diff --git a/CHANGES b/CHANGES index 914f27c825..5662dbd7ff 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4252. [func] Add support for automating the generation CDS and + CDNSKEY rrsets to named and dnssec-signzone. + [RT #40424] + 4251. [bug] NTAs were deleted when the server was reconfigured or reloaded. [RT #41058] diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook index 1237c362d0..85cec76882 100644 --- a/bin/dnssec/dnssec-dsfromkey.docbook +++ b/bin/dnssec/dnssec-dsfromkey.docbook @@ -96,85 +96,85 @@ - -1 - - - Use SHA-1 as the digest algorithm (the default is to use - both SHA-1 and SHA-256). - - + -1 + + + Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). + + - -2 - - - Use SHA-256 as the digest algorithm. - - + -2 + + + Use SHA-256 as the digest algorithm. + + - -a algorithm - - - Select the digest algorithm. The value of - must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). - These values are case insensitive. - - + -a algorithm + + + Select the digest algorithm. The value of + must be one of SHA-1 (SHA1), + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. + + - -C - - - Generate CDS records rather than DS records. This is mutually + -C + + + Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records. - - + + - -T TTL - - - Specifies the TTL of the DS records. - + -T TTL + + + Specifies the TTL of the DS records. + - -K directory - - - Look for key files (or, in keyset mode, - keyset- files) in - . - - + -K directory + + + Look for key files (or, in keyset mode, + keyset- files) in + . + + - -f file - - - Zone file mode: in place of the keyfile name, the argument is - the DNS domain name of a zone master file, which can be read - from . If the zone name is the same as - , then it may be omitted. - - - If is set to "-", then - the zone data is read from the standard input. This makes it - possible to use the output of the dig - command as input, as in: - - - dig dnskey example.com | dnssec-dsfromkey -f - example.com - - + -f file + + + Zone file mode: in place of the keyfile name, the argument is + the DNS domain name of a zone master file, which can be read + from . If the zone name is the same as + , then it may be omitted. + + + If is set to "-", then + the zone data is read from the standard input. This makes it + possible to use the output of the dig + command as input, as in: + + + dig dnskey example.com | dnssec-dsfromkey -f - example.com + + @@ -189,64 +189,64 @@ - -l domain - - - Generate a DLV set instead of a DS set. The specified - is appended to the name for each - record in the set. - The DNSSEC Lookaside Validation (DLV) RR is described - in RFC 4431. This is mutually exclusive with generating + -l domain + + + Generate a DLV set instead of a DS set. The specified + is appended to the name for each + record in the set. + The DNSSEC Lookaside Validation (DLV) RR is described + in RFC 4431. This is mutually exclusive with generating CDS records. - - + + - -s - - - Keyset mode: in place of the keyfile name, the argument is - the DNS domain name of a keyset file. - - + -s + + + Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. + + - -c class - - - Specifies the DNS class (default is IN). Useful only - in keyset or zone file mode. - + -c class + + + Specifies the DNS class (default is IN). Useful only + in keyset or zone file mode. + - -v level - - - Sets the debugging level. - - + -v level + + + Sets the debugging level. + + - -h - - - Prints usage information. - - + -h + + + Prints usage information. + + - -V - - - Prints version information. - - + -V + + + Prints version information. + + @@ -292,10 +292,10 @@ SEE ALSO - dnssec-keygen8 + dnssec-keygen8 , - dnssec-signzone8 + dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 3658, diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index 9012ef3f94..b2ea6e1907 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -68,6 +68,9 @@ static isc_boolean_t setpub = ISC_FALSE, setdel = ISC_FALSE; static isc_boolean_t setttl = ISC_FALSE; static isc_stdtime_t pub = 0, del = 0; static dns_ttl_t ttl = 0; +static isc_stdtime_t syncadd = 0, syncdel = 0; +static isc_boolean_t setsyncadd = ISC_FALSE; +static isc_boolean_t setsyncdel = ISC_FALSE; static isc_result_t initname(char *setname) { @@ -236,6 +239,11 @@ emit(const char *dir, dns_rdata_t *rdata) { dst_key_settime(key, DST_TIME_PUBLISH, pub); if (setdel) dst_key_settime(key, DST_TIME_DELETE, del); + if (setsyncadd) + dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd); + if (setsyncdel) + dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel); + if (setttl) dst_key_setttl(key, ttl); @@ -278,8 +286,12 @@ usage(void) { fprintf(stderr, "Timing options:\n"); fprintf(stderr, " -P date/[+-]offset/none: set/unset key " "publication date\n"); + fprintf(stderr, " -P sync date/[+-]offset/none: set/unset " + "CDS and CDNSKEY publication date\n"); fprintf(stderr, " -D date/[+-]offset/none: set/unset key " "deletion date\n"); + fprintf(stderr, " -D sync date/[+-]offset/none: set/unset " + "CDS and CDNSKEY deletion date\n"); exit (-1); } @@ -318,6 +330,18 @@ main(int argc, char **argv) { while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { case 'D': + /* -Dsync ? */ + if (isoptarg("sync", argv, usage)) { + if (setsyncdel) + fatal("-D sync specified more than " + "once"); + + syncdel = strtotime(isc_commandline_argument, + now, now, &setsyncdel); + break; + } + /* -Ddnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setdel) fatal("-D specified more than once"); @@ -334,6 +358,18 @@ main(int argc, char **argv) { setttl = ISC_TRUE; break; case 'P': + /* -Psync ? */ + if (isoptarg("sync", argv, usage)) { + if (setsyncadd) + fatal("-P sync specified more than " + "once"); + + syncadd = strtotime(isc_commandline_argument, + now, now, &setsyncadd); + break; + } + /* -Pdnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setpub) fatal("-P specified more than once"); diff --git a/bin/dnssec/dnssec-importkey.docbook