-O option to ldns-signzone to only calc ZONEMD

diff --git a/Changelog b/Changelog
index bd5290c1447593a609263e6a7158438ab54fcec7..b32d92aca1ccb68ebd8e49de47ba4e7d48dcd6cb 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -6,6 +6,8 @@
          error, when size is 0
        * Fix to reserve enough space to convert the largest packets to
          presentation format in ldns_pkt2str_fmt. Thanks Peter Kästle
+       * The -O option to calculate (and sign) only the ZONEMD an input
+         zone with ldns-signzone
        
 1.9.0  2025-12-04
        * PR #246: Make ldns_calc_keytag() available for CDNSKEY RR

diff --git a/dnssec_zone.c b/dnssec_zone.c
index ef2359bbaab1f5effef4ff352b0f075194c149ef..d38f45b3d07022fd4fd29824bd57058d426fa2fb 100644 (file)
--- a/dnssec_zone.c
+++ b/dnssec_zone.c
@@ -1930,9 +1930,6 @@ rr_list2dnssec_rrs(ldns_rr_list *rr_list, ldns_dnssec_rrs **rrs,
 }
 
 
-ldns_status
-dnssec_zone_equip_zonemd(ldns_dnssec_zone *zone,
-               ldns_rr_list *new_rrs, ldns_key_list *key_list, int signflags);
 ldns_status
 dnssec_zone_equip_zonemd(ldns_dnssec_zone *zone,
                ldns_rr_list *new_rrs, ldns_key_list *key_list, int signflags)
@@ -1989,6 +1986,13 @@ dnssec_zone_equip_zonemd(ldns_dnssec_zone *zone,
                zonemd_rrset->next = *rrset_ref;
                *rrset_ref = zonemd_rrset;
        }
+       if (signflags & LDNS_SIGN_ONLY_ZONEMD) {
+               size_t i;
+
+               for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+                       ldns_key_set_use(ldns_key_list_key(key_list, i), true);
+               }
+       }
        if ((zonemd_rrsigs = ldns_sign_public(zonemd_rr_list, key_list)))
                st = rr_list2dnssec_rrs(  zonemd_rrsigs
                                       , &zonemd_rrset->signatures, new_rrs);

diff --git a/examples/ldns-signzone.1 b/examples/ldns-signzone.1
index dc0a776e8dbb8658f3610de5e4e6cc09b5c57371..ac33f54cfe86545e5d7fb9746bfc2475b44c1645 100644 (file)
--- a/examples/ldns-signzone.1
+++ b/examples/ldns-signzone.1
@@ -80,6 +80,10 @@ Calculate the zone's digest and add those as ZONEMD RRs. The (optional)
 \fB-Z\fR
 Allow ZONEMDs to be added without signing
 
+.TP
+\fB-O\fR
+Only calculate (and sign) the ZONEMD for the input zone
+
 .TP
 \fB-A\fR
 Sign the DNSKEY record with all keys.  By default it is signed with a

diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index 509a023d1e24301dd0bc34fd3799c751df50cd44..294bcf366cd9c2105561341ecb2964b650e1dc19 100644 (file)
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -53,6 +53,7 @@ usage(FILE *fp, const char *prog) {
        fprintf(fp, "\t\t<hash> should be \"sha384\" or \"sha512\" (or 1 or 2)\n");
        fprintf(fp, "\t\tthis option can be given more than once\n");
        fprintf(fp, "  -Z\t\tAllow ZONEMDs to be added without signing\n");
+       fprintf(fp, "  -O\t\tOnly calculate (and sign) the ZONEMD for the input zone\n");
        fprintf(fp, "  -A\t\tsign DNSKEY with all keys instead of minimal\n");
        fprintf(fp, "  -U\t\tSign with every unique algorithm in the provided keys\n");
 #ifndef OPENSSL_NO_ENGINE
@@ -673,7 +674,7 @@ main(int argc, char *argv[])
        
        keys = ldns_key_list_new();
 
-       while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:ZAUE:K:")) != -1) {
+       while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:ZOAUE:K:")) != -1) {
                switch (c) {
                case 'a':
                        nsec3_algorithm = (uint8_t) atoi(optarg);
@@ -780,6 +781,9 @@ main(int argc, char *argv[])
                case 'Z':
                        signflags |= LDNS_SIGN_NO_KEYS_NO_NSECS;
                        break;
+               case 'O':
+                       signflags |= LDNS_SIGN_ONLY_ZONEMD;
+                       break;
                case 'A':
                        signflags |= LDNS_SIGN_DNSKEY_WITH_ZSK;
                        break;
@@ -1051,7 +1055,9 @@ main(int argc, char *argv[])
                result = ldns_dnssec_zone_sign_nsec3_flg_mkmap(signed_zone,
                        added_rrs,
                        keys,
-                       ldns_dnssec_default_replace_signatures,
+                       ( signflags & LDNS_SIGN_ONLY_ZONEMD
+                       ? ldns_dnssec_default_leave_signatures
+                       : ldns_dnssec_default_replace_signatures ),
                        NULL,
                        nsec3_algorithm,
                        nsec3_flags,
@@ -1064,7 +1070,9 @@ main(int argc, char *argv[])
                result = ldns_dnssec_zone_sign_flg(signed_zone,
                                added_rrs,
                                keys,
-                               ldns_dnssec_default_replace_signatures,
+                               ( signflags & LDNS_SIGN_ONLY_ZONEMD
+                               ? ldns_dnssec_default_leave_signatures
+                               : ldns_dnssec_default_replace_signatures ),
                                NULL,
                                signflags);
        }

diff --git a/ldns/dnssec_sign.h b/ldns/dnssec_sign.h
index 4523811f1aadbac8246eace6415c3429adbdf7ab..8ccce1017335fdb57443942af7578318668ad0fa 100644 (file)
--- a/ldns/dnssec_sign.h
+++ b/ldns/dnssec_sign.h
@@ -17,6 +17,7 @@ extern "C" {
 #define LDNS_SIGN_NO_KEYS_NO_NSECS           4
 #define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384  8
 #define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 16
+#define LDNS_SIGN_ONLY_ZONEMD               32
 
 /**
  * Create an empty RRSIG RR (i.e. without the actual signature data)