4252. [func] Add support for automating the generation of CDS and

CDNSKEY rrsets to named and dnssec-signzone.
                        [RT #40424]
Mark Andrews 2015-11-05 12:09:48 +11:00
parent 2b39e7bde9
commit e939674d53
31 changed files with 1622 additions and 901 deletions


@ -1,3 +1,7 @@
4252. [func] Add support for automating the generation CDS and
CDNSKEY rrsets to named and dnssec-signzone.
[RT #40424]
4251. [bug] NTAs were deleted when the server was reconfigured
or reloaded. [RT #41058]


@ -96,85 +96,85 @@
<variablelist>
<varlistentry>
<term>-1</term>
<listitem>
<para>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</para>
</listitem>
<term>-1</term>
<listitem>
<para>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-2</term>
<listitem>
<para>
Use SHA-256 as the digest algorithm.
</para>
</listitem>
<term>-2</term>
<listitem>
<para>
Use SHA-256 as the digest algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records. This is mutually
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records.
</para>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files (or, in keyset mode,
<filename>keyset-</filename> files) in
<option>directory</option>.
</para>
</listitem>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files (or, in keyset mode,
<filename>keyset-</filename> files) in
<option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command>
command as input, as in:
</para>
<para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para>
</listitem>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command>
command as input, as in:
</para>
<para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -189,64 +189,64 @@
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</para>
</listitem>
<term>-s</term>
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</para>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints usage information.
</para>
</listitem>
<term>-h</term>
<listitem>
<para>
Prints usage information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
@ -292,10 +292,10 @@
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>,


@ -68,6 +68,9 @@ static isc_boolean_t setpub = ISC_FALSE, setdel = ISC_FALSE;
static isc_boolean_t setttl = ISC_FALSE;
static isc_stdtime_t pub = 0, del = 0;
static dns_ttl_t ttl = 0;
static isc_stdtime_t syncadd = 0, syncdel = 0;
static isc_boolean_t setsyncadd = ISC_FALSE;
static isc_boolean_t setsyncdel = ISC_FALSE;
static isc_result_t
initname(char *setname) {
@ -236,6 +239,11 @@ emit(const char *dir, dns_rdata_t *rdata) {
dst_key_settime(key, DST_TIME_PUBLISH, pub);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
if (setttl)
dst_key_setttl(key, ttl);
@ -278,8 +286,12 @@ usage(void) {
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY publication date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY deletion date\n");
exit (-1);
}
@ -318,6 +330,18 @@ main(int argc, char **argv) {
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncdel)
fatal("-D sync specified more than "
"once");
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel)
fatal("-D specified more than once");
@ -334,6 +358,18 @@ main(int argc, char **argv) {
setttl = ISC_TRUE;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncadd)
fatal("-P sync specified more than "
"once");
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
break;
}
/* -Pdnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setpub)
fatal("-P specified more than once");


@ -20,6 +20,7 @@
<date>2014-02-20</date>
</info>
<refentryinfo>
<date>August 21, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
@ -50,7 +51,9 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
@ -62,7 +65,9 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
@ -97,68 +102,68 @@
<variablelist>
<varlistentry>
<term>-f <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
Zone file mode: instead of a public keyfile name, the argument
<listitem>
<para>
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the domain name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input.
</para>
</listitem>
from <option>file</option>. If the domain name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</listitem>
</varlistentry>
</variablelist>
@ -180,25 +185,45 @@
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</para>
</listitem>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</para>
</listitem>
</varlistentry>
</variablelist>
@ -217,10 +242,10 @@
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.


@ -104,10 +104,14 @@ usage(void) {
fprintf(stderr, " -V: print version information\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -P sync date/[+-]offset: set CDS and CDNSKEY "
"publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset: set CDS and CDNSKEY "
"deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
" all dates\n");
@ -171,6 +175,9 @@ main(int argc, char **argv) {
isc_boolean_t avoid_collisions = ISC_TRUE;
isc_boolean_t exact;
unsigned char c;
isc_stdtime_t syncadd = 0, syncdel = 0;
isc_boolean_t unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE;
isc_boolean_t unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE;
if (argc == 1)
usage();
@ -255,6 +262,19 @@ main(int argc, char **argv) {
genonly = ISC_TRUE;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncadd || setsyncadd)
fatal("-P sync specified more than "
"once");
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
unsetsyncadd = !setsyncadd;
break;
}
/* -Pdnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub)
fatal("-P specified more than once");
@ -287,6 +307,19 @@ main(int argc, char **argv) {
unsetinact = !setinact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncdel || setsyncdel)
fatal("-D sync specified more than "
"once");
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
unsetsyncdel = !setsyncdel;
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel || unsetdel)
fatal("-D specified more than once");
@ -621,10 +654,16 @@ main(int argc, char **argv) {
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, delete);
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
} else {
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetinact || unsetdel || genonly)
unsetrev || unsetinact || unsetdel || genonly ||
setsyncadd || setsyncdel)
fatal("cannot use -C together with "
"-P, -A, -R, -I, -D, or -G options");
/*
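Review bot: The `-C` compatibility guard now rejects `setsyncadd || setsyncdel` but not `unsetsyncadd` / `unsetsyncdel`, whereas the same condition does reject `unsetpub`, `unsetact`, `unsetrev`, `unsetinact` and `unsetdel`; because the new `-P sync` / `-D sync` branches set `unsetsyncadd = !setsyncadd;` (and the `-D` counterpart), `-C -P sync none` is silently accepted where `-C -P none` is fatal. Extend the last line of the condition to `setsyncadd || setsyncdel || unsetsyncadd || unsetsyncdel)` so the sync timing options are handled like the other timing options. The fatal message `"-P, -A, -R, -I, -D, or -G options"` still reads correctly since `sync` is a sub-form of -P and -D. The enclosing if/else in main() starts before this hunk and continues past it.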


@ -20,6 +20,7 @@
<date>2014-02-27</date>
</info>
<refentryinfo>
<date>August 27, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
@ -57,6 +58,7 @@
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
@ -67,6 +69,7 @@
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
@ -100,113 +103,113 @@
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</para>
<para>
Note 2: DH automatically sets the -k flag.
</para>
</listitem>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</para>
<para>
Note 2: DH automatically sets the -k flag.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</para>
</listitem>
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label for a key pair in the crypto hardware.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<replaceable>keylabel</replaceable>".
</para>
<para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</para>
<para>
If the label contains a
<option>pin-source</option> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</para>
</listitem>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label for a key pair in the crypto hardware.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<replaceable>keylabel</replaceable>".
</para>
<para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</para>
<para>
If the label contains a
<option>pin-source</option> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</para>
</listitem>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keyfromlabel</command>
will include the key's creation date in the metadata stored
@ -214,150 +217,150 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keyfromlabel</command>.
</para>
</listitem>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keyfromlabel</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Generate a key as an explicit successor to an existing key.
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</listitem>
</varlistentry>
<varlistentry>
<term>-y</term>
<listitem>
<para>
Allows DNSSEC key files to be generated even if the key ID
<term>-y</term>
<listitem>
<para>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</para>
</listitem>
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</para>
</listitem>
</varlistentry>
</variablelist>
@ -380,60 +383,80 @@
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -477,18 +500,18 @@
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the algorithm.
</para>
<para><filename>aaa</filename> is the numeric representation
of the algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keyfromlabel</command>
@ -515,10 +538,10 @@
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4034</citetitle>,


@ -153,13 +153,18 @@ usage(void) {
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set key publication date "
"(default: now)\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set CDS and CDNSKEY "
"publication date\n");
fprintf(stderr, " -A date/[+-]offset/none: set key activation date "
"(default: now)\n");
fprintf(stderr, " -R date/[+-]offset/none: set key "
"revocation date\n");
"revocation date\n");
fprintf(stderr, " -I date/[+-]offset/none: set key "
"inactivation date\n");
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set key deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set CDS and CDNSKEY "
"deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
"all dates\n");
@ -254,6 +259,9 @@ main(int argc, char **argv) {
isc_boolean_t quiet = ISC_FALSE;
isc_boolean_t show_progress = ISC_FALSE;
unsigned char c;
isc_stdtime_t syncadd = 0, syncdel = 0;
isc_boolean_t setsyncadd = ISC_FALSE;
isc_boolean_t setsyncdel = ISC_FALSE;
if (argc == 1)
usage();
@ -409,6 +417,17 @@ main(int argc, char **argv) {
genonly = ISC_TRUE;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncadd)
fatal("-P sync specified more than "
"once");
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
break;
}
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub)
fatal("-P specified more than once");
@ -441,6 +460,17 @@ main(int argc, char **argv) {
unsetinact = !setinact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (setsyncdel)
fatal("-D sync specified more than "
"once");
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
break;
}
(void)isoptarg("dnskey", argv, usage);
if (setdel || unsetdel)
fatal("-D specified more than once");
@ -973,10 +1003,20 @@ main(int argc, char **argv) {
program);
dst_key_settime(key, DST_TIME_DELETE, delete);
}
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH,
syncadd);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE,
syncdel);
} else {
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetinact || unsetdel || genonly)
unsetrev || unsetinact || unsetdel || genonly ||
setsyncadd || setsyncdel)
fatal("cannot use -C together with "
"-P, -A, -R, -I, -D, or -G options");
/*
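Review bot: The new `-P sync` and `-D sync` branches in main() accept `none` according to the usage text (`-P sync date/[+-]offset/none`) but never record an unset request: unlike the plain timing options visible just below the `-D` hunk (`unsetinact = !setinact;`), there is no `unsetsyncadd`/`unsetsyncdel`, so if strtotime() clears the flag for `none` the argument is silently ignored rather than honoured or rejected. It also means the "specified more than once" guard cannot fire when the first occurrence was `none`, since `setsyncadd` stays false. Either drop `/none` from the two usage strings or track the unset like the other options, `unsetsyncadd = !setsyncadd;` after the strtotime call (and likewise for syncdel), with a matching unset where DST_TIME_SYNCPUBLISH / DST_TIME_SYNCDELETE are applied. usage() and main() both start and end outside these hunks.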


@ -21,6 +21,7 @@
<date>2014-02-06</date>
</info>
<refentryinfo>
<date>August 21, 2015</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
@ -70,6 +71,7 @@
<arg choice="opt" rep="norepeat"><option>-C</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
@ -78,9 +80,10 @@
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
@ -88,8 +91,8 @@
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="req" rep="norepeat">name</arg>
</cmdsynopsis>
@ -115,94 +118,94 @@
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</para>
<para>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</para>
</listitem>
</para>
<para>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</para>
<para>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <option>-f KSK</option>). However, if an
algorithm is explicitly specified with the <option>-a</option>,
then there is no default key size, and the <option>-b</option>
must be used.
</para>
</listitem>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</para>
<para>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <option>-f KSK</option>). However, if an
algorithm is explicitly specified with the <option>-a</option>,
then there is no default key size, and the <option>-b</option>
must be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keygen</command>
will include the key's creation date in the metadata stored
@ -210,231 +213,231 @@
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use, when applicable.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the cryptographic hardware to use, when applicable.
</para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para>
</listitem>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para>
</listitem>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Deprecated in favor of -T KEY.
</para>
</listitem>
<term>-k</term>
<listitem>
<para>
Deprecated in favor of -T KEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <literal>0</literal>
or <literal>none</literal> is the same as leaving it unset.
</para>
</listitem>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <literal>0</literal>
or <literal>none</literal> is the same as leaving it unset.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<command>dnssec-keygen</command> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <filename>stderr</filename> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</para>
</listitem>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<command>dnssec-keygen</command> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <filename>stderr</filename> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</para>
</listitem>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para>
</listitem>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">rrtype</replaceable></term>
<listitem>
<para>
Specifies the resource record type to use for the key.
<option>rrtype</option> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
<para>
</para>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</para>
</listitem>
<term>-T <replaceable class="parameter">rrtype</replaceable></term>
<listitem>
<para>
Specifies the resource record type to use for the key.
<option>rrtype</option> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
<para>
</para>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</listitem>
</varlistentry>
</variablelist>
@ -457,62 +460,82 @@
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</para>
</listitem>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -557,19 +580,19 @@
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the
algorithm.
</para>
<para><filename>aaa</filename> is the numeric representation
of the
algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keygen</command>
@ -624,7 +647,7 @@
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
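Review bot: The `-T` entry still contains a `<para>`/`</para>` pair opened inside the surrounding `<para>` (right after "overridden to KEY for use with SIG(0)."), which is not valid DocBook because para cannot nest; this commit only re-indents those lines. The intended paragraph break is `</para>` followed by `<para>`, so that "Using any TSIG algorithm (HMAC-* or DH) forces this option to KEY." becomes its own paragraph. Separately, the new `-P sync` and `-D sync` entries document only "date/offset" while the usage() text for dnssec-keygen.c in this same commit advertises `date/[+-]offset/none`; the manual and the tool should agree on whether `none` is accepted. It would also help readers to say what acts on these dates — per the commit message, named and dnssec-signzone when generating CDS and CDNSKEY RRsets — e.g. `Sets the date on which named and dnssec-signzone begin publishing the CDS and CDNSKEY records that match this key.`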


@ -78,6 +78,8 @@ usage(void) {
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -P sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY publication date\n");
fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
@ -86,9 +88,11 @@ usage(void) {
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, " -D sync date/[+-]offset/none: set/unset "
"CDS and CDNSKEY deletion date\n");
fprintf(stderr, "Printing options:\n");
fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time "
"value or values\n");
fprintf(stderr, " -p C/P/Psync/A/R/I/D/Dsync/all: print a "
"particular time value or values\n");
fprintf(stderr, " -u: print times in unix epoch "
"format\n");
fprintf(stderr, "Output:\n");
@ -161,6 +165,10 @@ main(int argc, char **argv) {
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
isc_log_t *log = NULL;
isc_stdtime_t syncadd = 0, syncdel = 0;
isc_boolean_t unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE;
isc_boolean_t unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE;
isc_boolean_t printsyncadd = ISC_FALSE, printsyncdel = ISC_FALSE;
if (argc == 1)
usage();
@ -198,6 +206,8 @@ main(int argc, char **argv) {
printrev = ISC_TRUE;
printinact = ISC_TRUE;
printdel = ISC_TRUE;
printsyncadd = ISC_TRUE;
printsyncdel = ISC_TRUE;
break;
}
@ -207,6 +217,11 @@ main(int argc, char **argv) {
printcreate = ISC_TRUE;
break;
case 'P':
if (!strncmp(p, "sync", 3)) {
p += 3;
printsyncadd = ISC_TRUE;
break;
}
printpub = ISC_TRUE;
break;
case 'A':
@ -219,6 +234,11 @@ main(int argc, char **argv) {
printinact = ISC_TRUE;
break;
case 'D':
if (!strncmp(p, "sync", 3)) {
p += 3;
printsyncdel = ISC_TRUE;
break;
}
printdel = ISC_TRUE;
break;
case ' ':
@ -254,6 +274,19 @@ main(int argc, char **argv) {
fatal("-v must be followed by a number");
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncadd || setsyncadd)
fatal("-P sync specified more than "
"once");
changed = ISC_TRUE;
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
unsetsyncadd = !setsyncadd;
break;
}
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub)
fatal("-P specified more than once");
@ -290,6 +323,20 @@ main(int argc, char **argv) {
unsetinact = !setinact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncdel || setsyncdel)
fatal("-D sync specified more than "
"once");
changed = ISC_TRUE;
syncdel = strtotime(isc_commandline_argument,
now, now, &setsyncdel);
unsetsyncdel = !setsyncdel;
break;
}
/* -Ddnskey ? */
(void)isoptarg("dnskey", argv, usage);
if (setdel || unsetdel)
fatal("-D specified more than once");
@ -533,6 +580,16 @@ main(int argc, char **argv) {
else if (unsetdel)
dst_key_unsettime(key, DST_TIME_DELETE);
if (setsyncadd)
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
else if (unsetsyncadd)
dst_key_unsettime(key, DST_TIME_SYNCPUBLISH);
if (setsyncdel)
dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
else if (unsetsyncdel)
dst_key_unsettime(key, DST_TIME_SYNCDELETE);
if (setttl)
dst_key_setttl(key, ttl);
@ -570,6 +627,14 @@ main(int argc, char **argv) {
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
if (printsyncadd)
printtime(key, DST_TIME_SYNCPUBLISH, "SYNC Publish",
epoch, stdout);
if (printsyncdel)
printtime(key, DST_TIME_SYNCDELETE, "SYNC Delete",
epoch, stdout);
if (changed) {
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
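Review bot: The `-p` selector parsing under `case 'P':` and `case 'D':` compares and skips only three characters, `strncmp(p, "sync", 3)` / `p += 3`, so `Psync` and `Dsync` are matched on `syn` and the trailing `c` is left in the argument for whatever the enclosing loop (outside the hunk) does with the next character; the length should be 4 in both places, `if (!strncmp(p, "sync", 4)) {` and `p += 4;`. The same pattern appears in both print-option hunks. The value form accepts `sync` case-insensitively through isoptarg() while the `-p` form is case-sensitive; worth aligning the two or stating the difference in the usage text. main() extends beyond the hunks shown.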


@ -17,7 +17,7 @@
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
<info>
<date>2014-02-06</date>
<date>2015-08-21</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
@ -53,10 +53,13 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
@ -97,10 +100,10 @@
<variablelist>
<varlistentry>
<term>-f</term>
<term>-f</term>
<listitem>
<para>
Force an update of an old-format key with no metadata fields.
<para>
Force an update of an old-format key with no metadata fields.
Without this option, <command>dnssec-settime</command> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
@ -108,7 +111,7 @@
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</para>
</para>
</listitem>
</varlistentry>
@ -138,20 +141,20 @@
</varlistentry>
<varlistentry>
<term>-h</term>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
@ -208,6 +211,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
@ -252,6 +265,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">predecessor key</replaceable></term>
<listitem>
@ -305,29 +328,32 @@
<variablelist>
<varlistentry>
<term>-u</term>
<term>-u</term>
<listitem>
<para>
Print times in UNIX epoch format.
</para>
<para>
Print times in UNIX epoch format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">C/P/A/R/I/D/all</replaceable></term>
<term>-p <replaceable class="parameter">C/P/Psync/A/R/I/D/Dsync/all</replaceable></term>
<listitem>
<para>
Print a specific metadata value or set of metadata values.
<para>
Print a specific metadata value or set of metadata values.
The <option>-p</option> option may be followed by one or more
of the following letters to indicate which value or values to print:
of the following letters or strings to indicate which value
or values to print:
<option>C</option> for the creation date,
<option>P</option> for the publication date,
<option>Psync</option> for the CDS and CDNSKEY publication date,
<option>A</option> for the activation date,
<option>R</option> for the revocation date,
<option>I</option> for the inactivation date, or
<option>D</option> for the deletion date.
<option>I</option> for the inactivation date,
<option>D</option> for the deletion date, and
<option>Dsync</option> for the CDS and CDNSKEY deletion date
To print all of the metadata, use <option>-p all</option>.
</para>
</para>
</listitem>
</varlistentry>


@ -27,15 +27,16 @@
#include <isc/base32.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/entropy.h>
#include <isc/heap.h>
#include <isc/list.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <isc/print.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
@ -1834,3 +1835,20 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
}
}
}
isc_boolean_t
isoptarg(const char *arg, char **argv, void(*usage)(void)) {
if (!strcasecmp(isc_commandline_argument, arg)) {
if (argv[isc_commandline_index] == NULL) {
fprintf(stderr, "%s: missing argument -%c %s\n",
program, isc_commandline_option,
isc_commandline_argument);
usage();
}
isc_commandline_argument = argv[isc_commandline_index];
/* skip to next arguement */
isc_commandline_index++;
return (ISC_TRUE);
}
return (ISC_FALSE);
}
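Review bot: isoptarg() relies on usage() never returning: when `argv[isc_commandline_index]` is NULL it calls usage() and then falls through to `isc_commandline_argument = argv[isc_commandline_index];`, which would store NULL if usage() did return; a `return (ISC_FALSE);` after the usage() call, or a comment stating that usage must exit, makes that contract explicit. The function also mutates the isc_commandline_argument and isc_commandline_index globals, which the prototype added in dnssectool.h does not mention; a comment there such as `/* If the current option argument equals 'arg' (case-insensitive), consume the following argv element as the option's value, advance isc_commandline_index, and return ISC_TRUE. */` would help callers. The comment `/* skip to next arguement */` has a typo (`argument`).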


@ -98,4 +98,8 @@ void
verifyzone(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
isc_boolean_t
isoptarg(const char *arg, char **argv, void (*usage)(void));
#endif /* DNSSEC_DNSSECTOOL_H */


@ -15,42 +15,44 @@
# PERFORMANCE OF THIS SOFTWARE.
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f active.key inact.key del.key unpub.key standby.key rev.key
rm -f activate-now-publish-1day.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f missingzsk.key inactivezsk.key
rm -f nsupdate.out
rm -f */core
rm -f */example.bk
rm -f */named.memstats
rm -f activate-now-publish-1day.key
rm -f active.key inact.key del.key unpub.key standby.key rev.key
rm -f sync.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f dig.out.*
rm -f digcomp.out.test*
rm -f missingzsk.key inactivezsk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/named.lock
rm -f ns1/root.db
rm -f ns2/example.db
rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
rm -f ns3/sync.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/nsec.example.db
rm -f ns3/nsec3-to-nsec.example.db
rm -f ns3/nsec3.example.db
rm -f ns3/nsec3.nsec3.example.db
rm -f ns3/nsec3.optout.example.db
rm -f ns3/nsec3-to-nsec.example.db
rm -f ns3/oldsigs.example.db
rm -f ns3/optout.example.db
rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db
rm -f ns3/prepub.example.db
rm -f ns3/prepub.example.db.in
rm -f ns3/reconf.example.db
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/secure-to-insecure.example.db
rm -f ns3/secure-to-insecure2.example.db
rm -f ns3/secure.example.db
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
rm -f ns3/secure-to-insecure.example.db
rm -f ns3/prepub.example.db
rm -f ns3/prepub.example.db.in
rm -f ns3/secure-to-insecure2.example.db
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/reconf.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/ttl*.db
rm -f nsupdate.out
rm -f signing.out.*
rm -f ns3/*.nzf
rm -f digcomp.out.test*
rm -f ns*/named.lock


@ -20,7 +20,7 @@ SYSTEMTESTTOP=../..
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync
do
cp ../ns3/dsset-$subdomain.example. .
done


@ -262,3 +262,13 @@ setup reconf.example
cp secure.example.db.in $zonefile
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
#
# A zone which generates a CDS and CDNSEY RRsets automatically
#
setup sync.example
cp $infile $zonefile
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}.
echo ns3/$ksk > ../sync.key
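Review bot: The `$DSFROMKEY $ksk.key > dsset-${zone}.` line has no failure check, unlike the neighbouring `$KEYGEN` invocations that use `|| dumpit kg.out`; if dsset generation fails the file is left empty and the problem only surfaces later when ns1 copies it. Something like `$DSFROMKEY $ksk.key > dsset-${zone}. 2> ds.out || dumpit ds.out` would report it at the source. The comment `# A zone which generates a CDS and CDNSEY RRsets automatically` misspells CDNSKEY.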


@ -243,4 +243,12 @@ zone "inaczsk.example" {
allow-update { any; };
auto-dnssec maintain;
};
zone "sync.example" {
type master;
file "sync.example.db";
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf";


@ -0,0 +1,37 @@
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
private NS ns.private
ns.private A 10.53.0.2
insecure NS ns.insecure
ns.insecure A 10.53.0.2


@ -1170,5 +1170,33 @@ if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:test CDS and CDNSKEY auto generation ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
n=`expr $n + 1`
if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
$SETTIME -D sync now+2 `cat sync.key`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys sync.example
echo "I:waiting for deletion to occur"
sleep 3
echo "I:checking that the CDS and CDNSKEY are deleted ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null && ret=1
grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null && ret=1
n=`expr $n + 1`
if [ "$lret" != 0 ]; then ret=$lret; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
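Review bot: Both new test blocks carry `if [ "$lret" != 0 ]; then ret=$lret; fi` without ever assigning lret, so they inherit whatever the preceding test (visible in the hunk's context) left in it and a failure there would be reported a second time under these test names; drop those two lines or set `lret=0` at the top of each block. The deletion check depends on `sleep 3` after `-D sync now+2` plus an rndc loadkeys round trip, which may be tight on a loaded host; a short retry loop around the grep would make it more robust. The grep patterns key on `[1-9][0-9]* ` (the key tag) and `257 ` (the KSK flags field); a one-line comment saying so would save the next reader a lookup.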


@ -44,7 +44,7 @@ dns_dyndb_version_t dyndb_version;
* @code
* dyndb example-name "sample.so" { param1 param2 };
* @endcode
*
*
* @param[in] name User-defined string from dyndb "name" {}; definition
* in named.conf.
* The example above will have name = "example-name".


@ -9,7 +9,7 @@
#include <dns/log.h>
#include "log.h"
void
log_write(int level, const char *format, ...) {
va_list args;


@ -21,15 +21,15 @@ status=0
t=0
echo "I:class list"
$RRCHECKER -C > classlist.out
$RRCHECKER -C > classlist.out
diff classlist.out classlist.good || { echo "I:failed"; status=`expr $status + 1`; }
echo "I:type list"
$RRCHECKER -T > typelist.out
$RRCHECKER -T > typelist.out
diff typelist.out typelist.good || { echo "I:failed"; status=`expr $status + 1`; }
echo "I:private type list"
$RRCHECKER -P > privatelist.out
$RRCHECKER -P > privatelist.out
diff privatelist.out privatelist.good || { echo "I:failed"; status=`expr $status + 1`; }
myecho() {
@ -44,7 +44,7 @@ $SHELL ../genzone.sh 0 > tempzone
$CHECKZONE -Dq . tempzone | sed '/^;/d' |
while read -r n tt cl ty rest
do
myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || {
myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || {
ret=1
echo "I: '$cl $ty $rest' not handled."
}
@ -61,12 +61,12 @@ ret=0
$CHECKZONE -Dq . tempzone | sed '/^;/d' |
while read -r n tt cl ty rest
do
myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || {
myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || {
ret=1
echo "I: '$cl $ty $rest' not converted to unknown record format"
}
read -r clu tyu restu < checker.out
myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || {
myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || {
ret=1
echo "I: '$cl $ty $rest' not converted back to canonical format"
}


@ -1,11 +1,11 @@
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,


@ -1,11 +1,11 @@
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@ -103,7 +103,7 @@
Use <em class="replaceable"><code>config-file</code></em> as the
configuration file instead of the default,
<code class="filename">/etc/lwresd.conf</code>.
<code class="option">-c</code> can not be used with <code class="option">-C</code>.
</p></dd>
<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
@ -117,7 +117,7 @@
<dd><p>
Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
Debugging traces from <span class="command"><strong>lwresd</strong></span> become
more verbose as the debug level increases.
more verbose as the debug level increases.
</p></dd>
<dt><span class="term">-f</span></dt>
<dd><p>
@ -158,7 +158,7 @@
<dd><p>
Listen for lightweight resolver queries on port
<em class="replaceable"><code>port</code></em>. If
not specified, the default is port 921.
not specified, the default is port 921.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>


@ -1,11 +1,11 @@
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,


@ -660,28 +660,95 @@ dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
return (ISC_FALSE);
}
/*%<
* Indicate whether a key is scheduled to to have CDS/CDNSKEY records
* published now.
*
* Returns ISC_TRUE iff.
* - SyncPublish is set and in the past, AND
* - SyncDelete is unset or in the future
*/
static isc_boolean_t
syncpublish(dst_key_t *key, isc_stdtime_t now) {
isc_result_t result;
isc_stdtime_t when;
int major, minor;
/*
* Is this an old-style key?
*/
result = dst_key_getprivateformat(key, &major, &minor);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
* Smart signing started with key format 1.3
*/
if (major == 1 && minor <= 2)
return (ISC_FALSE);
result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
if (result != ISC_R_SUCCESS)
return (ISC_TRUE);
if (when <= now)
return (ISC_FALSE);
return (ISC_TRUE);
}
/*%<
* Indicate whether a key is scheduled to to have CDS/CDNSKEY records
* deleted now.
*
* Returns ISC_TRUE iff. SyncDelete is set and in the past.
*/
static isc_boolean_t
syncdelete(dst_key_t *key, isc_stdtime_t now) {
isc_result_t result;
isc_stdtime_t when;
int major, minor;
/*
* Is this an old-style key?
*/
result = dst_key_getprivateformat(key, &major, &minor);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
* Smart signing started with key format 1.3.
*/
if (major == 1 && minor <= 2)
return (ISC_FALSE);
result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
if (when <= now)
return (ISC_TRUE);
return (ISC_FALSE);
}
#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
== DNS_KEYOWNER_ZONE)
isc_result_t
dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
const char *directory, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
const char *directory, isc_stdtime_t now,
isc_mem_t *mctx, unsigned int maxkeys,
dst_key_t **keys, unsigned int *nkeys)
{
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
dst_key_t *pubkey = NULL;
unsigned int count = 0;
isc_stdtime_t now;
REQUIRE(nkeys != NULL);
REQUIRE(keys != NULL);
isc_stdtime_get(&now);
*nkeys = 0;
memset(keys, 0, sizeof(*keys) * maxkeys);
dns_rdataset_init(&rdataset);
@ -827,14 +894,31 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
return (result);
}
isc_result_t
dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
const char *directory, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
{
isc_stdtime_t now;
isc_stdtime_get(&now);
return (dns_dnssec_findzonekeys3(db, ver, node, name, directory, now,
mctx, maxkeys, keys, nkeys));
}
isc_result_t
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
{
return (dns_dnssec_findzonekeys2(db, ver, node, name, NULL, mctx,
maxkeys, keys, nkeys));
isc_stdtime_t now;
isc_stdtime_get(&now);
return (dns_dnssec_findzonekeys3(db, ver, node, name, NULL, now,
mctx, maxkeys, keys, nkeys));
}
isc_result_t
@ -1323,8 +1407,9 @@ get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
* Get a list of DNSSEC keys from the key repository
*/
isc_result_t
dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
isc_stdtime_t now, isc_mem_t *mctx,
dns_dnsseckeylist_t *keylist)
{
isc_result_t result = ISC_R_SUCCESS;
isc_boolean_t dir_open = ISC_FALSE;
@ -1335,7 +1420,6 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
char namebuf[DNS_NAME_FORMATSIZE];
isc_buffer_t b;
unsigned int len, i;
isc_stdtime_t now;
REQUIRE(keylist != NULL);
ISC_LIST_INIT(list);
@ -1351,8 +1435,6 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
RETERR(isc_dir_open(&dir, directory));
dir_open = ISC_TRUE;
isc_stdtime_get(&now);
while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
if (dir.entry.name[0] != 'K' ||
dir.entry.length < len + 1 ||
@ -1427,6 +1509,17 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
return (result);
}
isc_result_t
dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
{
isc_stdtime_t now;
isc_stdtime_get(&now);
return (dns_dnssec_findmatchingkeys2(origin, directory, now, mctx,
keylist));
}
/*%
* Add 'newkey' to 'keylist' if it's not already there.
*
@ -1706,6 +1799,36 @@ make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
return (ISC_R_SUCCESS);
}
static isc_result_t
publish(dns_rdata_t *rdata, dns_diff_t *diff, dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx)
{
isc_result_t result;
dns_difftuple_t *tuple = NULL;
RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
rdata, &tuple));
dns_diff_appendminimal(diff, &tuple);
failure:
return (result);
}
static isc_result_t
delete(dns_rdata_t *rdata, dns_diff_t *diff, dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx)
{
isc_result_t result;
dns_difftuple_t *tuple = NULL;
RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl,
rdata, &tuple));
dns_diff_appendminimal(diff, &tuple);
failure:
return (result);
}
static isc_result_t
publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk,
@ -1773,6 +1896,149 @@ remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
return (result);
}
static isc_boolean_t
exists(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
isc_result_t result;
dns_rdataset_t trdataset;
dns_rdataset_init(&trdataset);
dns_rdataset_clone(rdataset, &trdataset);
for (result = dns_rdataset_first(&trdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&trdataset)) {
dns_rdata_t current = DNS_RDATA_INIT;
dns_rdataset_current(&trdataset, &current);
if (dns_rdata_compare(rdata, &current) == 0) {
dns_rdataset_disassociate(&trdataset);
return (ISC_TRUE);
}
}
dns_rdataset_disassociate(&trdataset);
return (ISC_FALSE);
}
isc_result_t
dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
isc_stdtime_t now, dns_ttl_t ttl, dns_diff_t *diff,
isc_mem_t *mctx)
{
unsigned char dsbuf1[DNS_DS_BUFFERSIZE];
unsigned char dsbuf2[DNS_DS_BUFFERSIZE];
unsigned char keybuf[DST_KEY_MAXSIZE];
isc_result_t result;
dns_dnsseckey_t *key;
for (key = ISC_LIST_HEAD(*keys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
&cdnskeyrdata));
/*
* XXXMPA we need to be able to specify the DS algorithms
* to be used here and below with rmkeys.
*/
RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
DNS_DSDIGEST_SHA1, dsbuf1,
&cdsrdata1));
RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
DNS_DSDIGEST_SHA256, dsbuf2,
&cdsrdata2));
/*
* Now that the we have created the DS records convert
* the rdata to CDNSKEY and CDS for comparison.
*/
cdnskeyrdata.type = dns_rdatatype_cdnskey;
cdsrdata1.type = dns_rdatatype_cds;
cdsrdata2.type = dns_rdatatype_cds;
if (syncpublish(key->key, now)) {
if (!dns_rdataset_isassociated(cdnskey) ||
!exists(cdnskey, &cdnskeyrdata))
RETERR(publish(&cdnskeyrdata, diff, origin,
ttl, mctx));
if (!dns_rdataset_isassociated(cds) ||
!exists(cds, &cdsrdata1))
RETERR(publish(&cdsrdata1, diff, origin,
ttl, mctx));
if (!dns_rdataset_isassociated(cds) ||
!exists(cds, &cdsrdata2))
RETERR(publish(&cdsrdata2, diff, origin,
ttl, mctx));
}
if (dns_rdataset_isassociated(cds) &&
syncdelete(key->key, now)) {
if (exists(cds, &cdsrdata1))
RETERR(delete(&cdsrdata1, diff, origin,
cds->ttl, mctx));
if (exists(cds, &cdsrdata2))
RETERR(delete(&cdsrdata2, diff, origin,
cds->ttl, mctx));
}
if (dns_rdataset_isassociated(cdnskey) &&
syncdelete(key->key, now)) {
if (exists(cdnskey, &cdnskeyrdata))
RETERR(delete(&cdnskeyrdata, diff, origin,
cdnskey->ttl, mctx));
}
}
if (!dns_rdataset_isassociated(cds) &&
!dns_rdataset_isassociated(cdnskey))
return (ISC_R_SUCCESS);
/*
* Unconditionaly remove CDS/DNSKEY records for removed keys.
*/
for (key = ISC_LIST_HEAD(*rmkeys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
&cdnskeyrdata));
if (dns_rdataset_isassociated(cds)) {
RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
DNS_DSDIGEST_SHA1, dsbuf1,
&cdsrdata1));
RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
DNS_DSDIGEST_SHA256, dsbuf2,
&cdsrdata2));
if (exists(cds, &cdsrdata1))
RETERR(delete(&cdsrdata1, diff, origin,
cds->ttl, mctx));
if (exists(cds, &cdsrdata2))
RETERR(delete(&cdsrdata2, diff, origin,
cds->ttl, mctx));
}
if (dns_rdataset_isassociated(cdnskey)) {
if (exists(cdnskey, &cdnskeyrdata))
RETERR(delete(&cdnskeyrdata, diff, origin,
cdnskey->ttl, mctx));
}
}
result = ISC_R_SUCCESS;
failure:
return (result);
}
/*
* Update 'keys' with information from 'newkeys'.
*
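Review bot: syncpublish() never compares the SyncPublish time with now: after `dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when)` only the result code is checked and `when` is then overwritten by the SyncDelete lookup, so a key whose `-P sync` date is in the future gets its CDS/CDNSKEY records published immediately, contradicting the function's own comment ("set and in the past"). Changing that check to `if (result != ISC_R_SUCCESS || when > now)` / `return (ISC_FALSE);` makes the code match the comment and the documented `-P sync date/offset` semantics. Smaller points: both function comments read "to to"; the comment above the rmkeys loop should say "CDS/CDNSKEY" and "Unconditionally"; and the `XXXMPA` note about the hard-coded SHA-1/SHA-256 digest types would benefit from a tracking reference so it is not forgotten.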


@ -67,7 +67,9 @@ static const char *timetags[TIMING_NTAGS] = {
"Revoke:",
"Inactive:",
"Delete:",
"DSPublish:"
"DSPublish:",
"SyncPublish:",
"SyncDelete:"
};
#define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
@ -163,7 +165,7 @@ find_metadata(const char *s, const char *tags[], int ntags) {
int i;
for (i = 0; i < ntags; i++) {
if (strcasecmp(s, tags[i]) == 0)
if (tags[i] != NULL && strcasecmp(s, tags[i]) == 0)
return (i);
}


@ -181,6 +181,14 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
const char *directory, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys);
isc_result_t
dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
const char *directory, isc_stdtime_t now,
isc_mem_t *mctx, unsigned int maxkeys,
dst_key_t **keys, unsigned int *nkeys);
/*%<
* Finds a set of zone keys.
* XXX temporary - this should be handled in dns_zone_t.
@ -290,6 +298,11 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp);
isc_result_t
dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
isc_mem_t *mctx, dns_dnsseckeylist_t *keylist);
isc_result_t
dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
isc_stdtime_t now, isc_mem_t *mctx,
dns_dnsseckeylist_t *keylist);
/*%<
* Search 'directory' for K* key files matching the name in 'origin'.
* Append all such keys, along with use hints gleaned from their
@ -360,6 +373,16 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
*
* On completion, any remaining keys in 'newkeys' are freed.
*/
isc_boolean_t
dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
isc_stdtime_t now, dns_ttl_t hint_ttl, dns_diff_t *diff,
isc_mem_t *mctx);
/*%<
* Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.
*/
ISC_LANG_ENDDECLS
#endif /* DNS_DNSSEC_H */
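Review bot: The prototype of dns_dnssec_syncupdate() returns `isc_boolean_t` while the definition in dnssec.c in this same commit returns `isc_result_t` (it uses RETERR and returns `ISC_R_SUCCESS`), and the TTL parameter is named `hint_ttl` here but `ttl` there; the prototype should read `isc_result_t` so the two declarations do not conflict where both are visible. The one-line doc comment also leaves the two lists ambiguous: keys in `keys` are published or removed according to each key's SyncPublish/SyncDelete times relative to `now`, every key in `rmkeys` has its CDS/CDNSKEY records removed unconditionally, and `diff` receives the resulting tuples; spelling that out, plus what `hint_ttl` is used for, would help callers. The new `now` parameter of dns_dnssec_findzonekeys3() and dns_dnssec_findmatchingkeys2() is likewise undocumented in the existing `/*%<` blocks that follow them.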


@ -96,7 +96,9 @@ typedef struct dst_context dst_context_t;
#define DST_TIME_INACTIVE 4
#define DST_TIME_DELETE 5
#define DST_TIME_DSPUBLISH 6
#define DST_MAX_TIMES 6
#define DST_TIME_SYNCPUBLISH 7
#define DST_TIME_SYNCDELETE 8
#define DST_MAX_TIMES 8
/* Numeric metadata definitions */
#define DST_NUM_PREDECESSOR 0


@ -296,8 +296,10 @@ dns_dns64_destroy
dns_dns64_next
dns_dns64_unlink
dns_dnssec_findmatchingkeys
dns_dnssec_findmatchingkeys2
dns_dnssec_findzonekeys
dns_dnssec_findzonekeys2
dns_dnssec_findzonekeys3
dns_dnssec_keyactive
dns_dnssec_keyfromrdata
dns_dnssec_keylistfromrdataset
@ -305,6 +307,8 @@ dns_dnssec_selfsigns
dns_dnssec_sign
dns_dnssec_signmessage
dns_dnssec_signs
dns_dnssec_syncupdate
dns_dnssec_syncupdate
dns_dnssec_updatekeys
dns_dnssec_verify
dns_dnssec_verify2
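Review bot: `dns_dnssec_syncupdate` is listed twice in the second hunk — with six context lines and two added lines in the `+307,8` hunk, both additions are the same symbol — so the module definition file now exports it twice. One of the two lines should be removed, or, if a second new function was meant to be exported here, named correctly. A duplicate EXPORTS entry is presumably only a linker warning on the Windows build, so it would likely go unnoticed until someone reads the .def file.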


@ -5787,7 +5787,7 @@ was_dumping(dns_zone_t *zone) {
static isc_result_t
find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
isc_mem_t *mctx, unsigned int maxkeys,
isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
dst_key_t **keys, unsigned int *nkeys)
{
isc_result_t result;
@ -5796,8 +5796,8 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
memset(keys, 0, sizeof(*keys) * maxkeys);
result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
directory, mctx, maxkeys, keys,
result = dns_dnssec_findzonekeys3(db, ver, node, dns_db_origin(db),
directory, now, mctx, maxkeys, keys,
nkeys);
if (result == ISC_R_NOTFOUND)
result = ISC_R_SUCCESS;
@ -6240,8 +6240,10 @@ zone_resigninc(dns_zone_t *zone) {
goto failure;
}
result = find_zone_keys(zone, db, version, zone->mctx, DNS_MAXZONEKEYS,
zone_keys, &nkeys);
isc_stdtime_get(&now);
result = find_zone_keys(zone, db, version, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:find_zone_keys -> %s",
@ -6249,7 +6251,6 @@ zone_resigninc(dns_zone_t *zone) {
goto failure;
}
isc_stdtime_get(&now);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
/*
@ -7173,7 +7174,9 @@ zone_nsec3chain(dns_zone_t *zone) {
goto failure;
}
result = find_zone_keys(zone, db, version, zone->mctx,
isc_stdtime_get(&now);
result = find_zone_keys(zone, db, version, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
@ -7182,7 +7185,6 @@ zone_nsec3chain(dns_zone_t *zone) {
goto failure;
}
isc_stdtime_get(&now);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
@ -8026,7 +8028,9 @@ zone_sign(dns_zone_t *zone) {
goto failure;
}
result = find_zone_keys(zone, db, version, zone->mctx,
isc_stdtime_get(&now);
result = find_zone_keys(zone, db, version, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
@ -8035,7 +8039,6 @@ zone_sign(dns_zone_t *zone) {
goto failure;
}
isc_stdtime_get(&now);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
@ -17070,17 +17073,17 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
static isc_result_t
sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_diff_t *diff, zonediff_t *zonediff)
isc_stdtime_t now, dns_diff_t *diff, zonediff_t *zonediff)
{
isc_result_t result;
isc_stdtime_t now, inception, soaexpire;
isc_stdtime_t inception, soaexpire;
isc_boolean_t check_ksk, keyset_kskonly;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
unsigned int nkeys = 0, i;
dns_difftuple_t *tuple;
result = find_zone_keys(zone, db, ver, zone->mctx, DNS_MAXZONEKEYS,
zone_keys, &nkeys);
result = find_zone_keys(zone, db, ver, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"sign_apex:find_zone_keys -> %s",
@ -17088,7 +17091,6 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
return (result);
}
isc_stdtime_get(&now);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
@ -17286,7 +17288,7 @@ zone_rekey(dns_zone_t *zone) {
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
dns_dbversion_t *ver = NULL;
dns_rdataset_t soaset, soasigs, keyset, keysigs;
dns_rdataset_t cdsset, soaset, soasigs, keyset, keysigs, cdnskeyset;
dns_dnsseckeylist_t dnskeys, keys, rmkeys;
dns_dnsseckey_t *key;
dns_diff_t diff, _sig_diff;
@ -17311,6 +17313,8 @@ zone_rekey(dns_zone_t *zone) {
dns_rdataset_init(&soasigs);
dns_rdataset_init(&keyset);
dns_rdataset_init(&keysigs);
dns_rdataset_init(&cdsset);
dns_rdataset_init(&cdnskeyset);
dir = dns_zone_getkeydirectory(zone);
mctx = zone->mctx;
dns_diff_init(mctx, &diff);
@ -17345,13 +17349,27 @@ zone_rekey(dns_zone_t *zone) {
} else if (result != ISC_R_NOTFOUND)
goto failure;
/* Get the CDS rdataset */
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cds,
dns_rdatatype_none, 0, &cdsset, NULL);
if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdsset))
dns_rdataset_disassociate(&cdsset);
/* Get the CDNSKEY rdataset */
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cdnskey,
dns_rdatatype_none, 0, &cdnskeyset, NULL);
if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset))
dns_rdataset_disassociate(&cdnskeyset);
/*
* True when called from "rndc sign". Indicates the zone should be
* fully signed now.
*/
fullsign = ISC_TF(DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN) != 0);
result = dns_dnssec_findmatchingkeys(&zone->origin, dir, mctx, &keys);
result = dns_dnssec_findmatchingkeys2(&zone->origin, dir, now, mctx,
&keys);
if (result == ISC_R_SUCCESS) {
isc_boolean_t check_ksk;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
@ -17360,9 +17378,10 @@ zone_rekey(dns_zone_t *zone) {
&zone->origin, ttl, &diff,
ISC_TF(!check_ksk),
mctx, logmsg);
/* Keys couldn't be updated for some reason;
* try again later. */
/*
* Keys couldn't be updated for some reason;
* try again later.
*/
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
"couldn't update zone keys: %s",
@ -17370,6 +17389,19 @@ zone_rekey(dns_zone_t *zone) {
goto failure;
}
/*
* Update CDS / CDNSKEY records.
*/
result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset,
&cdnskeyset, now, ttl,
&diff, mctx);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
"couldn't update CDS/CDNSKEY: %s",
isc_result_totext(result));
goto failure;
}
/*
* See if any pre-existing keys have newly become active;
* also, see if any new key is for a new algorithm, as in that
@ -17413,7 +17445,7 @@ zone_rekey(dns_zone_t *zone) {
CHECK(update_soa_serial(db, ver, &diff, mctx,
zone->updatemethod));
CHECK(add_chains(zone, db, ver, &diff));
CHECK(sign_apex(zone, db, ver, &diff, &zonediff));
CHECK(sign_apex(zone, db, ver, now, &diff, &zonediff));
CHECK(zone_journal(zone, zonediff.diff, NULL,
"zone_rekey"));
commit = ISC_TRUE;
@ -17596,12 +17628,16 @@ zone_rekey(dns_zone_t *zone) {
if (ver != NULL)
dns_db_closeversion(db, &ver, ISC_FALSE);
if (dns_rdataset_isassociated(&cdsset))
dns_rdataset_disassociate(&cdsset);
if (dns_rdataset_isassociated(&keyset))
dns_rdataset_disassociate(&keyset);
if (dns_rdataset_isassociated(&keysigs))
dns_rdataset_disassociate(&keysigs);
if (dns_rdataset_isassociated(&soasigs))
dns_rdataset_disassociate(&soasigs);
if (dns_rdataset_isassociated(&cdnskeyset))
dns_rdataset_disassociate(&cdnskeyset);
if (node != NULL)
dns_db_detachnode(db, &node);
if (db != NULL)
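Review bot: `result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset, ...)` in zone_rekey stores the return value in an `isc_result_t` and tests it against `ISC_R_SUCCESS`, but the prototype this commit adds to dnssec.h declares the function as returning `isc_boolean_t`; if the implementation really returns a boolean, a successful `ISC_TRUE` (1) is logged as a failure with a misleading `isc_result_totext()` string and aborts the rekey, and if it returns an `isc_result_t` the header is wrong. Either way the declaration and the call disagree and one of them has to change, and the header comment `Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.` should then also say what result values callers can expect. A smaller point: the new CDS and CDNSKEY lookups swallow every non-success result from `dns_db_findrdataset`, whereas the lookup immediately above them jumps to `failure` on anything other than `ISC_R_NOTFOUND`; matching that with `else if (result != ISC_R_NOTFOUND) goto failure;` would keep a transient database error from being treated as "no records present". zone_rekey continues past the end of this section's last hunk.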


@ -2,28 +2,28 @@
!IF "$(CFG)" == ""
CFG=libisc - @PLATFORM@ Debug
!MESSAGE No configuration specified. Defaulting to libisc - @PLATFORM@ Debug.
!ENDIF
!ENDIF
!IF "$(CFG)" != "libisc - @PLATFORM@ Release" && "$(CFG)" != "libisc - @PLATFORM@ Debug"
!MESSAGE Invalid configuration "$(CFG)" specified.
!MESSAGE You can specify a configuration when running NMAKE
!MESSAGE by defining the macro CFG on the command line. For example:
!MESSAGE
!MESSAGE
!MESSAGE NMAKE /f "libisc.mak" CFG="libisc - @PLATFORM@ Debug"
!MESSAGE
!MESSAGE
!MESSAGE Possible choices for configuration are:
!MESSAGE
!MESSAGE
!MESSAGE "libisc - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
!MESSAGE "libisc - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
!MESSAGE
!MESSAGE
!ERROR An invalid configuration is specified.
!ENDIF
!ENDIF
!IF "$(OS)" == "Windows_NT"
NULL=
!ELSE
!ELSE
NULL=nul
!ENDIF
!ENDIF
CPP=cl.exe
MTL=midl.exe
@ -216,17 +216,17 @@ CLEAN :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
@IF PKCS11
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../dns/win32/include" /I "../../dns/include" @LIBXML2_INC@ @OPENSSL_INC@ /D "BIND9" @CRYPTO@ @PK11_LIB_LOCATION@ /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../dns/win32/include" /I "../../dns/include" @LIBXML2_INC@ @OPENSSL_INC@ /D "BIND9" @CRYPTO@ @PK11_LIB_LOCATION@ /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
@ELSE PKCS11
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ @OPENSSL_INC@ /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ @OPENSSL_INC@ /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
@END PKCS11
MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc"
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc"
BSC32_SBRS= \
LINK32=link.exe
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) @OPENSSL_LIB@ /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib"
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) @OPENSSL_LIB@ /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib"
DEF_FILE= \
".\libisc.def"
LINK32_OBJS= \
@ -535,13 +535,13 @@ CLEAN :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
@IF PKCS11
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../dns/win32/include" /I "../../dns/include" @LIBXML2_INC@ @OPENSSL_INC@ /D "BIND9" @CRYPTO@ @PK11_LIB_LOCATION@ /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../dns/win32/include" /I "../../dns/include" @LIBXML2_INC@ @OPENSSL_INC@ /D "BIND9" @CRYPTO@ @PK11_LIB_LOCATION@ /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
@ELSE PKCS11
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ @OPENSSL_INC@ /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ @OPENSSL_INC@ /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
@END PKCS11
MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc"
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc"
BSC32_SBRS= \
"$(INTDIR)\app.sbr" \
"$(INTDIR)\condition.sbr" \
@ -644,7 +644,7 @@ BSC32_SBRS= \
<<
LINK32=link.exe
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) @OPENSSL_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) @OPENSSL_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept
DEF_FILE= \
".\libisc.def"
LINK32_OBJS= \
@ -749,46 +749,46 @@ LINK32_OBJS= \
<<
$(_VC_MANIFEST_EMBED_DLL)
!ENDIF
!ENDIF
.c{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
$(CPP_PROJ) $<
<<
.cpp{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
$(CPP_PROJ) $<
<<
.cxx{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
$(CPP_PROJ) $<
<<
.c{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
$(CPP_PROJ) $<
<<
.cpp{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
$(CPP_PROJ) $<
<<
.cxx{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
$(CPP_PROJ) $<
<<
!IF "$(NO_EXTERNAL_DEPS)" != "1"
!IF EXISTS("libisc.dep")
!INCLUDE "libisc.dep"
!ELSE
!ELSE
!MESSAGE Warning: cannot find "libisc.dep"
!ENDIF
!ENDIF
!ENDIF
!ENDIF
!IF "$(CFG)" == "libisc - @PLATFORM@ Release" || "$(CFG)" == "libisc - @PLATFORM@ Debug"
@ -806,7 +806,7 @@ SOURCE=.\app.c
"$(INTDIR)\app.obj" "$(INTDIR)\app.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\condition.c
@ -822,7 +822,7 @@ SOURCE=.\condition.c
"$(INTDIR)\condition.obj" "$(INTDIR)\condition.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\dir.c
@ -838,7 +838,7 @@ SOURCE=.\dir.c
"$(INTDIR)\dir.obj" "$(INTDIR)\dir.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\DLLMain.c
@ -854,7 +854,7 @@ SOURCE=.\DLLMain.c
"$(INTDIR)\DLLMain.obj" "$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\entropy.c
@ -870,7 +870,7 @@ SOURCE=.\entropy.c
"$(INTDIR)\entropy.obj" "$(INTDIR)\entropy.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\errno2result.c
@ -886,7 +886,7 @@ SOURCE=.\errno2result.c
"$(INTDIR)\errno2result.obj" "$(INTDIR)\errno2result.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\file.c
@ -902,7 +902,7 @@ SOURCE=.\file.c
"$(INTDIR)\file.obj" "$(INTDIR)\file.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\fsaccess.c
@ -918,7 +918,7 @@ SOURCE=.\fsaccess.c
"$(INTDIR)\fsaccess.obj" "$(INTDIR)\fsaccess.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\interfaceiter.c
@ -934,7 +934,7 @@ SOURCE=.\interfaceiter.c
"$(INTDIR)\interfaceiter.obj" "$(INTDIR)\interfaceiter.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\ipv6.c
@ -950,7 +950,7 @@ SOURCE=.\ipv6.c
"$(INTDIR)\ipv6.obj" "$(INTDIR)\ipv6.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\keyboard.c
@ -967,7 +967,7 @@ SOURCE=.\keyboard.c
"$(INTDIR)\keyboard.obj" "$(INTDIR)\keyboard.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\meminfo.c
@ -983,7 +983,7 @@ SOURCE=.\meminfo.c
"$(INTDIR)\meminfo.obj" "$(INTDIR)\meminfo.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\net.c
@ -999,7 +999,7 @@ SOURCE=.\net.c
"$(INTDIR)\net.obj" "$(INTDIR)\net.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\ntpaths.c
@ -1015,7 +1015,7 @@ SOURCE=.\ntpaths.c
"$(INTDIR)\ntpaths.obj" "$(INTDIR)\ntpaths.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\once.c
@ -1031,7 +1031,7 @@ SOURCE=.\once.c
"$(INTDIR)\once.obj" "$(INTDIR)\once.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\os.c
@ -1047,7 +1047,7 @@ SOURCE=.\os.c
"$(INTDIR)\os.obj" "$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\pk11_api.c
@ -1065,7 +1065,7 @@ SOURCE=.\pk11_api.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=.\resource.c
@ -1081,7 +1081,7 @@ SOURCE=.\resource.c
"$(INTDIR)\resource.obj" "$(INTDIR)\resource.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\socket.c
@ -1097,7 +1097,7 @@ SOURCE=.\socket.c
"$(INTDIR)\socket.obj" "$(INTDIR)\socket.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\stdio.c
@ -1113,7 +1113,7 @@ SOURCE=.\stdio.c
"$(INTDIR)\stdio.obj" "$(INTDIR)\stdio.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\stdtime.c
@ -1129,7 +1129,7 @@ SOURCE=.\stdtime.c
"$(INTDIR)\stdtime.obj" "$(INTDIR)\stdtime.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\strerror.c
@ -1145,7 +1145,7 @@ SOURCE=.\strerror.c
"$(INTDIR)\strerror.obj" "$(INTDIR)\strerror.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\syslog.c
@ -1161,7 +1161,7 @@ SOURCE=.\syslog.c
"$(INTDIR)\syslog.obj" "$(INTDIR)\syslog.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\thread.c
@ -1177,7 +1177,7 @@ SOURCE=.\thread.c
"$(INTDIR)\thread.obj" "$(INTDIR)\thread.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\time.c
@ -1193,7 +1193,7 @@ SOURCE=.\time.c
"$(INTDIR)\time.obj" "$(INTDIR)\time.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\version.c
@ -1209,7 +1209,7 @@ SOURCE=.\version.c
"$(INTDIR)\version.obj" "$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
SOURCE=.\win32os.c
@ -1225,7 +1225,7 @@ SOURCE=.\win32os.c
"$(INTDIR)\win32os.obj" "$(INTDIR)\win32os.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
@IF AES
SOURCE=..\aes.c
@ -1242,7 +1242,7 @@ SOURCE=..\aes.c
"$(INTDIR)\aes.obj" "$(INTDIR)\aes.sbr" : $(SOURCE) "$(INTDIR)"
!ENDIF
!ENDIF
@END AES
SOURCE=..\assertions.c
@ -1261,7 +1261,7 @@ SOURCE=..\assertions.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\backtrace.c
@ -1279,7 +1279,7 @@ SOURCE=..\backtrace.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\backtrace-emptytbl.c
@ -1297,7 +1297,7 @@ SOURCE=..\backtrace-emptytbl.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\base32.c
@ -1315,7 +1315,7 @@ SOURCE=..\base32.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\base64.c
@ -1333,7 +1333,7 @@ SOURCE=..\base64.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\bind9.c
@ -1351,7 +1351,7 @@ SOURCE=..\bind9.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\buffer.c
@ -1369,7 +1369,7 @@ SOURCE=..\buffer.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\bufferlist.c
@ -1387,7 +1387,7 @@ SOURCE=..\bufferlist.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\commandline.c
@ -1405,7 +1405,7 @@ SOURCE=..\commandline.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\counter.c
@ -1423,7 +1423,7 @@ SOURCE=..\counter.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\crc64.c
@ -1441,7 +1441,7 @@ SOURCE=..\crc64.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\error.c
@ -1459,7 +1459,7 @@ SOURCE=..\error.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\event.c
@ -1477,7 +1477,7 @@ SOURCE=..\event.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\hash.c
@ -1495,7 +1495,7 @@ SOURCE=..\hash.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\heap.c
@ -1513,7 +1513,7 @@ SOURCE=..\heap.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\hex.c
@ -1531,7 +1531,7 @@ SOURCE=..\hex.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\hmacmd5.c
@ -1549,7 +1549,7 @@ SOURCE=..\hmacmd5.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\hmacsha.c
@ -1567,7 +1567,7 @@ SOURCE=..\hmacsha.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\httpd.c
@ -1585,7 +1585,7 @@ SOURCE=..\httpd.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\inet_aton.c
@ -1603,7 +1603,7 @@ SOURCE=..\inet_aton.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\inet_ntop.c
@ -1621,7 +1621,7 @@ SOURCE=..\inet_ntop.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\inet_pton.c
@ -1639,7 +1639,7 @@ SOURCE=..\inet_pton.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\iterated_hash.c
@ -1657,7 +1657,7 @@ SOURCE=..\iterated_hash.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\lex.c
@ -1675,7 +1675,7 @@ SOURCE=..\lex.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\lfsr.c
@ -1693,7 +1693,7 @@ SOURCE=..\lfsr.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\lib.c
@ -1711,7 +1711,7 @@ SOURCE=..\lib.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\log.c
@ -1729,7 +1729,7 @@ SOURCE=..\log.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\md5.c
@ -1747,7 +1747,7 @@ SOURCE=..\md5.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\mem.c
@ -1765,7 +1765,7 @@ SOURCE=..\mem.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\nls\msgcat.c
@ -1783,7 +1783,7 @@ SOURCE=..\nls\msgcat.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\mutexblock.c
@ -1801,7 +1801,7 @@ SOURCE=..\mutexblock.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\netaddr.c
@ -1819,7 +1819,7 @@ SOURCE=..\netaddr.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\netscope.c
@ -1837,7 +1837,7 @@ SOURCE=..\netscope.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\ondestroy.c
@ -1855,7 +1855,7 @@ SOURCE=..\ondestroy.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\parseint.c
@ -1873,7 +1873,7 @@ SOURCE=..\parseint.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\pk11.c
@ -1891,7 +1891,7 @@ SOURCE=..\pk11.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\pk11_result.c
@ -1909,7 +1909,7 @@ SOURCE=..\pk11_result.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\pool.c
@ -1927,7 +1927,7 @@ SOURCE=..\pool.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\portset.c
@ -1945,7 +1945,7 @@ SOURCE=..\portset.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\quota.c
@ -1963,7 +1963,7 @@ SOURCE=..\quota.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\radix.c
@ -1981,7 +1981,7 @@ SOURCE=..\radix.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\random.c
@ -1999,7 +1999,7 @@ SOURCE=..\random.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\ratelimiter.c
@ -2017,7 +2017,7 @@ SOURCE=..\ratelimiter.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\refcount.c
@ -2035,7 +2035,7 @@ SOURCE=..\refcount.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\regex.c
@ -2053,7 +2053,7 @@ SOURCE=..\regex.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\region.c
@ -2072,7 +2072,7 @@ SOURCE=..\region.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\result.c
@ -2090,7 +2090,7 @@ SOURCE=..\result.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\rwlock.c
@ -2108,7 +2108,7 @@ SOURCE=..\rwlock.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\safe.c
@ -2126,7 +2126,7 @@ SOURCE=..\safe.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\serial.c
@ -2144,7 +2144,7 @@ SOURCE=..\serial.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\sha1.c
@ -2162,7 +2162,7 @@ SOURCE=..\sha1.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\sha2.c
@ -2180,7 +2180,7 @@ SOURCE=..\sha2.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\sockaddr.c
@ -2198,7 +2198,7 @@ SOURCE=..\sockaddr.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\stats.c
@ -2216,7 +2216,7 @@ SOURCE=..\stats.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\string.c
@ -2234,7 +2234,7 @@ SOURCE=..\string.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\symtab.c
@ -2252,7 +2252,7 @@ SOURCE=..\symtab.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\task.c
@ -2270,7 +2270,7 @@ SOURCE=..\task.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\taskpool.c
@ -2288,7 +2288,7 @@ SOURCE=..\taskpool.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\timer.c
@ -2306,7 +2306,7 @@ SOURCE=..\timer.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
SOURCE=..\tm.c
@ -2324,10 +2324,10 @@ SOURCE=..\tm.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
!ENDIF
!ENDIF
####################################################
# Commands to generate initial empty manifest file and the RC file