From fa37777331785de83f8e926e41ff678f9a4d8494 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Wed, 22 May 2013 00:21:29 +0200
Subject: [PATCH] add secure-all-zones command to pdnssec

---
 pdns/docs/pdns.xml | 10 +++++++++-
 pdns/pdnssec.cc    | 25 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index 7b15a0552d..9c8d94132c 100644
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -13104,6 +13104,14 @@ $ pdnssec rectify-zone powerdnssec.org
 	      </para>
 	    </listitem>
 	</varlistentry>
+	<varlistentry>
+	    <term>secure-all-zones</term>
+	    <listitem>
+	      <para>
+		Add keymaterial to all zones. You should manually run 'rectify-all-zones' afterwards.
+	      </para>
+	    </listitem>
+	</varlistentry>
 	<varlistentry>
 	    <term>set-nsec3 ZONE 'parameters' [narrow]</term>
 	    <listitem>
@@ -16217,7 +16225,7 @@ To enable a Lua script for a particular slave zone, determine the domain_id for
 	  <varlistentry><term>disable-axfr-rectify=...</term>
 	    <listitem><para>
 		Disable the rectify step during an outgoing AXFR. Only required for regression testing.
-		Default is no."/>.
+		Default is no.
 	      </para></listitem></varlistentry>
 	  <varlistentry><term>disable-tcp=...</term>
 	    <listitem><para>
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 2f4affd3b5..c2cd0b826f 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -1126,6 +1126,7 @@ try
     cerr<<"rectify-zone ZONE [ZONE ..]        Fix up DNSSEC fields (order, auth)"<<endl;
     cerr<<"rectify-all-zones                  Rectify all zones."<<endl;
     cerr<<"remove-zone-key ZONE KEY-ID        Remove key with KEY-ID from ZONE"<<endl;
+    cerr<<"secure-all-zones                   Secure all zones without keys."<<endl;
     cerr<<"secure-zone ZONE [ZONE ..]         Add KSK and two ZSKs"<<endl;
     cerr<<"set-nsec3 ZONE ['params' [narrow]] Enable NSEC3 with PARAMs. Optionally narrow"<<endl;
     cerr<<"set-presigned ZONE                 Use presigned RRSIGs from storage"<<endl;
@@ -1399,6 +1400,30 @@ try
     }
     return 0;
   }
+  else if (cmds[0] == "secure-all-zones") {
+    UeberBackend B("default");
+
+    unsigned int zoneErrors=0;
+    vector<DomainInfo> domainInfo;
+    B.getAllDomains(&domainInfo);
+
+    dk.startTransaction();
+    BOOST_FOREACH(DomainInfo di, domainInfo) {
+      if(!dk.isSecuredZone(di.zone)) {
+        cout<<"Securing "<<di.zone<<": ";
+        if (!secureZone(dk, di.zone))
+          zoneErrors++;
+      }
+    }
+    dk.commitTransaction();
+
+    cout<<"Secured: "<<domainInfo.size()<<" zones. Errors: "<<zoneErrors<<endl;
+
+    if (zoneErrors) {
+      return 1;
+    }
+    return 0;
+  }
   else if(cmds[0]=="set-nsec3") {
     if(cmds.size() < 2) {
       cerr<<"Syntax: pdnssec set-nsec3 ZONE 'params' [narrow]"<<endl;
-- 
2.47.2