#include <dns/dnssec.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
+#include <dns/kasp.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
static bool set_maxttl = false;
static dns_ttl_t maxttl = 0;
static bool no_max_check = false;
+static bool ignore_sync = false;
#define INCSTAT(counter) \
if (printstats) { \
dns_dnsseckeylist_t rmkeys, matchkeys;
char name[DNS_NAME_FORMATSIZE];
dns_rdataset_t cdsset, cdnskeyset, soaset;
+ dns_kasp_digestlist_t digests;
+ dns_kasp_digest_t digest = {
+ .digest = DNS_DSDIGEST_SHA256,
+ .link = ISC_LINK_INITIALIZER,
+ };
ISC_LIST_INIT(rmkeys);
ISC_LIST_INIT(matchkeys);
+ ISC_LIST_INIT(digests);
+ if (!ignore_sync) {
+ ISC_LIST_APPEND(digests, &digest, link);
+ }
+
dns_rdataset_init(&soaset);
dns_rdataset_init(&cdsset);
dns_rdataset_init(&cdnskeyset);
/*
* Update keylist with sync records.
*/
+
dns_dnssec_syncupdate(&keylist, &rmkeys, &cdsset, &cdnskeyset, now,
- DNS_DSDIGEST_SHA256, keyttl, &diff, mctx);
+ &digests, keyttl, &diff, mctx);
dns_name_format(gorigin, name, sizeof(name));
clear_keylist(&rmkeys);
clear_keylist(&matchkeys);
+
+ if (!ignore_sync) {
+ ISC_LIST_UNLINK(digests, &digest, link);
+ }
+ INSIST(ISC_LIST_EMPTY(digests));
}
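Review bot: `digest` is a stack object linked into `digests` and handed to dns_dnssec_syncupdate(), yet the comment above the call still reads only "Update keylist with sync records."; the new lifetime and the -G semantics deserve a sentence there, e.g. `/* digest lives on the stack and is unlinked below before it goes out of scope; with -G (ignore_sync) the list stays empty so no CDS/CDNSKEY digest type is requested. */`. The blank line added between that comment and the dns_dnssec_syncupdate() call separates the comment from the statement it describes and should be dropped. Whether an empty digest list makes dns_dnssec_syncupdate() also remove existing CDS/CDNSKEY records is not visible here and should be confirmed against that function, since the manual text for -G only says they are not generated. The enclosing function starts before this hunk.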
static void
atomic_init(&finished, false);
/* Unused letters: Bb G J q Yy (and F is reserved). */
-#define CMDLINE_FLAGS \
- "3:AaCc:Dd:E:e:f:FghH:i:I:j:J:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \
+#define CMDLINE_FLAGS \
+ "3:AaCc:Dd:E:e:f:FgGhH:i:I:j:J:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \
"VX:xzZ:"
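Review bot: The "Unused letters" comment directly above CMDLINE_FLAGS still lists G as unused although the new flag string inserts `G` after `g`; it should become `/* Unused letters: Bb J q Yy (and F is reserved). */`. That comment is the only inventory of free option letters in the file, so leaving it stale invites a later collision. If the help text printed by usage() is not updated elsewhere in this commit, it should also gain a line for -G matching the manual page entry.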
/*
generateds = true;
break;
+ case 'G':
+ ignore_sync = true;
+ break;
+
case 'H':
set_iter = true;
/* too-many is NOT DOCUMENTED */
Synopsis
~~~~~~~~
-:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
+:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-G**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
Description
~~~~~~~~~~~
This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``
file. Existing DS records are removed.
+.. option:: -G
+
+ This option indicates that CDS and CDNSKEY records should not be generated from the given key set.
+
.. option:: -K directory
This option specifies the directory to search for DNSSEC keys. If not