activate-zone-key *ZONE* *KEY-ID*
Activate a key with id *KEY-ID* within a zone called *ZONE*.
-add-zone-key *ZONE* [**KSK**,\ **ZSK**] [**active**,\ **inactive**] [**published**,\ **unpublished**] *KEYBITS* *ALGORITHM*
+add-zone-key *ZONE* [**KSK**,\ **ZSK**] [**active**,\ **inactive**] [**published**,\ **unpublished**] [*KEYBITS*] [*ALGORITHM*]
Create a new key for zone *ZONE*, and make it a KSK or a ZSK (default), with
the specified algorithm. The key is inactive by default, set it to
**active** to immediately use it to sign *ZONE*. The key is published
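Review bot: the synopsis now marks *KEYBITS* and *ALGORITHM* optional, but the description below it still says "with the specified algorithm" and never states what is used when either argument is omitted. Add a sentence saying that an omitted size and algorithm are taken from default-ksk-size / default-ksk-algorithm or default-zsk-size / default-zsk-algorithm depending on whether a KSK or ZSK is being created, so the manpage matches the new command-line behaviour.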
- String
- Default: ecdsa256
-The algorithm that should be used for the KSK when running
+The default algorithm for creating zone keys when running
+:doc:`pdnsutil add-zone-key <manpages/pdnsutil.1>` if no algorithm is specified,
+and also the algorithm that should be used for the KSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:
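Review bot: "Must be one of:" reads as if a value outside the list is rejected, but the add-zone-key code path that now consumes this setting prints "[Warning] Default KSK algorithm is invalid, using ECDSA256" and creates the key anyway. Either state that fallback here or reject the value at startup, so an operator knows that a typo in this setting does not stop key creation but changes the algorithm of the key that gets created.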
- String
- Default: (empty)
-The algorithm that should be used for the ZSK when running
+The default algorithm for creating zone keys when running
+:doc:`pdnsutil add-zone-key <manpages/pdnsutil.1>` if no algorithm is specified,
+and also the algorithm that should be used for the ZSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>` or using the :doc:`Zone API endpoint <http-api/cryptokey>`
to enable DNSSEC. Must be one of:
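Review bot: "Default: (empty)" together with the new sentence "The default algorithm for creating zone keys ... if no algorithm is specified" leaves the reader without the effective default. Because add-zone-key creates a ZSK when KSK is not given, the common invocation with no algorithm argument and this setting unset lands on the hard-coded ECDSA256 fallback in pdnsutil; say so explicitly in this description rather than leaving it implied by the empty default.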
return 0;
}
- // need to get algorithm, bits & ksk or zsk from commandline
+ // Try to get algorithm, bits & ksk or zsk from commandline
bool keyOrZone=false;
int tmp_algo=0;
int bits=0;
- int algorithm=DNSSECKeeper::ECDSA256;
+ int algorithm=-1;
bool active=false;
bool published=true;
for(unsigned int n=2; n < cmds.size(); ++n) { //NOLINT(readability-identifier-length)
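Review bot: "int algorithm=-1;" turns -1 into an "unset" sentinel, and the later defaulting code only works because shorthand2algorithm never returns a value <= 0 for a recognised algorithm. Put that invariant in a comment next to the declaration, or replace the magic value with a named constant or std::optional<int>, so the next reader does not have to infer why -1 is safe. The reworded comment "Try to get algorithm, bits & ksk or zsk from commandline" is fine.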
return EXIT_FAILURE;
}
}
+ // Use configuration defaults for missing values
+ if (bits == 0) {
+ if (keyOrZone) {
+ bits = ::arg().asNum("default-ksk-size");
+ if (bits < 0) {
+ throw runtime_error("Default KSK key size must be equal to or greater than 0");
+ }
+ }
+ else {
+ bits = ::arg().asNum("default-zsk-size");
+ if (bits < 0) {
+ throw runtime_error("Default ZSK key size must be equal to or greater than 0");
+ }
+ }
+ }
+ if (algorithm == -1) {
+ algorithm=DNSSECKeeper::ECDSA256; // default if no override in conf
+ if (keyOrZone) {
+ string k_algo = ::arg()["default-ksk-algorithm"];
+ if (!k_algo.empty()) {
+ if ((tmp_algo = DNSSECKeeper::shorthand2algorithm(k_algo)) > 0) {
+ algorithm = tmp_algo;
+ }
+ else {
+ cout<<"[Warning] Default KSK algorithm is invalid, using ECDSA256"<<endl;
+ }
+ }
+ }
+ else {
+ string z_algo = ::arg()["default-zsk-algorithm"];
+ if (!z_algo.empty()) {
+ if ((tmp_algo = DNSSECKeeper::shorthand2algorithm(z_algo)) > 0) {
+ algorithm = tmp_algo;
+ }
+ else {
+ cout<<"[Warning] Default ZSK algorithm is invalid, using ECDSA256"<<endl;
+ }
+ }
+ }
+ }
int64_t id{-1}; //NOLINT(readability-identifier-length)
if (!dk.addKey(zone, keyOrZone, algorithm, id, bits, active, published)) {
cerr<<"Adding key failed, perhaps DNSSEC not enabled in configuration?"<<endl;
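Review bot: invalid configuration values are handled inconsistently in this block: a negative default-ksk-size / default-zsk-size throws a runtime_error, but an unrecognised default-ksk-algorithm / default-zsk-algorithm only prints "[Warning] Default KSK algorithm is invalid, using ECDSA256" and continues. An operator who misspells a stronger algorithm in the config ends up with an ECDSA256 key without the command failing; throwing here, as the size check does, would be the safer behaviour. Two smaller points: the warnings go to cout while the failure message just below ("Adding key failed, perhaps DNSSEC not enabled in configuration?") goes to cerr, so route them to cerr as well; and the KSK and ZSK branches are duplicated, so choosing the two setting names once from keyOrZone and doing a single lookup would halve the block. Finally, a configured size of 0 passes the "bits < 0" check and reaches dk.addKey unchanged, the same value it received before this change when no size was given on the command line; if 0 is intended to mean "let the keeper choose", the message "Default KSK key size must be equal to or greater than 0" should say so.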