b/bin/dnssec/dnssec-importkey.docbook index f4c3f172b3..3b6e3e51ae 100644 --- a/bin/dnssec/dnssec-importkey.docbook +++ b/bin/dnssec/dnssec-importkey.docbook @@ -20,6 +20,7 @@ 2014-02-20 + August 21, 2015 ISC Internet Systems Consortium, Inc. @@ -50,7 +51,9 @@ + + @@ -62,7 +65,9 @@ + + @@ -97,68 +102,68 @@ -f filename - - - Zone file mode: instead of a public keyfile name, the argument + + + Zone file mode: instead of a public keyfile name, the argument is the DNS domain name of a zone master file, which can be read - from . If the domain name is the same as - , then it may be omitted. - - - If is set to "-", then - the zone data is read from the standard input. - - + from . If the domain name is the same as + , then it may be omitted. + + + If is set to "-", then + the zone data is read from the standard input. + + - -K directory - - - Sets the directory in which the key files are to reside. - - + -K directory + + + Sets the directory in which the key files are to reside. + + - -L ttl - - - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. - - + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. + + -h - + Emit usage message and exit. - + - -v level - - - Sets the debugging level. - - + -v level + + + Sets the debugging level. + + -V - + Prints version information. - + @@ -180,25 +185,45 @@ - -P date/offset - - - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. - - + -P date/offset + + + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. + + - -D date/offset - - - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) - - + -P sync date/offset + + + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. + + + + + + -D date/offset + + + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) + + + + + + -D sync date/offset + + + Sets the date on which the CDS and CDNSKEY records that match + this key are to be deleted. + + @@ -217,10 +242,10 @@ SEE ALSO - dnssec-keygen8 + dnssec-keygen8 , - dnssec-signzone8 + dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 5011. diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 47ff822a10..8bf85271e5 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -104,10 +104,14 @@ usage(void) { fprintf(stderr, " -V: print version information\n"); fprintf(stderr, "Date options:\n"); fprintf(stderr, " -P date/[+-]offset: set key publication date\n"); + fprintf(stderr, " -P sync date/[+-]offset: set CDS and CDNSKEY " + "publication date\n"); fprintf(stderr, " -A date/[+-]offset: set key activation date\n"); fprintf(stderr, " -R date/[+-]offset: set key revocation date\n"); fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n"); fprintf(stderr, " -D date/[+-]offset: set key deletion date\n"); + fprintf(stderr, " -D sync date/[+-]offset: set CDS and CDNSKEY " + "deletion date\n"); fprintf(stderr, " -G: generate key only; do not set -P or -A\n"); fprintf(stderr, " -C: generate a backward-compatible key, omitting" " all dates\n"); @@ -171,6 +175,9 @@ main(int argc, char **argv) { isc_boolean_t avoid_collisions = ISC_TRUE; isc_boolean_t exact; unsigned char c; + isc_stdtime_t syncadd = 0, syncdel = 0; + isc_boolean_t unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE; + isc_boolean_t unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE; if (argc == 1) usage(); @@ -255,6 +262,19 @@ main(int argc, char **argv) { genonly = ISC_TRUE; break; case 'P': + /* -Psync ? */ + if (isoptarg("sync", argv, usage)) { + if (unsetsyncadd || setsyncadd) + fatal("-P sync specified more than " + "once"); + + syncadd = strtotime(isc_commandline_argument, + now, now, &setsyncadd); + unsetsyncadd = !setsyncadd; + break; + } + /* -Pdnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setpub || unsetpub) fatal("-P specified more than once"); @@ -287,6 +307,19 @@ main(int argc, char **argv) { unsetinact = !setinact; break; case 'D': + /* -Dsync ? */ + if (isoptarg("sync", argv, usage)) { + if (unsetsyncdel || setsyncdel) + fatal("-D sync specified more than " + "once"); + + syncdel = strtotime(isc_commandline_argument, + now, now, &setsyncdel); + unsetsyncdel = !setsyncdel; + break; + } + /* -Ddnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setdel || unsetdel) fatal("-D specified more than once"); @@ -621,10 +654,16 @@ main(int argc, char **argv) { if (setdel) dst_key_settime(key, DST_TIME_DELETE, delete); + if (setsyncadd) + dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd); + if (setsyncdel) + dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel); + } else { if (setpub || setact || setrev || setinact || setdel || unsetpub || unsetact || - unsetrev || unsetinact || unsetdel || genonly) + unsetrev || unsetinact || unsetdel || genonly || + setsyncadd || setsyncdel) fatal("cannot use -C together with " "-P, -A, -R, -I, -D, or -G options"); /* diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index b05b322330..353e1a894b 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -20,6 +20,7 @@ 2014-02-27 + August 27, 2015 ISC Internet Systems Consortium, Inc. @@ -57,6 +58,7 @@ + @@ -67,6 +69,7 @@ + @@ -100,113 +103,113 @@ - -a algorithm - + -a algorithm + Selects the cryptographic algorithm. The value of - must be one of RSAMD5, RSASHA1, + must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive. - - If no algorithm is specified, then RSASHA1 will be used by - default, unless the option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) - - - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. - - - Note 2: DH automatically sets the -k flag. - - + + If no algorithm is specified, then RSASHA1 will be used by + default, unless the option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) + + + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. + + + Note 2: DH automatically sets the -k flag. + + - -3 - - + -3 + + Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. - - + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. + + - -E engine - - - Specifies the cryptographic hardware to