]> git.ipfire.org Git - thirdparty/ldns.git/commitdiff
SEP keys are now handled automatically (specify on generation)
authorJelte Jansen <jeltejan@NLnetLabs.nl>
Thu, 8 Sep 2005 09:47:25 +0000 (09:47 +0000)
committerJelte Jansen <jeltejan@NLnetLabs.nl>
Thu, 8 Sep 2005 09:47:25 +0000 (09:47 +0000)
updated signzone.c accordingly
fixed minor bugs

Makefile.in
TODO
dnssec.c
host2str.c
keygen.c
keys.c
ldns/dns.h
ldns/dnssec.h
ldns/keys.h
rr.c
signzone.c

index f127352eeb195d58753d695d94e6aa60e1b4880d..a8b32291675836fd7be81fdb1d42b5f123c829b3 100644 (file)
@@ -48,7 +48,7 @@ LIBDNS_HEADERS        =       ldns/error.h            \
                        ldns/dns.h              \
                        ldns/zone.h             \
                        ldns/util.h
-PROG_SOURCES   =       mx.c chaos.c keygen.c signzone.c key2ds.c version.c
+PROG_SOURCES   =       mx.c chaos.c keygen.c signzone.c version.c
 PROG_TARGETS   =       $(PROG_SOURCES:.c=)
 
 LIBDNS_OBJECTS =       $(LIBDNS_SOURCES:.c=.o)
@@ -68,7 +68,7 @@ LINK_LIB      = $(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS)
 .PHONY: install uninstall install-doc uninstall-doc 
 .PHONY: install-h uninstall-h install-lib uninstall-lib snapshot release
 
-all:           lib
+all:           lib tools
 
 tools:         $(PROG_TARGETS)
 
diff --git a/TODO b/TODO
index 873a6f143fd801dc6775c9cae8404f081849c0c3..13f6b5150091b39bb2f18bf3b5e48a8ce62b8ca3 100644 (file)
--- a/TODO
+++ b/TODO
@@ -1,5 +1,7 @@
 Current TODO list
 
+o check todo list :p
+
 What actually doesn't work:
 ---------------------------
 o [dnssec] NSEC conversion frm str to host
@@ -12,6 +14,7 @@ o manual page for signzone
 
 Implementation:
 ---------------
+o really think one last time about the double pointers
 o str2host on string rdata types needs escapes and surrounding quotes
   support
 o check all conversion routines on missing types
index 5827d1affd36fb34bf153ce4150d12d42f9055c7..0bd268ee7f8887d0a6106dd3c2ce249f7e6d2827 100644 (file)
--- a/dnssec.c
+++ b/dnssec.c
@@ -82,7 +82,6 @@ ldns_status
 ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, ldns_rr_list *keys, ldns_rr_list *good_keys)
 {
        uint16_t i;
-       ldns_rr_list *result;
 /*     ldns_rr_list *keys_verified;*/
        bool valid;
        ldns_status verify_result = LDNS_STATUS_ERR;
@@ -94,7 +93,6 @@ printf("err 1\n");
 
        valid = false;
        
-       result = ldns_rr_list_new();
        for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) {
 
                verify_result = ldns_verify_rrsig_keylist(rrset,
@@ -289,8 +287,10 @@ ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr_list *key
        ldns_buffer_free(verify_buf);
        if (ldns_rr_list_rr_count(validkeys) == 0) {
                /* no keys were added, return last error */
+ldns_rr_list_free(validkeys);
                return result;
        } else {
+ldns_rr_list_free(validkeys);
                ldns_rr_list_cat(good_keys, validkeys);
                return LDNS_STATUS_OK;
        }
@@ -1104,103 +1104,108 @@ ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
                b64rdf = NULL;
 
