From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 15 Oct 2025 13:52:58 +0000 (+0200)
Subject: Add verbose option to rndc dnssec -status
X-Git-Tag: v9.21.16~11^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ff66f2924e46369db5baacba031e3b6764f3e53;p=thirdparty%2Fbind9.git

Add verbose option to rndc dnssec -status

This can be used to hide noisy details such as key states, and keys that
have been fully retired.
---

diff --git a/bin/named/server.c b/bin/named/server.c
index 8994022812b..7c370ddb247 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -14169,6 +14169,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
 	dst_algorithm_t algorithm = 0;
 	/* variables for -status */
 	bool status = false;
+	bool verbose = false;
 	char output[4096];
 	isc_stdtime_t now, when;
 	isc_time_t timenow, timewhen;
@@ -14208,6 +14209,25 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
 		CHECK(DNS_R_SYNTAX);
 	}
 
+	if (status) {
+		/* Check for options */
+		for (;;) {
+			ptr = next_token(lex, text);
+			if (ptr == NULL) {
+				msg = "Bad format";
+				CHECK(ISC_R_UNEXPECTEDEND);
+			} else if (argcheck(ptr, "v")) {
+				verbose = true;
+			} else if (ptr[0] == '-') {
+				msg = "Unknown option";
+				CHECK(DNS_R_SYNTAX);
+			} else {
+				zonetext = ptr;
+			}
+			break;
+		}
+	}
+
 	if (rollover || checkds) {
 		/* Check for options */
 		for (;;) {
diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst
index 53804fef570..0a47fba5fee 100644
--- a/bin/rndc/rndc.rst
+++ b/bin/rndc/rndc.rst
@@ -180,13 +180,13 @@ Currently supported commands are:
 
    See also :option:`rndc addzone` and :option:`rndc modzone`.
 
-.. option:: dnssec (-status | -step | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time]  published | withdrawn)) zone [class [view]]
+.. option:: dnssec (-status [-v] | -step | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time]  published | withdrawn)) zone [class [view]]
 
    This command allows you to interact with the "dnssec-policy" of a given
    zone.
 
    ``rndc dnssec -status`` show the DNSSEC signing state for the specified
-   zone.
+   zone. Add ``-v`` to show more verbose output on key states.
 
    ``rndc dnssec -step`` sends a signal to an instance of :iscman:`named` for a
    zone configured with ``dnssec-policy`` in manual mode, telling it to