use. - - - When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". - - + -E engine + + + Specifies the cryptographic hardware to use. + + + When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". + + - -l label - - - Specifies the label for a key pair in the crypto hardware. - - - When BIND 9 is built with OpenSSL-based - PKCS#11 support, the label is an arbitrary string that - identifies a particular key. It may be preceded by an - optional OpenSSL engine name, followed by a colon, as in - "pkcs11:keylabel". - - - When BIND 9 is built with native PKCS#11 - support, the label is a PKCS#11 URI string in the format - "pkcs11:=value;=value;..." - Keywords include "token", which identifies the HSM; "object", which - identifies the key; and "pin-source", which identifies a file from - which the HSM's PIN code can be obtained. The label will be - stored in the on-disk "private" file. - - - If the label contains a - field, tools using the generated - key files will be able to use the HSM for signing and other - operations without any need for an operator to manually enter - a PIN. Note: Making the HSM's PIN accessible in this manner - may reduce the security advantage of using an HSM; be sure - this is what you want to do before making use of this feature. - - + -l label + + + Specifies the label for a key pair in the crypto hardware. + + + When BIND 9 is built with OpenSSL-based + PKCS#11 support, the label is an arbitrary string that + identifies a particular key. It may be preceded by an + optional OpenSSL engine name, followed by a colon, as in + "pkcs11:keylabel". + + + When BIND 9 is built with native PKCS#11 + support, the label is a PKCS#11 URI string in the format + "pkcs11:=value;=value;..." + Keywords include "token", which identifies the HSM; "object", which + identifies the key; and "pin-source", which identifies a file from + which the HSM's PIN code can be obtained. The label will be + stored in the on-disk "private" file. + + + If the label contains a + field, tools using the generated + key files will be able to use the HSM for signing and other + operations without any need for an operator to manually enter + a PIN. Note: Making the HSM's PIN accessible in this manner + may reduce the security advantage of using an HSM; be sure + this is what you want to do before making use of this feature. + + - -n nametype - - - Specifies the owner type of the key. The value of - must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. - - + -n nametype + + + Specifies the owner type of the key. The value of + must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. + + - -C - - + -C + + Compatibility mode: generates an old-style key, without any metadata. By default, dnssec-keyfromlabel will include the key's creation date in the metadata stored @@ -214,150 +217,150 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the option suppresses them. - - + + - -c class - - - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - - + -c class + + + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + + - -f flag - - - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. - - + -f flag + + + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. + + - -G - - - Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. - - + -G + + + Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. + + - -h - - - Prints a short summary of the options and arguments to - dnssec-keyfromlabel. - - + -h + + + Prints a short summary of the options and arguments to + dnssec-keyfromlabel. + + - -K directory - - - Sets the directory in which the key files are to be written. - - + -K directory + + + Sets the directory in which the key files are to be written. + + - -k - - - Generate KEY records rather than DNSKEY records. - - + -k + + + Generate KEY records rather than DNSKEY records. + + - -L ttl - - - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. Setting the default TTL to - 0 or none removes it. - - + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. + + - -p protocol - - - Sets the protocol value for the key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - - + -p protocol + + + Sets the protocol value for the key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + + - -S key - - - Generate a key as an explicit successor to an existing key. + -S key + + + Generate a key as an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the predecessor. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days. - - + + - -t type - - - Indicates the use of the key. must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - - + -t type + + + Indicates the use of the key. must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + + - -v level - - - Sets the debugging level. - - + -v level + + + Sets the debugging level. + + -V - + Prints version information. - + - -y - - - Allows DNSSEC key files to be generated even if the key ID + -y + + + Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you - are sure you won't be using RFC 5011 trust anchor maintenance - with either of the keys involved.) - - + are sure you won't be using RFC 5011 trust anchor maintenance + with either of the keys involved.) + + @@ -380,60 +383,80 @@ - -P date/offset - - - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". - - + -P date/offset + + + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". + + - -A date/offset - - - Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". - - + -P sync date/offset + + + Sets the date on which the CDS and CDNSKEY records which match + this key are to be published to the zone. + + - -R date/offset - - - Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. - - + -A date/offset + + + Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". + + - -I date/offset - - - Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. - - + -R date/offset + + + Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. + + - -D date/offset - - - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) - - + -I