                current_key = ldns_key_list_key(keys, key_count);
-               current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
-               
-               /* set the type on the new signature */
-               /*orig_ttl = ldns_key_origttl(current_key);*/
-               orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
-
-               /* set the ttl from the priv key on the rrset */
-               for (i = 0; i < ldns_rr_list_rr_count(rrset); i++) {
-                       ldns_rr_set_ttl(
-                                       ldns_rr_list_rr(rrset_clone, i), orig_ttl);
-               }
-
-               ldns_rr_set_owner(current_sig, 
-                               ldns_rdf_clone(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, 0))));
-
-               /* fill in what we know of the signature */
-
-               /* set the orig_ttl */
-               (void)ldns_rr_rrsig_set_origttl(current_sig, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, orig_ttl));
-               /* the signers name */
-
-               (void)ldns_rr_rrsig_set_signame(current_sig, 
-                               ldns_rdf_clone(ldns_key_pubkey_owner(current_key)));
-               /* label count - get it from the first rr in the rr_list */
-               (void)ldns_rr_rrsig_set_labels(current_sig, 
-                               ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, ldns_rr_label_count(
-                                               ldns_rr_list_rr(rrset_clone, 0))));
-               /* inception, expiration */
-               /* TODO: is this a good place for default values? */
-               now = time(NULL);
-               if (ldns_key_inception(current_key) != 0) {
-                       (void)ldns_rr_rrsig_set_inception(current_sig,
-                                       ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, ldns_key_inception(current_key)));
-               } else {
-                       (void)ldns_rr_rrsig_set_inception(current_sig,
-                                       ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
-               }
-               if (ldns_key_expiration(current_key) != 0) {
-                       (void)ldns_rr_rrsig_set_expiration(current_sig,
-                                       ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, ldns_key_expiration(current_key)));
-               } else {
-                       (void)ldns_rr_rrsig_set_expiration(current_sig,
-                                       ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now + LDNS_DEFAULT_EXP_TIME));
-               }
+               if (
+                       ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY &&
+                       (!(ldns_key_flags(current_key) & LDNS_KEY_SEP_KEY) ||
+                       ldns_rr_get_type(ldns_rr_list_rr(rrset, 0)) == LDNS_RR_TYPE_DNSKEY)
+                  ) {
+                       current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
+                       
+                       /* set the type on the new signature */
+                       /*orig_ttl = ldns_key_origttl(current_key);*/
+                       orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
+
+                       /* set the ttl from the priv key on the rrset */
+                       for (i = 0; i < ldns_rr_list_rr_count(rrset); i++) {
+                               ldns_rr_set_ttl(
+                                               ldns_rr_list_rr(rrset_clone, i), orig_ttl);
+                       }
 
-               /* key-tag */
-               (void)ldns_rr_rrsig_set_keytag(current_sig,
-                               ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_key_keytag(current_key)));
-
-               /* algorithm - check the key and substitute that */
-               (void)ldns_rr_rrsig_set_algorithm(current_sig,
-                               ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(current_key)));
-               /* type-covered */
-               (void)ldns_rr_rrsig_set_typecovered(current_sig,
-                               ldns_native2rdf_int16(LDNS_RDF_TYPE_TYPE,
-                                       ldns_rr_get_type(ldns_rr_list_rr(rrset_clone, 0))));
-               /* right now, we have: a key, a semi-sig and an rrset. For
-                * which we can create the sig and base64 encode that and
-                * add that to the signature */
-               
-               if (ldns_rrsig2buffer_wire(sign_buf, current_sig) != LDNS_STATUS_OK) {
-                       ldns_buffer_free(sign_buf);
-                       dprintf("%s\n", "couldn't convert to buffer 1");
-                       /* ERROR */
-                       return NULL;
-               }
-               /* add the rrset in sign_buf */
-               if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) != LDNS_STATUS_OK) {
-                       dprintf("%s\n", "couldn't convert to buffer 2");
-                       ldns_buffer_free(sign_buf);
-                       return NULL;
-               }
-               
-               switch(ldns_key_algorithm(current_key)) {
-                       case LDNS_SIGN_DSA:
-                               b64rdf = ldns_sign_public_dsa(sign_buf, ldns_key_dsa_key(current_key));
-                               break;
-                       case LDNS_SIGN_RSASHA1:
-                               b64rdf = ldns_sign_public_rsasha1(sign_buf, ldns_key_rsa_key(current_key));
-                               break;
-                       case LDNS_SIGN_RSAMD5:
-                               b64rdf = ldns_sign_public_rsamd5(sign_buf, ldns_key_rsa_key(current_key));
-                               break;
-                       default:
-                               /* do _you_ know this alg? */
-                               break;
-               }
-               if (!b64rdf) {
-                       /* signing went wrong */
-                       dprintf("%s", "couldn't sign!\n");
-                       return NULL;
-               }
-               ldns_rr_rrsig_set_sig(current_sig, b64rdf);
+                       ldns_rr_set_owner(current_sig, 
+                                       ldns_rdf_clone(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, 0))));
+
+                       /* fill in what we know of the signature */
+
+                       /* set the orig_ttl */
+                       (void)ldns_rr_rrsig_set_origttl(current_sig, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, orig_ttl));
+                       /* the signers name */
+
+                       (void)ldns_rr_rrsig_set_signame(current_sig, 
+                                       ldns_rdf_clone(ldns_key_pubkey_owner(current_key)));
+                       /* label count - get it from the first rr in the rr_list */
+                       (void)ldns_rr_rrsig_set_labels(current_sig, 
+                                       ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, ldns_rr_label_count(
+                                                       ldns_rr_list_rr(rrset_clone, 0))));
+                       /* inception, expiration */
+                       /* TODO: is this a good place for default values? */
+                       now = time(NULL);
+                       if (ldns_key_inception(current_key) != 0) {
+                               (void)ldns_rr_rrsig_set_inception(current_sig,
+                                               ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, ldns_key_inception(current_key)));
+                       } else {
+                               (void)ldns_rr_rrsig_set_inception(current_sig,
+                                               ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
+                       }
+                       if (ldns_key_expiration(current_key) != 0) {
+                               (void)ldns_rr_rrsig_set_expiration(current_sig,
+                                               ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, ldns_key_expiration(current_key)));
+                       } else {
+                               (void)ldns_rr_rrsig_set_expiration(current_sig,
+                                               ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now + LDNS_DEFAULT_EXP_TIME));
+                       }
 
