update pdnssec error message & documentation based on feedback by Leen Besselink.

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1927 d19b8d6e-7fed-0310-83ef-9ca221ded41b

diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index 2236494a8fecb3c8930363ba96f4d11e9fe0f521..a725658bc6c7e85f5c974878d2689c13e8f0da13 100644 (file)
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -118,7 +118,7 @@
        This release has received exceptional levels of community support, and we'd like to thank the following people 
        in addition to those mentioned explicitly below:
        Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN),
-       Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet),  
+       Leen Besselink, Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet),  
        Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull,
        Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT),
        Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and 
@@ -9801,7 +9801,8 @@ $ pdnssec rectify-zone
       'bindbackend' operation in full DNSSEC mode. 
     </para>
     <para>
-      To benefit from this mode, include at least one database-based backend in the 'launch' statement.
+      To benefit from this mode, include at least one database-based backend in the 'launch' statement. The Generic SQLite backend
+      version 3 (gsqlite3) probably complements BIND mode best, since it does not require a database server process.
     </para>
     <warning>
     <para>
@@ -9886,6 +9887,7 @@ $ pdnssec rectify-zone
     <listitem><para>Stefan Arentz</para></listitem>
     <listitem><para>Martin van Hensbergen (Fox-IT)</para></listitem>
     <listitem><para>Christoph Meerwald</para></listitem>
+    <listitem><para>Leen Besselink</para></listitem>
     <listitem><para>.. this list is far from complete yet .. </para></listitem>
     </itemizedlist>
 

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 61f93f43cfdaaf75c462d2129efb6de8a2b6375d..4ca9a2e07c0290c2842025bc0fb1bc2cb38d246b 100644 (file)
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -214,6 +214,15 @@ void verifyCrypto(const string& zone)
     cerr<<"Calculated DS: "<<apex<<" IN DS "<<makeDSFromDNSKey(apex, drc, dsrc.d_digesttype).getZoneRepresentation()<<endl;
     cerr<<"Original DS:   "<<apex<<" IN DS "<<dsrc.getZoneRepresentation()<<endl;
   }
+#if 0
+  DNSPrivateKey*key=DNSPrivateKey::makeFromISCString(drc, "Private-key-format: v1.2\n"
+      "Algorithm: 12 (ECC-GOST)\n"
+      "GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQg/9MiXtXKg9FDXDN/R9CmVhJDyuzRAIgh4tPwCu4NHIs=\n");
+  string resign=key->sign(hash);
+  cerr<<Base64Encode(resign)<<endl;
+  cerr<<"Verify: "<<DNSPrivateKey::makeFromPublicKeyString(drc.d_algorithm, drc.d_key)->verify(hash, resign)<<endl;
+#endif
+
 }
 
 void showZone(DNSSECKeeper& dk, const std::string& zone)
@@ -405,7 +414,11 @@ try
     dk.secureZone(zone, 8);
 
     if(!dk.isSecuredZone(zone)) {
-      cerr << "This should not happen, still no key!" << endl;
+      cerr<<"Failed to secure zone - if you run with the BIND backend, make sure to also\n";
+      cerr<<"launch another backend which supports storage of DNSSEC settings.\n";
+      cerr<<"In addition, add '"<<zone<<"' to this backend, possibly like this: \n\n";
+      cerr<<"   insert into domains (name, type) values ('"<<zone<<"', 'NATIVE');\n\n";
+      cerr<<"And then rerun secure-zone"<<endl;
       return 0;
     }