
** @(#) misc.h (c) 2005 - 2007 Holger Zuleger hznet.de
**
** Copyright (c) 2005 - 2007, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef MISC_H
# define MISC_H
# include <sys/types.h>
# include <stdarg.h>
# include <stdio.h>
# include "zconf.h"
# define min(a, b) ((a) < (b) ? (a) : (b))
# define max(a, b) ((a) > (b) ? (a) : (b))
extern const char *getnameappendix (const char *progname, const char *basename);
extern const char *getdefconfname (const char *view);
extern int fileexist (const char *name);
extern size_t filesize (const char *name);
extern int file_age (const char *fname);
extern int touch (const char *fname, time_t sec);
extern int linkfile (const char *fromfile, const char *tofile);
//extern int copyfile (const char *fromfile, const char *tofile);
extern int copyfile (const char *fromfile, const char *tofile, const char *dnskeyfile);
extern int copyzonefile (const char *fromfile, const char *tofile, const char *dnskeyfile);
extern int cmpfile (const char *file1, const char *file2);
extern char *str_delspace (char *s);
extern char *str_tolowerdup (const char *s);
extern int in_strarr (const char *str, char *const arr[], int cnt);
extern const char *splitpath (char *path, size_t size, const char *filename);
extern char *pathname (char *name, size_t size, const char *path, const char *file, const char *ext);
extern char *time2str (time_t sec, int precision);
extern char *time2isostr (time_t sec, int precision);
extern time_t timestr2time (const char *timestr);
extern int is_keyfilename (const char *name);
extern int is_directory (const char *name);
extern time_t file_mtime (const char *fname);
extern int is_exec_ok (const char *prog);
extern char *age2str (time_t sec);
extern time_t stop_timer (time_t start);
extern time_t start_timer (void);
extern void error (char *fmt, ...);
extern void fatal (char *fmt, ...);
extern void logmesg (char *fmt, ...);
extern void verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...);
extern void logflush (void);
extern int inc_serial (const char *fname, int use_unixtime);
extern const char *inc_errstr (int err);
extern char *str_untaint (char *str);
extern char *str_chop (char *str, char c);
extern int is_dotfile (const char *name);
extern void parseurl (char *url, char **proto, char **host, char **port, char **para);
#endif
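Review bot: The commented-out `//extern int copyfile (const char *fromfile, const char *tofile);` directly above the live three-argument declaration is dead code and should be dropped rather than imported. Two smaller points: `error`, `fatal`, `logmesg` and `verbmesg` take `char *fmt` where `const char *fmt` is correct (the callers in rollover.c and ncparse.c all pass string literals), and the `min`/`max` macros defined in this public header evaluate their arguments twice and can clash with definitions from system headers such as `<sys/param.h>`; wrapping them in `#ifndef min` / `#ifndef max` guards would avoid redefinition errors in files that include both.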

317
contrib/zkt/ncparse.c Normal file

@ -0,0 +1,317 @@
/*****************************************************************
**
** @(#) ncparse.c -- A very simple named.conf parser
**
** Copyright (c) Apr 2005 - Nov 2007, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
# include <stdio.h>
# include <string.h>
# include <ctype.h>
# include <assert.h>
# include "debug.h"
# include "misc.h"
# include "log.h"
#define extern
# include "ncparse.h"
#undef extern
# define TOK_STRING 257
# define TOK_DIR 258
# define TOK_INCLUDE 259
# define TOK_ZONE 260
# define TOK_TYPE 261
# define TOK_MASTER 262
# define TOK_SLAVE 263
# define TOK_STUB 264
# define TOK_HINT 265
# define TOK_FORWARD 266
# define TOK_DELEGATION 267
# define TOK_VIEW 268
# define TOK_FILE 270
# define TOK_UNKNOWN 511
/* list of "named.conf" keywords we are interested in */
static struct KeyWords {
char *name;
int tok;
} kw[] = {
{ "STRING", TOK_STRING },
{ "include", TOK_INCLUDE },
{ "directory", TOK_DIR },
{ "file", TOK_FILE },
{ "zone", TOK_ZONE },
#if 0 /* we don't need the type keyword; master, slave etc. is sufficient */
{ "type", TOK_TYPE },
#endif
{ "master", TOK_MASTER },
{ "slave", TOK_SLAVE },
{ "stub", TOK_STUB },
{ "hint", TOK_HINT },
{ "forward", TOK_FORWARD },
{ "delegation-only", TOK_DELEGATION },
{ "view", TOK_VIEW },
{ NULL, TOK_UNKNOWN },
};
#ifdef DBG
static const char *tok2str (int tok)
{
int i;
i = 0;
while ( kw[i].name && kw[i].tok != tok )
i++;
return kw[i].name;
}
#endif
static int searchkw (const char *keyword)
{
int i;
dbg_val ("ncparse: searchkw (%s)\n", keyword);
i = 0;
while ( kw[i].name && strcmp (kw[i].name, keyword) != 0 )
i++;
return kw[i].tok;
}
static int gettok (FILE *fp, char *val, size_t valsize)
{
int lastc;
int c;
char buf[255+1];
char *p;
char *bufend;
*val = '\0';
do {
while ( (c = getc (fp)) != EOF && isspace (c) )
;
if ( c == '#' ) /* single line comment ? */
{
while ( (c = getc (fp)) != EOF && c != '\n' )
;
continue;
}
if ( c == EOF )
return EOF;
if ( c == '{' || c == '}' || c == ';' )
continue;
if ( c == '/' ) /* begin of C comment ? */
{
if ( (c = getc (fp)) == '*' ) /* yes! */
{
lastc = EOF; /* read until end of c comment */
while ( (c = getc (fp)) != EOF && !(lastc == '*' && c == '/') )
lastc = c;
}
else if ( c == '/' ) /* is it a C single line comment ? */
{
while ( (c = getc (fp)) != EOF && c != '\n' )
;
}
else /* no ! */
ungetc (c, fp);
continue;
}
if ( c == '\"' )
{
p = val;
bufend = val + valsize - 1;
while ( (c = getc (fp)) != EOF && p < bufend && c != '\"' )
*p++ = c;
*p = '\0';
/* if string buffer is too small, eat up rest of string */
while ( c != EOF && c != '\"' )
c = getc (fp);
return TOK_STRING;
}
p = buf;
bufend = buf + sizeof (buf) - 1;
do
*p++ = tolower (c);
while ( (c = getc (fp)) != EOF && p < bufend && isalpha (c) );
*p = '\0';
ungetc (c, fp);
if ( (c = searchkw (buf)) != TOK_UNKNOWN )
return c;
} while ( c != EOF );
return EOF;
}
/*****************************************************************
**
** parse_namedconf (const char *filename, int (*func) ())
**
** Very dumb named.conf parser.
** - In a zone declaration the _first_ keyword MUST be "type"
** - For every master zone "func (directory, zone, filename)" will be called
**
*****************************************************************/
int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ())
{
FILE *fp;
int tok;
char path[511+1];
#if 1 /* this is potentialy too small for key data, but we don't need the keys... */
char strval[255+1];
#else
char strval[4095+1];
#endif
char view[255+1];
char zone[255+1];
char zonefile[255+1];
dbg_val ("parse_namedconf: parsing file \"%s\" \n", filename);
assert (filename != NULL);
assert (dir != NULL && dirsize != 0);
assert (func != NULL);
view[0] = '\0';
if ( (fp = fopen (filename, "r")) == NULL )
return 0;
while ( (tok = gettok (fp, strval, sizeof strval)) != EOF )
{
if ( tok > 0 && tok < 256 )
{
error ("parse_namedconf: token found with value %-10d: %c\n", tok, tok);
lg_mesg (LG_ERROR, "parse_namedconf: token found with value %-10d: %c", tok, tok);
}
else if ( tok == TOK_DIR )
{
if ( gettok (fp, strval, sizeof (strval)) == TOK_STRING )
{
dbg_val2 ("parse_namedconf: directory found \"%s\" (dir is %s)\n",
strval, dir);
if ( *strval != '/' && *dir )
snprintf (path, sizeof (path), "%s/%s", dir, strval);
else
snprintf (path, sizeof (path), "%s", strval);
snprintf (dir, dirsize, "%s", path);
dbg_val ("parse_namedconf: new dir \"%s\" \n", dir);
}
}
else if ( tok == TOK_INCLUDE )
{
if ( gettok (fp, strval, sizeof (strval)) == TOK_STRING )
{
if ( *strval != '/' && *dir )
snprintf (path, sizeof (path), "%s/%s", dir, strval);
else
snprintf (path, sizeof (path), "%s", strval);
if ( !parse_namedconf (path, dir, dirsize, func) )
return 0;
}
else
{
error ("parse_namedconf: need a filename after \"include\"!\n");
lg_mesg (LG_ERROR, "parse_namedconf: need a filename after \"include\"!");
}
}
else if ( tok == TOK_VIEW )
{
if ( gettok (fp, strval, sizeof (strval)) != TOK_STRING )
continue;
snprintf (view, sizeof view, "%s", strval); /* store the name of the view */
}
else if ( tok == TOK_ZONE )
{
if ( gettok (fp, strval, sizeof (strval)) != TOK_STRING )
continue;
snprintf (zone, sizeof zone, "%s", strval); /* store the name of the zone */
if ( gettok (fp, strval, sizeof (strval)) != TOK_MASTER )
continue;
if ( gettok (fp, strval, sizeof (strval)) != TOK_FILE )
continue;
if ( gettok (fp, strval, sizeof (strval)) != TOK_STRING )
continue;
snprintf (zonefile, sizeof zonefile, "%s", strval); /* this is the filename */
dbg_val4 ("dir %s view %s zone %s file %s\n", dir, view, zone, zonefile);
(*func) (dir, view, zone, zonefile);
}
else
dbg_val3 ("%-10s(%d): %s\n", tok2str(tok), tok, strval);
}
fclose (fp);
return 1;
}
#ifdef TEST_NCPARSE
int printzone (const char *dir, const char *view, const char *zone, const char *file)
{
printf ("printzone ");
printf ("view \"%s\" " , view);
printf ("zone \"%s\" " , zone);
printf ("file ");
if ( dir && *dir )
printf ("%s/", dir, file);
printf ("%s", file);
putchar ('\n');
return 1;
}
char *progname;
main (int argc, char *argv[])
{
char directory[255+1];
progname = argv[0];
directory[0] = '\0';
if ( --argc == 0 )
parse_namedconf ("/var/named/named.conf", directory, sizeof (directory), printzone);
else
parse_namedconf (argv[1], directory, sizeof (directory), printzone);
}
#endif
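Review bot: The header comment on `parse_namedconf` documents the callback as `func (directory, zone, filename)`, but the call at the end of the `TOK_ZONE` branch passes four arguments, `(*func) (dir, view, zone, zonefile)`, and the parameter is declared as the unprototyped `int (*func) ()`, so the compiler cannot catch a mismatched callback; update the comment and declare it as `int (*func) (const char *, const char *, const char *, const char *)`. Further points in this hunk: `gettok` collects identifiers with `isalpha`, so the `"delegation-only"` entry in `kw[]` can never match (tokenising stops at the `-`, leaving `"delegation"`); the `TOK_INCLUDE` branch recurses into `parse_namedconf` with no depth limit, so a named.conf that includes itself directly or through a cycle recurses until the stack is exhausted, which a simple nesting counter would prevent; the `tok > 0 && tok < 256` error branch is unreachable because `gettok` only returns `EOF`, `TOK_STRING` or a `kw[]` token; `printzone` calls `printf ("%s/", dir, file)` with a surplus argument; and the test `main` has no return type or return value. The `#if 1` comment also misspells "potentially".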

41
contrib/zkt/ncparse.h Normal file

@ -0,0 +1,41 @@
/*****************************************************************
**
** @(#) ncparse.h -- headerfile for a simple named.conf parser
**
** Copyright (c) Apr 2005 - Nov 2007, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef NCPARSE_H
# define NCPARSE_H
extern int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ());
#endif
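Review bot: The header is not self-contained: the prototype uses `size_t`, but nothing in the file includes `<stddef.h>` or `<sys/types.h>`, so a translation unit that includes `ncparse.h` before any header defining `size_t` fails to compile. Add `# include <stddef.h>` after the include guard, and replace the unprototyped callback `int (*func) ()` with the four-argument prototype that `parse_namedconf` actually invokes (`const char *dir, const char *view, const char *zone, const char *file`, matching the `printzone` test function in ncparse.c) so callers get type checking.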

615
contrib/zkt/rollover.c Normal file

@ -0,0 +1,615 @@
/*****************************************************************
**
** @(#) rollover.c -- The key rollover functions
**
** Copyright (c) Jan 2005 - May 2008, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
# include <stdio.h>
# include <string.h>
# include <stdlib.h>
# include <ctype.h>
# include <time.h>
# include <assert.h>
# include <dirent.h>
# include <errno.h>
# include <unistd.h>
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
# include "config_zkt.h"
# include "zconf.h"
# include "debug.h"
# include "misc.h"
# include "zone.h"
# include "dki.h"
# include "log.h"
#define extern
# include "rollover.h"
#undef extern
/*****************************************************************
** local function definition
*****************************************************************/
static dki_t *genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)
{
dki_t *dkp;
if ( listp == NULL || domain == NULL )
return NULL;
if ( ksk )
dkp = dki_new (dir, domain, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
else
dkp = dki_new (dir, domain, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
dki_add (listp, dkp);
dki_setstatus (dkp, status);
return dkp;
}
static time_t get_exptime (dki_t *key, const zconf_t *z)
{
time_t exptime;
exptime = dki_exptime (key);
if ( exptime == 0L )
{
if ( dki_lifetime (key) )
exptime = dki_time (key) + dki_lifetime (key);
else
exptime = dki_time (key) + z->k_life;
}
return exptime;
}
/*****************************************************************
** is_parentdirsigned (name)
** Check if the parent directory of the zone specified by zp
** is a directory with a signed zone
** Returns 0 | 1
*****************************************************************/
static int is_parentdirsigned (const zone_t *zonelist, const zone_t *zp)
{
char path[MAX_PATHSIZE+1];
const char *ext;
#if 0
const zconf_t *conf;
/* check if there is a local config file to get the name of the zone file */
snprintf (path, sizeof (path), "%s/../%s", zp->dir, LOCALCONF_FILE);
if ( fileexist (path) ) /* parent dir has local config file ? */
conf = loadconfig (path, NULL);
else
conf = zp->conf;
/* build the path of the .signed zone file */
snprintf (path, sizeof (path), "%s/../%s.signed", conf->dir, conf->zonefile);
if ( conf != zp->conf ) /* if we read in a local config file.. */
free (conf); /* ..free the memory used */
#else
/* currently we use the signed zone file name of the
* current directory for checking if the file exist.
* TODO: Instead we have to use the name of the zone file
* used in the parent dir (see above)
*/
ext = strrchr (zp->sfile, '.');
if ( ext && strcmp (zp->sfile, ".dsigned") == 0 ) /* is the current zone a dynamic one ? */
/* hack: we are using the standard zone file name for a static zone here */
snprintf (path, sizeof (path), "%s/../%s", zp->dir, "zone.db.signed");
else
{
# if 1
const zone_t *parent;
const char *parentname;
/* find out name of parent */
parentname = strchr (zp->zone, '.'); /* find first dot in zone name */
if ( parentname == NULL ) /* no parent found! */
return 0;
parentname += 1; /* skip '.' */
/* try to find parent zone in zonelist */
if ( (parent = zone_search (zonelist, parentname)) == NULL )
return 0;
snprintf (path, sizeof (path), "%s/%s", parent->dir, parent->sfile);
# else
snprintf (path, sizeof (path), "%s/../%s", zp->dir, zp->sfile);
# endif
}
#endif
lg_mesg (LG_DEBUG, "%s: is_parentdirsigned = %d fileexist (%s)\n", zp->zone, fileexist (path), path);
return fileexist (path); /* parent dir has zone.db.signed file ? */
}
/*****************************************************************
** create_parent_file ()
*****************************************************************/
static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)
{
FILE *fp;
assert ( fname != NULL );
if ( dkp == NULL || (phase != 1 && phase != 2) )
return 0;
if ( (fp = fopen (fname, "w")) == NULL )
fatal ("can\'t create new parentfile \"%s\"\n", fname);
if ( phase == 1 )
fprintf (fp, "; KSK rollover phase1 (new key generated but this is alread the old one)\n");
else
fprintf (fp, "; KSK rollover phase2 (this is the new key)\n");
dki_prt_dnskeyttl (dkp, fp, ttl);
fclose (fp);
return phase;
}
/*****************************************************************
** get_parent_phase ()
*****************************************************************/
static int get_parent_phase (const char *file)
{
FILE *fp;
int phase;
if ( (fp = fopen (file, "r")) == NULL )
return -1;
phase = 0;
if ( fscanf (fp, "; KSK rollover phase%d", &phase) != 1 )
phase = 0;
fclose (fp);
return phase;
}
/*****************************************************************
** kskrollover ()
*****************************************************************/
static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)
{
char path[MAX_PATHSIZE+1];
const zconf_t *z;
time_t lifetime;
time_t currtime;
time_t age;
int currphase;
int parfile_age;
int parent_propagation;
int parent_resign;
int parent_keyttl;
assert ( ksk != NULL );
assert ( zp != NULL );
z = zp->conf;
/* check ksk lifetime */
if ( (lifetime = dki_lifetime (ksk)) == 0 ) /* if lifetime of key is not set.. */
lifetime = z->k_life; /* ..use global configured lifetime */
currtime = time (NULL);
age = dki_age (ksk, currtime);
/* build path of parent-file */
pathname (path, sizeof (path), zp->dir, "parent-", zp->zone);
/* check if we have to change the ksk ? */
if ( lifetime > 0 && age > lifetime && !fileexist (path) ) /* lifetime is over and no kskrollover in progress */
{
/* we are using hierachical mode and the parent directory contains a signed zone ? */
if ( z->keysetdir && strcmp (z->keysetdir, "..") == 0 && is_parentdirsigned (zonelist, zp) )
{
verbmesg (2, z, "\t\tkskrollover: create new key signing key\n");
/* create a new key: this is phase one of a double signing key rollover */
ksk = genkey (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
if ( ksk == NULL )
{
lg_mesg (LG_ERROR, "\"%s\": unable to generate new ksk for double signing rollover", zp->zone);
return 0;
}
lg_mesg (LG_INFO, "\"%s\": kskrollover phase1: New key %d generated", zp->zone, ksk->tag);
/* find the oldest active ksk to create the parent file */
if ( (ksk = (dki_t *)dki_find (zp->keys, 1, 'a', 1)) == NULL )
lg_mesg (LG_ERROR, "kskrollover phase1: Couldn't find the old active key\n");
if ( !create_parent_file (path, 1, z->key_ttl, ksk) )
lg_mesg (LG_ERROR, "Couldn't create parentfile %s\n", path);
}
else /* print out a warning only */
{
logmesg ("\t\tWarning: Lifetime of Key Signing Key %d exceeded: %s\n",
ksk->tag, str_delspace (age2str (age)));
lg_mesg (LG_WARNING, "\"%s\": lifetime of key signing key %d exceeded since %s",
zp->zone, ksk->tag, str_delspace (age2str (age - lifetime)));
}
return 1;
}
/* now check if there is an ongoing key rollover */
/* check if parent-file already exist */
if ( !fileexist (path) ) /* no parent-<zone> file found ? */
return 0; /* ok, that's it */
/* check the ksk rollover phase we are in */
currphase = get_parent_phase (path); /* this is the actual state we are in */
parfile_age = file_age (path);
/* TODO: Set these values to the one found in the parent dnssec.conf file */
parent_propagation = 5 * MINSEC;
parent_resign = z->resign;
parent_keyttl = z->key_ttl;
switch ( currphase )
{
case 1: /* we are currently in state one (new ksk already generated) */
if ( parfile_age > z->proptime + z->key_ttl ) /* can we go to phase 2 ? */
{
verbmesg (2, z, "\t\tkskrollover: save new ksk in parent file\n");
ksk = ksk->next; /* set ksk to new ksk */
if ( !create_parent_file (path, currphase+1, z->key_ttl, ksk) )
lg_mesg (LG_ERROR, "Couldn't create parentfile %s\n", path);
lg_mesg (LG_INFO, "\"%s\": kskrollover phase2: send new key %d to the parent zone", zp->zone, ksk->tag);
return 1;
}
else
verbmesg (2, z, "\t\tkskrollover: we are in state 1 and waiting for propagation of the new key (parentfile %d < prop %d + keyttl %d\n", parfile_age, z->proptime, z->key_ttl);
break;
case 2: /* we are currently in state two (propagation of new key to the parent) */
#if 0
if ( parfile_age >= parent_propagation + parent_resign + parent_keyttl ) /* can we go to phase 3 ? */
#else
if ( parfile_age >= parent_propagation + parent_keyttl ) /* can we go to phase 3 ? */
#endif
{
/* remove the parentfile */
unlink (path);
/* remove oldest key from list and mark file as removed */
zp->keys = dki_remove (ksk);
// verbmesg (2, z, "kskrollover: remove parentfile and rename old key to k<zone>+<algo>+<tag>.key\n");
verbmesg (2, z, "\t\tkskrollover: remove parentfile and rename old key to k%s+%03d+%05d.key\n",
ksk->name, ksk->algo, ksk->tag);
lg_mesg (LG_INFO, "\"%s\": kskrollover phase3: Remove old key %d", zp->zone, ksk->tag);
return 1;
}
else
#if 0
verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %d < parentprop %d + parentresig %d + parentkeyttl %d\n", parfile_age, parent_propagation, parent_resign, parent_keyttl);
#else
verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %d < parentprop %d + parentkeyttl %d\n", parfile_age, parent_propagation, parent_keyttl);
#endif
break;
default:
assert ( currphase == 1 || currphase == 2 );
/* NOTREACHED */
}
return 0;
}
/*****************************************************************
** global function definition
*****************************************************************/
/*****************************************************************
** ksk5011status ()
** Check if the list of zone keys containing a revoked or a
** standby key.
** Remove the revoked key if it is older than 30 days.
** If the lifetime of the active key is reached, do a rfc5011
** keyrollover.
** Returns an int with the rightmost bit set if a resigning
** is required. The second rightmost bit is set, if it is an
** rfc5011 zone.
*****************************************************************/
int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)
{
dki_t *standbykey;
dki_t *activekey;
dki_t *dkp;
dki_t *prev;
time_t currtime;
time_t exptime;
int ret;
assert ( listp != NULL );
assert ( z != NULL );
if ( z->k_life == 0 )
return 0;
verbmesg (1, z, "\tCheck RFC5011 status\n");
ret = 0;
currtime = time (NULL);
/* go through the list of key signing keys, */
/* remove revoked keys and set a pointer to standby and active key */
standbykey = activekey = NULL;
prev = NULL;
for ( dkp = *listp; dkp && dki_isksk (dkp); dkp = dkp->next )
{
exptime = get_exptime (dkp, z);
if ( dki_isrevoked (dkp) )
lg_mesg (LG_DEBUG, "Rev Exptime: %s", time2str (exptime, 's'));
/* revoked key is older than 30 days? */
if ( dki_isrevoked (dkp) && currtime > exptime + (DAYSEC * 30) )
{
verbmesg (1, z, "\tRemove revoked key %d which is older than 30 days\n", dkp->tag);
lg_mesg (LG_NOTICE, "zone \"%s\": removing revoked key %d", domain, dkp->tag);
/* remove key from list and mark file as removed */
if ( prev == NULL ) /* at the beginning of the list ? */
*listp = dki_remove (dkp);
else /* anywhere in the middle of the list */
prev->next = dki_remove (dkp);
ret |= 01; /* from now on a resigning is neccessary */
}
/* remember oldest standby and active key */
if ( dki_status (dkp) == DKI_PUBLISHED )
standbykey = dkp;
if ( dki_status (dkp) == DKI_ACTIVE )
activekey = dkp;
}
if ( standbykey == NULL && ret == 0 ) /* no standby key and also no revoked key found ? */
return ret; /* Seems that this is a non rfc5011 zone! */
ret |= 02; /* Zone looks like a rfc5011 zone */
exptime = get_exptime (activekey, z);
#if 0
lg_mesg (LG_DEBUG, "Act Exptime: %s", time2str (exptime, 's'));
lg_mesg (LG_DEBUG, "Stb time: %s", time2str (dki_time (standbykey), 's'));
lg_mesg (LG_DEBUG, "Stb time+wait: %s", time2str (dki_time (standbykey) + min (DAYSEC * 30, z->key_ttl), 's'));
#endif
/* At the time we first introduce a standby key, the lifetime of the current KSK should not be expired, */
/* otherwise we run into an (nearly) immediate key rollover! */
if ( currtime > exptime && currtime > dki_time (standbykey) + min (DAYSEC * 30, z->key_ttl) )
{
lg_mesg (LG_NOTICE, "\"%s\": starting rfc5011 rollover", domain);
verbmesg (1, z, "\tLifetime of Key Signing Key %d exceeded (%s): Starting rfc5011 rollover!\n",
activekey->tag, str_delspace (age2str (dki_age (activekey, currtime))));
verbmesg (2, z, "\t\t=>Generating new standby key signing key\n");
dkp = genkey (listp, dir, domain, DKI_KSK, z, DKI_PUBLISHED); /* gentime == now; lifetime = z->k_life; exp = 0 */
if ( !dkp )
{
error ("\tcould not generate new standby KSK\n");
lg_mesg (LG_ERROR, "\%s\": can't generate new standby KSK", domain);
}
else
lg_mesg (LG_INFO, "\"%s\": generated new standby KSK %d", domain, dkp->tag);
/* standby key gets active */
verbmesg (2, z, "\t\t=>Activating old standby key %d \n", standbykey->tag);
dki_setstatus (standbykey, DKI_ACT);
/* active key should be revoked */
verbmesg (2, z, "\t\t=>Revoking old active key %d \n", activekey->tag);
dki_setstatus (activekey, DKI_REVOKED);
dki_setexptime (activekey, currtime); /* now the key is expired */
ret |= 01; /* resigning neccessary */
}
return ret;
}
/*****************************************************************
** kskstatus ()
** Check the ksk status of a zone if a ksk lifetime is set.
** If there is no key signing key present create a new one.
** Prints out a warning message if the lifetime of the current
** key signing key is over.
** Returns 1 if a resigning of the zone is neccessary, otherwise
** the function returns 0.
*****************************************************************/
int kskstatus (zone_t *zonelist, zone_t *zp)
{
dki_t *akey;
const zconf_t *z;
assert ( zp != NULL );
z = zp->conf;
if ( z->k_life == 0 )
return 0;
verbmesg (1, z, "\tCheck KSK status\n");
/* check if a key signing key exist ? */
akey = (dki_t *)dki_find (zp->keys, 1, 'a', 1);
if ( akey == NULL )
{
verbmesg (1, z, "\tNo active KSK found: generate new one\n");
akey = genkey (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
if ( !akey )
{
error ("\tcould not generate new KSK\n");
lg_mesg (LG_ERROR, "\"%s\": can't generate new KSK: \"%s\"",
zp->zone, dki_geterrstr());
}
else
lg_mesg (LG_INFO, "\"%s\": generated new KSK %d", zp->zone, akey->tag);
return akey != NULL; /* return value of 1 forces a resigning of the zone */
}
else /* try to start a full automatic ksk rollover */
kskrollover (akey, zonelist, zp);
return 0;
}
/*****************************************************************
** zskstatus ()
** Check the zsk status of a zone.
** Returns 1 if a resigning of the zone is neccessary, otherwise
** the function returns 0.
*****************************************************************/
int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)
{
dki_t *akey;
dki_t *nextkey;
dki_t *dkp, *last;
int keychange;
time_t lifetime;
time_t age;
time_t currtime;
assert ( listp != NULL );
/* dir can be NULL */
assert ( domain != NULL );
assert ( z != NULL );
currtime = time (NULL);
verbmesg (1, z, "\tCheck ZSK status\n");
dbg_val("zskstatus for %s \n", domain);
keychange = 0;
/* Is the depreciated key expired ? */
/* As mentioned by olaf, this is the max_ttl of all the rr in the zone */
lifetime = z->max_ttl + z->proptime; /* draft kolkman/gieben */
last = NULL;
dkp = *listp;
while ( dkp )
if ( !dki_isksk (dkp) &&
dki_status (dkp) == DKI_DEPRECIATED &&
dki_age (dkp, currtime) > lifetime )
{
keychange = 1;
verbmesg (1, z, "\tLifetime(%d sec) of depreciated key %d exceeded (%d sec)\n",
lifetime, dkp->tag, dki_age (dkp, currtime));
lg_mesg (LG_INFO, "\"%s\": old ZSK %d removed", domain, dkp->tag);
dkp = dki_destroy (dkp); /* delete the keyfiles */
dbg_msg("zskstatus: depreciated key removed ");
if ( last )
last->next = dkp;
else
*listp = dkp;
verbmesg (1, z, "\t\t->remove it\n");
}
else
{
last = dkp;
dkp = dkp->next;
}
/* check status of active key */
dbg_msg("zskstatus check status of active key ");
lifetime = z->z_life; /* global configured lifetime for zsk */
akey = (dki_t *)dki_find (*listp, 0, 'a', 1);
if ( akey == NULL && lifetime > 0 ) /* no active key found */
{
verbmesg (1, z, "\tNo active ZSK found: generate new one\n");
akey = genkey (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE);
lg_mesg (LG_INFO, "\"%s\": generated new ZSK %d", domain, akey->tag);
}
else /* active key exist */
{
if ( dki_lifetime (akey) )
lifetime = dki_lifetime (akey); /* set lifetime to lt of active key */
/* lifetime of active key is expired and published key exist ? */
age = dki_age (akey, currtime);
if ( lifetime > 0 && age > lifetime - (OFFSET) )
{
verbmesg (1, z, "\tLifetime(%d +/-%d sec) of active key %d exceeded (%d sec)\n",
lifetime, (OFFSET) , akey->tag, dki_age (akey, currtime) );
/* depreciate the key only if there is another active or published key */
if ( (nextkey = (dki_t *)dki_find (*listp, 0, 'a', 2)) == NULL ||
nextkey == akey )
nextkey = (dki_t *)dki_find (*listp, 0, 'p', 1);
/* Is the published key sufficient long in the zone ? */
/* As mentioned by Olaf, this should be the ttl of the DNSKEY RR ! */
if ( nextkey && dki_age (nextkey, currtime) > z->key_ttl + z->proptime )
{
keychange = 1;
verbmesg (1, z, "\t\t->depreciate it\n");
dki_setstatus (akey, 'd'); /* depreciate the active key */
verbmesg (1, z, "\t\t->activate published key %d\n", nextkey->tag);
dki_setstatus (nextkey, 'a'); /* activate published key */
lg_mesg (LG_NOTICE, "\"%s\": lifetime of zone signing key %d exceeded: ZSK rollover done", domain, akey->tag);
akey = nextkey;
nextkey = NULL;
}
else
{
verbmesg (1, z, "\t\t->waiting for published key\n");
lg_mesg (LG_NOTICE, "\"%s\": lifetime of zone signing key %d exceeded since %s: ZSK rollover deferred: waiting for published key",
domain, akey->tag, str_delspace (age2str (age - lifetime)));
}
}
}
/* Should we add a new publish key? This is neccessary if the active
* key will be expired at the next re-signing interval (The published
* time will be checked just before the active key will be removed.
* See above).
*/
nextkey = (dki_t *)dki_find (*listp, 0, 'p', 1);
if ( nextkey == NULL && lifetime > 0 && (akey == NULL ||
dki_age (akey, currtime + z->resign) > lifetime - (OFFSET)) )
{
keychange = 1;
verbmesg (1, z, "\tNew key for publishing needed\n");
nextkey = genkey (listp, dir, domain, DKI_ZSK, z, DKI_PUB);
if ( nextkey )
{
verbmesg (1, z, "\t\t->creating new key %d\n", nextkey->tag);
lg_mesg (LG_INFO, "\"%s\": new key %d generated for publishing", domain, nextkey->tag);
}
else
{
error ("\tcould not generate new ZSK: \"%s\"\n", dki_geterrstr());
lg_mesg (LG_ERROR, "\"%s\": can't generate new ZSK: \"%s\"",
domain, dki_geterrstr());
}
}
return keychange;
}
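
Review bot: `genkey()` can return NULL (the second call near the end of this function checks for exactly that), but the call that regenerates a missing active ZSK dereferences the result unconditionally in `lg_mesg (LG_INFO, "\"%s\": generated new ZSK %d", domain, akey->tag);`, so a key-generation failure crashes the signer instead of being logged the way the published-key branch does it; guard it with the same `if ( akey ) ... else error (...)` pattern. A second gap in the same region: when no active key exists but `z->z_life` is 0, the condition `akey == NULL && lifetime > 0` is false and control falls into the `else /* active key exist */` branch, where `dki_lifetime (akey)` and `dki_age (akey, currtime)` are called with a NULL key. Test `akey == NULL` on its own and only generate when `lifetime > 0`. Finally, the debug text `depreciated key removed` (and `dki_isdepreciated` elsewhere) means "deprecated"; worth settling on one spelling before the status names are frozen.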

52
contrib/zkt/rollover.h Normal file

@ -0,0 +1,52 @@
/*****************************************************************
**
** @(#) rollover.h (c) 2005 - 2008 Holger Zuleger hznet.de
**
** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef ROLLOVER_H
# define ROLLOVER_H
# include <sys/types.h>
# include <stdarg.h>
# include <stdio.h>
#ifndef ZCONF_H
# include "zconf.h"
#endif
# define OFFSET ((int) (2.5 * MINSEC))
extern int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z);
extern int kskstatus (zone_t *zonelist, zone_t *zp);
extern int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t *z);
#endif
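
Review bot: the header is not self-contained. The three prototypes use `dki_t` and `zone_t`, but only `zconf.h` is included, so every translation unit has to pull in whatever header defines those types (presumably the ones matching `dki.c` and `zone.c`) before `rollover.h`, in the right order; include or forward-declare them here instead. `<stdarg.h>` and `<stdio.h>` are included for nothing the declarations need. `OFFSET` is also a very generic name to export from a header: its expansion `((int) (2.5 * MINSEC))` depends on `MINSEC` from `zconf.h` and it is really the tolerance window around a key lifetime, so a prefixed name such as `ZKT_ROLLOVER_OFFSET` plus a one-line comment on what the 2.5 minutes is meant to absorb would read better.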

166
contrib/zkt/strlist.c Normal file

@ -0,0 +1,166 @@
/*****************************************************************
**
** @(#) strlist.c (c) Mar 2005 Holger Zuleger
**
** TODO: Maybe we should use a special type for the list:
** typedef struct { char cnt; char list[0+1]; } strlist__t;
** This results in better type control of the function parameters
**
** Copyright (c) Mar 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifdef TEST
# include <stdio.h>
#endif
#include <string.h>
#include <stdlib.h>
#include "strlist.h"
/*****************************************************************
** prepstrlist (str, delim)
** prepare a string with delimeters to a so called strlist.
** 'str' is a list of substrings delimeted by 'delim'
** The # of strings is stored at the first byte of the allocated
** memory. Every substring is stored as a '\0' terminated C-String.
** The function returns a pointer to dynamic allocated memory
*****************************************************************/
char *prepstrlist (const char *str, const char *delim)
{
char *p;
char *new;
int len;
int cnt;
if ( str == NULL )
return NULL;
len = strlen (str);
if ( (new = malloc (len + 2)) == NULL )
return new;
cnt = 0;
p = new;
for ( *p++ = '\0'; *str; str++ )
{
if ( strchr (delim, *str) == NULL )
*p++ = *str;
else if ( p[-1] != '\0' )
{
*p++ = '\0';
cnt++;
}
}
*p = '\0'; /*terminate string */
if ( p[-1] != '\0' )
cnt++;
*new = cnt & 0xFF;
return new;
}
/*****************************************************************
** isinlist (str, list)
** check if 'list' contains 'str'
*****************************************************************/
int isinlist (const char *str, const char *list)
{
int cnt;
if ( list == NULL || *list == '\0' )
return 1;
if ( str == NULL || *str == '\0' )
return 0;
cnt = *list;
while ( cnt-- > 0 )
{
list++;
if ( strcmp (str, list) == 0 )
return 1;
list += strlen (list);
}
return 0;
}
/*****************************************************************
** unprepstrlist (list, delimc)
*****************************************************************/
char *unprepstrlist (char *list, char delimc)
{
char *p;
int cnt;
cnt = *list & 0xFF;
p = list;
for ( *p++ = delimc; cnt > 1; p++ )
if ( *p == '\0' )
{
*p = delimc;
cnt--;
}
return list;
}
#ifdef TEST
main (int argc, char *argv[])
{
FILE *fp;
char *p;
char *searchlist = NULL;
char group[255];
if ( argc > 1 )
searchlist = prepstrlist (argv[1], LISTDELIM);
printf ("searchlist: %d entrys: \n", searchlist[0]);
if ( (fp = fopen ("/etc/group", "r")) == NULL )
exit (fprintf (stderr, "can't open file\n"));
while ( fscanf (fp, "%[^:]:%*[^\n]\n", group) != EOF )
if ( isinlist (group, searchlist) )
printf ("%s\n", group);
fclose (fp);
printf ("searchlist: \"%s\"\n", unprepstrlist (searchlist, *LISTDELIM));
for ( p = searchlist; *p; p++ )
if ( *p < 32 )
printf ("<%d>", *p);
else
printf ("%c", *p);
printf ("\n");
}
#endif
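
Review bot: `isinlist` reads the entry count with `cnt = *list;`, while `unprepstrlist` reads it with `*list & 0xFF` and `prepstrlist` stores it as `cnt & 0xFF`. On a platform where `char` is signed, a list with 128 or more entries yields a negative `cnt`, the `while ( cnt-- > 0 )` loop never runs and every lookup returns 0; above 255 entries the stored count silently wraps and entries are dropped. Read the count as `(unsigned char) *list` in both places, and either have `prepstrlist` return NULL for more than 255 entries or widen the count. Two further points deserve a comment: `isinlist` returns 1 for a NULL or empty list, i.e. an empty list matches everything, which matters if a caller uses it as a filter; and the `TEST` driver dereferences `searchlist[0]` when no argument was given, where `searchlist` is still NULL (its `main` also lacks a return type).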

46
contrib/zkt/strlist.h Normal file

@ -0,0 +1,46 @@
/*****************************************************************
**
** @(#) strlist.h (c) Mar 2005 Holger Zuleger
**
** Copyright (c) May 2005 Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef STRLIST_H
# define STRLIST_H
# define LISTDELIM " ,:;|^\t"
char *prepstrlist (const char *str, const char *delim);
int isinlist (const char *str, const char *list);
char *unprepstrlist (char *list, char delimc);
#endif
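
Review bot: the prototypes carry no description of the list encoding (one count byte followed by NUL-terminated strings), of the 255-entry ceiling that encoding implies, or of the fact that `isinlist` treats a NULL or empty list as matching everything; a caller can only learn this by reading `strlist.c`, and the `TEST` driver there already pokes at `list[0]` directly. Document the format here and add a small accessor (for example `int strlist_count (const char *list)`) so the count byte is decoded in one place. The two dates in the banner also disagree (`Mar 2005` in the `@(#)` line, `May 2005` in the copyright line).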

324
contrib/zkt/tags Normal file

@ -0,0 +1,324 @@
!_TAG_FILE_FORMAT 2 /extended format; --format=1 will not append ;" to lines/
!_TAG_FILE_SORTED 1 /0=unsorted, 1=sorted, 2=foldcase/
!_TAG_PROGRAM_AUTHOR Darren Hiebert /dhiebert@users.sourceforge.net/
!_TAG_PROGRAM_NAME Exuberant Ctags //
!_TAG_PROGRAM_URL http://ctags.sourceforge.net /official site/
!_TAG_PROGRAM_VERSION 5.5.4 //
CONF_ALGO zconf.c /^ CONF_ALGO,$/;" e file:
CONF_BOOL zconf.c /^ CONF_BOOL,$/;" e file:
CONF_COMMENT zconf.c /^ CONF_COMMENT,$/;" e file:
CONF_END zconf.c /^ CONF_END = 0,$/;" e file:
CONF_FACILITY zconf.c /^ CONF_FACILITY,$/;" e file:
CONF_INT zconf.c /^ CONF_INT,$/;" e file:
CONF_LEVEL zconf.c /^ CONF_LEVEL,$/;" e file:
CONF_SERIAL zconf.c /^ CONF_SERIAL,$/;" e file:
CONF_STRING zconf.c /^ CONF_STRING,$/;" e file:
CONF_TIMEINT zconf.c /^ CONF_TIMEINT,$/;" e file:
ISCOMMENT zconf.c 68;" d file:
ISDELIM zconf.c 70;" d file:
ISTRUE zconf.c 66;" d file:
KEYSET_FILE_PFX dnssec-signer.c 669;" d file:
KeyWords ncparse.c /^static struct KeyWords {$/;" s file:
MAXFNAME log.c 97;" d file:
STRCONFIG_DELIMITER zconf.c 505;" d file:
TAINTEDCHARS misc.c 60;" d file:
TOK_DELEGATION ncparse.c 59;" d file:
TOK_DIR ncparse.c 49;" d file:
TOK_FILE ncparse.c 62;" d file:
TOK_FORWARD ncparse.c 58;" d file:
TOK_HINT ncparse.c 57;" d file:
TOK_INCLUDE ncparse.c 50;" d file:
TOK_MASTER ncparse.c 54;" d file:
TOK_SLAVE ncparse.c 55;" d file:
TOK_STRING ncparse.c 48;" d file:
TOK_STUB ncparse.c 56;" d file:
TOK_TYPE ncparse.c 53;" d file:
TOK_UNKNOWN ncparse.c 64;" d file:
TOK_VIEW ncparse.c 60;" d file:
TOK_ZONE ncparse.c 52;" d file:
a domaincmp.c /^ char *a;$/;" m file:
add2zonelist dnssec-signer.c /^static int add2zonelist (const char *dir, const char *view, const char *zone, const char *file)$/;" f file:
age2str misc.c /^char *age2str (time_t sec)$/;" f
ageflag dnssec-zkt.c /^int ageflag = 0;$/;" v
b domaincmp.c /^ char *b;$/;" m file:
bool2str zconf.c /^static const char *bool2str (int val)$/;" f file:
check_keydb_timestamp dnssec-signer.c /^static int check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;" f file:
checkconfig zconf.c /^int checkconfig (const zconf_t *z)$/;" f
cmdline zconf.c /^ int cmdline; \/* is this a command line parameter ? *\/$/;" m file:
cmpfile misc.c /^int cmpfile (const char *file1, const char *file2)$/;" f
config dnssec-signer.c /^static zconf_t *config;$/;" v file:
config zconf.c /^static zconf_t *config;$/;" v file:
confpara zconf.c /^static zconf_para_t confpara[] = {$/;" v file:
copy_keyset dnssec-signer.c /^static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf)$/;" f file:
copyfile misc.c /^int copyfile (const char *fromfile, const char *tofile, const char *dnskeyfile)$/;" f
copyzonefile misc.c /^int copyzonefile (const char *fromfile, const char *tofile, const char *dnskeyfile)$/;" f
create_parent_file dnssec-zkt.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file:
create_parent_file rollover.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file:
createkey dnssec-zkt.c /^static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;" f file:
ctype_t zconf.c /^} ctype_t;$/;" t file:
def zconf.c /^static zconf_t def = {$/;" v file:
dirflag dnssec-zkt.c /^static int dirflag = 0;$/;" v file:
dirname dnssec-signer.c /^const char *dirname = NULL;$/;" v
dist_and_reload dnssec-signer.c /^static int dist_and_reload (const zone_t *zp)$/;" f file:
dki_add dki.c /^dki_t *dki_add (dki_t **list, dki_t *new)$/;" f
dki_age dki.c /^int dki_age (const dki_t *dkp, time_t curr)$/;" f
dki_algo2str dki.c /^char *dki_algo2str (int algo)$/;" f
dki_allcmp dki.c /^int dki_allcmp (const dki_t *a, const dki_t *b)$/;" f
dki_alloc dki.c /^static dki_t *dki_alloc ()$/;" f file:
dki_cmp dki.c /^int dki_cmp (const dki_t *a, const dki_t *b)$/;" f
dki_destroy dki.c /^dki_t *dki_destroy (dki_t *dkp)$/;" f
dki_estr dki.c /^static char dki_estr[255+1];$/;" v file:
dki_exptime dki.c /^time_t dki_exptime (const dki_t *dkp)$/;" f
dki_find dki.c /^const dki_t *dki_find (const dki_t *list, int ksk, int status, int no)$/;" f
dki_free dki.c /^void dki_free (dki_t *dkp)$/;" f
dki_freelist dki.c /^void dki_freelist (dki_t **listp)$/;" f
dki_gentime dki.c /^time_t dki_gentime (const dki_t *dkp)$/;" f
dki_geterrstr dki.c /^const char *dki_geterrstr ()$/;" f
dki_getflag dki.c /^dk_flag_t dki_getflag (const dki_t *dkp, time_t curr)$/;" f
dki_isactive dki.c /^int dki_isactive (const dki_t *dkp)$/;" f
dki_isdepreciated dki.c /^int dki_isdepreciated (const dki_t *dkp)$/;" f
dki_isksk dki.c /^int dki_isksk (const dki_t *dkp)$/;" f
dki_ispublished dki.c /^int dki_ispublished (const dki_t *dkp)$/;" f
dki_isrevoked dki.c /^int dki_isrevoked (const dki_t *dkp)$/;" f
dki_lifetime dki.c /^time_t dki_lifetime (const dki_t *dkp)$/;" f
dki_lifetimedays dki.c /^ushort dki_lifetimedays (const dki_t *dkp)$/;" f
dki_namecmp dki.c /^int dki_namecmp (const dki_t *a, const dki_t *b)$/;" f
dki_new dki.c /^dki_t *dki_new (const char *dir, const char *name, int ksk, int algo, int bitsize, const char *rfile, int lf_days)$/;" f
dki_prt_comment dki.c /^int dki_prt_comment (const dki_t *dkp, FILE *fp)$/;" f
dki_prt_dnskey dki.c /^int dki_prt_dnskey (const dki_t *dkp, FILE *fp)$/;" f
dki_prt_dnskey_raw dki.c /^int dki_prt_dnskey_raw (const dki_t *dkp, FILE *fp)$/;" f
dki_prt_dnskeyttl dki.c /^int dki_prt_dnskeyttl (const dki_t *dkp, FILE *fp, int ttl)$/;" f
dki_prt_trustedkey dki.c /^int dki_prt_trustedkey (const dki_t *dkp, FILE *fp)$/;" f
dki_read dki.c /^dki_t *dki_read (const char *dirname, const char *filename)$/;" f
dki_readdir dki.c /^int dki_readdir (const char *dir, dki_t **listp, int recursive)$/;" f
dki_readfile dki.c /^static int dki_readfile (FILE *fp, dki_t *dkp)$/;" f file:
dki_remove dki.c /^dki_t *dki_remove (dki_t *dkp)$/;" f
dki_search dki.c /^const dki_t *dki_search (const dki_t *list, int tag, const char *name)$/;" f
dki_setexptime dki.c /^time_t dki_setexptime (dki_t *dkp, time_t sec)$/;" f
dki_setflag dki.c /^dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag)$/;" f
dki_setlifetime dki.c /^ushort dki_setlifetime (dki_t *dkp, int days)$/;" f
dki_setstat dki.c /^static int dki_setstat (dki_t *dkp, int status, int preserve_time)$/;" f file:
dki_setstatus dki.c /^int dki_setstatus (dki_t *dkp, int status)$/;" f
dki_setstatus_preservetime dki.c /^int dki_setstatus_preservetime (dki_t *dkp, int status)$/;" f
dki_status dki.c /^dk_status_t dki_status (const dki_t *dkp)$/;" f
dki_statusstr dki.c /^const char *dki_statusstr (const dki_t *dkp)$/;" f
dki_tadd dki.c /^dki_t *dki_tadd (dki_t **tree, dki_t *new)$/;" f
dki_tagcmp dki.c /^int dki_tagcmp (const dki_t *a, const dki_t *b)$/;" f
dki_tfree dki.c /^void dki_tfree (dki_t **tree)$/;" f
dki_time dki.c /^time_t dki_time (const dki_t *dkp)$/;" f
dki_timecmp dki.c /^int dki_timecmp (const dki_t *a, const dki_t *b)$/;" f
dki_tsearch dki.c /^const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name)$/;" f
dki_unsetflag dki.c /^dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag)$/;" f
dki_writeinfo dki.c /^static int dki_writeinfo (const dki_t *dkp, const char *path)$/;" f file:
domaincmp domaincmp.c /^int domaincmp (const char *a, const char *b)$/;" f
dosigning dnssec-signer.c /^static int dosigning (zone_t *zonelist, zone_t *zp)$/;" f file:
dupconfig zconf.c /^zconf_t *dupconfig (const zconf_t *conf)$/;" f
dyn_update_freeze dnssec-signer.c /^static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;" f file:
dynamic_zone dnssec-signer.c /^static int dynamic_zone = 0; \/* dynamic zone ? *\/$/;" v file:
error misc.c /^void error (char *fmt, ...)$/;" f
ex domaincmp.c /^} ex[] = {$/;" v file:
exptimeflag dnssec-zkt.c /^int exptimeflag = 0;$/;" v
extern dki.c 59;" d file:
extern dki.c 61;" d file:
extern domaincmp.c 42;" d file:
extern domaincmp.c 44;" d file:
extern log.c 55;" d file:
extern log.c 57;" d file:
extern misc.c 56;" d file:
extern misc.c 58;" d file:
extern ncparse.c 44;" d file:
extern ncparse.c 46;" d file:
extern rollover.c 57;" d file:
extern rollover.c 59;" d file:
extern zconf.c 61;" d file:
extern zconf.c 63;" d file:
extern zkt.c 47;" d file:
extern zkt.c 49;" d file:
extern zone.c 53;" d file:
extern zone.c 55;" d file:
fatal misc.c /^void fatal (char *fmt, ...)$/;" f
file_age misc.c /^int file_age (const char *fname)$/;" f
file_mtime misc.c /^time_t file_mtime (const char *fname)$/;" f
fileexist misc.c /^int fileexist (const char *name)$/;" f
filesize misc.c /^size_t filesize (const char *name)$/;" f
force dnssec-signer.c /^static int force = 0;$/;" v file:
genkey rollover.c /^static dki_t *genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
get_exptime rollover.c /^static time_t get_exptime (dki_t *key, const zconf_t *z)$/;" f file:
get_parent_phase dnssec-zkt.c /^static int get_parent_phase (const char *file)$/;" f file:
get_parent_phase rollover.c /^static int get_parent_phase (const char *file)$/;" f file:
getdefconfname misc.c /^const char *getdefconfname (const char *view)$/;" f
getnameappendix misc.c /^const char *getnameappendix (const char *progname, const char *basename)$/;" f
gettok ncparse.c /^static int gettok (FILE *fp, char *val, size_t valsize)$/;" f file:
goto_labelstart domaincmp.c 47;" d file:
headerflag dnssec-zkt.c /^int headerflag = 1;$/;" v
in_strarr misc.c /^int in_strarr (const char *str, char *const arr[], int cnt)$/;" f
inc_errstr misc.c /^const char *inc_errstr (int err)$/;" f
inc_serial misc.c /^int inc_serial (const char *fname, int use_unixtime)$/;" f
inc_soa_serial misc.c /^static int inc_soa_serial (FILE *fp, int use_unixtime)$/;" f file:
is_directory misc.c /^int is_directory (const char *name)$/;" f
is_dotfile misc.c /^int is_dotfile (const char *name)$/;" f
is_exec_ok misc.c /^int is_exec_ok (const char *prog)$/;" f
is_keyfilename misc.c /^int is_keyfilename (const char *name)$/;" f
is_parentdirsigned rollover.c /^static int is_parentdirsigned (const zone_t *zonelist, const zone_t *zp)$/;" f file:
isinlist strlist.c /^int isinlist (const char *str, const char *list)$/;" f
ksk5011status rollover.c /^int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;" f
ksk_roll dnssec-zkt.c /^static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;" f file:
kskdomain dnssec-zkt.c /^static char *kskdomain = "";$/;" v file:
kskflag dnssec-zkt.c /^int kskflag = 1;$/;" v
kskrollover rollover.c /^static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)$/;" f file:
kskstatus rollover.c /^int kskstatus (zone_t *zonelist, zone_t *zp)$/;" f
kw ncparse.c /^} kw[] = {$/;" v file:
label zconf.c /^ char *label; \/* the name of the paramter *\/$/;" m file:
labellist dnssec-zkt.c /^char *labellist = NULL;$/;" v
level log.c /^ lg_lvl_t level;$/;" m file:
lg_args log.c /^void lg_args (lg_lvl_t level, int argc, char * const argv[])$/;" f
lg_close log.c /^int lg_close ()$/;" f
lg_errcnt log.c /^static long lg_errcnt;$/;" v file:
lg_fileopen log.c /^static FILE *lg_fileopen (const char *path, const char *name)$/;" f file:
lg_fp log.c /^static FILE *lg_fp;$/;" v file:
lg_geterrcnt log.c /^long lg_geterrcnt ()$/;" f
lg_lvl2str log.c /^const char *lg_lvl2str (lg_lvl_t level)$/;" f
lg_lvl2syslog log.c /^lg_lvl_t lg_lvl2syslog (lg_lvl_t level)$/;" f
lg_mesg log.c /^void lg_mesg (int priority, char *fmt, ...)$/;" f
lg_minfilelevel log.c /^static int lg_minfilelevel;$/;" v file:
lg_minsyslevel log.c /^static int lg_minsyslevel;$/;" v file:
lg_open log.c /^int lg_open (const char *progname, const char *facility, const char *syslevel, const char *path, const char *file, const char *filelevel)$/;" f
lg_progname log.c /^static const char *lg_progname;$/;" v file:
lg_reseterrcnt log.c /^long lg_reseterrcnt ()$/;" f
lg_seterrcnt log.c /^long lg_seterrcnt (long value)$/;" f
lg_str2lvl log.c /^lg_lvl_t lg_str2lvl (const char *name)$/;" f
lg_str2syslog log.c /^int lg_str2syslog (const char *facility)$/;" f
lg_symtbl_t log.c /^} lg_symtbl_t;$/;" t file:
lg_syslogging log.c /^static int lg_syslogging;$/;" v file:
lifetime dnssec-zkt.c /^int lifetime = 0;$/;" v
lifetimeflag dnssec-zkt.c /^int lifetimeflag = 0;$/;" v
linkfile misc.c /^int linkfile (const char *fromfile, const char *tofile)$/;" f
list_dnskey zkt.c /^static void list_dnskey (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
list_key zkt.c /^static void list_key (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
list_trustedkey zkt.c /^static void list_trustedkey (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
ljustflag dnssec-zkt.c /^int ljustflag = 0;$/;" v
loadconfig zconf.c /^zconf_t *loadconfig (const char *filename, zconf_t *z)$/;" f
loadconfig_fromstr zconf.c /^zconf_t *loadconfig_fromstr (const char *str, zconf_t *z)$/;" f
logfile dnssec-signer.c /^const char *logfile = NULL;$/;" v
logflush misc.c /^void logflush ()$/;" f
logmesg misc.c /^void logmesg (char *fmt, ...)$/;" f
long_options dnssec-signer.c /^static struct option long_options[] = {$/;" v file:
long_options dnssec-zkt.c /^static struct option long_options[] = {$/;" v file:
lopt_usage dnssec-signer.c 302;" d file:
lopt_usage dnssec-signer.c 305;" d file:
lopt_usage dnssec-zkt.c 410;" d file:
lopt_usage dnssec-zkt.c 413;" d file:
loptstr dnssec-signer.c 303;" d file:
loptstr dnssec-signer.c 306;" d file:
loptstr dnssec-zkt.c 411;" d file:
loptstr dnssec-zkt.c 414;" d file:
main dnssec-signer.c /^int main (int argc, char *const argv[])$/;" f
main dnssec-zkt.c /^int main (int argc, char *argv[])$/;" f
main domaincmp.c /^main (int argc, char *argv[])$/;" f
main log.c /^int main (int argc, char *argv[])$/;" f
main misc.c /^main (int argc, char *argv[])$/;" f
main ncparse.c /^main (int argc, char *argv[])$/;" f
main strlist.c /^main (int argc, char *argv[])$/;" f
main zconf.c /^main (int argc, char *argv[])$/;" f
main zkt-soaserial.c /^int main (int argc, char *argv[])$/;" f
name ncparse.c /^ char *name;$/;" m struct:KeyWords file:
namedconf dnssec-signer.c /^const char *namedconf = NULL;$/;" v
new_keysetfiles dnssec-signer.c /^static int new_keysetfiles (const char *dir, time_t zone_signing_time)$/;" f file:
noexec dnssec-signer.c /^static int noexec = 0;$/;" v file:
origin dnssec-signer.c /^const char *origin = NULL;$/;" v
parse_namedconf ncparse.c /^int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ())$/;" f
parseconfigline zconf.c /^static void parseconfigline (char *buf, unsigned int line, zconf_t *z)$/;" f file:
parsedir dnssec-signer.c /^static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf)$/;" f file:
parsedirectory dnssec-zkt.c /^static int parsedirectory (const char *dir, dki_t **listp)$/;" f file:
parsefile dnssec-zkt.c /^static void parsefile (const char *file, dki_t **listp)$/;" f file:
parsetag dnssec-zkt.c /^static const char *parsetag (const char *str, int *tagp)$/;" f file:
parseurl misc.c /^void parseurl (char *url, char **proto, char **host, char **port, char **para)$/;" f
pathflag dnssec-zkt.c /^int pathflag = 0;$/;" v
pathname misc.c /^char *pathname (char *path, size_t size, const char *dir, const char *file, const char *ext)$/;" f
prepstrlist strlist.c /^char *prepstrlist (const char *str, const char *delim)$/;" f
printconfig zconf.c /^int printconfig (const char *fname, const zconf_t *z)$/;" f
printconfigline zconf.c /^static void printconfigline (FILE *fp, zconf_para_t *cp)$/;" f file:
printkeyinfo zkt.c /^static void printkeyinfo (const dki_t *dkp, const char *oldpath)$/;" f file:
printserial zkt-soaserial.c /^static void printserial (const char *fname, unsigned long serial)$/;" f file:
printzone ncparse.c /^int printzone (const char *dir, const char *view, const char *zone, const char *file)$/;" f
progname dnssec-signer.c /^const char *progname;$/;" v
progname dnssec-zkt.c /^const char *progname;$/;" v
progname domaincmp.c /^const char *progname;$/;" v
progname log.c /^const char *progname;$/;" v
progname misc.c /^const char *progname;$/;" v
progname ncparse.c /^char *progname;$/;" v
progname zconf.c /^const char *progname;$/;" v
progname zkt-soaserial.c /^static const char *progname;$/;" v file:
read_serial_fromfile zkt-soaserial.c /^static int read_serial_fromfile (const char *fname, unsigned long *serial)$/;" f file:
recflag dnssec-zkt.c /^static int recflag = RECURSIVE;$/;" v file:
register_key dnssec-signer.c /^static void register_key (dki_t *list, const zconf_t *z)$/;" f file:
reload_zone dnssec-signer.c /^static int reload_zone (const char *domain, const zconf_t *z)$/;" f file:
reloadflag dnssec-signer.c /^static int reloadflag = 0;$/;" v file:
res domaincmp.c /^ int res;$/;" m file:
searchitem zkt.c /^static int searchitem;$/;" v file:
searchkw ncparse.c /^static int searchkw (const char *keyword)$/;" f file:
searchresult zkt.c /^static const dki_t *searchresult;$/;" v file:
set_all_varptr zconf.c /^static void set_all_varptr (zconf_t *cp)$/;" f file:
set_keylifetime zkt.c /^static void set_keylifetime (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
set_varptr zconf.c /^static int set_varptr (char *entry, void *ptr)$/;" f file:
setconfigpar zconf.c /^int setconfigpar (zconf_t *config, char *entry, const void *pval)$/;" f
setglobalflags dnssec-zkt.c /^static void setglobalflags (zconf_t *config)$/;" f file:
short_options dnssec-signer.c 66;" d file:
short_options dnssec-signer.c 68;" d file:
short_options dnssec-zkt.c 89;" d file:
sign_zone dnssec-signer.c /^static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)$/;" f file:
sopt_usage dnssec-signer.c 300;" d file:
sopt_usage dnssec-zkt.c 408;" d file:
splitpath misc.c /^const char *splitpath (char *path, size_t size, const char *filename)$/;" f
start_timer misc.c /^time_t start_timer ()$/;" f
stop_timer misc.c /^time_t stop_timer (time_t start)$/;" f
str log.c /^ const char *str;$/;" m file:
str_chop misc.c /^char *str_chop (char *str, char c)$/;" f
str_delspace misc.c /^char *str_delspace (char *s)$/;" f
str_tolowerdup misc.c /^char *str_tolowerdup (const char *s)$/;" f
str_untaint misc.c /^char *str_untaint (char *str)$/;" f
symtbl log.c /^static lg_symtbl_t symtbl[] = {$/;" v file:
syslog_level log.c /^ int syslog_level;$/;" m file:
tag_search zkt.c /^static void tag_search (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
time2isostr misc.c /^char *time2isostr (time_t sec, int precision)$/;" f
time2str misc.c /^char *time2str (time_t sec, int precision)$/;" f
timeflag dnssec-zkt.c /^int timeflag = 1;$/;" v
timeint2str zconf.c /^static const char *timeint2str (ulong val)$/;" f file:
timestr zkt-soaserial.c /^static char *timestr (time_t sec)$/;" f file:
timestr2time misc.c /^time_t timestr2time (const char *timestr)$/;" f
today_serialtime misc.c /^static ulong today_serialtime ()$/;" f file:
tok ncparse.c /^ int tok;$/;" m struct:KeyWords file:
tok2str ncparse.c /^static const char *tok2str (int tok)$/;" f file:
touch misc.c /^int touch (const char *fname, time_t sec)$/;" f
trustedkeyflag dnssec-zkt.c /^static int trustedkeyflag = 0;$/;" v file:
type zconf.c /^ ctype_t type; \/* the parameter type *\/$/;" m file:
unprepstrlist strlist.c /^char *unprepstrlist (char *list, char delimc)$/;" f
usage dnssec-signer.c /^static void usage (char *mesg, zconf_t *conf)$/;" f file:
usage dnssec-zkt.c /^static void usage (char *mesg, zconf_t *cp)$/;" f file:
usage zkt-soaserial.c /^static void usage (const char *msg)$/;" f file:
var zconf.c /^ void *var; \/* pointer to the parameter variable *\/$/;" m file:
verbmesg misc.c /^void verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...)$/;" f
verbose dnssec-signer.c /^static int verbose = 0;$/;" v file:
view dnssec-zkt.c /^static const char *view = "";$/;" v file:
viewname dnssec-signer.c /^const char *viewname = NULL;$/;" v
writekeyfile dnssec-signer.c /^static int writekeyfile (const char *fname, const dki_t *list, int key_ttl)$/;" f file:
zconf_para_t zconf.c /^} zconf_para_t;$/;" t file:
zkt_list_dnskeys zkt.c /^void zkt_list_dnskeys (const dki_t *data)$/;" f
zkt_list_keys zkt.c /^void zkt_list_keys (const dki_t *data)$/;" f
zkt_list_trustedkeys zkt.c /^void zkt_list_trustedkeys (const dki_t *data)$/;" f
zkt_search zkt.c /^const dki_t *zkt_search (const dki_t *data, int searchtag, const char *keyname)$/;" f
zkt_setkeylifetime zkt.c /^void zkt_setkeylifetime (dki_t *data)$/;" f
zone_add zone.c /^zone_t *zone_add (zone_t **list, zone_t *new)$/;" f
zone_alloc zone.c /^static zone_t *zone_alloc ()$/;" f file:
zone_cmp zone.c /^static int zone_cmp (const zone_t *a, const zone_t *b)$/;" f file:
zone_estr zone.c /^static char zone_estr[255+1];$/;" v file:
zone_free zone.c /^void zone_free (zone_t *zp)$/;" f
zone_freelist zone.c /^void zone_freelist (zone_t **listp)$/;" f
zone_geterrstr zone.c /^const char *zone_geterrstr ()$/;" f
zone_new zone.c /^zone_t *zone_new (zone_t **zp, const char *zone, const char *dir, const char *file, const char *signed_ext, const zconf_t *cp)$/;" f
zone_print zone.c /^int zone_print (const char *mesg, const zone_t *z)$/;" f
zone_readdir zone.c /^int zone_readdir (const char *dir, const char *zone, const char *zfile, zone_t **listp, const zconf_t *conf, int dyn_zone)$/;" f
zone_search zone.c /^const zone_t *zone_search (const zone_t *list, const char *zone)$/;" f
zonelist dnssec-signer.c /^static zone_t *zonelist = NULL; \/* must be static global because add2zonelist use it *\/$/;" v file:
zskflag dnssec-zkt.c /^int zskflag = 1;$/;" v
zskstatus rollover.c /^int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;" f
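
Review bot: `tags` is a generated Exuberant Ctags index (see the `!_TAG_PROGRAM_*` header lines) keyed to absolute line numbers such as `ISCOMMENT zconf.c 68`, so it goes stale on the next edit; it should not be committed with the sources, only ignored and produced by a `tags:` Makefile target. The index does surface two things worth a look in the code it describes: `create_parent_file` and `get_parent_phase` exist as separate `static` copies in both `dnssec-zkt.c` and `rollover.c`, and every .c file defines a macro named `extern` (two `d` entries per file, e.g. `extern dki.c 59` and `extern dki.c 61`), which shadows a C keyword and is fragile if any standard header is included while that macro is in effect.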

775
contrib/zkt/zconf.c Normal file

@ -0,0 +1,775 @@
/****************************************************************
**
** @(#) zconf.c -- configuration file parser for dnssec.conf
**
** Most of the code is from the SixXS Heartbeat Client
** written by Jeroen Massar <jeroen@sixxs.net>
**
** New config types and some slightly code changes
** by Holger Zuleger
**
** Copyright (c) Aug 2005, Jeroen Massar, Holger Zuleger.
** All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Jeroen Masar or Holger Zuleger nor the
** names of its contributors may be used to endorse or promote products
** derived from this software without specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
****************************************************************/
# include <sys/types.h>
# include <stdio.h>
# include <errno.h>
# include <unistd.h>
# include <stdlib.h>
# include <stdarg.h>
# include <string.h>
# include <strings.h>
# include <assert.h>
# include <ctype.h>
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
# include "config_zkt.h"
# include "debug.h"
# include "misc.h"
#define extern
# include "zconf.h"
#undef extern
# include "dki.h"
# define ISTRUE(val) (strcasecmp (val, "yes") == 0 || \
strcasecmp (val, "true") == 0 )
# define ISCOMMENT(cp) (*(cp) == '#' || *(cp) == ';' || \
(*(cp) == '/' && *((cp)+1) == '/') )
# define ISDELIM(c) ( isspace (c) || (c) == ':' || (c) == '=' )
typedef enum {
CONF_END = 0,
CONF_STRING,
CONF_INT,
CONF_TIMEINT,
CONF_BOOL,
CONF_ALGO,
CONF_SERIAL,
CONF_FACILITY,
CONF_LEVEL,
CONF_COMMENT,
} ctype_t;
/*****************************************************************
** private (static) variables
*****************************************************************/
static zconf_t def = {
ZONEDIR, RECURSIVE,
PRINTTIME, PRINTAGE, LJUST,
SIG_VALIDITY, MAX_TTL, KEY_TTL, PROPTIME, Incremental,
RESIGN_INT,
KSK_LIFETIME, KSK_ALGO, KSK_BITS, KSK_RANDOM,
ZSK_LIFETIME, ZSK_ALGO, ZSK_BITS, ZSK_RANDOM,
NULL, /* viewname cmdline paramter */
LOGFILE, LOGLEVEL, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0,
DNSKEYFILE, ZONEFILE, KEYSETDIR,
LOOKASIDEDOMAIN,
SIG_RANDOM, SIG_PSEUDO, SIG_GENDS, SIG_PARAM,
DIST_CMD /* deafults to NULL which means to run "rndc reload" */
};
typedef struct {
char *label; /* the name of the paramter */
int cmdline; /* is this a command line parameter ? */
ctype_t type; /* the parameter type */
void *var; /* pointer to the parameter variable */
} zconf_para_t;
static zconf_para_t confpara[] = {
{ "", 0, CONF_COMMENT, ""},
{ "", 0, CONF_COMMENT, "\t@(#) dnssec.conf " ZKT_VERSION },
{ "", 0, CONF_COMMENT, ""},
{ "", 0, CONF_COMMENT, NULL },
{ "", 0, CONF_COMMENT, "dnssec-zkt options" },
{ "Zonedir", 0, CONF_STRING, &def.zonedir },
{ "Recursive", 0, CONF_BOOL, &def.recursive },
{ "PrintTime", 0, CONF_BOOL, &def.printtime },
{ "PrintAge", 0, CONF_BOOL, &def.printage },
{ "LeftJustify", 0, CONF_BOOL, &def.ljust },
{ "", 0, CONF_COMMENT, NULL },
{ "", 0, CONF_COMMENT, "zone specific values" },
{ "ResignInterval", 0, CONF_TIMEINT, &def.resign },
{ "Sigvalidity", 0, CONF_TIMEINT, &def.sigvalidity },
{ "Max_TTL", 0, CONF_TIMEINT, &def.max_ttl },
{ "Propagation", 0, CONF_TIMEINT, &def.proptime },
{ "KEY_TTL", 0, CONF_TIMEINT, &def.key_ttl },
#if defined (DEF_TTL)
{ "def_ttl", 0, CONF_TIMEINT, &def.def_ttl },
#endif
{ "Serialformat", 0, CONF_SERIAL, &def.serialform },
{ "", 0, CONF_COMMENT, NULL },
{ "", 0, CONF_COMMENT, "signing key parameters"},
{ "KSK_lifetime", 0, CONF_TIMEINT, &def.k_life },
{ "KSK_algo", 0, CONF_ALGO, &def.k_algo },
{ "KSK_bits", 0, CONF_INT, &def.k_bits },
{ "KSK_randfile", 0, CONF_STRING, &def.k_random },
{ "ZSK_lifetime", 0, CONF_TIMEINT, &def.z_life },
{ "ZSK_algo", 0, CONF_ALGO, &def.z_algo },
{ "ZSK_bits", 0, CONF_INT, &def.z_bits },
{ "ZSK_randfile", 0, CONF_STRING, &def.z_random },
{ "", 0, CONF_COMMENT, NULL },
{ "", 0, CONF_COMMENT, "dnssec-signer options"},
{ "--view", 1, CONF_STRING, &def.view },
{ "LogFile", 0, CONF_STRING, &def.logfile },
{ "LogLevel", 0, CONF_LEVEL, &def.loglevel },
{ "SyslogFacility", 0, CONF_FACILITY, &def.syslogfacility },
{ "SyslogLevel", 0, CONF_LEVEL, &def.sysloglevel },
{ "VerboseLog", 0, CONF_INT, &def.verboselog },
{ "-v", 1, CONF_INT, &def.verbosity },
{ "Keyfile", 0, CONF_STRING, &def.keyfile },
{ "Zonefile", 0, CONF_STRING, &def.zonefile },
{ "KeySetDir", 0, CONF_STRING, &def.keysetdir },
{ "DLV_Domain", 0, CONF_STRING, &def.lookaside },
{ "Sig_Randfile", 0, CONF_STRING, &def.sig_random },
{ "Sig_Pseudorand", 0, CONF_BOOL, &def.sig_pseudo },
{ "Sig_GenerateDS", 1, CONF_BOOL, &def.sig_gends },
{ "Sig_Parameter", 0, CONF_STRING, &def.sig_param },
{ "Distribute_Cmd", 0, CONF_STRING, &def.dist_cmd },
{ NULL, 0, CONF_END, NULL},
};
/*****************************************************************
** private (static) function deklaration and definition
*****************************************************************/
static const char *bool2str (int val)
{
return val ? "True" : "False";
}
static const char *timeint2str (ulong val)
{
static char str[20+1];
if ( val == 0 )
snprintf (str, sizeof (str), "%lu", val / YEARSEC);
else if ( val % YEARSEC == 0 )
snprintf (str, sizeof (str), "%luy", val / YEARSEC);
else if ( val % WEEKSEC == 0 )
snprintf (str, sizeof (str), "%luw", val / WEEKSEC);
else if ( val % DAYSEC == 0 )
snprintf (str, sizeof (str), "%lud", val / DAYSEC);
else if ( val % HOURSEC == 0 )
snprintf (str, sizeof (str), "%luh", val / HOURSEC);
else if ( val % MINSEC == 0 )
snprintf (str, sizeof (str), "%lum", val / MINSEC);
else
snprintf (str, sizeof (str), "%lus", val);
return str;
}
static int set_varptr (char *entry, void *ptr)
{
zconf_para_t *c;
for ( c = confpara; c->label; c++ )
if ( strcasecmp (entry, c->label) == 0 )
{
c->var = ptr;
return 1;
}
return 0;
}
static void set_all_varptr (zconf_t *cp)
{
set_varptr ("zonedir", &cp->zonedir);
set_varptr ("recursive", &cp->recursive);
set_varptr ("printage", &cp->printage);
set_varptr ("printtime", &cp->printtime);
set_varptr ("leftjustify", &cp->ljust);
set_varptr ("resigninterval", &cp->resign);
set_varptr ("sigvalidity", &cp->sigvalidity);
set_varptr ("max_ttl", &cp->max_ttl);
set_varptr ("key_ttl", &cp->key_ttl);
set_varptr ("propagation", &cp->proptime);
#if defined (DEF_TTL)
set_varptr ("def_ttl", &cp->def_ttl);
#endif
set_varptr ("serialformat", &cp->serialform);
set_varptr ("ksk_lifetime", &cp->k_life);
set_varptr ("ksk_algo", &cp->k_algo);
set_varptr ("ksk_bits", &cp->k_bits);
set_varptr ("ksk_randfile", &cp->k_random);
set_varptr ("zsk_lifetime", &cp->z_life);
set_varptr ("zsk_algo", &cp->z_algo);
set_varptr ("zsk_bits", &cp->z_bits);
set_varptr ("zsk_randfile", &cp->z_random);
set_varptr ("--view", &cp->view);
set_varptr ("logfile", &cp->logfile);
set_varptr ("loglevel", &cp->loglevel);
set_varptr ("syslogfacility", &cp->syslogfacility);
set_varptr ("sysloglevel", &cp->sysloglevel);
set_varptr ("verboselog", &cp->verboselog);
set_varptr ("-v", &cp->verbosity);
set_varptr ("keyfile", &cp->keyfile);
set_varptr ("zonefile", &cp->zonefile);
set_varptr ("keysetdir", &cp->keysetdir);
set_varptr ("dlv_domain", &cp->lookaside);
set_varptr ("sig_randfile", &cp->sig_random);
set_varptr ("sig_pseudorand", &cp->sig_pseudo);
set_varptr ("sig_generateds", &cp->sig_gends);
set_varptr ("sig_parameter", &cp->sig_param);
set_varptr ("distribute_cmd", &cp->dist_cmd);
}
static void parseconfigline (char *buf, unsigned int line, zconf_t *z)
{
char *end, *val, *p;
char *tag;
unsigned int len, found;
zconf_para_t *c;
p = &buf[strlen(buf)-1]; /* Chop off white space at eol */
while ( p >= buf && isspace (*p) )
*p-- = '\0';
for (p = buf; isspace (*p); p++ ) /* Ignore leading white space */
;
/* Ignore comments and emtpy lines */
if ( *p == '\0' || ISCOMMENT (p) )
return;
tag = p;
/* Get the end of the first argument */
end = &buf[strlen(buf)-1];
while ( p < end && !ISDELIM (*p) ) /* Skip until delim */
p++;
*p++ = '\0'; /* Terminate this argument */
dbg_val1 ("Parsing \"%s\"\n", tag);
while ( p < end && ISDELIM (*p) ) /* Skip delim chars */
p++;
val = p; /* Start of the value */
dbg_val1 ("\tgot value \"%s\"\n", val);
/* If starting with quote, skip until next quote */
if ( *p == '"' || *p == '\'' )
{
p++; /* Find next quote */
while ( p <= end && *p && *p != *val )
p++;
*p = '\0';
val++; /* Skip the first quote */
}
else /* Otherwise check if there is any comment char at the end */
{
while ( p < end && *p && !ISCOMMENT(p) )
p++;
if ( ISCOMMENT (p) )
{
do /* Chop off white space before comment */
*p-- = '\0';
while ( p >= val && isspace (*p) );
}
}
/* Otherwise it is already terminated above */
found = 0;
c = confpara;
while ( !found && c->type != CONF_END )
{
len = strlen (c->label);
if ( strcasecmp (tag, c->label) == 0 )
{
char **str;
char quantity;
int ival;
found = 1;
switch ( c->type )
{
case CONF_LEVEL:
case CONF_FACILITY:
case CONF_STRING:
str = (char **)c->var;
*str = strdup (val);
str_untaint (*str); /* remove "bad" characters */
break;
case CONF_INT:
sscanf (val, "%d", (int *)c->var);
break;
case CONF_TIMEINT:
quantity = 'd';
sscanf (val, "%d%c", &ival, &quantity);
if ( quantity == 'm' )
ival *= MINSEC;
else if ( quantity == 'h' )
ival *= HOURSEC;
else if ( quantity == 'd' )
ival *= DAYSEC;
else if ( quantity == 'w' )
ival *= WEEKSEC;
else if ( quantity == 'y' )
ival *= YEARSEC;
(*(int *)c->var) = ival;
break;
case CONF_ALGO:
if ( strcasecmp (val, "rsa") == 0 || strcasecmp (val, "rsamd5") == 0 )
*((int *)c->var) = DK_ALGO_RSA;
else if ( strcasecmp (val, "dsa") == 0 )
*((int *)c->var) = DK_ALGO_DSA;
else if ( strcasecmp (val, "rsasha1") == 0 )
*((int *)c->var) = DK_ALGO_RSASHA1;
else
error ("Illegal algorithm \"%s\" "
"in line %d.\n" , val, line);
break;
case CONF_SERIAL:
if ( strcasecmp (val, "unixtime") == 0 )
*((serial_form_t *)c->var) = Unixtime;
else if ( strcasecmp (val, "incremental") == 0 )
*((serial_form_t *)c->var) = Incremental;
else
error ("Illegal serial no format \"%s\" "
"in line %d.\n" , val, line);
break;
case CONF_BOOL:
*((int *)c->var) = ISTRUE (val);
break;
default:
fatal ("Illegal configuration type in line %d.\n", line);
}
}
c++;
}
if ( !found )
error ("Unknown configuration statement: %s \"%s\"\n", tag, val);
return;
}
static void printconfigline (FILE *fp, zconf_para_t *cp)
{
int i;
assert (fp != NULL);
assert (cp != NULL);
switch ( cp->type )
{
case CONF_COMMENT:
if ( cp->var )
fprintf (fp, "# %s\n", (char *)cp->var);
else
fprintf (fp, "\n");
break;
case CONF_LEVEL:
case CONF_FACILITY:
if ( *(char **)cp->var != NULL )
{
if ( **(char **)cp->var != '\0' )
{
char *p;
fprintf (fp, "%s:\t", cp->label);
for ( p = *(char **)cp->var; *p; p++ )
putc (toupper (*p), fp);
fprintf (fp, "\n");
}
else
fprintf (fp, "%s:\tNONE", cp->label);
}
break;
case CONF_STRING:
if ( *(char **)cp->var )
fprintf (fp, "%s:\t\"%s\"\n", cp->label, *(char **)cp->var);
break;
case CONF_BOOL:
fprintf (fp, "%s:\t%s\n", cp->label, bool2str ( *(int*)cp->var ));
break;
case CONF_TIMEINT:
i = *(ulong*)cp->var;
fprintf (fp, "%s:\t%s", cp->label, timeint2str (i));
if ( i )
fprintf (fp, "\t# (%d seconds)", i);
putc ('\n', fp);
break;
case CONF_ALGO:
i = *(int*)cp->var;
fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
fprintf (fp, "\t# (Algorithm ID %d)\n", i);
break;
case CONF_SERIAL:
fprintf (fp, "%s:\t", cp->label);
if ( *(serial_form_t*)cp->var == Unixtime )
fprintf (fp, "unixtime\n");
else
fprintf (fp, "incremental\n");
break;
case CONF_INT:
fprintf (fp, "%s:\t%d\n", cp->label, *(int *)cp->var);
break;
case CONF_END:
/* NOTREACHED */
break;
}
}
/*****************************************************************
** public function definition
*****************************************************************/
/*****************************************************************
** loadconfig (file, conf)
** Loads a config file into the "conf" structure pointed to by "z".
** If "z" is NULL then a new conf struct will be dynamically
** allocated.
** If no filename is given the conf struct will be initialized
** by the builtin default config
*****************************************************************/
zconf_t *loadconfig (const char *filename, zconf_t *z)
{
FILE *fp;
char buf[1023+1];
unsigned int line;
if ( z == NULL ) /* allocate new memory for zconf_t */
{
if ( (z = calloc (1, sizeof (zconf_t))) == NULL )
return NULL;
if ( filename && *filename )
memcpy (z, &def, sizeof (*z)); /* init new struct with defaults */
}
if ( filename == NULL || *filename == '\0' ) /* no file name given... */
{
dbg_val0("loadconfig (NULL)\n");
memcpy (z, &def, sizeof (*z)); /* ..then init with defaults */
return z;
}
dbg_val1 ("loadconfig (%s)\n", filename);
set_all_varptr (z);
if ( (fp = fopen(filename, "r")) == NULL )
fatal ("Could not open config file \"%s\"\n", filename);
line = 0;
while (fgets(buf, sizeof(buf), fp))
{
line++;
parseconfigline (buf, line, z);
}
fclose(fp);
return z;
}
# define STRCONFIG_DELIMITER ";\r\n"
zconf_t *loadconfig_fromstr (const char *str, zconf_t *z)
{
char *buf;
char *tok, *toksave;
unsigned int line;
if ( z == NULL )
{
if ( (z = calloc (1, sizeof (zconf_t))) == NULL )
return NULL;
memcpy (z, &def, sizeof (*z)); /* init with defaults */
}
if ( str == NULL || *str == '\0' )
{
dbg_val0("loadconfig_fromstr (NULL)\n");
memcpy (z, &def, sizeof (*z)); /* init with defaults */
return z;
}
dbg_val1 ("loadconfig_fromstr (\"%s\")\n", str);
set_all_varptr (z);
/* str is const, so we have to copy it into a new buffer */
if ( (buf = strdup (str)) == NULL )
fatal ("loadconfig_fromstr: Out of memory");
line = 0;
tok = strtok_r (buf, STRCONFIG_DELIMITER, &toksave);
while ( tok )
{
line++;
parseconfigline (tok, line, z);
tok = strtok_r (NULL, STRCONFIG_DELIMITER, &toksave);
}
free (buf);
return z;
}
/*****************************************************************
** dupconfig (config)
** duplicate config struct and return a ptr to the new struct
*****************************************************************/
zconf_t *dupconfig (const zconf_t *conf)
{
zconf_t *z;
assert (conf != NULL);
if ( (z = calloc (1, sizeof (zconf_t))) == NULL )
return NULL;
memcpy (z, conf, sizeof (*conf));
return z;
}
/*****************************************************************
** setconfigpar (entry, pval)
*****************************************************************/
int setconfigpar (zconf_t *config, char *entry, const void *pval)
{
char *str;
zconf_para_t *c;
set_all_varptr (config);
for ( c = confpara; c->type != CONF_END; c++ )
if ( strcasecmp (entry, c->label) == 0 )
{
switch ( c->type )
{
case CONF_LEVEL:
case CONF_FACILITY:
case CONF_STRING:
if ( pval )
{
str = strdup ((char *)pval);
str_untaint (str); /* remove "bad" characters */
}
else
str = NULL;
*((char **)c->var) = str;
break;
case CONF_BOOL:
/* fall through */
case CONF_ALGO:
/* fall through */
case CONF_TIMEINT:
/* fall through */
case CONF_INT:
*((int *)c->var) = *((int *)pval);
break;
case CONF_SERIAL:
*((serial_form_t *)c->var) = *((serial_form_t *)pval);
break;
case CONF_COMMENT:
case CONF_END:
/* NOTREACHED */
break;
}
return 1;
}
return 0;
}
/*****************************************************************
** printconfig (fname, config)
*****************************************************************/
int printconfig (const char *fname, const zconf_t *z)
{
zconf_para_t *cp;
FILE *fp;
if ( z == NULL )
return 0;
fp = stdout;
if ( fname && *fname )
{
if ( strcmp (fname, "stdout") == 0 )
fp = stdout;
else if ( strcmp (fname, "stderr") == 0 )
fp = stderr;
else if ( (fp = fopen(fname, "w")) == NULL )
{
error ("Could not open config file \"%s\" for writing\n", fname);
return -1;
}
}
set_all_varptr ((zconf_t *)z);
for ( cp = confpara; cp->type != CONF_END; cp++ ) /* loop through all parameter */
if ( !cp->cmdline ) /* if this is not a command line parameter ? */
printconfigline (fp, cp); /* print it out */
if ( fp && fp != stdout && fp != stderr )
fclose (fp);
return 1;
}
#if 0
/*****************************************************************
** printconfigdiff (fname, conf_a, conf_b)
*****************************************************************/
int printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z)
{
zconf_para_t *cp;
FILE *fp;
if ( ref == NULL || z == NULL )
return 0;
fp = NULL;
if ( fname && *fname )
{
if ( strcmp (fname, "stdout") == 0 )
fp = stdout;
else if ( strcmp (fname, "stderr") == 0 )
fp = stderr;
else if ( (fp = fopen(fname, "w")) == NULL )
{
error ("Could not open config file \"%s\" for writing\n", fname);
return -1;
}
}
set_all_varptr ((zconf_t *)z);
for ( cp = confpara; cp->type != CONF_END; cp++ ) /* loop through all parameter */
{
if ( cp->cmdline )
continue;
printconfigline (fp, cp); /* print it out */
}
if ( fp && fp != stdout && fp != stderr )
fclose (fp);
return 1;
}
#endif
/*****************************************************************
** checkconfig (config)
*****************************************************************/
int checkconfig (const zconf_t *z)
{
if ( z == NULL )
return 1;
if ( z->sigvalidity < (1 * DAYSEC) || z->sigvalidity > (12 * WEEKSEC) )
{
fprintf (stderr, "Signature should be valid for at least 1 day and no longer than 3 month (12 weeks)\n");
fprintf (stderr, "The current value is %s\n", timeint2str (z->sigvalidity));
}
if ( z->resign > (z->sigvalidity*5/6) - (z->max_ttl + z->proptime) )
{
fprintf (stderr, "Re-signing interval (%s) should be less than ", timeint2str (z->resign));
fprintf (stderr, "5/6 of sigvalidity\n");
}
if ( z->resign < (z->max_ttl + z->proptime) )
{
fprintf (stderr, "Re-signing interval (%s) should be ", timeint2str (z->resign));
fprintf (stderr, "greater than max_ttl (%d) plus ", z->max_ttl);
fprintf (stderr, "propagation time (%d)\n", z->proptime);
}
if ( z->max_ttl >= z->sigvalidity )
fprintf (stderr, "Max TTL (%d) should be less than signatur validity (%d)\n",
z->max_ttl, z->sigvalidity);
if ( z->z_life > (12 * WEEKSEC) * (z->z_bits / 512.) )
{
fprintf (stderr, "Lifetime of zone signing key (%s) ", timeint2str (z->z_life));
fprintf (stderr, "seems a little bit high ");
fprintf (stderr, "(In respect of key size (%d))\n", z->z_bits);
}
if ( z->k_life > 0 && z->k_life <= z->z_life )
{
fprintf (stderr, "Lifetime of key signing key (%s) ", timeint2str (z->k_life));
fprintf (stderr, "should be greater than lifetime of zsk\n");
}
if ( z->k_life > 0 && z->k_life > (26 * WEEKSEC) * (z->k_bits / 512.) )
{
fprintf (stderr, "Lifetime of key signing key (%s) ", timeint2str (z->k_life));
fprintf (stderr, "seems a little bit high ");
fprintf (stderr, "(In respect of key size (%d))\n", z->k_bits);
}
return 1;
}
#ifdef CONF_TEST
const char *progname;
static zconf_t *config;
main (int argc, char *argv[])
{
char *optstr;
int val;
progname = *argv;
config = loadconfig ("", (zconf_t *) NULL); /* load built in defaults */
while ( --argc >= 1 )
{
optstr = *++argv;
config = loadconfig_fromstr (optstr, config);
}
val = 1;
setconfigpar (config, "-v", &val);
val = 2;
setconfigpar (config, "verboselog", &val);
val = 1;
setconfigpar (config, "recursive", &val);
val = 1200;
setconfigpar (config, "propagation", &val);
printconfig ("stdout", config);
}
#endif
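Review bot: in `parseconfigline` the `CONF_TIMEINT` case stores an uninitialised value when the number does not parse: `int ival;` is never set before `sscanf (val, "%d%c", &ival, &quantity);` and the return value is not checked, so a line such as `Propagation: abc` writes stack garbage into the config instead of reporting an error. Suggest testing that `sscanf` returned at least 1 and otherwise calling `error (...)` with the line number, as the `CONF_ALGO` case already does; the `CONF_INT` case has the same unchecked `sscanf (val, "%d", (int *)c->var);`, and a suffix other than `m`/`h`/`d`/`w`/`y` is silently treated as seconds, which deserves an explicit check as well. Two smaller points in `printconfigline`: the `CONF_TIMEINT` branch reads the field through `i = *(ulong*)cp->var;` although every timed member of `zconf_t` (`sigvalidity`, `max_ttl`, `proptime`, `resign`, `k_life`, `z_life`, ...) is declared `int`, so on an LP64 platform this reads 8 bytes from a 4-byte member; it should be `*(int *)cp->var` to match the writer in `parseconfigline`. And `fprintf (fp, "%s:\tNONE", cp->label);` lacks the trailing `\n`, so the following parameter is printed on the same line. Style: `len = strlen (c->label);` is assigned but never used, and the `CONF_TEST` `main (int argc, char *argv[])` has no return type.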

173
contrib/zkt/zconf.h Normal file

@ -0,0 +1,173 @@
/*****************************************************************
**
** @(#) zconf.h
**
** Copyright (c) Jan 2005, Jeroen Masar, Holger Zuleger.
** All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Jeroen Masar and Holger Zuleger nor the
** names of its contributors may be used to endorse or promote products
** derived from this software without specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef ZCONF_H
# define ZCONF_H
# define MINSEC 60
# define HOURSEC (MINSEC * 60)
# define DAYSEC (HOURSEC * 24)
# define WEEKSEC (DAYSEC * 7)
# define YEARSEC (DAYSEC * 365)
# define DAY (1)
# define WEEK (DAY * 7)
# define MONTH (DAY * 30)
# define YEAR (DAY * 365)
# define SIG_VALID_DAYS (10) /* or 3 Weeks ? */
# define SIG_VALIDITY (SIG_VALID_DAYS * DAYSEC)
# define MAX_TTL ( 8 * HOURSEC) /* default value of maximum ttl time */
# define KEY_TTL ( 4 * HOURSEC) /* default value of KEY TTL */
# define PROPTIME ( 5 * MINSEC) /* expected slave propagation time */
/* should be small if notify is used */
#if defined (DEF_TTL)
# define DEF_TTL (MAX_TTL/2) /* currently not used */
#endif
# define RESIGN_INT ((SIG_VALID_DAYS - (SIG_VALID_DAYS / 3)) * DAYSEC)
# define KSK_LIFETIME (1 * YEARSEC)
#if 0
# define ZSK_LIFETIME ((SIG_VALID_DAYS * 3) * DAYSEC) /* set to three times the sig validity */
#else
# define ZSK_LIFETIME ((MONTH * 3) * DAYSEC) /* set fixed to 3 month */
#endif
# define KSK_ALGO (DK_ALGO_RSASHA1)
# define KSK_BITS (1300)
# define KSK_RANDOM "/dev/urandom" /* was NULL before v0.94 */
# define ZSK_ALGO (DK_ALGO_RSASHA1)
# define ZSK_BITS (512)
# define ZSK_RANDOM "/dev/urandom"
# define ZONEDIR "."
# define RECURSIVE 0
# define PRINTTIME 1
# define PRINTAGE 0
# define LJUST 0
# define KEYSETDIR NULL /* keysets */
# define LOGFILE ""
# define LOGLEVEL "error"
# define SYSLOGFACILITY "none"
# define SYSLOGLEVEL "notice"
# define VERBOSELOG 0
# define ZONEFILE "zone.db"
# define DNSKEYFILE "dnskey.db"
# define LOOKASIDEDOMAIN "" /* "dlv.trusted-keys.de" */
# define SIG_RANDOM NULL /* "/dev/urandom" */
# define SIG_PSEUDO 1
# define SIG_GENDS 1
# define SIG_PARAM ""
# define DIST_CMD NULL /* default is to run "rndc reload" */
#ifndef CONFIG_PATH
# define CONFIG_PATH "/var/named/"
#endif
# define CONFIG_FILE CONFIG_PATH "dnssec.conf"
# define LOCALCONF_FILE "dnssec.conf"
/* external command execution path (should be set via config.h) */
#ifndef BIND_UTIL_PATH
# define BIND_UTIL_PATH "/usr/local/sbin/" /* beware of trailing '/' */
#endif
# define SIGNCMD BIND_UTIL_PATH "dnssec-signzone"
# define KEYGENCMD BIND_UTIL_PATH "dnssec-keygen"
# define RELOADCMD BIND_UTIL_PATH "rndc"
typedef enum {
Unixtime = 1,
Incremental
} serial_form_t;
typedef enum {
none = 0,
user,
local0, local1, local2, local3, local4, local5, local6, local7
} syslog_facility_t;
typedef struct zconf {
char *zonedir;
int recursive;
int printtime;
int printage;
int ljust;
int sigvalidity; /* should be less than expire time */
int max_ttl; /* should be set to the maximum used ttl in the zone */
int key_ttl;
int proptime; /* expected time offset for zone propagation */
#if defined (DEF_TTL)
int def_ttl; /* default ttl set in soa record */
#endif
serial_form_t serialform; /* format of serial no */
int resign; /* resign interval */
int k_life;
int k_algo;
int k_bits;
char *k_random;
int z_life;
int z_algo;
int z_bits;
char *z_random;
char *view;
// char *errlog;
char *logfile;
char *loglevel;
char *syslogfacility;
char *sysloglevel;
int verboselog;
int verbosity;
char *keyfile;
char *zonefile;
char *keysetdir;
char *lookaside;
char *sig_random;
int sig_pseudo;
int sig_gends;
char *sig_param;
char *dist_cmd; /* cmd to run instead of "rndc reload" */
} zconf_t;
extern zconf_t *loadconfig (const char *filename, zconf_t *z);
extern zconf_t *loadconfig_fromstr (const char *str, zconf_t *z);
extern zconf_t *dupconfig (const zconf_t *conf);
extern int setconfigpar (zconf_t *conf, char *entry, const void *pval);
extern int printconfig (const char *fname, const zconf_t *cp);
extern int checkconfig (const zconf_t *z);
#endif
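Review bot: the default `# define ZSK_BITS (512)` together with `ZSK_ALGO (DK_ALGO_RSASHA1)` generates 512-bit RSA zone signing keys; 512-bit RSA moduli have been publicly factored, so even with the three-month `ZSK_LIFETIME` rotation the default offers no meaningful protection and should be raised to at least 1024 bits (the `checkconfig` heuristics in zconf.c that scale the acceptable lifetime by `z_bits / 512.` should be revisited with it). Also, the block `#if defined (DEF_TTL)` / `# define DEF_TTL (MAX_TTL/2)` can only ever redefine a macro that is already defined, so either it is dead (as the "currently not used" comment says) and should be dropped, or the guard should be `#ifndef DEF_TTL`. Minor: `// char *errlog;` is a C99 comment in an otherwise C89-style header.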

222
contrib/zkt/zkt-soaserial.c Normal file

@ -0,0 +1,222 @@
/*****************************************************************
**
** @(#) zkt-soaserial.c (c) Oct 2007 Holger Zuleger hznet.de
**
** A small utility to print out the (unixtime) soa serial
** number in a human readable form
**
** Copyright (c) Oct 2007, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
# include <stdio.h>
# include <string.h>
# include <sys/types.h>
# include <time.h>
# include <utime.h>
# include <assert.h>
# include <stdlib.h>
# include <ctype.h>
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
# include "config_zkt.h"
static const char *progname;
static char *timestr (time_t sec);
static int read_serial_fromfile (const char *fname, unsigned long *serial);
static void printserial (const char *fname, unsigned long serial);
static void usage (const char *msg);
/*****************************************************************
** timestr (sec)
*****************************************************************/
static char *timestr (time_t sec)
{
struct tm *t;
static char timestr[31+1]; /* 27+1 should be enough */
#if defined(HAVE_STRFTIME) && HAVE_STRFTIME
t = localtime (&sec);
strftime (timestr, sizeof (timestr), "%b %d %Y %T %z", t);
#else
static char *mstr[] = {
"Jan", "Feb", "Mar", "Apr", "May", "Jun",
"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};
int h, s;
t = localtime (&sec);
s = abs (t->tm_gmtoff);
h = t->tm_gmtoff / 3600;
s = t->tm_gmtoff % 3600;
snprintf (timestr, sizeof (timestr), "%s %2d %4d %02d:%02d:%02d %c%02d%02d",
mstr[t->tm_mon], t->tm_mday, t->tm_year + 1900,
t->tm_hour, t->tm_min, t->tm_sec,
t->tm_gmtoff < 0 ? '-': '+',
h, s);
#endif
return timestr;
}
/****************************************************************
**
** int read_serial_fromfile (filename)
**
** This function depends on a special syntax formating the
** SOA record in the zone file!!
**
** To match the SOA record, the SOA RR must be formatted
** like this:
** @ IN SOA <master.fq.dn.> <hostmaster.fq.dn.> (
** <SPACEes or TABs> 1234567890; serial number
** <SPACEes or TABs> 86400 ; other values
** ...
**
****************************************************************/
static int read_serial_fromfile (const char *fname, unsigned long *serial)
{
FILE *fp;
char buf[4095+1];
char master[254+1];
int c;
int soafound;
if ( (fp = fopen (fname, "r")) == NULL )
return -1; /* file not found */
/* read until the line matches the beginning of a soa record ... */
soafound = 0;
while ( !soafound && fgets (buf, sizeof buf, fp) )
{
if ( sscanf (buf, "%*s %*d IN SOA %255s %*s (\n", master) == 1 )
soafound = 1;
else if ( sscanf (buf, "%*s IN SOA %255s %*s (\n", master) == 1 )
soafound = 1;
}
if ( !soafound )
return -2; /* no zone file (soa not found) */
/* move forward until any non ws is reached */
while ( (c = getc (fp)) != EOF && isspace (c) )
;
ungetc (c, fp); /* pushback the non ws */
*serial = 0L; /* read in the current serial number */
if ( fscanf (fp, "%lu", serial) != 1 ) /* try to get serial no */
return -3; /* no serial number found */
fclose (fp);
return 0; /* ok! */
}
/*****************************************************************
** printserial()
*****************************************************************/
static void printserial (const char *fname, unsigned long serial)
{
if ( fname && *fname )
printf ("%-30s\t", fname);
printf ("%10lu", serial);
/* try to guess the soa serial format */
if ( serial < 1136070000L ) /* plain integer (this is 2006-1-1 00:00 in unixtime format) */
;
else if ( serial > 2006010100L ) /* date format */
{
int y, m, d, v;
v = serial % 100;
serial /= 100;
d = serial % 100;
serial /= 100;
m = serial % 100;
serial /= 100;
y = serial;
printf ("\t%d-%02d-%02d Version %02d", y, m, d, v);
}
else /* unixtime */
printf ("\t%s\n", timestr (serial) );
printf ("\n");
}
/*****************************************************************
** usage (msg)
*****************************************************************/
static void usage (const char *msg)
{
if ( msg && *msg )
fprintf (stderr, "%s\n", msg);
fprintf (stderr, "usage: %s {-s serial | signed_zonefile [...]}\n", progname);
exit (1);
}
/*****************************************************************
** main()
*****************************************************************/
int main (int argc, char *argv[])
{
unsigned long serial;
progname = *argv;
if ( --argc == 0 )
usage ("");
if ( argv[1][0] == '-' )
{
if ( argv[1][1] != 's' )
usage ("illegal option");
if ( argc != 2 )
usage ("Option -s requires an argument");
serial = atol (argv[2]);
printserial ("", serial);
}
else
while ( argc-- > 0 )
if ( (read_serial_fromfile (*++argv, &serial)) != 0 )
fprintf (stderr, "couldn't read serial number from file %s\n", *argv);
else
printserial (*argv, serial);
return 0;
}
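Review bot: in read_serial_fromfile(), the error path `return -3; /* no serial number found */` after the fscanf check leaves fp open, because `fclose (fp);` is only reached on success, so every zone file whose serial cannot be parsed leaks a FILE handle; close the file before returning. Two smaller points in the same region: printserial() prints an extra blank line in the unixtime branch, since `printf ("\t%s\n", timestr (serial) );` is followed by the unconditional `printf ("\n");` that the other two branches rely on, and main() parses the -s argument with `serial = atol (argv[2]);` into an unsigned long with no range or error checking, so junk input is silently reported as serial 0; strtoul() with end-pointer validation would reject it and let usage() report the problem.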

354
contrib/zkt/zkt.c Normal file

@ -0,0 +1,354 @@
/*****************************************************************
**
** @(#) zkt.c -- A library for managing a list of dns zone files.
**
** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
# include <stdio.h>
# include <string.h>
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
# include "config_zkt.h"
# include "dki.h"
# include "misc.h"
# include "strlist.h"
# include "zconf.h"
#define extern
# include "zkt.h"
#undef extern
extern char *labellist;
extern int headerflag;
extern int timeflag;
extern int exptimeflag;
extern int lifetime;
extern int ageflag;
extern int lifetimeflag;
extern int kskflag;
extern int zskflag;
extern int pathflag;
extern int ljustflag;
static void printkeyinfo (const dki_t *dkp, const char *oldpath);
static void printkeyinfo (const dki_t *dkp, const char *oldpath)
{
time_t currtime;
if ( dkp == NULL ) /* print headline */
{
if ( headerflag )
{
printf ("%-33.33s %5s %3s %3.3s %-7s", "Keyname",
"Tag", "Typ", "Status", "Algorit");
if ( timeflag )
printf (" %-20s", "Generation Time");
if ( exptimeflag )
printf (" %-20s", "Expiration Time");
if ( ageflag )
printf (" %16s", "Age");
if ( lifetimeflag )
printf (" %4s", "LfTm");
putchar ('\n');
}
return;
}
time (&currtime);
/* TODO: use next line if dname is dynamically allocated */
/* if ( pathflag && dkp->dname && strcmp (oldpath, dkp->dname) != 0 ) */
if ( pathflag && strcmp (oldpath, dkp->dname) != 0 )
printf ("%s/\n", dkp->dname);
if ( (kskflag && dki_isksk (dkp)) || (zskflag && !dki_isksk (dkp)) )
{
if ( ljustflag )
printf ("%-33.33s ", dkp->name);
else
printf ("%33.33s ", dkp->name);
printf ("%05d ", dkp->tag);
printf ("%3s ", dki_isksk (dkp) ? "KSK" : "ZSK");
printf ("%-3.3s ", dki_statusstr (dkp) );
printf ("%-7s", dki_algo2str(dkp->algo));
if ( timeflag )
printf (" %-20s", time2str (dkp->gentime ? dkp->gentime: dkp->time, 's'));
if ( exptimeflag )
printf (" %-20s", time2str (dkp->exptime, 's'));
if ( ageflag )
printf (" %16s", age2str (dki_age (dkp, currtime)));
if ( lifetimeflag && dkp->lifetime )
{
if ( dkp->status == 'a' )
printf ("%c", (currtime < dkp->time + dkp->lifetime) ? '<' : '!');
else
putchar (' ');
printf ("%hdd", dki_lifetimedays (dkp));
}
putchar ('\n');
}
}
#if defined(USE_TREE) && USE_TREE
static void list_key (const dki_t **nodep, const VISIT which, int depth)
{
const dki_t *dkp;
static const char *oldpath = "";
if ( nodep == NULL )
return;
//fprintf (stderr, "listkey %d %d %s\n", which, depth, dkp->name);
if ( which == INORDER || which == LEAF )
{
dkp = *nodep;
while ( dkp ) /* loop through list */
{
if ( labellist == NULL || isinlist (dkp->name, labellist) )
printkeyinfo (dkp, oldpath); /* print entry */
oldpath = dkp->dname;
dkp = dkp->next;
}
}
}
#endif
void zkt_list_keys (const dki_t *data)
{
#if ! defined(USE_TREE) || !USE_TREE
const dki_t *dkp;
const char *oldpath;
#endif
if ( data ) /* print headline if list is not empty */
printkeyinfo (NULL, "");
#if defined(USE_TREE) && USE_TREE
twalk (data, list_key);
#else
oldpath = "";
for ( dkp = data; dkp; dkp = dkp->next ) /* loop through list */
{
if ( labellist == NULL || isinlist (dkp->name, labellist) )
printkeyinfo (dkp, oldpath); /* print entry */
oldpath = dkp->dname;
}
#endif
}
#if defined(USE_TREE) && USE_TREE
static void list_trustedkey (const dki_t **nodep, const VISIT which, int depth)
{
const dki_t *dkp;
if ( nodep == NULL )
return;
dkp = *nodep;
//fprintf (stderr, "list_trustedkey %d %d %s\n", which, depth, dkp->name);
if ( which == INORDER || which == LEAF )
while ( dkp ) /* loop through list */
{
if ( (dki_isksk (dkp) || zskflag) &&
(labellist == NULL || isinlist (dkp->name, labellist)) )
dki_prt_trustedkey (dkp, stdout);
dkp = dkp->next;
}
}
#endif
void zkt_list_trustedkeys (const dki_t *data)
{
#if !defined(USE_TREE) || !USE_TREE
const dki_t *dkp;
#endif
/* print headline if list is not empty */
if ( data && headerflag )
printf ("trusted-keys {\n");
#if defined(USE_TREE) && USE_TREE
twalk (data, list_trustedkey);
#else
for ( dkp = data; dkp; dkp = dkp->next ) /* loop through list */
if ( (dki_isksk (dkp) || zskflag) &&
(labellist == NULL || isinlist (dkp->name, labellist)) )
dki_prt_trustedkey (dkp, stdout);
#endif
/* print end of trusted-key section */
if ( data && headerflag )
printf ("};\n");
}
#if defined(USE_TREE) && USE_TREE
static void list_dnskey (const dki_t **nodep, const VISIT which, int depth)
{
const dki_t *dkp;
int ksk;
if ( nodep == NULL )
return;
if ( which == INORDER || which == LEAF )
for ( dkp = *nodep; dkp; dkp = dkp->next )
{
ksk = dki_isksk (dkp);
if ( (ksk && !kskflag) || (!ksk && !zskflag) )
continue;
if ( labellist == NULL || isinlist (dkp->name, labellist) )
{
if ( headerflag )
dki_prt_comment (dkp, stdout);
dki_prt_dnskey (dkp, stdout);
}
}
}
#endif
void zkt_list_dnskeys (const dki_t *data)
{
#if defined(USE_TREE) && USE_TREE
twalk (data, list_dnskey);
#else
const dki_t *dkp;
int ksk;
for ( dkp = data; dkp; dkp = dkp->next )
{
ksk = dki_isksk (dkp);
if ( (ksk && !kskflag) || (!ksk && !zskflag) )
continue;
if ( labellist == NULL || isinlist (dkp->name, labellist) )
{
if ( headerflag )
dki_prt_comment (dkp, stdout);
dki_prt_dnskey (dkp, stdout);
}
}
#endif
}
#if defined(USE_TREE) && USE_TREE
static void set_keylifetime (const dki_t **nodep, const VISIT which, int depth)
{
const dki_t *dkp;
int ksk;
if ( nodep == NULL )
return;
if ( which == INORDER || which == LEAF )
for ( dkp = *nodep; dkp; dkp = dkp->next )
{
ksk = dki_isksk (dkp);
if ( (ksk && !kskflag) || (!ksk && !zskflag) )
continue;
if ( labellist == NULL || isinlist (dkp->name, labellist) )
dki_setlifetime ((dki_t *)dkp, lifetime);
}
}
#endif
void zkt_setkeylifetime (dki_t *data)
{
#if defined(USE_TREE) && USE_TREE
twalk (data, set_keylifetime);
#else
dki_t *dkp;
int ksk;
for ( dkp = data; dkp; dkp = dkp->next )
{
ksk = dki_isksk (dkp);
if ( (ksk && !kskflag) || (!ksk && !zskflag) )
continue;
if ( labellist == NULL || isinlist (dkp->name, labellist) )
{
dki_setlifetime (dkp, lifetime);
}
}
#endif
}
#if defined(USE_TREE) && USE_TREE
static const dki_t *searchresult;
static int searchitem;
static void tag_search (const dki_t **nodep, const VISIT which, int depth)
{
const dki_t *dkp;
if ( nodep == NULL )
return;
if ( which == PREORDER || which == LEAF )
for ( dkp = *nodep; dkp; dkp = dkp->next )
{
if ( dkp->tag == searchitem )
{
if ( searchresult == NULL )
searchresult = dkp;
else
searchitem = 0;
}
}
}
#endif
const dki_t *zkt_search (const dki_t *data, int searchtag, const char *keyname)
{
const dki_t *dkp = NULL;
#if defined(USE_TREE) && USE_TREE
if ( keyname == NULL || *keyname == '\0' )
{
searchresult = NULL;
searchitem = searchtag;
twalk (data, tag_search);
if ( searchresult != NULL && searchitem == 0 )
dkp = (void *)01;
else
dkp = searchresult;
}
else
dkp = (dki_t*)dki_tsearch (data, searchtag, keyname);
#else
dkp = (dki_t*)dki_search (data, searchtag, keyname);
#endif
return dkp;
}
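Review bot: zkt_search() signals an ambiguous tag match with `dkp = (void *)01;`, a fake non-NULL pointer; any caller that treats a non-NULL result as a valid dki_t* and dereferences it will crash, and neither this file nor zkt.h documents the magic value. Prefer a named sentinel, or a separate out-parameter or return code for "more than one key with this tag", so the contract is visible at the call sites. Also, set_keylifetime() casts away const with `dki_setlifetime ((dki_t *)dkp, lifetime);` to mutate nodes reached through a `const dki_t **` walk; if the walker mutates, declare the data non-const rather than hiding the write behind a cast. The commented-out `//fprintf (stderr, ...)` debug lines in list_key() and list_trustedkey() should be dropped before merge.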

46
contrib/zkt/zkt.h Normal file
@ -0,0 +1,46 @@
/*****************************************************************
**
** @(#) zkt.h (c) 2005 - 2008 Holger Zuleger hznet.de
**
** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef ZKT_H
# define ZKT_H
extern const dki_t *zkt_search (const dki_t *data, int searchtag, const char *keyname);
extern void zkt_list_keys (const dki_t *data);
extern void zkt_list_trustedkeys (const dki_t *data);
extern void zkt_list_dnskeys (const dki_t *data);
extern void zkt_setkeylifetime (dki_t *data);
#endif
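Review bot: zkt.h uses dki_t in every prototype but does not include "dki.h", so it only compiles when the including file has already pulled dki.h in (as zkt.c happens to do); add `# include "dki.h"` inside the include guard so the header stands on its own. Since zkt.c includes this header under `#define extern` / `#undef extern` so that the declarations double as definitions, a one-line comment in the header saying so would stop a later contributor from adding an initialized definition or a static here.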

336
contrib/zkt/zone.c Normal file
@ -0,0 +1,336 @@
/*****************************************************************
**
** @(#) zone.c (c) Mar 2005 Holger Zuleger hznet.de
**
** Copyright (c) Mar 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
# include <stdio.h>
# include <string.h>
# include <stdlib.h>
# include <sys/types.h>
# include <sys/stat.h>
# include <dirent.h>
# include <assert.h>
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
# include "config_zkt.h"
# include "debug.h"
# include "domaincmp.h"
# include "misc.h"
# include "zconf.h"
# include "dki.h"
#define extern
# include "zone.h"
#undef extern
/*****************************************************************
** private (static) function declaration and definition
*****************************************************************/
static char zone_estr[255+1];
/*****************************************************************
** zone_alloc ()
*****************************************************************/
static zone_t *zone_alloc ()
{
zone_t *zp;
if ( (zp = malloc (sizeof (zone_t))) )
{
memset (zp, 0, sizeof (zone_t));
return zp;
}
snprintf (zone_estr, sizeof (zone_estr),
"zone_alloc: Out of memory");
return NULL;
}
/*****************************************************************
** zone_cmp () return <0 | 0 | >0
*****************************************************************/
static int zone_cmp (const zone_t *a, const zone_t *b)
{
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
return domaincmp (a->zone, b->zone);
}
/*****************************************************************
** public function definition
*****************************************************************/
/*****************************************************************
** zone_free ()
*****************************************************************/
void zone_free (zone_t *zp)
{
assert (zp != NULL);
if ( zp->zone ) free ((char *)zp->zone);
if ( zp->dir ) free ((char *)zp->dir);
if ( zp->file ) free ((char *)zp->file);
if ( zp->sfile ) free ((char *)zp->sfile);
#if 0
/* TODO: actually there are some problems freeing the config :-( */
if ( zp->conf ) free ((zconf_t *)zp->conf);
#endif
if ( zp->keys ) dki_freelist (&zp->keys);
free (zp);
}
/*****************************************************************
** zone_freelist ()
*****************************************************************/
void zone_freelist (zone_t **listp)
{
zone_t *curr;
zone_t *next;
assert (listp != NULL);
curr = *listp;
while ( curr )
{
next = curr->next;
zone_free (curr);
curr = next;
}
if ( *listp )
*listp = NULL;
}
/*****************************************************************
** zone_new ()
** allocate memory for new zone structure and initialize it
*****************************************************************/
zone_t *zone_new (zone_t **zp, const char *zone, const char *dir, const char *file, const char *signed_ext, const zconf_t *cp)
{
char path[MAX_PATHSIZE+1];
zone_t *new;
assert (zp != NULL);
assert (zone != NULL && *zone != '\0');
dbg_val3 ("zone_new: (zp, zone: %s, dir: %s, file: %s, cp)\n", zone, dir, file);
if ( dir == NULL || *dir == '\0' )
dir = ".";
if ( file == NULL || *file == '\0' )
file = cp->zonefile;
else
{ /* check if file contains a path */
const char *p;
if ( (p = strrchr (file, '/')) != NULL )
{
snprintf (path, sizeof (path), "%s/%.*s", dir, p-file, file);
dir = path;
file = p+1;
}
}
if ( (new = zone_alloc ()) != NULL )
{
char *p;
new->zone = str_tolowerdup (zone);
new->dir = strdup (dir);
new->file = strdup (file);
/* check if file ends with ".signed" ? */
if ( (p = strrchr (new->file, '.')) != NULL && strcmp (p, signed_ext) == 0 )
{
new->sfile = strdup (new->file);
*p = '\0';
}
else
{
snprintf (path, sizeof (path), "%s%s", file, signed_ext);
new->sfile = strdup (path);
}
new->conf = cp;
new->keys = NULL;
dki_readdir (new->dir, &new->keys, 0);
new->next = NULL;
}
return zone_add (zp, new);
}
/*****************************************************************
** zone_readdir ()
*****************************************************************/
int zone_readdir (const char *dir, const char *zone, const char *zfile, zone_t **listp, const zconf_t *conf, int dyn_zone)
{
char *p;
char path[MAX_PATHSIZE+1];
char *signed_ext = ".signed";
assert (dir != NULL && *dir != '\0');
assert (conf != NULL);
if ( zone == NULL ) /* zone not given ? */
{
if ( (zone = strrchr (dir, '/')) ) /* try to extract zone name out of directory */
zone++;
else
zone = dir;
}
dbg_val4 ("zone_readdir: (dir: %s, zone: %s, zfile: %s zp, cp, dyn_zone = %d)\n",
dir, zone, zfile ? zfile: "NULL", dyn_zone);
if ( dyn_zone )
signed_ext = ".dsigned";
if ( zfile && (p = strrchr (zfile, '/')) ) /* check if zfile contains a directory */
{
char subdir[MAX_PATHSIZE+1];
snprintf (subdir, sizeof (subdir), "%s/%.*s", dir, p - zfile, zfile);
pathname (path, sizeof (path), subdir, LOCALCONF_FILE, NULL);
}
else
pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
dbg_val1 ("zone_readdir: check local config file %s\n", path);
if ( fileexist (path) ) /* load local config file */
{
zconf_t *localconf;
localconf = dupconfig (conf);
conf = loadconfig (path, localconf);
}
if ( zfile == NULL )
{
zfile = conf->zonefile;
pathname (path, sizeof (path), dir, zfile, signed_ext);
}
else
{
dbg_val2("zone_readdir: add %s to zonefile if not already there ? (%s)\n", signed_ext, zfile);
if ( (p = strrchr (zfile, '.')) == NULL || strcmp (p, signed_ext) != 0 )
pathname (path, sizeof (path), dir, zfile, signed_ext);
else
pathname (path, sizeof (path), dir, zfile, NULL);
}
dbg_val1("zone_readdir: fileexist (%s): ", path);
if ( !fileexist (path) ) /* no .signed file found ? ... */
{
dbg_val0("no!\n");
return 0; /* ... not a secure zone ! */
}
dbg_val0("yes!\n");
dbg_val("zone_readdir: add zone (%s)\n", zone);
zone_new (listp, zone, dir, zfile, signed_ext, conf);
return 1;
}
/*****************************************************************
** zone_geterrstr ()
** return error string
*****************************************************************/
const char *zone_geterrstr ()
{
return zone_estr;
}
/*****************************************************************
** zone_add ()
*****************************************************************/
zone_t *zone_add (zone_t **list, zone_t *new)
{
zone_t *curr;
zone_t *last;
if ( list == NULL )
return NULL;
if ( new == NULL )
return *list;
last = curr = *list;
while ( curr && zone_cmp (curr, new) < 0 )
{
last = curr;
curr = curr->next;
}
if ( curr == *list ) /* add node at the beginning of the list */
*list = new;
else /* add node at end or between two nodes */
last->next = new;
new->next = curr;
return new;
}
/*****************************************************************
** zone_search ()
*****************************************************************/
const zone_t *zone_search (const zone_t *list, const char *zone)
{
if ( zone == NULL || *zone == '\0' )
return NULL;
while ( list && strcmp (zone, list->zone) != 0 )
list = list->next;
return list;
}
/*****************************************************************
** zone_print ()
*****************************************************************/
int zone_print (const char *mesg, const zone_t *z)
{
dki_t *dkp;
if ( !z )
return 0;
fprintf (stderr, "%s: zone\t %s\n", mesg, z->zone);
fprintf (stderr, "%s: dir\t %s\n", mesg, z->dir);
fprintf (stderr, "%s: file\t %s\n", mesg, z->file);
fprintf (stderr, "%s: sfile\t %s\n", mesg, z->sfile);
for ( dkp = z->keys; dkp; dkp = dkp->next )
{
dki_prt_comment (dkp, stderr);
}
return 1;
}
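Review bot: zone_new() masks allocation failure: when zone_alloc() returns NULL the function still does `return zone_add (zp, new);`, and zone_add() returns `*list` for a NULL node, so the caller gets the existing list head back instead of NULL and cannot tell that the zone was not created; return NULL (the message is already in zone_estr) when new is NULL. Two further points: `snprintf (path, sizeof (path), "%s/%.*s", dir, p-file, file);` in zone_new() and the matching call in zone_readdir() pass a ptrdiff_t where `%.*s` expects an int, which is undefined behaviour through varargs on LP64 platforms; cast the length to (int). And zone_search() compares with a case-sensitive `strcmp (zone, list->zone)` although zone_new() stores the name lowercased via str_tolowerdup(), so a caller passing a mixed-case zone name will never find it; lowercase the argument before comparing. The dupconfig()/loadconfig() result in zone_readdir() is never freed, which the `#if 0` block in zone_free() already acknowledges; the TODO belongs at the allocation site as well.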

66
contrib/zkt/zone.h Normal file
@ -0,0 +1,66 @@
/*****************************************************************
**
** @(#) zone.h -- Header file for zone info
**
** Copyright (c) Mar 2005, Holger Zuleger HZnet. All rights reserved.
**
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
** modification, are permitted provided that the following conditions
** are met:
**
** Redistributions of source code must retain the above copyright notice,
** this list of conditions and the following disclaimer.
**
** Redistributions in binary form must reproduce the above copyright notice,
** this list of conditions and the following disclaimer in the documentation
** and/or other materials provided with the distribution.
**
** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
** be used to endorse or promote products derived from this software without
** specific prior written permission.
**
** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
** POSSIBILITY OF SUCH DAMAGE.
**
*****************************************************************/
#ifndef ZONE_H
# define ZONE_H
# include <sys/types.h>
# include <stdio.h>
# include <time.h>
# include "dki.h"
/* all we have to know about a zone */
typedef struct Zone {
const char *zone; /* domain name or label */
const char *dir; /* directory of zone data */
const char *file; /* file name (zone.db) */
const char *sfile; /* file name of secured zone (zone.db.signed) */
const zconf_t *conf; /* ptr to config */ /* TODO: Should this be only a ptr to a local config ? */
dki_t *keys; /* ptr to keylist */
struct Zone *next; /* ptr to next entry in list */
} zone_t;
extern void zone_free (zone_t *zp);
extern void zone_freelist (zone_t **listp);
extern zone_t *zone_new (zone_t **zp, const char *zone, const char *dir, const char *file, const char *signed_ext, const zconf_t *cp);
extern const char *zone_geterrstr ();
extern zone_t *zone_add (zone_t **list, zone_t *new);
extern const zone_t *zone_search (const zone_t *list, const char *name);
extern int zone_readdir (const char *dir, const char *zone, const char *zfile, zone_t **listp, const zconf_t *conf, int dyn_zone);
extern const char *zone_geterrstr (void);
extern int zone_print (const char *mesg, const zone_t *z);
#endif
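Review bot: zone_geterrstr() is declared twice in this header, first as `extern const char *zone_geterrstr ();` and again four lines later as `extern const char *zone_geterrstr (void);`; keep only the prototyped `(void)` form and match it in zone.c, which defines the function with empty parentheses. The struct also uses zconf_t, but the header includes only sys/types.h, stdio.h, time.h and dki.h, so unless dki.h pulls in zconf.h, includers must include zconf.h first; add the include here. Minor: the zone_search() prototype names its second parameter `name` while the definition in zone.c calls it `zone`.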