The scripts are ancient, trivial and/or unmaintained.
Since switching to Meson, we don't even build `*.in` ones.
this.zone/domain.has.a.slash.dom10.example \
this.zone\\\\domain.has.backslash.dom10.example \
this.zone:domain.has.a.colon.dom.10.example; do
- # hashes below are generated by:
- # python ${TOP}/contrib/scripts/catzhash.py "${special}"
case "$special" in
this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example)
BIND 9. Contrib software is not supported by ISC, but reported bugs will
be fixed as time permits.
- - scripts/
-
- Assorted useful scripts, including 'zone-edit'
- which enables editing of a dynamic zone, and others.
-
- gitchangelog/
QA utility to produce changelog and release notes from git log.
+++ /dev/null
-check-secure-delegation.pl
-zone-edit.sh
+++ /dev/null
-#!/usr/bin/python
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# catzhash.py: generate the SHA-1 hash of a domain name in wire format.
-#
-# This can be used to determine the label to use in a catalog zone to
-# represent the specified zone. For example, the zone
-# "domain.example" can be represented in a catalog zone called
-# "catalog.example" by adding the following record:
-#
-# 5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. \
-# IN PTR domain.example.
-#
-# The label "5960775ba382e7a4e09263fc06e7c00569b6a05c" is the output of
-# this script when run with the argument "domain.example".
-
-import sys
-import hashlib
-import dns.name
-
-if len(sys.argv) < 2:
- print("Usage: %s name" % sys.argv[0])
-
-NAME = dns.name.from_text(sys.argv[1]).to_wire()
-print(hashlib.sha1(NAME).hexdigest())
+++ /dev/null
-#!@PERL@
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-use warnings;
-use FileHandle;
-use IPC::Open2;
-use POSIX qw/strftime/;
-
-#
-# We only compare keyid / DNSSEC algorithm pairs. If this succeeds then
-# the crypto will likely succeed. If it fails then the crypto will definitely
-# fail.
-#
-$prefix = "@prefix@";
-$dig = "$prefix/bin/dig +cd +dnssec +noall +answer";
-$dsfromkey = "$prefix/sbin/dnssec-dsfromkey -1 -A -f /dev/stdin";
-
-# Get "now" in a RRSIG datestamp format.
-$now = strftime "%Y%m%d%H%M%S", gmtime;
-
-foreach $zone (@ARGV) {
- my %algorithms = ();
- my %dnskeygood = ();
- my %dnskeyalg = ();
- my %dnskey = ();
- my %dsgood = ();
- my %ds = ();
-
- # Read the DS records and extract the key id, algorithm pairs
- open(DS, "$dig -t DS -q $zone|") || die("dig DS failed");
- while(<DS>) {
- @words = split;
- if ($words[3] eq "RRSIG" && $words[4] eq "DS") {
- next if ($words[8] >= $now && $words[9] <= $now);
- print "BAD SIG DATES: $_";
- }
- next if ($words[3] ne "DS");
- $ds{"$words[4] $words[5]"} = 1;
- $algorithms{"$words[5]"} = 1;
- }
- close(DS);
-
- # Read the RRSIG(DNSKEY) records and extract the key id,
- # algorithm pairs. Set good if we have a match against the DS
- # records. DNSKEY records should be before the RRSIG records.
- open(DNSKEY, "$dig -t DNSKEY -q $zone|") || die("dig DNSKEY failed");
- while (<DNSKEY>) {
- @words = split;
- if ($words[3] eq "DNSKEY") {
- $dnskeyalg{"$words[6]"} = 1;
- next if (! -e "/dev/stdin");
- # get the key id ($dswords[3]).
- $pid = open2(*Reader, *Writer, "$dsfromkey $zone");
- die("dsfromkey failed") if ($pid == -1);
- print Writer "$_";
- close(Writer);
- $line = <Reader>;
- close(Reader);
- @dswords = split /\s/, $line;
- $dnskey{"$dswords[3] $dswords[4]"} = 1;
- next;
- }
- next if ($words[3] ne "RRSIG" || $words[4] ne "DNSKEY");
- if ($words[8] >= $now && $words[9] <= $now) {
- # If we don't have /dev/stdin then just check for the
- # RRSIG otherwise check for both the DNSKEY and
- # RRSIG.
- $dsgood{"$words[5]"} = 1
- if (! -e "/dev/stdin" &&
- exists($ds{"$words[10] $words[5]"}));
- $dsgood{"$words[5]"} = 1
- if (exists($ds{"$words[10] $words[5]"}) &&
- exists($dnskey{"$words[10] $words[5]"}));
- $dnskeygood{"$words[5]"} = 1
- if (! -e "/dev/stdin");
- $dnskeygood{"$words[5]"} = 1
- if (exists($dnskey{"$words[10] $words[5]"}));
- } else {
- $dnskeygood{"$words[5]"} = 1;
- print "BAD SIG DATES: $_";
- }
- }
- close(DNSKEY);
-
- # Do we have signatures for all DNSKEY algorithms?
