dnssec-keygen: allow -f and -k together

The 'dnssec-keygen' tool now allows the options '-k <dnssec-policy>'
and '-f <flags>' together to create keys from a DNSSEC policy that only
match the given role. Allow setting '-fZ' to only create ZSKs, while
'-fK' will only create KSKs.

diff --git a/CHANGES b/CHANGES
index 2809892098831232827689be625f70c3db4e6ae2..00c0720632bf9d08614b75a9bab8949fa24dde66 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6376.  [func]          Allow 'dnssec-keygen' options '-f' and '-k' to be used
+                       together to create a subset of keys from the DNSSEC
+                       policy.
+
 6375.  [func]          Allow multiple RNDC message to be processed from
                        a single TCP read. [GL #4416]
 

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index ba68504234a0c64b465655f36dde818f142a014a..a7df14c127e19926ec66813f924a500f93c41115 100644 (file)
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -96,6 +96,7 @@ struct keygen_ctx {
        int options;
        int dbits;
        dns_ttl_t ttl;
+       uint16_t zskflag;
        uint16_t kskflag;
        uint16_t revflag;
        dns_secalg_t alg;
@@ -177,7 +178,7 @@ usage(void) {
        fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
        fprintf(stderr, "    -E <engine>:\n");
        fprintf(stderr, "        name of an OpenSSL engine to use\n");
-       fprintf(stderr, "    -f <keyflag>: KSK | REVOKE\n");
+       fprintf(stderr, "    -f <keyflag>: ZSK | KSK | REVOKE\n");
        fprintf(stderr, "    -F: FIPS mode\n");
        fprintf(stderr, "    -L <ttl>: default key TTL\n");
        fprintf(stderr, "    -p <protocol>: (default: 3 [dnssec])\n");
@@ -262,6 +263,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
        isc_result_t ret;
        dst_key_t *key = NULL;
        dst_key_t *prevkey = NULL;
+       uint16_t kskflag;
 
        UNUSED(argc);
 
@@ -551,10 +553,16 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
                ctx->directory = ".";
        }
 
+       if (ctx->ksk) {
+               kskflag = DNS_KEYFLAG_KSK;
+       } else {
+               kskflag = ctx->kskflag;
+       }
+
        if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
                flags |= ctx->signatory;
        } else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
-               flags |= ctx->kskflag;
+               flags |= kskflag;
                flags |= ctx->revflag;
        }
 
@@ -923,6 +931,8 @@ main(int argc, char **argv) {
                        c = (unsigned char)(isc_commandline_argument[0]);
                        if (toupper(c) == 'K') {
                                ctx.kskflag = DNS_KEYFLAG_KSK;
+                       } else if (toupper(c) == 'Z') {
+                               ctx.zskflag = 1;
                        } else if (toupper(c) == 'R') {
                                ctx.revflag = DNS_KEYFLAG_REVOKE;
                        } else {
@@ -1198,8 +1208,8 @@ main(int argc, char **argv) {
                if (ctx.size != -1) {
                        fatal("-k and -b cannot be used together");
                }
-               if (ctx.kskflag || ctx.revflag) {
-                       fatal("-k and -f cannot be used together");
+               if (ctx.revflag) {
+                       fatal("-k and -fR cannot be used together");
                }
                if (ctx.options & DST_TYPE_KEY) {
                        fatal("-k and -T KEY cannot be used together");
@@ -1214,9 +1224,9 @@ main(int argc, char **argv) {
                        ctx.use_nsec3 = false;
                        ctx.alg = DST_ALG_ECDSA256;
                        ctx.size = 0;
-                       ctx.kskflag = DNS_KEYFLAG_KSK;
                        ctx.ttl = 3600;
                        ctx.setttl = true;
+                       ctx.kskflag = DNS_KEYFLAG_KSK;
                        ctx.ksk = true;
                        ctx.zsk = true;
                        ctx.lifetime = 0;
@@ -1254,15 +1264,13 @@ main(int argc, char **argv) {
                        ctx.ttl = dns_kasp_dnskeyttl(kasp);
                        ctx.setttl = true;
 
-                       kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
-
-                       while (kaspkey != NULL) {
+                       for (kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+                            kaspkey != NULL;
+                            kaspkey = ISC_LIST_NEXT(kaspkey, link))
+                       {
                                ctx.use_nsec3 = false;
                                ctx.alg = dns_kasp_key_algorithm(kaspkey);
                                ctx.size = dns_kasp_key_size(kaspkey);
-                               ctx.kskflag = dns_kasp_key_ksk(kaspkey)
-                                                     ? DNS_KEYFLAG_KSK
-                                                     : 0;
                                ctx.ksk = dns_kasp_key_ksk(kaspkey);
                                ctx.zsk = dns_kasp_key_zsk(kaspkey);
                                ctx.lifetime = dns_kasp_key_lifetime(kaspkey);
@@ -1270,10 +1278,17 @@ main(int argc, char **argv) {
                                if (ctx.keystore != NULL) {
                                        check_keystore_options(&ctx);
                                }
-
+                               if (ctx.ksk && ctx.kskflag == 0 &&
+                                   ctx.zskflag != 0)
+                               {
+                                       continue;
+                               }
+                               if (ctx.zsk && ctx.zskflag == 0 &&
+                                   ctx.kskflag != 0)
+                               {
+                                       continue;
+                               }
                                keygen(&ctx, mctx, argc, argv);
-
-                               kaspkey = ISC_LIST_NEXT(kaspkey, link);
                        }
 
                        dns_kasp_detach(&kasp);

diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index cc721e0599d5190fe0b1acbff609cad0a694e25a..2e12fe60cd5e0529fd56e024350b67d42ef7f705 100644 (file)
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -105,7 +105,13 @@ Options
 .. option:: -f flag
 
    This option sets the specified flag in the flag field of the KEY/DNSKEY record.
-   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
+   The only recognized flags are ZSK (Zone-Signing Key), KSK (Key-Signing Key)
+   and REVOKE.
+
+   Note that ZSK is not a physical flag in the DNSKEY record, it is merely used
+   to explicitly tell that you want to create a ZSK. Setting :option:`-f` in
+   conjunction with :option:`-k` will result in generating keys that only
+   match the given role set with this option.
 
 .. option:: -F
 

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index f40a45f4d75d48eed5f81e70b3c1c0ad8ef5ee4c..11e9c68b01236b6d37bab078cbf43e46fe336a7c 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -44,6 +44,10 @@ Feature Changes
   ISC would like to thank Dominik Thalhammer for reporting the issue
   and preparing the initial patch. :gl:`#4416`
 
+- :iscman:`dnssec-keygen` now allows the options ``-k`` and ``-f`` to be
+  used together. This allows creating keys for a given :any:`dnssec-policy`
+  that match only the KSK (``-fK``) or ZSK (``-fZ``) role.
+
 Bug Fixes
 ~~~~~~~~~