-               /* push the signature to the signatures list */
-               ldns_rr_list_push_rr(signatures, current_sig);
+                       /* key-tag */
+                       (void)ldns_rr_rrsig_set_keytag(current_sig,
+                                       ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_key_keytag(current_key)));
+
+                       /* algorithm - check the key and substitute that */
+                       (void)ldns_rr_rrsig_set_algorithm(current_sig,
+                                       ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(current_key)));
+                       /* type-covered */
+                       (void)ldns_rr_rrsig_set_typecovered(current_sig,
+                                       ldns_native2rdf_int16(LDNS_RDF_TYPE_TYPE,
+                                               ldns_rr_get_type(ldns_rr_list_rr(rrset_clone, 0))));
+                       /* right now, we have: a key, a semi-sig and an rrset. For
+                        * which we can create the sig and base64 encode that and
+                        * add that to the signature */
+                       
+                       if (ldns_rrsig2buffer_wire(sign_buf, current_sig) != LDNS_STATUS_OK) {
+                               ldns_buffer_free(sign_buf);
+                               dprintf("%s\n", "couldn't convert to buffer 1");
+                               /* ERROR */
+                               return NULL;
+                       }
+                       /* add the rrset in sign_buf */
+                       if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) != LDNS_STATUS_OK) {
+                               dprintf("%s\n", "couldn't convert to buffer 2");
+                               ldns_buffer_free(sign_buf);
+                               return NULL;
+                       }
+                       
+                       switch(ldns_key_algorithm(current_key)) {
+                               case LDNS_SIGN_DSA:
+                                       b64rdf = ldns_sign_public_dsa(sign_buf, ldns_key_dsa_key(current_key));
+                                       break;
+                               case LDNS_SIGN_RSASHA1:
+                                       b64rdf = ldns_sign_public_rsasha1(sign_buf, ldns_key_rsa_key(current_key));
+                                       break;
+                               case LDNS_SIGN_RSAMD5:
+                                       b64rdf = ldns_sign_public_rsamd5(sign_buf, ldns_key_rsa_key(current_key));
+                                       break;
+                               default:
+                                       /* do _you_ know this alg? */
+                                       break;
+                       }
+                       if (!b64rdf) {
+                               /* signing went wrong */
+                               dprintf("%s", "couldn't sign!\n");
+                               return NULL;
+                       }
+                       ldns_rr_rrsig_set_sig(current_sig, b64rdf);
 