- foreach $alg ( keys %dnskeyalg ) {
- print "Missing $zone DNSKEY RRSIG for algorithm $alg\n"
- if (!exists($dnskeygood{$alg}));
- }
-
- # Do we have a matching self signed DNSKEY for all DNSSEC algorithms
- # in the DS records.
- $count = 0;
- foreach $alg ( keys %algorithms ) {
- if (exists($dsgood{$alg})) {
- print "$zone algorithm $alg good " .
- "(found DS / self signed DNSKEY pair)\n";
- } else {
- print "$zone algorithm $alg bad " .
- "(no DS / self signed DNSKEY pair found)\n";
- }
- $count++;
- }
- print "$zone has no secure delegation records\n"
- if (! $count);
-}
+++ /dev/null
-#!/usr/bin/perl
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-use warnings;
-use strict;
-
-use POSIX qw(strftime);
-my $now = strftime "%Y%m%d%H%M%S", gmtime;
-
-sub ext8601 ($) {
- my $d = shift;
- $d =~ s{(....)(..)(..)(..)(..)(..)}
- {$1-$2-$3.$4:$5:$6+0000};
- return $d;
-}
-
-sub getkey ($$) {
- my $h = shift;
- my $k = shift;
- m{\s+(\d+)\s+(\d+)\s+(\d+)\s+[(]\s*$};
- $k->{flags} = $1;
- $k->{protocol} = $2;
- $k->{algorithm} = $3;
- my $data = "(";
- while (<$h>) {
- s{^\s+}{};
- s{\s+$}{};
- last if m{^[)]};
- $data .= $_;
- }
- m{ alg = (\S+)\s*; key id = (\d+)};
- $k->{alg} = $1;
- $k->{id} = $2;
- $k->{data} = $data;
- return $k;
-}
-
-sub fmtkey ($) {
- my $k = shift;
- return sprintf "%16s tag %s", $k->{name}, $k->{id};
-}
-
-sub printstatus ($) {
- my $a = shift;
- if ($a->{removehd} ne "19700101000000") {
- printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd};
- } elsif ($a->{addhd} le $now) {
- printf " trusted\n";
- } else {
- printf " waiting for %s\n", ext8601 $a->{addhd};
- }
-}
-
-sub digkeys ($) {
- my $name = shift;
- my $keys;
- open my $d, "-|", qw{dig +multiline DNSKEY}, $name;
- while (<$d>) {
- next unless m{^([a-z0-9.-]*)\s+\d+\s+IN\s+DNSKEY\s+};
- next unless $name eq $1;
- push @$keys, getkey $d, { name => $name };
- }
- return $keys;
-}
-
-my $anchor;
-my $owner = ".";
-while (<>) {
- next unless m{^([a-z0-9.-]*)\s+KEYDATA\s+(\d+)\s+(\d+)\s+(\d+)\s+};
- my $k = getkey *ARGV, {
- name => $1,
- refresh => $2,
- addhd => $3,
- removehd => $4,
- };
- if ($k->{name} eq "") {
- $k->{name} = $owner;
- } else {
- $owner = $k->{name};
- }
- $k->{name} =~ s{[.]*$}{.};
- push @{$anchor->{$k->{name}}}, $k;
-}
-
-for my $name (keys %$anchor) {
- my $keys = digkeys $name;
- my $anchors = $anchor->{$name};
- for my $k (@$keys) {
- if ($k->{flags} & 1) {
- printf "%s %s", fmtkey $k, $k->{alg};
- } else {
- # ZSK - skipping
- next;
- }
- if ($k->{flags} & 512) {
- print " revoked;";
- }
- my $a;
- for my $t (@$anchors) {
- if ($t->{data} eq $k->{data} and
- $t->{protocol} eq $k->{protocol} and
- $t->{algorithm} eq $k->{algorithm}) {
- $t->{matched} = 1;
- $a = $t;
- last;
- }
- }
- if (not defined $a) {
- print " no trust anchor\n";
- next;
- }
- printstatus $a;
- }
- for my $a (@$anchors) {
- next if $a->{matched};
- printf "%s %s missing;", fmtkey $a, $a->{alg};
- printstatus $a;
- }
-}
-
-exit;
-
-__END__
-
-=head1 NAME
-
-check5011 - summarize DNSSEC trust anchor status
-
-=head1 SYNOPSIS
-
-check5011 <I<managed-keys.bind>>
-
-=head1 DESCRIPTION
-
-The BIND managed-keys file contains DNSSEC trust anchors
-that can be automatically updated according to RFC 5011. The
-B<check5011> program reads this file and prints a summary of the
-status of the trust anchors. It fetches the corresponding
-DNSKEY records using B<dig> and compares them to the trust anchors.
