From: Peter Thomassen
Date: Thu, 10 Jul 2025 12:57:34 +0000 (+0200)
Subject: auth: add pdnsutil set-signaling-zone
X-Git-Tag: rec-5.4.0-alpha0~21^2~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b67b455ca86e2bedadf277a115efbe26a31e9b0c;p=thirdparty%2Fpdns.git

auth: add pdnsutil set-signaling-zone
---

diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index abb2e1aa69..d43bb2387c 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -3668,6 +3668,64 @@ static int setPublishCDs(vector& cmds, const std::string_view synopsis)
   return 0;
 }
 
+static int setSignalingZone(vector& cmds, const std::string_view synopsis)
+{
+  if(cmds.size() < 2) {
+    return usage(synopsis);
+  }
+
+  if(cmds.size() > 2) {
+    cerr << "Too many arguments" << endl;
+    return 1;
+  }
+
+  ZoneName zone(cmds.at(1));
+
+  if(zone.operator const DNSName&().getRawLabel(0) != "_signal") {
+    cerr << "Signaling zone's first label must be '_signal': " << zone << endl;
+    return 1;
+  }
+
+  DNSSECKeeper dk; //NOLINT(readability-identifier-length)
+
+  // pdnsutil secure-zone $zone
+  if(!dk.isSecuredZone(zone)) {
+    dk.startTransaction(zone);
+    bool success = secureZone(dk, zone);
+    dk.commitTransaction();
+    if(!success) {
+      return 1;
+    }
+  }
+
+  // pdnsutil set-nsec3 $zone "1 0 0 -" narrow
+  try {
+    if (!dk.setNSEC3PARAM(zone, NSEC3PARAMRecordContent("1 0 0 -"), true)) {
+      cerr<<"Cannot set NSEC3 param for " << zone << endl;
+      return 1;
+    }
+  }
+  catch (const runtime_error& err) {
+    cerr << err.what() << endl;
+    return 1;
+  }
+
+  // pdnsutil rectify-zone $zone
+  if(!rectifyZone(dk, zone)) {
+    cerr<<"Cannot rectify zone " << zone << endl;
+    return 1;
+  }
+
+  // pdnsutil set-meta $zone SIGNALING-ZONE 1
+  if(addOrSetMeta(zone, "SIGNALING-ZONE", {"1"}, true)) {
+    cerr<<"Cannot set meta for zone " << zone << endl;
+    return 1;
+  }
+
+  cerr << "Successfully configured signaling zone " << zone << endl;
+  return 0;
+}
+
 static int unsetPresigned(vector& cmds, const std::string_view synopsis)
 {
   if(cmds.size() < 2) {
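Review bot: The secure-zone step calls `dk.startTransaction(zone)` and then `dk.commitTransaction()` unconditionally, so a `false` result from `secureZone` is committed rather than rolled back, and if `secureZone` throws the transaction is never closed at all — unlike the `setNSEC3PARAM` step directly below, which is guarded by a `try`/`catch` for `runtime_error`. Consider ending the transaction on the failure path before `return 1` (with the keeper's abort counterpart, if it exposes one) and wrapping the `secureZone` call in the same `try`/`catch` so an exception cannot escape setSignalingZone with the transaction still open. The four steps are also not atomic as a whole: a failure at the NSEC3, rectify or set-meta step leaves the zone secured but not marked `SIGNALING-ZONE`; this looks acceptable because the `isSecuredZone` check lets a re-run resume, but that intent deserves a comment above the function, e.g. `// Steps are idempotent: re-running resumes after a partial failure.`. The `zone.operator const DNSName&().getRawLabel(0)` spelling is hard to read; if `ZoneName` has a named accessor for the underlying `DNSName`, prefer it, and confirm what `getRawLabel(0)` does for an empty name, since that case presumably should fail the `_signal` check rather than throw.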
@@ -5051,6 +5109,10 @@ static const std::unordered_map commands{
      "\tEnable sending CDS responses for ZONE, using DIGESTALGOS as signature\n"
      "\talgorithms; DIGESTALGOS should be a comma-separated list of numbers,\n"
      "\t(default: '2')"}},
+  {"set-signaling-zone", {true, setSignalingZone, GROUP_CDNSKEY,
+     "set-signaling-zone ZONE",
+     "\tConfigure zone for RFC 9615 DNSSEC bootstrapping\n"
+     "(zone name must begin with _signal.)"}},
   {"show-zone", {true, showZone, GROUP_DNSSEC,
      "show-zone ZONE",
      "\tShow DNSSEC (public) key details about a zone"}},
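Review bot: The second help line `"(zone name must begin with _signal.)"` lacks the leading `\t` that every other continuation line in this table carries (see the `set-publish-cds` entry directly above it), so it will print flush-left under the indented first line; change it to `"\t(zone name must begin with _signal.)"`. Consider also writing `ZONE` instead of `zone name` there, to match the placeholder used in the synopsis line.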