date/offset + + + Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. + + + + + + -D date/offset + + + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) + + + + + + -D sync date/offset + + + Sets the date on which the CDS and CDNSKEY records which match + this key are to be deleted. + + @@ -477,18 +500,18 @@ - nnnn is the key name. - + nnnn is the key name. + - aaa is the numeric representation - of the algorithm. - + aaa is the numeric representation + of the algorithm. + - iiiii is the key identifier (or - footprint). - + iiiii is the key identifier (or + footprint). + dnssec-keyfromlabel @@ -515,10 +538,10 @@ SEE ALSO - dnssec-keygen8 + dnssec-keygen8 , - dnssec-signzone8 + dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 4034, diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index ddf5ddebcc..997d606907 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -153,13 +153,18 @@ usage(void) { fprintf(stderr, "Timing options:\n"); fprintf(stderr, " -P date/[+-]offset/none: set key publication date " "(default: now)\n"); + fprintf(stderr, " -P sync date/[+-]offset/none: set CDS and CDNSKEY " + "publication date\n"); fprintf(stderr, " -A date/[+-]offset/none: set key activation date " "(default: now)\n"); fprintf(stderr, " -R date/[+-]offset/none: set key " - "revocation date\n"); + "revocation date\n"); fprintf(stderr, " -I date/[+-]offset/none: set key " - "inactivation date\n"); + "inactivation date\n"); fprintf(stderr, " -D date/[+-]offset/none: set key deletion date\n"); + fprintf(stderr, " -D sync date/[+-]offset/none: set CDS and CDNSKEY " + "deletion date\n"); + fprintf(stderr, " -G: generate key only; do not set -P or -A\n"); fprintf(stderr, " -C: generate a backward-compatible key, omitting " "all dates\n"); @@ -254,6 +259,9 @@ main(int argc, char **argv) { isc_boolean_t quiet = ISC_FALSE; isc_boolean_t show_progress = ISC_FALSE; unsigned char c; + isc_stdtime_t syncadd = 0, syncdel = 0; + isc_boolean_t setsyncadd = ISC_FALSE; + isc_boolean_t setsyncdel = ISC_FALSE; if (argc == 1) usage(); @@ -409,6 +417,17 @@ main(int argc, char **argv) { genonly = ISC_TRUE; break; case 'P': + /* -Psync ? */ + if (isoptarg("sync", argv, usage)) { + if (setsyncadd) + fatal("-P sync specified more than " + "once"); + + syncadd = strtotime(isc_commandline_argument, + now, now, &setsyncadd); + break; + } + (void)isoptarg("dnskey", argv, usage); if (setpub || unsetpub) fatal("-P specified more than once"); @@ -441,6 +460,17 @@ main(int argc, char **argv) { unsetinact = !setinact; break; case 'D': + /* -Dsync ? */ + if (isoptarg("sync", argv, usage)) { + if (setsyncdel) + fatal("-D sync specified more than " + "once"); + + syncdel = strtotime(isc_commandline_argument, + now, now, &setsyncdel); + break; + } + (void)isoptarg("dnskey", argv, usage); if (setdel || unsetdel) fatal("-D specified more than once"); @@ -973,10 +1003,20 @@ main(int argc, char **argv) { program); dst_key_settime(key, DST_TIME_DELETE, delete); } + + if (setsyncadd) + dst_key_settime(key, DST_TIME_SYNCPUBLISH, + syncadd); + + if (setsyncdel) + dst_key_settime(key, DST_TIME_SYNCDELETE, + syncdel); + } else { if (setpub || setact || setrev || setinact || setdel || unsetpub || unsetact || - unsetrev || unsetinact || unsetdel || genonly) + unsetrev || unsetinact || unsetdel || genonly || + setsyncadd || setsyncdel) fatal("cannot use -C together with " "-P, -A, -R, -I, -D, or -G options"); /* diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index e5c3e540ac..09d1fa8b23 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -21,6 +21,7 @@ 2014-02-06 + August 21, 2015 ISC Internet Systems Consortium, Inc. @@ -70,6 +71,7 @@ + @@ -78,9 +80,10 @@ - + + @@ -88,8 +91,8 @@ - + name @@ -115,94 +118,94 @@ - -a algorithm - - - Selects the cryptographic algorithm. For DNSSEC keys, the value - of must be one of RSAMD5, RSASHA1, + -a algorithm + + + Selects the cryptographic algorithm. For DNSSEC keys, the value + of must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must - be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, - HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are - case insensitive. - - - If no algorithm is specified, then RSASHA1 will be used by - default, unless the option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) - - - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is + be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, + HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are + case insensitive. + + + If no algorithm is specified, then RSASHA1 will be used by + default, unless the option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) + + + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - - - Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 - automatically set the -T KEY option. - - + + + Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 + automatically set the -T KEY option. + + - -b keysize - - - Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be - between 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. Elliptic curve algorithms don't need - this parameter. - - - The key size does not need to be specified if using a default - algorithm. The default key size is 1024 bits for zone signing - keys (ZSKs) and 2048 bits for key signing keys (KSKs, - generated with ). However, if an - algorithm is explicitly specified with the , - then there is no default key size, and the - must be used. - - + -b keysize + + + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSA keys must be + between 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC keys must be + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. + + + The key size does not need to be specified if using a default + algorithm. The default key size is 1024 bits for zone signing + keys (ZSKs) and 2048 bits for key signing keys (KSKs, + generated with ). However, if an + algorithm is explicitly specified with the , + then there is no default key