if(sd.qname == name) {
nrc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
auto keyset = d_dk.getKeys(name);
- if (!keyset.empty()) {
- nrc.set(QType::DNSKEY);
- string publishCDNSKEY;
- d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
- if (publishCDNSKEY == "1")
- nrc.set(QType::CDNSKEY);
- string publishCDS;
- d_dk.getPublishCDS(name, publishCDS);
- if (! publishCDS.empty())
- nrc.set(QType::CDS);
+ for(const auto& value: keyset) {
+ if (value.second.published) {
+ nrc.set(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
+ if (publishCDNSKEY == "1")
+ nrc.set(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getPublishCDS(name, publishCDS);
+ if (! publishCDS.empty())
+ nrc.set(QType::CDS);
+ break;
+ }
}
}
n3rc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
n3rc.set(QType::NSEC3PARAM);
auto keyset = d_dk.getKeys(name);
- if (!keyset.empty()) {
- n3rc.set(QType::DNSKEY);
- string publishCDNSKEY;
- d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
- if (publishCDNSKEY == "1")
- n3rc.set(QType::CDNSKEY);
- string publishCDS;
- d_dk.getPublishCDS(name, publishCDS);
- if (! publishCDS.empty())
- n3rc.set(QType::CDS);
+ for(const auto& value: keyset) {
+ if (value.second.published) {
+ n3rc.set(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
+ if (publishCDNSKEY == "1")
+ n3rc.set(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getPublishCDS(name, publishCDS);
+ if (! publishCDS.empty())
+ n3rc.set(QType::CDS);
+ break;
+ }
}
}
a98864b315f16bcf49ce577426063c42 ../regression-tests/zones/cdnskey-cds-test.com
9aeed2c26d0c3ba3baf22dfa9568c451 ../regression-tests/zones/2.0.192.in-addr.arpa
99c73e8b5db5781fec1ac3fa6a2662a9 ../regression-tests/zones/cryptokeys.org
+1f9e19be0cff67330f3a0a5347654f91 ../regression-tests/zones/hiddencryptokeys.org
52a95993ada0b4ed986a2fe6463a27e0 ../modules/tinydnsbackend/data.cdb
fi
if [ $zone != insecure.dnssec-parent.com ]
then
- securezone $zone bind
+ securezone $zone bind
+ if [ $zone = hiddencryptokeys.org ]
+ then
+ keyid=$($PDNSUTIL --config-dir=. --config-name=bind list-keys $zone | grep hiddencryptokeys.org | awk '{ print $5 }')
+ $PDNSUTIL --config-dir=. --config-name=bind unpublish-zone-key $zone $keyid
+ fi
if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
then
$PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
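Review bot: The `keyid=$(... list-keys $zone | grep hiddencryptokeys.org | awk '{ print $5 }')` line is never checked for an empty or multi-valued result, so if the `list-keys` output format shifts the following `unpublish-zone-key $zone $keyid` runs with a bad argument and the key silently stays published, which only surfaces much later as an expected-output mismatch; add `[ -n "$keyid" ] || { echo "no key id found for $zone" >&2; exit 1; }` before the unpublish call. The same block is repeated for `${backend}` and `lmdb` in the next two hunks, so the check belongs in all three, or better in one small function used by each. The `grep` pattern would also be more exact as a fixed string (`grep -F`), since the dots in the zone name are regex wildcards here.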
then
$PDNSUTIL --config-dir=. --config-name=$backend set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
fi
- securezone $zone ${backend}
+ securezone $zone ${backend}
+ if [ $zone = hiddencryptokeys.org ]
+ then
+ keyid=$($PDNSUTIL --config-dir=. --config-name=$backend list-keys $zone | grep hiddencryptokeys.org | awk '{ print $5 }')
+ $PDNSUTIL --config-dir=. --config-name=$backend unpublish-zone-key $zone $keyid
+ fi
if [ $zone = cryptokeys.org ]
then
$PDNSUTIL --config-dir=. --config-name=$backend add-zone-key $zone zsk 384 active unpublished ecdsa384
$PDNSUTIL --config-dir=. --config-name=lmdb set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
fi
securezone $zone lmdb
+ if [ $zone = hiddencryptokeys.org ]
+ then
+ keyid=$($PDNSUTIL --config-dir=. --config-name=lmdb list-keys $zone | grep hiddencryptokeys.org | awk '{ print $5 }')
+ $PDNSUTIL --config-dir=. --config-name=lmdb unpublish-zone-key $zone $keyid
+ fi
if [ $zone = cryptokeys.org ]
then
$PDNSUTIL --config-dir=. --config-name=lmdb add-zone-key $zone zsk 384 active unpublished ecdsa384
file "cryptokeys.org";
};
+zone "hiddencryptokeys.org"{
+ type master;
+ file "hiddencryptokeys.org";
+};
+
#!/bin/sh
cleandig cryptokeys.org DNSKEY dnssec
+cleandig hiddencryptokeys.org DNSKEY dnssec
2 . IN OPT 32768
Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='cryptokeys.org.', qtype=DNSKEY
+1 hiddencryptokeys.org. IN NSEC 3600 hiddencryptokeys.org. A NS SOA RRSIG NSEC
+1 hiddencryptokeys.org. IN RRSIG 3600 NSEC 13 2 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+1 hiddencryptokeys.org. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+1 hiddencryptokeys.org. IN SOA 3600 cryptokeys.ds9a.nl. ahu.ds9a.nl. 2009071301 14400 3600 604800 3600
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hiddencryptokeys.org.', qtype=DNSKEY
--- /dev/null
+0 cryptokeys.org. IN DNSKEY 3600 256 3 10 ...
+0 cryptokeys.org. IN DNSKEY 3600 257 3 13 ...
+0 cryptokeys.org. IN RRSIG 3600 DNSKEY 13 2 3600 [expiry] [inception] [keytag] cryptokeys.org. ...
+0 cryptokeys.org. IN RRSIG 3600 DNSKEY 14 2 3600 [expiry] [inception] [keytag] cryptokeys.org. ...
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cryptokeys.org.', qtype=DNSKEY
+1 hiddencryptokeys.org. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+1 hiddencryptokeys.org. IN SOA 3600 cryptokeys.ds9a.nl. ahu.ds9a.nl. 2009071301 14400 3600 604800 3600
+1 vd844e5oi5854h79fnaa0f80nqo8brf0.hiddencryptokeys.org. IN NSEC3 3600 1 [flags] 1 abcd VD844E5OI5854H79FNAA0F80NQO8BRF1 A NS SOA RRSIG NSEC3PARAM
+1 vd844e5oi5854h79fnaa0f80nqo8brf0.hiddencryptokeys.org. IN RRSIG 3600 NSEC3 13 3 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hiddencryptokeys.org.', qtype=DNSKEY
--- /dev/null
+0 cryptokeys.org. IN DNSKEY 3600 256 3 10 ...
+0 cryptokeys.org. IN DNSKEY 3600 257 3 13 ...
+0 cryptokeys.org. IN RRSIG 3600 DNSKEY 13 2 3600 [expiry] [inception] [keytag] cryptokeys.org. ...
+0 cryptokeys.org. IN RRSIG 3600 DNSKEY 14 2 3600 [expiry] [inception] [keytag] cryptokeys.org. ...
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cryptokeys.org.', qtype=DNSKEY
+1 hiddencryptokeys.org. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+1 hiddencryptokeys.org. IN SOA 3600 cryptokeys.ds9a.nl. ahu.ds9a.nl. 2009071301 14400 3600 604800 3600
+1 vd844e5oi5854h79fnaa0f80nqo8brf0.hiddencryptokeys.org. IN NSEC3 3600 1 [flags] 1 abcd VD844E5OI5854H79FNAA0F80NQO8BRF0 A NS SOA RRSIG NSEC3PARAM
+1 vd844e5oi5854h79fnaa0f80nqo8brf0.hiddencryptokeys.org. IN RRSIG 3600 NSEC3 13 3 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hiddencryptokeys.org.', qtype=DNSKEY
#!/usr/bin/env bash
-for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(cryptokeys.org\|example.com\|nztest.com\|insecure.dnssec-parent.com\)$')
+for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(hiddencryptokeys.org\|cryptokeys.org\|example.com\|nztest.com\|insecure.dnssec-parent.com\)$')
do
TFILE=$(mktemp tmp.XXXXXXXXXX)
drill -p $port axfr $zone @$nameserver | ldns-read-zone -z -u CDS -u CDNSKEY > $TFILE
--- /dev/null
+hiddencryptokeys.org. 3600 IN SOA cryptokeys.ds9a.nl. ahu.ds9a.nl. (
+ 2009071301 ; serial
+ 14400 ; refresh (2 hours 30 minutes)
+ 3600 ; retry (7 minutes 30 seconds)
+ 604800 ; expire (1 week)
+ 3600 ; minimum (7 minutes 30 seconds)
+ )
+ 3600 NS cryptokeys.ds9a.nl.
+ 3600 NS cryptokeys.ds9a.nl.
+ 3600 A 212.123.148.70