+                       /* push the signature to the signatures list */
+                       ldns_rr_list_push_rr(signatures, current_sig);
+               }
                ldns_buffer_free(sign_buf); /* restart for the next key */
         }
         ldns_rr_list_deep_free(rrset_clone);
@@ -1479,7 +1484,7 @@ printf("%s\n", "[ldns_pkt_verify]");
 }
 
 ldns_zone *
-ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list, ldns_key_list *key_signing_key_list)
+ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list)
 {
        /*
         * Algorithm to be created:
@@ -1558,21 +1563,13 @@ ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list, ldns_key_list *key_sign
 
                /* if we have KSKs, use them for DNSKEYS, otherwise
                   make them selfsigned (?) */
-               if (cur_rrset_type == LDNS_RR_TYPE_DNSKEY) {
-                       if (key_signing_key_list) {
-                               cur_rrsigs = ldns_sign_public(cur_rrset, key_signing_key_list);
-                       } else {
-                               cur_rrsigs = ldns_sign_public(cur_rrset, key_list);
-                       }
-                       ldns_zone_push_rr_list(signed_zone, cur_rrset);
-                       ldns_zone_push_rr_list(signed_zone, cur_rrsigs);
-                       ldns_rr_list_free(cur_rrsigs);
-               } else if (cur_rrset_type != LDNS_RR_TYPE_RRSIG &&
+               if (cur_rrset_type != LDNS_RR_TYPE_RRSIG &&
                    (ldns_dname_is_subdomain(cur_dname, ldns_rr_owner(ldns_zone_soa(zone))) ||
                     ldns_rdf_compare(cur_dname, ldns_rr_owner(ldns_zone_soa(zone))) == 0
                    )
                   ) {
                        cur_rrsigs = ldns_sign_public(cur_rrset, key_list);
+
                        ldns_zone_push_rr_list(signed_zone, cur_rrset);
                        ldns_zone_push_rr_list(signed_zone, cur_rrsigs);
                        ldns_rr_list_free(cur_rrsigs);
index 320c035b76b599d43b3c713224cba684bec35f75..dd27df1bd4155262e8144383d639a5fa4f71d3c4 100644 (file)
@@ -1037,7 +1037,7 @@ ldns_key2buffer_str(ldns_buffer *output, ldns_key *k)
                                ldns_buffer_printf(output,"Private-key-format: v1.2\n");
                                if (ldns_key_algorithm(k) == LDNS_SIGN_RSAMD5) {
                                        ldns_buffer_printf(output,"Algorithm: 1 (RSA)\n");
-                               } else if (ldns_key_algorithm(k) == LDNS_SIGN_RSAMD5) {
+                               } else if (ldns_key_algorithm(k) == LDNS_SIGN_RSASHA1) {
                                        ldns_buffer_printf(output,"Algorithm: 5 (RSASHA1)\n");
                                }
 
index aeb38b8da3b0cb3a80e9f3bbf3d48a2695a6d941..e6eed59afa4cb67729cc141d13a75e29b061ab38 100644 (file)
--- a/keygen.c
+++ b/keygen.c
@@ -171,6 +171,21 @@ main(int argc, char *argv[])
                LDNS_FREE(filename);
        }
        