-
-Each key is printed on a line with its name, its tag, and its
-algorithm, followed by a summary of its status.
-
-=over
-
-=item C<trusted>
-
-The key is currently trusted.
-
-=item C<waiting for ...>
-
-The key is new, and B<named> is waiting for the "add hold-down" period
-to pass before the key will be trusted.
-
-=item C<untrusted and to be removed at ...>
-
-The key was revoked and will be removed at the stated time.
-
-=item C<no trust anchor>
-
-The key is present in the DNS but not in the managed-keys file.
-
-=item C<revoked>
-
-The key has its revoked flag set. This is printed before the key's
-trust anchor status which should normally be C<untrusted...> if
-B<named> has observed the revocation.
-
-=item C<missing>
-
-There is no DNSKEY record for this trust anchor. This is printed
-before the key's trust anchor status.
-
-=back
-
-By default the managed keys are stored in a file called
-F<managed-keys.bind> in B<named>'s working directory. This location
-can be changed with B<named>'s B<managed-keys-directory> option. If
-you are using views the file may be named with the SHA256 hash of a
-view name with a F<.mkeys> extension added.
-
-=head1 AUTHOR
-
-=over
-
-=item Written by Tony Finch <fanf2@cam.ac.uk> <dot@dotat.at>
-
-=item at the University of Cambridge Computing Service.
-
-=item You may do anything with this. It has no warranty.
-
-=item L<http://creativecommons.org/publicdomain/zero/1.0/>
-
-=back
-
-=head1 SEE ALSO
-
-dig(1), named(8)
-
-=cut
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-dir=/tmp/zone-edit.$$
-mkdir ${dir} || exit 1
-trap "/bin/rm -rf ${dir}" 0
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-bindir=@bindir@
-
-dig=${bindir}/dig
-checkzone=${bindir}/named-checkzone
-nsupdate=${bindir}/nsupdate
-
-case $# in
- 0)
- echo "Usage: zone-edit <zone> [dig options] [ -- nsupdate options ]"
- exit 0
- ;;
-esac
-
-# What kind of echo are we using?
-try=$(echo -n "")
-if test "X$try" = "X-n "; then
- echo_arg=""
- bsc="\\c"
-else
- echo_arg="-n"
- bsc=""
-fi
-
-zone="${1}"
-shift
-digopts=
-while test $# -ne 0; do
- case "${1}" in
- --)
- shift
- break
- ;;
- *)
- digopts="$digopts $1"
- shift
- ;;
- esac
-done
-
-${dig} axfr "$zone" $digopts \
- | awk '$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next; } { print; }' >${dir}/old
-
-if test -s ${dir}/old; then
- ${checkzone} -q -D "$zone" ${dir}/old >${dir}/ooo
-fi
-
-if test -s ${dir}/ooo; then
- cp ${dir}/ooo ${dir}/new
- while :; do
- if ${VISUAL:-${EDITOR:-/bin/ed}} ${dir}/new; then
- if ${checkzone} -q -D "$zone" ${dir}/new >${dir}/nnn; then
- sort ${dir}/ooo >${dir}/s1
- sort ${dir}/nnn >${dir}/s2
- comm -23 ${dir}/s1 ${dir}/s2 \
- | sed 's/^/update delete /' >${dir}/ccc
- comm -13 ${dir}/s1 ${dir}/s2 \
- | sed 's/^/update add /' >>${dir}/ccc
- if test -s ${dir}/ccc; then
- cat ${dir}/ccc | more
- while :; do
- echo ${echo_arg} "Update (u), Abort (a), Redo (r), Modify (m), Display (d) : $bsc"
- read ans
- case "$ans" in
- u)
- (
- echo zone "$zone"
- cat ${dir}/ccc
- echo send
- ) | ${nsupdate} "$@"
- break 2
- ;;
- a)
- break 2
- ;;
- d)
- cat ${dir}/ccc | more
- ;;
- r)
- cp ${dir}/ooo ${dir}/new
- break
- ;;
- m)
- break
- ;;
- esac
- done
- else
- while :; do
- echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc"
- read ans
- case "$ans" in
- a)
- break 2
- ;;
- r)
- cp ${dir}/ooo ${dir}/new
- break
- ;;
- m)
- break
- ;;
- esac
- done
- fi
- else
- while :; do
- echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc"
- read ans
- case "$ans" in
- a)
- break 2
- ;;
- r)
- cp ${dir}/ooo ${dir}/new
- break
- ;;
- m)
- break
- ;;
- esac
- done
- fi
- fi
- done
-fi
projects / thirdparty / bind9.git / commitdiff
