echo " name the files br.anchor se.anchor ..., and include them in"
echo " the validating resolver config file."
echo " put keys for the root in a file with the name root.anchor."
- exit 1
+ echo ""
+ echo "Exit code 0 means anchors updated, 1 no changes, others are errors."
+ exit 2
}
if test $# -eq 0; then
# arguments: <zonename> <keyfile>
zonename="$1"
keyfile="$2"
+ tmp2=$tmpfile.2
tmpfile="/tmp/update-anchor.$$"
$ubhost -v $filearg "$keyfile" -t DNSKEY "$zonename" >$tmpfile
if test $bindformat = "yes"; then
# are there any KSK keys on board?
- echo 'trusted-keys {' > "$keyfile"
+ echo 'trusted-keys {' > "$tmp2"
if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then
# store KSK keys in anchor file
grep '(secure)$' $tmpfile | \
grep ' has DNSKEY record 257' | \
sed -e 's/ (secure)$/";/' | \
sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
- sed -e 's/^\.\././' >> "$keyfile"
+ sed -e 's/^\.\././' >> "$tmp2"
else
# store all keys in the anchor file
grep '(secure)$' $tmpfile | \
sed -e 's/ (secure)$/";/' | \
sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
- sed -e 's/^\.\././' >> "$keyfile"
+ sed -e 's/^\.\././' >> "$tmp2"
fi
- echo '};' >> "$keyfile"
+ echo '};' >> "$tmp2"
else #not bindformat
# are there any KSK keys on board?
if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then
grep ' has DNSKEY record 257' | \
sed -e 's/ (secure)$//' | \
sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
- sed -e 's/^\.\././' > "$keyfile"
+ sed -e 's/^\.\././' > "$tmp2"
else
# store all keys in the anchor file
grep '(secure)$' $tmpfile | \
sed -e 's/ (secure)$//' | \
sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
- sed -e 's/^\.\././' > "$keyfile"
+ sed -e 's/^\.\././' > "$tmp2"
fi
fi # endif-bindformat
- echo "$zonename key file $keyfile updated."
+ # copy over if changed
+ diff $tmp2 $keyfile >/dev/null 2>&1
+ if test $? -eq 1; then # 0 means no change, 2 means trouble.
+ cat $tmp2 > $keyfile
+ no_updated=0
+ echo "$zonename key file $keyfile updated."
+ else
+ echo "$zonename key file $keyfile unchanged."
+ fi
- rm -f $tmpfile
+ rm -f $tmpfile $tmp2
}
+no_updated=1
if test X"$1" = "X-d"; then
tdir="$2"
echo "start updating in $2"
fi
kfile="$2"
do_update $zname $kfile
- exit $?
fi
-
-exit 0
+exit $no_updated
2 October 2008: Wouter
- fixup unlink of pidfile.
- fixup SHA256 algorithm collation code.
+ - contrib/update-anchor.sh does not overwrite anchors if not needed.
+ exits 0 when a restart is needed, other values if not.
+ so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
+ can restart unbound exactly when needed.
30 September 2008: Wouter
- fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
projects / thirdparty / unbound.git / commitdiff