+       /* TEMP: create PEM format too */
+       filename = LDNS_XMALLOC(char, strlen(owner) + 17);
+       snprintf(filename, strlen(owner) + 16, "K%s+%03u+%05u.pem", owner, algorithm, ldns_key_keytag(key));
+       file = fopen(filename, "w");
+       if (!file) {
+               fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+               exit(EXIT_FAILURE);
+       } else {
+                               
+PEM_write_DSAPrivateKey(file, key->_key.dsa, NULL, NULL, 0, NULL, NULL);
+               fclose(file);
+               LDNS_FREE(filename);
+       }
+
+
        fprintf(stdout, "K%s+%03u+%05u\n", owner, algorithm, ldns_key_keytag(key));
         exit(EXIT_SUCCESS);
 }
diff --git a/keys.c b/keys.c
index 77024eb7249e7344e7ea9f73ccc4717dd338f80a..dac02a3aa92bd6556902455da627bb05c7643d6a 100644 (file)
--- a/keys.c
+++ b/keys.c
@@ -47,7 +47,7 @@ ldns_key_new()
                return NULL;
        } else {
                /* some defaults - not sure wether to do this */
-               ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY_FLAG);
+               ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY);
                ldns_key_set_origttl(newkey, 0);
                ldns_key_set_keytag(newkey, 0);
                ldns_key_set_inception(newkey, 0);
@@ -395,7 +395,12 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
                        break;
                case LDNS_SIGN_DSA:
                        d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL);
-                       DSA_generate_key(d);
+                       if (!d) {
+                               return NULL;
+                       }
+                       if (DSA_generate_key(d) != 1) {
+                               return NULL;
+                       }
                        ldns_key_set_dsa_key(k, d);
                        break;
                case LDNS_SIGN_HMACMD5:
index b2f2b021140cef4e0296f0b6ace0ff589331c081..3078fe24a77bed522d1fd63aaa1492e6fcd9af7b 100644 (file)
@@ -41,7 +41,7 @@
 #define LDNS_IP6ADDRLEN      (128/8)
 #define LDNS_PORT      53
 #define LDNS_ROOT_LABEL        '\0'
-#define LDNS_DEFTTL            3600
+#define LDNS_DEFAULT_TTL       3600
 
 #ifndef LDNS_VERSION
 #define LDNS_VERSION   "0.60"
index 67f6e1f66b20459d489402e99d318e397ad506d3..efd88116b8cf1d4ad02408eb23b8a6fdac9f98a9 100644 (file)
@@ -179,7 +179,7 @@ ldns_status ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_li
  * \param[in] key_list the list of keys to sign the zone with
  * \return the signed zone
  */
-ldns_zone *ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list, ldns_key_list *key_signing_key_list);
+ldns_zone *ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list);
  
 ldns_status ldns_init_random(FILE *fd, uint16_t bytes);
 
index ed7f047a411aa12fe31cf8315002f1be51934ed5..8536cf6699c1a5f5b5861912b60da3c71abda259 100644 (file)
@@ -20,8 +20,8 @@
 
 extern ldns_lookup_table ldns_signing_algorithms[];
 
-#define LDNS_KEY_ZONE_KEY_FLAG 0x0100
-#define LDNS_KEY_SEP_KEY_FLAG 0x0001
+#define LDNS_KEY_ZONE_KEY 0x0100
+#define LDNS_KEY_SEP_KEY 0x0001
 
 /**
  * algorithms used in dns
diff --git a/rr.c b/rr.c
index 57e9c478035482fb3fb25ffb6ac3f55cc4e44a47..beed23a744e55b012600a9256a7a3b6a49770a2a 100644 (file)
--- a/rr.c
+++ b/rr.c
@@ -28,7 +28,7 @@ ldns_rr_new(void)
        rr->_rdata_fields = NULL; 
        ldns_rr_set_ttl(rr, 0);
        ldns_rr_set_class(rr, LDNS_RR_CLASS_IN);
-       ldns_rr_set_ttl(rr, LDNS_DEFTTL);
+       ldns_rr_set_ttl(rr, LDNS_DEFAULT_TTL);
         return rr;
 }
 
