simple do-not-add-dnskey option for ldns-signzone
authorJelte Jansen <jelte@NLnetLabs.nl>
Wed, 6 Aug 2008 14:42:07 +0000 (14:42 +0000)
committerJelte Jansen <jelte@NLnetLabs.nl>
Wed, 6 Aug 2008 14:42:07 +0000 (14:42 +0000)
(zones created with this will not verify with verify-zone atm)

examples/ldns-signzone.1
examples/ldns-signzone.c

index 8e4346665cc177ed0329210ae968a454f493e9ed..eaacc58a7cc412a3f1c25322d4b9b65c46613891 100644 (file)
@@ -30,6 +30,13 @@ they are either already present in the zone, or specified in a .key
 file, and have the KSK bit set.
 
 .SH OPTIONS
+.TP
+\fB-d\fR
+Normally, if the DNSKEY RR for a key that is used to sign the zone is
+not found in the zone file, it will be read from .key, or derived from
+the private key (in that order). This option turns that feature off,
+so that only the signatures are added to the zone.
+
 .TP
 \fB-e\fR \fIdate\fR
 Set expiration date of the signatures to this date, the format can be
index 6d921a8817611b00a848f7be7034e03269e64131..62d37d0a25a9d1d9b88fb5264a8fcff6b807f682 100644 (file)
@@ -31,6 +31,7 @@ void
 usage(FILE *fp, const char *prog) {
        fprintf(fp, "%s [OPTIONS] zonefile key [key [key]]\n", prog);
        fprintf(fp, "  signs the zone with the given key(s)\n");
+       fprintf(fp, "  -d\t\tused keys are not added to the zone\n");
        fprintf(fp, "  -e <date>\texpiration date\n");
        fprintf(fp, "  -f <file>\toutput zone to file (default <name>.signed)\n");
        fprintf(fp, "  -i <date>\tinception date\n");
@@ -155,7 +156,9 @@ main(int argc, char *argv[])
        int eng_key_algo;
        
        bool use_nsec3 = false;
-       
+
+       /* Add the given keys to the zone if they are not yet present */
+       bool add_keys = true;
        uint8_t nsec3_algorithm = 1;
        /*uint8_t nsec3_flags = 0;*/
        size_t nsec3_iterations_cmd = 1;
@@ -183,11 +186,14 @@ main(int argc, char *argv[])
 
        OPENSSL_config(NULL);
 
-       while ((c = getopt(argc, argv, "a:e:f:i:k:lno:s:t:v:E:K:")) != -1) {
+       while ((c = getopt(argc, argv, "a:de:f:i:k:lno:s:t:v:E:K:")) != -1) {
                switch (c) {
                case 'a':
                        nsec3_algorithm = (uint8_t) atoi(optarg);
                        break;
+               case 'd':
+                       add_keys = false;
+                       break;
                case 'e':
                        /* try to parse YYYYMMDD first,
                         * if that doesn't work, it
@@ -469,8 +475,12 @@ main(int argc, char *argv[])
                                 * if it matches, we drop our own. If not,
                                 * we try to see if there is a .key file present.
                                 * If not, we use our own generated one, with
-                                * some default values */
-                               
+                                * some default values 
+                                *
+                                * Even if -d (do-not-add-keys) is specified, 
+                                * we still need to do this, because we need
+                                * to have any key flags that are set this way
+                                */
                                pubkey_gen = ldns_key2rr(key);
 
                                if (verbosity >= 2) {
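Review bot: The rewritten comment lines `* some default values ` and `* Even if -d (do-not-add-keys) is specified, ` carry trailing whitespace, which the original line `* some default values */` did not. Trimming them keeps the block clean for later blame/diff, and the note itself is useful: it records why the .key lookup still runs under -d (the key flags from the existing DNSKEY are still needed). The surrounding loop body starts and ends outside this hunk.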
@@ -524,7 +534,10 @@ main(int argc, char *argv[])
                                                ldns_key_set_flags(key, ldns_rdf2native_int16(ldns_rr_rdf(pubkey, 0)));
                                                ldns_key_set_keytag(key, ldns_calc_keytag(pubkey));
                                        }
-                                       ldns_zone_push_rr(orig_zone, ldns_rr_clone(pubkey));
+                                       if (add_keys) {
+                                               ldns_zone_push_rr(orig_zone,
+                                                                          ldns_rr_clone(pubkey));
+                                       }
                                        ldns_rr_free(pubkey);
                                        fclose(keyfile);
                                        goto found;
@@ -535,8 +548,9 @@ main(int argc, char *argv[])
                                if (verbosity >= 2) {
                                        fprintf(stderr, "Not in zone, no .key file, generating DNSKEY from .private\n");
                                }
-                               ldns_zone_push_rr(orig_zone, pubkey_gen);
-                               
+                               if (add_keys) {
+                                       ldns_zone_push_rr(orig_zone, pubkey_gen);
+                               }
                                
                        found:
                                ldns_rr_free(pubkey_gen);
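Review bot: The push now guarded by `if (add_keys)` hands `pubkey_gen` itself to orig_zone, yet `found:` frees `pubkey_gen` unconditionally on the next line, so whenever -d is not given the zone appears to hold a pointer to an RR that has just been freed. The .key-file branch in the preceding hunk follows the safer pattern of pushing `ldns_rr_clone(pubkey)` and freeing the original afterwards. Unless ldns_zone_push_rr copies the RR, which cannot be confirmed from this hunk, the line should read `ldns_zone_push_rr(orig_zone, ldns_rr_clone(pubkey_gen));`. The enclosing main() and its per-key loop continue outside the hunk.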