return result;
}
/* check whether we need to add nsecs */
- if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
+ if ((flags & LDNS_SIGN_NO_KEYS_NO_NSECS)
+ && ldns_key_list_key_count(key_list) < 1)
+ ; /* pass */
+
+ else if (zone->names
+ && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
+
result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
if (result != LDNS_STATUS_OK) {
return result;
}
nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
- if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
+
+ /* check whether we need to add nsecs */
+ if ((signflags & LDNS_SIGN_NO_KEYS_NO_NSECS)
+ && ldns_key_list_key_count(key_list) < 1)
+ ; /* pass */
+
+ else if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
/* no need to recreate */
} else {
if (!ldns_dnssec_zone_find_rrset(zone,
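Review bot: The empty statement `; /* pass */` followed by a blank line and then `else if` is easy to misread as a stray semicolon and leaves one branch without braces; the same shape appears in the earlier hunk where the `flags` variant of this check is added. Folding the skip condition into the existing branch reads more clearly and keeps every body braced, e.g. `if (((signflags & LDNS_SIGN_NO_KEYS_NO_NSECS) && ldns_key_list_key_count(key_list) < 1) || (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3)) { /* nothing to create */ } else {`. Behaviour is unchanged: with the flag set and no keys, neither NSEC3s nor the NSEC3PARAM lookup in the `else` branch run. The `else` branch and the enclosing function continue outside the hunk.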
`scheme' must be `simple` (or 1) and `hash' should be `sha384' (or 1) or
`sha512' (or 2). This option can be given more than once.
+.TP
+\fB-Z\fR
+Allow ZONEMDs to be added without signing
+
.TP
\fB-A\fR
Sign the DNSKEY record with all keys. By default it is signed with a
fprintf(fp, "\t\t<scheme> should be \"simple\" (or 1)\n");
fprintf(fp, "\t\t<hash> should be \"sha384\" or \"sha512\" (or 1 or 2)\n");
fprintf(fp, "\t\tthis option can be given more than once\n");
+ fprintf(fp, " -Z\t\tAllow ZONEMDs to be added without signing\n");
fprintf(fp, " -A\t\tsign DNSKEY with all keys instead of minimal\n");
fprintf(fp, " -U\t\tSign with every unique algorithm in the provided keys\n");
#ifndef OPENSSL_NO_ENGINE
keys = ldns_key_list_new();
- while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:AUE:K:")) != -1) {
+ while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:ZAUE:K:")) != -1) {
switch (c) {
case 'a':
nsec3_algorithm = (uint8_t) atoi(optarg);
exit(EXIT_FAILURE);
}
break;
+ case 'Z':
+ signflags |= LDNS_SIGN_NO_KEYS_NO_NSECS;
+ break;
case 'A':
signflags |= LDNS_SIGN_DNSKEY_WITH_ZSK;
break;
inception,
expiration );
#endif
-
- if (ldns_key_list_key_count(keys) < 1) {
+ if (ldns_key_list_key_count(keys) < 1
+ && !(signflags & LDNS_SIGN_NO_KEYS_NO_NSECS)) {
+
fprintf(stderr, "Error: no keys to sign with. Aborting.\n\n");
usage(stderr, prog);
exit(EXIT_FAILURE);
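Review bot: With `-Z` and an empty key list the relaxed condition lets the program continue, but nothing here checks that a ZONEMD scheme was actually requested, so `-Z` on its own appears to write the zone back out with no keys, no NSEC(3)s and no ZONEMD. If `-z` sets the `LDNS_SIGN_WITH_ZONEMD_SIMPLE_*` flags (the `-z` handling is not in this hunk), a check beside the existing one would catch that: `if (ldns_key_list_key_count(keys) < 1 && !(signflags & (LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 | LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512))) { fprintf(stderr, "Error: -Z without keys requires a -z scheme. Aborting.\n\n"); usage(stderr, prog); exit(EXIT_FAILURE); }`. Since every use of the flag is ANDed with a zero key count, the `-Z` help line could also say it only takes effect when no keys are given. The enclosing main() continues outside the hunk.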
size_t
ldns_key_list_key_count(const ldns_key_list *key_list)
{
- return key_list->_key_count;
+ return key_list ? key_list->_key_count : 0;
}
ldns_key *
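Review bot: Returning 0 for a NULL `key_list` changes this accessor's contract, and the declaration's doc comment in the header should state it, e.g. `@return the number of keys in the list, or 0 if key_list is NULL`. The sibling accessors on the same struct are not in this hunk and presumably still dereference unconditionally, so the comment should make clear that NULL tolerance is limited to this function rather than to the key-list API as a whole.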
/* sign functions */
/** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
-#define LDNS_SIGN_DNSKEY_WITH_ZSK 1
-#define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
-#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 4
-#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 8
+#define LDNS_SIGN_DNSKEY_WITH_ZSK 1
+#define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
+#define LDNS_SIGN_NO_KEYS_NO_NSECS 4
+#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 8
+#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 16
/**
* Create an empty RRSIG RR (i.e. without the actual signature data)
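Review bot: Inserting `LDNS_SIGN_NO_KEYS_NO_NSECS` as 4 renumbers the two public `LDNS_SIGN_WITH_ZONEMD_SIMPLE_*` flags (4 becomes 8, 8 becomes 16); if the previous values have shipped in a release, a program built against the old header that passes 4 for SHA384 now requests no-keys-no-NSECs instead, and 8 selects SHA384 where it meant SHA512. Appending the new flag keeps the existing values stable: `#define LDNS_SIGN_NO_KEYS_NO_NSECS 16` with the two ZONEMD lines left as they were. The new flag also lacks a doc comment, since the one above covers only `LDNS_SIGN_DNSKEY_WITH_ZSK`; suggest `/** Sign flag that skips NSEC/NSEC3 creation when the key list is empty */`.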