@@ -56,7 +56,7 @@ ldns_rr_new_frm_type(ldns_rr_type t)
        ldns_rr_set_rd_count(rr, 
                        ldns_rr_descriptor_minimum(desc));
        ldns_rr_set_class(rr, LDNS_RR_CLASS_IN);
-       ldns_rr_set_ttl(rr, LDNS_DEFTTL);
+       ldns_rr_set_ttl(rr, LDNS_DEFAULT_TTL);
        ldns_rr_set_type(rr, t);
        return rr;
 }
@@ -168,7 +168,7 @@ ldns_rr_new_frm_str(const char *str, uint16_t default_ttl, ldns_rdf *origin)
        if (ttl_val == 0) {
                /* ah, it's not there or something */
                if (default_ttl == 0) {
-                       ttl_val = LDNS_DEFTTL;
+                       ttl_val = LDNS_DEFAULT_TTL;
                } else {
                        ttl_val = default_ttl;
                }
index 10205a4b21e7cf04a40eb93ad56a3e7982b6e04d..a4204e049e60609383872585b2cc80f40d0be7df 100644 (file)
@@ -23,10 +23,12 @@ usage(FILE *fp, const char *prog) {
        fprintf(fp, "  -e <date>\t\texpiration date\n");
        fprintf(fp, "  -f <file>\t\toutput zone to file (default <name>.signed)\n");
        fprintf(fp, "  -i <date>\t\tinception date\n");
-       fprintf(fp, "  -k <keyfile>\t\tkey signing key\n");
        fprintf(fp, "\t\t\tdates can be in YYYYMMDD[HHmmSS] format or timestamps\n");
        fprintf(fp, "  -o <domain>\t\torigin for the zone\n");
-       fprintf(fp, "keys and keysigning keys (-k option) can be given multiple times\n");
+       fprintf(fp, "keys can be given multiple times\n");
+       fprintf(fp, "keys are specified by their base name, there should be a file\n");
+       fprintf(fp, "called <name>.key and <name>.private present. The .key should\n");
+       fprintf(fp, "contain the DNSKEY RR of the public key, and will be added to the zone\n");
 }
 
 int
@@ -40,20 +42,25 @@ main(int argc, char *argv[])
        ldns_rr_list *orig_rrs = NULL;
        ldns_rr *orig_soa = NULL;
 
+       const char *keyfile_name_base;
+       char *keyfile_name;
        FILE *keyfile = NULL;
        ldns_key *key = NULL;
+       ldns_rr *pubkey = NULL;
        ldns_key_list *keys;
 
+
        char *outputfile_name = NULL;
        FILE *outputfile;
        
        /* we need to know the origin before reading ksk's,
         * so keep an array of filenames until we know it
         */
+/*
        int key_signing_key_nr = 0;
        char **key_signing_key_filenames = NULL;
        ldns_key_list *key_signing_keys;
-       
+*/     
        struct tm tm;
        uint32_t inception;
        uint32_t expiration;
@@ -73,7 +80,7 @@ main(int argc, char *argv[])
        inception = 0;
        expiration = 0;
        
-       while ((c = getopt(argc, argv, "e:f:i:k:o:")) != -1) {
+       while ((c = getopt(argc, argv, "e:f:i:o:")) != -1) {
                switch (c) {
                case 'e':
                        /* try to parse YYYYMMDD first,
@@ -105,14 +112,6 @@ main(int argc, char *argv[])
                                inception = atol(optarg);
                        }
                        break;
-               case 'k':
-                       key_signing_key_filenames = LDNS_XREALLOC(key_signing_key_filenames, char *, key_signing_key_nr + 1);
-                       if (!key_signing_key_filenames) {
-                               fprintf(stderr, "Out of memory\n");
-                       }
-                       key_signing_key_filenames[key_signing_key_nr] = optarg;
-                       key_signing_key_nr++;
-                       break;
                case 'o':
                        if (ldns_str2rdf_dname(&origin, optarg) != LDNS_STATUS_OK) {
                                fprintf(stderr, "Bad origin, not a correct domain name\n");
@@ -175,15 +174,17 @@ main(int argc, char *argv[])
        /* read the ZSKs */
        argi = 1;
        while (argi < argc) {
-               keyfile = fopen(argv[argi], "r");
+               keyfile_name_base = argv[argi];
+               keyfile_name = LDNS_XMALLOC(char, strlen(keyfile_name_base) + 9);
+               sprintf(keyfile_name, "%s.private", keyfile_name_base);
+               keyfile = fopen(keyfile_name, "r");
+               line_nr = 0;
                if (!keyfile) {
-                       fprintf(stderr, "Error: unable to read k%s (%s)\n", argv[argi], strerror(errno));
+                       fprintf(stderr, "Error: unable to read %s: %s\n", keyfile_name, strerror(errno));
                } else {
-                       key = ldns_key_new_frm_fp(keyfile);
+                       key = ldns_key_new_frm_fp_l(keyfile, &line_nr);
+                       fclose(keyfile);
                        if (key) {
-                               /* TODO: should this be in frm_fp? */
-                               ldns_key_set_pubkey_owner(key, ldns_rdf_clone(origin));
-
                                /* set times in key? they will end up
                                   in the rrsigs
                                */
@@ -194,14 +195,32 @@ main(int argc, char *argv[])
                                        ldns_key_set_inception(key, inception);
                                }
 
