From c52235e52ee12e4d15f808ac06608584257f6479 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Wed, 23 Jun 2010 02:42:10 +0000 Subject: [PATCH] 2922 [contrib] Update zkt to version 1.0.: --- CHANGES | 2 + contrib/zkt/CHANGELOG | 111 +- contrib/zkt/Makefile.in | 137 +- contrib/zkt/README | 40 +- contrib/zkt/README.logging | 16 +- contrib/zkt/TODO | 22 +- contrib/zkt/config.h.in | 24 +- contrib/zkt/config_zkt.h | 8 +- contrib/zkt/configure | 429 ++-- contrib/zkt/configure.ac | 71 +- contrib/zkt/dki.c | 38 +- contrib/zkt/dki.h | 17 +- contrib/zkt/dnssec-zkt.c | 5 +- contrib/zkt/doc/KeyRollover.ps | 304 --- .../draft-gudmundsson-life-of-dnskey-00.txt | 616 ----- .../doc/draft-ietf-dnsop-rfc4641bis-01.txt | 2128 ----------------- contrib/zkt/doc/rfc4641.txt | 1963 --------------- contrib/zkt/domaincmp.c | 153 +- contrib/zkt/domaincmp.h | 3 + contrib/zkt/examples/{flat => }/dnssec.conf | 32 +- contrib/zkt/examples/flat/dist.sh | 70 - contrib/zkt/examples/flat/dnssec-signer.sh | 14 - .../Kdyn.example.net.+003+42138.key | 3 - .../Kdyn.example.net.+003+42138.private | 7 - .../Kdyn.example.net.+005+01355.depreciated | 10 - .../Kdyn.example.net.+005+01355.key | 3 - .../Kdyn.example.net.+005+10643.key | 3 - .../Kdyn.example.net.+005+10643.private | 10 - .../Kdyn.example.net.+007+30323.key | 3 + .../Kdyn.example.net.+007+30323.private | 10 + .../Kdyn.example.net.+007+52935.key | 3 + .../Kdyn.example.net.+007+52935.private | 10 + .../examples/flat/dyn.example.net/dnskey.db | 35 - .../examples/flat/dyn.example.net/dnssec.conf | 5 - .../dyn.example.net/dsset-dyn.example.net. | 2 - .../dyn.example.net/keyset-dyn.example.net. | 18 - .../dyn.example.net/zktlog-dyn.example.net. 
| 161 ++ .../zkt/examples/flat/dyn.example.net/zone.db | 115 - .../flat/dyn.example.net/zone.db.dsigned | 221 -- .../examples/flat/dyn.example.net/zone.org | 30 - .../example.net/Kexample.net.+005+07308.key | 3 - .../Kexample.net.+005+07308.private | 10 - .../example.net/Kexample.net.+005+24545.key | 3 - .../Kexample.net.+005+24545.published | 10 - .../example.net/Kexample.net.+005+33840.key | 3 - .../Kexample.net.+005+33840.published | 10 - .../Kexample.net.+005+34925.depreciated | 10 - .../example.net/Kexample.net.+005+34925.key | 3 - .../example.net/Kexample.net.+005+48089.key | 3 - .../Kexample.net.+005+48089.private | 10 - .../example.net/Kexample.net.+008+08406.key | 3 + .../Kexample.net.+008+08406.private | 10 + .../example.net/Kexample.net.+008+36257.key | 3 + .../Kexample.net.+008+36257.private | 10 + .../zkt/examples/flat/example.net/dnskey.db | 45 - .../zkt/examples/flat/example.net/dnssec.conf | 2 + .../flat/example.net/dsset-example.net. | 4 - .../example.net/kexample.net.+005+01764.key | 4 - .../kexample.net.+005+01764.private | 10 - .../example.net/kexample.net.+005+14829.key | 4 - .../kexample.net.+005+14829.private | 10 - .../example.net/kexample.net.+005+41151.key | 4 - .../kexample.net.+005+41151.private | 10 - .../flat/example.net/keyset-example.net. | 19 - contrib/zkt/examples/flat/example.net/z.db | 34 + .../flat/example.net/zktlog-example.net. | 274 +++ contrib/zkt/examples/flat/example.net/zone.db | 43 - .../examples/flat/example.net/zone.db.signed | 165 -- .../flat/keysets/dlvset-sub.example.net. | 2 - .../flat/keysets/dsset-dyn.example.net. | 2 - .../examples/flat/keysets/dsset-example.net. | 4 - .../flat/keysets/dsset-sub.example.net. | 2 - .../flat/keysets/keyset-dyn.example.net. | 18 - .../examples/flat/keysets/keyset-example.net. | 19 - .../flat/keysets/keyset-sub.example.net. 
| 8 - contrib/zkt/examples/flat/named.conf | 109 - .../Ksub.example.net.+007+02048.key | 3 + .../Ksub.example.net.+007+02048.published | 10 + .../Ksub.example.net.+007+14600.depreciated | 10 - .../Ksub.example.net.+007+14600.key | 3 - .../Ksub.example.net.+007+32345.key | 3 - .../Ksub.example.net.+007+32345.private | 10 - .../Ksub.example.net.+007+41747.key | 3 + .../Ksub.example.net.+007+41747.private | 10 + .../Ksub.example.net.+007+42834.key | 3 + .../Ksub.example.net.+007+42834.private | 10 + .../Ksub.example.net.+007+48516.key | 3 - .../Ksub.example.net.+007+48516.private | 10 - .../sub.example.net/dlvset-sub.example.net. | 2 - .../examples/flat/sub.example.net/dnskey.db | 29 - .../examples/flat/sub.example.net/dnssec.conf | 15 - .../sub.example.net/dsset-sub.example.net. | 2 - .../sub.example.net/keyset-sub.example.net. | 8 - .../examples/flat/sub.example.net/maxhexsalt | 1 - .../flat/sub.example.net/maxhexsalt+1 | 1 - .../sub.example.net/zktlog-sub.example.net. | 321 +++ .../zkt/examples/flat/sub.example.net/zone.db | 25 - .../flat/sub.example.net/zone.db.signed | 109 - contrib/zkt/examples/flat/zkt.log | 1031 -------- contrib/zkt/examples/flat/zone.conf | 10 - .../de/example.de/Kexample.de.+005+09743.key | 3 + .../Kexample.de.+005+09743.published | 10 + .../de/example.de/Kexample.de.+005+37983.key | 3 - .../Kexample.de.+005+37983.published | 10 - .../de/example.de/Kexample.de.+005+39599.key | 3 + .../example.de/Kexample.de.+005+39599.private | 10 + .../de/example.de/Kexample.de.+005+47280.key | 3 - .../example.de/Kexample.de.+005+47280.private | 10 - .../de/example.de/Kexample.de.+005+55529.key | 3 - .../example.de/Kexample.de.+005+55529.private | 10 - .../hierarchical/de/example.de/dnskey.db | 33 - .../de/example.de/dsset-example.de. 
| 4 - .../de/example.de/kexample.de.+005+17439.key | 4 - .../example.de/kexample.de.+005+17439.private | 10 - .../de/example.de/kexample.de.+005+41145.key | 4 - .../example.de/kexample.de.+005+41145.private | 10 - .../de/example.de/kexample.de.+005+59244.key | 4 - .../example.de/kexample.de.+005+59244.private | 10 - .../de/example.de/keyset-example.de. | 19 - .../de/example.de/keyset-sub.example.de. | 7 - .../Ksub.example.de.+001+11091.key | 3 - .../Ksub.example.de.+001+11091.published | 10 - .../Ksub.example.de.+001+38598.key | 3 - .../Ksub.example.de.+001+38598.private | 10 - .../Ksub.example.de.+001+60332.key | 3 - .../Ksub.example.de.+001+60332.private | 10 - .../Ksub.example.de.+005+07295.key | 3 + .../Ksub.example.de.+005+07295.private | 10 + .../Ksub.example.de.+005+08544.key | 3 + .../Ksub.example.de.+005+08544.private | 10 + .../Ksub.example.de.+005+24426.key | 3 - .../Ksub.example.de.+005+24426.private | 10 - .../Ksub.example.de.+005+26451.key | 3 - .../Ksub.example.de.+005+26451.private | 10 - .../Ksub.example.de.+005+27861.key | 3 + .../Ksub.example.de.+005+27861.private | 10 + .../Ksub.example.de.+005+37547.key | 3 - .../Ksub.example.de.+005+37547.private | 10 - .../Ksub.example.de.+005+40559.key | 3 + .../Ksub.example.de.+005+40559.published | 10 + .../Ksub.example.de.+005+40956.key | 3 - .../Ksub.example.de.+005+40956.private | 10 - .../Ksub.example.de.+005+42639.key | 3 + .../Ksub.example.de.+005+42639.private | 10 + .../Ksub.example.de.+005+57863.key | 3 - .../Ksub.example.de.+005+57863.published | 10 - .../Ksub.example.de.+005+63530.depreciated | 10 + .../Ksub.example.de.+005+63530.key | 3 + .../sub.example.de/dlvset-sub.example.de. | 8 - .../de/example.de/sub.example.de/dnskey.db | 65 - .../de/example.de/sub.example.de/dnssec.conf | 17 - .../sub.example.de/dsset-sub.example.de. | 8 - .../sub.example.de/keyset-sub.example.de. 
| 29 - .../ksub.example.de.+005+06903.key | 3 - .../ksub.example.de.+005+06903.private | 10 - .../ksub.example.de.+005+31785.key | 3 - .../ksub.example.de.+005+31785.private | 10 - .../ksub.example.de.+005+40998.key | 3 - .../ksub.example.de.+005+40998.private | 10 - .../ksub.example.de.+005+56595.key | 3 - .../ksub.example.de.+005+56595.private | 10 - .../sub.example.de/parent-sub.example.de. | 7 - .../de/example.de/sub.example.de/zone.db | 25 - .../example.de/sub.example.de/zone.db.signed | 215 -- .../hierarchical/de/example.de/zone.db | 38 - .../hierarchical/de/example.de/zone.db.signed | 124 - .../hierarchical/de/example.de/zone.soa | 10 - .../hierarchical/de/keyset-example.de. | 19 - contrib/zkt/examples/hierarchical/dnssec.conf | 40 - .../hierarchical/log/zktlog-example.de. | 16 + .../hierarchical/log/zktlog-sub.example.de. | 33 + contrib/zkt/examples/hierarchical/named.conf | 102 - contrib/zkt/examples/hierarchical/zone.conf | 10 - contrib/zkt/examples/views/dnssec-extern.conf | 39 - contrib/zkt/examples/views/dnssec-intern.conf | 39 - .../zkt/examples/views/dnssec-signer-extern | 7 - .../zkt/examples/views/dnssec-signer-intern | 7 - contrib/zkt/examples/views/dnssec-zkt-extern | 7 - contrib/zkt/examples/views/dnssec-zkt-intern | 7 - .../example.net/Kexample.net.+005+10367.key | 3 - .../Kexample.net.+005+10367.private | 10 - .../example.net/Kexample.net.+005+14714.key | 3 - .../Kexample.net.+005+14714.published | 10 - .../example.net/Kexample.net.+005+23553.key | 1 - .../Kexample.net.+005+23553.private | 10 - .../Kexample.net.+005+35744.depreciated | 10 - .../example.net/Kexample.net.+005+35744.key | 4 - .../views/extern/example.net/dnskey.db | 36 - .../extern/example.net/dsset-example.net. | 2 - .../extern/example.net/keyset-example.net. 
| 10 - .../examples/views/extern/example.net/zone.db | 33 - .../views/extern/example.net/zone.db.signed | 114 - contrib/zkt/examples/views/extern/zkt-ext.log | 51 - .../example.net/Kexample.net.+005+00126.key | 1 - .../Kexample.net.+005+00126.private | 10 - .../Kexample.net.+005+05972.depreciated | 10 - .../example.net/Kexample.net.+005+05972.key | 1 - .../example.net/Kexample.net.+005+23375.key | 3 - .../Kexample.net.+005+23375.private | 10 - .../example.net/Kexample.net.+005+55745.key | 3 - .../Kexample.net.+005+55745.published | 10 - .../views/intern/example.net/dnskey.db | 36 - .../intern/example.net/dsset-example.net. | 2 - .../intern/example.net/keyset-example.net. | 10 - .../examples/views/intern/example.net/zone.db | 33 - .../views/intern/example.net/zone.db.signed | 114 - contrib/zkt/examples/views/intern/zkt-int.log | 192 -- contrib/zkt/examples/views/named.conf | 97 - contrib/zkt/examples/views/named.log | 17 - contrib/zkt/examples/views/root.hint | 45 - contrib/zkt/examples/views/viewtest.sh | 20 - .../zkt/examples/{dnssec-zkt.sh => zkt-ls.sh} | 4 +- .../{dnssec-signer.sh => zkt-signer.sh} | 4 +- contrib/zkt/log.c | 42 + contrib/zkt/log.h | 11 + contrib/zkt/man/dnssec-signer.8.pdf | Bin 12482 -> 0 bytes contrib/zkt/man/zkt-conf.8 | 247 ++ contrib/zkt/man/zkt-conf.8.html | 312 +++ contrib/zkt/man/zkt-conf.8.org | 227 ++ contrib/zkt/man/zkt-conf.8.pdf | Bin 0 -> 7672 bytes contrib/zkt/man/zkt-keyman.8 | 316 +++ .../{dnssec-zkt.8.html => zkt-keyman.8.html} | 276 +-- contrib/zkt/man/zkt-keyman.8.pdf | Bin 0 -> 9659 bytes contrib/zkt/man/zkt-ls.8 | 268 +++ contrib/zkt/man/zkt-ls.8.html | 382 +++ contrib/zkt/man/zkt-ls.8.pdf | Bin 0 -> 8086 bytes .../zkt/man/{dnssec-signer.8 => zkt-signer.8} | 94 +- ...dnssec-signer.8.html => zkt-signer.8.html} | 205 +- contrib/zkt/man/zkt-signer.8.pdf | Bin 0 -> 12620 bytes contrib/zkt/misc.c | 7 +- contrib/zkt/misc.h | 2 +- contrib/zkt/ncparse.c | 2 +- contrib/zkt/nscomm.c | 43 +- contrib/zkt/nscomm.h | 4 +- 
contrib/zkt/rollover.c | 8 +- contrib/zkt/tags | 279 ++- contrib/zkt/tcap.c | 343 +++ contrib/zkt/tcap.h | 29 + contrib/zkt/zconf.c | 516 ++-- contrib/zkt/zconf.h | 18 + contrib/zkt/zfparse.c | 289 +++ contrib/zkt/zfparse.h | 42 + contrib/zkt/zkt-conf.c | 340 +++ contrib/zkt/zkt-keyman.c | 722 ++++++ contrib/zkt/zkt-ls.c | 424 ++++ contrib/zkt/{dnssec-signer.c => zkt-signer.c} | 126 +- contrib/zkt/zkt.c | 69 +- contrib/zkt/zone.c | 6 +- 248 files changed, 6668 insertions(+), 10543 deletions(-) delete mode 100644 contrib/zkt/doc/KeyRollover.ps delete mode 100644 contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt delete mode 100644 contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt delete mode 100644 contrib/zkt/doc/rfc4641.txt rename contrib/zkt/examples/{flat => }/dnssec.conf (51%) delete mode 100755 contrib/zkt/examples/flat/dist.sh delete mode 100755 contrib/zkt/examples/flat/dnssec-signer.sh delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.depreciated delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.key delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.key delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.private create mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key create mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private create mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key create mode 100644 contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/dnskey.db delete mode 100644 
contrib/zkt/examples/flat/dyn.example.net/dnssec.conf delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/dsset-dyn.example.net. delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/keyset-dyn.example.net. create mode 100644 contrib/zkt/examples/flat/dyn.example.net/zktlog-dyn.example.net. delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/zone.db delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/zone.db.dsigned delete mode 100644 contrib/zkt/examples/flat/dyn.example.net/zone.org delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.key create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.private create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.key create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.private delete mode 100644 contrib/zkt/examples/flat/example.net/dnskey.db create mode 100644 contrib/zkt/examples/flat/example.net/dnssec.conf delete mode 100644 contrib/zkt/examples/flat/example.net/dsset-example.net. 
delete mode 100644 contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key delete mode 100644 contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private delete mode 100644 contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key delete mode 100644 contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private delete mode 100644 contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key delete mode 100644 contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.private delete mode 100644 contrib/zkt/examples/flat/example.net/keyset-example.net. create mode 100644 contrib/zkt/examples/flat/example.net/z.db create mode 100644 contrib/zkt/examples/flat/example.net/zktlog-example.net. delete mode 100644 contrib/zkt/examples/flat/example.net/zone.db delete mode 100644 contrib/zkt/examples/flat/example.net/zone.db.signed delete mode 100644 contrib/zkt/examples/flat/keysets/dlvset-sub.example.net. delete mode 100644 contrib/zkt/examples/flat/keysets/dsset-dyn.example.net. delete mode 100644 contrib/zkt/examples/flat/keysets/dsset-example.net. delete mode 100644 contrib/zkt/examples/flat/keysets/dsset-sub.example.net. delete mode 100644 contrib/zkt/examples/flat/keysets/keyset-dyn.example.net. delete mode 100644 contrib/zkt/examples/flat/keysets/keyset-example.net. delete mode 100644 contrib/zkt/examples/flat/keysets/keyset-sub.example.net. 
delete mode 100644 contrib/zkt/examples/flat/named.conf create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.key create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.published delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.key create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.private create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.key create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.private delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private delete mode 100644 contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net. delete mode 100644 contrib/zkt/examples/flat/sub.example.net/dnskey.db delete mode 100644 contrib/zkt/examples/flat/sub.example.net/dnssec.conf delete mode 100644 contrib/zkt/examples/flat/sub.example.net/dsset-sub.example.net. delete mode 100644 contrib/zkt/examples/flat/sub.example.net/keyset-sub.example.net. delete mode 100644 contrib/zkt/examples/flat/sub.example.net/maxhexsalt delete mode 100644 contrib/zkt/examples/flat/sub.example.net/maxhexsalt+1 create mode 100644 contrib/zkt/examples/flat/sub.example.net/zktlog-sub.example.net. 
delete mode 100644 contrib/zkt/examples/flat/sub.example.net/zone.db delete mode 100644 contrib/zkt/examples/flat/sub.example.net/zone.db.signed delete mode 100644 contrib/zkt/examples/flat/zkt.log delete mode 100644 contrib/zkt/examples/flat/zone.conf create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.key create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.published delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.key create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/dnskey.db delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de. 
delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/keyset-example.de. delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.key create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.private create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.key create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.private delete mode 100644 
contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.key create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.key create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.published delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.key create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.depreciated create mode 100644 
contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. 
delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/zone.db delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/zone.soa delete mode 100644 contrib/zkt/examples/hierarchical/de/keyset-example.de. delete mode 100644 contrib/zkt/examples/hierarchical/dnssec.conf create mode 100644 contrib/zkt/examples/hierarchical/log/zktlog-example.de. create mode 100644 contrib/zkt/examples/hierarchical/log/zktlog-sub.example.de. delete mode 100644 contrib/zkt/examples/hierarchical/named.conf delete mode 100644 contrib/zkt/examples/hierarchical/zone.conf delete mode 100644 contrib/zkt/examples/views/dnssec-extern.conf delete mode 100644 contrib/zkt/examples/views/dnssec-intern.conf delete mode 100755 contrib/zkt/examples/views/dnssec-signer-extern delete mode 100755 contrib/zkt/examples/views/dnssec-signer-intern delete mode 100755 contrib/zkt/examples/views/dnssec-zkt-extern delete mode 100755 contrib/zkt/examples/views/dnssec-zkt-intern delete mode 100644 contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.key delete mode 100644 contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.private delete mode 100644 contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.key delete mode 100644 contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.published delete mode 100644 contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.key delete mode 100644 contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.private delete mode 100644 contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.depreciated delete mode 100644 
contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.key delete mode 100644 contrib/zkt/examples/views/extern/example.net/dnskey.db delete mode 100644 contrib/zkt/examples/views/extern/example.net/dsset-example.net. delete mode 100644 contrib/zkt/examples/views/extern/example.net/keyset-example.net. delete mode 100644 contrib/zkt/examples/views/extern/example.net/zone.db delete mode 100644 contrib/zkt/examples/views/extern/example.net/zone.db.signed delete mode 100644 contrib/zkt/examples/views/extern/zkt-ext.log delete mode 100644 contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.key delete mode 100644 contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.private delete mode 100644 contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.depreciated delete mode 100644 contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.key delete mode 100644 contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.key delete mode 100644 contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.private delete mode 100644 contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.key delete mode 100644 contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.published delete mode 100644 contrib/zkt/examples/views/intern/example.net/dnskey.db delete mode 100644 contrib/zkt/examples/views/intern/example.net/dsset-example.net. delete mode 100644 contrib/zkt/examples/views/intern/example.net/keyset-example.net. 
delete mode 100644 contrib/zkt/examples/views/intern/example.net/zone.db delete mode 100644 contrib/zkt/examples/views/intern/example.net/zone.db.signed delete mode 100644 contrib/zkt/examples/views/intern/zkt-int.log delete mode 100644 contrib/zkt/examples/views/named.conf delete mode 100644 contrib/zkt/examples/views/named.log delete mode 100644 contrib/zkt/examples/views/root.hint delete mode 100755 contrib/zkt/examples/views/viewtest.sh rename contrib/zkt/examples/{dnssec-zkt.sh => zkt-ls.sh} (62%) rename contrib/zkt/examples/{dnssec-signer.sh => zkt-signer.sh} (63%) delete mode 100644 contrib/zkt/man/dnssec-signer.8.pdf create mode 100644 contrib/zkt/man/zkt-conf.8 create mode 100644 contrib/zkt/man/zkt-conf.8.html create mode 100644 contrib/zkt/man/zkt-conf.8.org create mode 100644 contrib/zkt/man/zkt-conf.8.pdf create mode 100644 contrib/zkt/man/zkt-keyman.8 rename contrib/zkt/man/{dnssec-zkt.8.html => zkt-keyman.8.html} (54%) create mode 100644 contrib/zkt/man/zkt-keyman.8.pdf create mode 100644 contrib/zkt/man/zkt-ls.8 create mode 100644 contrib/zkt/man/zkt-ls.8.html create mode 100644 contrib/zkt/man/zkt-ls.8.pdf rename contrib/zkt/man/{dnssec-signer.8 => zkt-signer.8} (84%) rename contrib/zkt/man/{dnssec-signer.8.html => zkt-signer.8.html} (61%) create mode 100644 contrib/zkt/man/zkt-signer.8.pdf create mode 100644 contrib/zkt/tcap.c create mode 100644 contrib/zkt/tcap.h create mode 100644 contrib/zkt/zfparse.c create mode 100644 contrib/zkt/zfparse.h create mode 100644 contrib/zkt/zkt-conf.c create mode 100644 contrib/zkt/zkt-keyman.c create mode 100644 contrib/zkt/zkt-ls.c rename contrib/zkt/{dnssec-signer.c => zkt-signer.c} (88%) diff --git a/CHANGES b/CHANGES index 3874fbb0b9..9d41309dde 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2922 [contrib] Update zkt to version 1.0. + 2921. [bug] The resolver could attempt to destroy a fetch context to soon. [RT #19878] 
diff --git a/contrib/zkt/CHANGELOG b/contrib/zkt/CHANGELOG
index 423797f990..21af332623 100644
--- a/contrib/zkt/CHANGELOG
+++ b/contrib/zkt/CHANGELOG
@@ -1,3 +1,112 @@ +zkt 1.0 -- 15. June 2010 + +* feat "/dev/urandom" check added to checkconfig() + +* feat Config compability switch (-C) added to zkt-conf + +* feat zkt-ls has a new switch -s to change sorting of domains from + subdomain before parent to subdomain below the parent + +* feat "zkt-ls -T" prints only parent trust anchor + +zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) ) + +* feat Several config parameter are printed now in a more consistent and + user friendly form. + SerialFormat "Incremental" could be abbreviated as "inc" on input. + +* bug use of AC_ARG_ENABLE macros changed in a way that it is possible + to use it as a "--disable-FEATURE" switch. + +* port no longer checking for malloc() in configue script. + Mainly because it checks only if malloc(0) is allowed and we do + not need this. + +* port --disable-color-mode added to configure script + +* bug Makro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac + +* misc man page zkt-keyman added + +* misc New command zkt-keyman added as replacement for dnssec-zkt's key + management functionality + +* misc man page zkt-ls added + +* port Check for ncurses added to Makefile.in + +* misc Color mode (Option -C) added to zkt-ls (experimental) + New source file tcap.c. + +* misc Deprecate "single linked list" version of ZKT. The binary tree + version is the default for years, so the VERSION string does no + longer contain a "T". Now, if someone insist on the single link + list version (configure --disable-tree) a "S" is added to the + version string. + Anyway, the code for the single link list version does no longer + have the same functionality and will be removed in one of the later + releases. + +* misc New command zkt-ls added as replacement for dnssec-zkt's key + listing functionality + +* func New key algorithms RSASHA256 and RSAHSHA512 added to dki.[ch] + and zconf.c + New parameter NSEC3 added. Now it's possible to configure + an NSEC3_OPTOUT zone. 
+ +* bug Token parsing function gettok() fixed to recognize tokens + with dashes ("zone-statistics" was seen as "zone"). + Thanks to Andreas Baess for finding this bug. + +* bug Fixed bug in (re)salting dynamic zones. + sig_zone() and gensalt() needs parameter change for this + +* func New option -a added to zkt-conf + +* func In zconf.c CONF_TIMEINT parameter are now able to recognize + "unset" values (which is represented internaly as 0) + +* func Set Max_TTL to sig lifetime for dynamic zones or if Max_TTL + is less than 1. + max_ttl checks in checkconfig() fixed. + +* func printconfigdiff() added to zconf.c and used by zkt-conf. + Now local configs are printed as diff to site wide config. + +* misc man page zkt-signer.8 changed to new command syntax + +* func Per domain logging added. Use parameter LogDomainDir to + enable it. For more details see file README.logging. + +* func distribute.sh supports new action type "distkeys" but is + currently not used + +* misc LOG_FNAMETMPL changed and moved from config_zkt.h to log.h + +* misc Default soa serial format changed from "Incremental" + to "Unixtime" + +* func dnssec-signer command renamed to zkt-signer. Man page updated. + +* func New command zkt-conf added as replacement for dnssec-zkt -Z + +* misc timeint2str() is now global (zconf.c) + +* func zfparse.c - a rudimentary zone file parser + scans minimum and maximum ttl values; adds $INCLUDE dnskey.db + +zkt 0.99d -- Not released + +* func Option SIG_DnsKeyKSK for DNSKEY signing with KSK only + added (only useful with BIND9.7) + +* misc For BIND 9.7 compability: + Run dnssec-signzone in compability mode ("-C") if + SigGenerateDS is true. + Run dnssec-keygen in compability mode ("-C -q") + Add option -u to dnssec-signzone if NSEC3 chaining is requested + zkt 0.99c -- 1. Aug 2009 * misc dnssec-signer command line option vars changed to storage 
@@ -504,7 +613,7 @@ zkt 0.63 -- 14. June 2005 zkt 0.62 -- 13. May 2005 * func dnssec-signer: Option -o added. - Now it works a little bit more like dnssec-signzone. + Now it works a bit more like dnssec-signzone. * func strlist.c: prepstrlist and unprepstrlist functions get a second parameter for the delimiter. diff --git a/contrib/zkt/Makefile.in b/contrib/zkt/Makefile.in index 7c61450e50..21219cd9d6 100644 --- a/contrib/zkt/Makefile.in +++ b/contrib/zkt/Makefile.in @@ -18,23 +18,44 @@ CFLAGS += -Wall #-DDBG CFLAGS += -Wmissing-prototypes CFLAGS += $(PROFILE) $(OPTIM) LDFLAGS += $(PROFILE) +LIBS = @LIBS@ PROJECT = @PACKAGE_TARNAME@ VERSION = @PACKAGE_VERSION@ HEADER = dki.h misc.h domaincmp.h zconf.h config_zkt.h \ config.h.in strlist.h zone.h zkt.h debug.h \ - ncparse.h log.h rollover.h nscomm.h soaserial.h + ncparse.h log.h rollover.h nscomm.h soaserial.h \ + zfparse.h tcap.h SRC_ALL = dki.c misc.c domaincmp.c zconf.c log.c OBJ_ALL = $(SRC_ALL:.c=.o) -SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c \ +SRC_SIG = zkt-signer.c zone.c ncparse.c rollover.c \ nscomm.c soaserial.c OBJ_SIG = $(SRC_SIG:.c=.o) -MAN_SIG = dnssec-signer.8 -PROG_SIG= dnssec-signer +MAN_SIG = zkt-signer.8 +PROG_SIG= zkt-signer -SRC_ZKT = dnssec-zkt.c strlist.c zkt.c +SRC_CNF = zkt-conf.c zfparse.c +OBJ_CNF = $(SRC_CNF:.c=.o) +MAN_CNF = zkt-conf.8 +PROG_CNF= zkt-conf + +# shared sources +SRC_KLS = strlist.c zkt.c tcap.c +OBJ_KLS = $(SRC_KLS:.c=.o) + +SRC_KEY = zkt-keyman.c +OBJ_KEY = $(SRC_KEY:.c=.o) $(OBJ_KLS) +MAN_KEY = zkt-keyman.8 +PROG_KEY= zkt-keyman + +SRC_LS = zkt-ls.c +OBJ_LS = $(SRC_LS:.c=.o) $(OBJ_KLS) +MAN_LS = zkt-ls.8 +PROG_LS= zkt-ls + +SRC_ZKT = dnssec-zkt.c strlist.c zkt.c tcap.c OBJ_ZKT = $(SRC_ZKT:.c=.o) MAN_ZKT = dnssec-zkt.8 PROG_ZKT= dnssec-zkt 
@@ -44,15 +65,20 @@ OBJ_SER = $(SRC_SER:.c=.o) #MAN_SER = zkt-soaserial.8 PROG_SER= zkt-soaserial -MAN_ALL = $(MAN_ZKT) $(MAN_SIG) #$(MAN_SER) +SRC_PRG = $(SRC_SIG) $(SRC_CNF) $(SRC_ZKT) $(SRC_LS) $(SRC_SER) $(SRC_KEY) +OBJ_PRG = $(SRC_PRG:.c=.o) +PROG_PRG= $(PROG_SIG) $(PROG_CNF) $(PROG_ZKT) $(PROG_LS) $(PROG_SER) $(PROG_KEY) + +MAN_ALL = $(MAN_ZKT) $(MAN_SIG) $(MAN_LS) $(MAN_CNF) $(MAN_KEY) OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \ configure examples -SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(OTHER) \ +SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_ZKT) $(SRC_KLS) \ + $(SRC_LS) $(SRC_KEY) $(SRC_SER) $(OTHER) \ man configure.ac config.h.in doc #MNTSAVE = $(SAVE) configure.ac config.h.in doc -all: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) +all: $(PROG_CNF) $(PROG_ZKT) $(PROG_LS) $(PROG_SIG) $(PROG_SER) $(PROG_KEY) macos: ## for MAC OS (depreciated) macos: @@ -68,17 +94,27 @@ linux: $(PROG_SIG): $(OBJ_SIG) $(OBJ_ALL) Makefile $(CC) $(LDFLAGS) $(OBJ_SIG) $(OBJ_ALL) -o $(PROG_SIG) + ln -f $(PROG_SIG) dnssec-signer + +$(PROG_CNF): $(OBJ_CNF) $(OBJ_ALL) Makefile + $(CC) $(LDFLAGS) $(OBJ_CNF) $(OBJ_ALL) -o $(PROG_CNF) + +$(PROG_KEY): $(OBJ_KEY) $(OBJ_ALL) Makefile + $(CC) $(LDFLAGS) $(LIBS) $(OBJ_KEY) $(OBJ_ALL) -o $(PROG_KEY) $(PROG_ZKT): $(OBJ_ZKT) $(OBJ_ALL) Makefile - $(CC) $(LDFLAGS) $(OBJ_ZKT) $(OBJ_ALL) -o $(PROG_ZKT) + $(CC) $(LDFLAGS) $(LIBS) $(OBJ_ZKT) $(OBJ_ALL) -o $(PROG_ZKT) + +$(PROG_LS): $(OBJ_LS) $(OBJ_ALL) Makefile + $(CC) $(LDFLAGS) $(LIBS) $(OBJ_LS) $(OBJ_ALL) -o $(PROG_LS) $(PROG_SER): $(OBJ_SER) Makefile $(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER) install: ## install binaries in prefix/bin -install: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) +install: $(PROG_PRG) test -d $(prefix)/bin || mkdir -p $(prefix)/bin - cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(prefix)/bin/ + cp dnssec-signer $(PROG_PRG) $(prefix)/bin/ install-man: ## install man pages in mandir install-man: 
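Review bot: The new link rules for `$(PROG_KEY)`, `$(PROG_ZKT)` and `$(PROG_LS)` put `$(LIBS)` before the object files, so a linker that resolves libraries in command-line order (static archives, or a toolchain that links with `--as-needed`) can discard `-lncurses` before any object has referenced it and the link ends with undefined references. Libraries belong after the objects: `$(CC) $(LDFLAGS) $(OBJ_KEY) $(OBJ_ALL) $(LIBS) -o $(PROG_KEY)`, and the same order in the other two rules. Separately, `install` copies a file named `dnssec-signer` that no target declares; it only exists as a side effect of the `ln -f` in the `$(PROG_SIG)` recipe, so a one-line comment there such as `# compatibility name, also copied by install` would make the coupling visible.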
@@ -88,13 +124,13 @@ install-man: tags: ## create tags file -tags: $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) - ctags $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) +#tags: $(SRC_ALL) $(SRC_PRG) +tags: $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KEY) $(SRC_LS) $(SRC_SER) $(SRC_KLS) + ctags $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KEY) $(SRC_LS) $(SRC_SER) $(SRC_KLS) clean: ## remove objectfiles and binaries clean: - -rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL) \ - $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) + -rm -f $(OBJ_PRG) $(OBJ_ALL) $(PROG_PRG) distclean: ## remove objectfiles, binaries and distribution files distclean: clean 
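Review bot: The rewritten `clean` recipe removes `$(OBJ_PRG) $(OBJ_ALL) $(PROG_PRG)` but not the `dnssec-signer` hard link that the `$(PROG_SIG)` rule now creates with `ln -f`, so a signer binary from the previous build survives `make clean`. Because the link keeps the old inode alive, that stale executable stays runnable under the legacy name until the next successful relink. Listing it explicitly closes the gap: `-rm -f $(OBJ_PRG) $(OBJ_ALL) $(PROG_PRG) dnssec-signer`.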
@@ -108,16 +144,27 @@ configure: ## create configure script configure: configure.ac Makefile.in autoconf && autoheader -man: man/$(MAN_ZKT).html man/$(MAN_ZKT).pdf man/$(MAN_SIG).html man/$(MAN_SIG).pdf +man: man/$(MAN_KEY).html man/$(MAN_KEY).pdf \ + man/$(MAN_SIG).html man/$(MAN_SIG).pdf \ + man/$(MAN_LS).html man/$(MAN_LS).pdf \ + man/$(MAN_CNF).html man/$(MAN_CNF).pdf -man/$(MAN_ZKT).html: man/$(MAN_ZKT) - groff -Thtml -man -mhtml man/$(MAN_ZKT) > man/$(MAN_ZKT).html -man/$(MAN_ZKT).pdf: man/$(MAN_ZKT) - groff -Tps -man man/$(MAN_ZKT) | ps2pdf - man/$(MAN_ZKT).pdf +man/$(MAN_KEY).html: man/$(MAN_KEY) + groff -Thtml -man -mhtml man/$(MAN_KEY) > man/$(MAN_KEY).html +man/$(MAN_KEY).pdf: man/$(MAN_KEY) + groff -Tps -man man/$(MAN_KEY) | ps2pdf - man/$(MAN_KEY).pdf +man/$(MAN_LS).html: man/$(MAN_LS) + groff -Thtml -man -mhtml man/$(MAN_LS) > man/$(MAN_LS).html +man/$(MAN_LS).pdf: man/$(MAN_LS) + groff -Tps -man man/$(MAN_LS) | ps2pdf - man/$(MAN_LS).pdf man/$(MAN_SIG).html: man/$(MAN_SIG) groff -Thtml -man -mhtml man/$(MAN_SIG) > man/$(MAN_SIG).html man/$(MAN_SIG).pdf: man/$(MAN_SIG) groff -Tps -man man/$(MAN_SIG) | ps2pdf - man/$(MAN_SIG).pdf +man/$(MAN_CNF).html: man/$(MAN_CNF) + groff -Thtml -man -mhtml man/$(MAN_CNF) > man/$(MAN_CNF).html +man/$(MAN_CNF).pdf: man/$(MAN_CNF) + groff -Tps -man man/$(MAN_CNF) | ps2pdf - man/$(MAN_CNF).pdf $(PROJECT)-$(VERSION).tar.gz: $(SAVE) 
@@ -128,31 +175,45 @@ $(PROJECT)-$(VERSION).tar.gz: $(SAVE) ) depend: - $(CC) -MM $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(SRC_ALL) + $(CC) -MM $(CFLAGS) $(SRC_PRG) $(SRC_ALL) help: @grep "^.*:[ ]*##" Makefile ## all dependicies #:r !make depend -#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c -dnssec-signer.o: dnssec-signer.c config_zkt.h zconf.h debug.h misc.h \ +#gcc -MM -g -DHAVE_CONFIG_H -I. -Wall -Wmissing-prototypes zkt-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c zkt-conf.c zfparse.c dnssec-zkt.c strlist.c zkt.c tcap.c zkt-ls.c strlist.c zkt.c tcap.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c +zkt-signer.o: zkt-signer.c config.h config_zkt.h zconf.h debug.h misc.h \ ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h -zone.o: zone.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h \ - zone.h +zone.o: zone.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \ + dki.h zone.h ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h -rollover.o: rollover.c config_zkt.h zconf.h debug.h misc.h zone.h dki.h \ - log.h rollover.h -nscomm.o: nscomm.c config_zkt.h zconf.h nscomm.h zone.h dki.h log.h \ - misc.h debug.h -soaserial.o: soaserial.c config_zkt.h zconf.h log.h debug.h soaserial.h -dnssec-zkt.o: dnssec-zkt.c config_zkt.h debug.h misc.h zconf.h strlist.h \ - dki.h zkt.h +rollover.o: rollover.c config.h config_zkt.h zconf.h debug.h misc.h \ + zone.h dki.h log.h rollover.h +nscomm.o: nscomm.c config.h config_zkt.h zconf.h nscomm.h zone.h dki.h \ + log.h misc.h debug.h +soaserial.o: soaserial.c config.h config_zkt.h zconf.h log.h debug.h \ + soaserial.h +zkt-conf.o: zkt-conf.c config.h config_zkt.h debug.h misc.h zconf.h \ + zfparse.h +zfparse.o: zfparse.c config.h config_zkt.h zconf.h log.h debug.h \ + zfparse.h +dnssec-zkt.o: dnssec-zkt.c config.h config_zkt.h debug.h misc.h zconf.h \ + strlist.h dki.h zkt.h 
strlist.o: strlist.c strlist.h -zkt.o: zkt.c config_zkt.h dki.h misc.h zconf.h strlist.h zkt.h -zkt-soaserial.o: zkt-soaserial.c config_zkt.h -dki.o: dki.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h -misc.o: misc.c config_zkt.h zconf.h log.h debug.h misc.h +zkt.o: zkt.c config.h config_zkt.h dki.h misc.h zconf.h strlist.h \ + domaincmp.h tcap.h zkt.h +tcap.o: tcap.c config.h config_zkt.h tcap.h +zkt-ls.o: zkt-ls.c config.h config_zkt.h debug.h misc.h zconf.h strlist.h \ + dki.h tcap.h zkt.h +strlist.o: strlist.c strlist.h +zkt.o: zkt.c config.h config_zkt.h dki.h misc.h zconf.h strlist.h \ + domaincmp.h tcap.h zkt.h +tcap.o: tcap.c config.h config_zkt.h tcap.h +zkt-soaserial.o: zkt-soaserial.c config.h config_zkt.h +dki.o: dki.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \ + dki.h +misc.o: misc.c config.h config_zkt.h zconf.h log.h debug.h misc.h domaincmp.o: domaincmp.c domaincmp.h -zconf.o: zconf.c config_zkt.h debug.h misc.h zconf.h dki.h -log.o: log.c config_zkt.h misc.h zconf.h debug.h log.h +zconf.o: zconf.c config.h config_zkt.h debug.h misc.h zconf.h dki.h +log.o: log.c config.h config_zkt.h misc.h zconf.h debug.h log.h diff --git a/contrib/zkt/README b/contrib/zkt/README index de95c08e36..df1a3c609d 100644 --- a/contrib/zkt/README +++ b/contrib/zkt/README @@ -2,8 +2,8 @@ # README dnssec zone key tool # # (c) March 2005 - Aug 2009 by Holger Zuleger hznet -# (c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho) -# (c) for zconf.c by Jeroen Masar & Holger Zuleger +# (c) domaincmp() Aug 2005 by Karle Boss & H. Zuleger (kaho) +# (c) zconf.c by Jeroen Masar & Holger Zuleger # For more information about the DNSSEC Zone Key Tool please 
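Review bot: The regenerated dependency list in the Makefile.in hunk has no `zkt-keyman.o:` entry, although `zkt-keyman.c` is added to `SRC_KEY` and `SRC_PRG` in this commit; the `gcc -MM` command recorded in the comment above the list does not name `zkt-keyman.c` either, which suggests the list was produced before that source was added to `SRC_PRG`. Without the entry, a change to a shared header will not rebuild `zkt-keyman.o`, so the key-management binary can be linked from an object compiled against older declarations. Re-running `make depend` with the current `SRC_PRG` and pasting its output would add the missing line; I would not hand-write it, since the headers `zkt-keyman.c` includes are not visible here. The duplicated `strlist.o`, `zkt.o` and `tcap.o` lines are harmless but would disappear in the same regeneration if the shared sources were listed once.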
@@ -12,35 +12,41 @@ have a look at "http://www.hznet.de/dns/zkt/" You can also subscribe to the zkt-users@sourceforge.net mailing list on the following website: https://lists.sourceforge.net/lists/listinfo/zkt-users -The complete software stands under BSD licence (see LICENCE file) +The ZKT software is licenced under BSD (see LICENCE file) To build the software: a) Get the current version of zkt - $ wget http://www.hznet.de/dns/zkt/zkt-0.99c.tar.gz + $ wget http://www.hznet.de/dns/zkt/zkt-1.0.tar.gz b) Unpack - $ tar xzvf zkt-0.99c.tar.gz + $ tar xzvf zkt-1.0.tar.gz -c) Change to dir - $ cd zkt-0.99c +c) Change to source directory + $ cd zkt-1.0 d) Run configure script $ ./configure -e) (optional) Edit config_zkt.h - -f) Compile +e) Compile $ make -g) Install +f) Install # make install # make install-man -h) (optional) Install and modify the default dnssec.conf file - $ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf + +Prepare your setup: +a) (optional) Install or rebuild the default dnssec.conf file + $ zkt-conf -d -w # Install new file + or + $ zkt-conf -s -w # rebuild existing file + +b) (optional) Change default parameters + $ zkt-conf -s -O "Zonedir: /var/named/zones" -w + or use your prefered editor $ vi /var/named/dnssec.conf -i) Prepare your zones for zkt - Have a look at the presentation I've held at the DE-CIX technical - meeting (http://www.hznet.de/dns/dnssec-decix050916.pdf) - It will give you an overview of how to configure a zone for zkt usage. +c) Prepare one of your zone for zkt + $ cd /var/name/zones/net/example.net # change dir to zone directory + $ cp zone.db # copy and rename existing zone file to "zone.db" + $ zkt-conf -w zone.db # create local dnssec.conf file and include dnskey.db into zone file diff --git a/contrib/zkt/README.logging b/contrib/zkt/README.logging index dc9293a9ca..7a069cbe5d 100644 --- a/contrib/zkt/README.logging +++ b/contrib/zkt/README.logging 
@@ -3,6 +3,7 @@ # # Introduction into the new logging feature # available since v0.96 +# Per domain logging is enabled since v1.0 # In previous version of dnssec-signer every message was written @@ -10,8 +11,8 @@ to the default stdout and stderr channels, and the logging itself was handled by a redirection of those chanels to the logger command or to a file. -Now, since version v0.96, the dnssec-signer command is able to log all -messages by itself. File and SYSLOG logging is supported. +Since v0.96, the dnssec-signer command is able to log all messages +by itself. File and SYSLOG logging is supported. To enable the logging into a file channel, you have to specify the file or directory name via the commandline option -L (--logfile) @@ -19,7 +20,14 @@ or via the config file parameter "LogFile". LogFile: ""|""|"" (default is "") If a file is specified, than each run of dnssec-signer will append the messages to that file. If a directory is specified, than a file with a -name of zkt-.log" will be created on each dnssec-signer run. +name of zkt-+log" will be created on each dnssec-signer run. + +Since v1.0 per domain logging is possible. +If the parameter "LogDomainDir:" is not empty, than the domain specific messages +are written to a separate log file with a name like "zkt-+log" in the +directory specified by the parameter. +If "LogDomainDir:" is set to ".", then the logfile will be created in the domain +directory of the zone. Logging into the syslog channel could be enabled via the config file parameter "SyslogFacility". @@ -95,5 +103,3 @@ Some recomended and useful logging settings SyslogFacility: USER SyslogLevel: NOTICE VerboseLog: 2 - -- diff --git a/contrib/zkt/TODO b/contrib/zkt/TODO index 12abdb059b..778f2c770f 100644 --- a/contrib/zkt/TODO +++ b/contrib/zkt/TODO 
@@ -1,7 +1,9 @@ TODO list as of zkt-0.99 general: - Renaming of the tools to zkt-* ? + Renaming to zkt-? and split of the functions of dnssec-zkt to + separate commands + Fixed in zkt-1.0 (zkt-conf command) dnssec-zkt: feat option to specify the key age as remaining lifetime @@ -23,14 +25,22 @@ dnssec-signer: The dnssec maintainer is responsible for the lifeliness of the data in the hosted domain. In other words: It's highly recommended to use the - option -r when you use dnssec-signer on a production zone. + option -r when you use zkt-signer on a production zone. Then the time of propagation is (more or less) equal to the timestamp of the zone.db.signed file. - bug The max_TTL and Key_TTL parameter should be set to the value found - in the zone. A mechanism for setting up a dnssec.conf file for the - zone specific TTL values is needed. + bug The max_TTL parameter should be set to the value found + in the zone. A mechanism for setting up a dnssec.conf file + for the zone specific TTL values is needed. + Fixed in zkt-1.0 (zkt-conf command) + +zkt-conf: + port Option -C (compability) to create older config files + misc Change syntax of config parameters to a more uniq form (e.g. no "_" char) + +zkt-rollover: + feat New command to roll keys independent of zone signing + (Usefull for dynamic zones managed by BIND9.7) dki: feat Use dynamic memory for dname in dki_t - diff --git a/contrib/zkt/config.h.in b/contrib/zkt/config.h.in index 76b786b15f..db57743e88 100644 --- a/contrib/zkt/config.h.in +++ b/contrib/zkt/config.h.in 
@@ -9,12 +9,18 @@ /* Define to 1 if the `closedir' function returns void instead of `int'. */ #undef CLOSEDIR_VOID +/* zkt-ls with colors */ +#undef COLOR_MODE + /* set path of config file (defaults to /var/named) */ #undef CONFIG_PATH /* Define to 1 if you have the `alarm' function. */ #undef HAVE_ALARM +/* Define to 1 if you have the header file. */ +#undef HAVE_CURSES_H + /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_DIRENT_H @@ -40,9 +46,8 @@ /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H -/* Define to 1 if your system has a GNU libc compatible `malloc' function, and - to 0 otherwise. */ -#undef HAVE_MALLOC +/* Define to 1 if you have the `ncurses' library (-lncurses). */ +#undef HAVE_LIBNCURSES /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H @@ -122,6 +127,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H +/* Define to 1 if you have the header file. */ +#undef HAVE_TERM_H + /* Define to 1 if you have the `timegm' function. */ #undef HAVE_TIMEGM @@ -171,8 +179,8 @@ /* Define to the version of this package. */ #undef PACKAGE_VERSION -/* print age of year */ -#undef PRINT_AGE_OF_YEAR +/* print age with year */ +#undef PRINT_AGE_WITH_YEAR /* print out timezone */ #undef PRINT_TIMEZONE @@ -192,6 +200,9 @@ /* Use TREE data structure for dnssec-zkt */ #undef USE_TREE +/* ZKT copyright string */ +#undef ZKT_COPYRIGHT + /* ZKT version string */ #undef ZKT_VERSION @@ -201,9 +212,6 @@ /* Define to `int' if doesn't define. */ #undef gid_t -/* Define to rpl_malloc if the replacement function should be used. */ -#undef malloc - /* Define to `unsigned int' if does not define. */ #undef size_t diff --git a/contrib/zkt/config_zkt.h b/contrib/zkt/config_zkt.h index b1035293a4..21ca84069c 100644 --- a/contrib/zkt/config_zkt.h +++ b/contrib/zkt/config_zkt.h 
@@ -37,10 +37,6 @@ #ifndef CONFIG_ZKT_H # define CONFIG_ZKT_H -#ifndef LOG_FNAMETMPL -# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log" -#endif - /* don't change anything below this */ /* the values here are determined or settable via the ./configure script */ @@ -52,6 +48,10 @@ /* # define HAVE_GETOPT_LONG 1 */ /* # define HAVE_STRFTIME 1 */ +#ifndef COLOR_MODE +# define COLOR_MODE 1 +#endif + #ifndef TTL_IN_KEYFILE_ALLOWED # define TTL_IN_KEYFILE_ALLOWED 1 #endif diff --git a/contrib/zkt/configure b/contrib/zkt/configure index 8d4d49639d..6f34793f0a 100755 --- a/contrib/zkt/configure +++ b/contrib/zkt/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.61 for ZKT 0.99c. +# Generated by GNU Autoconf 2.61 for ZKT 1.0. # # Report bugs to . # @@ -574,11 +574,11 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='ZKT' PACKAGE_TARNAME='zkt' -PACKAGE_VERSION='0.99c' -PACKAGE_STRING='ZKT 0.99c' +PACKAGE_VERSION='1.0' +PACKAGE_STRING='ZKT 1.0' PACKAGE_BUGREPORT='Holger Zuleger hznet.de' -ac_unique_file="dnssec-zkt.c" +ac_unique_file="zkt-signer.c" # Factoring default headers for most tests. ac_includes_default="\ #include @@ -1179,7 +1179,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ZKT 0.99c to adapt to many kinds of systems. +\`configure' configures ZKT 1.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1240,15 +1240,16 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ZKT 0.99c:";; + short | recursive ) echo "Configuration of ZKT 1.0:";; esac cat <<\_ACEOF Optional Features: --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --disable-color-mode zkt without colors --enable-print-timezone print out timezone - --enable-print-age print age of year + --enable-print-age print age with year --enable-log-progname log with progname --disable-log-timestamp do not log with timestamp --disable-log-level do not log with level @@ -1259,6 +1260,11 @@ Optional Features: --disable-tree use single linked list instead of binary tree data structure for dnssec-zkt +Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --without-curses Ignore presence of curses and disable color mode + Some influential environment variables: CC C compiler command CFLAGS C compiler flags @@ -1333,7 +1339,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ZKT configure 0.99c +ZKT configure 1.0 generated by GNU Autoconf 2.61 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -1347,7 +1353,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ZKT $as_me 0.99c, which was +It was created by ZKT $as_me 1.0, which was generated by GNU Autoconf 2.61. Invocation command line was $ $0 $@ 
@@ -2674,7 +2680,6 @@ fi if test -z "$SIGNZONE_PROG" ; then -# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***]) { echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5 echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;} else @@ -2686,7 +2691,7 @@ cat >>confdefs.h <<_ACEOF _ACEOF # define BIND_VERSION in config.h.in - bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"` + bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[0-9]\012" | sed "s/^\(...\).*/\1/"` cat >>confdefs.h <<_ACEOF #define BIND_VERSION $bind_version 
@@ -3585,13 +3590,118 @@ fi ### define configure arguments +# Check whether --enable-color_mode was given. +if test "${enable_color_mode+set}" = set; then + enableval=$enable_color_mode; +fi + +color_mode=1 +if test "$enable_color_mode" = "no"; then + color_mode=0 +fi + + + +# Check whether --with-curses was given. +if test "${with_curses+set}" = set; then + withval=$with_curses; +fi + + +if test "x$with_curses" != "xno"; then + +{ echo "$as_me:$LINENO: checking for tgetent in -lncurses" >&5 +echo $ECHO_N "checking for tgetent in -lncurses... $ECHO_C" >&6; } +if test "${ac_cv_lib_ncurses_tgetent+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lncurses $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char tgetent (); +int +main () +{ +return tgetent (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_lib_ncurses_tgetent=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_ncurses_tgetent=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_lib_ncurses_tgetent" >&5 +echo "${ECHO_T}$ac_cv_lib_ncurses_tgetent" >&6; } +if test $ac_cv_lib_ncurses_tgetent = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNCURSES 1 +_ACEOF + + LIBS="-lncurses $LIBS" + +fi + +else + HAVE_LIB_NCURSES=0; color_mode=0 +fi + + + +cat >>confdefs.h <<_ACEOF +#define COLOR_MODE $color_mode +_ACEOF + + + # Check whether --enable-printtimezone was given. if test "${enable_printtimezone+set}" = set; then - enableval=$enable_printtimezone; printtimezone=$enableval + enableval=$enable_printtimezone; fi printtimezone=0 -test "$printtimezone" = yes && printtimezone=1 +if test "$enable_printtimezone" = "yes"; then + printtimezone=1 +fi + cat >>confdefs.h <<_ACEOF #define PRINT_TIMEZONE $printtimezone @@ -3600,24 +3710,31 @@ _ACEOF # Check whether --enable-printyear was given. if test "${enable_printyear+set}" = set; then - enableval=$enable_printyear; printyear=$enableval + enableval=$enable_printyear; fi -printyear=0 test "$printyear" = yes && printyear=1 +printyear=0 +if test "$enable_printyear" = "yes"; then + printyear=1 +fi + cat >>confdefs.h <<_ACEOF -#define PRINT_AGE_OF_YEAR $printyear +#define PRINT_AGE_WITH_YEAR $printyear _ACEOF # Check whether --enable-logprogname was given. if test "${enable_logprogname+set}" = set; then - enableval=$enable_logprogname; logprogname=$enableval + enableval=$enable_logprogname; fi logprogname=0 -test "$logprogname" = yes && logprogname=1 +if test "$enable_logprogname" = "yes"; then + logprogname=1 +fi + cat >>confdefs.h <<_ACEOF #define LOG_WITH_PROGNAME $logprogname 
@@ -3626,11 +3743,14 @@ _ACEOF # Check whether --enable-logtimestamp was given. if test "${enable_logtimestamp+set}" = set; then - enableval=$enable_logtimestamp; logtimestamp=$enableval + enableval=$enable_logtimestamp; fi logtimestamp=1 -test "$logtimestamp" = no && logtimestamp=0 +if test "$enable_logtimestamp" = "no"; then + logtimestamp=0 +fi + cat >>confdefs.h <<_ACEOF #define LOG_WITH_TIMESTAMP $logtimestamp @@ -3639,11 +3759,14 @@ _ACEOF # Check whether --enable-loglevel was given. if test "${enable_loglevel+set}" = set; then - enableval=$enable_loglevel; loglevel=$enableval + enableval=$enable_loglevel; fi loglevel=1 -test "$loglevel" = no && loglevel=0 +if test "$enable_loglevel" = "no"; then + loglevel=0 +fi + cat >>confdefs.h <<_ACEOF #define LOG_WITH_LEVEL $loglevel @@ -3652,11 +3775,14 @@ _ACEOF # Check whether --enable-ttl_in_keyfile was given. if test "${enable_ttl_in_keyfile+set}" = set; then - enableval=$enable_ttl_in_keyfile; ttl_in_keyfile=$enableval + enableval=$enable_ttl_in_keyfile; fi ttl_in_keyfile=1 -test "$ttl_in_keyfile" = no && ttl_in_keyfile=0 +if test "$enable_ttl_in_keyfile" = "no"; then + ttl_in_keyfile=0 +fi + cat >>confdefs.h <<_ACEOF #define TTL_IN_KEYFILE_ALLOWED $ttl_in_keyfile @@ -3686,7 +3812,7 @@ _ACEOF usetree=1 -t="T" +t="" # Check whether --enable-tree was given. if test "${enable_tree+set}" = set; then enableval=$enable_tree; usetree=$enableval @@ -3695,7 +3821,7 @@ fi if test "$usetree" = no then usetree=0 - t="" + t="S" fi cat >>confdefs.h <<_ACEOF @@ -3705,13 +3831,17 @@ _ACEOF cat >>confdefs.h <<_ACEOF -#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de" +#define ZKT_VERSION "$t$PACKAGE_VERSION" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define ZKT_COPYRIGHT "(c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de" _ACEOF ### Checks for libraries. - ### Checks for header files. 
@@ -4140,7 +4270,9 @@ fi -for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h + + +for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h term.h curses.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then 
@@ -4752,241 +4884,6 @@ esac fi -for ac_header in stdlib.h -do -as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - { echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -else - # Is the header compilable? -{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_header_compiler=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6; } - -# Is the header present? -{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include <$ac_header> -_ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_header_preproc=no -fi - -rm -f conftest.err conftest.$ac_ext -{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6; } - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in - yes:no: ) - { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} - ac_header_preproc=yes - ;; - no:yes:* ) - { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 -echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 -echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 -echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} - { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 -echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - ( cat <<\_ASBOX -## -------------------------------------- ## -## Report this to Holger Zuleger hznet.de ## -## -------------------------------------- ## -_ASBOX - ) | sed "s/^/$as_me: WARNING: /" >&2 - ;; -esac -{ echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - eval "$as_ac_Header=\$ac_header_preproc" -fi -ac_res=`eval echo '${'$as_ac_Header'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } - -fi -if test `eval echo '${'$as_ac_Header'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - -{ echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5 -echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6; } -if test "${ac_cv_func_malloc_0_nonnull+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test "$cross_compiling" = yes; then - ac_cv_func_malloc_0_nonnull=no -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -#if defined STDC_HEADERS || defined HAVE_STDLIB_H -# include -#else -char *malloc (); -#endif - -int -main () -{ -return ! malloc (0); - ; - return 0; -} -_ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_malloc_0_nonnull=yes -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -( exit $ac_status ) -ac_cv_func_malloc_0_nonnull=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - - -fi -{ echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5 -echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6; } -if test $ac_cv_func_malloc_0_nonnull = yes; then - -cat >>confdefs.h <<\_ACEOF -#define HAVE_MALLOC 1 -_ACEOF - -else - cat >>confdefs.h <<\_ACEOF -#define HAVE_MALLOC 0 -_ACEOF - - case " $LIBOBJS " in - *" malloc.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS malloc.$ac_objext" - ;; -esac - - -cat >>confdefs.h <<\_ACEOF -#define malloc rpl_malloc -_ACEOF - -fi - - - - @@ -6608,7 +6505,7 @@ exec 6>&1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ZKT $as_me 0.99c, which was +This file was extended by ZKT $as_me 1.0, which was generated by GNU Autoconf 2.61. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -6657,7 +6554,7 @@ Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -ZKT config.status 0.99c +ZKT config.status 1.0 configured by $0, generated by GNU Autoconf 2.61, with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" diff --git a/contrib/zkt/configure.ac b/contrib/zkt/configure.ac index 0b0f1c00da..c10790a2c9 100644 --- a/contrib/zkt/configure.ac +++ b/contrib/zkt/configure.ac @@ -11,16 +11,17 @@ # 2008-08-30 check for unsigned integer types # 2008-10-01 if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort # 2009-07-30 check for timegm() added +# 2009-12-02 the tr command in bind_version= didn't work well under solaris # -AC_PREREQ(2.59) +dnl AC_PREREQ(2.59) ### Package name and current version -AC_INIT(ZKT, 0.99c, Holger Zuleger hznet.de) -dnl AC_REVISION($Revision: 1.1 $) +AC_INIT(ZKT, 1.0, Holger Zuleger hznet.de) +dnl AC_REVISION($Revision: 1.2 $) ### Files to test to check if src dir contains the package -AC_CONFIG_SRCDIR([dnssec-zkt.c]) +AC_CONFIG_SRCDIR([zkt-signer.c]) AC_CONFIG_HEADER([config.h]) @@ -30,14 +31,13 @@ AC_PROG_CC ### find out the path to BIND utils and version AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone) if test -z "$SIGNZONE_PROG" ; then -# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***]) AC_MSG_WARN([*** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***]) else bind_util_path=`dirname "$SIGNZONE_PROG"` # define BIND_UTIL_PATH in config.h.in AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities) # define BIND_VERSION in config.h.in - bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"` + bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[[0-9]]\012" | sed "s/^\(...\).*/\1/"` AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots) fi 
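Review bot: `bind_version` keeps only the first three digits of the `dnssec-signzone` version output (`sed "s/^\(...\).*/\1/"`), so a release with a two-digit minor number such as 9.10 would be recorded as 910 and compare below the 970 threshold used by the `KEYGEN_COMPMODE` test in the dki.c hunk `@@ -227,6 +231,11 @@`. The value also goes into `AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, ...)` without a check that it is non-empty; if `grep "Version:"` matches nothing, the `#if defined(BIND_VERSION) && BIND_VERSION >= 970` line would presumably see an empty operand. I would wrap the define in `if test -n "$bind_version"; then ... fi`. A comment above the assignment should state the three-digit encoding and its limit.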
@@ -47,39 +47,56 @@ AC_CHECK_TYPE(ushort, unsigned short) AC_CHECK_TYPE(uchar, unsigned char) ### define configure arguments -AC_ARG_ENABLE([printtimezone], AC_HELP_STRING( [--enable-print-timezone], [print out timezone]), [printtimezone=$enableval]) +AC_ARG_ENABLE([color_mode], AS_HELP_STRING([--disable-color-mode], [zkt without colors])) +color_mode=1 +AS_IF([test "$enable_color_mode" = "no"], [color_mode=0]) + +AC_ARG_WITH([curses], + AS_HELP_STRING([--without-curses], [Ignore presence of curses and disable color mode])) + +AS_IF([test "x$with_curses" != "xno"], + [AC_CHECK_LIB([ncurses],[tgetent])], + [HAVE_LIB_NCURSES=0; color_mode=0]) + +AC_DEFINE_UNQUOTED(COLOR_MODE, $color_mode, zkt-ls with colors) + + +dnl printtimezone is a default-disabled feature +AC_ARG_ENABLE([printtimezone], AS_HELP_STRING( [--enable-print-timezone], [print out timezone])) printtimezone=0 -test "$printtimezone" = yes && printtimezone=1 +AS_IF([test "$enable_printtimezone" = "yes"], [printtimezone=1]) AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, $printtimezone, print out timezone) -AC_ARG_ENABLE([printyear], AC_HELP_STRING( [--enable-print-age], [print age of year]), [printyear=$enableval]) -printyear=0 +AC_ARG_ENABLE([printyear], AS_HELP_STRING( [--enable-print-age], [print age with year])) test "$printyear" = yes && printyear=1 -AC_DEFINE_UNQUOTED(PRINT_AGE_OF_YEAR, $printyear, print age of year) +printyear=0 +AS_IF([test "$enable_printyear" = "yes"], [printyear=1]) +AC_DEFINE_UNQUOTED(PRINT_AGE_WITH_YEAR, $printyear, print age with year) -AC_ARG_ENABLE([logprogname], AC_HELP_STRING( [--enable-log-progname], [log with progname]), [logprogname=$enableval]) +AC_ARG_ENABLE([logprogname], AS_HELP_STRING( [--enable-log-progname], [log with progname])) logprogname=0 -test "$logprogname" = yes && logprogname=1 +AS_IF([test "$enable_logprogname" = "yes"], [logprogname=1]) AC_DEFINE_UNQUOTED(LOG_WITH_PROGNAME, $logprogname, log with progname) -AC_ARG_ENABLE([logtimestamp], AC_HELP_STRING( 
[--disable-log-timestamp], [do not log with timestamp]), [logtimestamp=$enableval]) +dnl logtimestamp is a default-enabled feature +AC_ARG_ENABLE([logtimestamp], AS_HELP_STRING([--disable-log-timestamp], [do not log with timestamp])) logtimestamp=1 -test "$logtimestamp" = no && logtimestamp=0 +AS_IF([test "$enable_logtimestamp" = "no"], [logtimestamp=0]) AC_DEFINE_UNQUOTED(LOG_WITH_TIMESTAMP, $logtimestamp, log with timestamp) -AC_ARG_ENABLE([loglevel], AC_HELP_STRING( [--disable-log-level], [do not log with level]), [loglevel=$enableval]) +AC_ARG_ENABLE([loglevel], AS_HELP_STRING([--disable-log-level], [do not log with level])) loglevel=1 -test "$loglevel" = no && loglevel=0 +AS_IF([test "$enable_loglevel" = "no"], [loglevel=0]) AC_DEFINE_UNQUOTED(LOG_WITH_LEVEL, $loglevel, log with level) -AC_ARG_ENABLE([ttl_in_keyfile], AC_HELP_STRING( [--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]), [ttl_in_keyfile=$enableval]) +AC_ARG_ENABLE([ttl_in_keyfile], AS_HELP_STRING([--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles])) ttl_in_keyfile=1 -test "$ttl_in_keyfile" = no && ttl_in_keyfile=0 +AS_IF([test "$enable_ttl_in_keyfile" = "no"], [ttl_in_keyfile=0]) AC_DEFINE_UNQUOTED(TTL_IN_KEYFILE_ALLOWED, $ttl_in_keyfile, TTL in keyfiles allowed) configpath="/var/named" AC_ARG_ENABLE([configpath], - AC_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]), + AS_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]), [configpath=$enableval]) case "$configpath" in yes) 
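Review bot: Several help strings in this hunk advertise option names that differ from the feature names given to `AC_ARG_ENABLE`: `--disable-log-timestamp` is documented, but the test reads `$enable_logtimestamp`, which only `--disable-logtimestamp` sets. The same mismatch applies to `--enable-print-timezone`, `--enable-print-age`, `--enable-log-progname`, `--disable-log-level` and `--disable-ttl-in-keyfiles`, so a builder who follows `--help` keeps the default, including the logging defaults. Either rename the features, e.g. `AC_ARG_ENABLE([log-timestamp], ...)` tested through `$enable_log_timestamp`, or correct the help strings to the names that are actually parsed. The context line `test "$printyear" = yes && printyear=1` is now dead because `printyear=0` follows it, and can be dropped.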
@@ -94,26 +111,26 @@ esac AC_DEFINE_UNQUOTED(CONFIG_PATH, "$configpath/", [set path of config file (defaults to /var/named)]) usetree=1 -t="T" +t="" AC_ARG_ENABLE([tree], - AC_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]), + AS_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]), [usetree=$enableval]) if test "$usetree" = no then usetree=0 - t="" + t="S" fi AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data structure for dnssec-zkt) -AC_DEFINE_UNQUOTED(ZKT_VERSION, "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de", ZKT version string) +AC_DEFINE_UNQUOTED(ZKT_VERSION, "$t$PACKAGE_VERSION", ZKT version string) +AC_DEFINE_UNQUOTED(ZKT_COPYRIGHT, "(c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de", ZKT copyright string) ### Checks for libraries. - ### Checks for header files. AC_HEADER_DIRENT AC_HEADER_STDC -AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h]) +AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h term.h curses.h]) ### Checks for typedefs, structures, and compiler characteristics. @@ -125,9 +142,9 @@ AC_TYPE_UID_T ### Checks for library functions. +dnl AC_FUNC_MALLOC AC_FUNC_CLOSEDIR_VOID AC_FUNC_ERROR_AT_LINE -AC_FUNC_MALLOC AC_FUNC_MKTIME AC_FUNC_STAT AC_FUNC_STRFTIME diff --git a/contrib/zkt/dki.c b/contrib/zkt/dki.c index b6a68db4bc..f42a75fa82 100644 --- a/contrib/zkt/dki.c +++ b/contrib/zkt/dki.c @@ -227,6 +227,11 @@ void dki_tfree (dki_t **tree) } #endif +#if defined(BIND_VERSION) && BIND_VERSION >= 970 +# define KEYGEN_COMPMODE "-C -q " /* this is the compability mode needed by BIND 9.7 */ +#else +# define KEYGEN_COMPMODE "" +#endif /***************************************************************** ** dki_new () ** create new keyfile 
@@ -250,15 +255,15 @@ dki_t *dki_new (const char *dir, const char *name, int ksk, int algo, int bitsiz if ( rfile && *rfile ) snprintf (randfile, sizeof (randfile), "-r %.250s ", rfile); - if ( algo == DK_ALGO_RSA || algo == DK_ALGO_RSASHA1 ) + if ( algo == DK_ALGO_RSA || algo == DK_ALGO_RSASHA1 || algo == DK_ALGO_RSASHA256 || algo == DK_ALGO_RSASHA512 ) expflag = "-e "; if ( dir && *dir ) - snprintf (cmdline, sizeof (cmdline), "cd %s ; %s %s%s-n ZONE -a %s -b %d %s %s", - dir, KEYGENCMD, randfile, expflag, dki_algo2str(algo), bitsize, flag, name); + snprintf (cmdline, sizeof (cmdline), "cd %s ; %s %s%s%s-n ZONE -a %s -b %d %s %s", + dir, KEYGENCMD, KEYGEN_COMPMODE, randfile, expflag, dki_algo2str(algo), bitsize, flag, name); else - snprintf (cmdline, sizeof (cmdline), "%s %s%s-n ZONE -a %s -b %d %s %s", - KEYGENCMD, randfile, expflag, dki_algo2str(algo), bitsize, flag, name); + snprintf (cmdline, sizeof (cmdline), "%s %s%s%s-n ZONE -a %s -b %d %s %s", + KEYGENCMD, KEYGEN_COMPMODE, randfile, expflag, dki_algo2str(algo), bitsize, flag, name); dbg_msg (cmdline); @@ -632,6 +637,8 @@ char *dki_algo2str (int algo) case DK_ALGO_RSASHA1: return ("RSASHA1"); case DK_ALGO_NSEC3DSA: return ("NSEC3DSA"); case DK_ALGO_NSEC3RSASHA1: return ("NSEC3RSASHA1"); + case DK_ALGO_RSASHA256: return ("RSASHA256"); + case DK_ALGO_RSASHA512: return ("RSASHA512"); } return ("unknown"); } @@ -651,6 +658,8 @@ char *dki_algo2sstr (int algo) case DK_ALGO_RSASHA1: return ("RSASHA1"); case DK_ALGO_NSEC3DSA: return ("N3DSA"); case DK_ALGO_NSEC3RSASHA1: return ("N3RSA1"); + case DK_ALGO_RSASHA256: return ("RSASHA2"); + case DK_ALGO_RSASHA512: return ("RSASHA5"); } return ("unknown"); } 
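Review bot: `dir`, `rfile` and `name` are formatted into `cmdline` without quoting or validation in both `snprintf` calls, so a directory or zone name containing whitespace or shell metacharacters alters the command if this string is handed to a shell (the call that executes it is outside the hunk, so confirm). Validating these values against the characters allowed in domain names and paths before formatting, or running the key generator through an argument vector instead of a command string, would close that. `cd %s ;` also lets the key generator run in the current directory when the `cd` fails, which leaves private key files in an unintended location; `cd %s && %s ...` avoids that. The `snprintf` result is not compared with `sizeof (cmdline)`, so a long `dir` can truncate the command without an error.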
@@ -841,6 +850,18 @@ int dki_namecmp (const dki_t *a, const dki_t *b) return domaincmp (a->name, b->name); } + +/***************************************************************** +** dki_revnamecmp () return <0 | 0 | >0 +*****************************************************************/ +int dki_revnamecmp (const dki_t *a, const dki_t *b) +{ + if ( a == NULL ) return -1; + if ( b == NULL ) return 1; + + return domaincmp_dir (a->name, b->name, 0); +} + /***************************************************************** ** dki_tagcmp () return <0 | 0 | >0 *****************************************************************/ @@ -1128,11 +1149,14 @@ const dki_t *dki_search (const dki_t *list, int tag, const char *name) /***************************************************************** ** dki_tadd () add a key to the given tree *****************************************************************/ -dki_t *dki_tadd (dki_t **tree, dki_t *new) +dki_t *dki_tadd (dki_t **tree, dki_t *new, int sub_before) { dki_t **p; - p = tsearch (new, tree, dki_namecmp); + if ( sub_before ) + p = tsearch (new, tree, dki_namecmp); + else + p = tsearch (new, tree, dki_revnamecmp); if ( *p == new ) dbg_val ("dki_tadd: New entry %s added\n", new->name); else diff --git a/contrib/zkt/dki.h b/contrib/zkt/dki.h index a8b3426363..d0712b14bf 100644 --- a/contrib/zkt/dki.h +++ b/contrib/zkt/dki.h 
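Review bot: `dki_tadd` now selects the comparator per call from `sub_before`, but a search tree stays consistent only when every insert and lookup on it uses the same ordering, and the header comment does not say so. I would extend it along the lines of `** sub_before != 0: order with dki_namecmp, else dki_revnamecmp; use the same value for every call on one tree`. The result of `tsearch` is dereferenced as `*p` without a NULL check, which matters if the `tsearch` in use can fail on allocation as the libc one does (confirm against the implementation). `dki_revnamecmp` returns -1 when both arguments are NULL, so it is not symmetric for that case. The body of `dki_tadd` continues past the hunk.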
@@ -55,13 +55,17 @@ # define MAX_PATHSIZE (MAX_DNAMESIZE + 1 + MAX_FNAMESIZE) /* algorithm types */ -# define DK_ALGO_RSA 1 /* RFC2537 */ -# define DK_ALGO_DH 2 /* RFC2539 */ -# define DK_ALGO_DSA 3 /* RFC2536 (mandatory) */ -# define DK_ALGO_EC 4 /* */ -# define DK_ALGO_RSASHA1 5 /* RFC3110 */ +# define DK_ALGO_RSA 1 /* RFC2537 */ +# define DK_ALGO_DH 2 /* RFC2539 */ +# define DK_ALGO_DSA 3 /* RFC2536 (mandatory) */ +# define DK_ALGO_EC 4 /* */ +# define DK_ALGO_RSASHA1 5 /* RFC3110 */ # define DK_ALGO_NSEC3DSA 6 /* symlink to alg 3 RFC5155 */ # define DK_ALGO_NSEC3RSASHA1 7 /* symlink to alg 5 RFC5155 */ +# define DK_ALGO_RSASHA256 8 /* RFCxxx */ +# define DK_ALGO_RSASHA512 10 /* RFCxxx */ +# define DK_ALGO_NSEC3RSASHA256 DK_ALGO_RSASHA256 /* same as non nsec algorithm RFCxxx */ +# define DK_ALGO_NSEC3RSASHA512 DK_ALGO_RSASHA512 /* same as non nsec algorithm RFCxxx */ /* protocol types */ # define DK_PROTO_DNS 3 @@ -137,9 +141,10 @@ dki_t **tdelete (const dki_t *dkp, dki_t **tree, int(*compar)(const dki_t *, con void twalk (const dki_t *root, void (*action)(const dki_t **nodep, VISIT which, int depth)); extern void dki_tfree (dki_t **tree); -extern dki_t *dki_tadd (dki_t **tree, dki_t *new); +extern dki_t *dki_tadd (dki_t **tree, dki_t *new, int sub_before); extern int dki_tagcmp (const dki_t *a, const dki_t *b); extern int dki_namecmp (const dki_t *a, const dki_t *b); +extern int dki_revnamecmp (const dki_t *a, const dki_t *b); extern int dki_allcmp (const dki_t *a, const dki_t *b); #endif diff --git a/contrib/zkt/dnssec-zkt.c b/contrib/zkt/dnssec-zkt.c index bfc92d9c0d..744a6f865f 100644 --- a/contrib/zkt/dnssec-zkt.c +++ b/contrib/zkt/dnssec-zkt.c @@ -307,6 +307,7 @@ int main (int argc, char *argv[]) /* it's better to do this before we read the whole directory tree */ if ( action == 'Z' ) { + fprintf (stderr, "The use of -Z is deprecated. Please use zkt-conf instead\n"); printconfig ("stdout", config); return 0; } 
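Review bot: The new algorithm constants carry a placeholder reference, `/* RFCxxx */`; RSASHA256 (8) and RSASHA512 (10) are specified in RFC 5702, so the comments can read `/* RFC5702 */`. `DK_ALGO_NSEC3RSASHA256` and `DK_ALGO_NSEC3RSASHA512` are defined as aliases of the non-NSEC3 names, unlike `DK_ALGO_NSEC3DSA` and `DK_ALGO_NSEC3RSASHA1`, which have their own numbers. A short comment should say that the aliases cannot be used as separate `case` labels beside `DK_ALGO_RSASHA256` and `DK_ALGO_RSASHA512` in a `switch`.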
@@ -758,7 +759,7 @@ static int parsedirectory (const char *dir, dki_t **listp) { // fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name); #if defined (USE_TREE) && USE_TREE - dki_tadd (listp, dkp); + dki_tadd (listp, dkp, 1); #else dki_add (listp, dkp); #endif @@ -780,7 +781,7 @@ static void parsefile (const char *file, dki_t **listp) { if ( (dkp = dki_read (path, file)) ) /* read DNS key file ... */ #if defined (USE_TREE) && USE_TREE - dki_tadd (listp, dkp); /* ... and add to tree */ + dki_tadd (listp, dkp, 1); /* ... and add to tree */ #else dki_add (listp, dkp); /* ... and add to list */ #endif diff --git a/contrib/zkt/doc/KeyRollover.ps b/contrib/zkt/doc/KeyRollover.ps deleted file mode 100644 index 7f22fdead4..0000000000 --- a/contrib/zkt/doc/KeyRollover.ps +++ /dev/null 
@@ -1,304 +0,0 @@ -%!PS-Adobe-3.0 -%%Creator: groff version 1.19.2 -%%CreationDate: Mon Jul 14 23:23:30 2008 -%%DocumentNeededResources: font Times-Bold -%%+ font Times-Roman -%%+ font Courier -%%+ font Symbol -%%DocumentSuppliedResources: procset grops 1.19 2 -%%Pages: 1 -%%PageOrder: Ascend -%%DocumentMedia: Default 595 842 0 () () -%%Orientation: Portrait -%%EndComments -%%BeginDefaults -%%PageMedia: Default -%%EndDefaults -%%BeginProlog -%%BeginResource: procset grops 1.19 2 -%!PS-Adobe-3.0 Resource-ProcSet -/setpacking where{ -pop -currentpacking -true setpacking -}if -/grops 120 dict dup begin -/SC 32 def -/A/show load def -/B{0 SC 3 -1 roll widthshow}bind def -/C{0 exch ashow}bind def -/D{0 exch 0 SC 5 2 roll awidthshow}bind def -/E{0 rmoveto show}bind def -/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def -/G{0 rmoveto 0 exch ashow}bind def -/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def -/I{0 exch rmoveto show}bind def -/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def -/K{0 exch rmoveto 0 exch ashow}bind def -/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def -/M{rmoveto show}bind def -/N{rmoveto 0 SC 3 -1 roll widthshow}bind def -/O{rmoveto 0 exch ashow}bind def -/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def -/Q{moveto show}bind def -/R{moveto 0 SC 3 -1 roll widthshow}bind def -/S{moveto 0 exch ashow}bind def -/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def -/SF{ -findfont exch -[exch dup 0 exch 0 exch neg 0 0]makefont -dup setfont -[exch/setfont cvx]cvx bind def -}bind def -/MF{ -findfont -[5 2 roll -0 3 1 roll -neg 0 0]makefont -dup setfont -[exch/setfont cvx]cvx bind def -}bind def -/level0 0 def -/RES 0 def -/PL 0 def -/LS 0 def -/MANUAL{ -statusdict begin/manualfeed true store end -}bind def -/PLG{ -gsave newpath clippath pathbbox grestore -exch pop add exch pop -}bind def -/BP{ -/level0 save def -1 setlinecap -1 setlinejoin -72 RES div dup scale -LS{ -90 rotate -}{ -0 PL translate -}ifelse -1 -1 scale -}bind def -/EP{ -level0 
restore -showpage -}def -/DA{ -newpath arcn stroke -}bind def -/SN{ -transform -.25 sub exch .25 sub exch -round .25 add exch round .25 add exch -itransform -}bind def -/DL{ -SN -moveto -SN -lineto stroke -}bind def -/DC{ -newpath 0 360 arc closepath -}bind def -/TM matrix def -/DE{ -TM currentmatrix pop -translate scale newpath 0 0 .5 0 360 arc closepath -TM setmatrix -}bind def -/RC/rcurveto load def -/RL/rlineto load def -/ST/stroke load def -/MT/moveto load def -/CL/closepath load def -/Fr{ -setrgbcolor fill -}bind def -/setcmykcolor where{ -pop -/Fk{ -setcmykcolor fill -}bind def -}if -/Fg{ -setgray fill -}bind def -/FL/fill load def -/LW/setlinewidth load def -/Cr/setrgbcolor load def -/setcmykcolor where{ -pop -/Ck/setcmykcolor load def -}if -/Cg/setgray load def -/RE{ -findfont -dup maxlength 1 index/FontName known not{1 add}if dict begin -{ -1 index/FID ne{def}{pop pop}ifelse -}forall -/Encoding exch def -dup/FontName exch def -currentdict end definefont pop -}bind def -/DEFS 0 def -/EBEGIN{ -moveto -DEFS begin -}bind def -/EEND/end load def -/CNT 0 def -/level1 0 def -/PBEGIN{ -/level1 save def -translate -div 3 1 roll div exch scale -neg exch neg exch translate -0 setgray -0 setlinecap -1 setlinewidth -0 setlinejoin -10 setmiterlimit -[]0 setdash -/setstrokeadjust where{ -pop -false setstrokeadjust -}if -/setoverprint where{ -pop -false setoverprint -}if -newpath -/CNT countdictstack def -userdict begin -/showpage{}def -/setpagedevice{}def -}bind def -/PEND{ -countdictstack CNT sub{end}repeat -level1 restore -}bind def -end def -/setpacking where{ -pop -setpacking -}if -%%EndResource -%%EndProlog -%%BeginSetup -%%BeginFeature: *PageSize Default -<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice -%%EndFeature -%%IncludeResource: font Times-Bold -%%IncludeResource: font Times-Roman -%%IncludeResource: font Courier -%%IncludeResource: font Symbol -grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72 -def/PL 841.89 def/LS false 
def/ENC0[/asciicircum/asciitilde/Scaron -/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef -/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef -/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef -/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent -/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen -/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon -/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O -/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex -/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y -/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft -/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl -/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut -/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash -/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen -/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft -/logicalnot/minus/registered/macron/degree/plusminus/twosuperior -/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior -/ordmasculine/guilsinglright/onequarter/onehalf/threequarters -/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE -/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex -/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis -/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn -/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla -/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis -/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash -/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def -/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE -/Times-Bold@0 ENC0/Times-Bold RE -%%EndSetup -%%Page: 1 1 
-%%BeginPageSetup -BP -%%EndPageSetup -/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G -(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235 -(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G -(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57 -(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E -(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0 -SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E -26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10 -/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89 -E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2 -(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F -26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1 -17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E --.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1 -(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69 --.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1 -(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385) --64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G -46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G -61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H -(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52 -(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695 -E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL -280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1 -196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r) --.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. 
Zone)72 285.2 R -(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr) --2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035 -(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 -318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo) -.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62 -(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d) --.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41 --.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R -33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32 -297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95 -362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo) --.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G -(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F --.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1 -F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72 -428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H -(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q -(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a) --.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09 -(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q -(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2) -5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48 -402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. 
K)72 511.2 R -(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G -(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1 -F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo) -.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1 -(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8 -Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1 -(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N -33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I -(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4 -Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E -(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q -(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5 -DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha) -2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3 --.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E -(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5 -2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E -(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol -SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP -%%Trailer -end -%%EOF diff --git a/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt b/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt deleted file mode 100644 index 18cda6c742..0000000000 --- a/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt +++ /dev/null 
@@ -1,616 +0,0 @@
-
-
-
-Intended Status: Informational O. Gudmundsson
-Network Working Group OGUD Consulting LLC
-Internet-Draft J. Ihren
-Expires: August 21, 2008 AAB
- February 18, 2008
-
-
- Names of States in the life of a DNSKEY
- draft-gudmundsson-life-of-dnskey-00
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 21, 2008.
-
-Copyright Notice
-
- Copyright (C) The IETF Trust (2008).
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 1]
-
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-Abstract
-
- This document recommends a specific terminology to use when
- expressing the state that a DNSKEY is in at particular time. This
- does not affect how the protocol operates in any way.
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. DNSKEY timeline . . . . . . . . . . . . . . . . . . . . . . . 4
- 3. Life stages of a DNSKEY . . . . . . . . . . . . . . . . . . . 5
- 3.1. Generated . . . . . . . . . . . . . . . .
. . . . . . . . 5 - 3.2. Published . . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.2.1. Pre-Publication . . . . . . . . . . . . . . . . . . . 5 - 3.2.2. Out-Of-Band Publication . . . . . . . . . . . . . . . 5 - 3.3. Active . . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.4. Retired . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.5. Removed . . . . . . . . . . . . . . . . . . . . . . . . . 6 - 3.5.1. Lame . . . . . . . . . . . . . . . . . . . . . . . . . 6 - 3.5.2. Stale . . . . . . . . . . . . . . . . . . . . . . . . 6 - 3.6. Revoked . . . . . . . . . . . . . . . . . . . . . . . . . 6 - 4. Security considerations . . . . . . . . . . . . . . . . . . . 7 - 5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8 - 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 6.1. Normative References . . . . . . . . . . . . . . . . . . . 9 - 6.2. Informative References . . . . . . . . . . . . . . . . . . 9 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 - Intellectual Property and Copyright Statements . . . . . . . . . . 11 - - - - - - - - - - - - - - - - - - - - - - -Gudmundsson & Ihren Expires August 21, 2008 [Page 2] - -Internet-Draft DNSSEC Key life stages. February 2008 - - -1. Introduction - - When the editors of this document where comparing their DNSSEC key - management projects they discovered that they where discussing - roughly the same thing but using different terminology. - - This document presents a unified terminology to use when describing - the current state of a DNSKEY. - - The DNSSEC standards documents ([1], [2] and [3]) do not address the - required states for the key management of a DNSSEC key. The DNSSEC - Operational Practices [4] document does propose that keys be - published before use but uses inconsistent or confusing terms. This - document assumes basic understanding of DNSSEC and key management. 
- - The terms proposed in this document attempt to avoid any confusion - and make the states of keys to be as clear as possible. The terms - used in this document are intended as a operational supplement to the - terms defined in Section 2 of [1]. - - To large extent this discussion is motivated by Trust anchor keys but - the same terminology can be used for zone signing keys. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gudmundsson & Ihren Expires August 21, 2008 [Page 3] - -Internet-Draft DNSSEC Key life stages. February 2008 - - -2. DNSKEY timeline - - The model in this document is that keys progress through a state - machine along a one-way path, keys never move to an earlier states. - - - - GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED - | ^ | | | ^ - | | | | v | - +--> Pre-PUBLISHED--+ +--------+---------> REVOKED ---+ - - - DNSKEY time line. - - There are few more states that are defined below but these apply only - to the publisher of TA's and the consumer of TA's. Two of these are - sub-sets of the Published state, the other two are error states. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gudmundsson & Ihren Expires August 21, 2008 [Page 4] - -Internet-Draft DNSSEC Key life stages. February 2008 - - -3. Life stages of a DNSKEY - -3.1. Generated - - Once a key is generated it enters state Generated and stays there - until the next state. While in this state only the owner of the key - is aware of its existence and can prepare for its future use. - -3.2. Published - - Once the key is added to the DNSKEY set of a zone the key is there - for the world to see, or published. The key needs to remain in this - state for some time to propagate to all validators that have cached - the prior version of the DNSKEY set. In the case of KSK the key - should remain in this state for a longer time as documented in DNSSEC - Timers RFC [5]. - -3.2.1. 
Pre-Publication
-
- In certain circumstances a zone owner may want to give out a new
- Trust Anchor before exposing the actual public key. In this case the
- zone can publish a DS record of the key. This allows others to
- configure the trust anchor but will not be able to use the key until
- the key is published in the DNSKEY RRset.
-
-3.2.2. Out-Of-Band Publication
-
- In certain circumstances a domain may want to give out a new Trust
- Anchor outside DNS to give others a long lead time to configure the
- new key as trust anchor. The reason people may want to do this is to
- keep the size of the DNSKEY set smaller and only add new trust anchor
- just before the key goes into use. One likely use for this is the
- DNS "." root key as it does not have a parent that can publish a DS
- record for it. The publication mechanism does not matter it can be
- any one of web-site, advertisement in Financial Times and other
- international publication, e-mail to DNS related mailing lists, etc..
-
-3.3. Active
-
- The key is in ACTIVE state while it is actively signing data in the
- zone it resides in. It is one of the the keys that are signing the
- zone or parts of the zone.
-
-3.4. Retired
-
- When the key is no longer used for signing the zone it enters state
- Retired. In this state there may still be signatures by the key in
- cached data from the zone available at recursive servers, but the
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 5]
-
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
- authoritative servers for the zone do no longer carry any signatures
- generated by the key.
-
-3.5. Removed
-
- Once the key is removed from the DNSKEY RRset it enters the state
- Removed. At this point all signatures by the key that may still be
- temporarily valid will fail to verify once the validator refreshes
- the DNSKEY RRset in its memory.
-
- Therefore "removal" of a key is typically not done until all the
- cached signatures have expired.
Entering this state too early may
- cause number of validators to end up with STALE Trust Anchors.
-
-3.5.1. Lame
-
- A Trust Anchor is Lame if the parent continues to publish DS pointing
- to the key after it has been removed from the DNSKEY RRset. A Trust
- Anchor is arguably Lame if there are no signatures by a Retired KSK
- in the zone.
-
-3.5.2. Stale
-
- A Stale Trust Anchor is an old TA that remains in a validators list
- of active key(s) after the key has been removed from the zone's
- DNSKEY RRset.
-
-3.6. Revoked
-
- There are times when a zone wants to signal that a particular key
- should not be used at all. The mechanism to do this is to set the
- REVOKE bit [5]. Any key in any of the while the key is the DNSSKEY
- set can be exited to Revoked state. After some time in the Revoke
- state the key will be Removed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 6]
-
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-4. Security considerations
-
- TBD
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 7]
-
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-5. IANA considerations
-
- This document does not have any IANA actions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 8]
-
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-6. References
-
-6.1. Normative References
-
-6.2. Informative References
-
- [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
- [4] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
- RFC 4641, September 2006.
-
- [5] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
- Anchors", RFC 5011, September 2007.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 9]
-
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-Authors' Addresses
-
- Olafur Gudmundsson
- OGUD Consulting LLC
- 3821 Village Park Drive
- Chevy Chase, MD 20815
- USA
-
- Email: ogud@ogud.com
-
-
- Johan Ihren
- Automatica, AB
- Bellmansgatan 30
- Stockholm, SE-118 47
- Sweden
-
- Email: johani@automatica.se
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 10]
-
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-Full Copyright Statement
-
- Copyright (C) The IETF Trust (2008).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
- THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 11]
-
diff --git a/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt b/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt
deleted file mode 100644
index fbc46c116f..0000000000
--- a/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt
+++ /dev/null
@@ -1,2128 +0,0 @@
-
-
-
-DNSOP O. Kolkman
-Internet-Draft NLnet Labs
-Obsoletes: 2541 (if approved) R. Gieben
-Intended status: BCP
-Expires: September 8, 2009 March 7, 2009
-
-
- DNSSEC Operational Practices, Version 2
- draft-ietf-dnsop-rfc4641bis-01
-
-Status of This Memo
-
- This Internet-Draft is submitted to IETF in full conformance with the
- provisions of BCP 78 and BCP 79. This document may contain material
- from IETF Documents or IETF Contributions published or made publicly
- available before November 10, 2008. The person(s) controlling the
- copyright in some of this material may not have granted the IETF
- Trust the right to allow modifications of such material outside the
- IETF Standards Process. Without obtaining an adequate license from
- the person(s) controlling the copyright in such materials, this
- document may not be modified outside the IETF Standards Process, and
- derivative works of it may not be created outside the IETF Standards
- Process, except to format it for publication as an RFC or to
- translate it into languages other than English.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on September 8, 2009.
-
-Copyright Notice
-
- Copyright (c) 2009 IETF Trust and the persons identified as the
- document authors. All rights reserved.
- - - - -Kolkman & Gieben Expires September 8, 2009 [Page 1] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - This document is subject to BCP 78 and the IETF Trust's Legal - Provisions Relating to IETF Documents in effect on the date of - publication of this document (http://trustee.ietf.org/license-info). - Please review these documents carefully, as they describe your rights - and restrictions with respect to this document. - -Abstract - - This document describes a set of practices for operating the DNS with - security extensions (DNSSEC). The target audience is zone - administrators deploying DNSSEC. - - The document discusses operational aspects of using keys and - signatures in the DNS. It discusses issues of key generation, key - storage, signature generation, key rollover, and related policies. - - This document obsoletes RFC 2541, as it covers more operational - ground and gives more up-to-date requirements with respect to key - sizes and the new DNSSEC specification. - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 1.1. The Use of the Term 'key' . . . . . . . . . . . . . . . . 5 - 1.2. Time Definitions . . . . . . . . . . . . . . . . . . . . . 5 - 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5 - 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6 - 3.1. Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6 - 3.1.1. Motivations for the KSK and ZSK Separation . . . . . . 7 - 3.1.2. Differentiation for 'High-Level' Zones . . . . . . . . 9 - 3.2. Key Generation . . . . . . . . . . . . . . . . . . . . . . 9 - 3.3. Key Effectivity Period . . . . . . . . . . . . . . . . . . 9 - 3.4. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 10 - 3.5. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 10 - 3.6. Private Key Storage . . . . . . . . . . . . . . . . . . . 11 - 4. Signature Generation, Key Rollover, and Related Policies . . . 12 - 4.1. 
Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12 - 4.1.1. Time Considerations . . . . . . . . . . . . . . . . . 13 - 4.2. Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 15 - 4.2.1. Zone Signing Key Rollovers . . . . . . . . . . . . . . 15 - 4.2.1.1. Pre-Publish Key Rollover . . . . . . . . . . . . . 15 - 4.2.1.2. Double Signature Zone Signing Key Rollover . . . . 17 - 4.2.1.3. Pros and Cons of the Schemes . . . . . . . . . . . 19 - 4.2.2. Key Signing Key Rollovers . . . . . . . . . . . . . . 19 - 4.2.3. Difference Between ZSK and KSK Rollovers . . . . . . . 21 - 4.2.4. Key algorithm rollover . . . . . . . . . . . . . . . . 22 - 4.2.5. Automated Key Rollovers . . . . . . . . . . . . . . . 23 - 4.3. Planning for Emergency Key Rollover . . . . . . . . . . . 24 - - - -Kolkman & Gieben Expires September 8, 2009 [Page 2] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - 4.3.1. KSK Compromise . . . . . . . . . . . . . . . . . . . . 24 - 4.3.1.1. Keeping the Chain of Trust Intact . . . . . . . . 25 - 4.3.1.2. Breaking the Chain of Trust . . . . . . . . . . . 26 - 4.3.2. ZSK Compromise . . . . . . . . . . . . . . . . . . . . 26 - 4.3.3. Compromises of Keys Anchored in Resolvers . . . . . . 26 - 4.4. Parental Policies . . . . . . . . . . . . . . . . . . . . 27 - 4.4.1. Initial Key Exchanges and Parental Policies - Considerations . . . . . . . . . . . . . . . . . . . . 27 - 4.4.2. Storing Keys or Hashes? . . . . . . . . . . . . . . . 27 - 4.4.3. Security Lameness . . . . . . . . . . . . . . . . . . 28 - 4.4.4. DS Signature Validity Period . . . . . . . . . . . . . 28 - 4.4.5. (Non) Cooperating Registrars . . . . . . . . . . . . . 29 - 5. Security Considerations . . . . . . . . . . . . . . . . . . . 30 - 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30 - 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31 - 8.1. 
Normative References . . . . . . . . . . . . . . . . . . . 31 - 8.2. Informative References . . . . . . . . . . . . . . . . . . 31 - Appendix A. Terminology . . . . . . . . . . . . . . . . . . . . . 32 - Appendix B. Zone Signing Key Rollover How-To . . . . . . . . . . 34 - Appendix C. Typographic Conventions . . . . . . . . . . . . . . . 34 - Appendix D. Document Editing History . . . . . . . . . . . . . . 37 - D.1. draft-ietf-dnsop-rfc4641-00 . . . . . . . . . . . . . . . 37 - D.2. version 0->1 . . . . . . . . . . . . . . . . . . . . . . . 37 - - - - - - - - - - - - - - - - - - - - - - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 3] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - -1. Introduction - - This document describes how to run a DNS Security (DNSSEC)-enabled - environment. It is intended for operators who have knowledge of the - DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC. - See RFC 4033 [3] for an introduction to DNSSEC, RFC 4034 [4] for the - newly introduced Resource Records (RRs), and RFC 4035 [5] for the - protocol changes. - - During workshops and early operational deployment tests, operators - and system administrators have gained experience about operating the - DNS with security extensions (DNSSEC). This document translates - these experiences into a set of practices for zone administrators. - At the time of writing, there exists very little experience with - DNSSEC in production environments; this document should therefore - explicitly not be seen as representing 'Best Current Practices'. - [OK: Is this document ripe enough to shoot for BCP?] - - The procedures herein are focused on the maintenance of signed zones - (i.e., signing and publishing zones on authoritative servers). It is - intended that maintenance of zones such as re-signing or key - rollovers be transparent to any verifying clients on the Internet. - - The structure of this document is as follows. 
In Section 2, we
- discuss the importance of keeping the "chain of trust" intact.
- Aspects of key generation and storage of private keys are discussed
- in Section 3; the focus in this section is mainly on the private part
- of the key(s). Section 4 describes considerations concerning the
- public part of the keys. Since these public keys appear in the DNS
- one has to take into account all kinds of timing issues, which are
- discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
- rollover, or supercession, of keys. Finally, Section 4.4 discusses
- considerations on how parents deal with their children's public keys
- in order to maintain chains of trust.
-
- The typographic conventions used in this document are explained in
- Appendix C.
-
- Since this is a document with operational suggestions and there are
- no protocol specifications, the RFC 2119 [6] language does not apply.
-
- This document [OK: when approved] obsoletes RFC 4641 [16].
-
- [OK: Editorial comments and questions are indicated by square
- brackets and editor innitials]
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 4]
-
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
-1.1. The Use of the Term 'key'
-
- It is assumed that the reader is familiar with the concept of
- asymmetric keys on which DNSSEC is based (public key cryptography
- RFC4949 [17]). Therefore, this document will use the term 'key'
- rather loosely. Where it is written that 'a key is used to sign
- data' it is assumed that the reader understands that it is the
- private part of the key pair that is used for signing. It is also
- assumed that the reader understands that the public part of the key
- pair is published in the DNSKEY Resource Record and that it is the
- public part that is used in key exchanges.
-
-1.2. Time Definitions
-
- In this document, we will be using a number of time-related terms.
- The following definitions apply:
-
- o "Signature validity period" The period that a signature is valid.
- It starts at the time specified in the signature inception field
- of the RRSIG RR and ends at the time specified in the expiration
- field of the RRSIG RR.
-
- o "Signature publication period" Time after which a signature (made
- with a specific key) is replaced with a new signature (made with
- the same key). This replacement takes place by publishing the
- relevant RRSIG in the master zone file. After one stops
- publishing an RRSIG in a zone, it may take a while before the
- RRSIG has expired from caches and has actually been removed from
- the DNS.
-
- o "Key effectivity period" The period during which a key pair is
- expected to be effective. This period is defined as the time
- between the first inception time stamp and the last expiration
- date of any signature made with this key, regardless of any
- discontinuity in the use of the key. The key effectivity period
- can span multiple signature validity periods.
-
- o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
- value of the TTLs from the complete set of RRs in a zone. Note
- that the minimum TTL is not the same as the MINIMUM field in the
- SOA RR. See [9] for more information.
-
-2. Keeping the Chain of Trust Intact
-
- Maintaining a valid chain of trust is important because broken chains
- of trust will result in data being marked as Bogus (as defined in [3]
- Section 5), which may cause entire (sub)domains to become invisible
- to verifying clients. The administrators of secured zones have to
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 5]
-
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- realize that their zone is, to verifying clients, part of a chain of
- trust.
- - As mentioned in the introduction, the procedures herein are intended - to ensure that maintenance of zones, such as re-signing or key - rollovers, will be transparent to the verifying clients on the - Internet. - - Administrators of secured zones will have to keep in mind that data - published on an authoritative primary server will not be immediately - seen by verifying clients; it may take some time for the data to be - transferred to other secondary authoritative nameservers and clients - may be fetching data from caching non-authoritative servers. In this - light, note that the time for a zone transfer from master to slave is - negligible when using NOTIFY [8] and incremental transfer (IXFR) [7]. - It increases when full zone transfers (AXFR) are used in combination - with NOTIFY. It increases even more if you rely on full zone - transfers based on only the SOA timing parameters for refresh. - - For the verifying clients, it is important that data from secured - zones can be used to build chains of trust regardless of whether the - data came directly from an authoritative server, a caching - nameserver, or some middle box. Only by carefully using the - available timing parameters can a zone administrator ensure that the - data necessary for verification can be obtained. - - The responsibility for maintaining the chain of trust is shared by - administrators of secured zones in the chain of trust. This is most - obvious in the case of a 'key compromise' when a trade-off between - maintaining a valid chain of trust and replacing the compromised keys - as soon as possible must be made. Then zone administrators will have - to make a trade-off, between keeping the chain of trust intact -- - thereby allowing for attacks with the compromised key -- or - deliberately breaking the chain of trust and making secured - subdomains invisible to security-aware resolvers. Also see - Section 4.3. - -3. 
Keys Generation and Storage - - This section describes a number of considerations with respect to the - security of keys. It deals with the generation, effectivity period, - size, and storage of private keys. - -3.1. Zone and Key Signing Keys - - The DNSSEC validation protocol does not distinguish between different - types of DNSKEYs. All DNSKEYs can be used during the validation. In - practice, operators use Key Signing and Zone Signing Keys and use the - - - -Kolkman & Gieben Expires September 8, 2009 [Page 6] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - so-called Secure Entry Point (SEP) [5] flag to distinguish between - them during operations. The dynamics and considerations are - discussed below. - - To make zone re-signing and key rollover procedures easier to - implement, it is possible to use one or more keys as Key Signing Keys - (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone. - Other keys can be used to sign all the RRSets in a zone and are - referred to as Zone Signing Keys (ZSKs). In this document, we assume - that KSKs are the subset of keys that are used for key exchanges with - the parent and potentially for configuration as trusted anchors -- - the SEP keys. In this document, we assume a one-to-one mapping - between KSK and SEP keys and we assume the SEP flag to be set on all - KSKs. - -3.1.1. Motivations for the KSK and ZSK Separation - - Differentiating between the KSK and ZSK functions has several - advantages: - - o No parent/child interaction is required when ZSKs are updated. - - o [OK: Bullet removed, strawman Paul Hoffman] - - o As the KSK is only used to sign a key set, which is most probably - updated less frequently than other data in the zone, it can be - stored separately from and in a safer location than the ZSK. - - o A KSK can have a longer key effectivity period. - - For almost any method of key management and zone signing, the KSK is - used less frequently than the ZSK. 
Once a key set is signed with the
- KSK, all the keys in the key set can be used as ZSKs. If a ZSK is
- compromised, it can be simply dropped from the key set. The new key
- set is then re-signed with the KSK.
-
- Given the assumption that for KSKs the SEP flag is set, the KSK can
- be distinguished from a ZSK by examining the flag field in the DNSKEY
- RR. If the flag field is an odd number it is a KSK. If it is an
- even number it is a ZSK.
-
- The Zone Signing Key can be used to sign all the data in a zone on a
- regular basis. When a Zone Signing Key is to be rolled, no
- interaction with the parent is needed. This allows for signature
- validity periods on the order of days.
-
- The Key Signing Key is only to be used to sign the DNSKEY RRs in a
- zone. If a Key Signing Key is to be rolled over, there will be
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 7]
-
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- interactions with parties other than the zone administrator. If
- there is a parent zone, these can include the registry of the parent
- zone or administrators of verifying resolvers that have the
- particular key configured as secure entry points. If this is a trust
- anchor, everyone relying on the trust anchor needs to roll over to
- the new key. The latter may be subject to stability costs if
- automated trust-anchor rollover mechanisms (such as e.g. RFC5011
- [18]) are not in place. Hence, the key effectivity period of these
- keys can and should be made much longer.
-
- There are two schools of thought on rolling a KSK that is not a trust
- anchor [OK: One can never be sure a KSK is _not_ a trust anchor]:
-
- o It should be done regularly (possibly every few months) so that a
- key rollover remains an operational routine.
-
- o It should only be done when it is known or strongly suspected that
- the key has been compromised in order to reduce the stability
- issues on systems where the rollover does not happen cleanly.
-
- There is no widespread agreement on which of these two schools of
- thought is better for different deployments of DNSSEC. There is a
- stability cost every time a non-anchor KSK is rolled over, but it is
- possibly low if the communication between the child and the parent is
- good. On the other hand, the only completely effective way to tell
- if the communication is good is to test it periodically. Thus,
- rolling a KSK with a parent is only done for two reasons: to test and
- verify the rolling system to prepare for an emergency, and in the
- case of an actual emergency.
-
- [OK: The paragraph below is a straw-man by Paul Hoffman] Because of
- the difficulty of getting all users of a trust anchor to replace an
- old trust anchor with a new one, a KSK that is a trust anchor should
- never be rolled unless it is known or strongly suspected that the key
- has been compromised.
-
- [OK: This is an alternative straw-man by Olaf Kolkman] The same
- operational concerns apply to the rollover of KSKs that are used as
- trust-anchors. Since the administrator of a zone can not be certain
- that the zone's KSK is in use as a trust-anchor she will have to
- assume that a rollover will cause a stability cost for the users that
- did configure her key as a trust-anchor. Those costs can be
- minimized by automating the rollover RFC5011 [18] and by rolling the
- key regularly, and advertising such, so that the operators of
- recursive nameservers will put the appropriate mechanism in place to
- deal with these stability costs, or, in other words, budget for these
- costs instead of incuring them unexpectedly.
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 8]
-
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
-3.1.2. Differentiation for 'High-Level' Zones
-
- In an earlier version of this document we made a differentiation
- between KSKs used for zones that are high in the DNS hierarchy versus
- KSKs used for zones low in that hierarchy.
We have come to realize - that there are other considerations that argue such differentiation - does not need to be made. - - Longer keys are not useful because the crypto guidance is that - everyone should use keys that no one can break. Also, it is - impossible to judge which zones are more or less valuable to an - attacker. An attack can only be used if the compromise is unnoticed - and the attacker can act as an man-in-the-middle attack (MITM) in an - unnoticed way. If .example is compromised and the attacker forges - answers for somebank.example and sends them out as an MITM, when the - attack is discovered it will be simple to prove that .example has - been compromised and the KSK will be rolled. Defining a long-term - successful attack is difficult for keys at any level. - -3.2. Key Generation - - Careful generation of all keys is a sometimes overlooked but - absolutely essential element in any cryptographically secure system. - The strongest algorithms used with the longest keys are still of no - use if an adversary can guess enough to lower the size of the likely - key space so that it can be exhaustively searched. Technical - suggestions for the generation of random keys will be found in RFC - 4086 [14] and NIST SP 800-900 [20]. One should carefully assess if - the random number generator used during key generation adheres to - these suggestions. - - Keys with a long effectivity period are particularly sensitive as - they will represent a more valuable target and be subject to attack - for a longer time than short-period keys. It is strongly recommended - that long-term key generation occur off-line in a manner isolated - from the network via an air gap or, at a minimum, high-level secure - hardware. - -3.3. Key Effectivity Period - - From a purely operational perspective, a reasonable key effectivity - period for KSKs that have a parent zone is 13 months, with the intent - to replace them after 12 months. 
An intended key effectivity period - of a month is reasonable for Zone Signing Keys. This annual rollover - gives operational practice to rollovers. - - Ignoring the operational perspective, a reasonable effectivity period - for KSKs that have a parent zone is of the order of 2 decades or - - - -Kolkman & Gieben Expires September 8, 2009 [Page 9] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - longer. That is, if one does not plan to test the rollover - procedure, the key should be effective essentially forever, and then - only rolled over in case of emergency. - - The "operational habit" argument also applies to trust anchor - reconfiguration. If a short key effectivity period is used and the - trust anchor configuration has to be revisited on a regular basis, - the odds that the configuration tends to be forgotten is smaller. - The trade-off is against a system that is so dynamic that - administrators of the validating clients will not be able to follow - the modifications.Note that if a trust anchor replacement is done - incorrectly, the entire zone that the trust anchor covers will become - bogus until the trust anchor is corrected. - - Key effectivity periods can be made very short, as in a few minutes. - But when replacing keys one has to take the considerations from - Section 4.1 and Section 4.2 into account. - -3.4. Key Algorithm - - There are currently two types of signature algorithms that can be - used in DNSSEC: RSA and DSA. Both are fully specified in many - freely-available documents, and both are widely considered to be - patent-free. The creation of signatures wiht RSA and DSA takes - roughly the same time, but DSA is about ten times slower for - signature verification. - - We suggest the use of either RSA/SHA-1 or RSA/SHA-256 as the - preferred signature algorithms. Both have advantages and - disadvantages. RSA/SHA-1 has been deployed for many years, while - RSA/SHA-256 has only begun to be deployed. 
On the other hand, it is - expected that if effective attacks on either algorithm appeark, they - will appear for RSA/SHA-1 first. RSA/MD5 should not be considered - for use because RSA/MD5 will very likely be the first common-use - signature algorithm to have an effective attack. - - At the time of publication, it is known that the SHA-1 hash has - cryptanalysis issues. There is work in progress on addressing these - issues. We recommend the use of public key algorithms based on - hashes stronger than SHA-1 (e.g., SHA-256), as soon as these - algorithms are available in protocol specifications (see [21] and - [22]) and implementations. - -3.5. Key Sizes - - DNSSEC signing keys should be large enough to avoid all know - cryptographic attacks during the lifetime of the key. To date, - despite huge efforts, no one has broken a regular 1024-bit key; in - - - -Kolkman & Gieben Expires September 8, 2009 [Page 10] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - fact, the best completed attack is estimated to be the equivalent of - a 700-bit key. An attacker breaking a 1024-bit signing key would - need expend phenominal amounts of networked computing power in a way - that would not be detected in order to break a single key. Because - of this, it is estimated that most zones can safely use 1024-bit keys - for at least the next ten years. A 1024-bit asymmetric key has an - approximate equivalent strength of a symmetric 80-bit key. - - Keys that are used as extremely high value trust anchors, or non- - anchor keys that may be difficult to roll over, may want to use - lengths longer than 1024 bits. Typically, the next larger key size - used is 2048 bits, which have the approximate equivalent strength of - a symmetric 112-bit key. In a standard CPU, it takes about four - times as long to sign or verify with a 2048-bit key as it does with a - 1024-bit key. 
- - Another way to decide on the size of key to use is to remember that - the phenominal effort it takes for an attacker to break a 1024-bit - key is the same regardless of how the key is used. If an attacker - has the capability of breaking a 1024-bit DNSSEC key, he also has the - capability of breaking one of the many 1024-bit TLS trust anchor keys - that are installed with web browsers. If the value of a DNSSEC key - is lower to the attacker than the value of a TLS trust anchor, the - attacker will use the resources to attack the TLS trust anchor. - - It is possible that there is a unexpected improvement in the ability - for attackers to beak keys, and that such an attack would make it - feasible to break 1024-bit keys but not 2048-bit keys. If such an - improvement happens, it is likely that there will be a huge amount of - publicity, particularly because of the large number of 1024-bit TLS - trust anchors build into popular web browsers. At that time, all - 1024-bit keys (both ones with parent zones and ones that are trust - anchors) can be rolled over and replaced with larger keys. - - Earlier documents (including the previous version of this document) - urged the use of longer keys in situations where a particular key was - "heavily used". That advice may have been true 15 years ago, but it - is not true today when using RSA or DSA algorithms and keys of 1024 - bits or higher. - -3.6. Private Key Storage - - It is recommended that, where possible, zone private keys and the - zone file master copy that is to be signed be kept and used in off- - line, non-network-connected, physically secure machines only. - Periodically, an application can be run to add authentication to a - zone by adding RRSIG and NSEC RRs. Then the augmented file can be - transferred. 
- - - -Kolkman & Gieben Expires September 8, 2009 [Page 11] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - When relying on dynamic update to manage a signed zone [11], be aware - that at least one private key of the zone will have to reside on the - master server. This key is only as secure as the amount of exposure - the server receives to unknown clients and the security of the host. - Although not mandatory, one could administer the DNS in the following - way. The master that processes the dynamic updates is unavailable - from generic hosts on the Internet, it is not listed in the NS RRSet, - although its name appears in the SOA RRs MNAME field. The - nameservers in the NS RRSet are able to receive zone updates through - NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This - approach is known as the "hidden master" setup. - - The ideal situation is to have a one-way information flow to the - network to avoid the possibility of tampering from the network. - Keeping the zone master file on-line on the network and simply - cycling it through an off-line signer does not do this. The on-line - version could still be tampered with if the host it resides on is - compromised. For maximum security, the master copy of the zone file - should be off-net and should not be updated based on an unsecured - network mediated communication. - - In general, keeping a zone file off-line will not be practical and - the machines on which zone files are maintained will be connected to - a network. Operators are advised to take security measures to shield - unauthorized access to the master copy. - - For dynamically updated secured zones [11], both the master copy and - the private key that is used to update signatures on updated RRs will - need to be on-line. - -4. Signature Generation, Key Rollover, and Related Policies - -4.1. Time in DNSSEC - - Without DNSSEC, all times in the DNS are relative. 
The SOA fields - REFRESH, RETRY, and EXPIRATION are timers used to determine the time - elapsed after a slave server synchronized with a master server. The - Time to Live (TTL) value and the SOA RR minimum TTL parameter [9] are - used to determine how long a forwarder should cache data after it has - been fetched from an authoritative server. By using a signature - validity period, DNSSEC introduces the notion of an absolute time in - the DNS. Signatures in DNSSEC have an expiration date after which - the signature is marked as invalid and the signed data is to be - considered Bogus. - - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 12] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - -4.1.1. Time Considerations - - Because of the expiration of signatures, one should consider the - following: - - o We suggest the Maximum Zone TTL of your zone data to be a fraction - of your signature validity period. - - If the TTL would be of similar order as the signature validity - period, then all RRSets fetched during the validity period - would be cached until the signature expiration time. Section - 7.1 of [3] suggests that "the resolver may use the time - remaining before expiration of the signature validity period of - a signed RRSet as an upper bound for the TTL". As a result, - query load on authoritative servers would peak at signature - expiration time, as this is also the time at which records - simultaneously expire from caches. - - To avoid query load peaks, we suggest the TTL on all the RRs in - your zone to be at least a few times smaller than your - signature validity period. - - o We suggest the signature publication period to end at least one - Maximum Zone TTL duration before the end of the signature validity - period. - - Re-signing a zone shortly before the end of the signature - validity period may cause simultaneous expiration of data from - caches. This in turn may lead to peaks in the load on - authoritative servers. 
- - o We suggest the Minimum Zone TTL to be long enough to both fetch - and verify all the RRs in the trust chain. In workshop - environments, it has been demonstrated [19] that a low TTL (under - 5 to 10 minutes) caused disruptions because of the following two - problems: - - 1. During validation, some data may expire before the - validation is complete. The validator should be able to keep - all data until it is completed. This applies to all RRs needed - to complete the chain of trust: DSes, DNSKEYs, RRSIGs, and the - final answers, i.e., the RRSet that is returned for the initial - query. - - 2. Frequent verification causes load on recursive nameservers. - Data at delegation points, DSes, DNSKEYs, and RRSIGs benefit - from caching. The TTL on those should be relatively long. - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 13] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - o Slave servers will need to be able to fetch newly signed zones - well before the RRSIGs in the zone served by the slave server pass - their signature expiration time. - - When a slave server is out of sync with its master and data in - a zone is signed by expired signatures, it may be better for - the slave server not to give out any answer. - - Normally, a slave server that is not able to contact a master - server for an extended period will expire a zone. When that - happens, the server will respond differently to queries for - that zone. Some servers issue SERVFAIL, whereas others turn - off the 'AA' bit in the answers. The time of expiration is set - in the SOA record and is relative to the last successful - refresh between the master and the slave servers. There exists - no coupling between the signature expiration of RRSIGs in the - zone and the expire parameter in the SOA. - - If the server serves a DNSSEC zone, then it may well happen - that the signatures expire well before the SOA expiration timer - counts down to zero. 
It is not possible to completely prevent - this from happening by tweaking the SOA parameters. - - However, the effects can be minimized where the SOA expiration - time is equal to or shorter than the signature validity period. - - The consequence of an authoritative server not being able to - update a zone, whilst that zone includes expired signatures, is - that non-secure resolvers will continue to be able to resolve - data served by the particular slave servers while security- - aware resolvers will experience problems because of answers - being marked as Bogus. - - We suggest the SOA expiration timer being approximately one - third or one fourth of the signature validity period. It will - allow problems with transfers from the master server to be - noticed before the actual signature times out. - - We also suggest that operators of nameservers that supply - secondary services develop 'watch dogs' to spot upcoming - signature expirations in zones they slave, and take appropriate - action. - - When determining the value for the expiration parameter one has - to take the following into account: What are the chances that - all my secondaries expire the zone? How quickly can I reach an - administrator of secondary servers to load a valid zone? These - questions are not DNSSEC specific but may influence the choice - - - -Kolkman & Gieben Expires September 8, 2009 [Page 14] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - of your signature validity intervals. - -4.2. Key Rollovers - - Regardless of whether a zone uses periodic key rollovers in order to - practice for emergencies, or only rolls over keys in an emergency, - key rollovers are a fact of life when using DNSSEC. Zone - administrators who are in the process of rolling their keys have to - take into account that data published in previous versions of their - zone still lives in caches. 
When deploying DNSSEC, this becomes an - important consideration; ignoring data that may be in caches may lead - to loss of service for clients. - - The most pressing example of this occurs when zone material signed - with an old key is being validated by a resolver that does not have - the old zone key cached. If the old key is no longer present in the - current zone, this validation fails, marking the data "Bogus". - Alternatively, an attempt could be made to validate data that is - signed with a new key against an old key that lives in a local cache, - also resulting in data being marked "Bogus". - -4.2.1. Zone Signing Key Rollovers - - For "Zone Signing Key rollovers", there are two ways to make sure - that during the rollover data still cached can be verified with the - new key sets or newly generated signatures can be verified with the - keys still in caches. One schema, described in Section 4.2.1.2, uses - double signatures; the other uses key pre-publication - (Section 4.2.1.1). The pros, cons, and recommendations are described - in Section 4.2.1.3. - -4.2.1.1. Pre-Publish Key Rollover - - This section shows how to perform a ZSK rollover without the need to - sign all the data in a zone twice -- the "pre-publish key rollover". - This method has advantages in the case of a key compromise. If the - old key is compromised, the new key has already been distributed in - the DNS. The zone administrator is then able to quickly switch to - the new key and remove the compromised key from the zone. Another - major advantage is that the zone size does not double, as is the case - with the double signature ZSK rollover. A small "how-to" for this - kind of rollover can be found in Appendix B. 
- - - - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 15] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - Pre-publish key rollover involves four stages as follows: - - ---------------------------------------------------------------- - initial new DNSKEY new RRSIGs DNSKEY removal - ---------------------------------------------------------------- - SOA0 SOA1 SOA2 SOA3 - RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3) - - DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 - DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11 - DNSKEY11 DNSKEY11 - RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY) - RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) - ---------------------------------------------------------------- - - Pre-Publish Key Rollover - - initial: Initial version of the zone: DNSKEY 1 is the Key Signing - Key. DNSKEY 10 is used to sign all the data of the zone, the Zone - Signing Key. - - new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no - signatures are generated with this key yet, but this does not - secure against brute force attacks on the public key. The minimum - duration of this pre-roll phase is the time it takes for the data - to propagate to the authoritative servers plus TTL value of the - key set. - - new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is - used to sign the data in the zone exclusively (i.e., all the - signatures from DNSKEY 10 are removed from the zone). DNSKEY 10 - remains published in the key set. This way data that was loaded - into caches from version 1 of the zone can still be verified with - key sets fetched from version 2 of the zone. 
The minimum time - that the key set including DNSKEY 10 is to be published is the - time that it takes for zone data from the previous version of the - zone to expire from old caches, i.e., the time it takes for this - zone to propagate to all authoritative servers plus the Maximum - Zone TTL value of any of the data in the previous version of the - zone. - - DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, - now only containing DNSKEY 1 and DNSKEY 11, is re-signed with the - DNSKEY 1. - - The above scheme can be simplified by always publishing the "future" - key immediately after the rollover. The scheme would look as follows - (we show two rollovers); the future key is introduced in "new DNSKEY" - - - -Kolkman & Gieben Expires September 8, 2009 [Page 16] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY - (II)": - - - initial new RRSIGs new DNSKEY - ----------------------------------------------------------------- - SOA0 SOA1 SOA2 - RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2) - - DNSKEY1 DNSKEY1 DNSKEY1 - DNSKEY10 DNSKEY10 DNSKEY11 - DNSKEY11 DNSKEY11 DNSKEY12 - RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) - RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) - ---------------------------------------------------------------- - - ---------------------------------------------------------------- - new RRSIGs (II) new DNSKEY (II) - ---------------------------------------------------------------- - SOA3 SOA4 - RRSIG12(SOA3) RRSIG12(SOA4) - - DNSKEY1 DNSKEY1 - DNSKEY11 DNSKEY12 - DNSKEY12 DNSKEY13 - RRSIG1(DNSKEY) RRSIG1(DNSKEY) - RRSIG12(DNSKEY) RRSIG12(DNSKEY) - ---------------------------------------------------------------- - - Pre-Publish Key Rollover, Showing Two Rollovers - - Note that the key introduced in the "new DNSKEY" phase is not used - for production yet; the private key can thus be stored in a - physically secure manner and does not need to be 'fetched' 
every time - a zone needs to be signed. - -4.2.1.2. Double Signature Zone Signing Key Rollover - - This section shows how to perform a ZSK key rollover using the double - zone data signature scheme, aptly named "double signature rollover". - - During the "new DNSKEY" stage the new version of the zone file will - need to propagate to all authoritative servers and the data that - exists in (distant) caches will need to expire, requiring at least - the Maximum Zone TTL. - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 17] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - Double signature ZSK rollover involves three stages as follows: - - ---------------------------------------------------------------- - initial new DNSKEY DNSKEY removal - ---------------------------------------------------------------- - SOA0 SOA1 SOA2 - RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) - RRSIG11(SOA1) - DNSKEY1 DNSKEY1 DNSKEY1 - DNSKEY10 DNSKEY10 DNSKEY11 - DNSKEY11 - RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) - RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) - RRSIG11(DNSKEY) - ---------------------------------------------------------------- - - Double Signature Zone Signing Key Rollover - - initial: Initial Version of the zone: DNSKEY 1 is the Key Signing - Key. DNSKEY 10 is used to sign all the data of the zone, the Zone - Signing Key. - - new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is - introduced into the key set and all the data in the zone is signed - with DNSKEY 10 and DNSKEY 11. The rollover period will need to - continue until all data from version 0 of the zone has expired - from remote caches. This will take at least the Maximum Zone TTL - of version 0 of the zone. - - DNSKEY removal: DNSKEY 10 is removed from the zone. All the - signatures from DNSKEY 10 are removed from the zone. The key set, - now only containing DNSKEY 11, is re-signed with DNSKEY 1. 
- - At every instance, RRSIGs from the previous version of the zone can - be verified with the DNSKEY RRSet from the current version and the - other way around. The data from the current version can be verified - with the data from the previous version of the zone. The duration of - the "new DNSKEY" phase and the period between rollovers should be at - least the Maximum Zone TTL. - - Making sure that the "new DNSKEY" phase lasts until the signature - expiration time of the data in the initial version of the zone is - recommended. This way all caches are cleared of the old signatures. - However, this duration could be considerably longer than the Maximum - Zone TTL, making the rollover a lengthy procedure. - - Note that in this example we assumed that the zone was not modified - during the rollover. New data can be introduced in the zone as long - - - -Kolkman & Gieben Expires September 8, 2009 [Page 18] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - as it is signed with both keys. - -4.2.1.3. Pros and Cons of the Schemes - - Pre-publish key rollover: This rollover does not involve signing the - zone data twice. Instead, before the actual rollover, the new key - is published in the key set and thus is available for - cryptanalysis attacks. A small disadvantage is that this process - requires four steps. Also the pre-publish scheme involves more - parental work when used for KSK rollovers as explained in - Section 4.2.3. - - Double signature ZSK rollover: The drawback of this signing scheme - is that during the rollover the number of signatures in your zone - doubles; this may be prohibitive if you have very big zones. An - advantage is that it only requires three steps. - -4.2.2. Key Signing Key Rollovers - - For the rollover of a Key Signing Key, the same considerations as for - the rollover of a Zone Signing Key apply. 
However, we can use a - double signature scheme to guarantee that old data (only the apex key - set) in caches can be verified with a new key set and vice versa. - Since only the key set is signed with a KSK, zone size considerations - do not apply. - - - - - - - - - - - - - - - - - - - - - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 19] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - -------------------------------------------------------------------- - initial new DNSKEY DS change DNSKEY removal - -------------------------------------------------------------------- - Parent: - SOA0 --------> SOA1 --------> - RRSIGpar(SOA0) --------> RRSIGpar(SOA1) --------> - DS1 --------> DS2 --------> - RRSIGpar(DS) --------> RRSIGpar(DS) --------> - - - Child: - SOA0 SOA1 --------> SOA2 - RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2) - --------> - DNSKEY1 DNSKEY1 --------> DNSKEY2 - DNSKEY2 --------> - DNSKEY10 DNSKEY10 --------> DNSKEY10 - RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY) - RRSIG2 (DNSKEY) --------> - RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) - -------------------------------------------------------------------- - - Stages of Deployment for a Double Signature Key Signing Key Rollover - - initial: Initial version of the zone. The parental DS points to - DNSKEY1. Before the rollover starts, the child will have to - verify what the TTL is of the DS RR that points to DNSKEY1 -- it - is needed during the rollover and we refer to the value as TTL_DS. - - new DNSKEY: During the "new DNSKEY" phase, the zone administrator - generates a second KSK, DNSKEY2. The key is provided to the - parent, and the child will have to wait until a new DS RR has been - generated that points to DNSKEY2. After that DS RR has been - published on all servers authoritative for the parent's zone, the - zone administrator has to wait at least TTL_DS to make sure that - the old DS RR has expired from caches. 
- - DS change: The parent replaces DS1 with DS2. - - DNSKEY removal: DNSKEY1 has been removed. - - The scenario above puts the responsibility for maintaining a valid - chain of trust with the child. It also is based on the premise that - the parent only has one DS RR (per algorithm) per zone. An - alternative mechanism has been considered. Using an established - trust relation, the interaction can be performed in-band, and the - removal of the keys by the child can possibly be signaled by the - parent. In this mechanism, there are periods where there are two DS - - - -Kolkman & Gieben Expires September 8, 2009 [Page 20] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - RRs at the parent. Since at the moment of writing the protocol for - this interaction has not been developed, further discussion is out of - scope for this document. - -4.2.3. Difference Between ZSK and KSK Rollovers - - Note that KSK rollovers and ZSK rollovers are different in the sense - that a KSK rollover requires interaction with the parent (and - possibly replacing of trust anchors) and the ensuing delay while - waiting for it. - - A zone key rollover can be handled in two different ways: pre-publish - (Section 4.2.1.1) and double signature (Section 4.2.1.2). - - As the KSK is used to validate the key set and because the KSK is not - changed during a ZSK rollover, a cache is able to validate the new - key set of the zone. The pre-publish method would also work for a - KSK rollover. The records that are to be pre-published are the - parental DS RRs. The pre-publish method has some drawbacks for KSKs. - We first describe the rollover scheme and then indicate these - drawbacks. 
- - - -------------------------------------------------------------------- - initial new DS new DNSKEY DS/DNSKEY removal - -------------------------------------------------------------------- - Parent: - SOA0 SOA1 --------> SOA2 - RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2) - DS1 DS1 --------> DS2 - DS2 --------> - RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS) - - Child: - SOA0 --------> SOA1 SOA1 - RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1) - --------> - DNSKEY1 --------> DNSKEY2 DNSKEY2 - --------> - DNSKEY10 --------> DNSKEY10 DNSKEY10 - RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY) - RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY) - -------------------------------------------------------------------- - - Stages of Deployment for a Pre-Publish Key Signing Key Rollover - - When the child zone wants to roll, it notifies the parent during the - "new DS" phase and submits the new key (or the corresponding DS) to - - - -Kolkman & Gieben Expires September 8, 2009 [Page 21] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1 - and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase), - which can take place as soon as the new DS set propagated through the - DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that - ("DS/DNSKEY removal" phase), it can notify the parent that the old DS - record can be deleted. - - The drawbacks of this scheme are that during the "new DS" phase the - parent cannot verify the match between the DS2 RR and DNSKEY2 using - the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a - "security lame" key (see Section 4.4.3). Finally, the child-parent - interaction consists of two steps. The "double signature" method - only needs one interaction. - -4.2.4. 
Key algorithm rollover - - [OK: The txt of this section is a strawman for the issue in: http:// - www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll - ] - - A special class of keyrollover is the rollover of key algorithms - (either adding a new algorithm, removing an old algorithm, or both), - additional steps are needed to retain integrity during the rollover. - - Because of the algorithm downgrade protection in RFC4035 section 2.2, - you may not have a key of an algorithm for which you do not have - signatures. - - When adding a new algorithm, the signatures should be added first. - After the TTL has expired, and caches have dropped the old data - covered by those signatures, the DNSKEY with the new algorithm can be - added. When removing an old algorithm, the DNSKEY should be removed - first. - - To do both, the following steps can be used. For simplicity, we use - a zone that is only signed by one zone signing key. - - - - - - - - - - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 22] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - ---------------------------------------------------------------- - 1 Initial 2 New RRSIGS 3 New DNSKEY - ---------------------------------------------------------------- - SOA0 SOA1 SOA2 - RRSIG1(SOA0) RRSIG1(SOA1) RRSIG1(SOA2) - RRSIG2(SOA1) RRSIG2(SOA2) - - DNSKEY1 DNSKEY1 DNSKEY1 - RRSIG1(DNSKEY) RRSIG1(DNSKEY) DNSKEY2 - RRSIG2(DNSKEY) RRSIG1(DNSKEY) - RRSIG2(DNSKEY) - ---------------------------------------------------------------- - 4 Remove DNSKEY 5 Remove RRSIGS - ---------------------------------------------------------------- - SOA3 SOA4 - RRSIG1(SOA3) RRSIG2(SOA4) - RRSIG2(SOA3) - - DNSKEY2 DNSKEY2 - RRSIG1(DNSKEY) RRSIG2(DNSKEY) - RRSIG2(DNSKEY) - ---------------------------------------------------------------- - - Stages of Deployment during an Algorithm Rollover. - - In step 2, the signatures for the new key are added, but the key - itself is not. 
While in theory, the signatures of the keyset should - always be synchronized with the keyset itself, it can be possible - that RRSIGS are requested separately, so it might be prudent to also - sign the DNSKEY set with the new signature. - - After the cache data has expired, the new key can be added to the - zone, as done in step 3. - - The next step is to remove the old algorithm. This time the key - needs to be removed first, before removing the signatures. The key - is removed in step 4, and after the cache data has expired, the - signatures can be removed in step 5. - - The above steps ensure that during the rollover to a new algorithm, - the integrity of the zone is never broken. - -4.2.5. Automated Key Rollovers - - As keys must be renewed periodically, there is some motivation to - automate the rollover process. Consider the following: - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 23] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - o ZSK rollovers are easy to automate as only the child zone is - involved. - - o A KSK rollover needs interaction between parent and child. Data - exchange is needed to provide the new keys to the parent; - consequently, this data must be authenticated and integrity must - be guaranteed in order to avoid attacks on the rollover. - -4.3. Planning for Emergency Key Rollover - - This section deals with preparation for a possible key compromise. - Our advice is to have a documented procedure ready for when a key - compromise is suspected or confirmed. - - When the private material of one of your keys is compromised it can - be used for as long as a valid trust chain exists. 
A trust chain - remains intact for - - o as long as a signature over the compromised key in the trust chain - is valid, - - o as long as a parental DS RR (and signature) points to the - compromised key, - - o as long as the key is anchored in a resolver and is used as a - starting point for validation (this is generally the hardest to - update). - - While a trust chain to your compromised key exists, your namespace is - vulnerable to abuse by anyone who has obtained illegitimate - possession of the key. Zone operators have to make a trade-off if - the abuse of the compromised key is worse than having data in caches - that cannot be validated. If the zone operator chooses to break the - trust chain to the compromised key, data in caches signed with this - key cannot be validated. However, if the zone administrator chooses - to take the path of a regular rollover, the malicious key holder can - spoof data so that it appears to be valid. - -4.3.1. KSK Compromise - - A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable - as long as the compromised KSK is configured as trust anchor or a - parental DS points to it. - - A compromised KSK can be used to sign the key set of an attacker's - zone. That zone could be used to poison the DNS. - - Therefore, when the KSK has been compromised, the trust anchor or the - - - -Kolkman & Gieben Expires September 8, 2009 [Page 24] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - parental DS should be replaced as soon as possible. It is local - policy whether to break the trust chain during the emergency - rollover. The trust chain would be broken when the compromised KSK - is removed from the child's zone while the parent still has a DS - pointing to the compromised KSK (the assumption is that there is only - one DS at the parent. If there are multiple DSes this does not apply - -- however the chain of trust of this particular key is broken). 
- - Note that an attacker's zone still uses the compromised KSK and the - presence of a parental DS would cause the data in this zone to appear - as valid. Removing the compromised key would cause the attacker's - zone to appear as valid and the child's zone as Bogus. Therefore, we - advise not to remove the KSK before the parent has a DS to a new KSK - in place. - -4.3.1.1. Keeping the Chain of Trust Intact - - If we follow this advice, the timing of the replacement of the KSK is - somewhat critical. The goal is to remove the compromised KSK as soon - as the new DS RR is available at the parent. And also make sure that - the signature made with a new KSK over the key set with the - compromised KSK in it expires just after the new DS appears at the - parent, thus removing the old cruft in one swoop. - - The procedure is as follows: - - 1. Introduce a new KSK into the key set, keep the compromised KSK in - the key set. - - 2. Sign the key set, with a short validity period. The validity - period should expire shortly after the DS is expected to appear - in the parent and the old DSes have expired from caches. - - 3. Upload the DS for this new key to the parent. - - 4. Follow the procedure of the regular KSK rollover: Wait for the DS - to appear in the authoritative servers and then wait as long as - the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet - and modify/extend the expiration time. - - 5. Remove the compromised DNSKEY RR from the zone and re-sign the - key set using your "normal" validity interval. - - An additional danger of a key compromise is that the compromised key - could be used to facilitate a legitimate DNSKEY/DS rollover and/or - nameserver changes at the parent. When that happens, the domain may - be in dispute. An authenticated out-of-band and secure notify - mechanism to contact a parent is needed in this case. 
- - - -Kolkman & Gieben Expires September 8, 2009 [Page 25] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - Note that this is only a problem when the DNSKEY and or DS records - are used for authentication at the parent. - -4.3.1.2. Breaking the Chain of Trust - - There are two methods to break the chain of trust. The first method - causes the child zone to appear 'Bogus' to validating resolvers. The - other causes the child zone to appear 'insecure'. These are - described below. - - In the method that causes the child zone to appear 'Bogus' to - validating resolvers, the child zone replaces the current KSK with a - new one and re-signs the key set. Next it sends the DS of the new - key to the parent. Only after the parent has placed the new DS in - the zone is the child's chain of trust repaired. - - An alternative method of breaking the chain of trust is by removing - the DS RRs from the parent zone altogether. As a result, the child - zone would become insecure. - -4.3.2. ZSK Compromise - - Primarily because there is no parental interaction required when a - ZSK is compromised, the situation is less severe than with a KSK - compromise. The zone must still be re-signed with a new ZSK as soon - as possible. As this is a local operation and requires no - communication between the parent and child, this can be achieved - fairly quickly. However, one has to take into account that just as - with a normal rollover the immediate disappearance of the old - compromised key may lead to verification problems. Also note that as - long as the RRSIG over the compromised ZSK is not expired the zone - may be still at risk. - -4.3.3. Compromises of Keys Anchored in Resolvers - - A key can also be pre-configured in resolvers. For instance, if - DNSSEC is successfully deployed the root key may be pre-configured in - most security aware resolvers. - - If trust-anchor keys are compromised, the resolvers using these keys - should be notified of this fact. 
Zone administrators may consider - setting up a mailing list to communicate the fact that a SEP key is - about to be rolled over. This communication will of course need to - be authenticated, e.g., by using digital signatures. - - End-users faced with the task of updating an anchored key should - always validate the new key. New keys should be authenticated out- - of-band, for example, through the use of an announcement website that - - - -Kolkman & Gieben Expires September 8, 2009 [Page 26] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - is secured using secure sockets (TLS) [23]. - -4.4. Parental Policies - -4.4.1. Initial Key Exchanges and Parental Policies Considerations - - The initial key exchange is always subject to the policies set by the - parent. When designing a key exchange policy one should take into - account that the authentication and authorization mechanisms used - during a key exchange should be as strong as the authentication and - authorization mechanisms used for the exchange of delegation - information between parent and child. That is, there is no implicit - need in DNSSEC to make the authentication process stronger than it - was in DNS. - - Using the DNS itself as the source for the actual DNSKEY material, - with an out-of-band check on the validity of the DNSKEY, has the - benefit that it reduces the chances of user error. A DNSKEY query - tool can make use of the SEP bit [5] to select the proper key from a - DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is - sent. It can validate the self-signature over a key; thereby - verifying the ownership of the private key material. Fetching the - DNSKEY from the DNS ensures that the chain of trust remains intact - once the parent publishes the DS RR indicating the child is secure. - - Note: the out-of-band verification is still needed when the key - material is fetched via the DNS. 
The parent can never be sure - whether or not the DNSKEY RRs have been spoofed. - -4.4.2. Storing Keys or Hashes? - - When designing a registry system one should consider which of the - DNSKEYs and/or the corresponding DSes to store. Since a child zone - might wish to have a DS published using a message digest algorithm - not yet understood by the registry, the registry can't count on being - able to generate the DS record from a raw DNSKEY. Thus, we recommend - that registry systems at least support storing DS records. - - It may also be useful to store DNSKEYs, since having them may help - during troubleshooting and, as long as the child's chosen message - digest is supported, the overhead of generating DS records from them - is minimal. Having an out-of-band mechanism, such as a registry - directory (e.g., Whois), to find out which keys are used to generate - DS Resource Records for specific owners and/or zones may also help - with troubleshooting. - - The storage considerations also relate to the design of the customer - interface and the method by which data is transferred between - - - -Kolkman & Gieben Expires September 8, 2009 [Page 27] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - registrant and registry; Will the child zone administrator be able to - upload DS RRs with unknown hash algorithms or does the interface only - allow DNSKEYs? In the registry-registrar model, one can use the - DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15], - which allows transfer of DS RRs and optionally DNSKEY RRs. - -4.4.3. Security Lameness - - Security lameness is defined as what happens when a parent has a DS - RR pointing to a non-existing DNSKEY RR. When this happens, the - child's zone may be marked "Bogus" by verifying DNS clients. - - As part of a comprehensive delegation check, the parent could, at key - exchange time, verify that the child's key is actually configured in - the DNS. 
However, if a parent does not understand the hashing - algorithm used by child, the parental checks are limited to only - comparing the key id. - - Child zones should be very careful in removing DNSKEY material, - specifically SEP keys, for which a DS RR exists. - - Once a zone is "security lame", a fix (e.g., removing a DS RR) will - take time to propagate through the DNS. - -4.4.4. DS Signature Validity Period - - Since the DS can be replayed as long as it has a valid signature, a - short signature validity period over the DS minimizes the time a - child is vulnerable in the case of a compromise of the child's - KSK(s). A signature validity period that is too short introduces the - possibility that a zone is marked "Bogus" in case of a configuration - error in the signer. There may not be enough time to fix the - problems before signatures expire. Something as mundane as operator - unavailability during weekends shows the need for DS signature - validity periods longer than 2 days. We recommend an absolute - minimum for a DS signature validity period of a few days. - - The maximum signature validity period of the DS record depends on how - long child zones are willing to be vulnerable after a key compromise. - On the other hand, shortening the DS signature validity interval - increases the operational risk for the parent. Therefore, the parent - may have policy to use a signature validity interval that is - considerably longer than the child would hope for. - - A compromise between the operational constraints of the parent and - minimizing damage for the child may result in a DS signature validity - period somewhere between a week and months. 
- - - - -Kolkman & Gieben Expires September 8, 2009 [Page 28] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - In addition to the signature validity period, which sets a lower - bound on the number of times the zone owner will need to sign the - zone data and which sets an upper bound to the time a child is - vulnerable after key compromise, there is the TTL value on the DS - RRs. Shortening the TTL means that the authoritative servers will - see more queries. But on the other hand, a short TTL lowers the - persistence of DS RRSets in caches thereby increasing the speed with - which updated DS RRSets propagate through the DNS. - -4.4.5. (Non) Cooperating Registrars - - [OK: this is a first strawman, and is intended to start the - discussion of the issue. By no means this is intended to be a final - text.] - - The parent-child relation is often described in terms of a (thin) - registry model. Where a registry maintains the parent zone, and the - registrant (the user of the child-domain name), deals with the - registry through an intermediary called a registrar. (See [12] for a - comprehensive definition). Registrants may out-source the - maintenance of their DNS system, including the maintenance of DNSSEC - key material, to the registrar or to another third party. The entity - that has control over the DNS zone and its keys may prevent the - registrant to make a timely move to a different registrar. [OK: I - use the term registrar below while it is the operator of the DNS zone - who is the actual culprit. For instance, the case also applies when - a registrant passes a zone to another registrant. Should I just use - "DNS Administrator"?] - - Suppose that the registrant wants to move from losing registrar A to - gaining registrar B. Let us first look what would happen in a - cooperative environment. The assumption is that registrar A will not - hand off any private key material to registrar B because that would - be a trivial case. 
- - In a cooperating environment one could proceed with a pre-publish ZSK - rollover whereby registrar A pre-publishes the ZSK of registrar B, - combined with a double signature KSK rollover where the two - registrars exchange public keys and independently generate a - signature over the keysets that they combine and both publish in the - zone. - - In the non-cooperative case matters are more complicated. The - loosing registrar A may not cooperate and leave the data in the DNS - as is. In the extreme case registrar A may become obstructive and - publish a DNSKEY RR with a high TTL and corresponding signature - validity so that registrar A's DNSKEY, would end up in caches for, in - theory, tens of years. - - - -Kolkman & Gieben Expires September 8, 2009 [Page 29] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - The problem arises when a validator tries to validate with A's key - and there is no signature material produced with Registrars A - available in the delegation path after redelegation from registrar A - to registrar B has taken place. One could imagine a rollover - scenario where registrar B pulls all RRSIGs created by registar A and - publishes those in conjunction with its own signatures, but that - would not allow any changes in the zone content. Since a - redelegation took place the NS RRset has -- per definition-- changed - so such rollover scenario will not work. Besides if zone transfers - are not allowed by A and NSEC3 is deployed in the A's zone then - registrar B will not have certainty that all of A's RRSIGs are - transfered. - - The only viable option for the registrant is to publish its zone - unsigned and ask the registry to remove the DS pointing to registrar - A for as long as the DNSKEY of registrar A, or any of the signatures - produced by registrar A are likely to appear in caches, which as - mentioned above could in theory be for tens of years. [OK: Some - implementations limit the time data is cached. 
Although that is not - a protocol requirement (and may even be considered a protocol - violation) it seems that that practice may limit the impact of this - problem, is that worth mentioning?] - - [OK: This is really the point that I'm trying to make, is the above - text needed?] There is no operational methodology to work around - this business issue and proper contractual relations ships between - registrants and their registrars seem to be the only solution to cope - with these problems. - -5. Security Considerations - - DNSSEC adds data integrity to the DNS. This document tries to assess - the operational considerations to maintain a stable and secure DNSSEC - service. Not taking into account the 'data propagation' properties - in the DNS will cause validation failures and may make secured zones - unavailable to security-aware resolvers. - -6. IANA considerations - - There are no IANA considerations with respect to this document - -7. Acknowledgments - - Most of the text of this document is copied from RFC4641 [16] people - involved in that work were in random order: Rip Loomis, Olafur - Gudmundsson, Wesley Griffin, Michael Richardson, Scott Rose, Rick van - Rein, Tim McGinnis, Gilles Guette Olivier Courtay, Sam Weiler, Jelte - Jansen, Niall O'Reilly, Holger Zuleger, Ed Lewis, Hilarie Orman, - - - -Kolkman & Gieben Expires September 8, 2009 [Page 30] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - Marcos Sanz, Peter Koch, Mike StJohns, Emmar Bretherick, Adrian - Bedford, and Lindy Foster, G. Guette, and O. Courtay. - - For this version of the document we would like to acknowldge: - - o Paul Hoffman for his contribution on the choice of cryptographic - paramenters and addressing some of the trust anchor issues. - - o Jelte Jansen provided the text in Section 4.2.4 - -8. References - -8.1. Normative References - - [1] Mockapetris, P., "Domain names - concepts and facilities", - STD 13, RFC 1034, November 1987. 
- - [2] Mockapetris, P., "Domain names - implementation and - specification", STD 13, RFC 1035, November 1987. - - [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, - "DNS Security Introduction and Requirements", RFC 4033, - March 2005. - - [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, - "Resource Records for the DNS Security Extensions", RFC 4034, - March 2005. - - [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, - "Protocol Modifications for the DNS Security Extensions", - RFC 4035, March 2005. - -8.2. Informative References - - [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997. - - [7] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, - August 1996. - - [8] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes - (DNS NOTIFY)", RFC 1996, August 1996. - - [9] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", - RFC 2308, March 1998. - - [10] Eastlake, D., "DNS Security Operational Considerations", - RFC 2541, March 1999. - - - -Kolkman & Gieben Expires September 8, 2009 [Page 31] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic - Update", RFC 3007, November 2000. - - [12] Hollenbeck, S., "Generic Registry-Registrar Protocol - Requirements", RFC 3375, September 2002. - - [13] Orman, H. and P. Hoffman, "Determining Strengths For Public - Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, - April 2004. - - [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness - Requirements for Security", BCP 106, RFC 4086, June 2005. - - [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions - Mapping for the Extensible Provisioning Protocol (EPP)", - RFC 4310, December 2005. - - [16] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices", - RFC 4641, September 2006. 
- - [17] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, - August 2007. - - [18] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust - Anchors", RFC 5011, September 2007. - - [19] Rose, S., "NIST DNSSEC workshop notes", , June 2001. - - [20] Barker, E. and J. Kelsey, "Recommendation for Random Number - Generation Using Deterministic Random Bit Generators - (Revised)", Nist Special Publication 800-90, March 2007. - - [21] Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and - RRSIG Resource Records for DNSSEC", - draft-ietf-dnsext-dnssec-rsasha256-05 (work in progress), - July 2008. - - [22] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) - Resource Records (RRs)", RFC 4509, May 2006. - - [23] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and - T. Wright, "Transport Layer Security (TLS) Extensions", - RFC 4366, April 2006. - -Appendix A. Terminology - - In this document, there is some jargon used that is defined in other - documents. In most cases, we have not copied the text from the - - - -Kolkman & Gieben Expires September 8, 2009 [Page 32] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - documents defining the terms but have given a more elaborate - explanation of the meaning. Note that these explanations should not - be seen as authoritative. - - Anchored key: A DNSKEY configured in resolvers around the globe. - This key is hard to update, hence the term anchored. - - Bogus: Also see Section 5 of [3]. An RRSet in DNSSEC is marked - "Bogus" when a signature of an RRSet does not validate against a - DNSKEY. - - Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is - used exclusively for signing the apex key set. The fact that a - key is a KSK is only relevant to the signing tool. - - Key size: The term 'key size' can be substituted by 'modulus size' - throughout the document. 
It is mathematically more correct to use - modulus size, but as this is a document directed at operators we - feel more at ease with the term key size. - - Private and public keys: DNSSEC secures the DNS through the use of - public key cryptography. Public key cryptography is based on the - existence of two (mathematically related) keys, a public key and a - private key. The public keys are published in the DNS by use of - the DNSKEY Resource Record (DNSKEY RR). Private keys should - remain private. - - Key rollover: A key rollover (also called key supercession in some - environments) is the act of replacing one key pair with another at - the end of a key effectivity period. - - Secure Entry Point (SEP) key: A KSK that has a parental DS record - pointing to it or is configured as a trust anchor. Although not - required by the protocol, we recommend that the SEP flag [5] is - set on these keys. - - Self-signature: This only applies to signatures over DNSKEYs; a - signature made with DNSKEY x, over DNSKEY x is called a self- - signature. Note: without further information, self-signatures - convey no trust. They are useful to check the authenticity of the - DNSKEY, i.e., they can be used as a hash. - - Singing the zone file: The term used for the event where an - administrator joyfully signs its zone file while producing melodic - sound patterns. - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 33] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - Signer: The system that has access to the private key material and - signs the Resource Record sets in a zone. A signer may be - configured to sign only parts of the zone, e.g., only those RRSets - for which existing signatures are about to expire. - - Zone Signing Key (ZSK): A key that is used for signing all data in a - zone (except, perhaps, the DNSKEY RRSet). The fact that a key is - a ZSK is only relevant to the signing tool. 
- - Zone administrator: The 'role' that is responsible for signing a - zone and publishing it on the primary authoritative server. - -Appendix B. Zone Signing Key Rollover How-To - - Using the pre-published signature scheme and the most conservative - method to assure oneself that data does not live in caches, here - follows the "how-to". - - Step 0: The preparation: Create two keys and publish both in your - key set. Mark one of the keys "active" and the other "published". - Use the "active" key for signing your zone data. Store the - private part of the "published" key, preferably off-line. The - protocol does not provide for attributes to mark a key as active - or published. This is something you have to do on your own, - through the use of a notebook or key management tool. - - Step 1: Determine expiration: At the beginning of the rollover make - a note of the highest expiration time of signatures in your zone - file created with the current key marked as active. Wait until - the expiration time marked in Step 1 has passed. - - Step 2: Then start using the key that was marked "published" to sign - your data (i.e., mark it "active"). Stop using the key that was - marked "active"; mark it "rolled". - - Step 3: It is safe to engage in a new rollover (Step 1) after at - least one signature validity period. - -Appendix C. Typographic Conventions - - The following typographic conventions are used in this document: - - Key notation: A key is denoted by DNSKEYx, where x is a number or an - identifier, x could be thought of as the key id. - - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 34] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - RRSet notations: RRs are only denoted by the type. All other - information -- owner, class, rdata, and TTL -- is left out. Thus: - "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a - list of RRs. 
A example of this would be "A1, A2", specifying the - RRSet containing two "A" records. This could again be abbreviated - to just "A". - - Signature notation: Signatures are denoted as RRSIGx(RRSet), which - means that RRSet is signed with DNSKEYx. - - Zone representation: Using the above notation we have simplified the - representation of a signed zone by leaving out all unnecessary - details such as the names and by representing all data by "SOAx" - - SOA representation: SOAs are represented as SOAx, where x is the - serial number. - - Using this notation the following signed zone: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Kolkman & Gieben Expires September 8, 2009 [Page 35] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - example.net. 86400 IN SOA ns.example.net. bert.example.net. ( - 2006022100 ; serial - 86400 ; refresh ( 24 hours) - 7200 ; retry ( 2 hours) - 3600000 ; expire (1000 hours) - 28800 ) ; minimum ( 8 hours) - 86400 RRSIG SOA 5 2 86400 20130522213204 ( - 20130422213204 14 example.net. - cmL62SI6iAX46xGNQAdQ... ) - 86400 NS a.example.net. - 86400 NS b.example.net. - 86400 RRSIG NS 5 2 86400 20130507213204 ( - 20130407213204 14 example.net. - SO5epiJei19AjXoUpFnQ ... ) - 86400 DNSKEY 256 3 5 ( - EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14 - 86400 DNSKEY 257 3 5 ( - gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15 - 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( - 20130422213204 14 example.net. - J4zCe8QX4tXVGjV4e1r9... ) - 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( - 20130422213204 15 example.net. - keVDCOpsSeDReyV6O... ) - 86400 RRSIG NSEC 5 2 86400 20130507213204 ( - 20130407213204 14 example.net. - obj3HEp1GjnmhRjX... ) - a.example.net. 86400 IN TXT "A label" - 86400 RRSIG TXT 5 3 86400 20130507213204 ( - 20130407213204 14 example.net. - IkDMlRdYLmXH7QJnuF3v... ) - 86400 NSEC b.example.com. TXT RRSIG NSEC - 86400 RRSIG NSEC 5 3 86400 20130507213204 ( - 20130407213204 14 example.net. - bZMjoZ3bHjnEz0nIsPMM... 
) - ... - - is reduced to the following representation: - - SOA2006022100 - RRSIG14(SOA2006022100) - DNSKEY14 - DNSKEY15 - - RRSIG14(KEY) - RRSIG15(KEY) - - The rest of the zone data has the same signature as the SOA record, - - - -Kolkman & Gieben Expires September 8, 2009 [Page 36] - -Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 - - - i.e., an RRSIG created with DNSKEY 14. - -Appendix D. Document Editing History - - [To be removed prior to publication as an RFC] - -D.1. draft-ietf-dnsop-rfc4641-00 - - Version 0 was differs from RFC4641 in the following ways. - - o Status of this memo appropriate for I-D - - o TOC formatting differs. - - o Whitespaces, linebreaks, and pagebreaks may be slightly different - because of xml2rfc generation. - - o References slightly reordered. - - o Applied the errata from - http://www.rfc-editor.org/errata_search.php?rfc=4641 - - o Inserted trivial "IANA considertations" section. - - In other words it should not contain substantive changes in content - as intended by the workinggroup for the original RFC4641. - -D.2. version 0->1 - - Cryptography details rewritten. (See http://www.nlnetlabs.nl/svn/ - rfc4641bis/trunk/open-issues/cryptography_flawed) - - o Reference to NIST 800-90 added - - o RSA/SHA256 is being recommended in addition to RSA/SHA1. - - o Complete rewrite of Section 3.5 removing the table and suggesting - a keysize of 1024 for keys in use for less than 8 years, issued up - to at least 2015. - - o Replaced the reference to Schneiers' applied cryptograpy with a - reference to RFC4949. 
-
- o Removed the KSK for high level zones consideration
-
- Applied some differentiation with respect of the use of a KSK for
- parent or trust-anchor relation http://www.nlnetlabs.nl/svn/
- rfc4641bis/trunk/open-issues/differentiation_trustanchor_parent
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 37]
-
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
- rollover_assumptions
-
- Added Section 4.2.4 as suggested by Jelte Jansen in http://
- www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
-
- Added Section 4.4.5 Issue identified by Antoin Verschuur http://
- www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
- non-cooperative-registrars
-
- In Appendix A: ZSK does not nescessarily sign the DNSKEY RRset.
-
- $Id: draft-ietf-dnsop-rfc4641bis-01.txt,v 1.1 2009/09/23 13:22:50 fdupont Exp $
-
-Authors' Addresses
-
- Olaf M. Kolkman
- NLnet Labs
- Kruislaan 419
- Amsterdam 1098 VA
- The Netherlands
-
- EMail: olaf@nlnetlabs.nl
- URI: http://www.nlnetlabs.nl
-
-
- Miek Gieben
-
-
- EMail: miek@miek.nl
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 38]
-
diff --git a/contrib/zkt/doc/rfc4641.txt b/contrib/zkt/doc/rfc4641.txt
deleted file mode 100644
index 0a013bcba5..0000000000
--- a/contrib/zkt/doc/rfc4641.txt
+++ /dev/null
@@ -1,1963 +0,0 @@
-
-
-
-
-
-
-Network Working Group O. Kolkman
-Request for Comments: 4641 R. Gieben
-Obsoletes: 2541 NLnet Labs
-Category: Informational September 2006
-
-
- DNSSEC Operational Practices
-
-Status of This Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes a set of practices for operating the DNS with
- security extensions (DNSSEC). The target audience is zone
- administrators deploying DNSSEC.
-
- The document discusses operational aspects of using keys and
- signatures in the DNS. It discusses issues of key generation, key
- storage, signature generation, key rollover, and related policies.
-
- This document obsoletes RFC 2541, as it covers more operational
- ground and gives more up-to-date requirements with respect to key
- sizes and the new DNSSEC specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 1]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 1.1. The Use of the Term 'key' ..................................4
- 1.2. Time Definitions ...........................................4
- 2. Keeping the Chain of Trust Intact ...............................5
- 3. Keys Generation and Storage .....................................6
- 3.1. Zone and Key Signing Keys ..................................6
- 3.1.1. Motivations for the KSK and ZSK Separation ..........6
- 3.1.2. KSKs for High-Level Zones ...........................7
- 3.2. Key Generation .............................................8
- 3.3. Key Effectivity Period .....................................8
- 3.4. Key Algorithm ..............................................9
- 3.5. Key Sizes ..................................................9
- 3.6. Private Key Storage .......................................11
- 4. Signature Generation, Key Rollover, and Related Policies .......12
- 4.1. Time in DNSSEC ............................................12
- 4.1.1. Time Considerations ................................12
- 4.2. Key Rollovers .............................................14
- 4.2.1. Zone Signing Key Rollovers .........................14
- 4.2.1.1. Pre-Publish Key Rollover ..................15
- 4.2.1.2. Double Signature Zone Signing Key
- Rollover ..................................17
- 4.2.1.3. Pros and Cons of the Schemes ..............18
- 4.2.2. Key Signing Key Rollovers ..........................18
- 4.2.3. Difference Between ZSK and KSK Rollovers ...........20
- 4.2.4. Automated Key Rollovers ............................21
- 4.3. Planning for Emergency Key Rollover .......................21
- 4.3.1. KSK Compromise .....................................22
- 4.3.1.1. Keeping the Chain of Trust Intact .........22
- 4.3.1.2. Breaking the Chain of Trust ...............23
- 4.3.2. ZSK Compromise .....................................23
- 4.3.3. Compromises of Keys Anchored in Resolvers ..........24
- 4.4. Parental Policies .........................................24
- 4.4.1. Initial Key Exchanges and Parental Policies
- Considerations .....................................24
- 4.4.2. Storing Keys or Hashes? ............................25
- 4.4.3. Security Lameness ..................................25
- 4.4.4. DS Signature Validity Period .......................26
- 5. Security Considerations ........................................26
- 6. Acknowledgments ................................................26
- 7. References .....................................................27
- 7.1. Normative References ......................................27
- 7.2. Informative References ....................................28
- Appendix A. Terminology ...........................................30
- Appendix B. Zone Signing Key Rollover How-To ......................31
- Appendix C. Typographic Conventions ...............................32
-
-
-
-
-Kolkman & Gieben Informational [Page 2]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-1. Introduction
-
- This document describes how to run a DNS Security (DNSSEC)-enabled
- environment. It is intended for operators who have knowledge of the
- DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
- See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the
- newly introduced Resource Records (RRs), and RFC 4035 [6] for the
- protocol changes.
-
- During workshops and early operational deployment tests, operators
- and system administrators have gained experience about operating the
- DNS with security extensions (DNSSEC). This document translates
- these experiences into a set of practices for zone administrators.
- At the time of writing, there exists very little experience with
- DNSSEC in production environments; this document should therefore
- explicitly not be seen as representing 'Best Current Practices'.
-
- The procedures herein are focused on the maintenance of signed zones
- (i.e., signing and publishing zones on authoritative servers). It is
- intended that maintenance of zones such as re-signing or key
- rollovers be transparent to any verifying clients on the Internet.
-
- The structure of this document is as follows. In Section 2, we
- discuss the importance of keeping the "chain of trust" intact.
- Aspects of key generation and storage of private keys are discussed
- in Section 3; the focus in this section is mainly on the private part
- of the key(s). Section 4 describes considerations concerning the
- public part of the keys. Since these public keys appear in the DNS
- one has to take into account all kinds of timing issues, which are
- discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
- rollover, or supercession, of keys. Finally, Section 4.4 discusses
- considerations on how parents deal with their children's public keys
- in order to maintain chains of trust.
-
- The typographic conventions used in this document are explained in
- Appendix C.
-
- Since this is a document with operational suggestions and there are
- no protocol specifications, the RFC 2119 [7] language does not apply.
-
- This document obsoletes RFC 2541 [12] to reflect the evolution of the
- underlying DNSSEC protocol since then. Changes in the choice of
- cryptographic algorithms, DNS record types and type names, and the
- parent-child key and signature exchange demanded a major rewrite and
- additional information and explanation.
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 3]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-1.1. The Use of the Term 'key'
-
- It is assumed that the reader is familiar with the concept of
- asymmetric keys on which DNSSEC is based (public key cryptography
- [17]). Therefore, this document will use the term 'key' rather
- loosely. Where it is written that 'a key is used to sign data' it is
- assumed that the reader understands that it is the private part of
- the key pair that is used for signing. It is also assumed that the
- reader understands that the public part of the key pair is published
- in the DNSKEY Resource Record and that it is the public part that is
- used in key exchanges.
-
-1.2. Time Definitions
-
- In this document, we will be using a number of time-related terms.
- The following definitions apply:
-
- o "Signature validity period" The period that a signature is valid.
- It starts at the time specified in the signature inception field
- of the RRSIG RR and ends at the time specified in the expiration
- field of the RRSIG RR.
-
- o "Signature publication period" Time after which a signature (made
- with a specific key) is replaced with a new signature (made with
- the same key). This replacement takes place by publishing the
- relevant RRSIG in the master zone file. After one stops
- publishing an RRSIG in a zone, it may take a while before the
- RRSIG has expired from caches and has actually been removed from
- the DNS.
-
- o "Key effectivity period" The period during which a key pair is
- expected to be effective. This period is defined as the time
- between the first inception time stamp and the last expiration
- date of any signature made with this key, regardless of any
- discontinuity in the use of the key. The key effectivity period
- can span multiple signature validity periods.
-
- o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
- value of the TTLs from the complete set of RRs in a zone. Note
- that the minimum TTL is not the same as the MINIMUM field in the
- SOA RR. See [11] for more information.
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 4]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-2. Keeping the Chain of Trust Intact
-
- Maintaining a valid chain of trust is important because broken chains
- of trust will result in data being marked as Bogus (as defined in [4]
- Section 5), which may cause entire (sub)domains to become invisible
- to verifying clients. The administrators of secured zones have to
- realize that their zone is, to verifying clients, part of a chain of
- trust.
-
- As mentioned in the introduction, the procedures herein are intended
- to ensure that maintenance of zones, such as re-signing or key
- rollovers, will be transparent to the verifying clients on the
- Internet.
-
- Administrators of secured zones will have to keep in mind that data
- published on an authoritative primary server will not be immediately
- seen by verifying clients; it may take some time for the data to be
- transferred to other secondary authoritative nameservers and clients
- may be fetching data from caching non-authoritative servers. In this
- light, note that the time for a zone transfer from master to slave is
- negligible when using NOTIFY [9] and incremental transfer (IXFR) [8].
- It increases when full zone transfers (AXFR) are used in combination
- with NOTIFY. It increases even more if you rely on full zone
- transfers based on only the SOA timing parameters for refresh.
-
- For the verifying clients, it is important that data from secured
- zones can be used to build chains of trust regardless of whether the
- data came directly from an authoritative server, a caching
- nameserver, or some middle box. Only by carefully using the
- available timing parameters can a zone administrator ensure that the
- data necessary for verification can be obtained.
-
- The responsibility for maintaining the chain of trust is shared by
- administrators of secured zones in the chain of trust. This is most
- obvious in the case of a 'key compromise' when a trade-off between
- maintaining a valid chain of trust and replacing the compromised keys
- as soon as possible must be made. Then zone administrators will have
- to make a trade-off, between keeping the chain of trust intact --
- thereby allowing for attacks with the compromised key -- or
- deliberately breaking the chain of trust and making secured
- subdomains invisible to security-aware resolvers. Also see Section
- 4.3.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 5]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-3. Keys Generation and Storage
-
- This section describes a number of considerations with respect to the
- security of keys. It deals with the generation, effectivity period,
- size, and storage of private keys.
-
-3.1. Zone and Key Signing Keys
-
- The DNSSEC validation protocol does not distinguish between different
- types of DNSKEYs. All DNSKEYs can be used during the validation. In
- practice, operators use Key Signing and Zone Signing Keys and use the
- so-called Secure Entry Point (SEP) [3] flag to distinguish between
- them during operations. The dynamics and considerations are
- discussed below.
-
- To make zone re-signing and key rollover procedures easier to
- implement, it is possible to use one or more keys as Key Signing Keys
- (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone.
- Other keys can be used to sign all the RRSets in a zone and are
- referred to as Zone Signing Keys (ZSKs). In this document, we assume
- that KSKs are the subset of keys that are used for key exchanges with
- the parent and potentially for configuration as trusted anchors --
- the SEP keys. In this document, we assume a one-to-one mapping
- between KSK and SEP keys and we assume the SEP flag to be set on all
- KSKs.
-
-3.1.1. Motivations for the KSK and ZSK Separation
-
- Differentiating between the KSK and ZSK functions has several
- advantages:
-
- o No parent/child interaction is required when ZSKs are updated.
-
- o The KSK can be made stronger (i.e., using more bits in the key
- material). This has little operational impact since it is only
- used to sign a small fraction of the zone data. Also, the KSK is
- only used to verify the zone's key set, not for other RRSets in
- the zone.
-
- o As the KSK is only used to sign a key set, which is most probably
- updated less frequently than other data in the zone, it can be
- stored separately from and in a safer location than the ZSK.
-
- o A KSK can have a longer key effectivity period.
-
- For almost any method of key management and zone signing, the KSK is
- used less frequently than the ZSK. Once a key set is signed with the
- KSK, all the keys in the key set can be used as ZSKs. If a ZSK is
-
-
-
-Kolkman & Gieben Informational [Page 6]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- compromised, it can be simply dropped from the key set. The new key
- set is then re-signed with the KSK.
-
- Given the assumption that for KSKs the SEP flag is set, the KSK can
- be distinguished from a ZSK by examining the flag field in the DNSKEY
- RR. If the flag field is an odd number it is a KSK. If it is an
- even number it is a ZSK.
-
- The Zone Signing Key can be used to sign all the data in a zone on a
- regular basis. When a Zone Signing Key is to be rolled, no
- interaction with the parent is needed. This allows for signature
- validity periods on the order of days.
-
- The Key Signing Key is only to be used to sign the DNSKEY RRs in a
- zone. If a Key Signing Key is to be rolled over, there will be
- interactions with parties other than the zone administrator. These
- can include the registry of the parent zone or administrators of
- verifying resolvers that have the particular key configured as secure
- entry points. Hence, the key effectivity period of these keys can
- and should be made much longer. Although, given a long enough key,
- the key effectivity period can be on the order of years, we suggest
- planning for a key effectivity on the order of a few months so that a
- key rollover remains an operational routine.
-
-3.1.2. KSKs for High-Level Zones
-
- Higher-level zones are generally more sensitive than lower-level
- zones. Anyone controlling or breaking the security of a zone thereby
- obtains authority over all of its subdomains (except in the case of
- resolvers that have locally configured the public key of a subdomain,
- in which case this, and only this, subdomain wouldn't be affected by
- the compromise of the parent zone). Therefore, extra care should be
- taken with high-level zones, and strong keys should be used.
-
- The root zone is the most critical of all zones. Someone controlling
- or compromising the security of the root zone would control the
- entire DNS namespace of all resolvers using that root zone (except in
- the case of resolvers that have locally configured the public key of
- a subdomain). Therefore, the utmost care must be taken in the
- securing of the root zone. The strongest and most carefully handled
- keys should be used. The root zone private key should always be kept
- off-line.
-
- Many resolvers will start at a root server for their access to and
- authentication of DNS data. Securely updating the trust anchors in
- an enormous population of resolvers around the world will be
- extremely difficult.
-
-
-
-
-Kolkman & Gieben Informational [Page 7]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-3.2. Key Generation
-
- Careful generation of all keys is a sometimes overlooked but
- absolutely essential element in any cryptographically secure system.
- The strongest algorithms used with the longest keys are still of no
- use if an adversary can guess enough to lower the size of the likely
- key space so that it can be exhaustively searched. Technical
- suggestions for the generation of random keys will be found in RFC
- 4086 [14]. One should carefully assess if the random number
- generator used during key generation adheres to these suggestions.
-
- Keys with a long effectivity period are particularly sensitive as
- they will represent a more valuable target and be subject to attack
- for a longer time than short-period keys. It is strongly recommended
- that long-term key generation occur off-line in a manner isolated
- from the network via an air gap or, at a minimum, high-level secure
- hardware.
-
-3.3. Key Effectivity Period
-
- For various reasons, keys in DNSSEC need to be changed once in a
- while. The longer a key is in use, the greater the probability that
- it will have been compromised through carelessness, accident,
- espionage, or cryptanalysis. Furthermore, when key rollovers are too
- rare an event, they will not become part of the operational habit and
- there is risk that nobody on-site will remember the procedure for
- rollover when the need is there.
-
- From a purely operational perspective, a reasonable key effectivity
- period for Key Signing Keys is 13 months, with the intent to replace
- them after 12 months. An intended key effectivity period of a month
- is reasonable for Zone Signing Keys.
-
- For key sizes that match these effectivity periods, see Section 3.5.
-
- As argued in Section 3.1.2, securely updating trust anchors will be
- extremely difficult. On the other hand, the "operational habit"
- argument does also apply to trust anchor reconfiguration. If a short
- key effectivity period is used and the trust anchor configuration has
- to be revisited on a regular basis, the odds that the configuration
- tends to be forgotten is smaller. The trade-off is against a system
- that is so dynamic that administrators of the validating clients will
- not be able to follow the modifications.
-
- Key effectivity periods can be made very short, as in a few minutes.
- But when replacing keys one has to take the considerations from
- Section 4.1 and Section 4.2 into account.
-
-
-
-
-Kolkman & Gieben Informational [Page 8]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-3.4. Key Algorithm
-
- There are currently three different types of algorithms that can be
- used in DNSSEC: RSA, DSA, and elliptic curve cryptography. The
- latter is fairly new and has yet to be standardized for usage in
- DNSSEC.
-
- RSA has been developed in an open and transparent manner. As the
- patent on RSA expired in 2000, its use is now also free.
-
- DSA has been developed by the National Institute of Standards and
- Technology (NIST). The creation of signatures takes roughly the same
- time as with RSA, but is 10 to 40 times as slow for verification
- [17].
-
- We suggest the use of RSA/SHA-1 as the preferred algorithm for the
- key. The current known attacks on RSA can be defeated by making your
- key longer. As the MD5 hashing algorithm is showing cracks, we
- recommend the usage of SHA-1.
-
- At the time of publication, it is known that the SHA-1 hash has
- cryptanalysis issues. There is work in progress on addressing these
- issues. We recommend the use of public key algorithms based on
- hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
- algorithms are available in protocol specifications (see [19] and
- [20]) and implementations.
-
-3.5. Key Sizes
-
- When choosing key sizes, zone administrators will need to take into
- account how long a key will be used, how much data will be signed
- during the key publication period (see Section 8.10 of [17]), and,
- optionally, how large the key size of the parent is. As the chain of
- trust really is "a chain", there is not much sense in making one of
- the keys in the chain several times larger then the others. As
- always, it's the weakest link that defines the strength of the entire
- chain. Also see Section 3.1.1 for a discussion of how keys serving
- different roles (ZSK vs. KSK) may need different key sizes.
-
- Generating a key of the correct size is a difficult problem; RFC 3766
- [13] tries to deal with that problem. The first part of the
- selection procedure in Section 1 of the RFC states:
-
- 1. Determine the attack resistance necessary to satisfy the
- security requirements of the application. Do this by
- estimating the minimum number of computer operations that the
- attacker will be forced to do in order to compromise the
-
-
-
-
-Kolkman & Gieben Informational [Page 9]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- security of the system and then take the logarithm base two of
- that number. Call that logarithm value "n".
-
- A 1996 report recommended 90 bits as a good all-around choice
- for system security. The 90 bit number should be increased by
- about 2/3 bit/year, or about 96 bits in 2005.
-
- [13] goes on to explain how this number "n" can be used to calculate
- the key sizes in public key cryptography. This culminated in the
- table given below (slightly modified for our purpose):
-
- +-------------+-----------+--------------+
- | System | | |
- | requirement | Symmetric | RSA or DSA |
- | for attack | key size | modulus size |
- | resistance | (bits) | (bits) |
- | (bits) | | |
- +-------------+-----------+--------------+
- | 70 | 70 | 947 |
- | 80 | 80 | 1228 |
- | 90 | 90 | 1553 |
- | 100 | 100 | 1926 |
- | 150 | 150 | 4575 |
- | 200 | 200 | 8719 |
- | 250 | 250 | 14596 |
- +-------------+-----------+--------------+
-
- The key sizes given are rather large. This is because these keys are
- resilient against a trillionaire attacker. Assuming this rich
- attacker will not attack your key and that the key is rolled over
- once a year, we come to the following recommendations about KSK
- sizes: 1024 bits for low-value domains, 1300 bits for medium-value
- domains, and 2048 bits for high-value domains.
-
- Whether a domain is of low, medium, or high value depends solely on
- the views of the zone owner. One could, for instance, view leaf
- nodes in the DNS as of low value, and top-level domains (TLDs) or the
- root zone of high value. The suggested key sizes should be safe for
- the next 5 years.
-
- As ZSKs can be rolled over more easily (and thus more often), the key
- sizes can be made smaller. But as said in the introduction of this
- paragraph, making the ZSKs' key sizes too small (in relation to the
- KSKs' sizes) doesn't make much sense. Try to limit the difference in
- size to about 100 bits.
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 10]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- Note that nobody can see into the future and that these key sizes are
- only provided here as a guide. Further information can be found in
- [16] and Section 7.5 of [17]. It should be noted though that [16] is
- already considered overly optimistic about what key sizes are
- considered safe.
-
- One final note concerning key sizes. Larger keys will increase the
- sizes of the RRSIG and DNSKEY records and will therefore increase the
- chance of DNS UDP packet overflow. Also, the time it takes to
- validate and create RRSIGs increases with larger keys, so don't
- needlessly double your key sizes.
-
-3.6. Private Key Storage
-
- It is recommended that, where possible, zone private keys and the
- zone file master copy that is to be signed be kept and used in off-
- line, non-network-connected, physically secure machines only.
- Periodically, an application can be run to add authentication to a
- zone by adding RRSIG and NSEC RRs. Then the augmented file can be
- transferred.
-
- When relying on dynamic update to manage a signed zone [10], be aware
- that at least one private key of the zone will have to reside on the
- master server. This key is only as secure as the amount of exposure
- the server receives to unknown clients and the security of the host.
- Although not mandatory, one could administer the DNS in the following
- way. The master that processes the dynamic updates is unavailable
- from generic hosts on the Internet, it is not listed in the NS RR
- set, although its name appears in the SOA RRs MNAME field. The
- nameservers in the NS RRSet are able to receive zone updates through
- NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This
- approach is known as the "hidden master" setup.
-
- The ideal situation is to have a one-way information flow to the
- network to avoid the possibility of tampering from the network.
- Keeping the zone master file on-line on the network and simply
- cycling it through an off-line signer does not do this. The on-line
- version could still be tampered with if the host it resides on is
- compromised. For maximum security, the master copy of the zone file
- should be off-net and should not be updated based on an unsecured
- network mediated communication.
-
- In general, keeping a zone file off-line will not be practical and
- the machines on which zone files are maintained will be connected to
- a network. Operators are advised to take security measures to shield
- unauthorized access to the master copy.
-
-
-
-
-
-Kolkman & Gieben Informational [Page 11]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- For dynamically updated secured zones [10], both the master copy and
- the private key that is used to update signatures on updated RRs will
- need to be on-line.
-
-4. Signature Generation, Key Rollover, and Related Policies
-
-4.1. Time in DNSSEC
-
- Without DNSSEC, all times in the DNS are relative. The SOA fields
- REFRESH, RETRY, and EXPIRATION are timers used to determine the time
- elapsed after a slave server synchronized with a master server. The
- Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
- are used to determine how long a forwarder should cache data after it
- has been fetched from an authoritative server. By using a signature
- validity period, DNSSEC introduces the notion of an absolute time in
- the DNS. Signatures in DNSSEC have an expiration date after which
- the signature is marked as invalid and the signed data is to be
- considered Bogus.
-
-4.1.1. Time Considerations
-
- Because of the expiration of signatures, one should consider the
- following:
-
- o We suggest the Maximum Zone TTL of your zone data to be a fraction
- of your signature validity period.
-
- If the TTL would be of similar order as the signature validity
- period, then all RRSets fetched during the validity period
- would be cached until the signature expiration time. Section
- 7.1 of [4] suggests that "the resolver may use the time
- remaining before expiration of the signature validity period of
- a signed RRSet as an upper bound for the TTL". As a result,
- query load on authoritative servers would peak at signature
- expiration time, as this is also the time at which records
- simultaneously expire from caches.
-
- To avoid query load peaks, we suggest the TTL on all the RRs in
- your zone to be at least a few times smaller than your
- signature validity period.
-
- o We suggest the signature publication period to end at least one
- Maximum Zone TTL duration before the end of the signature validity
- period.
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 12]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- Re-signing a zone shortly before the end of the signature
- validity period may cause simultaneous expiration of data from
- caches. This in turn may lead to peaks in the load on
- authoritative servers.
-
- o We suggest the Minimum Zone TTL to be long enough to both fetch
- and verify all the RRs in the trust chain. In workshop
- environments, it has been demonstrated [18] that a low TTL (under
- 5 to 10 minutes) caused disruptions because of the following two
- problems:
-
- 1. During validation, some data may expire before the
- validation is complete. The validator should be able to
- keep all data until it is completed. This applies to all
- RRs needed to complete the chain of trust: DSes, DNSKEYs,
- RRSIGs, and the final answers, i.e., the RRSet that is
- returned for the initial query.
-
- 2. Frequent verification causes load on recursive nameservers.
- Data at delegation points, DSes, DNSKEYs, and RRSIGs
- benefit from caching. The TTL on those should be
- relatively long.
-
- o Slave servers will need to be able to fetch newly signed zones
- well before the RRSIGs in the zone served by the slave server pass
- their signature expiration time.
-
- When a slave server is out of sync with its master and data in
- a zone is signed by expired signatures, it may be better for
- the slave server not to give out any answer.
-
- Normally, a slave server that is not able to contact a master
- server for an extended period will expire a zone. When that
- happens, the server will respond differently to queries for
- that zone. Some servers issue SERVFAIL, whereas others turn
- off the 'AA' bit in the answers. The time of expiration is set
- in the SOA record and is relative to the last successful
- refresh between the master and the slave servers. There exists
- no coupling between the signature expiration of RRSIGs in the
- zone and the expire parameter in the SOA.
-
- If the server serves a DNSSEC zone, then it may well happen
- that the signatures expire well before the SOA expiration timer
- counts down to zero. It is not possible to completely prevent
- this from happening by tweaking the SOA parameters. However,
- the effects can be minimized where the SOA expiration time is
- equal to or shorter than the signature validity period. The
- consequence of an authoritative server not being able to update
-
-
-
-Kolkman & Gieben Informational [Page 13]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- a zone, whilst that zone includes expired signatures, is that
- non-secure resolvers will continue to be able to resolve data
- served by the particular slave servers while security-aware
- resolvers will experience problems because of answers being
- marked as Bogus.
-
- We suggest the SOA expiration timer being approximately one
- third or one fourth of the signature validity period. It will
- allow problems with transfers from the master server to be
- noticed before the actual signature times out. We also suggest
- that operators of nameservers that supply secondary services
- develop 'watch dogs' to spot upcoming signature expirations in
- zones they slave, and take appropriate action.
-
- When determining the value for the expiration parameter one has
- to take the following into account: What are the chances that
- all my secondaries expire the zone? How quickly can I reach an
- administrator of secondary servers to load a valid zone? These
- questions are not DNSSEC specific but may influence the choice
- of your signature validity intervals.
-
-4.2. Key Rollovers
-
- A DNSSEC key cannot be used forever (see Section 3.3). So key
- rollovers -- or supercessions, as they are sometimes called -- are a
- fact of life when using DNSSEC. Zone administrators who are in the
- process of rolling their keys have to take into account that data
- published in previous versions of their zone still lives in caches.
- When deploying DNSSEC, this becomes an important consideration;
- ignoring data that may be in caches may lead to loss of service for
- clients.
-
- The most pressing example of this occurs when zone material signed
- with an old key is being validated by a resolver that does not have
- the old zone key cached. If the old key is no longer present in the
- current zone, this validation fails, marking the data "Bogus".
- Alternatively, an attempt could be made to validate data that is
- signed with a new key against an old key that lives in a local cache,
- also resulting in data being marked "Bogus".
-
-4.2.1. Zone Signing Key Rollovers
-
- For "Zone Signing Key rollovers", there are two ways to make sure
- that during the rollover data still cached can be verified with the
- new key sets or newly generated signatures can be verified with the
- keys still in caches. One schema, described in Section 4.2.1.2, uses
-
-
-
-
-
-Kolkman & Gieben Informational [Page 14]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- double signatures; the other uses key pre-publication (Section
- 4.2.1.1). The pros, cons, and recommendations are described in
- Section 4.2.1.3.
-
-4.2.1.1. Pre-Publish Key Rollover
-
- This section shows how to perform a ZSK rollover without the need to
- sign all the data in a zone twice -- the "pre-publish key rollover".
- This method has advantages in the case of a key compromise. If the
- old key is compromised, the new key has already been distributed in
- the DNS. The zone administrator is then able to quickly switch to
- the new key and remove the compromised key from the zone. Another
- major advantage is that the zone size does not double, as is the case
- with the double signature ZSK rollover. A small "how-to" for this
- kind of rollover can be found in Appendix B.
-
- Pre-publish key rollover involves four stages as follows:
-
- ----------------------------------------------------------------
- initial new DNSKEY new RRSIGs DNSKEY removal
- ----------------------------------------------------------------
- SOA0 SOA1 SOA2 SOA3
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
-
- DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
- ----------------------------------------------------------------
-
- Pre-Publish Key Rollover
-
- initial: Initial version of the zone: DNSKEY 1 is the Key Signing
- Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
- Signing Key.
-
- new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
- signatures are generated with this key yet, but this does not
- secure against brute force attacks on the public key. The minimum
- duration of this pre-roll phase is the time it takes for the data
- to propagate to the authoritative servers plus TTL value of the
- key set.
-
- new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
- used to sign the data in the zone exclusively (i.e., all the
- signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
- remains published in the key set. This way data that was loaded
-
-
-
-Kolkman & Gieben Informational [Page 15]
-
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- into caches from version 1 of the zone can still be verified with
- key sets fetched from version 2 of the zone. The minimum time
- that the key set including DNSKEY 10 is to be published is the
- time that it takes for zone data from the previous version of the
- zone to expire from old caches, i.e., the time it takes for this
- zone to propagate to all authoritative servers plus the Maximum
- Zone TTL value of any of the data in the previous version of the
- zone.
-
- DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now
- only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
- DNSKEY 1.
-
- The above scheme can be simplified by always publishing the "future"
- key immediately after the rollover.
The scheme would look as follows - (we show two rollovers); the future key is introduced in "new DNSKEY" - as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY - (II)": - - ---------------------------------------------------------------- - initial new RRSIGs new DNSKEY - ---------------------------------------------------------------- - SOA0 SOA1 SOA2 - RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2) - - DNSKEY1 DNSKEY1 DNSKEY1 - DNSKEY10 DNSKEY10 DNSKEY11 - DNSKEY11 DNSKEY11 DNSKEY12 - RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) - RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) - ---------------------------------------------------------------- - - ---------------------------------------------------------------- - new RRSIGs (II) new DNSKEY (II) - ---------------------------------------------------------------- - SOA3 SOA4 - RRSIG12(SOA3) RRSIG12(SOA4) - - DNSKEY1 DNSKEY1 - DNSKEY11 DNSKEY12 - DNSKEY12 DNSKEY13 - RRSIG1(DNSKEY) RRSIG1(DNSKEY) - RRSIG12(DNSKEY) RRSIG12(DNSKEY) - ---------------------------------------------------------------- - - Pre-Publish Key Rollover, Showing Two Rollovers - - - - - -Kolkman & Gieben Informational [Page 16] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - Note that the key introduced in the "new DNSKEY" phase is not used - for production yet; the private key can thus be stored in a - physically secure manner and does not need to be 'fetched' every time - a zone needs to be signed. - -4.2.1.2. Double Signature Zone Signing Key Rollover - - This section shows how to perform a ZSK key rollover using the double - zone data signature scheme, aptly named "double signature rollover". - - During the "new DNSKEY" stage the new version of the zone file will - need to propagate to all authoritative servers and the data that - exists in (distant) caches will need to expire, requiring at least - the Maximum Zone TTL. 
- - Double signature ZSK rollover involves three stages as follows: - - ---------------------------------------------------------------- - initial new DNSKEY DNSKEY removal - ---------------------------------------------------------------- - SOA0 SOA1 SOA2 - RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) - RRSIG11(SOA1) - - DNSKEY1 DNSKEY1 DNSKEY1 - DNSKEY10 DNSKEY10 DNSKEY11 - DNSKEY11 - RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) - RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) - RRSIG11(DNSKEY) - ---------------------------------------------------------------- - - Double Signature Zone Signing Key Rollover - - initial: Initial Version of the zone: DNSKEY 1 is the Key Signing - Key. DNSKEY 10 is used to sign all the data of the zone, the Zone - Signing Key. - - new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is - introduced into the key set and all the data in the zone is signed - with DNSKEY 10 and DNSKEY 11. The rollover period will need to - continue until all data from version 0 of the zone has expired - from remote caches. This will take at least the Maximum Zone TTL - of version 0 of the zone. - - DNSKEY removal: DNSKEY 10 is removed from the zone. All the - signatures from DNSKEY 10 are removed from the zone. The key set, - now only containing DNSKEY 11, is re-signed with DNSKEY 1. - - - -Kolkman & Gieben Informational [Page 17] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - At every instance, RRSIGs from the previous version of the zone can - be verified with the DNSKEY RRSet from the current version and the - other way around. The data from the current version can be verified - with the data from the previous version of the zone. The duration of - the "new DNSKEY" phase and the period between rollovers should be at - least the Maximum Zone TTL. - - Making sure that the "new DNSKEY" phase lasts until the signature - expiration time of the data in initial version of the zone is - recommended. 
This way all caches are cleared of the old signatures. - However, this duration could be considerably longer than the Maximum - Zone TTL, making the rollover a lengthy procedure. - - Note that in this example we assumed that the zone was not modified - during the rollover. New data can be introduced in the zone as long - as it is signed with both keys. - -4.2.1.3. Pros and Cons of the Schemes - - Pre-publish key rollover: This rollover does not involve signing the - zone data twice. Instead, before the actual rollover, the new key - is published in the key set and thus is available for - cryptanalysis attacks. A small disadvantage is that this process - requires four steps. Also the pre-publish scheme involves more - parental work when used for KSK rollovers as explained in Section - 4.2.3. - - Double signature ZSK rollover: The drawback of this signing scheme is - that during the rollover the number of signatures in your zone - doubles; this may be prohibitive if you have very big zones. An - advantage is that it only requires three steps. - -4.2.2. Key Signing Key Rollovers - - For the rollover of a Key Signing Key, the same considerations as for - the rollover of a Zone Signing Key apply. However, we can use a - double signature scheme to guarantee that old data (only the apex key - set) in caches can be verified with a new key set and vice versa. - Since only the key set is signed with a KSK, zone size considerations - do not apply. 
- - - - - - - - - - - -Kolkman & Gieben Informational [Page 18] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - -------------------------------------------------------------------- - initial new DNSKEY DS change DNSKEY removal - -------------------------------------------------------------------- - Parent: - SOA0 --------> SOA1 --------> - RRSIGpar(SOA0) --------> RRSIGpar(SOA1) --------> - DS1 --------> DS2 --------> - RRSIGpar(DS) --------> RRSIGpar(DS) --------> - - - Child: - SOA0 SOA1 --------> SOA2 - RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2) - --------> - DNSKEY1 DNSKEY1 --------> DNSKEY2 - DNSKEY2 --------> - DNSKEY10 DNSKEY10 --------> DNSKEY10 - RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY) - RRSIG2 (DNSKEY) --------> - RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) - -------------------------------------------------------------------- - - Stages of Deployment for a Double Signature Key Signing Key Rollover - - initial: Initial version of the zone. The parental DS points to - DNSKEY1. Before the rollover starts, the child will have to - verify what the TTL is of the DS RR that points to DNSKEY1 -- it - is needed during the rollover and we refer to the value as TTL_DS. - - new DNSKEY: During the "new DNSKEY" phase, the zone administrator - generates a second KSK, DNSKEY2. The key is provided to the - parent, and the child will have to wait until a new DS RR has been - generated that points to DNSKEY2. After that DS RR has been - published on all servers authoritative for the parent's zone, the - zone administrator has to wait at least TTL_DS to make sure that - the old DS RR has expired from caches. - - DS change: The parent replaces DS1 with DS2. - - DNSKEY removal: DNSKEY1 has been removed. - - The scenario above puts the responsibility for maintaining a valid - chain of trust with the child. It also is based on the premise that - the parent only has one DS RR (per algorithm) per zone. 
An - alternative mechanism has been considered. Using an established - trust relation, the interaction can be performed in-band, and the - removal of the keys by the child can possibly be signaled by the - parent. In this mechanism, there are periods where there are two DS - - - -Kolkman & Gieben Informational [Page 19] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - RRs at the parent. Since at the moment of writing the protocol for - this interaction has not been developed, further discussion is out of - scope for this document. - -4.2.3. Difference Between ZSK and KSK Rollovers - - Note that KSK rollovers and ZSK rollovers are different in the sense - that a KSK rollover requires interaction with the parent (and - possibly replacing of trust anchors) and the ensuing delay while - waiting for it. - - A zone key rollover can be handled in two different ways: pre-publish - (Section 4.2.1.1) and double signature (Section 4.2.1.2). - - As the KSK is used to validate the key set and because the KSK is not - changed during a ZSK rollover, a cache is able to validate the new - key set of the zone. The pre-publish method would also work for a - KSK rollover. The records that are to be pre-published are the - parental DS RRs. The pre-publish method has some drawbacks for KSKs. - We first describe the rollover scheme and then indicate these - drawbacks. 
- - -------------------------------------------------------------------- - initial new DS new DNSKEY DS/DNSKEY removal - -------------------------------------------------------------------- - Parent: - SOA0 SOA1 --------> SOA2 - RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2) - DS1 DS1 --------> DS2 - DS2 --------> - RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS) - - - Child: - SOA0 --------> SOA1 SOA1 - RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1) - --------> - DNSKEY1 --------> DNSKEY2 DNSKEY2 - --------> - DNSKEY10 --------> DNSKEY10 DNSKEY10 - RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY) - RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY) - -------------------------------------------------------------------- - - Stages of Deployment for a Pre-Publish Key Signing Key Rollover - - - - - - -Kolkman & Gieben Informational [Page 20] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - When the child zone wants to roll, it notifies the parent during the - "new DS" phase and submits the new key (or the corresponding DS) to - the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1 - and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase), - which can take place as soon as the new DS set propagated through the - DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that - ("DS/DNSKEY removal" phase), it can notify the parent that the old DS - record can be deleted. - - The drawbacks of this scheme are that during the "new DS" phase the - parent cannot verify the match between the DS2 RR and DNSKEY2 using - the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a - "security lame" key (see Section 4.4.3). Finally, the child-parent - interaction consists of two steps. The "double signature" method - only needs one interaction. - -4.2.4. Automated Key Rollovers - - As keys must be renewed periodically, there is some motivation to - automate the rollover process. 
Consider the following: - - o ZSK rollovers are easy to automate as only the child zone is - involved. - - o A KSK rollover needs interaction between parent and child. Data - exchange is needed to provide the new keys to the parent; - consequently, this data must be authenticated and integrity must - be guaranteed in order to avoid attacks on the rollover. - -4.3. Planning for Emergency Key Rollover - - This section deals with preparation for a possible key compromise. - Our advice is to have a documented procedure ready for when a key - compromise is suspected or confirmed. - - When the private material of one of your keys is compromised it can - be used for as long as a valid trust chain exists. A trust chain - remains intact for - - o as long as a signature over the compromised key in the trust chain - is valid, - - o as long as a parental DS RR (and signature) points to the - compromised key, - - o as long as the key is anchored in a resolver and is used as a - starting point for validation (this is generally the hardest to - update). - - - -Kolkman & Gieben Informational [Page 21] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - While a trust chain to your compromised key exists, your namespace is - vulnerable to abuse by anyone who has obtained illegitimate - possession of the key. Zone operators have to make a trade-off if - the abuse of the compromised key is worse than having data in caches - that cannot be validated. If the zone operator chooses to break the - trust chain to the compromised key, data in caches signed with this - key cannot be validated. However, if the zone administrator chooses - to take the path of a regular rollover, the malicious key holder can - spoof data so that it appears to be valid. - -4.3.1. KSK Compromise - - A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable - as long as the compromised KSK is configured as trust anchor or a - parental DS points to it. 
- - A compromised KSK can be used to sign the key set of an attacker's - zone. That zone could be used to poison the DNS. - - Therefore, when the KSK has been compromised, the trust anchor or the - parental DS should be replaced as soon as possible. It is local - policy whether to break the trust chain during the emergency - rollover. The trust chain would be broken when the compromised KSK - is removed from the child's zone while the parent still has a DS - pointing to the compromised KSK (the assumption is that there is only - one DS at the parent. If there are multiple DSes this does not apply - -- however the chain of trust of this particular key is broken). - - Note that an attacker's zone still uses the compromised KSK and the - presence of a parental DS would cause the data in this zone to appear - as valid. Removing the compromised key would cause the attacker's - zone to appear as valid and the child's zone as Bogus. Therefore, we - advise not to remove the KSK before the parent has a DS to a new KSK - in place. - -4.3.1.1. Keeping the Chain of Trust Intact - - If we follow this advice, the timing of the replacement of the KSK is - somewhat critical. The goal is to remove the compromised KSK as soon - as the new DS RR is available at the parent. And also make sure that - the signature made with a new KSK over the key set with the - compromised KSK in it expires just after the new DS appears at the - parent, thus removing the old cruft in one swoop. - - The procedure is as follows: - - 1. Introduce a new KSK into the key set, keep the compromised KSK in - the key set. - - - -Kolkman & Gieben Informational [Page 22] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - 2. Sign the key set, with a short validity period. The validity - period should expire shortly after the DS is expected to appear - in the parent and the old DSes have expired from caches. - - 3. Upload the DS for this new key to the parent. - - 4. 
Follow the procedure of the regular KSK rollover: Wait for the DS - to appear in the authoritative servers and then wait as long as - the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet - and modify/extend the expiration time. - - 5. Remove the compromised DNSKEY RR from the zone and re-sign the - key set using your "normal" validity interval. - - An additional danger of a key compromise is that the compromised key - could be used to facilitate a legitimate DNSKEY/DS rollover and/or - nameserver changes at the parent. When that happens, the domain may - be in dispute. An authenticated out-of-band and secure notify - mechanism to contact a parent is needed in this case. - - Note that this is only a problem when the DNSKEY and or DS records - are used for authentication at the parent. - -4.3.1.2. Breaking the Chain of Trust - - There are two methods to break the chain of trust. The first method - causes the child zone to appear 'Bogus' to validating resolvers. The - other causes the child zone to appear 'insecure'. These are - described below. - - In the method that causes the child zone to appear 'Bogus' to - validating resolvers, the child zone replaces the current KSK with a - new one and re-signs the key set. Next it sends the DS of the new - key to the parent. Only after the parent has placed the new DS in - the zone is the child's chain of trust repaired. - - An alternative method of breaking the chain of trust is by removing - the DS RRs from the parent zone altogether. As a result, the child - zone would become insecure. - -4.3.2. ZSK Compromise - - Primarily because there is no parental interaction required when a - ZSK is compromised, the situation is less severe than with a KSK - compromise. The zone must still be re-signed with a new ZSK as soon - as possible. As this is a local operation and requires no - communication between the parent and child, this can be achieved - fairly quickly. 
However, one has to take into account that just as - - - -Kolkman & Gieben Informational [Page 23] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - with a normal rollover the immediate disappearance of the old - compromised key may lead to verification problems. Also note that as - long as the RRSIG over the compromised ZSK is not expired the zone - may be still at risk. - -4.3.3. Compromises of Keys Anchored in Resolvers - - A key can also be pre-configured in resolvers. For instance, if - DNSSEC is successfully deployed the root key may be pre-configured in - most security aware resolvers. - - If trust-anchor keys are compromised, the resolvers using these keys - should be notified of this fact. Zone administrators may consider - setting up a mailing list to communicate the fact that a SEP key is - about to be rolled over. This communication will of course need to - be authenticated, e.g., by using digital signatures. - - End-users faced with the task of updating an anchored key should - always validate the new key. New keys should be authenticated out- - of-band, for example, through the use of an announcement website that - is secured using secure sockets (TLS) [21]. - -4.4. Parental Policies - -4.4.1. Initial Key Exchanges and Parental Policies Considerations - - The initial key exchange is always subject to the policies set by the - parent. When designing a key exchange policy one should take into - account that the authentication and authorization mechanisms used - during a key exchange should be as strong as the authentication and - authorization mechanisms used for the exchange of delegation - information between parent and child. That is, there is no implicit - need in DNSSEC to make the authentication process stronger than it - was in DNS. - - Using the DNS itself as the source for the actual DNSKEY material, - with an out-of-band check on the validity of the DNSKEY, has the - benefit that it reduces the chances of user error. 
A DNSKEY query - tool can make use of the SEP bit [3] to select the proper key from a - DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is - sent. It can validate the self-signature over a key; thereby - verifying the ownership of the private key material. Fetching the - DNSKEY from the DNS ensures that the chain of trust remains intact - once the parent publishes the DS RR indicating the child is secure. - - Note: the out-of-band verification is still needed when the key - material is fetched via the DNS. The parent can never be sure - whether or not the DNSKEY RRs have been spoofed. - - - -Kolkman & Gieben Informational [Page 24] - -RFC 4641 DNSSEC Operational Practices September 2006 - - -4.4.2. Storing Keys or Hashes? - - When designing a registry system one should consider which of the - DNSKEYs and/or the corresponding DSes to store. Since a child zone - might wish to have a DS published using a message digest algorithm - not yet understood by the registry, the registry can't count on being - able to generate the DS record from a raw DNSKEY. Thus, we recommend - that registry systems at least support storing DS records. - - It may also be useful to store DNSKEYs, since having them may help - during troubleshooting and, as long as the child's chosen message - digest is supported, the overhead of generating DS records from them - is minimal. Having an out-of-band mechanism, such as a registry - directory (e.g., Whois), to find out which keys are used to generate - DS Resource Records for specific owners and/or zones may also help - with troubleshooting. - - The storage considerations also relate to the design of the customer - interface and the method by which data is transferred between - registrant and registry; Will the child zone administrator be able to - upload DS RRs with unknown hash algorithms or does the interface only - allow DNSKEYs? 
In the registry-registrar model, one can use the - DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15], - which allows transfer of DS RRs and optionally DNSKEY RRs. - -4.4.3. Security Lameness - - Security lameness is defined as what happens when a parent has a DS - RR pointing to a non-existing DNSKEY RR. When this happens, the - child's zone may be marked "Bogus" by verifying DNS clients. - - As part of a comprehensive delegation check, the parent could, at key - exchange time, verify that the child's key is actually configured in - the DNS. However, if a parent does not understand the hashing - algorithm used by child, the parental checks are limited to only - comparing the key id. - - Child zones should be very careful in removing DNSKEY material, - specifically SEP keys, for which a DS RR exists. - - Once a zone is "security lame", a fix (e.g., removing a DS RR) will - take time to propagate through the DNS. - - - - - - - - - -Kolkman & Gieben Informational [Page 25] - -RFC 4641 DNSSEC Operational Practices September 2006 - - -4.4.4. DS Signature Validity Period - - Since the DS can be replayed as long as it has a valid signature, a - short signature validity period over the DS minimizes the time a - child is vulnerable in the case of a compromise of the child's - KSK(s). A signature validity period that is too short introduces the - possibility that a zone is marked "Bogus" in case of a configuration - error in the signer. There may not be enough time to fix the - problems before signatures expire. Something as mundane as operator - unavailability during weekends shows the need for DS signature - validity periods longer than 2 days. We recommend an absolute - minimum for a DS signature validity period of a few days. - - The maximum signature validity period of the DS record depends on how - long child zones are willing to be vulnerable after a key compromise. 
- On the other hand, shortening the DS signature validity interval - increases the operational risk for the parent. Therefore, the parent - may have policy to use a signature validity interval that is - considerably longer than the child would hope for. - - A compromise between the operational constraints of the parent and - minimizing damage for the child may result in a DS signature validity - period somewhere between a week and months. - - In addition to the signature validity period, which sets a lower - bound on the number of times the zone owner will need to sign the - zone data and which sets an upper bound to the time a child is - vulnerable after key compromise, there is the TTL value on the DS - RRs. Shortening the TTL means that the authoritative servers will - see more queries. But on the other hand, a short TTL lowers the - persistence of DS RRSets in caches thereby increasing the speed with - which updated DS RRSets propagate through the DNS. - -5. Security Considerations - - DNSSEC adds data integrity to the DNS. This document tries to assess - the operational considerations to maintain a stable and secure DNSSEC - service. Not taking into account the 'data propagation' properties - in the DNS will cause validation failures and may make secured zones - unavailable to security-aware resolvers. - -6. Acknowledgments - - Most of the ideas in this document were the result of collective - efforts during workshops, discussions, and tryouts. - - At the risk of forgetting individuals who were the original - contributors of the ideas, we would like to acknowledge people who - - - -Kolkman & Gieben Informational [Page 26] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - were actively involved in the compilation of this document. 
In - random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael - Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette - Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger - Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch. - - Some material in this document has been copied from RFC 2541 [12]. - - Mike StJohns designed the key exchange between parent and child - mentioned in the last paragraph of Section 4.2.2 - - Section 4.2.4 was supplied by G. Guette and O. Courtay. - - Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of - the spelling and style issues. - - Kolkman and Gieben take the blame for introducing all miscakes (sic). - - While working on this document, Kolkman was employed by the RIPE NCC - and Gieben was employed by NLnet Labs. - -7. References - -7.1. Normative References - - [1] Mockapetris, P., "Domain names - concepts and facilities", STD - 13, RFC 1034, November 1987. - - [2] Mockapetris, P., "Domain names - implementation and - specification", STD 13, RFC 1035, November 1987. - - [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System - KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) - Flag", RFC 3757, May 2004. - - [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, - "DNS Security Introduction and Requirements", RFC 4033, March - 2005. - - [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, - "Resource Records for the DNS Security Extensions", RFC 4034, - March 2005. - - [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, - "Protocol Modifications for the DNS Security Extensions", RFC - 4035, March 2005. - - - - - -Kolkman & Gieben Informational [Page 27] - -RFC 4641 DNSSEC Operational Practices September 2006 - - -7.2. Informative References - - [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997. 
- - [8] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August - 1996. - - [9] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes - (DNS NOTIFY)", RFC 1996, August 1996. - - [10] Wellington, B., "Secure Domain Name System (DNS) Dynamic - Update", RFC 3007, November 2000. - - [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", - RFC 2308, March 1998. - - [12] Eastlake, D., "DNS Security Operational Considerations", RFC - 2541, March 1999. - - [13] Orman, H. and P. Hoffman, "Determining Strengths For Public - Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, - April 2004. - - [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness - Requirements for Security", BCP 106, RFC 4086, June 2005. - - [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions - Mapping for the Extensible Provisioning Protocol (EPP)", RFC - 4310, December 2005. - - [16] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key - Sizes", The Journal of Cryptology 14 (255-293), 2001. - - [17] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and - Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN - (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc., - 1996. - - [18] Rose, S., "NIST DNSSEC workshop notes", June 2001. - - [19] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource - Records in DNSSEC", Work in Progress, January 2006. - - [20] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) - Resource Records (RRs)", RFC 4509, May 2006. - - - - - -Kolkman & Gieben Informational [Page 28] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - [21] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and - T. Wright, "Transport Layer Security (TLS) Extensions", RFC - 4366, April 2006. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Kolkman & Gieben Informational [Page 29] - -RFC 4641 DNSSEC Operational Practices September 2006 - - -Appendix A. Terminology - - In this document, there is some jargon used that is defined in other - documents. In most cases, we have not copied the text from the - documents defining the terms but have given a more elaborate - explanation of the meaning. Note that these explanations should not - be seen as authoritative. - - Anchored key: A DNSKEY configured in resolvers around the globe. - This key is hard to update, hence the term anchored. - - Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked - "Bogus" when a signature of an RRSet does not validate against a - DNSKEY. - - Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used - exclusively for signing the apex key set. The fact that a key is - a KSK is only relevant to the signing tool. - - Key size: The term 'key size' can be substituted by 'modulus size' - throughout the document. It is mathematically more correct to use - modulus size, but as this is a document directed at operators we - feel more at ease with the term key size. - - Private and public keys: DNSSEC secures the DNS through the use of - public key cryptography. Public key cryptography is based on the - existence of two (mathematically related) keys, a public key and a - private key. The public keys are published in the DNS by use of - the DNSKEY Resource Record (DNSKEY RR). Private keys should - remain private. - - Key rollover: A key rollover (also called key supercession in some - environments) is the act of replacing one key pair with another at - the end of a key effectivity period. - - Secure Entry Point (SEP) key: A KSK that has a parental DS record - pointing to it or is configured as a trust anchor. Although not - required by the protocol, we recommend that the SEP flag [3] is - set on these keys. 
- - Self-signature: This only applies to signatures over DNSKEYs; a - signature made with DNSKEY x, over DNSKEY x is called a self- - signature. Note: without further information, self-signatures - convey no trust. They are useful to check the authenticity of the - DNSKEY, i.e., they can be used as a hash. - - - - - - -Kolkman & Gieben Informational [Page 30] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - Singing the zone file: The term used for the event where an - administrator joyfully signs its zone file while producing melodic - sound patterns. - - Signer: The system that has access to the private key material and - signs the Resource Record sets in a zone. A signer may be - configured to sign only parts of the zone, e.g., only those RRSets - for which existing signatures are about to expire. - - Zone Signing Key (ZSK): A key that is used for signing all data in a - zone. The fact that a key is a ZSK is only relevant to the - signing tool. - - Zone administrator: The 'role' that is responsible for signing a zone - and publishing it on the primary authoritative server. - -Appendix B. Zone Signing Key Rollover How-To - - Using the pre-published signature scheme and the most conservative - method to assure oneself that data does not live in caches, here - follows the "how-to". - - Step 0: The preparation: Create two keys and publish both in your key - set. Mark one of the keys "active" and the other "published". - Use the "active" key for signing your zone data. Store the - private part of the "published" key, preferably off-line. The - protocol does not provide for attributes to mark a key as active - or published. This is something you have to do on your own, - through the use of a notebook or key management tool. - - Step 1: Determine expiration: At the beginning of the rollover make a - note of the highest expiration time of signatures in your zone - file created with the current key marked as active. 
Wait until - the expiration time marked in Step 1 has passed. - - Step 2: Then start using the key that was marked "published" to sign - your data (i.e., mark it "active"). Stop using the key that was - marked "active"; mark it "rolled". - - Step 3: It is safe to engage in a new rollover (Step 1) after at - least one signature validity period. - - - - - - - - - - -Kolkman & Gieben Informational [Page 31] - -RFC 4641 DNSSEC Operational Practices September 2006 - - -Appendix C. Typographic Conventions - - The following typographic conventions are used in this document: - - Key notation: A key is denoted by DNSKEYx, where x is a number or an - identifier, x could be thought of as the key id. - - RRSet notations: RRs are only denoted by the type. All other - information -- owner, class, rdata, and TTL--is left out. Thus: - "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a - list of RRs. A example of this would be "A1, A2", specifying the - RRSet containing two "A" records. This could again be abbreviated to - just "A". - - Signature notation: Signatures are denoted as RRSIGx(RRSet), which - means that RRSet is signed with DNSKEYx. - - Zone representation: Using the above notation we have simplified the - representation of a signed zone by leaving out all unnecessary - details such as the names and by representing all data by "SOAx" - - SOA representation: SOAs are represented as SOAx, where x is the - serial number. - - Using this notation the following signed zone: - - example.net. 86400 IN SOA ns.example.net. bert.example.net. ( - 2006022100 ; serial - 86400 ; refresh ( 24 hours) - 7200 ; retry ( 2 hours) - 3600000 ; expire (1000 hours) - 28800 ) ; minimum ( 8 hours) - 86400 RRSIG SOA 5 2 86400 20130522213204 ( - 20130422213204 14 example.net. - cmL62SI6iAX46xGNQAdQ... ) - 86400 NS a.iana-servers.net. - 86400 NS b.iana-servers.net. - 86400 RRSIG NS 5 2 86400 20130507213204 ( - 20130407213204 14 example.net. - SO5epiJei19AjXoUpFnQ ... 
) - 86400 DNSKEY 256 3 5 ( - EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14 - 86400 DNSKEY 257 3 5 ( - gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15 - 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( - 20130422213204 14 example.net. - J4zCe8QX4tXVGjV4e1r9... ) - - - - -Kolkman & Gieben Informational [Page 32] - -RFC 4641 DNSSEC Operational Practices September 2006 - - - 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( - 20130422213204 15 example.net. - keVDCOpsSeDReyV6O... ) - 86400 RRSIG NSEC 5 2 86400 20130507213204 ( - 20130407213204 14 example.net. - obj3HEp1GjnmhRjX... ) - a.example.net. 86400 IN TXT "A label" - 86400 RRSIG TXT 5 3 86400 20130507213204 ( - 20130407213204 14 example.net. - IkDMlRdYLmXH7QJnuF3v... ) - 86400 NSEC b.example.com. TXT RRSIG NSEC - 86400 RRSIG NSEC 5 3 86400 20130507213204 ( - 20130407213204 14 example.net. - bZMjoZ3bHjnEz0nIsPMM... ) - ... - - is reduced to the following representation: - - SOA2006022100 - RRSIG14(SOA2006022100) - DNSKEY14 - DNSKEY15 - - RRSIG14(KEY) - RRSIG15(KEY) - - The rest of the zone data has the same signature as the SOA record, - i.e., an RRSIG created with DNSKEY 14. - - - - - - - - - - - - - - - - - - - - - - - -Kolkman & Gieben Informational [Page 33] - -RFC 4641 DNSSEC Operational Practices September 2006 - - -Authors' Addresses - - Olaf M. Kolkman - NLnet Labs - Kruislaan 419 - Amsterdam 1098 VA - The Netherlands - - EMail: olaf@nlnetlabs.nl - URI: http://www.nlnetlabs.nl - - - R. (Miek) Gieben - - EMail: miek@miek.nl - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Kolkman & Gieben Informational [Page 34] - -RFC 4641 DNSSEC Operational Practices September 2006 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2006). - - This document is subject to the rights, licenses and restrictions - contained in BCP 78, and except as set forth therein, the authors - retain all their rights. 
- - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS - OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, - INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE - INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Intellectual Property - - The IETF takes no position regarding the validity or scope of any - Intellectual Property Rights or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; nor does it represent that it has - made any independent effort to identify any such rights. Information - on the procedures with respect to rights in RFC documents can be - found in BCP 78 and BCP 79. - - Copies of IPR disclosures made to the IETF Secretariat and any - assurances of licenses to be made available, or the result of an - attempt made to obtain a general license or permission for the use of - such proprietary rights by implementers or users of this - specification can be obtained from the IETF on-line IPR repository at - http://www.ietf.org/ipr. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights that may cover technology that may be required to implement - this standard. Please address the information to the IETF at - ietf-ipr@ietf.org. - -Acknowledgement - - Funding for the RFC Editor function is provided by the IETF - Administrative Support Activity (IASA). - - - - - - - -Kolkman & Gieben Informational [Page 35] - diff --git a/contrib/zkt/domaincmp.c b/contrib/zkt/domaincmp.c index 7d2486fe10..a410db72f7 100644 --- a/contrib/zkt/domaincmp.c 
+++ b/contrib/zkt/domaincmp.c @@ -3,6 +3,7 @@ ** @(#) domaincmp.c -- compare two domain names ** ** Copyright (c) Aug 2005, Karle Boss, Holger Zuleger (kaho). +** isparentdomain() (c) Mar 2010 by Holger Zuleger ** All rights reserved. ** ** This software is open source. @@ -55,13 +56,31 @@ ** thus domaincmp ("z.example.net", "example.net") return < 0 !! *****************************************************************/ int domaincmp (const char *a, const char *b) +{ + return domaincmp_dir (a, b, 1); +} + +/***************************************************************** +** int domaincmp_dir (a, b, subdomain_above) +** compare a and b as fqdns. +** return <0 | 0 | >0 as in strcmp +** A subdomain is less than the corresponding parent domain, +** thus domaincmp ("z.example.net", "example.net") return < 0 !! +*****************************************************************/ +int domaincmp_dir (const char *a, const char *b, int subdomain_above) { register const char *pa; register const char *pb; + int dir; if ( a == NULL ) return -1; if ( b == NULL ) return 1; + if ( subdomain_above ) + dir = 1; + else + dir = -1; + if ( *a == '.' ) /* skip a leading dot */ a++; if ( *b == '.' ) /* same at the other string */ @@ -97,12 +116,12 @@ int domaincmp (const char *a, const char *b) { if ( pa > a ) if ( pa[-1] == '.' ) - return -1; + return -1 * dir; else goto_labelstart (a, pa); else if ( pb > b ) if ( pb[-1] == '.' ) - return 1; + return 1 * dir; else goto_labelstart (b, pb); else 
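Review bot: The header comment added for `domaincmp_dir` is a copy of the one for `domaincmp` and never mentions `subdomain_above`; its statement that a subdomain compares less than its parent only holds when the flag is non-zero. Only the two subdomain/parent returns (`return -1 * dir;` and `return 1 * dir;` in the `@@ -97,12 +116,12 @@` hunk) change sign, while the NULL-argument returns and the per-label comparison keep theirs, so the flag is not a general reverse ordering and the comment should say so. I would add a line such as `** subdomain_above != 0: a subdomain sorts before its parent (as domaincmp does); == 0: after it`. The function body continues outside these two hunks.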
@@ -116,6 +135,130 @@ int domaincmp (const char *a, const char *b) return *pa - *pb; } +/***************************************************************** +** +** int issubdomain ("child", "parent") +** +** "child" and "parent" are standardized domain names in such +** a way that even both domain names are ending with a dot, +** or none of them. +** +** returns 1 if "child" is a subdomain of "parent" +** returns 0 if "child" is not a subdomain of "parent" +** +*****************************************************************/ +int issubdomain (const char *child, const char *parent) +{ + const char *p; + const char *cdot; + const char *pdot; + int ccnt; + int pcnt; + + if ( !child || !parent || *child == '\0' || *parent == '\0' ) + return 0; + + pdot = cdot = NULL; + pcnt = 0; + for ( p = parent; *p; p++ ) + if ( *p == '.' ) + { + if ( pcnt == 0 ) + pdot = p; + pcnt++; + } + + ccnt = 0; + for ( p = child; *p; p++ ) + if ( *p == '.' ) + { + if ( ccnt == 0 ) + cdot = p; + ccnt++; + } + if ( ccnt == 0 ) /* child is not a fqdn or is not deep enough ? */ + return 0; + if ( pcnt == 0 ) /* parent is not a fqdn ? */ + return 0; + + if ( pcnt >= ccnt ) /* parent has more levels than child ? */ + return 0; + + /* is child a (one level) subdomain of parent ? */ + if ( strcmp (cdot+1, parent) == 0 ) /* the domains are equal ? */ + return 1; + + return 0; +} + +/***************************************************************** +** +** int isparentdomain ("child", "parent", level) +** +** "child" and "parent" are standardized domain names in such +** a way that even both domain names are ending with a dot, +** or none of them. 
+** +** returns 1 if "child" is a subdomain of "parent" +** returns 0 if "child" is not a subdomain of "parent" +** returns -1 if "child" and "parent" are the same domain +** +*****************************************************************/ +int isparentdomain (const char *child, const char *parent, int level) +{ + const char *p; + const char *cdot; + const char *pdot; + int ccnt; + int pcnt; + + if ( !child || !parent || *child == '\0' || *parent == '\0' ) + return 0; + + pdot = cdot = NULL; + pcnt = 0; + for ( p = parent; *p; p++ ) + if ( *p == '.' ) + { + if ( pcnt == 0 ) + pdot = p; + pcnt++; + } + + ccnt = 0; + for ( p = child; *p; p++ ) + if ( *p == '.' ) + { + if ( ccnt == 0 ) + cdot = p; + ccnt++; + } + if ( ccnt == 0 || ccnt < level ) /* child is not a fqdn or is not deep enough ? */ + return 0; + if ( pcnt == 0 ) /* parent is not a fqdn ? */ + return 0; + + if ( pcnt > ccnt ) /* parent has more levels than child ? */ + return 0; + + if ( pcnt == ccnt ) /* both are at the same level ? */ + { + /* let's check the domain part */ + if ( strcmp (cdot, pdot) == 0 ) /* the domains are equal ? */ + return -1; + return 0; + } + + if ( pcnt > ccnt ) /* parent has more levels than child ? */ + return 0; + + /* is child a (one level) subdomain of parent ? */ + if ( strcmp (cdot+1, parent) == 0 ) /* the domains are equal ? */ + return 1; + + return 0; +} + #ifdef DOMAINCMP_TEST static struct { char *a; @@ -150,6 +293,8 @@ static struct { { "example.de.", "xy.example.de.", 1 }, { "example.de.", "ab.example.de.", 1 }, { "example.de", "ab.example.de", 1 }, + { "xy.example.de.", "example.de.", -1 }, + { "ab.example.de.", "example.de.", -1 }, { "ab.example.de", "example.de", -1 }, { "ab.mast.de", "axt.de", 1 }, { "ab.mast.de", "obt.de", -1 }, 
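Review bot: In `isparentdomain`, the equal-depth branch compares `cdot` with `pdot`, i.e. only the text from the first dot onward, so two sibling names such as `a.example.net` and `b.example.net` (constructed example) return -1 although the header comment reserves -1 for "the same domain"; if equality is what is meant, the check should be `if ( strcmp (child, parent) == 0 )`. The second `if ( pcnt > ccnt )` after that branch can never be true, and `level` is only used as a minimum dot count, which the comment does not explain. In both new functions the final `strcmp (cdot+1, parent)` matches direct children only, so the comments should say "direct (one level) subdomain" rather than "subdomain", and `pdot` in `issubdomain` is set but never read. Callers are not visible here, but any that use these results to decide which zone is the parent of another would inherit the sibling mismatch.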
@@ -177,7 +322,9 @@ main (int argc, char *argv[]) c = '>'; else c = '='; - printf ("%-20s %-20s ==> %c 0 ", ex[i].a, ex[i].b, c); + printf ("%-20s %-20s ", ex[i].a, ex[i].b); + printf ("%3d ", issubdomain (ex[i].a, ex[i].b)); + printf ("\t==> 0 %c ", c); fflush (stdout); res = domaincmp (ex[i].a, ex[i].b); printf ("%3d ", res); diff --git a/contrib/zkt/domaincmp.h b/contrib/zkt/domaincmp.h index 7051f54a53..8c065602a1 100644 --- a/contrib/zkt/domaincmp.h +++ b/contrib/zkt/domaincmp.h @@ -37,4 +37,7 @@ #ifndef DOMAINCMP_H # define DOMAINCMP_H extern int domaincmp (const char *a, const char *b); +extern int domaincmp_dir (const char *a, const char *b, int subdomain_above); +extern int isparentdomain (const char *child, const char *parent, int level); +extern int issubdomain (const char *child, const char *parent); #endif diff --git a/contrib/zkt/examples/flat/dnssec.conf b/contrib/zkt/examples/dnssec.conf similarity index 51% rename from contrib/zkt/examples/flat/dnssec.conf rename to contrib/zkt/examples/dnssec.conf index 80b411ff3f..861e8f0bd2 100644 --- a/contrib/zkt/examples/flat/dnssec.conf +++ b/contrib/zkt/examples/dnssec.conf 
@@ -1,43 +1,41 @@ # -# @(#) dnssec.conf vT0.99a (c) Feb 2005 - Jul 2009 Holger Zuleger hznet.de +# @(#) dnssec.conf vT0.99d (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de # # dnssec-zkt options Zonedir: "." -Recursive: True -PrintTime: False -PrintAge: True +Recursive: False +PrintTime: True +PrintAge: False LeftJustify: False # zone specific values -ResignInterval: 2d # (172800 seconds) -Sigvalidity: 6d # (518400 seconds) +ResignInterval: 1w # (604800 seconds) +Sigvalidity: 10d # (864000 seconds) Max_TTL: 8h # (28800 seconds) Propagation: 5m # (300 seconds) -KEY_TTL: 1h # (3600 seconds) +KEY_TTL: 4h # (14400 seconds) Serialformat: incremental # signing key parameters Key_algo: RSASHA1 # (Algorithm ID 5) -KSK_lifetime: 60d # (5184000 seconds) +KSK_lifetime: 1y # (31536000 seconds) KSK_bits: 1300 KSK_randfile: "/dev/urandom" -ZSK_lifetime: 2w # (1209600 seconds) +ZSK_lifetime: 12w # (7257600 seconds) ZSK_bits: 512 ZSK_randfile: "/dev/urandom" SaltBits: 24 # dnssec-signer options -LogFile: "zkt.log" -LogLevel: DEBUG -SyslogFacility: USER +LogFile: "" +LogLevel: ERROR +SyslogFacility: NONE SyslogLevel: NOTICE -VerboseLog: 2 +VerboseLog: 0 Keyfile: "dnskey.db" Zonefile: "zone.db" -KeySetDir: "../keysets" DLV_Domain: "" -Sig_Pseudorand: True +Sig_Pseudorand: False Sig_GenerateDS: True -Sig_Parameter: "-n 1" -Distribute_Cmd: "./dist.sh" +Sig_Parameter: "" diff --git a/contrib/zkt/examples/flat/dist.sh b/contrib/zkt/examples/flat/dist.sh deleted file mode 100755 index e2131ee96f..0000000000 --- a/contrib/zkt/examples/flat/dist.sh +++ /dev/null 
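Review bot: The example keeps `ZSK_bits: 512` with `Key_algo: RSASHA1` while this hunk raises `ZSK_lifetime` from 2w to 12w and `Sigvalidity` from 6d to 10d, so a zone signing key of a size that is practical to factor stays in use six times longer. Because example files tend to be copied into real deployments, I would raise the sample value, e.g. `ZSK_bits: 1024` or larger, and add a comment that the sizes shown are for demonstration only. The hunk also sets `LogFile: ""`, `LogLevel: ERROR` and `SyslogFacility: NONE`, which presumably leaves key generation and re-signing events unrecorded; a comment such as `# logging disabled in this example; enable file or syslog logging to keep a record of key rollovers` would make that choice explicit.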
@@ -1,70 +0,0 @@ -################################################################# -# -# @(#) dist.sh -- distribute and reload command for dnssec-signer -# -# (c) Jul 2008 Holger Zuleger hznet.de -# -# This shell script will be run by dnssec-signer as a distribution -# and reload command if: -# -# a) the dnssec.conf file parameter Distribute_Cmd: points -# to this file -# and -# b) the user running the dnssec-signer command is not -# root (uid==0) -# and -# c) the owner of this shell script is the same as the -# running user and the access rights don't allow writing -# for anyone except the owner -# or -# d) the group of this shell script is the same as the -# running user and the access rights don't allow writing -# for anyone except the group -# -################################################################# - -# set path to rndc and scp -PATH="/bin:/usr/bin:/usr/local/sbin" - -# remote server and directory -server=localhost # fqdn of remote name server -dir=/var/named # zone directory on remote name server - -progname=$0 -usage() -{ - echo "usage: $progname distribute|reload []" 1>&2 - test $# -gt 0 && echo $* 1>&2 - exit 1 -} - -if test $# -lt 3 -then - usage -fi -action="$1" -domain="$2" -zonefile="$3" -view="" -test $# -gt 3 && view="$4" - -case $action in -distribute) - if test -n "$view" - then - echo "scp $zonefile $server:$dir/$view/$domain/" - : scp $zonefile $server:$dir/$view/$domain/ - else - echo "scp $zonefile $server:$dir/$domain/" - : scp $zonefile $server:$dir/$domain/ - fi - ;; -reload) - echo "rndc $action $domain $view" - : rndc $action $domain $view - ;; -*) - usage "illegal action $action" - ;; -esac - diff --git a/contrib/zkt/examples/flat/dnssec-signer.sh b/contrib/zkt/examples/flat/dnssec-signer.sh deleted file mode 100755 index 435909dce1..0000000000 --- a/contrib/zkt/examples/flat/dnssec-signer.sh +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/bin/sh -# -# Shell script to start the dnssec-signer -# command out of the example directory -# - -chroot `pwd` ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@" - -if test ! -f dnssec.conf -then - echo Please start this skript out of the flat or hierarchical sub directory - exit 1 -fi -ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@" diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key deleted file mode 100644 index 6a64c44d04..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20080609224426 -;% lifetime=60d -dyn.example.net. IN DNSKEY 257 3 3 CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+VNGd4RjwWpEDj8RhEAhQ7 LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+AB KLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOf Ny/jtz4v+asIr6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i4RBVWgHH JMmtyqq+SqEkPhZvsTuo2sXgIH9vRS3XgfkGtw/KyTUM29bhZ2eB+Ldq +bggp1gbBDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjAolJwCtaPCD4e 4infmw+YSxjGau+YGgI0Cc0uItzQmNNpSoejM3IWGV+SN/YuPJIzw8wi xDfO6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOTdQjsJWLLdLTApVEH 10kjAGfa30Tm92lQhhG5ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1 diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private deleted file mode 100644 index 4f7ec3daf2..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private +++ /dev/null 
@@ -1,7 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 3 (DSA) -Prime(p): 4bble5+VNGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asIr6/d992V80G9wMKMvTM= -Subprime(q): 20V1WtRQn0w8PLMag+b61IpSCdc= -Base(g): EKAq+EqfbNibm1u/YuEQVVoBxyTJrcqqvkqhJD4Wb7E7qNrF4CB/b0Ut14H5BrcPysk1DNvW4Wdngfi3avm4IKdYGwQ4krMWT48XIosyP5gs11m6vAXX2ei7HXTIwKJScArWjwg+HuIp35sPmEsYxmrvmBoCNAnNLiLc0JjTaUo= -Private_value(x): xY/GSk3U4oHIsvUiAs/9/n+6ttk= -Public_value(y): h6MzchYZX5I39i48kjPDzCLEN87qQI2I+xbjkW+rfXXjxwC9S/CKpg9Dd84145N1COwlYst0tMClUQfXSSMAZ9rfROb3aVCGEbmi9atYIxsWXDgtu+Wif5faydY8263RrU/PhZ1yUNyY1Tx3GLWUW8ZtwnQTioGglUEjMOHgdfU= diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.depreciated b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.depreciated deleted file mode 100644 index 3692946b73..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.depreciated +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: 1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7wBS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ== -PublicExponent: AQAAAAE= -PrivateExponent: dAiTob6wk4h5l6frfh49NAzd3RBsVRxqqCsMao52fJvlK06wmOb9PkqOaEMTDroJEGgN6zD/sWcGPK7nYwDMHQ== -Prime1: 731n5xPK9UQqQsQtattcC4MxtL6+OP1CyLy8e2tsd/8= -Prime2: 5NwPUBy32o2zzpw4TDH3omB6yk0fmFItJx4ek3RaBYs= -Exponent1: jzq6en2c8SwS5uQwY3/vFY549HMSTxP58kyS/GJ9hqE= -Exponent2: y52KLCquniy3EwUypKRkPZPftjBoqZkXeQLXSk4b850= -Coefficient: vHnxG4D4n+IKETXrutOFT+iREDDcfj6GpYubIP/goZc= diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.key deleted file mode 100644 index d129398073..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.key +++ /dev/null 
@@ -1,3 +0,0 @@ -;% generationtime=20080609224426 -;% lifetime=14d -dyn.example.net. IN DNSKEY 256 3 5 BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7w BS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ== diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.key deleted file mode 100644 index 7213f337c3..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081216133142 -;% lifetime=14d -dyn.example.net. IN DNSKEY 256 3 5 BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6q Exelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw== diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.private b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.private deleted file mode 100644 index e54285047d..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: 4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6qExelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw== -PublicExponent: AQAAAAE= -PrivateExponent: sW8IqcOjr/1xymzxbq91KQiCxBY/8nDvDO/m4Re6aTrTXr450nw8eBZZQuOnHsSEyc4YA8Gs8AwxO1IGAyjHYQ== -Prime1: 94n25jivIMy9SIV890Kp6CIGfeG/6g9eBFG+igw5JPM= -Prime2: 6qYnXtPI7mxsinhBVf+/2Ncv+V48/790y+jUhJXFGXE= -Exponent1: 4uCtm1fxo8apOydY+plF8duFa4BQq2rZkG4XCKQFpo0= -Exponent2: DBPT/6Xc9NryN5/MaOWZhmEWha//SPrGIHrcOwRhE8E= -Coefficient: tmkhFA718p1qDTkmOa2MqYox+Cz1LsuNCraAK0srL1U= diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key new file mode 100644 index 0000000000..159bc8d727 --- /dev/null +++ b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key 
@@ -0,0 +1,3 @@ +;% generationtime=20100221184315 +;% lifetime=14d +dyn.example.net. IN DNSKEY 256 3 7 AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8Ris63E/oRRGQEH5U/ZS3A xz3aOhPFKzAAhjfaG3vTNW3Wl4bl4ITFZrk= diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private new file mode 100644 index 0000000000..515232c301 --- /dev/null +++ b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: +obStv0Rqv4+/vEGD2Vz1zMX7ZhRrxGKzrcT+hFEZAQflT9lLcDHPdo6E8UrMACGN9obe9M1bdaXhuXghMVmuQ== +PublicExponent: AQAB +PrivateExponent: 4osOepin5GdakfFkGIIWWZCDX7/whY4oZjtZnjUFEiZ6YGdQV8FwihgQ9ZdQwTY2QgaCiI/7l0yFE3X2YOk5HQ== +Prime1: /eFIXmTu+XNTuXVfHYcXJTFc4UaThJszaKPmg/xm3ts= +Prime2: /J5fOUcGkFGv4prHDAmige180r7zaYznUicuDvNwkvs= +Exponent1: Alf7EAwEfL8IzdR8jUw69XfwMJAzOm0oW1XwAdXpqTM= +Exponent2: FBUbCNimou57hw466LATZTTWCYL4otl6wkMvHC0qM+U= +Coefficient: Q9eSjjf/S3Is3mcOn2RsloJKVzLuHiv54HaF7mwkbU4= diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key new file mode 100644 index 0000000000..258429038c --- /dev/null +++ b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key @@ -0,0 +1,3 @@ +;% generationtime=20100221184315 +;% lifetime=60d +dyn.example.net. IN DNSKEY 257 3 7 AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmOoBYx8s1uLzmS/3APsh1e WCeoBgAjRry1tpM/bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjEnG4H CT58TuAVxjiefN+vb1pvyFlAL58YOkuGf9tG/NJMNc+XrULAU1ey2dT9 Fh+SCVO3 diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private new file mode 100644 index 0000000000..795110fe56 --- /dev/null 
+++ b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: 6oQNiADmWezVWwwmJl9NYwSC5qZ5WY6gFjHyzW4vOZL/cA+yHV5YJ6gGACNGvLW2kz9s+jDK7KATgfQunM1Aub1FuMOakM3wbCLcCMScbgcJPnxO4BXGOJ58369vWm/IWUAvnxg6S4Z/20b80kw1z5etQsBTV7LZ1P0WH5IJU7c= +PublicExponent: AQAB +PrivateExponent: F5/Z5RuCGQj8rUFaDn+HQjRQI4AdtWHiypmZhgxVgY1HYjiSjtbUNpp8kEL9e0Eq9UZsaf/EUXYGwQ6iK3WZ0WrVP72bkjcWQAB2THYIxP7DwmL4JcsbJ7uiMYeLrvUddoLwS3nKIFpc010iHA0y4hE/k/ny4zOyDCEhVr3WvQE= +Prime1: /R+fSD2bb3N6UoapSNFXYRFyBpHWtcv/AZqsJx60/4UTGOCWNj52kcGsI/ROz/Pwbdicxi8CQqjX0f4QjSCAdw== +Prime2: 7S5MPtJNSa+fHZBavW6vDnqpiHxAO7lIAcgtGxMM3L3553OzarlJV88Z452tn4HhfCCaIUW20j8cOJvTLkPWwQ== +Exponent1: 9v56YPWszM40GH9KhMGxsAhj6cE5cGBEz33saqfuGj/yaJ4ONZQyAvynStZEaWsxux5ZrJGGdSFop4JxCCUk9Q== +Exponent2: W8dembCnV6wt1jLV6he6hc/Rao8qC/JWetoLGj706zZYTcfn1ZR9XQ02521MkjygFHhJLDbd192z/fPOdEisAQ== +Coefficient: +W6uvg4HkWaKi6OCpCz/0fRQwaRtPSbpKJ2Anam4PAy+B6cgM3Yo48OB7o+WoexlgySsNL0ui5p4BvJWvtca7w== diff --git a/contrib/zkt/examples/flat/dyn.example.net/dnskey.db b/contrib/zkt/examples/flat/dyn.example.net/dnskey.db deleted file mode 100644 index e05508e7bb..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/dnskey.db +++ /dev/null 
@@ -1,35 +0,0 @@ -; -; !!! Don't edit this file by hand. -; !!! It will be generated by dnssec-signer. -; -; Last generation time Dec 18 2008 01:03:01 -; - -; *** List of Key Signing Keys *** -; dyn.example.net. tag=42138 algo=DSA generated Aug 05 2008 23:01:57 -dyn.example.net. 3600 IN DNSKEY 257 3 3 ( - CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+VNGd4RjwWpEDj8RhEAhQ7 - LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+AB - KLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOf - Ny/jtz4v+asIr6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i4RBVWgHH - JMmtyqq+SqEkPhZvsTuo2sXgIH9vRS3XgfkGtw/KyTUM29bhZ2eB+Ldq - +bggp1gbBDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjAolJwCtaPCD4e - 4infmw+YSxjGau+YGgI0Cc0uItzQmNNpSoejM3IWGV+SN/YuPJIzw8wi - xDfO6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOTdQjsJWLLdLTApVEH - 10kjAGfa30Tm92lQhhG5ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd - clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1 - ) ; key id = 42138 - -; *** List of Zone Signing Keys *** -; dyn.example.net. tag=1355 algo=RSASHA1 generated Aug 05 2008 23:01:57 -dyn.example.net. 3600 IN DNSKEY 256 3 5 ( - BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7w - BS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ== - ) ; key id = 1355 - -; dyn.example.net. tag=10643 algo=RSASHA1 generated Dec 16 2008 14:31:42 -dyn.example.net. 3600 IN DNSKEY 256 3 5 ( - BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6q - Exelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw== - ) ; key id = 10643 - diff --git a/contrib/zkt/examples/flat/dyn.example.net/dnssec.conf b/contrib/zkt/examples/flat/dyn.example.net/dnssec.conf deleted file mode 100644 index 0998fda2ba..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/dnssec.conf +++ /dev/null @@ -1,5 +0,0 @@ -# signing key parameters -KSK_lifetime: 60d # (5184000 seconds) -KSK_algo: DSA -KSK_bits: 1024 -KSK_randfile: "/dev/urandom" 
diff --git a/contrib/zkt/examples/flat/dyn.example.net/dsset-dyn.example.net. b/contrib/zkt/examples/flat/dyn.example.net/dsset-dyn.example.net. deleted file mode 100644 index f94666a617..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/dsset-dyn.example.net. +++ /dev/null @@ -1,2 +0,0 @@ -dyn.example.net. IN DS 42138 3 1 0F49FCDB683D1903F69B6779DB55CA3472974879 -dyn.example.net. IN DS 42138 3 2 94AC94BFE3AFA17F7485F5F741274074FF2E26A360D776D8884F2689 CCED34C6 diff --git a/contrib/zkt/examples/flat/dyn.example.net/keyset-dyn.example.net. b/contrib/zkt/examples/flat/dyn.example.net/keyset-dyn.example.net. deleted file mode 100644 index 002217b0dc..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/keyset-dyn.example.net. +++ /dev/null @@ -1,18 +0,0 @@ -$ORIGIN . -dyn.example.net 7200 IN DNSKEY 257 3 3 ( - CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V - NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K - S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s - m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA - EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI - r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i - 4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v - RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb - BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA - olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u - ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO - 6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT - dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5 - ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd - clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1 - ) ; key id = 42138 diff --git a/contrib/zkt/examples/flat/dyn.example.net/zktlog-dyn.example.net. b/contrib/zkt/examples/flat/dyn.example.net/zktlog-dyn.example.net. new file mode 100644 index 0000000000..24643defaf --- /dev/null +++ b/contrib/zkt/examples/flat/dyn.example.net/zktlog-dyn.example.net. 
@@ -0,0 +1,161 @@
+2010-02-21 19:43:15.018: debug: Check RFC5011 status
+2010-02-21 19:43:15.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:43:15.018: debug: Check KSK status
+2010-02-21 19:43:15.018: debug: No active KSK found: generate new one
+2010-02-21 19:43:15.330: info: "dyn.example.net.": generated new KSK 52935
+2010-02-21 19:43:15.330: debug: Check ZSK status
+2010-02-21 19:43:15.330: debug: No active ZSK found: generate new one
+2010-02-21 19:43:15.368: info: "dyn.example.net.": generated new ZSK 30323
+2010-02-21 19:43:15.368: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 19:43:15.368: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 19:43:15.368: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:43:15.368: debug: Signing zone "dyn.example.net."
+2010-02-21 19:43:15.368: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:43:15.368: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:43:15.368: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:43:15.374: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:43:15.374: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:43:15.382: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3."
+2010-02-21 19:43:15.382: error: "dyn.example.net.": signing failed!
+2010-02-21 19:43:15.382: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:43:15.382: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:43:15.382: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:45:36.415: debug: Check RFC5011 status
+2010-02-21 19:45:36.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:45:36.416: debug: Check KSK status
+2010-02-21 19:45:36.416: debug: Check ZSK status
+2010-02-21 19:45:36.416: debug: Re-signing not necessary!
+2010-02-21 19:45:36.416: debug: Check if there is a parent file to copy
+2010-02-21 19:45:41.448: debug: Check RFC5011 status
+2010-02-21 19:45:41.448: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:45:41.448: debug: Check KSK status
+2010-02-21 19:45:41.448: debug: Check ZSK status
+2010-02-21 19:45:41.448: debug: Re-signing necessary: Option -f
+2010-02-21 19:45:41.448: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:45:41.448: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:45:41.448: debug: Signing zone "dyn.example.net."
+2010-02-21 19:45:41.448: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:45:41.448: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:45:41.448: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:45:41.457: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:45:41.458: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:45:41.473: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
+2010-02-21 19:45:41.473: error: "dyn.example.net.": signing failed!
+2010-02-21 19:45:41.473: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:45:41.473: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:45:41.473: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:47:06.899: debug: Check RFC5011 status
+2010-02-21 19:47:06.899: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:47:06.899: debug: Check KSK status
+2010-02-21 19:47:06.899: debug: Check ZSK status
+2010-02-21 19:47:06.899: debug: Re-signing necessary: Option -f
+2010-02-21 19:47:06.899: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:47:06.899: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:47:06.900: debug: Signing zone "dyn.example.net."
+2010-02-21 19:47:06.900: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:47:06.900: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:47:06.900: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:47:06.910: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:47:06.910: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:47:06.926: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
+2010-02-21 19:47:06.926: error: "dyn.example.net.": signing failed!
+2010-02-21 19:47:06.926: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:47:06.926: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:47:06.926: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:58:40.972: debug: Check RFC5011 status
+2010-02-21 19:58:40.972: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:58:40.972: debug: Check KSK status
+2010-02-21 19:58:40.972: debug: Check ZSK status
+2010-02-21 19:58:40.973: debug: Re-signing necessary: Option -f
+2010-02-21 19:58:40.973: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:58:40.973: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:58:40.973: debug: Signing zone "dyn.example.net."
+2010-02-21 19:58:40.973: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:58:40.973: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:58:40.973: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:58:40.982: debug: Dynamic Zone signing: zone file manually edited: Use it as new input file
+2010-02-21 19:58:40.982: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:58:40.983: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:58:40.999: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
+2010-02-21 19:58:40.999: error: "dyn.example.net.": signing failed!
+2010-02-21 19:58:40.999: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:58:40.999: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:58:40.999: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:00:48.833: debug: Check RFC5011 status
+2010-02-21 20:00:48.833: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:00:48.833: debug: Check KSK status
+2010-02-21 20:00:48.833: debug: Check ZSK status
+2010-02-21 20:00:48.833: debug: Re-signing necessary: Option -f
+2010-02-21 20:00:48.833: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 20:00:48.833: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 20:00:48.834: debug: Signing zone "dyn.example.net."
+2010-02-21 20:00:48.834: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 20:00:48.834: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 20:00:48.834: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 20:00:48.844: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 20:00:48.844: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 20:00:48.878: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-21 20:00:48.878: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 20:00:48.878: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 20:00:48.878: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:00:48.884: debug: Signing completed after 0s.
+2010-02-21 20:01:11.175: debug: Check RFC5011 status
+2010-02-21 20:01:11.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:01:11.175: debug: Check KSK status
+2010-02-21 20:01:11.175: debug: Check ZSK status
+2010-02-21 20:01:11.176: debug: Re-signing necessary: Option -f
+2010-02-21 20:01:11.176: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 20:01:11.176: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 20:01:11.176: debug: Signing zone "dyn.example.net."
+2010-02-21 20:01:11.176: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 20:01:11.176: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 20:01:11.176: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 20:01:11.181: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 20:01:11.181: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 20:01:11.202: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-21 20:01:11.202: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 20:01:11.203: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 20:01:11.203: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:01:11.208: debug: Signing completed after 0s.
+2010-02-21 20:01:17.175: debug: Check RFC5011 status
+2010-02-21 20:01:17.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:01:17.175: debug: Check KSK status
+2010-02-21 20:01:17.175: debug: Check ZSK status
+2010-02-21 20:01:17.176: debug: Re-signing not necessary!
+2010-02-21 20:01:17.176: debug: Check if there is a parent file to copy
+2010-02-25 23:42:29.326: debug: Check RFC5011 status
+2010-02-25 23:42:29.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:29.326: debug: Check KSK status
+2010-02-25 23:42:29.326: debug: Check ZSK status
+2010-02-25 23:42:29.326: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-02-25 23:42:29.326: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-02-25 23:42:29.326: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-25 23:42:29.327: debug: Signing zone "dyn.example.net."
+2010-02-25 23:42:29.327: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-25 23:42:29.327: debug: freeze dynamic zone "dyn.example.net."
+2010-02-25 23:42:29.327: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-25 23:42:29.388: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-25 23:42:29.425: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-25 23:42:29.471: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-25 23:42:29.471: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-25 23:42:29.471: debug: thaw dynamic zone "dyn.example.net."
+2010-02-25 23:42:29.471: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-25 23:42:29.486: debug: Signing completed after 0s.
+2010-03-02 10:59:46.770: debug: Check RFC5011 status
+2010-03-02 10:59:46.770: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:46.770: debug: Check KSK status
+2010-03-02 10:59:46.770: debug: Check ZSK status
+2010-03-02 10:59:46.770: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-03-02 10:59:46.770: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-03-02 10:59:46.770: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-03-02 10:59:46.770: debug: Signing zone "dyn.example.net."
+2010-03-02 10:59:46.770: notice: "dyn.example.net.": freeze dynamic zone
+2010-03-02 10:59:46.770: debug: freeze dynamic zone "dyn.example.net."
+2010-03-02 10:59:46.770: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-03-02 10:59:46.852: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-03-02 10:59:46.875: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-03-02 10:59:46.950: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-03-02 10:59:46.950: notice: "dyn.example.net.": thaw dynamic zone
+2010-03-02 10:59:46.950: debug: thaw dynamic zone "dyn.example.net."
+2010-03-02 10:59:46.950: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-03-02 10:59:46.964: debug: Signing completed after 0s.
diff --git a/contrib/zkt/examples/flat/dyn.example.net/zone.db b/contrib/zkt/examples/flat/dyn.example.net/zone.db
deleted file mode 100644
index 8ed11a4ba7..0000000000
--- a/contrib/zkt/examples/flat/dyn.example.net/zone.db
+++ /dev/null
@@ -1,115 +0,0 @@ -; File written on Tue Dec 16 14:31:43 2008 -; dnssec_signzone version 9.6.0rc1 -dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( - 9 ; serial - 43200 ; refresh (12 hours) - 1800 ; retry (30 minutes) - 1209600 ; expire (2 weeks) - 7200 ; minimum (2 hours) - ) - 7200 RRSIG SOA 5 3 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - G4QPBPbeEnPfKggesblu+QPI6rlt8gOaqnJB - k/98pbkDxhgLmpPP9RdjD3bftSFRgOdPGN1Y - xE4AxSdo4AR5NA== ) - 7200 NS ns1.example.net. - 7200 NS ns2.example.net. - 7200 RRSIG NS 5 3 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - le7/8D28Oia0Ai/aSZsno5TILSCaPKNnuauM - MGEGfCixiCXFIOCuND54qMpUR3wNEnTkHkyl - OBYt6dGy5pH0dw== ) - 7200 NSEC localhost.dyn.example.net. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 5 3 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - ovWzUD/vXa15hxBDTtMKP4TcJEpG3RX+2CrZ - ztcRdF9uy3JXI3+dEgmB+cPaDVW1AiNIrIYF - 3MRaCHa4jhJISw== ) -$INCLUDE dnskey.db - 3600 RRSIG DNSKEY 3 3 3600 20081222123143 ( - 20081216123143 42138 dyn.example.net. - CL4xO8K27EV8Aq25hhFsk7Q5uL7sGO0HnsBH - tr6Iomd+JCqxBGvZSBg= ) - 3600 RRSIG DNSKEY 5 3 3600 20081222123143 ( - 20081216123143 1355 dyn.example.net. - DkobINneyOshuB+T7nfnGx/O7JvEBRPT/svs - ysxDmzZ8CaPF04lskwrLPFcRfMhrGX2JFYjE - uIWUFMbDBVHilA== ) -localhost.dyn.example.net. 7200 IN A 127.0.0.1 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - HDt+/eQ8d52VglJFPDwO3W7Gez2TUbvdz8Gk - SVDqIjHSTvJWN3L0vnBdHXOYUT8WLIMtQXXm - Y+JU8nNWxrD8yQ== ) - 7200 NSEC ns1.dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - d+CMf40oITbKKIV2AE3JTmGKtxb1RJPEEm2p - z8RHSPFrdcC9ieJrdZIx1+Uxs5PjNbZcjdft - oiLcZ/pr+2QXew== ) -ns1.dyn.example.net. 7200 IN A 1.0.0.5 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. 
- p99aPrpCC+FU8uRCJuRCo4aibhuFelbDXR1q - 9WRVJBJiDV4FO6EH/tCBAUQmNT0fh+mERKNd - 39Qjr5mH5gFcQw== ) - 7200 AAAA 2001:db8::53 - 7200 RRSIG AAAA 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - ajT50HHhQUY5mD8SH1nPd+mf4HosL1lVvDVN - HTnpoqCjG0guDuRk/BCLTBj1MPcPDYlkdDcd - Rpv5xbYbYNu5qQ== ) - 7200 NSEC ns2.dyn.example.net. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - lQESBjK8+FQmGgndAMbPvQ2WMomT3sa1ozPQ - /7ykGFFgM3YeUyA2h0AlUWHatLNDvMy2HeaM - C1ozcV9M/iHR0A== ) -ns2.dyn.example.net. 7200 IN A 1.2.0.6 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - OrkPhnVeL0kTY6hJzrBgXy1NGeiQQR+5ykSh - qFOOwR1C0YiBWGF3kkLE0ZAZ7XD+CPxc6Z/H - WL/+o/AVAtWrtg== ) - 7200 NSEC x.dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - ZE+qfvafm4vmGkkpcI1Z1ND2doEwnGELDiYQ - SpNu3bWTHDO6B8vHql1QayGPLzDH8licFAXL - FdyUOVHrXZMZNw== ) -x.dyn.example.net. 7200 IN A 1.2.3.4 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - kYuQrOUinJDCsIGlv+qAPROyDOP6vCI11Us4 - V0c6HK18FaaNE0BeivHAMN9QkliHF9GjYVm2 - JbklfT3DUMSuIA== ) - 7200 NSEC y.dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - AR2flkOCH0YPbmTGxPj4v8Ug/L2dasQElmZW - +NZK4vlyxwtGFowBDtcjiD10defZNP3Wuzus - YjuVA5JpZpTW8A== ) -y.dyn.example.net. 7200 IN A 1.2.3.5 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - HYDO2JtuRZWZ+XyDj7GZOlC3b2Y2rozEzzEf - OC/CChOsplwm1MDx+5nXPHM8wcIUUofrlq+b - lRLJfqwLt9erxg== ) - 7200 NSEC z.dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - mtz25BnhPmwYaHG2DLth2f3XTUeAMFDnmXby - /kUWbflanujxvWDnB2hFs4qKGeE+WL36F/aw - /Ui1oFyMOcdvPg== ) -z.dyn.example.net. 7200 IN A 1.2.3.6 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. 
- CxCptk9vpGT/9oG9WXiLmgKrWrxvuxFkgjEu - gBsp7loIM6x3Pr+CDXdsvbjDW1DwsjYBPyCa - JL7B7wczIlxQrA== ) - 7200 NSEC dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - hOjfx9YA8O7tSXycALMnI+cQw3hs4euTVNPf - fCiYukAFjwpQAmS8xVbtydTH7TVs5UcObyqB - 8gsnXboAW9x07g== ) diff --git a/contrib/zkt/examples/flat/dyn.example.net/zone.db.dsigned b/contrib/zkt/examples/flat/dyn.example.net/zone.db.dsigned deleted file mode 100644 index 31b15fd853..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/zone.db.dsigned +++ /dev/null 
@@ -1,221 +0,0 @@ -; File written on Thu Dec 18 01:03:01 2008 -; dnssec_signzone version 9.6.0rc1 -dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( - 10 ; serial - 43200 ; refresh (12 hours) - 1800 ; retry (30 minutes) - 1209600 ; expire (2 weeks) - 7200 ; minimum (2 hours) - ) - 7200 RRSIG SOA 5 3 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - srn4ZqDvq1V4YWAn+s1UuC3pk9DFhyxo7w6h - 6LnIeqAvnt6naBfgu0IHKt62fCMlq2LaW3n5 - LYdW5XD0aMU2pA== ) - 7200 NS ns1.example.net. - 7200 NS ns2.example.net. - 7200 RRSIG NS 5 3 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - le7/8D28Oia0Ai/aSZsno5TILSCaPKNnuauM - MGEGfCixiCXFIOCuND54qMpUR3wNEnTkHkyl - OBYt6dGy5pH0dw== ) - 7200 RRSIG NS 5 3 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - IAaofnTCtf2xoxW+NxUyosdLTj2+ueDnv8tz - hgGwtzUeHn+AXZgwB3pe5AgMO+Y8WNg7AZJ7 - TlJkTe3CnL6/Uw== ) - 7200 NSEC localhost.dyn.example.net. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 5 3 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - ovWzUD/vXa15hxBDTtMKP4TcJEpG3RX+2CrZ - ztcRdF9uy3JXI3+dEgmB+cPaDVW1AiNIrIYF - 3MRaCHa4jhJISw== ) - 7200 RRSIG NSEC 5 3 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. 
- S0ngwduIYE7H5DZ9A8OfeY9h0Sb6mdBQpN2+ - TzK3hsS6d92m7IoTkLMv8V1iGMY9cUasauwl - bzMUUgXpBSzFqA== ) - 3600 DNSKEY 256 3 5 ( - BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQu - IkM+jbh+s79ZpErpCR7wBS5TswdoTeglX9Uj - P0D6hLmHfTcsdHQLLeMidQ== - ) ; key id = 1355 - 3600 DNSKEY 256 3 5 ( - BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzev - MxDoizMthpHUkBf+8U6qExelm+aQQYnoyoe5 - NrreKBzt3jmqUYnn19QKQw== - ) ; key id = 10643 - 3600 DNSKEY 257 3 3 ( - CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V - NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K - S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s - m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA - EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI - r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i - 4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v - RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb - BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA - olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u - ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO - 6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT - dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5 - ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd - clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1 - ) ; key id = 42138 - 3600 RRSIG DNSKEY 3 3 3600 20081222123143 ( - 20081216123143 42138 dyn.example.net. - CL4xO8K27EV8Aq25hhFsk7Q5uL7sGO0HnsBH - tr6Iomd+JCqxBGvZSBg= ) - 3600 RRSIG DNSKEY 5 3 3600 20081222123143 ( - 20081216123143 1355 dyn.example.net. - DkobINneyOshuB+T7nfnGx/O7JvEBRPT/svs - ysxDmzZ8CaPF04lskwrLPFcRfMhrGX2JFYjE - uIWUFMbDBVHilA== ) - 3600 RRSIG DNSKEY 5 3 3600 20081223230301 ( - 20081217230301 10643 dyn.example.net. - 0W2AHhTCCVK1UAhfGkZTkrLuPfRNBgQHysKw - dHimxjMq/IlVwamPkmrW0NmYdt15C+E9SZja - HYu8RuXqyqxQzQ== ) -localhost.dyn.example.net. 7200 IN A 127.0.0.1 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - HDt+/eQ8d52VglJFPDwO3W7Gez2TUbvdz8Gk - SVDqIjHSTvJWN3L0vnBdHXOYUT8WLIMtQXXm - Y+JU8nNWxrD8yQ== ) - 7200 RRSIG A 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - vTo/zPTFUEK92lpo3XTuSai3VsUO5FuYuS0T - L3w3iIQHOdOSHunPy2brF6BzsznZXLuYvDvr - cZuxxYJpYRrecg== ) - 7200 NSEC ns1.dyn.example.net. 
A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - d+CMf40oITbKKIV2AE3JTmGKtxb1RJPEEm2p - z8RHSPFrdcC9ieJrdZIx1+Uxs5PjNbZcjdft - oiLcZ/pr+2QXew== ) - 7200 RRSIG NSEC 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - G/Tw47gQNzuCEJTLHbCOcrBoEEP28QrwzLdw - 7Y+WXP7XFMsLDkdLGrsL6CGLDL/L9WBGU75x - QKKBPFshzJUeUQ== ) -ns1.dyn.example.net. 7200 IN A 1.0.0.5 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - p99aPrpCC+FU8uRCJuRCo4aibhuFelbDXR1q - 9WRVJBJiDV4FO6EH/tCBAUQmNT0fh+mERKNd - 39Qjr5mH5gFcQw== ) - 7200 RRSIG A 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - QPGkC3aXCaNaGauAaEs5AWlBoftcP/HbrVGe - JlzZN2LbwwbTNDtvotnW7PeWJaaj6vRInkOt - TjSz43Sfn4FJvg== ) - 7200 AAAA 2001:db8::53 - 7200 RRSIG AAAA 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - ajT50HHhQUY5mD8SH1nPd+mf4HosL1lVvDVN - HTnpoqCjG0guDuRk/BCLTBj1MPcPDYlkdDcd - Rpv5xbYbYNu5qQ== ) - 7200 RRSIG AAAA 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - BXvwGdoLeAuj709j3KGvK7RvgQ4MbJmew8De - ZbTBaoVt4Z79Tf0m67Vj+VqHRgTDjyIvnSNZ - Bawk6lWw5dvroA== ) - 7200 NSEC ns2.dyn.example.net. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - lQESBjK8+FQmGgndAMbPvQ2WMomT3sa1ozPQ - /7ykGFFgM3YeUyA2h0AlUWHatLNDvMy2HeaM - C1ozcV9M/iHR0A== ) - 7200 RRSIG NSEC 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - fYIG2W8qnQYoahLfwJqLf4Tigl93xfqXZO20 - qn/wPBW4jy+JnJ/ShptEZCeuyTTsVBw4ZnJI - 7o15ZBW1UlZy9g== ) -ns2.dyn.example.net. 7200 IN A 1.2.0.6 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - OrkPhnVeL0kTY6hJzrBgXy1NGeiQQR+5ykSh - qFOOwR1C0YiBWGF3kkLE0ZAZ7XD+CPxc6Z/H - WL/+o/AVAtWrtg== ) - 7200 RRSIG A 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. 
- gDre5yf6WCDCute4lg1ktW9+mM4qPn5D5Oy6 - hsu3+9NRjOdAdQhV9HMzdOODooIOvLGKINOY - 6PFS66OvTcfNpA== ) - 7200 NSEC x.dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - ZE+qfvafm4vmGkkpcI1Z1ND2doEwnGELDiYQ - SpNu3bWTHDO6B8vHql1QayGPLzDH8licFAXL - FdyUOVHrXZMZNw== ) - 7200 RRSIG NSEC 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - FZGn3y2M+YWoH6gk06gTUMZ49PIq+yDr708Y - fxPcEsRljuYU2GrmETQKJTDY1HjYomTBGoKm - StupQrHzOOasAA== ) -x.dyn.example.net. 7200 IN A 1.2.3.4 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - kYuQrOUinJDCsIGlv+qAPROyDOP6vCI11Us4 - V0c6HK18FaaNE0BeivHAMN9QkliHF9GjYVm2 - JbklfT3DUMSuIA== ) - 7200 RRSIG A 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - pYCB8HDdv9WxX1GxNWdafGZGSKrveweoOixc - uddF++dPA1m+ro/6Qw28Cj5Coth7IKu+TyM0 - JPWTJgOUck73zw== ) - 7200 NSEC y.dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - AR2flkOCH0YPbmTGxPj4v8Ug/L2dasQElmZW - +NZK4vlyxwtGFowBDtcjiD10defZNP3Wuzus - YjuVA5JpZpTW8A== ) - 7200 RRSIG NSEC 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - Ant5JHyVUh8+mMG5+WGgimDGiItGVRWhb3B5 - C4KYb7DM8+qJ98W0KPIxFT9Sj9bsKyyOzvf3 - Bik/f7DSdcr6sg== ) -y.dyn.example.net. 7200 IN A 1.2.3.5 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - HYDO2JtuRZWZ+XyDj7GZOlC3b2Y2rozEzzEf - OC/CChOsplwm1MDx+5nXPHM8wcIUUofrlq+b - lRLJfqwLt9erxg== ) - 7200 RRSIG A 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - 1zS6xszu0hrKaJOLS6YOuFthmDCRp3PQIAjh - u6uPX6Kjpb8Svhdo7yFp7ukJU5OX6BEKiSon - qHajnJvPg72T6w== ) - 7200 NSEC z.dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. 
- mtz25BnhPmwYaHG2DLth2f3XTUeAMFDnmXby - /kUWbflanujxvWDnB2hFs4qKGeE+WL36F/aw - /Ui1oFyMOcdvPg== ) - 7200 RRSIG NSEC 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - 3fCQpAl+OjtWt9ZIpTrYVLhpZoaLqAJ8hy2v - ZTu9MtmmS3W/cdp6qdSi+bUZuiptGoxTBAjh - aC7QpOrobV9C/w== ) -z.dyn.example.net. 7200 IN A 1.2.3.6 - 7200 RRSIG A 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - CxCptk9vpGT/9oG9WXiLmgKrWrxvuxFkgjEu - gBsp7loIM6x3Pr+CDXdsvbjDW1DwsjYBPyCa - JL7B7wczIlxQrA== ) - 7200 RRSIG A 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - MAJ85Q1cFh7yqewaQyJ3YxS3KwTK/rxW+leY - HLwxfcijXkUrxVaRtO/gTcFdo4aTJjeDrPhV - ESwQbI+NNVkVRw== ) - 7200 NSEC dyn.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 4 7200 20081222123143 ( - 20081216123143 1355 dyn.example.net. - hOjfx9YA8O7tSXycALMnI+cQw3hs4euTVNPf - fCiYukAFjwpQAmS8xVbtydTH7TVs5UcObyqB - 8gsnXboAW9x07g== ) - 7200 RRSIG NSEC 5 4 7200 20081223230301 ( - 20081217230301 10643 dyn.example.net. - hRnT7XWT+KFHsxZ8rNiqWJ2/5WyLQRxht/QQ - NXaYz2OeSGfgsRmdHc6UfjeVLyeXYn7Tkikr - Pg7pX/nmF4eldQ== ) diff --git a/contrib/zkt/examples/flat/dyn.example.net/zone.org b/contrib/zkt/examples/flat/dyn.example.net/zone.org deleted file mode 100644 index c536fc8744..0000000000 --- a/contrib/zkt/examples/flat/dyn.example.net/zone.org +++ /dev/null @@ -1,30 +0,0 @@ -;----------------------------------------------------------------- -; -; @(#) dyn.example.net/zone.org -; -;----------------------------------------------------------------- - -$TTL 7200 - -@ IN SOA ns1.example.net. hostmaster.example.net. ( - 1 ; Serial - 43200 ; Refresh - 1800 ; Retry - 2W ; Expire - 7200 ) ; Minimum - - IN NS ns1.example.net. - IN NS ns2.example.net. - -ns1 IN A 1.0.0.5 - IN AAAA 2001:db8::53 -ns2 IN A 1.2.0.6 - -localhost IN A 127.0.0.1 - -x IN A 1.2.3.4 -y IN A 1.2.3.5 -z IN A 1.2.3.6 - -$INCLUDE dnskey.db - 
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key
deleted file mode 100644
index 5307c8a537..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;% generationtime=20081116175850
-;% lifetime=365d
-example.net. IN DNSKEY 257 3 5 BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU t9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB /Q==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private
deleted file mode 100644
index 91dcde1eb9..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB/Q==
-PublicExponent: AQAAAAE=
-PrivateExponent: CfS81MH9GT1CGQtK94PvSgggeQnSullWOmqQsKGndfJVpv4AJj/XCaEhgboIVshezJmUdHf3RWSOkSYfHAID89fTFAYvL4ZVSmkha1EivkY+tOeohM9zBzs5CfE9fmAlMCmxEQsYggZtjuddncKCNC4IYSkV6ez21S//3vnGvUtic+2ywaXF03MwhjKkOed6g8ukZJnj7B9Z5wu3rdiyOe85IQ==
-Prime1: A7Wh1oSpETxNT/ptPVHSGIemIyNvALXSI5UcoWAADQbith5663r1GgXHk2YGbyg1HgyrCZFoME3ZoIOUQ6yfN6tlixhpWmQdLW+pz3lULlTFBQ==
-Prime2: A1pCUhsSF9J8i5Smp2KEO3Dw5LngamhRksJzKC4yfGMvjwJ/RHJByyVcUEtRhgLvd2C2uW89Z4nz8HM/HQI+u9uwIFM20SIFEzZceR62ghNamQ==
-Exponent1: Azf7LwilgmHe2xJwMfQIJP5OnNsaZ1zm7Gk2i4lyA8+3hHNWetR1QRKl5E3AnzIzwOM5VEm2nO2XZeyHKPVOol6DM390oFXvp0c2G+ROabyQnQ==
-Exponent2: ATQ6mNC7MpC5NlGdQ+XmlTkiNuCRuFf/jZeSiJkZWvTjwZXQUhRCFMiM7fYwx/b/cqnqZ7I/9VwzslorFu0T37GQaeugFNkrsDdRRvDOA7+qoQ==
-Coefficient: AkhsG+b3Bel4MQ9fF/CnsPxv0cdoTphpLZPUGPlG451hqWFzMANEcTsiDya2UHoa5FAK825+47hVdihTdZkJwMNMsoI2Xnr07AEurDapOvChrg==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key
deleted file mode 100644
index a28a8891fa..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;% generationtime=20090730151357
-;% lifetime=84d
-example.net. IN DNSKEY 256 3 5 BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published
deleted file mode 100644
index 6ed54839e2..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: QGedp/HTzh6rYQGFLCnFHIM8mo5AxWZng293NH1AjxjGas5dmGZazN7l1XVRC3vsrkJnEo4vufmn3PiXEN5+cQ==
-Prime1: 9xNBI9Hnmg90Tt4dTmbd3vwYOnPMY3bUT8LK7ST9AW8=
-Prime2: 3zJmVknraflkD8SdS8KS30TnMdS45kfTLrLfGapkul8=
-Exponent1: 3QgVQB/5/207T9FsSmaLCerWRHXc2rhk2SzIgkizh+k=
-Exponent2: jFPAst+viSJxygltwZn3WPEL1+JeMFK99nilMa7YVLc=
-Coefficient: 7duJdlOhBkQ0IDwI5Hiedteo7phE7GPedy5MVHpPcjM=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key
deleted file mode 100644
index abf941e0f6..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;% generationtime=20090228113129
-;% lifetime=60d
-example.net. IN DNSKEY 257 3 5 BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug aQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published
deleted file mode 100644
index 443b143c31..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: CwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhugaQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: BhlkW6GKcOvDGyVAj7rEqpvEVd+t8H3WkifdhulioLIppKBuJlzzhSORjGojm6KYwcQl78F/7kHgKn2S5jBVk0FZr3vUR7Z6wbO80Ic9lOaFMBz0uYvUIYLGpFJvsVAFWv9sOkLK5iwFs6JehrSgxDbMfyBd8hpdN7mWOYD51p5HJMVvdqAw82mZoELQdlWM5tUzZdyx0jnAPtnYV+IxVa5CgQ==
-Prime1: A41vXEkXlyvOuNbnByXKgw4BfHHp4LjpDsm4F35SD56Pvw1BFHtrgm/U7oJZQUBvyW2CcCe0Ria1iY4OjB/jdv2c4+GPhq1LizHquadfwHfAzw==
-Prime2: AxwrEOiIRMkPEobov43MiBtbFKGA7QnN7DOD/QTFOA8a7IMhUDHU7pQbJASXpUaLKLSrAMeRNKwSyHXq34WFUzP4HK6ubuLn2k5YxhWRDbwpRw==
-Exponent1: Ao+dprhY0qEAYGjF6wdwxyIDFAoU/g+1gwS566bRiIrYdXN9OoLRHHH7r3v8tfgjKckQAXbjVKfV9MYNpnW8jYqmSOvAXXjLtHtyBcJQOs89gQ==
-Exponent2: 9AwIcMdFNsAzAsXHLQwN3lvQUce4cpuxw/GKnKTu9rsmqtbz9Al4qLSTsXYxErdSZ7xwIxX/PYeCywc0zZjd5fbGGOBv/fApfRgECVQWSNpJ
-Coefficient: 1hDGT7Cnck4tyDJDUZHVK2ejowz2RlqzqN/BAMEfi+k3b/Ild6pdHNHu2mDYkFRqSIU4zVAVxeplrTKoXvVmmb8iWF/3jNLL/eKxYinNHe1P
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated
deleted file mode 100644
index 8e89f26564..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: pYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: ZF1rC+0JIyhAQNFXPtcPW8S3iggmyY5AH+yXDDqpM1qx3a3NY5/BfuHFYDtsfHAB2DOjgqQmADly2B9NMhoJ4Q==
-Prime1: 2jtxQTZzjZuyqSRk4PBk/nx+VqrVFdSvHUyXb2EjNrU=
-Prime2: wizFiwOCJBiVDOjA0Zq9VuWk4+Fa7TNpkXp0//Y+NQU=
-Exponent1: ORIEM1AkgXP+KkRQcZI6qW+fXhrdUsegVW42eGRzEmk=
-Exponent2: YHsutgi+2qKtY/38Uu3e7bnHVhpUO7ZAcgPh00vd1yk=
-Coefficient: Z5qDNIXQpU91m32R1HPPK75ASx5ah4/Gd4jw/SHsnDk=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key
deleted file mode 100644
index 7678a29cc6..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;% generationtime=20090615075841
-;% lifetime=14d
-example.net. IN DNSKEY 256 3 5 BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key
deleted file mode 100644
index f1df500b3c..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;% generationtime=20090630093509
-;% lifetime=14d
-example.net. IN DNSKEY 256 3 5 BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private
deleted file mode 100644
index fe31c85ddb..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
-PublicExponent: AQAAAAE=
-PrivateExponent: a9MzQ8dBy0kkwjUECnf6X02Q8URTNL+8IuJIOjD0sVbtt04trek0iioQkWNVBn7m7o1vrIijQ4AuMe9xqyiRyQ==
-Prime1: /m1HDAGWnLeuYTLhlNxQBg+vUDjDPXOFXFvOg5Vkjlc=
-Prime2: ziIYCdlrKqZkIpyt6AuPsRDqs2kNlkiwWT8D4D7J3L0=
-Exponent1: Sd/Kn+FrTrMRZucUyXyGoKyfX6uReD4Kv0XYAqtk9+s=
-Exponent2: KAcgSeMQeZPaabpFZMR9O4h2j4WwD5PysJsQKq1i9DE=
-Coefficient: NBFD1eKzJOpi9G1tF88xmnNvNBbyEtgf0EuV4JAwTrs=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.key
new file mode 100644
index 0000000000..fa33d5a6a0
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.key
@@ -0,0 +1,3 @@
+;% generationtime=20100311225233
+;% lifetime=60d
+example.net. IN DNSKEY 257 3 8 BQEAAAABDUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkG TECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJ JBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9 SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPY BQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.private
new file mode 100644
index 0000000000..b2832b23a6
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.private
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 8 (RSASHA256) +Modulus: DUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkGTECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJJBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPYBQ== +PublicExponent: AQAAAAE= +PrivateExponent: AeHyClC8SYdKB3mQtwWx/z08pCjHEs18KF9HbWddQnQrrJKP1lh1r6DGmJ5oigg3i2x/NEBUXw345FYQ7ynaVewt4KoQ2c6vT1ZyOXuoCmJknMxXKaVma5L3+hrGwdaS7tbJXGQrq6FHaYOO/2un8G7qRU5zoods+iR8qCRktkYVk2PS7wrdeQu9XaGUl5pPwh7fmNmjpfe16kyk3M2xoThEUQ== +Prime1: A9GgY74jQxKOqTEMivti0zJIuxjlN7k1+MlTDQliH8EiFy8b/6HqRqddgdeuPDt8s0jv1cGxnMig4761JszH7CQeHbefeoLw95OXu7v6hpw3Uw== +Prime2: A3qansKrFaIwWJw7n0//qO52mEKCxoljeMzbeXx4f+pgADmyMcv8ysHMUPP6BEwVxlxHVyv9a3lxQRa8ZdPtFV+QK3Zy3PfAV8SoahbYgi2ARw== +Exponent1: v6z/wlryoSYkgnlkxM6uC6AEc7ZQQdla7cG+iaeEJq8pfzPClkU+WiBP9MJroO8ExM1mj/bjIfw3/Vel5NuLD9uU+BIV1qzcWKbPwo7xZnqh +Exponent2: OPEA/pb22DU0GDyS1UmOmJGjyp2Irxe1LJL6J16bK/lCqPNenT8qIYbLY2EKUoRhAirvurd4/fXqnzNVYdw369C/DBtfZ6AeAfs4no/+Fnfx +Coefficient: /pte3nUM+M1VmAs7z3bhTdbPWIJZk7z0RkcBhFvUn4ZGgImUSFF8/psPzvQFy9pyGzinviE16aI0UVEBxL7NkFfSs9cMX0jpItFDyJTcxvjA diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.key new file mode 100644 index 0000000000..3ded31f8fe --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.key @@ -0,0 +1,3 @@ +;% generationtime=20100311225233 +;% lifetime=14d +example.net. IN DNSKEY 256 3 8 BQEAAAABy5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twH y339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ== diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.private new file mode 100644 index 0000000000..d13ba75f20 --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 8 (RSASHA256) +Modulus: y5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twHy339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ== +PublicExponent: AQAAAAE= +PrivateExponent: uHA+A2dABi4t2afEHHud8MajxjMLqxw/+t0yzsRgye6eiAkJVuhYSdxxqmlqMmSayrBNSX2jYHdKmY49W6kmUQ== +Prime1: 6pzzNfud8Hzw9UdeitwJwVzFaAfV/RmRmTCm4OLBGD0= +Prime2: 3itJLwoOTYkb2rOQNjZ/4hMNov3plClxo5e9iPSARL0= +Exponent1: w/gumsQA0FOkuuMBp5PcTsbHbebL9SAVDURQgLo2ZMU= +Exponent2: ILYpsGsfTcHDSAmGbQBRSsFQEKw7Ghx/mIcWoUIN250= +Coefficient: cwmz0VwEQ4Jjc3+T0tDgH9fhUiyISbuV/0Bz25E5bYA= diff --git a/contrib/zkt/examples/flat/example.net/dnskey.db b/contrib/zkt/examples/flat/example.net/dnskey.db deleted file mode 100644 index 90a6e5b1ff..0000000000 --- a/contrib/zkt/examples/flat/example.net/dnskey.db +++ /dev/null 
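Review bot: The zone-signing key added in `Kexample.net.+008+36257.private` has a modulus of 88 base64 characters, which decodes to 64 bytes, so it is 512-bit RSA. Moving from RSASHA1 to RSASHA256 does not help while the modulus stays at a size that is practical to factor. Examples tend to be copied into production, so I would set the size explicitly in the example configuration, e.g. `ZSK_bits: 2048` in `dnssec.conf` (assuming that parameter drives the key size here), and regenerate this key. The private halves of this key and of 08406 in the preceding hunk are published with the patch, so the examples README should state that these keys are for demonstration only and must never sign a real zone.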
@@ -1,45 +0,0 @@ -; -; !!! Don't edit this file by hand. -; !!! It will be generated by dnssec-signer. -; -; Last generation time Jul 30 2009 17:13:57 -; - -; *** List of Key Signing Keys *** -; example.net. tag=33840 algo=RSASHA1 generated Feb 28 2009 12:31:29 -example.net. 14400 IN DNSKEY 257 3 5 ( - BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc - +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n - m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u - SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug - aQ== - ) ; key id = 33840 - -; example.net. tag=7308 algo=RSASHA1 generated Feb 28 2009 12:31:29 -example.net. 14400 IN DNSKEY 257 3 5 ( - BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ - oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ - w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU - t9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB - /Q== - ) ; key id = 7308 - -; *** List of Zone Signing Keys *** -; example.net. tag=34925 algo=RSASHA1 generated Jun 17 2009 16:36:16 -example.net. 14400 IN DNSKEY 256 3 5 ( - BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj - w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ== - ) ; key id = 34925 - -; example.net. tag=48089 algo=RSASHA1 generated Jun 30 2009 11:35:09 -example.net. 14400 IN DNSKEY 256 3 5 ( - BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd - IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw== - ) ; key id = 48089 - -; example.net. tag=24545 algo=RSASHA1 generated Jul 30 2009 17:13:57 -example.net. 14400 IN DNSKEY 256 3 5 ( - BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ - WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ== - ) ; key id = 24545 - diff --git a/contrib/zkt/examples/flat/example.net/dnssec.conf b/contrib/zkt/examples/flat/example.net/dnssec.conf new file mode 100644 index 0000000000..ea85a8b7b1 --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/dnssec.conf @@ -0,0 +1,2 @@ +Key_Algo: RSASHA256 # (Algorithm ID 8) +NSEC3: OPTOUT 
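Review bot: `NSEC3: OPTOUT` in the new `example.net/dnssec.conf` carries no comment, and opt-out is the weaker of the NSEC3 modes. Insecure delegations are left out of the authenticated denial chain, a trade-off meant for large delegation-heavy zones rather than a small example zone. If opt-out is here only to demonstrate the option, say so on the line, e.g. `NSEC3: OPTOUT # demo only: unsigned delegations are not covered by the NSEC3 chain`.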
diff --git a/contrib/zkt/examples/flat/example.net/dsset-example.net. b/contrib/zkt/examples/flat/example.net/dsset-example.net. deleted file mode 100644 index ec2e02237f..0000000000 --- a/contrib/zkt/examples/flat/example.net/dsset-example.net. +++ /dev/null @@ -1,4 +0,0 @@ -example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445 -example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E -example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4 -example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key deleted file mode 100644 index a0d65e84e1..0000000000 --- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key +++ /dev/null @@ -1,4 +0,0 @@ -;% generationtime=20080506212634 -;% lifetime=60d -;% expirationtime=20090228113128 -example.net. IN DNSKEY 385 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w== diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private deleted file mode 100644 index 42b8b8066b..0000000000 --- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: DUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU8w== -PublicExponent: AQAAAAE= -PrivateExponent: AzPR74ljfqsl7qB92XeCowR3igYQrN59a2Z8VGB1PegjagkBltDzudzYyDKpvqdigjeFLL54f1MN5JCPo4J2Q6Ij49LAQ5GsXiEd/FWlwR+UztOcW/uZ3W6DNIwuMbSY7ruZmpv/zVPpyeY1PVXgCsJlX2Zj/Wt8QHASHp5rUugGQSPQfVSQ/mBdDXMZw2tEb3b10quziCmKuHegopRYeuNXwQ== -Prime1: A+5jXfxmP0Mfnjr4m8BPrPkDyokgFXZB3dXibxeZqp4ypcwpXeO0xTf1FjSZeIOi2RJOzpym914IYa3wPx4zbxmsGeozr1hTIWE+6Xuz0qjE0w== -Prime2: A2EOffOaSvEoTUf/0dF8Z9/dYxIrE9HBbXRjgrlPc+WoG57lCkjxe/KO5Eclg9o5nrTFcsxpsjrdxOAcIcyTIHsXW8YgxDAb1mFJ0V6tBsabYQ== -Exponent1: vmRAN3zHGTV28Oj4gslB/xA58sDyieCkDrpGaGChsPo7yUPOEeZQ8ep/FDnQoZLhLCn6XkKcN4D99Yo3JxVECBJOHZp8HrFsfF9BzpXk2yH9 -Exponent2: Aj8x3YdZJ0/KzwX2m6G2qZ5WktmkDITa+XHxvSashqlBm2niBCRFN5kNQNhkIO5ZAFWKEPuHSB5BZWTzgj8jeB8mRoYtbPlJom4KbNtCiZ6BYQ== -Coefficient: A87WfUPUBfYDuSAu6kcHLAyr0OnqoXnMeXSgyq28CJXdh3Vg39Al8me07wWeRDjMzfpZGdKEhxyvVIS8WhY3du0FYoGI5YhJMqaYq3XjwLfpsQ== diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key b/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key deleted file mode 100644 index fdf427b86e..0000000000 --- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key +++ /dev/null @@ -1,4 +0,0 @@ -;% generationtime=20080415164557 -;% lifetime=20d -;% expirationtime=20080506212633 -example.net. IN DNSKEY 385 3 5 BQEAAAABCrDt76ODmeteohszxggclH3vAXO/NXOnXjOzIivP5LaUL4/U uAtafg5JXypl/nCUVap9FG0K1ebCCBCMJaPCoi7pIgD5EgFzHPnxZo2w GvtmWYwK3MaBP4U8YzwpVbGpJIBAW+IZyM89LD6b2cvkJL5YEviPNfMp rMTLo7BOMVjMBpG2IuULOHq7dzyIe/ym/RXKuuYc5AVtHCBBfGKU/Wzn 0Q== 
diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private b/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private deleted file mode 100644 index 10185613d5..0000000000 --- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: CrDt76ODmeteohszxggclH3vAXO/NXOnXjOzIivP5LaUL4/UuAtafg5JXypl/nCUVap9FG0K1ebCCBCMJaPCoi7pIgD5EgFzHPnxZo2wGvtmWYwK3MaBP4U8YzwpVbGpJIBAW+IZyM89LD6b2cvkJL5YEviPNfMprMTLo7BOMVjMBpG2IuULOHq7dzyIe/ym/RXKuuYc5AVtHCBBfGKU/Wzn0Q== -PublicExponent: AQAAAAE= -PrivateExponent: CWC6hC61oQC954Dcu2Z0NNmLk6Wnr33yh7VCuT7kh5fSOgA6Fm0qQgH+nvW2sv9fpy8JB4WBaa/CnysKkLwjDBFcWkrMw7wDR0KAiixe8bjXCZUy95x2t3B/o23jQtS/ejJgaSSOJFioRcPoT5sv9mm6QCe3ir3g9+3n4COrzf0DY1oGfDLzuhrYDT/AM5MuEjSamlblTPHHsKlI3UCl+AHDLQ== -Prime1: A3ZcDeyxt/SDgmgg4Yk7v66MbFU4GWreYp4/MYhEDsE4jA0cqEY28cAoN8FyPCB1H1t10IVqOs7/LSKrWdXMUKUv57DPMHJp539Wx2HYLmVIfw== -Prime2: AxZ8J01/Sbij24nloiVsDJdjFTAVApr4S6n/QRdBkWumQTLexnQ1ErcTEVc3Fn0po04ZToIO5JNINrWNdAuNiaHYLuiD4pkkHuSAmTajbVsnrw== -Exponent1: Iw7WPWd3zZeJ/b3zQcQtSosUXUWFy430aEsQWimMnibFm+qOVpsjhRkTHW/yZp227Y4sVb/ZhzCZWFGr6qWe0sdHIv5Yx6SkvIxv4rUiHdOL -Exponent2: AhiPWhKq+Iyy/HRZuWpIAalUZ7yE7FeHWFQYQLocatTCnY91VsgNxRLXRwcci6mflhIVoLBDHJal7x4SCRq0Xbze5PeMlMUhsDQdCT+QYTgCRw== -Coefficient: Auw2b1lPzp3gWxpnDNZWeuiwGcWTd9fNfN/4kBrCbulFngYTNVBpqathFqdwtojYXHfM2HZDKHqmZVZgON+FfxvauGvTDWO6MTBxUleeBlLmcg== diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key b/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key deleted file mode 100644 index 368d3537ea..0000000000 --- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key +++ /dev/null 
@@ -1,4 +0,0 @@ -;% generationtime=20080420205422 -;% lifetime=60d -;% expirationtime=20081116175850 -example.net. IN DNSKEY 385 3 5 BQEAAAABDAnSCbSyScZdP2M6OQTbTGvZRD5avmDYgAwXv0EsnNautYn7 kzDGwY3oVTXWDTdII+syK0pt0unjUn2ActoXtyFzIk61VRKDroANM9/W O0PO/y50vNIGMJUL1TiMR6jCp23eSxQ39/1A+BeiU+fMjoJK0/Yc7hbM HWwD8myU0IEX8R2iVUTXNPNbmUV2M836Eu5SRLIVTc7P4vjKT1YYVnoQ qw== diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.private b/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.private deleted file mode 100644 index 554cd12787..0000000000 --- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: DAnSCbSyScZdP2M6OQTbTGvZRD5avmDYgAwXv0EsnNautYn7kzDGwY3oVTXWDTdII+syK0pt0unjUn2ActoXtyFzIk61VRKDroANM9/WO0PO/y50vNIGMJUL1TiMR6jCp23eSxQ39/1A+BeiU+fMjoJK0/Yc7hbMHWwD8myU0IEX8R2iVUTXNPNbmUV2M836Eu5SRLIVTc7P4vjKT1YYVnoQqw== -PublicExponent: AQAAAAE= -PrivateExponent: CJPcx+j7bWxMzKCl395v2PxQRYc/YurHU25oJL9i+B/bkxC8sRzSrTe4rRW61vhtAE3R6+CGz1336igirbEWKjHbPyBg42QHu2OCHWcKv4jq8k9yvtYGb9rKVvSUj4HAfZolr130loWW+CNp5soQQcJG0qxP+YkdI/Z+GDQ9kDbn80+r3wtCtVzjhoq0RoUSH3UnKUbs+DvacQmvepMLcM3PgQ== -Prime1: A413lN4gpI+7Imn2Krm4CGyRCBoNwFa2PSr1ZQN195W5enKVZAkKg+49G7hoduMgjW2RAzwoJp0/4cGPx5nugSv93QT/mTMhYupL9KdGKcYUIQ== -Prime2: A2N7TbYY1Q67CsoqHPvogKEP0XtlN421eF+88Yu/YnAZ3Ikd1nMad7rO1bVWptabsNuw0JFkpOmrS3u/GvaWmKCNGBlGjF/XlKr8Bh63V/zLSw== -Exponent1: Aa0C6ssN8NTZIKsoGJEJLVbb9uB48nXtaMq2FxFARogrnmY0Gi/n8AWFc+ulPvAzJhhrjWF3VW38GcuPe3Ss8l3fpAbAexEnrJHOXxKLlOgmwQ== -Exponent2: j78LKeDXSgTL5WmsffdJHSRe32GfaX6SgTF0BKzKVRuNIiOf7vHjzkDn4gdcTsMLTSNVp/Zj4vkWMkfJNq+AqosHpBFvhmd+boUG4Xde4jSp -Coefficient: A1RWhKCgowdNAWs9OF3Q5CBBzC2Fq6O0CspJJD3cmNTEQVbxEbzSWyW7S1NsBgp+6de/HQ72IFtEAL9ChSy6pXWx27PGK6wE89rGbfaJ9Y2gzQ== 
diff --git a/contrib/zkt/examples/flat/example.net/keyset-example.net. b/contrib/zkt/examples/flat/example.net/keyset-example.net. deleted file mode 100644 index eba52b9ca6..0000000000 --- a/contrib/zkt/examples/flat/example.net/keyset-example.net. +++ /dev/null @@ -1,19 +0,0 @@ -$ORIGIN . -example.net 7200 IN DNSKEY 257 3 5 ( - BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y - 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS - BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn - eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7 - grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8 - V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7 - Il5cqhugaQ== - ) ; key id = 33840 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh - Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl - Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl - SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO - g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy - A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5 - JT9+p0yB/Q== - ) ; key id = 7308 diff --git a/contrib/zkt/examples/flat/example.net/z.db b/contrib/zkt/examples/flat/example.net/z.db new file mode 100644 index 0000000000..4a12fed464 --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/z.db @@ -0,0 +1,34 @@ +;----------------------------------------------------------------- +; +; @(#) example.net/zone.db +; +;----------------------------------------------------------------- + +$TTL 7200 + +@ IN SOA ns1.example.net. hostmaster.example.net. ( + 353 ; Serial + 43200 ; Refresh + 1800 ; Retry + 2W ; Expire + 7200 ) ; Minimum + + IN NS ns1.example.net. + +ns1 IN A 1.0.0.5 + +example.net. 3600 IN DNSKEY 257 3 5 ( + BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc + +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n + m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u + SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug + aQ== + ) ; key id = 33840 + +example.net. 3600 IN DNSKEY 256 3 5 ( + BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd + IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw== + ) ; key id = 48089 + +_domainkey IN NS ns1.example.net. + 
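Review bot: The new `z.db` publishes two algorithm 5 DNSKEY records, key ids 33840 and 48089, whose key files this same commit deletes, while the directory's new `dnssec.conf` moves the zone to RSASHA256. Its header still reads `@(#) example.net/zone.db`, so this looks like a leftover working copy of the old zone file. If it is meant to stay, drop the stale DNSKEY records and correct the header to `@(#) example.net/z.db`; otherwise leave the file out of the patch. Separately, `ns1 IN A 1.0.0.5` points at routable address space; a documentation address such as `192.0.2.5` (RFC 5737) is safer in an example.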
diff --git a/contrib/zkt/examples/flat/example.net/zktlog-example.net. b/contrib/zkt/examples/flat/example.net/zktlog-example.net. new file mode 100644 index 0000000000..3363cabe43 --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/zktlog-example.net. 
@@ -0,0 +1,274 @@ +2010-02-06 00:26:54.533: debug: Check RFC5011 status +2010-02-06 00:26:54.533: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-06 00:26:54.533: debug: Check KSK status +2010-02-06 00:26:54.533: debug: Check ZSK status +2010-02-06 00:26:54.533: debug: Re-signing not necessary! +2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy +2010-02-06 00:29:31.291: debug: Check RFC5011 status +2010-02-06 00:29:31.291: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-06 00:29:31.291: debug: Check KSK status +2010-02-06 00:29:31.292: debug: Check ZSK status +2010-02-06 00:29:31.292: debug: Re-signing not necessary! +2010-02-06 00:29:31.292: debug: Check if there is a parent file to copy +2010-02-06 00:40:35.043: debug: Check RFC5011 status +2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-06 00:40:35.043: debug: Check KSK status +2010-02-06 00:40:35.043: debug: Check ZSK status +2010-02-06 00:40:35.043: debug: Re-signing not necessary! +2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy +2010-02-06 00:52:55.403: debug: Check RFC5011 status +2010-02-06 00:52:55.403: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-06 00:52:55.403: debug: Check KSK status +2010-02-06 00:52:55.403: debug: Check ZSK status +2010-02-06 00:52:55.403: debug: Re-signing not necessary! +2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy +2010-02-07 13:53:48.304: debug: Check RFC5011 status +2010-02-07 13:53:48.304: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 13:53:48.304: debug: Check KSK status +2010-02-07 13:53:48.304: debug: Check ZSK status +2010-02-07 13:53:48.304: debug: Re-signing not necessary! 
+2010-02-07 13:53:48.304: debug: Check if there is a parent file to copy +2010-02-07 13:54:03.466: debug: Check RFC5011 status +2010-02-07 13:54:03.466: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 13:54:03.466: debug: Check KSK status +2010-02-07 13:54:03.466: debug: Check ZSK status +2010-02-07 13:54:03.466: debug: Re-signing not necessary! +2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy +2010-02-07 13:54:08.019: debug: Check RFC5011 status +2010-02-07 13:54:08.019: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 13:54:08.020: debug: Check KSK status +2010-02-07 13:54:08.020: debug: Check ZSK status +2010-02-07 13:54:08.020: debug: Re-signing necessary: Option -f +2010-02-07 13:54:08.020: notice: "example.net.": re-signing triggered: Option -f +2010-02-07 13:54:08.020: debug: Writing key file "./example.net/dnskey.db" +2010-02-07 13:54:08.020: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-07 13:54:08.020: debug: Signing zone "example.net." +2010-02-07 13:54:08.021: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-07 13:54:08.125: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-07 13:54:08.125: debug: Signing completed after 0s. +2010-02-07 13:54:08.125: notice: "example.net.": distribution triggered +2010-02-07 13:54:08.125: debug: Distribute zone "example.net." +2010-02-07 13:54:08.125: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed " +2010-02-07 13:54:08.129: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./" +2010-02-07 13:54:08.129: notice: "example.net.": reload triggered +2010-02-07 13:54:08.129: debug: Reload zone "example.net." +2010-02-07 13:54:08.129: debug: Run cmd "./dist.sh reload example.net. 
./example.net/zone.db.signed " +2010-02-07 13:54:08.139: debug: ./dist.sh reload return: "rndc reload example.net. " +2010-02-07 14:06:27.670: debug: Check RFC5011 status +2010-02-07 14:06:27.670: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 14:06:27.670: debug: Check KSK status +2010-02-07 14:06:27.670: debug: Check ZSK status +2010-02-07 14:06:27.670: debug: Re-signing not necessary! +2010-02-07 14:06:27.671: debug: Check if there is a parent file to copy +2010-02-07 14:06:33.753: debug: Check RFC5011 status +2010-02-07 14:06:33.753: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 14:06:33.753: debug: Check KSK status +2010-02-07 14:06:33.753: debug: Check ZSK status +2010-02-07 14:06:33.753: debug: Re-signing necessary: Option -f +2010-02-07 14:06:33.753: notice: "example.net.": re-signing triggered: Option -f +2010-02-07 14:06:33.753: debug: Writing key file "./example.net/dnskey.db" +2010-02-07 14:06:33.754: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-07 14:06:33.754: debug: Signing zone "example.net." +2010-02-07 14:06:33.754: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-07 14:06:33.790: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-07 14:06:33.790: debug: Signing completed after 0s. +2010-02-07 14:06:33.790: notice: "example.net.": distribution triggered +2010-02-07 14:06:33.790: debug: Distribute zone "example.net." +2010-02-07 14:06:33.790: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed " +2010-02-07 14:06:33.794: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./" +2010-02-07 14:06:33.794: notice: "example.net.": reload triggered +2010-02-07 14:06:33.794: debug: Reload zone "example.net." +2010-02-07 14:06:33.794: debug: Run cmd "./dist.sh reload example.net. 
./example.net/zone.db.signed " +2010-02-07 14:06:33.797: debug: ./dist.sh reload return: "rndc reload example.net. " +2010-02-21 12:50:43.587: debug: Check RFC5011 status +2010-02-21 12:50:43.587: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:50:43.587: debug: Check KSK status +2010-02-21 12:50:43.587: debug: Check ZSK status +2010-02-21 12:50:43.587: debug: Lifetime(1209600 +/-150 sec) of active key 33002 exceeded (2394625 sec) +2010-02-21 12:50:43.587: debug: ->depreciate it +2010-02-21 12:50:43.587: debug: ->activate published key 29240 +2010-02-21 12:50:43.587: notice: "example.net.": lifetime of zone signing key 33002 exceeded: ZSK rollover done +2010-02-21 12:50:43.587: debug: New key for publishing needed +2010-02-21 12:50:43.658: debug: ->creating new key 5525 +2010-02-21 12:50:43.658: info: "example.net.": new key 5525 generated for publishing +2010-02-21 12:50:43.658: debug: Re-signing necessary: Modfied zone key set +2010-02-21 12:50:43.658: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-02-21 12:50:43.658: debug: Writing key file "./example.net/dnskey.db" +2010-02-21 12:50:43.665: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-21 12:50:43.665: debug: Signing zone "example.net." +2010-02-21 12:50:43.665: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-21 12:50:43.733: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 12:50:43.733: debug: Signing completed after 0s. +2010-02-21 12:50:51.205: debug: Check RFC5011 status +2010-02-21 12:50:51.205: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:50:51.205: debug: Check KSK status +2010-02-21 12:50:51.205: debug: Check ZSK status +2010-02-21 12:50:51.205: debug: Re-signing not necessary! 
+2010-02-21 12:50:51.205: debug: Check if there is a parent file to copy +2010-02-21 12:51:23.497: debug: Check RFC5011 status +2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:51:23.497: debug: Check KSK status +2010-02-21 12:51:23.497: debug: Check ZSK status +2010-02-21 12:51:23.497: debug: Re-signing not necessary! +2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy +2010-02-21 19:16:18.594: debug: Check RFC5011 status +2010-02-21 19:16:18.594: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:16:18.594: debug: Check KSK status +2010-02-21 19:16:18.594: debug: Check ZSK status +2010-02-21 19:16:18.594: debug: Re-signing not necessary! +2010-02-21 19:16:18.594: debug: Check if there is a parent file to copy +2010-02-21 19:32:11.378: debug: Check RFC5011 status +2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:32:11.378: debug: Check KSK status +2010-02-21 19:32:11.378: debug: Check ZSK status +2010-02-21 19:32:11.378: debug: Re-signing not necessary! +2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy +2010-02-21 19:32:15.982: debug: Check RFC5011 status +2010-02-21 19:32:15.982: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:32:15.982: debug: Check KSK status +2010-02-21 19:32:15.982: debug: Check ZSK status +2010-02-21 19:32:15.982: debug: Re-signing necessary: Option -f +2010-02-21 19:32:15.982: notice: "example.net.": re-signing triggered: Option -f +2010-02-21 19:32:15.982: debug: Writing key file "./example.net/dnskey.db" +2010-02-21 19:32:15.982: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-21 19:32:15.982: debug: Signing zone "example.net." +2010-02-21 19:32:15.982: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. 
-e +518400 zone.db K*.private 2>&1" +2010-02-21 19:32:16.019: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 19:32:16.019: debug: Signing completed after 1s. +2010-02-21 19:32:32.232: debug: Check RFC5011 status +2010-02-21 19:32:32.232: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:32:32.233: debug: Check KSK status +2010-02-21 19:32:32.233: debug: Check ZSK status +2010-02-21 19:32:32.233: debug: Re-signing necessary: Option -f +2010-02-21 19:32:32.233: notice: "example.net.": re-signing triggered: Option -f +2010-02-21 19:32:32.233: debug: Writing key file "./example.net/dnskey.db" +2010-02-21 19:32:32.233: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-21 19:32:32.233: debug: Signing zone "example.net." +2010-02-21 19:32:32.233: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-21 19:32:32.273: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 19:32:32.273: debug: Signing completed after 0s. +2010-02-25 00:12:27.060: debug: Check RFC5011 status +2010-02-25 00:12:27.060: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-25 00:12:27.060: debug: Check KSK status +2010-02-25 00:12:27.060: debug: Check ZSK status +2010-02-25 00:12:27.060: debug: Lifetime(29100 sec) of depreciated key 33002 exceeded (300104 sec) +2010-02-25 00:12:27.060: info: "example.net.": old ZSK 33002 removed +2010-02-25 00:12:27.081: debug: ->remove it +2010-02-25 00:12:27.082: debug: Re-signing necessary: Modfied zone key set +2010-02-25 00:12:27.082: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-02-25 00:12:27.082: debug: Writing key file "./example.net/dnskey.db" +2010-02-25 00:12:27.086: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-25 00:12:27.086: debug: Signing zone "example.net." 
+2010-02-25 00:12:27.086: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-25 00:12:27.173: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-25 00:12:27.174: debug: Signing completed after 0s. +2010-02-25 23:42:21.013: debug: Check RFC5011 status +2010-02-25 23:42:21.013: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-25 23:42:21.013: debug: Check KSK status +2010-02-25 23:42:21.013: debug: Check ZSK status +2010-02-25 23:42:21.013: debug: Re-signing not necessary! +2010-02-25 23:42:21.013: debug: Check if there is a parent file to copy +2010-03-02 10:59:12.416: debug: Check RFC5011 status +2010-03-02 10:59:12.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-02 10:59:12.416: debug: Check KSK status +2010-03-02 10:59:12.416: debug: Check ZSK status +2010-03-02 10:59:12.416: debug: Re-signing necessary: re-signing interval (2d) reached +2010-03-02 10:59:12.416: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached +2010-03-02 10:59:12.416: debug: Writing key file "./example.net/dnskey.db" +2010-03-02 10:59:12.449: debug: Incrementing serial number in file "./example.net/zone.db" +2010-03-02 10:59:12.449: debug: Signing zone "example.net." +2010-03-02 10:59:12.450: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-03-02 10:59:12.530: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-03-02 10:59:12.530: debug: Signing completed after 0s. +2010-03-03 23:22:00.415: debug: Check RFC5011 status +2010-03-03 23:22:00.415: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-03 23:22:00.415: debug: Check KSK status +2010-03-03 23:22:00.415: debug: Check ZSK status +2010-03-03 23:22:00.416: debug: Re-signing not necessary! 
+2010-03-03 23:22:00.416: debug: Check if there is a parent file to copy +2010-03-08 23:11:50.170: debug: Check RFC5011 status +2010-03-08 23:11:50.170: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-08 23:11:50.170: debug: Check KSK status +2010-03-08 23:11:50.170: debug: Check ZSK status +2010-03-08 23:11:50.171: debug: Lifetime(1209600 +/-150 sec) of active key 29240 exceeded (1333267 sec) +2010-03-08 23:11:50.171: debug: ->depreciate it +2010-03-08 23:11:50.171: debug: ->activate published key 5525 +2010-03-08 23:11:50.171: notice: "example.net.": lifetime of zone signing key 29240 exceeded: ZSK rollover done +2010-03-08 23:11:50.171: debug: New key for publishing needed +2010-03-08 23:11:50.228: debug: ->creating new key 21482 +2010-03-08 23:11:50.228: info: "example.net.": new key 21482 generated for publishing +2010-03-08 23:11:50.228: debug: Re-signing necessary: Modfied zone key set +2010-03-08 23:11:50.228: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-03-08 23:11:50.228: debug: Writing key file "././example.net/dnskey.db" +2010-03-08 23:11:50.235: debug: Incrementing serial number in file "././example.net/zone.db" +2010-03-08 23:11:50.235: debug: Signing zone "example.net." +2010-03-08 23:11:50.235: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-03-08 23:11:50.294: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-03-08 23:11:50.294: debug: Signing completed after 0s. 
+2010-03-08 23:12:56.212: debug: Check RFC5011 status
+2010-03-08 23:12:56.212: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:12:56.212: debug: Check KSK status
+2010-03-08 23:12:56.212: debug: Check ZSK status
+2010-03-08 23:12:56.212: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:12:56.212: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:12:56.212: debug: Writing key file "././example.net/dnskey.db"
+2010-03-08 23:12:56.213: debug: Incrementing serial number in file "././example.net/zone.db"
+2010-03-08 23:12:56.213: debug: Signing zone "example.net."
+2010-03-08 23:12:56.213: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-08 23:12:56.278: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:12:56.279: debug: Signing completed after 0s.
+2010-03-08 23:13:36.984: debug: Check RFC5011 status
+2010-03-08 23:13:36.984: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:13:36.984: debug: Check KSK status
+2010-03-08 23:13:36.984: debug: Check ZSK status
+2010-03-08 23:13:36.985: debug: Re-signing not necessary!
+2010-03-08 23:13:36.985: debug: Check if there is a parent file to copy
+2010-03-08 23:18:52.287: debug: Check RFC5011 status
+2010-03-08 23:18:52.287: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:18:52.287: debug: Check KSK status
+2010-03-08 23:18:52.287: debug: Check ZSK status
+2010-03-08 23:18:52.287: debug: Re-signing not necessary!
+2010-03-08 23:18:52.287: debug: Check if there is a parent file to copy
+2010-03-11 23:46:35.831: debug: Check RFC5011 status
+2010-03-11 23:46:35.831: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:46:35.831: debug: Check KSK status
+2010-03-11 23:46:35.831: debug: Check ZSK status
+2010-03-11 23:46:35.831: debug: Lifetime(29100 sec) of depreciated key 29240 exceeded (261285 sec)
+2010-03-11 23:46:35.831: info: "example.net.": old ZSK 29240 removed
+2010-03-11 23:46:35.832: debug: ->remove it
+2010-03-11 23:46:35.832: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:46:35.832: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:46:35.832: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:46:35.841: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:46:35.841: debug: Signing zone "example.net."
+2010-03-11 23:46:35.841: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:46:35.929: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:46:35.929: debug: Signing completed after 0s.
+2010-03-11 23:52:33.132: debug: Check RFC5011 status
+2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:52:33.133: debug: Check KSK status
+2010-03-11 23:52:33.133: debug: No active KSK found: generate new one
+2010-03-11 23:52:33.374: info: "example.net.": generated new KSK 8406
+2010-03-11 23:52:33.374: debug: Check ZSK status
+2010-03-11 23:52:33.374: debug: No active ZSK found: generate new one
+2010-03-11 23:52:33.400: info: "example.net.": generated new ZSK 36257
+2010-03-11 23:52:33.400: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:52:33.400: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:52:33.400: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:52:33.400: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:52:33.400: debug: Signing zone "example.net."
+2010-03-11 23:52:33.400: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 69AE05 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:52:33.408: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
+2010-03-11 23:52:33.408: error: "example.net.": signing failed!
+2010-03-11 23:53:27.856: debug: Check RFC5011 status
+2010-03-11 23:53:27.856: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:53:27.856: debug: Check KSK status
+2010-03-11 23:53:27.856: debug: Check ZSK status
+2010-03-11 23:53:27.856: debug: Re-signing necessary: Modified keys
+2010-03-11 23:53:27.856: notice: "example.net.": re-signing triggered: Modified keys
+2010-03-11 23:53:27.856: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:53:27.856: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:53:27.856: debug: Signing zone "example.net."
+2010-03-11 23:53:27.856: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 67AA7F -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:53:27.920: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:53:27.920: debug: Signing completed after 0s.
diff --git a/contrib/zkt/examples/flat/example.net/zone.db b/contrib/zkt/examples/flat/example.net/zone.db
deleted file mode 100644
index 9310d4033b..0000000000
--- a/contrib/zkt/examples/flat/example.net/zone.db
+++ /dev/null
@@ -1,43 +0,0 @@
-;-----------------------------------------------------------------
-;
-; @(#) example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-; Ensure that the serial number below is left
-; justified in a field of at least 10 chars!!
-; 0123456789;
-; It's also possible to use the date format e.g. 2005040101
-@ IN SOA ns1.example.net. hostmaster.example.net. (
- 350 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
- IN NS ns1.example.net.
- IN NS ns2.example.net.
-
-ns1 IN A 1.0.0.5
- IN AAAA 2001:db8::53
-ns2 IN A 1.2.0.6
-
-localhost IN A 127.0.0.1
-
-a IN A 1.2.3.1
-b IN MX 10 a
-;c IN A 1.2.3.2
-d IN A 1.2.3.3
- IN AAAA 2001:0db8::3
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.net file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub IN NS ns1.example.net.
-
-; this file will contain all the zone keys
-$INCLUDE dnskey.db
-
diff --git a/contrib/zkt/examples/flat/example.net/zone.db.signed b/contrib/zkt/examples/flat/example.net/zone.db.signed
deleted file mode 100644
index 761f0c4b0f..0000000000
--- a/contrib/zkt/examples/flat/example.net/zone.db.signed
+++ /dev/null
@@ -1,165 +0,0 @@ -; File written on Thu Jul 30 17:13:57 2009 -; dnssec_signzone version 9.7.0a1 -example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( - 350 ; serial - 43200 ; refresh (12 hours) - 1800 ; retry (30 minutes) - 1209600 ; expire (2 weeks) - 7200 ; minimum (2 hours) - ) - 7200 RRSIG SOA 5 2 7200 20090809141357 ( - 20090730141357 48089 example.net. - ef9jaM2b3mfW7Kt8CfONPqtWve+OA7+sxDph - ffNDdF4G2wd9hosI5S9Sz8BOIJGzcg2tsgaB - gOjVmH4Ywf+oKg== ) - 7200 NS ns1.example.net. - 7200 NS ns2.example.net. - 7200 RRSIG NS 5 2 7200 20090809141357 ( - 20090730141357 48089 example.net. - F05kFb45lMYUbgimn1ACKyIU61+oYOg3sMHU - FxJd+qg9erf2//q7k4sFC9KPqpuLoLxeq7zl - Mk6meHS+9wsneQ== ) - 7200 NSEC a.example.net. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 5 2 7200 20090809141357 ( - 20090730141357 48089 example.net. - OGO1Xb1nWaMl1cgCatUx3MbFzS/3N78l2FWJ - 9nj41937o+SaC///0hsrluM8NWCj1ROyZU3e - olkU38g+o0fkPQ== ) - 14400 DNSKEY 256 3 5 ( - BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWk - mp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFY - m/hhC77xJoVwSeOtXdmKiQ== - ) ; key id = 34925 - 14400 DNSKEY 256 3 5 ( - BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0 - nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJma - dHRQZDfu79tEz8MUid7aOw== - ) ; key id = 48089 - 14400 DNSKEY 256 3 5 ( - BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA - 1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rc - oAhDVW0hZ6DSDuV/0kouMQ== - ) ; key id = 24545 - 14400 DNSKEY 257 3 5 ( - BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y - 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS - BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn - eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7 - grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8 - V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7 - Il5cqhugaQ== - ) ; key id = 33840 - 14400 DNSKEY 257 3 5 ( - BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh - Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl - Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl - SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO - g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy - A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5 - JT9+p0yB/Q== - ) ; key id = 7308 - 14400 RRSIG 
DNSKEY 5 2 14400 20090809141357 ( - 20090730141357 7308 example.net. - CblyOQR4HbF8PQi+tJYtrbqGQzk6tHz2XUTN - UVGYKgU/J/bs3VtuuAze57v0rCLf90wH2tGv - PonbPBacTW0dULrtxDH0Y3bNeT6IiRNWtNi/ - r54PttqJO++MX9f1KkV2g5Y0R5rOuefVTqO8 - ww9SUO3GPc0W16tyFboziOhwN9XSlJsIAeNN - B8jeltRi5KAxUZXpWHS0XqkpcREZOVPHVEEq - YQ== ) - 14400 RRSIG DNSKEY 5 2 14400 20090809141357 ( - 20090730141357 48089 example.net. - XbZb9oFt54WIQrIaTh8YyzJ+uzIah7bCO0yg - XHUHAIbf1xu9sljmwlzBNLJFq5hPj+q1kvJc - 62464sVZH+EfWg== ) -a.example.net. 7200 IN A 1.2.3.1 - 7200 RRSIG A 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - st9XUmF9rcxpT3yqZzHmRh1iCA7BHpzKVQPg - 1iVLZatjDPcqeA2UDHBqbxE3RA6CGrHsONEs - nzR8X0uN22BTIA== ) - 7200 NSEC b.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - qEtyoL6etYfuriLJuEo0R2gxeCLM7n05FE4s - ig0NeorNk7ic89SY24owmYYJ/FbI532vhLHv - 0n6P1jVIBVTNOg== ) -b.example.net. 7200 IN MX 10 a.example.net. - 7200 RRSIG MX 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - oEeEMSxEXtlVpp1Rm5Z2Je6gAIggCRWUxthN - S1aEOIwVYcxIDlwLqbXoUVpcSaPGMATdGZnH - UGStzfIl/8troQ== ) - 7200 NSEC d.example.net. MX RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - fdtI/Qb/Smf6p0sD10Zx5oDgD0GsX0WUAMLQ - sDy3SFatpYio68dSfEP1cnayp/px2eLvTfVm - 5lDVj28RqfZ7Pw== ) -d.example.net. 7200 IN A 1.2.3.3 - 7200 RRSIG A 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - nTtV5w9QKqFLl164G4vTcAsMT5v09tpyvTVh - Oe7MYeRnN2SBxHt1ScJdjQ5/bLYwLE0eeCYn - 4OEF4w8WGhL67A== ) - 7200 AAAA 2001:db8::3 - 7200 RRSIG AAAA 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - d+E/L0pu10u6zO8ZwsES0OCxBJmSvFm1QUkd - qgHxZXZi7pj2bOtZGOCxQwMHg0CvNQ9mVxL0 - J3JSNlXGbwHSgQ== ) - 7200 NSEC localhost.example.net. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. 
- D8lZPkhs2FOYW9hyLryxKnx0NPzIDqOI4keb - YhrJuCmLLRe4vyEbdNLmV76g6ZKG9oCkgh3a - zgIUX0pOt281Bw== ) -localhost.example.net. 7200 IN A 127.0.0.1 - 7200 RRSIG A 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - jvmKKKCZ6sDIrQROwXMzPTEd9qgriYYRyMLw - EkOuubrkDlJkWVs7rx4d4zmrtoU5qr0sNB3m - kNSeEuoa+qR+eg== ) - 7200 NSEC ns1.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - oAMInMyMsQj9TZVQfJq6TmBONduujt6kcQpP - 0qFe7WI4Cc4AH+hy1cGkeBCPS1+0WoG4rqBw - 3OFb0GRqEXDc5w== ) -ns1.example.net. 7200 IN A 1.0.0.5 - 7200 RRSIG A 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - W5E+VE/68hF1gjsyZM6FU1Ynao1/78xNYnAr - o4fwADHCCXw1/TDbMbp9LCzgNoUfKjWjJCn6 - 89OCX/es/0rTtA== ) - 7200 AAAA 2001:db8::53 - 7200 RRSIG AAAA 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - wUAOaDeX1NQh5pm8VfjXJ9QCE0HK5rdyXcyP - Sreh+AjyA2UVksG6Rd8/8WWv2YPwD8LtOZfv - OVzIQY+ltEOSvg== ) - 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - cu58jBfTX3IrVthmTxmvKuj76N7OtkuRWqkz - wNqyKtLjTaW2hEvt6Wnd/F7Py/xiKS6aEFIK - iovzZNBDetmiBg== ) -ns2.example.net. 7200 IN A 1.2.0.6 - 7200 RRSIG A 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - Qs5E1Bc10de+JJW26BhWzvDvxA4ssyB57QN2 - 3uk1jgoqi4f91/xvvoy45eQtOIflmNlKV1up - ZESuqA8PJwq9hQ== ) - 7200 NSEC sub.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - DIqhTgeHJasScNvLEnUzqLectmRRQhKpFINK - +NWEL/CM27SCiOLLYu5Mz2YHLVpz2VoV/V32 - YVpaLtAlA5Gc1g== ) -sub.example.net. 7200 IN NS ns1.example.net. - 7200 NSEC example.net. NS RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090809141357 ( - 20090730141357 48089 example.net. - qRqoIDBDuxWo403SI0B3ZPiAMSWV48HWUDi/ - bUPuGtKCaw43OuG4RgMBlItzxrmw5AMlcsGw - +dpIoVdHzGqmdg== ) 
diff --git a/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net. b/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net.
deleted file mode 100644
index b9d0017467..0000000000
--- a/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
-sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
diff --git a/contrib/zkt/examples/flat/keysets/dsset-dyn.example.net. b/contrib/zkt/examples/flat/keysets/dsset-dyn.example.net.
deleted file mode 100644
index f94666a617..0000000000
--- a/contrib/zkt/examples/flat/keysets/dsset-dyn.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-dyn.example.net. IN DS 42138 3 1 0F49FCDB683D1903F69B6779DB55CA3472974879
-dyn.example.net. IN DS 42138 3 2 94AC94BFE3AFA17F7485F5F741274074FF2E26A360D776D8884F2689 CCED34C6
diff --git a/contrib/zkt/examples/flat/keysets/dsset-example.net. b/contrib/zkt/examples/flat/keysets/dsset-example.net.
deleted file mode 100644
index ec2e02237f..0000000000
--- a/contrib/zkt/examples/flat/keysets/dsset-example.net.
+++ /dev/null
@@ -1,4 +0,0 @@
-example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
-example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
-example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
-example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
diff --git a/contrib/zkt/examples/flat/keysets/dsset-sub.example.net. b/contrib/zkt/examples/flat/keysets/dsset-sub.example.net.
deleted file mode 100644
index 0ae4af62f4..0000000000
--- a/contrib/zkt/examples/flat/keysets/dsset-sub.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-sub.example.net. IN DS 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
-sub.example.net. IN DS 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
diff --git a/contrib/zkt/examples/flat/keysets/keyset-dyn.example.net. b/contrib/zkt/examples/flat/keysets/keyset-dyn.example.net. deleted file mode 100644 index 002217b0dc..0000000000 --- a/contrib/zkt/examples/flat/keysets/keyset-dyn.example.net. +++ /dev/null @@ -1,18 +0,0 @@ -$ORIGIN . -dyn.example.net 7200 IN DNSKEY 257 3 3 ( - CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V - NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K - S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s - m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA - EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI - r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i - 4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v - RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb - BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA - olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u - ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO - 6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT - dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5 - ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd - clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1 - ) ; key id = 42138 diff --git a/contrib/zkt/examples/flat/keysets/keyset-example.net. b/contrib/zkt/examples/flat/keysets/keyset-example.net. deleted file mode 100644 index eba52b9ca6..0000000000 --- a/contrib/zkt/examples/flat/keysets/keyset-example.net. +++ /dev/null @@ -1,19 +0,0 @@ -$ORIGIN . -example.net 7200 IN DNSKEY 257 3 5 ( - BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y - 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS - BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn - eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7 - grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8 - V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7 - Il5cqhugaQ== - ) ; key id = 33840 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh - Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl - Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl - SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO - g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy - A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5 - JT9+p0yB/Q== - ) ; key id = 7308 
diff --git a/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. b/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. deleted file mode 100644 index 17e31b8381..0000000000 --- a/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. +++ /dev/null @@ -1,8 +0,0 @@ -$ORIGIN . -sub.example.net 7200 IN DNSKEY 257 3 7 ( - AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb - jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr - /5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9 - H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7 - ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3 - ) ; key id = 48516 diff --git a/contrib/zkt/examples/flat/named.conf b/contrib/zkt/examples/flat/named.conf deleted file mode 100644 index 2d4cb9f0e6..0000000000 --- a/contrib/zkt/examples/flat/named.conf +++ /dev/null 
@@ -1,109 +0,0 @@ -/***************************************************************** -** -** #(@) named.conf (c) 6. May 2004 (hoz) -** -*****************************************************************/ - -/***************************************************************** -** logging options -*****************************************************************/ -logging { - channel "named-log" { - file "/var/log/named" versions 3 size 2m; - print-time yes; - print-category yes; - print-severity yes; - severity info; - }; - channel "resolver-log" { - file "/var/log/named"; - print-time yes; - print-category yes; - print-severity yes; - severity debug 1; - }; - channel "dnssec-log" { -# file "/var/log/named-dnssec" ; - file "/var/log/named" ; - print-time yes; - print-category yes; - print-severity yes; - severity debug 3; - }; - category "dnssec" { "dnssec-log"; }; - category "default" { "named-log"; }; - category "resolver" { "resolver-log"; }; - category "client" { "resolver-log"; }; - category "queries" { "resolver-log"; }; -}; - -/***************************************************************** -** name server options -*****************************************************************/ -options { - directory "."; - - dump-file "/var/log/named_dump.db"; - statistics-file "/var/log/named.stats"; - - listen-on-v6 { any; }; - - query-source address * port 53; - transfer-source * port 53; - notify-source * port 53; - - recursion yes; - dnssec-enable yes; - edns-udp-size 4096; - -# dnssec-lookaside "." trust-anchor "trusted-keys.de."; - - querylog yes; - -}; - -/***************************************************************** -** include shared secrets... -*****************************************************************/ -/** for control sessions ... **/ -controls { - inet 127.0.0.1 - allow { localhost; }; - inet ::1 - allow { localhost; }; -}; - -/***************************************************************** -** ... 
and trusted_keys -*****************************************************************/ -# include "trusted-keys.conf" ; - -/***************************************************************** -** root server hints and required 127 stuff -*****************************************************************/ -zone "." in { - type hint; - file "root.hint"; -}; - -zone "localhost" in { - type master; - file "localhost.zone"; -}; - -zone "0.0.127.in-addr.ARPA" in { - type master; - file "127.0.0.zone"; -}; - -#include "zone.conf"; - -zone "example.NET." in { - type master; - file "example.net/zone.db.signed"; -}; - -zone "sub.example.NET." in { - type master; - file "sub.example.net/zone.db.signed"; -}; diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.key new file mode 100644 index 0000000000..92cea13a34 --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.key @@ -0,0 +1,3 @@ +;% generationtime=20100311224635 +;% lifetime=3d +sub.example.net. IN DNSKEY 256 3 7 AwEAAZeWiMSfoNTQkZhKHK2+OXmKRSXgBjad7VBC9tZ40aIr5pPtDWCg 8iELYF4M6ybq0M1ffUO+GHZt89A624SkWps= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.published b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.published new file mode 100644 index 0000000000..da71bf9c49 --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.published 
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: l5aIxJ+g1NCRmEocrb45eYpFJeAGNp3tUEL21njRoivmk+0NYKDyIQtgXgzrJurQzV99Q74Ydm3z0DrbhKRamw==
+PublicExponent: AQAB
+PrivateExponent: ItWA0E4uUzkqe+hr9rED3B4eDboRM3PPGOaKenaBFdbONA8X6GbCTCAE6oF7DGSebfi6I9HTjLs24ZItD7bHwQ==
+Prime1: yLZLkD+0SqDwPDKXlK6qHMRKwGDcNw5MxELfv3ftyRM=
+Prime2: wVginHuVgdmvAxTX51WmK922+KTwk/w+Od+/W2N6IVk=
+Exponent1: XE5aGhDyHZA+a7DovVxGp8wuhKMHI9rTuz72H9xL4zk=
+Exponent2: XemKfknFGBp9WNjR+kru+RWrn2C2fpsiOohE8YYDN5k=
+Coefficient: ZmS8ZDDLz6CtwYEvGJgTsNTw/bj6JMaZ8cFh3x1Zd4Y=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated
deleted file mode 100644
index 27036fe68d..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: vwuuUkg4CTWLdI8+DIv9NW1dPbKQA6QZVcv+QgjmV7ewfxR31/n7c5usrUUQ+j1YHXM3AgIXhCN62OpQa1rgCQ==
-PublicExponent: AQAB
-PrivateExponent: LiSPHRaOWkMRhLyYOwWQyde5Xo6DVC3NZLiZl694mxS63YmbB5SYh9OILMunQCxRpxya94lqgt9DvSEGMvzlgQ==
-Prime1: 56furA32AKokZoRN8W/SC+l9MsENy1BFI4rodT3YNRE=
-Prime2: 0x89E2ZEeaPUp/Ox2qnRTXlB6h25P/SBxiGA31WBG3k=
-Exponent1: Km5UBSe5e32ulSh+rk5xBsWJrRY3VJorT8tNsMvXIkE=
-Exponent2: Caa/8AcY0ka/Df6B/vEMdHI6pS0+rsHKvPgDIDKUeGE=
-Coefficient: 1lvL+tM8iRj7MttO3zC4lQsO+8nPruMDBnYMzTVPGAI=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key
deleted file mode 100644
index 98cb5afb3a..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key
+++ /dev/null
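Review bot: The new file `Ksub.example.net.+007+02048.published` commits the private half of a ZSK whose modulus is 64 bytes (512-bit RSA, algorithm 7), and nothing in the added key files says the key is a throwaway fixture. The same holds for `Ksub.example.net.+007+41747.private` (also a 512-bit modulus) and for the KSK in `Ksub.example.net.+007+42834.private`. The matching `.key` files already carry `;%` comment lines, so I would add one there, e.g. `; example key only: private half is published in this tree, never use for a real zone`, after confirming that the zkt key reader ignores plain `;` lines. I would not annotate the private-key files themselves, since it is not visible here whether their parser tolerates comments.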
@@ -1,3 +0,0 @@ -;% generationtime=20090624144422 -;% lifetime=3d -sub.example.net. IN DNSKEY 256 3 7 AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5 +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key deleted file mode 100644 index bd7002d907..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090630093509 -;% lifetime=3d -sub.example.net. IN DNSKEY 256 3 7 AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private deleted file mode 100644 index 03dfe535ff..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 7 (NSEC3RSASHA1) -Modulus: 24opa7iwrJyDng5gmdzj9PNvU4W/EbCECHilWmXTTcmvFP+lCMjD/MkUSdSDAIMOYZ982rvdJuTKSdPJdhF7aQ== -PublicExponent: AQAB -PrivateExponent: M7mksrWsIq8pr4axqe7KYr8sXqBneTJ+mURbqSXOmEfZrlUlW0GwbOoVcDwrStuknXF+34wo5Q3cMwk0DX95UQ== -Prime1: +rQpJtsPO9HubmItf5eIz0quciGA5CnaMrhkB00JGEU= -Prime2: 4C12MHLPRcYtMLNzbTOkqBWhRiBRy33Q/djerAxswtU= -Exponent1: zyXjxtZEPRJWJ2D55S5JfbZgc69ZN62ZPEV9aUbu190= -Exponent2: NMpf367Zopu1fpdzog6cQry9Oq9Xs6zQL0cHwMo4PnU= -Coefficient: dT+ysdkCUq1RU+toH16kAW5F7eQ3dAMGsYIII+scCYo= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.key new file mode 100644 index 0000000000..d91daac257 --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.key 
@@ -0,0 +1,3 @@ +;% generationtime=20100308221149 +;% lifetime=3d +sub.example.net. IN DNSKEY 256 3 7 AwEAAcIDTNHrG9ssCz/VueiPUQaw4IAM5GvECljWsX+SfXSCkhHg5loq +FXNRa80EJCyh5b0sicbdVOhJ9DVNaRKYxU= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.private new file mode 100644 index 0000000000..749ba93907 --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: wgNM0esb2ywLP9W56I9RBrDggAzka8QKWNaxf5J9dIKSEeDmWir4Vc1FrzQQkLKHlvSyJxt1U6En0NU1pEpjFQ== +PublicExponent: AQAB +PrivateExponent: fYBY/ynROTQCiuacfh3HUka00uCEGloUP2eSJm4CjYyQyy/he5haU0hcJw5JvxhI0pGj+eDEzaE+5oq1pKntOQ== +Prime1: 4YRNB1cSh3F9+pQglY5/H4STx2pIADAO0mRFO2Lu+Mc= +Prime2: 3DzZhCWENMYZvx9ovZTtIUIUpXEPtN4p7FqYC0OFgUM= +Exponent1: Dk7UjEir9kfvFDzdrF90FU3WCmrl0o06A4M1GUV3n/U= +Exponent2: ppnBUZ2vrNxOja2M5hzKZOZACAbHAuMsg4bkjWC+lVE= +Coefficient: LA7G4rCRiDP8P+Cg+JQUKBUgZ8F+dpGA3E/aVOYhaWw= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.key new file mode 100644 index 0000000000..984cbbe6ed --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.key @@ -0,0 +1,3 @@ +;% generationtime=20100124184339 +;% lifetime=7d +sub.example.net. IN DNSKEY 257 3 7 AwEAAfTQL8DTr3eYpPziT+cnKnzMewbEBtRxfkb697qoRK4pKkGYGVWu jIEyjts/aluYd+Nw85rvRFPNVJwmM63jvJapql1pKfyFPSl4YVJMxaCv OMhd1JATDnrTq70evQQmOHyxVKe8k9zk0GKeRgX8sl228AvdiGOfxWmT BoOxYowx diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.private new file mode 100644 index 0000000000..a0f44d7982 --- /dev/null 
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: 9NAvwNOvd5ik/OJP5ycqfMx7BsQG1HF+Rvr3uqhErikqQZgZVa6MgTKO2z9qW5h343Dzmu9EU81UnCYzreO8lqmqXWkp/IU9KXhhUkzFoK84yF3UkBMOetOrvR69BCY4fLFUp7yT3OTQYp5GBfyyXbbwC92IY5/FaZMGg7FijDE= +PublicExponent: AQAB +PrivateExponent: nn1ZLQDejBKqXX02NXPJsdm/m/W0ZjzDf7hiQNlG/WlxDd4mKK5EEDBnA9HeTUY792bcjuVv2sEHkb+5nU3efHdZypvY8wsvKKNUtxWJl9O5ip7GXh4/7YQeNKW/zgE1Xz+Yu6ht3e8XuxaIXHuQ5mBC0E5AUUYPhVBCTR08CkE= +Prime1: /MeAn2UCjXS8VIoi5Zp90w2qB6ub0wqeLCI0zpXCxWlLTrDSpFORdGuPEctE5cNlDX7y9gq6a5vxnN/b+DnNdQ== +Prime2: 9+6zb1zEpyJzcscrSVVjacjNbyI9OwfrA7XjU5PppCyFLRvP3+L/pjqgDhyoZmCo3VMqnOjxpIeffvmDsUjATQ== +Exponent1: ddE+4AwifnAUf4rK7R1u2/oYb+7KeDkQtB1VY5xl5cFH+mtsIm9Y8lxXmMGXYUgLR5kOASPK8/EBUk78pdu7KQ== +Exponent2: OIT16sEfI2q7HsNAnusUSp04F8maY8aeUK46MGdbr81mXq4kaUl6Ng7PRehKi2wlkq7O3A5OZ89zEKMY3mVTUQ== +Coefficient: ZO4OrBf5SCcbAccN63xHAlm/Pelu4wWw3yo/BaWPYE3Sf+FJt0O3TJQsmm5B+KbrruLsX6lWWHf4ZerizKFhKQ== diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key deleted file mode 100644 index 717e2bed3e..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090624144206 -;% lifetime=7d -sub.example.net. IN DNSKEY 257 3 7 AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5 UPSENnx3 diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private deleted file mode 100644 index 78137a9516..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 7 (NSEC3RSASHA1) -Modulus: xUmAx/vXLQzYp+uGIAogeSFLwyWCYpuORoFjnrNlEBAzAcnIw4NlwiAFC8+TEbD/Viv/m/dls7BUKPvN5h+9761GxdcERhO+js84sT0fSIx/r2+rtDGHzb+r4ukEfXzXyIOEGfqrR/vDDgWWjsHe7nMl/oUe6Xwk/HlQ9IQ2fHc= -PublicExponent: AQAB -PrivateExponent: pXM0BgLE/KnmVESnsdzsSMlMkTa2tt1/ns9J7UDDQ4piTGCd9qEOSJOzx6jnzJFkQS8a6QC8EMqSeeBaV2BNVucg336ie2jH+VVwBsrRzFdTTEr5Wouw62PWiW/FV285oxootXoGHeCTmVbwVBKfYrX6Wputp/sUc1haLL54COk= -Prime1: 5zo/AB88LX6pEk65CGtBjkB6Jx0RcR2Ekq0Q/GU8HkAsZxPhwnJAbp3pZs65g/Od4vh/lz/Uv/FTLX8efOTMKw== -Prime2: 2mxkQwk63bu3aeoAR1T1uwf7V9rty0QLZlyeVSGasfB+dv9Dihh9f7IXBX88VsMUIp7DPINm87sMi+jEJOSO5Q== -Exponent1: vUjIJABt0cxa+VqqTAMJQjr0BCreiVuhmDTGr+brhNQBxUvYRsYiiqsIUxmtciAuwousXxNoxMv3zEnAmnrtyw== -Exponent2: NhajWWpetmv2xnaY7REf7NnUJvRi8HQAMq/60XAJ48h/OK6LphXcdhO+2bChW4bhZJVWGZUcmHyYZckVUWF79Q== -Coefficient: tA/0qGPPL9RkgGhV4Bz/cBi6vOTTan0zpOPE+R/jabmSIrF9k9igghZvhHPG9bnMi5mY8cekzUm6bbOejZjy3g== diff --git a/contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net. b/contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net. deleted file mode 100644 index 8537da0250..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net. +++ /dev/null @@ -1,2 +0,0 @@ -sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6 -sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC diff --git a/contrib/zkt/examples/flat/sub.example.net/dnskey.db b/contrib/zkt/examples/flat/sub.example.net/dnskey.db deleted file mode 100644 index e312396ea6..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/dnskey.db +++ /dev/null 
@@ -1,29 +0,0 @@
-;
-; !!! Don't edit this file by hand.
-; !!! It will be generated by dnssec-signer.
-;
-; Last generation time Jun 30 2009 13:02:21
-;
-
-; *** List of Key Signing Keys ***
-; sub.example.net. tag=48516 algo=NSEC3RSASHA1 generated Jun 24 2009 16:42:06
-sub.example.net. 3600 IN DNSKEY 257 3 7 (
- AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD
- ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM
- f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5
- UPSENnx3
- ) ; key id = 48516
-
-; *** List of Zone Signing Keys ***
-; sub.example.net. tag=32345 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04
-sub.example.net. 3600 IN DNSKEY 256 3 7 (
- AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI
- w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
- ) ; key id = 32345
-
-; sub.example.net. tag=14600 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04
-sub.example.net. 3600 IN DNSKEY 256 3 7 (
- AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5
- +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
- ) ; key id = 14600
-
diff --git a/contrib/zkt/examples/flat/sub.example.net/dnssec.conf b/contrib/zkt/examples/flat/sub.example.net/dnssec.conf
deleted file mode 100644
index 8f90edb161..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/dnssec.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-
-resigninterval 1d
-sigvalidity 2d
-max_ttl 90s
-
-Serialformat: unixtime
-ksk_lifetime 1w
-ksk_algo N3RSASHA1
-ksk_bits 1024
-
-zsk_lifetime 3d
-zsk_algo N3RSASHA1
-zsk_bits 512
-
-dlv_domain "dlv.trusted-keys.de"
diff --git a/contrib/zkt/examples/flat/sub.example.net/dsset-sub.example.net. b/contrib/zkt/examples/flat/sub.example.net/dsset-sub.example.net.
deleted file mode 100644
index f35581d0ce..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/dsset-sub.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@ -sub.example.net. IN DS 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6 -sub.example.net. IN DS 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC diff --git a/contrib/zkt/examples/flat/sub.example.net/keyset-sub.example.net. b/contrib/zkt/examples/flat/sub.example.net/keyset-sub.example.net. deleted file mode 100644 index 5c58fad59a..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/keyset-sub.example.net. +++ /dev/null @@ -1,8 +0,0 @@ -$ORIGIN . -sub.example.net 7200 IN DNSKEY 257 3 7 ( - AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G - 3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau - dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF - pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V - VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f - ) ; key id = 18846 diff --git a/contrib/zkt/examples/flat/sub.example.net/maxhexsalt b/contrib/zkt/examples/flat/sub.example.net/maxhexsalt deleted file mode 100644 index 94bc5aff31..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/maxhexsalt +++ /dev/null @@ -1 +0,0 @@ -1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDE \ No newline at end of file diff --git a/contrib/zkt/examples/flat/sub.example.net/maxhexsalt+1 b/contrib/zkt/examples/flat/sub.example.net/maxhexsalt+1 deleted file mode 100644 index 6f1f3b5ccb..0000000000 --- a/contrib/zkt/examples/flat/sub.example.net/maxhexsalt+1 +++ /dev/null 
@@ -1 +0,0 @@ -1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDE1 \ No newline at end of file diff --git a/contrib/zkt/examples/flat/sub.example.net/zktlog-sub.example.net. b/contrib/zkt/examples/flat/sub.example.net/zktlog-sub.example.net. new file mode 100644 index 0000000000..01111fd312 --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/zktlog-sub.example.net. 
@@ -0,0 +1,321 @@
+2010-02-06 00:26:54.532: debug: Check RFC5011 status
+2010-02-06 00:26:54.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:26:54.533: debug: Check KSK status
+2010-02-06 00:26:54.533: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h43m15s
+2010-02-06 00:26:54.533: debug: Check ZSK status
+2010-02-06 00:26:54.533: debug: Re-signing not necessary!
+2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy
+2010-02-06 00:29:31.290: debug: Check RFC5011 status
+2010-02-06 00:29:31.290: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:29:31.290: debug: Check KSK status
+2010-02-06 00:29:31.290: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h45m52s
+2010-02-06 00:29:31.290: debug: Check ZSK status
+2010-02-06 00:29:31.290: debug: Re-signing not necessary!
+2010-02-06 00:29:31.290: debug: Check if there is a parent file to copy
+2010-02-06 00:40:35.043: debug: Check RFC5011 status
+2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:40:35.043: debug: Check KSK status
+2010-02-06 00:40:35.043: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h56m56s
+2010-02-06 00:40:35.043: debug: Check ZSK status
+2010-02-06 00:40:35.043: debug: Re-signing not necessary!
+2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy
+2010-02-06 00:52:55.402: debug: Check RFC5011 status
+2010-02-06 00:52:55.402: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:52:55.402: debug: Check KSK status
+2010-02-06 00:52:55.403: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d5h9m16s
+2010-02-06 00:52:55.403: debug: Check ZSK status
+2010-02-06 00:52:55.403: debug: Re-signing not necessary!
+2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy
+2010-02-07 13:53:47.883: debug: Check RFC5011 status
+2010-02-07 13:53:47.883: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:53:47.883: debug: Check KSK status
+2010-02-07 13:53:47.883: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m8s
+2010-02-07 13:53:47.883: debug: Check ZSK status
+2010-02-07 13:53:47.883: debug: Re-signing necessary: re-signing interval (1d) reached
+2010-02-07 13:53:47.884: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached
+2010-02-07 13:53:47.884: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 13:53:47.884: debug: Signing zone "sub.example.net."
+2010-02-07 13:53:47.884: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 880820 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-07 13:53:48.303: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:53:48.304: debug: Signing completed after 1s.
+2010-02-07 13:54:03.465: debug: Check RFC5011 status
+2010-02-07 13:54:03.465: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:03.465: debug: Check KSK status
+2010-02-07 13:54:03.466: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m24s
+2010-02-07 13:54:03.466: debug: Check ZSK status
+2010-02-07 13:54:03.466: debug: Re-signing not necessary!
+2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy +2010-02-07 13:54:07.955: debug: Check RFC5011 status +2010-02-07 13:54:07.955: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 13:54:07.955: debug: Check KSK status +2010-02-07 13:54:07.955: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m28s +2010-02-07 13:54:07.955: debug: Check ZSK status +2010-02-07 13:54:07.956: debug: Re-signing necessary: Option -f +2010-02-07 13:54:07.956: notice: "sub.example.net.": re-signing triggered: Option -f +2010-02-07 13:54:07.956: debug: Writing key file "./sub.example.net/dnskey.db" +2010-02-07 13:54:07.956: debug: Signing zone "sub.example.net." +2010-02-07 13:54:07.956: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 325964 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1" +2010-02-07 13:54:08.003: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-07 13:54:08.003: debug: Signing completed after 1s. +2010-02-07 13:54:08.003: notice: "sub.example.net.": distribution triggered +2010-02-07 13:54:08.003: debug: Distribute zone "sub.example.net." +2010-02-07 13:54:08.003: debug: Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed " +2010-02-07 13:54:08.013: debug: ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./" +2010-02-07 13:54:08.013: notice: "sub.example.net.": reload triggered +2010-02-07 13:54:08.013: debug: Reload zone "sub.example.net." +2010-02-07 13:54:08.013: debug: Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed " +2010-02-07 13:54:08.019: debug: ./dist.sh reload return: "rndc reload sub.example.net. 
" +2010-02-07 14:06:27.669: debug: Check RFC5011 status +2010-02-07 14:06:27.669: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 14:06:27.669: debug: Check KSK status +2010-02-07 14:06:27.669: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m48s +2010-02-07 14:06:27.669: debug: Check ZSK status +2010-02-07 14:06:27.669: debug: Re-signing not necessary! +2010-02-07 14:06:27.670: debug: Check if there is a parent file to copy +2010-02-07 14:06:33.713: debug: Check RFC5011 status +2010-02-07 14:06:33.713: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 14:06:33.713: debug: Check KSK status +2010-02-07 14:06:33.713: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m54s +2010-02-07 14:06:33.713: debug: Check ZSK status +2010-02-07 14:06:33.714: debug: Re-signing necessary: Option -f +2010-02-07 14:06:33.714: notice: "sub.example.net.": re-signing triggered: Option -f +2010-02-07 14:06:33.714: debug: Writing key file "./sub.example.net/dnskey.db" +2010-02-07 14:06:33.714: debug: Signing zone "sub.example.net." +2010-02-07 14:06:33.714: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 4A3DFB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1" +2010-02-07 14:06:33.745: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-07 14:06:33.745: debug: Signing completed after 0s. +2010-02-07 14:06:33.745: notice: "sub.example.net.": distribution triggered +2010-02-07 14:06:33.745: debug: Distribute zone "sub.example.net." +2010-02-07 14:06:33.745: debug: Run cmd "./dist.sh distribute sub.example.net. 
./sub.example.net/zone.db.signed " +2010-02-07 14:06:33.749: debug: ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./" +2010-02-07 14:06:33.749: notice: "sub.example.net.": reload triggered +2010-02-07 14:06:33.749: debug: Reload zone "sub.example.net." +2010-02-07 14:06:33.749: debug: Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed " +2010-02-07 14:06:33.753: debug: ./dist.sh reload return: "rndc reload sub.example.net. " +2010-02-21 12:50:43.176: debug: Check RFC5011 status +2010-02-21 12:50:43.176: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:50:43.176: debug: Check KSK status +2010-02-21 12:50:43.176: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m4s +2010-02-21 12:50:43.176: debug: Check ZSK status +2010-02-21 12:50:43.176: debug: Lifetime(259200 +/-150 sec) of active key 7505 exceeded (1345179 sec) +2010-02-21 12:50:43.176: debug: ->depreciate it +2010-02-21 12:50:43.176: debug: ->activate published key 57167 +2010-02-21 12:50:43.176: notice: "sub.example.net.": lifetime of zone signing key 7505 exceeded: ZSK rollover done +2010-02-21 12:50:43.176: debug: New key for publishing needed +2010-02-21 12:50:43.445: debug: ->creating new key 49712 +2010-02-21 12:50:43.445: info: "sub.example.net.": new key 49712 generated for publishing +2010-02-21 12:50:43.445: debug: Re-signing necessary: Modfied zone key set +2010-02-21 12:50:43.445: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2010-02-21 12:50:43.445: debug: Writing key file "./sub.example.net/dnskey.db" +2010-02-21 12:50:43.445: debug: Signing zone "sub.example.net." +2010-02-21 12:50:43.445: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 2E31B5 -C -g -p -d ../keysets -o sub.example.net. 
-e +172800 -N unixtime zone.db K*.private 2>&1" +2010-02-21 12:50:43.580: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 12:50:43.580: debug: Signing completed after 0s. +2010-02-21 12:50:51.158: debug: Check RFC5011 status +2010-02-21 12:50:51.158: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:50:51.158: debug: Check KSK status +2010-02-21 12:50:51.159: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m12s +2010-02-21 12:50:51.159: debug: Check ZSK status +2010-02-21 12:50:51.159: debug: Re-signing necessary: Modfied zone key set +2010-02-21 12:50:51.159: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2010-02-21 12:50:51.159: debug: Writing key file "./sub.example.net/dnskey.db" +2010-02-21 12:50:51.159: debug: Signing zone "sub.example.net." +2010-02-21 12:50:51.159: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 41F65A -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1" +2010-02-21 12:50:51.205: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 12:50:51.205: debug: Signing completed after 0s. +2010-02-21 12:51:23.497: debug: Check RFC5011 status +2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:51:23.497: debug: Check KSK status +2010-02-21 12:51:23.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m44s +2010-02-21 12:51:23.497: debug: Check ZSK status +2010-02-21 12:51:23.497: debug: Re-signing not necessary! 
+2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy
+2010-02-21 19:16:18.384: debug: Check RFC5011 status
+2010-02-21 19:16:18.384: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:16:18.384: debug: Check KSK status
+2010-02-21 19:16:18.385: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h32m39s
+2010-02-21 19:16:18.385: debug: Check ZSK status
+2010-02-21 19:16:18.385: debug: Lifetime(390 sec) of depreciated key 7505 exceeded (23135 sec)
+2010-02-21 19:16:18.385: info: "sub.example.net.": old ZSK 7505 removed
+2010-02-21 19:16:18.401: debug: ->remove it
+2010-02-21 19:16:18.401: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 19:16:18.401: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 19:16:18.401: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:16:18.401: debug: Signing zone "sub.example.net."
+2010-02-21 19:16:18.401: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 3DADF2 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:16:18.593: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:16:18.593: debug: Signing completed after 0s.
+2010-02-21 19:32:11.378: debug: Check RFC5011 status
+2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:11.378: debug: Check KSK status
+2010-02-21 19:32:11.378: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m32s
+2010-02-21 19:32:11.378: debug: Check ZSK status
+2010-02-21 19:32:11.378: debug: Re-signing not necessary!
+2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy +2010-02-21 19:32:15.930: debug: Check RFC5011 status +2010-02-21 19:32:15.930: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:32:15.930: debug: Check KSK status +2010-02-21 19:32:15.930: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m36s +2010-02-21 19:32:15.930: debug: Check ZSK status +2010-02-21 19:32:15.930: debug: Re-signing necessary: Option -f +2010-02-21 19:32:15.930: notice: "sub.example.net.": re-signing triggered: Option -f +2010-02-21 19:32:15.930: debug: Writing key file "./sub.example.net/dnskey.db" +2010-02-21 19:32:15.931: debug: Signing zone "sub.example.net." +2010-02-21 19:32:15.931: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 623FD7 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1" +2010-02-21 19:32:15.982: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 19:32:15.982: debug: Signing completed after 0s. +2010-02-21 19:32:32.203: debug: Check RFC5011 status +2010-02-21 19:32:32.203: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:32:32.203: debug: Check KSK status +2010-02-21 19:32:32.203: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m53s +2010-02-21 19:32:32.203: debug: Check ZSK status +2010-02-21 19:32:32.203: debug: Re-signing necessary: Option -f +2010-02-21 19:32:32.203: notice: "sub.example.net.": re-signing triggered: Option -f +2010-02-21 19:32:32.203: debug: Writing key file "./sub.example.net/dnskey.db" +2010-02-21 19:32:32.203: debug: Signing zone "sub.example.net." +2010-02-21 19:32:32.203: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 C522CA -C -g -p -d ../keysets -o sub.example.net. 
-e +172800 -N unixtime zone.db K*.private 2>&1" +2010-02-21 19:32:32.232: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 19:32:32.232: debug: Signing completed after 0s. +2010-02-25 00:12:26.443: debug: Check RFC5011 status +2010-02-25 00:12:26.443: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-25 00:12:26.443: debug: Check KSK status +2010-02-25 00:12:26.443: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w3d4h28m47s +2010-02-25 00:12:26.443: debug: Check ZSK status +2010-02-25 00:12:26.443: debug: Lifetime(259200 +/-150 sec) of active key 57167 exceeded (300103 sec) +2010-02-25 00:12:26.443: debug: ->depreciate it +2010-02-25 00:12:26.444: debug: ->activate published key 49712 +2010-02-25 00:12:26.444: notice: "sub.example.net.": lifetime of zone signing key 57167 exceeded: ZSK rollover done +2010-02-25 00:12:26.444: debug: New key for publishing needed +2010-02-25 00:12:26.902: debug: ->creating new key 65009 +2010-02-25 00:12:26.902: info: "sub.example.net.": new key 65009 generated for publishing +2010-02-25 00:12:26.902: debug: Re-signing necessary: Modfied zone key set +2010-02-25 00:12:26.902: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2010-02-25 00:12:26.902: debug: Writing key file "./sub.example.net/dnskey.db" +2010-02-25 00:12:26.902: debug: Signing zone "sub.example.net." +2010-02-25 00:12:26.902: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9AA7CB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1" +2010-02-25 00:12:27.016: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-25 00:12:27.016: debug: Signing completed after 1s. 
+2010-02-25 23:42:20.653: debug: Check RFC5011 status
+2010-02-25 23:42:20.653: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:20.653: debug: Check KSK status
+2010-02-25 23:42:20.653: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w4d3h58m41s
+2010-02-25 23:42:20.653: debug: Check ZSK status
+2010-02-25 23:42:20.653: debug: Lifetime(390 sec) of depreciated key 57167 exceeded (84594 sec)
+2010-02-25 23:42:20.653: info: "sub.example.net.": old ZSK 57167 removed
+2010-02-25 23:42:20.661: debug: ->remove it
+2010-02-25 23:42:20.661: debug: Re-signing necessary: Modfied zone key set
+2010-02-25 23:42:20.661: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:20.661: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-25 23:42:20.662: debug: Signing zone "sub.example.net."
+2010-02-25 23:42:20.662: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 2942EB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-25 23:42:21.012: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 23:42:21.012: debug: Signing completed after 1s.
+2010-03-02 10:59:11.845: debug: Check RFC5011 status
+2010-03-02 10:59:11.845: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:11.845: debug: Check KSK status
+2010-03-02 10:59:11.846: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w1d15h15m32s
+2010-03-02 10:59:11.846: debug: Check ZSK status
+2010-03-02 10:59:11.846: debug: Lifetime(259200 +/-150 sec) of active key 49712 exceeded (470805 sec)
+2010-03-02 10:59:11.846: debug: ->depreciate it
+2010-03-02 10:59:11.846: debug: ->activate published key 65009
+2010-03-02 10:59:11.846: notice: "sub.example.net.": lifetime of zone signing key 49712 exceeded: ZSK rollover done
+2010-03-02 10:59:11.846: debug: New key for publishing needed
+2010-03-02 10:59:12.256: debug: ->creating new key 27377
+2010-03-02 10:59:12.256: info: "sub.example.net.": new key 27377 generated for publishing
+2010-03-02 10:59:12.256: debug: Re-signing necessary: Modfied zone key set
+2010-03-02 10:59:12.256: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-02 10:59:12.256: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-02 10:59:12.256: debug: Signing zone "sub.example.net."
+2010-03-02 10:59:12.256: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 F9A34F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-02 10:59:12.415: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-02 10:59:12.416: debug: Signing completed after 0s.
+2010-03-03 23:22:00.127: debug: Check RFC5011 status
+2010-03-03 23:22:00.127: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-03 23:22:00.127: debug: Check KSK status
+2010-03-03 23:22:00.127: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w3d3h38m21s
+2010-03-03 23:22:00.127: debug: Check ZSK status
+2010-03-03 23:22:00.127: debug: Lifetime(390 sec) of depreciated key 49712 exceeded (130969 sec)
+2010-03-03 23:22:00.127: info: "sub.example.net.": old ZSK 49712 removed
+2010-03-03 23:22:00.127: debug: ->remove it
+2010-03-03 23:22:00.127: debug: Re-signing necessary: Modfied zone key set
+2010-03-03 23:22:00.127: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-03 23:22:00.127: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-03 23:22:00.127: debug: Signing zone "sub.example.net."
+2010-03-03 23:22:00.127: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 A3B721 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-03 23:22:00.394: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-03 23:22:00.394: debug: Signing completed after 0s.
+2010-03-08 23:11:49.663: debug: Check RFC5011 status
+2010-03-08 23:11:49.663: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:11:49.663: debug: Check KSK status
+2010-03-08 23:11:49.663: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h28m10s
+2010-03-08 23:11:49.664: debug: Check ZSK status
+2010-03-08 23:11:49.664: debug: Lifetime(259200 +/-150 sec) of active key 65009 exceeded (562358 sec)
+2010-03-08 23:11:49.664: debug: ->depreciate it
+2010-03-08 23:11:49.664: debug: ->activate published key 27377
+2010-03-08 23:11:49.664: notice: "sub.example.net.": lifetime of zone signing key 65009 exceeded: ZSK rollover done
+2010-03-08 23:11:49.664: debug: New key for publishing needed
+2010-03-08 23:11:50.060: debug: ->creating new key 41747
+2010-03-08 23:11:50.060: info: "sub.example.net.": new key 41747 generated for publishing
+2010-03-08 23:11:50.060: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:11:50.061: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:11:50.061: debug: Writing key file "././sub.example.net/dnskey.db"
+2010-03-08 23:11:50.061: debug: Signing zone "sub.example.net."
+2010-03-08 23:11:50.061: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 71C04F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-08 23:11:50.169: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:11:50.169: debug: Signing completed after 0s.
+2010-03-08 23:18:52.243: debug: Check RFC5011 status
+2010-03-08 23:18:52.243: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:18:52.243: debug: Check KSK status
+2010-03-08 23:18:52.243: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h35m13s
+2010-03-08 23:18:52.243: debug: Check ZSK status
+2010-03-08 23:18:52.243: debug: Lifetime(390 sec) of depreciated key 65009 exceeded (423 sec)
+2010-03-08 23:18:52.243: info: "sub.example.net.": old ZSK 65009 removed
+2010-03-08 23:18:52.243: debug: ->remove it
+2010-03-08 23:18:52.243: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:18:52.243: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:18:52.243: debug: Writing key file "././sub.example.net/dnskey.db"
+2010-03-08 23:18:52.243: debug: Signing zone "sub.example.net."
+2010-03-08 23:18:52.243: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 CF729B -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-08 23:18:52.287: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:18:52.287: debug: Signing completed after 0s.
+2010-03-11 23:46:35.497: debug: Check RFC5011 status
+2010-03-11 23:46:35.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:46:35.497: debug: Check KSK status
+2010-03-11 23:46:35.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h2m56s
+2010-03-11 23:46:35.498: debug: Check ZSK status
+2010-03-11 23:46:35.498: debug: Lifetime(259200 +/-150 sec) of active key 27377 exceeded (261286 sec)
+2010-03-11 23:46:35.498: debug: ->depreciate it
+2010-03-11 23:46:35.498: debug: ->activate published key 41747
+2010-03-11 23:46:35.498: notice: "sub.example.net.": lifetime of zone signing key 27377 exceeded: ZSK rollover done
+2010-03-11 23:46:35.498: debug: New key for publishing needed
+2010-03-11 23:46:35.768: debug: ->creating new key 2048
+2010-03-11 23:46:35.768: info: "sub.example.net.": new key 2048 generated for publishing
+2010-03-11 23:46:35.768: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:46:35.768: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:46:35.768: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-11 23:46:35.768: debug: Signing zone "sub.example.net."
+2010-03-11 23:46:35.768: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B86C9F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-11 23:46:35.814: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:46:35.814: debug: Signing completed after 0s.
+2010-03-11 23:52:33.132: debug: Check RFC5011 status
+2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:52:33.132: debug: Check KSK status
+2010-03-11 23:52:33.132: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h8m54s
+2010-03-11 23:52:33.132: debug: Check ZSK status
+2010-03-11 23:52:33.132: debug: Re-signing not necessary!
+2010-03-11 23:52:33.132: debug: Check if there is a parent file to copy
+2010-03-11 23:53:27.804: debug: Check RFC5011 status
+2010-03-11 23:53:27.804: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:53:27.804: debug: Check KSK status
+2010-03-11 23:53:27.804: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h9m48s
+2010-03-11 23:53:27.804: debug: Check ZSK status
+2010-03-11 23:53:27.804: debug: Lifetime(390 sec) of depreciated key 27377 exceeded (412 sec)
+2010-03-11 23:53:27.804: info: "sub.example.net.": old ZSK 27377 removed
+2010-03-11 23:53:27.804: debug: ->remove it
+2010-03-11 23:53:27.804: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:53:27.804: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:53:27.804: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-11 23:53:27.804: debug: Signing zone "sub.example.net."
+2010-03-11 23:53:27.805: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 67AA7F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-11 23:53:27.856: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:53:27.856: debug: Signing completed after 0s.
diff --git a/contrib/zkt/examples/flat/sub.example.net/zone.db b/contrib/zkt/examples/flat/sub.example.net/zone.db
deleted file mode 100644
index 1eb2d9e106..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/zone.db
+++ /dev/null
@@ -1,25 +0,0 @@
-;-----------------------------------------------------------------
-;
-; @(#) sub.example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ IN SOA ns1.example.net. hostmaster.example.net. (
- 2 ; Serial
- 86400 ; Refresh (RIPE recommendation if NOTIFY is used)
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
-
- IN NS ns1.example.net.
-
-$INCLUDE dnskey.db
-
-localhost IN A 127.0.0.1
-
-a IN A 1.2.3.4
-b IN A 1.2.3.5
-c IN A 1.2.3.6
diff --git a/contrib/zkt/examples/flat/sub.example.net/zone.db.signed b/contrib/zkt/examples/flat/sub.example.net/zone.db.signed
deleted file mode 100644
index c82f3ff090..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/zone.db.signed
+++ /dev/null
@@ -1,109 +0,0 @@ -; File written on Tue Jun 30 13:02:21 2009 -; dnssec_signzone version 9.7.0a1 -sub.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( - 1246359741 ; serial - 86400 ; refresh (1 day) - 1800 ; retry (30 minutes) - 1209600 ; expire (2 weeks) - 7200 ; minimum (2 hours) - ) - 7200 RRSIG SOA 7 3 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - xaNZK008xUwN1mWIUMpMNljZ7mOsYyzQ89ug - Ephuttdlqm5KdMAlopa9Qfgw+83YQzyonAKj - beUBuNmOKBwgQw== ) - 7200 NS ns1.example.net. - 7200 RRSIG NS 7 3 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - xVsGH4dLDwHBhRo/R+BlQMgdXW5Y80xVEiYY - jrPH3A1j8i+PotbNA0F7eKA/0fKFmj4biCAK - LPErXQ8ObaggQA== ) - 3600 DNSKEY 256 3 7 ( - AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOk - GVXL/kII5le3sH8Ud9f5+3ObrK1FEPo9WB1z - NwICF4QjetjqUGta4Ak= - ) ; key id = 14600 - 3600 DNSKEY 256 3 7 ( - AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGw - hAh4pVpl003JrxT/pQjIw/zJFEnUgwCDDmGf - fNq73SbkyknTyXYRe2k= - ) ; key id = 32345 - 3600 DNSKEY 257 3 7 ( - AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb - jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr - /5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9 - H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7 - ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3 - ) ; key id = 48516 - 3600 RRSIG DNSKEY 7 3 3600 20090702100221 ( - 20090630100221 32345 sub.example.net. - 2P0CEAUnKV6Pa3Ryl1naH9Ve/va1k7oKyJyB - dinSyD/UVnGV7+iipUgDOcOAbNCYBCUVfKE9 - GcBg3KQvJl0+AQ== ) - 3600 RRSIG DNSKEY 7 3 3600 20090702100221 ( - 20090630100221 48516 sub.example.net. - PB5I2/PuswNIxwDykcQEc/4+aUx/dJg9YfXx - f1gZL5ayZK01dVYsoZ8USV9IEX27NqFwjQO/ - iTgB3eAEeBf4283XZ3VeXQRJ4iaMbL42TVid - qlKHQgniTPJAoytNRFVDvU3196YJECb8Z7L5 - F6avz0sLu3gtDu/nwyyK/5Hf3kM= ) - 0 NSEC3PARAM 1 0 100 86F43F - 0 RRSIG NSEC3PARAM 7 3 0 20090702100221 ( - 20090630100221 32345 sub.example.net. - e6ABPEvRsRxDn/6VaDlZWctckrXmO3KhmTF0 - gtn7V+kR5J07XF+iS7jnfpEDUJWSRhJDTtVV - 3uTWjwSs7kyfDQ== ) -a.sub.example.net. 
7200 IN A 1.2.3.4 - 7200 RRSIG A 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - GEvo0V/h1H5LQz1hAd6FtgN1cX/FR1ADLDjD - LEcrzGVBqPCB7OjyXVsHqjq3uGmFI7uZn+K/ - hXTkHJif/0w78g== ) -b.sub.example.net. 7200 IN A 1.2.3.5 - 7200 RRSIG A 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - OVvrujb8/jziQqf37zHnTOQCz2e5RAVCpdt4 - rqd8U/Jzf36tKkPD1qSIJ8zJaAY3LfOLNYDU - T10UWy4dnxfoNQ== ) -c.sub.example.net. 7200 IN A 1.2.3.6 - 7200 RRSIG A 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - b8A0VTnFi194xkeSKpK6iHcgDvuKGSFzZHSd - qPmMwJzflTmsLTxgXEZ9KY4BDbccSTaJVEwr - JJ+/QuqBHFyISQ== ) -localhost.sub.example.net. 7200 IN A 127.0.0.1 - 7200 RRSIG A 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - HtRrjUhpveofocEBNMEc++mYg9oYfZgnANA5 - TyuS20tcCw/rAhGh3E3vMyhBBq4Ps1QT74+f - S06Z9C5YaKI7ig== ) -7EJ08VDH70TNH3I9SD4MDBVA4S00PALI.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG A RRSIG - 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - L1QIfw4hfGk4jSWBeWWGviTAt/2i1wRXE2Qe - yspyHNhG38jzGKXR5WH7FLdBzbqMHUHv9i+k - /t2mOvXB11pLqQ== ) -AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F D0RE91KNGIR4STOQOPTK16C5C63NN2S0 NS SOA RRSIG DNSKEY NSEC3PARAM - 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - I7JJTzzkJF3lB/A68KCuihWUMUY9PCW39PEa - axi5WDld4ceWVoGx18mPePrlmvjwepo9UGqc - ivGHaozr64hBjg== ) -D0RE91KNGIR4STOQOPTK16C5C63NN2S0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F K46BIT3RVSBTLC8I8H312CFSNECEJ3S4 A RRSIG - 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - Q1g/fnqJl9tq35CoDFccQ7Ba7BcSzcsY35J5 - h5DgaHkaAmj6QOX1pdfIuVhw0Ow9aBB4XrZo - wHjm0Ab+ez7COg== ) -K46BIT3RVSBTLC8I8H312CFSNECEJ3S4.sub.example.net. 
7200 IN NSEC3 1 0 100 86F43F L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0 A RRSIG - 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - AIfEvkwdU9GE5bBp8OBc0xJtjfF7NAVMkquB - 2UQzZgZP+63/nq2+uml+79Gwlc7KBjLjLfRr - eARbsKjcsRJF7A== ) -L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F 7EJ08VDH70TNH3I9SD4MDBVA4S00PALI A RRSIG - 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( - 20090630100221 32345 sub.example.net. - IVMkxbD3eWr39sqXSJ6ARCyiMjeFB6xs+Bxc - BRKJ6TCRBRHDlp1Rf7AM+jQgKMAe3Tm+OqVn - zBrGA0FxGvo4Pg== ) diff --git a/contrib/zkt/examples/flat/zkt.log b/contrib/zkt/examples/flat/zkt.log deleted file mode 100644 index 74582ddf26..0000000000 --- a/contrib/zkt/examples/flat/zkt.log +++ /dev/null 
@@ -1,1031 +0,0 @@ -2008-12-18 01:02:56.187: notice: ------------------------------------------------------------ -2008-12-18 01:02:56.187: notice: running ../../dnssec-signer -v -v -2008-12-18 01:02:56.589: debug: parsing zone "sub.example.net." in dir "./sub.example.net" -2008-12-18 01:02:56.589: debug: Check RFC5011 status -2008-12-18 01:02:56.589: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2008-12-18 01:02:56.589: debug: Check KSK status -2008-12-18 01:02:56.589: debug: Check ZSK status -2008-12-18 01:02:56.590: debug: Lifetime(390 sec) of depreciated key 45361 exceeded (124287 sec) -2008-12-18 01:02:56.590: info: "sub.example.net.": old ZSK 45361 removed -2008-12-18 01:02:56.604: debug: ->remove it -2008-12-18 01:02:56.604: debug: Re-signing necessary: Modfied zone key set -2008-12-18 01:02:56.604: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2008-12-18 01:02:56.604: debug: Writing key file "./sub.example.net/dnskey.db" -2008-12-18 01:02:56.605: debug: Signing zone "sub.example.net." -2008-12-18 01:02:56.605: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -3 BE70E4 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2008-12-18 01:02:56.970: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-12-18 01:02:56.971: debug: Signing completed after 0s. -2008-12-18 01:02:56.971: debug: -2008-12-18 01:02:56.971: debug: parsing zone "example.net." 
in dir "./example.net" -2008-12-18 01:02:56.971: debug: Check RFC5011 status -2008-12-18 01:02:56.971: debug: Check ZSK status -2008-12-18 01:02:56.971: debug: Re-signing necessary: Zone file edited -2008-12-18 01:02:56.971: notice: "example.net.": re-signing triggered: Zone file edited -2008-12-18 01:02:56.972: debug: Writing key file "./example.net/dnskey.db" -2008-12-18 01:02:56.972: debug: Incrementing serial number in file "./example.net/zone.db" -2008-12-18 01:02:56.973: debug: Signing zone "example.net." -2008-12-18 01:02:56.973: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2008-12-18 01:02:57.106: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-12-18 01:02:57.106: debug: Signing completed after 1s. -2008-12-18 01:02:57.106: debug: -2008-12-18 01:02:57.106: notice: end of run: 0 errors occured -2008-12-18 01:03:01.191: notice: ------------------------------------------------------------ -2008-12-18 01:03:01.192: notice: running ../../dnssec-signer -d -v -v -2008-12-18 01:03:01.194: debug: parsing zone "dyn.example.net." 
in dir "./dyn.example.net" -2008-12-18 01:03:01.194: debug: Check RFC5011 status -2008-12-18 01:03:01.194: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2008-12-18 01:03:01.194: debug: Check KSK status -2008-12-18 01:03:01.194: warning: "dyn.example.net.": lifetime of key signing key 42138 exceeded since 10w4d3h1m4s -2008-12-18 01:03:01.194: debug: Check ZSK status -2008-12-18 01:03:01.195: debug: Lifetime(1209600 +/-150 sec) of active key 1355 exceeded (11588464 sec) -2008-12-18 01:03:01.195: debug: ->depreciate it -2008-12-18 01:03:01.195: debug: ->activate published key 10643 -2008-12-18 01:03:01.195: notice: "dyn.example.net.": lifetime of zone signing key 1355 exceeded: ZSK rollover done -2008-12-18 01:03:01.196: debug: Re-signing necessary: Modfied zone key set -2008-12-18 01:03:01.196: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set -2008-12-18 01:03:01.196: debug: Writing key file "./dyn.example.net/dnskey.db" -2008-12-18 01:03:01.196: debug: Signing zone "dyn.example.net." -2008-12-18 01:03:01.196: notice: "dyn.example.net.": freeze dynamic zone -2008-12-18 01:03:01.196: debug: freeze dynamic zone "dyn.example.net." -2008-12-18 01:03:01.197: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." -2008-12-18 01:03:01.628: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db -2008-12-18 01:03:01.653: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private" -2008-12-18 01:03:01.792: debug: Cmd dnssec-signzone return: "zone.db.dsigned" -2008-12-18 01:03:01.792: notice: "dyn.example.net.": thaw dynamic zone -2008-12-18 01:03:01.792: debug: thaw dynamic zone "dyn.example.net." -2008-12-18 01:03:01.792: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." -2008-12-18 01:03:01.802: debug: Signing completed after 0s. 
-2008-12-18 01:03:01.802: debug: -2008-12-18 01:03:01.802: notice: end of run: 0 errors occured -2008-12-28 23:06:27.762: notice: ------------------------------------------------------------ -2008-12-28 23:06:27.762: notice: running ../../dnssec-signer -v -v -2008-12-28 23:06:27.764: debug: parsing zone "sub.example.net." in dir "./sub.example.net" -2008-12-28 23:06:27.765: debug: Check RFC5011 status -2008-12-28 23:06:27.765: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2008-12-28 23:06:27.765: debug: Check KSK status -2008-12-28 23:06:27.765: debug: Check ZSK status -2008-12-28 23:06:27.765: debug: Lifetime(259200 +/-150 sec) of active key 22440 exceeded (1067698 sec) -2008-12-28 23:06:27.765: debug: ->depreciate it -2008-12-28 23:06:27.766: debug: ->activate published key 5823 -2008-12-28 23:06:27.766: notice: "sub.example.net.": lifetime of zone signing key 22440 exceeded: ZSK rollover done -2008-12-28 23:06:27.766: debug: New key for publishing needed -2008-12-28 23:06:28.696: debug: ->creating new key 4710 -2008-12-28 23:06:28.696: info: "sub.example.net.": new key 4710 generated for publishing -2008-12-28 23:06:28.696: debug: Re-signing necessary: Modfied zone key set -2008-12-28 23:06:28.696: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2008-12-28 23:06:28.696: debug: Writing key file "./sub.example.net/dnskey.db" -2008-12-28 23:06:28.697: debug: Signing zone "sub.example.net." -2008-12-28 23:06:28.697: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -3 B9D9AA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2008-12-28 23:06:28.804: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-12-28 23:06:28.804: debug: Signing completed after 0s. -2008-12-28 23:06:28.804: debug: -2008-12-28 23:06:28.804: debug: parsing zone "example.net." 
in dir "./example.net" -2008-12-28 23:06:28.804: debug: Check RFC5011 status -2008-12-28 23:06:28.804: debug: Check ZSK status -2008-12-28 23:06:28.804: debug: Re-signing necessary: re-signing interval (2d) reached -2008-12-28 23:06:28.804: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached -2008-12-28 23:06:28.804: debug: Writing key file "./example.net/dnskey.db" -2008-12-28 23:06:28.805: debug: Incrementing serial number in file "./example.net/zone.db" -2008-12-28 23:06:28.805: debug: Signing zone "example.net." -2008-12-28 23:06:28.805: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2008-12-28 23:06:28.898: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-12-28 23:06:28.898: debug: Signing completed after 0s. -2008-12-28 23:06:28.898: debug: -2008-12-28 23:06:28.899: notice: end of run: 0 errors occured -2008-12-28 23:07:39.896: notice: ------------------------------------------------------------ -2008-12-28 23:07:39.896: notice: running ../../dnssec-signer -v -v -N named.conf -2008-12-28 23:07:39.899: debug: parsing zone "sub.example.net." in dir "././sub.example.net" -2008-12-28 23:07:39.899: debug: Check RFC5011 status -2008-12-28 23:07:39.899: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2008-12-28 23:07:39.899: debug: Check KSK status -2008-12-28 23:07:39.899: debug: Check ZSK status -2008-12-28 23:07:39.899: debug: Re-signing not necessary! -2008-12-28 23:07:39.899: debug: Check if there is a parent file to copy -2008-12-28 23:07:39.899: debug: -2008-12-28 23:07:39.899: debug: parsing zone "example.net." in dir "././example.net" -2008-12-28 23:07:39.899: debug: Check RFC5011 status -2008-12-28 23:07:39.899: debug: Check ZSK status -2008-12-28 23:07:39.899: debug: Re-signing not necessary! 
-2008-12-28 23:07:39.899: debug: Check if there is a parent file to copy -2008-12-28 23:07:39.899: debug: -2008-12-28 23:07:39.899: notice: end of run: 0 errors occured -2008-12-28 23:08:02.141: notice: ------------------------------------------------------------ -2008-12-28 23:08:02.141: notice: running ../../dnssec-signer -f -v -v -N named.conf -2008-12-28 23:08:02.143: debug: parsing zone "sub.example.net." in dir "././sub.example.net" -2008-12-28 23:08:02.143: debug: Check RFC5011 status -2008-12-28 23:08:02.143: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2008-12-28 23:08:02.143: debug: Check KSK status -2008-12-28 23:08:02.143: debug: Check ZSK status -2008-12-28 23:08:02.143: debug: Re-signing necessary: Option -f -2008-12-28 23:08:02.143: notice: "sub.example.net.": re-signing triggered: Option -f -2008-12-28 23:08:02.143: debug: Writing key file "././sub.example.net/dnskey.db" -2008-12-28 23:08:02.144: debug: Signing zone "sub.example.net." -2008-12-28 23:08:02.144: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 B5EA98 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2008-12-28 23:08:02.266: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-12-28 23:08:02.266: debug: Signing completed after 0s. -2008-12-28 23:08:02.266: debug: -2008-12-28 23:08:02.266: debug: parsing zone "example.net." in dir "././example.net" -2008-12-28 23:08:02.266: debug: Check RFC5011 status -2008-12-28 23:08:02.266: debug: Check ZSK status -2008-12-28 23:08:02.266: debug: Re-signing necessary: Option -f -2008-12-28 23:08:02.266: notice: "example.net.": re-signing triggered: Option -f -2008-12-28 23:08:02.266: debug: Writing key file "././example.net/dnskey.db" -2008-12-28 23:08:02.267: debug: Incrementing serial number in file "././example.net/zone.db" -2008-12-28 23:08:02.267: debug: Signing zone "example.net." 
-2008-12-28 23:08:02.267: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2008-12-28 23:08:02.534: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-12-28 23:08:02.534: debug: Signing completed after 0s. -2008-12-28 23:08:02.534: debug: -2008-12-28 23:08:02.534: notice: end of run: 0 errors occured -2009-02-28 12:31:26.082: notice: ------------------------------------------------------------ -2009-02-28 12:31:26.083: notice: running ../../dnssec-signer -N named.conf -2009-02-28 12:31:26.100: debug: parsing zone "sub.example.net." in dir "././sub.example.net" -2009-02-28 12:31:26.100: debug: Check RFC5011 status -2009-02-28 12:31:26.100: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-02-28 12:31:26.100: debug: Check KSK status -2009-02-28 12:31:26.100: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h35m58s -2009-02-28 12:31:26.100: debug: Check ZSK status -2009-02-28 12:31:26.100: debug: Lifetime(390 sec) of depreciated key 22440 exceeded (5315758 sec) -2009-02-28 12:31:26.100: info: "sub.example.net.": old ZSK 22440 removed -2009-02-28 12:31:26.101: debug: ->remove it -2009-02-28 12:31:26.101: debug: Lifetime(259200 +/-150 sec) of active key 5823 exceeded (5315758 sec) -2009-02-28 12:31:26.101: debug: ->depreciate it -2009-02-28 12:31:26.101: debug: ->activate published key 4710 -2009-02-28 12:31:26.101: notice: "sub.example.net.": lifetime of zone signing key 5823 exceeded: ZSK rollover done -2009-02-28 12:31:26.101: debug: New key for publishing needed -2009-02-28 12:31:28.559: debug: ->creating new key 32820 -2009-02-28 12:31:28.559: info: "sub.example.net.": new key 32820 generated for publishing -2009-02-28 12:31:28.559: debug: Re-signing necessary: Modfied zone key set -2009-02-28 12:31:28.560: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-02-28 12:31:28.560: debug: Writing key 
file "././sub.example.net/dnskey.db" -2009-02-28 12:31:28.560: debug: Signing zone "sub.example.net." -2009-02-28 12:31:28.560: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 FC6C7C -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-02-28 12:31:28.803: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-02-28 12:31:28.803: debug: Signing completed after 0s. -2009-02-28 12:31:28.803: debug: -2009-02-28 12:31:28.803: debug: parsing zone "example.net." in dir "././example.net" -2009-02-28 12:31:28.803: debug: Check RFC5011 status -2009-02-28 12:31:28.803: notice: "example.net.": starting rfc5011 rollover -2009-02-28 12:31:28.803: debug: Lifetime of Key Signing Key 1764 exceeded (8w5d12h36m): Starting rfc5011 rollover! -2009-02-28 12:31:28.803: debug: =>Generating new standby key signing key -2009-02-28 12:31:29.067: info: "example.net.": generated new standby KSK 33840 -2009-02-28 12:31:29.067: debug: =>Activating old standby key 7308 -2009-02-28 12:31:29.068: debug: =>Revoking old active key 1764 -2009-02-28 12:31:29.068: debug: Check ZSK status -2009-02-28 12:31:29.068: debug: Re-signing necessary: Modfied zone key set -2009-02-28 12:31:29.068: notice: "example.net.": re-signing triggered: Modfied zone key set -2009-02-28 12:31:29.068: debug: Writing key file "././example.net/dnskey.db" -2009-02-28 12:31:29.069: debug: Incrementing serial number in file "././example.net/zone.db" -2009-02-28 12:31:29.069: debug: Signing zone "example.net." -2009-02-28 12:31:29.069: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-02-28 12:31:29.206: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-02-28 12:31:29.206: debug: Signing completed after 0s. 
-2009-02-28 12:31:29.206: debug: -2009-02-28 12:31:29.206: notice: end of run: 0 errors occured -2009-02-28 12:31:34.121: notice: ------------------------------------------------------------ -2009-02-28 12:31:34.121: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:31:34.126: debug: parsing zone "sub.example.net." in dir "././sub.example.net" -2009-02-28 12:31:34.126: debug: Check RFC5011 status -2009-02-28 12:31:34.126: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-02-28 12:31:34.126: debug: Check KSK status -2009-02-28 12:31:34.126: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h36m6s -2009-02-28 12:31:34.126: debug: Check ZSK status -2009-02-28 12:31:34.126: debug: Re-signing not necessary! -2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy -2009-02-28 12:31:34.126: debug: -2009-02-28 12:31:34.126: debug: parsing zone "example.net." in dir "././example.net" -2009-02-28 12:31:34.126: debug: Check RFC5011 status -2009-02-28 12:31:34.126: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 -2009-02-28 12:31:34.126: debug: Check ZSK status -2009-02-28 12:31:34.126: debug: Re-signing not necessary! -2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy -2009-02-28 12:31:34.126: debug: -2009-02-28 12:31:34.126: notice: end of run: 0 errors occured -2009-02-28 12:32:49.522: notice: ------------------------------------------------------------ -2009-02-28 12:32:49.522: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:32:49.525: debug: parsing zone "sub.example.net." 
in dir "././sub.example.net" -2009-02-28 12:32:49.525: debug: Check RFC5011 status -2009-02-28 12:32:49.525: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-02-28 12:32:49.525: debug: Check KSK status -2009-02-28 12:32:49.525: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h37m21s -2009-02-28 12:32:49.525: debug: Check ZSK status -2009-02-28 12:32:49.526: debug: Re-signing not necessary! -2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy -2009-02-28 12:32:49.526: debug: -2009-02-28 12:32:49.526: debug: parsing zone "example.net." in dir "././example.net" -2009-02-28 12:32:49.526: debug: Check RFC5011 status -2009-02-28 12:32:49.526: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 -2009-02-28 12:32:49.526: debug: Check ZSK status -2009-02-28 12:32:49.526: debug: Re-signing not necessary! -2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy -2009-02-28 12:32:49.527: debug: -2009-02-28 12:32:49.527: notice: end of run: 0 errors occured -2009-02-28 12:42:47.999: notice: ------------------------------------------------------------ -2009-02-28 12:42:48.000: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:45:56.491: notice: ------------------------------------------------------------ -2009-02-28 12:45:56.491: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:50:13.057: notice: ------------------------------------------------------------ -2009-02-28 12:50:13.057: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:50:54.700: notice: ------------------------------------------------------------ -2009-02-28 12:50:54.700: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:52:23.926: notice: ------------------------------------------------------------ -2009-02-28 12:52:23.926: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:52:23.933: debug: 
parsing zone "sub.example.net." in dir "././sub.example.net" -2009-02-28 12:52:23.934: debug: Check RFC5011 status -2009-02-28 12:52:23.934: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-02-28 12:52:23.934: debug: Check KSK status -2009-02-28 12:52:23.934: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h56m55s -2009-02-28 12:52:23.934: debug: Check ZSK status -2009-02-28 12:52:23.934: debug: Lifetime(390 sec) of depreciated key 5823 exceeded (1257 sec) -2009-02-28 12:52:23.934: info: "sub.example.net.": old ZSK 5823 removed -2009-02-28 12:52:23.934: debug: ->remove it -2009-02-28 12:52:23.934: debug: Re-signing necessary: Modfied zone key set -2009-02-28 12:52:23.934: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-02-28 12:52:23.934: debug: Writing key file "././sub.example.net/dnskey.db" -2009-02-28 12:52:23.935: debug: Signing zone "sub.example.net." -2009-02-28 12:52:23.935: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 A4756D -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-02-28 12:52:24.701: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-02-28 12:52:24.701: debug: Signing completed after 1s. -2009-02-28 12:52:24.701: debug: -2009-02-28 12:52:24.701: debug: parsing zone "example.net." in dir "././example.net" -2009-02-28 12:52:24.701: debug: Check RFC5011 status -2009-02-28 12:52:24.701: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 -2009-02-28 12:52:24.701: debug: Check ZSK status -2009-02-28 12:52:24.701: debug: Re-signing not necessary! 
-2009-02-28 12:52:24.701: debug: Check if there is a parent file to copy -2009-02-28 12:52:24.701: debug: -2009-02-28 12:52:24.701: notice: end of run: 0 errors occured -2009-02-28 12:53:08.325: notice: ------------------------------------------------------------ -2009-02-28 12:53:08.325: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:53:48.858: notice: ------------------------------------------------------------ -2009-02-28 12:53:48.858: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:54:09.878: notice: ------------------------------------------------------------ -2009-02-28 12:54:09.878: notice: running ../../dnssec-signer -v -v -N named.conf -2009-02-28 12:54:09.885: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net" -2009-02-28 12:54:09.885: debug: Check RFC5011 status -2009-02-28 12:54:09.885: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-02-28 12:54:09.885: debug: Check KSK status -2009-02-28 12:54:09.886: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h58m41s -2009-02-28 12:54:09.886: debug: Check ZSK status -2009-02-28 12:54:09.886: debug: Re-signing not necessary! -2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy -2009-02-28 12:54:09.886: debug: -2009-02-28 12:54:09.886: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net" -2009-02-28 12:54:09.886: debug: Check RFC5011 status -2009-02-28 12:54:09.886: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 -2009-02-28 12:54:09.886: debug: Check ZSK status -2009-02-28 12:54:09.886: debug: Re-signing not necessary! 
-2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy -2009-02-28 12:54:09.886: debug: -2009-02-28 12:54:09.886: notice: end of run: 0 errors occured -2009-02-28 12:55:02.579: notice: ------------------------------------------------------------ -2009-02-28 12:55:02.579: notice: running ../../dnssec-signer -v -v -N named.conf -2009-03-03 19:13:47.524: notice: ------------------------------------------------------------ -2009-03-03 19:13:47.524: notice: running ../../dnssec-signer -v -v -N named.conf -2009-03-03 19:13:47.532: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net" -2009-03-03 19:13:47.532: debug: Check RFC5011 status -2009-03-03 19:13:47.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-03 19:13:47.532: debug: Check KSK status -2009-03-03 19:13:47.533: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h18m19s -2009-03-03 19:13:47.533: debug: Check ZSK status -2009-03-03 19:13:47.533: debug: Lifetime(259200 +/-150 sec) of active key 4710 exceeded (283341 sec) -2009-03-03 19:13:47.533: debug: ->depreciate it -2009-03-03 19:13:47.533: debug: ->activate published key 32820 -2009-03-03 19:13:47.533: notice: "sub.example.net.": lifetime of zone signing key 4710 exceeded: ZSK rollover done -2009-03-03 19:13:47.533: debug: New key for publishing needed -2009-03-03 19:13:48.366: debug: ->creating new key 49656 -2009-03-03 19:13:48.366: info: "sub.example.net.": new key 49656 generated for publishing -2009-03-03 19:13:48.366: debug: Re-signing necessary: Modfied zone key set -2009-03-03 19:13:48.366: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-03-03 19:13:48.367: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net/dnskey.db" -2009-03-03 19:13:48.367: debug: Signing zone "sub.example.net." 
-2009-03-03 19:13:48.367: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net; /usr/local/sbin/dnssec-signzone -3 BCB121 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-03-03 19:13:48.543: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-03 19:13:48.543: debug: Signing completed after 0s. -2009-03-03 19:13:48.543: debug: -2009-03-03 19:13:48.543: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net" -2009-03-03 19:13:48.543: debug: Check RFC5011 status -2009-03-03 19:13:48.543: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 -2009-03-03 19:13:48.543: debug: Check ZSK status -2009-03-03 19:13:48.543: debug: Re-signing necessary: re-signing interval (2d) reached -2009-03-03 19:13:48.543: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached -2009-03-03 19:13:48.543: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/dnskey.db" -2009-03-03 19:13:48.544: debug: Incrementing serial number in file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/zone.db" -2009-03-03 19:13:48.544: debug: Signing zone "example.net." -2009-03-03 19:13:48.544: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-03-03 19:13:48.723: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-03 19:13:48.723: debug: Signing completed after 0s. 
-2009-03-03 19:13:48.723: debug: -2009-03-03 19:13:48.724: notice: end of run: 0 errors occured -2009-03-03 19:14:16.121: notice: ------------------------------------------------------------ -2009-03-03 19:14:16.121: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf -2009-03-03 19:14:30.231: notice: ------------------------------------------------------------ -2009-03-03 19:14:30.231: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf -2009-03-03 19:15:37.851: notice: ------------------------------------------------------------ -2009-03-03 19:15:37.851: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf -2009-03-03 19:15:37.853: debug: parsing zone "sub.example.net." in dir "./././sub.example.net" -2009-03-03 19:15:37.853: debug: Check RFC5011 status -2009-03-03 19:15:37.853: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-03 19:15:37.853: debug: Check KSK status -2009-03-03 19:15:37.853: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m9s -2009-03-03 19:15:37.853: debug: Check ZSK status -2009-03-03 19:15:37.853: debug: Re-signing not necessary! -2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy -2009-03-03 19:15:37.853: debug: -2009-03-03 19:15:37.853: debug: parsing zone "example.net." in dir "./././example.net" -2009-03-03 19:15:37.853: debug: Check RFC5011 status -2009-03-03 19:15:37.853: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 -2009-03-03 19:15:37.853: debug: Check ZSK status -2009-03-03 19:15:37.853: debug: Re-signing not necessary! 
-2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy -2009-03-03 19:15:37.853: debug: -2009-03-03 19:15:37.853: notice: end of run: 0 errors occured -2009-03-03 19:15:44.219: notice: ------------------------------------------------------------ -2009-03-03 19:15:44.219: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf -2009-03-03 19:15:49.305: notice: ------------------------------------------------------------ -2009-03-03 19:15:49.305: notice: running ../../dnssec-signer -v -v -N named.conf -2009-03-03 19:15:49.308: debug: parsing zone "sub.example.net." in dir "././sub.example.net" -2009-03-03 19:15:49.308: debug: Check RFC5011 status -2009-03-03 19:15:49.308: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-03 19:15:49.308: debug: Check KSK status -2009-03-03 19:15:49.309: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m21s -2009-03-03 19:15:49.309: debug: Check ZSK status -2009-03-03 19:15:49.309: debug: Re-signing not necessary! -2009-03-03 19:15:49.309: debug: Check if there is a parent file to copy -2009-03-03 19:15:49.309: debug: -2009-03-03 19:15:49.309: debug: parsing zone "example.net." in dir "././example.net" -2009-03-03 19:15:49.310: debug: Check RFC5011 status -2009-03-03 19:15:49.310: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 -2009-03-03 19:15:49.310: debug: Check ZSK status -2009-03-03 19:15:49.310: debug: Re-signing not necessary! -2009-03-03 19:15:49.310: debug: Check if there is a parent file to copy -2009-03-03 19:15:49.310: debug: -2009-03-03 19:15:49.310: notice: end of run: 0 errors occured -2009-03-04 18:07:38.441: notice: ------------------------------------------------------------ -2009-03-04 18:07:38.441: notice: running ../../dnssec-signer -v -v -N named.conf -2009-03-04 18:07:38.459: debug: parsing zone "sub.example.net." 
in dir "././sub.example.net" -2009-03-04 18:07:38.459: debug: Check RFC5011 status -2009-03-04 18:07:38.459: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-04 18:07:38.459: debug: Check KSK status -2009-03-04 18:07:38.459: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m10s -2009-03-04 18:07:38.459: debug: Check ZSK status -2009-03-04 18:07:38.459: debug: Lifetime(390 sec) of depreciated key 4710 exceeded (82431 sec) -2009-03-04 18:07:38.459: info: "sub.example.net.": old ZSK 4710 removed -2009-03-04 18:07:38.459: debug: ->remove it -2009-03-04 18:07:38.459: debug: Re-signing necessary: Modfied zone key set -2009-03-04 18:07:38.459: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-03-04 18:07:38.459: debug: Writing key file "././sub.example.net/dnskey.db" -2009-03-04 18:07:38.460: debug: Signing zone "sub.example.net." -2009-03-04 18:07:38.460: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 33B698 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-03-04 18:07:38.635: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-04 18:07:38.635: debug: Signing completed after 0s. -2009-03-04 18:07:38.635: debug: -2009-03-04 18:07:38.635: debug: parsing zone "example.net." in dir "././example.net" -2009-03-04 18:07:38.635: debug: Check RFC5011 status -2009-03-04 18:07:38.635: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time -2009-03-04 18:07:38.636: debug: Check ZSK status -2009-03-04 18:07:38.636: debug: Re-signing not necessary! 
-2009-03-04 18:07:38.636: debug: Check if there is a parent file to copy -2009-03-04 18:07:38.636: debug: -2009-03-04 18:07:38.636: notice: end of run: 0 errors occured -2009-03-04 18:07:54.353: notice: ------------------------------------------------------------ -2009-03-04 18:07:54.353: notice: running ../../dnssec-signer -r -v -v -N named.conf -2009-03-04 18:07:54.357: debug: parsing zone "sub.example.net." in dir "././sub.example.net" -2009-03-04 18:07:54.357: debug: Check RFC5011 status -2009-03-04 18:07:54.357: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-04 18:07:54.357: debug: Check KSK status -2009-03-04 18:07:54.357: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m26s -2009-03-04 18:07:54.357: debug: Check ZSK status -2009-03-04 18:07:54.357: debug: Re-signing not necessary! -2009-03-04 18:07:54.357: debug: Check if there is a parent file to copy -2009-03-04 18:07:54.357: debug: -2009-03-04 18:07:54.357: debug: parsing zone "example.net." in dir "././example.net" -2009-03-04 18:07:54.357: debug: Check RFC5011 status -2009-03-04 18:07:54.357: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time -2009-03-04 18:07:54.358: debug: Check ZSK status -2009-03-04 18:07:54.358: debug: Re-signing not necessary! -2009-03-04 18:07:54.358: debug: Check if there is a parent file to copy -2009-03-04 18:07:54.358: debug: -2009-03-04 18:07:54.358: notice: end of run: 0 errors occured -2009-03-04 18:08:25.210: notice: ------------------------------------------------------------ -2009-03-04 18:08:25.210: notice: running ../../dnssec-signer -r -v -v -N named.conf -2009-03-04 18:08:25.212: debug: parsing zone "sub.example.net." 
in dir "././sub.example.net" -2009-03-04 18:08:25.212: debug: Check RFC5011 status -2009-03-04 18:08:25.213: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-04 18:08:25.213: debug: Check KSK status -2009-03-04 18:08:25.213: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m57s -2009-03-04 18:08:25.213: debug: Check ZSK status -2009-03-04 18:08:25.213: debug: Re-signing not necessary! -2009-03-04 18:08:25.213: debug: Check if there is a parent file to copy -2009-03-04 18:08:25.213: debug: -2009-03-04 18:08:25.214: debug: parsing zone "example.net." in dir "././example.net" -2009-03-04 18:08:25.214: debug: Check RFC5011 status -2009-03-04 18:08:25.214: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time -2009-03-04 18:08:25.214: debug: Check ZSK status -2009-03-04 18:08:25.214: debug: Re-signing not necessary! -2009-03-04 18:08:25.214: debug: Check if there is a parent file to copy -2009-03-04 18:08:25.214: debug: -2009-03-04 18:08:25.216: notice: end of run: 0 errors occured -2009-03-04 18:08:32.379: notice: ------------------------------------------------------------ -2009-03-04 18:08:32.379: notice: running ../../dnssec-signer -f -v -v -N named.conf -2009-03-04 18:08:32.381: debug: parsing zone "sub.example.net." 
in dir "././sub.example.net" -2009-03-04 18:08:32.381: debug: Check RFC5011 status -2009-03-04 18:08:32.381: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-04 18:08:32.381: debug: Check KSK status -2009-03-04 18:08:32.381: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m4s -2009-03-04 18:08:32.381: debug: Check ZSK status -2009-03-04 18:08:32.381: debug: Re-signing necessary: Option -f -2009-03-04 18:08:32.381: notice: "sub.example.net.": re-signing triggered: Option -f -2009-03-04 18:08:32.381: debug: Writing key file "././sub.example.net/dnskey.db" -2009-03-04 18:08:32.382: debug: Signing zone "sub.example.net." -2009-03-04 18:08:32.382: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 2 -3 A0BEB8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-03-04 18:08:32.896: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-04 18:08:32.896: debug: Signing completed after 0s. -2009-03-04 18:08:32.896: debug: -2009-03-04 18:08:32.896: debug: parsing zone "example.net." in dir "././example.net" -2009-03-04 18:08:32.896: debug: Check RFC5011 status -2009-03-04 18:08:32.896: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time -2009-03-04 18:08:32.896: debug: Check ZSK status -2009-03-04 18:08:32.896: debug: Re-signing necessary: Option -f -2009-03-04 18:08:32.896: notice: "example.net.": re-signing triggered: Option -f -2009-03-04 18:08:32.896: debug: Writing key file "././example.net/dnskey.db" -2009-03-04 18:08:32.897: debug: Incrementing serial number in file "././example.net/zone.db" -2009-03-04 18:08:32.897: debug: Signing zone "example.net." -2009-03-04 18:08:32.897: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 2 -g -p -d ../keysets -o example.net. 
-e +518400 zone.db K*.private" -2009-03-04 18:08:33.042: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-04 18:08:33.042: debug: Signing completed after 1s. -2009-03-04 18:08:33.042: debug: -2009-03-04 18:08:33.043: notice: end of run: 0 errors occured -2009-03-04 18:08:46.381: notice: ------------------------------------------------------------ -2009-03-04 18:08:46.381: notice: running ../../dnssec-signer -f -v -v -N named.conf -2009-03-04 18:08:46.385: debug: parsing zone "sub.example.net." in dir "././sub.example.net" -2009-03-04 18:08:46.385: debug: Check RFC5011 status -2009-03-04 18:08:46.385: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-04 18:08:46.385: debug: Check KSK status -2009-03-04 18:08:46.385: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m18s -2009-03-04 18:08:46.385: debug: Check ZSK status -2009-03-04 18:08:46.385: debug: Re-signing necessary: Option -f -2009-03-04 18:08:46.385: notice: "sub.example.net.": re-signing triggered: Option -f -2009-03-04 18:08:46.385: debug: Writing key file "././sub.example.net/dnskey.db" -2009-03-04 18:08:46.386: debug: Signing zone "sub.example.net." -2009-03-04 18:08:46.386: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 1864E1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-03-04 18:08:46.990: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-04 18:08:46.991: debug: Signing completed after 0s. -2009-03-04 18:08:46.991: debug: -2009-03-04 18:08:46.991: debug: parsing zone "example.net." 
in dir "././example.net" -2009-03-04 18:08:46.991: debug: Check RFC5011 status -2009-03-04 18:08:46.991: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time -2009-03-04 18:08:46.991: debug: Check ZSK status -2009-03-04 18:08:46.991: debug: Re-signing necessary: Option -f -2009-03-04 18:08:46.991: notice: "example.net.": re-signing triggered: Option -f -2009-03-04 18:08:46.991: debug: Writing key file "././example.net/dnskey.db" -2009-03-04 18:08:46.992: debug: Incrementing serial number in file "././example.net/zone.db" -2009-03-04 18:08:46.992: debug: Signing zone "example.net." -2009-03-04 18:08:46.993: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 0 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-03-04 18:08:47.149: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-04 18:08:47.149: debug: Signing completed after 1s. -2009-03-04 18:08:47.149: debug: -2009-03-04 18:08:47.149: notice: end of run: 0 errors occured -2009-03-04 18:08:59.141: notice: ------------------------------------------------------------ -2009-03-04 18:08:59.141: notice: running ../../dnssec-signer -f -v -v -N named.conf -2009-03-04 18:08:59.145: debug: parsing zone "sub.example.net." in dir "././sub.example.net" -2009-03-04 18:08:59.145: debug: Check RFC5011 status -2009-03-04 18:08:59.145: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-03-04 18:08:59.145: debug: Check KSK status -2009-03-04 18:08:59.145: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m31s -2009-03-04 18:08:59.145: debug: Check ZSK status -2009-03-04 18:08:59.145: debug: Re-signing necessary: Option -f -2009-03-04 18:08:59.146: notice: "sub.example.net.": re-signing triggered: Option -f -2009-03-04 18:08:59.146: debug: Writing key file "././sub.example.net/dnskey.db" -2009-03-04 18:08:59.146: debug: Signing zone "sub.example.net." 
-2009-03-04 18:08:59.146: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 945691 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-03-04 18:09:00.082: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-04 18:09:00.082: debug: Signing completed after 1s. -2009-03-04 18:09:00.082: debug: -2009-03-04 18:09:00.083: debug: parsing zone "example.net." in dir "././example.net" -2009-03-04 18:09:00.083: debug: Check RFC5011 status -2009-03-04 18:09:00.083: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time -2009-03-04 18:09:00.083: debug: Check ZSK status -2009-03-04 18:09:00.083: debug: Re-signing necessary: Option -f -2009-03-04 18:09:00.083: notice: "example.net.": re-signing triggered: Option -f -2009-03-04 18:09:00.083: debug: Writing key file "././example.net/dnskey.db" -2009-03-04 18:09:00.084: debug: Incrementing serial number in file "././example.net/zone.db" -2009-03-04 18:09:00.084: debug: Signing zone "example.net." -2009-03-04 18:09:00.084: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-03-04 18:09:00.238: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-03-04 18:09:00.238: debug: Signing completed after 0s. -2009-03-04 18:09:00.238: debug: -2009-03-04 18:09:00.238: notice: end of run: 0 errors occured -2009-06-15 09:58:41.205: notice: ------------------------------------------------------------ -2009-06-15 09:58:41.205: notice: running ../../dnssec-signer -v -v -2009-06-15 09:58:41.226: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-15 09:58:41.226: debug: Check RFC5011 status -2009-06-15 09:58:41.226: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-15 09:58:41.226: debug: Check KSK status -2009-06-15 09:58:41.227: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w3d9h3m13s -2009-06-15 09:58:41.227: debug: Check ZSK status -2009-06-15 09:58:41.227: debug: Lifetime(259200 +/-150 sec) of active key 32820 exceeded (8948694 sec) -2009-06-15 09:58:41.227: debug: ->depreciate it -2009-06-15 09:58:41.227: debug: ->activate published key 49656 -2009-06-15 09:58:41.227: notice: "sub.example.net.": lifetime of zone signing key 32820 exceeded: ZSK rollover done -2009-06-15 09:58:41.227: debug: New key for publishing needed -2009-06-15 09:58:41.346: debug: ->creating new key 37135 -2009-06-15 09:58:41.346: info: "sub.example.net.": new key 37135 generated for publishing -2009-06-15 09:58:41.346: debug: Re-signing necessary: Modfied zone key set -2009-06-15 09:58:41.346: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-06-15 09:58:41.346: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-15 09:58:41.346: debug: Signing zone "sub.example.net." -2009-06-15 09:58:41.346: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 11D7FD -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-15 09:58:41.399: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-15 09:58:41.399: debug: Signing completed after 0s. -2009-06-15 09:58:41.399: debug: -2009-06-15 09:58:41.399: debug: parsing zone "example.net." 
in dir "./example.net" -2009-06-15 09:58:41.399: debug: Check RFC5011 status -2009-06-15 09:58:41.399: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time -2009-06-15 09:58:41.399: debug: Remove revoked key 1764 which is older than 30 days -2009-06-15 09:58:41.400: notice: zone "example.net.": removing revoked key 1764 -2009-06-15 09:58:41.400: debug: Check ZSK status -2009-06-15 09:58:41.400: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14547793 sec) -2009-06-15 09:58:41.400: debug: ->waiting for published key -2009-06-15 09:58:41.400: notice: "example.net.": lifetime of zone signing key 4157 exceeded since 11w1d9h3m13s: ZSK rollover deferred: waiting for published key -2009-06-15 09:58:41.400: debug: New key for publishing needed -2009-06-15 09:58:41.499: debug: ->creating new key 34925 -2009-06-15 09:58:41.499: info: "example.net.": new key 34925 generated for publishing -2009-06-15 09:58:41.499: debug: Re-signing necessary: Modfied zone key set -2009-06-15 09:58:41.499: notice: "example.net.": re-signing triggered: Modfied zone key set -2009-06-15 09:58:41.499: debug: Writing key file "./example.net/dnskey.db" -2009-06-15 09:58:41.499: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-15 09:58:41.499: debug: Signing zone "example.net." -2009-06-15 09:58:41.499: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-06-15 09:58:41.543: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-15 09:58:41.543: debug: Signing completed after 0s. -2009-06-15 09:58:41.543: debug: -2009-06-15 09:58:41.543: notice: end of run: 0 errors occured -2009-06-17 16:36:16.761: notice: ------------------------------------------------------------ -2009-06-17 16:36:16.761: notice: running ../../dnssec-signer -v -v -2009-06-17 16:36:16.792: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-17 16:36:16.792: debug: Check RFC5011 status -2009-06-17 16:36:16.792: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-17 16:36:16.792: debug: Check KSK status -2009-06-17 16:36:16.792: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w5d15h40m48s -2009-06-17 16:36:16.792: debug: Check ZSK status -2009-06-17 16:36:16.792: debug: Lifetime(390 sec) of depreciated key 32820 exceeded (196655 sec) -2009-06-17 16:36:16.792: info: "sub.example.net.": old ZSK 32820 removed -2009-06-17 16:36:16.792: debug: ->remove it -2009-06-17 16:36:16.792: debug: Re-signing necessary: Modfied zone key set -2009-06-17 16:36:16.792: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-06-17 16:36:16.792: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-17 16:36:16.793: debug: Signing zone "sub.example.net." -2009-06-17 16:36:16.793: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 4214E6 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-17 16:36:16.984: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-17 16:36:16.984: debug: Signing completed after 0s. -2009-06-17 16:36:16.984: debug: -2009-06-17 16:36:16.984: debug: parsing zone "example.net." 
in dir "./example.net" -2009-06-17 16:36:16.984: debug: Check RFC5011 status -2009-06-17 16:36:16.984: debug: Check ZSK status -2009-06-17 16:36:16.984: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14744448 sec) -2009-06-17 16:36:16.984: debug: ->depreciate it -2009-06-17 16:36:16.984: debug: ->activate published key 34925 -2009-06-17 16:36:16.984: notice: "example.net.": lifetime of zone signing key 4157 exceeded: ZSK rollover done -2009-06-17 16:36:16.984: debug: Re-signing necessary: Modfied zone key set -2009-06-17 16:36:16.984: notice: "example.net.": re-signing triggered: Modfied zone key set -2009-06-17 16:36:16.984: debug: Writing key file "./example.net/dnskey.db" -2009-06-17 16:36:16.985: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-17 16:36:16.985: debug: Signing zone "example.net." -2009-06-17 16:36:16.985: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-06-17 16:36:17.102: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-17 16:36:17.102: debug: Signing completed after 1s. -2009-06-17 16:36:17.102: debug: -2009-06-17 16:36:17.102: notice: end of run: 0 errors occured -2009-06-24 16:33:27.617: notice: ------------------------------------------------------------ -2009-06-24 16:33:27.617: notice: running ../../dnssec-signer -v -v -2009-06-24 16:33:27.619: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-24 16:33:27.619: debug: Check RFC5011 status -2009-06-24 16:33:27.620: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:33:27.620: debug: Check KSK status -2009-06-24 16:33:27.620: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 16w5d15h37m59s -2009-06-24 16:33:27.620: debug: Check ZSK status -2009-06-24 16:33:27.620: debug: Lifetime(259200 +/-150 sec) of active key 49656 exceeded (801286 sec) -2009-06-24 16:33:27.620: debug: ->depreciate it -2009-06-24 16:33:27.620: debug: ->activate published key 37135 -2009-06-24 16:33:27.620: notice: "sub.example.net.": lifetime of zone signing key 49656 exceeded: ZSK rollover done -2009-06-24 16:33:27.620: debug: New key for publishing needed -2009-06-24 16:33:27.751: debug: ->creating new key 25272 -2009-06-24 16:33:27.751: info: "sub.example.net.": new key 25272 generated for publishing -2009-06-24 16:33:27.751: debug: Re-signing necessary: Modfied zone key set -2009-06-24 16:33:27.751: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-06-24 16:33:27.751: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:33:27.751: debug: Signing zone "sub.example.net." -2009-06-24 16:33:27.751: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50C9C8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-24 16:33:27.859: error: "sub.example.net.": signing failed! -2009-06-24 16:33:27.859: debug: Signing completed after 0s. -2009-06-24 16:33:27.859: debug: -2009-06-24 16:33:27.859: debug: parsing zone "example.net." 
in dir "./example.net" -2009-06-24 16:33:27.859: debug: Check RFC5011 status -2009-06-24 16:33:27.859: debug: Check ZSK status -2009-06-24 16:33:27.859: debug: Lifetime(29100 sec) of depreciated key 4157 exceeded (604631 sec) -2009-06-24 16:33:27.859: info: "example.net.": old ZSK 4157 removed -2009-06-24 16:33:27.860: debug: ->remove it -2009-06-24 16:33:27.860: debug: Re-signing necessary: Modfied zone key set -2009-06-24 16:33:27.860: notice: "example.net.": re-signing triggered: Modfied zone key set -2009-06-24 16:33:27.860: debug: Writing key file "./example.net/dnskey.db" -2009-06-24 16:33:27.860: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-24 16:33:27.860: debug: Signing zone "example.net." -2009-06-24 16:33:27.860: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-06-24 16:33:27.966: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 16:33:27.966: debug: Signing completed after 0s. -2009-06-24 16:33:27.966: debug: -2009-06-24 16:33:27.966: notice: end of run: 1 error occured -2009-06-24 16:42:06.709: notice: ------------------------------------------------------------ -2009-06-24 16:42:06.709: notice: running ../../dnssec-signer -v -v -2009-06-24 16:42:06.711: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-24 16:42:06.711: debug: Check RFC5011 status -2009-06-24 16:42:06.711: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:42:06.711: debug: Check KSK status -2009-06-24 16:42:06.711: debug: No active KSK found: generate new one -2009-06-24 16:42:06.855: info: "sub.example.net.": generated new KSK 48516 -2009-06-24 16:42:06.855: debug: Check ZSK status -2009-06-24 16:42:06.855: debug: No active ZSK found: generate new one -2009-06-24 16:42:06.883: info: "sub.example.net.": generated new ZSK 33383 -2009-06-24 16:42:06.883: debug: Re-signing necessary: Modfied zone key set -2009-06-24 16:42:06.883: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-06-24 16:42:06.883: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:42:06.883: debug: Signing zone "sub.example.net." -2009-06-24 16:42:06.883: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-24 16:42:06.905: error: "sub.example.net.": signing failed! -2009-06-24 16:42:06.905: debug: Signing completed after 0s. -2009-06-24 16:42:06.905: debug: -2009-06-24 16:42:06.905: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:42:06.905: debug: Check RFC5011 status -2009-06-24 16:42:06.905: debug: Check ZSK status -2009-06-24 16:42:06.905: debug: Re-signing not necessary! -2009-06-24 16:42:06.905: debug: Check if there is a parent file to copy -2009-06-24 16:42:06.905: debug: -2009-06-24 16:42:06.905: notice: end of run: 1 error occured -2009-06-24 16:42:31.402: notice: ------------------------------------------------------------ -2009-06-24 16:42:31.402: notice: running ../../dnssec-signer -v -v -2009-06-24 16:42:31.404: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-24 16:42:31.404: debug: Check RFC5011 status -2009-06-24 16:42:31.404: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:42:31.404: debug: Check KSK status -2009-06-24 16:42:31.404: debug: Check ZSK status -2009-06-24 16:42:31.404: debug: Re-signing necessary: Modified keys -2009-06-24 16:42:31.405: notice: "sub.example.net.": re-signing triggered: Modified keys -2009-06-24 16:42:31.405: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:42:31.405: debug: Signing zone "sub.example.net." -2009-06-24 16:42:31.405: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-24 16:42:31.449: error: "sub.example.net.": signing failed! -2009-06-24 16:42:31.450: debug: Signing completed after 0s. -2009-06-24 16:42:31.450: debug: -2009-06-24 16:42:31.450: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:42:31.450: debug: Check RFC5011 status -2009-06-24 16:42:31.450: debug: Check ZSK status -2009-06-24 16:42:31.450: debug: Re-signing not necessary! -2009-06-24 16:42:31.450: debug: Check if there is a parent file to copy -2009-06-24 16:42:31.450: debug: -2009-06-24 16:42:31.450: notice: end of run: 1 error occured -2009-06-24 16:42:48.193: notice: ------------------------------------------------------------ -2009-06-24 16:42:48.193: notice: running ../../dnssec-signer -v -v -2009-06-24 16:42:48.195: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-24 16:42:48.195: debug: Check RFC5011 status -2009-06-24 16:42:48.195: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:42:48.195: debug: Check KSK status -2009-06-24 16:42:48.195: debug: Check ZSK status -2009-06-24 16:42:48.195: debug: Re-signing necessary: Modified keys -2009-06-24 16:42:48.195: notice: "sub.example.net.": re-signing triggered: Modified keys -2009-06-24 16:42:48.195: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:42:48.195: debug: Signing zone "sub.example.net." -2009-06-24 16:42:48.195: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 F46ADF -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-24 16:42:48.212: error: "sub.example.net.": signing failed! -2009-06-24 16:42:48.212: debug: Signing completed after 0s. -2009-06-24 16:42:48.212: debug: -2009-06-24 16:42:48.212: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:42:48.212: debug: Check RFC5011 status -2009-06-24 16:42:48.212: debug: Check ZSK status -2009-06-24 16:42:48.212: debug: Re-signing not necessary! -2009-06-24 16:42:48.212: debug: Check if there is a parent file to copy -2009-06-24 16:42:48.212: debug: -2009-06-24 16:42:48.212: notice: end of run: 1 error occured -2009-06-24 16:44:22.959: notice: ------------------------------------------------------------ -2009-06-24 16:44:22.959: notice: running ../../dnssec-signer -v -v -2009-06-24 16:44:22.961: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-24 16:44:22.961: debug: Check RFC5011 status -2009-06-24 16:44:22.961: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:44:22.961: debug: Check KSK status -2009-06-24 16:44:22.961: debug: Check ZSK status -2009-06-24 16:44:22.961: debug: No active ZSK found: generate new one -2009-06-24 16:44:23.008: info: "sub.example.net.": generated new ZSK 14600 -2009-06-24 16:44:23.008: debug: Re-signing necessary: Modfied zone key set -2009-06-24 16:44:23.008: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-06-24 16:44:23.009: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:44:23.009: debug: Signing zone "sub.example.net." -2009-06-24 16:44:23.009: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86BF2F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-24 16:44:23.040: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 16:44:23.040: debug: Signing completed after 0s. -2009-06-24 16:44:23.040: debug: -2009-06-24 16:44:23.040: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:44:23.040: debug: Check RFC5011 status -2009-06-24 16:44:23.040: debug: Check ZSK status -2009-06-24 16:44:23.040: debug: Re-signing not necessary! -2009-06-24 16:44:23.040: debug: Check if there is a parent file to copy -2009-06-24 16:44:23.040: debug: -2009-06-24 16:44:23.040: notice: end of run: 0 errors occured -2009-06-24 16:50:36.189: notice: ------------------------------------------------------------ -2009-06-24 16:50:36.189: notice: running ../../dnssec-signer -v -v -2009-06-24 16:50:36.191: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-24 16:50:36.191: debug: Check RFC5011 status -2009-06-24 16:50:36.191: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:50:36.191: debug: Check KSK status -2009-06-24 16:50:36.192: debug: Check ZSK status -2009-06-24 16:50:36.192: debug: Re-signing not necessary! -2009-06-24 16:50:36.192: debug: Check if there is a parent file to copy -2009-06-24 16:50:36.192: debug: -2009-06-24 16:50:36.192: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:50:36.192: debug: Check RFC5011 status -2009-06-24 16:50:36.192: debug: Check ZSK status -2009-06-24 16:50:36.193: debug: Re-signing not necessary! -2009-06-24 16:50:36.193: debug: Check if there is a parent file to copy -2009-06-24 16:50:36.193: debug: -2009-06-24 16:50:36.193: notice: end of run: 0 errors occured -2009-06-24 16:50:42.877: notice: ------------------------------------------------------------ -2009-06-24 16:50:42.877: notice: running ../../dnssec-signer -v -v -f -2009-06-24 16:50:42.879: debug: parsing zone "sub.example.net." in dir "./sub.example.net" -2009-06-24 16:50:42.879: debug: Check RFC5011 status -2009-06-24 16:50:42.879: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:50:42.879: debug: Check KSK status -2009-06-24 16:50:42.879: debug: Check ZSK status -2009-06-24 16:50:42.879: debug: Re-signing necessary: Option -f -2009-06-24 16:50:42.879: notice: "sub.example.net.": re-signing triggered: Option -f -2009-06-24 16:50:42.879: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:50:42.879: debug: Signing zone "sub.example.net." -2009-06-24 16:50:42.879: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 FB37DB -g -p -d ../keysets -o sub.example.net. 
-e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-24 16:50:42.932: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 16:50:42.932: debug: Signing completed after 0s. -2009-06-24 16:50:42.932: debug: -2009-06-24 16:50:42.932: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:50:42.932: debug: Check RFC5011 status -2009-06-24 16:50:42.932: debug: Check ZSK status -2009-06-24 16:50:42.932: debug: Re-signing necessary: Option -f -2009-06-24 16:50:42.932: notice: "example.net.": re-signing triggered: Option -f -2009-06-24 16:50:42.932: debug: Writing key file "./example.net/dnskey.db" -2009-06-24 16:50:42.933: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-24 16:50:42.933: debug: Signing zone "example.net." -2009-06-24 16:50:42.933: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-06-24 16:50:42.978: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 16:50:42.978: debug: Signing completed after 0s. -2009-06-24 16:50:42.978: debug: -2009-06-24 16:50:42.979: notice: end of run: 0 errors occured -2009-06-24 16:50:51.923: notice: ------------------------------------------------------------ -2009-06-24 16:50:51.923: notice: running ../../dnssec-signer -v -v -f -2009-06-24 16:50:51.924: debug: parsing zone "sub.example.net." in dir "./sub.example.net" -2009-06-24 16:50:51.924: debug: Check RFC5011 status -2009-06-24 16:50:51.924: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:50:51.924: debug: Check KSK status -2009-06-24 16:50:51.924: debug: Check ZSK status -2009-06-24 16:50:51.925: debug: Re-signing necessary: Option -f -2009-06-24 16:50:51.925: notice: "sub.example.net.": re-signing triggered: Option -f -2009-06-24 16:50:51.925: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:50:51.925: debug: Signing zone "sub.example.net." 
-2009-06-24 16:50:51.925: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E830EA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-24 16:50:51.972: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 16:50:51.973: debug: Signing completed after 0s. -2009-06-24 16:50:51.973: debug: -2009-06-24 16:50:51.973: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:50:51.973: debug: Check RFC5011 status -2009-06-24 16:50:51.973: debug: Check ZSK status -2009-06-24 16:50:51.973: debug: Re-signing necessary: Option -f -2009-06-24 16:50:51.973: notice: "example.net.": re-signing triggered: Option -f -2009-06-24 16:50:51.973: debug: Writing key file "./example.net/dnskey.db" -2009-06-24 16:50:51.973: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-24 16:50:51.973: debug: Signing zone "example.net." -2009-06-24 16:50:51.973: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-06-24 16:50:52.017: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 16:50:52.017: debug: Signing completed after 1s. -2009-06-24 16:50:52.017: debug: -2009-06-24 16:50:52.017: notice: end of run: 0 errors occured -2009-06-24 16:51:19.914: notice: ------------------------------------------------------------ -2009-06-24 16:51:19.914: notice: running ../../dnssec-signer -v -v -f -2009-06-24 16:51:19.916: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-24 16:51:19.916: debug: Check RFC5011 status -2009-06-24 16:51:19.916: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:51:19.916: debug: Check KSK status -2009-06-24 16:51:19.916: debug: Check ZSK status -2009-06-24 16:51:19.916: debug: Re-signing necessary: Option -f -2009-06-24 16:51:19.916: notice: "sub.example.net.": re-signing triggered: Option -f -2009-06-24 16:51:19.916: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:51:19.917: debug: Signing zone "sub.example.net." -2009-06-24 16:51:19.917: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 8DBC26 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" -2009-06-24 16:51:19.969: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 16:51:19.969: debug: Signing completed after 0s. -2009-06-24 16:51:19.969: debug: -2009-06-24 16:51:19.969: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:51:19.969: debug: Check RFC5011 status -2009-06-24 16:51:19.969: debug: Check ZSK status -2009-06-24 16:51:19.969: debug: Re-signing necessary: Option -f -2009-06-24 16:51:19.969: notice: "example.net.": re-signing triggered: Option -f -2009-06-24 16:51:19.969: debug: Writing key file "./example.net/dnskey.db" -2009-06-24 16:51:19.969: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-24 16:51:19.969: debug: Signing zone "example.net." -2009-06-24 16:51:19.969: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" -2009-06-24 16:51:20.018: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 16:51:20.018: debug: Signing completed after 1s. 
-2009-06-24 16:51:20.018: debug: -2009-06-24 16:51:20.018: notice: end of run: 0 errors occured -2009-06-24 16:55:38.094: notice: ------------------------------------------------------------ -2009-06-24 16:55:38.094: notice: running ../../dnssec-signer -v -v -f -2009-06-24 16:55:38.096: debug: parsing zone "sub.example.net." in dir "./sub.example.net" -2009-06-24 16:55:38.096: debug: Check RFC5011 status -2009-06-24 16:55:38.096: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 16:55:38.096: debug: Check KSK status -2009-06-24 16:55:38.096: debug: Check ZSK status -2009-06-24 16:55:38.096: debug: Re-signing necessary: Option -f -2009-06-24 16:55:38.096: notice: "sub.example.net.": re-signing triggered: Option -f -2009-06-24 16:55:38.096: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 16:55:38.097: debug: Signing zone "sub.example.net." -2009-06-24 16:55:38.097: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 69AB8E -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" -2009-06-24 16:55:38.144: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: NSEC3RSASHA1." -2009-06-24 16:55:38.144: debug: Signing completed after 0s. -2009-06-24 16:55:38.144: debug: -2009-06-24 16:55:38.144: debug: parsing zone "example.net." in dir "./example.net" -2009-06-24 16:55:38.144: debug: Check RFC5011 status -2009-06-24 16:55:38.144: debug: Check ZSK status -2009-06-24 16:55:38.144: debug: Re-signing necessary: Option -f -2009-06-24 16:55:38.144: notice: "example.net.": re-signing triggered: Option -f -2009-06-24 16:55:38.144: debug: Writing key file "./example.net/dnskey.db" -2009-06-24 16:55:38.144: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-24 16:55:38.144: debug: Signing zone "example.net." 
-2009-06-24 16:55:38.144: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" -2009-06-24 16:55:38.182: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: RSASHA1." -2009-06-24 16:55:38.182: debug: Signing completed after 0s. -2009-06-24 16:55:38.182: debug: -2009-06-24 16:55:38.182: notice: end of run: 0 errors occured -2009-06-24 17:12:06.145: notice: ------------------------------------------------------------ -2009-06-24 17:12:06.145: notice: running ../../dnssec-signer -v -v -f -2009-06-24 17:12:06.147: debug: parsing zone "sub.example.net." in dir "./sub.example.net" -2009-06-24 17:12:06.147: debug: Check RFC5011 status -2009-06-24 17:12:06.147: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-24 17:12:06.147: debug: Check KSK status -2009-06-24 17:12:06.147: debug: Check ZSK status -2009-06-24 17:12:06.147: debug: Re-signing necessary: Option -f -2009-06-24 17:12:06.147: notice: "sub.example.net.": re-signing triggered: Option -f -2009-06-24 17:12:06.147: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-24 17:12:06.147: debug: Signing zone "sub.example.net." -2009-06-24 17:12:06.147: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 589BFC -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" -2009-06-24 17:12:06.204: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 17:12:06.204: debug: Signing completed after 0s. -2009-06-24 17:12:06.204: debug: -2009-06-24 17:12:06.204: debug: parsing zone "example.net." 
in dir "./example.net" -2009-06-24 17:12:06.204: debug: Check RFC5011 status -2009-06-24 17:12:06.204: debug: Check ZSK status -2009-06-24 17:12:06.204: debug: Re-signing necessary: Option -f -2009-06-24 17:12:06.205: notice: "example.net.": re-signing triggered: Option -f -2009-06-24 17:12:06.205: debug: Writing key file "./example.net/dnskey.db" -2009-06-24 17:12:06.205: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-24 17:12:06.205: debug: Signing zone "example.net." -2009-06-24 17:12:06.205: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" -2009-06-24 17:12:06.259: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-24 17:12:06.259: debug: Signing completed after 0s. -2009-06-24 17:12:06.259: debug: -2009-06-24 17:12:06.259: notice: end of run: 0 errors occured -2009-06-30 11:35:09.298: notice: ------------------------------------------------------------ -2009-06-30 11:35:09.298: notice: running ../../dnssec-signer -v -v -2009-06-30 11:35:09.326: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-30 11:35:09.326: debug: Check RFC5011 status -2009-06-30 11:35:09.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-30 11:35:09.326: debug: Check KSK status -2009-06-30 11:35:09.326: debug: Check ZSK status -2009-06-30 11:35:09.326: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (499847 sec) -2009-06-30 11:35:09.326: debug: ->waiting for published key -2009-06-30 11:35:09.326: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d18h50m47s: ZSK rollover deferred: waiting for published key -2009-06-30 11:35:09.326: debug: New key for publishing needed -2009-06-30 11:35:09.482: debug: ->creating new key 32345 -2009-06-30 11:35:09.482: info: "sub.example.net.": new key 32345 generated for publishing -2009-06-30 11:35:09.482: debug: Re-signing necessary: Modfied zone key set -2009-06-30 11:35:09.483: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-06-30 11:35:09.483: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-30 11:35:09.483: debug: Signing zone "sub.example.net." -2009-06-30 11:35:09.483: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E84B0F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" -2009-06-30 11:35:09.838: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-30 11:35:09.838: debug: Signing completed after 0s. -2009-06-30 11:35:09.838: debug: -2009-06-30 11:35:09.838: debug: parsing zone "example.net." 
in dir "./example.net" -2009-06-30 11:35:09.838: debug: Check RFC5011 status -2009-06-30 11:35:09.838: debug: Check ZSK status -2009-06-30 11:35:09.838: debug: New key for publishing needed -2009-06-30 11:35:09.896: debug: ->creating new key 48089 -2009-06-30 11:35:09.896: info: "example.net.": new key 48089 generated for publishing -2009-06-30 11:35:09.896: debug: Re-signing necessary: Modfied zone key set -2009-06-30 11:35:09.897: notice: "example.net.": re-signing triggered: Modfied zone key set -2009-06-30 11:35:09.897: debug: Writing key file "./example.net/dnskey.db" -2009-06-30 11:35:09.897: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-30 11:35:09.897: debug: Signing zone "example.net." -2009-06-30 11:35:09.897: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" -2009-06-30 11:35:09.997: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-30 11:35:09.997: debug: Signing completed after 0s. -2009-06-30 11:35:09.997: debug: -2009-06-30 11:35:09.997: notice: end of run: 0 errors occured -2009-06-30 12:01:53.878: notice: ------------------------------------------------------------ -2009-06-30 12:01:53.878: notice: running ../../dnssec-signer -v -v -2009-06-30 12:01:53.880: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-30 12:01:53.881: debug: Check RFC5011 status -2009-06-30 12:01:53.881: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-30 12:01:53.881: debug: Check KSK status -2009-06-30 12:01:53.881: debug: Check ZSK status -2009-06-30 12:01:53.881: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501451 sec) -2009-06-30 12:01:53.881: debug: ->waiting for published key -2009-06-30 12:01:53.881: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m31s: ZSK rollover deferred: waiting for published key -2009-06-30 12:01:53.881: debug: Re-signing not necessary! -2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy -2009-06-30 12:01:53.881: debug: -2009-06-30 12:01:53.881: debug: parsing zone "example.net." in dir "./example.net" -2009-06-30 12:01:53.881: debug: Check RFC5011 status -2009-06-30 12:01:53.881: debug: Check ZSK status -2009-06-30 12:01:53.881: debug: Re-signing not necessary! -2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy -2009-06-30 12:01:53.881: debug: -2009-06-30 12:01:53.881: notice: end of run: 0 errors occured -2009-06-30 12:02:05.490: notice: ------------------------------------------------------------ -2009-06-30 12:02:05.490: notice: running ../../dnssec-signer -f -v -v -2009-06-30 12:02:05.492: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" -2009-06-30 12:02:05.492: debug: Check RFC5011 status -2009-06-30 12:02:05.492: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-30 12:02:05.492: debug: Check KSK status -2009-06-30 12:02:05.492: debug: Check ZSK status -2009-06-30 12:02:05.492: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501463 sec) -2009-06-30 12:02:05.492: debug: ->waiting for published key -2009-06-30 12:02:05.492: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m43s: ZSK rollover deferred: waiting for published key -2009-06-30 12:02:05.492: debug: Re-signing necessary: Option -f -2009-06-30 12:02:05.492: notice: "sub.example.net.": re-signing triggered: Option -f -2009-06-30 12:02:05.492: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-30 12:02:05.492: debug: Signing zone "sub.example.net." -2009-06-30 12:02:05.492: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50B303 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" -2009-06-30 12:02:05.543: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-30 12:02:05.543: debug: Signing completed after 0s. -2009-06-30 12:02:05.543: debug: -2009-06-30 12:02:05.543: debug: parsing zone "example.net." in dir "./example.net" -2009-06-30 12:02:05.543: debug: Check RFC5011 status -2009-06-30 12:02:05.543: debug: Check ZSK status -2009-06-30 12:02:05.543: debug: Re-signing necessary: Option -f -2009-06-30 12:02:05.543: notice: "example.net.": re-signing triggered: Option -f -2009-06-30 12:02:05.543: debug: Writing key file "./example.net/dnskey.db" -2009-06-30 12:02:05.544: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-30 12:02:05.544: debug: Signing zone "example.net." -2009-06-30 12:02:05.544: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. 
-e +518400 zone.db K*.private 2>&1" -2009-06-30 12:02:05.602: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-30 12:02:05.602: debug: Signing completed after 0s. -2009-06-30 12:02:05.602: debug: -2009-06-30 12:02:05.602: notice: end of run: 0 errors occured -2009-06-30 13:02:04.436: notice: ------------------------------------------------------------ -2009-06-30 13:02:04.436: notice: running ../../dnssec-signer -v -v -2009-06-30 13:02:04.438: debug: parsing zone "sub.example.net." in dir "./sub.example.net" -2009-06-30 13:02:04.438: debug: Check RFC5011 status -2009-06-30 13:02:04.438: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-30 13:02:04.438: debug: Check KSK status -2009-06-30 13:02:04.438: debug: Check ZSK status -2009-06-30 13:02:04.438: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (505062 sec) -2009-06-30 13:02:04.438: debug: ->depreciate it -2009-06-30 13:02:04.439: debug: ->activate published key 32345 -2009-06-30 13:02:04.439: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded: ZSK rollover done -2009-06-30 13:02:04.439: debug: Re-signing necessary: Modfied zone key set -2009-06-30 13:02:04.439: notice: "sub.example.net.": re-signing triggered: Modfied zone key set -2009-06-30 13:02:04.439: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-30 13:02:04.439: debug: Signing zone "sub.example.net." -2009-06-30 13:02:04.439: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 0140D2 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" -2009-06-30 13:02:04.491: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-30 13:02:04.491: debug: Signing completed after 0s. -2009-06-30 13:02:04.491: debug: -2009-06-30 13:02:04.491: debug: parsing zone "example.net." 
in dir "./example.net" -2009-06-30 13:02:04.491: debug: Check RFC5011 status -2009-06-30 13:02:04.491: debug: Check ZSK status -2009-06-30 13:02:04.491: debug: Re-signing not necessary! -2009-06-30 13:02:04.491: debug: Check if there is a parent file to copy -2009-06-30 13:02:04.491: debug: -2009-06-30 13:02:04.491: notice: end of run: 0 errors occured -2009-06-30 13:02:21.019: notice: ------------------------------------------------------------ -2009-06-30 13:02:21.019: notice: running ../../dnssec-signer -f -v -v -2009-06-30 13:02:21.021: debug: parsing zone "sub.example.net." in dir "./sub.example.net" -2009-06-30 13:02:21.021: debug: Check RFC5011 status -2009-06-30 13:02:21.021: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2009-06-30 13:02:21.021: debug: Check KSK status -2009-06-30 13:02:21.021: debug: Check ZSK status -2009-06-30 13:02:21.022: debug: Re-signing necessary: Option -f -2009-06-30 13:02:21.022: notice: "sub.example.net.": re-signing triggered: Option -f -2009-06-30 13:02:21.022: debug: Writing key file "./sub.example.net/dnskey.db" -2009-06-30 13:02:21.022: debug: Signing zone "sub.example.net." -2009-06-30 13:02:21.022: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86F43F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" -2009-06-30 13:02:21.070: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-30 13:02:21.070: debug: Signing completed after 0s. -2009-06-30 13:02:21.070: debug: -2009-06-30 13:02:21.070: debug: parsing zone "example.net." 
in dir "./example.net" -2009-06-30 13:02:21.070: debug: Check RFC5011 status -2009-06-30 13:02:21.070: debug: Check ZSK status -2009-06-30 13:02:21.070: debug: Re-signing necessary: Option -f -2009-06-30 13:02:21.070: notice: "example.net.": re-signing triggered: Option -f -2009-06-30 13:02:21.071: debug: Writing key file "./example.net/dnskey.db" -2009-06-30 13:02:21.071: debug: Incrementing serial number in file "./example.net/zone.db" -2009-06-30 13:02:21.071: debug: Signing zone "example.net." -2009-06-30 13:02:21.071: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" -2009-06-30 13:02:21.121: debug: Cmd dnssec-signzone return: "zone.db.signed" -2009-06-30 13:02:21.121: debug: Signing completed after 0s. -2009-06-30 13:02:21.121: debug: -2009-06-30 13:02:21.121: notice: end of run: 0 errors occured diff --git a/contrib/zkt/examples/flat/zone.conf b/contrib/zkt/examples/flat/zone.conf deleted file mode 100644 index 54487af2f0..0000000000 --- a/contrib/zkt/examples/flat/zone.conf +++ /dev/null @@ -1,10 +0,0 @@ - -zone "example.NET." in { - type master; - file "example.net/zone.db.signed"; -}; - -zone "sub.example.NET." in { - type master; - file "sub.example.net/zone.db.signed"; -}; diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.key new file mode 100644 index 0000000000..e00ff0f004 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.key @@ -0,0 +1,3 @@ +;% generationtime=20100331230548 +;% lifetime=28d +example.de. IN DNSKEY 256 3 5 BQEAAAABx4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/ 2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ== 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.published b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.published new file mode 100644 index 0000000000..52e1797fa2 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.published @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: x4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ== +PublicExponent: AQAAAAE= +PrivateExponent: MWWd0AvKmimZrtVrPrTAK/UD0ZrJuL3Rcxw6qzxPWE5S3KcdJNtt5HzOPeGWIZVN8rBtPCSRhiksjugrMqkMRQ== +Prime1: 48VMTrU7heYjFQ5ou7rSOpqt2Eot+EBDjYUPKeOR268= +Prime2: 4EGLA3LuyNrDfBHTn0xmGHdO3DvHn6YUmJKh/98WzFc= +Exponent1: WhbPWcw2bisYr9cS59vOFmLxvbXUQgJZTZVYSDW3EF0= +Exponent2: BoCEx7RES9scWl7PFrUZzrzjDIZiBUICbw4BViSUVWs= +Coefficient: DmwngpeIb8+dzC9ETnQOojRJTv1MRpW4k0Jo1NfAC+c= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key deleted file mode 100644 index 55364ea623..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081116180040 -;% lifetime=365d -example.de. IN DNSKEY 257 3 5 BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT m5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnB q1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mU jQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published deleted file mode 100644 index b120c0c6a6..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published +++ /dev/null 
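Review bot: The added `Kexample.de.+005+09743.published` file holds a complete RSA private key (PrivateExponent, both primes and the CRT values) for a 512-bit RSASHA1 zone-signing key, and nothing next to it says it is only a fixture. The same applies to `Kexample.de.+005+39599.private`, added further down in this patch. A 512-bit modulus gives no practical protection and the key is public once committed, so the remaining risk is someone copying the example tree, or its key parameters, into a live signer. I would state that in the examples documentation, for instance: `The K*.private and K*.published files in this tree are published sample keys; never use them, or their 512-bit RSASHA1 parameters, to sign a real zone.` Whether the example `dnssec.conf` sets the key size is not visible in this part of the patch, so that is worth checking as well.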
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: DOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mUjQ== -PublicExponent: AQAAAAE= -PrivateExponent: AcxmOS9ewHH4UTWVHOSEyONodDImWb5DFyMOUzn3FCkdBEnsOAYTO8/noT3PP0uoMK0s7/BlIReEqsyCVcgQVrTbJszoKlwhHT+XO60i3wPJIWF9u8ouFDnGLkbSRpw6L72uRZy9SdSWUWHdlRayK6T3uJGrcsCLIlzaSue1vXjdUobHMVxQ+mPCFNjSgRWOvTxGcsoXPKx5MjrmAUEnLyQuoQ== -Prime1: A50KZhIYCkyx48okZHgirDXs0cVYf2OOvLcNKF4AvBBTwoV9+oFfTd+wKy9f+G/FqVBV1s4rv/M7UCpAFJPCqaDkt+EEv5DNnX69RgvwBrHyxQ== -Prime2: A5KoV2IkWEM9Djm8pZay/fQpM8coQxVutNDb9G4ADMwpwK5ddGifS38jPlHenUKDxSFtfOZBQbyf7ra/lSttpOqSnr/e6s6HHRn5TYfdR9IXKQ== -Exponent1: eWP9FtwMjnnrsAhQlO7Fbko74gKGRVaygSe4Pd+TGM22dHDZCCoc//IBL+s2Dhezy1l8xiOPVbcxzxHMbqrQhPENi7HihDwiR1WfuSaoIfod -Exponent2: AweXUxlW7qBg+v2qV5cCZl+gvTBW/1vP7llsoOqbHR69xLklXEV96TlEbKU8hoSnq8ts8qqh4/HFj1d+KRTeHWpseUm0GXdK/k7ZvYfr7KVHUQ== -Coefficient: AwVZtbgFX0bAOj9J2p48qYAn3EaIuCvzDYoIE3E/m3NZS8UXQ5MK12AFhulRYpWOgZCIWK9fH0MTvtDFk3I5vyFTMhovDBrSWNn/+TJ47CwrBQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.key new file mode 100644 index 0000000000..316ed4061f --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.key @@ -0,0 +1,3 @@ +;% generationtime=20100224232104 +;% lifetime=28d +example.de. IN DNSKEY 256 3 5 BQEAAAABsbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFes ZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.private new file mode 100644 index 0000000000..da24c84685 --- /dev/null 
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: sbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFesZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ== +PublicExponent: AQAAAAE= +PrivateExponent: PHPdKKwdgE+02a+6R+2xk7RfPUmjIW0dclILS0uQ2GL2lYJCaFKoMEZJb/30CkJLWBBGUS4XUPzplYQ8VLn6gQ== +Prime1: 5efr+OinaF8nLpI/N1EuTxuoSbILnPn5pSWVpwJPgTk= +Prime2: xdzEgtE9CEHT06oa0yM+lLMJp2K6RlBiByRo13Sd8VE= +Exponent1: dE2UZNfo/uln1Yq9lz3pImp5gWDjeT+sYIdBBk8qfOk= +Exponent2: TPXU6D9veGi9J41RR3KvLo4s3u/rQWHXyQrO6jQwX0E= +Coefficient: t1ysP5l5JUhi+d3GvFN0EyZAv1nW31lsL+4979deLsw= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key deleted file mode 100644 index cf983b6961..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20080914221502 -;% lifetime=365d -example.de. IN DNSKEY 257 3 5 BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t CKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r2 60jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8E uw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private deleted file mode 100644 index fed718b586..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: DV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8Euw== -PublicExponent: AQAAAAE= -PrivateExponent: CxINUgbVqMf0BnMNYq3aL8ucN4fael2ljQYgDCpcTMfqVuRo+Vo6sMEr3C6Bw8MTHWo2jMxdulyS4tsiMQVVjWUArFL/sfFYLwopjOExcneji6noi8n9dzgslNpo3QAdnKwDGUwj+k7CBzCbLSZ5xpt/eaHcN4l1buQ0tcqShthdh7sNHFX1nAqjsLa7xxCiBsliA6LD/QTAAzcbED0Xw7SJWQ== -Prime1: A+RY6jx9urFg5GeyRqrAiqqClEzyWgEM4HsJn/oQ38PE6NrPzcG9U95um79u1WwWtXe5xTifInhN40CpxQYH45NFjZEuEvROvkXk5JHV9b5UHw== -Prime2: A2949khdV+cKgI2EHmRIu7PJUFkBgrMXacwVpGdaN41NpJYFRYW8qoPmKRrw/Fji7GZj0rrro51XT7JNDbC44dX/bGdNa/eWvslPJGfCR4Gb5Q== -Exponent1: rVHNFnlV2HXIOzi9+2Hit8m7bNXrVXA/DJ3lGCzDL2PzpvQcrL6mMXzaYznP9XaSgyR9M8u+Tdwqq11lHsnWhNLyWKTyAlO5WP3syQD3+0Jp -Exponent2: ArQCCQS8lPgDvu7LI3q5tanr2nmM2uMzPNud9EPSqAql8iEIgOZDLDsMDZd9QHm2Dicjc2UifTcJgQlc3OACSVYkkxjvHKO7t03KNoZkhceTTQ== -Coefficient: GUOOUFWtz0iCPZx1ljdxpP3T4hW7Jux1zcfV6PwX+Nx+8KcawXFfNxjsC1+Sla9Txv02Kgqg9Mh3mCNGynimcbkmmOcfyozKOttAD1sheFK0 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key deleted file mode 100644 index d59a22387b..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090615065826 -;% lifetime=28d -example.de. IN DNSKEY 256 3 5 BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private deleted file mode 100644 index e9662eb0d2..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: ty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ== -PublicExponent: AQAAAAE= -PrivateExponent: Sgdg/vt18JrFh/MgiSh6g/DUiIosmsQlu5QWp5Zep+rUNf0aUZkS4ywyMGGlfUE4LyzvAJD8HkxI3/Xt8rIm1Q== -Prime1: 3TyP1P5STSSTQDaPCYf/H6kJZ92k9X9OaGLoZHSjQoM= -Prime2: 0/bjZ7845gImcCtvCthOPQMiVZcAhEzlrS8A6bs7I2c= -Exponent1: OjNeVeQqqqpfClERHq9yR/OmkMQBY7Zw5ArUZNCbXG0= -Exponent2: mEFLtn8DnI1G8b583qzvs5Qwa9cYjTiZU3WHjs6ROfc= -Coefficient: IT6JOaFB5uiS9EzlTAA1zJD44EpkTAggFoPkRfJG4Ao= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db b/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db deleted file mode 100644 index 71d47f267f..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db +++ /dev/null 
@@ -1,33 +0,0 @@ -; -; !!! Don't edit this file by hand. -; !!! It will be generated by dnssec-signer. -; -; Last generation time Jul 04 2009 01:30:24 -; - -; *** List of Key Signing Keys *** -; example.de. tag=47280 algo=RSASHA1 generated Dec 28 2008 23:55:28 -example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR - mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t - CKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r2 - 60jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8E - uw== - ) ; key id = 47280 - -; example.de. tag=37983 algo=RSASHA1 generated Dec 28 2008 23:55:28 -example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU - YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT - m5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnB - q1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mU - jQ== - ) ; key id = 37983 - -; *** List of Zone Signing Keys *** -; example.de. tag=55529 algo=RSASHA1 generated Jun 24 2009 17:12:33 -example.de. 3600 IN DNSKEY 256 3 5 ( - BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC - XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ== - ) ; key id = 55529 - diff --git a/contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de. b/contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de. deleted file mode 100644 index 86ba183b06..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de. +++ /dev/null @@ -1,4 +0,0 @@ -example.de. IN DS 37983 5 1 635B486D53D19B16BC4A87366BC2D5626978F4B9 -example.de. IN DS 37983 5 2 5B8412FE443D8F4F77AC4C89FF12289DA88998D864EC68E3E5A4EE2C B192F9DC -example.de. IN DS 47280 5 1 149C886C8175B220A964D4293EB4FCFAC1650974 -example.de. IN DS 47280 5 2 466E738B6913F7081DE5E17FC3567771618AB1D6CB0A333270A4AC24 7DB14DD0 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key deleted file mode 100644 index 19861178a3..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key +++ /dev/null @@ -1,4 +0,0 @@ -;% generationtime=20080506225722 -;% lifetime=20d -;% expirationtime=20080711220959 -example.de. IN DNSKEY 385 3 5 BQEAAAABCyg92L7v21N3lc/gR07/2iLmvt6dUn1KKauLvmkRuT040XT+ Rd3Iq20iq6BqVPsPS+hCOTRA3xikTIn5YzmPLPutIRtjIodHhsrML4D9 Pp1dzgEDKWLam96v+E7KC0GGH/BI6/WelqeqjS5BjI4Gjv4roaTyDCi6 3oXwcMFDVwrSjws4A/5AGANka41Aky+UCGse6+64YmNP/QkSXDAeBZqw rw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.private b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.private deleted file mode 100644 index 62b7ca4ca4..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.private +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: Cyg92L7v21N3lc/gR07/2iLmvt6dUn1KKauLvmkRuT040XT+Rd3Iq20iq6BqVPsPS+hCOTRA3xikTIn5YzmPLPutIRtjIodHhsrML4D9Pp1dzgEDKWLam96v+E7KC0GGH/BI6/WelqeqjS5BjI4Gjv4roaTyDCi63oXwcMFDVwrSjws4A/5AGANka41Aky+UCGse6+64YmNP/QkSXDAeBZqwrw== -PublicExponent: AQAAAAE= -PrivateExponent: CGYBtGSIMmSFoqnh6yYuoYlvTP2O7vkBdRrfkN43NwdlQVhco+wQO55QxCZNhCcbp2xau9IdejetNH0pQ3Zfg2Vllx78F8VMTMqkgw2HudWS/RahkMg+Hq6DBUaX/LYt90ToGyy5+FmyBm4fOV8FxJVrmTFMw4m7ULp3FgRcxmzS5zNjKYP2LKU/pYz0wFpyAr88DGNjChgwvRN/GE4obsoJgQ== -Prime1: A18v8idXV3o9tpIzalTEpOeDX7OxKumhUsoDpPhOJf7XqHLS6hYoYwFbRObF23Zi/3kHiAoGffR1Dkd+ji3xZhFOSEcUDuikQ2jdzdY8NxbzQQ== -Prime2: A08XMjIEpsViYvYB+ChuYxPbq7Z/eHtT/r5f8zS+nuEUwYAlKeq/i+U5sIydC1txv5XQuRPqpjtlZTClJ85BpS0GnSspG5PcY3OMwkA2smLX7w== -Exponent1: AcLu8YM68M8LtP7Dr7vYI+vJK6RK5SN/mAnz4ALt53igCUB/iVrfvBWCHp7hEgkRZUQQoItbT9C6YXrC3G9DW+IldSP8vrtqYva4YDBD2X1LAQ== -Exponent2: JdJVp3CAJPPcx0KiKDS8gHDiu22CBV2w1cycnXgwFmJl4aQkbTA7/xlgl15r3lByacAc19JreArqgCQRQV3bS7NG2PiQmzO26XkwCq+Kj7OJ -Coefficient: i6sKgv2zpCvdY9fChryaf5nZyb4nFd2dG/vnjQScBz8YVw4LnfL/XqKIego0Ez6/KlL4AnvkcafzogJ+MtmBB7V4RXEyObcbR6M/MLGMhpL8 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.key b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.key deleted file mode 100644 index 868d2f14b5..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.key +++ /dev/null @@ -1,4 +0,0 @@ -;% generationtime=20080608210458 -;% lifetime=20d -;% expirationtime=20080914221502 -example.de. IN DNSKEY 385 3 5 BQEAAAABDrm5aXRPuZOmwT4nINnY2qXyXWLtutggFAJgBW5Ua7uzAR+7 r/DcOE7IfjnT5FQhbYXIuKy61uOEqPu1TYvDsGb1pseKSB4J0jmXDU9N tu9TDp6X6ZXE11+cFdATa4TPnsAUMSxVkLZanrbyACmcNr1gjT3dz6qI VBVPb5OnUldndbgtlOX3wcE0aR/MIsIjz1UQl/QoxbVclZVOUNdJQGb9 zQ== 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.private b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.private deleted file mode 100644 index b0466be3f1..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: Drm5aXRPuZOmwT4nINnY2qXyXWLtutggFAJgBW5Ua7uzAR+7r/DcOE7IfjnT5FQhbYXIuKy61uOEqPu1TYvDsGb1pseKSB4J0jmXDU9Ntu9TDp6X6ZXE11+cFdATa4TPnsAUMSxVkLZanrbyACmcNr1gjT3dz6qIVBVPb5OnUldndbgtlOX3wcE0aR/MIsIjz1UQl/QoxbVclZVOUNdJQGb9zQ== -PublicExponent: AQAAAAE= -PrivateExponent: AQM2fRAmc6coPLeTHAK1DCHOYCRPSjsHYXoOzwMzzdIpHschjfxka35UdNSGKYpqM9E+VTZmV96w9ZZK5recxYak/6F72ZYTIYtsWYqCkej18nzhpnlt4nASnRt0nsS9UVVwc1Y7QxqRtSVXEcgcbiW3lr0jq+PSBf/HjY9qOHV4ExXlz7KPYOWbJa1YLFnvGlMd/W7hmQvXNEfTvOwjKURV4Q== -Prime1: A/0Yax4evJzC7VSw0Swt0KNM7gtIJ9nwzDCrTymulzKhu6Wgeu0veU9OAGDhv0Yfmn0kr1JLITpMu4uo3a5jfLb18yZEAyPphejZBA+wPIll+Q== -Prime2: A7EcplBfPWZmeCeL6UnFz4h45nxi3jRfQT00k34Nu5aFt5v+ngExbatcoOMnEKZSq2SQKDQRTp6XBOiwPNB9mVaLmzl9k9tyX6JvkCBEDrM7dQ== -Exponent1: AjoJbjmJarH7I4Zj5UPc9r0I5NtVgrAx4ZltcqPN07/1cBS2QAnZuMSLUvv8pkK+Lng9Wdy9c2FL0XjWY5Q+ORYj4ONGl9OWpi2zKqpTw4WgOQ== -Exponent2: AZfFGuYsztbn6tHFUIdIeXfaFTYyVbSfCEUp2Uv8N75QMyyuT4dzAlkU2cfSg3oAefrlCKWqXtLv9XlOJ1hTeXZOz8jyYAyhvGWGoHmSbeaNKQ== -Coefficient: AX6DKJRk0GXwCnkpfbn91myfZ2wgsUTXKjqasdlTqm3JL9Rtpq8J2MWPhexcSSz8DNa5LQlGduE1nh4eqqntnSNckD6CeImMdWgTNbQS3zV8Bw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.key b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.key deleted file mode 100644 index b1fede6429..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.key +++ /dev/null 
@@ -1,4 +0,0 @@ -;% generationtime=20080711221000 -;% lifetime=20d -;% expirationtime=20081116180039 -example.de. IN DNSKEY 385 3 5 BQEAAAABDfaBERX9p+FUi1OXYVig7zLCQFZoRYpwDDuLzBcC7k+G1+wW dftyA1vBm5HMpyq0OifT0Hsez4+H+0CIWHZP8oPCYfKrq+wM2EgMzDDO Yv+O1TQU4i3G+iONxB1RAwH/J2lA+U0zCbrdf0KLq/enNquchhPw4gCX 0RB9HC+TkpoPf2u7aKFcjlpw4C4uhDl1s6FpfdXe6NQWW6c+ONUcLAEt +w== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.private b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.private deleted file mode 100644 index b7f28dba73..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: DfaBERX9p+FUi1OXYVig7zLCQFZoRYpwDDuLzBcC7k+G1+wWdftyA1vBm5HMpyq0OifT0Hsez4+H+0CIWHZP8oPCYfKrq+wM2EgMzDDOYv+O1TQU4i3G+iONxB1RAwH/J2lA+U0zCbrdf0KLq/enNquchhPw4gCX0RB9HC+TkpoPf2u7aKFcjlpw4C4uhDl1s6FpfdXe6NQWW6c+ONUcLAEt+w== -PublicExponent: AQAAAAE= -PrivateExponent: /MDd0rAZf9mm/3cDi6TjTqeegMmnidhKYIzxyz1+quzwOA16L3jLf3ucWjz/BlEiOYh1CZbAroGRYqBAskys8u7FDinOQEP5cEn5NUyL5z0WebSCO+qnaqaQSokRs0oUx3+e9tJc9GhhmZIVNXQe4mYxfeYCl6KZS9CXe22y31PkvJ+SQIBh/I+SQnM4rbW012rKroAxdHfTvmalofx+Qb1h -Prime1: A/5Pkk5UAGvEa06GrEcATMOjsxZ0BbgalPuJKLLTFzvtYhdlJY738oY0QfsHba9hEC+iiSwfjWYyNlH/7bcVqSFtbLJiJ0aUfvObj75qw4HjXQ== -Prime2: A38aQzy3UrARKcwUqCiQrSOTM5P7xIDfbruW7ywmaWA1lXCvP3EJAal6MYs0pG2vx1cxVTIPva3Se26NkGaBqZw+RgHxmRmfgxvSoCfWXGZZNw== -Exponent1: OvPYJBkVUbncb0mBtTe5uwa9RgGlCgW4ges93zf3UQuHGvAesUFNnMh6y9zi4vgyVNbz2KOSnA91onc9l42b6NwqRNbExGhDsMc8NQi16vnF -Exponent2: AkkCNzHuGv3HaQ4MpRT/PLPA2UONseMBvJHWlgK+aO2xb6/7I09sPqKnJ4f6Bj5jL8efNZYHWsaN4l335V9lc5791opU+07LHHpULn2qVRpJYw== -Coefficient: An94juF2F5cDtoMC6gwI5iaWDH/qxkeuZ62fnMFoMY18XO0/clTVfdW7XvXCOn1DQyDLDOYpxR5MfeDKkbxtGGYKABWBOWlyaS1A5D5wTQRJzw== 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/keyset-example.de. b/contrib/zkt/examples/hierarchical/de/example.de/keyset-example.de. deleted file mode 100644 index 27a14419fa..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/keyset-example.de. +++ /dev/null @@ -1,19 +0,0 @@ -$ORIGIN . -example.de 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+ - Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl - z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH - z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R - 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/ - us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4 - 8Mlp1+mUjQ== - ) ; key id = 37983 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4 - LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx - 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq - vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO - lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM - GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs - K9bqDM8Euw== - ) ; key id = 47280 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. deleted file mode 100644 index 9b0fba30be..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. +++ /dev/null @@ -1,7 +0,0 @@ -; KSK rollover phase2 (this is the new key) -sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn - W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny - j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY - 04a9eVgvhME= - ) ; key id = 26451 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key deleted file mode 100644 index 2448a3d3d0..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key +++ /dev/null 
@@ -1,3 +0,0 @@ -;% generationtime=20090624151233 -;% lifetime=2d -sub.example.de. IN DNSKEY 256 3 1 BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published deleted file mode 100644 index e3416b959a..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 1 (RSA) -Modulus: uRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ== -PublicExponent: AQAAAAE= -PrivateExponent: aSzCu6CvJa0ABmgFOLLsIpvCHkuGUUszn56T6JrEqbFrVapdYaYlaw76m6aQ/esEx5jRqBjmbjTlbI3mtblxQQ== -Prime1: 6k517gzC9UDjFcveMB+lfD18Q/2SO3yiy+ugDdxtzok= -Prime2: yjLNwFrUyQvebLb3EeUpvaPyFAru/KFhbskaGlKUfkk= -Exponent1: xMVCDp0L87uIsqvOGWoXvzO5uyK1ING1Eff/EAwWCzE= -Exponent2: g4KaqnwxQrZdgAPma04NWpQk7vEgzKdKOBCVILhW+QE= -Coefficient: fZsDNVAIdQYAD281j3BfVnraBU/jnNTCxxz/zAKJexw= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key deleted file mode 100644 index 901a1ff9a1..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090615065624 -;% lifetime=2d -sub.example.de. IN DNSKEY 256 3 1 BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private deleted file mode 100644 index ea34cfeae6..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 1 (RSA) -Modulus: stcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw== -PublicExponent: AQAAAAE= -PrivateExponent: p47j7xj0y+cF9AFjsRfak8KNTAyzUmw31PNlocOWNArcC7YzNA/E1xdjsdTICI6f47Ozuk0XSCS26Evd9D0UIQ== -Prime1: 40dBU3fjj3rXcUO9bgSVeMwJjbeXFi+x8WZ5v0UQjPE= -Prime2: yXC+OLWVbVu0NOCHolcQfyk2SepCknuZZ/DCn3j2+zs= -Exponent1: hlGqyB1o6RWsLL3V2bTKssQYn6smvuUCHQrdyWira/E= -Exponent2: xKKBa6eOsCOygJAI9OK8k1jUp8HQKQTNUJ3lUWEVn88= -Coefficient: pCt9BOElLNatY5c0uSpUav2GbAyIkJ6ngFLj39q4Om8= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key deleted file mode 100644 index eb466736a1..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090703233023 -;% lifetime=5d -sub.example.de. IN DNSKEY 257 3 1 BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ jyZPu//rrNM= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private deleted file mode 100644 index 819b8ec9e5..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 1 (RSA) -Modulus: xmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM= -PublicExponent: AQAAAAE= -PrivateExponent: XlDWosjdpEbIW8ZRePu+4sLTs+RCmA9bvovqke/u0Ihkf6zWx6J2DnYj182ohyoJlVr1NnLILTkNhJn6JI0uBqJ7KRDVXl+U2mHnQNwGqbBu2X7Jie4xFMp233n6Z/HNpj5RM5THQ5tFEJk+TIvq/Hm9z8fvAaeYnHVhrTTJL8E= -Prime1: /igp3zZZKfWKdgOkCgHxL8hHemOTtGfEpi6ZYkffjLKiSOZJdMNHjLXEBCxsYN/z0nB0XXhIbSoUAv/EQVoiGw== -Prime2: x9Fnz8jP/a1OIK9P0BDnEmjXFB8oa5T9/qpKGA39mH/8qUnlrjlXOYfD/3tWSdEJYFVVnfC5j+toAL+S0xwLqQ== -Exponent1: 8Jzwnn7H+XAirDxPLBq1LUGyVU6HwB5iBzomgzRwIYcVyZ42703Hj+EWJDDcA8do637glysqT+TJspaoJHwOLQ== -Exponent2: AcOgKCzXdN3++cGAJxOS/MSETfFCWn1msgTeTw744kqGLVdnN3qX5yXGrneVjZGziKYLzLnKOs07AkT2uthRuQ== -Coefficient: czI2hMFi9kfCMkcNwKWk+3sGUD7bXNI7HVmkTS6dnCmB6jGIlN3gtqDlNFLd7RcHhicOMGpIHE6JVT8vSkfouA== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.key new file mode 100644 index 0000000000..ac38acdc2e --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.key @@ -0,0 +1,3 @@ +;% generationtime=20100311230027 +;% lifetime=3d +sub.example.de. IN DNSKEY 256 3 5 BQEAAAABxKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+ fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.private new file mode 100644 index 0000000000..3aec6098e3 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.private 
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: xKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: LDta/Lx7ETLqQamSm9XAERno+ixf6Dl/cq10zcd8QNLuvleFqMvtRURxfhFhNlrvFTuckz1IzIX7ufecSrarYQ==
+Prime1: 5x1rjqJnLrLUd+i4DUmSutQQrQZWg+vzwurpGkxBCTc=
+Prime2: 2dmVy5A1h7avKD9Ez0rcg1G96wxVkdp+/8AvXEYe+QM=
+Exponent1: Fx9QLrquictb9W74f5gmRs5wQcsyWjkNVXUE/eb84l0=
+Exponent2: kexPooMJG2rfGbnWG0Mnav28EcV7q7xNnIHELjRCfWU=
+Coefficient: Liq85Ma7Ki3tZePKv/v+he9UgH7J5tgDnmHof0370/M=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.key
new file mode 100644
index 0000000000..dcc3432e88
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.key
@@ -0,0 +1,3 @@
+;% generationtime=20100311234526
+;% lifetime=7d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB5pX0X0XUdIwL0/k/VoAsC33UZ9xk/U2v5KKBFZKM3TqQzL13 EcucIdpDsazbz3slOHbHXsZYjFtJws+ZZKq/53AygNiRvjTeQskYY1W9 6dN+3keQdlwgIGQL0HnjBSksm42T2HXFlQfi/3YHlun1MzHzd78xpeuZ lvW8DPh+/CM=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.private
new file mode 100644
index 0000000000..a7d615d82b
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.private
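Review bot: The zone-signing key added in Ksub.example.de.+005+07295.private has a 512-bit RSA modulus (two 256-bit primes), a size that is factorable in practice, and the same holds for the +005+40559.published and +005+63530.depreciated keys added further down in this directory. These are example fixtures, but example settings tend to be copied into real zones. The configuration that produced them is not in this part of the diff; the removed sub.example.de/dnssec.conf set `zsk_bits 512`, and if its replacement keeps that value I would raise it to at least the 1024 bits the key-signing keys added here use (2048 by current guidance) and regenerate the examples. A sentence in the examples README stating that the checked-in `.private`, `.published` and `.depreciated` files are public demonstration keys that must never sign a real zone would also help.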
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: 5pX0X0XUdIwL0/k/VoAsC33UZ9xk/U2v5KKBFZKM3TqQzL13EcucIdpDsazbz3slOHbHXsZYjFtJws+ZZKq/53AygNiRvjTeQskYY1W96dN+3keQdlwgIGQL0HnjBSksm42T2HXFlQfi/3YHlun1MzHzd78xpeuZlvW8DPh+/CM= +PublicExponent: AQAAAAE= +PrivateExponent: fWmnzNBw5Pz/Zk7x3dJwg36L+myF19pas+uYon6bL1WuIYGSu5TnZbmPemkyo2XrWedlv5+sXdpY5H2axgpmKtDyBCmjCSL00ohcjQlFNmp5U4YPU1cvlfnCCCUMRVzzTwp1iZ39Y1rGKTALITOazux161s1V+C8xErGnMYXjhE= +Prime1: +H/1W3Qgd6CCwi3cwrtfWzhosSjbb7+6WVo7bX2Rn6EBWyo07Y7WpIGAEdkBGsPn9Ow8JANPjzNzqrcF4LvUtw== +Prime2: 7YuVHcg7Fa4MysfTgaLKupaCVKkJxQ3SDVp2mVABgu9GkKzKgPRlwznLANgKC2kWudUqKG0+jO97GxV6Jhff9Q== +Exponent1: sCr44sRCtIX9o2izqQZAca6koln9//yloHgwXyQepvJGeuxWsfpSGmUf5gJlvaovrTdN4fpy5mA0b4vZnQRsBw== +Exponent2: k3Q0J6VvHwFresOiQ8Ekzw/AHXgGY+X0+MJWJ+6IEy2dCQWOHPhguXyAKP8B8ootNijjM2Bzb76eeT0vz3mKXQ== +Coefficient: A9rqRcjvB0xOPfSUAQDclV8JQPq+xHBOXIpOm5xDtrzQpjv/6uams+bgNeV7m9CPi5jyjWaM5XGwUQv+3itRyQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key deleted file mode 100644 index 66523d4e1c..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090630103352 -;% lifetime=5d -sub.example.de. IN DNSKEY 257 3 5 BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 vlXrwWNo4Pk= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private deleted file mode 100644 index fd15204068..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: tnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk= -PublicExponent: AQAAAAE= -PrivateExponent: WGyscUMH71EaEXIbZdRFZ6J951l/3sXPtaivtQkOHt0E0bmHhqqqLta8HN/2xZR0w1+W/VAV6sCHXoTzhs82qUQOV6QpkR2tmN+etB/CNdGKrT+VvXrD75TJbCeegPeCvjnWbivAsmC2l46ogTMY0M1VZxJrWPKxpmEeQhxNFz0= -Prime1: 5s6qRA7112fgOe/e+nq85LK/PkwOOoyOabhoJOL7I/5i9F5eBWBel4PCEaemGrGNk0zKqRFmE/Zs4DU2JsUMGw== -Prime2: yl1x7nEIDegqhVwO/dvATBC0v8oVNRmqo8aBB/6apdOcuToBTSPrq+qPnq3ehRNK2Oz4CVYtoNtF9Xt+GtUwew== -Exponent1: WoQRwLNR/Gu7SXDr4Y6A6eZ4YmwPqeistIcAmUaDxFREAn6eDxTJVA/tYeDKZ8L8sREOsdURTzkdePR+fHF/6w== -Exponent2: U3eTb0W5WVGW+v7jyBGlzoZciU7nZNajKLo0X6GriGfpcfctnjsSQL3hjQzZRk0y7YIIdgtv0ApV5iTmQ9FUvw== -Coefficient: hdjOg1UkqrwW5sVyS4o1KEW0Sipue+s3O8AZ11BVa2jt6ijqazZRQTMQBSoRpu8N+h5+jA1CvJmXUYTCRocSew== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key deleted file mode 100644 index abcbd117d9..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090615065826 -;% lifetime=5d -sub.example.de. IN DNSKEY 257 3 5 BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY 04a9eVgvhME= 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private deleted file mode 100644 index 78a8c1f19d..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: u2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBznW7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME= -PublicExponent: AQAAAAE= -PrivateExponent: opFdHZAmZ2/cdNYkJs+CD0jU3nK/atMHKnKtsczlAC7p4eqmS2vRj54oe+yG204gZ3yzLp6yIp3TALfutc5HICmuyfMUdliiaUn3dcbzcc6QK9XgcEJPSz2X5Ot04CdgafNZ5g6s4r2zWSSRBYsZtCeZbevIH4KJcJjh/D5IDF0= -Prime1: 7SZBGa/9lloRYImdEH5auLkCDGezv+AGKFtMm/UjQ8KwezpxtjFz+KsWckEtyUkDIIPWAQ3t4iND118Nb7L8Uw== -Prime2: ykU794Iygwej+0ZsLsDju3Iulniy2qtvQ4CrS6zu6D0BzuiQyAEI9V1PThMnIfHlIA3g8rGRK8AAARiCrNh4Gw== -Exponent1: tcJZs75GusGfQ7z3N//r+rp67thZlOV3RY//4mm+t3Hg4qZEw02A9kSmNdiBb0VzVhKIHd3OFvXCkdKa5fj6Qw== -Exponent2: nyGlgUHTHESEFHfdJEIxVvRNa12iG179Mfu7ytWNpKUV9EvAP1WfyoGlLEmhhwENii/xK1e4qwxNk1yjBtQ8CQ== -Coefficient: r2Nfc/szQ0mm/kJdfenPpWVbdvAML1RSt7CxaNUfYqmnuMRP12LMJazAApIweJKNI0u4qDBLIHhAwbXKFtLm1A== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.key new file mode 100644 index 0000000000..fef043b892 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.key 
@@ -0,0 +1,3 @@ +;% generationtime=20100224232104 +;% lifetime=5d +sub.example.de. IN DNSKEY 257 3 5 BQEAAAABw7VUqnhpsZkrjxhFtr3gUk2qCcs8utrOFwwsMgxQwzcMoJfe S9Ctq4Rp4M8s20tSq3rXzt1h8LxjsSLqbdolqgWcmToSGo+IZikT/87c vsUqzKgCQx84n2Il+//AvLPE0I00mGeOK4OR3yLqxrP/ghYXqydlUvgX HLeDoqHQAFM= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.private new file mode 100644 index 0000000000..6df96f50b0 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: w7VUqnhpsZkrjxhFtr3gUk2qCcs8utrOFwwsMgxQwzcMoJfeS9Ctq4Rp4M8s20tSq3rXzt1h8LxjsSLqbdolqgWcmToSGo+IZikT/87cvsUqzKgCQx84n2Il+//AvLPE0I00mGeOK4OR3yLqxrP/ghYXqydlUvgXHLeDoqHQAFM= +PublicExponent: AQAAAAE= +PrivateExponent: uoruJIZElyAQA+KeL5wBYD8hdNbr9/By0IHg/cPVZd6526ahZpWob5ucps4xjq02rgLl/i0FvG+o/iJJKQ072Wvp4LoSzFpLKRQPQhrC8tf2Zqaup03gDlaMSe+mav59pisU/yRi42xkLdFCq9qAqOolhMYH/5rTTIQjLGm4N+E= +Prime1: 6WHxgLrUdEcx9ByQvaC1+POsQpA77D9kAqrgR2iPXlmlBsp6JD/lImNCZCUcnt1TRJWEDmMoP3U1diWvvV69MQ== +Prime2: 1qy3KTqZNxlxGOJ3GvtUT9AGvZrKCNDDvPYGW6UT1aMCaR7rVKOjuxsdTZGBgVQMSynTVhrsirOsUodhYfskww== +Exponent1: gJeuTs2r2TORC6JlxWb7cWyKpTwlAiVZPO8V1bHwT9XoT5upILso6ozh8IB+o2SdxhxNSx0gXmnU9xPk58SJMQ== +Exponent2: qT/gYLKfcgWDpIQ1/ZSaCNqeBuyzUVpR1+HTySxFSUD9+yu7Ra07/E+N5EFlfW4WshA762j1Ums8GtKNNZ3nKw== +Coefficient: SwfLMVH9qp/SuXcmnOsYQd0kF9JcYdVyi3HiP3EvI/G97sKT2P/RXVi1hSPQ1AocBX6Fwke2FYQpFGyV0/IuwQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key deleted file mode 100644 index c621dacc14..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090630100243 -;% lifetime=2d -sub.example.de. IN DNSKEY 256 3 5 BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private deleted file mode 100644 index 0cfadf3542..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: zVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w== -PublicExponent: AQAAAAE= -PrivateExponent: v0UmLwzL0RBea93NN1Q/yMFvFHSI30Np9yxdVCxDjq6zYrCiv2UTwXzPCyG1JWhclopzNII3DYR9ISgha58QCQ== -Prime1: +Bo/midKqM2wRrPj4owYKZuocaTi9oEWb+MstOkOWe0= -Prime2: 09q0bHeQfNY3OQsry+f2Csa2koLUcmfxxf23bzElKBs= -Exponent1: DORw4XBF3dMjMygLL0A7KTeQlW0iDgSD7tAPMTKSmhk= -Exponent2: BLC9fqcbNVq9EslHvNzhH6ElMO1bysgB3rAUKhk4Srs= -Coefficient: jtQYbg6K63W4zqe6HCxXpI9N5vqwlZ/bK9T0JQZjX94= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.key new file mode 100644 index 0000000000..1cc8af8d35 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.key @@ -0,0 +1,3 @@ +;% generationtime=20100331230548 +;% lifetime=3d +sub.example.de. IN DNSKEY 256 3 5 BQEAAAABwp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2 uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew== 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.published new file mode 100644 index 0000000000..a6a00f8211 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.published @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: wp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew== +PublicExponent: AQAAAAE= +PrivateExponent: Xgmu9fyg1QoKridDOUywH7mZg92dEvGVIcz5QrpXMYZDhi/Z1NLB4UJwaO4Kmbg9EyAT+ms3fjjC8ncy+mVnEQ== +Prime1: 9wrDpiFEJkYGuCC0JriZgA+uaLBYtzudTzUByr8BGU0= +Prime2: yavdgu+a7BloewO3Fzg6JwxYvJYrfeAgYLVr4uXzwec= +Exponent1: Z8tEYnN2N5LxFjL9+mdfnOjNhVxAouZ/wyyokWf0C4U= +Exponent2: axnHnwpVRfb5Xt25+8oIVoVH4YdTXDCbr4nkcjru4As= +Coefficient: dvqfAzS1VFtC6dvzFTgh+GoFt3EwIxHDXcskNmbFDto= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key deleted file mode 100644 index 34d554cfe9..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081002230219 -;% lifetime=5d -sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/ zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnU ISRyLtFdi10= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private deleted file mode 100644 index bcb0e1634d..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: 1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10= -PublicExponent: AQAAAAE= -PrivateExponent: esuIKav5AkrTaOu06kDZnh1+fL3BRkH6D6IZBBZxmidd6zwEvTR9dQ8kkoDSY0WTZxZDKYOJtWha5jrDnLaqKvPizEnfxs7P4yCe9fpGy/BZ6BkvVWECKeQ9o8ZacALg8If1NagdhTmueflj39qquBogoe7TWiWxsNTJzq0os4E= -Prime1: 74wMDEa4SeFhMLIWgOz6hwdP86ak+JLjdRsTmj1qFykYHTlG+h3y8ic79fimHaD0P1Tbk91pOgh1rBeLWTXzOQ== -Prime2: 5H2Pik/CdxqcIBCyqBSN0hwfzwCry3t2mPVtDmc79XyGLOwiGhzWkbMeZro5hjBxpN3U4Kb5WuUGu7+paEnlRQ== -Exponent1: 6QSyuPdI58qXPZQogATGykz9nR+n1FySUWtanLUlQcNDS2Nl1zaZy9+fzAuiekF3EZQxlSL/dTNoUP/dei4pyQ== -Exponent2: R5IuojoV16bq6HTDRahO756zqMwaG+Kp8DGijSjzHchNywnCpzvlHK2+WXbjx/7Smno5zrB1cOYMQ0xRwOAn1Q== -Coefficient: Bc9CyTQt6wEU/ShcJLXYGKVnBMdzM4JjB7y7sj05E4kLocYaQw2slxBFZyc7oGKEaAFKsqIC2JyurCo4Z6mDrQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.key new file mode 100644 index 0000000000..06b80bfaa2 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.key @@ -0,0 +1,3 @@ +;% generationtime=20100302100015 +;% lifetime=5d +sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB5KlPbV06agsuPzuijxhIDwNpKC5mGcW/BHnXTIckGoTH8kyQ Q2X5wg3SVqZS5AhF1sJ63dRlEUmr6crC3oIb7oZkgaI6j0oBRMrX63wo 9URebgSCBVBllTo74PhCUlA9taSEiThhzNScje7lk34yU0JSAfxyEiwq c3x8BzbIorM= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.private new file mode 100644 index 0000000000..f6628daa90 
--- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: 5KlPbV06agsuPzuijxhIDwNpKC5mGcW/BHnXTIckGoTH8kyQQ2X5wg3SVqZS5AhF1sJ63dRlEUmr6crC3oIb7oZkgaI6j0oBRMrX63wo9URebgSCBVBllTo74PhCUlA9taSEiThhzNScje7lk34yU0JSAfxyEiwqc3x8BzbIorM= +PublicExponent: AQAAAAE= +PrivateExponent: y+rt5sGw902oNDr4JAP2+erGfuYpp1g3UavEEPplKcyFZNg21fMasVCIyerS5ORCr/ktaNP9ZCuOkv/Ob9CY6hbbMMFKHIKGtBb7eu+et+fbbr71fdxyqHlcpqfAiRjsqYLuLw1r93Odw1HyCRpiIVR3Esiq7xTTsbd6v+mjqHE= +Prime1: 9deZ3ccGM9abtuCR/vGI2v8dOR3WwzhClE+kmRKhB+++ON5hvg1Y+cJc60FpWLHTxKs96t4axX/6ijiRWZpyKw== +Prime2: 7hv6lVRo8UCdt/q4n9OKbDnPu8z7GokPSXcqT5O8W7p/O7Yvuy0YMRbL8CTJw2A4IP202bScW5Lg5EWdPUa1mQ== +Exponent1: TM/bBQFxZfgGdjnJ58qGE9e5GNuqjNgT7HacbqTtnvHKQmRTp6Z+es8qV7U6ise0Glyz/zwB9BuYynUU+XKpsw== +Exponent2: MHiLBFWwhaeg21jfCAqblY6elrqmLWiq6qkk8mRPTHtyaCkr1fa4/4u6q54XiyIBQxLKUf3prhjzq+o+hagIYQ== +Coefficient: fi1lTsYNS1ka3RHT8SxGcwur8oRZLPAaLu8UYFxy9bfAInYkUg/jnR3q3i5BcKcr4+UL6Pp9iPzl1AfMQj//fg== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key deleted file mode 100644 index abcde6965c..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20090703233023 -;% lifetime=2d -sub.example.de. IN DNSKEY 256 3 5 BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published deleted file mode 100644 index dbaaaea977..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: umjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw== -PublicExponent: AQAAAAE= -PrivateExponent: QuAiyiQQUiopUhjwXZa0E5s+tj4pf/de2jaKwQKGaXbhZMX3ispK85LKkvjGr1ABA4+w59cnMHaeKk7nHRVDCQ== -Prime1: 3eK3/XpauQNk2f7fpzOZOYokiS4Nx55XmGxUu3gTPiU= -Prime2: 1xHRlPz8vYslUMhZxgNZY9fzczJzjbjFP005iokb+Ks= -Exponent1: CjTZf3NTj0mEQLOYF6HIoIkNlBTQjLHIauAjx16Er1k= -Exponent2: z10pNT3TMAYu/V+nkLnw0afwXjvF8KtgwIw8j5rD7B0= -Coefficient: wAh2F+9cb8rF+bp/spymV25IGtBq+ht/TU8Rt7PRrLc= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.depreciated b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.depreciated new file mode 100644 index 0000000000..6bfb3dcaec --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.depreciated @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: wBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4QlglYkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw== +PublicExponent: AQAAAAE= +PrivateExponent: mcrUc9cypiq7j30rntMoCrIxE9SemJxzTJ/USNZPGqfa4MpfsfvIt6A+8JzgS0Sx+6piSk9d8QSdr55aVqgEYQ== +Prime1: 6dRm4EGvg7WN5LFAMv/8HzeyZbNu7FlQwf08QZOmgYc= +Prime2: 0lM7LrrOzTThb372TCC+7Wz0S6GuqfjhM33MWwNEeZE= +Exponent1: Q8jFuxbjffHEGZxuUdLkkmWka0hDlACozr31blXYgCc= +Exponent2: yqc1ijD9jaK8b5IUIqsx42nbJ6boeMyx77wfOUoXw7E= +Coefficient: R4QnEkjxtLd7bPChAqblYPb9A8lcsD7KGh5fTR9LcFM= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.key new file mode 100644 index 0000000000..776c4a95e5 --- /dev/null 
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.key @@ -0,0 +1,3 @@ +;% generationtime=20100302100004 +;% lifetime=2d +sub.example.de. IN DNSKEY 256 3 5 BQEAAAABwBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4Qlgl YkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. deleted file mode 100644 index 0a83288d8b..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. +++ /dev/null @@ -1,8 +0,0 @@ -sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961 -sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2 -sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E -sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A -sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A -sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1 -sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75 -sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db deleted file mode 100644 index 68d9dfb627..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db +++ /dev/null 
@@ -1,65 +0,0 @@ -; -; !!! Don't edit this file by hand. -; !!! It will be generated by dnssec-signer. -; -; Last generation time Jul 04 2009 01:30:24 -; - -; *** List of Key Signing Keys *** -; sub.example.de. tag=40956 algo=RSASHA1 generated Dec 28 2008 23:55:28 -sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg - CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/ - zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnU - ISRyLtFdi10= - ) ; key id = 40956 - -; sub.example.de. tag=26451 algo=RSASHA1 generated Jun 15 2009 08:58:26 -sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn - W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny - j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY - 04a9eVgvhME= - ) ; key id = 26451 - -; sub.example.de. tag=24426 algo=RSASHA1 generated Jun 30 2009 12:33:52 -sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D - xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp - 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 - vlXrwWNo4Pk= - ) ; key id = 24426 - -; sub.example.de. tag=60332 algo=RSAMD5 generated Jul 04 2009 01:30:23 -sub.example.de. 3600 IN DNSKEY 257 3 1 ( - BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ - f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg - oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ - jyZPu//rrNM= - ) ; key id = 60332 - -; *** List of Zone Signing Keys *** -; sub.example.de. tag=11091 algo=RSAMD5 generated Jun 24 2009 17:12:33 -sub.example.de. 3600 IN DNSKEY 256 3 1 ( - BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ - 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ== - ) ; key id = 11091 - -; sub.example.de. tag=38598 algo=RSAMD5 generated Jun 24 2009 17:12:33 -sub.example.de. 
3600 IN DNSKEY 256 3 1 ( - BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe - zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw== - ) ; key id = 38598 - -; sub.example.de. tag=37547 algo=RSASHA1 generated Jun 30 2009 12:02:43 -sub.example.de. 3600 IN DNSKEY 256 3 5 ( - BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy - 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w== - ) ; key id = 37547 - -; sub.example.de. tag=57863 algo=RSASHA1 generated Jul 04 2009 01:30:23 -sub.example.de. 3600 IN DNSKEY 256 3 5 ( - BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 - XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw== - ) ; key id = 57863 - diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf deleted file mode 100644 index d7d33ca802..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf +++ /dev/null @@ -1,17 +0,0 @@ -## -## dnssec-zkt v0.4 (c) Jan 2005 hoz hznet de ## -## - -resigninterval 36h -sigvalidity 2d -max_ttl 90s - -ksk_lifetime 5d -ksk_algo RSASHA1 -ksk_bits 1024 - -zsk_lifetime 2d -zsk_algo RSAMD5 -zsk_bits 512 - -dlv_domain "dlv.trusted-keys.net" diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. deleted file mode 100644 index e34d70d4ea..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. +++ /dev/null 
@@ -1,8 +0,0 @@ -sub.example.de. IN DS 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961 -sub.example.de. IN DS 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2 -sub.example.de. IN DS 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E -sub.example.de. IN DS 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A -sub.example.de. IN DS 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A -sub.example.de. IN DS 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1 -sub.example.de. IN DS 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75 -sub.example.de. IN DS 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. deleted file mode 100644 index d2f21e1707..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. +++ /dev/null 
@@ -1,29 +0,0 @@ -$ORIGIN . -sub.example.de 7200 IN DNSKEY 257 3 1 ( - BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4 - LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW - /iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6 - gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb - vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM= - ) ; key id = 60332 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4 - WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c - pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ - uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X - 0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk= - ) ; key id = 24426 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q - W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr - yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ - ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY - 0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME= - ) ; key id = 26451 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4 - 8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv - yVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTi - dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB - geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10= - ) ; key id = 40956 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key deleted file mode 100644 index c880c4fad1..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20080818053647 -;% lifetime=5d -sub.example.de. IN DNSKEY 257 3 5 BQEAAAABvYDREzYgpwbapQq47TOdCxf0+0vn0rFKNv0HedmV0uSQ8mkt PRHKKQNgeBDWN99JjV47XEFeYRmMYIixsEjjMTv7jBbYYlf+pMEnDfip wj1bvaQRsQ8KFLHnII0syARkZfxVllNulIYsYLA0QOH1bqUXCy3WOUO+ ykohqGTWSgs= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private deleted file mode 100644 index b9141de44c..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: vYDREzYgpwbapQq47TOdCxf0+0vn0rFKNv0HedmV0uSQ8mktPRHKKQNgeBDWN99JjV47XEFeYRmMYIixsEjjMTv7jBbYYlf+pMEnDfipwj1bvaQRsQ8KFLHnII0syARkZfxVllNulIYsYLA0QOH1bqUXCy3WOUO+ykohqGTWSgs= -PublicExponent: AQAAAAE= -PrivateExponent: XMRzabB2jRdVLpnDth8Zr1okVfyBA9U0f2/qRnQT0ltPBomFgazQlrN1cyvt34vuqHsk+Nb44/HZLzl369HK9iO99sD3N+gKDXv0rB+r0QOSoku8eImkk6p0G5VLkdROSggo+GgUJmWMa0BGg4Y9XnStN0+bwyr/cJDkdPLnKqE= -Prime1: +UoUiIMjAVNDQ4BRYUhW9PIiXCFMUOJQNQ5bIcYLBJBtkKJl1exS8MTNxTQgcRy3YNgUx7u4Fh6FEsBfVlL8kQ== -Prime2: wpq74Cv2kvENsDlAXpYcigtNB8rtiOXGpe/eUl3Pj6aahS97KYyXivoHK+xZpoxLTz5dE28v2jRc+o7Dedma2w== -Exponent1: toMLd17tND5W6ifexKH0olazwhokTxSyL1JrSjmSo2BqKjohREv3alaIq/+2epKuDoX1/jI6kOL5JJHvX0ngEQ== -Exponent2: JR1w0pvriWfzXCwPel0crw+JUUpDM8bFiYDZX/zkNyuOrplqbh2REi5bCf0AUOgxie78WjxTvhyewwiByHtF/w== -Coefficient: RADyZiLO+IXAJ4pFGsX5m0fZvixCmQdN1mmN9NnzZws43mb2KhKs+UwOsDpU1R5RddoCWgFhz58dgMS2VId8XA== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key deleted file mode 100644 index 1ff71b831d..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081216163213 -;% lifetime=5d -sub.example.de. IN DNSKEY 257 3 5 BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxX T5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEE J9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVji qj6JGXl48/0= 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private deleted file mode 100644 index 2bf7a9956a..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: vFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVjiqj6JGXl48/0= -PublicExponent: AQAAAAE= -PrivateExponent: BKxnBi6a/3ziyfbN1FifPRo0QzGrQaZsVmJK3KF5keyYTRbImsVEFuYyc2sD7YZdACRvX1MIFoxMiORhxXlU7rrawQHtGXHHFIdBCE+/GINg9NtAijz/I8LCFexsttRGUESyXQjx0QCOr2j/qGpLU2jDspoQnOuAJNABDQeXtNk= -Prime1: 8ta4x0uQsfcfBqvGUoX4Ngtr/zWExLRDY+THy9DV7aKNw7UBvOnPjL7NQD4RTHRp52buZbh33XDB2ujA6lV/Yw== -Prime2: xo3tGYInbtnFZe6/Itwz+uihogLj5lWpn+e1VT6aa2SdSES53MrVnu7+Swsv7KAZHGnT99pLjwaTsNvo1MeNHw== -Exponent1: 6ALwJf4uypQi4g+zXXfnhNnkU6xHhG8MolwpE2UlfJ02GovKsgWbxNnoqdQyGeOMhSeHaj1Fzyca0TmJqx0oQQ== -Exponent2: iA6ciyRLclAnq3HMo1uul8ssrtyRF4FhfFJ+/nhSvqYX6uvcUH3HqV4Tarq0Irf79jq+wwEUKmG6VLP6wMnwRQ== -Coefficient: Z7PYXTT7y8EHoHTBE1ioOegzTgJ3gNnb6Pd4atgsyANeFxbUPukgr/rf4ahkipp+r6RcjBm4yJtEp0kSlJnhCw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key deleted file mode 100644 index 9c7c36c833..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key +++ /dev/null 
@@ -1,3 +0,0 @@ -;% generationtime=20080726221746 -;% lifetime=5d -sub.example.de. IN DNSKEY 257 3 5 BQEAAAABpL4/T8z6mCbTm46Y9+KJOgCAk+dGHBoyg75N1f0lwYSZOLyy yOLWwDxlsfkb5WwvZ1ZG6NFmg/3o5N3Zd7TEkkvHZafRMrzHFicdIMSv jmOWVBR0GsEb+reREu5X0sdZbqOuxT6CkKoTXRpRZgU9ouus6W5bSWQA fdQIegTBBKk= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private deleted file mode 100644 index 3e39f5acef..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: pL4/T8z6mCbTm46Y9+KJOgCAk+dGHBoyg75N1f0lwYSZOLyyyOLWwDxlsfkb5WwvZ1ZG6NFmg/3o5N3Zd7TEkkvHZafRMrzHFicdIMSvjmOWVBR0GsEb+reREu5X0sdZbqOuxT6CkKoTXRpRZgU9ouus6W5bSWQAfdQIegTBBKk= -PublicExponent: AQAAAAE= -PrivateExponent: CrFKdhkCOgyF27Jc4GPfo7A6v2q0OgRE2nBdkw7XFUEADEHSVLA6XYUm3AZmAOWxTmrGU8EK+76hfC22DjA6O0BljTNdxLB5cGRL2Dxey603jCIEVt/ahIqyb2STr0pWYEVc3qAKJL93iP4v5r7fJt157sJhQF8F5Zpqj24QvmE= -Prime1: 1EpVvo011F2qgjesKSKplhqtvbmRPjTuhijb7531zIbxDzBF+lXCDyjt3Y/LrWS240t74vbZpo9FUZIETIf/FQ== -Prime2: xqm8Bk18u2WJZ9uUr+/MMPKfh6OgAFqtBwFi81FFJ62kHGL9i8AcychE9tD5IRu74KLCGW+Vk87lyLOF3WU0RQ== -Exponent1: JmLNa+QmMjHVDmAM833bF024/+NIyZgfNSDLnGXxTqYZ3PK/llLHIwBChLMKAQgFvt5PP0id1Nkc9N16xjkuFQ== -Exponent2: rZW7rMmQxQQRHD8TKQTAhCX+31n8jnq7gW9dyVpjY85GDuQe6+3rox6xvsMfUzEOgXk1lgnm46FAIHOH6DhMuQ== -Coefficient: MPoirwMUkLzLWeynO1Izy+lff70hnDnOcZEckS+Sy1TlUkk22uHBF4uNLkgoF26XqeKzK9pG1rCGfccfWTCayQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key deleted file mode 100644 index 1ee44bbb0b..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081003212715 -;% lifetime=5d -sub.example.de. IN DNSKEY 257 3 5 BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n GLv3a4BbGFc= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private deleted file mode 100644 index 4b444504ba..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: olXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc= -PublicExponent: AQAAAAE= -PrivateExponent: OZyxcY+HDUm3QnD5ZKQNlUHg5m5SuiUNpDUPzsguED89tgWM12U8IgsChJd2kVlM2Ntayu3KhtUs0/bwFk7yMEyrHPkRcMCInAlB28cXKailxaad5pIvHOu+xt5/44C+j5p125Xd7N29dhRjH7afQY7eYV7FYmDcnXrPyrTkBeE= -Prime1: 0GylzPNywg5QbH9EzgBTjb1J87G2gmKW2eSePiAFq6g4LKUh/HTeCX9TkXmszC/xaA5X96h7UoiPTyl/uq5mRw== -Prime2: x2Pq+Edr4PVN9PaZ/RImYjQGk3gs0J5SbJ9kNKFTPw2ZsWr9wtN5n1KKUCHDqsJ0I9XbOmdI94Ze96uju5L1cQ== -Exponent1: K1098oZ5S8EV4rjvzRrJRe+zLNhvCOeyKQLeE0pZk9G60aMxRTm1HAYyof1kcw43G8BgPU2+26kzFAFQHQIK+w== -Exponent2: oL+7Esi69/qc5yJFk65FJld6jfvv5XHiZOLmj5K/Sagk1mYpj+vveitQzPaNb5G2cl7sN1rW8jgiYdKsyCe0QQ== -Coefficient: MoX+4JTGDuR2nPCAjwMRBDIu6hCTn65zU2EHAFMWaf7hvvhWVEBn0YTK1/sYFzz0LxJUJxa/JJltY7ZYulk7uQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. deleted file mode 100644 index 9b0fba30be..0000000000 
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.
+++ /dev/null
@@ -1,7 +0,0 @@ -; KSK rollover phase2 (this is the new key) -sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn - W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny - j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY - 04a9eVgvhME= - ) ; key id = 26451
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db
deleted file mode 100644
index 466908a22f..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db
+++ /dev/null
@@ -1,25 +0,0 @@
-;-----------------------------------------------------------------
-;
-; @(#) sub.example.de/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ IN SOA ns1.example.de. hostmaster.example.de. (
- 2009070301; Serial (up to 10 digits)
- 86400 ; Refresh (RIPE recommendation if NOTIFY is used)
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
-
- IN NS ns1.example.de.
-
-$INCLUDE dnskey.db
-
-localhost IN A 127.0.0.1
-
-a IN A 1.2.3.4
-b IN A 1.2.3.5
-c IN A 1.2.3.6
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed
deleted file mode 100644
index ef53f5741e..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed
+++ /dev/null
@@ -1,215 +0,0 @@ -; File written on Sat Jul 4 01:32:17 2009 -; dnssec_signzone version 9.7.0a1 -sub.example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. ( - 2009070301 ; serial - 86400 ; refresh (1 day) - 1800 ; retry (30 minutes) - 1209600 ; expire (2 weeks) - 7200 ; minimum (2 hours) - ) - 7200 RRSIG SOA 1 3 7200 20090705220522 ( - 20090703223217 38598 sub.example.de. - JgCBS7//ArxzV4ZFw1uu5ermsqBelp/HnmeF - 1V/2j71/lSIS+1H/o2appt6Ox11KnAqML0Zi - D6KRnBt1xAbXmA== ) - 7200 RRSIG SOA 5 3 7200 20090705220711 ( - 20090703223217 37547 sub.example.de. - gt/Cnm3ltYYKX1h1xUEM8xfGlovwilUCf9TK - E6lUZL9w56DY8WDaz+5kdh4FfiXbprTgzjGA - LMGc9HSP79dRuA== ) - 7200 NS ns1.example.de. - 7200 RRSIG NS 1 3 7200 20090705222744 ( - 20090703223217 38598 sub.example.de. - Gor5vVdsREkojunDB1+1EOzQcsOhjO+RP+CQ - 9MEdAtqXqfJaqn2BxAkjANy7UWiPbIei3QnT - MBmpop2wmSzjHg== ) - 7200 RRSIG NS 5 3 7200 20090705221546 ( - 20090703223217 37547 sub.example.de. - GOWmEt+2ye6zuH1BdUrzEpmjbLTjrqzTwpOP - CBop0iM/TeSKv3OIpzbCscn68XsKdALKx6J5 - vsnk1e7z4qdMnQ== ) - 7200 NSEC a.sub.example.de. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 1 3 7200 20090705222040 ( - 20090703223217 38598 sub.example.de. - DzeJgkKvZsVnlRG6x1CjJsqE7ZW7STTfq0ND - v3whxX6+ODSLWtttakOYZU5ih6YKKbqtxxOi - WpV1PcoUZ0g2PQ== ) - 7200 RRSIG NSEC 5 3 7200 20090705222545 ( - 20090703223217 37547 sub.example.de. 
- fG3D1B9ERox7BwFF2pFOT7D89+6f/3Ti1xUK - rc/kv17mlcxJDzzNtBx7dmKl/jPIccWFEe+d - WaeKi5AZKRsCsg== ) - 3600 DNSKEY 256 3 1 ( - BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOml - gVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVU - BgwiMj4XdqFLLuNzjJbGiw== - ) ; key id = 38598 - 3600 DNSKEY 256 3 1 ( - BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpv - StPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQ - euyJ87LiXfGpR/X/MCtTEQ== - ) ; key id = 11091 - 3600 DNSKEY 256 3 5 ( - BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjt - YHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hx - CoFgziaYXEnU0OjHM/Vatw== - ) ; key id = 57863 - 3600 DNSKEY 256 3 5 ( - BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yG - BvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqe - abWDGzKm3MbybdKLLtGD/w== - ) ; key id = 37547 - 3600 DNSKEY 257 3 1 ( - BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4 - LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW - /iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6 - gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb - vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM= - ) ; key id = 60332 - 3600 DNSKEY 257 3 5 ( - BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4 - WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c - pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ - uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X - 0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk= - ) ; key id = 24426 - 3600 DNSKEY 257 3 5 ( - BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q - W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr - yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ - ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY - 0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME= - ) ; key id = 26451 - 3600 DNSKEY 257 3 5 ( - BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4 - 8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv - yVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTi - dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB - geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10= - ) ; key id = 40956 - 3600 RRSIG DNSKEY 1 3 3600 20090705221028 ( - 20090703223217 60332 sub.example.de. 
- xVnKSgfSjfIEzeJVBlSPfJWDmkG/sGvQQaUc - P6kHUugus9z+MwnPpXKCwvSufQQJHzmUuMG4 - hk29luebSAK+bm8s6lExQQDpUTNWnOxlIrb/ - pQJp7tsBfN8wfZnOg+FrtLSiWzbN+jRyq+Us - 6IUopL10tPSalhTp9UleZSUkZyA= ) - 3600 RRSIG DNSKEY 1 3 3600 20090705221035 ( - 20090703223217 38598 sub.example.de. - fq6OWIKGHtdavvZx8pkieeF+DdA7P13nvW1c - cSmrRsfFFBx8SMJ6H9zFX4FPuoDSsNb8xnNB - i7LKN5hMK+uKvw== ) - 3600 RRSIG DNSKEY 5 3 3600 20090705220958 ( - 20090703223217 40956 sub.example.de. - z3M5xdXXWOywAa9BPtVMzsMWmHumq4rbYyNB - e/in7ijwMwRTZ2pOfK5ccOBMhFE8TaRQrZD5 - 2eP2uqdUE4Jkhr42y5e8+o8ShuKxXIlkGao3 - oFdCIwPElIUswnWs3i44Hz2SCFVnnCz8PXQL - VtxuyGMtrFGuRFh3xC14bi/U5LE= ) - 3600 RRSIG DNSKEY 5 3 3600 20090705221542 ( - 20090703223217 37547 sub.example.de. - bRPadfI4qu6Xl4SCQ+i97/IANaCsE78L+LTG - 1ckVTUmWbDZwj6RjJofdx5Mm1LlM6pi5hAJ2 - 7vDjTlynq0uFyg== ) - 3600 RRSIG DNSKEY 5 3 3600 20090705222555 ( - 20090703223217 26451 sub.example.de. - Eu2lW/SJDyKHZ0zLIV3Co80+D9ykkULXEJpR - BpvhG6wa9R9i0z/QEQc3QWUt2sDPOYDX61wh - iP87yVmb2B1IFMU/VW33d2xZgcK2NGSMk0QI - g2T6jXk+uWd9ribgfWT57Xf3Qr2D+Zl23mOR - Q/C/bJgOmq9mZt4vNOBTvgmuHqw= ) - 3600 RRSIG DNSKEY 5 3 3600 20090705222912 ( - 20090703223217 24426 sub.example.de. - ktIrKORfmsOtyUj47zBb1p/3wp/aA2GIT9dI - e+mDK6Kvvc3Rb+UZe2689vAMwq7/lMvRhHQR - 25Od0UIU77XuW/trIczippIl78ISPwKSiEN0 - LUO9kUf9yZ2dqsZMxMKXWZMSVYXY0ja8zSY5 - v9HafpYQx24FTD99v6DcjMvQu/M= ) -a.sub.example.de. 7200 IN A 1.2.3.4 - 7200 RRSIG A 1 4 7200 20090705222143 ( - 20090703223217 38598 sub.example.de. - A9WVnbcBJW3L+GOND3BJdtrzK3G/klcIWp8l - 0WW1HTbiJAFMxizNWVjyGKU3ciydtawT7gVS - guDWYW++F1vv4w== ) - 7200 RRSIG A 5 4 7200 20090705223053 ( - 20090703223217 37547 sub.example.de. - kZWrAPgslp1YjZtfWhSgQfpegRrVVjVGLPhi - 5OAwpJ14sWmXe+Ty7PbDM1icKdt3DwmGHtk7 - jkFkcdEu6pH3rQ== ) - 7200 NSEC b.sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 1 4 7200 20090705221732 ( - 20090703223217 38598 sub.example.de. 
- Jb666TyzO/8OaJKtEsg/baMAwV3WgLzplwKi - 0FcSu89AMMTEtYDkJx3PSinttrkK/74SHCQI - QprLeptnAT88wQ== ) - 7200 RRSIG NSEC 5 4 7200 20090705223013 ( - 20090703223217 37547 sub.example.de. - L7pmPJgNOV4XpcN2BsUti0OyVNp3SZu58z8w - nJk6Na21sO6gorCh0T9r9GYK0JbJVk6BC+9D - BBQkH4YqqkPxXQ== ) -b.sub.example.de. 7200 IN A 1.2.3.5 - 7200 RRSIG A 1 4 7200 20090705223139 ( - 20090703223217 38598 sub.example.de. - gaoCOBLTR+bfk7O73vH80nP37xchqjh4S8gk - aIhiXZwmVYwWatlzhB8ZK/qhs4mRLqs3Rpte - QVYtDIC2+AOstw== ) - 7200 RRSIG A 5 4 7200 20090705221720 ( - 20090703223217 37547 sub.example.de. - A4+jPotrDIV4JgxRNjH/2vtFW9RNM4g0acRI - tpEoOAphse9Ki7/KDJDYRyjlNqNOYoPSlDlz - rWlKXai3MYg7VQ== ) - 7200 NSEC c.sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 1 4 7200 20090705223117 ( - 20090703223217 38598 sub.example.de. - DuFAapyfyrTDnYkgkkGZG6JyiWa2yWbSbvB/ - EbiaA//ffEEFvoHPt+md+ctHtw7inP3WZ0jf - IBAStKfocnPfxA== ) - 7200 RRSIG NSEC 5 4 7200 20090705222451 ( - 20090703223217 37547 sub.example.de. - y4eQUHYVVEDsXXjtx3YZ5mGtrdL8x7e3F5HK - J/jTwHDYvCq+/xqaXdOGIDl1TZYN4Z+/mgud - ePUilJqZI7+d0A== ) -c.sub.example.de. 7200 IN A 1.2.3.6 - 7200 RRSIG A 1 4 7200 20090705220747 ( - 20090703223217 38598 sub.example.de. - AhUeZDcL2x0nT4K1ueLzpti37wP0p+nBCO1h - N1asQJycnjayQ49nVwXuOPjFtO5SpUijl/gf - rsvFrG2Eyf8KyQ== ) - 7200 RRSIG A 5 4 7200 20090705221402 ( - 20090703223217 37547 sub.example.de. - I9UX1XpqYmFXZKfS0SJn7eAahEGlDvTO/miW - 5sAvWS1PDIPiGs6eNIKEjmCcy1bTCR8TdCF4 - eDzbZncW5J57bA== ) - 7200 NSEC localhost.sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 1 4 7200 20090705221655 ( - 20090703223217 38598 sub.example.de. - spoeS9+UVDFk3i6OuzJDg+dYm1UGVd1dd/1H - c0Cg7Wn5FjKwAuxVh6Fkwo+gnfFeuNqXULp7 - 2oZVaizjK0xxdA== ) - 7200 RRSIG NSEC 5 4 7200 20090705220501 ( - 20090703223217 37547 sub.example.de. - qjJcnn8GAR948AasHOuT3grziFXevNKdIdd0 - JsThsXekPAFoe/o/Wj7a/aRBQpdSQHfbHs66 - ehXm31OmY1Z1MQ== ) -localhost.sub.example.de. 
7200 IN A 127.0.0.1 - 7200 RRSIG A 1 4 7200 20090705223018 ( - 20090703223217 38598 sub.example.de. - KKzhk8TIfVygE1HXHyno+5JRUa/HjZXlCyqO - IXPpEh2AGQjbEy9lJOXbfH15explsbFUl8iS - oFdkIwDqvk/ldw== ) - 7200 RRSIG A 5 4 7200 20090705221933 ( - 20090703223217 37547 sub.example.de. - X5HZEaT+hbuvxoOng20cDqYGepR2ud7q7ASs - ADVuZx38VBtj02Gbp0xyM8LnjjrKD6McQC35 - lqRrrcEvaMIFYA== ) - 7200 NSEC sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 1 4 7200 20090705223031 ( - 20090703223217 38598 sub.example.de. - nUE795F1yE6+61N2UQb2Kmm4PpTBpdwGiPD5 - RfETf5J3Y/7M6GuUw7Rrl5G5FHN9vzz4IJLB - XeLxR6WY4FdXFg== ) - 7200 RRSIG NSEC 5 4 7200 20090705222830 ( - 20090703223217 37547 sub.example.de. - YitlICV/U/5iwY5vYd4Huwpyx3O317WuufiP - 8Ci4kDa6pp7bzM+q5INYGn5ZuFUb6bk1LrJG - hu9IzPp4IpAwhQ== ) diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.db b/contrib/zkt/examples/hierarchical/de/example.de/zone.db deleted file mode 100644 index b3d0034372..0000000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/zone.db +++ /dev/null 
@@ -1,38 +0,0 @@
-;-----------------------------------------------------------------
-;
-; @(#) example.de/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-; Ensure that the serial number below is left
-; justified in a field of at least 10 chars!!
-; 0123456789;
-; It's also possible to use the date format e.g. 2005040101
-@ IN SOA ns1.example.de. hostmaster.example.de. (
- 277 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
-
- IN NS ns1.example.de.
- IN NS ns2.example.de.
-
-ns1 IN A 1.0.0.5
- IN AAAA 2001:db8::53
-ns2 IN A 1.2.0.6
-
-localhost IN A 127.0.0.1
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.de file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub IN NS ns1.example.de.
-
-; this file will contain all the zone keys
-$INCLUDE dnskey.db
-
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed b/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
deleted file mode 100644
index 1bfd112b77..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
+++ /dev/null
@@ -1,124 +0,0 @@ -; File written on Sat Jul 4 01:33:59 2009 -; dnssec_signzone version 9.7.0a1 -example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. ( - 277 ; serial - 43200 ; refresh (12 hours) - 1800 ; retry (30 minutes) - 1209600 ; expire (2 weeks) - 7200 ; minimum (2 hours) - ) - 7200 RRSIG SOA 5 2 7200 20090713220611 ( - 20090703223359 55529 example.de. - rwMt/rMQ9Ioun/qZlL4nTW9J7rg3hZs+8Jxu - +GJ3IWDRFzf3ri9A5+ZWubnZs+eXkDtlxDQ5 - hsQYk04gxowbNw== ) - 7200 NS ns1.example.de. - 7200 NS ns2.example.de. - 7200 RRSIG NS 5 2 7200 20090713221949 ( - 20090703223359 55529 example.de. - ehIVNiOaHHevfb3GkYt79MSmwzzMUCHvOGOf - MSI3QqG+Z0rS+wjI1pXdJxnVbzLldkZThBAZ - wwZVvOnfyye+Bg== ) - 7200 NSEC localhost.example.de. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 5 2 7200 20090713221831 ( - 20090703223359 55529 example.de. - B4vUFaDg29C95e0nstt6d6hsOYqiGWfMchp3 - MHb2FuYZN369T+OjJxBO3jaxhB6JLhQQT+CA - Kbdednz3+3mpbw== ) - 3600 DNSKEY 256 3 5 ( - BQEAAAABty5HRSBzUDY5SVgORw+KKE64Sjmq - EpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqB - k/zizzUe4+dbj+jORPirtQ== - ) ; key id = 55529 - 3600 DNSKEY 257 3 5 ( - BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+ - Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl - z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH - z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R - 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/ - us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4 - 8Mlp1+mUjQ== - ) ; key id = 37983 - 3600 DNSKEY 257 3 5 ( - BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4 - LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx - 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq - vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO - lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM - GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs - K9bqDM8Euw== - ) ; key id = 47280 - 3600 RRSIG DNSKEY 5 2 3600 20090713222248 ( - 20090703223359 47280 example.de. 
- AnxgMlrm0RcJPTcgO40Ul+k8T0B5YYF3PE4O - DjZ6GwdU0RGtIswtrD5JQoaEm0rJcckU7zaP - 372CkCbdapzMbTafjx90KpnPGNka2umUEoU+ - wE1T0EmEHPsNy1UnxXpNgrtUlLQ7+wypX85h - H4xIhkZLt3rc/xfztObawFkw1PvjdBMp1ySY - 9jz8TPWSotfItRz2UDSWmFz2+Mt3fuKhvnWp - sw== ) - 3600 RRSIG DNSKEY 5 2 3600 20090713222256 ( - 20090703223359 55529 example.de. - kahO5eo6d+HIuROuIhprEG5vMnsVK1c8jueZ - ThPa3YVVL3hSP7h79FPugMb6paqBSi0CW/0x - X32Vx3fHL2R7Cw== ) -localhost.example.de. 7200 IN A 127.0.0.1 - 7200 RRSIG A 5 3 7200 20090713220920 ( - 20090703223359 55529 example.de. - hQddObpj6XKM06r/fZB3uXW5K44vepmmJs9Z - 4IDPRBwG+YzZCkUly58N5soSFxiF50Ieaq4M - pmC47X42c1EHKg== ) - 7200 NSEC ns1.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090713222053 ( - 20090703223359 55529 example.de. - OednWdOSDAxJXwuc3OugwSYPvOFl29c98R1s - cPyovg8NoQnSAyXlqANUrOEHKzXekelzGV53 - wzfFHCmIuJZ5Fw== ) -ns1.example.de. 7200 IN A 1.0.0.5 - 7200 RRSIG A 5 3 7200 20090713221855 ( - 20090703223359 55529 example.de. - TXWHh/P5XR0krzYb0io4o1/42AeNGcPcdHob - iiFJCKHmyX8hVVysHfvvN6wB1XqLOWsSNxsZ - pwPbr9JcTJDMPA== ) - 7200 AAAA 2001:db8::53 - 7200 RRSIG AAAA 5 3 7200 20090713221023 ( - 20090703223359 55529 example.de. - meShWaTBanhROgGlnwQq0KNmEKJbjLluTj7Z - ELbMUvgmTc1qLBCDHzWtp8sWWXz5UbMacL9X - F7Ncp5dAbBO2lQ== ) - 7200 NSEC ns2.example.de. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090713221918 ( - 20090703223359 55529 example.de. - B4mBvLOjzjuahaarR0UJwf+2IpLo0Hj6Jxj9 - WfKlMrUVJOmm2Hbq0Amk/L0NSeqD+W1eNlux - 6EVYdyJm4f+wlw== ) -ns2.example.de. 7200 IN A 1.2.0.6 - 7200 RRSIG A 5 3 7200 20090713221339 ( - 20090703223359 55529 example.de. - FPMu/4JWrPbRMPXm8Hyx3AD+lRn4jCZ70WZh - LSADXIx3lZfEGy14x4UD7iLUiC/9TPl1aY6w - q9R3ZLNhVmMbyw== ) - 7200 NSEC sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090713221447 ( - 20090703223359 55529 example.de. - DINiU0MiPkSyMjyJzKYuj3FgRlE92LubLU7v - eFufAQJM8hXe7oc+JfOSVDhpKdyF2ayd+w/e - TTnmaF7c65FZvw== ) -sub.example.de. 7200 IN NS ns1.example.de. 
- 7200 DS 26451 5 1 ( - 317B8B00E2518957ED982C4872659A5E7F85 - 783E ) - 7200 DS 26451 5 2 ( - C5492796671C24EA74C30B39371E94AD1A3D - D2EA8977B4949B08422C16217B2A ) - 7200 RRSIG DS 5 3 7200 20090713222900 ( - 20090703223359 55529 example.de. - hfoghbLW7Xd1CnLwcA/k6NM54/U34M1j5ELo - 0S+r5jbhy6rBj3kE8PRWCvLkpFclVyTAt0nq - pS69INoz+7pmeg== ) - 7200 NSEC example.de. NS DS RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090713220837 ( - 20090703223359 55529 example.de. - mrR2sfL826pwQ3+/3X3/z8b3eOecBVYTdAmT - tVml23Zegq0EYJlQUiaTH5uP47vu/tsBRba8 - TzIh0TVdyfiFyw== )
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.soa b/contrib/zkt/examples/hierarchical/de/example.de/zone.soa
deleted file mode 100644
index 9b200c1bd7..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/zone.soa
+++ /dev/null
@@ -1,10 +0,0 @@
-; Be sure that the serial number below is left
-; justified in a field of at least 10 chars!!
-; 0123456789;
-; It's also possible to use the date form e.g. 2005040101
-@ IN SOA ns1.example.de. hostmaster.example.de. (
- 267 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
diff --git a/contrib/zkt/examples/hierarchical/de/keyset-example.de. b/contrib/zkt/examples/hierarchical/de/keyset-example.de.
deleted file mode 100644
index 27a14419fa..0000000000
--- a/contrib/zkt/examples/hierarchical/de/keyset-example.de.
+++ /dev/null
@@ -1,19 +0,0 @@ -$ORIGIN . -example.de 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+ - Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl - z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH - z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R - 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/ - us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4 - 8Mlp1+mUjQ== - ) ; key id = 37983 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4 - LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx - 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq - vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO - lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM - GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs - K9bqDM8Euw== - ) ; key id = 47280
diff --git a/contrib/zkt/examples/hierarchical/dnssec.conf b/contrib/zkt/examples/hierarchical/dnssec.conf
deleted file mode 100644
index 12da654b53..0000000000
--- a/contrib/zkt/examples/hierarchical/dnssec.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
-#
-
-# dnssec-zkt options
-Zonedir: "."
-Recursive: True
-PrintTime: False
-PrintAge: True
-LeftJustify: False
-
-# zone specific values
-ResignInterval: 1w # (604800 seconds)
-Sigvalidity: 10d # (864000 seconds)
-Max_TTL: 6h # (21600 seconds)
-Propagation: 5m # (300 seconds)
-KEY_TTL: 1h # (3600 seconds)
-Serialformat: incremental
-
-# signing key parameters
-KSK_lifetime: 20d # (1728000 seconds)
-KSK_algo: RSASHA1 # (Algorithm ID 5)
-KSK_bits: 1300
-KSK_randfile: "/dev/urandom"
-ZSK_lifetime: 4w # (2419200 seconds)
-ZSK_algo: RSASHA1 # (Algorithm ID 5)
-ZSK_bits: 512
-ZSK_randfile: "/dev/urandom"
-
-# dnssec-signer options
-LogFile: "log"
-LogLevel: "info"
-SyslogFacility: "user"
-SyslogLevel: "notice"
-Keyfile: "dnskey.db"
-Zonefile: "zone.db"
-KeySetDir: ".."
-DLV_Domain: ""
-Sig_Pseudorand: True
-Sig_Parameter: "-j 1800"
diff --git a/contrib/zkt/examples/hierarchical/log/zktlog-example.de. b/contrib/zkt/examples/hierarchical/log/zktlog-example.de.
new file mode 100644
index 0000000000..ffae0f0dde
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/log/zktlog-example.de. @@ -0,0 +1,16 @@ +2010-02-06 00:54:11.045: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain +2010-02-21 12:51:38.667: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain +2010-02-25 00:21:05.030: info: "example.de.": new key 39599 generated for publishing +2010-02-25 00:21:05.030: notice: "example.de.": re-signing triggered: Modfied zone key set +2010-02-25 00:22:32.667: notice: "example.de.": re-signing triggered: Modfied zone key set +2010-02-25 23:42:40.317: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain +2010-03-02 11:00:04.526: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain +2010-03-02 11:00:16.077: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain +2010-03-03 23:22:07.163: notice: "example.de.": lifetime of zone signing key 63077 exceeded: ZSK rollover done +2010-03-03 23:22:07.163: notice: "example.de.": re-signing triggered: Modfied zone key set +2010-03-12 00:00:27.706: info: "example.de.": old ZSK 63077 removed +2010-03-12 00:00:27.710: notice: "example.de.": re-signing triggered: Modfied zone key set +2010-03-12 00:45:26.305: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain +2010-04-01 01:05:48.848: notice: "example.de.": lifetime of zone signing key 39599 exceeded since 43m41s: ZSK rollover deferred: waiting for published key +2010-04-01 01:05:48.928: info: "example.de.": new key 9743 generated for publishing +2010-04-01 01:05:48.929: notice: "example.de.": re-signing triggered: Modfied zone key set diff --git a/contrib/zkt/examples/hierarchical/log/zktlog-sub.example.de. b/contrib/zkt/examples/hierarchical/log/zktlog-sub.example.de. new file mode 100644 index 0000000000..d0d0e12e28 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/log/zktlog-sub.example.de. 
@@ -0,0 +1,33 @@
+2010-02-06 00:54:11.044: info: "sub.example.de.": kskrollover phase2: send new key 33580 to the parent zone
+2010-02-21 12:51:38.487: info: "sub.example.de.": kskrollover phase3: Remove old key 3831
+2010-02-21 12:51:38.488: notice: "sub.example.de.": lifetime of zone signing key 320 exceeded: ZSK rollover done
+2010-02-21 12:51:38.556: info: "sub.example.de.": new key 17513 generated for publishing
+2010-02-21 12:51:38.556: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 00:21:04.838: info: "sub.example.de.": kskrollover phase1: New key 27861 generated
+2010-02-25 00:21:04.838: info: "sub.example.de.": old ZSK 320 removed
+2010-02-25 00:21:04.838: notice: "sub.example.de.": lifetime of zone signing key 65003 exceeded: ZSK rollover done
+2010-02-25 00:21:04.876: info: "sub.example.de.": new key 31547 generated for publishing
+2010-02-25 00:21:04.876: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 01:01:09.615: info: "sub.example.de.": old ZSK 65003 removed
+2010-02-25 01:01:09.615: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:40.316: info: "sub.example.de.": kskrollover phase2: send new key 9663 to the parent zone
+2010-03-02 11:00:04.328: info: "sub.example.de.": kskrollover phase3: Remove old key 59961
+2010-03-02 11:00:04.328: notice: "sub.example.de.": lifetime of zone signing key 17513 exceeded: ZSK rollover done
+2010-03-02 11:00:04.444: info: "sub.example.de.": new key 63530 generated for publishing
+2010-03-02 11:00:04.444: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-02 11:00:16.024: info: "sub.example.de.": kskrollover phase1: New key 42639 generated
+2010-03-02 11:00:16.025: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-03 23:22:07.066: info: "sub.example.de.": kskrollover phase2: send new key 27861 to the parent zone
+2010-03-03 23:22:07.066: info: "sub.example.de.": old ZSK 17513 removed
+2010-03-03 23:22:07.067: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:00:27.495: info: "sub.example.de.": kskrollover phase3: Remove old key 9663
+2010-03-12 00:00:27.495: notice: "sub.example.de.": lifetime of zone signing key 31547 exceeded: ZSK rollover done
+2010-03-12 00:00:27.609: info: "sub.example.de.": new key 7295 generated for publishing
+2010-03-12 00:00:27.609: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:45:26.265: info: "sub.example.de.": kskrollover phase1: New key 8544 generated
+2010-03-12 00:45:26.265: info: "sub.example.de.": old ZSK 31547 removed
+2010-03-12 00:45:26.266: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-04-01 01:05:48.169: info: "sub.example.de.": kskrollover phase2: send new key 42639 to the parent zone
+2010-04-01 01:05:48.169: notice: "sub.example.de.": lifetime of zone signing key 63530 exceeded: ZSK rollover done
+2010-04-01 01:05:48.650: info: "sub.example.de.": new key 40559 generated for publishing
+2010-04-01 01:05:48.650: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
diff --git a/contrib/zkt/examples/hierarchical/named.conf b/contrib/zkt/examples/hierarchical/named.conf
deleted file mode 100644
index 8bd3f9db7c..0000000000
--- a/contrib/zkt/examples/hierarchical/named.conf
+++ /dev/null
@@ -1,102 +0,0 @@ -/***************************************************************** -** -** #(@) named.conf (c) 6. May 2004 (hoz) -** -*****************************************************************/ - -/***************************************************************** -** logging options -*****************************************************************/ -logging { - channel "named-log" { - file "/var/log/named" versions 3 size 2m; - print-time yes; - print-category yes; - print-severity yes; - severity info; - }; - channel "resolver-log" { - file "/var/log/named"; - print-time yes; - print-category yes; - print-severity yes; - severity debug 1; - }; - channel "dnssec-log" { -# file "/var/log/named-dnssec" ; - file "/var/log/named" ; - print-time yes; - print-category yes; - print-severity yes; - severity debug 3; - }; - category "dnssec" { "dnssec-log"; }; - category "default" { "named-log"; }; - category "resolver" { "resolver-log"; }; - category "client" { "resolver-log"; }; - category "queries" { "resolver-log"; }; -}; - -/***************************************************************** -** name server options -*****************************************************************/ -options { - directory "."; - - dump-file "/var/log/named_dump.db"; - statistics-file "/var/log/named.stats"; - - listen-on-v6 { any; }; - - query-source address * port 53; - transfer-source * port 53; - notify-source * port 53; - - recursion yes; - dnssec-enable yes; - edns-udp-size 4096; - -# dnssec-lookaside "." trust-anchor "trusted-keys.de."; - - querylog yes; - -}; - -/***************************************************************** -** include shared secrets... -*****************************************************************/ -/** for control sessions ... 
**/ -# include "rndc.key"; -controls { - inet 127.0.0.1 - allow { localhost; } - keys { "rndc-key"; }; - inet ::1 - allow { localhost; } - keys { "rndc-key"; }; -}; - -/***************************************************************** -** ... and trusted_keys -*****************************************************************/ -# include "trusted-keys.conf" ; - -/***************************************************************** -** root server hints and required 127 stuff -*****************************************************************/ -zone "." in { - type hint; - file "root.hint"; -}; - -zone "localhost" in { - type master; - file "localhost.zone"; -}; - -zone "0.0.127.in-addr.arpa" in { - type master; - file "127.0.0.zone"; -}; - -include "zone.conf"; diff --git a/contrib/zkt/examples/hierarchical/zone.conf b/contrib/zkt/examples/hierarchical/zone.conf deleted file mode 100644 index afd5a739fb..0000000000 --- a/contrib/zkt/examples/hierarchical/zone.conf +++ /dev/null @@ -1,10 +0,0 @@ - -zone "example.de." in { - type master; - file "de/example.de/zone.db.signed"; -}; - -zone "sub.example.de." in { - type master; - file "de/example.de/sub.example.de/zone.db.signed"; -}; diff --git a/contrib/zkt/examples/views/dnssec-extern.conf b/contrib/zkt/examples/views/dnssec-extern.conf deleted file mode 100644 index 728dcc9431..0000000000 --- a/contrib/zkt/examples/views/dnssec-extern.conf +++ /dev/null 
@@ -1,39 +0,0 @@ -# -# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de -# - -# dnssec-zkt options -Zonedir: "extern" -Recursive: True -PrintTime: False -PrintAge: True -LeftJustify: False - -# zone specific values -ResignInterval: 1w # (604800 seconds) -Sigvalidity: 10d # (864000 seconds) -Max_TTL: 8h # (28800 seconds) -Propagation: 5m # (300 seconds) -KEY_TTL: 1h # (3600 seconds) -Serialformat: unixtime - -# signing key parameters -KSK_lifetime: 1y # (31536000 seconds) -KSK_algo: RSASHA1 # (Algorithm ID 5) -KSK_bits: 1300 -KSK_randfile: "/dev/urandom" -ZSK_lifetime: 30d # (2592000 seconds) -ZSK_algo: RSASHA1 # (Algorithm ID 5) -ZSK_bits: 512 -ZSK_randfile: "/dev/urandom" - -# dnssec-signer options -LogFile: "zkt-ext.log" -LogLevel: "debug" -SyslogFacility: "none" -SyslogLevel: "notice" -VerboseLog: 2 -Keyfile: "dnskey.db" -Zonefile: "zone.db" -DLV_Domain: "" -Sig_Pseudorand: True diff --git a/contrib/zkt/examples/views/dnssec-intern.conf b/contrib/zkt/examples/views/dnssec-intern.conf deleted file mode 100644 index d49fc94664..0000000000 --- a/contrib/zkt/examples/views/dnssec-intern.conf +++ /dev/null 
@@ -1,39 +0,0 @@ -# -# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de -# - -# dnssec-zkt options -Zonedir: "intern" -Recursive: True -PrintTime: False -PrintAge: True -LeftJustify: False - -# zone specific values -ResignInterval: 5h # (18000 seconds) -Sigvalidity: 1d # (86400 seconds) -Max_TTL: 30m # (1800 seconds) -Propagation: 1m # (60 seconds) -KEY_TTL: 30m # (1800 seconds) -Serialformat: unixtime - -# signing key parameters -KSK_lifetime: 1y # (31536000 seconds) -KSK_algo: RSASHA1 # (Algorithm ID 5) -KSK_bits: 1300 -KSK_randfile: "/dev/urandom" -ZSK_lifetime: 30d # (2592000 seconds) -ZSK_algo: RSASHA1 # (Algorithm ID 5) -ZSK_bits: 512 -ZSK_randfile: "/dev/urandom" - -# dnssec-signer options -LogFile: "zkt-int.log" -LogLevel: "debug" -SyslogFacility: "none" -SyslogLevel: "notice" -VerboseLog: 2 -Keyfile: "dnskey.db" -Zonefile: "zone.db" -DLV_Domain: "" -Sig_Pseudorand: True diff --git a/contrib/zkt/examples/views/dnssec-signer-extern b/contrib/zkt/examples/views/dnssec-signer-extern deleted file mode 100755 index 910e82aa8d..0000000000 --- a/contrib/zkt/examples/views/dnssec-signer-extern +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -# -# Shell script to start the dnssec-signer -# command out of the view directory -# - -ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V extern "$@" diff --git a/contrib/zkt/examples/views/dnssec-signer-intern b/contrib/zkt/examples/views/dnssec-signer-intern deleted file mode 100755 index 915ed153c4..0000000000 --- a/contrib/zkt/examples/views/dnssec-signer-intern +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -# -# Shell script to start the dnssec-signer -# command out of the view directory -# - -ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V intern "$@" diff --git a/contrib/zkt/examples/views/dnssec-zkt-extern b/contrib/zkt/examples/views/dnssec-zkt-extern deleted file mode 100755 index 129b4e1004..0000000000 --- a/contrib/zkt/examples/views/dnssec-zkt-extern +++ /dev/null 
@@ -1,7 +0,0 @@ -#!/bin/sh -# -# Shell script to start the dnssec-zkt command -# out of the view directory -# - -ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view extern "$@" diff --git a/contrib/zkt/examples/views/dnssec-zkt-intern b/contrib/zkt/examples/views/dnssec-zkt-intern deleted file mode 100755 index 1836840f8d..0000000000 --- a/contrib/zkt/examples/views/dnssec-zkt-intern +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -# -# Shell script to start the dnssec-zkt command -# out of the view directory -# - -ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view intern "$@" diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.key b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.key deleted file mode 100644 index 54ba934b62..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20080609231143 -;% lifetime=30d -example.net. IN DNSKEY 256 3 5 BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4 ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw== diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.private b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.private deleted file mode 100644 index 7240075f63..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: 3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw== -PublicExponent: AQAAAAE= -PrivateExponent: Q3TKb2j5AMk4wn9q5vvgtEy7o1VAhCvv/Nw3QRpXi7xGeHb7WJHj2ia2I44vQQk9fB+Kck1M8KNRMgYt0d0xCQ== -Prime1: 7l4yn7VYrTSOaZu+lubsFvE+JB7asyYyymAEQeod2p0= -Prime2: 7a4LEAmrtZTI/PHjdk/Ij/hbpDmtOe1H0lnWTVG+GfM= -Exponent1: DTpyBBW39+d9b8LqCo7hJf5KQ3oVw9tdnUuHNstGZd0= -Exponent2: b+aBbhRPr/a9ZCNM2JTjZJrrSebtMQCy1GcE33o64HM= -Coefficient: UdvxnKd2GL6In82yHG40rU35WTZ2SUYQ+1mfz3DQqnE= 
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.key b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.key deleted file mode 100644 index 08bebc1e36..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081002230045 -;% lifetime=30d -example.net. IN DNSKEY 256 3 5 BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0 QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw== diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.published b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.published deleted file mode 100644 index fc9402abfe..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.published +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: zPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw== -PublicExponent: AQAAAAE= -PrivateExponent: UPJ5tLih3Wxu/lvoTctyw53YqaVngGRH+fSTLNchJfqXrwwKdP0LqiNMjWHv1m+OtDZJgbU8sZmXCXUVZOgCAQ== -Prime1: /0fbhjXuq926sklBidVvZ5KPmAJPlbAeCprKhXi7GwE= -Prime2: zYhpS9+p5PR1MisPZ5jf456zfJZg/XsuLZ288+5VH0c= -Exponent1: rrZnAccK6f+4bRRLZEzM6V5tVopoZuSo3StxdGFIuAE= -Exponent2: ChoiCjVQLac7g0/XOTbjeCoqrgcz9KB/z/36ZbuGRQ0= -Coefficient: Lria2iu3j2EXiZal1YUyoUleY2jM64c4Dv5SYVzrsVU= diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.key b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.key deleted file mode 100644 index ec11dcb5e4..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.key +++ /dev/null 
@@ -1 +0,0 @@ -example.net. IN DNSKEY 257 3 5 BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnI ZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQ uwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2T u5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1 sQ== diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.private b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.private deleted file mode 100644 index ea294474c0..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: DEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1sQ== -PublicExponent: AQAAAAE= -PrivateExponent: A3ZXTF8afjlxddgO/sDxotc0XLBMa3sNrXhCpdFzeDV1HszZbz1lP8rrZjA1wQgSo56DjiGRKTsHjAAm4xN1lGYKBZuVF4U3uiWie2PhJStt7kckNduKOfV9Nofow5Jh8I2lXKqcOJ8Qd+EJYIsajdBoGQ72PGGfDaHphbN/mW13n59PlilMF4RRRybcMA6jTAOfvIcv5Mes3+ADh0TktHdHQQ== -Prime1: A+SKyrgtNzGVpAXPQysMQ9O/10B/+nhy6//1F5Epxihyuln+d2euh+TjVneojx4D2JUflDUSD5BQAdflDb+KiBXdQjBEmqfWwY+INwSQzv4M5Q== -Prime2: AyXovkiIs7ywIRS6FfRolMMUeh3yeYNtCVAvLB6EC2MiNCzfkDOFB7rpmUkZR8HYUWuz1hQfR781RDO81Sp3RIpSyL7SwOqkpMZyaSgK/GKE3Q== -Exponent1: D1vC405mkcUVfno92EuBXomRiOG7VeSyjwofgCpa0JKR6J2BThdCGrcVbq68ucIddn+cbkD8JsZB3k4aeDYFxm6d1En1Z2C1cVHrzCFi2zFV -Exponent2: N+iliM1Qp3spcsR06kXImb/N4FosHrZkXtcbRIMWhV8NBcyqLDIfGlNluaiztv4rf6Kn2UyVeiGC822nqZHcW5PiXJnBEWs9AC4Di1QzZh0h -Coefficient: AtZ4sYqGgyB5kfdcQBBlIkPbsRRNKrUVAsZkjabdZTQa+ox6tYnlVjh7BgPMHJlj/Z4VTRJ5rfAUPnB4ZwO/r1eAJLd+vxjJb9M7DaGMc+RqQA== 
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.depreciated b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.depreciated deleted file mode 100644 index ca789ebfff..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.depreciated +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: sQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6wiAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q== -PublicExponent: AQAAAAE= -PrivateExponent: fZs/S7/pOPP1C9Jjdb7KhnbfiLfCIXdc7d8LDWmm7d9rL2kZK77WMp+o5WRQhoIDDQPAdv+phoIdFEIiXKLN8Q== -Prime1: 6NEgG3Z86nn9fNjG+3E9OqF/7oaCvrVnb1XogalZgr0= -Prime2: wq0aosO1mWXo38HuxO5JiR2mX/9LWjxxqwK6I9gnJp0= -Exponent1: ZvI2y//PImr1OqeVLoWfFHop2iorgT4+SYiz1Gw9FME= -Exponent2: TBUeoolmnFcOfWO6T1v0S6za7LEib2H1Pgt95UvDA40= -Coefficient: eHmKka0EVRfjDfEpcwRp5nZ36ZHfLxuKF5tGQ1YclBI= diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.key b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.key deleted file mode 100644 index 1809a9357d..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.key +++ /dev/null @@ -1,4 +0,0 @@ -;% generationtime=20071217224527 -;% lifetime=30 -;% expiretime=20080116224527 -example.net. IN DNSKEY 256 3 5 BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6w iAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q== diff --git a/contrib/zkt/examples/views/extern/example.net/dnskey.db b/contrib/zkt/examples/views/extern/example.net/dnskey.db deleted file mode 100644 index 0ed196ef0d..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/dnskey.db +++ /dev/null 
@@ -1,36 +0,0 @@ -; -; !!! Don't edit this file by hand. -; !!! It will be generated by dnssec-signer. -; -; Last generation time Oct 03 2008 01:00:45 -; - -; *** List of Key Signing Keys *** -; example.net. tag=23553 algo=RSASHA1 generated Aug 05 2008 23:01:57 -example.net. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnI - ZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQ - uwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2T - u5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1 - sQ== - ) ; key id = 23553 - -; *** List of Zone Signing Keys *** -; example.net. tag=35744 algo=RSASHA1 generated Aug 05 2008 23:01:57 -example.net. 3600 IN DNSKEY 256 3 5 ( - BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6w - iAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q== - ) ; key id = 35744 - -; example.net. tag=10367 algo=RSASHA1 generated Aug 05 2008 23:01:57 -example.net. 3600 IN DNSKEY 256 3 5 ( - BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4 - ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw== - ) ; key id = 10367 - -; example.net. tag=14714 algo=RSASHA1 generated Oct 03 2008 01:00:45 -example.net. 3600 IN DNSKEY 256 3 5 ( - BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0 - QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw== - ) ; key id = 14714 - diff --git a/contrib/zkt/examples/views/extern/example.net/dsset-example.net. b/contrib/zkt/examples/views/extern/example.net/dsset-example.net. deleted file mode 100644 index cbcd3d0220..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/dsset-example.net. +++ /dev/null @@ -1,2 +0,0 @@ -example.net. IN DS 23553 5 1 A1A6D06CB84D619730F605AEF2A6DD4148DD9D5B -example.net. IN DS 23553 5 2 B0DCAB8A32C230495CEC1FD61CEC03849450909CA6636FD9BC53D1B3 3B4F3A2D diff --git a/contrib/zkt/examples/views/extern/example.net/keyset-example.net. b/contrib/zkt/examples/views/extern/example.net/keyset-example.net. deleted file mode 100644 index b84524567e..0000000000 
--- a/contrib/zkt/examples/views/extern/example.net/keyset-example.net. +++ /dev/null @@ -1,10 +0,0 @@ -$ORIGIN . -example.net 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF - YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+ - pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN - 19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY - 9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi - XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM - 6DaiC6E1sQ== - ) ; key id = 23553 diff --git a/contrib/zkt/examples/views/extern/example.net/zone.db b/contrib/zkt/examples/views/extern/example.net/zone.db deleted file mode 100644 index 4c72928f0b..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/zone.db +++ /dev/null @@ -1,33 +0,0 @@ -;----------------------------------------------------------------- -; -; @(#) extern/example.net/zone.db -; -;----------------------------------------------------------------- - -$TTL 7200 - -@ IN SOA ns1.example.net. hostmaster.example.net. ( - 0 ; Serial - 43200 ; Refresh - 1800 ; Retry - 2W ; Expire - 7200 ) ; Minimum - - IN NS ns1.example.net. - IN NS ns2.example.net. - -ns1 IN A 1.0.0.5 - IN AAAA 2001:db8::53 -ns2 IN A 1.2.0.6 - -localhost IN A 127.0.0.1 - -; Delegation to secure zone; The DS resource record will -; be added by dnssec-signzone automatically if the -; keyset-sub.example.net file is present (run dnssec-signzone -; with option -g or use the dnssec-signer tool) ;-) -sub IN NS ns1.example.net. - -; this file will have all the zone keys -$INCLUDE dnskey.db - diff --git a/contrib/zkt/examples/views/extern/example.net/zone.db.signed b/contrib/zkt/examples/views/extern/example.net/zone.db.signed deleted file mode 100644 index 271ac0f20c..0000000000 --- a/contrib/zkt/examples/views/extern/example.net/zone.db.signed +++ /dev/null 
@@ -1,114 +0,0 @@ -; File written on Fri Oct 3 01:00:46 2008 -; dnssec_signzone version 9.5.1b2 -example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( - 1222988445 ; serial - 43200 ; refresh (12 hours) - 1800 ; retry (30 minutes) - 1209600 ; expire (2 weeks) - 7200 ; minimum (2 hours) - ) - 7200 RRSIG SOA 5 2 7200 20081012220045 ( - 20081002220045 10367 example.net. - LCFqUSzaxGi6kFs/IV6OuWgB77TzF4cYCH0S - UKrZ2PBlf7iR10Y1t7UsG/RGy/mBZxMMebf+ - IzaEcsJynOXTOA== ) - 7200 NS ns1.example.net. - 7200 NS ns2.example.net. - 7200 RRSIG NS 5 2 7200 20081012220045 ( - 20081002220045 10367 example.net. - hc9aE9RI0TQr9IlIv7A6Xl3D+O7IT4B2vmAj - 7HA6znKCJMoA42h/EBNaSpc7lwLQmsHVpjP6 - I1cAjynNC+KCwA== ) - 7200 NSEC localhost.example.net. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 5 2 7200 20081012220045 ( - 20081002220045 10367 example.net. - mRRRKkwqB3r09e9vBGCGj4d+TiPmKAFnldyd - bWIoh7zT/cJm/HH8nDR1zUXXdeKp3/k8ddup - rXE8rdS4LHa7sg== ) - 3600 DNSKEY 256 3 5 ( - BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5 - yYSeERYtaO2Wxi+kHz6wiAyKkbBYFUGtmbPJ - 6JFt+4f9KnNPi1txiBg76Q== - ) ; key id = 35744 - 3600 DNSKEY 256 3 5 ( - BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrk - AidjF2+ndxtzw5OCLZG0QfmUumSh2Cq+g1dZ - w2lIKan+blLCD7vRCX6cRw== - ) ; key id = 14714 - 3600 DNSKEY 256 3 5 ( - BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzN - vJUMaOc++HqN2N1sKSX4ZTf2V5gtamPZ/1kM - rg8gYImKCl6n3K37EjXYBw== - ) ; key id = 10367 - 3600 DNSKEY 257 3 5 ( - BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF - YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+ - pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN - 19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY - 9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi - XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM - 6DaiC6E1sQ== - ) ; key id = 23553 - 3600 RRSIG DNSKEY 5 2 3600 20081012220045 ( - 20081002220045 10367 example.net. - RfMpx9krw1j7GCBGHnLU1NvvoBFOw2+HA08j - zhrSrOd0iKlSxyewCf0r2LVUV0EXFEzwbrqy - Wyt1l1ojfDX7mQ== ) - 3600 RRSIG DNSKEY 5 2 3600 20081012220045 ( - 20081002220045 23553 example.net. 
- AYHR7rcPmwdcr3UP8jPBNesQ3aC8RdeB8vtg - V01vPtvNIpp1OtMPIEx7bot9eWfmD/gVNuyS - xOAp77KxECFIULPvq6Pk1dyTUOWXn19JOMDU - CPyIxJs9gjD9AQ+UYo7UhhipOV1w5Y/g3Kvj - TiPEMprIF2xBUSRDSn8+qTZdvQE8QymU4ujj - 0gTF8egaCwgSmdeBajS3Vb6/L8M+GGP1tSOb - Sg== ) -localhost.example.net. 7200 IN A 127.0.0.1 - 7200 RRSIG A 5 3 7200 20081012220045 ( - 20081002220045 10367 example.net. - ngq0qDdgR3JILUgNpXzafmJd16pMcIJBlX3Q - URIhGFOXTgUvRmOGsZvhqEqSCQQwkPYkpsNd - 6NEKo5ZMZujTzA== ) - 7200 NSEC ns1.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20081012220045 ( - 20081002220045 10367 example.net. - KoYaIavkKL8/oYzk1DQIy9SodaCd8yYC6QMD - Ry4PfyiaoKchq45KFlQ5SVkaPfXQmGffbJdT - mndSk+Txu7C2aw== ) -ns1.example.net. 7200 IN A 1.0.0.5 - 7200 RRSIG A 5 3 7200 20081012220045 ( - 20081002220045 10367 example.net. - TZnIpUO6Odm6FaN2fzXslFfPjN0BmueDUco8 - T/sxtBpVAMbLkgSopaTEKgvV/J+pZfR1ehIh - GZfIki/kSWfXxg== ) - 7200 AAAA 2001:db8::53 - 7200 RRSIG AAAA 5 3 7200 20081012220045 ( - 20081002220045 10367 example.net. - Kr+R4GvcpfWp6RGMauy1MFK9iRwIuvxFfAxd - ZAa/RiGOAB6BnLuGP6JHbJg25n6e+zPT7HeB - cHmHAn4azykZDg== ) - 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20081012220045 ( - 20081002220045 10367 example.net. - t7VkcKKR55956Kv9ASpw5vJCIFtZ1jYoBOU/ - aaB5OFsrN8706ARrlkUw6aFBCh1sd9vzi+SU - vkgWg0dE7bbUpg== ) -ns2.example.net. 7200 IN A 1.2.0.6 - 7200 RRSIG A 5 3 7200 20081012220045 ( - 20081002220045 10367 example.net. - lpYgf61HD7a7hAPtZuMnMxnVsjFSwY7qyRce - cVzUeaxlqHTBbgXazldKYyYkBsPR1f7x7JUI - m39kBVe4kf9byg== ) - 7200 NSEC sub.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20081012220045 ( - 20081002220045 10367 example.net. - fC8u/dDkso6U3eBqyQrhohlnsMOZjHvn/vOx - PxNCoJ3ideGp6g/WWExRdLA+SdQJqm40QJoQ - +72LfvnXzQ+tRg== ) -sub.example.net. 7200 IN NS ns1.example.net. - 7200 NSEC example.net. NS RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20081012220045 ( - 20081002220045 10367 example.net. 
- OGaRT/2gV7fgQ88YXhqbP08cH+x/otO5qOEX - WJ7PvCMhForeY7z66e1LZufRqU2HchNpx94o - cz9+z1t7ECFYhw== ) diff --git a/contrib/zkt/examples/views/extern/zkt-ext.log b/contrib/zkt/examples/views/extern/zkt-ext.log deleted file mode 100644 index d070ca23f3..0000000000 --- a/contrib/zkt/examples/views/extern/zkt-ext.log +++ /dev/null 
@@ -1,51 +0,0 @@ -2008-06-12 17:59:04.194: notice: running as ../../dnssec-signer -V extern -v -v -2008-06-12 17:59:04.195: debug: parsing zone "example.net." in dir "extern/example.net." -2008-06-12 17:59:04.196: debug: Check RFC5011 status -2008-06-12 17:59:04.196: debug: ->ksk5011status returns 0 -2008-06-12 17:59:04.196: debug: Check ksk status -2008-06-12 17:59:04.196: debug: Re-signing not necessary! -2008-06-12 17:59:04.196: notice: end of run: 0 errors occured -2008-06-12 17:59:17.435: notice: running as ../../dnssec-signer -V extern -v -v -2008-06-12 17:59:17.436: debug: parsing zone "example.net." in dir "extern/example.net." -2008-06-12 17:59:17.436: debug: Check RFC5011 status -2008-06-12 17:59:17.436: debug: ->ksk5011status returns 0 -2008-06-12 17:59:17.436: debug: Check ksk status -2008-06-12 17:59:17.436: debug: Re-signing not necessary! -2008-06-12 17:59:17.436: notice: end of run: 0 errors occured -2008-06-12 18:00:07.818: notice: running as ../../dnssec-signer -V extern -v -v -2008-06-12 18:00:07.819: debug: parsing zone "example.net." in dir "extern/example.net." -2008-06-12 18:00:07.819: debug: Check RFC5011 status -2008-06-12 18:00:07.819: debug: ->ksk5011status returns 0 -2008-06-12 18:00:07.819: debug: Check ksk status -2008-06-12 18:00:07.819: debug: Re-signing not necessary! -2008-06-12 18:00:07.819: notice: end of run: 0 errors occured -2008-06-12 18:00:39.019: notice: running as ../../dnssec-signer -V extern -v -v -2008-06-12 18:00:39.020: debug: parsing zone "example.net." in dir "extern/example.net." -2008-06-12 18:00:39.020: debug: Check RFC5011 status -2008-06-12 18:00:39.020: debug: ->ksk5011status returns 0 -2008-06-12 18:00:39.020: debug: Check ksk status -2008-06-12 18:00:39.020: debug: Re-signing not necessary! 
-2008-06-12 18:00:39.020: notice: end of run: 0 errors occured -2008-10-03 01:00:45.544: notice: ------------------------------------------------------------ -2008-10-03 01:00:45.544: notice: running ../../dnssec-signer -V extern -v -v -2008-10-03 01:00:45.545: debug: parsing zone "example.net" in dir "extern/example.net" -2008-10-03 01:00:45.545: debug: Check RFC5011 status -2008-10-03 01:00:45.545: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2008-10-03 01:00:45.545: debug: Check KSK status -2008-10-03 01:00:45.545: debug: Check ZSK status -2008-10-03 01:00:45.545: debug: Lifetime(2592000 +/-150 sec) of active key 35744 exceeded (5018328 sec) -2008-10-03 01:00:45.546: debug: ->depreciate it -2008-10-03 01:00:45.546: debug: ->activate published key 10367 -2008-10-03 01:00:45.546: notice: "example.net": lifetime of zone signing key 35744 exceeded: ZSK rollover done -2008-10-03 01:00:45.546: debug: New key for publishing needed -2008-10-03 01:00:45.614: debug: ->creating new key 14714 -2008-10-03 01:00:45.614: info: "example.net": new key 14714 generated for publishing -2008-10-03 01:00:45.614: debug: Re-signing necessary: New zone key -2008-10-03 01:00:45.614: notice: "example.net": re-signing triggered: New zone key -2008-10-03 01:00:45.614: debug: Writing key file "extern/example.net/dnskey.db" -2008-10-03 01:00:45.614: debug: Signing zone "example.net" -2008-10-03 01:00:45.614: debug: Run cmd "cd extern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +864000 -N unixtime zone.db K*.private" -2008-10-03 01:00:46.114: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-10-03 01:00:46.114: debug: Signing completed after 1s. -2008-10-03 01:00:46.114: debug: -2008-10-03 01:00:46.114: notice: end of run: 0 errors occured 
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.key b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.key deleted file mode 100644 index 316e4cfeaf..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.key +++ /dev/null @@ -1 +0,0 @@ -example.net. IN DNSKEY 257 3 5 BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3W ey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqI wF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9 +nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYq Lw== diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.private b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.private deleted file mode 100644 index 96e1ff6e08..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.private +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: C+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYqLw== -PublicExponent: AQAAAAE= -PrivateExponent: CF6/bss8OtQFdcjO6kJh9EamPFXAsaXFCdcYpHF55CU4H3jBuu7teLFEanvgm6M+wROYF0Yohiyb2aeSBdGLRIfTC9l3xfHD+XixuZVoNk6DqR1/8Wlxwu/a/hW9dq7pUXqDfTbzdZKR6SVRPa4MAdQ0p8aSF4S926NRqZC6E/anqhqNPSlBpxTs3TrRk+wY6u8wMXxPGNjJYoID8Y0Qau/H6Q== -Prime1: A50B7etEtQCDudL8+KBxU1/2sVT3ORMfoZPsOe+ZLFrwcOO9Iyrr6saymuD4QvcIHECdLUM5rsT1JBo87wgvVysibco7oVLxlIfsTcbM70l2Kw== -Prime2: A0n3+qM3ng3WAFzlpYRNUZpH/CW1pMq3nOHjx2olWwDxDZ4tAsUPKuW9n3kVZAR+4FkeUKn2ePR7xRtO3AzvA6QmZuZN6EHuLPlSKRufzeZ+DQ== -Exponent1: Hk5KY5PiXs6pf8T8rSvVs6PJqDX491R01ZDdAIDYjmhIUHKWQ2STAlPEpSAGXi+oqOo4dD1eJWgw36hT0JakjXU4aIvPoSdmVPMs8aod0NUh -Exponent2: AXKBZ5sYApCCj/0fGBTkmU6Zc89/ddQNrFm2lVLrwSTILHQWm/aXDvI+5icpF5kdrukVcNHUeCz1R/RTgeV4N9/qvr5YzbPWieqDNvpG1RcNRQ== -Coefficient: BZxK+fKwUNWoJ5huBqLsi8UMWgrCMqAfXvge4+Y4n4IL0VCU1UUEXZQEEeiATh0g52CuetOMej6FZ4QKbNryWg036ZKl81ataMGtDX/i/yZG diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.depreciated b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.depreciated deleted file mode 100644 index b519641670..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.depreciated +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: sMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHxpyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ== -PublicExponent: AQAAAAE= -PrivateExponent: fpWuYAOXJWdjMrZnI91hTi1wwuje4sKjDu8xvfnKvqKhr61QxK1gR9TB3mc2FM+Awivphb3xfi8+y2cacq9iUQ== -Prime1: 6DE1tFJXGIm2SW3fSwQymX7Zcw8VSIMWiHQPCqX1FA0= -Prime2: wuHS7u0I9aYOFkDAndfEVyDi8vOh96CcY/BuSvEZ6+0= -Exponent1: sn7RttKPap3cgw2sddmgwcuVSaEpwOswF/O42Ou3fMk= -Exponent2: LoJ305VksT7SWWR6bM5OybcdTm39PTZM0g3V2hOceK0= -Coefficient: SwRF9S9ICVeyeYw3djxbg7kUZjz5AkbHIgz9VeX4mzM= diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.key b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.key deleted file mode 100644 index 8be3973c54..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.key +++ /dev/null @@ -1 +0,0 @@ -example.net. IN DNSKEY 256 3 5 BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHx pyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ== diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.key b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.key deleted file mode 100644 index 160110ec89..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20080612154545 -;% lifetime=30d -example.net. IN DNSKEY 256 3 5 BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9Lc TpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw== diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.private b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.private deleted file mode 100644 index 60e43160e2..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.private +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: zbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9LcTpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw== -PublicExponent: AQAAAAE= -PrivateExponent: XZK4eHRUrFka7O0Q/RBuBG3iW8KFng5em4FnjCSBQpwSAvFzTBebqwfNSOcgqKihz8VzvKHxEd6BxVZRGI2dgQ== -Prime1: 8Jji5R57Y4ROxrO5EuEFjxL723VQ/Ym+4KYG+tM3bP8= -Prime2: 2uhGRdJU3UJvnPwx0gJGio6KmRBC6CmDqTMORhYrS1E= -Exponent1: cqVno4KLgMmKN5VPWaYA+pB5e55r6UEIaxqj6WMXATs= -Exponent2: EqSKzb/r02jmNCTv5aX7wHl+57LYR40rJvzgVTfh/tE= -Coefficient: 37ywfYlNFmtR/jZwoZBHNdIEy+C+jIeJ+fEepesSpoI= diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.key b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.key deleted file mode 100644 index e8977b334c..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081002230038 -;% lifetime=30d -example.net. IN DNSKEY 256 3 5 BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb 6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw== diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.published b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.published deleted file mode 100644 index 08c8f20b03..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.published +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: 1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw== -PublicExponent: AQAAAAE= -PrivateExponent: dQ8votLvyw0GPMsOp8k0mmhnjV07S4auujNLDyYZAiuHzVAXnGNz3xT2SnFW8w8DefMPcsV5xcIrRK7e0IwFQQ== -Prime1: /cDlq0uko2XS08z5G6tedDY2VMrpPBHtZfPFv+deJNU= -Prime2: 1/NwlY7J6WKGV/OIF6rlhn4UUitvTW7fpvUtyVEm+zs= -Exponent1: omnudnzEz+TTOSfoandcrZGS9x4qxU7hN+WjpRI7sCU= -Exponent2: rrt9FPIRiwGDSRtlsUaPNqgcgk4l/EQdWciqnhWu5ms= -Coefficient: GFA1bGcsWxRZza80zKnL/V9YsfoNaI4id7pwU7FOtAE= 
diff --git a/contrib/zkt/examples/views/intern/example.net/dnskey.db b/contrib/zkt/examples/views/intern/example.net/dnskey.db deleted file mode 100644 index 76e992dec1..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/dnskey.db +++ /dev/null @@ -1,36 +0,0 @@ -; -; !!! Don't edit this file by hand. -; !!! It will be generated by dnssec-signer. -; -; Last generation time Oct 03 2008 01:00:38 -; - -; *** List of Key Signing Keys *** -; example.net. tag=126 algo=RSASHA1 generated Aug 05 2008 23:01:57 -example.net. 1800 IN DNSKEY 257 3 5 ( - BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3W - ey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqI - wF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9 - +nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYq - Lw== - ) ; key id = 126 - -; *** List of Zone Signing Keys *** -; example.net. tag=23375 algo=RSASHA1 generated Aug 05 2008 23:01:57 -example.net. 1800 IN DNSKEY 256 3 5 ( - BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9Lc - TpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw== - ) ; key id = 23375 - -; example.net. tag=5972 algo=RSASHA1 generated Aug 05 2008 23:01:57 -example.net. 1800 IN DNSKEY 256 3 5 ( - BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHx - pyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ== - ) ; key id = 5972 - -; example.net. tag=55745 algo=RSASHA1 generated Oct 03 2008 01:00:38 -example.net. 1800 IN DNSKEY 256 3 5 ( - BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb - 6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw== - ) ; key id = 55745 - diff --git a/contrib/zkt/examples/views/intern/example.net/dsset-example.net. b/contrib/zkt/examples/views/intern/example.net/dsset-example.net. deleted file mode 100644 index b61c1b6fd5..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/dsset-example.net. +++ /dev/null 
@@ -1,2 +0,0 @@ -example.net. IN DS 126 5 1 D32161DCFCA120944CB9C0394CBED1389FDB72CA -example.net. IN DS 126 5 2 351C6807B25E47223D7A6AA222291E8D7D7DDDA61D64CE839F937F22 47481FC9 diff --git a/contrib/zkt/examples/views/intern/example.net/keyset-example.net. b/contrib/zkt/examples/views/intern/example.net/keyset-example.net. deleted file mode 100644 index 0aa2c7d464..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/keyset-example.net. +++ /dev/null @@ -1,10 +0,0 @@ -$ORIGIN . -example.net 7200 IN DNSKEY 257 3 5 ( - BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk - gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI - uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS - 5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s - ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE - 6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q - grOD6IYqLw== - ) ; key id = 126 diff --git a/contrib/zkt/examples/views/intern/example.net/zone.db b/contrib/zkt/examples/views/intern/example.net/zone.db deleted file mode 100644 index d3e90f7fe2..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/zone.db +++ /dev/null @@ -1,33 +0,0 @@ -;----------------------------------------------------------------- -; -; @(#) intern/example.net/zone.db -; -;----------------------------------------------------------------- - -$TTL 7200 - -@ IN SOA ns1.example.net. hostmaster.example.net. ( - 0 ; Serial - 43200 ; Refresh - 1800 ; Retry - 2W ; Expire - 7200 ) ; Minimum - - IN NS ns1.example.net. - IN NS ns2.example.net. - -ns1 IN A 192.168.1.53 - IN AAAA fd12:063c:cdbb::53 -ns2 IN A 10.1.2.3 - -localhost IN A 127.0.0.1 - -; Delegation to secure zone; The DS resource record will -; be added by dnssec-signzone automatically if the -; keyset-sub.example.net file is present (run dnssec-signzone -; with option -g or use the dnssec-signer tool) ;-) -sub IN NS ns1.example.net. - -; this file will have all the zone keys -$INCLUDE dnskey.db - 
diff --git a/contrib/zkt/examples/views/intern/example.net/zone.db.signed b/contrib/zkt/examples/views/intern/example.net/zone.db.signed deleted file mode 100644 index 14beb42401..0000000000 --- a/contrib/zkt/examples/views/intern/example.net/zone.db.signed +++ /dev/null 
@@ -1,114 +0,0 @@ -; File written on Fri Oct 3 01:00:38 2008 -; dnssec_signzone version 9.5.1b2 -example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( - 1222988438 ; serial - 43200 ; refresh (12 hours) - 1800 ; retry (30 minutes) - 1209600 ; expire (2 weeks) - 7200 ; minimum (2 hours) - ) - 7200 RRSIG SOA 5 2 7200 20081003220038 ( - 20081002220038 23375 example.net. - EaJUHwT7koYW6b+W6LZ/1L3zXvs/SMSW+d94 - PjdcgdSR4b8mhJetzWj2ZO/n5uy7CUl496Hx - RU+QoCF8K6HkVw== ) - 7200 NS ns1.example.net. - 7200 NS ns2.example.net. - 7200 RRSIG NS 5 2 7200 20081003220038 ( - 20081002220038 23375 example.net. - b0W8xa7AgV6IWMSYtVCuix1bEHeohx2oboqs - HqCrVPgd0OtYdSpxgcIJhLiUv/9ux9YihjKC - aKsw9D8YtpOmpg== ) - 7200 NSEC localhost.example.net. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 5 2 7200 20081003220038 ( - 20081002220038 23375 example.net. - mHJnc/UsTztaTRWQCTVc7vgM8bt5mgFJTIlJ - 52+Rn74uzak2fDTfR4jHEHCqsinx9EA+iAcN - 2na44xgRs2dCNQ== ) - 1800 DNSKEY 256 3 5 ( - BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb - 11l0HC5kGIDp+JPQIQHxpyCWa/LaLgcvK3IA - 1HR8YaO3QXB2LAHEz5B/CQ== - ) ; key id = 5972 - 1800 DNSKEY 256 3 5 ( - BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0Q - Qv96Qwy5/zuOa/3Zy9LcTpbE13DtEAqOfVGS - Q79S4WgKalFJxq6lSk0xrw== - ) ; key id = 23375 - 1800 DNSKEY 256 3 5 ( - BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMg - H3nDnWBT3BD75hEuz/Cb6YapmxaZybxc+EE/ - Ts8bhXGqPEwoADjxfW1UFw== - ) ; key id = 55745 - 1800 DNSKEY 257 3 5 ( - BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk - gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI - uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS - 5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s - ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE - 6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q - grOD6IYqLw== - ) ; key id = 126 - 1800 RRSIG DNSKEY 5 2 1800 20081003220038 ( - 20081002220038 126 example.net. 
- CLKVhqz7zOAEyJrQq/WAEaRsnTfNEnCwYEMj - KPrAgiXXF+RJy18cHN7QoXb4kc8KA/TrOU1w - WN8IjdESlPj9pQKqUs/uO9RLzIcv6jOlOKQP - oKOjjnOxAL52+WNK94TUpunlvfd53ovC8YK4 - /nOsSjpLoqTbmL1r45vqpL/C6jqJR8bTouwy - rjAYEtkWRND0QZ9R6IAHfxO6onmX1GOtu5Ji - ew== ) - 1800 RRSIG DNSKEY 5 2 1800 20081003220038 ( - 20081002220038 23375 example.net. - WXsmdMkwYcvzrf8qevByn+BMPjTE8aEcze7q - uzZI+3NOcbZ4MMlAdauc6jhfc9xmgSiJu52q - EUX5JLL8xQ7tDg== ) -localhost.example.net. 7200 IN A 127.0.0.1 - 7200 RRSIG A 5 3 7200 20081003220038 ( - 20081002220038 23375 example.net. - FoSR7rfi2wfgEz5wj+qILnVwV7mAmL4XknQA - b1uGLJ8Wcnkn4sqjaISgfVwG/GVxwuBOuVne - SqXIFVVvKQtEUg== ) - 7200 NSEC ns1.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20081003220038 ( - 20081002220038 23375 example.net. - iwB4+BZVreVKVnmBZdVdz/NxRy1tyYpd0JgK - otoiLA6dESoC29tHQL/hBx92Q7lETZI+8gSE - II0sRQv+1PL+JQ== ) -ns1.example.net. 7200 IN A 192.168.1.53 - 7200 RRSIG A 5 3 7200 20081003220038 ( - 20081002220038 23375 example.net. - oBiQfEsq72v6NMONwgdewLtvNyH1K/Btz1b5 - hEYqdoX1QpaduXlQNodFPf15PdwEp4v4FwZ0 - rOtPt7kO4EQnww== ) - 7200 AAAA fd12:63c:cdbb::53 - 7200 RRSIG AAAA 5 3 7200 20081003220038 ( - 20081002220038 23375 example.net. - mmNK/6aWk1nr7lWhVt9m6A9vgenngt1hsOxs - 43jwarEb7SeYRanHMnML/g101mk7czXAiRxq - np4Cjs3lo1M/Bg== ) - 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20081003220038 ( - 20081002220038 23375 example.net. - jTnbufp39i9n9cZwasJ6IsRwqWIIeTU1Z/wy - ECBmyYQlfAuYmWTYmX4BPsQ9SwFZVIICg40I - /BYlDBm7ihxUyw== ) -ns2.example.net. 7200 IN A 10.1.2.3 - 7200 RRSIG A 5 3 7200 20081003220038 ( - 20081002220038 23375 example.net. - Rdu1WWzZdPJ5CjfMd9n31XY6Df4NiO2wPnxy - Wp6x3EyLrABDdM95fwf8DBgjarppJNtOaV5j - Lr5CujYtAoXksA== ) - 7200 NSEC sub.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20081003220038 ( - 20081002220038 23375 example.net. - GcxFEovqwXtJ/tYRG4G4tNKyVY7Vg9HULhbj - JZfi8IlaR3bloMVMj2bHWhNQvvXTFY+N59UG - PNWE+krE+L4yfQ== ) -sub.example.net. 7200 IN NS ns1.example.net. 
- 7200 NSEC example.net. NS RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20081003220038 ( - 20081002220038 23375 example.net. - SgCqYEbpzuCcVDLi5PcyUEG8qKm+EQ0lj3mz - uiSDDTh6OsCKOVqW8dKs15P8v3i5LDJwM/Eu - OaqT7RJgB2UOkQ== ) diff --git a/contrib/zkt/examples/views/intern/zkt-int.log b/contrib/zkt/examples/views/intern/zkt-int.log deleted file mode 100644 index d6d4593cd9..0000000000 --- a/contrib/zkt/examples/views/intern/zkt-int.log +++ /dev/null 
@@ -1,192 +0,0 @@ -2008-06-12 18:02:13.593: notice: running as ../../dnssec-signer -V intern -v -v -2008-06-12 18:02:13.594: debug: parsing zone "example.net." in dir "intern/example.net." -2008-06-12 18:02:13.594: debug: Check RFC5011 status -2008-06-12 18:02:13.595: debug: ->ksk5011status returns 0 -2008-06-12 18:02:13.595: debug: Check ksk status -2008-06-12 18:02:13.595: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727466 sec) -2008-06-12 18:02:13.595: debug: ->waiting for pre-publish key -2008-06-12 18:02:13.595: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h17m46s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:02:13.595: debug: Re-signing necessary: Modified keys -2008-06-12 18:02:13.595: notice: "example.net.": re-signing triggered: Modified keys -2008-06-12 18:02:13.595: debug: Writing key file "intern/example.net./dnskey.db" -2008-06-12 18:02:13.596: debug: Signing zone "example.net." -2008-06-12 18:02:13.596: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" -2008-06-12 18:02:13.705: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-06-12 18:02:13.705: debug: Signing completed after 0s. -2008-06-12 18:02:13.705: debug: -2008-06-12 18:02:13.705: notice: end of run: 0 errors occured -2008-06-12 18:03:13.208: notice: running as ../../dnssec-signer -V intern -r -v -v -2008-06-12 18:03:13.209: debug: parsing zone "example.net." in dir "intern/example.net." 
-2008-06-12 18:03:13.209: debug: Check RFC5011 status -2008-06-12 18:03:13.209: debug: ->ksk5011status returns 0 -2008-06-12 18:03:13.209: debug: Check ksk status -2008-06-12 18:03:13.209: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727526 sec) -2008-06-12 18:03:13.209: debug: ->waiting for pre-publish key -2008-06-12 18:03:13.209: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m46s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:03:13.209: debug: Re-signing not necessary! -2008-06-12 18:03:13.209: notice: end of run: 0 errors occured -2008-06-12 18:03:19.287: notice: running as ../../dnssec-signer -V intern -r -v -v -2008-06-12 18:03:19.288: debug: parsing zone "example.net." in dir "intern/example.net." -2008-06-12 18:03:19.288: debug: Check RFC5011 status -2008-06-12 18:03:19.289: debug: ->ksk5011status returns 0 -2008-06-12 18:03:19.289: debug: Check ksk status -2008-06-12 18:03:19.289: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727532 sec) -2008-06-12 18:03:19.289: debug: ->waiting for pre-publish key -2008-06-12 18:03:19.289: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m52s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:03:19.289: debug: Re-signing not necessary! -2008-06-12 18:03:19.289: notice: end of run: 0 errors occured -2008-06-12 18:03:23.617: notice: running as ../../dnssec-signer -V intern -f -r -v -v -2008-06-12 18:03:23.618: debug: parsing zone "example.net." in dir "intern/example.net." 
-2008-06-12 18:03:23.618: debug: Check RFC5011 status -2008-06-12 18:03:23.618: debug: ->ksk5011status returns 0 -2008-06-12 18:03:23.618: debug: Check ksk status -2008-06-12 18:03:23.618: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727536 sec) -2008-06-12 18:03:23.618: debug: ->waiting for pre-publish key -2008-06-12 18:03:23.618: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m56s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:03:23.618: debug: Re-signing necessary: Option -f -2008-06-12 18:03:23.618: notice: "example.net.": re-signing triggered: Option -f -2008-06-12 18:03:23.618: debug: Writing key file "intern/example.net./dnskey.db" -2008-06-12 18:03:23.619: debug: Signing zone "example.net." -2008-06-12 18:03:23.619: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" -2008-06-12 18:03:23.719: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-06-12 18:03:23.719: debug: Signing completed after 0s. -2008-06-12 18:03:23.720: notice: ""example.net." in view "intern"": reload triggered -2008-06-12 18:03:23.772: debug: -2008-06-12 18:03:23.772: notice: end of run: 0 errors occured -2008-06-12 18:05:39.532: notice: running as ../../dnssec-signer -V intern -f -r -v -v -2008-06-12 18:05:39.533: debug: parsing zone "example.net." in dir "intern/example.net." 
-2008-06-12 18:05:39.533: debug: Check RFC5011 status -2008-06-12 18:05:39.533: debug: ->ksk5011status returns 0 -2008-06-12 18:05:39.533: debug: Check ksk status -2008-06-12 18:05:39.533: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727672 sec) -2008-06-12 18:05:39.533: debug: ->waiting for pre-publish key -2008-06-12 18:05:39.533: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h21m12s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:05:39.533: debug: Re-signing necessary: Option -f -2008-06-12 18:05:39.533: notice: "example.net.": re-signing triggered: Option -f -2008-06-12 18:05:39.533: debug: Writing key file "intern/example.net./dnskey.db" -2008-06-12 18:05:39.534: debug: Signing zone "example.net." -2008-06-12 18:05:39.534: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" -2008-06-12 18:05:39.629: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-06-12 18:05:39.630: debug: Signing completed after 0s. -2008-06-12 18:05:39.630: notice: ""example.net."": reload triggered -2008-06-12 18:05:39.640: debug: -2008-06-12 18:05:39.640: notice: end of run: 0 errors occured -2008-06-12 18:07:47.753: notice: running as ../../dnssec-signer -V intern -f -r -v -v -2008-06-12 18:07:47.754: debug: parsing zone "example.net." in dir "intern/example.net." 
-2008-06-12 18:07:47.754: debug: Check RFC5011 status -2008-06-12 18:07:47.754: debug: ->ksk5011status returns 0 -2008-06-12 18:07:47.754: debug: Check ksk status -2008-06-12 18:07:47.754: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727800 sec) -2008-06-12 18:07:47.754: debug: ->waiting for pre-publish key -2008-06-12 18:07:47.754: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h23m20s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:07:47.754: debug: Re-signing necessary: Option -f -2008-06-12 18:07:47.754: notice: "example.net.": re-signing triggered: Option -f -2008-06-12 18:07:47.754: debug: Writing key file "intern/example.net./dnskey.db" -2008-06-12 18:07:47.754: debug: Signing zone "example.net." -2008-06-12 18:07:47.754: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" -2008-06-12 18:07:47.856: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-06-12 18:07:47.856: debug: Signing completed after 0s. -2008-06-12 18:07:47.856: notice: ""example.net."": reload triggered -2008-06-12 18:07:47.866: debug: -2008-06-12 18:07:47.867: notice: end of run: 0 errors occured -2008-06-12 18:10:57.978: notice: running as ../../dnssec-signer -V intern -f -r -v -v -2008-06-12 18:10:57.978: debug: parsing zone "example.net." in dir "intern/example.net." 
-2008-06-12 18:10:57.978: debug: Check RFC5011 status -2008-06-12 18:10:57.978: debug: ->ksk5011status returns 0 -2008-06-12 18:10:57.978: debug: Check ksk status -2008-06-12 18:10:57.978: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727990 sec) -2008-06-12 18:10:57.978: debug: ->waiting for pre-publish key -2008-06-12 18:10:57.978: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h26m30s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:10:57.978: debug: Re-signing necessary: Option -f -2008-06-12 18:10:57.978: notice: "example.net.": re-signing triggered: Option -f -2008-06-12 18:10:57.978: debug: Writing key file "intern/example.net./dnskey.db" -2008-06-12 18:10:57.979: debug: Signing zone "example.net." -2008-06-12 18:10:57.979: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" -2008-06-12 18:10:58.081: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-06-12 18:10:58.081: debug: Signing completed after 1s. -2008-06-12 18:10:58.081: notice: ""example.net." in view "intern"": reload triggered -2008-06-12 18:10:58.093: debug: -2008-06-12 18:10:58.093: notice: end of run: 0 errors occured -2008-06-12 18:13:29.511: notice: running as ../../dnssec-signer -V intern -f -r -v -v -2008-06-12 18:13:29.512: debug: parsing zone "example.net." in dir "intern/example.net." 
-2008-06-12 18:13:29.512: debug: Check RFC5011 status -2008-06-12 18:13:29.512: debug: ->ksk5011status returns 0 -2008-06-12 18:13:29.512: debug: Check ksk status -2008-06-12 18:13:29.512: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728142 sec) -2008-06-12 18:13:29.512: debug: ->waiting for pre-publish key -2008-06-12 18:13:29.512: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m2s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:13:29.512: debug: Re-signing necessary: Option -f -2008-06-12 18:13:29.512: notice: "example.net.": re-signing triggered: Option -f -2008-06-12 18:13:29.512: debug: Writing key file "intern/example.net./dnskey.db" -2008-06-12 18:13:29.513: debug: Signing zone "example.net." -2008-06-12 18:13:29.513: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" -2008-06-12 18:13:29.612: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-06-12 18:13:29.612: debug: Signing completed after 0s. -2008-06-12 18:13:29.612: notice: ""example.net." in view "intern"": reload triggered -2008-06-12 18:13:29.612: debug: Reload zone "example.net." in view "intern" -2008-06-12 18:13:29.612: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern" -2008-06-12 18:13:29.623: debug: -2008-06-12 18:13:29.623: notice: end of run: 0 errors occured -2008-06-12 18:13:38.707: notice: running as ../../dnssec-signer -V intern -f -r -v -2008-06-12 18:13:38.708: debug: parsing zone "example.net." in dir "intern/example.net." 
-2008-06-12 18:13:38.709: debug: Check RFC5011 status -2008-06-12 18:13:38.709: debug: ->ksk5011status returns 0 -2008-06-12 18:13:38.709: debug: Check ksk status -2008-06-12 18:13:38.709: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728151 sec) -2008-06-12 18:13:38.709: debug: ->waiting for pre-publish key -2008-06-12 18:13:38.709: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m11s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:13:38.709: debug: Re-signing necessary: Option -f -2008-06-12 18:13:38.709: notice: "example.net.": re-signing triggered: Option -f -2008-06-12 18:13:38.709: debug: Writing key file "intern/example.net./dnskey.db" -2008-06-12 18:13:38.710: debug: Signing zone "example.net." -2008-06-12 18:13:38.710: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" -2008-06-12 18:13:39.163: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-06-12 18:13:39.163: debug: Signing completed after 1s. -2008-06-12 18:13:39.163: notice: ""example.net." in view "intern"": reload triggered -2008-06-12 18:13:39.163: debug: Reload zone "example.net." in view "intern" -2008-06-12 18:13:39.163: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern" -2008-06-12 18:13:39.174: debug: -2008-06-12 18:13:39.174: notice: end of run: 0 errors occured -2008-06-12 18:13:43.163: notice: running as ../../dnssec-signer -V intern -f -r -v -v -2008-06-12 18:13:43.164: debug: parsing zone "example.net." in dir "intern/example.net." 
-2008-06-12 18:13:43.164: debug: Check RFC5011 status -2008-06-12 18:13:43.164: debug: ->ksk5011status returns 0 -2008-06-12 18:13:43.164: debug: Check ksk status -2008-06-12 18:13:43.164: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728156 sec) -2008-06-12 18:13:43.164: debug: ->waiting for pre-publish key -2008-06-12 18:13:43.164: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m16s: ZSK rollover deferred: waiting for pre-publish key -2008-06-12 18:13:43.164: debug: Re-signing necessary: Option -f -2008-06-12 18:13:43.164: notice: "example.net.": re-signing triggered: Option -f -2008-06-12 18:13:43.164: debug: Writing key file "intern/example.net./dnskey.db" -2008-06-12 18:13:43.164: debug: Signing zone "example.net." -2008-06-12 18:13:43.164: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" -2008-06-12 18:13:43.262: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-06-12 18:13:43.262: debug: Signing completed after 0s. -2008-06-12 18:13:43.262: notice: ""example.net." in view "intern"": reload triggered -2008-06-12 18:13:43.262: debug: Reload zone "example.net." in view "intern" -2008-06-12 18:13:43.262: debug: Run cmd "/usr/local/sbin/rndc reload example.net. 
IN intern" -2008-06-12 18:13:43.273: debug: -2008-06-12 18:13:43.273: notice: end of run: 0 errors occured -2008-10-03 01:00:38.404: notice: ------------------------------------------------------------ -2008-10-03 01:00:38.404: notice: running ../../dnssec-signer -V intern -2008-10-03 01:00:38.405: debug: parsing zone "example.net" in dir "intern/example.net" -2008-10-03 01:00:38.405: debug: Check RFC5011 status -2008-10-03 01:00:38.405: debug: ->not a rfc5011 zone, looking for a regular ksk rollover -2008-10-03 01:00:38.405: debug: Check KSK status -2008-10-03 01:00:38.405: debug: Check ZSK status -2008-10-03 01:00:38.405: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (5018321 sec) -2008-10-03 01:00:38.405: debug: ->depreciate it -2008-10-03 01:00:38.405: debug: ->activate published key 23375 -2008-10-03 01:00:38.405: notice: "example.net": lifetime of zone signing key 5972 exceeded: ZSK rollover done -2008-10-03 01:00:38.405: debug: New key for publishing needed -2008-10-03 01:00:38.491: debug: ->creating new key 55745 -2008-10-03 01:00:38.492: info: "example.net": new key 55745 generated for publishing -2008-10-03 01:00:38.492: debug: Re-signing necessary: New zone key -2008-10-03 01:00:38.492: notice: "example.net": re-signing triggered: New zone key -2008-10-03 01:00:38.492: debug: Writing key file "intern/example.net/dnskey.db" -2008-10-03 01:00:38.492: debug: Signing zone "example.net" -2008-10-03 01:00:38.492: debug: Run cmd "cd intern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +86400 -N unixtime zone.db K*.private" -2008-10-03 01:00:38.796: debug: Cmd dnssec-signzone return: "zone.db.signed" -2008-10-03 01:00:38.796: debug: Signing completed after 0s. -2008-10-03 01:00:38.796: debug: -2008-10-03 01:00:38.796: notice: end of run: 0 errors occured diff --git a/contrib/zkt/examples/views/named.conf b/contrib/zkt/examples/views/named.conf deleted file mode 100644 index c7034e2f5f..0000000000 
--- a/contrib/zkt/examples/views/named.conf +++ /dev/null 
@@ -1,97 +0,0 @@ -/***************************************************************** -** -** #(@) named.conf (c) 6. May 2004 (hoz) -*****************************************************************/ - -/***************************************************************** -** logging options -*****************************************************************/ -logging { - channel "named-log" { - file "named.log"; - print-time yes; - print-category yes; - print-severity yes; - severity info; - }; - category "dnssec" { "named-log"; }; - category "edns-disabled" { "named-log"; }; - category "default" { "named-log"; }; -}; - -/***************************************************************** -** name server options -*****************************************************************/ -options { - directory "."; - - pid-file "named.pid"; - listen-on-v6 port 1053 { any; }; - listen-on port 1053 { any; }; - - empty-zones-enable no; - - port 1053; - query-source address * port 1053; - query-source-v6 address * port 1053; - transfer-source * port 53; - transfer-source-v6 * port 53; - use-alt-transfer-source no; - notify-source * port 53; - notify-source-v6 * port 53; - - recursion yes; - dnssec-enable yes; - dnssec-validation yes; /* required by BIND 9.4.0 */ - dnssec-accept-expired false; /* added since BIND 9.5.0 */ - edns-udp-size 1460; /* (M4) */ - max-udp-size 1460; /* (M5) */ - - # allow-query { localhost; }; /* default in 9.4.0 */ - # allow-query-cache { localhost; }; /* default in 9.4.0 */ - - dnssec-must-be-secure "." no; - - querylog yes; - - stats-server 127.0.0.1 port 8881; /* added since BIND 9.5.0 */ -}; - -/***************************************************************** -** view intern -*****************************************************************/ -view "intern" { - match-clients { 127.0.0.1; ::1; }; - recursion yes; - zone "." 
in { - type hint; - file "root.hint"; - }; - - zone "0.0.127.in-addr.arpa" in { - type master; - file "127.0.0.zone"; - }; - - zone "example.net" in { - type master; - file "intern/example.net/zone.db.signed"; - }; -}; - -/***************************************************************** -** view extern -*****************************************************************/ -view "extern" { - match-clients { any; }; - recursion no; - zone "." in { - type hint; - file "root.hint"; - }; - - zone "example.net" in { - type master; - file "extern/example.net/zone.db.signed"; - }; -}; diff --git a/contrib/zkt/examples/views/named.log b/contrib/zkt/examples/views/named.log deleted file mode 100644 index 15d5f7b927..0000000000 --- a/contrib/zkt/examples/views/named.log +++ /dev/null 
@@ -1,17 +0,0 @@ -20-Nov-2007 17:12:58.092 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied -20-Nov-2007 17:12:58.092 general: critical: exiting (due to early fatal error) -20-Nov-2007 17:20:24.941 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied -20-Nov-2007 17:20:24.941 general: critical: exiting (due to early fatal error) -20-Nov-2007 17:28:22.686 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied -20-Nov-2007 17:28:22.686 general: critical: exiting (due to early fatal error) -20-Nov-2007 17:40:12.389 general: error: zone 0.0.127.in-addr.arpa/IN/intern: loading from master file 127.0.0.zone failed: file not found -20-Nov-2007 17:40:12.391 general: info: zone example.net/IN/intern: loaded serial 1195574789 (signed) -20-Nov-2007 17:40:12.393 general: info: zone example.net/IN/extern: loaded serial 1195561217 (signed) -20-Nov-2007 17:40:12.393 general: notice: running -20-Nov-2007 17:40:12.393 notify: info: zone example.net/IN/intern: sending notifies (serial 1195574789) -20-Nov-2007 17:40:12.394 notify: info: zone example.net/IN/extern: sending notifies (serial 1195561217) -20-Nov-2007 19:07:04.016 general: info: shutting down -20-Nov-2007 19:07:04.017 network: info: no longer listening on ::#1053 -20-Nov-2007 19:07:04.017 network: info: no longer listening on 127.0.0.1#1053 -20-Nov-2007 19:07:04.017 network: info: no longer listening on 145.253.100.51#1053 -20-Nov-2007 19:07:04.020 general: notice: exiting diff --git a/contrib/zkt/examples/views/root.hint b/contrib/zkt/examples/views/root.hint deleted file mode 100644 index 2b5c167a31..0000000000 --- a/contrib/zkt/examples/views/root.hint +++ /dev/null 
@@ -1,45 +0,0 @@ -; <<>> DiG 9.5.0a6 <<>> ns . @a.root-servers.net -;; global options: printcmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33355 -;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 -;; WARNING: recursion requested but not available - -;; QUESTION SECTION: -;. IN NS - -;; ANSWER SECTION: -. 518400 IN NS H.ROOT-SERVERS.NET. -. 518400 IN NS I.ROOT-SERVERS.NET. -. 518400 IN NS J.ROOT-SERVERS.NET. -. 518400 IN NS K.ROOT-SERVERS.NET. -. 518400 IN NS L.ROOT-SERVERS.NET. -. 518400 IN NS M.ROOT-SERVERS.NET. -. 518400 IN NS A.ROOT-SERVERS.NET. -. 518400 IN NS B.ROOT-SERVERS.NET. -. 518400 IN NS C.ROOT-SERVERS.NET. -. 518400 IN NS D.ROOT-SERVERS.NET. -. 518400 IN NS E.ROOT-SERVERS.NET. -. 518400 IN NS F.ROOT-SERVERS.NET. -. 518400 IN NS G.ROOT-SERVERS.NET. - -;; ADDITIONAL SECTION: -A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4 -B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201 -C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12 -D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90 -E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10 -F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241 -G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4 -H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53 -I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17 -J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30 -K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129 -L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42 -M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33 - -;; Query time: 114 msec -;; SERVER: 198.41.0.4#53(198.41.0.4) -;; WHEN: Mon Nov 5 07:28:00 2007 -;; MSG SIZE rcvd: 436 - diff --git a/contrib/zkt/examples/views/viewtest.sh b/contrib/zkt/examples/views/viewtest.sh deleted file mode 100755 index f0a17543ac..0000000000 --- a/contrib/zkt/examples/views/viewtest.sh +++ /dev/null 
@@ -1,20 +0,0 @@ - - -ZKT_CONFFILE=dnssec.conf -export ZKT_CONFFILE - -if true -then - echo "All internal keys:" - ./dnssec-zkt-intern - echo - - echo "All external keys:" - ./dnssec-zkt-extern - echo -fi - -echo "Sign both views" -./dnssec-signer-intern -v -v -f -r -echo -./dnssec-signer-extern -v -v diff --git a/contrib/zkt/examples/dnssec-zkt.sh b/contrib/zkt/examples/zkt-ls.sh similarity index 62% rename from contrib/zkt/examples/dnssec-zkt.sh rename to contrib/zkt/examples/zkt-ls.sh index f3976ce9bc..c784a8684b 100755 --- a/contrib/zkt/examples/dnssec-zkt.sh +++ b/contrib/zkt/examples/zkt-ls.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Shell script to start the dnssec-zkt command +# Shell script to start the zkt-ls command # out of the example directory # @@ -9,4 +9,4 @@ then echo Please start this skript out of the flat or hierarchical sub directory exit 1 fi -ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt "$@" +ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-ls "$@" diff --git a/contrib/zkt/examples/dnssec-signer.sh b/contrib/zkt/examples/zkt-signer.sh similarity index 63% rename from contrib/zkt/examples/dnssec-signer.sh rename to contrib/zkt/examples/zkt-signer.sh index ee4bfc03da..12fc926565 100755 --- a/contrib/zkt/examples/dnssec-signer.sh +++ b/contrib/zkt/examples/zkt-signer.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Shell script to start the dnssec-signer +# Shell script to start the zkt-signer # command out of the example directory # @@ -9,4 +9,4 @@ then echo Please start this skript out of the flat or hierarchical sub directory exit 1 fi -ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@" +ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-signer "$@" diff --git a/contrib/zkt/log.c b/contrib/zkt/log.c index 021be98f97..f72ac6c13d 100644 --- a/contrib/zkt/log.c +++ b/contrib/zkt/log.c 
@@ -60,6 +60,7 @@
 ** module internal vars & declarations
 *****************************************************************/
 static FILE *lg_fp;
+static FILE *lg_fpsave;
 static int lg_minfilelevel;
 static int lg_syslogging;
 static int lg_minsyslevel;
@@ -299,6 +300,47 @@ int lg_close ()
 return ret;
 }
 
+/*****************************************************************
+** lg_zone_start (domain)
+** -- reopen the log channel
+** return values:
+** 0 on success
+** -1 on file open error
+*****************************************************************/
+int lg_zone_start (const char *dir, const char *domain)
+{
+ char fname[255+1];
+
+ dbg_val2 ("lg_zone_start (%s, %s)\n", dir, domain);
+
+ snprintf (fname, sizeof (fname), LOG_DOMAINTMPL, domain);
+ if ( lg_fp )
+ lg_fpsave = lg_fp;
+ lg_fp = lg_fileopen (dir, fname);
+
+ return lg_fp != NULL;
+}
+
+/*****************************************************************
+** lg_zone_end (domain)
+** -- close the (reopened) log channel
+** return values:
+** 0 on success
+** -1 on file open error
+*****************************************************************/
+int lg_zone_end ()
+{
+ if ( lg_fp && lg_fpsave )
+ {
+ lg_close ();
+ lg_fp = lg_fpsave;
+ lg_fpsave = NULL;
+ return 1;
+ }
+
+ return 0;
+}
+
 /*****************************************************************
 **
 ** lg_args (level, argc, argv[])
diff --git a/contrib/zkt/log.h b/contrib/zkt/log.h
index 9a5d3abd5f..754ba781a5 100644
--- a/contrib/zkt/log.h
+++ b/contrib/zkt/log.h
@@ -42,6 +42,15 @@
 # include
 # include
 
+#ifndef LOG_FNAMETMPL
+# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ+log"
+#endif
+
+#ifndef LOG_DOMAINTMPL
+# define LOG_DOMAINTMPL "zktlog-%s"
+#endif
+
+
 typedef enum {
 LG_NONE = 0,
 LG_DEBUG,
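Review bot: In log.c, `lg_zone_start` overwrites `lg_fp` before it knows the open worked, so a failed `lg_fileopen` leaves `lg_fp` NULL with the old stream parked in `lg_fpsave`, and `lg_zone_end` then skips the restore because it tests `lg_fp && lg_fpsave`; file logging stays off for the rest of the run and the saved stream is never closed. Opening into a local and swapping only on success, as in the fence below, avoids that. The header comments of both functions promise 0 on success and -1 on error while the code returns 1 and 0, so one side should be corrected to whatever the callers (outside this hunk) expect. If no log file was open beforehand, `lg_fpsave` stays NULL and `lg_zone_end` never closes the per-zone file, which suggests tracking the zone channel with its own flag. `domain` goes into the file name unchecked; how `lg_fileopen` joins `dir` and `fname` is not visible here, but a zone name containing `/` should be rejected before the `snprintf` so the log cannot be created outside `dir`.

```c
int	lg_zone_start (const char *dir, const char *domain)
{
	char	fname[255+1];
	FILE	*fp;

	/* ... unchanged: dbg_val2 trace and snprintf of fname ... */
	fp = lg_fileopen (dir, fname);
	if ( fp == NULL )
		return 0;	/* open failed: keep writing to the current channel */
	lg_fpsave = lg_fp;
	lg_fp = fp;

	return 1;
}
```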
@@ -61,6 +70,8 @@ extern long lg_seterrcnt (long value);
 extern long lg_reseterrcnt (void);
 extern int lg_open (const char *progname, const char *facility, const char *syslevel, const char *path, const char *file, const char *filelevel);
 extern int lg_close (void);
+extern int lg_zone_start (const char *dir, const char *domain);
+extern int lg_zone_end (void);
 extern void lg_args (lg_lvl_t level, int argc, char * const argv[]);
 extern void lg_mesg (int level, char *fmt, ...);
 #endif
diff --git a/contrib/zkt/man/dnssec-signer.8.pdf b/contrib/zkt/man/dnssec-signer.8.pdf deleted file mode 100644 index a98456525d6450d46ade07fbb8145eb3c5b320fb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12482 zcmch-WmsLw(l(3+*f<1t3qiNw?(P!YgF|q4g1ZwSNC*zWEx5aT2oiz?cMbND%*;76 zlbLfpf4+D9*=yITuD-jfx~f`e6h+0Ez|0T;P2XP3djK0bh}_o562Qv~lr^z2b22Aq zf21e_#VxFzOdQC8;?{;vCZZ-UZH-O%`2mhj4km`L0B-5~S_=+DeVE?g)Mc+}hMrc= z-}G$cN=KWAgfVhaexQH5+J(gf#jdqC*@WC_w~eg)9q0aK<2QcTBjw^NIkkr8_INCO zOWyKX2OZ_qM&A2YpgkSM9|& z%jKKrfbtJ;z3o$=^C?KUL7%(#>YZJ5)=ZtKe-@m(kf~wdSbzvozwZEzt~G+RUTZ6L z+a(Fj)w^vqx81Z?IOcP!40&Yv zCYeKb%N;(hs7qW;J;6Qdq|J7K1N8UQ$1VkPr@o}~4Mzzu#Fw`jco)eA9=H$C2s&j= zU$>N%RtrAojA`zSqFLeJOjH}~_%I)B#LvxLAY`EG^Ds-_@d7ud%07>O)<0XC9H?st z8sUU7c!qrf#zT;=MWFPC?K<06ZdzfBIu%s*$rmOyv7Ta7oXOn#4m^yF`i@S{&2?Y% zrb8z3m)dy!gpA+{Y=WmaF9XO=wv2W{?v9~)QnTRuVzi6bOvNysKH%B;*}ew$d`0HG z|F}BN!#qiJAyRG0O{>rHpvmT+*CY*sC#|4YPU@?WvCM-zQ@2LSfAj5)udnCv+U@Fy zl^GLi#Pw$>W67sfuVb?F1t(I{SgW=;-WHcgvBZb(1@Bzovg)&)EtI(=&|M4_@-D)~ zlo=N-GaxuwY!;#=4`F&0wJaiJTfZDml*Kg$8 zT~@*BwIautP;KYJ`(%M~)ZkpPiKqpZxmYbx)=HYY@!gsRswZ=B-T*~_FusHjfz~tR z>R5|FO%(Q(?-R6m*j-8n;&4>&h){@JzKvToF*N z3aVKVK{8>o%(2>2Q99{DPP)4#M}%KtxQwd3fm=Mj=71a(V(k8{Z8N{ zyqc@N%=w}V?t+yBe}IcUx_PFq^vTtdXh@UFC$`Y8#gg{irhFsz)KpSonCJO=CtC@Cz+0$r~o`@=c+4_Y_z_=*2bP9KVTUl#+MnGoL!vAiinb()hrB#~HUT`DOvv$3Q*?`SS~r zsp>w6LDQ4HCV$_q?@u4NN~L^x*u2dW7!<2UFFix57<)P##Z4m#hJARB1&t`eU-Vwc zTGZN49PfXMMI{#-(t)FO>4YQ57lWgAl1_({W_z9V1GR)Yecn!Ht}_T9D$K z86Um28O6@>b0q5Yk;=`ElA3XQE~ESw zBx6VU0>952TD7`JJTw{~C^yp`zFcT-9(WQ&^Msz%2=a-hz9rq#i%2sA1_kapY$V_P%{i_oA zr^t;&s}4d?{qk=niebfa8IJvsp5KIiAv~fCg|Bhv8n;K~->ENQ>qTuw{A&C{Y1SGf z`4mM1>Pj+LRQb#Pcn*;IuA``WI-4>09(4=jz~$YErmo?!vyK|BsnvG^+MWPrrNqp* zQR|oSi(}`VJQ7jRjPJ>PgrnW@@t^1G=nf=mD?y?201)AvQWxZ4x1U54vg7P9G6Mvr zUbv4!_DsDwPJkW zC&y;z^-d9nLzSv%dmm~`q8u?@_j46=kX*r}y+G+iElD0*sXKq*xPLoWk_yK7444Ad zK8h`nwf_mWakd(s_ritCo{-lTz)6D40Zy>+HDR|~J5fVwm78&q?*29{b@p4nhVU|P 
z=BfagJop4HF$`+29%OkMKSAgl*!i%1+(HWSY(h*pd6sZmPDIA1$%j1lAD%k{>ICVQ z8u%m)r}es=iT1gxC69An3E?gqoI(XoFg-yJBi8Is0&;DH^V2Yhp7P!KQy5k60M;}#qnk8$BPp4?5PytZQh3SDH zX-JhI7e)IlaQKx#bktT<9!8Pm5{g$K5(zU-=loGCpZK7lcVX~GB_`e5*v>VH0+aiO zsr$E6lOZ>n{6mr}w@St?WsOX$J!mCt{q6fv{Hv%RbukAOpl$;7R}`(h^6q|2TN}|3C&4S75CX7DFa5va|}az)E+Sae_I84EkxR@ zupmHL@l|RuJYP>dmbA{(&x{|snzya^ZC;1-5N(w&m|8yr;B&5p6O(P%r()QO?|M~Z ztm5Fq1m0f=a;rrkX}!JdU)Zlp?#i_&Ov8Opx}3UEiB?#A;^f!KdoYBYt#kZoI2+#H z7iGG+moa;pT)w0(^#ai$F+t<0_ITz&-6$fi$38W;o_If|&D$_^PHy#-HEgg(kG-^^ z`u&0>6jkgOf_<;|!PphLFQFBS_ddOYt1WCy+a^o%fTgFONP^N2*Bxe$m?J9tEMs2f zDC6<&Wb64+R{9CuXNIqfd7dI3UW!xaqaj}_DY|Jae3nDVc(1?BG%zS_xxJrp8t@8P zt^Qn>;E#dHKL0>`^sH&K3bH-GV-$HaqF0R(9mS$M^J4JhoM3NM2ee2ZSPgE59r?9s z6cNn3HkwivTPV77;?&*RS~h9c;D$+wQT&P4qIO)&8xn7o<6vE7-rJGr8+Cd6pw%2& zs+H!L)icZ3;tH70`UyMpEfyc8seQ69)k81~3g+Ee)Pz&Ddxwy@dv3}SJ=(W6+;?HYXu#X&JxdZt8@%T0+c(3Ud0m+2lha{NL=HT zvhUBaO;8+;bTT>>a3>A0*O(29gSF=r#lwDw6qc)gx6{gCc+PU^4NiV ziqESr3x-bX>%x>QQ2P1CdC>NSEc(L>f?TX_n8cQ+9N(PQ+bX=Y&*ZRON=43nX~1g8 zo5F=%pr!1LFUF1~cxhO#_>P=0BNEyb;tYm}P)s44@fO02NQrHP$igKZq36S)Q5v~d z$>4?^ro{Kzmxp%D$_11*Zv ziBwb~rW7MKuyxNd{^8K20IN&Vmp-{dZleqR{XRi zV6WuPC;6)&1hYXal zN(3V_7)cklT85+{ILysOHt#Nljs5%Hh?K*?a+Eub({3>id2@N7%@K5sMJ_b;GoC8U z7TC4 zVFFsHJ&+|eFV1fW_>hK;@vwpF=nl1^v4qn4sZ7#MoN`6<0u=SNdQ~&DjVmkbmgxQ# z9U_KfY+_^l`!e$J?Z?vd$Aa_6FAF;>8{l^u_}6tQ`2Vypt<_v`Sp10TJ*U1hlAaj+ ztlhKWWJQ3CwP1lyzXEiy+!D5O}b`FT0zI+HmRBv$z> zes9A2Ab5T==sSq-o11Ds?*IV~v$k~mb5s`JB+rYP&As!GME+0KV`s?ed9U-7y4i24 zK`3{M6(e1#>TKS?A!q$BtW`}XRV6q)cjmR%w6jCQ9)_K>SJg$M%>~N7Nio_;0!XJQ z3lsHOF7d6nKEv#J)liv$Q(mw_hQNdfG+!sI09zJ+(yP<$&CAn`uHmtG-b|n^dSmaU zRBSaH-kG2vLh~7a|9d0LS`l>==Y@)!q|iI^^&<5>v?{ZGLxcTf)cW{y*QyT!1L21D zzO~T-?KhZNuISFd8Q7%7G7Qu9oNflRCZTfKnCeC|lKmN%k~Z5`9&LnH#gNW1veD+< zuAL-)lLI0@<`xh2(%oKW!f%!nnS9etBu&YC<3oe$Lz-8!N|89Tyd4VgGcgg=-9DL{ zRI&R@@i|j+xin!+XP?fV-tK z-?ByLMfu-ci{{DL3TsMq9_$Kl{|@N4Y}Nm_IukT|wh@Rfu5;V!h2KA9%)(s}*> zYB6cf@yTh^l-; zf1Iuw`Mw2)eBianZWRRZ%zj&X0PvJ};Hkeg;7b1$)!1>RG^XO*)$wplp!;#Y-E#~r 
zfR2Z5ZG!ihWlOwnqs^0fiwO)RxCv06-tyoM@rHb4{#xYxpz`!g|5mRk<(cbQq?Gdq zWhSyuW1E;=>Y?d;`Mlh`DJpeew9P5A7U;Rp!g*swpfEMGj^l!sij^)6-Mq3plp2P;MLx)$Xs@nD?LNMBX_n>@wOZ=26e7Zt3B4$_Lfo-|_E$=yMDd=#6nxK~UrEZ#TlljS4GxUUnsTXufs z{2WKCN>ePqa(Pa7;W>QianqbuhmeEe{GM}s73EuiIU19*^ycfB7|8~75^tS%yA@3I z-(6f)4Od8<$1BHXHHwNOgm#8KLU+qP3iaXkgUK9uC!xpuk$qJspFZQqQ>ph(VZno6 zlbpS~GI0`K_M41KYI0<{RUxXgUBj^HIjUUtkf3P5VhxGa3xKsXnZTP{SFHO$XQwzz zGQNmNUBxTDaWP(<)_wZ5j@dS>S+2x6P$UsM;x_bk0#ue9bJ+31lC(XY#Kx(oRT}AKoJ}(a9Uw0Y0*xp#yA`6v3`hwoByFUEM_l?f_70GjdG~USiFH_Ci)cQzmQq`XiO^P2p-oNjJj*$*tG5bTzbFt#Vk~j* zrxa32l|EfB%m((dL_rhhC>?T&27?9eNYF6t1^-uf5ARm;zCga(>U4`@wYi6f zMO}{t1ilWuQzW00IDfDPEj;gL7k$!aRG^5Qm-S1bp-29!5 zVDa`q*_8rDdFbXWd{)|9KqNSf83wOj0v`%;3_s&{w`ZAxKO?lq6whvyoBKWUI9vQ$ zwyxTYeTQl+A#oH#KX4f!@|d^TK58D6ZYVi+52; zE)y(Eiw znjOIP+K>HKMNKxrW1x&B++(UPceuWaaW(AEi_oxzL)>nnjA9-&YhogEpJAxXPS?ut|Op zg9}C~ITdJ9T|vW%_HYv8^H2N6S!t;SO0UvNXO(<~Ol-R-?D+NB9$YzaF;cHlJ)O1_ z=3V-ws(lHPiaush$xY9U-sl}C|B{(~scTvBzOi5A_`7`^S@-Xsv%BREG z%!v-|poBKkeGUWF5X9qgn#;)ayHB z@wi%LOeca`sAaZ8&&XbV7V^3E=_0RgP=-2Ek^_F9sShFQ9ZN-gt>Yc0QC%qs?|tIq zc!78Oodcy~9pjf$_GgXyqn3rRbAbO-%X0m4#sUHTUk+LFH1=&4*>Ud#6gptwi#6Tw z!{4{Y_Pmc?dphOZSI9R4Q;Ub}F1k?67SCW|t&r7G9`Cx>lKWhlC4n`95@|0K%UxiU z?^5Sp9{(JvOW0}6GGd=G(Ssp!h23&;!ozOITKg*>}{QE z$9c+!opbJzm6E~ZSGwQgbv&mYn0*7spLv_ZegZ-Ay*y&_Iqko(!qc7?Lr6Pa`0|Y1 zfeag#7~+W?L@g!U73PXT9i_HO_V@%RI*Bw5aqD0!ExW>HC)4?~P_k_dqq5u3XM-OS zZay?l`5e5u(drZ~9g&Zk7gp?$dwN`3M7C2gahs3scWl2|4fln8fIFo0?Kha!aOk$N zL@qzgq=u9UauCw%FG)=b2L8zSLS6lEBP9!6^D}Yr8Rt7i{YL^X)mP!#kZwktlDCV? 
zZ2H0g(Dofign{_%d&VrwGIsPvetAAfT`(PvDD?~Qk-dw}?i(aCDx{F|`QmXpeK+*u z<$)GK=-aT_DyXZoK^zN`#Z0%ym(739`BLiP>%GtHEZ#e zb!mFpnepWU?p2F3Iucy{x>Wi{4M_MZ>2Rj&8*Gec4J*QQ1Y8#4=mts94xm&+7;}!- zH0&QM*-sr+UDnK@x^GF+9S2F$VRg~I5=dGQA^~{Or?aQ_PocgG6;F~B6z$M1H)|!m z)q&kMR7Iq4ZP2sHxbN^s36!I@kDjCM7a?3hs*8y{<>aT^WCgUHLscXNI(TTTl5aCMu>h2)V9+YOzNfWqi z@HVtYaw64o{4*b#Foi*Kl6bIzoPQJnhPN{U26IGfM&e1GN@JBP57@VF zAOVgP2>UPV;`ce|6?D|2#qfAJ-@1JnEBHc@_O2<-X!d9vyth`o;!{ zr7YZY%~=xloHt#s^0^b9O= zk$X?|*;idP)=Gk~0z+SD2L_J*(MBlcJoQOUZg;%QGE?!5IztWGRs)Ue_e3P5L>LQhqRK ztaqUOd?w$*5AYo`w8vka16|Q-^lDs&zYJ5P;1WTnr4jadpMmb<2#r!DjAqI#%T(R(ZKv_Gz03}WYc=CaAE36NNTE^(x!=_ z?fMi)c+r_~T+s5sU0H@#Pf?xO5Op*5rpX2h7^tmv2Z%9{TBuOiVhdTYRr)itVezRW zJDX1A@yNd6sbD0@g1%+|eYkZQ2l|R)GN>b)*CMWuo2sXVGPWlzg4*squiFw%dqU7p zt5qCH3>llcQ`cS`$T;UXe#FrFwwQE|DvB8XaBefT)r+`XuYV*&iyYHJJk(6yOHFXI z%xf}2#OBg`{b3c>EMYwD&PFA13B{JcgGDI8cS81USAbq|MAXvQK$%gHkS15tZC_HO zW$cV9C}X~!6 z#x#92xtz495R0?942!2QmPs*8&kZ(PGi&b8lxVc?*x`bsS-4q{9Fi9GjLaUq==YNP zPurZ{d%liz!5@%GXSI2>4h7`)D6f52nJ-MFWSukTGt_)>vVekuiCz9d_} z-2{LGwe&d9ab<)Y>t?&nri97#2`~~h*t=QcRT83 z-zBYs4DkptSN=AXI-e$`J!RIxa7d2(m7}b+&9#>F=J%@L28k4HUeqb#{JxBv;`Sbv zP2}TzFiI)=O0*a0m(c^4NyI~SIp>MIa~?s=mpc|Al4y!Sj(m*>h!{q`;Mx;aKdh^? zZ0CY9Dp%Il%pD=Qb`0Vb{AXBGScnzQ9yzcX$^sy5Qrm-2Us1v8d`ob5`-K%WKbNk& zPq2V5jP?Q@$uDKk&vNEx*#iMV{wRAOEWegLtpAs?$N9yA!zw3+_cw;dO_PmMa_TR& zH=_9Q6(WAn1$Cz6wI-3|%YGS^VxNXNhRgQ^2qc%R47j9)YtuY@{rpE!=-=+1Mw!r|TGVea^ zMQG%?n|k4`(=Z=3$BUun`Ilj$Xg>jQYqh247_(N0`K1a+8XGFfHAZc3V$f{iy(h!T zba~}yI@Ru9M>0A7QD4B^HlNR#G_Ycqv%Z?%b%cq%*MQO50W9F4tCU;$1Ws>IxH`%( zmHzofi4!dgjxEKgTI>cuFQzEDhlqIH1z9>7K!sn0IPchXnNq1i+q{I_TzAOHw!CG- z>y6H3ce?_2&HTj%V{PtEO+CYUhjC$g>ex$Mq%@j-dFF1LG9)+~(Mlve2_#)_l4>^N zjCb8*(vG?;h?oPJBvNRVMW}b3py8G)fu0@GXXG8wSc$EtT;iom6n-6EM{v5Le}`4! 
z6(9rif|&?67#95%A-nRsE=K^r)$?JgwEho?44=#xPzrF|`EC$JS~4U78lO86U0H(z zpf^9Vhec41PA?q3sQh?TL=+kfI{}{@bwbbhy73;IRo<&npruHJy)&C{?cEv1#%bv; ze*$xGGqtSi`c$(spYlw2vV{}{VFFKZVT7FU+>GTTfkHMiwv1gkOr4agr6HKW)f)@d z1HJ3u=`-}H0k_!#XYGtR#-l>K)y5HTLdYheY_$(rW7quEgXL^w);HwAXwR~z*DmYM zQf^c%EE#2^w8=L69`*fdQZ2mBpI*C}(Y6Ydtod0rF>m;D0y1Q6J(wNS847W2s*h@1 z&vw&?uc^FD{;tLnqM6K7mzV5eKwsJq7*y~*M2TW~|o zlI2w;8mJ#@;_MniNZ^n3Xp!a=9v?Tkkh(=a$(-JW`jcy5Od{TC5Ux zze`uYr*)2yod-IsB(=`U!*fQj8ed| z=>Ki*V@%}(kv{!Q+GbD>>@+c+@f6)`*u52s>Rpbdlc`t3)ke|g+?)cY4^ogunvKD0 zhl1_c10UGi!LvrN2dB&J=gplApXu+BV+vG;Yg4}ljUU0_N6_HnWc?#%{6TuWji%~u zX983-G&2FpnHXCb3fsDoYyVg^v4bJx99$4x08rW1>G5tFIp~qg!NkUi{71Y|ek7YX z+B!SDG;w?sqUd1zQpLnc8~AwXjU1?I;^y?&PTcm98T=df&Bz^M9fGCpbUc?%&`j7+G7` zJO5^lpJ5UJ{1*g&Qp0d_qkJwm#+mQPgY(KyLF7AI}`v-mhDMUUdBV*^6CJxWVR20c2%xxW=9A7$E z*g27NGK1OZ9`n%S-D)QbTN}~GtoB@#8v+7xfjB{|5HJf1E9CLJoUQRcf8yu=Jpj2m zn3w`UaR2wjvpHP3l02Z6o03IxHuj|=3n_hoWJscS-F1U14GzajHCFDRA3lEb=|091a&TJoxtRLBq94KXDYD@kz^8tWTqU74o@Adi@ rT=w}7BfhuF5ILFG)BQ@({gH.conf +View specific global configuration file. +.TP +.I ./dnssec.conf +Local configuration file (additionally used in +.B \-l +mode). + +.SH AUTHORS +Holger Zuleger + +.SH COPYRIGHT +Copyright (c) 2005 \- 2010 by Holger Zuleger. +Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or +FITNESS FOR A PARTICULAR PURPOSE. +.\"-------------------------------------------------- +.SH SEE ALSO +dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), zkt-ls(8), zkt-keyman(8), +.br +RFC4641 +"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman, +.br +DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC +.br +(http://www.nlnetlabs.nl/dnssec_howto/) diff --git a/contrib/zkt/man/zkt-conf.8.html b/contrib/zkt/man/zkt-conf.8.html new file mode 100644 index 0000000000..9b188078ba --- /dev/null +++ b/contrib/zkt/man/zkt-conf.8.html @@ -0,0 +1,312 @@ + + + + + + + + + +zkt-conf + + + + +

zkt-conf

+ +NAME
+SYNOPSYS
+DESCRIPTION
+COMMAND OPTIONS
+OPTIONS
+SAMPLE USAGE
+ENVIRONMENT VARIABLES
+FILES
+AUTHORS
+COPYRIGHT
+SEE ALSO
+ +
+ + +

NAME + +

+ + +

zkt-conf +— Secure DNS zone key config tool

+ +

SYNOPSYS + +

+ + + +

zkt-conf +[−V name] [−w] +−d [−O optstr]
+zkt-conf
[−V name] [−w] +[−s] [−c file] +[−O optstr]
+zkt-conf
[−V name] [−w] +−l [−a] [−c +file] [−O optstr]

+ + +

zkt-conf +[−c file] [−w] +zonefile

+ +

DESCRIPTION + +

+ + +

The +zkt-conf command helps to create and show a config +file for use by the Zone Key Tool commands, which are +currently zkt-ls(8) , zkt-keyman(8) , and +zkt-signer(8).

+ +

In general, the +ZKT commands uses up to three consequitive sources for +config parameter settings:

+ +

a) The build-in +default parameters

+ +

b) The side +wide config file or the file specified with option -c +overloads the built-in vars. The file is +/var/named/dnssec.conf or the one set by the +environment variable ZKT_CONFFILE.

+ +

c) The local +config file dnssec.conf in the current zone directory +also overloads the parameter read so far.

+ +

Because of the +overload feature, none of the config files has to have a +complete parameter set. Typically the local config file will +have only those parameters which are different from the +global or built-in ones.

+ +

The default +operation of zkt-conf(8) is to print the site wide +config file (same as option −s). Option +−d will print out the built-in defaults while +−l print those local parameters which are +different to the global ones. In the last case +−a gives the fully (−−all) +parameter list.

+ +

In all forms of +the command, the parameters are changeable via option +−O (−−config-option).

+ +

With option +−w (−−write) the confg +parameters are written back to the config file. This is +useful in case of an ZKT upgrade or if one or more +parameters are changed by option −O.

+ +

Option +−t checks some of the parameter for reasonable +values.

+ +

Which config +file is shown (or modified or checked) is determined by an +option. −d means the built-in defaults, option +−l is for the local config file and +−s specifies the site wide config file. Option +−s is the default.

+ +

In the last +form of the command, the maximum TTL value of all the +resource records of zonefile is calculated and print +on stdout. Additional, the zonefile is checked if the key +database (dnskey.db) is included in the zone file. If +option −w is set, than the INCLUDE directive +will be added to the zone file if necessary, and the maximum +ttl value is written to a local config file.

+ +

COMMAND OPTIONS + +

+ + + +

−h, +−−help

+ +

Print out the online help.

+ +

−d, +−−built-in-defaults

+ +

List all the built-in default +parameter.

+ +

−s, +−−sitecfg

+ +

List all site wide config +parameter (this is the default).

+ +

−l, +−−localcfg

+ +

List local config parameter +which are different to the site wide config parameter. With +otion −a (−−all) all config +parameters will be shown.

+ +

OPTIONS + +

+ + + +

−V +view, −−view=view

+ +

Try to read the default +configuration out of a file named +dnssec-<view>.conf . Instead of specifying the +−V or −−view option every +time, it is also possible to create a hard or softlink to +the executable file and name it like +zkt-conf-<view> .

+ +

−c file, +−−config=file

+ +

Read all parameter from the +specified config file. Otherwise the default config file is +read or build in defaults will be used.

+ +

−O +optstr, +−−config-option=optstr

+ +

Set any config file parameter +via the commandline. Several config file options could be +specified at the argument string but have to be delimited by +semicolon (or newline).

+ +

−a, +−−all

+ +

In case of showing the local +config file parameter (−l) this prints all +parameter, not just the ones different to the site wide or +built-in defaults.

+ +

SAMPLE USAGE + +

+ + +

zkt-conf +−d

+ +

Print the built-in default +config pars.

+ +

zkt-conf −d +−w

+ +

Write all the built-in defaults +into the site wide config file.

+ +

zkt-conf −s −O +"SerialFormat: Incremental; Zonedir: +/var/named/zones"
+−w

+ +

Change two parameters in the +site wide dnssec.conf file.

+ +

zkt-conf −w +zone.db

+ +

Add $INCLUDE dnskey.db +to the zone file and set the maximum ttl paramter in the +local config file to the maximum ttl fond in any RR of +zone.db.

+ +

ENVIRONMENT VARIABLES + +

+ + + +

ZKT_CONFFILE

+ +

Specifies the name of the +default global configuration files.

+ +

FILES + +

+ + + +

/var/named/dnssec.conf

+ +

Default global configuration +file. The name of the default global config file is settable +via the environment variable ZKT_CONFFILE.

+ + +

/var/named/dnssec-<view>.conf

+ +

View specific global +configuration file.

+ +

./dnssec.conf

+ +

Local configuration file +(additionally used in −l mode).

+ +

AUTHORS + +

+ + +

Holger +Zuleger

+ +

COPYRIGHT + +

+ + +

Copyright (c) +2005 − 2010 by Holger Zuleger. Licensed under the BSD +Licences. There is NO warranty; not even for MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE.

+ +

SEE ALSO + +

+ + + +

dnssec-keygen(8), +dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), +zkt-ls(8), zkt-keyman(8),
+RFC4641 "DNSSEC Operational Practices" by Miek +Gieben and Olaf Kolkman,
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+ (http://www.nlnetlabs.nl/dnssec_howto/)

+
+ + diff --git a/contrib/zkt/man/zkt-conf.8.org b/contrib/zkt/man/zkt-conf.8.org new file mode 100644 index 0000000000..617f10ebd4 --- /dev/null +++ b/contrib/zkt/man/zkt-conf.8.org 
@@ -0,0 +1,227 @@
+.TH zkt-conf 8 "February 22, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt-conf \(em Secure DNS zone key config tool
+
+.SH SYNOPSYS
+.na
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.B \-d|\-\-default
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.RB [ \-s ]
+.RB [ \-c|\-\-config
+.IR "file" ]
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.B \-l|\-\-local
+.RB [ \-c|\-\-config
+.IR "file" ]
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+
+.B zkt-conf
+.RB [ \-c
+.IR "file" ]
+.RB [ \-w|\-\-write ]
+.I "zonefile"
+
+.br
+.ad
+
+.SH DESCRIPTION
+The
+.I zkt-conf
+command helps to create and show a config file for use by
+the Zone Key Tool commands, which are currently
+.I dnssec-zkt(8)
+and
+.IR zkt-signer(8) .
+.PP
+In general, the ZKT commands uses three sources for the config parameters:
+.HP 3
+a)
+The build-in default parameters
+.HP 3
+b)
+The side wide config file or the file specified with option -c
+will overload the built-in vars.
+The site wide config file is the file
+.I /var/named/dnssec.conf
+or the one set by the environment variable ZKT_CONF.
+.HP 3
+c)
+The local config file
+.I dnssec.conf
+in the current zone directory will also overload the parameters read so far.
+.PP
+Because of this overloading feature, none of the config files has to have
+a complete parameter set.
+Typically the local config file will have only those parameters which are
+different from the global or built-in ones.
+.PP
+The default operation of
+.I zkt-conf(8)
+is to print the site wide config file (same as option
+.BR \-s ).
+Option
+.B \-d
+will print out the built-in defaults while
+.B \-l
+just print the local config parameters which are different to the global ones.
+In the last case
+.B \-a
+gives the complete
+.RB ( \-\-all )
+parameter list.
+.PP
+In all forms of the command, the parameters are changeable via option
+.B \-O
+.RB ( \-\-config-option ).
+.PP
+With option
+.B \-w
+.RB ( \-\-write )
+the parameters will be written back to the config file.
+This is useful in case of an ZKT upgrade or if one or more parameters are changed
+by option
+.BR \-O .
+.PP
+Option
+.B \-t
+checks some of the parameter for reasonable values.
+.PP
+If the option
+.B \-t
+is given, all config parameters are checked against reasonable values.
+.PP
+Which config file is shown (or modified or checked) is determined by option
+.B \-d
+which means the built-in defaults, option
+.B \-l
+which means the local config file or
+.B \-s
+which specifies the site wide config file.
+Option
+.B \-s
+is the default.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-.conf .
+Instead of specifying the \-V or \-\-view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like
+.I zkt-conf- .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read all parameter from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file parameter via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-a ", " \-\-all
+In case of showing the local config file parameter
+.RI ( \-l )
+print all parameter, not just the ones different o the site wide or built-in defaults.
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BR \-d ", " \-\-built-in-defaults
+List all the built-in default paremeter.
+.TP
+.BR \-s ", " \-\-sidecfg
+List all side wide config parameters (this is the default).
+.TP
+.BR \-l ", " \-\-localconf
+List all local config parameters which are different to the site-wide config
+parameters.
+With otion
+.B \-a
+.RB ( \-\-all )
+all config parameters will be shown.
+
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt-conf \-d
+.fam T
+Print the built-in default config pars.
+.TP
+.fam C
+.B "zkt-conf \-d \-w
+.fam T
+Write all the built-in defaults into the site wide config file.
+.TP
+.fam C
+.B "zkt-conf \-s \-\--option "SerialFormat: unixtime; Zonedir: /var/named/zones" "\-w
+.fam T
+Change two parameters in the site wide dnssec.conf file.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (additionallx used in
+.B \-l
+mode).
+
+.SH BUGS
+.PP
+Some of the general options will not be meaningful in all of the command modes.
+.PP
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), dnssec-zkt(8),
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
diff --git a/contrib/zkt/man/zkt-conf.8.pdf b/contrib/zkt/man/zkt-conf.8.pdf new file mode 100644 index 0000000000000000000000000000000000000000..2ae54ed06d29954d6109d1af36f1f78e412fe66e GIT binary patch literal 7672 zcmch6c|4SD*tW47yDVjE6oqJJFk@e`k3CCd7lSEg7$aNuEy}(x*&<{qOSY6PB$2Ib zkw|16LU!-)Y&}oU^ZnlMpLhOY&ilO1>$s0|xsSPSK0ResVd!NMAYbQFOdb#hf`BkL zZUSXwz*i{p< zLJ-J+YX`BVpB@PHT3z-h0#6x`lk?5F3`t2}Z}bmdmAY7`7RuIc*Dm3=5~XwD=v<0d z0|vXkyC1)AYAm_)@oWz9fU+!S-|QIUYzs0^jx;j6kt#ORugvpvG^kBdPY^Y>-~`S;>6`*k;cyhm z<<3No%RcHK#pdLcc`{L7$)!TH;qFRX&N^srL~T#kCq3}K*avDk6MU(g9|pkNHiigG z73rd*E7lz7?8_3&@Z(33Zbv6}x7DcE@&ek4D+{_x%I|P0omN^5y^vuHY^!_^T*TF{ z%c>$di>&-D{Y;OjEPnKt5S^ZU?|tYv5rtx?XD2(lUxBz*yqZoGl*$XwA4n3(nq;jt znl!1H6C$H2c`u{E!YmV@6URTT7(g1yB`;O-+L;a>ziwDKQ}|4UVUW~+!iEPoeu1KH z;c-vX(!KK2eD{@FTPt2Ze}`C%XX%5a&p-D~2yzt)Gfe8R7$A!B@KPFUT#Q_(ISAfL zw~-Vmw0(Ci=CmBja*C+O(#~l7tAH#oHPw(qiD|*=&HnSjJ=8lQJ(6BbIk;B66fofH{a;YV;xW7eiJ%k&%VC!ft-!5En5jjFk!@?Vkq~A~wB2glrYV>7p6_#xW7B2QNHwg=hJ-3uE@c+#jxKDRtf)cb~zUJTI`1^jf5W!&Xu zaYlT;E039^bI}xm)vtOoN=J&&%{VmH2%GU}Qs54zdzU;jsCOVUfXh|_FwmE-6S%{^ zouK+zA#UN$5>s2?%c*pdMQMrAzLg}6Ld6EC+Mn|eOB;Y|sTarmf?hdnC zc?oF_v(8ljR?$(+-F)*Uhdyi$F3gIu0+fl+R_F7;<)AGB_YQ1*h>O@(GPXn&ZUDZq z%bKcMhlcWOa?W`wRw1oSZr*%esm~Gu22A?dZLgLNFeqFNwSf%sBgW&zP~V}w3V9VA z=ez^Ye0D;|qdPTt@>KGC;tr-qNA74#s!`A|wZ=dHd^dPakb+^J#7WLa5E4<_mh z^cv>MQ#_QoBkB{Z!ouI=Ek{uDvakel_JalaC4fn9%iRr&nTNim{xB1ktVOtIlt_A7 z@qQO(qyW9U$dN+kQSHi=1F;OtGGr?c3qLK*^QEY!5y_re9?zhZJ2_GC*vZ)lE~=+>P8 zc#+lEma~3?>&n;Wmw8+ht8#7;&rGoSDVJ zcL0vBL6I>%Y^UY)f>c))l5Xh`kGc=`3UgnHGI_py#mKcqX|9k}{UCja`xJ>cDb*FF zTV6Fwr?u>Sp5uF}l1Tfh8LcBpg=rocQ;X&##gkLIM*^50nf=h}_J_^Jwm4ATN!hO& zS@y7d;YWeoBPo5Jqg=*oqg8b_8TvB1jp)*L>B@C)~OpuH2o>l)Nk zAl7k(z3a41v&niAvz9sIBuwcm-TA={9UK{!FAVdSMfxDP`bhk}%mA>Z{q?|{jIt(q zP9G)l`-%d@HMVe_m2VoPGoj?Dec>1d*jvT#p4Qy{yrcLJsv4re%&vS*bS#v1k0Zpo zB`Vi*Le)WM!^d{T?BN>np7?2YF@q?|3eV}O0Wg-lJS7+qzOH&&5%#n*CxAlms;5?) 
zr6H>R9Ye~Syy9EFEK@b7JML9Qp(cvqA-Tv)UiR>gt#dSsoY&52ndH5bl=k0T0YCY) zvA1C2_?asm|F)N|LbR$$rj9@Ny7emj-Nu@b3rhn)?lmOek1jn{y`LV|9NjjCdR_8n zu+cf;t1GA;?-%QH!KbiGp^xfQ*_(sO#3<9UMGaA&r*0L`KzBrQTZ--8SShW;*&ah9 zO+hXmxw{L~2YV@VPr5=I3}g>OKM!tM_qkqV*S$#UG)py^p<@{$c}a$1D7;_wsxhAy zkNbqiMYb9H?(A&YcP?|l{cmiDPiUb_AZ3__cXf1~*E3IwykY$`_)OKj^%}Hs;cH_< zS+iQ<;E=N2Y=^kheXU3{djznej+@%BYcI4ekh}az)_qn1h+gaz`a*XOpA3?>G z<)tF;f`l$v4fV{ueHtC`o}`5FV)xXWPG{9I&GOZo`*WAkU9si$@3mxe6Db0o?Iu$c z_1sh~nhbw4sSw27HhcMtLg?2=XN;tr<~7x2?k=^D?>`zP>0#{ErTURtILU&KtS(_z zYMLz7J*4qJq`i1p>Vrhv{VszE{~b%`W5ImvSqov{7LBiF~6M)is+ zO5$-l4|n(X#Ri4j(v?r6gbsBN%$+G%cS(=LgFjK!cm@x}yl3^jOTNkm@MkEazy?PV z2N5q!#pXFmyAad+T#no#nR(agT_?D{`G9dUt>{O}nFI1LMMy|-r?aG74r_c}wZxs=OgEz_j$>1p_!oX3(GS1Z}C;F{34 zk>-Ue(UBHWk+8`A;rqEVla>vas3LN)50h#M>SVI=sZzdXZB6{Vyo?4F?`&!Z6w*(7NlfrYr zWdrRd_v>h32lw97aP?%nq6Xz-FJFQ89(6%TEDBJY2U2$uL}_4 zGMr`U9&k1#*}60kA%he8-1DC&aF*TRmveM@uf((O#%cScf$~kH5m;MTXyyL-PgHfY zb?oKfH0A7>hJy}TcAlJH&9zyOZWkqvfo$JLkP6MP%91pQ+u~wSCrKqw_v}1w79ud9$M@ z-E1Z@Tzgw+qFQm)NZcr%r!lInr`}g_i8IPFxq|N?%}6&`l02O~?2P5e45RxiHtBX&!PBdP-H-EA6@okZld?B@m-V{A!#<<_|XeKx1z zQdwMD*@{m#?gXE`I5^xF7ano8=0ZWa-nTh!_;kq)rq=Q87~FG`sH>NlriAhp$8rU( z4%BF0sov5|r_fAs8UD}^pwt|_l#;$@V~TIJzhmOEFsBY-;&z-c7(T#xOYqXZ z3*-*D6j2;z(2kPev?jl|@ZqkmY8?-i(~^?MTxl+&|E>ED;t8Qt8N$QZsGX(no~*eX z2|l_!OAp)aHf*FUxzB$1y4(G(|EPDa>fXIBoDk(RgC@<PD0 zS~t8lEXt(3cVr_MoZTp+UjV=ijJ4}TyfkHT`Sf&REiPiXuc^(xp{k+~vX$JaKf)mK ziEml1!0@4QE0OHtP*HMefTg4+{~10b%G7Y*FGaIYKjK)_?Pydb8z#61@2bdz5J7%qG(An)Kyb zPEm{y`HpXfbKtGbhklGgHm`L2FjV608RjL?9p|sR!#c#9UT)HxP}zM7^0s8DZT)=u zdgrC7Q=~AH$cFTuIL9{YQ>O;1$3%J;+jP&JFDEODAMm4peFd0cDn^DE4t8^ zZOr?H{p#qBHJJ$hyQiz4WV*@)KJ&)Vj`=n_sR+MWrnMVPJssVA4XNNhN{h6iFjOdm zwZmZT7YPRK-Y10*$r>6g&3jU2Fzb&fXd`ZGjGIJvI*M8JTJ@AX{?U0zk$U;kI`_fy zH>Wo28gz|D;F3{8m)9u+-ENud#a3kX);l}>GxT*MQ{C5#ui+`Kzu%d8%?C1{^Py{5 z5}*}R^6M+U-`-xo82r}%hii>_^t=B3h^|Ts);hr%BU(ygSBlhw%u2Nl0pt%Mw)GoX z?YB0nx}-1g1zxp_aT!S4Z&uj$7@S|N4XgB)#C$kla&HPGhwS3L6UuuZqNAj*+)K2u 
zaM6BqFrT?-W|)1CHK7EW{vf+V?n=%giLZj09**uyjFVFu5ed_F2ibG5hpU%DNM=MO z^Pag*Hti#-ANHKIha^Xb#Qs~Kj($;NCo=0qj)}s={*+_lzsfO*|BW0o((OjKLKqrX zjhFh9+2v13uP_#u4P_PG5xl|@LPQ+TJpCrm$|?g}toqOwW$*EhKUF!-HO85q*ow)+ zh1@G+O14_IR|fBq!Qn^kPaJVA*FF6`oiF{^wNk-;HIRI#UiHjVXY~oaedDYCM9xpu zH#kgU!4%@isB{ z+`V*ReVuH_^E-c9PN>)$_Vtft;7=vpEJ@x9eED_XG#;k9U49W4qC8iXCG+-_A7B-) zy!b0^$8?;~29@}OwPV40Y$BWu8+y4Q!Fo0hNU%224rQZ=@dTMc2$x}!Fpz|phy@U= zkHHa6ia`*97Z!=efsO^RKEaH1!?>r8^{cJ^78`-J!VlK2t7IF2U>s#0o{+Y^)u0b=b7MQ zgR^nMIQ$Xtx6J;OnB(OAo)~>`;0Z3UJ`@6k9#@DySYHx&f*-6e0X%8CpO*gg`r-d~ z>2b_|?D|*WpZZd)o($2zbw%HAGHsChz>n*pJs5@4jWosF9#5Gn=%+oOO`aZ#`{3hnM@ z@mH`DW_}O$Cq6bw9Xl24E-Pn#s1fb$P_#{@qVR68Z}kn5fvVSVSa#!2*+n6Z+!s@nE9xU;PLi|I-itZ+nQre!&bUB;=R1 z;xIy2{e54!gyc_aaabFa6B0{!x`Mz4C~qVo=ODsU6hn9#9*<2B7=gCOfKHkW2u3J_ v%=jVDn +.RB [ \-V|--view +.IR "view" ] +.RB [ \-c +.IR "file" ] +.RB [ \-krpz ] +.RI [{ keyfile | dir } +.RI "" ... ] +.br +.B zkt\-keyman +.BR \-\-create=