size, and the + must be used. + + - -n nametype - - - Specifies the owner type of the key. The value of - must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. Defaults to ZONE for DNSKEY + -n nametype + + + Specifies the owner type of the key. The value of + must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. Defaults to ZONE for DNSKEY generation. - - + + - -3 - - + -3 + + Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. - - + + - -C - - + -C + + Compatibility mode: generates an old-style key, without any metadata. By default, dnssec-keygen will include the key's creation date in the metadata stored @@ -210,231 +213,231 @@ (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the option suppresses them. - - + + - -c class - - - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - - + -c class + + + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + + - -E engine - - - Specifies the cryptographic hardware to use, when applicable. - - - When BIND is built with OpenSSL PKCS#11 support, this defaults - to the string "pkcs11", which identifies an OpenSSL engine - that can drive a cryptographic accelerator or hardware service - module. When BIND is built with native PKCS#11 cryptography - (--enable-native-pkcs11), it defaults to the path of the PKCS#11 - provider library specified via "--with-pkcs11". - - + -E engine + + + Specifies the cryptographic hardware to use, when applicable. + + + When BIND is built with OpenSSL PKCS#11 support, this defaults + to the string "pkcs11", which identifies an OpenSSL engine + that can drive a cryptographic accelerator or hardware service + module. When BIND is built with native PKCS#11 cryptography + (--enable-native-pkcs11), it defaults to the path of the PKCS#11 + provider library specified via "--with-pkcs11". + + - -f flag - - - Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flags are KSK (Key Signing Key) and REVOKE. - - + -f flag + + + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flags are KSK (Key Signing Key) and REVOKE. + + - -G - - - Generate a key, but do not publish it or sign with it. This - option is incompatible with -P and -A. - - + -G + + + Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. + + - -g generator - - - If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. - - + -g generator + + + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + + - -h - - - Prints a short summary of the options and arguments to - dnssec-keygen. - - + -h + + + Prints a short summary of the options and arguments to + dnssec-keygen. + + - -K directory - - - Sets the directory in which the key files are to be written. - - + -K directory + + + Sets the directory in which the key files are to be written. + + - -k - - - Deprecated in favor of -T KEY. - - + -k + + + Deprecated in favor of -T KEY. + + - -L ttl - - - Sets the default TTL to use for this key when it is converted - into a DNSKEY RR. If the key is imported into a zone, - this is the TTL that will be used for it, unless there was - already a DNSKEY RRset in place, in which case the existing TTL - would take precedence. If this value is not set and there - is no existing DNSKEY RRset, the TTL will default to the - SOA TTL. Setting the default TTL to 0 - or none is the same as leaving it unset. - - + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. If this value is not set and there + is no existing DNSKEY RRset, the TTL will default to the + SOA TTL. Setting the default TTL to 0 + or none is the same as leaving it unset. + + - -p protocol - - - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - - + -p protocol + + + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + + - -q - - - Quiet mode: Suppresses unnecessary output, including - progress indication. Without this option, when - dnssec-keygen is run interactively - to generate an RSA or DSA key pair, it will print a string - of symbols to stderr indicating the - progress of the key generation. A '.' indicates that a - random number has been found which passed an initial - sieve test; '+' means a number has passed a single - round of the Miller-Rabin primality test; a space - means that the number has passed all the tests and is - a satisfactory key. - - + -q + + + Quiet mode: Suppresses unnecessary output, including + progress indication. Without this option, when + dnssec-keygen is run interactively + to generate an RSA or DSA key pair, it will print a string + of symbols to stderr indicating the + progress of the key generation. A '.' indicates that a + random number has been found which passed an initial + sieve test; '+' means a number has passed a single + round of the Miller-Rabin primality test; a space + means that the number has passed all the tests and is + a satisfactory key. + + - -r randomdev - - - Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. - - + -r randomdev + + + Specifies the source of randomness. If the operating + system does not provide a /dev/random + or equivalent device, the default source of randomness + is keyboard input. randomdev + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + keyboard indicates that keyboard + input should be used. + + - -S key - - - Create a new key which is an explicit successor to an - existing key. The name, algorithm, size, and type of the - key will be set to match the existing key. The activation - date of the new key will be set to the inactivation date of - the existing one. The publication date will be set to the - activation date minus the prepublication interval, which - defaults to 30 days. - - + -S key + + + Create a new key which is an explicit successor to an + existing key. The name, algorithm, size, and type of the + key will be set to match the existing key. The activation + date of the new key will be set to the inactivation date of + the existing one. The publication date will be set to the + activation date minus the prepublication interval, which + defaults to 30 days. + + - -s strength - - - Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. - - + -s strength + + + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + + - -T rrtype - - - Specifies the resource record type to use for the key. - must be either DNSKEY or KEY. The - default is DNSKEY when using a DNSSEC algorithm, but it can be - overridden to KEY for use with SIG(0). - - - Using any TSIG algorithm (HMAC-* or DH) forces this option - to KEY. - - + -T rrtype + + + Specifies the resource record type to use for the key. + must be either DNSKEY or KEY. The + default is DNSKEY when using a DNSSEC algorithm, but it can be + overridden to KEY for use with SIG(0). + + + Using any TSIG algorithm (HMAC-* or DH) forces this option + to KEY. + + - -t type - - - Indicates the use of the key. must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - - + -t type + + + Indicates the use of the key. must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + + - -v level - - - Sets the debugging level. - - + -v level + + + Sets the debugging level. + + -V - + Prints version information. - + @@ -457,62 +460,82 @@ - -P date/offset - - - Sets the date on which a key is to be published to the zone. - After that date, the key will be included in the zone but will - not be used to sign it. If not set, and if the -G option has - not been used, the default is "now". - - + -P date/offset + + + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". + + - -A date/offset - - - Sets the date on which the key is to be activated. After that - date, the key will be included in the zone and used to sign - it. If not set, and if the -G option has not been used, the - default is "now". If set, if and -P is not set, then - the publication date will be set to the activation date - minus the prepublication interval. - - + -P sync date/offset + + + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. + + - -R date/offset - - - Sets the date on which the key is to be revoked. After that - date, the key will be flagged as revoked. It will be included - in the zone and will be used to sign it. - - + -A date/offset + + + Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". If set, if and -P is not set, then + the publication date will be set to the activation date + minus the prepublication interval. + + - -I date/offset - - - Sets the date on which the key is to be retired. After that - date, the key will still be included in the zone, but it - will not be used to sign it. - - + -R date/offset + + + Sets the date on which the key is to be revoked. After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. + + - -D date/offset - - - Sets the date on which the key is to be deleted. After that - date, the key will no longer be included in the zone. (It - may remain in the key repository, however.) - - + -I date/offset + + + Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. + + + + + + -D date/offset + + + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) + + + + + + -D sync date/offset + + + Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. + + @@ -557,19 +580,19 @@ - nnnn is the key name. - + nnnn is the key name. + - aaa is the numeric representation - of the - algorithm. - + aaa is the numeric representation + of the + algorithm. + - iiiii is the key identifier (or - footprint). - + iiiii is the key identifier (or + footprint). + dnssec-keygen @@ -624,7 +647,7 @@ SEE ALSO - dnssec-signzone8 + dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 2539, diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index 8d784a624b..c5bd3ae6a7 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -78,6 +78,8 @@ usage(void) { fprintf(stderr, "Timing options:\n"); fprintf(stderr, " -P date/[+-]offset/none: set/unset key " "publication date\n"); + fprintf(stderr, " -P sync date/[+-]offset/none: set/unset " + "CDS and CDNSKEY publication date\n"); fprintf(stderr, " -A date/[+-]offset/none: set/unset key " "activation date\n"); fprintf(stderr, " -R date/[+-]offset/none: set/unset key " @@ -86,9 +88,11 @@ usage(void) { "inactivation date\n"); fprintf(stderr, " -D date/[+-]offset/none: set/unset key " "deletion date\n"); + fprintf(stderr, " -D sync date/[+-]offset/none: set/unset " + "CDS and CDNSKEY deletion date\n"); fprintf(stderr, "Printing options:\n"); - fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time " - "value or values\n"); + fprintf(stderr, " -p C/P/Psync/A/R/I/D/Dsync/all: print a " + "particular time value or values\n"); fprintf(stderr, " -u: print times in unix epoch " "format\n"); fprintf(stderr, "Output:\n"); @@ -161,6 +165,10 @@ main(int argc, char **argv) { isc_boolean_t epoch = ISC_FALSE; isc_boolean_t changed = ISC_FALSE; isc_log_t *log = NULL; + isc_stdtime_t syncadd = 0, syncdel = 0; + isc_boolean_t unsetsyncadd = ISC_FALSE, setsyncadd = ISC_FALSE; + isc_boolean_t unsetsyncdel = ISC_FALSE, setsyncdel = ISC_FALSE; + isc_boolean_t printsyncadd = ISC_FALSE, printsyncdel = ISC_FALSE; if (argc == 1) usage(); @@ -198,6 +206,8 @@ main(int argc, char **argv) { printrev = ISC_TRUE; printinact = ISC_TRUE; printdel = ISC_TRUE; + printsyncadd = ISC_TRUE; + printsyncdel = ISC_TRUE; break; } @@ -207,6 +217,11 @@ main(int argc, char **argv) { printcreate = ISC_TRUE; break; case 'P': + if (!strncmp(p, "sync", 3)) { + p += 3; + printsyncadd = ISC_TRUE; + break; + } printpub = ISC_TRUE; break; case 'A': @@ -219,6 +234,11 @@ main(int argc, char **argv) { printinact = ISC_TRUE; break; case 'D': + if (!strncmp(p, "sync", 3)) { + p += 3; + printsyncdel = ISC_TRUE; + break; + } printdel = ISC_TRUE; break; case ' ': @@ -254,6 +274,19 @@ main(int argc, char **argv) { fatal("-v must be followed by a number"); break; case 'P': + /* -Psync ? */ + if (isoptarg("sync", argv, usage)) { + if (unsetsyncadd || setsyncadd) + fatal("-P sync specified more than " + "once"); + + changed = ISC_TRUE; + syncadd = strtotime(isc_commandline_argument, + now, now, &setsyncadd); + unsetsyncadd = !setsyncadd; + break; + } + (void)isoptarg("dnskey", argv, usage); if (setpub || unsetpub) fatal("-P specified more than once"); @@ -290,6 +323,20 @@ main(int argc, char **argv) { unsetinact = !setinact; break; case 'D': + /* -Dsync ? */ + if (isoptarg("sync", argv, usage)) { + if (unsetsyncdel || setsyncdel) + fatal("-D sync specified more than " + "once"); + + changed = ISC_TRUE; + syncdel = strtotime(isc_commandline_argument, + now, now, &setsyncdel); + unsetsyncdel = !setsyncdel; + break; + } + /* -Ddnskey ? */ + (void)isoptarg("dnskey", argv, usage); if (setdel || unsetdel) fatal("-D specified more than once"); @@ -533,6 +580,16 @@ main(int argc, char **argv) { else if (unsetdel) dst_key_unsettime(key, DST_TIME_DELETE); + if (setsyncadd) + dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd); + else if (unsetsyncadd) + dst_key_unsettime(key, DST_TIME_SYNCPUBLISH); + + if (setsyncdel) + dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel); + else if (unsetsyncdel) + dst_key_unsettime(key, DST_TIME_SYNCDELETE); + if (setttl) dst_key_setttl(key, ttl); @@ -570,6 +627,14 @@ main(int argc, char **argv) { if (printdel) printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout); + if (printsyncadd) + printtime(key, DST_TIME_SYNCPUBLISH, "SYNC Publish", + epoch, stdout); + + if (printsyncdel) + printtime(key, DST_TIME_SYNCDELETE, "SYNC Delete", + epoch, stdout); + if (changed) { isc_buffer_init(&buf, newname, sizeof(newname)); result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook index ceb2fe02aa..8bc5b5898c 100644 --- a/bin/dnssec/dnssec-settime.docbook +++ b/bin/dnssec/dnssec-settime.docbook @@ -17,7 +17,7 @@ - 2014-02-06 + 2015-08-21 ISC @@ -53,10 +53,13 @@ + - + + + @@ -97,10 +100,10 @@ - -f + -f - - Force an update of an old-format key with no metadata fields. + + Force an update of an old-format key with no metadata fields. Without this option, dnssec-settime will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the @@ -108,7 +111,7 @@ set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time. - + @@ -138,20 +141,20 @@ - -h + -h - - Emit usage message and exit. - + + Emit usage message and exit. + - -V + -V - - Prints version information. - + + Prints version information. + @@ -208,6 +211,16 @@ + + -P sync date/offset + + + Sets the date on which CDS and CDNSKEY records that match this + key are to be published to the zone. + + + + -A date/offset @@ -252,6 +265,16 @@ + + -D sync date/offset + + + Sets the date on which the CDS and CDNSKEY records that match this + key are to be deleted. + + + + -S predecessor key @@ -305,29 +328,32 @@ - -u + -u - - Print times in UNIX epoch format. - + + Print times in UNIX epoch format. + - -p C/P/A/R/I/D/all + -p C/P/Psync/A/R/I/D/Dsync/all - - Print a specific metadata value or set of metadata values. + + Print a specific metadata value or set of metadata values. The option may be followed by one or more - of the following letters to indicate which value or values to print: + of the following letters or strings to indicate which value + or values to print: for the creation date, for the publication date, + for the CDS and CDNSKEY publication date, for the activation date, for the revocation date, - for the inactivation date, or - for the deletion date. + for the inactivation date, + for the deletion date, and + for the CDS and CDNSKEY deletion date To print all of the metadata, use . - + diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 42936414ab..0e25e6733b 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -27,15 +27,16 @@ #include #include +#include #include #include #include #include #include +#include #include #include #include -#include #include #include @@ -1834,3 +1835,20 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver, } } } + +isc_boolean_t +isoptarg(const char *arg, char **argv, void(*usage)(void)) { + if (!strcasecmp(isc_commandline_argument, arg)) { + if (argv[isc_commandline_index] == NULL) { + fprintf(stderr, "%s: missing argument -%c %s\n", + program, isc_commandline_option, + isc_commandline_argument); + usage(); + } + isc_commandline_argument = argv[isc_commandline_index]; + /* skip to next arguement */ + isc_commandline_index++; + return (ISC_TRUE); + } + return (ISC_FALSE); +} diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index 2ad83d3d86..48c4725927 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -98,4 +98,8 @@ void verifyzone(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin, isc_mem_t *mctx, isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly); + +isc_boolean_t +isoptarg(const char *arg, char **argv, void (*usage)(void)); + #endif /* DNSSEC_DNSSECTOOL_H */ diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index 32eb915ac8..2ca92e0950 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -15,42 +15,44 @@ # PERFORMANCE OF THIS SOFTWARE. rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk -rm -f active.key inact.key del.key unpub.key standby.key rev.key -rm -f activate-now-publish-1day.key -rm -f nopriv.key vanishing.key del1.key del2.key -rm -f delayksk.key delayzsk.key autoksk.key autozsk.key -rm -f missingzsk.key inactivezsk.key -rm -f nsupdate.out rm -f */core rm -f */example.bk rm -f */named.memstats +rm -f activate-now-publish-1day.key +rm -f active.key inact.key del.key unpub.key standby.key rev.key +rm -f sync.key +rm -f delayksk.key delayzsk.key autoksk.key autozsk.key rm -f dig.out.