-                               ldns_key_set_flags(key, ldns_key_flags(key) | LDNS_KEY_ZONE_KEY_FLAG);
-                               ldns_key_list_push_key(keys, key);
+                               LDNS_FREE(keyfile_name);
+                               keyfile_name = LDNS_XMALLOC(char, strlen(keyfile_name_base) + 5);
+                               sprintf(keyfile_name, "%s.key", keyfile_name_base);
+                               keyfile = fopen(keyfile_name, "r");
+                               line_nr = 0;
+                               if (!keyfile) {
+                                       fprintf(stderr, "Error: unable to read %s: %s\n", keyfile_name, strerror(errno));
+                               } else {
+                                       pubkey = ldns_rr_new_frm_fp_l(keyfile, LDNS_DEFAULT_TTL, NULL, &line_nr);
+                                       if (pubkey) {
+                                               ldns_key_set_pubkey_owner(key, ldns_rdf_clone(ldns_rr_owner(pubkey)));
+                                               ldns_key_set_flags(key, ldns_rdf2native_int16(ldns_rr_rdf(pubkey, 0)));
+                                       }
+                                       /*ldns_key_set_flags(key, ldns_key_flags(key) | LDNS_KEY_ZONE_KEY);*/
+                                       ldns_key_list_push_key(keys, key);
+               /*
+                                       ldns_zone_push_rr(orig_zone, ldns_rr_clone(pubkey));
+               */                      ldns_rr_free(pubkey);
+                               }
+
                                
                        } else {
-                               fprintf(stderr, "Error reading key from %s\n", argv[argi]);
+                               fprintf(stderr, "Error reading key from %s at line %d\n", argv[argi], line_nr);
                        }
-                       fclose(keyfile);
                }
+
                argi++;
        }
        
@@ -211,40 +230,7 @@ main(int argc, char *argv[])
                exit(EXIT_FAILURE);
        }
                        
-       /* read the KSKs */
-       key_signing_keys = ldns_key_list_new();
-
-       for (argi = 0; argi < key_signing_key_nr; argi++) {
-               keyfile = fopen(key_signing_key_filenames[argi], "r");
-               if (!keyfile) {
-                       fprintf(stderr, "Error: unable to read KSK %s (%s)\n", argv[argi], strerror(errno));
-               } else {
-                       key = ldns_key_new_frm_fp(keyfile);
-                       if (key) {
-                               /* TODO: should this be in frm_fp? */
-                               ldns_key_set_pubkey_owner(key, ldns_rdf_clone(origin));
-
-                               /* set times in key? they will end up
-                                  in the rrsigs
-                               */
-                               if (expiration != 0) {
-                                       ldns_key_set_expiration(key, expiration);
-                               }
-                               if (inception != 0) {
-                                       ldns_key_set_inception(key, inception);
-                               }
-
-                               ldns_key_set_flags(key, ldns_key_flags(key) | LDNS_KEY_ZONE_KEY_FLAG | LDNS_KEY_SEP_KEY_FLAG);
-                               ldns_key_list_push_key(key_signing_keys, key);
-                       } else {
-                               fprintf(stderr, "Error reading KSK from %s\n", argv[argi]);
-                       }
-                       fclose(keyfile);
-               }
-       }
-
-       signed_zone = ldns_zone_sign(orig_zone, keys, key_signing_keys);
-       
+       signed_zone = ldns_zone_sign(orig_zone, keys);
 
        if (!outputfile_name) {
                outputfile_name = LDNS_XMALLOC(char, MAX_FILENAME_LEN);
@@ -266,10 +252,8 @@ main(int argc, char *argv[])
        }
        
        ldns_key_list_free(keys);
-       ldns_key_list_free(key_signing_keys);
        ldns_zone_deep_free(orig_zone);
        
        LDNS_FREE(outputfile_name);
-       LDNS_FREE(key_signing_key_filenames);
         exit(EXIT_SUCCESS);
 }