From: Willem Toorop
Date: Thu, 22 Jan 2026 20:09:01 +0000 (+0100)
Subject: -O option to ldns-signzone to only calc ZONEMD
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;p=thirdparty%2Fldns.git
-O option to ldns-signzone to only calc ZONEMD
---
diff --git a/Changelog b/Changelog
index bd5290c1..b32d92ac 100644
--- a/Changelog
+++ b/Changelog
@@ -6,6 +6,8 @@ error, when size is 0
 * Fix to reserve enough space to convert the largest packets to
 presentation format in ldns_pkt2str_fmt. Thanks Peter Kästle
+ * The -O option to calculate (and sign) only the ZONEMD an input
+ zone with ldns-signzone
 1.9.0 2025-12-04
 * PR #246: Make ldns_calc_keytag() available for CDNSKEY RR
diff --git a/dnssec_zone.c b/dnssec_zone.c
index ef2359bb..d38f45b3 100644
--- a/dnssec_zone.c
+++ b/dnssec_zone.c
@@ -1930,9 +1930,6 @@ rr_list2dnssec_rrs(ldns_rr_list *rr_list, ldns_dnssec_rrs **rrs,
 }
-ldns_status
-dnssec_zone_equip_zonemd(ldns_dnssec_zone *zone,
- ldns_rr_list *new_rrs, ldns_key_list *key_list, int signflags);
 ldns_status
 dnssec_zone_equip_zonemd(ldns_dnssec_zone *zone,
 ldns_rr_list *new_rrs, ldns_key_list *key_list, int signflags)
@@ -1989,6 +1986,13 @@ dnssec_zone_equip_zonemd(ldns_dnssec_zone *zone,
 zonemd_rrset->next = *rrset_ref;
 *rrset_ref = zonemd_rrset;
 }
+ if (signflags & LDNS_SIGN_ONLY_ZONEMD) {
+ size_t i;
+
+ for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+ ldns_key_set_use(ldns_key_list_key(key_list, i), true);
+ }
+ }
 if ((zonemd_rrsigs = ldns_sign_public(zonemd_rr_list, key_list)))
 st = rr_list2dnssec_rrs( zonemd_rrsigs
 , &zonemd_rrset->signatures, new_rrs);
diff --git a/examples/ldns-signzone.1 b/examples/ldns-signzone.1
index dc0a776e..ac33f54c 100644
--- a/examples/ldns-signzone.1
+++ b/examples/ldns-signzone.1
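Review bot: The added `if (signflags & LDNS_SIGN_ONLY_ZONEMD)` block in dnssec_zone_equip_zonemd sets `use` to true on every key in the caller's key_list and never restores the previous values, so the ZONEMD-only key selection outlives the ldns_sign_public call that needed it; whether a later per-RRset pass resets the flags is not visible in this hunk. The reason for signing the ZONEMD with every supplied key regardless of its role is also undocumented. A why-comment above the loop, e.g. `/* LDNS_SIGN_ONLY_ZONEMD: sign the ZONEMD with every supplied key, overriding each key's use flag; the list is left with use set on all keys */`, would make both explicit, and if the override is meant to be local, saving and restoring the flags around ldns_sign_public would contain it. dnssec_zone_equip_zonemd starts and ends outside the hunk.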
@@ -80,6 +80,10 @@ Calculate the zone's digest and add those as ZONEMD RRs. The (optional)
 \fB-Z\fR
 Allow ZONEMDs to be added without signing
+.TP
+\fB-O\fR
+Only calculate (and sign) the ZONEMD for the input zone
+
 .TP
 \fB-A\fR
 Sign the DNSKEY record with all keys. By default it is signed with a
diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index 509a023d..294bcf36 100644
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -53,6 +53,7 @@ usage(FILE *fp, const char *prog) {
 fprintf(fp, "\t\t should be \"sha384\" or \"sha512\" (or 1 or 2)\n");
 fprintf(fp, "\t\tthis option can be given more than once\n");
 fprintf(fp, " -Z\t\tAllow ZONEMDs to be added without signing\n");
+ fprintf(fp, " -O\t\tOnly calculate (and sign) the ZONEMD for the input zone\n");
 fprintf(fp, " -A\t\tsign DNSKEY with all keys instead of minimal\n");
 fprintf(fp, " -U\t\tSign with every unique algorithm in the provided keys\n");
 #ifndef OPENSSL_NO_ENGINE
@@ -673,7 +674,7 @@ main(int argc, char *argv[])
 keys = ldns_key_list_new();
- while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:ZAUE:K:")) != -1) {
+ while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:ZOAUE:K:")) != -1) {
 switch (c) {
 case 'a':
 nsec3_algorithm = (uint8_t) atoi(optarg);
@@ -780,6 +781,9 @@ main(int argc, char *argv[])
 case 'Z':
 signflags |= LDNS_SIGN_NO_KEYS_NO_NSECS;
 break;
+ case 'O':
+ signflags |= LDNS_SIGN_ONLY_ZONEMD;
+ break;
 case 'A':
 signflags |= LDNS_SIGN_DNSKEY_WITH_ZSK;
 break;
@@ -1051,7 +1055,9 @@ main(int argc, char *argv[])
 result = ldns_dnssec_zone_sign_nsec3_flg_mkmap(signed_zone,
 added_rrs,
 keys,
- ldns_dnssec_default_replace_signatures,
+ ( signflags & LDNS_SIGN_ONLY_ZONEMD
+ ? ldns_dnssec_default_leave_signatures
+ : ldns_dnssec_default_replace_signatures ),
 NULL,
 nsec3_algorithm,
 nsec3_flags,
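Review bot: The new `case 'O'` only sets LDNS_SIGN_ONLY_ZONEMD; nothing in the hunk rejects `-O` given without a ZONEMD digest selection via `-z`, in which case there is no ZONEMD to calculate and the option silently degrades to whatever the sign path does with the flag alone. If main (which starts and ends outside the hunk) does not already check this after option parsing, and assuming `-z` maps onto the LDNS_SIGN_WITH_ZONEMD_SIMPLE_* bits, a guard such as `if ((signflags & LDNS_SIGN_ONLY_ZONEMD) && !(signflags & (LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 | LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512)))` that prints the usage and exits would make the misuse explicit. How `-O` combines with the adjacent `-Z` is likewise not stated in the hunk or in the new usage line.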
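Review bot: The three-line conditional expression passed as the signature callback to ldns_dnssec_zone_sign_nsec3_flg_mkmap is repeated verbatim in the ldns_dnssec_zone_sign_flg call in the next hunk, so the -O policy is decided at two sites that can drift apart. Choosing the callback once after option parsing, `int (*sig_func)(ldns_rr *, void *) = (signflags & LDNS_SIGN_ONLY_ZONEMD) ? ldns_dnssec_default_leave_signatures : ldns_dnssec_default_replace_signatures;`, and passing `sig_func` at both call sites keeps the decision in one place. A comment at that point saying why -O leaves existing RRSIGs untouched (presumably so that only the ZONEMD RRset receives fresh signatures) would document the intent. main starts and ends outside the hunk.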
@@ -1064,7 +1070,9 @@ main(int argc, char *argv[])
 result = ldns_dnssec_zone_sign_flg(signed_zone,
 added_rrs,
 keys,
- ldns_dnssec_default_replace_signatures,
+ ( signflags & LDNS_SIGN_ONLY_ZONEMD
+ ? ldns_dnssec_default_leave_signatures
+ : ldns_dnssec_default_replace_signatures ),
 NULL,
 signflags);
 }
diff --git a/ldns/dnssec_sign.h b/ldns/dnssec_sign.h
index 4523811f..8ccce101 100644
--- a/ldns/dnssec_sign.h
+++ b/ldns/dnssec_sign.h
@@ -17,6 +17,7 @@ extern "C" {
 #define LDNS_SIGN_NO_KEYS_NO_NSECS 4
 #define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 8
 #define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 16
+#define LDNS_SIGN_ONLY_ZONEMD 32
 /**
 * Create an empty RRSIG RR (i.e. without the actual signature data)
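Review bot: The new public flag `LDNS_SIGN_ONLY_ZONEMD` in dnssec_sign.h carries no description of what it changes, while its effects are spread over two other files in this commit (the key-use loop in dnssec_zone_equip_zonemd and the callback choice in ldns-signzone), so a library caller reading the header cannot tell what setting the bit does. A comment on the define, e.g. `/* Calculate (and sign) only the zone's ZONEMD; see ldns-signzone -O */`, would state the contract where callers look for it; what the library does with the bit beyond the key-use loop is not visible in this diff, so keep the wording to what the commit shows.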