* +rm -f digcomp.out.test* +rm -f missingzsk.key inactivezsk.key +rm -f nopriv.key vanishing.key del1.key del2.key +rm -f ns*/named.lock rm -f ns1/root.db rm -f ns2/example.db rm -f ns2/private.secure.example.db ns2/bar.db +rm -f ns3/*.nzf rm -f ns3/autonsec3.example.db +rm -f ns3/sync.example.db +rm -f ns3/kg.out ns3/s.out ns3/st.out +rm -f ns3/nozsk.example.db ns3/inaczsk.example.db rm -f ns3/nsec.example.db +rm -f ns3/nsec3-to-nsec.example.db rm -f ns3/nsec3.example.db rm -f ns3/nsec3.nsec3.example.db rm -f ns3/nsec3.optout.example.db -rm -f ns3/nsec3-to-nsec.example.db rm -f ns3/oldsigs.example.db rm -f ns3/optout.example.db rm -f ns3/optout.nsec3.example.db rm -f ns3/optout.optout.example.db +rm -f ns3/prepub.example.db +rm -f ns3/prepub.example.db.in +rm -f ns3/reconf.example.db rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db +rm -f ns3/secure-to-insecure.example.db +rm -f ns3/secure-to-insecure2.example.db rm -f ns3/secure.example.db rm -f ns3/secure.nsec3.example.db rm -f ns3/secure.optout.example.db -rm -f ns3/secure-to-insecure.example.db -rm -f ns3/prepub.example.db -rm -f ns3/prepub.example.db.in -rm -f ns3/secure-to-insecure2.example.db -rm -f ns3/nozsk.example.db ns3/inaczsk.example.db -rm -f ns3/reconf.example.db -rm -f ns3/kg.out ns3/s.out ns3/st.out rm -f ns3/ttl*.db +rm -f nsupdate.out rm -f signing.out.* -rm -f ns3/*.nzf -rm -f digcomp.out.test* -rm -f ns*/named.lock diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index a7686e06a4..06e0cabc82 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -20,7 +20,7 @@ SYSTEMTESTTOP=../.. # Have the child generate subdomain keys and pass DS sets to us. ( cd ../ns3 && $SHELL keygen.sh ) -for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs +for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync do cp ../ns3/dsset-$subdomain.example. . done diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index f2ba8755f9..70532dbf3a 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -262,3 +262,13 @@ setup reconf.example cp secure.example.db.in $zonefile $KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out + +# +# A zone which generates a CDS and CDNSEY RRsets automatically +# +setup sync.example +cp $infile $zonefile +ksk=`$KEYGEN -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out +$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}. +echo ns3/$ksk > ../sync.key diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf index dbeebfd633..67135500ff 100644 --- a/bin/tests/system/autosign/ns3/named.conf +++ b/bin/tests/system/autosign/ns3/named.conf @@ -243,4 +243,12 @@ zone "inaczsk.example" { allow-update { any; }; auto-dnssec maintain; }; + +zone "sync.example" { + type master; + file "sync.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns3/sync.example.db.in b/bin/tests/system/autosign/ns3/sync.example.db.in new file mode 100644 index 0000000000..1aed9c4460 --- /dev/null +++ b/bin/tests/system/autosign/ns3/sync.example.db.in @@ -0,0 +1,37 @@ +; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 6b6ddb7641..3986540498 100644 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -1170,5 +1170,33 @@ if [ "$lret" != 0 ]; then ret=$lret; fi if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:test CDS and CDNSKEY auto generation ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n +grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1 +grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ "$lret" != 0 ]; then ret=$lret; fi +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'" +$SETTIME -D sync now+2 `cat sync.key` +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys sync.example +echo "I:waiting for deletion to occur" +sleep 3 + +echo "I:checking that the CDS and CDNSKEY are deleted ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n +grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null && ret=1 +grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ "$lret" != 0 ]; then ret=$lret; fi +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/dyndb/driver/driver.c b/bin/tests/system/dyndb/driver/driver.c index f9c9213a3c..1d0274e35b 100644 --- a/bin/tests/system/dyndb/driver/driver.c +++ b/bin/tests/system/dyndb/driver/driver.c @@ -44,7 +44,7 @@ dns_dyndb_version_t dyndb_version; * @code * dyndb example-name "sample.so" { param1 param2 }; * @endcode - * + * * @param[in] name User-defined string from dyndb "name" {}; definition * in named.conf. * The example above will have name = "example-name". diff --git a/bin/tests/system/dyndb/driver/log.c b/bin/tests/system/dyndb/driver/log.c index 2238c7e087..10980424f7 100644 --- a/bin/tests/system/dyndb/driver/log.c +++ b/bin/tests/system/dyndb/driver/log.c @@ -9,7 +9,7 @@ #include #include "log.h" - + void log_write(int level, const char *format, ...) { va_list args; diff --git a/bin/tests/system/rrchecker/tests.sh b/bin/tests/system/rrchecker/tests.sh index 9d47c23c8e..fd79c7e2f3 100644 --- a/bin/tests/system/rrchecker/tests.sh +++ b/bin/tests/system/rrchecker/tests.sh @@ -21,15 +21,15 @@ status=0 t=0 echo "I:class list" -$RRCHECKER -C > classlist.out +$RRCHECKER -C > classlist.out diff classlist.out classlist.good || { echo "I:failed"; status=`expr $status + 1`; } echo "I:type list" -$RRCHECKER -T > typelist.out +$RRCHECKER -T > typelist.out diff typelist.out typelist.good || { echo "I:failed"; status=`expr $status + 1`; } echo "I:private type list" -$RRCHECKER -P > privatelist.out +$RRCHECKER -P > privatelist.out diff privatelist.out privatelist.good || { echo "I:failed"; status=`expr $status + 1`; } myecho() { @@ -44,7 +44,7 @@ $SHELL ../genzone.sh 0 > tempzone $CHECKZONE -Dq . tempzone | sed '/^;/d' | while read -r n tt cl ty rest do - myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || { + myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || { ret=1 echo "I: '$cl $ty $rest' not handled." } @@ -61,12 +61,12 @@ ret=0 $CHECKZONE -Dq . tempzone | sed '/^;/d' | while read -r n tt cl ty rest do - myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || { + myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || { ret=1 echo "I: '$cl $ty $rest' not converted to unknown record format" } read -r clu tyu restu < checker.out - myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || { + myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || { ret=1 echo "I: '$cl $ty $rest' not converted back to canonical format" } diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index f1c6872c94..50aa7eda6c 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -1,11 +1,11 @@