From: Jelte Jansen
Date: Wed, 6 Aug 2008 14:42:07 +0000 (+0000)
Subject: simple do-not-add-dnskey option for ldns-signzone
X-Git-Tag: release-1.4.0~89
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4e0d23ecc8ce8babb33e3c1468bb1dfca9be6445;p=thirdparty%2Fldns.git
simple do-not-add-dnskey option for ldns-signzone (zones created with this will not verify with verify-zone atm)
---
diff --git a/examples/ldns-signzone.1 b/examples/ldns-signzone.1
index 8e434666..eaacc58a 100644
--- a/examples/ldns-signzone.1
+++ b/examples/ldns-signzone.1
@@ -30,6 +30,13 @@ they are either already present in the zone, or specified in a .key file, and have the KSK bit set.
 .SH OPTIONS
+.TP
+\fB-d\fR
+Normally, if the DNSKEY RR for a key that is used to sign the zone is
+not found in the zone file, it will be read from .key, or derived from
+the private key (in that order). This option turns that feature off,
+so that only the signatures are added to the zone.
+
 .TP
 \fB-e\fR \fIdate\fR
 Set expiration date of the signatures to this date, the format can be
diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index 6d921a88..62d37d0a 100644
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -31,6 +31,7 @@ void usage(FILE *fp, const char *prog)
 {
 fprintf(fp, "%s [OPTIONS] zonefile key [key [key]]\n", prog);
 fprintf(fp, " signs the zone with the given key(s)\n");
+ fprintf(fp, " -d\t\tused keys are not added to the zone\n");
 fprintf(fp, " -e \texpiration date\n");
 fprintf(fp, " -f \toutput zone to file (default .signed)\n");
 fprintf(fp, " -i \tinception date\n");
@@ -155,7 +156,9 @@ main(int argc, char *argv[])
 int eng_key_algo;
 bool use_nsec3 = false;
-
+
+ /* Add the given keys to the zone if they are not yet present */
+ bool add_keys = true;
 uint8_t nsec3_algorithm = 1;
 /*uint8_t nsec3_flags = 0;*/
 size_t nsec3_iterations_cmd = 1;
@@ -183,11 +186,14 @@ main(int argc, char *argv[])
 OPENSSL_config(NULL);
- while ((c = getopt(argc, argv, "a:e:f:i:k:lno:s:t:v:E:K:")) != -1) {
+ while ((c = getopt(argc, argv, "a:de:f:i:k:lno:s:t:v:E:K:")) != -1) {
 switch (c) {
 case 'a':
 nsec3_algorithm = (uint8_t) atoi(optarg);
 break;
+ case 'd':
+ add_keys = false;
+ break;
 case 'e':
 /* try to parse YYYYMMDD first,
 * if that doesn't work, it
@@ -469,8 +475,12 @@ main(int argc, char *argv[])
 * if it matches, we drop our own. If not,
 * we try to see if there is a .key file present.
 * If not, we use our own generated one, with
- * some default values */
-
+ * some default values
+ *
+ * Even if -d (do-not-add-keys) is specified,
+ * we still need to do this, because we need
+ * to have any key flags that are set this way
+ */
 pubkey_gen = ldns_key2rr(key);
 if (verbosity >= 2) {
@@ -524,7 +534,10 @@ main(int argc, char *argv[])
 ldns_key_set_flags(key, ldns_rdf2native_int16(ldns_rr_rdf(pubkey, 0)));
 ldns_key_set_keytag(key, ldns_calc_keytag(pubkey));
 }
- ldns_zone_push_rr(orig_zone, ldns_rr_clone(pubkey));
+ if (add_keys) {
+ ldns_zone_push_rr(orig_zone,
+ ldns_rr_clone(pubkey));
+ }
 ldns_rr_free(pubkey);
 fclose(keyfile);
 goto found;
@@ -535,8 +548,9 @@ main(int argc, char *argv[])
 if (verbosity >= 2) {
 fprintf(stderr, "Not in zone, no .key file, generating DNSKEY from .private\n");
 }
- ldns_zone_push_rr(orig_zone, pubkey_gen);
-
+ if (add_keys) {
+ ldns_zone_push_rr(orig_zone, pubkey_gen);
+ }
 found: ldns_rr_free(pubkey_gen);
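Review bot: The bool returned by ldns_zone_push_rr is dropped inside the new `if (add_keys)` block in the hunk at +534, and the generated-key hunk at +548 below does the same. A failed push (e.g. an allocation failure in the clone or the append) then lets the run continue with a zone whose signatures name a DNSKEY that is not in it, which is the un-verifiable output the commit message describes for -d, except that here the operator did not ask for it. Checking the result, `if (add_keys && !ldns_zone_push_rr(orig_zone, ldns_rr_clone(pubkey))) {` followed by an error on stderr and a non-zero exit, keeps that from happening silently. The enclosing key-loading loop starts and ends outside the hunk.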
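Review bot: On the add_keys path in the hunk at +548, `pubkey_gen` is handed to ldns_zone_push_rr and then released by the `ldns_rr_free(pubkey_gen)` at `found:` right after it, so the zone is left holding a pointer to a freed RR; unless ldns_zone_push_rr copies the record, which the hunk does not show and which the ldns push helpers do not do as far as I know, that is a use-after-free when the zone is signed and written, and a double free if the zone is later deep-freed. Only the new -d path avoids it. The .key-file branch in the hunk at +534 pushes `ldns_rr_clone(pubkey)` and frees its own copy; doing the same here, `ldns_zone_push_rr(orig_zone, ldns_rr_clone(pubkey_gen));`, makes the unconditional free at `found:` correct on every path. The enclosing key-loading loop continues past the end of the hunk.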