+2922 [contrib] Update zkt to version 1.0.
+
2921. [bug] The resolver could attempt to destroy a fetch context
to soon. [RT #19878]
+zkt 1.0 -- 15. June 2010
+
+* feat "/dev/urandom" check added to checkconfig()
+
+* feat Config compability switch (-C) added to zkt-conf
+
+* feat zkt-ls has a new switch -s to change sorting of domains from
+ subdomain before parent to subdomain below the parent
+
+* feat "zkt-ls -T" prints only parent trust anchor
+
+zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )
+
+* feat Several config parameter are printed now in a more consistent and
+ user friendly form.
+ SerialFormat "Incremental" could be abbreviated as "inc" on input.
+
+* bug use of AC_ARG_ENABLE macros changed in a way that it is possible
+ to use it as a "--disable-FEATURE" switch.
+
+* port no longer checking for malloc() in configue script.
+ Mainly because it checks only if malloc(0) is allowed and we do
+ not need this.
+
+* port --disable-color-mode added to configure script
+
+* bug Makro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac
+
+* misc man page zkt-keyman added
+
+* misc New command zkt-keyman added as replacement for dnssec-zkt's key
+ management functionality
+
+* misc man page zkt-ls added
+
+* port Check for ncurses added to Makefile.in
+
+* misc Color mode (Option -C) added to zkt-ls (experimental)
+ New source file tcap.c.
+
+* misc Deprecate "single linked list" version of ZKT. The binary tree
+ version is the default for years, so the VERSION string does no
+ longer contain a "T". Now, if someone insist on the single link
+ list version (configure --disable-tree) a "S" is added to the
+ version string.
+ Anyway, the code for the single link list version does no longer
+ have the same functionality and will be removed in one of the later
+ releases.
+
+* misc New command zkt-ls added as replacement for dnssec-zkt's key
+ listing functionality
+
+* func New key algorithms RSASHA256 and RSAHSHA512 added to dki.[ch]
+ and zconf.c
+ New parameter NSEC3 added. Now it's possible to configure
+ an NSEC3_OPTOUT zone.
+
+* bug Token parsing function gettok() fixed to recognize tokens
+ with dashes ("zone-statistics" was seen as "zone").
+ Thanks to Andreas Baess for finding this bug.
+
+* bug Fixed bug in (re)salting dynamic zones.
+ sig_zone() and gensalt() needs parameter change for this
+
+* func New option -a added to zkt-conf
+
+* func In zconf.c CONF_TIMEINT parameter are now able to recognize
+ "unset" values (which is represented internaly as 0)
+
+* func Set Max_TTL to sig lifetime for dynamic zones or if Max_TTL
+ is less than 1.
+ max_ttl checks in checkconfig() fixed.
+
+* func printconfigdiff() added to zconf.c and used by zkt-conf.
+ Now local configs are printed as diff to site wide config.
+
+* misc man page zkt-signer.8 changed to new command syntax
+
+* func Per domain logging added. Use parameter LogDomainDir to
+ enable it. For more details see file README.logging.
+
+* func distribute.sh supports new action type "distkeys" but is
+ currently not used
+
+* misc LOG_FNAMETMPL changed and moved from config_zkt.h to log.h
+
+* misc Default soa serial format changed from "Incremental"
+ to "Unixtime"
+
+* func dnssec-signer command renamed to zkt-signer. Man page updated.
+
+* func New command zkt-conf added as replacement for dnssec-zkt -Z
+
+* misc timeint2str() is now global (zconf.c)
+
+* func zfparse.c - a rudimentary zone file parser
+ scans minimum and maximum ttl values; adds $INCLUDE dnskey.db
+
+zkt 0.99d -- Not released
+
+* func Option SIG_DnsKeyKSK for DNSKEY signing with KSK only
+ added (only useful with BIND9.7)
+
+* misc For BIND 9.7 compability:
+ Run dnssec-signzone in compability mode ("-C") if
+ SigGenerateDS is true.
+ Run dnssec-keygen in compability mode ("-C -q")
+ Add option -u to dnssec-signzone if NSEC3 chaining is requested
+
zkt 0.99c -- 1. Aug 2009
* misc dnssec-signer command line option vars changed to storage
zkt 0.62 -- 13. May 2005
* func dnssec-signer: Option -o added.
- Now it works a little bit more like dnssec-signzone.
+ Now it works a bit more like dnssec-signzone.
* func strlist.c: prepstrlist and unprepstrlist functions get a
second parameter for the delimiter.
CFLAGS += -Wmissing-prototypes
CFLAGS += $(PROFILE) $(OPTIM)
LDFLAGS += $(PROFILE)
+LIBS = @LIBS@
PROJECT = @PACKAGE_TARNAME@
VERSION = @PACKAGE_VERSION@
HEADER = dki.h misc.h domaincmp.h zconf.h config_zkt.h \
config.h.in strlist.h zone.h zkt.h debug.h \
- ncparse.h log.h rollover.h nscomm.h soaserial.h
+ ncparse.h log.h rollover.h nscomm.h soaserial.h \
+ zfparse.h tcap.h
SRC_ALL = dki.c misc.c domaincmp.c zconf.c log.c
OBJ_ALL = $(SRC_ALL:.c=.o)
-SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c \
+SRC_SIG = zkt-signer.c zone.c ncparse.c rollover.c \
nscomm.c soaserial.c
OBJ_SIG = $(SRC_SIG:.c=.o)
-MAN_SIG = dnssec-signer.8
-PROG_SIG= dnssec-signer
+MAN_SIG = zkt-signer.8
+PROG_SIG= zkt-signer
-SRC_ZKT = dnssec-zkt.c strlist.c zkt.c
+SRC_CNF = zkt-conf.c zfparse.c
+OBJ_CNF = $(SRC_CNF:.c=.o)
+MAN_CNF = zkt-conf.8
+PROG_CNF= zkt-conf
+
+# shared sources
+SRC_KLS = strlist.c zkt.c tcap.c
+OBJ_KLS = $(SRC_KLS:.c=.o)
+
+SRC_KEY = zkt-keyman.c
+OBJ_KEY = $(SRC_KEY:.c=.o) $(OBJ_KLS)
+MAN_KEY = zkt-keyman.8
+PROG_KEY= zkt-keyman
+
+SRC_LS = zkt-ls.c
+OBJ_LS = $(SRC_LS:.c=.o) $(OBJ_KLS)
+MAN_LS = zkt-ls.8
+PROG_LS= zkt-ls
+
+SRC_ZKT = dnssec-zkt.c strlist.c zkt.c tcap.c
OBJ_ZKT = $(SRC_ZKT:.c=.o)
MAN_ZKT = dnssec-zkt.8
PROG_ZKT= dnssec-zkt
#MAN_SER = zkt-soaserial.8
PROG_SER= zkt-soaserial
-MAN_ALL = $(MAN_ZKT) $(MAN_SIG) #$(MAN_SER)
+SRC_PRG = $(SRC_SIG) $(SRC_CNF) $(SRC_ZKT) $(SRC_LS) $(SRC_SER) $(SRC_KEY)
+OBJ_PRG = $(SRC_PRG:.c=.o)
+PROG_PRG= $(PROG_SIG) $(PROG_CNF) $(PROG_ZKT) $(PROG_LS) $(PROG_SER) $(PROG_KEY)
+
+MAN_ALL = $(MAN_ZKT) $(MAN_SIG) $(MAN_LS) $(MAN_CNF) $(MAN_KEY)
OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
configure examples
-SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(OTHER) \
+SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_ZKT) $(SRC_KLS) \
+ $(SRC_LS) $(SRC_KEY) $(SRC_SER) $(OTHER) \
man configure.ac config.h.in doc
#MNTSAVE = $(SAVE) configure.ac config.h.in doc
-all: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
+all: $(PROG_CNF) $(PROG_ZKT) $(PROG_LS) $(PROG_SIG) $(PROG_SER) $(PROG_KEY)
macos: ## for MAC OS (depreciated)
macos:
$(PROG_SIG): $(OBJ_SIG) $(OBJ_ALL) Makefile
$(CC) $(LDFLAGS) $(OBJ_SIG) $(OBJ_ALL) -o $(PROG_SIG)
+ ln -f $(PROG_SIG) dnssec-signer
+
+$(PROG_CNF): $(OBJ_CNF) $(OBJ_ALL) Makefile
+ $(CC) $(LDFLAGS) $(OBJ_CNF) $(OBJ_ALL) -o $(PROG_CNF)
+
+$(PROG_KEY): $(OBJ_KEY) $(OBJ_ALL) Makefile
+ $(CC) $(LDFLAGS) $(LIBS) $(OBJ_KEY) $(OBJ_ALL) -o $(PROG_KEY)
$(PROG_ZKT): $(OBJ_ZKT) $(OBJ_ALL) Makefile
- $(CC) $(LDFLAGS) $(OBJ_ZKT) $(OBJ_ALL) -o $(PROG_ZKT)
+ $(CC) $(LDFLAGS) $(LIBS) $(OBJ_ZKT) $(OBJ_ALL) -o $(PROG_ZKT)
+
+$(PROG_LS): $(OBJ_LS) $(OBJ_ALL) Makefile
+ $(CC) $(LDFLAGS) $(LIBS) $(OBJ_LS) $(OBJ_ALL) -o $(PROG_LS)
$(PROG_SER): $(OBJ_SER) Makefile
$(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER)
install: ## install binaries in prefix/bin
-install: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
+install: $(PROG_PRG)
test -d $(prefix)/bin || mkdir -p $(prefix)/bin
- cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(prefix)/bin/
+ cp dnssec-signer $(PROG_PRG) $(prefix)/bin/
install-man: ## install man pages in mandir
install-man:
tags: ## create tags file
-tags: $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
- ctags $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
+#tags: $(SRC_ALL) $(SRC_PRG)
+tags: $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KEY) $(SRC_LS) $(SRC_SER) $(SRC_KLS)
+ ctags $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KEY) $(SRC_LS) $(SRC_SER) $(SRC_KLS)
clean: ## remove objectfiles and binaries
clean:
- -rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL) \
- $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
+ -rm -f $(OBJ_PRG) $(OBJ_ALL) $(PROG_PRG)
distclean: ## remove objectfiles, binaries and distribution files
distclean: clean
configure: configure.ac Makefile.in
autoconf && autoheader
-man: man/$(MAN_ZKT).html man/$(MAN_ZKT).pdf man/$(MAN_SIG).html man/$(MAN_SIG).pdf
-
-man/$(MAN_ZKT).html: man/$(MAN_ZKT)
- groff -Thtml -man -mhtml man/$(MAN_ZKT) > man/$(MAN_ZKT).html
-man/$(MAN_ZKT).pdf: man/$(MAN_ZKT)
- groff -Tps -man man/$(MAN_ZKT) | ps2pdf - man/$(MAN_ZKT).pdf
+man: man/$(MAN_KEY).html man/$(MAN_KEY).pdf \
+ man/$(MAN_SIG).html man/$(MAN_SIG).pdf \
+ man/$(MAN_LS).html man/$(MAN_LS).pdf \
+ man/$(MAN_CNF).html man/$(MAN_CNF).pdf
+
+man/$(MAN_KEY).html: man/$(MAN_KEY)
+ groff -Thtml -man -mhtml man/$(MAN_KEY) > man/$(MAN_KEY).html
+man/$(MAN_KEY).pdf: man/$(MAN_KEY)
+ groff -Tps -man man/$(MAN_KEY) | ps2pdf - man/$(MAN_KEY).pdf
+man/$(MAN_LS).html: man/$(MAN_LS)
+ groff -Thtml -man -mhtml man/$(MAN_LS) > man/$(MAN_LS).html
+man/$(MAN_LS).pdf: man/$(MAN_LS)
+ groff -Tps -man man/$(MAN_LS) | ps2pdf - man/$(MAN_LS).pdf
man/$(MAN_SIG).html: man/$(MAN_SIG)
groff -Thtml -man -mhtml man/$(MAN_SIG) > man/$(MAN_SIG).html
man/$(MAN_SIG).pdf: man/$(MAN_SIG)
groff -Tps -man man/$(MAN_SIG) | ps2pdf - man/$(MAN_SIG).pdf
+man/$(MAN_CNF).html: man/$(MAN_CNF)
+ groff -Thtml -man -mhtml man/$(MAN_CNF) > man/$(MAN_CNF).html
+man/$(MAN_CNF).pdf: man/$(MAN_CNF)
+ groff -Tps -man man/$(MAN_CNF) | ps2pdf - man/$(MAN_CNF).pdf
$(PROJECT)-$(VERSION).tar.gz: $(SAVE)
)
depend:
- $(CC) -MM $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(SRC_ALL)
+ $(CC) -MM $(CFLAGS) $(SRC_PRG) $(SRC_ALL)
help:
@grep "^.*:[ ]*##" Makefile
## all dependicies
#:r !make depend
-#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
-dnssec-signer.o: dnssec-signer.c config_zkt.h zconf.h debug.h misc.h \
+#gcc -MM -g -DHAVE_CONFIG_H -I. -Wall -Wmissing-prototypes zkt-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c zkt-conf.c zfparse.c dnssec-zkt.c strlist.c zkt.c tcap.c zkt-ls.c strlist.c zkt.c tcap.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
+zkt-signer.o: zkt-signer.c config.h config_zkt.h zconf.h debug.h misc.h \
ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h
-zone.o: zone.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h \
- zone.h
+zone.o: zone.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \
+ dki.h zone.h
ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h
-rollover.o: rollover.c config_zkt.h zconf.h debug.h misc.h zone.h dki.h \
- log.h rollover.h
-nscomm.o: nscomm.c config_zkt.h zconf.h nscomm.h zone.h dki.h log.h \
- misc.h debug.h
-soaserial.o: soaserial.c config_zkt.h zconf.h log.h debug.h soaserial.h
-dnssec-zkt.o: dnssec-zkt.c config_zkt.h debug.h misc.h zconf.h strlist.h \
- dki.h zkt.h
+rollover.o: rollover.c config.h config_zkt.h zconf.h debug.h misc.h \
+ zone.h dki.h log.h rollover.h
+nscomm.o: nscomm.c config.h config_zkt.h zconf.h nscomm.h zone.h dki.h \
+ log.h misc.h debug.h
+soaserial.o: soaserial.c config.h config_zkt.h zconf.h log.h debug.h \
+ soaserial.h
+zkt-conf.o: zkt-conf.c config.h config_zkt.h debug.h misc.h zconf.h \
+ zfparse.h
+zfparse.o: zfparse.c config.h config_zkt.h zconf.h log.h debug.h \
+ zfparse.h
+dnssec-zkt.o: dnssec-zkt.c config.h config_zkt.h debug.h misc.h zconf.h \
+ strlist.h dki.h zkt.h
+strlist.o: strlist.c strlist.h
+zkt.o: zkt.c config.h config_zkt.h dki.h misc.h zconf.h strlist.h \
+ domaincmp.h tcap.h zkt.h
+tcap.o: tcap.c config.h config_zkt.h tcap.h
+zkt-ls.o: zkt-ls.c config.h config_zkt.h debug.h misc.h zconf.h strlist.h \
+ dki.h tcap.h zkt.h
strlist.o: strlist.c strlist.h
-zkt.o: zkt.c config_zkt.h dki.h misc.h zconf.h strlist.h zkt.h
-zkt-soaserial.o: zkt-soaserial.c config_zkt.h
-dki.o: dki.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h
-misc.o: misc.c config_zkt.h zconf.h log.h debug.h misc.h
+zkt.o: zkt.c config.h config_zkt.h dki.h misc.h zconf.h strlist.h \
+ domaincmp.h tcap.h zkt.h
+tcap.o: tcap.c config.h config_zkt.h tcap.h
+zkt-soaserial.o: zkt-soaserial.c config.h config_zkt.h
+dki.o: dki.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \
+ dki.h
+misc.o: misc.c config.h config_zkt.h zconf.h log.h debug.h misc.h
domaincmp.o: domaincmp.c domaincmp.h
-zconf.o: zconf.c config_zkt.h debug.h misc.h zconf.h dki.h
-log.o: log.c config_zkt.h misc.h zconf.h debug.h log.h
+zconf.o: zconf.c config.h config_zkt.h debug.h misc.h zconf.h dki.h
+log.o: log.c config.h config_zkt.h misc.h zconf.h debug.h log.h
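Review bot: The three new link rules for zkt-keyman, dnssec-zkt and zkt-ls place `$(LIBS)` before the object files (`$(CC) $(LDFLAGS) $(LIBS) $(OBJ_KEY) $(OBJ_ALL) -o $(PROG_KEY)`), so a linker that discards libraries nothing has referenced yet (GNU ld with `--as-needed`, the default on several distributions) drops `-lncurses` before any object needs tgetent and the link fails with undefined references. Libraries should follow the objects that use them: `$(CC) $(LDFLAGS) $(OBJ_KEY) $(OBJ_ALL) $(LIBS) -o $(PROG_KEY)`, and the same reordering in the `$(PROG_ZKT)` and `$(PROG_LS)` rules. Separately, the `$(PROG_SIG)` rule now creates the compatibility hard link `dnssec-signer`, but the rewritten `clean` recipe removes only `$(OBJ_PRG) $(OBJ_ALL) $(PROG_PRG)`, so a stale `dnssec-signer` binary survives `make clean`; `-rm -f $(OBJ_PRG) $(OBJ_ALL) $(PROG_PRG) dnssec-signer` closes that. The regenerated dependency list also repeats the `strlist.o`, `zkt.o` and `tcap.o` rules because the `gcc -MM` command line names those sources twice (once via SRC_ZKT, once for zkt-ls); make merges the duplicates, but the list is easier to maintain with each rule stated once.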
# README dnssec zone key tool
#
# (c) March 2005 - Aug 2009 by Holger Zuleger hznet
-# (c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho)
-# (c) for zconf.c by Jeroen Masar & Holger Zuleger
+# (c) domaincmp() Aug 2005 by Karle Boss & H. Zuleger (kaho)
+# (c) zconf.c by Jeroen Masar & Holger Zuleger
#
For more information about the DNSSEC Zone Key Tool please
You can also subscribe to the zkt-users@sourceforge.net mailing list
on the following website: https://lists.sourceforge.net/lists/listinfo/zkt-users
-The complete software stands under BSD licence (see LICENCE file)
+The ZKT software is licenced under BSD (see LICENCE file)
To build the software:
a) Get the current version of zkt
- $ wget http://www.hznet.de/dns/zkt/zkt-0.99c.tar.gz
+ $ wget http://www.hznet.de/dns/zkt/zkt-1.0.tar.gz
b) Unpack
- $ tar xzvf zkt-0.99c.tar.gz
+ $ tar xzvf zkt-1.0.tar.gz
-c) Change to dir
- $ cd zkt-0.99c
+c) Change to source directory
+ $ cd zkt-1.0
d) Run configure script
$ ./configure
-e) (optional) Edit config_zkt.h
-
-f) Compile
+e) Compile
$ make
-g) Install
+f) Install
# make install
# make install-man
-h) (optional) Install and modify the default dnssec.conf file
- $ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf
+
+Prepare your setup:
+a) (optional) Install or rebuild the default dnssec.conf file
+ $ zkt-conf -d -w # Install new file
+ or
+ $ zkt-conf -s -w # rebuild existing file
+
+b) (optional) Change default parameters
+ $ zkt-conf -s -O "Zonedir: /var/named/zones" -w
+ or use your prefered editor
$ vi /var/named/dnssec.conf
-i) Prepare your zones for zkt
- Have a look at the presentation I've held at the DE-CIX technical
- meeting (http://www.hznet.de/dns/dnssec-decix050916.pdf)
- It will give you an overview of how to configure a zone for zkt usage.
+c) Prepare one of your zone for zkt
+ $ cd /var/name/zones/net/example.net # change dir to zone directory
+ $ cp <zonefile> zone.db # copy and rename existing zone file to "zone.db"
+ $ zkt-conf -w zone.db # create local dnssec.conf file and include dnskey.db into zone file
#
# Introduction into the new logging feature
# available since v0.96
+# Per domain logging is enabled since v1.0
#
In previous version of dnssec-signer every message was written
was handled by a redirection of those chanels to the logger command
or to a file.
-Now, since version v0.96, the dnssec-signer command is able to log all
-messages by itself. File and SYSLOG logging is supported.
+Since v0.96, the dnssec-signer command is able to log all messages
+by itself. File and SYSLOG logging is supported.
To enable the logging into a file channel, you have to specify
the file or directory name via the commandline option -L (--logfile)
LogFile: ""|"<file>"|"<directory>" (default is "")
If a file is specified, than each run of dnssec-signer will append the
messages to that file. If a directory is specified, than a file with a
-name of zkt-<ISOdate&timeUTC>.log" will be created on each dnssec-signer run.
+name of zkt-<ISOdate&timeUTC>+log" will be created on each dnssec-signer run.
+
+Since v1.0 per domain logging is possible.
+If the parameter "LogDomainDir:" is not empty, than the domain specific messages
+are written to a separate log file with a name like "zkt-<domainname>+log" in the
+directory specified by the parameter.
+If "LogDomainDir:" is set to ".", then the logfile will be created in the domain
+directory of the zone.
Logging into the syslog channel could be enabled via the config file
parameter "SyslogFacility".
SyslogFacility: USER
SyslogLevel: NOTICE
VerboseLog: 2
-
--
TODO list as of zkt-0.99
general:
- Renaming of the tools to zkt-* ?
+ Renaming to zkt-? and split of the functions of dnssec-zkt to
+ separate commands
+ Fixed in zkt-1.0 (zkt-conf command)
dnssec-zkt:
feat option to specify the key age as remaining lifetime
The dnssec maintainer is responsible for the lifeliness of the
data in the hosted domain.
In other words: It's highly recommended to use the
- option -r when you use dnssec-signer on a production zone.
+ option -r when you use zkt-signer on a production zone.
Then the time of propagation is (more or less) equal to the timestamp
of the zone.db.signed file.
- bug The max_TTL and Key_TTL parameter should be set to the value found
- in the zone. A mechanism for setting up a dnssec.conf file for the
- zone specific TTL values is needed.
+ bug The max_TTL parameter should be set to the value found
+ in the zone. A mechanism for setting up a dnssec.conf file
+ for the zone specific TTL values is needed.
+ Fixed in zkt-1.0 (zkt-conf command)
+
+zkt-conf:
+ port Option -C (compability) to create older config files
+ misc Change syntax of config parameters to a more uniq form (e.g. no "_" char)
+
+zkt-rollover:
+ feat New command to roll keys independent of zone signing
+ (Usefull for dynamic zones managed by BIND9.7)
dki:
feat Use dynamic memory for dname in dki_t
-
/* Define to 1 if the `closedir' function returns void instead of `int'. */
#undef CLOSEDIR_VOID
+/* zkt-ls with colors */
+#undef COLOR_MODE
+
/* set path of config file (defaults to /var/named) */
#undef CONFIG_PATH
/* Define to 1 if you have the `alarm' function. */
#undef HAVE_ALARM
+/* Define to 1 if you have the <curses.h> header file. */
+#undef HAVE_CURSES_H
+
/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
*/
#undef HAVE_DIRENT_H
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
-/* Define to 1 if your system has a GNU libc compatible `malloc' function, and
- to 0 otherwise. */
-#undef HAVE_MALLOC
+/* Define to 1 if you have the `ncurses' library (-lncurses). */
+#undef HAVE_LIBNCURSES
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
+/* Define to 1 if you have the <term.h> header file. */
+#undef HAVE_TERM_H
+
/* Define to 1 if you have the `timegm' function. */
#undef HAVE_TIMEGM
/* Define to the version of this package. */
#undef PACKAGE_VERSION
-/* print age of year */
-#undef PRINT_AGE_OF_YEAR
+/* print age with year */
+#undef PRINT_AGE_WITH_YEAR
/* print out timezone */
#undef PRINT_TIMEZONE
/* Use TREE data structure for dnssec-zkt */
#undef USE_TREE
+/* ZKT copyright string */
+#undef ZKT_COPYRIGHT
+
/* ZKT version string */
#undef ZKT_VERSION
/* Define to `int' if <sys/types.h> doesn't define. */
#undef gid_t
-/* Define to rpl_malloc if the replacement function should be used. */
-#undef malloc
-
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
#ifndef CONFIG_ZKT_H
# define CONFIG_ZKT_H
-#ifndef LOG_FNAMETMPL
-# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
-#endif
-
/* don't change anything below this */
/* the values here are determined or settable via the ./configure script */
/* # define HAVE_GETOPT_LONG 1 */
/* # define HAVE_STRFTIME 1 */
+#ifndef COLOR_MODE
+# define COLOR_MODE 1
+#endif
+
#ifndef TTL_IN_KEYFILE_ALLOWED
# define TTL_IN_KEYFILE_ALLOWED 1
#endif
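Review bot: The new fallback `# define COLOR_MODE 1` switches colour mode on whenever config.h has not defined it, which is the opposite of what the configure script does: there `color_mode` stays 1 only after the `-lncurses` link test succeeds and is forced to 0 by `--without-curses`. If the colour code in tcap.c calls into curses/termcap (the new HAVE_LIBNCURSES, HAVE_CURSES_H and HAVE_TERM_H probes suggest it does), a build that compiles without config.h would pull that code in with no library behind it. Defaulting to the conservative value, `# define COLOR_MODE 0`, keeps the header consistent with configure, and a one-line comment on the block, `/* normally set by configure (--disable-color-mode, --without-curses); this is only the fallback */`, would make the relationship clear to the next reader.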
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for ZKT 0.99c.
+# Generated by GNU Autoconf 2.61 for ZKT 1.0.
#
# Report bugs to <Holger Zuleger hznet.de>.
#
# Identity of this package.
PACKAGE_NAME='ZKT'
PACKAGE_TARNAME='zkt'
-PACKAGE_VERSION='0.99c'
-PACKAGE_STRING='ZKT 0.99c'
+PACKAGE_VERSION='1.0'
+PACKAGE_STRING='ZKT 1.0'
PACKAGE_BUGREPORT='Holger Zuleger hznet.de'
-ac_unique_file="dnssec-zkt.c"
+ac_unique_file="zkt-signer.c"
# Factoring default headers for most tests.
ac_includes_default="\
#include <stdio.h>
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures ZKT 0.99c to adapt to many kinds of systems.
+\`configure' configures ZKT 1.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of ZKT 0.99c:";;
+ short | recursive ) echo "Configuration of ZKT 1.0:";;
esac
cat <<\_ACEOF
Optional Features:
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
+ --disable-color-mode zkt without colors
--enable-print-timezone print out timezone
- --enable-print-age print age of year
+ --enable-print-age print age with year
--enable-log-progname log with progname
--disable-log-timestamp do not log with timestamp
--disable-log-level do not log with level
--disable-tree use single linked list instead of binary tree data
structure for dnssec-zkt
+Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+ --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
+ --without-curses Ignore presence of curses and disable color mode
+
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-ZKT configure 0.99c
+ZKT configure 1.0
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by ZKT $as_me 0.99c, which was
+It was created by ZKT $as_me 1.0, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
if test -z "$SIGNZONE_PROG" ; then
-# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
{ echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5
echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;}
else
_ACEOF
# define BIND_VERSION in config.h.in
- bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
+ bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[0-9]\012" | sed "s/^\(...\).*/\1/"`
cat >>confdefs.h <<_ACEOF
#define BIND_VERSION $bind_version
### define configure arguments
+# Check whether --enable-color_mode was given.
+if test "${enable_color_mode+set}" = set; then
+ enableval=$enable_color_mode;
+fi
+
+color_mode=1
+if test "$enable_color_mode" = "no"; then
+ color_mode=0
+fi
+
+
+
+# Check whether --with-curses was given.
+if test "${with_curses+set}" = set; then
+ withval=$with_curses;
+fi
+
+
+if test "x$with_curses" != "xno"; then
+
+{ echo "$as_me:$LINENO: checking for tgetent in -lncurses" >&5
+echo $ECHO_N "checking for tgetent in -lncurses... $ECHO_C" >&6; }
+if test "${ac_cv_lib_ncurses_tgetent+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lncurses $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char tgetent ();
+int
+main ()
+{
+return tgetent ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_ncurses_tgetent=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_ncurses_tgetent=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_ncurses_tgetent" >&5
+echo "${ECHO_T}$ac_cv_lib_ncurses_tgetent" >&6; }
+if test $ac_cv_lib_ncurses_tgetent = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBNCURSES 1
+_ACEOF
+
+ LIBS="-lncurses $LIBS"
+
+fi
+
+else
+ HAVE_LIB_NCURSES=0; color_mode=0
+fi
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define COLOR_MODE $color_mode
+_ACEOF
+
+
+
# Check whether --enable-printtimezone was given.
if test "${enable_printtimezone+set}" = set; then
- enableval=$enable_printtimezone; printtimezone=$enableval
+ enableval=$enable_printtimezone;
fi
printtimezone=0
-test "$printtimezone" = yes && printtimezone=1
+if test "$enable_printtimezone" = "yes"; then
+ printtimezone=1
+fi
+
cat >>confdefs.h <<_ACEOF
#define PRINT_TIMEZONE $printtimezone
# Check whether --enable-printyear was given.
if test "${enable_printyear+set}" = set; then
- enableval=$enable_printyear; printyear=$enableval
+ enableval=$enable_printyear;
fi
-printyear=0
test "$printyear" = yes && printyear=1
+printyear=0
+if test "$enable_printyear" = "yes"; then
+ printyear=1
+fi
+
cat >>confdefs.h <<_ACEOF
-#define PRINT_AGE_OF_YEAR $printyear
+#define PRINT_AGE_WITH_YEAR $printyear
_ACEOF
# Check whether --enable-logprogname was given.
if test "${enable_logprogname+set}" = set; then
- enableval=$enable_logprogname; logprogname=$enableval
+ enableval=$enable_logprogname;
fi
logprogname=0
-test "$logprogname" = yes && logprogname=1
+if test "$enable_logprogname" = "yes"; then
+ logprogname=1
+fi
+
cat >>confdefs.h <<_ACEOF
#define LOG_WITH_PROGNAME $logprogname
# Check whether --enable-logtimestamp was given.
if test "${enable_logtimestamp+set}" = set; then
- enableval=$enable_logtimestamp; logtimestamp=$enableval
+ enableval=$enable_logtimestamp;
fi
logtimestamp=1
-test "$logtimestamp" = no && logtimestamp=0
+if test "$enable_logtimestamp" = "no"; then
+ logtimestamp=0
+fi
+
cat >>confdefs.h <<_ACEOF
#define LOG_WITH_TIMESTAMP $logtimestamp
# Check whether --enable-loglevel was given.
if test "${enable_loglevel+set}" = set; then
- enableval=$enable_loglevel; loglevel=$enableval
+ enableval=$enable_loglevel;
fi
loglevel=1
-test "$loglevel" = no && loglevel=0
+if test "$enable_loglevel" = "no"; then
+ loglevel=0
+fi
+
cat >>confdefs.h <<_ACEOF
#define LOG_WITH_LEVEL $loglevel
# Check whether --enable-ttl_in_keyfile was given.
if test "${enable_ttl_in_keyfile+set}" = set; then
- enableval=$enable_ttl_in_keyfile; ttl_in_keyfile=$enableval
+ enableval=$enable_ttl_in_keyfile;
fi
ttl_in_keyfile=1
-test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
+if test "$enable_ttl_in_keyfile" = "no"; then
+ ttl_in_keyfile=0
+fi
+
cat >>confdefs.h <<_ACEOF
#define TTL_IN_KEYFILE_ALLOWED $ttl_in_keyfile
usetree=1
-t="T"
+t=""
# Check whether --enable-tree was given.
if test "${enable_tree+set}" = set; then
enableval=$enable_tree; usetree=$enableval
if test "$usetree" = no
then
usetree=0
- t=""
+ t="S"
fi
cat >>confdefs.h <<_ACEOF
cat >>confdefs.h <<_ACEOF
-#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
+#define ZKT_VERSION "$t$PACKAGE_VERSION"
_ACEOF
-### Checks for libraries.
+cat >>confdefs.h <<_ACEOF
+#define ZKT_COPYRIGHT "(c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de"
+_ACEOF
+
+### Checks for libraries.
### Checks for header files.
-for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h
+
+
+for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h term.h curses.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
fi
-for ac_header in stdlib.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
- { echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
- { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-else
- # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
- (eval "$ac_compile") 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && {
- test -z "$ac_c_werror_flag" ||
- test ! -s conftest.err
- } && test -s conftest.$ac_objext; then
- ac_header_compiler=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <$ac_header>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
- (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null && {
- test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
- test ! -s conftest.err
- }; then
- ac_header_preproc=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So? What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
- yes:no: )
- { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
- ac_header_preproc=yes
- ;;
- no:yes:* )
- { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
- ( cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to Holger Zuleger hznet.de ##
-## -------------------------------------- ##
-_ASBOX
- ) | sed "s/^/$as_me: WARNING: /" >&2
- ;;
-esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- eval "$as_ac_Header=\$ac_header_preproc"
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
- { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
- cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-{ echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5
-echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6; }
-if test "${ac_cv_func_malloc_0_nonnull+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test "$cross_compiling" = yes; then
- ac_cv_func_malloc_0_nonnull=no
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#if defined STDC_HEADERS || defined HAVE_STDLIB_H
-# include <stdlib.h>
-#else
-char *malloc ();
-#endif
-
-int
-main ()
-{
-return ! malloc (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
- (eval "$ac_link") 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
- (eval "$ac_try") 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_malloc_0_nonnull=yes
-else
- echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_func_malloc_0_nonnull=no
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5
-echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6; }
-if test $ac_cv_func_malloc_0_nonnull = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_MALLOC 1
-_ACEOF
-
-else
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_MALLOC 0
-_ACEOF
-
- case " $LIBOBJS " in
- *" malloc.$ac_objext "* ) ;;
- *) LIBOBJS="$LIBOBJS malloc.$ac_objext"
- ;;
-esac
-
-
-cat >>confdefs.h <<\_ACEOF
-#define malloc rpl_malloc
-_ACEOF
-
-fi
-
-
-
-
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by ZKT $as_me 0.99c, which was
+This file was extended by ZKT $as_me 1.0, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-ZKT config.status 0.99c
+ZKT config.status 1.0
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
# 2008-08-30 check for unsigned integer types
# 2008-10-01 if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort
# 2009-07-30 check for timegm() added
+# 2009-12-02 the tr command in bind_version= didn't work well under solaris
#
-AC_PREREQ(2.59)
+dnl AC_PREREQ(2.59)
### Package name and current version
-AC_INIT(ZKT, 0.99c, Holger Zuleger hznet.de)
-dnl AC_REVISION($Revision: 1.1 $)
+AC_INIT(ZKT, 1.0, Holger Zuleger hznet.de)
+dnl AC_REVISION($Revision: 1.1.82.1 $)
### Files to test to check if src dir contains the package
-AC_CONFIG_SRCDIR([dnssec-zkt.c])
+AC_CONFIG_SRCDIR([zkt-signer.c])
AC_CONFIG_HEADER([config.h])
### find out the path to BIND utils and version
AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone)
if test -z "$SIGNZONE_PROG" ; then
-# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
AC_MSG_WARN([*** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***])
else
bind_util_path=`dirname "$SIGNZONE_PROG"`
# define BIND_UTIL_PATH in config.h.in
AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities)
# define BIND_VERSION in config.h.in
- bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
+ bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[[0-9]]\012" | sed "s/^\(...\).*/\1/"`
AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots)
fi
AC_CHECK_TYPE(uchar, unsigned char)
### define configure arguments
-AC_ARG_ENABLE([printtimezone], AC_HELP_STRING( [--enable-print-timezone], [print out timezone]), [printtimezone=$enableval])
+AC_ARG_ENABLE([color_mode], AS_HELP_STRING([--disable-color-mode], [zkt without colors]))
+color_mode=1
+AS_IF([test "$enable_color_mode" = "no"], [color_mode=0])
+
+AC_ARG_WITH([curses],
+ AS_HELP_STRING([--without-curses], [Ignore presence of curses and disable color mode]))
+
+AS_IF([test "x$with_curses" != "xno"],
+ [AC_CHECK_LIB([ncurses],[tgetent])],
+ [HAVE_LIB_NCURSES=0; color_mode=0])
+
+AC_DEFINE_UNQUOTED(COLOR_MODE, $color_mode, zkt-ls with colors)
+
+
+dnl printtimezone is a default-disabled feature
+AC_ARG_ENABLE([printtimezone], AS_HELP_STRING( [--enable-print-timezone], [print out timezone]))
printtimezone=0
-test "$printtimezone" = yes && printtimezone=1
+AS_IF([test "$enable_printtimezone" = "yes"], [printtimezone=1])
AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, $printtimezone, print out timezone)
-AC_ARG_ENABLE([printyear], AC_HELP_STRING( [--enable-print-age], [print age of year]), [printyear=$enableval])
-printyear=0
+AC_ARG_ENABLE([printyear], AS_HELP_STRING( [--enable-print-age], [print age with year]))
test "$printyear" = yes && printyear=1
-AC_DEFINE_UNQUOTED(PRINT_AGE_OF_YEAR, $printyear, print age of year)
+printyear=0
+AS_IF([test "$enable_printyear" = "yes"], [printyear=1])
+AC_DEFINE_UNQUOTED(PRINT_AGE_WITH_YEAR, $printyear, print age with year)
-AC_ARG_ENABLE([logprogname], AC_HELP_STRING( [--enable-log-progname], [log with progname]), [logprogname=$enableval])
+AC_ARG_ENABLE([logprogname], AS_HELP_STRING( [--enable-log-progname], [log with progname]))
logprogname=0
-test "$logprogname" = yes && logprogname=1
+AS_IF([test "$enable_logprogname" = "yes"], [logprogname=1])
AC_DEFINE_UNQUOTED(LOG_WITH_PROGNAME, $logprogname, log with progname)
-AC_ARG_ENABLE([logtimestamp], AC_HELP_STRING( [--disable-log-timestamp], [do not log with timestamp]), [logtimestamp=$enableval])
+dnl logtimestamp is a default-enabled feature
+AC_ARG_ENABLE([logtimestamp], AS_HELP_STRING([--disable-log-timestamp], [do not log with timestamp]))
logtimestamp=1
-test "$logtimestamp" = no && logtimestamp=0
+AS_IF([test "$enable_logtimestamp" = "no"], [logtimestamp=0])
AC_DEFINE_UNQUOTED(LOG_WITH_TIMESTAMP, $logtimestamp, log with timestamp)
-AC_ARG_ENABLE([loglevel], AC_HELP_STRING( [--disable-log-level], [do not log with level]), [loglevel=$enableval])
+AC_ARG_ENABLE([loglevel], AS_HELP_STRING([--disable-log-level], [do not log with level]))
loglevel=1
-test "$loglevel" = no && loglevel=0
+AS_IF([test "$enable_loglevel" = "no"], [loglevel=0])
AC_DEFINE_UNQUOTED(LOG_WITH_LEVEL, $loglevel, log with level)
-AC_ARG_ENABLE([ttl_in_keyfile], AC_HELP_STRING( [--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]), [ttl_in_keyfile=$enableval])
+AC_ARG_ENABLE([ttl_in_keyfile], AS_HELP_STRING([--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]))
ttl_in_keyfile=1
-test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
+AS_IF([test "$enable_ttl_in_keyfile" = "no"], [ttl_in_keyfile=0])
AC_DEFINE_UNQUOTED(TTL_IN_KEYFILE_ALLOWED, $ttl_in_keyfile, TTL in keyfiles allowed)
configpath="/var/named"
AC_ARG_ENABLE([configpath],
- AC_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]),
+ AS_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]),
[configpath=$enableval])
case "$configpath" in
yes)
AC_DEFINE_UNQUOTED(CONFIG_PATH, "$configpath/", [set path of config file (defaults to /var/named)])
usetree=1
-t="T"
+t=""
AC_ARG_ENABLE([tree],
- AC_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]),
+ AS_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]),
[usetree=$enableval])
if test "$usetree" = no
then
usetree=0
- t=""
+ t="S"
fi
AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data structure for dnssec-zkt)
-AC_DEFINE_UNQUOTED(ZKT_VERSION, "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de", ZKT version string)
+AC_DEFINE_UNQUOTED(ZKT_VERSION, "$t$PACKAGE_VERSION", ZKT version string)
+AC_DEFINE_UNQUOTED(ZKT_COPYRIGHT, "(c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de", ZKT copyright string)
### Checks for libraries.
-
### Checks for header files.
AC_HEADER_DIRENT
AC_HEADER_STDC
-AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h])
+AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h term.h curses.h])
### Checks for typedefs, structures, and compiler characteristics.
### Checks for library functions.
+dnl AC_FUNC_MALLOC
AC_FUNC_CLOSEDIR_VOID
AC_FUNC_ERROR_AT_LINE
-AC_FUNC_MALLOC
AC_FUNC_MKTIME
AC_FUNC_STAT
AC_FUNC_STRFTIME
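Review bot: In the new --with-curses handling (the AS_IF around AC_CHECK_LIB) color_mode is only cleared when the user passes --without-curses; if the ncurses check itself fails, COLOR_MODE is still defined as 1 although nothing links against the library, and the `HAVE_LIB_NCURSES=0` assignment sets a shell variable that AC_CHECK_LIB never reads (it defines HAVE_LIBNCURSES in config.h), so it appears to have no effect unless something outside this hunk uses it. Tying the flag to the check result, `AC_CHECK_LIB([ncurses],[tgetent],[],[color_mode=0])`, keeps COLOR_MODE consistent with the library actually being present. The reworked bind_version pipeline still yields an empty string when dnssec-signzone prints no "Version:" line, which turns the AC_DEFINE_UNQUOTED into a valueless `#define BIND_VERSION` and makes any `BIND_VERSION >= 970` preprocessor test a syntax error instead of a false result; `test -n "$bind_version" || bind_version=0` before the AC_DEFINE_UNQUOTED would avoid that. The leftover `test "$printyear" = yes && printyear=1` between the printyear AC_ARG_ENABLE and the new `printyear=0` is dead code now and could go.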
}
#endif
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+# define KEYGEN_COMPMODE "-C -q " /* this is the compability mode needed by BIND 9.7 */
+#else
+# define KEYGEN_COMPMODE ""
+#endif
/*****************************************************************
** dki_new ()
** create new keyfile
if ( rfile && *rfile )
snprintf (randfile, sizeof (randfile), "-r %.250s ", rfile);
- if ( algo == DK_ALGO_RSA || algo == DK_ALGO_RSASHA1 )
+ if ( algo == DK_ALGO_RSA || algo == DK_ALGO_RSASHA1 || algo == DK_ALGO_RSASHA256 || algo == DK_ALGO_RSASHA512 )
expflag = "-e ";
if ( dir && *dir )
- snprintf (cmdline, sizeof (cmdline), "cd %s ; %s %s%s-n ZONE -a %s -b %d %s %s",
- dir, KEYGENCMD, randfile, expflag, dki_algo2str(algo), bitsize, flag, name);
+ snprintf (cmdline, sizeof (cmdline), "cd %s ; %s %s%s%s-n ZONE -a %s -b %d %s %s",
+ dir, KEYGENCMD, KEYGEN_COMPMODE, randfile, expflag, dki_algo2str(algo), bitsize, flag, name);
else
- snprintf (cmdline, sizeof (cmdline), "%s %s%s-n ZONE -a %s -b %d %s %s",
- KEYGENCMD, randfile, expflag, dki_algo2str(algo), bitsize, flag, name);
+ snprintf (cmdline, sizeof (cmdline), "%s %s%s%s-n ZONE -a %s -b %d %s %s",
+ KEYGENCMD, KEYGEN_COMPMODE, randfile, expflag, dki_algo2str(algo), bitsize, flag, name);
dbg_msg (cmdline);
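Review bot: The return value of both snprintf calls into cmdline is still unchecked, and the added `%s` for KEYGEN_COMPMODE makes the line longer, so a command that reaches sizeof (cmdline) is silently cut short and then passed on via dbg_msg (dki_new's body, including whatever runs the command, continues outside the hunk). Capturing the length and refusing to continue on `n < 0 || (size_t) n >= sizeof (cmdline)` turns a truncated keygen invocation into a clean failure. Separately, dir, rfile and name are spliced unquoted into a `cd %s ; ...` shell line, so any shell metacharacter in a configured directory or zone name changes what is run; validating those values against the characters a path or domain name may contain before building the line is the defensive fix, and a comment here naming that expectation would help even if the check lives elsewhere.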
case DK_ALGO_RSASHA1: return ("RSASHA1");
case DK_ALGO_NSEC3DSA: return ("NSEC3DSA");
case DK_ALGO_NSEC3RSASHA1: return ("NSEC3RSASHA1");
+ case DK_ALGO_RSASHA256: return ("RSASHA256");
+ case DK_ALGO_RSASHA512: return ("RSASHA512");
}
return ("unknown");
}
case DK_ALGO_RSASHA1: return ("RSASHA1");
case DK_ALGO_NSEC3DSA: return ("N3DSA");
case DK_ALGO_NSEC3RSASHA1: return ("N3RSA1");
+ case DK_ALGO_RSASHA256: return ("RSASHA2");
+ case DK_ALGO_RSASHA512: return ("RSASHA5");
}
return ("unknown");
}
return domaincmp (a->name, b->name);
}
+
+/*****************************************************************
+** dki_revnamecmp () return <0 | 0 | >0
+*****************************************************************/
+int dki_revnamecmp (const dki_t *a, const dki_t *b)
+{
+ if ( a == NULL ) return -1;
+ if ( b == NULL ) return 1;
+
+ return domaincmp_dir (a->name, b->name, 0);
+}
+
/*****************************************************************
** dki_tagcmp () return <0 | 0 | >0
*****************************************************************/
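Review bot: With a == NULL and b == NULL dki_revnamecmp returns -1, so two NULL operands do not compare equal; `if ( a == NULL ) return ( b == NULL ) ? 0 : -1;` gives a consistent ordering (dki_namecmp's NULL handling is outside the hunk, so if it shares this shortcut both should change together). The header comment only repeats the return contract while the literal 0 passed to domaincmp_dir carries the actual meaning; a line such as `** like dki_namecmp () but with the parent/subdomain order reversed (3rd arg of domaincmp_dir)` would make the difference visible — the direction is my inference from the name and should be confirmed against domaincmp_dir.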
/*****************************************************************
** dki_tadd () add a key to the given tree
*****************************************************************/
-dki_t *dki_tadd (dki_t **tree, dki_t *new)
+dki_t *dki_tadd (dki_t **tree, dki_t *new, int sub_before)
{
dki_t **p;
- p = tsearch (new, tree, dki_namecmp);
+ if ( sub_before )
+ p = tsearch (new, tree, dki_namecmp);
+ else
+ p = tsearch (new, tree, dki_revnamecmp);
if ( *p == new )
dbg_val ("dki_tadd: New entry %s added\n", new->name);
else
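Review bot: The comparator is now chosen per call, but tsearch keeps whatever order the tree was built with, so inserting into one tree with both values of sub_before produces a tree that neither comparator can search correctly; the header comment above should state that `** sub_before selects the name comparator and must be the same for every insert into a given tree`. The pointer returned by tsearch is dereferenced at `if ( *p == new )` without a NULL check, although tsearch returns NULL when it cannot allocate a node; `if ( p == NULL ) return NULL;` before the comparison would avoid that (dki_tadd's body continues outside the hunk, so the error return should match how callers treat its result).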
# define MAX_PATHSIZE (MAX_DNAMESIZE + 1 + MAX_FNAMESIZE)
/* algorithm types */
-# define DK_ALGO_RSA 1 /* RFC2537 */
-# define DK_ALGO_DH 2 /* RFC2539 */
-# define DK_ALGO_DSA 3 /* RFC2536 (mandatory) */
-# define DK_ALGO_EC 4 /* */
-# define DK_ALGO_RSASHA1 5 /* RFC3110 */
+# define DK_ALGO_RSA 1 /* RFC2537 */
+# define DK_ALGO_DH 2 /* RFC2539 */
+# define DK_ALGO_DSA 3 /* RFC2536 (mandatory) */
+# define DK_ALGO_EC 4 /* */
+# define DK_ALGO_RSASHA1 5 /* RFC3110 */
# define DK_ALGO_NSEC3DSA 6 /* symlink to alg 3 RFC5155 */
# define DK_ALGO_NSEC3RSASHA1 7 /* symlink to alg 5 RFC5155 */
+# define DK_ALGO_RSASHA256 8 /* RFCxxx */
+# define DK_ALGO_RSASHA512 10 /* RFCxxx */
+# define DK_ALGO_NSEC3RSASHA256 DK_ALGO_RSASHA256 /* same as non nsec algorithm RFCxxx */
+# define DK_ALGO_NSEC3RSASHA512 DK_ALGO_RSASHA512 /* same as non nsec algorithm RFCxxx */
/* protocol types */
# define DK_PROTO_DNS 3
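Review bot: The four new algorithm lines carry `RFCxxx` placeholders where the reference is known: code points 8 (RSASHA256) and 10 (RSASHA512) are assigned by RFC 5702, so the comments should read `/* RFC5702 */` (the NSEC3 aliases likewise). Because DK_ALGO_NSEC3RSASHA256/512 expand to the same values as the plain names, they cannot appear next to them as case labels in one switch (the switches in dki.c use only the plain names); a short note such as `/* alias: never use both names in the same switch */` would prevent a duplicate-case build error later.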
void twalk (const dki_t *root, void (*action)(const dki_t **nodep, VISIT which, int depth));
extern void dki_tfree (dki_t **tree);
-extern dki_t *dki_tadd (dki_t **tree, dki_t *new);
+extern dki_t *dki_tadd (dki_t **tree, dki_t *new, int sub_before);
extern int dki_tagcmp (const dki_t *a, const dki_t *b);
extern int dki_namecmp (const dki_t *a, const dki_t *b);
+extern int dki_revnamecmp (const dki_t *a, const dki_t *b);
extern int dki_allcmp (const dki_t *a, const dki_t *b);
#endif
/* it's better to do this before we read the whole directory tree */
if ( action == 'Z' )
{
+ fprintf (stderr, "The use of -Z is deprecated. Please use zkt-conf instead\n");
printconfig ("stdout", config);
return 0;
}
{
// fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
#if defined (USE_TREE) && USE_TREE
- dki_tadd (listp, dkp);
+ dki_tadd (listp, dkp, 1);
#else
dki_add (listp, dkp);
#endif
{
if ( (dkp = dki_read (path, file)) ) /* read DNS key file ... */
#if defined (USE_TREE) && USE_TREE
- dki_tadd (listp, dkp); /* ... and add to tree */
+ dki_tadd (listp, dkp, 1); /* ... and add to tree */
#else
dki_add (listp, dkp); /* ... and add to list */
#endif
+++ /dev/null
-%!PS-Adobe-3.0
-%%Creator: groff version 1.19.2
-%%CreationDate: Mon Jul 14 23:23:30 2008
-%%DocumentNeededResources: font Times-Bold
-%%+ font Times-Roman
-%%+ font Courier
-%%+ font Symbol
-%%DocumentSuppliedResources: procset grops 1.19 2
-%%Pages: 1
-%%PageOrder: Ascend
-%%DocumentMedia: Default 595 842 0 () ()
-%%Orientation: Portrait
-%%EndComments
-%%BeginDefaults
-%%PageMedia: Default
-%%EndDefaults
-%%BeginProlog
-%%BeginResource: procset grops 1.19 2
-%!PS-Adobe-3.0 Resource-ProcSet
-/setpacking where{
-pop
-currentpacking
-true setpacking
-}if
-/grops 120 dict dup begin
-/SC 32 def
-/A/show load def
-/B{0 SC 3 -1 roll widthshow}bind def
-/C{0 exch ashow}bind def
-/D{0 exch 0 SC 5 2 roll awidthshow}bind def
-/E{0 rmoveto show}bind def
-/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
-/G{0 rmoveto 0 exch ashow}bind def
-/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
-/I{0 exch rmoveto show}bind def
-/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
-/K{0 exch rmoveto 0 exch ashow}bind def
-/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
-/M{rmoveto show}bind def
-/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
-/O{rmoveto 0 exch ashow}bind def
-/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
-/Q{moveto show}bind def
-/R{moveto 0 SC 3 -1 roll widthshow}bind def
-/S{moveto 0 exch ashow}bind def
-/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
-/SF{
-findfont exch
-[exch dup 0 exch 0 exch neg 0 0]makefont
-dup setfont
-[exch/setfont cvx]cvx bind def
-}bind def
-/MF{
-findfont
-[5 2 roll
-0 3 1 roll
-neg 0 0]makefont
-dup setfont
-[exch/setfont cvx]cvx bind def
-}bind def
-/level0 0 def
-/RES 0 def
-/PL 0 def
-/LS 0 def
-/MANUAL{
-statusdict begin/manualfeed true store end
-}bind def
-/PLG{
-gsave newpath clippath pathbbox grestore
-exch pop add exch pop
-}bind def
-/BP{
-/level0 save def
-1 setlinecap
-1 setlinejoin
-72 RES div dup scale
-LS{
-90 rotate
-}{
-0 PL translate
-}ifelse
-1 -1 scale
-}bind def
-/EP{
-level0 restore
-showpage
-}def
-/DA{
-newpath arcn stroke
-}bind def
-/SN{
-transform
-.25 sub exch .25 sub exch
-round .25 add exch round .25 add exch
-itransform
-}bind def
-/DL{
-SN
-moveto
-SN
-lineto stroke
-}bind def
-/DC{
-newpath 0 360 arc closepath
-}bind def
-/TM matrix def
-/DE{
-TM currentmatrix pop
-translate scale newpath 0 0 .5 0 360 arc closepath
-TM setmatrix
-}bind def
-/RC/rcurveto load def
-/RL/rlineto load def
-/ST/stroke load def
-/MT/moveto load def
-/CL/closepath load def
-/Fr{
-setrgbcolor fill
-}bind def
-/setcmykcolor where{
-pop
-/Fk{
-setcmykcolor fill
-}bind def
-}if
-/Fg{
-setgray fill
-}bind def
-/FL/fill load def
-/LW/setlinewidth load def
-/Cr/setrgbcolor load def
-/setcmykcolor where{
-pop
-/Ck/setcmykcolor load def
-}if
-/Cg/setgray load def
-/RE{
-findfont
-dup maxlength 1 index/FontName known not{1 add}if dict begin
-{
-1 index/FID ne{def}{pop pop}ifelse
-}forall
-/Encoding exch def
-dup/FontName exch def
-currentdict end definefont pop
-}bind def
-/DEFS 0 def
-/EBEGIN{
-moveto
-DEFS begin
-}bind def
-/EEND/end load def
-/CNT 0 def
-/level1 0 def
-/PBEGIN{
-/level1 save def
-translate
-div 3 1 roll div exch scale
-neg exch neg exch translate
-0 setgray
-0 setlinecap
-1 setlinewidth
-0 setlinejoin
-10 setmiterlimit
-[]0 setdash
-/setstrokeadjust where{
-pop
-false setstrokeadjust
-}if
-/setoverprint where{
-pop
-false setoverprint
-}if
-newpath
-/CNT countdictstack def
-userdict begin
-/showpage{}def
-/setpagedevice{}def
-}bind def
-/PEND{
-countdictstack CNT sub{end}repeat
-level1 restore
-}bind def
-end def
-/setpacking where{
-pop
-setpacking
-}if
-%%EndResource
-%%EndProlog
-%%BeginSetup
-%%BeginFeature: *PageSize Default
-<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice
-%%EndFeature
-%%IncludeResource: font Times-Bold
-%%IncludeResource: font Times-Roman
-%%IncludeResource: font Courier
-%%IncludeResource: font Symbol
-grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
-def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
-/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
-/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
-/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
-/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
-/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
-/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
-/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
-/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
-/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
-/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
-/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
-/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
-/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
-/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
-/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
-/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
-/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
-/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
-/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
-/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
-/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
-/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
-/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
-/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
-/Times-Bold@0 ENC0/Times-Bold RE
-%%EndSetup
-%%Page: 1 1
-%%BeginPageSetup
-BP
-%%EndPageSetup
-/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G
-(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235
-(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G
-(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57
-(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E
-(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0
-SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E
-26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10
-/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89
-E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2
-(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F
-26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1
-17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E
--.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1
-(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69
--.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1
-(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385)
--64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G
-46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G
-61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H
-(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52
-(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695
-E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL
-280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1
-196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r)
--.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. Zone)72 285.2 R
-(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr)
--2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035
-(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72
-318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo)
-.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62
-(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d)
--.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41
--.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R
-33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32
-297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95
-362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo)
--.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G
-(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F
--.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1
-F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72
-428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H
-(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q
-(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a)
--.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09
-(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q
-(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2)
-5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48
-402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. K)72 511.2 R
-(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G
-(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1
-F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo)
-.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1
-(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8
-Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1
-(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N
-33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I
-(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4
-Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E
-(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q
-(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5
-DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha)
-2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3
--.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E
-(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5
-2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E
-(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol
-SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP
-%%Trailer
-end
-%%EOF
+++ /dev/null
-
-
-
-Intended Status: Informational O. Gudmundsson
-Network Working Group OGUD Consulting LLC
-Internet-Draft J. Ihren
-Expires: August 21, 2008 AAB
- February 18, 2008
-
-
- Names of States in the life of a DNSKEY
- draft-gudmundsson-life-of-dnskey-00
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 21, 2008.
-
-Copyright Notice
-
- Copyright (C) The IETF Trust (2008).
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 1]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-Abstract
-
- This document recommends a specific terminology to use when
- expressing the state that a DNSKEY is in at particular time. This
- does not affect how the protocol operates in any way.
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. DNSKEY timeline . . . . . . . . . . . . . . . . . . . . . . . 4
- 3. Life stages of a DNSKEY . . . . . . . . . . . . . . . . . . . 5
- 3.1. Generated . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3.2. Published . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3.2.1. Pre-Publication . . . . . . . . . . . . . . . . . . . 5
- 3.2.2. Out-Of-Band Publication . . . . . . . . . . . . . . . 5
- 3.3. Active . . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3.4. Retired . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3.5. Removed . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 3.5.1. Lame . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 3.5.2. Stale . . . . . . . . . . . . . . . . . . . . . . . . 6
- 3.6. Revoked . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 4. Security considerations . . . . . . . . . . . . . . . . . . . 7
- 5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8
- 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
- 6.1. Normative References . . . . . . . . . . . . . . . . . . . 9
- 6.2. Informative References . . . . . . . . . . . . . . . . . . 9
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
- Intellectual Property and Copyright Statements . . . . . . . . . . 11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 2]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-1. Introduction
-
- When the editors of this document where comparing their DNSSEC key
- management projects they discovered that they where discussing
- roughly the same thing but using different terminology.
-
- This document presents a unified terminology to use when describing
- the current state of a DNSKEY.
-
- The DNSSEC standards documents ([1], [2] and [3]) do not address the
- required states for the key management of a DNSSEC key. The DNSSEC
- Operational Practices [4] document does propose that keys be
- published before use but uses inconsistent or confusing terms. This
- document assumes basic understanding of DNSSEC and key management.
-
- The terms proposed in this document attempt to avoid any confusion
- and make the states of keys to be as clear as possible. The terms
- used in this document are intended as a operational supplement to the
- terms defined in Section 2 of [1].
-
- To large extent this discussion is motivated by Trust anchor keys but
- the same terminology can be used for zone signing keys.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 3]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-2. DNSKEY timeline
-
- The model in this document is that keys progress through a state
- machine along a one-way path, keys never move to an earlier states.
-
-
-
- GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED
- | ^ | | | ^
- | | | | v |
- +--> Pre-PUBLISHED--+ +--------+---------> REVOKED ---+
-
-
- DNSKEY time line.
-
- There are few more states that are defined below but these apply only
- to the publisher of TA's and the consumer of TA's. Two of these are
- sub-sets of the Published state, the other two are error states.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 4]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-3. Life stages of a DNSKEY
-
-3.1. Generated
-
- Once a key is generated it enters state Generated and stays there
- until the next state. While in this state only the owner of the key
- is aware of its existence and can prepare for its future use.
-
-3.2. Published
-
- Once the key is added to the DNSKEY set of a zone the key is there
- for the world to see, or published. The key needs to remain in this
- state for some time to propagate to all validators that have cached
- the prior version of the DNSKEY set. In the case of KSK the key
- should remain in this state for a longer time as documented in DNSSEC
- Timers RFC [5].
-
-3.2.1. Pre-Publication
-
- In certain circumstances a zone owner may want to give out a new
- Trust Anchor before exposing the actual public key. In this case the
- zone can publish a DS record of the key. This allows others to
- configure the trust anchor but will not be able to use the key until
- the key is published in the DNSKEY RRset.
-
-3.2.2. Out-Of-Band Publication
-
- In certain circumstances a domain may want to give out a new Trust
- Anchor outside DNS to give others a long lead time to configure the
- new key as trust anchor. The reason people may want to do this is to
- keep the size of the DNSKEY set smaller and only add new trust anchor
- just before the key goes into use. One likely use for this is the
- DNS "." root key as it does not have a parent that can publish a DS
- record for it. The publication mechanism does not matter it can be
- any one of web-site, advertisement in Financial Times and other
- international publication, e-mail to DNS related mailing lists, etc..
-
-3.3. Active
-
- The key is in ACTIVE state while it is actively signing data in the
- zone it resides in. It is one of the the keys that are signing the
- zone or parts of the zone.
-
-3.4. Retired
-
- When the key is no longer used for signing the zone it enters state
- Retired. In this state there may still be signatures by the key in
- cached data from the zone available at recursive servers, but the
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 5]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
- authoritative servers for the zone do no longer carry any signatures
- generated by the key.
-
-3.5. Removed
-
- Once the key is removed from the DNSKEY RRset it enters the state
- Removed. At this point all signatures by the key that may still be
- temporarily valid will fail to verify once the validator refreshes
- the DNSKEY RRset in its memory.
-
- Therefore "removal" of a key is typically not done until all the
- cached signatures have expired. Entering this state too early may
- cause number of validators to end up with STALE Trust Anchors.
-
-3.5.1. Lame
-
- A Trust Anchor is Lame if the parent continues to publish DS pointing
- to the key after it has been removed from the DNSKEY RRset. A Trust
- Anchor is arguably Lame if there are no signatures by a Retired KSK
- in the zone.
-
-3.5.2. Stale
-
- A Stale Trust Anchor is an old TA that remains in a validators list
- of active key(s) after the key has been removed from the zone's
- DNSKEY RRset.
-
-3.6. Revoked
-
- There are times when a zone wants to signal that a particular key
- should not be used at all. The mechanism to do this is to set the
- REVOKE bit [5]. Any key in any of the while the key is the DNSSKEY
- set can be exited to Revoked state. After some time in the Revoke
- state the key will be Removed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 6]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-4. Security considerations
-
- TBD
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 7]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-5. IANA considerations
-
- This document does not have any IANA actions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 8]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-6. References
-
-6.1. Normative References
-
-6.2. Informative References
-
- [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
- [4] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
- RFC 4641, September 2006.
-
- [5] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
- Anchors", RFC 5011, September 2007.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 9]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-Authors' Addresses
-
- Olafur Gudmundsson
- OGUD Consulting LLC
- 3821 Village Park Drive
- Chevy Chase, MD 20815
- USA
-
- Email: ogud@ogud.com
-
-
- Johan Ihren
- Automatica, AB
- Bellmansgatan 30
- Stockholm, SE-118 47
- Sweden
-
- Email: johani@automatica.se
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 10]
-\f
-Internet-Draft DNSSEC Key life stages. February 2008
-
-
-Full Copyright Statement
-
- Copyright (C) The IETF Trust (2008).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
- THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-Gudmundsson & Ihren Expires August 21, 2008 [Page 11]
-\f
+++ /dev/null
-
-
-
-DNSOP O. Kolkman
-Internet-Draft NLnet Labs
-Obsoletes: 2541 (if approved) R. Gieben
-Intended status: BCP
-Expires: September 8, 2009 March 7, 2009
-
-
- DNSSEC Operational Practices, Version 2
- draft-ietf-dnsop-rfc4641bis-01
-
-Status of This Memo
-
- This Internet-Draft is submitted to IETF in full conformance with the
- provisions of BCP 78 and BCP 79. This document may contain material
- from IETF Documents or IETF Contributions published or made publicly
- available before November 10, 2008. The person(s) controlling the
- copyright in some of this material may not have granted the IETF
- Trust the right to allow modifications of such material outside the
- IETF Standards Process. Without obtaining an adequate license from
- the person(s) controlling the copyright in such materials, this
- document may not be modified outside the IETF Standards Process, and
- derivative works of it may not be created outside the IETF Standards
- Process, except to format it for publication as an RFC or to
- translate it into languages other than English.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on September 8, 2009.
-
-Copyright Notice
-
- Copyright (c) 2009 IETF Trust and the persons identified as the
- document authors. All rights reserved.
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 1]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents in effect on the date of
- publication of this document (http://trustee.ietf.org/license-info).
- Please review these documents carefully, as they describe your rights
- and restrictions with respect to this document.
-
-Abstract
-
- This document describes a set of practices for operating the DNS with
- security extensions (DNSSEC). The target audience is zone
- administrators deploying DNSSEC.
-
- The document discusses operational aspects of using keys and
- signatures in the DNS. It discusses issues of key generation, key
- storage, signature generation, key rollover, and related policies.
-
- This document obsoletes RFC 2541, as it covers more operational
- ground and gives more up-to-date requirements with respect to key
- sizes and the new DNSSEC specification.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1. The Use of the Term 'key' . . . . . . . . . . . . . . . . 5
- 1.2. Time Definitions . . . . . . . . . . . . . . . . . . . . . 5
- 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5
- 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6
- 3.1. Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6
- 3.1.1. Motivations for the KSK and ZSK Separation . . . . . . 7
- 3.1.2. Differentiation for 'High-Level' Zones . . . . . . . . 9
- 3.2. Key Generation . . . . . . . . . . . . . . . . . . . . . . 9
- 3.3. Key Effectivity Period . . . . . . . . . . . . . . . . . . 9
- 3.4. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 10
- 3.5. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 10
- 3.6. Private Key Storage . . . . . . . . . . . . . . . . . . . 11
- 4. Signature Generation, Key Rollover, and Related Policies . . . 12
- 4.1. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
- 4.1.1. Time Considerations . . . . . . . . . . . . . . . . . 13
- 4.2. Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 15
- 4.2.1. Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
- 4.2.1.1. Pre-Publish Key Rollover . . . . . . . . . . . . . 15
- 4.2.1.2. Double Signature Zone Signing Key Rollover . . . . 17
- 4.2.1.3. Pros and Cons of the Schemes . . . . . . . . . . . 19
- 4.2.2. Key Signing Key Rollovers . . . . . . . . . . . . . . 19
- 4.2.3. Difference Between ZSK and KSK Rollovers . . . . . . . 21
- 4.2.4. Key algorithm rollover . . . . . . . . . . . . . . . . 22
- 4.2.5. Automated Key Rollovers . . . . . . . . . . . . . . . 23
- 4.3. Planning for Emergency Key Rollover . . . . . . . . . . . 24
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 2]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- 4.3.1. KSK Compromise . . . . . . . . . . . . . . . . . . . . 24
- 4.3.1.1. Keeping the Chain of Trust Intact . . . . . . . . 25
- 4.3.1.2. Breaking the Chain of Trust . . . . . . . . . . . 26
- 4.3.2. ZSK Compromise . . . . . . . . . . . . . . . . . . . . 26
- 4.3.3. Compromises of Keys Anchored in Resolvers . . . . . . 26
- 4.4. Parental Policies . . . . . . . . . . . . . . . . . . . . 27
- 4.4.1. Initial Key Exchanges and Parental Policies
- Considerations . . . . . . . . . . . . . . . . . . . . 27
- 4.4.2. Storing Keys or Hashes? . . . . . . . . . . . . . . . 27
- 4.4.3. Security Lameness . . . . . . . . . . . . . . . . . . 28
- 4.4.4. DS Signature Validity Period . . . . . . . . . . . . . 28
- 4.4.5. (Non) Cooperating Registrars . . . . . . . . . . . . . 29
- 5. Security Considerations . . . . . . . . . . . . . . . . . . . 30
- 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30
- 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
- 8.1. Normative References . . . . . . . . . . . . . . . . . . . 31
- 8.2. Informative References . . . . . . . . . . . . . . . . . . 31
- Appendix A. Terminology . . . . . . . . . . . . . . . . . . . . . 32
- Appendix B. Zone Signing Key Rollover How-To . . . . . . . . . . 34
- Appendix C. Typographic Conventions . . . . . . . . . . . . . . . 34
- Appendix D. Document Editing History . . . . . . . . . . . . . . 37
- D.1. draft-ietf-dnsop-rfc4641-00 . . . . . . . . . . . . . . . 37
- D.2. version 0->1 . . . . . . . . . . . . . . . . . . . . . . . 37
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 3]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
-1. Introduction
-
- This document describes how to run a DNS Security (DNSSEC)-enabled
- environment. It is intended for operators who have knowledge of the
- DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
- See RFC 4033 [3] for an introduction to DNSSEC, RFC 4034 [4] for the
- newly introduced Resource Records (RRs), and RFC 4035 [5] for the
- protocol changes.
-
- During workshops and early operational deployment tests, operators
- and system administrators have gained experience about operating the
- DNS with security extensions (DNSSEC). This document translates
- these experiences into a set of practices for zone administrators.
- At the time of writing, there exists very little experience with
- DNSSEC in production environments; this document should therefore
- explicitly not be seen as representing 'Best Current Practices'.
- [OK: Is this document ripe enough to shoot for BCP?]
-
- The procedures herein are focused on the maintenance of signed zones
- (i.e., signing and publishing zones on authoritative servers). It is
- intended that maintenance of zones such as re-signing or key
- rollovers be transparent to any verifying clients on the Internet.
-
- The structure of this document is as follows. In Section 2, we
- discuss the importance of keeping the "chain of trust" intact.
- Aspects of key generation and storage of private keys are discussed
- in Section 3; the focus in this section is mainly on the private part
- of the key(s). Section 4 describes considerations concerning the
- public part of the keys. Since these public keys appear in the DNS
- one has to take into account all kinds of timing issues, which are
- discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
- rollover, or supercession, of keys. Finally, Section 4.4 discusses
- considerations on how parents deal with their children's public keys
- in order to maintain chains of trust.
-
- The typographic conventions used in this document are explained in
- Appendix C.
-
- Since this is a document with operational suggestions and there are
- no protocol specifications, the RFC 2119 [6] language does not apply.
-
- This document [OK: when approved] obsoletes RFC 4641 [16].
-
- [OK: Editorial comments and questions are indicated by square
- brackets and editor innitials]
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 4]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
-1.1. The Use of the Term 'key'
-
- It is assumed that the reader is familiar with the concept of
- asymmetric keys on which DNSSEC is based (public key cryptography
- RFC4949 [17]). Therefore, this document will use the term 'key'
- rather loosely. Where it is written that 'a key is used to sign
- data' it is assumed that the reader understands that it is the
- private part of the key pair that is used for signing. It is also
- assumed that the reader understands that the public part of the key
- pair is published in the DNSKEY Resource Record and that it is the
- public part that is used in key exchanges.
-
-1.2. Time Definitions
-
- In this document, we will be using a number of time-related terms.
- The following definitions apply:
-
- o "Signature validity period" The period that a signature is valid.
- It starts at the time specified in the signature inception field
- of the RRSIG RR and ends at the time specified in the expiration
- field of the RRSIG RR.
-
- o "Signature publication period" Time after which a signature (made
- with a specific key) is replaced with a new signature (made with
- the same key). This replacement takes place by publishing the
- relevant RRSIG in the master zone file. After one stops
- publishing an RRSIG in a zone, it may take a while before the
- RRSIG has expired from caches and has actually been removed from
- the DNS.
-
- o "Key effectivity period" The period during which a key pair is
- expected to be effective. This period is defined as the time
- between the first inception time stamp and the last expiration
- date of any signature made with this key, regardless of any
- discontinuity in the use of the key. The key effectivity period
- can span multiple signature validity periods.
-
- o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
- value of the TTLs from the complete set of RRs in a zone. Note
- that the minimum TTL is not the same as the MINIMUM field in the
- SOA RR. See [9] for more information.
-
-2. Keeping the Chain of Trust Intact
-
- Maintaining a valid chain of trust is important because broken chains
- of trust will result in data being marked as Bogus (as defined in [3]
- Section 5), which may cause entire (sub)domains to become invisible
- to verifying clients. The administrators of secured zones have to
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 5]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- realize that their zone is, to verifying clients, part of a chain of
- trust.
-
- As mentioned in the introduction, the procedures herein are intended
- to ensure that maintenance of zones, such as re-signing or key
- rollovers, will be transparent to the verifying clients on the
- Internet.
-
- Administrators of secured zones will have to keep in mind that data
- published on an authoritative primary server will not be immediately
- seen by verifying clients; it may take some time for the data to be
- transferred to other secondary authoritative nameservers and clients
- may be fetching data from caching non-authoritative servers. In this
- light, note that the time for a zone transfer from master to slave is
- negligible when using NOTIFY [8] and incremental transfer (IXFR) [7].
- It increases when full zone transfers (AXFR) are used in combination
- with NOTIFY. It increases even more if you rely on full zone
- transfers based on only the SOA timing parameters for refresh.
-
- For the verifying clients, it is important that data from secured
- zones can be used to build chains of trust regardless of whether the
- data came directly from an authoritative server, a caching
- nameserver, or some middle box. Only by carefully using the
- available timing parameters can a zone administrator ensure that the
- data necessary for verification can be obtained.
-
- The responsibility for maintaining the chain of trust is shared by
- administrators of secured zones in the chain of trust. This is most
- obvious in the case of a 'key compromise' when a trade-off between
- maintaining a valid chain of trust and replacing the compromised keys
- as soon as possible must be made. Then zone administrators will have
- to make a trade-off, between keeping the chain of trust intact --
- thereby allowing for attacks with the compromised key -- or
- deliberately breaking the chain of trust and making secured
- subdomains invisible to security-aware resolvers. Also see
- Section 4.3.
-
-3. Keys Generation and Storage
-
- This section describes a number of considerations with respect to the
- security of keys. It deals with the generation, effectivity period,
- size, and storage of private keys.
-
-3.1. Zone and Key Signing Keys
-
- The DNSSEC validation protocol does not distinguish between different
- types of DNSKEYs. All DNSKEYs can be used during the validation. In
- practice, operators use Key Signing and Zone Signing Keys and use the
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 6]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- so-called Secure Entry Point (SEP) [5] flag to distinguish between
- them during operations. The dynamics and considerations are
- discussed below.
-
- To make zone re-signing and key rollover procedures easier to
- implement, it is possible to use one or more keys as Key Signing Keys
- (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone.
- Other keys can be used to sign all the RRSets in a zone and are
- referred to as Zone Signing Keys (ZSKs). In this document, we assume
- that KSKs are the subset of keys that are used for key exchanges with
- the parent and potentially for configuration as trusted anchors --
- the SEP keys. In this document, we assume a one-to-one mapping
- between KSK and SEP keys and we assume the SEP flag to be set on all
- KSKs.
-
-3.1.1. Motivations for the KSK and ZSK Separation
-
- Differentiating between the KSK and ZSK functions has several
- advantages:
-
- o No parent/child interaction is required when ZSKs are updated.
-
- o [OK: Bullet removed, strawman Paul Hoffman]
-
- o As the KSK is only used to sign a key set, which is most probably
- updated less frequently than other data in the zone, it can be
- stored separately from and in a safer location than the ZSK.
-
- o A KSK can have a longer key effectivity period.
-
- For almost any method of key management and zone signing, the KSK is
- used less frequently than the ZSK. Once a key set is signed with the
- KSK, all the keys in the key set can be used as ZSKs. If a ZSK is
- compromised, it can be simply dropped from the key set. The new key
- set is then re-signed with the KSK.
-
- Given the assumption that for KSKs the SEP flag is set, the KSK can
- be distinguished from a ZSK by examining the flag field in the DNSKEY
- RR. If the flag field is an odd number it is a KSK. If it is an
- even number it is a ZSK.
-
- The Zone Signing Key can be used to sign all the data in a zone on a
- regular basis. When a Zone Signing Key is to be rolled, no
- interaction with the parent is needed. This allows for signature
- validity periods on the order of days.
-
- The Key Signing Key is only to be used to sign the DNSKEY RRs in a
- zone. If a Key Signing Key is to be rolled over, there will be
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 7]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- interactions with parties other than the zone administrator. If
- there is a parent zone, these can include the registry of the parent
- zone or administrators of verifying resolvers that have the
- particular key configured as secure entry points. If this is a trust
- anchor, everyone relying on the trust anchor needs to roll over to
- the new key. The latter may be subject to stability costs if
- automated trust-anchor rollover mechanisms (such as e.g. RFC5011
- [18]) are not in place. Hence, the key effectivity period of these
- keys can and should be made much longer.
-
- There are two schools of thought on rolling a KSK that is not a trust
- anchor [OK: One can never be sure a KSK is _not_ a trust anchor]:
-
- o It should be done regularly (possibly every few months) so that a
- key rollover remains an operational routine.
-
- o It should only be done when it is known or strongly suspected that
- the key has been compromised in order to reduce the stability
- issues on systems where the rollover does not happen cleanly.
-
- There is no widespread agreement on which of these two schools of
- thought is better for different deployments of DNSSEC. There is a
- stability cost every time a non-anchor KSK is rolled over, but it is
- possibly low if the communication between the child and the parent is
- good. On the other hand, the only completely effective way to tell
- if the communication is good is to test it periodically. Thus,
- rolling a KSK with a parent is only done for two reasons: to test and
- verify the rolling system to prepare for an emergency, and in the
- case of an actual emergency.
-
- [OK: The paragraph below is a straw-man by Paul Hoffman] Because of
- the difficulty of getting all users of a trust anchor to replace an
- old trust anchor with a new one, a KSK that is a trust anchor should
- never be rolled unless it is known or strongly suspected that the key
- has been compromised.
-
- [OK: This is an alternative straw-man by Olaf Kolkman] The same
- operational concerns apply to the rollover of KSKs that are used as
- trust-anchors. Since the administrator of a zone can not be certain
- that the zone's KSK is in use as a trust-anchor she will have to
- assume that a rollover will cause a stability cost for the users that
- did configure her key as a trust-anchor. Those costs can be
- minimized by automating the rollover RFC5011 [18] and by rolling the
- key regularly, and advertising such, so that the operators of
- recursive nameservers will put the appropriate mechanism in place to
- deal with these stability costs, or, in other words, budget for these
- costs instead of incuring them unexpectedly.
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 8]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
-3.1.2. Differentiation for 'High-Level' Zones
-
- In an earlier version of this document we made a differentiation
- between KSKs used for zones that are high in the DNS hierarchy versus
- KSKs used for zones low in that hierarchy. We have come to realize
- that there are other considerations that argue such differentiation
- does not need to be made.
-
- Longer keys are not useful because the crypto guidance is that
- everyone should use keys that no one can break. Also, it is
- impossible to judge which zones are more or less valuable to an
- attacker. An attack can only be used if the compromise is unnoticed
- and the attacker can act as an man-in-the-middle attack (MITM) in an
- unnoticed way. If .example is compromised and the attacker forges
- answers for somebank.example and sends them out as an MITM, when the
- attack is discovered it will be simple to prove that .example has
- been compromised and the KSK will be rolled. Defining a long-term
- successful attack is difficult for keys at any level.
-
-3.2. Key Generation
-
- Careful generation of all keys is a sometimes overlooked but
- absolutely essential element in any cryptographically secure system.
- The strongest algorithms used with the longest keys are still of no
- use if an adversary can guess enough to lower the size of the likely
- key space so that it can be exhaustively searched. Technical
- suggestions for the generation of random keys will be found in RFC
- 4086 [14] and NIST SP 800-900 [20]. One should carefully assess if
- the random number generator used during key generation adheres to
- these suggestions.
-
- Keys with a long effectivity period are particularly sensitive as
- they will represent a more valuable target and be subject to attack
- for a longer time than short-period keys. It is strongly recommended
- that long-term key generation occur off-line in a manner isolated
- from the network via an air gap or, at a minimum, high-level secure
- hardware.
-
-3.3. Key Effectivity Period
-
- From a purely operational perspective, a reasonable key effectivity
- period for KSKs that have a parent zone is 13 months, with the intent
- to replace them after 12 months. An intended key effectivity period
- of a month is reasonable for Zone Signing Keys. This annual rollover
- gives operational practice to rollovers.
-
- Ignoring the operational perspective, a reasonable effectivity period
- for KSKs that have a parent zone is of the order of 2 decades or
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 9]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- longer. That is, if one does not plan to test the rollover
- procedure, the key should be effective essentially forever, and then
- only rolled over in case of emergency.
-
- The "operational habit" argument also applies to trust anchor
- reconfiguration. If a short key effectivity period is used and the
- trust anchor configuration has to be revisited on a regular basis,
- the odds that the configuration tends to be forgotten is smaller.
- The trade-off is against a system that is so dynamic that
- administrators of the validating clients will not be able to follow
- the modifications.Note that if a trust anchor replacement is done
- incorrectly, the entire zone that the trust anchor covers will become
- bogus until the trust anchor is corrected.
-
- Key effectivity periods can be made very short, as in a few minutes.
- But when replacing keys one has to take the considerations from
- Section 4.1 and Section 4.2 into account.
-
-3.4. Key Algorithm
-
- There are currently two types of signature algorithms that can be
- used in DNSSEC: RSA and DSA. Both are fully specified in many
- freely-available documents, and both are widely considered to be
- patent-free. The creation of signatures wiht RSA and DSA takes
- roughly the same time, but DSA is about ten times slower for
- signature verification.
-
- We suggest the use of either RSA/SHA-1 or RSA/SHA-256 as the
- preferred signature algorithms. Both have advantages and
- disadvantages. RSA/SHA-1 has been deployed for many years, while
- RSA/SHA-256 has only begun to be deployed. On the other hand, it is
- expected that if effective attacks on either algorithm appeark, they
- will appear for RSA/SHA-1 first. RSA/MD5 should not be considered
- for use because RSA/MD5 will very likely be the first common-use
- signature algorithm to have an effective attack.
-
- At the time of publication, it is known that the SHA-1 hash has
- cryptanalysis issues. There is work in progress on addressing these
- issues. We recommend the use of public key algorithms based on
- hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
- algorithms are available in protocol specifications (see [21] and
- [22]) and implementations.
-
-3.5. Key Sizes
-
- DNSSEC signing keys should be large enough to avoid all know
- cryptographic attacks during the lifetime of the key. To date,
- despite huge efforts, no one has broken a regular 1024-bit key; in
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 10]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- fact, the best completed attack is estimated to be the equivalent of
- a 700-bit key. An attacker breaking a 1024-bit signing key would
- need expend phenominal amounts of networked computing power in a way
- that would not be detected in order to break a single key. Because
- of this, it is estimated that most zones can safely use 1024-bit keys
- for at least the next ten years. A 1024-bit asymmetric key has an
- approximate equivalent strength of a symmetric 80-bit key.
-
- Keys that are used as extremely high value trust anchors, or non-
- anchor keys that may be difficult to roll over, may want to use
- lengths longer than 1024 bits. Typically, the next larger key size
- used is 2048 bits, which have the approximate equivalent strength of
- a symmetric 112-bit key. In a standard CPU, it takes about four
- times as long to sign or verify with a 2048-bit key as it does with a
- 1024-bit key.
-
- Another way to decide on the size of key to use is to remember that
- the phenominal effort it takes for an attacker to break a 1024-bit
- key is the same regardless of how the key is used. If an attacker
- has the capability of breaking a 1024-bit DNSSEC key, he also has the
- capability of breaking one of the many 1024-bit TLS trust anchor keys
- that are installed with web browsers. If the value of a DNSSEC key
- is lower to the attacker than the value of a TLS trust anchor, the
- attacker will use the resources to attack the TLS trust anchor.
-
- It is possible that there is a unexpected improvement in the ability
- for attackers to beak keys, and that such an attack would make it
- feasible to break 1024-bit keys but not 2048-bit keys. If such an
- improvement happens, it is likely that there will be a huge amount of
- publicity, particularly because of the large number of 1024-bit TLS
- trust anchors build into popular web browsers. At that time, all
- 1024-bit keys (both ones with parent zones and ones that are trust
- anchors) can be rolled over and replaced with larger keys.
-
- Earlier documents (including the previous version of this document)
- urged the use of longer keys in situations where a particular key was
- "heavily used". That advice may have been true 15 years ago, but it
- is not true today when using RSA or DSA algorithms and keys of 1024
- bits or higher.
-
-3.6. Private Key Storage
-
- It is recommended that, where possible, zone private keys and the
- zone file master copy that is to be signed be kept and used in off-
- line, non-network-connected, physically secure machines only.
- Periodically, an application can be run to add authentication to a
- zone by adding RRSIG and NSEC RRs. Then the augmented file can be
- transferred.
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 11]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- When relying on dynamic update to manage a signed zone [11], be aware
- that at least one private key of the zone will have to reside on the
- master server. This key is only as secure as the amount of exposure
- the server receives to unknown clients and the security of the host.
- Although not mandatory, one could administer the DNS in the following
- way. The master that processes the dynamic updates is unavailable
- from generic hosts on the Internet, it is not listed in the NS RRSet,
- although its name appears in the SOA RRs MNAME field. The
- nameservers in the NS RRSet are able to receive zone updates through
- NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This
- approach is known as the "hidden master" setup.
-
- The ideal situation is to have a one-way information flow to the
- network to avoid the possibility of tampering from the network.
- Keeping the zone master file on-line on the network and simply
- cycling it through an off-line signer does not do this. The on-line
- version could still be tampered with if the host it resides on is
- compromised. For maximum security, the master copy of the zone file
- should be off-net and should not be updated based on an unsecured
- network mediated communication.
-
- In general, keeping a zone file off-line will not be practical and
- the machines on which zone files are maintained will be connected to
- a network. Operators are advised to take security measures to shield
- unauthorized access to the master copy.
-
- For dynamically updated secured zones [11], both the master copy and
- the private key that is used to update signatures on updated RRs will
- need to be on-line.
-
-4. Signature Generation, Key Rollover, and Related Policies
-
-4.1. Time in DNSSEC
-
- Without DNSSEC, all times in the DNS are relative. The SOA fields
- REFRESH, RETRY, and EXPIRATION are timers used to determine the time
- elapsed after a slave server synchronized with a master server. The
- Time to Live (TTL) value and the SOA RR minimum TTL parameter [9] are
- used to determine how long a forwarder should cache data after it has
- been fetched from an authoritative server. By using a signature
- validity period, DNSSEC introduces the notion of an absolute time in
- the DNS. Signatures in DNSSEC have an expiration date after which
- the signature is marked as invalid and the signed data is to be
- considered Bogus.
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 12]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
-4.1.1. Time Considerations
-
- Because of the expiration of signatures, one should consider the
- following:
-
- o We suggest the Maximum Zone TTL of your zone data to be a fraction
- of your signature validity period.
-
- If the TTL would be of similar order as the signature validity
- period, then all RRSets fetched during the validity period
- would be cached until the signature expiration time. Section
- 7.1 of [3] suggests that "the resolver may use the time
- remaining before expiration of the signature validity period of
- a signed RRSet as an upper bound for the TTL". As a result,
- query load on authoritative servers would peak at signature
- expiration time, as this is also the time at which records
- simultaneously expire from caches.
-
- To avoid query load peaks, we suggest the TTL on all the RRs in
- your zone to be at least a few times smaller than your
- signature validity period.
-
- o We suggest the signature publication period to end at least one
- Maximum Zone TTL duration before the end of the signature validity
- period.
-
- Re-signing a zone shortly before the end of the signature
- validity period may cause simultaneous expiration of data from
- caches. This in turn may lead to peaks in the load on
- authoritative servers.
-
- o We suggest the Minimum Zone TTL to be long enough to both fetch
- and verify all the RRs in the trust chain. In workshop
- environments, it has been demonstrated [19] that a low TTL (under
- 5 to 10 minutes) caused disruptions because of the following two
- problems:
-
- 1. During validation, some data may expire before the
- validation is complete. The validator should be able to keep
- all data until it is completed. This applies to all RRs needed
- to complete the chain of trust: DSes, DNSKEYs, RRSIGs, and the
- final answers, i.e., the RRSet that is returned for the initial
- query.
-
- 2. Frequent verification causes load on recursive nameservers.
- Data at delegation points, DSes, DNSKEYs, and RRSIGs benefit
- from caching. The TTL on those should be relatively long.
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 13]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- o Slave servers will need to be able to fetch newly signed zones
- well before the RRSIGs in the zone served by the slave server pass
- their signature expiration time.
-
- When a slave server is out of sync with its master and data in
- a zone is signed by expired signatures, it may be better for
- the slave server not to give out any answer.
-
- Normally, a slave server that is not able to contact a master
- server for an extended period will expire a zone. When that
- happens, the server will respond differently to queries for
- that zone. Some servers issue SERVFAIL, whereas others turn
- off the 'AA' bit in the answers. The time of expiration is set
- in the SOA record and is relative to the last successful
- refresh between the master and the slave servers. There exists
- no coupling between the signature expiration of RRSIGs in the
- zone and the expire parameter in the SOA.
-
- If the server serves a DNSSEC zone, then it may well happen
- that the signatures expire well before the SOA expiration timer
- counts down to zero. It is not possible to completely prevent
- this from happening by tweaking the SOA parameters.
-
- However, the effects can be minimized where the SOA expiration
- time is equal to or shorter than the signature validity period.
-
- The consequence of an authoritative server not being able to
- update a zone, whilst that zone includes expired signatures, is
- that non-secure resolvers will continue to be able to resolve
- data served by the particular slave servers while security-
- aware resolvers will experience problems because of answers
- being marked as Bogus.
-
- We suggest the SOA expiration timer being approximately one
- third or one fourth of the signature validity period. It will
- allow problems with transfers from the master server to be
- noticed before the actual signature times out.
-
- We also suggest that operators of nameservers that supply
- secondary services develop 'watch dogs' to spot upcoming
- signature expirations in zones they slave, and take appropriate
- action.
-
- When determining the value for the expiration parameter one has
- to take the following into account: What are the chances that
- all my secondaries expire the zone? How quickly can I reach an
- administrator of secondary servers to load a valid zone? These
- questions are not DNSSEC specific but may influence the choice
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 14]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- of your signature validity intervals.
-
-4.2. Key Rollovers
-
- Regardless of whether a zone uses periodic key rollovers in order to
- practice for emergencies, or only rolls over keys in an emergency,
- key rollovers are a fact of life when using DNSSEC. Zone
- administrators who are in the process of rolling their keys have to
- take into account that data published in previous versions of their
- zone still lives in caches. When deploying DNSSEC, this becomes an
- important consideration; ignoring data that may be in caches may lead
- to loss of service for clients.
-
- The most pressing example of this occurs when zone material signed
- with an old key is being validated by a resolver that does not have
- the old zone key cached. If the old key is no longer present in the
- current zone, this validation fails, marking the data "Bogus".
- Alternatively, an attempt could be made to validate data that is
- signed with a new key against an old key that lives in a local cache,
- also resulting in data being marked "Bogus".
-
-4.2.1. Zone Signing Key Rollovers
-
- For "Zone Signing Key rollovers", there are two ways to make sure
- that during the rollover data still cached can be verified with the
- new key sets or newly generated signatures can be verified with the
- keys still in caches. One schema, described in Section 4.2.1.2, uses
- double signatures; the other uses key pre-publication
- (Section 4.2.1.1). The pros, cons, and recommendations are described
- in Section 4.2.1.3.
-
-4.2.1.1. Pre-Publish Key Rollover
-
- This section shows how to perform a ZSK rollover without the need to
- sign all the data in a zone twice -- the "pre-publish key rollover".
- This method has advantages in the case of a key compromise. If the
- old key is compromised, the new key has already been distributed in
- the DNS. The zone administrator is then able to quickly switch to
- the new key and remove the compromised key from the zone. Another
- major advantage is that the zone size does not double, as is the case
- with the double signature ZSK rollover. A small "how-to" for this
- kind of rollover can be found in Appendix B.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 15]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- Pre-publish key rollover involves four stages as follows:
-
- ----------------------------------------------------------------
- initial new DNSKEY new RRSIGs DNSKEY removal
- ----------------------------------------------------------------
- SOA0 SOA1 SOA2 SOA3
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
-
- DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
- ----------------------------------------------------------------
-
- Pre-Publish Key Rollover
-
- initial: Initial version of the zone: DNSKEY 1 is the Key Signing
- Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
- Signing Key.
-
- new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
- signatures are generated with this key yet, but this does not
- secure against brute force attacks on the public key. The minimum
- duration of this pre-roll phase is the time it takes for the data
- to propagate to the authoritative servers plus TTL value of the
- key set.
-
- new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
- used to sign the data in the zone exclusively (i.e., all the
- signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
- remains published in the key set. This way data that was loaded
- into caches from version 1 of the zone can still be verified with
- key sets fetched from version 2 of the zone. The minimum time
- that the key set including DNSKEY 10 is to be published is the
- time that it takes for zone data from the previous version of the
- zone to expire from old caches, i.e., the time it takes for this
- zone to propagate to all authoritative servers plus the Maximum
- Zone TTL value of any of the data in the previous version of the
- zone.
-
- DNSKEY removal: DNSKEY 10 is removed from the zone. The key set,
- now only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
- DNSKEY 1.
-
- The above scheme can be simplified by always publishing the "future"
- key immediately after the rollover. The scheme would look as follows
- (we show two rollovers); the future key is introduced in "new DNSKEY"
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 16]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
- (II)":
-
-
- initial new RRSIGs new DNSKEY
- -----------------------------------------------------------------
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11 DNSKEY12
- RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
- ----------------------------------------------------------------
-
- ----------------------------------------------------------------
- new RRSIGs (II) new DNSKEY (II)
- ----------------------------------------------------------------
- SOA3 SOA4
- RRSIG12(SOA3) RRSIG12(SOA4)
-
- DNSKEY1 DNSKEY1
- DNSKEY11 DNSKEY12
- DNSKEY12 DNSKEY13
- RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG12(DNSKEY) RRSIG12(DNSKEY)
- ----------------------------------------------------------------
-
- Pre-Publish Key Rollover, Showing Two Rollovers
-
- Note that the key introduced in the "new DNSKEY" phase is not used
- for production yet; the private key can thus be stored in a
- physically secure manner and does not need to be 'fetched' every time
- a zone needs to be signed.
-
-4.2.1.2. Double Signature Zone Signing Key Rollover
-
- This section shows how to perform a ZSK key rollover using the double
- zone data signature scheme, aptly named "double signature rollover".
-
- During the "new DNSKEY" stage the new version of the zone file will
- need to propagate to all authoritative servers and the data that
- exists in (distant) caches will need to expire, requiring at least
- the Maximum Zone TTL.
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 17]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- Double signature ZSK rollover involves three stages as follows:
-
- ----------------------------------------------------------------
- initial new DNSKEY DNSKEY removal
- ----------------------------------------------------------------
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
- RRSIG11(SOA1)
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11
- RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
- RRSIG11(DNSKEY)
- ----------------------------------------------------------------
-
- Double Signature Zone Signing Key Rollover
-
- initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
- Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
- Signing Key.
-
- new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
- introduced into the key set and all the data in the zone is signed
- with DNSKEY 10 and DNSKEY 11. The rollover period will need to
- continue until all data from version 0 of the zone has expired
- from remote caches. This will take at least the Maximum Zone TTL
- of version 0 of the zone.
-
- DNSKEY removal: DNSKEY 10 is removed from the zone. All the
- signatures from DNSKEY 10 are removed from the zone. The key set,
- now only containing DNSKEY 11, is re-signed with DNSKEY 1.
-
- At every instance, RRSIGs from the previous version of the zone can
- be verified with the DNSKEY RRSet from the current version and the
- other way around. The data from the current version can be verified
- with the data from the previous version of the zone. The duration of
- the "new DNSKEY" phase and the period between rollovers should be at
- least the Maximum Zone TTL.
-
- Making sure that the "new DNSKEY" phase lasts until the signature
- expiration time of the data in the initial version of the zone is
- recommended. This way all caches are cleared of the old signatures.
- However, this duration could be considerably longer than the Maximum
- Zone TTL, making the rollover a lengthy procedure.
-
- Note that in this example we assumed that the zone was not modified
- during the rollover. New data can be introduced in the zone as long
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 18]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- as it is signed with both keys.
-
-4.2.1.3. Pros and Cons of the Schemes
-
- Pre-publish key rollover: This rollover does not involve signing the
- zone data twice. Instead, before the actual rollover, the new key
- is published in the key set and thus is available for
- cryptanalysis attacks. A small disadvantage is that this process
- requires four steps. Also the pre-publish scheme involves more
- parental work when used for KSK rollovers as explained in
- Section 4.2.3.
-
- Double signature ZSK rollover: The drawback of this signing scheme
- is that during the rollover the number of signatures in your zone
- doubles; this may be prohibitive if you have very big zones. An
- advantage is that it only requires three steps.
-
-4.2.2. Key Signing Key Rollovers
-
- For the rollover of a Key Signing Key, the same considerations as for
- the rollover of a Zone Signing Key apply. However, we can use a
- double signature scheme to guarantee that old data (only the apex key
- set) in caches can be verified with a new key set and vice versa.
- Since only the key set is signed with a KSK, zone size considerations
- do not apply.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 19]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- --------------------------------------------------------------------
- initial new DNSKEY DS change DNSKEY removal
- --------------------------------------------------------------------
- Parent:
- SOA0 --------> SOA1 -------->
- RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
- DS1 --------> DS2 -------->
- RRSIGpar(DS) --------> RRSIGpar(DS) -------->
-
-
- Child:
- SOA0 SOA1 --------> SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
- -------->
- DNSKEY1 DNSKEY1 --------> DNSKEY2
- DNSKEY2 -------->
- DNSKEY10 DNSKEY10 --------> DNSKEY10
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
- RRSIG2 (DNSKEY) -------->
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
- --------------------------------------------------------------------
-
- Stages of Deployment for a Double Signature Key Signing Key Rollover
-
- initial: Initial version of the zone. The parental DS points to
- DNSKEY1. Before the rollover starts, the child will have to
- verify what the TTL is of the DS RR that points to DNSKEY1 -- it
- is needed during the rollover and we refer to the value as TTL_DS.
-
- new DNSKEY: During the "new DNSKEY" phase, the zone administrator
- generates a second KSK, DNSKEY2. The key is provided to the
- parent, and the child will have to wait until a new DS RR has been
- generated that points to DNSKEY2. After that DS RR has been
- published on all servers authoritative for the parent's zone, the
- zone administrator has to wait at least TTL_DS to make sure that
- the old DS RR has expired from caches.
-
- DS change: The parent replaces DS1 with DS2.
-
- DNSKEY removal: DNSKEY1 has been removed.
-
- The scenario above puts the responsibility for maintaining a valid
- chain of trust with the child. It also is based on the premise that
- the parent only has one DS RR (per algorithm) per zone. An
- alternative mechanism has been considered. Using an established
- trust relation, the interaction can be performed in-band, and the
- removal of the keys by the child can possibly be signaled by the
- parent. In this mechanism, there are periods where there are two DS
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 20]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- RRs at the parent. Since at the moment of writing the protocol for
- this interaction has not been developed, further discussion is out of
- scope for this document.
-
-4.2.3. Difference Between ZSK and KSK Rollovers
-
- Note that KSK rollovers and ZSK rollovers are different in the sense
- that a KSK rollover requires interaction with the parent (and
- possibly replacing of trust anchors) and the ensuing delay while
- waiting for it.
-
- A zone key rollover can be handled in two different ways: pre-publish
- (Section 4.2.1.1) and double signature (Section 4.2.1.2).
-
- As the KSK is used to validate the key set and because the KSK is not
- changed during a ZSK rollover, a cache is able to validate the new
- key set of the zone. The pre-publish method would also work for a
- KSK rollover. The records that are to be pre-published are the
- parental DS RRs. The pre-publish method has some drawbacks for KSKs.
- We first describe the rollover scheme and then indicate these
- drawbacks.
-
-
- --------------------------------------------------------------------
- initial new DS new DNSKEY DS/DNSKEY removal
- --------------------------------------------------------------------
- Parent:
- SOA0 SOA1 --------> SOA2
- RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
- DS1 DS1 --------> DS2
- DS2 -------->
- RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
-
- Child:
- SOA0 --------> SOA1 SOA1
- RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
- -------->
- DNSKEY1 --------> DNSKEY2 DNSKEY2
- -------->
- DNSKEY10 --------> DNSKEY10 DNSKEY10
- RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
- RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
- --------------------------------------------------------------------
-
- Stages of Deployment for a Pre-Publish Key Signing Key Rollover
-
- When the child zone wants to roll, it notifies the parent during the
- "new DS" phase and submits the new key (or the corresponding DS) to
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 21]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
- and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase),
- which can take place as soon as the new DS set propagated through the
- DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
- ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
- record can be deleted.
-
- The drawbacks of this scheme are that during the "new DS" phase the
- parent cannot verify the match between the DS2 RR and DNSKEY2 using
- the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
- "security lame" key (see Section 4.4.3). Finally, the child-parent
- interaction consists of two steps. The "double signature" method
- only needs one interaction.
-
-4.2.4. Key algorithm rollover
-
- [OK: The txt of this section is a strawman for the issue in: http://
- www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
- ]
-
- A special class of keyrollover is the rollover of key algorithms
- (either adding a new algorithm, removing an old algorithm, or both),
- additional steps are needed to retain integrity during the rollover.
-
- Because of the algorithm downgrade protection in RFC4035 section 2.2,
- you may not have a key of an algorithm for which you do not have
- signatures.
-
- When adding a new algorithm, the signatures should be added first.
- After the TTL has expired, and caches have dropped the old data
- covered by those signatures, the DNSKEY with the new algorithm can be
- added. When removing an old algorithm, the DNSKEY should be removed
- first.
-
- To do both, the following steps can be used. For simplicity, we use
- a zone that is only signed by one zone signing key.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 22]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- ----------------------------------------------------------------
- 1 Initial 2 New RRSIGS 3 New DNSKEY
- ----------------------------------------------------------------
- SOA0 SOA1 SOA2
- RRSIG1(SOA0) RRSIG1(SOA1) RRSIG1(SOA2)
- RRSIG2(SOA1) RRSIG2(SOA2)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- RRSIG1(DNSKEY) RRSIG1(DNSKEY) DNSKEY2
- RRSIG2(DNSKEY) RRSIG1(DNSKEY)
- RRSIG2(DNSKEY)
- ----------------------------------------------------------------
- 4 Remove DNSKEY 5 Remove RRSIGS
- ----------------------------------------------------------------
- SOA3 SOA4
- RRSIG1(SOA3) RRSIG2(SOA4)
- RRSIG2(SOA3)
-
- DNSKEY2 DNSKEY2
- RRSIG1(DNSKEY) RRSIG2(DNSKEY)
- RRSIG2(DNSKEY)
- ----------------------------------------------------------------
-
- Stages of Deployment during an Algorithm Rollover.
-
- In step 2, the signatures for the new key are added, but the key
- itself is not. While in theory, the signatures of the keyset should
- always be synchronized with the keyset itself, it can be possible
- that RRSIGS are requested separately, so it might be prudent to also
- sign the DNSKEY set with the new signature.
-
- After the cache data has expired, the new key can be added to the
- zone, as done in step 3.
-
- The next step is to remove the old algorithm. This time the key
- needs to be removed first, before removing the signatures. The key
- is removed in step 4, and after the cache data has expired, the
- signatures can be removed in step 5.
-
- The above steps ensure that during the rollover to a new algorithm,
- the integrity of the zone is never broken.
-
-4.2.5. Automated Key Rollovers
-
- As keys must be renewed periodically, there is some motivation to
- automate the rollover process. Consider the following:
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 23]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- o ZSK rollovers are easy to automate as only the child zone is
- involved.
-
- o A KSK rollover needs interaction between parent and child. Data
- exchange is needed to provide the new keys to the parent;
- consequently, this data must be authenticated and integrity must
- be guaranteed in order to avoid attacks on the rollover.
-
-4.3. Planning for Emergency Key Rollover
-
- This section deals with preparation for a possible key compromise.
- Our advice is to have a documented procedure ready for when a key
- compromise is suspected or confirmed.
-
- When the private material of one of your keys is compromised it can
- be used for as long as a valid trust chain exists. A trust chain
- remains intact for
-
- o as long as a signature over the compromised key in the trust chain
- is valid,
-
- o as long as a parental DS RR (and signature) points to the
- compromised key,
-
- o as long as the key is anchored in a resolver and is used as a
- starting point for validation (this is generally the hardest to
- update).
-
- While a trust chain to your compromised key exists, your namespace is
- vulnerable to abuse by anyone who has obtained illegitimate
- possession of the key. Zone operators have to make a trade-off if
- the abuse of the compromised key is worse than having data in caches
- that cannot be validated. If the zone operator chooses to break the
- trust chain to the compromised key, data in caches signed with this
- key cannot be validated. However, if the zone administrator chooses
- to take the path of a regular rollover, the malicious key holder can
- spoof data so that it appears to be valid.
-
-4.3.1. KSK Compromise
-
- A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
- as long as the compromised KSK is configured as trust anchor or a
- parental DS points to it.
-
- A compromised KSK can be used to sign the key set of an attacker's
- zone. That zone could be used to poison the DNS.
-
- Therefore, when the KSK has been compromised, the trust anchor or the
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 24]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- parental DS should be replaced as soon as possible. It is local
- policy whether to break the trust chain during the emergency
- rollover. The trust chain would be broken when the compromised KSK
- is removed from the child's zone while the parent still has a DS
- pointing to the compromised KSK (the assumption is that there is only
- one DS at the parent. If there are multiple DSes this does not apply
- -- however the chain of trust of this particular key is broken).
-
- Note that an attacker's zone still uses the compromised KSK and the
- presence of a parental DS would cause the data in this zone to appear
- as valid. Removing the compromised key would cause the attacker's
- zone to appear as valid and the child's zone as Bogus. Therefore, we
- advise not to remove the KSK before the parent has a DS to a new KSK
- in place.
-
-4.3.1.1. Keeping the Chain of Trust Intact
-
- If we follow this advice, the timing of the replacement of the KSK is
- somewhat critical. The goal is to remove the compromised KSK as soon
- as the new DS RR is available at the parent. And also make sure that
- the signature made with a new KSK over the key set with the
- compromised KSK in it expires just after the new DS appears at the
- parent, thus removing the old cruft in one swoop.
-
- The procedure is as follows:
-
- 1. Introduce a new KSK into the key set, keep the compromised KSK in
- the key set.
-
- 2. Sign the key set, with a short validity period. The validity
- period should expire shortly after the DS is expected to appear
- in the parent and the old DSes have expired from caches.
-
- 3. Upload the DS for this new key to the parent.
-
- 4. Follow the procedure of the regular KSK rollover: Wait for the DS
- to appear in the authoritative servers and then wait as long as
- the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
- and modify/extend the expiration time.
-
- 5. Remove the compromised DNSKEY RR from the zone and re-sign the
- key set using your "normal" validity interval.
-
- An additional danger of a key compromise is that the compromised key
- could be used to facilitate a legitimate DNSKEY/DS rollover and/or
- nameserver changes at the parent. When that happens, the domain may
- be in dispute. An authenticated out-of-band and secure notify
- mechanism to contact a parent is needed in this case.
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 25]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- Note that this is only a problem when the DNSKEY and or DS records
- are used for authentication at the parent.
-
-4.3.1.2. Breaking the Chain of Trust
-
- There are two methods to break the chain of trust. The first method
- causes the child zone to appear 'Bogus' to validating resolvers. The
- other causes the child zone to appear 'insecure'. These are
- described below.
-
- In the method that causes the child zone to appear 'Bogus' to
- validating resolvers, the child zone replaces the current KSK with a
- new one and re-signs the key set. Next it sends the DS of the new
- key to the parent. Only after the parent has placed the new DS in
- the zone is the child's chain of trust repaired.
-
- An alternative method of breaking the chain of trust is by removing
- the DS RRs from the parent zone altogether. As a result, the child
- zone would become insecure.
-
-4.3.2. ZSK Compromise
-
- Primarily because there is no parental interaction required when a
- ZSK is compromised, the situation is less severe than with a KSK
- compromise. The zone must still be re-signed with a new ZSK as soon
- as possible. As this is a local operation and requires no
- communication between the parent and child, this can be achieved
- fairly quickly. However, one has to take into account that just as
- with a normal rollover the immediate disappearance of the old
- compromised key may lead to verification problems. Also note that as
- long as the RRSIG over the compromised ZSK is not expired the zone
- may be still at risk.
-
-4.3.3. Compromises of Keys Anchored in Resolvers
-
- A key can also be pre-configured in resolvers. For instance, if
- DNSSEC is successfully deployed the root key may be pre-configured in
- most security aware resolvers.
-
- If trust-anchor keys are compromised, the resolvers using these keys
- should be notified of this fact. Zone administrators may consider
- setting up a mailing list to communicate the fact that a SEP key is
- about to be rolled over. This communication will of course need to
- be authenticated, e.g., by using digital signatures.
-
- End-users faced with the task of updating an anchored key should
- always validate the new key. New keys should be authenticated out-
- of-band, for example, through the use of an announcement website that
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 26]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- is secured using secure sockets (TLS) [23].
-
-4.4. Parental Policies
-
-4.4.1. Initial Key Exchanges and Parental Policies Considerations
-
- The initial key exchange is always subject to the policies set by the
- parent. When designing a key exchange policy one should take into
- account that the authentication and authorization mechanisms used
- during a key exchange should be as strong as the authentication and
- authorization mechanisms used for the exchange of delegation
- information between parent and child. That is, there is no implicit
- need in DNSSEC to make the authentication process stronger than it
- was in DNS.
-
- Using the DNS itself as the source for the actual DNSKEY material,
- with an out-of-band check on the validity of the DNSKEY, has the
- benefit that it reduces the chances of user error. A DNSKEY query
- tool can make use of the SEP bit [5] to select the proper key from a
- DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
- sent. It can validate the self-signature over a key; thereby
- verifying the ownership of the private key material. Fetching the
- DNSKEY from the DNS ensures that the chain of trust remains intact
- once the parent publishes the DS RR indicating the child is secure.
-
- Note: the out-of-band verification is still needed when the key
- material is fetched via the DNS. The parent can never be sure
- whether or not the DNSKEY RRs have been spoofed.
-
-4.4.2. Storing Keys or Hashes?
-
- When designing a registry system one should consider which of the
- DNSKEYs and/or the corresponding DSes to store. Since a child zone
- might wish to have a DS published using a message digest algorithm
- not yet understood by the registry, the registry can't count on being
- able to generate the DS record from a raw DNSKEY. Thus, we recommend
- that registry systems at least support storing DS records.
-
- It may also be useful to store DNSKEYs, since having them may help
- during troubleshooting and, as long as the child's chosen message
- digest is supported, the overhead of generating DS records from them
- is minimal. Having an out-of-band mechanism, such as a registry
- directory (e.g., Whois), to find out which keys are used to generate
- DS Resource Records for specific owners and/or zones may also help
- with troubleshooting.
-
- The storage considerations also relate to the design of the customer
- interface and the method by which data is transferred between
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 27]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- registrant and registry; Will the child zone administrator be able to
- upload DS RRs with unknown hash algorithms or does the interface only
- allow DNSKEYs? In the registry-registrar model, one can use the
- DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
- which allows transfer of DS RRs and optionally DNSKEY RRs.
-
-4.4.3. Security Lameness
-
- Security lameness is defined as what happens when a parent has a DS
- RR pointing to a non-existing DNSKEY RR. When this happens, the
- child's zone may be marked "Bogus" by verifying DNS clients.
-
- As part of a comprehensive delegation check, the parent could, at key
- exchange time, verify that the child's key is actually configured in
- the DNS. However, if a parent does not understand the hashing
- algorithm used by child, the parental checks are limited to only
- comparing the key id.
-
- Child zones should be very careful in removing DNSKEY material,
- specifically SEP keys, for which a DS RR exists.
-
- Once a zone is "security lame", a fix (e.g., removing a DS RR) will
- take time to propagate through the DNS.
-
-4.4.4. DS Signature Validity Period
-
- Since the DS can be replayed as long as it has a valid signature, a
- short signature validity period over the DS minimizes the time a
- child is vulnerable in the case of a compromise of the child's
- KSK(s). A signature validity period that is too short introduces the
- possibility that a zone is marked "Bogus" in case of a configuration
- error in the signer. There may not be enough time to fix the
- problems before signatures expire. Something as mundane as operator
- unavailability during weekends shows the need for DS signature
- validity periods longer than 2 days. We recommend an absolute
- minimum for a DS signature validity period of a few days.
-
- The maximum signature validity period of the DS record depends on how
- long child zones are willing to be vulnerable after a key compromise.
- On the other hand, shortening the DS signature validity interval
- increases the operational risk for the parent. Therefore, the parent
- may have policy to use a signature validity interval that is
- considerably longer than the child would hope for.
-
- A compromise between the operational constraints of the parent and
- minimizing damage for the child may result in a DS signature validity
- period somewhere between a week and months.
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 28]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- In addition to the signature validity period, which sets a lower
- bound on the number of times the zone owner will need to sign the
- zone data and which sets an upper bound to the time a child is
- vulnerable after key compromise, there is the TTL value on the DS
- RRs. Shortening the TTL means that the authoritative servers will
- see more queries. But on the other hand, a short TTL lowers the
- persistence of DS RRSets in caches thereby increasing the speed with
- which updated DS RRSets propagate through the DNS.
-
-4.4.5. (Non) Cooperating Registrars
-
- [OK: this is a first strawman, and is intended to start the
- discussion of the issue. By no means this is intended to be a final
- text.]
-
- The parent-child relation is often described in terms of a (thin)
- registry model. Where a registry maintains the parent zone, and the
- registrant (the user of the child-domain name), deals with the
- registry through an intermediary called a registrar. (See [12] for a
- comprehensive definition). Registrants may out-source the
- maintenance of their DNS system, including the maintenance of DNSSEC
- key material, to the registrar or to another third party. The entity
- that has control over the DNS zone and its keys may prevent the
- registrant to make a timely move to a different registrar. [OK: I
- use the term registrar below while it is the operator of the DNS zone
- who is the actual culprit. For instance, the case also applies when
- a registrant passes a zone to another registrant. Should I just use
- "DNS Administrator"?]
-
- Suppose that the registrant wants to move from losing registrar A to
- gaining registrar B. Let us first look what would happen in a
- cooperative environment. The assumption is that registrar A will not
- hand off any private key material to registrar B because that would
- be a trivial case.
-
- In a cooperating environment one could proceed with a pre-publish ZSK
- rollover whereby registrar A pre-publishes the ZSK of registrar B,
- combined with a double signature KSK rollover where the two
- registrars exchange public keys and independently generate a
- signature over the keysets that they combine and both publish in the
- zone.
-
- In the non-cooperative case matters are more complicated. The
- loosing registrar A may not cooperate and leave the data in the DNS
- as is. In the extreme case registrar A may become obstructive and
- publish a DNSKEY RR with a high TTL and corresponding signature
- validity so that registrar A's DNSKEY, would end up in caches for, in
- theory, tens of years.
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 29]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- The problem arises when a validator tries to validate with A's key
- and there is no signature material produced with Registrars A
- available in the delegation path after redelegation from registrar A
- to registrar B has taken place. One could imagine a rollover
- scenario where registrar B pulls all RRSIGs created by registar A and
- publishes those in conjunction with its own signatures, but that
- would not allow any changes in the zone content. Since a
- redelegation took place the NS RRset has -- per definition-- changed
- so such rollover scenario will not work. Besides if zone transfers
- are not allowed by A and NSEC3 is deployed in the A's zone then
- registrar B will not have certainty that all of A's RRSIGs are
- transfered.
-
- The only viable option for the registrant is to publish its zone
- unsigned and ask the registry to remove the DS pointing to registrar
- A for as long as the DNSKEY of registrar A, or any of the signatures
- produced by registrar A are likely to appear in caches, which as
- mentioned above could in theory be for tens of years. [OK: Some
- implementations limit the time data is cached. Although that is not
- a protocol requirement (and may even be considered a protocol
- violation) it seems that that practice may limit the impact of this
- problem, is that worth mentioning?]
-
- [OK: This is really the point that I'm trying to make, is the above
- text needed?] There is no operational methodology to work around
- this business issue and proper contractual relations ships between
- registrants and their registrars seem to be the only solution to cope
- with these problems.
-
-5. Security Considerations
-
- DNSSEC adds data integrity to the DNS. This document tries to assess
- the operational considerations to maintain a stable and secure DNSSEC
- service. Not taking into account the 'data propagation' properties
- in the DNS will cause validation failures and may make secured zones
- unavailable to security-aware resolvers.
-
-6. IANA considerations
-
- There are no IANA considerations with respect to this document
-
-7. Acknowledgments
-
- Most of the text of this document is copied from RFC4641 [16] people
- involved in that work were in random order: Rip Loomis, Olafur
- Gudmundsson, Wesley Griffin, Michael Richardson, Scott Rose, Rick van
- Rein, Tim McGinnis, Gilles Guette Olivier Courtay, Sam Weiler, Jelte
- Jansen, Niall O'Reilly, Holger Zuleger, Ed Lewis, Hilarie Orman,
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 30]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- Marcos Sanz, Peter Koch, Mike StJohns, Emmar Bretherick, Adrian
- Bedford, and Lindy Foster, G. Guette, and O. Courtay.
-
- For this version of the document we would like to acknowldge:
-
- o Paul Hoffman for his contribution on the choice of cryptographic
- paramenters and addressing some of the trust anchor issues.
-
- o Jelte Jansen provided the text in Section 4.2.4
-
-8. References
-
-8.1. Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
-8.2. Informative References
-
- [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [7] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
- August 1996.
-
- [8] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
- (DNS NOTIFY)", RFC 1996, August 1996.
-
- [9] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
- RFC 2308, March 1998.
-
- [10] Eastlake, D., "DNS Security Operational Considerations",
- RFC 2541, March 1999.
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 31]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
- [12] Hollenbeck, S., "Generic Registry-Registrar Protocol
- Requirements", RFC 3375, September 2002.
-
- [13] Orman, H. and P. Hoffman, "Determining Strengths For Public
- Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
- April 2004.
-
- [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
- Requirements for Security", BCP 106, RFC 4086, June 2005.
-
- [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
- Mapping for the Extensible Provisioning Protocol (EPP)",
- RFC 4310, December 2005.
-
- [16] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
- RFC 4641, September 2006.
-
- [17] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949,
- August 2007.
-
- [18] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
- Anchors", RFC 5011, September 2007.
-
- [19] Rose, S., "NIST DNSSEC workshop notes", , June 2001.
-
- [20] Barker, E. and J. Kelsey, "Recommendation for Random Number
- Generation Using Deterministic Random Bit Generators
- (Revised)", Nist Special Publication 800-90, March 2007.
-
- [21] Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and
- RRSIG Resource Records for DNSSEC",
- draft-ietf-dnsext-dnssec-rsasha256-05 (work in progress),
- July 2008.
-
- [22] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
- Resource Records (RRs)", RFC 4509, May 2006.
-
- [23] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
- T. Wright, "Transport Layer Security (TLS) Extensions",
- RFC 4366, April 2006.
-
-Appendix A. Terminology
-
- In this document, there is some jargon used that is defined in other
- documents. In most cases, we have not copied the text from the
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 32]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- documents defining the terms but have given a more elaborate
- explanation of the meaning. Note that these explanations should not
- be seen as authoritative.
-
- Anchored key: A DNSKEY configured in resolvers around the globe.
- This key is hard to update, hence the term anchored.
-
- Bogus: Also see Section 5 of [3]. An RRSet in DNSSEC is marked
- "Bogus" when a signature of an RRSet does not validate against a
- DNSKEY.
-
- Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is
- used exclusively for signing the apex key set. The fact that a
- key is a KSK is only relevant to the signing tool.
-
- Key size: The term 'key size' can be substituted by 'modulus size'
- throughout the document. It is mathematically more correct to use
- modulus size, but as this is a document directed at operators we
- feel more at ease with the term key size.
-
- Private and public keys: DNSSEC secures the DNS through the use of
- public key cryptography. Public key cryptography is based on the
- existence of two (mathematically related) keys, a public key and a
- private key. The public keys are published in the DNS by use of
- the DNSKEY Resource Record (DNSKEY RR). Private keys should
- remain private.
-
- Key rollover: A key rollover (also called key supercession in some
- environments) is the act of replacing one key pair with another at
- the end of a key effectivity period.
-
- Secure Entry Point (SEP) key: A KSK that has a parental DS record
- pointing to it or is configured as a trust anchor. Although not
- required by the protocol, we recommend that the SEP flag [5] is
- set on these keys.
-
- Self-signature: This only applies to signatures over DNSKEYs; a
- signature made with DNSKEY x, over DNSKEY x is called a self-
- signature. Note: without further information, self-signatures
- convey no trust. They are useful to check the authenticity of the
- DNSKEY, i.e., they can be used as a hash.
-
- Singing the zone file: The term used for the event where an
- administrator joyfully signs its zone file while producing melodic
- sound patterns.
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 33]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- Signer: The system that has access to the private key material and
- signs the Resource Record sets in a zone. A signer may be
- configured to sign only parts of the zone, e.g., only those RRSets
- for which existing signatures are about to expire.
-
- Zone Signing Key (ZSK): A key that is used for signing all data in a
- zone (except, perhaps, the DNSKEY RRSet). The fact that a key is
- a ZSK is only relevant to the signing tool.
-
- Zone administrator: The 'role' that is responsible for signing a
- zone and publishing it on the primary authoritative server.
-
-Appendix B. Zone Signing Key Rollover How-To
-
- Using the pre-published signature scheme and the most conservative
- method to assure oneself that data does not live in caches, here
- follows the "how-to".
-
- Step 0: The preparation: Create two keys and publish both in your
- key set. Mark one of the keys "active" and the other "published".
- Use the "active" key for signing your zone data. Store the
- private part of the "published" key, preferably off-line. The
- protocol does not provide for attributes to mark a key as active
- or published. This is something you have to do on your own,
- through the use of a notebook or key management tool.
-
- Step 1: Determine expiration: At the beginning of the rollover make
- a note of the highest expiration time of signatures in your zone
- file created with the current key marked as active. Wait until
- the expiration time marked in Step 1 has passed.
-
- Step 2: Then start using the key that was marked "published" to sign
- your data (i.e., mark it "active"). Stop using the key that was
- marked "active"; mark it "rolled".
-
- Step 3: It is safe to engage in a new rollover (Step 1) after at
- least one signature validity period.
-
-Appendix C. Typographic Conventions
-
- The following typographic conventions are used in this document:
-
- Key notation: A key is denoted by DNSKEYx, where x is a number or an
- identifier, x could be thought of as the key id.
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 34]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- RRSet notations: RRs are only denoted by the type. All other
- information -- owner, class, rdata, and TTL -- is left out. Thus:
- "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
- list of RRs. A example of this would be "A1, A2", specifying the
- RRSet containing two "A" records. This could again be abbreviated
- to just "A".
-
- Signature notation: Signatures are denoted as RRSIGx(RRSet), which
- means that RRSet is signed with DNSKEYx.
-
- Zone representation: Using the above notation we have simplified the
- representation of a signed zone by leaving out all unnecessary
- details such as the names and by representing all data by "SOAx"
-
- SOA representation: SOAs are represented as SOAx, where x is the
- serial number.
-
- Using this notation the following signed zone:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 35]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- example.net. 86400 IN SOA ns.example.net. bert.example.net. (
- 2006022100 ; serial
- 86400 ; refresh ( 24 hours)
- 7200 ; retry ( 2 hours)
- 3600000 ; expire (1000 hours)
- 28800 ) ; minimum ( 8 hours)
- 86400 RRSIG SOA 5 2 86400 20130522213204 (
- 20130422213204 14 example.net.
- cmL62SI6iAX46xGNQAdQ... )
- 86400 NS a.example.net.
- 86400 NS b.example.net.
- 86400 RRSIG NS 5 2 86400 20130507213204 (
- 20130407213204 14 example.net.
- SO5epiJei19AjXoUpFnQ ... )
- 86400 DNSKEY 256 3 5 (
- EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
- 86400 DNSKEY 257 3 5 (
- gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
- 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
- 20130422213204 14 example.net.
- J4zCe8QX4tXVGjV4e1r9... )
- 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
- 20130422213204 15 example.net.
- keVDCOpsSeDReyV6O... )
- 86400 RRSIG NSEC 5 2 86400 20130507213204 (
- 20130407213204 14 example.net.
- obj3HEp1GjnmhRjX... )
- a.example.net. 86400 IN TXT "A label"
- 86400 RRSIG TXT 5 3 86400 20130507213204 (
- 20130407213204 14 example.net.
- IkDMlRdYLmXH7QJnuF3v... )
- 86400 NSEC b.example.com. TXT RRSIG NSEC
- 86400 RRSIG NSEC 5 3 86400 20130507213204 (
- 20130407213204 14 example.net.
- bZMjoZ3bHjnEz0nIsPMM... )
- ...
-
- is reduced to the following representation:
-
- SOA2006022100
- RRSIG14(SOA2006022100)
- DNSKEY14
- DNSKEY15
-
- RRSIG14(KEY)
- RRSIG15(KEY)
-
- The rest of the zone data has the same signature as the SOA record,
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 36]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- i.e., an RRSIG created with DNSKEY 14.
-
-Appendix D. Document Editing History
-
- [To be removed prior to publication as an RFC]
-
-D.1. draft-ietf-dnsop-rfc4641-00
-
- Version 0 was differs from RFC4641 in the following ways.
-
- o Status of this memo appropriate for I-D
-
- o TOC formatting differs.
-
- o Whitespaces, linebreaks, and pagebreaks may be slightly different
- because of xml2rfc generation.
-
- o References slightly reordered.
-
- o Applied the errata from
- http://www.rfc-editor.org/errata_search.php?rfc=4641
-
- o Inserted trivial "IANA considertations" section.
-
- In other words it should not contain substantive changes in content
- as intended by the workinggroup for the original RFC4641.
-
-D.2. version 0->1
-
- Cryptography details rewritten. (See http://www.nlnetlabs.nl/svn/
- rfc4641bis/trunk/open-issues/cryptography_flawed)
-
- o Reference to NIST 800-90 added
-
- o RSA/SHA256 is being recommended in addition to RSA/SHA1.
-
- o Complete rewrite of Section 3.5 removing the table and suggesting
- a keysize of 1024 for keys in use for less than 8 years, issued up
- to at least 2015.
-
- o Replaced the reference to Schneiers' applied cryptograpy with a
- reference to RFC4949.
-
- o Removed the KSK for high level zones consideration
-
- Applied some differentiation with respect of the use of a KSK for
- parent or trust-anchor relation http://www.nlnetlabs.nl/svn/
- rfc4641bis/trunk/open-issues/differentiation_trustanchor_parent
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 37]
-\f
-Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
-
-
- http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
- rollover_assumptions
-
- Added Section 4.2.4 as suggested by Jelte Jansen in http://
- www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
-
- Added Section 4.4.5 Issue identified by Antoin Verschuur http://
- www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
- non-cooperative-registrars
-
- In Appendix A: ZSK does not nescessarily sign the DNSKEY RRset.
-
- $Id: draft-ietf-dnsop-rfc4641bis-01.txt,v 1.1 2009/09/23 13:22:50 fdupont Exp $
-
-Authors' Addresses
-
- Olaf M. Kolkman
- NLnet Labs
- Kruislaan 419
- Amsterdam 1098 VA
- The Netherlands
-
- EMail: olaf@nlnetlabs.nl
- URI: http://www.nlnetlabs.nl
-
-
- Miek Gieben
-
-
- EMail: miek@miek.nl
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 8, 2009 [Page 38]
-\f
+++ /dev/null
-
-
-
-
-
-
-Network Working Group O. Kolkman
-Request for Comments: 4641 R. Gieben
-Obsoletes: 2541 NLnet Labs
-Category: Informational September 2006
-
-
- DNSSEC Operational Practices
-
-Status of This Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes a set of practices for operating the DNS with
- security extensions (DNSSEC). The target audience is zone
- administrators deploying DNSSEC.
-
- The document discusses operational aspects of using keys and
- signatures in the DNS. It discusses issues of key generation, key
- storage, signature generation, key rollover, and related policies.
-
- This document obsoletes RFC 2541, as it covers more operational
- ground and gives more up-to-date requirements with respect to key
- sizes and the new DNSSEC specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 1]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-Table of Contents
-
- 1. Introduction ....................................................3
- 1.1. The Use of the Term 'key' ..................................4
- 1.2. Time Definitions ...........................................4
- 2. Keeping the Chain of Trust Intact ...............................5
- 3. Keys Generation and Storage .....................................6
- 3.1. Zone and Key Signing Keys ..................................6
- 3.1.1. Motivations for the KSK and ZSK Separation ..........6
- 3.1.2. KSKs for High-Level Zones ...........................7
- 3.2. Key Generation .............................................8
- 3.3. Key Effectivity Period .....................................8
- 3.4. Key Algorithm ..............................................9
- 3.5. Key Sizes ..................................................9
- 3.6. Private Key Storage .......................................11
- 4. Signature Generation, Key Rollover, and Related Policies .......12
- 4.1. Time in DNSSEC ............................................12
- 4.1.1. Time Considerations ................................12
- 4.2. Key Rollovers .............................................14
- 4.2.1. Zone Signing Key Rollovers .........................14
- 4.2.1.1. Pre-Publish Key Rollover ..................15
- 4.2.1.2. Double Signature Zone Signing Key
- Rollover ..................................17
- 4.2.1.3. Pros and Cons of the Schemes ..............18
- 4.2.2. Key Signing Key Rollovers ..........................18
- 4.2.3. Difference Between ZSK and KSK Rollovers ...........20
- 4.2.4. Automated Key Rollovers ............................21
- 4.3. Planning for Emergency Key Rollover .......................21
- 4.3.1. KSK Compromise .....................................22
- 4.3.1.1. Keeping the Chain of Trust Intact .........22
- 4.3.1.2. Breaking the Chain of Trust ...............23
- 4.3.2. ZSK Compromise .....................................23
- 4.3.3. Compromises of Keys Anchored in Resolvers ..........24
- 4.4. Parental Policies .........................................24
- 4.4.1. Initial Key Exchanges and Parental Policies
- Considerations .....................................24
- 4.4.2. Storing Keys or Hashes? ............................25
- 4.4.3. Security Lameness ..................................25
- 4.4.4. DS Signature Validity Period .......................26
- 5. Security Considerations ........................................26
- 6. Acknowledgments ................................................26
- 7. References .....................................................27
- 7.1. Normative References ......................................27
- 7.2. Informative References ....................................28
- Appendix A. Terminology ...........................................30
- Appendix B. Zone Signing Key Rollover How-To ......................31
- Appendix C. Typographic Conventions ...............................32
-
-
-
-
-Kolkman & Gieben Informational [Page 2]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-1. Introduction
-
- This document describes how to run a DNS Security (DNSSEC)-enabled
- environment. It is intended for operators who have knowledge of the
- DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
- See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the
- newly introduced Resource Records (RRs), and RFC 4035 [6] for the
- protocol changes.
-
- During workshops and early operational deployment tests, operators
- and system administrators have gained experience about operating the
- DNS with security extensions (DNSSEC). This document translates
- these experiences into a set of practices for zone administrators.
- At the time of writing, there exists very little experience with
- DNSSEC in production environments; this document should therefore
- explicitly not be seen as representing 'Best Current Practices'.
-
- The procedures herein are focused on the maintenance of signed zones
- (i.e., signing and publishing zones on authoritative servers). It is
- intended that maintenance of zones such as re-signing or key
- rollovers be transparent to any verifying clients on the Internet.
-
- The structure of this document is as follows. In Section 2, we
- discuss the importance of keeping the "chain of trust" intact.
- Aspects of key generation and storage of private keys are discussed
- in Section 3; the focus in this section is mainly on the private part
- of the key(s). Section 4 describes considerations concerning the
- public part of the keys. Since these public keys appear in the DNS
- one has to take into account all kinds of timing issues, which are
- discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
- rollover, or supercession, of keys. Finally, Section 4.4 discusses
- considerations on how parents deal with their children's public keys
- in order to maintain chains of trust.
-
- The typographic conventions used in this document are explained in
- Appendix C.
-
- Since this is a document with operational suggestions and there are
- no protocol specifications, the RFC 2119 [7] language does not apply.
-
- This document obsoletes RFC 2541 [12] to reflect the evolution of the
- underlying DNSSEC protocol since then. Changes in the choice of
- cryptographic algorithms, DNS record types and type names, and the
- parent-child key and signature exchange demanded a major rewrite and
- additional information and explanation.
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 3]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-1.1. The Use of the Term 'key'
-
- It is assumed that the reader is familiar with the concept of
- asymmetric keys on which DNSSEC is based (public key cryptography
- [17]). Therefore, this document will use the term 'key' rather
- loosely. Where it is written that 'a key is used to sign data' it is
- assumed that the reader understands that it is the private part of
- the key pair that is used for signing. It is also assumed that the
- reader understands that the public part of the key pair is published
- in the DNSKEY Resource Record and that it is the public part that is
- used in key exchanges.
-
-1.2. Time Definitions
-
- In this document, we will be using a number of time-related terms.
- The following definitions apply:
-
- o "Signature validity period" The period that a signature is valid.
- It starts at the time specified in the signature inception field
- of the RRSIG RR and ends at the time specified in the expiration
- field of the RRSIG RR.
-
- o "Signature publication period" Time after which a signature (made
- with a specific key) is replaced with a new signature (made with
- the same key). This replacement takes place by publishing the
- relevant RRSIG in the master zone file. After one stops
- publishing an RRSIG in a zone, it may take a while before the
- RRSIG has expired from caches and has actually been removed from
- the DNS.
-
- o "Key effectivity period" The period during which a key pair is
- expected to be effective. This period is defined as the time
- between the first inception time stamp and the last expiration
- date of any signature made with this key, regardless of any
- discontinuity in the use of the key. The key effectivity period
- can span multiple signature validity periods.
-
- o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
- value of the TTLs from the complete set of RRs in a zone. Note
- that the minimum TTL is not the same as the MINIMUM field in the
- SOA RR. See [11] for more information.
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 4]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-2. Keeping the Chain of Trust Intact
-
- Maintaining a valid chain of trust is important because broken chains
- of trust will result in data being marked as Bogus (as defined in [4]
- Section 5), which may cause entire (sub)domains to become invisible
- to verifying clients. The administrators of secured zones have to
- realize that their zone is, to verifying clients, part of a chain of
- trust.
-
- As mentioned in the introduction, the procedures herein are intended
- to ensure that maintenance of zones, such as re-signing or key
- rollovers, will be transparent to the verifying clients on the
- Internet.
-
- Administrators of secured zones will have to keep in mind that data
- published on an authoritative primary server will not be immediately
- seen by verifying clients; it may take some time for the data to be
- transferred to other secondary authoritative nameservers and clients
- may be fetching data from caching non-authoritative servers. In this
- light, note that the time for a zone transfer from master to slave is
- negligible when using NOTIFY [9] and incremental transfer (IXFR) [8].
- It increases when full zone transfers (AXFR) are used in combination
- with NOTIFY. It increases even more if you rely on full zone
- transfers based on only the SOA timing parameters for refresh.
-
- For the verifying clients, it is important that data from secured
- zones can be used to build chains of trust regardless of whether the
- data came directly from an authoritative server, a caching
- nameserver, or some middle box. Only by carefully using the
- available timing parameters can a zone administrator ensure that the
- data necessary for verification can be obtained.
-
- The responsibility for maintaining the chain of trust is shared by
- administrators of secured zones in the chain of trust. This is most
- obvious in the case of a 'key compromise' when a trade-off between
- maintaining a valid chain of trust and replacing the compromised keys
- as soon as possible must be made. Then zone administrators will have
- to make a trade-off, between keeping the chain of trust intact --
- thereby allowing for attacks with the compromised key -- or
- deliberately breaking the chain of trust and making secured
- subdomains invisible to security-aware resolvers. Also see Section
- 4.3.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 5]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-3. Keys Generation and Storage
-
- This section describes a number of considerations with respect to the
- security of keys. It deals with the generation, effectivity period,
- size, and storage of private keys.
-
-3.1. Zone and Key Signing Keys
-
- The DNSSEC validation protocol does not distinguish between different
- types of DNSKEYs. All DNSKEYs can be used during the validation. In
- practice, operators use Key Signing and Zone Signing Keys and use the
- so-called Secure Entry Point (SEP) [3] flag to distinguish between
- them during operations. The dynamics and considerations are
- discussed below.
-
- To make zone re-signing and key rollover procedures easier to
- implement, it is possible to use one or more keys as Key Signing Keys
- (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone.
- Other keys can be used to sign all the RRSets in a zone and are
- referred to as Zone Signing Keys (ZSKs). In this document, we assume
- that KSKs are the subset of keys that are used for key exchanges with
- the parent and potentially for configuration as trusted anchors --
- the SEP keys. In this document, we assume a one-to-one mapping
- between KSK and SEP keys and we assume the SEP flag to be set on all
- KSKs.
-
-3.1.1. Motivations for the KSK and ZSK Separation
-
- Differentiating between the KSK and ZSK functions has several
- advantages:
-
- o No parent/child interaction is required when ZSKs are updated.
-
- o The KSK can be made stronger (i.e., using more bits in the key
- material). This has little operational impact since it is only
- used to sign a small fraction of the zone data. Also, the KSK is
- only used to verify the zone's key set, not for other RRSets in
- the zone.
-
- o As the KSK is only used to sign a key set, which is most probably
- updated less frequently than other data in the zone, it can be
- stored separately from and in a safer location than the ZSK.
-
- o A KSK can have a longer key effectivity period.
-
- For almost any method of key management and zone signing, the KSK is
- used less frequently than the ZSK. Once a key set is signed with the
- KSK, all the keys in the key set can be used as ZSKs. If a ZSK is
-
-
-
-Kolkman & Gieben Informational [Page 6]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- compromised, it can be simply dropped from the key set. The new key
- set is then re-signed with the KSK.
-
- Given the assumption that for KSKs the SEP flag is set, the KSK can
- be distinguished from a ZSK by examining the flag field in the DNSKEY
- RR. If the flag field is an odd number it is a KSK. If it is an
- even number it is a ZSK.
-
- The Zone Signing Key can be used to sign all the data in a zone on a
- regular basis. When a Zone Signing Key is to be rolled, no
- interaction with the parent is needed. This allows for signature
- validity periods on the order of days.
-
- The Key Signing Key is only to be used to sign the DNSKEY RRs in a
- zone. If a Key Signing Key is to be rolled over, there will be
- interactions with parties other than the zone administrator. These
- can include the registry of the parent zone or administrators of
- verifying resolvers that have the particular key configured as secure
- entry points. Hence, the key effectivity period of these keys can
- and should be made much longer. Although, given a long enough key,
- the key effectivity period can be on the order of years, we suggest
- planning for a key effectivity on the order of a few months so that a
- key rollover remains an operational routine.
-
-3.1.2. KSKs for High-Level Zones
-
- Higher-level zones are generally more sensitive than lower-level
- zones. Anyone controlling or breaking the security of a zone thereby
- obtains authority over all of its subdomains (except in the case of
- resolvers that have locally configured the public key of a subdomain,
- in which case this, and only this, subdomain wouldn't be affected by
- the compromise of the parent zone). Therefore, extra care should be
- taken with high-level zones, and strong keys should be used.
-
- The root zone is the most critical of all zones. Someone controlling
- or compromising the security of the root zone would control the
- entire DNS namespace of all resolvers using that root zone (except in
- the case of resolvers that have locally configured the public key of
- a subdomain). Therefore, the utmost care must be taken in the
- securing of the root zone. The strongest and most carefully handled
- keys should be used. The root zone private key should always be kept
- off-line.
-
- Many resolvers will start at a root server for their access to and
- authentication of DNS data. Securely updating the trust anchors in
- an enormous population of resolvers around the world will be
- extremely difficult.
-
-
-
-
-Kolkman & Gieben Informational [Page 7]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-3.2. Key Generation
-
- Careful generation of all keys is a sometimes overlooked but
- absolutely essential element in any cryptographically secure system.
- The strongest algorithms used with the longest keys are still of no
- use if an adversary can guess enough to lower the size of the likely
- key space so that it can be exhaustively searched. Technical
- suggestions for the generation of random keys will be found in RFC
- 4086 [14]. One should carefully assess if the random number
- generator used during key generation adheres to these suggestions.
-
- Keys with a long effectivity period are particularly sensitive as
- they will represent a more valuable target and be subject to attack
- for a longer time than short-period keys. It is strongly recommended
- that long-term key generation occur off-line in a manner isolated
- from the network via an air gap or, at a minimum, high-level secure
- hardware.
-
-3.3. Key Effectivity Period
-
- For various reasons, keys in DNSSEC need to be changed once in a
- while. The longer a key is in use, the greater the probability that
- it will have been compromised through carelessness, accident,
- espionage, or cryptanalysis. Furthermore, when key rollovers are too
- rare an event, they will not become part of the operational habit and
- there is risk that nobody on-site will remember the procedure for
- rollover when the need is there.
-
- From a purely operational perspective, a reasonable key effectivity
- period for Key Signing Keys is 13 months, with the intent to replace
- them after 12 months. An intended key effectivity period of a month
- is reasonable for Zone Signing Keys.
-
- For key sizes that match these effectivity periods, see Section 3.5.
-
- As argued in Section 3.1.2, securely updating trust anchors will be
- extremely difficult. On the other hand, the "operational habit"
- argument does also apply to trust anchor reconfiguration. If a short
- key effectivity period is used and the trust anchor configuration has
- to be revisited on a regular basis, the odds that the configuration
- tends to be forgotten is smaller. The trade-off is against a system
- that is so dynamic that administrators of the validating clients will
- not be able to follow the modifications.
-
- Key effectivity periods can be made very short, as in a few minutes.
- But when replacing keys one has to take the considerations from
- Section 4.1 and Section 4.2 into account.
-
-
-
-
-Kolkman & Gieben Informational [Page 8]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-3.4. Key Algorithm
-
- There are currently three different types of algorithms that can be
- used in DNSSEC: RSA, DSA, and elliptic curve cryptography. The
- latter is fairly new and has yet to be standardized for usage in
- DNSSEC.
-
- RSA has been developed in an open and transparent manner. As the
- patent on RSA expired in 2000, its use is now also free.
-
- DSA has been developed by the National Institute of Standards and
- Technology (NIST). The creation of signatures takes roughly the same
- time as with RSA, but is 10 to 40 times as slow for verification
- [17].
-
- We suggest the use of RSA/SHA-1 as the preferred algorithm for the
- key. The current known attacks on RSA can be defeated by making your
- key longer. As the MD5 hashing algorithm is showing cracks, we
- recommend the usage of SHA-1.
-
- At the time of publication, it is known that the SHA-1 hash has
- cryptanalysis issues. There is work in progress on addressing these
- issues. We recommend the use of public key algorithms based on
- hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
- algorithms are available in protocol specifications (see [19] and
- [20]) and implementations.
-
-3.5. Key Sizes
-
- When choosing key sizes, zone administrators will need to take into
- account how long a key will be used, how much data will be signed
- during the key publication period (see Section 8.10 of [17]), and,
- optionally, how large the key size of the parent is. As the chain of
- trust really is "a chain", there is not much sense in making one of
- the keys in the chain several times larger then the others. As
- always, it's the weakest link that defines the strength of the entire
- chain. Also see Section 3.1.1 for a discussion of how keys serving
- different roles (ZSK vs. KSK) may need different key sizes.
-
- Generating a key of the correct size is a difficult problem; RFC 3766
- [13] tries to deal with that problem. The first part of the
- selection procedure in Section 1 of the RFC states:
-
- 1. Determine the attack resistance necessary to satisfy the
- security requirements of the application. Do this by
- estimating the minimum number of computer operations that the
- attacker will be forced to do in order to compromise the
-
-
-
-
-Kolkman & Gieben Informational [Page 9]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- security of the system and then take the logarithm base two of
- that number. Call that logarithm value "n".
-
- A 1996 report recommended 90 bits as a good all-around choice
- for system security. The 90 bit number should be increased by
- about 2/3 bit/year, or about 96 bits in 2005.
-
- [13] goes on to explain how this number "n" can be used to calculate
- the key sizes in public key cryptography. This culminated in the
- table given below (slightly modified for our purpose):
-
- +-------------+-----------+--------------+
- | System | | |
- | requirement | Symmetric | RSA or DSA |
- | for attack | key size | modulus size |
- | resistance | (bits) | (bits) |
- | (bits) | | |
- +-------------+-----------+--------------+
- | 70 | 70 | 947 |
- | 80 | 80 | 1228 |
- | 90 | 90 | 1553 |
- | 100 | 100 | 1926 |
- | 150 | 150 | 4575 |
- | 200 | 200 | 8719 |
- | 250 | 250 | 14596 |
- +-------------+-----------+--------------+
-
- The key sizes given are rather large. This is because these keys are
- resilient against a trillionaire attacker. Assuming this rich
- attacker will not attack your key and that the key is rolled over
- once a year, we come to the following recommendations about KSK
- sizes: 1024 bits for low-value domains, 1300 bits for medium-value
- domains, and 2048 bits for high-value domains.
-
- Whether a domain is of low, medium, or high value depends solely on
- the views of the zone owner. One could, for instance, view leaf
- nodes in the DNS as of low value, and top-level domains (TLDs) or the
- root zone of high value. The suggested key sizes should be safe for
- the next 5 years.
-
- As ZSKs can be rolled over more easily (and thus more often), the key
- sizes can be made smaller. But as said in the introduction of this
- paragraph, making the ZSKs' key sizes too small (in relation to the
- KSKs' sizes) doesn't make much sense. Try to limit the difference in
- size to about 100 bits.
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 10]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- Note that nobody can see into the future and that these key sizes are
- only provided here as a guide. Further information can be found in
- [16] and Section 7.5 of [17]. It should be noted though that [16] is
- already considered overly optimistic about what key sizes are
- considered safe.
-
- One final note concerning key sizes. Larger keys will increase the
- sizes of the RRSIG and DNSKEY records and will therefore increase the
- chance of DNS UDP packet overflow. Also, the time it takes to
- validate and create RRSIGs increases with larger keys, so don't
- needlessly double your key sizes.
-
-3.6. Private Key Storage
-
- It is recommended that, where possible, zone private keys and the
- zone file master copy that is to be signed be kept and used in off-
- line, non-network-connected, physically secure machines only.
- Periodically, an application can be run to add authentication to a
- zone by adding RRSIG and NSEC RRs. Then the augmented file can be
- transferred.
-
- When relying on dynamic update to manage a signed zone [10], be aware
- that at least one private key of the zone will have to reside on the
- master server. This key is only as secure as the amount of exposure
- the server receives to unknown clients and the security of the host.
- Although not mandatory, one could administer the DNS in the following
- way. The master that processes the dynamic updates is unavailable
- from generic hosts on the Internet, it is not listed in the NS RR
- set, although its name appears in the SOA RRs MNAME field. The
- nameservers in the NS RRSet are able to receive zone updates through
- NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This
- approach is known as the "hidden master" setup.
-
- The ideal situation is to have a one-way information flow to the
- network to avoid the possibility of tampering from the network.
- Keeping the zone master file on-line on the network and simply
- cycling it through an off-line signer does not do this. The on-line
- version could still be tampered with if the host it resides on is
- compromised. For maximum security, the master copy of the zone file
- should be off-net and should not be updated based on an unsecured
- network mediated communication.
-
- In general, keeping a zone file off-line will not be practical and
- the machines on which zone files are maintained will be connected to
- a network. Operators are advised to take security measures to shield
- unauthorized access to the master copy.
-
-
-
-
-
-Kolkman & Gieben Informational [Page 11]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- For dynamically updated secured zones [10], both the master copy and
- the private key that is used to update signatures on updated RRs will
- need to be on-line.
-
-4. Signature Generation, Key Rollover, and Related Policies
-
-4.1. Time in DNSSEC
-
- Without DNSSEC, all times in the DNS are relative. The SOA fields
- REFRESH, RETRY, and EXPIRATION are timers used to determine the time
- elapsed after a slave server synchronized with a master server. The
- Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
- are used to determine how long a forwarder should cache data after it
- has been fetched from an authoritative server. By using a signature
- validity period, DNSSEC introduces the notion of an absolute time in
- the DNS. Signatures in DNSSEC have an expiration date after which
- the signature is marked as invalid and the signed data is to be
- considered Bogus.
-
-4.1.1. Time Considerations
-
- Because of the expiration of signatures, one should consider the
- following:
-
- o We suggest the Maximum Zone TTL of your zone data to be a fraction
- of your signature validity period.
-
- If the TTL would be of similar order as the signature validity
- period, then all RRSets fetched during the validity period
- would be cached until the signature expiration time. Section
- 7.1 of [4] suggests that "the resolver may use the time
- remaining before expiration of the signature validity period of
- a signed RRSet as an upper bound for the TTL". As a result,
- query load on authoritative servers would peak at signature
- expiration time, as this is also the time at which records
- simultaneously expire from caches.
-
- To avoid query load peaks, we suggest the TTL on all the RRs in
- your zone to be at least a few times smaller than your
- signature validity period.
-
- o We suggest the signature publication period to end at least one
- Maximum Zone TTL duration before the end of the signature validity
- period.
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 12]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- Re-signing a zone shortly before the end of the signature
- validity period may cause simultaneous expiration of data from
- caches. This in turn may lead to peaks in the load on
- authoritative servers.
-
- o We suggest the Minimum Zone TTL to be long enough to both fetch
- and verify all the RRs in the trust chain. In workshop
- environments, it has been demonstrated [18] that a low TTL (under
- 5 to 10 minutes) caused disruptions because of the following two
- problems:
-
- 1. During validation, some data may expire before the
- validation is complete. The validator should be able to
- keep all data until it is completed. This applies to all
- RRs needed to complete the chain of trust: DSes, DNSKEYs,
- RRSIGs, and the final answers, i.e., the RRSet that is
- returned for the initial query.
-
- 2. Frequent verification causes load on recursive nameservers.
- Data at delegation points, DSes, DNSKEYs, and RRSIGs
- benefit from caching. The TTL on those should be
- relatively long.
-
- o Slave servers will need to be able to fetch newly signed zones
- well before the RRSIGs in the zone served by the slave server pass
- their signature expiration time.
-
- When a slave server is out of sync with its master and data in
- a zone is signed by expired signatures, it may be better for
- the slave server not to give out any answer.
-
- Normally, a slave server that is not able to contact a master
- server for an extended period will expire a zone. When that
- happens, the server will respond differently to queries for
- that zone. Some servers issue SERVFAIL, whereas others turn
- off the 'AA' bit in the answers. The time of expiration is set
- in the SOA record and is relative to the last successful
- refresh between the master and the slave servers. There exists
- no coupling between the signature expiration of RRSIGs in the
- zone and the expire parameter in the SOA.
-
- If the server serves a DNSSEC zone, then it may well happen
- that the signatures expire well before the SOA expiration timer
- counts down to zero. It is not possible to completely prevent
- this from happening by tweaking the SOA parameters. However,
- the effects can be minimized where the SOA expiration time is
- equal to or shorter than the signature validity period. The
- consequence of an authoritative server not being able to update
-
-
-
-Kolkman & Gieben Informational [Page 13]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- a zone, whilst that zone includes expired signatures, is that
- non-secure resolvers will continue to be able to resolve data
- served by the particular slave servers while security-aware
- resolvers will experience problems because of answers being
- marked as Bogus.
-
- We suggest the SOA expiration timer being approximately one
- third or one fourth of the signature validity period. It will
- allow problems with transfers from the master server to be
- noticed before the actual signature times out. We also suggest
- that operators of nameservers that supply secondary services
- develop 'watch dogs' to spot upcoming signature expirations in
- zones they slave, and take appropriate action.
-
- When determining the value for the expiration parameter one has
- to take the following into account: What are the chances that
- all my secondaries expire the zone? How quickly can I reach an
- administrator of secondary servers to load a valid zone? These
- questions are not DNSSEC specific but may influence the choice
- of your signature validity intervals.
-
-4.2. Key Rollovers
-
- A DNSSEC key cannot be used forever (see Section 3.3). So key
- rollovers -- or supercessions, as they are sometimes called -- are a
- fact of life when using DNSSEC. Zone administrators who are in the
- process of rolling their keys have to take into account that data
- published in previous versions of their zone still lives in caches.
- When deploying DNSSEC, this becomes an important consideration;
- ignoring data that may be in caches may lead to loss of service for
- clients.
-
- The most pressing example of this occurs when zone material signed
- with an old key is being validated by a resolver that does not have
- the old zone key cached. If the old key is no longer present in the
- current zone, this validation fails, marking the data "Bogus".
- Alternatively, an attempt could be made to validate data that is
- signed with a new key against an old key that lives in a local cache,
- also resulting in data being marked "Bogus".
-
-4.2.1. Zone Signing Key Rollovers
-
- For "Zone Signing Key rollovers", there are two ways to make sure
- that during the rollover data still cached can be verified with the
- new key sets or newly generated signatures can be verified with the
- keys still in caches. One schema, described in Section 4.2.1.2, uses
-
-
-
-
-
-Kolkman & Gieben Informational [Page 14]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- double signatures; the other uses key pre-publication (Section
- 4.2.1.1). The pros, cons, and recommendations are described in
- Section 4.2.1.3.
-
-4.2.1.1. Pre-Publish Key Rollover
-
- This section shows how to perform a ZSK rollover without the need to
- sign all the data in a zone twice -- the "pre-publish key rollover".
- This method has advantages in the case of a key compromise. If the
- old key is compromised, the new key has already been distributed in
- the DNS. The zone administrator is then able to quickly switch to
- the new key and remove the compromised key from the zone. Another
- major advantage is that the zone size does not double, as is the case
- with the double signature ZSK rollover. A small "how-to" for this
- kind of rollover can be found in Appendix B.
-
- Pre-publish key rollover involves four stages as follows:
-
- ----------------------------------------------------------------
- initial new DNSKEY new RRSIGs DNSKEY removal
- ----------------------------------------------------------------
- SOA0 SOA1 SOA2 SOA3
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
-
- DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
- ----------------------------------------------------------------
-
- Pre-Publish Key Rollover
-
- initial: Initial version of the zone: DNSKEY 1 is the Key Signing
- Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
- Signing Key.
-
- new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
- signatures are generated with this key yet, but this does not
- secure against brute force attacks on the public key. The minimum
- duration of this pre-roll phase is the time it takes for the data
- to propagate to the authoritative servers plus TTL value of the
- key set.
-
- new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
- used to sign the data in the zone exclusively (i.e., all the
- signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
- remains published in the key set. This way data that was loaded
-
-
-
-Kolkman & Gieben Informational [Page 15]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- into caches from version 1 of the zone can still be verified with
- key sets fetched from version 2 of the zone. The minimum time
- that the key set including DNSKEY 10 is to be published is the
- time that it takes for zone data from the previous version of the
- zone to expire from old caches, i.e., the time it takes for this
- zone to propagate to all authoritative servers plus the Maximum
- Zone TTL value of any of the data in the previous version of the
- zone.
-
- DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now
- only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
- DNSKEY 1.
-
- The above scheme can be simplified by always publishing the "future"
- key immediately after the rollover. The scheme would look as follows
- (we show two rollovers); the future key is introduced in "new DNSKEY"
- as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
- (II)":
-
- ----------------------------------------------------------------
- initial new RRSIGs new DNSKEY
- ----------------------------------------------------------------
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11 DNSKEY12
- RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
- ----------------------------------------------------------------
-
- ----------------------------------------------------------------
- new RRSIGs (II) new DNSKEY (II)
- ----------------------------------------------------------------
- SOA3 SOA4
- RRSIG12(SOA3) RRSIG12(SOA4)
-
- DNSKEY1 DNSKEY1
- DNSKEY11 DNSKEY12
- DNSKEY12 DNSKEY13
- RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG12(DNSKEY) RRSIG12(DNSKEY)
- ----------------------------------------------------------------
-
- Pre-Publish Key Rollover, Showing Two Rollovers
-
-
-
-
-
-Kolkman & Gieben Informational [Page 16]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- Note that the key introduced in the "new DNSKEY" phase is not used
- for production yet; the private key can thus be stored in a
- physically secure manner and does not need to be 'fetched' every time
- a zone needs to be signed.
-
-4.2.1.2. Double Signature Zone Signing Key Rollover
-
- This section shows how to perform a ZSK key rollover using the double
- zone data signature scheme, aptly named "double signature rollover".
-
- During the "new DNSKEY" stage the new version of the zone file will
- need to propagate to all authoritative servers and the data that
- exists in (distant) caches will need to expire, requiring at least
- the Maximum Zone TTL.
-
- Double signature ZSK rollover involves three stages as follows:
-
- ----------------------------------------------------------------
- initial new DNSKEY DNSKEY removal
- ----------------------------------------------------------------
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
- RRSIG11(SOA1)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11
- RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
- RRSIG11(DNSKEY)
- ----------------------------------------------------------------
-
- Double Signature Zone Signing Key Rollover
-
- initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
- Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
- Signing Key.
-
- new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
- introduced into the key set and all the data in the zone is signed
- with DNSKEY 10 and DNSKEY 11. The rollover period will need to
- continue until all data from version 0 of the zone has expired
- from remote caches. This will take at least the Maximum Zone TTL
- of version 0 of the zone.
-
- DNSKEY removal: DNSKEY 10 is removed from the zone. All the
- signatures from DNSKEY 10 are removed from the zone. The key set,
- now only containing DNSKEY 11, is re-signed with DNSKEY 1.
-
-
-
-Kolkman & Gieben Informational [Page 17]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- At every instance, RRSIGs from the previous version of the zone can
- be verified with the DNSKEY RRSet from the current version and the
- other way around. The data from the current version can be verified
- with the data from the previous version of the zone. The duration of
- the "new DNSKEY" phase and the period between rollovers should be at
- least the Maximum Zone TTL.
-
- Making sure that the "new DNSKEY" phase lasts until the signature
- expiration time of the data in initial version of the zone is
- recommended. This way all caches are cleared of the old signatures.
- However, this duration could be considerably longer than the Maximum
- Zone TTL, making the rollover a lengthy procedure.
-
- Note that in this example we assumed that the zone was not modified
- during the rollover. New data can be introduced in the zone as long
- as it is signed with both keys.
-
-4.2.1.3. Pros and Cons of the Schemes
-
- Pre-publish key rollover: This rollover does not involve signing the
- zone data twice. Instead, before the actual rollover, the new key
- is published in the key set and thus is available for
- cryptanalysis attacks. A small disadvantage is that this process
- requires four steps. Also the pre-publish scheme involves more
- parental work when used for KSK rollovers as explained in Section
- 4.2.3.
-
- Double signature ZSK rollover: The drawback of this signing scheme is
- that during the rollover the number of signatures in your zone
- doubles; this may be prohibitive if you have very big zones. An
- advantage is that it only requires three steps.
-
-4.2.2. Key Signing Key Rollovers
-
- For the rollover of a Key Signing Key, the same considerations as for
- the rollover of a Zone Signing Key apply. However, we can use a
- double signature scheme to guarantee that old data (only the apex key
- set) in caches can be verified with a new key set and vice versa.
- Since only the key set is signed with a KSK, zone size considerations
- do not apply.
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 18]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- --------------------------------------------------------------------
- initial new DNSKEY DS change DNSKEY removal
- --------------------------------------------------------------------
- Parent:
- SOA0 --------> SOA1 -------->
- RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
- DS1 --------> DS2 -------->
- RRSIGpar(DS) --------> RRSIGpar(DS) -------->
-
-
- Child:
- SOA0 SOA1 --------> SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
- -------->
- DNSKEY1 DNSKEY1 --------> DNSKEY2
- DNSKEY2 -------->
- DNSKEY10 DNSKEY10 --------> DNSKEY10
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
- RRSIG2 (DNSKEY) -------->
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
- --------------------------------------------------------------------
-
- Stages of Deployment for a Double Signature Key Signing Key Rollover
-
- initial: Initial version of the zone. The parental DS points to
- DNSKEY1. Before the rollover starts, the child will have to
- verify what the TTL is of the DS RR that points to DNSKEY1 -- it
- is needed during the rollover and we refer to the value as TTL_DS.
-
- new DNSKEY: During the "new DNSKEY" phase, the zone administrator
- generates a second KSK, DNSKEY2. The key is provided to the
- parent, and the child will have to wait until a new DS RR has been
- generated that points to DNSKEY2. After that DS RR has been
- published on all servers authoritative for the parent's zone, the
- zone administrator has to wait at least TTL_DS to make sure that
- the old DS RR has expired from caches.
-
- DS change: The parent replaces DS1 with DS2.
-
- DNSKEY removal: DNSKEY1 has been removed.
-
- The scenario above puts the responsibility for maintaining a valid
- chain of trust with the child. It also is based on the premise that
- the parent only has one DS RR (per algorithm) per zone. An
- alternative mechanism has been considered. Using an established
- trust relation, the interaction can be performed in-band, and the
- removal of the keys by the child can possibly be signaled by the
- parent. In this mechanism, there are periods where there are two DS
-
-
-
-Kolkman & Gieben Informational [Page 19]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- RRs at the parent. Since at the moment of writing the protocol for
- this interaction has not been developed, further discussion is out of
- scope for this document.
-
-4.2.3. Difference Between ZSK and KSK Rollovers
-
- Note that KSK rollovers and ZSK rollovers are different in the sense
- that a KSK rollover requires interaction with the parent (and
- possibly replacing of trust anchors) and the ensuing delay while
- waiting for it.
-
- A zone key rollover can be handled in two different ways: pre-publish
- (Section 4.2.1.1) and double signature (Section 4.2.1.2).
-
- As the KSK is used to validate the key set and because the KSK is not
- changed during a ZSK rollover, a cache is able to validate the new
- key set of the zone. The pre-publish method would also work for a
- KSK rollover. The records that are to be pre-published are the
- parental DS RRs. The pre-publish method has some drawbacks for KSKs.
- We first describe the rollover scheme and then indicate these
- drawbacks.
-
- --------------------------------------------------------------------
- initial new DS new DNSKEY DS/DNSKEY removal
- --------------------------------------------------------------------
- Parent:
- SOA0 SOA1 --------> SOA2
- RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
- DS1 DS1 --------> DS2
- DS2 -------->
- RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
-
-
- Child:
- SOA0 --------> SOA1 SOA1
- RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
- -------->
- DNSKEY1 --------> DNSKEY2 DNSKEY2
- -------->
- DNSKEY10 --------> DNSKEY10 DNSKEY10
- RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
- RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
- --------------------------------------------------------------------
-
- Stages of Deployment for a Pre-Publish Key Signing Key Rollover
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 20]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- When the child zone wants to roll, it notifies the parent during the
- "new DS" phase and submits the new key (or the corresponding DS) to
- the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
- and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase),
- which can take place as soon as the new DS set propagated through the
- DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
- ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
- record can be deleted.
-
- The drawbacks of this scheme are that during the "new DS" phase the
- parent cannot verify the match between the DS2 RR and DNSKEY2 using
- the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
- "security lame" key (see Section 4.4.3). Finally, the child-parent
- interaction consists of two steps. The "double signature" method
- only needs one interaction.
-
-4.2.4. Automated Key Rollovers
-
- As keys must be renewed periodically, there is some motivation to
- automate the rollover process. Consider the following:
-
- o ZSK rollovers are easy to automate as only the child zone is
- involved.
-
- o A KSK rollover needs interaction between parent and child. Data
- exchange is needed to provide the new keys to the parent;
- consequently, this data must be authenticated and integrity must
- be guaranteed in order to avoid attacks on the rollover.
-
-4.3. Planning for Emergency Key Rollover
-
- This section deals with preparation for a possible key compromise.
- Our advice is to have a documented procedure ready for when a key
- compromise is suspected or confirmed.
-
- When the private material of one of your keys is compromised it can
- be used for as long as a valid trust chain exists. A trust chain
- remains intact for
-
- o as long as a signature over the compromised key in the trust chain
- is valid,
-
- o as long as a parental DS RR (and signature) points to the
- compromised key,
-
- o as long as the key is anchored in a resolver and is used as a
- starting point for validation (this is generally the hardest to
- update).
-
-
-
-Kolkman & Gieben Informational [Page 21]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- While a trust chain to your compromised key exists, your namespace is
- vulnerable to abuse by anyone who has obtained illegitimate
- possession of the key. Zone operators have to make a trade-off if
- the abuse of the compromised key is worse than having data in caches
- that cannot be validated. If the zone operator chooses to break the
- trust chain to the compromised key, data in caches signed with this
- key cannot be validated. However, if the zone administrator chooses
- to take the path of a regular rollover, the malicious key holder can
- spoof data so that it appears to be valid.
-
-4.3.1. KSK Compromise
-
- A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
- as long as the compromised KSK is configured as trust anchor or a
- parental DS points to it.
-
- A compromised KSK can be used to sign the key set of an attacker's
- zone. That zone could be used to poison the DNS.
-
- Therefore, when the KSK has been compromised, the trust anchor or the
- parental DS should be replaced as soon as possible. It is local
- policy whether to break the trust chain during the emergency
- rollover. The trust chain would be broken when the compromised KSK
- is removed from the child's zone while the parent still has a DS
- pointing to the compromised KSK (the assumption is that there is only
- one DS at the parent. If there are multiple DSes this does not apply
- -- however the chain of trust of this particular key is broken).
-
- Note that an attacker's zone still uses the compromised KSK and the
- presence of a parental DS would cause the data in this zone to appear
- as valid. Removing the compromised key would cause the attacker's
- zone to appear as valid and the child's zone as Bogus. Therefore, we
- advise not to remove the KSK before the parent has a DS to a new KSK
- in place.
-
-4.3.1.1. Keeping the Chain of Trust Intact
-
- If we follow this advice, the timing of the replacement of the KSK is
- somewhat critical. The goal is to remove the compromised KSK as soon
- as the new DS RR is available at the parent. And also make sure that
- the signature made with a new KSK over the key set with the
- compromised KSK in it expires just after the new DS appears at the
- parent, thus removing the old cruft in one swoop.
-
- The procedure is as follows:
-
- 1. Introduce a new KSK into the key set, keep the compromised KSK in
- the key set.
-
-
-
-Kolkman & Gieben Informational [Page 22]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- 2. Sign the key set, with a short validity period. The validity
- period should expire shortly after the DS is expected to appear
- in the parent and the old DSes have expired from caches.
-
- 3. Upload the DS for this new key to the parent.
-
- 4. Follow the procedure of the regular KSK rollover: Wait for the DS
- to appear in the authoritative servers and then wait as long as
- the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
- and modify/extend the expiration time.
-
- 5. Remove the compromised DNSKEY RR from the zone and re-sign the
- key set using your "normal" validity interval.
-
- An additional danger of a key compromise is that the compromised key
- could be used to facilitate a legitimate DNSKEY/DS rollover and/or
- nameserver changes at the parent. When that happens, the domain may
- be in dispute. An authenticated out-of-band and secure notify
- mechanism to contact a parent is needed in this case.
-
- Note that this is only a problem when the DNSKEY and or DS records
- are used for authentication at the parent.
-
-4.3.1.2. Breaking the Chain of Trust
-
- There are two methods to break the chain of trust. The first method
- causes the child zone to appear 'Bogus' to validating resolvers. The
- other causes the child zone to appear 'insecure'. These are
- described below.
-
- In the method that causes the child zone to appear 'Bogus' to
- validating resolvers, the child zone replaces the current KSK with a
- new one and re-signs the key set. Next it sends the DS of the new
- key to the parent. Only after the parent has placed the new DS in
- the zone is the child's chain of trust repaired.
-
- An alternative method of breaking the chain of trust is by removing
- the DS RRs from the parent zone altogether. As a result, the child
- zone would become insecure.
-
-4.3.2. ZSK Compromise
-
- Primarily because there is no parental interaction required when a
- ZSK is compromised, the situation is less severe than with a KSK
- compromise. The zone must still be re-signed with a new ZSK as soon
- as possible. As this is a local operation and requires no
- communication between the parent and child, this can be achieved
- fairly quickly. However, one has to take into account that just as
-
-
-
-Kolkman & Gieben Informational [Page 23]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- with a normal rollover the immediate disappearance of the old
- compromised key may lead to verification problems. Also note that as
- long as the RRSIG over the compromised ZSK is not expired the zone
- may be still at risk.
-
-4.3.3. Compromises of Keys Anchored in Resolvers
-
- A key can also be pre-configured in resolvers. For instance, if
- DNSSEC is successfully deployed the root key may be pre-configured in
- most security aware resolvers.
-
- If trust-anchor keys are compromised, the resolvers using these keys
- should be notified of this fact. Zone administrators may consider
- setting up a mailing list to communicate the fact that a SEP key is
- about to be rolled over. This communication will of course need to
- be authenticated, e.g., by using digital signatures.
-
- End-users faced with the task of updating an anchored key should
- always validate the new key. New keys should be authenticated out-
- of-band, for example, through the use of an announcement website that
- is secured using secure sockets (TLS) [21].
-
-4.4. Parental Policies
-
-4.4.1. Initial Key Exchanges and Parental Policies Considerations
-
- The initial key exchange is always subject to the policies set by the
- parent. When designing a key exchange policy one should take into
- account that the authentication and authorization mechanisms used
- during a key exchange should be as strong as the authentication and
- authorization mechanisms used for the exchange of delegation
- information between parent and child. That is, there is no implicit
- need in DNSSEC to make the authentication process stronger than it
- was in DNS.
-
- Using the DNS itself as the source for the actual DNSKEY material,
- with an out-of-band check on the validity of the DNSKEY, has the
- benefit that it reduces the chances of user error. A DNSKEY query
- tool can make use of the SEP bit [3] to select the proper key from a
- DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
- sent. It can validate the self-signature over a key; thereby
- verifying the ownership of the private key material. Fetching the
- DNSKEY from the DNS ensures that the chain of trust remains intact
- once the parent publishes the DS RR indicating the child is secure.
-
- Note: the out-of-band verification is still needed when the key
- material is fetched via the DNS. The parent can never be sure
- whether or not the DNSKEY RRs have been spoofed.
-
-
-
-Kolkman & Gieben Informational [Page 24]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-4.4.2. Storing Keys or Hashes?
-
- When designing a registry system one should consider which of the
- DNSKEYs and/or the corresponding DSes to store. Since a child zone
- might wish to have a DS published using a message digest algorithm
- not yet understood by the registry, the registry can't count on being
- able to generate the DS record from a raw DNSKEY. Thus, we recommend
- that registry systems at least support storing DS records.
-
- It may also be useful to store DNSKEYs, since having them may help
- during troubleshooting and, as long as the child's chosen message
- digest is supported, the overhead of generating DS records from them
- is minimal. Having an out-of-band mechanism, such as a registry
- directory (e.g., Whois), to find out which keys are used to generate
- DS Resource Records for specific owners and/or zones may also help
- with troubleshooting.
-
- The storage considerations also relate to the design of the customer
- interface and the method by which data is transferred between
- registrant and registry; Will the child zone administrator be able to
- upload DS RRs with unknown hash algorithms or does the interface only
- allow DNSKEYs? In the registry-registrar model, one can use the
- DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
- which allows transfer of DS RRs and optionally DNSKEY RRs.
-
-4.4.3. Security Lameness
-
- Security lameness is defined as what happens when a parent has a DS
- RR pointing to a non-existing DNSKEY RR. When this happens, the
- child's zone may be marked "Bogus" by verifying DNS clients.
-
- As part of a comprehensive delegation check, the parent could, at key
- exchange time, verify that the child's key is actually configured in
- the DNS. However, if a parent does not understand the hashing
- algorithm used by child, the parental checks are limited to only
- comparing the key id.
-
- Child zones should be very careful in removing DNSKEY material,
- specifically SEP keys, for which a DS RR exists.
-
- Once a zone is "security lame", a fix (e.g., removing a DS RR) will
- take time to propagate through the DNS.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 25]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-4.4.4. DS Signature Validity Period
-
- Since the DS can be replayed as long as it has a valid signature, a
- short signature validity period over the DS minimizes the time a
- child is vulnerable in the case of a compromise of the child's
- KSK(s). A signature validity period that is too short introduces the
- possibility that a zone is marked "Bogus" in case of a configuration
- error in the signer. There may not be enough time to fix the
- problems before signatures expire. Something as mundane as operator
- unavailability during weekends shows the need for DS signature
- validity periods longer than 2 days. We recommend an absolute
- minimum for a DS signature validity period of a few days.
-
- The maximum signature validity period of the DS record depends on how
- long child zones are willing to be vulnerable after a key compromise.
- On the other hand, shortening the DS signature validity interval
- increases the operational risk for the parent. Therefore, the parent
- may have policy to use a signature validity interval that is
- considerably longer than the child would hope for.
-
- A compromise between the operational constraints of the parent and
- minimizing damage for the child may result in a DS signature validity
- period somewhere between a week and months.
-
- In addition to the signature validity period, which sets a lower
- bound on the number of times the zone owner will need to sign the
- zone data and which sets an upper bound to the time a child is
- vulnerable after key compromise, there is the TTL value on the DS
- RRs. Shortening the TTL means that the authoritative servers will
- see more queries. But on the other hand, a short TTL lowers the
- persistence of DS RRSets in caches thereby increasing the speed with
- which updated DS RRSets propagate through the DNS.
-
-5. Security Considerations
-
- DNSSEC adds data integrity to the DNS. This document tries to assess
- the operational considerations to maintain a stable and secure DNSSEC
- service. Not taking into account the 'data propagation' properties
- in the DNS will cause validation failures and may make secured zones
- unavailable to security-aware resolvers.
-
-6. Acknowledgments
-
- Most of the ideas in this document were the result of collective
- efforts during workshops, discussions, and tryouts.
-
- At the risk of forgetting individuals who were the original
- contributors of the ideas, we would like to acknowledge people who
-
-
-
-Kolkman & Gieben Informational [Page 26]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- were actively involved in the compilation of this document. In
- random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
- Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
- Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
- Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch.
-
- Some material in this document has been copied from RFC 2541 [12].
-
- Mike StJohns designed the key exchange between parent and child
- mentioned in the last paragraph of Section 4.2.2
-
- Section 4.2.4 was supplied by G. Guette and O. Courtay.
-
- Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of
- the spelling and style issues.
-
- Kolkman and Gieben take the blame for introducing all miscakes (sic).
-
- While working on this document, Kolkman was employed by the RIPE NCC
- and Gieben was employed by NLnet Labs.
-
-7. References
-
-7.1. Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System
- KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP)
- Flag", RFC 3757, May 2004.
-
- [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033, March
- 2005.
-
- [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions", RFC
- 4035, March 2005.
-
-
-
-
-
-Kolkman & Gieben Informational [Page 27]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-7.2. Informative References
-
- [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [8] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August
- 1996.
-
- [9] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
- (DNS NOTIFY)", RFC 1996, August 1996.
-
- [10] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
- [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
- RFC 2308, March 1998.
-
- [12] Eastlake, D., "DNS Security Operational Considerations", RFC
- 2541, March 1999.
-
- [13] Orman, H. and P. Hoffman, "Determining Strengths For Public
- Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
- April 2004.
-
- [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
- Requirements for Security", BCP 106, RFC 4086, June 2005.
-
- [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
- Mapping for the Extensible Provisioning Protocol (EPP)", RFC
- 4310, December 2005.
-
- [16] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
- Sizes", The Journal of Cryptology 14 (255-293), 2001.
-
- [17] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
- Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
- (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
- 1996.
-
- [18] Rose, S., "NIST DNSSEC workshop notes", June 2001.
-
- [19] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
- Records in DNSSEC", Work in Progress, January 2006.
-
- [20] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
- Resource Records (RRs)", RFC 4509, May 2006.
-
-
-
-
-
-Kolkman & Gieben Informational [Page 28]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- [21] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
- T. Wright, "Transport Layer Security (TLS) Extensions", RFC
- 4366, April 2006.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 29]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-Appendix A. Terminology
-
- In this document, there is some jargon used that is defined in other
- documents. In most cases, we have not copied the text from the
- documents defining the terms but have given a more elaborate
- explanation of the meaning. Note that these explanations should not
- be seen as authoritative.
-
- Anchored key: A DNSKEY configured in resolvers around the globe.
- This key is hard to update, hence the term anchored.
-
- Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked
- "Bogus" when a signature of an RRSet does not validate against a
- DNSKEY.
-
- Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
- exclusively for signing the apex key set. The fact that a key is
- a KSK is only relevant to the signing tool.
-
- Key size: The term 'key size' can be substituted by 'modulus size'
- throughout the document. It is mathematically more correct to use
- modulus size, but as this is a document directed at operators we
- feel more at ease with the term key size.
-
- Private and public keys: DNSSEC secures the DNS through the use of
- public key cryptography. Public key cryptography is based on the
- existence of two (mathematically related) keys, a public key and a
- private key. The public keys are published in the DNS by use of
- the DNSKEY Resource Record (DNSKEY RR). Private keys should
- remain private.
-
- Key rollover: A key rollover (also called key supercession in some
- environments) is the act of replacing one key pair with another at
- the end of a key effectivity period.
-
- Secure Entry Point (SEP) key: A KSK that has a parental DS record
- pointing to it or is configured as a trust anchor. Although not
- required by the protocol, we recommend that the SEP flag [3] is
- set on these keys.
-
- Self-signature: This only applies to signatures over DNSKEYs; a
- signature made with DNSKEY x, over DNSKEY x is called a self-
- signature. Note: without further information, self-signatures
- convey no trust. They are useful to check the authenticity of the
- DNSKEY, i.e., they can be used as a hash.
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 30]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- Singing the zone file: The term used for the event where an
- administrator joyfully signs its zone file while producing melodic
- sound patterns.
-
- Signer: The system that has access to the private key material and
- signs the Resource Record sets in a zone. A signer may be
- configured to sign only parts of the zone, e.g., only those RRSets
- for which existing signatures are about to expire.
-
- Zone Signing Key (ZSK): A key that is used for signing all data in a
- zone. The fact that a key is a ZSK is only relevant to the
- signing tool.
-
- Zone administrator: The 'role' that is responsible for signing a zone
- and publishing it on the primary authoritative server.
-
-Appendix B. Zone Signing Key Rollover How-To
-
- Using the pre-published signature scheme and the most conservative
- method to assure oneself that data does not live in caches, here
- follows the "how-to".
-
- Step 0: The preparation: Create two keys and publish both in your key
- set. Mark one of the keys "active" and the other "published".
- Use the "active" key for signing your zone data. Store the
- private part of the "published" key, preferably off-line. The
- protocol does not provide for attributes to mark a key as active
- or published. This is something you have to do on your own,
- through the use of a notebook or key management tool.
-
- Step 1: Determine expiration: At the beginning of the rollover make a
- note of the highest expiration time of signatures in your zone
- file created with the current key marked as active. Wait until
- the expiration time marked in Step 1 has passed.
-
- Step 2: Then start using the key that was marked "published" to sign
- your data (i.e., mark it "active"). Stop using the key that was
- marked "active"; mark it "rolled".
-
- Step 3: It is safe to engage in a new rollover (Step 1) after at
- least one signature validity period.
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 31]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-Appendix C. Typographic Conventions
-
- The following typographic conventions are used in this document:
-
- Key notation: A key is denoted by DNSKEYx, where x is a number or an
- identifier, x could be thought of as the key id.
-
- RRSet notations: RRs are only denoted by the type. All other
- information -- owner, class, rdata, and TTL--is left out. Thus:
- "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
- list of RRs. A example of this would be "A1, A2", specifying the
- RRSet containing two "A" records. This could again be abbreviated to
- just "A".
-
- Signature notation: Signatures are denoted as RRSIGx(RRSet), which
- means that RRSet is signed with DNSKEYx.
-
- Zone representation: Using the above notation we have simplified the
- representation of a signed zone by leaving out all unnecessary
- details such as the names and by representing all data by "SOAx"
-
- SOA representation: SOAs are represented as SOAx, where x is the
- serial number.
-
- Using this notation the following signed zone:
-
- example.net. 86400 IN SOA ns.example.net. bert.example.net. (
- 2006022100 ; serial
- 86400 ; refresh ( 24 hours)
- 7200 ; retry ( 2 hours)
- 3600000 ; expire (1000 hours)
- 28800 ) ; minimum ( 8 hours)
- 86400 RRSIG SOA 5 2 86400 20130522213204 (
- 20130422213204 14 example.net.
- cmL62SI6iAX46xGNQAdQ... )
- 86400 NS a.iana-servers.net.
- 86400 NS b.iana-servers.net.
- 86400 RRSIG NS 5 2 86400 20130507213204 (
- 20130407213204 14 example.net.
- SO5epiJei19AjXoUpFnQ ... )
- 86400 DNSKEY 256 3 5 (
- EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
- 86400 DNSKEY 257 3 5 (
- gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
- 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
- 20130422213204 14 example.net.
- J4zCe8QX4tXVGjV4e1r9... )
-
-
-
-
-Kolkman & Gieben Informational [Page 32]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
- 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
- 20130422213204 15 example.net.
- keVDCOpsSeDReyV6O... )
- 86400 RRSIG NSEC 5 2 86400 20130507213204 (
- 20130407213204 14 example.net.
- obj3HEp1GjnmhRjX... )
- a.example.net. 86400 IN TXT "A label"
- 86400 RRSIG TXT 5 3 86400 20130507213204 (
- 20130407213204 14 example.net.
- IkDMlRdYLmXH7QJnuF3v... )
- 86400 NSEC b.example.com. TXT RRSIG NSEC
- 86400 RRSIG NSEC 5 3 86400 20130507213204 (
- 20130407213204 14 example.net.
- bZMjoZ3bHjnEz0nIsPMM... )
- ...
-
- is reduced to the following representation:
-
- SOA2006022100
- RRSIG14(SOA2006022100)
- DNSKEY14
- DNSKEY15
-
- RRSIG14(KEY)
- RRSIG15(KEY)
-
- The rest of the zone data has the same signature as the SOA record,
- i.e., an RRSIG created with DNSKEY 14.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 33]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-Authors' Addresses
-
- Olaf M. Kolkman
- NLnet Labs
- Kruislaan 419
- Amsterdam 1098 VA
- The Netherlands
-
- EMail: olaf@nlnetlabs.nl
- URI: http://www.nlnetlabs.nl
-
-
- R. (Miek) Gieben
-
- EMail: miek@miek.nl
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 34]
-\f
-RFC 4641 DNSSEC Operational Practices September 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Kolkman & Gieben Informational [Page 35]
-\f
** @(#) domaincmp.c -- compare two domain names
**
** Copyright (c) Aug 2005, Karle Boss, Holger Zuleger (kaho).
+** isparentdomain() (c) Mar 2010 by Holger Zuleger
** All rights reserved.
**
** This software is open source.
** thus domaincmp ("z.example.net", "example.net") return < 0 !!
*****************************************************************/
int domaincmp (const char *a, const char *b)
+{
+ return domaincmp_dir (a, b, 1);
+}
+
+/*****************************************************************
+** int domaincmp_dir (a, b, subdomain_above)
+** compare a and b as fqdns.
+** return <0 | 0 | >0 as in strcmp
+** A subdomain is less than the corresponding parent domain,
+** thus domaincmp ("z.example.net", "example.net") return < 0 !!
+*****************************************************************/
+int domaincmp_dir (const char *a, const char *b, int subdomain_above)
{
register const char *pa;
register const char *pb;
+ int dir;
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
+ if ( subdomain_above )
+ dir = 1;
+ else
+ dir = -1;
+
if ( *a == '.' ) /* skip a leading dot */
a++;
if ( *b == '.' ) /* same at the other string */
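Review bot: The new `subdomain_above` parameter is not described anywhere: the header comment above domaincmp_dir still only says "a subdomain is less than the corresponding parent domain" and quotes domaincmp, while the flag exists precisely to flip that order. One line under the signature description, `** subdomain_above != 0: subdomain sorts before its parent (domaincmp order); 0: after it`, would make the contract readable from the header. The four-line if/else that fills `dir` can become `int dir = subdomain_above ? 1 : -1;` at the declaration, which also keeps the sign convention next to the variable. domaincmp_dir's body continues past the hunk.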
{
if ( pa > a )
if ( pa[-1] == '.' )
- return -1;
+ return -1 * dir;
else
goto_labelstart (a, pa);
else if ( pb > b )
if ( pb[-1] == '.' )
- return 1;
+ return 1 * dir;
else
goto_labelstart (b, pb);
else
return *pa - *pb;
}
+/*****************************************************************
+**
+** int issubdomain ("child", "parent")
+**
+** "child" and "parent" are standardized domain names in such
+** a way that even both domain names are ending with a dot,
+** or none of them.
+**
+** returns 1 if "child" is a subdomain of "parent"
+** returns 0 if "child" is not a subdomain of "parent"
+**
+*****************************************************************/
+int issubdomain (const char *child, const char *parent)
+{
+ const char *p;
+ const char *cdot;
+ const char *pdot;
+ int ccnt;
+ int pcnt;
+
+ if ( !child || !parent || *child == '\0' || *parent == '\0' )
+ return 0;
+
+ pdot = cdot = NULL;
+ pcnt = 0;
+ for ( p = parent; *p; p++ )
+ if ( *p == '.' )
+ {
+ if ( pcnt == 0 )
+ pdot = p;
+ pcnt++;
+ }
+
+ ccnt = 0;
+ for ( p = child; *p; p++ )
+ if ( *p == '.' )
+ {
+ if ( ccnt == 0 )
+ cdot = p;
+ ccnt++;
+ }
+ if ( ccnt == 0 ) /* child is not a fqdn or is not deep enough ? */
+ return 0;
+ if ( pcnt == 0 ) /* parent is not a fqdn ? */
+ return 0;
+
+ if ( pcnt >= ccnt ) /* parent has more levels than child ? */
+ return 0;
+
+ /* is child a (one level) subdomain of parent ? */
+ if ( strcmp (cdot+1, parent) == 0 ) /* the domains are equal ? */
+ return 1;
+
+ return 0;
+}
+
+/*****************************************************************
+**
+** int isparentdomain ("child", "parent", level)
+**
+** "child" and "parent" are standardized domain names in such
+** a way that even both domain names are ending with a dot,
+** or none of them.
+**
+** returns 1 if "child" is a subdomain of "parent"
+** returns 0 if "child" is not a subdomain of "parent"
+** returns -1 if "child" and "parent" are the same domain
+**
+*****************************************************************/
+int isparentdomain (const char *child, const char *parent, int level)
+{
+ const char *p;
+ const char *cdot;
+ const char *pdot;
+ int ccnt;
+ int pcnt;
+
+ if ( !child || !parent || *child == '\0' || *parent == '\0' )
+ return 0;
+
+ pdot = cdot = NULL;
+ pcnt = 0;
+ for ( p = parent; *p; p++ )
+ if ( *p == '.' )
+ {
+ if ( pcnt == 0 )
+ pdot = p;
+ pcnt++;
+ }
+
+ ccnt = 0;
+ for ( p = child; *p; p++ )
+ if ( *p == '.' )
+ {
+ if ( ccnt == 0 )
+ cdot = p;
+ ccnt++;
+ }
+ if ( ccnt == 0 || ccnt < level ) /* child is not a fqdn or is not deep enough ? */
+ return 0;
+ if ( pcnt == 0 ) /* parent is not a fqdn ? */
+ return 0;
+
+ if ( pcnt > ccnt ) /* parent has more levels than child ? */
+ return 0;
+
+ if ( pcnt == ccnt ) /* both are at the same level ? */
+ {
+ /* let's check the domain part */
+ if ( strcmp (cdot, pdot) == 0 ) /* the domains are equal ? */
+ return -1;
+ return 0;
+ }
+
+ if ( pcnt > ccnt ) /* parent has more levels than child ? */
+ return 0;
+
+ /* is child a (one level) subdomain of parent ? */
+ if ( strcmp (cdot+1, parent) == 0 ) /* the domains are equal ? */
+ return 1;
+
+ return 0;
+}
+
#ifdef DOMAINCMP_TEST
static struct {
char *a;
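Review bot: Both header comments promise more than the code delivers: issubdomain says it returns 1 when "child" is a subdomain of "parent", but the `pcnt >= ccnt` guard plus `strcmp (cdot+1, parent)` accept only a child exactly one label deeper, so "a.b.example.de" against "example.de" yields 0; and isparentdomain's "-1 if child and parent are the same domain" is really "same depth and same text after the first label", since `strcmp (cdot, pdot)` never looks at the first label, so two siblings such as "a.example.de" and "b.example.de" also give -1. I would change the two lines to `** returns 1 if "child" is a direct (one-label) subdomain of "parent"` and `** returns -1 if both names have the same depth and the same part after their first label (equal names included)`. Inside issubdomain `pdot` is assigned but never read and can be dropped, and in isparentdomain the trailing `if ( pcnt > ccnt )` repeats the check already made before the equal-depth branch, so that copy is dead code. Because `level` is compared only against the child's label count while the subdomain test itself stays one-level, it is unclear whether deeper children were meant to be accepted — worth confirming before the doc is settled.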
{ "example.de.", "xy.example.de.", 1 },
{ "example.de.", "ab.example.de.", 1 },
{ "example.de", "ab.example.de", 1 },
+ { "xy.example.de.", "example.de.", -1 },
+ { "ab.example.de.", "example.de.", -1 },
{ "ab.example.de", "example.de", -1 },
{ "ab.mast.de", "axt.de", 1 },
{ "ab.mast.de", "obt.de", -1 },
c = '>';
else
c = '=';
- printf ("%-20s %-20s ==> %c 0 ", ex[i].a, ex[i].b, c);
+ printf ("%-20s %-20s ", ex[i].a, ex[i].b);
+ printf ("%3d ", issubdomain (ex[i].a, ex[i].b));
+ printf ("\t==> 0 %c ", c);
fflush (stdout);
res = domaincmp (ex[i].a, ex[i].b);
printf ("%3d ", res);
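Review bot: The self-test now prints `issubdomain (ex[i].a, ex[i].b)` but never compares it with an expectation, so the new function is checked only by eye, whereas `res` from domaincmp is matched against the sign stored in `ex[]`. Adding an expected column to the table (e.g. `int sub;`) and flagging a mismatch the way the existing `c` marker does would turn the printout into a real regression check. As far as the visible hunks show, nothing under DOMAINCMP_TEST calls domaincmp_dir with `subdomain_above == 0`, so the reversed ordering added in this commit is untested. The test loop starts and ends outside the hunk.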
#ifndef DOMAINCMP_H
# define DOMAINCMP_H
extern int domaincmp (const char *a, const char *b);
+extern int domaincmp_dir (const char *a, const char *b, int subdomain_above);
+extern int isparentdomain (const char *child, const char *parent, int level);
+extern int issubdomain (const char *child, const char *parent);
#endif
#
-# @(#) dnssec.conf vT0.99a (c) Feb 2005 - Jul 2009 Holger Zuleger hznet.de
+# @(#) dnssec.conf vT0.99d (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de
#
# dnssec-zkt options
Zonedir: "."
-Recursive: True
-PrintTime: False
-PrintAge: True
+Recursive: False
+PrintTime: True
+PrintAge: False
LeftJustify: False
# zone specific values
-ResignInterval: 2d # (172800 seconds)
-Sigvalidity: 6d # (518400 seconds)
+ResignInterval: 1w # (604800 seconds)
+Sigvalidity: 10d # (864000 seconds)
Max_TTL: 8h # (28800 seconds)
Propagation: 5m # (300 seconds)
-KEY_TTL: 1h # (3600 seconds)
+KEY_TTL: 4h # (14400 seconds)
Serialformat: incremental
# signing key parameters
Key_algo: RSASHA1 # (Algorithm ID 5)
-KSK_lifetime: 60d # (5184000 seconds)
+KSK_lifetime: 1y # (31536000 seconds)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
-ZSK_lifetime: 2w # (1209600 seconds)
+ZSK_lifetime: 12w # (7257600 seconds)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
SaltBits: 24
# dnssec-signer options
-LogFile: "zkt.log"
-LogLevel: DEBUG
-SyslogFacility: USER
+LogFile: ""
+LogLevel: ERROR
+SyslogFacility: NONE
SyslogLevel: NOTICE
-VerboseLog: 2
+VerboseLog: 0
Keyfile: "dnskey.db"
Zonefile: "zone.db"
-KeySetDir: "../keysets"
DLV_Domain: ""
-Sig_Pseudorand: True
+Sig_Pseudorand: False
Sig_GenerateDS: True
-Sig_Parameter: "-n 1"
-Distribute_Cmd: "./dist.sh"
+Sig_Parameter: ""
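Review bot: `ZSK_lifetime` is raised from 2w to 12w while the adjacent `ZSK_bits: 512` line is left unchanged; a 512-bit RSA modulus is within practical factoring reach, and a six-fold longer lifetime widens the window in which a recovered key could be used to forge signatures for the zone, so this is the point to raise the bit size (or keep the short lifetime) in an example people copy. The logging block is also reduced to `LogLevel: ERROR`, `SyslogFacility: NONE` and `LogFile: ""`, which leaves no record of key generation, rollover and re-signing events of the kind the example log added in this commit relies on for diagnosing a failed run; `LogLevel: NOTICE` with a syslog facility set would keep a minimal audit trail at little cost. Whether this file is meant as a minimal template rather than a recommended setup is not visible here, so a short comment above the logging block stating the intent would help either way.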
+++ /dev/null
-#################################################################
-#
-# @(#) dist.sh -- distribute and reload command for dnssec-signer
-#
-# (c) Jul 2008 Holger Zuleger hznet.de
-#
-# This shell script will be run by dnssec-signer as a distribution
-# and reload command if:
-#
-# a) the dnssec.conf file parameter Distribute_Cmd: points
-# to this file
-# and
-# b) the user running the dnssec-signer command is not
-# root (uid==0)
-# and
-# c) the owner of this shell script is the same as the
-# running user and the access rights don't allow writing
-# for anyone except the owner
-# or
-# d) the group of this shell script is the same as the
-# running user and the access rights don't allow writing
-# for anyone except the group
-#
-#################################################################
-
-# set path to rndc and scp
-PATH="/bin:/usr/bin:/usr/local/sbin"
-
-# remote server and directory
-server=localhost # fqdn of remote name server
-dir=/var/named # zone directory on remote name server
-
-progname=$0
-usage()
-{
- echo "usage: $progname distribute|reload <domain> <path_to_zonefile> [<viewname>]" 1>&2
- test $# -gt 0 && echo $* 1>&2
- exit 1
-}
-
-if test $# -lt 3
-then
- usage
-fi
-action="$1"
-domain="$2"
-zonefile="$3"
-view=""
-test $# -gt 3 && view="$4"
-
-case $action in
-distribute)
- if test -n "$view"
- then
- echo "scp $zonefile $server:$dir/$view/$domain/"
- : scp $zonefile $server:$dir/$view/$domain/
- else
- echo "scp $zonefile $server:$dir/$domain/"
- : scp $zonefile $server:$dir/$domain/
- fi
- ;;
-reload)
- echo "rndc $action $domain $view"
- : rndc $action $domain $view
- ;;
-*)
- usage "illegal action $action"
- ;;
-esac
-
+++ /dev/null
-#!/bin/sh
-#
-# Shell script to start the dnssec-signer
-# command out of the example directory
-#
-
-chroot `pwd` ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
-
-if test ! -f dnssec.conf
-then
- echo Please start this skript out of the flat or hierarchical sub directory
- exit 1
-fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
+++ /dev/null
-;% generationtime=20080609224426
-;% lifetime=60d
-dyn.example.net. IN DNSKEY 257 3 3 CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+VNGd4RjwWpEDj8RhEAhQ7 LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+AB KLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOf Ny/jtz4v+asIr6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i4RBVWgHH JMmtyqq+SqEkPhZvsTuo2sXgIH9vRS3XgfkGtw/KyTUM29bhZ2eB+Ldq +bggp1gbBDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjAolJwCtaPCD4e 4infmw+YSxjGau+YGgI0Cc0uItzQmNNpSoejM3IWGV+SN/YuPJIzw8wi xDfO6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOTdQjsJWLLdLTApVEH 10kjAGfa30Tm92lQhhG5ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 3 (DSA)
-Prime(p): 4bble5+VNGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asIr6/d992V80G9wMKMvTM=
-Subprime(q): 20V1WtRQn0w8PLMag+b61IpSCdc=
-Base(g): EKAq+EqfbNibm1u/YuEQVVoBxyTJrcqqvkqhJD4Wb7E7qNrF4CB/b0Ut14H5BrcPysk1DNvW4Wdngfi3avm4IKdYGwQ4krMWT48XIosyP5gs11m6vAXX2ei7HXTIwKJScArWjwg+HuIp35sPmEsYxmrvmBoCNAnNLiLc0JjTaUo=
-Private_value(x): xY/GSk3U4oHIsvUiAs/9/n+6ttk=
-Public_value(y): h6MzchYZX5I39i48kjPDzCLEN87qQI2I+xbjkW+rfXXjxwC9S/CKpg9Dd84145N1COwlYst0tMClUQfXSSMAZ9rfROb3aVCGEbmi9atYIxsWXDgtu+Wif5faydY8263RrU/PhZ1yUNyY1Tx3GLWUW8ZtwnQTioGglUEjMOHgdfU=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7wBS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: dAiTob6wk4h5l6frfh49NAzd3RBsVRxqqCsMao52fJvlK06wmOb9PkqOaEMTDroJEGgN6zD/sWcGPK7nYwDMHQ==
-Prime1: 731n5xPK9UQqQsQtattcC4MxtL6+OP1CyLy8e2tsd/8=
-Prime2: 5NwPUBy32o2zzpw4TDH3omB6yk0fmFItJx4ek3RaBYs=
-Exponent1: jzq6en2c8SwS5uQwY3/vFY549HMSTxP58kyS/GJ9hqE=
-Exponent2: y52KLCquniy3EwUypKRkPZPftjBoqZkXeQLXSk4b850=
-Coefficient: vHnxG4D4n+IKETXrutOFT+iREDDcfj6GpYubIP/goZc=
+++ /dev/null
-;% generationtime=20080609224426
-;% lifetime=14d
-dyn.example.net. IN DNSKEY 256 3 5 BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7w BS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ==
+++ /dev/null
-;% generationtime=20081216133142
-;% lifetime=14d
-dyn.example.net. IN DNSKEY 256 3 5 BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6q Exelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6qExelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw==
-PublicExponent: AQAAAAE=
-PrivateExponent: sW8IqcOjr/1xymzxbq91KQiCxBY/8nDvDO/m4Re6aTrTXr450nw8eBZZQuOnHsSEyc4YA8Gs8AwxO1IGAyjHYQ==
-Prime1: 94n25jivIMy9SIV890Kp6CIGfeG/6g9eBFG+igw5JPM=
-Prime2: 6qYnXtPI7mxsinhBVf+/2Ncv+V48/790y+jUhJXFGXE=
-Exponent1: 4uCtm1fxo8apOydY+plF8duFa4BQq2rZkG4XCKQFpo0=
-Exponent2: DBPT/6Xc9NryN5/MaOWZhmEWha//SPrGIHrcOwRhE8E=
-Coefficient: tmkhFA718p1qDTkmOa2MqYox+Cz1LsuNCraAK0srL1U=
--- /dev/null
+;% generationtime=20100221184315
+;% lifetime=14d
+dyn.example.net. IN DNSKEY 256 3 7 AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8Ris63E/oRRGQEH5U/ZS3A xz3aOhPFKzAAhjfaG3vTNW3Wl4bl4ITFZrk=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: +obStv0Rqv4+/vEGD2Vz1zMX7ZhRrxGKzrcT+hFEZAQflT9lLcDHPdo6E8UrMACGN9obe9M1bdaXhuXghMVmuQ==
+PublicExponent: AQAB
+PrivateExponent: 4osOepin5GdakfFkGIIWWZCDX7/whY4oZjtZnjUFEiZ6YGdQV8FwihgQ9ZdQwTY2QgaCiI/7l0yFE3X2YOk5HQ==
+Prime1: /eFIXmTu+XNTuXVfHYcXJTFc4UaThJszaKPmg/xm3ts=
+Prime2: /J5fOUcGkFGv4prHDAmige180r7zaYznUicuDvNwkvs=
+Exponent1: Alf7EAwEfL8IzdR8jUw69XfwMJAzOm0oW1XwAdXpqTM=
+Exponent2: FBUbCNimou57hw466LATZTTWCYL4otl6wkMvHC0qM+U=
+Coefficient: Q9eSjjf/S3Is3mcOn2RsloJKVzLuHiv54HaF7mwkbU4=
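Review bot: This file and the KSK `.private` file ending at L6730 add private key material for dyn.example.net. to the repository next to the matching public DNSKEY records, so anyone who runs the example unchanged signs with keys that are world-readable, and the log added below shows dnssec-signzone being fed every `K*.private` in the directory by glob. The example would be safer shipping only the public `.key` files (or no keys at all) and letting dnssec-signer create them on first run, which the same log shows it already does when no active KSK or ZSK is found. If the files are kept on purpose as demo material, a comment in the example's dnssec.conf saying they are throw-away keys that must never be copied into a real zone directory would prevent the obvious mistake.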
--- /dev/null
+;% generationtime=20100221184315
+;% lifetime=60d
+dyn.example.net. IN DNSKEY 257 3 7 AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmOoBYx8s1uLzmS/3APsh1e WCeoBgAjRry1tpM/bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjEnG4H CT58TuAVxjiefN+vb1pvyFlAL58YOkuGf9tG/NJMNc+XrULAU1ey2dT9 Fh+SCVO3
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: 6oQNiADmWezVWwwmJl9NYwSC5qZ5WY6gFjHyzW4vOZL/cA+yHV5YJ6gGACNGvLW2kz9s+jDK7KATgfQunM1Aub1FuMOakM3wbCLcCMScbgcJPnxO4BXGOJ58369vWm/IWUAvnxg6S4Z/20b80kw1z5etQsBTV7LZ1P0WH5IJU7c=
+PublicExponent: AQAB
+PrivateExponent: F5/Z5RuCGQj8rUFaDn+HQjRQI4AdtWHiypmZhgxVgY1HYjiSjtbUNpp8kEL9e0Eq9UZsaf/EUXYGwQ6iK3WZ0WrVP72bkjcWQAB2THYIxP7DwmL4JcsbJ7uiMYeLrvUddoLwS3nKIFpc010iHA0y4hE/k/ny4zOyDCEhVr3WvQE=
+Prime1: /R+fSD2bb3N6UoapSNFXYRFyBpHWtcv/AZqsJx60/4UTGOCWNj52kcGsI/ROz/Pwbdicxi8CQqjX0f4QjSCAdw==
+Prime2: 7S5MPtJNSa+fHZBavW6vDnqpiHxAO7lIAcgtGxMM3L3553OzarlJV88Z452tn4HhfCCaIUW20j8cOJvTLkPWwQ==
+Exponent1: 9v56YPWszM40GH9KhMGxsAhj6cE5cGBEz33saqfuGj/yaJ4ONZQyAvynStZEaWsxux5ZrJGGdSFop4JxCCUk9Q==
+Exponent2: W8dembCnV6wt1jLV6he6hc/Rao8qC/JWetoLGj706zZYTcfn1ZR9XQ02521MkjygFHhJLDbd192z/fPOdEisAQ==
+Coefficient: +W6uvg4HkWaKi6OCpCz/0fRQwaRtPSbpKJ2Anam4PAy+B6cgM3Yo48OB7o+WoexlgySsNL0ui5p4BvJWvtca7w==
+++ /dev/null
-;
-; !!! Don't edit this file by hand.
-; !!! It will be generated by dnssec-signer.
-;
-; Last generation time Dec 18 2008 01:03:01
-;
-
-; *** List of Key Signing Keys ***
-; dyn.example.net. tag=42138 algo=DSA generated Aug 05 2008 23:01:57
-dyn.example.net. 3600 IN DNSKEY 257 3 3 (
- CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+VNGd4RjwWpEDj8RhEAhQ7
- LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+AB
- KLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOf
- Ny/jtz4v+asIr6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i4RBVWgHH
- JMmtyqq+SqEkPhZvsTuo2sXgIH9vRS3XgfkGtw/KyTUM29bhZ2eB+Ldq
- +bggp1gbBDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjAolJwCtaPCD4e
- 4infmw+YSxjGau+YGgI0Cc0uItzQmNNpSoejM3IWGV+SN/YuPJIzw8wi
- xDfO6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOTdQjsJWLLdLTApVEH
- 10kjAGfa30Tm92lQhhG5ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
- clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
- ) ; key id = 42138
-
-; *** List of Zone Signing Keys ***
-; dyn.example.net. tag=1355 algo=RSASHA1 generated Aug 05 2008 23:01:57
-dyn.example.net. 3600 IN DNSKEY 256 3 5 (
- BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7w
- BS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ==
- ) ; key id = 1355
-
-; dyn.example.net. tag=10643 algo=RSASHA1 generated Dec 16 2008 14:31:42
-dyn.example.net. 3600 IN DNSKEY 256 3 5 (
- BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6q
- Exelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw==
- ) ; key id = 10643
-
+++ /dev/null
-# signing key parameters
-KSK_lifetime: 60d # (5184000 seconds)
-KSK_algo: DSA
-KSK_bits: 1024
-KSK_randfile: "/dev/urandom"
+++ /dev/null
-dyn.example.net. IN DS 42138 3 1 0F49FCDB683D1903F69B6779DB55CA3472974879
-dyn.example.net. IN DS 42138 3 2 94AC94BFE3AFA17F7485F5F741274074FF2E26A360D776D8884F2689 CCED34C6
+++ /dev/null
-$ORIGIN .
-dyn.example.net 7200 IN DNSKEY 257 3 3 (
- CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V
- NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K
- S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s
- m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA
- EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI
- r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i
- 4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v
- RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb
- BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA
- olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u
- ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO
- 6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT
- dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5
- ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
- clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
- ) ; key id = 42138
--- /dev/null
+2010-02-21 19:43:15.018: debug: Check RFC5011 status
+2010-02-21 19:43:15.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:43:15.018: debug: Check KSK status
+2010-02-21 19:43:15.018: debug: No active KSK found: generate new one
+2010-02-21 19:43:15.330: info: "dyn.example.net.": generated new KSK 52935
+2010-02-21 19:43:15.330: debug: Check ZSK status
+2010-02-21 19:43:15.330: debug: No active ZSK found: generate new one
+2010-02-21 19:43:15.368: info: "dyn.example.net.": generated new ZSK 30323
+2010-02-21 19:43:15.368: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 19:43:15.368: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 19:43:15.368: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:43:15.368: debug: Signing zone "dyn.example.net."
+2010-02-21 19:43:15.368: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:43:15.368: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:43:15.368: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:43:15.374: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:43:15.374: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:43:15.382: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3."
+2010-02-21 19:43:15.382: error: "dyn.example.net.": signing failed!
+2010-02-21 19:43:15.382: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:43:15.382: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:43:15.382: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:45:36.415: debug: Check RFC5011 status
+2010-02-21 19:45:36.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:45:36.416: debug: Check KSK status
+2010-02-21 19:45:36.416: debug: Check ZSK status
+2010-02-21 19:45:36.416: debug: Re-signing not necessary!
+2010-02-21 19:45:36.416: debug: Check if there is a parent file to copy
+2010-02-21 19:45:41.448: debug: Check RFC5011 status
+2010-02-21 19:45:41.448: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:45:41.448: debug: Check KSK status
+2010-02-21 19:45:41.448: debug: Check ZSK status
+2010-02-21 19:45:41.448: debug: Re-signing necessary: Option -f
+2010-02-21 19:45:41.448: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:45:41.448: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:45:41.448: debug: Signing zone "dyn.example.net."
+2010-02-21 19:45:41.448: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:45:41.448: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:45:41.448: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:45:41.457: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:45:41.458: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:45:41.473: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
+2010-02-21 19:45:41.473: error: "dyn.example.net.": signing failed!
+2010-02-21 19:45:41.473: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:45:41.473: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:45:41.473: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:47:06.899: debug: Check RFC5011 status
+2010-02-21 19:47:06.899: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:47:06.899: debug: Check KSK status
+2010-02-21 19:47:06.899: debug: Check ZSK status
+2010-02-21 19:47:06.899: debug: Re-signing necessary: Option -f
+2010-02-21 19:47:06.899: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:47:06.899: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:47:06.900: debug: Signing zone "dyn.example.net."
+2010-02-21 19:47:06.900: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:47:06.900: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:47:06.900: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:47:06.910: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:47:06.910: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:47:06.926: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
+2010-02-21 19:47:06.926: error: "dyn.example.net.": signing failed!
+2010-02-21 19:47:06.926: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:47:06.926: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:47:06.926: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:58:40.972: debug: Check RFC5011 status
+2010-02-21 19:58:40.972: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:58:40.972: debug: Check KSK status
+2010-02-21 19:58:40.972: debug: Check ZSK status
+2010-02-21 19:58:40.973: debug: Re-signing necessary: Option -f
+2010-02-21 19:58:40.973: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:58:40.973: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:58:40.973: debug: Signing zone "dyn.example.net."
+2010-02-21 19:58:40.973: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:58:40.973: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:58:40.973: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:58:40.982: debug: Dynamic Zone signing: zone file manually edited: Use it as new input file
+2010-02-21 19:58:40.982: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:58:40.983: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:58:40.999: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
+2010-02-21 19:58:40.999: error: "dyn.example.net.": signing failed!
+2010-02-21 19:58:40.999: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:58:40.999: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:58:40.999: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:00:48.833: debug: Check RFC5011 status
+2010-02-21 20:00:48.833: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:00:48.833: debug: Check KSK status
+2010-02-21 20:00:48.833: debug: Check ZSK status
+2010-02-21 20:00:48.833: debug: Re-signing necessary: Option -f
+2010-02-21 20:00:48.833: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 20:00:48.833: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 20:00:48.834: debug: Signing zone "dyn.example.net."
+2010-02-21 20:00:48.834: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 20:00:48.834: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 20:00:48.834: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 20:00:48.844: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 20:00:48.844: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 20:00:48.878: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-21 20:00:48.878: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 20:00:48.878: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 20:00:48.878: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:00:48.884: debug: Signing completed after 0s.
+2010-02-21 20:01:11.175: debug: Check RFC5011 status
+2010-02-21 20:01:11.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:01:11.175: debug: Check KSK status
+2010-02-21 20:01:11.175: debug: Check ZSK status
+2010-02-21 20:01:11.176: debug: Re-signing necessary: Option -f
+2010-02-21 20:01:11.176: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 20:01:11.176: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 20:01:11.176: debug: Signing zone "dyn.example.net."
+2010-02-21 20:01:11.176: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 20:01:11.176: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 20:01:11.176: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 20:01:11.181: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 20:01:11.181: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 20:01:11.202: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-21 20:01:11.202: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 20:01:11.203: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 20:01:11.203: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:01:11.208: debug: Signing completed after 0s.
+2010-02-21 20:01:17.175: debug: Check RFC5011 status
+2010-02-21 20:01:17.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:01:17.175: debug: Check KSK status
+2010-02-21 20:01:17.175: debug: Check ZSK status
+2010-02-21 20:01:17.176: debug: Re-signing not necessary!
+2010-02-21 20:01:17.176: debug: Check if there is a parent file to copy
+2010-02-25 23:42:29.326: debug: Check RFC5011 status
+2010-02-25 23:42:29.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:29.326: debug: Check KSK status
+2010-02-25 23:42:29.326: debug: Check ZSK status
+2010-02-25 23:42:29.326: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-02-25 23:42:29.326: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-02-25 23:42:29.326: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-25 23:42:29.327: debug: Signing zone "dyn.example.net."
+2010-02-25 23:42:29.327: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-25 23:42:29.327: debug: freeze dynamic zone "dyn.example.net."
+2010-02-25 23:42:29.327: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-25 23:42:29.388: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-25 23:42:29.425: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-25 23:42:29.471: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-25 23:42:29.471: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-25 23:42:29.471: debug: thaw dynamic zone "dyn.example.net."
+2010-02-25 23:42:29.471: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-25 23:42:29.486: debug: Signing completed after 0s.
+2010-03-02 10:59:46.770: debug: Check RFC5011 status
+2010-03-02 10:59:46.770: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:46.770: debug: Check KSK status
+2010-03-02 10:59:46.770: debug: Check ZSK status
+2010-03-02 10:59:46.770: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-03-02 10:59:46.770: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-03-02 10:59:46.770: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-03-02 10:59:46.770: debug: Signing zone "dyn.example.net."
+2010-03-02 10:59:46.770: notice: "dyn.example.net.": freeze dynamic zone
+2010-03-02 10:59:46.770: debug: freeze dynamic zone "dyn.example.net."
+2010-03-02 10:59:46.770: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-03-02 10:59:46.852: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-03-02 10:59:46.875: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-03-02 10:59:46.950: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-03-02 10:59:46.950: notice: "dyn.example.net.": thaw dynamic zone
+2010-03-02 10:59:46.950: debug: thaw dynamic zone "dyn.example.net."
+2010-03-02 10:59:46.950: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-03-02 10:59:46.964: debug: Signing completed after 0s.
+++ /dev/null
-; File written on Tue Dec 16 14:31:43 2008
-; dnssec_signzone version 9.6.0rc1
-dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
- 9 ; serial
- 43200 ; refresh (12 hours)
- 1800 ; retry (30 minutes)
- 1209600 ; expire (2 weeks)
- 7200 ; minimum (2 hours)
- )
- 7200 RRSIG SOA 5 3 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- G4QPBPbeEnPfKggesblu+QPI6rlt8gOaqnJB
- k/98pbkDxhgLmpPP9RdjD3bftSFRgOdPGN1Y
- xE4AxSdo4AR5NA== )
- 7200 NS ns1.example.net.
- 7200 NS ns2.example.net.
- 7200 RRSIG NS 5 3 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- le7/8D28Oia0Ai/aSZsno5TILSCaPKNnuauM
- MGEGfCixiCXFIOCuND54qMpUR3wNEnTkHkyl
- OBYt6dGy5pH0dw== )
- 7200 NSEC localhost.dyn.example.net. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 5 3 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- ovWzUD/vXa15hxBDTtMKP4TcJEpG3RX+2CrZ
- ztcRdF9uy3JXI3+dEgmB+cPaDVW1AiNIrIYF
- 3MRaCHa4jhJISw== )
-$INCLUDE dnskey.db
- 3600 RRSIG DNSKEY 3 3 3600 20081222123143 (
- 20081216123143 42138 dyn.example.net.
- CL4xO8K27EV8Aq25hhFsk7Q5uL7sGO0HnsBH
- tr6Iomd+JCqxBGvZSBg= )
- 3600 RRSIG DNSKEY 5 3 3600 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- DkobINneyOshuB+T7nfnGx/O7JvEBRPT/svs
- ysxDmzZ8CaPF04lskwrLPFcRfMhrGX2JFYjE
- uIWUFMbDBVHilA== )
-localhost.dyn.example.net. 7200 IN A 127.0.0.1
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- HDt+/eQ8d52VglJFPDwO3W7Gez2TUbvdz8Gk
- SVDqIjHSTvJWN3L0vnBdHXOYUT8WLIMtQXXm
- Y+JU8nNWxrD8yQ== )
- 7200 NSEC ns1.dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- d+CMf40oITbKKIV2AE3JTmGKtxb1RJPEEm2p
- z8RHSPFrdcC9ieJrdZIx1+Uxs5PjNbZcjdft
- oiLcZ/pr+2QXew== )
-ns1.dyn.example.net. 7200 IN A 1.0.0.5
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- p99aPrpCC+FU8uRCJuRCo4aibhuFelbDXR1q
- 9WRVJBJiDV4FO6EH/tCBAUQmNT0fh+mERKNd
- 39Qjr5mH5gFcQw== )
- 7200 AAAA 2001:db8::53
- 7200 RRSIG AAAA 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- ajT50HHhQUY5mD8SH1nPd+mf4HosL1lVvDVN
- HTnpoqCjG0guDuRk/BCLTBj1MPcPDYlkdDcd
- Rpv5xbYbYNu5qQ== )
- 7200 NSEC ns2.dyn.example.net. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- lQESBjK8+FQmGgndAMbPvQ2WMomT3sa1ozPQ
- /7ykGFFgM3YeUyA2h0AlUWHatLNDvMy2HeaM
- C1ozcV9M/iHR0A== )
-ns2.dyn.example.net. 7200 IN A 1.2.0.6
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- OrkPhnVeL0kTY6hJzrBgXy1NGeiQQR+5ykSh
- qFOOwR1C0YiBWGF3kkLE0ZAZ7XD+CPxc6Z/H
- WL/+o/AVAtWrtg== )
- 7200 NSEC x.dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- ZE+qfvafm4vmGkkpcI1Z1ND2doEwnGELDiYQ
- SpNu3bWTHDO6B8vHql1QayGPLzDH8licFAXL
- FdyUOVHrXZMZNw== )
-x.dyn.example.net. 7200 IN A 1.2.3.4
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- kYuQrOUinJDCsIGlv+qAPROyDOP6vCI11Us4
- V0c6HK18FaaNE0BeivHAMN9QkliHF9GjYVm2
- JbklfT3DUMSuIA== )
- 7200 NSEC y.dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- AR2flkOCH0YPbmTGxPj4v8Ug/L2dasQElmZW
- +NZK4vlyxwtGFowBDtcjiD10defZNP3Wuzus
- YjuVA5JpZpTW8A== )
-y.dyn.example.net. 7200 IN A 1.2.3.5
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- HYDO2JtuRZWZ+XyDj7GZOlC3b2Y2rozEzzEf
- OC/CChOsplwm1MDx+5nXPHM8wcIUUofrlq+b
- lRLJfqwLt9erxg== )
- 7200 NSEC z.dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- mtz25BnhPmwYaHG2DLth2f3XTUeAMFDnmXby
- /kUWbflanujxvWDnB2hFs4qKGeE+WL36F/aw
- /Ui1oFyMOcdvPg== )
-z.dyn.example.net. 7200 IN A 1.2.3.6
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- CxCptk9vpGT/9oG9WXiLmgKrWrxvuxFkgjEu
- gBsp7loIM6x3Pr+CDXdsvbjDW1DwsjYBPyCa
- JL7B7wczIlxQrA== )
- 7200 NSEC dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- hOjfx9YA8O7tSXycALMnI+cQw3hs4euTVNPf
- fCiYukAFjwpQAmS8xVbtydTH7TVs5UcObyqB
- 8gsnXboAW9x07g== )
+++ /dev/null
-; File written on Thu Dec 18 01:03:01 2008
-; dnssec_signzone version 9.6.0rc1
-dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
- 10 ; serial
- 43200 ; refresh (12 hours)
- 1800 ; retry (30 minutes)
- 1209600 ; expire (2 weeks)
- 7200 ; minimum (2 hours)
- )
- 7200 RRSIG SOA 5 3 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- srn4ZqDvq1V4YWAn+s1UuC3pk9DFhyxo7w6h
- 6LnIeqAvnt6naBfgu0IHKt62fCMlq2LaW3n5
- LYdW5XD0aMU2pA== )
- 7200 NS ns1.example.net.
- 7200 NS ns2.example.net.
- 7200 RRSIG NS 5 3 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- le7/8D28Oia0Ai/aSZsno5TILSCaPKNnuauM
- MGEGfCixiCXFIOCuND54qMpUR3wNEnTkHkyl
- OBYt6dGy5pH0dw== )
- 7200 RRSIG NS 5 3 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- IAaofnTCtf2xoxW+NxUyosdLTj2+ueDnv8tz
- hgGwtzUeHn+AXZgwB3pe5AgMO+Y8WNg7AZJ7
- TlJkTe3CnL6/Uw== )
- 7200 NSEC localhost.dyn.example.net. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 5 3 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- ovWzUD/vXa15hxBDTtMKP4TcJEpG3RX+2CrZ
- ztcRdF9uy3JXI3+dEgmB+cPaDVW1AiNIrIYF
- 3MRaCHa4jhJISw== )
- 7200 RRSIG NSEC 5 3 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- S0ngwduIYE7H5DZ9A8OfeY9h0Sb6mdBQpN2+
- TzK3hsS6d92m7IoTkLMv8V1iGMY9cUasauwl
- bzMUUgXpBSzFqA== )
- 3600 DNSKEY 256 3 5 (
- BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQu
- IkM+jbh+s79ZpErpCR7wBS5TswdoTeglX9Uj
- P0D6hLmHfTcsdHQLLeMidQ==
- ) ; key id = 1355
- 3600 DNSKEY 256 3 5 (
- BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzev
- MxDoizMthpHUkBf+8U6qExelm+aQQYnoyoe5
- NrreKBzt3jmqUYnn19QKQw==
- ) ; key id = 10643
- 3600 DNSKEY 257 3 3 (
- CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V
- NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K
- S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s
- m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA
- EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI
- r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i
- 4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v
- RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb
- BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA
- olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u
- ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO
- 6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT
- dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5
- ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
- clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
- ) ; key id = 42138
- 3600 RRSIG DNSKEY 3 3 3600 20081222123143 (
- 20081216123143 42138 dyn.example.net.
- CL4xO8K27EV8Aq25hhFsk7Q5uL7sGO0HnsBH
- tr6Iomd+JCqxBGvZSBg= )
- 3600 RRSIG DNSKEY 5 3 3600 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- DkobINneyOshuB+T7nfnGx/O7JvEBRPT/svs
- ysxDmzZ8CaPF04lskwrLPFcRfMhrGX2JFYjE
- uIWUFMbDBVHilA== )
- 3600 RRSIG DNSKEY 5 3 3600 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- 0W2AHhTCCVK1UAhfGkZTkrLuPfRNBgQHysKw
- dHimxjMq/IlVwamPkmrW0NmYdt15C+E9SZja
- HYu8RuXqyqxQzQ== )
-localhost.dyn.example.net. 7200 IN A 127.0.0.1
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- HDt+/eQ8d52VglJFPDwO3W7Gez2TUbvdz8Gk
- SVDqIjHSTvJWN3L0vnBdHXOYUT8WLIMtQXXm
- Y+JU8nNWxrD8yQ== )
- 7200 RRSIG A 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- vTo/zPTFUEK92lpo3XTuSai3VsUO5FuYuS0T
- L3w3iIQHOdOSHunPy2brF6BzsznZXLuYvDvr
- cZuxxYJpYRrecg== )
- 7200 NSEC ns1.dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- d+CMf40oITbKKIV2AE3JTmGKtxb1RJPEEm2p
- z8RHSPFrdcC9ieJrdZIx1+Uxs5PjNbZcjdft
- oiLcZ/pr+2QXew== )
- 7200 RRSIG NSEC 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- G/Tw47gQNzuCEJTLHbCOcrBoEEP28QrwzLdw
- 7Y+WXP7XFMsLDkdLGrsL6CGLDL/L9WBGU75x
- QKKBPFshzJUeUQ== )
-ns1.dyn.example.net. 7200 IN A 1.0.0.5
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- p99aPrpCC+FU8uRCJuRCo4aibhuFelbDXR1q
- 9WRVJBJiDV4FO6EH/tCBAUQmNT0fh+mERKNd
- 39Qjr5mH5gFcQw== )
- 7200 RRSIG A 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- QPGkC3aXCaNaGauAaEs5AWlBoftcP/HbrVGe
- JlzZN2LbwwbTNDtvotnW7PeWJaaj6vRInkOt
- TjSz43Sfn4FJvg== )
- 7200 AAAA 2001:db8::53
- 7200 RRSIG AAAA 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- ajT50HHhQUY5mD8SH1nPd+mf4HosL1lVvDVN
- HTnpoqCjG0guDuRk/BCLTBj1MPcPDYlkdDcd
- Rpv5xbYbYNu5qQ== )
- 7200 RRSIG AAAA 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- BXvwGdoLeAuj709j3KGvK7RvgQ4MbJmew8De
- ZbTBaoVt4Z79Tf0m67Vj+VqHRgTDjyIvnSNZ
- Bawk6lWw5dvroA== )
- 7200 NSEC ns2.dyn.example.net. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- lQESBjK8+FQmGgndAMbPvQ2WMomT3sa1ozPQ
- /7ykGFFgM3YeUyA2h0AlUWHatLNDvMy2HeaM
- C1ozcV9M/iHR0A== )
- 7200 RRSIG NSEC 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- fYIG2W8qnQYoahLfwJqLf4Tigl93xfqXZO20
- qn/wPBW4jy+JnJ/ShptEZCeuyTTsVBw4ZnJI
- 7o15ZBW1UlZy9g== )
-ns2.dyn.example.net. 7200 IN A 1.2.0.6
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- OrkPhnVeL0kTY6hJzrBgXy1NGeiQQR+5ykSh
- qFOOwR1C0YiBWGF3kkLE0ZAZ7XD+CPxc6Z/H
- WL/+o/AVAtWrtg== )
- 7200 RRSIG A 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- gDre5yf6WCDCute4lg1ktW9+mM4qPn5D5Oy6
- hsu3+9NRjOdAdQhV9HMzdOODooIOvLGKINOY
- 6PFS66OvTcfNpA== )
- 7200 NSEC x.dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- ZE+qfvafm4vmGkkpcI1Z1ND2doEwnGELDiYQ
- SpNu3bWTHDO6B8vHql1QayGPLzDH8licFAXL
- FdyUOVHrXZMZNw== )
- 7200 RRSIG NSEC 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- FZGn3y2M+YWoH6gk06gTUMZ49PIq+yDr708Y
- fxPcEsRljuYU2GrmETQKJTDY1HjYomTBGoKm
- StupQrHzOOasAA== )
-x.dyn.example.net. 7200 IN A 1.2.3.4
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- kYuQrOUinJDCsIGlv+qAPROyDOP6vCI11Us4
- V0c6HK18FaaNE0BeivHAMN9QkliHF9GjYVm2
- JbklfT3DUMSuIA== )
- 7200 RRSIG A 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- pYCB8HDdv9WxX1GxNWdafGZGSKrveweoOixc
- uddF++dPA1m+ro/6Qw28Cj5Coth7IKu+TyM0
- JPWTJgOUck73zw== )
- 7200 NSEC y.dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- AR2flkOCH0YPbmTGxPj4v8Ug/L2dasQElmZW
- +NZK4vlyxwtGFowBDtcjiD10defZNP3Wuzus
- YjuVA5JpZpTW8A== )
- 7200 RRSIG NSEC 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- Ant5JHyVUh8+mMG5+WGgimDGiItGVRWhb3B5
- C4KYb7DM8+qJ98W0KPIxFT9Sj9bsKyyOzvf3
- Bik/f7DSdcr6sg== )
-y.dyn.example.net. 7200 IN A 1.2.3.5
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- HYDO2JtuRZWZ+XyDj7GZOlC3b2Y2rozEzzEf
- OC/CChOsplwm1MDx+5nXPHM8wcIUUofrlq+b
- lRLJfqwLt9erxg== )
- 7200 RRSIG A 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- 1zS6xszu0hrKaJOLS6YOuFthmDCRp3PQIAjh
- u6uPX6Kjpb8Svhdo7yFp7ukJU5OX6BEKiSon
- qHajnJvPg72T6w== )
- 7200 NSEC z.dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- mtz25BnhPmwYaHG2DLth2f3XTUeAMFDnmXby
- /kUWbflanujxvWDnB2hFs4qKGeE+WL36F/aw
- /Ui1oFyMOcdvPg== )
- 7200 RRSIG NSEC 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- 3fCQpAl+OjtWt9ZIpTrYVLhpZoaLqAJ8hy2v
- ZTu9MtmmS3W/cdp6qdSi+bUZuiptGoxTBAjh
- aC7QpOrobV9C/w== )
-z.dyn.example.net. 7200 IN A 1.2.3.6
- 7200 RRSIG A 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- CxCptk9vpGT/9oG9WXiLmgKrWrxvuxFkgjEu
- gBsp7loIM6x3Pr+CDXdsvbjDW1DwsjYBPyCa
- JL7B7wczIlxQrA== )
- 7200 RRSIG A 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- MAJ85Q1cFh7yqewaQyJ3YxS3KwTK/rxW+leY
- HLwxfcijXkUrxVaRtO/gTcFdo4aTJjeDrPhV
- ESwQbI+NNVkVRw== )
- 7200 NSEC dyn.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 4 7200 20081222123143 (
- 20081216123143 1355 dyn.example.net.
- hOjfx9YA8O7tSXycALMnI+cQw3hs4euTVNPf
- fCiYukAFjwpQAmS8xVbtydTH7TVs5UcObyqB
- 8gsnXboAW9x07g== )
- 7200 RRSIG NSEC 5 4 7200 20081223230301 (
- 20081217230301 10643 dyn.example.net.
- hRnT7XWT+KFHsxZ8rNiqWJ2/5WyLQRxht/QQ
- NXaYz2OeSGfgsRmdHc6UfjeVLyeXYn7Tkikr
- Pg7pX/nmF4eldQ== )
+++ /dev/null
-;-----------------------------------------------------------------
-;
-; @(#) dyn.example.net/zone.org
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ IN SOA ns1.example.net. hostmaster.example.net. (
- 1 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
- IN NS ns1.example.net.
- IN NS ns2.example.net.
-
-ns1 IN A 1.0.0.5
- IN AAAA 2001:db8::53
-ns2 IN A 1.2.0.6
-
-localhost IN A 127.0.0.1
-
-x IN A 1.2.3.4
-y IN A 1.2.3.5
-z IN A 1.2.3.6
-
-$INCLUDE dnskey.db
-
+++ /dev/null
-;% generationtime=20081116175850
-;% lifetime=365d
-example.net. IN DNSKEY 257 3 5 BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU t9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB /Q==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB/Q==
-PublicExponent: AQAAAAE=
-PrivateExponent: CfS81MH9GT1CGQtK94PvSgggeQnSullWOmqQsKGndfJVpv4AJj/XCaEhgboIVshezJmUdHf3RWSOkSYfHAID89fTFAYvL4ZVSmkha1EivkY+tOeohM9zBzs5CfE9fmAlMCmxEQsYggZtjuddncKCNC4IYSkV6ez21S//3vnGvUtic+2ywaXF03MwhjKkOed6g8ukZJnj7B9Z5wu3rdiyOe85IQ==
-Prime1: A7Wh1oSpETxNT/ptPVHSGIemIyNvALXSI5UcoWAADQbith5663r1GgXHk2YGbyg1HgyrCZFoME3ZoIOUQ6yfN6tlixhpWmQdLW+pz3lULlTFBQ==
-Prime2: A1pCUhsSF9J8i5Smp2KEO3Dw5LngamhRksJzKC4yfGMvjwJ/RHJByyVcUEtRhgLvd2C2uW89Z4nz8HM/HQI+u9uwIFM20SIFEzZceR62ghNamQ==
-Exponent1: Azf7LwilgmHe2xJwMfQIJP5OnNsaZ1zm7Gk2i4lyA8+3hHNWetR1QRKl5E3AnzIzwOM5VEm2nO2XZeyHKPVOol6DM390oFXvp0c2G+ROabyQnQ==
-Exponent2: ATQ6mNC7MpC5NlGdQ+XmlTkiNuCRuFf/jZeSiJkZWvTjwZXQUhRCFMiM7fYwx/b/cqnqZ7I/9VwzslorFu0T37GQaeugFNkrsDdRRvDOA7+qoQ==
-Coefficient: AkhsG+b3Bel4MQ9fF/CnsPxv0cdoTphpLZPUGPlG451hqWFzMANEcTsiDya2UHoa5FAK825+47hVdihTdZkJwMNMsoI2Xnr07AEurDapOvChrg==
+++ /dev/null
-;% generationtime=20090730151357
-;% lifetime=84d
-example.net. IN DNSKEY 256 3 5 BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: QGedp/HTzh6rYQGFLCnFHIM8mo5AxWZng293NH1AjxjGas5dmGZazN7l1XVRC3vsrkJnEo4vufmn3PiXEN5+cQ==
-Prime1: 9xNBI9Hnmg90Tt4dTmbd3vwYOnPMY3bUT8LK7ST9AW8=
-Prime2: 3zJmVknraflkD8SdS8KS30TnMdS45kfTLrLfGapkul8=
-Exponent1: 3QgVQB/5/207T9FsSmaLCerWRHXc2rhk2SzIgkizh+k=
-Exponent2: jFPAst+viSJxygltwZn3WPEL1+JeMFK99nilMa7YVLc=
-Coefficient: 7duJdlOhBkQ0IDwI5Hiedteo7phE7GPedy5MVHpPcjM=
+++ /dev/null
-;% generationtime=20090228113129
-;% lifetime=60d
-example.net. IN DNSKEY 257 3 5 BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug aQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: CwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhugaQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: BhlkW6GKcOvDGyVAj7rEqpvEVd+t8H3WkifdhulioLIppKBuJlzzhSORjGojm6KYwcQl78F/7kHgKn2S5jBVk0FZr3vUR7Z6wbO80Ic9lOaFMBz0uYvUIYLGpFJvsVAFWv9sOkLK5iwFs6JehrSgxDbMfyBd8hpdN7mWOYD51p5HJMVvdqAw82mZoELQdlWM5tUzZdyx0jnAPtnYV+IxVa5CgQ==
-Prime1: A41vXEkXlyvOuNbnByXKgw4BfHHp4LjpDsm4F35SD56Pvw1BFHtrgm/U7oJZQUBvyW2CcCe0Ria1iY4OjB/jdv2c4+GPhq1LizHquadfwHfAzw==
-Prime2: AxwrEOiIRMkPEobov43MiBtbFKGA7QnN7DOD/QTFOA8a7IMhUDHU7pQbJASXpUaLKLSrAMeRNKwSyHXq34WFUzP4HK6ubuLn2k5YxhWRDbwpRw==
-Exponent1: Ao+dprhY0qEAYGjF6wdwxyIDFAoU/g+1gwS566bRiIrYdXN9OoLRHHH7r3v8tfgjKckQAXbjVKfV9MYNpnW8jYqmSOvAXXjLtHtyBcJQOs89gQ==
-Exponent2: 9AwIcMdFNsAzAsXHLQwN3lvQUce4cpuxw/GKnKTu9rsmqtbz9Al4qLSTsXYxErdSZ7xwIxX/PYeCywc0zZjd5fbGGOBv/fApfRgECVQWSNpJ
-Coefficient: 1hDGT7Cnck4tyDJDUZHVK2ejowz2RlqzqN/BAMEfi+k3b/Ild6pdHNHu2mDYkFRqSIU4zVAVxeplrTKoXvVmmb8iWF/3jNLL/eKxYinNHe1P
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: pYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: ZF1rC+0JIyhAQNFXPtcPW8S3iggmyY5AH+yXDDqpM1qx3a3NY5/BfuHFYDtsfHAB2DOjgqQmADly2B9NMhoJ4Q==
-Prime1: 2jtxQTZzjZuyqSRk4PBk/nx+VqrVFdSvHUyXb2EjNrU=
-Prime2: wizFiwOCJBiVDOjA0Zq9VuWk4+Fa7TNpkXp0//Y+NQU=
-Exponent1: ORIEM1AkgXP+KkRQcZI6qW+fXhrdUsegVW42eGRzEmk=
-Exponent2: YHsutgi+2qKtY/38Uu3e7bnHVhpUO7ZAcgPh00vd1yk=
-Coefficient: Z5qDNIXQpU91m32R1HPPK75ASx5ah4/Gd4jw/SHsnDk=
+++ /dev/null
-;% generationtime=20090615075841
-;% lifetime=14d
-example.net. IN DNSKEY 256 3 5 BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
+++ /dev/null
-;% generationtime=20090630093509
-;% lifetime=14d
-example.net. IN DNSKEY 256 3 5 BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
-PublicExponent: AQAAAAE=
-PrivateExponent: a9MzQ8dBy0kkwjUECnf6X02Q8URTNL+8IuJIOjD0sVbtt04trek0iioQkWNVBn7m7o1vrIijQ4AuMe9xqyiRyQ==
-Prime1: /m1HDAGWnLeuYTLhlNxQBg+vUDjDPXOFXFvOg5Vkjlc=
-Prime2: ziIYCdlrKqZkIpyt6AuPsRDqs2kNlkiwWT8D4D7J3L0=
-Exponent1: Sd/Kn+FrTrMRZucUyXyGoKyfX6uReD4Kv0XYAqtk9+s=
-Exponent2: KAcgSeMQeZPaabpFZMR9O4h2j4WwD5PysJsQKq1i9DE=
-Coefficient: NBFD1eKzJOpi9G1tF88xmnNvNBbyEtgf0EuV4JAwTrs=
--- /dev/null
+;% generationtime=20100311225233
+;% lifetime=60d
+example.net. IN DNSKEY 257 3 8 BQEAAAABDUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkG TECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJ JBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9 SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPY BQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: DUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkGTECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJJBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPYBQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: AeHyClC8SYdKB3mQtwWx/z08pCjHEs18KF9HbWddQnQrrJKP1lh1r6DGmJ5oigg3i2x/NEBUXw345FYQ7ynaVewt4KoQ2c6vT1ZyOXuoCmJknMxXKaVma5L3+hrGwdaS7tbJXGQrq6FHaYOO/2un8G7qRU5zoods+iR8qCRktkYVk2PS7wrdeQu9XaGUl5pPwh7fmNmjpfe16kyk3M2xoThEUQ==
+Prime1: A9GgY74jQxKOqTEMivti0zJIuxjlN7k1+MlTDQliH8EiFy8b/6HqRqddgdeuPDt8s0jv1cGxnMig4761JszH7CQeHbefeoLw95OXu7v6hpw3Uw==
+Prime2: A3qansKrFaIwWJw7n0//qO52mEKCxoljeMzbeXx4f+pgADmyMcv8ysHMUPP6BEwVxlxHVyv9a3lxQRa8ZdPtFV+QK3Zy3PfAV8SoahbYgi2ARw==
+Exponent1: v6z/wlryoSYkgnlkxM6uC6AEc7ZQQdla7cG+iaeEJq8pfzPClkU+WiBP9MJroO8ExM1mj/bjIfw3/Vel5NuLD9uU+BIV1qzcWKbPwo7xZnqh
+Exponent2: OPEA/pb22DU0GDyS1UmOmJGjyp2Irxe1LJL6J16bK/lCqPNenT8qIYbLY2EKUoRhAirvurd4/fXqnzNVYdw369C/DBtfZ6AeAfs4no/+Fnfx
+Coefficient: /pte3nUM+M1VmAs7z3bhTdbPWIJZk7z0RkcBhFvUn4ZGgImUSFF8/psPzvQFy9pyGzinviE16aI0UVEBxL7NkFfSs9cMX0jpItFDyJTcxvjA
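Review bot: The RSA private material added here (Modulus, PrivateExponent, Prime1/Prime2, and again in the ZSK private key file added just below) ships inside the source tree with nothing marking it as sample-only, so anyone who reuses the example directory against a zone they actually serve would be signing with keys that every reader of this distribution already holds. These files are dnssec-keygen output and have no comment syntax of their own, so the caveat belongs in the example's configuration or accompanying documentation, e.g. a line to the effect of "the K*.private files in this directory are throwaway sample keys; regenerate before signing any real zone". Separately, the ZSK's Prime1 and Prime2 in the following hunk are 32 bytes each, i.e. a 512-bit modulus, which is well under what current guidance recommends even for a short-lived ZSK; the dyn.example.net log added earlier in this commit appears to show dnssec-signzone rejecting the NSEC3 iteration count on account of a weak DNSKEY, which is the kind of failure undersized sample keys tend to trigger. If the fixtures are kept, consider regenerating them at a contemporary size so the example does not teach undersized keys.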
--- /dev/null
+;% generationtime=20100311225233
+;% lifetime=14d
+example.net. IN DNSKEY 256 3 8 BQEAAAABy5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twH y339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: y5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twHy339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: uHA+A2dABi4t2afEHHud8MajxjMLqxw/+t0yzsRgye6eiAkJVuhYSdxxqmlqMmSayrBNSX2jYHdKmY49W6kmUQ==
+Prime1: 6pzzNfud8Hzw9UdeitwJwVzFaAfV/RmRmTCm4OLBGD0=
+Prime2: 3itJLwoOTYkb2rOQNjZ/4hMNov3plClxo5e9iPSARL0=
+Exponent1: w/gumsQA0FOkuuMBp5PcTsbHbebL9SAVDURQgLo2ZMU=
+Exponent2: ILYpsGsfTcHDSAmGbQBRSsFQEKw7Ghx/mIcWoUIN250=
+Coefficient: cwmz0VwEQ4Jjc3+T0tDgH9fhUiyISbuV/0Bz25E5bYA=
+++ /dev/null
-;
-; !!! Don't edit this file by hand.
-; !!! It will be generated by dnssec-signer.
-;
-; Last generation time Jul 30 2009 17:13:57
-;
-
-; *** List of Key Signing Keys ***
-; example.net. tag=33840 algo=RSASHA1 generated Feb 28 2009 12:31:29
-example.net. 14400 IN DNSKEY 257 3 5 (
- BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc
- +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n
- m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u
- SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug
- aQ==
- ) ; key id = 33840
-
-; example.net. tag=7308 algo=RSASHA1 generated Feb 28 2009 12:31:29
-example.net. 14400 IN DNSKEY 257 3 5 (
- BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ
- oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ
- w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU
- t9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB
- /Q==
- ) ; key id = 7308
-
-; *** List of Zone Signing Keys ***
-; example.net. tag=34925 algo=RSASHA1 generated Jun 17 2009 16:36:16
-example.net. 14400 IN DNSKEY 256 3 5 (
- BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj
- w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
- ) ; key id = 34925
-
-; example.net. tag=48089 algo=RSASHA1 generated Jun 30 2009 11:35:09
-example.net. 14400 IN DNSKEY 256 3 5 (
- BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd
- IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
- ) ; key id = 48089
-
-; example.net. tag=24545 algo=RSASHA1 generated Jul 30 2009 17:13:57
-example.net. 14400 IN DNSKEY 256 3 5 (
- BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ
- WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
- ) ; key id = 24545
-
--- /dev/null
+Key_Algo: RSASHA256 # (Algorithm ID 8)
+NSEC3: OPTOUT
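Review bot: `NSEC3: OPTOUT` turns on opt-out for the example zone with no note on when that is appropriate; opt-out only pays off in zones with many unsigned delegations, and in exchange the NSEC3 chain can no longer prove that an insecure delegation does not exist at a name inside an opt-out span, so a small, fully signed zone like the example.net data in this commit gets weaker denial of existence for no benefit. This looks like a per-zone override that users will copy from, so either add a comment such as `NSEC3: OPTOUT # opt-out is only worthwhile for delegation-heavy zones; leave it off for zones you sign completely` or switch the sample to the non-opt-out NSEC3 setting. The `Key_Algo: RSASHA256 # (Algorithm ID 8)` line is consistent with the `Algorithm: 8 (RSASHA256)` in the generated key files.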
+++ /dev/null
-example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
-example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
-example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
-example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
+++ /dev/null
-;% generationtime=20080506212634
-;% lifetime=60d
-;% expirationtime=20090228113128
-example.net. IN DNSKEY 385 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU8w==
-PublicExponent: AQAAAAE=
-PrivateExponent: AzPR74ljfqsl7qB92XeCowR3igYQrN59a2Z8VGB1PegjagkBltDzudzYyDKpvqdigjeFLL54f1MN5JCPo4J2Q6Ij49LAQ5GsXiEd/FWlwR+UztOcW/uZ3W6DNIwuMbSY7ruZmpv/zVPpyeY1PVXgCsJlX2Zj/Wt8QHASHp5rUugGQSPQfVSQ/mBdDXMZw2tEb3b10quziCmKuHegopRYeuNXwQ==
-Prime1: A+5jXfxmP0Mfnjr4m8BPrPkDyokgFXZB3dXibxeZqp4ypcwpXeO0xTf1FjSZeIOi2RJOzpym914IYa3wPx4zbxmsGeozr1hTIWE+6Xuz0qjE0w==
-Prime2: A2EOffOaSvEoTUf/0dF8Z9/dYxIrE9HBbXRjgrlPc+WoG57lCkjxe/KO5Eclg9o5nrTFcsxpsjrdxOAcIcyTIHsXW8YgxDAb1mFJ0V6tBsabYQ==
-Exponent1: vmRAN3zHGTV28Oj4gslB/xA58sDyieCkDrpGaGChsPo7yUPOEeZQ8ep/FDnQoZLhLCn6XkKcN4D99Yo3JxVECBJOHZp8HrFsfF9BzpXk2yH9
-Exponent2: Aj8x3YdZJ0/KzwX2m6G2qZ5WktmkDITa+XHxvSashqlBm2niBCRFN5kNQNhkIO5ZAFWKEPuHSB5BZWTzgj8jeB8mRoYtbPlJom4KbNtCiZ6BYQ==
-Coefficient: A87WfUPUBfYDuSAu6kcHLAyr0OnqoXnMeXSgyq28CJXdh3Vg39Al8me07wWeRDjMzfpZGdKEhxyvVIS8WhY3du0FYoGI5YhJMqaYq3XjwLfpsQ==
+++ /dev/null
-;% generationtime=20080415164557
-;% lifetime=20d
-;% expirationtime=20080506212633
-example.net. IN DNSKEY 385 3 5 BQEAAAABCrDt76ODmeteohszxggclH3vAXO/NXOnXjOzIivP5LaUL4/U uAtafg5JXypl/nCUVap9FG0K1ebCCBCMJaPCoi7pIgD5EgFzHPnxZo2w GvtmWYwK3MaBP4U8YzwpVbGpJIBAW+IZyM89LD6b2cvkJL5YEviPNfMp rMTLo7BOMVjMBpG2IuULOHq7dzyIe/ym/RXKuuYc5AVtHCBBfGKU/Wzn 0Q==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: CrDt76ODmeteohszxggclH3vAXO/NXOnXjOzIivP5LaUL4/UuAtafg5JXypl/nCUVap9FG0K1ebCCBCMJaPCoi7pIgD5EgFzHPnxZo2wGvtmWYwK3MaBP4U8YzwpVbGpJIBAW+IZyM89LD6b2cvkJL5YEviPNfMprMTLo7BOMVjMBpG2IuULOHq7dzyIe/ym/RXKuuYc5AVtHCBBfGKU/Wzn0Q==
-PublicExponent: AQAAAAE=
-PrivateExponent: CWC6hC61oQC954Dcu2Z0NNmLk6Wnr33yh7VCuT7kh5fSOgA6Fm0qQgH+nvW2sv9fpy8JB4WBaa/CnysKkLwjDBFcWkrMw7wDR0KAiixe8bjXCZUy95x2t3B/o23jQtS/ejJgaSSOJFioRcPoT5sv9mm6QCe3ir3g9+3n4COrzf0DY1oGfDLzuhrYDT/AM5MuEjSamlblTPHHsKlI3UCl+AHDLQ==
-Prime1: A3ZcDeyxt/SDgmgg4Yk7v66MbFU4GWreYp4/MYhEDsE4jA0cqEY28cAoN8FyPCB1H1t10IVqOs7/LSKrWdXMUKUv57DPMHJp539Wx2HYLmVIfw==
-Prime2: AxZ8J01/Sbij24nloiVsDJdjFTAVApr4S6n/QRdBkWumQTLexnQ1ErcTEVc3Fn0po04ZToIO5JNINrWNdAuNiaHYLuiD4pkkHuSAmTajbVsnrw==
-Exponent1: Iw7WPWd3zZeJ/b3zQcQtSosUXUWFy430aEsQWimMnibFm+qOVpsjhRkTHW/yZp227Y4sVb/ZhzCZWFGr6qWe0sdHIv5Yx6SkvIxv4rUiHdOL
-Exponent2: AhiPWhKq+Iyy/HRZuWpIAalUZ7yE7FeHWFQYQLocatTCnY91VsgNxRLXRwcci6mflhIVoLBDHJal7x4SCRq0Xbze5PeMlMUhsDQdCT+QYTgCRw==
-Coefficient: Auw2b1lPzp3gWxpnDNZWeuiwGcWTd9fNfN/4kBrCbulFngYTNVBpqathFqdwtojYXHfM2HZDKHqmZVZgON+FfxvauGvTDWO6MTBxUleeBlLmcg==
+++ /dev/null
-;% generationtime=20080420205422
-;% lifetime=60d
-;% expirationtime=20081116175850
-example.net. IN DNSKEY 385 3 5 BQEAAAABDAnSCbSyScZdP2M6OQTbTGvZRD5avmDYgAwXv0EsnNautYn7 kzDGwY3oVTXWDTdII+syK0pt0unjUn2ActoXtyFzIk61VRKDroANM9/W O0PO/y50vNIGMJUL1TiMR6jCp23eSxQ39/1A+BeiU+fMjoJK0/Yc7hbM HWwD8myU0IEX8R2iVUTXNPNbmUV2M836Eu5SRLIVTc7P4vjKT1YYVnoQ qw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DAnSCbSyScZdP2M6OQTbTGvZRD5avmDYgAwXv0EsnNautYn7kzDGwY3oVTXWDTdII+syK0pt0unjUn2ActoXtyFzIk61VRKDroANM9/WO0PO/y50vNIGMJUL1TiMR6jCp23eSxQ39/1A+BeiU+fMjoJK0/Yc7hbMHWwD8myU0IEX8R2iVUTXNPNbmUV2M836Eu5SRLIVTc7P4vjKT1YYVnoQqw==
-PublicExponent: AQAAAAE=
-PrivateExponent: CJPcx+j7bWxMzKCl395v2PxQRYc/YurHU25oJL9i+B/bkxC8sRzSrTe4rRW61vhtAE3R6+CGz1336igirbEWKjHbPyBg42QHu2OCHWcKv4jq8k9yvtYGb9rKVvSUj4HAfZolr130loWW+CNp5soQQcJG0qxP+YkdI/Z+GDQ9kDbn80+r3wtCtVzjhoq0RoUSH3UnKUbs+DvacQmvepMLcM3PgQ==
-Prime1: A413lN4gpI+7Imn2Krm4CGyRCBoNwFa2PSr1ZQN195W5enKVZAkKg+49G7hoduMgjW2RAzwoJp0/4cGPx5nugSv93QT/mTMhYupL9KdGKcYUIQ==
-Prime2: A2N7TbYY1Q67CsoqHPvogKEP0XtlN421eF+88Yu/YnAZ3Ikd1nMad7rO1bVWptabsNuw0JFkpOmrS3u/GvaWmKCNGBlGjF/XlKr8Bh63V/zLSw==
-Exponent1: Aa0C6ssN8NTZIKsoGJEJLVbb9uB48nXtaMq2FxFARogrnmY0Gi/n8AWFc+ulPvAzJhhrjWF3VW38GcuPe3Ss8l3fpAbAexEnrJHOXxKLlOgmwQ==
-Exponent2: j78LKeDXSgTL5WmsffdJHSRe32GfaX6SgTF0BKzKVRuNIiOf7vHjzkDn4gdcTsMLTSNVp/Zj4vkWMkfJNq+AqosHpBFvhmd+boUG4Xde4jSp
-Coefficient: A1RWhKCgowdNAWs9OF3Q5CBBzC2Fq6O0CspJJD3cmNTEQVbxEbzSWyW7S1NsBgp+6de/HQ72IFtEAL9ChSy6pXWx27PGK6wE89rGbfaJ9Y2gzQ==
+++ /dev/null
-$ORIGIN .
-example.net 7200 IN DNSKEY 257 3 5 (
- BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
- 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
- BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
- eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
- grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
- V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
- Il5cqhugaQ==
- ) ; key id = 33840
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
- Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
- Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
- SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO
- g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy
- A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
- JT9+p0yB/Q==
- ) ; key id = 7308
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 353 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+ IN NS ns1.example.net.
+
+ns1 IN A 1.0.0.5
+
+example.net. 3600 IN DNSKEY 257 3 5 (
+ BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc
+ +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n
+ m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u
+ SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug
+ aQ==
+ ) ; key id = 33840
+
+example.net. 3600 IN DNSKEY 256 3 5 (
+ BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd
+ IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
+ ) ; key id = 48089
+
+_domainkey IN NS ns1.example.net.
+
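Review bot: The new example zone hard-codes a globally routable address on the `ns1` line; a sample file should use an RFC 5737 documentation prefix, e.g. `ns1 IN A 192.0.2.5`, so that anyone copying the example never points it at a real host. The removed zone.db pulled its keys in with `$INCLUDE dnskey.db`, whereas this one embeds two DNSKEY records by hand at TTL 3600 under a `$TTL 7200` zone; since the accompanying log shows zkt writing `./example.net/dnskey.db` before each signing run, the embedded keys presumably go stale after the first rollover unless the include is restored — worth confirming which form the example is meant to demonstrate. If the inline form is intended, a one-line comment above the DNSKEY records stating that they are a static snapshot for the example would settle the question for readers.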
--- /dev/null
+2010-02-06 00:26:54.533: debug: Check RFC5011 status
+2010-02-06 00:26:54.533: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:26:54.533: debug: Check KSK status
+2010-02-06 00:26:54.533: debug: Check ZSK status
+2010-02-06 00:26:54.533: debug: Re-signing not necessary!
+2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy
+2010-02-06 00:29:31.291: debug: Check RFC5011 status
+2010-02-06 00:29:31.291: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:29:31.291: debug: Check KSK status
+2010-02-06 00:29:31.292: debug: Check ZSK status
+2010-02-06 00:29:31.292: debug: Re-signing not necessary!
+2010-02-06 00:29:31.292: debug: Check if there is a parent file to copy
+2010-02-06 00:40:35.043: debug: Check RFC5011 status
+2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:40:35.043: debug: Check KSK status
+2010-02-06 00:40:35.043: debug: Check ZSK status
+2010-02-06 00:40:35.043: debug: Re-signing not necessary!
+2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy
+2010-02-06 00:52:55.403: debug: Check RFC5011 status
+2010-02-06 00:52:55.403: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:52:55.403: debug: Check KSK status
+2010-02-06 00:52:55.403: debug: Check ZSK status
+2010-02-06 00:52:55.403: debug: Re-signing not necessary!
+2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy
+2010-02-07 13:53:48.304: debug: Check RFC5011 status
+2010-02-07 13:53:48.304: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:53:48.304: debug: Check KSK status
+2010-02-07 13:53:48.304: debug: Check ZSK status
+2010-02-07 13:53:48.304: debug: Re-signing not necessary!
+2010-02-07 13:53:48.304: debug: Check if there is a parent file to copy
+2010-02-07 13:54:03.466: debug: Check RFC5011 status
+2010-02-07 13:54:03.466: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:03.466: debug: Check KSK status
+2010-02-07 13:54:03.466: debug: Check ZSK status
+2010-02-07 13:54:03.466: debug: Re-signing not necessary!
+2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy
+2010-02-07 13:54:08.019: debug: Check RFC5011 status
+2010-02-07 13:54:08.019: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:08.020: debug: Check KSK status
+2010-02-07 13:54:08.020: debug: Check ZSK status
+2010-02-07 13:54:08.020: debug: Re-signing necessary: Option -f
+2010-02-07 13:54:08.020: notice: "example.net.": re-signing triggered: Option -f
+2010-02-07 13:54:08.020: debug: Writing key file "./example.net/dnskey.db"
+2010-02-07 13:54:08.020: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-07 13:54:08.020: debug: Signing zone "example.net."
+2010-02-07 13:54:08.021: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-07 13:54:08.125: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:54:08.125: debug: Signing completed after 0s.
+2010-02-07 13:54:08.125: notice: "example.net.": distribution triggered
+2010-02-07 13:54:08.125: debug: Distribute zone "example.net."
+2010-02-07 13:54:08.125: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed "
+2010-02-07 13:54:08.129: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./"
+2010-02-07 13:54:08.129: notice: "example.net.": reload triggered
+2010-02-07 13:54:08.129: debug: Reload zone "example.net."
+2010-02-07 13:54:08.129: debug: Run cmd "./dist.sh reload example.net. ./example.net/zone.db.signed "
+2010-02-07 13:54:08.139: debug: ./dist.sh reload return: "rndc reload example.net. "
+2010-02-07 14:06:27.670: debug: Check RFC5011 status
+2010-02-07 14:06:27.670: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:27.670: debug: Check KSK status
+2010-02-07 14:06:27.670: debug: Check ZSK status
+2010-02-07 14:06:27.670: debug: Re-signing not necessary!
+2010-02-07 14:06:27.671: debug: Check if there is a parent file to copy
+2010-02-07 14:06:33.753: debug: Check RFC5011 status
+2010-02-07 14:06:33.753: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:33.753: debug: Check KSK status
+2010-02-07 14:06:33.753: debug: Check ZSK status
+2010-02-07 14:06:33.753: debug: Re-signing necessary: Option -f
+2010-02-07 14:06:33.753: notice: "example.net.": re-signing triggered: Option -f
+2010-02-07 14:06:33.753: debug: Writing key file "./example.net/dnskey.db"
+2010-02-07 14:06:33.754: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-07 14:06:33.754: debug: Signing zone "example.net."
+2010-02-07 14:06:33.754: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-07 14:06:33.790: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 14:06:33.790: debug: Signing completed after 0s.
+2010-02-07 14:06:33.790: notice: "example.net.": distribution triggered
+2010-02-07 14:06:33.790: debug: Distribute zone "example.net."
+2010-02-07 14:06:33.790: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed "
+2010-02-07 14:06:33.794: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./"
+2010-02-07 14:06:33.794: notice: "example.net.": reload triggered
+2010-02-07 14:06:33.794: debug: Reload zone "example.net."
+2010-02-07 14:06:33.794: debug: Run cmd "./dist.sh reload example.net. ./example.net/zone.db.signed "
+2010-02-07 14:06:33.797: debug: ./dist.sh reload return: "rndc reload example.net. "
+2010-02-21 12:50:43.587: debug: Check RFC5011 status
+2010-02-21 12:50:43.587: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:43.587: debug: Check KSK status
+2010-02-21 12:50:43.587: debug: Check ZSK status
+2010-02-21 12:50:43.587: debug: Lifetime(1209600 +/-150 sec) of active key 33002 exceeded (2394625 sec)
+2010-02-21 12:50:43.587: debug: ->depreciate it
+2010-02-21 12:50:43.587: debug: ->activate published key 29240
+2010-02-21 12:50:43.587: notice: "example.net.": lifetime of zone signing key 33002 exceeded: ZSK rollover done
+2010-02-21 12:50:43.587: debug: New key for publishing needed
+2010-02-21 12:50:43.658: debug: ->creating new key 5525
+2010-02-21 12:50:43.658: info: "example.net.": new key 5525 generated for publishing
+2010-02-21 12:50:43.658: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:43.658: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:43.658: debug: Writing key file "./example.net/dnskey.db"
+2010-02-21 12:50:43.665: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 12:50:43.665: debug: Signing zone "example.net."
+2010-02-21 12:50:43.665: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-21 12:50:43.733: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:43.733: debug: Signing completed after 0s.
+2010-02-21 12:50:51.205: debug: Check RFC5011 status
+2010-02-21 12:50:51.205: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:51.205: debug: Check KSK status
+2010-02-21 12:50:51.205: debug: Check ZSK status
+2010-02-21 12:50:51.205: debug: Re-signing not necessary!
+2010-02-21 12:50:51.205: debug: Check if there is a parent file to copy
+2010-02-21 12:51:23.497: debug: Check RFC5011 status
+2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:51:23.497: debug: Check KSK status
+2010-02-21 12:51:23.497: debug: Check ZSK status
+2010-02-21 12:51:23.497: debug: Re-signing not necessary!
+2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy
+2010-02-21 19:16:18.594: debug: Check RFC5011 status
+2010-02-21 19:16:18.594: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:16:18.594: debug: Check KSK status
+2010-02-21 19:16:18.594: debug: Check ZSK status
+2010-02-21 19:16:18.594: debug: Re-signing not necessary!
+2010-02-21 19:16:18.594: debug: Check if there is a parent file to copy
+2010-02-21 19:32:11.378: debug: Check RFC5011 status
+2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:11.378: debug: Check KSK status
+2010-02-21 19:32:11.378: debug: Check ZSK status
+2010-02-21 19:32:11.378: debug: Re-signing not necessary!
+2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy
+2010-02-21 19:32:15.982: debug: Check RFC5011 status
+2010-02-21 19:32:15.982: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:15.982: debug: Check KSK status
+2010-02-21 19:32:15.982: debug: Check ZSK status
+2010-02-21 19:32:15.982: debug: Re-signing necessary: Option -f
+2010-02-21 19:32:15.982: notice: "example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:15.982: debug: Writing key file "./example.net/dnskey.db"
+2010-02-21 19:32:15.982: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 19:32:15.982: debug: Signing zone "example.net."
+2010-02-21 19:32:15.982: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-21 19:32:16.019: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:16.019: debug: Signing completed after 1s.
+2010-02-21 19:32:32.232: debug: Check RFC5011 status
+2010-02-21 19:32:32.232: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:32.233: debug: Check KSK status
+2010-02-21 19:32:32.233: debug: Check ZSK status
+2010-02-21 19:32:32.233: debug: Re-signing necessary: Option -f
+2010-02-21 19:32:32.233: notice: "example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:32.233: debug: Writing key file "./example.net/dnskey.db"
+2010-02-21 19:32:32.233: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 19:32:32.233: debug: Signing zone "example.net."
+2010-02-21 19:32:32.233: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-21 19:32:32.273: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:32.273: debug: Signing completed after 0s.
+2010-02-25 00:12:27.060: debug: Check RFC5011 status
+2010-02-25 00:12:27.060: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 00:12:27.060: debug: Check KSK status
+2010-02-25 00:12:27.060: debug: Check ZSK status
+2010-02-25 00:12:27.060: debug: Lifetime(29100 sec) of depreciated key 33002 exceeded (300104 sec)
+2010-02-25 00:12:27.060: info: "example.net.": old ZSK 33002 removed
+2010-02-25 00:12:27.081: debug: ->remove it
+2010-02-25 00:12:27.082: debug: Re-signing necessary: Modfied zone key set
+2010-02-25 00:12:27.082: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 00:12:27.082: debug: Writing key file "./example.net/dnskey.db"
+2010-02-25 00:12:27.086: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-25 00:12:27.086: debug: Signing zone "example.net."
+2010-02-25 00:12:27.086: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-25 00:12:27.173: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 00:12:27.174: debug: Signing completed after 0s.
+2010-02-25 23:42:21.013: debug: Check RFC5011 status
+2010-02-25 23:42:21.013: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:21.013: debug: Check KSK status
+2010-02-25 23:42:21.013: debug: Check ZSK status
+2010-02-25 23:42:21.013: debug: Re-signing not necessary!
+2010-02-25 23:42:21.013: debug: Check if there is a parent file to copy
+2010-03-02 10:59:12.416: debug: Check RFC5011 status
+2010-03-02 10:59:12.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:12.416: debug: Check KSK status
+2010-03-02 10:59:12.416: debug: Check ZSK status
+2010-03-02 10:59:12.416: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-03-02 10:59:12.416: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-03-02 10:59:12.416: debug: Writing key file "./example.net/dnskey.db"
+2010-03-02 10:59:12.449: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-02 10:59:12.449: debug: Signing zone "example.net."
+2010-03-02 10:59:12.450: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-02 10:59:12.530: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-02 10:59:12.530: debug: Signing completed after 0s.
+2010-03-03 23:22:00.415: debug: Check RFC5011 status
+2010-03-03 23:22:00.415: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-03 23:22:00.415: debug: Check KSK status
+2010-03-03 23:22:00.415: debug: Check ZSK status
+2010-03-03 23:22:00.416: debug: Re-signing not necessary!
+2010-03-03 23:22:00.416: debug: Check if there is a parent file to copy
+2010-03-08 23:11:50.170: debug: Check RFC5011 status
+2010-03-08 23:11:50.170: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:11:50.170: debug: Check KSK status
+2010-03-08 23:11:50.170: debug: Check ZSK status
+2010-03-08 23:11:50.171: debug: Lifetime(1209600 +/-150 sec) of active key 29240 exceeded (1333267 sec)
+2010-03-08 23:11:50.171: debug: ->depreciate it
+2010-03-08 23:11:50.171: debug: ->activate published key 5525
+2010-03-08 23:11:50.171: notice: "example.net.": lifetime of zone signing key 29240 exceeded: ZSK rollover done
+2010-03-08 23:11:50.171: debug: New key for publishing needed
+2010-03-08 23:11:50.228: debug: ->creating new key 21482
+2010-03-08 23:11:50.228: info: "example.net.": new key 21482 generated for publishing
+2010-03-08 23:11:50.228: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:11:50.228: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:11:50.228: debug: Writing key file "././example.net/dnskey.db"
+2010-03-08 23:11:50.235: debug: Incrementing serial number in file "././example.net/zone.db"
+2010-03-08 23:11:50.235: debug: Signing zone "example.net."
+2010-03-08 23:11:50.235: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-08 23:11:50.294: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:11:50.294: debug: Signing completed after 0s.
+2010-03-08 23:12:56.212: debug: Check RFC5011 status
+2010-03-08 23:12:56.212: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:12:56.212: debug: Check KSK status
+2010-03-08 23:12:56.212: debug: Check ZSK status
+2010-03-08 23:12:56.212: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:12:56.212: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:12:56.212: debug: Writing key file "././example.net/dnskey.db"
+2010-03-08 23:12:56.213: debug: Incrementing serial number in file "././example.net/zone.db"
+2010-03-08 23:12:56.213: debug: Signing zone "example.net."
+2010-03-08 23:12:56.213: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-08 23:12:56.278: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:12:56.279: debug: Signing completed after 0s.
+2010-03-08 23:13:36.984: debug: Check RFC5011 status
+2010-03-08 23:13:36.984: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:13:36.984: debug: Check KSK status
+2010-03-08 23:13:36.984: debug: Check ZSK status
+2010-03-08 23:13:36.985: debug: Re-signing not necessary!
+2010-03-08 23:13:36.985: debug: Check if there is a parent file to copy
+2010-03-08 23:18:52.287: debug: Check RFC5011 status
+2010-03-08 23:18:52.287: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:18:52.287: debug: Check KSK status
+2010-03-08 23:18:52.287: debug: Check ZSK status
+2010-03-08 23:18:52.287: debug: Re-signing not necessary!
+2010-03-08 23:18:52.287: debug: Check if there is a parent file to copy
+2010-03-11 23:46:35.831: debug: Check RFC5011 status
+2010-03-11 23:46:35.831: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:46:35.831: debug: Check KSK status
+2010-03-11 23:46:35.831: debug: Check ZSK status
+2010-03-11 23:46:35.831: debug: Lifetime(29100 sec) of depreciated key 29240 exceeded (261285 sec)
+2010-03-11 23:46:35.831: info: "example.net.": old ZSK 29240 removed
+2010-03-11 23:46:35.832: debug: ->remove it
+2010-03-11 23:46:35.832: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:46:35.832: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:46:35.832: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:46:35.841: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:46:35.841: debug: Signing zone "example.net."
+2010-03-11 23:46:35.841: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:46:35.929: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:46:35.929: debug: Signing completed after 0s.
+2010-03-11 23:52:33.132: debug: Check RFC5011 status
+2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:52:33.133: debug: Check KSK status
+2010-03-11 23:52:33.133: debug: No active KSK found: generate new one
+2010-03-11 23:52:33.374: info: "example.net.": generated new KSK 8406
+2010-03-11 23:52:33.374: debug: Check ZSK status
+2010-03-11 23:52:33.374: debug: No active ZSK found: generate new one
+2010-03-11 23:52:33.400: info: "example.net.": generated new ZSK 36257
+2010-03-11 23:52:33.400: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:52:33.400: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:52:33.400: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:52:33.400: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:52:33.400: debug: Signing zone "example.net."
+2010-03-11 23:52:33.400: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 69AE05 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:52:33.408: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
+2010-03-11 23:52:33.408: error: "example.net.": signing failed!
+2010-03-11 23:53:27.856: debug: Check RFC5011 status
+2010-03-11 23:53:27.856: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:53:27.856: debug: Check KSK status
+2010-03-11 23:53:27.856: debug: Check ZSK status
+2010-03-11 23:53:27.856: debug: Re-signing necessary: Modified keys
+2010-03-11 23:53:27.856: notice: "example.net.": re-signing triggered: Modified keys
+2010-03-11 23:53:27.856: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:53:27.856: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:53:27.856: debug: Signing zone "example.net."
+2010-03-11 23:53:27.856: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 67AA7F -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:53:27.920: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:53:27.920: debug: Signing completed after 0s.
+++ /dev/null
-;-----------------------------------------------------------------
-;
-; @(#) example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-; Ensure that the serial number below is left
-; justified in a field of at least 10 chars!!
-; 0123456789;
-; It's also possible to use the date format e.g. 2005040101
-@ IN SOA ns1.example.net. hostmaster.example.net. (
- 350 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
- IN NS ns1.example.net.
- IN NS ns2.example.net.
-
-ns1 IN A 1.0.0.5
- IN AAAA 2001:db8::53
-ns2 IN A 1.2.0.6
-
-localhost IN A 127.0.0.1
-
-a IN A 1.2.3.1
-b IN MX 10 a
-;c IN A 1.2.3.2
-d IN A 1.2.3.3
- IN AAAA 2001:0db8::3
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.net file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub IN NS ns1.example.net.
-
-; this file will contain all the zone keys
-$INCLUDE dnskey.db
-
+++ /dev/null
-; File written on Thu Jul 30 17:13:57 2009
-; dnssec_signzone version 9.7.0a1
-example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
- 350 ; serial
- 43200 ; refresh (12 hours)
- 1800 ; retry (30 minutes)
- 1209600 ; expire (2 weeks)
- 7200 ; minimum (2 hours)
- )
- 7200 RRSIG SOA 5 2 7200 20090809141357 (
- 20090730141357 48089 example.net.
- ef9jaM2b3mfW7Kt8CfONPqtWve+OA7+sxDph
- ffNDdF4G2wd9hosI5S9Sz8BOIJGzcg2tsgaB
- gOjVmH4Ywf+oKg== )
- 7200 NS ns1.example.net.
- 7200 NS ns2.example.net.
- 7200 RRSIG NS 5 2 7200 20090809141357 (
- 20090730141357 48089 example.net.
- F05kFb45lMYUbgimn1ACKyIU61+oYOg3sMHU
- FxJd+qg9erf2//q7k4sFC9KPqpuLoLxeq7zl
- Mk6meHS+9wsneQ== )
- 7200 NSEC a.example.net. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 5 2 7200 20090809141357 (
- 20090730141357 48089 example.net.
- OGO1Xb1nWaMl1cgCatUx3MbFzS/3N78l2FWJ
- 9nj41937o+SaC///0hsrluM8NWCj1ROyZU3e
- olkU38g+o0fkPQ== )
- 14400 DNSKEY 256 3 5 (
- BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWk
- mp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFY
- m/hhC77xJoVwSeOtXdmKiQ==
- ) ; key id = 34925
- 14400 DNSKEY 256 3 5 (
- BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0
- nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJma
- dHRQZDfu79tEz8MUid7aOw==
- ) ; key id = 48089
- 14400 DNSKEY 256 3 5 (
- BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA
- 1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rc
- oAhDVW0hZ6DSDuV/0kouMQ==
- ) ; key id = 24545
- 14400 DNSKEY 257 3 5 (
- BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
- 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
- BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
- eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
- grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
- V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
- Il5cqhugaQ==
- ) ; key id = 33840
- 14400 DNSKEY 257 3 5 (
- BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
- Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
- Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
- SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO
- g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy
- A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
- JT9+p0yB/Q==
- ) ; key id = 7308
- 14400 RRSIG DNSKEY 5 2 14400 20090809141357 (
- 20090730141357 7308 example.net.
- CblyOQR4HbF8PQi+tJYtrbqGQzk6tHz2XUTN
- UVGYKgU/J/bs3VtuuAze57v0rCLf90wH2tGv
- PonbPBacTW0dULrtxDH0Y3bNeT6IiRNWtNi/
- r54PttqJO++MX9f1KkV2g5Y0R5rOuefVTqO8
- ww9SUO3GPc0W16tyFboziOhwN9XSlJsIAeNN
- B8jeltRi5KAxUZXpWHS0XqkpcREZOVPHVEEq
- YQ== )
- 14400 RRSIG DNSKEY 5 2 14400 20090809141357 (
- 20090730141357 48089 example.net.
- XbZb9oFt54WIQrIaTh8YyzJ+uzIah7bCO0yg
- XHUHAIbf1xu9sljmwlzBNLJFq5hPj+q1kvJc
- 62464sVZH+EfWg== )
-a.example.net. 7200 IN A 1.2.3.1
- 7200 RRSIG A 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- st9XUmF9rcxpT3yqZzHmRh1iCA7BHpzKVQPg
- 1iVLZatjDPcqeA2UDHBqbxE3RA6CGrHsONEs
- nzR8X0uN22BTIA== )
- 7200 NSEC b.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- qEtyoL6etYfuriLJuEo0R2gxeCLM7n05FE4s
- ig0NeorNk7ic89SY24owmYYJ/FbI532vhLHv
- 0n6P1jVIBVTNOg== )
-b.example.net. 7200 IN MX 10 a.example.net.
- 7200 RRSIG MX 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- oEeEMSxEXtlVpp1Rm5Z2Je6gAIggCRWUxthN
- S1aEOIwVYcxIDlwLqbXoUVpcSaPGMATdGZnH
- UGStzfIl/8troQ== )
- 7200 NSEC d.example.net. MX RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- fdtI/Qb/Smf6p0sD10Zx5oDgD0GsX0WUAMLQ
- sDy3SFatpYio68dSfEP1cnayp/px2eLvTfVm
- 5lDVj28RqfZ7Pw== )
-d.example.net. 7200 IN A 1.2.3.3
- 7200 RRSIG A 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- nTtV5w9QKqFLl164G4vTcAsMT5v09tpyvTVh
- Oe7MYeRnN2SBxHt1ScJdjQ5/bLYwLE0eeCYn
- 4OEF4w8WGhL67A== )
- 7200 AAAA 2001:db8::3
- 7200 RRSIG AAAA 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- d+E/L0pu10u6zO8ZwsES0OCxBJmSvFm1QUkd
- qgHxZXZi7pj2bOtZGOCxQwMHg0CvNQ9mVxL0
- J3JSNlXGbwHSgQ== )
- 7200 NSEC localhost.example.net. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- D8lZPkhs2FOYW9hyLryxKnx0NPzIDqOI4keb
- YhrJuCmLLRe4vyEbdNLmV76g6ZKG9oCkgh3a
- zgIUX0pOt281Bw== )
-localhost.example.net. 7200 IN A 127.0.0.1
- 7200 RRSIG A 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- jvmKKKCZ6sDIrQROwXMzPTEd9qgriYYRyMLw
- EkOuubrkDlJkWVs7rx4d4zmrtoU5qr0sNB3m
- kNSeEuoa+qR+eg== )
- 7200 NSEC ns1.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- oAMInMyMsQj9TZVQfJq6TmBONduujt6kcQpP
- 0qFe7WI4Cc4AH+hy1cGkeBCPS1+0WoG4rqBw
- 3OFb0GRqEXDc5w== )
-ns1.example.net. 7200 IN A 1.0.0.5
- 7200 RRSIG A 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- W5E+VE/68hF1gjsyZM6FU1Ynao1/78xNYnAr
- o4fwADHCCXw1/TDbMbp9LCzgNoUfKjWjJCn6
- 89OCX/es/0rTtA== )
- 7200 AAAA 2001:db8::53
- 7200 RRSIG AAAA 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- wUAOaDeX1NQh5pm8VfjXJ9QCE0HK5rdyXcyP
- Sreh+AjyA2UVksG6Rd8/8WWv2YPwD8LtOZfv
- OVzIQY+ltEOSvg== )
- 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- cu58jBfTX3IrVthmTxmvKuj76N7OtkuRWqkz
- wNqyKtLjTaW2hEvt6Wnd/F7Py/xiKS6aEFIK
- iovzZNBDetmiBg== )
-ns2.example.net. 7200 IN A 1.2.0.6
- 7200 RRSIG A 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- Qs5E1Bc10de+JJW26BhWzvDvxA4ssyB57QN2
- 3uk1jgoqi4f91/xvvoy45eQtOIflmNlKV1up
- ZESuqA8PJwq9hQ== )
- 7200 NSEC sub.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- DIqhTgeHJasScNvLEnUzqLectmRRQhKpFINK
- +NWEL/CM27SCiOLLYu5Mz2YHLVpz2VoV/V32
- YVpaLtAlA5Gc1g== )
-sub.example.net. 7200 IN NS ns1.example.net.
- 7200 NSEC example.net. NS RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090809141357 (
- 20090730141357 48089 example.net.
- qRqoIDBDuxWo403SI0B3ZPiAMSWV48HWUDi/
- bUPuGtKCaw43OuG4RgMBlItzxrmw5AMlcsGw
- +dpIoVdHzGqmdg== )
+++ /dev/null
-sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
-sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
+++ /dev/null
-dyn.example.net. IN DS 42138 3 1 0F49FCDB683D1903F69B6779DB55CA3472974879
-dyn.example.net. IN DS 42138 3 2 94AC94BFE3AFA17F7485F5F741274074FF2E26A360D776D8884F2689 CCED34C6
+++ /dev/null
-example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
-example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
-example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
-example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
+++ /dev/null
-sub.example.net. IN DS 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
-sub.example.net. IN DS 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
+++ /dev/null
-$ORIGIN .
-dyn.example.net 7200 IN DNSKEY 257 3 3 (
- CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V
- NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K
- S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s
- m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA
- EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI
- r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i
- 4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v
- RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb
- BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA
- olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u
- ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO
- 6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT
- dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5
- ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
- clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
- ) ; key id = 42138
+++ /dev/null
-$ORIGIN .
-example.net 7200 IN DNSKEY 257 3 5 (
- BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
- 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
- BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
- eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
- grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
- V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
- Il5cqhugaQ==
- ) ; key id = 33840
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
- Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
- Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
- SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO
- g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy
- A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
- JT9+p0yB/Q==
- ) ; key id = 7308
+++ /dev/null
-$ORIGIN .
-sub.example.net 7200 IN DNSKEY 257 3 7 (
- AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
- jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
- /5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
- H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
- ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
- ) ; key id = 48516
+++ /dev/null
-/*****************************************************************
-**
-** #(@) named.conf (c) 6. May 2004 (hoz)
-**
-*****************************************************************/
-
-/*****************************************************************
-** logging options
-*****************************************************************/
-logging {
- channel "named-log" {
- file "/var/log/named" versions 3 size 2m;
- print-time yes;
- print-category yes;
- print-severity yes;
- severity info;
- };
- channel "resolver-log" {
- file "/var/log/named";
- print-time yes;
- print-category yes;
- print-severity yes;
- severity debug 1;
- };
- channel "dnssec-log" {
-# file "/var/log/named-dnssec" ;
- file "/var/log/named" ;
- print-time yes;
- print-category yes;
- print-severity yes;
- severity debug 3;
- };
- category "dnssec" { "dnssec-log"; };
- category "default" { "named-log"; };
- category "resolver" { "resolver-log"; };
- category "client" { "resolver-log"; };
- category "queries" { "resolver-log"; };
-};
-
-/*****************************************************************
-** name server options
-*****************************************************************/
-options {
- directory ".";
-
- dump-file "/var/log/named_dump.db";
- statistics-file "/var/log/named.stats";
-
- listen-on-v6 { any; };
-
- query-source address * port 53;
- transfer-source * port 53;
- notify-source * port 53;
-
- recursion yes;
- dnssec-enable yes;
- edns-udp-size 4096;
-
-# dnssec-lookaside "." trust-anchor "trusted-keys.de.";
-
- querylog yes;
-
-};
-
-/*****************************************************************
-** include shared secrets...
-*****************************************************************/
-/** for control sessions ... **/
-controls {
- inet 127.0.0.1
- allow { localhost; };
- inet ::1
- allow { localhost; };
-};
-
-/*****************************************************************
-** ... and trusted_keys
-*****************************************************************/
-# include "trusted-keys.conf" ;
-
-/*****************************************************************
-** root server hints and required 127 stuff
-*****************************************************************/
-zone "." in {
- type hint;
- file "root.hint";
-};
-
-zone "localhost" in {
- type master;
- file "localhost.zone";
-};
-
-zone "0.0.127.in-addr.ARPA" in {
- type master;
- file "127.0.0.zone";
-};
-
-#include "zone.conf";
-
-zone "example.NET." in {
- type master;
- file "example.net/zone.db.signed";
-};
-
-zone "sub.example.NET." in {
- type master;
- file "sub.example.net/zone.db.signed";
-};
--- /dev/null
+;% generationtime=20100311224635
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 7 AwEAAZeWiMSfoNTQkZhKHK2+OXmKRSXgBjad7VBC9tZ40aIr5pPtDWCg 8iELYF4M6ybq0M1ffUO+GHZt89A624SkWps=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: l5aIxJ+g1NCRmEocrb45eYpFJeAGNp3tUEL21njRoivmk+0NYKDyIQtgXgzrJurQzV99Q74Ydm3z0DrbhKRamw==
+PublicExponent: AQAB
+PrivateExponent: ItWA0E4uUzkqe+hr9rED3B4eDboRM3PPGOaKenaBFdbONA8X6GbCTCAE6oF7DGSebfi6I9HTjLs24ZItD7bHwQ==
+Prime1: yLZLkD+0SqDwPDKXlK6qHMRKwGDcNw5MxELfv3ftyRM=
+Prime2: wVginHuVgdmvAxTX51WmK922+KTwk/w+Od+/W2N6IVk=
+Exponent1: XE5aGhDyHZA+a7DovVxGp8wuhKMHI9rTuz72H9xL4zk=
+Exponent2: XemKfknFGBp9WNjR+kru+RWrn2C2fpsiOohE8YYDN5k=
+Coefficient: ZmS8ZDDLz6CtwYEvGJgTsNTw/bj6JMaZ8cFh3x1Zd4Y=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: vwuuUkg4CTWLdI8+DIv9NW1dPbKQA6QZVcv+QgjmV7ewfxR31/n7c5usrUUQ+j1YHXM3AgIXhCN62OpQa1rgCQ==
-PublicExponent: AQAB
-PrivateExponent: LiSPHRaOWkMRhLyYOwWQyde5Xo6DVC3NZLiZl694mxS63YmbB5SYh9OILMunQCxRpxya94lqgt9DvSEGMvzlgQ==
-Prime1: 56furA32AKokZoRN8W/SC+l9MsENy1BFI4rodT3YNRE=
-Prime2: 0x89E2ZEeaPUp/Ox2qnRTXlB6h25P/SBxiGA31WBG3k=
-Exponent1: Km5UBSe5e32ulSh+rk5xBsWJrRY3VJorT8tNsMvXIkE=
-Exponent2: Caa/8AcY0ka/Df6B/vEMdHI6pS0+rsHKvPgDIDKUeGE=
-Coefficient: 1lvL+tM8iRj7MttO3zC4lQsO+8nPruMDBnYMzTVPGAI=
+++ /dev/null
-;% generationtime=20090624144422
-;% lifetime=3d
-sub.example.net. IN DNSKEY 256 3 7 AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5 +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
+++ /dev/null
-;% generationtime=20090630093509
-;% lifetime=3d
-sub.example.net. IN DNSKEY 256 3 7 AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: 24opa7iwrJyDng5gmdzj9PNvU4W/EbCECHilWmXTTcmvFP+lCMjD/MkUSdSDAIMOYZ982rvdJuTKSdPJdhF7aQ==
-PublicExponent: AQAB
-PrivateExponent: M7mksrWsIq8pr4axqe7KYr8sXqBneTJ+mURbqSXOmEfZrlUlW0GwbOoVcDwrStuknXF+34wo5Q3cMwk0DX95UQ==
-Prime1: +rQpJtsPO9HubmItf5eIz0quciGA5CnaMrhkB00JGEU=
-Prime2: 4C12MHLPRcYtMLNzbTOkqBWhRiBRy33Q/djerAxswtU=
-Exponent1: zyXjxtZEPRJWJ2D55S5JfbZgc69ZN62ZPEV9aUbu190=
-Exponent2: NMpf367Zopu1fpdzog6cQry9Oq9Xs6zQL0cHwMo4PnU=
-Coefficient: dT+ysdkCUq1RU+toH16kAW5F7eQ3dAMGsYIII+scCYo=
--- /dev/null
+;% generationtime=20100308221149
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 7 AwEAAcIDTNHrG9ssCz/VueiPUQaw4IAM5GvECljWsX+SfXSCkhHg5loq +FXNRa80EJCyh5b0sicbdVOhJ9DVNaRKYxU=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: wgNM0esb2ywLP9W56I9RBrDggAzka8QKWNaxf5J9dIKSEeDmWir4Vc1FrzQQkLKHlvSyJxt1U6En0NU1pEpjFQ==
+PublicExponent: AQAB
+PrivateExponent: fYBY/ynROTQCiuacfh3HUka00uCEGloUP2eSJm4CjYyQyy/he5haU0hcJw5JvxhI0pGj+eDEzaE+5oq1pKntOQ==
+Prime1: 4YRNB1cSh3F9+pQglY5/H4STx2pIADAO0mRFO2Lu+Mc=
+Prime2: 3DzZhCWENMYZvx9ovZTtIUIUpXEPtN4p7FqYC0OFgUM=
+Exponent1: Dk7UjEir9kfvFDzdrF90FU3WCmrl0o06A4M1GUV3n/U=
+Exponent2: ppnBUZ2vrNxOja2M5hzKZOZACAbHAuMsg4bkjWC+lVE=
+Coefficient: LA7G4rCRiDP8P+Cg+JQUKBUgZ8F+dpGA3E/aVOYhaWw=
--- /dev/null
+;% generationtime=20100124184339
+;% lifetime=7d
+sub.example.net. IN DNSKEY 257 3 7 AwEAAfTQL8DTr3eYpPziT+cnKnzMewbEBtRxfkb697qoRK4pKkGYGVWu jIEyjts/aluYd+Nw85rvRFPNVJwmM63jvJapql1pKfyFPSl4YVJMxaCv OMhd1JATDnrTq70evQQmOHyxVKe8k9zk0GKeRgX8sl228AvdiGOfxWmT BoOxYowx
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: 9NAvwNOvd5ik/OJP5ycqfMx7BsQG1HF+Rvr3uqhErikqQZgZVa6MgTKO2z9qW5h343Dzmu9EU81UnCYzreO8lqmqXWkp/IU9KXhhUkzFoK84yF3UkBMOetOrvR69BCY4fLFUp7yT3OTQYp5GBfyyXbbwC92IY5/FaZMGg7FijDE=
+PublicExponent: AQAB
+PrivateExponent: nn1ZLQDejBKqXX02NXPJsdm/m/W0ZjzDf7hiQNlG/WlxDd4mKK5EEDBnA9HeTUY792bcjuVv2sEHkb+5nU3efHdZypvY8wsvKKNUtxWJl9O5ip7GXh4/7YQeNKW/zgE1Xz+Yu6ht3e8XuxaIXHuQ5mBC0E5AUUYPhVBCTR08CkE=
+Prime1: /MeAn2UCjXS8VIoi5Zp90w2qB6ub0wqeLCI0zpXCxWlLTrDSpFORdGuPEctE5cNlDX7y9gq6a5vxnN/b+DnNdQ==
+Prime2: 9+6zb1zEpyJzcscrSVVjacjNbyI9OwfrA7XjU5PppCyFLRvP3+L/pjqgDhyoZmCo3VMqnOjxpIeffvmDsUjATQ==
+Exponent1: ddE+4AwifnAUf4rK7R1u2/oYb+7KeDkQtB1VY5xl5cFH+mtsIm9Y8lxXmMGXYUgLR5kOASPK8/EBUk78pdu7KQ==
+Exponent2: OIT16sEfI2q7HsNAnusUSp04F8maY8aeUK46MGdbr81mXq4kaUl6Ng7PRehKi2wlkq7O3A5OZ89zEKMY3mVTUQ==
+Coefficient: ZO4OrBf5SCcbAccN63xHAlm/Pelu4wWw3yo/BaWPYE3Sf+FJt0O3TJQsmm5B+KbrruLsX6lWWHf4ZerizKFhKQ==
+++ /dev/null
-;% generationtime=20090624144206
-;% lifetime=7d
-sub.example.net. IN DNSKEY 257 3 7 AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5 UPSENnx3
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: xUmAx/vXLQzYp+uGIAogeSFLwyWCYpuORoFjnrNlEBAzAcnIw4NlwiAFC8+TEbD/Viv/m/dls7BUKPvN5h+9761GxdcERhO+js84sT0fSIx/r2+rtDGHzb+r4ukEfXzXyIOEGfqrR/vDDgWWjsHe7nMl/oUe6Xwk/HlQ9IQ2fHc=
-PublicExponent: AQAB
-PrivateExponent: pXM0BgLE/KnmVESnsdzsSMlMkTa2tt1/ns9J7UDDQ4piTGCd9qEOSJOzx6jnzJFkQS8a6QC8EMqSeeBaV2BNVucg336ie2jH+VVwBsrRzFdTTEr5Wouw62PWiW/FV285oxootXoGHeCTmVbwVBKfYrX6Wputp/sUc1haLL54COk=
-Prime1: 5zo/AB88LX6pEk65CGtBjkB6Jx0RcR2Ekq0Q/GU8HkAsZxPhwnJAbp3pZs65g/Od4vh/lz/Uv/FTLX8efOTMKw==
-Prime2: 2mxkQwk63bu3aeoAR1T1uwf7V9rty0QLZlyeVSGasfB+dv9Dihh9f7IXBX88VsMUIp7DPINm87sMi+jEJOSO5Q==
-Exponent1: vUjIJABt0cxa+VqqTAMJQjr0BCreiVuhmDTGr+brhNQBxUvYRsYiiqsIUxmtciAuwousXxNoxMv3zEnAmnrtyw==
-Exponent2: NhajWWpetmv2xnaY7REf7NnUJvRi8HQAMq/60XAJ48h/OK6LphXcdhO+2bChW4bhZJVWGZUcmHyYZckVUWF79Q==
-Coefficient: tA/0qGPPL9RkgGhV4Bz/cBi6vOTTan0zpOPE+R/jabmSIrF9k9igghZvhHPG9bnMi5mY8cekzUm6bbOejZjy3g==
+++ /dev/null
-sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
-sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
+++ /dev/null
-;
-; !!! Don't edit this file by hand.
-; !!! It will be generated by dnssec-signer.
-;
-; Last generation time Jun 30 2009 13:02:21
-;
-
-; *** List of Key Signing Keys ***
-; sub.example.net. tag=48516 algo=NSEC3RSASHA1 generated Jun 24 2009 16:42:06
-sub.example.net. 3600 IN DNSKEY 257 3 7 (
- AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD
- ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM
- f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5
- UPSENnx3
- ) ; key id = 48516
-
-; *** List of Zone Signing Keys ***
-; sub.example.net. tag=32345 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04
-sub.example.net. 3600 IN DNSKEY 256 3 7 (
- AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI
- w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
- ) ; key id = 32345
-
-; sub.example.net. tag=14600 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04
-sub.example.net. 3600 IN DNSKEY 256 3 7 (
- AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5
- +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
- ) ; key id = 14600
-
+++ /dev/null
-
-resigninterval 1d
-sigvalidity 2d
-max_ttl 90s
-
-Serialformat: unixtime
-ksk_lifetime 1w
-ksk_algo N3RSASHA1
-ksk_bits 1024
-
-zsk_lifetime 3d
-zsk_algo N3RSASHA1
-zsk_bits 512
-
-dlv_domain "dlv.trusted-keys.de"
+++ /dev/null
-sub.example.net. IN DS 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
-sub.example.net. IN DS 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
+++ /dev/null
-$ORIGIN .
-sub.example.net 7200 IN DNSKEY 257 3 7 (
- AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
- 3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
- dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
- pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
- VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
- ) ; key id = 18846
+++ /dev/null
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
\ No newline at end of file
+++ /dev/null
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
\ No newline at end of file
--- /dev/null
+2010-02-06 00:26:54.532: debug: Check RFC5011 status
+2010-02-06 00:26:54.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:26:54.533: debug: Check KSK status
+2010-02-06 00:26:54.533: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h43m15s
+2010-02-06 00:26:54.533: debug: Check ZSK status
+2010-02-06 00:26:54.533: debug: Re-signing not necessary!
+2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy
+2010-02-06 00:29:31.290: debug: Check RFC5011 status
+2010-02-06 00:29:31.290: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:29:31.290: debug: Check KSK status
+2010-02-06 00:29:31.290: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h45m52s
+2010-02-06 00:29:31.290: debug: Check ZSK status
+2010-02-06 00:29:31.290: debug: Re-signing not necessary!
+2010-02-06 00:29:31.290: debug: Check if there is a parent file to copy
+2010-02-06 00:40:35.043: debug: Check RFC5011 status
+2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:40:35.043: debug: Check KSK status
+2010-02-06 00:40:35.043: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h56m56s
+2010-02-06 00:40:35.043: debug: Check ZSK status
+2010-02-06 00:40:35.043: debug: Re-signing not necessary!
+2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy
+2010-02-06 00:52:55.402: debug: Check RFC5011 status
+2010-02-06 00:52:55.402: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:52:55.402: debug: Check KSK status
+2010-02-06 00:52:55.403: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d5h9m16s
+2010-02-06 00:52:55.403: debug: Check ZSK status
+2010-02-06 00:52:55.403: debug: Re-signing not necessary!
+2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy
+2010-02-07 13:53:47.883: debug: Check RFC5011 status
+2010-02-07 13:53:47.883: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:53:47.883: debug: Check KSK status
+2010-02-07 13:53:47.883: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m8s
+2010-02-07 13:53:47.883: debug: Check ZSK status
+2010-02-07 13:53:47.883: debug: Re-signing necessary: re-signing interval (1d) reached
+2010-02-07 13:53:47.884: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached
+2010-02-07 13:53:47.884: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 13:53:47.884: debug: Signing zone "sub.example.net."
+2010-02-07 13:53:47.884: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 880820 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-07 13:53:48.303: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:53:48.304: debug: Signing completed after 1s.
+2010-02-07 13:54:03.465: debug: Check RFC5011 status
+2010-02-07 13:54:03.465: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:03.465: debug: Check KSK status
+2010-02-07 13:54:03.466: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m24s
+2010-02-07 13:54:03.466: debug: Check ZSK status
+2010-02-07 13:54:03.466: debug: Re-signing not necessary!
+2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy
+2010-02-07 13:54:07.955: debug: Check RFC5011 status
+2010-02-07 13:54:07.955: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:07.955: debug: Check KSK status
+2010-02-07 13:54:07.955: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m28s
+2010-02-07 13:54:07.955: debug: Check ZSK status
+2010-02-07 13:54:07.956: debug: Re-signing necessary: Option -f
+2010-02-07 13:54:07.956: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-07 13:54:07.956: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 13:54:07.956: debug: Signing zone "sub.example.net."
+2010-02-07 13:54:07.956: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 325964 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-07 13:54:08.003: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:54:08.003: debug: Signing completed after 1s.
+2010-02-07 13:54:08.003: notice: "sub.example.net.": distribution triggered
+2010-02-07 13:54:08.003: debug: Distribute zone "sub.example.net."
+2010-02-07 13:54:08.003: debug: Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 13:54:08.013: debug: ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./"
+2010-02-07 13:54:08.013: notice: "sub.example.net.": reload triggered
+2010-02-07 13:54:08.013: debug: Reload zone "sub.example.net."
+2010-02-07 13:54:08.013: debug: Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 13:54:08.019: debug: ./dist.sh reload return: "rndc reload sub.example.net. "
+2010-02-07 14:06:27.669: debug: Check RFC5011 status
+2010-02-07 14:06:27.669: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:27.669: debug: Check KSK status
+2010-02-07 14:06:27.669: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m48s
+2010-02-07 14:06:27.669: debug: Check ZSK status
+2010-02-07 14:06:27.669: debug: Re-signing not necessary!
+2010-02-07 14:06:27.670: debug: Check if there is a parent file to copy
+2010-02-07 14:06:33.713: debug: Check RFC5011 status
+2010-02-07 14:06:33.713: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:33.713: debug: Check KSK status
+2010-02-07 14:06:33.713: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m54s
+2010-02-07 14:06:33.713: debug: Check ZSK status
+2010-02-07 14:06:33.714: debug: Re-signing necessary: Option -f
+2010-02-07 14:06:33.714: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-07 14:06:33.714: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 14:06:33.714: debug: Signing zone "sub.example.net."
+2010-02-07 14:06:33.714: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 4A3DFB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-07 14:06:33.745: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 14:06:33.745: debug: Signing completed after 0s.
+2010-02-07 14:06:33.745: notice: "sub.example.net.": distribution triggered
+2010-02-07 14:06:33.745: debug: Distribute zone "sub.example.net."
+2010-02-07 14:06:33.745: debug: Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 14:06:33.749: debug: ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./"
+2010-02-07 14:06:33.749: notice: "sub.example.net.": reload triggered
+2010-02-07 14:06:33.749: debug: Reload zone "sub.example.net."
+2010-02-07 14:06:33.749: debug: Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 14:06:33.753: debug: ./dist.sh reload return: "rndc reload sub.example.net. "
+2010-02-21 12:50:43.176: debug: Check RFC5011 status
+2010-02-21 12:50:43.176: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:43.176: debug: Check KSK status
+2010-02-21 12:50:43.176: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m4s
+2010-02-21 12:50:43.176: debug: Check ZSK status
+2010-02-21 12:50:43.176: debug: Lifetime(259200 +/-150 sec) of active key 7505 exceeded (1345179 sec)
+2010-02-21 12:50:43.176: debug: ->depreciate it
+2010-02-21 12:50:43.176: debug: ->activate published key 57167
+2010-02-21 12:50:43.176: notice: "sub.example.net.": lifetime of zone signing key 7505 exceeded: ZSK rollover done
+2010-02-21 12:50:43.176: debug: New key for publishing needed
+2010-02-21 12:50:43.445: debug: ->creating new key 49712
+2010-02-21 12:50:43.445: info: "sub.example.net.": new key 49712 generated for publishing
+2010-02-21 12:50:43.445: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:43.445: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:43.445: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 12:50:43.445: debug: Signing zone "sub.example.net."
+2010-02-21 12:50:43.445: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 2E31B5 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 12:50:43.580: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:43.580: debug: Signing completed after 0s.
+2010-02-21 12:50:51.158: debug: Check RFC5011 status
+2010-02-21 12:50:51.158: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:51.158: debug: Check KSK status
+2010-02-21 12:50:51.159: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m12s
+2010-02-21 12:50:51.159: debug: Check ZSK status
+2010-02-21 12:50:51.159: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:51.159: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:51.159: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 12:50:51.159: debug: Signing zone "sub.example.net."
+2010-02-21 12:50:51.159: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 41F65A -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 12:50:51.205: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:51.205: debug: Signing completed after 0s.
+2010-02-21 12:51:23.497: debug: Check RFC5011 status
+2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:51:23.497: debug: Check KSK status
+2010-02-21 12:51:23.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m44s
+2010-02-21 12:51:23.497: debug: Check ZSK status
+2010-02-21 12:51:23.497: debug: Re-signing not necessary!
+2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy
+2010-02-21 19:16:18.384: debug: Check RFC5011 status
+2010-02-21 19:16:18.384: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:16:18.384: debug: Check KSK status
+2010-02-21 19:16:18.385: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h32m39s
+2010-02-21 19:16:18.385: debug: Check ZSK status
+2010-02-21 19:16:18.385: debug: Lifetime(390 sec) of depreciated key 7505 exceeded (23135 sec)
+2010-02-21 19:16:18.385: info: "sub.example.net.": old ZSK 7505 removed
+2010-02-21 19:16:18.401: debug: ->remove it
+2010-02-21 19:16:18.401: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 19:16:18.401: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 19:16:18.401: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:16:18.401: debug: Signing zone "sub.example.net."
+2010-02-21 19:16:18.401: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 3DADF2 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:16:18.593: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:16:18.593: debug: Signing completed after 0s.
+2010-02-21 19:32:11.378: debug: Check RFC5011 status
+2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:11.378: debug: Check KSK status
+2010-02-21 19:32:11.378: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m32s
+2010-02-21 19:32:11.378: debug: Check ZSK status
+2010-02-21 19:32:11.378: debug: Re-signing not necessary!
+2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy
+2010-02-21 19:32:15.930: debug: Check RFC5011 status
+2010-02-21 19:32:15.930: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:15.930: debug: Check KSK status
+2010-02-21 19:32:15.930: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m36s
+2010-02-21 19:32:15.930: debug: Check ZSK status
+2010-02-21 19:32:15.930: debug: Re-signing necessary: Option -f
+2010-02-21 19:32:15.930: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:15.930: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:32:15.931: debug: Signing zone "sub.example.net."
+2010-02-21 19:32:15.931: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 623FD7 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:32:15.982: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:15.982: debug: Signing completed after 0s.
+2010-02-21 19:32:32.203: debug: Check RFC5011 status
+2010-02-21 19:32:32.203: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:32.203: debug: Check KSK status
+2010-02-21 19:32:32.203: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m53s
+2010-02-21 19:32:32.203: debug: Check ZSK status
+2010-02-21 19:32:32.203: debug: Re-signing necessary: Option -f
+2010-02-21 19:32:32.203: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:32.203: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:32:32.203: debug: Signing zone "sub.example.net."
+2010-02-21 19:32:32.203: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 C522CA -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:32:32.232: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:32.232: debug: Signing completed after 0s.
+2010-02-25 00:12:26.443: debug: Check RFC5011 status
+2010-02-25 00:12:26.443: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 00:12:26.443: debug: Check KSK status
+2010-02-25 00:12:26.443: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w3d4h28m47s
+2010-02-25 00:12:26.443: debug: Check ZSK status
+2010-02-25 00:12:26.443: debug: Lifetime(259200 +/-150 sec) of active key 57167 exceeded (300103 sec)
+2010-02-25 00:12:26.443: debug: ->depreciate it
+2010-02-25 00:12:26.444: debug: ->activate published key 49712
+2010-02-25 00:12:26.444: notice: "sub.example.net.": lifetime of zone signing key 57167 exceeded: ZSK rollover done
+2010-02-25 00:12:26.444: debug: New key for publishing needed
+2010-02-25 00:12:26.902: debug: ->creating new key 65009
+2010-02-25 00:12:26.902: info: "sub.example.net.": new key 65009 generated for publishing
+2010-02-25 00:12:26.902: debug: Re-signing necessary: Modfied zone key set
+2010-02-25 00:12:26.902: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 00:12:26.902: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-25 00:12:26.902: debug: Signing zone "sub.example.net."
+2010-02-25 00:12:26.902: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9AA7CB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-25 00:12:27.016: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 00:12:27.016: debug: Signing completed after 1s.
+2010-02-25 23:42:20.653: debug: Check RFC5011 status
+2010-02-25 23:42:20.653: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:20.653: debug: Check KSK status
+2010-02-25 23:42:20.653: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w4d3h58m41s
+2010-02-25 23:42:20.653: debug: Check ZSK status
+2010-02-25 23:42:20.653: debug: Lifetime(390 sec) of depreciated key 57167 exceeded (84594 sec)
+2010-02-25 23:42:20.653: info: "sub.example.net.": old ZSK 57167 removed
+2010-02-25 23:42:20.661: debug: ->remove it
+2010-02-25 23:42:20.661: debug: Re-signing necessary: Modfied zone key set
+2010-02-25 23:42:20.661: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:20.661: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-25 23:42:20.662: debug: Signing zone "sub.example.net."
+2010-02-25 23:42:20.662: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 2942EB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-25 23:42:21.012: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 23:42:21.012: debug: Signing completed after 1s.
+2010-03-02 10:59:11.845: debug: Check RFC5011 status
+2010-03-02 10:59:11.845: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:11.845: debug: Check KSK status
+2010-03-02 10:59:11.846: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w1d15h15m32s
+2010-03-02 10:59:11.846: debug: Check ZSK status
+2010-03-02 10:59:11.846: debug: Lifetime(259200 +/-150 sec) of active key 49712 exceeded (470805 sec)
+2010-03-02 10:59:11.846: debug: ->depreciate it
+2010-03-02 10:59:11.846: debug: ->activate published key 65009
+2010-03-02 10:59:11.846: notice: "sub.example.net.": lifetime of zone signing key 49712 exceeded: ZSK rollover done
+2010-03-02 10:59:11.846: debug: New key for publishing needed
+2010-03-02 10:59:12.256: debug: ->creating new key 27377
+2010-03-02 10:59:12.256: info: "sub.example.net.": new key 27377 generated for publishing
+2010-03-02 10:59:12.256: debug: Re-signing necessary: Modfied zone key set
+2010-03-02 10:59:12.256: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-02 10:59:12.256: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-02 10:59:12.256: debug: Signing zone "sub.example.net."
+2010-03-02 10:59:12.256: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 F9A34F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-02 10:59:12.415: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-02 10:59:12.416: debug: Signing completed after 0s.
+2010-03-03 23:22:00.127: debug: Check RFC5011 status
+2010-03-03 23:22:00.127: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-03 23:22:00.127: debug: Check KSK status
+2010-03-03 23:22:00.127: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w3d3h38m21s
+2010-03-03 23:22:00.127: debug: Check ZSK status
+2010-03-03 23:22:00.127: debug: Lifetime(390 sec) of depreciated key 49712 exceeded (130969 sec)
+2010-03-03 23:22:00.127: info: "sub.example.net.": old ZSK 49712 removed
+2010-03-03 23:22:00.127: debug: ->remove it
+2010-03-03 23:22:00.127: debug: Re-signing necessary: Modfied zone key set
+2010-03-03 23:22:00.127: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-03 23:22:00.127: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-03 23:22:00.127: debug: Signing zone "sub.example.net."
+2010-03-03 23:22:00.127: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 A3B721 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-03 23:22:00.394: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-03 23:22:00.394: debug: Signing completed after 0s.
+2010-03-08 23:11:49.663: debug: Check RFC5011 status
+2010-03-08 23:11:49.663: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:11:49.663: debug: Check KSK status
+2010-03-08 23:11:49.663: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h28m10s
+2010-03-08 23:11:49.664: debug: Check ZSK status
+2010-03-08 23:11:49.664: debug: Lifetime(259200 +/-150 sec) of active key 65009 exceeded (562358 sec)
+2010-03-08 23:11:49.664: debug: ->depreciate it
+2010-03-08 23:11:49.664: debug: ->activate published key 27377
+2010-03-08 23:11:49.664: notice: "sub.example.net.": lifetime of zone signing key 65009 exceeded: ZSK rollover done
+2010-03-08 23:11:49.664: debug: New key for publishing needed
+2010-03-08 23:11:50.060: debug: ->creating new key 41747
+2010-03-08 23:11:50.060: info: "sub.example.net.": new key 41747 generated for publishing
+2010-03-08 23:11:50.060: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:11:50.061: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:11:50.061: debug: Writing key file "././sub.example.net/dnskey.db"
+2010-03-08 23:11:50.061: debug: Signing zone "sub.example.net."
+2010-03-08 23:11:50.061: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 71C04F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-08 23:11:50.169: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:11:50.169: debug: Signing completed after 0s.
+2010-03-08 23:18:52.243: debug: Check RFC5011 status
+2010-03-08 23:18:52.243: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:18:52.243: debug: Check KSK status
+2010-03-08 23:18:52.243: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h35m13s
+2010-03-08 23:18:52.243: debug: Check ZSK status
+2010-03-08 23:18:52.243: debug: Lifetime(390 sec) of depreciated key 65009 exceeded (423 sec)
+2010-03-08 23:18:52.243: info: "sub.example.net.": old ZSK 65009 removed
+2010-03-08 23:18:52.243: debug: ->remove it
+2010-03-08 23:18:52.243: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:18:52.243: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:18:52.243: debug: Writing key file "././sub.example.net/dnskey.db"
+2010-03-08 23:18:52.243: debug: Signing zone "sub.example.net."
+2010-03-08 23:18:52.243: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 CF729B -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-08 23:18:52.287: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:18:52.287: debug: Signing completed after 0s.
+2010-03-11 23:46:35.497: debug: Check RFC5011 status
+2010-03-11 23:46:35.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:46:35.497: debug: Check KSK status
+2010-03-11 23:46:35.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h2m56s
+2010-03-11 23:46:35.498: debug: Check ZSK status
+2010-03-11 23:46:35.498: debug: Lifetime(259200 +/-150 sec) of active key 27377 exceeded (261286 sec)
+2010-03-11 23:46:35.498: debug: ->depreciate it
+2010-03-11 23:46:35.498: debug: ->activate published key 41747
+2010-03-11 23:46:35.498: notice: "sub.example.net.": lifetime of zone signing key 27377 exceeded: ZSK rollover done
+2010-03-11 23:46:35.498: debug: New key for publishing needed
+2010-03-11 23:46:35.768: debug: ->creating new key 2048
+2010-03-11 23:46:35.768: info: "sub.example.net.": new key 2048 generated for publishing
+2010-03-11 23:46:35.768: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:46:35.768: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:46:35.768: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-11 23:46:35.768: debug: Signing zone "sub.example.net."
+2010-03-11 23:46:35.768: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B86C9F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-11 23:46:35.814: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:46:35.814: debug: Signing completed after 0s.
+2010-03-11 23:52:33.132: debug: Check RFC5011 status
+2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:52:33.132: debug: Check KSK status
+2010-03-11 23:52:33.132: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h8m54s
+2010-03-11 23:52:33.132: debug: Check ZSK status
+2010-03-11 23:52:33.132: debug: Re-signing not necessary!
+2010-03-11 23:52:33.132: debug: Check if there is a parent file to copy
+2010-03-11 23:53:27.804: debug: Check RFC5011 status
+2010-03-11 23:53:27.804: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:53:27.804: debug: Check KSK status
+2010-03-11 23:53:27.804: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h9m48s
+2010-03-11 23:53:27.804: debug: Check ZSK status
+2010-03-11 23:53:27.804: debug: Lifetime(390 sec) of depreciated key 27377 exceeded (412 sec)
+2010-03-11 23:53:27.804: info: "sub.example.net.": old ZSK 27377 removed
+2010-03-11 23:53:27.804: debug: ->remove it
+2010-03-11 23:53:27.804: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:53:27.804: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:53:27.804: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-11 23:53:27.804: debug: Signing zone "sub.example.net."
+2010-03-11 23:53:27.805: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 67AA7F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-11 23:53:27.856: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:53:27.856: debug: Signing completed after 0s.
+++ /dev/null
-;-----------------------------------------------------------------
-;
-; @(#) sub.example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ IN SOA ns1.example.net. hostmaster.example.net. (
- 2 ; Serial
- 86400 ; Refresh (RIPE recommendation if NOTIFY is used)
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
-
- IN NS ns1.example.net.
-
-$INCLUDE dnskey.db
-
-localhost IN A 127.0.0.1
-
-a IN A 1.2.3.4
-b IN A 1.2.3.5
-c IN A 1.2.3.6
+++ /dev/null
-; File written on Tue Jun 30 13:02:21 2009
-; dnssec_signzone version 9.7.0a1
-sub.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
- 1246359741 ; serial
- 86400 ; refresh (1 day)
- 1800 ; retry (30 minutes)
- 1209600 ; expire (2 weeks)
- 7200 ; minimum (2 hours)
- )
- 7200 RRSIG SOA 7 3 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- xaNZK008xUwN1mWIUMpMNljZ7mOsYyzQ89ug
- Ephuttdlqm5KdMAlopa9Qfgw+83YQzyonAKj
- beUBuNmOKBwgQw== )
- 7200 NS ns1.example.net.
- 7200 RRSIG NS 7 3 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- xVsGH4dLDwHBhRo/R+BlQMgdXW5Y80xVEiYY
- jrPH3A1j8i+PotbNA0F7eKA/0fKFmj4biCAK
- LPErXQ8ObaggQA== )
- 3600 DNSKEY 256 3 7 (
- AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOk
- GVXL/kII5le3sH8Ud9f5+3ObrK1FEPo9WB1z
- NwICF4QjetjqUGta4Ak=
- ) ; key id = 14600
- 3600 DNSKEY 256 3 7 (
- AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGw
- hAh4pVpl003JrxT/pQjIw/zJFEnUgwCDDmGf
- fNq73SbkyknTyXYRe2k=
- ) ; key id = 32345
- 3600 DNSKEY 257 3 7 (
- AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
- jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
- /5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
- H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
- ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
- ) ; key id = 48516
- 3600 RRSIG DNSKEY 7 3 3600 20090702100221 (
- 20090630100221 32345 sub.example.net.
- 2P0CEAUnKV6Pa3Ryl1naH9Ve/va1k7oKyJyB
- dinSyD/UVnGV7+iipUgDOcOAbNCYBCUVfKE9
- GcBg3KQvJl0+AQ== )
- 3600 RRSIG DNSKEY 7 3 3600 20090702100221 (
- 20090630100221 48516 sub.example.net.
- PB5I2/PuswNIxwDykcQEc/4+aUx/dJg9YfXx
- f1gZL5ayZK01dVYsoZ8USV9IEX27NqFwjQO/
- iTgB3eAEeBf4283XZ3VeXQRJ4iaMbL42TVid
- qlKHQgniTPJAoytNRFVDvU3196YJECb8Z7L5
- F6avz0sLu3gtDu/nwyyK/5Hf3kM= )
- 0 NSEC3PARAM 1 0 100 86F43F
- 0 RRSIG NSEC3PARAM 7 3 0 20090702100221 (
- 20090630100221 32345 sub.example.net.
- e6ABPEvRsRxDn/6VaDlZWctckrXmO3KhmTF0
- gtn7V+kR5J07XF+iS7jnfpEDUJWSRhJDTtVV
- 3uTWjwSs7kyfDQ== )
-a.sub.example.net. 7200 IN A 1.2.3.4
- 7200 RRSIG A 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- GEvo0V/h1H5LQz1hAd6FtgN1cX/FR1ADLDjD
- LEcrzGVBqPCB7OjyXVsHqjq3uGmFI7uZn+K/
- hXTkHJif/0w78g== )
-b.sub.example.net. 7200 IN A 1.2.3.5
- 7200 RRSIG A 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- OVvrujb8/jziQqf37zHnTOQCz2e5RAVCpdt4
- rqd8U/Jzf36tKkPD1qSIJ8zJaAY3LfOLNYDU
- T10UWy4dnxfoNQ== )
-c.sub.example.net. 7200 IN A 1.2.3.6
- 7200 RRSIG A 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- b8A0VTnFi194xkeSKpK6iHcgDvuKGSFzZHSd
- qPmMwJzflTmsLTxgXEZ9KY4BDbccSTaJVEwr
- JJ+/QuqBHFyISQ== )
-localhost.sub.example.net. 7200 IN A 127.0.0.1
- 7200 RRSIG A 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- HtRrjUhpveofocEBNMEc++mYg9oYfZgnANA5
- TyuS20tcCw/rAhGh3E3vMyhBBq4Ps1QT74+f
- S06Z9C5YaKI7ig== )
-7EJ08VDH70TNH3I9SD4MDBVA4S00PALI.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG A RRSIG
- 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- L1QIfw4hfGk4jSWBeWWGviTAt/2i1wRXE2Qe
- yspyHNhG38jzGKXR5WH7FLdBzbqMHUHv9i+k
- /t2mOvXB11pLqQ== )
-AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F D0RE91KNGIR4STOQOPTK16C5C63NN2S0 NS SOA RRSIG DNSKEY NSEC3PARAM
- 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- I7JJTzzkJF3lB/A68KCuihWUMUY9PCW39PEa
- axi5WDld4ceWVoGx18mPePrlmvjwepo9UGqc
- ivGHaozr64hBjg== )
-D0RE91KNGIR4STOQOPTK16C5C63NN2S0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F K46BIT3RVSBTLC8I8H312CFSNECEJ3S4 A RRSIG
- 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- Q1g/fnqJl9tq35CoDFccQ7Ba7BcSzcsY35J5
- h5DgaHkaAmj6QOX1pdfIuVhw0Ow9aBB4XrZo
- wHjm0Ab+ez7COg== )
-K46BIT3RVSBTLC8I8H312CFSNECEJ3S4.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0 A RRSIG
- 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- AIfEvkwdU9GE5bBp8OBc0xJtjfF7NAVMkquB
- 2UQzZgZP+63/nq2+uml+79Gwlc7KBjLjLfRr
- eARbsKjcsRJF7A== )
-L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F 7EJ08VDH70TNH3I9SD4MDBVA4S00PALI A RRSIG
- 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
- 20090630100221 32345 sub.example.net.
- IVMkxbD3eWr39sqXSJ6ARCyiMjeFB6xs+Bxc
- BRKJ6TCRBRHDlp1Rf7AM+jQgKMAe3Tm+OqVn
- zBrGA0FxGvo4Pg== )
+++ /dev/null
-2008-12-18 01:02:56.187: notice: ------------------------------------------------------------
-2008-12-18 01:02:56.187: notice: running ../../dnssec-signer -v -v
-2008-12-18 01:02:56.589: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2008-12-18 01:02:56.589: debug: Check RFC5011 status
-2008-12-18 01:02:56.589: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-18 01:02:56.589: debug: Check KSK status
-2008-12-18 01:02:56.589: debug: Check ZSK status
-2008-12-18 01:02:56.590: debug: Lifetime(390 sec) of depreciated key 45361 exceeded (124287 sec)
-2008-12-18 01:02:56.590: info: "sub.example.net.": old ZSK 45361 removed
-2008-12-18 01:02:56.604: debug: ->remove it
-2008-12-18 01:02:56.604: debug: Re-signing necessary: Modfied zone key set
-2008-12-18 01:02:56.604: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2008-12-18 01:02:56.604: debug: Writing key file "./sub.example.net/dnskey.db"
-2008-12-18 01:02:56.605: debug: Signing zone "sub.example.net."
-2008-12-18 01:02:56.605: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -3 BE70E4 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2008-12-18 01:02:56.970: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-18 01:02:56.971: debug: Signing completed after 0s.
-2008-12-18 01:02:56.971: debug:
-2008-12-18 01:02:56.971: debug: parsing zone "example.net." in dir "./example.net"
-2008-12-18 01:02:56.971: debug: Check RFC5011 status
-2008-12-18 01:02:56.971: debug: Check ZSK status
-2008-12-18 01:02:56.971: debug: Re-signing necessary: Zone file edited
-2008-12-18 01:02:56.971: notice: "example.net.": re-signing triggered: Zone file edited
-2008-12-18 01:02:56.972: debug: Writing key file "./example.net/dnskey.db"
-2008-12-18 01:02:56.972: debug: Incrementing serial number in file "./example.net/zone.db"
-2008-12-18 01:02:56.973: debug: Signing zone "example.net."
-2008-12-18 01:02:56.973: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2008-12-18 01:02:57.106: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-18 01:02:57.106: debug: Signing completed after 1s.
-2008-12-18 01:02:57.106: debug:
-2008-12-18 01:02:57.106: notice: end of run: 0 errors occured
-2008-12-18 01:03:01.191: notice: ------------------------------------------------------------
-2008-12-18 01:03:01.192: notice: running ../../dnssec-signer -d -v -v
-2008-12-18 01:03:01.194: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
-2008-12-18 01:03:01.194: debug: Check RFC5011 status
-2008-12-18 01:03:01.194: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-18 01:03:01.194: debug: Check KSK status
-2008-12-18 01:03:01.194: warning: "dyn.example.net.": lifetime of key signing key 42138 exceeded since 10w4d3h1m4s
-2008-12-18 01:03:01.194: debug: Check ZSK status
-2008-12-18 01:03:01.195: debug: Lifetime(1209600 +/-150 sec) of active key 1355 exceeded (11588464 sec)
-2008-12-18 01:03:01.195: debug: ->depreciate it
-2008-12-18 01:03:01.195: debug: ->activate published key 10643
-2008-12-18 01:03:01.195: notice: "dyn.example.net.": lifetime of zone signing key 1355 exceeded: ZSK rollover done
-2008-12-18 01:03:01.196: debug: Re-signing necessary: Modfied zone key set
-2008-12-18 01:03:01.196: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set
-2008-12-18 01:03:01.196: debug: Writing key file "./dyn.example.net/dnskey.db"
-2008-12-18 01:03:01.196: debug: Signing zone "dyn.example.net."
-2008-12-18 01:03:01.196: notice: "dyn.example.net.": freeze dynamic zone
-2008-12-18 01:03:01.196: debug: freeze dynamic zone "dyn.example.net."
-2008-12-18 01:03:01.197: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
-2008-12-18 01:03:01.628: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
-2008-12-18 01:03:01.653: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private"
-2008-12-18 01:03:01.792: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
-2008-12-18 01:03:01.792: notice: "dyn.example.net.": thaw dynamic zone
-2008-12-18 01:03:01.792: debug: thaw dynamic zone "dyn.example.net."
-2008-12-18 01:03:01.792: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
-2008-12-18 01:03:01.802: debug: Signing completed after 0s.
-2008-12-18 01:03:01.802: debug:
-2008-12-18 01:03:01.802: notice: end of run: 0 errors occured
-2008-12-28 23:06:27.762: notice: ------------------------------------------------------------
-2008-12-28 23:06:27.762: notice: running ../../dnssec-signer -v -v
-2008-12-28 23:06:27.764: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2008-12-28 23:06:27.765: debug: Check RFC5011 status
-2008-12-28 23:06:27.765: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-28 23:06:27.765: debug: Check KSK status
-2008-12-28 23:06:27.765: debug: Check ZSK status
-2008-12-28 23:06:27.765: debug: Lifetime(259200 +/-150 sec) of active key 22440 exceeded (1067698 sec)
-2008-12-28 23:06:27.765: debug: ->depreciate it
-2008-12-28 23:06:27.766: debug: ->activate published key 5823
-2008-12-28 23:06:27.766: notice: "sub.example.net.": lifetime of zone signing key 22440 exceeded: ZSK rollover done
-2008-12-28 23:06:27.766: debug: New key for publishing needed
-2008-12-28 23:06:28.696: debug: ->creating new key 4710
-2008-12-28 23:06:28.696: info: "sub.example.net.": new key 4710 generated for publishing
-2008-12-28 23:06:28.696: debug: Re-signing necessary: Modfied zone key set
-2008-12-28 23:06:28.696: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2008-12-28 23:06:28.696: debug: Writing key file "./sub.example.net/dnskey.db"
-2008-12-28 23:06:28.697: debug: Signing zone "sub.example.net."
-2008-12-28 23:06:28.697: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -3 B9D9AA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2008-12-28 23:06:28.804: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-28 23:06:28.804: debug: Signing completed after 0s.
-2008-12-28 23:06:28.804: debug:
-2008-12-28 23:06:28.804: debug: parsing zone "example.net." in dir "./example.net"
-2008-12-28 23:06:28.804: debug: Check RFC5011 status
-2008-12-28 23:06:28.804: debug: Check ZSK status
-2008-12-28 23:06:28.804: debug: Re-signing necessary: re-signing interval (2d) reached
-2008-12-28 23:06:28.804: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
-2008-12-28 23:06:28.804: debug: Writing key file "./example.net/dnskey.db"
-2008-12-28 23:06:28.805: debug: Incrementing serial number in file "./example.net/zone.db"
-2008-12-28 23:06:28.805: debug: Signing zone "example.net."
-2008-12-28 23:06:28.805: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2008-12-28 23:06:28.898: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-28 23:06:28.898: debug: Signing completed after 0s.
-2008-12-28 23:06:28.898: debug:
-2008-12-28 23:06:28.899: notice: end of run: 0 errors occured
-2008-12-28 23:07:39.896: notice: ------------------------------------------------------------
-2008-12-28 23:07:39.896: notice: running ../../dnssec-signer -v -v -N named.conf
-2008-12-28 23:07:39.899: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2008-12-28 23:07:39.899: debug: Check RFC5011 status
-2008-12-28 23:07:39.899: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-28 23:07:39.899: debug: Check KSK status
-2008-12-28 23:07:39.899: debug: Check ZSK status
-2008-12-28 23:07:39.899: debug: Re-signing not necessary!
-2008-12-28 23:07:39.899: debug: Check if there is a parent file to copy
-2008-12-28 23:07:39.899: debug:
-2008-12-28 23:07:39.899: debug: parsing zone "example.net." in dir "././example.net"
-2008-12-28 23:07:39.899: debug: Check RFC5011 status
-2008-12-28 23:07:39.899: debug: Check ZSK status
-2008-12-28 23:07:39.899: debug: Re-signing not necessary!
-2008-12-28 23:07:39.899: debug: Check if there is a parent file to copy
-2008-12-28 23:07:39.899: debug:
-2008-12-28 23:07:39.899: notice: end of run: 0 errors occured
-2008-12-28 23:08:02.141: notice: ------------------------------------------------------------
-2008-12-28 23:08:02.141: notice: running ../../dnssec-signer -f -v -v -N named.conf
-2008-12-28 23:08:02.143: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2008-12-28 23:08:02.143: debug: Check RFC5011 status
-2008-12-28 23:08:02.143: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-28 23:08:02.143: debug: Check KSK status
-2008-12-28 23:08:02.143: debug: Check ZSK status
-2008-12-28 23:08:02.143: debug: Re-signing necessary: Option -f
-2008-12-28 23:08:02.143: notice: "sub.example.net.": re-signing triggered: Option -f
-2008-12-28 23:08:02.143: debug: Writing key file "././sub.example.net/dnskey.db"
-2008-12-28 23:08:02.144: debug: Signing zone "sub.example.net."
-2008-12-28 23:08:02.144: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 B5EA98 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2008-12-28 23:08:02.266: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-28 23:08:02.266: debug: Signing completed after 0s.
-2008-12-28 23:08:02.266: debug:
-2008-12-28 23:08:02.266: debug: parsing zone "example.net." in dir "././example.net"
-2008-12-28 23:08:02.266: debug: Check RFC5011 status
-2008-12-28 23:08:02.266: debug: Check ZSK status
-2008-12-28 23:08:02.266: debug: Re-signing necessary: Option -f
-2008-12-28 23:08:02.266: notice: "example.net.": re-signing triggered: Option -f
-2008-12-28 23:08:02.266: debug: Writing key file "././example.net/dnskey.db"
-2008-12-28 23:08:02.267: debug: Incrementing serial number in file "././example.net/zone.db"
-2008-12-28 23:08:02.267: debug: Signing zone "example.net."
-2008-12-28 23:08:02.267: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2008-12-28 23:08:02.534: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-28 23:08:02.534: debug: Signing completed after 0s.
-2008-12-28 23:08:02.534: debug:
-2008-12-28 23:08:02.534: notice: end of run: 0 errors occured
-2009-02-28 12:31:26.082: notice: ------------------------------------------------------------
-2009-02-28 12:31:26.083: notice: running ../../dnssec-signer -N named.conf
-2009-02-28 12:31:26.100: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-02-28 12:31:26.100: debug: Check RFC5011 status
-2009-02-28 12:31:26.100: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:31:26.100: debug: Check KSK status
-2009-02-28 12:31:26.100: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h35m58s
-2009-02-28 12:31:26.100: debug: Check ZSK status
-2009-02-28 12:31:26.100: debug: Lifetime(390 sec) of depreciated key 22440 exceeded (5315758 sec)
-2009-02-28 12:31:26.100: info: "sub.example.net.": old ZSK 22440 removed
-2009-02-28 12:31:26.101: debug: ->remove it
-2009-02-28 12:31:26.101: debug: Lifetime(259200 +/-150 sec) of active key 5823 exceeded (5315758 sec)
-2009-02-28 12:31:26.101: debug: ->depreciate it
-2009-02-28 12:31:26.101: debug: ->activate published key 4710
-2009-02-28 12:31:26.101: notice: "sub.example.net.": lifetime of zone signing key 5823 exceeded: ZSK rollover done
-2009-02-28 12:31:26.101: debug: New key for publishing needed
-2009-02-28 12:31:28.559: debug: ->creating new key 32820
-2009-02-28 12:31:28.559: info: "sub.example.net.": new key 32820 generated for publishing
-2009-02-28 12:31:28.559: debug: Re-signing necessary: Modfied zone key set
-2009-02-28 12:31:28.560: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-02-28 12:31:28.560: debug: Writing key file "././sub.example.net/dnskey.db"
-2009-02-28 12:31:28.560: debug: Signing zone "sub.example.net."
-2009-02-28 12:31:28.560: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 FC6C7C -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-02-28 12:31:28.803: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-02-28 12:31:28.803: debug: Signing completed after 0s.
-2009-02-28 12:31:28.803: debug:
-2009-02-28 12:31:28.803: debug: parsing zone "example.net." in dir "././example.net"
-2009-02-28 12:31:28.803: debug: Check RFC5011 status
-2009-02-28 12:31:28.803: notice: "example.net.": starting rfc5011 rollover
-2009-02-28 12:31:28.803: debug: Lifetime of Key Signing Key 1764 exceeded (8w5d12h36m): Starting rfc5011 rollover!
-2009-02-28 12:31:28.803: debug: =>Generating new standby key signing key
-2009-02-28 12:31:29.067: info: "example.net.": generated new standby KSK 33840
-2009-02-28 12:31:29.067: debug: =>Activating old standby key 7308
-2009-02-28 12:31:29.068: debug: =>Revoking old active key 1764
-2009-02-28 12:31:29.068: debug: Check ZSK status
-2009-02-28 12:31:29.068: debug: Re-signing necessary: Modfied zone key set
-2009-02-28 12:31:29.068: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-02-28 12:31:29.068: debug: Writing key file "././example.net/dnskey.db"
-2009-02-28 12:31:29.069: debug: Incrementing serial number in file "././example.net/zone.db"
-2009-02-28 12:31:29.069: debug: Signing zone "example.net."
-2009-02-28 12:31:29.069: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-02-28 12:31:29.206: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-02-28 12:31:29.206: debug: Signing completed after 0s.
-2009-02-28 12:31:29.206: debug:
-2009-02-28 12:31:29.206: notice: end of run: 0 errors occured
-2009-02-28 12:31:34.121: notice: ------------------------------------------------------------
-2009-02-28 12:31:34.121: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:31:34.126: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-02-28 12:31:34.126: debug: Check RFC5011 status
-2009-02-28 12:31:34.126: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:31:34.126: debug: Check KSK status
-2009-02-28 12:31:34.126: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h36m6s
-2009-02-28 12:31:34.126: debug: Check ZSK status
-2009-02-28 12:31:34.126: debug: Re-signing not necessary!
-2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy
-2009-02-28 12:31:34.126: debug:
-2009-02-28 12:31:34.126: debug: parsing zone "example.net." in dir "././example.net"
-2009-02-28 12:31:34.126: debug: Check RFC5011 status
-2009-02-28 12:31:34.126: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-02-28 12:31:34.126: debug: Check ZSK status
-2009-02-28 12:31:34.126: debug: Re-signing not necessary!
-2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy
-2009-02-28 12:31:34.126: debug:
-2009-02-28 12:31:34.126: notice: end of run: 0 errors occured
-2009-02-28 12:32:49.522: notice: ------------------------------------------------------------
-2009-02-28 12:32:49.522: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:32:49.525: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-02-28 12:32:49.525: debug: Check RFC5011 status
-2009-02-28 12:32:49.525: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:32:49.525: debug: Check KSK status
-2009-02-28 12:32:49.525: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h37m21s
-2009-02-28 12:32:49.525: debug: Check ZSK status
-2009-02-28 12:32:49.526: debug: Re-signing not necessary!
-2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy
-2009-02-28 12:32:49.526: debug:
-2009-02-28 12:32:49.526: debug: parsing zone "example.net." in dir "././example.net"
-2009-02-28 12:32:49.526: debug: Check RFC5011 status
-2009-02-28 12:32:49.526: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-02-28 12:32:49.526: debug: Check ZSK status
-2009-02-28 12:32:49.526: debug: Re-signing not necessary!
-2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy
-2009-02-28 12:32:49.527: debug:
-2009-02-28 12:32:49.527: notice: end of run: 0 errors occured
-2009-02-28 12:42:47.999: notice: ------------------------------------------------------------
-2009-02-28 12:42:48.000: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:45:56.491: notice: ------------------------------------------------------------
-2009-02-28 12:45:56.491: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:50:13.057: notice: ------------------------------------------------------------
-2009-02-28 12:50:13.057: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:50:54.700: notice: ------------------------------------------------------------
-2009-02-28 12:50:54.700: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:52:23.926: notice: ------------------------------------------------------------
-2009-02-28 12:52:23.926: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:52:23.933: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-02-28 12:52:23.934: debug: Check RFC5011 status
-2009-02-28 12:52:23.934: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:52:23.934: debug: Check KSK status
-2009-02-28 12:52:23.934: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h56m55s
-2009-02-28 12:52:23.934: debug: Check ZSK status
-2009-02-28 12:52:23.934: debug: Lifetime(390 sec) of depreciated key 5823 exceeded (1257 sec)
-2009-02-28 12:52:23.934: info: "sub.example.net.": old ZSK 5823 removed
-2009-02-28 12:52:23.934: debug: ->remove it
-2009-02-28 12:52:23.934: debug: Re-signing necessary: Modfied zone key set
-2009-02-28 12:52:23.934: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-02-28 12:52:23.934: debug: Writing key file "././sub.example.net/dnskey.db"
-2009-02-28 12:52:23.935: debug: Signing zone "sub.example.net."
-2009-02-28 12:52:23.935: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 A4756D -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-02-28 12:52:24.701: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-02-28 12:52:24.701: debug: Signing completed after 1s.
-2009-02-28 12:52:24.701: debug:
-2009-02-28 12:52:24.701: debug: parsing zone "example.net." in dir "././example.net"
-2009-02-28 12:52:24.701: debug: Check RFC5011 status
-2009-02-28 12:52:24.701: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-02-28 12:52:24.701: debug: Check ZSK status
-2009-02-28 12:52:24.701: debug: Re-signing not necessary!
-2009-02-28 12:52:24.701: debug: Check if there is a parent file to copy
-2009-02-28 12:52:24.701: debug:
-2009-02-28 12:52:24.701: notice: end of run: 0 errors occured
-2009-02-28 12:53:08.325: notice: ------------------------------------------------------------
-2009-02-28 12:53:08.325: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:53:48.858: notice: ------------------------------------------------------------
-2009-02-28 12:53:48.858: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:54:09.878: notice: ------------------------------------------------------------
-2009-02-28 12:54:09.878: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-02-28 12:54:09.885: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
-2009-02-28 12:54:09.885: debug: Check RFC5011 status
-2009-02-28 12:54:09.885: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:54:09.885: debug: Check KSK status
-2009-02-28 12:54:09.886: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h58m41s
-2009-02-28 12:54:09.886: debug: Check ZSK status
-2009-02-28 12:54:09.886: debug: Re-signing not necessary!
-2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy
-2009-02-28 12:54:09.886: debug:
-2009-02-28 12:54:09.886: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
-2009-02-28 12:54:09.886: debug: Check RFC5011 status
-2009-02-28 12:54:09.886: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-02-28 12:54:09.886: debug: Check ZSK status
-2009-02-28 12:54:09.886: debug: Re-signing not necessary!
-2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy
-2009-02-28 12:54:09.886: debug:
-2009-02-28 12:54:09.886: notice: end of run: 0 errors occured
-2009-02-28 12:55:02.579: notice: ------------------------------------------------------------
-2009-02-28 12:55:02.579: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-03-03 19:13:47.524: notice: ------------------------------------------------------------
-2009-03-03 19:13:47.524: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-03-03 19:13:47.532: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
-2009-03-03 19:13:47.532: debug: Check RFC5011 status
-2009-03-03 19:13:47.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-03 19:13:47.532: debug: Check KSK status
-2009-03-03 19:13:47.533: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h18m19s
-2009-03-03 19:13:47.533: debug: Check ZSK status
-2009-03-03 19:13:47.533: debug: Lifetime(259200 +/-150 sec) of active key 4710 exceeded (283341 sec)
-2009-03-03 19:13:47.533: debug: ->depreciate it
-2009-03-03 19:13:47.533: debug: ->activate published key 32820
-2009-03-03 19:13:47.533: notice: "sub.example.net.": lifetime of zone signing key 4710 exceeded: ZSK rollover done
-2009-03-03 19:13:47.533: debug: New key for publishing needed
-2009-03-03 19:13:48.366: debug: ->creating new key 49656
-2009-03-03 19:13:48.366: info: "sub.example.net.": new key 49656 generated for publishing
-2009-03-03 19:13:48.366: debug: Re-signing necessary: Modfied zone key set
-2009-03-03 19:13:48.366: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-03-03 19:13:48.367: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net/dnskey.db"
-2009-03-03 19:13:48.367: debug: Signing zone "sub.example.net."
-2009-03-03 19:13:48.367: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net; /usr/local/sbin/dnssec-signzone -3 BCB121 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-03 19:13:48.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-03 19:13:48.543: debug: Signing completed after 0s.
-2009-03-03 19:13:48.543: debug:
-2009-03-03 19:13:48.543: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
-2009-03-03 19:13:48.543: debug: Check RFC5011 status
-2009-03-03 19:13:48.543: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-03-03 19:13:48.543: debug: Check ZSK status
-2009-03-03 19:13:48.543: debug: Re-signing necessary: re-signing interval (2d) reached
-2009-03-03 19:13:48.543: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
-2009-03-03 19:13:48.543: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/dnskey.db"
-2009-03-03 19:13:48.544: debug: Incrementing serial number in file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/zone.db"
-2009-03-03 19:13:48.544: debug: Signing zone "example.net."
-2009-03-03 19:13:48.544: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-03-03 19:13:48.723: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-03 19:13:48.723: debug: Signing completed after 0s.
-2009-03-03 19:13:48.723: debug:
-2009-03-03 19:13:48.724: notice: end of run: 0 errors occured
-2009-03-03 19:14:16.121: notice: ------------------------------------------------------------
-2009-03-03 19:14:16.121: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf
-2009-03-03 19:14:30.231: notice: ------------------------------------------------------------
-2009-03-03 19:14:30.231: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf
-2009-03-03 19:15:37.851: notice: ------------------------------------------------------------
-2009-03-03 19:15:37.851: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf
-2009-03-03 19:15:37.853: debug: parsing zone "sub.example.net." in dir "./././sub.example.net"
-2009-03-03 19:15:37.853: debug: Check RFC5011 status
-2009-03-03 19:15:37.853: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-03 19:15:37.853: debug: Check KSK status
-2009-03-03 19:15:37.853: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m9s
-2009-03-03 19:15:37.853: debug: Check ZSK status
-2009-03-03 19:15:37.853: debug: Re-signing not necessary!
-2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy
-2009-03-03 19:15:37.853: debug:
-2009-03-03 19:15:37.853: debug: parsing zone "example.net." in dir "./././example.net"
-2009-03-03 19:15:37.853: debug: Check RFC5011 status
-2009-03-03 19:15:37.853: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-03-03 19:15:37.853: debug: Check ZSK status
-2009-03-03 19:15:37.853: debug: Re-signing not necessary!
-2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy
-2009-03-03 19:15:37.853: debug:
-2009-03-03 19:15:37.853: notice: end of run: 0 errors occured
-2009-03-03 19:15:44.219: notice: ------------------------------------------------------------
-2009-03-03 19:15:44.219: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf
-2009-03-03 19:15:49.305: notice: ------------------------------------------------------------
-2009-03-03 19:15:49.305: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-03-03 19:15:49.308: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-03 19:15:49.308: debug: Check RFC5011 status
-2009-03-03 19:15:49.308: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-03 19:15:49.308: debug: Check KSK status
-2009-03-03 19:15:49.309: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m21s
-2009-03-03 19:15:49.309: debug: Check ZSK status
-2009-03-03 19:15:49.309: debug: Re-signing not necessary!
-2009-03-03 19:15:49.309: debug: Check if there is a parent file to copy
-2009-03-03 19:15:49.309: debug:
-2009-03-03 19:15:49.309: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-03 19:15:49.310: debug: Check RFC5011 status
-2009-03-03 19:15:49.310: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-03-03 19:15:49.310: debug: Check ZSK status
-2009-03-03 19:15:49.310: debug: Re-signing not necessary!
-2009-03-03 19:15:49.310: debug: Check if there is a parent file to copy
-2009-03-03 19:15:49.310: debug:
-2009-03-03 19:15:49.310: notice: end of run: 0 errors occured
-2009-03-04 18:07:38.441: notice: ------------------------------------------------------------
-2009-03-04 18:07:38.441: notice: running ../../dnssec-signer -v -v -N named.conf
-2009-03-04 18:07:38.459: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:07:38.459: debug: Check RFC5011 status
-2009-03-04 18:07:38.459: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:07:38.459: debug: Check KSK status
-2009-03-04 18:07:38.459: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m10s
-2009-03-04 18:07:38.459: debug: Check ZSK status
-2009-03-04 18:07:38.459: debug: Lifetime(390 sec) of depreciated key 4710 exceeded (82431 sec)
-2009-03-04 18:07:38.459: info: "sub.example.net.": old ZSK 4710 removed
-2009-03-04 18:07:38.459: debug: ->remove it
-2009-03-04 18:07:38.459: debug: Re-signing necessary: Modfied zone key set
-2009-03-04 18:07:38.459: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-03-04 18:07:38.459: debug: Writing key file "././sub.example.net/dnskey.db"
-2009-03-04 18:07:38.460: debug: Signing zone "sub.example.net."
-2009-03-04 18:07:38.460: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 33B698 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-04 18:07:38.635: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:07:38.635: debug: Signing completed after 0s.
-2009-03-04 18:07:38.635: debug:
-2009-03-04 18:07:38.635: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:07:38.635: debug: Check RFC5011 status
-2009-03-04 18:07:38.635: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:07:38.636: debug: Check ZSK status
-2009-03-04 18:07:38.636: debug: Re-signing not necessary!
-2009-03-04 18:07:38.636: debug: Check if there is a parent file to copy
-2009-03-04 18:07:38.636: debug:
-2009-03-04 18:07:38.636: notice: end of run: 0 errors occured
-2009-03-04 18:07:54.353: notice: ------------------------------------------------------------
-2009-03-04 18:07:54.353: notice: running ../../dnssec-signer -r -v -v -N named.conf
-2009-03-04 18:07:54.357: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:07:54.357: debug: Check RFC5011 status
-2009-03-04 18:07:54.357: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:07:54.357: debug: Check KSK status
-2009-03-04 18:07:54.357: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m26s
-2009-03-04 18:07:54.357: debug: Check ZSK status
-2009-03-04 18:07:54.357: debug: Re-signing not necessary!
-2009-03-04 18:07:54.357: debug: Check if there is a parent file to copy
-2009-03-04 18:07:54.357: debug:
-2009-03-04 18:07:54.357: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:07:54.357: debug: Check RFC5011 status
-2009-03-04 18:07:54.357: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:07:54.358: debug: Check ZSK status
-2009-03-04 18:07:54.358: debug: Re-signing not necessary!
-2009-03-04 18:07:54.358: debug: Check if there is a parent file to copy
-2009-03-04 18:07:54.358: debug:
-2009-03-04 18:07:54.358: notice: end of run: 0 errors occured
-2009-03-04 18:08:25.210: notice: ------------------------------------------------------------
-2009-03-04 18:08:25.210: notice: running ../../dnssec-signer -r -v -v -N named.conf
-2009-03-04 18:08:25.212: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:08:25.212: debug: Check RFC5011 status
-2009-03-04 18:08:25.213: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:08:25.213: debug: Check KSK status
-2009-03-04 18:08:25.213: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m57s
-2009-03-04 18:08:25.213: debug: Check ZSK status
-2009-03-04 18:08:25.213: debug: Re-signing not necessary!
-2009-03-04 18:08:25.213: debug: Check if there is a parent file to copy
-2009-03-04 18:08:25.213: debug:
-2009-03-04 18:08:25.214: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:08:25.214: debug: Check RFC5011 status
-2009-03-04 18:08:25.214: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:08:25.214: debug: Check ZSK status
-2009-03-04 18:08:25.214: debug: Re-signing not necessary!
-2009-03-04 18:08:25.214: debug: Check if there is a parent file to copy
-2009-03-04 18:08:25.214: debug:
-2009-03-04 18:08:25.216: notice: end of run: 0 errors occured
-2009-03-04 18:08:32.379: notice: ------------------------------------------------------------
-2009-03-04 18:08:32.379: notice: running ../../dnssec-signer -f -v -v -N named.conf
-2009-03-04 18:08:32.381: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:08:32.381: debug: Check RFC5011 status
-2009-03-04 18:08:32.381: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:08:32.381: debug: Check KSK status
-2009-03-04 18:08:32.381: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m4s
-2009-03-04 18:08:32.381: debug: Check ZSK status
-2009-03-04 18:08:32.381: debug: Re-signing necessary: Option -f
-2009-03-04 18:08:32.381: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:32.381: debug: Writing key file "././sub.example.net/dnskey.db"
-2009-03-04 18:08:32.382: debug: Signing zone "sub.example.net."
-2009-03-04 18:08:32.382: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 2 -3 A0BEB8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-04 18:08:32.896: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:08:32.896: debug: Signing completed after 0s.
-2009-03-04 18:08:32.896: debug:
-2009-03-04 18:08:32.896: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:08:32.896: debug: Check RFC5011 status
-2009-03-04 18:08:32.896: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:08:32.896: debug: Check ZSK status
-2009-03-04 18:08:32.896: debug: Re-signing necessary: Option -f
-2009-03-04 18:08:32.896: notice: "example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:32.896: debug: Writing key file "././example.net/dnskey.db"
-2009-03-04 18:08:32.897: debug: Incrementing serial number in file "././example.net/zone.db"
-2009-03-04 18:08:32.897: debug: Signing zone "example.net."
-2009-03-04 18:08:32.897: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 2 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-03-04 18:08:33.042: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:08:33.042: debug: Signing completed after 1s.
-2009-03-04 18:08:33.042: debug:
-2009-03-04 18:08:33.043: notice: end of run: 0 errors occured
-2009-03-04 18:08:46.381: notice: ------------------------------------------------------------
-2009-03-04 18:08:46.381: notice: running ../../dnssec-signer -f -v -v -N named.conf
-2009-03-04 18:08:46.385: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:08:46.385: debug: Check RFC5011 status
-2009-03-04 18:08:46.385: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:08:46.385: debug: Check KSK status
-2009-03-04 18:08:46.385: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m18s
-2009-03-04 18:08:46.385: debug: Check ZSK status
-2009-03-04 18:08:46.385: debug: Re-signing necessary: Option -f
-2009-03-04 18:08:46.385: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:46.385: debug: Writing key file "././sub.example.net/dnskey.db"
-2009-03-04 18:08:46.386: debug: Signing zone "sub.example.net."
-2009-03-04 18:08:46.386: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 1864E1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-04 18:08:46.990: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:08:46.991: debug: Signing completed after 0s.
-2009-03-04 18:08:46.991: debug:
-2009-03-04 18:08:46.991: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:08:46.991: debug: Check RFC5011 status
-2009-03-04 18:08:46.991: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:08:46.991: debug: Check ZSK status
-2009-03-04 18:08:46.991: debug: Re-signing necessary: Option -f
-2009-03-04 18:08:46.991: notice: "example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:46.991: debug: Writing key file "././example.net/dnskey.db"
-2009-03-04 18:08:46.992: debug: Incrementing serial number in file "././example.net/zone.db"
-2009-03-04 18:08:46.992: debug: Signing zone "example.net."
-2009-03-04 18:08:46.993: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 0 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-03-04 18:08:47.149: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:08:47.149: debug: Signing completed after 1s.
-2009-03-04 18:08:47.149: debug:
-2009-03-04 18:08:47.149: notice: end of run: 0 errors occured
-2009-03-04 18:08:59.141: notice: ------------------------------------------------------------
-2009-03-04 18:08:59.141: notice: running ../../dnssec-signer -f -v -v -N named.conf
-2009-03-04 18:08:59.145: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:08:59.145: debug: Check RFC5011 status
-2009-03-04 18:08:59.145: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:08:59.145: debug: Check KSK status
-2009-03-04 18:08:59.145: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m31s
-2009-03-04 18:08:59.145: debug: Check ZSK status
-2009-03-04 18:08:59.145: debug: Re-signing necessary: Option -f
-2009-03-04 18:08:59.146: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:59.146: debug: Writing key file "././sub.example.net/dnskey.db"
-2009-03-04 18:08:59.146: debug: Signing zone "sub.example.net."
-2009-03-04 18:08:59.146: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 945691 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-04 18:09:00.082: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:09:00.082: debug: Signing completed after 1s.
-2009-03-04 18:09:00.082: debug:
-2009-03-04 18:09:00.083: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:09:00.083: debug: Check RFC5011 status
-2009-03-04 18:09:00.083: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:09:00.083: debug: Check ZSK status
-2009-03-04 18:09:00.083: debug: Re-signing necessary: Option -f
-2009-03-04 18:09:00.083: notice: "example.net.": re-signing triggered: Option -f
-2009-03-04 18:09:00.083: debug: Writing key file "././example.net/dnskey.db"
-2009-03-04 18:09:00.084: debug: Incrementing serial number in file "././example.net/zone.db"
-2009-03-04 18:09:00.084: debug: Signing zone "example.net."
-2009-03-04 18:09:00.084: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-03-04 18:09:00.238: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:09:00.238: debug: Signing completed after 0s.
-2009-03-04 18:09:00.238: debug:
-2009-03-04 18:09:00.238: notice: end of run: 0 errors occured
-2009-06-15 09:58:41.205: notice: ------------------------------------------------------------
-2009-06-15 09:58:41.205: notice: running ../../dnssec-signer -v -v
-2009-06-15 09:58:41.226: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-15 09:58:41.226: debug: Check RFC5011 status
-2009-06-15 09:58:41.226: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-15 09:58:41.226: debug: Check KSK status
-2009-06-15 09:58:41.227: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w3d9h3m13s
-2009-06-15 09:58:41.227: debug: Check ZSK status
-2009-06-15 09:58:41.227: debug: Lifetime(259200 +/-150 sec) of active key 32820 exceeded (8948694 sec)
-2009-06-15 09:58:41.227: debug: ->depreciate it
-2009-06-15 09:58:41.227: debug: ->activate published key 49656
-2009-06-15 09:58:41.227: notice: "sub.example.net.": lifetime of zone signing key 32820 exceeded: ZSK rollover done
-2009-06-15 09:58:41.227: debug: New key for publishing needed
-2009-06-15 09:58:41.346: debug: ->creating new key 37135
-2009-06-15 09:58:41.346: info: "sub.example.net.": new key 37135 generated for publishing
-2009-06-15 09:58:41.346: debug: Re-signing necessary: Modfied zone key set
-2009-06-15 09:58:41.346: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-15 09:58:41.346: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-15 09:58:41.346: debug: Signing zone "sub.example.net."
-2009-06-15 09:58:41.346: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 11D7FD -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-15 09:58:41.399: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-15 09:58:41.399: debug: Signing completed after 0s.
-2009-06-15 09:58:41.399: debug:
-2009-06-15 09:58:41.399: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-15 09:58:41.399: debug: Check RFC5011 status
-2009-06-15 09:58:41.399: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-06-15 09:58:41.399: debug: Remove revoked key 1764 which is older than 30 days
-2009-06-15 09:58:41.400: notice: zone "example.net.": removing revoked key 1764
-2009-06-15 09:58:41.400: debug: Check ZSK status
-2009-06-15 09:58:41.400: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14547793 sec)
-2009-06-15 09:58:41.400: debug: ->waiting for published key
-2009-06-15 09:58:41.400: notice: "example.net.": lifetime of zone signing key 4157 exceeded since 11w1d9h3m13s: ZSK rollover deferred: waiting for published key
-2009-06-15 09:58:41.400: debug: New key for publishing needed
-2009-06-15 09:58:41.499: debug: ->creating new key 34925
-2009-06-15 09:58:41.499: info: "example.net.": new key 34925 generated for publishing
-2009-06-15 09:58:41.499: debug: Re-signing necessary: Modfied zone key set
-2009-06-15 09:58:41.499: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-06-15 09:58:41.499: debug: Writing key file "./example.net/dnskey.db"
-2009-06-15 09:58:41.499: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-15 09:58:41.499: debug: Signing zone "example.net."
-2009-06-15 09:58:41.499: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-06-15 09:58:41.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-15 09:58:41.543: debug: Signing completed after 0s.
-2009-06-15 09:58:41.543: debug:
-2009-06-15 09:58:41.543: notice: end of run: 0 errors occured
-2009-06-17 16:36:16.761: notice: ------------------------------------------------------------
-2009-06-17 16:36:16.761: notice: running ../../dnssec-signer -v -v
-2009-06-17 16:36:16.792: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-17 16:36:16.792: debug: Check RFC5011 status
-2009-06-17 16:36:16.792: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-17 16:36:16.792: debug: Check KSK status
-2009-06-17 16:36:16.792: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w5d15h40m48s
-2009-06-17 16:36:16.792: debug: Check ZSK status
-2009-06-17 16:36:16.792: debug: Lifetime(390 sec) of depreciated key 32820 exceeded (196655 sec)
-2009-06-17 16:36:16.792: info: "sub.example.net.": old ZSK 32820 removed
-2009-06-17 16:36:16.792: debug: ->remove it
-2009-06-17 16:36:16.792: debug: Re-signing necessary: Modfied zone key set
-2009-06-17 16:36:16.792: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-17 16:36:16.792: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-17 16:36:16.793: debug: Signing zone "sub.example.net."
-2009-06-17 16:36:16.793: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 4214E6 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-17 16:36:16.984: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-17 16:36:16.984: debug: Signing completed after 0s.
-2009-06-17 16:36:16.984: debug:
-2009-06-17 16:36:16.984: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-17 16:36:16.984: debug: Check RFC5011 status
-2009-06-17 16:36:16.984: debug: Check ZSK status
-2009-06-17 16:36:16.984: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14744448 sec)
-2009-06-17 16:36:16.984: debug: ->depreciate it
-2009-06-17 16:36:16.984: debug: ->activate published key 34925
-2009-06-17 16:36:16.984: notice: "example.net.": lifetime of zone signing key 4157 exceeded: ZSK rollover done
-2009-06-17 16:36:16.984: debug: Re-signing necessary: Modfied zone key set
-2009-06-17 16:36:16.984: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-06-17 16:36:16.984: debug: Writing key file "./example.net/dnskey.db"
-2009-06-17 16:36:16.985: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-17 16:36:16.985: debug: Signing zone "example.net."
-2009-06-17 16:36:16.985: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-06-17 16:36:17.102: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-17 16:36:17.102: debug: Signing completed after 1s.
-2009-06-17 16:36:17.102: debug:
-2009-06-17 16:36:17.102: notice: end of run: 0 errors occured
-2009-06-24 16:33:27.617: notice: ------------------------------------------------------------
-2009-06-24 16:33:27.617: notice: running ../../dnssec-signer -v -v
-2009-06-24 16:33:27.619: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:33:27.619: debug: Check RFC5011 status
-2009-06-24 16:33:27.620: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:33:27.620: debug: Check KSK status
-2009-06-24 16:33:27.620: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 16w5d15h37m59s
-2009-06-24 16:33:27.620: debug: Check ZSK status
-2009-06-24 16:33:27.620: debug: Lifetime(259200 +/-150 sec) of active key 49656 exceeded (801286 sec)
-2009-06-24 16:33:27.620: debug: ->depreciate it
-2009-06-24 16:33:27.620: debug: ->activate published key 37135
-2009-06-24 16:33:27.620: notice: "sub.example.net.": lifetime of zone signing key 49656 exceeded: ZSK rollover done
-2009-06-24 16:33:27.620: debug: New key for publishing needed
-2009-06-24 16:33:27.751: debug: ->creating new key 25272
-2009-06-24 16:33:27.751: info: "sub.example.net.": new key 25272 generated for publishing
-2009-06-24 16:33:27.751: debug: Re-signing necessary: Modfied zone key set
-2009-06-24 16:33:27.751: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-24 16:33:27.751: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:33:27.751: debug: Signing zone "sub.example.net."
-2009-06-24 16:33:27.751: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50C9C8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:33:27.859: error: "sub.example.net.": signing failed!
-2009-06-24 16:33:27.859: debug: Signing completed after 0s.
-2009-06-24 16:33:27.859: debug:
-2009-06-24 16:33:27.859: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:33:27.859: debug: Check RFC5011 status
-2009-06-24 16:33:27.859: debug: Check ZSK status
-2009-06-24 16:33:27.859: debug: Lifetime(29100 sec) of depreciated key 4157 exceeded (604631 sec)
-2009-06-24 16:33:27.859: info: "example.net.": old ZSK 4157 removed
-2009-06-24 16:33:27.860: debug: ->remove it
-2009-06-24 16:33:27.860: debug: Re-signing necessary: Modfied zone key set
-2009-06-24 16:33:27.860: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-06-24 16:33:27.860: debug: Writing key file "./example.net/dnskey.db"
-2009-06-24 16:33:27.860: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:33:27.860: debug: Signing zone "example.net."
-2009-06-24 16:33:27.860: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-06-24 16:33:27.966: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:33:27.966: debug: Signing completed after 0s.
-2009-06-24 16:33:27.966: debug:
-2009-06-24 16:33:27.966: notice: end of run: 1 error occured
-2009-06-24 16:42:06.709: notice: ------------------------------------------------------------
-2009-06-24 16:42:06.709: notice: running ../../dnssec-signer -v -v
-2009-06-24 16:42:06.711: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:42:06.711: debug: Check RFC5011 status
-2009-06-24 16:42:06.711: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:42:06.711: debug: Check KSK status
-2009-06-24 16:42:06.711: debug: No active KSK found: generate new one
-2009-06-24 16:42:06.855: info: "sub.example.net.": generated new KSK 48516
-2009-06-24 16:42:06.855: debug: Check ZSK status
-2009-06-24 16:42:06.855: debug: No active ZSK found: generate new one
-2009-06-24 16:42:06.883: info: "sub.example.net.": generated new ZSK 33383
-2009-06-24 16:42:06.883: debug: Re-signing necessary: Modfied zone key set
-2009-06-24 16:42:06.883: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-24 16:42:06.883: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:42:06.883: debug: Signing zone "sub.example.net."
-2009-06-24 16:42:06.883: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:42:06.905: error: "sub.example.net.": signing failed!
-2009-06-24 16:42:06.905: debug: Signing completed after 0s.
-2009-06-24 16:42:06.905: debug:
-2009-06-24 16:42:06.905: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:42:06.905: debug: Check RFC5011 status
-2009-06-24 16:42:06.905: debug: Check ZSK status
-2009-06-24 16:42:06.905: debug: Re-signing not necessary!
-2009-06-24 16:42:06.905: debug: Check if there is a parent file to copy
-2009-06-24 16:42:06.905: debug:
-2009-06-24 16:42:06.905: notice: end of run: 1 error occured
-2009-06-24 16:42:31.402: notice: ------------------------------------------------------------
-2009-06-24 16:42:31.402: notice: running ../../dnssec-signer -v -v
-2009-06-24 16:42:31.404: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:42:31.404: debug: Check RFC5011 status
-2009-06-24 16:42:31.404: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:42:31.404: debug: Check KSK status
-2009-06-24 16:42:31.404: debug: Check ZSK status
-2009-06-24 16:42:31.404: debug: Re-signing necessary: Modified keys
-2009-06-24 16:42:31.405: notice: "sub.example.net.": re-signing triggered: Modified keys
-2009-06-24 16:42:31.405: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:42:31.405: debug: Signing zone "sub.example.net."
-2009-06-24 16:42:31.405: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:42:31.449: error: "sub.example.net.": signing failed!
-2009-06-24 16:42:31.450: debug: Signing completed after 0s.
-2009-06-24 16:42:31.450: debug:
-2009-06-24 16:42:31.450: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:42:31.450: debug: Check RFC5011 status
-2009-06-24 16:42:31.450: debug: Check ZSK status
-2009-06-24 16:42:31.450: debug: Re-signing not necessary!
-2009-06-24 16:42:31.450: debug: Check if there is a parent file to copy
-2009-06-24 16:42:31.450: debug:
-2009-06-24 16:42:31.450: notice: end of run: 1 error occured
-2009-06-24 16:42:48.193: notice: ------------------------------------------------------------
-2009-06-24 16:42:48.193: notice: running ../../dnssec-signer -v -v
-2009-06-24 16:42:48.195: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:42:48.195: debug: Check RFC5011 status
-2009-06-24 16:42:48.195: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:42:48.195: debug: Check KSK status
-2009-06-24 16:42:48.195: debug: Check ZSK status
-2009-06-24 16:42:48.195: debug: Re-signing necessary: Modified keys
-2009-06-24 16:42:48.195: notice: "sub.example.net.": re-signing triggered: Modified keys
-2009-06-24 16:42:48.195: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:42:48.195: debug: Signing zone "sub.example.net."
-2009-06-24 16:42:48.195: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 F46ADF -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:42:48.212: error: "sub.example.net.": signing failed!
-2009-06-24 16:42:48.212: debug: Signing completed after 0s.
-2009-06-24 16:42:48.212: debug:
-2009-06-24 16:42:48.212: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:42:48.212: debug: Check RFC5011 status
-2009-06-24 16:42:48.212: debug: Check ZSK status
-2009-06-24 16:42:48.212: debug: Re-signing not necessary!
-2009-06-24 16:42:48.212: debug: Check if there is a parent file to copy
-2009-06-24 16:42:48.212: debug:
-2009-06-24 16:42:48.212: notice: end of run: 1 error occured
-2009-06-24 16:44:22.959: notice: ------------------------------------------------------------
-2009-06-24 16:44:22.959: notice: running ../../dnssec-signer -v -v
-2009-06-24 16:44:22.961: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:44:22.961: debug: Check RFC5011 status
-2009-06-24 16:44:22.961: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:44:22.961: debug: Check KSK status
-2009-06-24 16:44:22.961: debug: Check ZSK status
-2009-06-24 16:44:22.961: debug: No active ZSK found: generate new one
-2009-06-24 16:44:23.008: info: "sub.example.net.": generated new ZSK 14600
-2009-06-24 16:44:23.008: debug: Re-signing necessary: Modfied zone key set
-2009-06-24 16:44:23.008: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-24 16:44:23.009: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:44:23.009: debug: Signing zone "sub.example.net."
-2009-06-24 16:44:23.009: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86BF2F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:44:23.040: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:44:23.040: debug: Signing completed after 0s.
-2009-06-24 16:44:23.040: debug:
-2009-06-24 16:44:23.040: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:44:23.040: debug: Check RFC5011 status
-2009-06-24 16:44:23.040: debug: Check ZSK status
-2009-06-24 16:44:23.040: debug: Re-signing not necessary!
-2009-06-24 16:44:23.040: debug: Check if there is a parent file to copy
-2009-06-24 16:44:23.040: debug:
-2009-06-24 16:44:23.040: notice: end of run: 0 errors occured
-2009-06-24 16:50:36.189: notice: ------------------------------------------------------------
-2009-06-24 16:50:36.189: notice: running ../../dnssec-signer -v -v
-2009-06-24 16:50:36.191: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:50:36.191: debug: Check RFC5011 status
-2009-06-24 16:50:36.191: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:50:36.191: debug: Check KSK status
-2009-06-24 16:50:36.192: debug: Check ZSK status
-2009-06-24 16:50:36.192: debug: Re-signing not necessary!
-2009-06-24 16:50:36.192: debug: Check if there is a parent file to copy
-2009-06-24 16:50:36.192: debug:
-2009-06-24 16:50:36.192: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:50:36.192: debug: Check RFC5011 status
-2009-06-24 16:50:36.192: debug: Check ZSK status
-2009-06-24 16:50:36.193: debug: Re-signing not necessary!
-2009-06-24 16:50:36.193: debug: Check if there is a parent file to copy
-2009-06-24 16:50:36.193: debug:
-2009-06-24 16:50:36.193: notice: end of run: 0 errors occured
-2009-06-24 16:50:42.877: notice: ------------------------------------------------------------
-2009-06-24 16:50:42.877: notice: running ../../dnssec-signer -v -v -f
-2009-06-24 16:50:42.879: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:50:42.879: debug: Check RFC5011 status
-2009-06-24 16:50:42.879: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:50:42.879: debug: Check KSK status
-2009-06-24 16:50:42.879: debug: Check ZSK status
-2009-06-24 16:50:42.879: debug: Re-signing necessary: Option -f
-2009-06-24 16:50:42.879: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 16:50:42.879: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:50:42.879: debug: Signing zone "sub.example.net."
-2009-06-24 16:50:42.879: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 FB37DB -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:50:42.932: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:50:42.932: debug: Signing completed after 0s.
-2009-06-24 16:50:42.932: debug:
-2009-06-24 16:50:42.932: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:50:42.932: debug: Check RFC5011 status
-2009-06-24 16:50:42.932: debug: Check ZSK status
-2009-06-24 16:50:42.932: debug: Re-signing necessary: Option -f
-2009-06-24 16:50:42.932: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 16:50:42.932: debug: Writing key file "./example.net/dnskey.db"
-2009-06-24 16:50:42.933: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:50:42.933: debug: Signing zone "example.net."
-2009-06-24 16:50:42.933: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-06-24 16:50:42.978: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:50:42.978: debug: Signing completed after 0s.
-2009-06-24 16:50:42.978: debug:
-2009-06-24 16:50:42.979: notice: end of run: 0 errors occured
-2009-06-24 16:50:51.923: notice: ------------------------------------------------------------
-2009-06-24 16:50:51.923: notice: running ../../dnssec-signer -v -v -f
-2009-06-24 16:50:51.924: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:50:51.924: debug: Check RFC5011 status
-2009-06-24 16:50:51.924: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:50:51.924: debug: Check KSK status
-2009-06-24 16:50:51.924: debug: Check ZSK status
-2009-06-24 16:50:51.925: debug: Re-signing necessary: Option -f
-2009-06-24 16:50:51.925: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 16:50:51.925: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:50:51.925: debug: Signing zone "sub.example.net."
-2009-06-24 16:50:51.925: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E830EA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:50:51.972: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:50:51.973: debug: Signing completed after 0s.
-2009-06-24 16:50:51.973: debug:
-2009-06-24 16:50:51.973: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:50:51.973: debug: Check RFC5011 status
-2009-06-24 16:50:51.973: debug: Check ZSK status
-2009-06-24 16:50:51.973: debug: Re-signing necessary: Option -f
-2009-06-24 16:50:51.973: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 16:50:51.973: debug: Writing key file "./example.net/dnskey.db"
-2009-06-24 16:50:51.973: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:50:51.973: debug: Signing zone "example.net."
-2009-06-24 16:50:51.973: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-06-24 16:50:52.017: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:50:52.017: debug: Signing completed after 1s.
-2009-06-24 16:50:52.017: debug:
-2009-06-24 16:50:52.017: notice: end of run: 0 errors occured
-2009-06-24 16:51:19.914: notice: ------------------------------------------------------------
-2009-06-24 16:51:19.914: notice: running ../../dnssec-signer -v -v -f
-2009-06-24 16:51:19.916: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:51:19.916: debug: Check RFC5011 status
-2009-06-24 16:51:19.916: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:51:19.916: debug: Check KSK status
-2009-06-24 16:51:19.916: debug: Check ZSK status
-2009-06-24 16:51:19.916: debug: Re-signing necessary: Option -f
-2009-06-24 16:51:19.916: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 16:51:19.916: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:51:19.917: debug: Signing zone "sub.example.net."
-2009-06-24 16:51:19.917: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 8DBC26 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:51:19.969: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:51:19.969: debug: Signing completed after 0s.
-2009-06-24 16:51:19.969: debug:
-2009-06-24 16:51:19.969: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:51:19.969: debug: Check RFC5011 status
-2009-06-24 16:51:19.969: debug: Check ZSK status
-2009-06-24 16:51:19.969: debug: Re-signing necessary: Option -f
-2009-06-24 16:51:19.969: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 16:51:19.969: debug: Writing key file "./example.net/dnskey.db"
-2009-06-24 16:51:19.969: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:51:19.969: debug: Signing zone "example.net."
-2009-06-24 16:51:19.969: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
-2009-06-24 16:51:20.018: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:51:20.018: debug: Signing completed after 1s.
-2009-06-24 16:51:20.018: debug:
-2009-06-24 16:51:20.018: notice: end of run: 0 errors occured
-2009-06-24 16:55:38.094: notice: ------------------------------------------------------------
-2009-06-24 16:55:38.094: notice: running ../../dnssec-signer -v -v -f
-2009-06-24 16:55:38.096: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:55:38.096: debug: Check RFC5011 status
-2009-06-24 16:55:38.096: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:55:38.096: debug: Check KSK status
-2009-06-24 16:55:38.096: debug: Check ZSK status
-2009-06-24 16:55:38.096: debug: Re-signing necessary: Option -f
-2009-06-24 16:55:38.096: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 16:55:38.096: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:55:38.097: debug: Signing zone "sub.example.net."
-2009-06-24 16:55:38.097: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 69AB8E -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-24 16:55:38.144: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: NSEC3RSASHA1."
-2009-06-24 16:55:38.144: debug: Signing completed after 0s.
-2009-06-24 16:55:38.144: debug:
-2009-06-24 16:55:38.144: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:55:38.144: debug: Check RFC5011 status
-2009-06-24 16:55:38.144: debug: Check ZSK status
-2009-06-24 16:55:38.144: debug: Re-signing necessary: Option -f
-2009-06-24 16:55:38.144: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 16:55:38.144: debug: Writing key file "./example.net/dnskey.db"
-2009-06-24 16:55:38.144: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:55:38.144: debug: Signing zone "example.net."
-2009-06-24 16:55:38.144: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
-2009-06-24 16:55:38.182: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: RSASHA1."
-2009-06-24 16:55:38.182: debug: Signing completed after 0s.
-2009-06-24 16:55:38.182: debug:
-2009-06-24 16:55:38.182: notice: end of run: 0 errors occured
-2009-06-24 17:12:06.145: notice: ------------------------------------------------------------
-2009-06-24 17:12:06.145: notice: running ../../dnssec-signer -v -v -f
-2009-06-24 17:12:06.147: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 17:12:06.147: debug: Check RFC5011 status
-2009-06-24 17:12:06.147: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 17:12:06.147: debug: Check KSK status
-2009-06-24 17:12:06.147: debug: Check ZSK status
-2009-06-24 17:12:06.147: debug: Re-signing necessary: Option -f
-2009-06-24 17:12:06.147: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 17:12:06.147: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 17:12:06.147: debug: Signing zone "sub.example.net."
-2009-06-24 17:12:06.147: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 589BFC -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-24 17:12:06.204: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 17:12:06.204: debug: Signing completed after 0s.
-2009-06-24 17:12:06.204: debug:
-2009-06-24 17:12:06.204: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 17:12:06.204: debug: Check RFC5011 status
-2009-06-24 17:12:06.204: debug: Check ZSK status
-2009-06-24 17:12:06.204: debug: Re-signing necessary: Option -f
-2009-06-24 17:12:06.205: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 17:12:06.205: debug: Writing key file "./example.net/dnskey.db"
-2009-06-24 17:12:06.205: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 17:12:06.205: debug: Signing zone "example.net."
-2009-06-24 17:12:06.205: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
-2009-06-24 17:12:06.259: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 17:12:06.259: debug: Signing completed after 0s.
-2009-06-24 17:12:06.259: debug:
-2009-06-24 17:12:06.259: notice: end of run: 0 errors occured
-2009-06-30 11:35:09.298: notice: ------------------------------------------------------------
-2009-06-30 11:35:09.298: notice: running ../../dnssec-signer -v -v
-2009-06-30 11:35:09.326: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 11:35:09.326: debug: Check RFC5011 status
-2009-06-30 11:35:09.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 11:35:09.326: debug: Check KSK status
-2009-06-30 11:35:09.326: debug: Check ZSK status
-2009-06-30 11:35:09.326: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (499847 sec)
-2009-06-30 11:35:09.326: debug: ->waiting for published key
-2009-06-30 11:35:09.326: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d18h50m47s: ZSK rollover deferred: waiting for published key
-2009-06-30 11:35:09.326: debug: New key for publishing needed
-2009-06-30 11:35:09.482: debug: ->creating new key 32345
-2009-06-30 11:35:09.482: info: "sub.example.net.": new key 32345 generated for publishing
-2009-06-30 11:35:09.482: debug: Re-signing necessary: Modfied zone key set
-2009-06-30 11:35:09.483: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-30 11:35:09.483: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-30 11:35:09.483: debug: Signing zone "sub.example.net."
-2009-06-30 11:35:09.483: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E84B0F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-30 11:35:09.838: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 11:35:09.838: debug: Signing completed after 0s.
-2009-06-30 11:35:09.838: debug:
-2009-06-30 11:35:09.838: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 11:35:09.838: debug: Check RFC5011 status
-2009-06-30 11:35:09.838: debug: Check ZSK status
-2009-06-30 11:35:09.838: debug: New key for publishing needed
-2009-06-30 11:35:09.896: debug: ->creating new key 48089
-2009-06-30 11:35:09.896: info: "example.net.": new key 48089 generated for publishing
-2009-06-30 11:35:09.896: debug: Re-signing necessary: Modfied zone key set
-2009-06-30 11:35:09.897: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-06-30 11:35:09.897: debug: Writing key file "./example.net/dnskey.db"
-2009-06-30 11:35:09.897: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-30 11:35:09.897: debug: Signing zone "example.net."
-2009-06-30 11:35:09.897: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
-2009-06-30 11:35:09.997: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 11:35:09.997: debug: Signing completed after 0s.
-2009-06-30 11:35:09.997: debug:
-2009-06-30 11:35:09.997: notice: end of run: 0 errors occured
-2009-06-30 12:01:53.878: notice: ------------------------------------------------------------
-2009-06-30 12:01:53.878: notice: running ../../dnssec-signer -v -v
-2009-06-30 12:01:53.880: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 12:01:53.881: debug: Check RFC5011 status
-2009-06-30 12:01:53.881: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 12:01:53.881: debug: Check KSK status
-2009-06-30 12:01:53.881: debug: Check ZSK status
-2009-06-30 12:01:53.881: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501451 sec)
-2009-06-30 12:01:53.881: debug: ->waiting for published key
-2009-06-30 12:01:53.881: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m31s: ZSK rollover deferred: waiting for published key
-2009-06-30 12:01:53.881: debug: Re-signing not necessary!
-2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy
-2009-06-30 12:01:53.881: debug:
-2009-06-30 12:01:53.881: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 12:01:53.881: debug: Check RFC5011 status
-2009-06-30 12:01:53.881: debug: Check ZSK status
-2009-06-30 12:01:53.881: debug: Re-signing not necessary!
-2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy
-2009-06-30 12:01:53.881: debug:
-2009-06-30 12:01:53.881: notice: end of run: 0 errors occured
-2009-06-30 12:02:05.490: notice: ------------------------------------------------------------
-2009-06-30 12:02:05.490: notice: running ../../dnssec-signer -f -v -v
-2009-06-30 12:02:05.492: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 12:02:05.492: debug: Check RFC5011 status
-2009-06-30 12:02:05.492: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 12:02:05.492: debug: Check KSK status
-2009-06-30 12:02:05.492: debug: Check ZSK status
-2009-06-30 12:02:05.492: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501463 sec)
-2009-06-30 12:02:05.492: debug: ->waiting for published key
-2009-06-30 12:02:05.492: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m43s: ZSK rollover deferred: waiting for published key
-2009-06-30 12:02:05.492: debug: Re-signing necessary: Option -f
-2009-06-30 12:02:05.492: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-30 12:02:05.492: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-30 12:02:05.492: debug: Signing zone "sub.example.net."
-2009-06-30 12:02:05.492: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50B303 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-30 12:02:05.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 12:02:05.543: debug: Signing completed after 0s.
-2009-06-30 12:02:05.543: debug:
-2009-06-30 12:02:05.543: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 12:02:05.543: debug: Check RFC5011 status
-2009-06-30 12:02:05.543: debug: Check ZSK status
-2009-06-30 12:02:05.543: debug: Re-signing necessary: Option -f
-2009-06-30 12:02:05.543: notice: "example.net.": re-signing triggered: Option -f
-2009-06-30 12:02:05.543: debug: Writing key file "./example.net/dnskey.db"
-2009-06-30 12:02:05.544: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-30 12:02:05.544: debug: Signing zone "example.net."
-2009-06-30 12:02:05.544: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
-2009-06-30 12:02:05.602: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 12:02:05.602: debug: Signing completed after 0s.
-2009-06-30 12:02:05.602: debug:
-2009-06-30 12:02:05.602: notice: end of run: 0 errors occured
-2009-06-30 13:02:04.436: notice: ------------------------------------------------------------
-2009-06-30 13:02:04.436: notice: running ../../dnssec-signer -v -v
-2009-06-30 13:02:04.438: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 13:02:04.438: debug: Check RFC5011 status
-2009-06-30 13:02:04.438: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 13:02:04.438: debug: Check KSK status
-2009-06-30 13:02:04.438: debug: Check ZSK status
-2009-06-30 13:02:04.438: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (505062 sec)
-2009-06-30 13:02:04.438: debug: ->depreciate it
-2009-06-30 13:02:04.439: debug: ->activate published key 32345
-2009-06-30 13:02:04.439: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded: ZSK rollover done
-2009-06-30 13:02:04.439: debug: Re-signing necessary: Modfied zone key set
-2009-06-30 13:02:04.439: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-30 13:02:04.439: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-30 13:02:04.439: debug: Signing zone "sub.example.net."
-2009-06-30 13:02:04.439: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 0140D2 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-30 13:02:04.491: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 13:02:04.491: debug: Signing completed after 0s.
-2009-06-30 13:02:04.491: debug:
-2009-06-30 13:02:04.491: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 13:02:04.491: debug: Check RFC5011 status
-2009-06-30 13:02:04.491: debug: Check ZSK status
-2009-06-30 13:02:04.491: debug: Re-signing not necessary!
-2009-06-30 13:02:04.491: debug: Check if there is a parent file to copy
-2009-06-30 13:02:04.491: debug:
-2009-06-30 13:02:04.491: notice: end of run: 0 errors occured
-2009-06-30 13:02:21.019: notice: ------------------------------------------------------------
-2009-06-30 13:02:21.019: notice: running ../../dnssec-signer -f -v -v
-2009-06-30 13:02:21.021: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 13:02:21.021: debug: Check RFC5011 status
-2009-06-30 13:02:21.021: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 13:02:21.021: debug: Check KSK status
-2009-06-30 13:02:21.021: debug: Check ZSK status
-2009-06-30 13:02:21.022: debug: Re-signing necessary: Option -f
-2009-06-30 13:02:21.022: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-30 13:02:21.022: debug: Writing key file "./sub.example.net/dnskey.db"
-2009-06-30 13:02:21.022: debug: Signing zone "sub.example.net."
-2009-06-30 13:02:21.022: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86F43F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-30 13:02:21.070: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 13:02:21.070: debug: Signing completed after 0s.
-2009-06-30 13:02:21.070: debug:
-2009-06-30 13:02:21.070: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 13:02:21.070: debug: Check RFC5011 status
-2009-06-30 13:02:21.070: debug: Check ZSK status
-2009-06-30 13:02:21.070: debug: Re-signing necessary: Option -f
-2009-06-30 13:02:21.070: notice: "example.net.": re-signing triggered: Option -f
-2009-06-30 13:02:21.071: debug: Writing key file "./example.net/dnskey.db"
-2009-06-30 13:02:21.071: debug: Incrementing serial number in file "./example.net/zone.db"
-2009-06-30 13:02:21.071: debug: Signing zone "example.net."
-2009-06-30 13:02:21.071: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
-2009-06-30 13:02:21.121: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 13:02:21.121: debug: Signing completed after 0s.
-2009-06-30 13:02:21.121: debug:
-2009-06-30 13:02:21.121: notice: end of run: 0 errors occured
+++ /dev/null
-
-zone "example.NET." in {
- type master;
- file "example.net/zone.db.signed";
-};
-
-zone "sub.example.NET." in {
- type master;
- file "sub.example.net/zone.db.signed";
-};
--- /dev/null
+;% generationtime=20100331230548
+;% lifetime=28d
+example.de. IN DNSKEY 256 3 5 BQEAAAABx4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/ 2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: x4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: MWWd0AvKmimZrtVrPrTAK/UD0ZrJuL3Rcxw6qzxPWE5S3KcdJNtt5HzOPeGWIZVN8rBtPCSRhiksjugrMqkMRQ==
+Prime1: 48VMTrU7heYjFQ5ou7rSOpqt2Eot+EBDjYUPKeOR268=
+Prime2: 4EGLA3LuyNrDfBHTn0xmGHdO3DvHn6YUmJKh/98WzFc=
+Exponent1: WhbPWcw2bisYr9cS59vOFmLxvbXUQgJZTZVYSDW3EF0=
+Exponent2: BoCEx7RES9scWl7PFrUZzrzjDIZiBUICbw4BViSUVWs=
+Coefficient: DmwngpeIb8+dzC9ETnQOojRJTv1MRpW4k0Jo1NfAC+c=
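Review bot: The full RSA private key (PrivateExponent, Prime1, Prime2, Exponent1/2, Coefficient) for the example.de zone-signing key is added to the source tree here, next to its public DNSKEY in the preceding section, so everyone who clones the repository holds a usable signing key for this example. That is tolerable only for a throwaway fixture, and the key is also deliberately weak: the modulus is 64 bytes (a 512-bit RSA key) with Algorithm 5 (RSASHA1), well below what a production zone should use. Because the example's signing run invokes `dnssec-signzone ... K*.private` from the zone directory, any key file dropped there is picked up, so I would add a short README to the example directory stating that these keys are demonstration-only, intentionally small, and must be regenerated (never copied) before the layout is reused for a real zone. Whether the files are checked in with restrictive permissions (0600) cannot be seen from the diff and should be confirmed.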
+++ /dev/null
-;% generationtime=20081116180040
-;% lifetime=365d
-example.de. IN DNSKEY 257 3 5 BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT m5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnB q1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mU jQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mUjQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: AcxmOS9ewHH4UTWVHOSEyONodDImWb5DFyMOUzn3FCkdBEnsOAYTO8/noT3PP0uoMK0s7/BlIReEqsyCVcgQVrTbJszoKlwhHT+XO60i3wPJIWF9u8ouFDnGLkbSRpw6L72uRZy9SdSWUWHdlRayK6T3uJGrcsCLIlzaSue1vXjdUobHMVxQ+mPCFNjSgRWOvTxGcsoXPKx5MjrmAUEnLyQuoQ==
-Prime1: A50KZhIYCkyx48okZHgirDXs0cVYf2OOvLcNKF4AvBBTwoV9+oFfTd+wKy9f+G/FqVBV1s4rv/M7UCpAFJPCqaDkt+EEv5DNnX69RgvwBrHyxQ==
-Prime2: A5KoV2IkWEM9Djm8pZay/fQpM8coQxVutNDb9G4ADMwpwK5ddGifS38jPlHenUKDxSFtfOZBQbyf7ra/lSttpOqSnr/e6s6HHRn5TYfdR9IXKQ==
-Exponent1: eWP9FtwMjnnrsAhQlO7Fbko74gKGRVaygSe4Pd+TGM22dHDZCCoc//IBL+s2Dhezy1l8xiOPVbcxzxHMbqrQhPENi7HihDwiR1WfuSaoIfod
-Exponent2: AweXUxlW7qBg+v2qV5cCZl+gvTBW/1vP7llsoOqbHR69xLklXEV96TlEbKU8hoSnq8ts8qqh4/HFj1d+KRTeHWpseUm0GXdK/k7ZvYfr7KVHUQ==
-Coefficient: AwVZtbgFX0bAOj9J2p48qYAn3EaIuCvzDYoIE3E/m3NZS8UXQ5MK12AFhulRYpWOgZCIWK9fH0MTvtDFk3I5vyFTMhovDBrSWNn/+TJ47CwrBQ==
--- /dev/null
+;% generationtime=20100224232104
+;% lifetime=28d
+example.de. IN DNSKEY 256 3 5 BQEAAAABsbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFes ZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: sbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFesZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: PHPdKKwdgE+02a+6R+2xk7RfPUmjIW0dclILS0uQ2GL2lYJCaFKoMEZJb/30CkJLWBBGUS4XUPzplYQ8VLn6gQ==
+Prime1: 5efr+OinaF8nLpI/N1EuTxuoSbILnPn5pSWVpwJPgTk=
+Prime2: xdzEgtE9CEHT06oa0yM+lLMJp2K6RlBiByRo13Sd8VE=
+Exponent1: dE2UZNfo/uln1Yq9lz3pImp5gWDjeT+sYIdBBk8qfOk=
+Exponent2: TPXU6D9veGi9J41RR3KvLo4s3u/rQWHXyQrO6jQwX0E=
+Coefficient: t1ysP5l5JUhi+d3GvFN0EyZAv1nW31lsL+4979deLsw=
+++ /dev/null
-;% generationtime=20080914221502
-;% lifetime=365d
-example.de. IN DNSKEY 257 3 5 BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t CKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r2 60jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8E uw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8Euw==
-PublicExponent: AQAAAAE=
-PrivateExponent: CxINUgbVqMf0BnMNYq3aL8ucN4fael2ljQYgDCpcTMfqVuRo+Vo6sMEr3C6Bw8MTHWo2jMxdulyS4tsiMQVVjWUArFL/sfFYLwopjOExcneji6noi8n9dzgslNpo3QAdnKwDGUwj+k7CBzCbLSZ5xpt/eaHcN4l1buQ0tcqShthdh7sNHFX1nAqjsLa7xxCiBsliA6LD/QTAAzcbED0Xw7SJWQ==
-Prime1: A+RY6jx9urFg5GeyRqrAiqqClEzyWgEM4HsJn/oQ38PE6NrPzcG9U95um79u1WwWtXe5xTifInhN40CpxQYH45NFjZEuEvROvkXk5JHV9b5UHw==
-Prime2: A2949khdV+cKgI2EHmRIu7PJUFkBgrMXacwVpGdaN41NpJYFRYW8qoPmKRrw/Fji7GZj0rrro51XT7JNDbC44dX/bGdNa/eWvslPJGfCR4Gb5Q==
-Exponent1: rVHNFnlV2HXIOzi9+2Hit8m7bNXrVXA/DJ3lGCzDL2PzpvQcrL6mMXzaYznP9XaSgyR9M8u+Tdwqq11lHsnWhNLyWKTyAlO5WP3syQD3+0Jp
-Exponent2: ArQCCQS8lPgDvu7LI3q5tanr2nmM2uMzPNud9EPSqAql8iEIgOZDLDsMDZd9QHm2Dicjc2UifTcJgQlc3OACSVYkkxjvHKO7t03KNoZkhceTTQ==
-Coefficient: GUOOUFWtz0iCPZx1ljdxpP3T4hW7Jux1zcfV6PwX+Nx+8KcawXFfNxjsC1+Sla9Txv02Kgqg9Mh3mCNGynimcbkmmOcfyozKOttAD1sheFK0
+++ /dev/null
-;% generationtime=20090615065826
-;% lifetime=28d
-example.de. IN DNSKEY 256 3 5 BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: ty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: Sgdg/vt18JrFh/MgiSh6g/DUiIosmsQlu5QWp5Zep+rUNf0aUZkS4ywyMGGlfUE4LyzvAJD8HkxI3/Xt8rIm1Q==
-Prime1: 3TyP1P5STSSTQDaPCYf/H6kJZ92k9X9OaGLoZHSjQoM=
-Prime2: 0/bjZ7845gImcCtvCthOPQMiVZcAhEzlrS8A6bs7I2c=
-Exponent1: OjNeVeQqqqpfClERHq9yR/OmkMQBY7Zw5ArUZNCbXG0=
-Exponent2: mEFLtn8DnI1G8b583qzvs5Qwa9cYjTiZU3WHjs6ROfc=
-Coefficient: IT6JOaFB5uiS9EzlTAA1zJD44EpkTAggFoPkRfJG4Ao=
+++ /dev/null
-;
-; !!! Don't edit this file by hand.
-; !!! It will be generated by dnssec-signer.
-;
-; Last generation time Jul 04 2009 01:30:24
-;
-
-; *** List of Key Signing Keys ***
-; example.de. tag=47280 algo=RSASHA1 generated Dec 28 2008 23:55:28
-example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR
- mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t
- CKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r2
- 60jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8E
- uw==
- ) ; key id = 47280
-
-; example.de. tag=37983 algo=RSASHA1 generated Dec 28 2008 23:55:28
-example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU
- YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT
- m5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnB
- q1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mU
- jQ==
- ) ; key id = 37983
-
-; *** List of Zone Signing Keys ***
-; example.de. tag=55529 algo=RSASHA1 generated Jun 24 2009 17:12:33
-example.de. 3600 IN DNSKEY 256 3 5 (
- BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC
- XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
- ) ; key id = 55529
-
+++ /dev/null
-example.de. IN DS 37983 5 1 635B486D53D19B16BC4A87366BC2D5626978F4B9
-example.de. IN DS 37983 5 2 5B8412FE443D8F4F77AC4C89FF12289DA88998D864EC68E3E5A4EE2C B192F9DC
-example.de. IN DS 47280 5 1 149C886C8175B220A964D4293EB4FCFAC1650974
-example.de. IN DS 47280 5 2 466E738B6913F7081DE5E17FC3567771618AB1D6CB0A333270A4AC24 7DB14DD0
+++ /dev/null
-;% generationtime=20080506225722
-;% lifetime=20d
-;% expirationtime=20080711220959
-example.de. IN DNSKEY 385 3 5 BQEAAAABCyg92L7v21N3lc/gR07/2iLmvt6dUn1KKauLvmkRuT040XT+ Rd3Iq20iq6BqVPsPS+hCOTRA3xikTIn5YzmPLPutIRtjIodHhsrML4D9 Pp1dzgEDKWLam96v+E7KC0GGH/BI6/WelqeqjS5BjI4Gjv4roaTyDCi6 3oXwcMFDVwrSjws4A/5AGANka41Aky+UCGse6+64YmNP/QkSXDAeBZqw rw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: Cyg92L7v21N3lc/gR07/2iLmvt6dUn1KKauLvmkRuT040XT+Rd3Iq20iq6BqVPsPS+hCOTRA3xikTIn5YzmPLPutIRtjIodHhsrML4D9Pp1dzgEDKWLam96v+E7KC0GGH/BI6/WelqeqjS5BjI4Gjv4roaTyDCi63oXwcMFDVwrSjws4A/5AGANka41Aky+UCGse6+64YmNP/QkSXDAeBZqwrw==
-PublicExponent: AQAAAAE=
-PrivateExponent: CGYBtGSIMmSFoqnh6yYuoYlvTP2O7vkBdRrfkN43NwdlQVhco+wQO55QxCZNhCcbp2xau9IdejetNH0pQ3Zfg2Vllx78F8VMTMqkgw2HudWS/RahkMg+Hq6DBUaX/LYt90ToGyy5+FmyBm4fOV8FxJVrmTFMw4m7ULp3FgRcxmzS5zNjKYP2LKU/pYz0wFpyAr88DGNjChgwvRN/GE4obsoJgQ==
-Prime1: A18v8idXV3o9tpIzalTEpOeDX7OxKumhUsoDpPhOJf7XqHLS6hYoYwFbRObF23Zi/3kHiAoGffR1Dkd+ji3xZhFOSEcUDuikQ2jdzdY8NxbzQQ==
-Prime2: A08XMjIEpsViYvYB+ChuYxPbq7Z/eHtT/r5f8zS+nuEUwYAlKeq/i+U5sIydC1txv5XQuRPqpjtlZTClJ85BpS0GnSspG5PcY3OMwkA2smLX7w==
-Exponent1: AcLu8YM68M8LtP7Dr7vYI+vJK6RK5SN/mAnz4ALt53igCUB/iVrfvBWCHp7hEgkRZUQQoItbT9C6YXrC3G9DW+IldSP8vrtqYva4YDBD2X1LAQ==
-Exponent2: JdJVp3CAJPPcx0KiKDS8gHDiu22CBV2w1cycnXgwFmJl4aQkbTA7/xlgl15r3lByacAc19JreArqgCQRQV3bS7NG2PiQmzO26XkwCq+Kj7OJ
-Coefficient: i6sKgv2zpCvdY9fChryaf5nZyb4nFd2dG/vnjQScBz8YVw4LnfL/XqKIego0Ez6/KlL4AnvkcafzogJ+MtmBB7V4RXEyObcbR6M/MLGMhpL8
+++ /dev/null
-;% generationtime=20080608210458
-;% lifetime=20d
-;% expirationtime=20080914221502
-example.de. IN DNSKEY 385 3 5 BQEAAAABDrm5aXRPuZOmwT4nINnY2qXyXWLtutggFAJgBW5Ua7uzAR+7 r/DcOE7IfjnT5FQhbYXIuKy61uOEqPu1TYvDsGb1pseKSB4J0jmXDU9N tu9TDp6X6ZXE11+cFdATa4TPnsAUMSxVkLZanrbyACmcNr1gjT3dz6qI VBVPb5OnUldndbgtlOX3wcE0aR/MIsIjz1UQl/QoxbVclZVOUNdJQGb9 zQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: Drm5aXRPuZOmwT4nINnY2qXyXWLtutggFAJgBW5Ua7uzAR+7r/DcOE7IfjnT5FQhbYXIuKy61uOEqPu1TYvDsGb1pseKSB4J0jmXDU9Ntu9TDp6X6ZXE11+cFdATa4TPnsAUMSxVkLZanrbyACmcNr1gjT3dz6qIVBVPb5OnUldndbgtlOX3wcE0aR/MIsIjz1UQl/QoxbVclZVOUNdJQGb9zQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: AQM2fRAmc6coPLeTHAK1DCHOYCRPSjsHYXoOzwMzzdIpHschjfxka35UdNSGKYpqM9E+VTZmV96w9ZZK5recxYak/6F72ZYTIYtsWYqCkej18nzhpnlt4nASnRt0nsS9UVVwc1Y7QxqRtSVXEcgcbiW3lr0jq+PSBf/HjY9qOHV4ExXlz7KPYOWbJa1YLFnvGlMd/W7hmQvXNEfTvOwjKURV4Q==
-Prime1: A/0Yax4evJzC7VSw0Swt0KNM7gtIJ9nwzDCrTymulzKhu6Wgeu0veU9OAGDhv0Yfmn0kr1JLITpMu4uo3a5jfLb18yZEAyPphejZBA+wPIll+Q==
-Prime2: A7EcplBfPWZmeCeL6UnFz4h45nxi3jRfQT00k34Nu5aFt5v+ngExbatcoOMnEKZSq2SQKDQRTp6XBOiwPNB9mVaLmzl9k9tyX6JvkCBEDrM7dQ==
-Exponent1: AjoJbjmJarH7I4Zj5UPc9r0I5NtVgrAx4ZltcqPN07/1cBS2QAnZuMSLUvv8pkK+Lng9Wdy9c2FL0XjWY5Q+ORYj4ONGl9OWpi2zKqpTw4WgOQ==
-Exponent2: AZfFGuYsztbn6tHFUIdIeXfaFTYyVbSfCEUp2Uv8N75QMyyuT4dzAlkU2cfSg3oAefrlCKWqXtLv9XlOJ1hTeXZOz8jyYAyhvGWGoHmSbeaNKQ==
-Coefficient: AX6DKJRk0GXwCnkpfbn91myfZ2wgsUTXKjqasdlTqm3JL9Rtpq8J2MWPhexcSSz8DNa5LQlGduE1nh4eqqntnSNckD6CeImMdWgTNbQS3zV8Bw==
+++ /dev/null
-;% generationtime=20080711221000
-;% lifetime=20d
-;% expirationtime=20081116180039
-example.de. IN DNSKEY 385 3 5 BQEAAAABDfaBERX9p+FUi1OXYVig7zLCQFZoRYpwDDuLzBcC7k+G1+wW dftyA1vBm5HMpyq0OifT0Hsez4+H+0CIWHZP8oPCYfKrq+wM2EgMzDDO Yv+O1TQU4i3G+iONxB1RAwH/J2lA+U0zCbrdf0KLq/enNquchhPw4gCX 0RB9HC+TkpoPf2u7aKFcjlpw4C4uhDl1s6FpfdXe6NQWW6c+ONUcLAEt +w==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DfaBERX9p+FUi1OXYVig7zLCQFZoRYpwDDuLzBcC7k+G1+wWdftyA1vBm5HMpyq0OifT0Hsez4+H+0CIWHZP8oPCYfKrq+wM2EgMzDDOYv+O1TQU4i3G+iONxB1RAwH/J2lA+U0zCbrdf0KLq/enNquchhPw4gCX0RB9HC+TkpoPf2u7aKFcjlpw4C4uhDl1s6FpfdXe6NQWW6c+ONUcLAEt+w==
-PublicExponent: AQAAAAE=
-PrivateExponent: /MDd0rAZf9mm/3cDi6TjTqeegMmnidhKYIzxyz1+quzwOA16L3jLf3ucWjz/BlEiOYh1CZbAroGRYqBAskys8u7FDinOQEP5cEn5NUyL5z0WebSCO+qnaqaQSokRs0oUx3+e9tJc9GhhmZIVNXQe4mYxfeYCl6KZS9CXe22y31PkvJ+SQIBh/I+SQnM4rbW012rKroAxdHfTvmalofx+Qb1h
-Prime1: A/5Pkk5UAGvEa06GrEcATMOjsxZ0BbgalPuJKLLTFzvtYhdlJY738oY0QfsHba9hEC+iiSwfjWYyNlH/7bcVqSFtbLJiJ0aUfvObj75qw4HjXQ==
-Prime2: A38aQzy3UrARKcwUqCiQrSOTM5P7xIDfbruW7ywmaWA1lXCvP3EJAal6MYs0pG2vx1cxVTIPva3Se26NkGaBqZw+RgHxmRmfgxvSoCfWXGZZNw==
-Exponent1: OvPYJBkVUbncb0mBtTe5uwa9RgGlCgW4ges93zf3UQuHGvAesUFNnMh6y9zi4vgyVNbz2KOSnA91onc9l42b6NwqRNbExGhDsMc8NQi16vnF
-Exponent2: AkkCNzHuGv3HaQ4MpRT/PLPA2UONseMBvJHWlgK+aO2xb6/7I09sPqKnJ4f6Bj5jL8efNZYHWsaN4l335V9lc5791opU+07LHHpULn2qVRpJYw==
-Coefficient: An94juF2F5cDtoMC6gwI5iaWDH/qxkeuZ62fnMFoMY18XO0/clTVfdW7XvXCOn1DQyDLDOYpxR5MfeDKkbxtGGYKABWBOWlyaS1A5D5wTQRJzw==
+++ /dev/null
-$ORIGIN .
-example.de 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
- Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
- z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
- z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
- 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
- us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
- 8Mlp1+mUjQ==
- ) ; key id = 37983
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
- LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
- 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
- vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
- lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
- GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
- K9bqDM8Euw==
- ) ; key id = 47280
+++ /dev/null
-; KSK rollover phase2 (this is the new key)
-sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
- W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
- j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
- 04a9eVgvhME=
- ) ; key id = 26451
+++ /dev/null
-;% generationtime=20090624151233
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: uRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: aSzCu6CvJa0ABmgFOLLsIpvCHkuGUUszn56T6JrEqbFrVapdYaYlaw76m6aQ/esEx5jRqBjmbjTlbI3mtblxQQ==
-Prime1: 6k517gzC9UDjFcveMB+lfD18Q/2SO3yiy+ugDdxtzok=
-Prime2: yjLNwFrUyQvebLb3EeUpvaPyFAru/KFhbskaGlKUfkk=
-Exponent1: xMVCDp0L87uIsqvOGWoXvzO5uyK1ING1Eff/EAwWCzE=
-Exponent2: g4KaqnwxQrZdgAPma04NWpQk7vEgzKdKOBCVILhW+QE=
-Coefficient: fZsDNVAIdQYAD281j3BfVnraBU/jnNTCxxz/zAKJexw=
+++ /dev/null
-;% generationtime=20090615065624
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: stcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
-PublicExponent: AQAAAAE=
-PrivateExponent: p47j7xj0y+cF9AFjsRfak8KNTAyzUmw31PNlocOWNArcC7YzNA/E1xdjsdTICI6f47Ozuk0XSCS26Evd9D0UIQ==
-Prime1: 40dBU3fjj3rXcUO9bgSVeMwJjbeXFi+x8WZ5v0UQjPE=
-Prime2: yXC+OLWVbVu0NOCHolcQfyk2SepCknuZZ/DCn3j2+zs=
-Exponent1: hlGqyB1o6RWsLL3V2bTKssQYn6smvuUCHQrdyWira/E=
-Exponent2: xKKBa6eOsCOygJAI9OK8k1jUp8HQKQTNUJ3lUWEVn88=
-Coefficient: pCt9BOElLNatY5c0uSpUav2GbAyIkJ6ngFLj39q4Om8=
+++ /dev/null
-;% generationtime=20090703233023
-;% lifetime=5d
-sub.example.de. IN DNSKEY 257 3 1 BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ jyZPu//rrNM=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: xmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
-PublicExponent: AQAAAAE=
-PrivateExponent: XlDWosjdpEbIW8ZRePu+4sLTs+RCmA9bvovqke/u0Ihkf6zWx6J2DnYj182ohyoJlVr1NnLILTkNhJn6JI0uBqJ7KRDVXl+U2mHnQNwGqbBu2X7Jie4xFMp233n6Z/HNpj5RM5THQ5tFEJk+TIvq/Hm9z8fvAaeYnHVhrTTJL8E=
-Prime1: /igp3zZZKfWKdgOkCgHxL8hHemOTtGfEpi6ZYkffjLKiSOZJdMNHjLXEBCxsYN/z0nB0XXhIbSoUAv/EQVoiGw==
-Prime2: x9Fnz8jP/a1OIK9P0BDnEmjXFB8oa5T9/qpKGA39mH/8qUnlrjlXOYfD/3tWSdEJYFVVnfC5j+toAL+S0xwLqQ==
-Exponent1: 8Jzwnn7H+XAirDxPLBq1LUGyVU6HwB5iBzomgzRwIYcVyZ42703Hj+EWJDDcA8do637glysqT+TJspaoJHwOLQ==
-Exponent2: AcOgKCzXdN3++cGAJxOS/MSETfFCWn1msgTeTw744kqGLVdnN3qX5yXGrneVjZGziKYLzLnKOs07AkT2uthRuQ==
-Coefficient: czI2hMFi9kfCMkcNwKWk+3sGUD7bXNI7HVmkTS6dnCmB6jGIlN3gtqDlNFLd7RcHhicOMGpIHE6JVT8vSkfouA==
--- /dev/null
+;% generationtime=20100311230027
+;% lifetime=3d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABxKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+ fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: xKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: LDta/Lx7ETLqQamSm9XAERno+ixf6Dl/cq10zcd8QNLuvleFqMvtRURxfhFhNlrvFTuckz1IzIX7ufecSrarYQ==
+Prime1: 5x1rjqJnLrLUd+i4DUmSutQQrQZWg+vzwurpGkxBCTc=
+Prime2: 2dmVy5A1h7avKD9Ez0rcg1G96wxVkdp+/8AvXEYe+QM=
+Exponent1: Fx9QLrquictb9W74f5gmRs5wQcsyWjkNVXUE/eb84l0=
+Exponent2: kexPooMJG2rfGbnWG0Mnav28EcV7q7xNnIHELjRCfWU=
+Coefficient: Liq85Ma7Ki3tZePKv/v+he9UgH7J5tgDnmHof0370/M=
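Review bot: The ZSK private key added in this section is 512-bit RSA — its `Modulus:` line is 88 base64 characters, which decodes to 64 bytes — and the same applies to the two later added ZSK key files (the lifetime=3d and lifetime=2d keys) whose moduli have the same length; 512-bit RSA is well below any current guidance for DNSSEC keys, so a reader who treats these fixtures, or the parameters that generated them, as a template ends up with signatures that give little real assurance. The deleted dnssec.conf in this chunk sets `zsk_bits 512`, which is consistent with these key sizes; whether a replacement config raises it is outside this view. The `.private` format is fixed by the signer and cannot carry a comment, so the caveat belongs next to the example config or in the example's documentation, e.g. `# example fixtures only: 512-bit ZSKs are for demonstration, use a larger zsk_bits for real zones`. Since these key files also place the full private exponent and primes in the repository, the documentation should state explicitly that the sub.example.de keys are public test material and must never be reused for a real zone.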
--- /dev/null
+;% generationtime=20100311234526
+;% lifetime=7d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB5pX0X0XUdIwL0/k/VoAsC33UZ9xk/U2v5KKBFZKM3TqQzL13 EcucIdpDsazbz3slOHbHXsZYjFtJws+ZZKq/53AygNiRvjTeQskYY1W9 6dN+3keQdlwgIGQL0HnjBSksm42T2HXFlQfi/3YHlun1MzHzd78xpeuZ lvW8DPh+/CM=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 5pX0X0XUdIwL0/k/VoAsC33UZ9xk/U2v5KKBFZKM3TqQzL13EcucIdpDsazbz3slOHbHXsZYjFtJws+ZZKq/53AygNiRvjTeQskYY1W96dN+3keQdlwgIGQL0HnjBSksm42T2HXFlQfi/3YHlun1MzHzd78xpeuZlvW8DPh+/CM=
+PublicExponent: AQAAAAE=
+PrivateExponent: fWmnzNBw5Pz/Zk7x3dJwg36L+myF19pas+uYon6bL1WuIYGSu5TnZbmPemkyo2XrWedlv5+sXdpY5H2axgpmKtDyBCmjCSL00ohcjQlFNmp5U4YPU1cvlfnCCCUMRVzzTwp1iZ39Y1rGKTALITOazux161s1V+C8xErGnMYXjhE=
+Prime1: +H/1W3Qgd6CCwi3cwrtfWzhosSjbb7+6WVo7bX2Rn6EBWyo07Y7WpIGAEdkBGsPn9Ow8JANPjzNzqrcF4LvUtw==
+Prime2: 7YuVHcg7Fa4MysfTgaLKupaCVKkJxQ3SDVp2mVABgu9GkKzKgPRlwznLANgKC2kWudUqKG0+jO97GxV6Jhff9Q==
+Exponent1: sCr44sRCtIX9o2izqQZAca6koln9//yloHgwXyQepvJGeuxWsfpSGmUf5gJlvaovrTdN4fpy5mA0b4vZnQRsBw==
+Exponent2: k3Q0J6VvHwFresOiQ8Ekzw/AHXgGY+X0+MJWJ+6IEy2dCQWOHPhguXyAKP8B8ootNijjM2Bzb76eeT0vz3mKXQ==
+Coefficient: A9rqRcjvB0xOPfSUAQDclV8JQPq+xHBOXIpOm5xDtrzQpjv/6uams+bgNeV7m9CPi5jyjWaM5XGwUQv+3itRyQ==
+++ /dev/null
-;% generationtime=20090630103352
-;% lifetime=5d
-sub.example.de. IN DNSKEY 257 3 5 BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 vlXrwWNo4Pk=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: tnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
-PublicExponent: AQAAAAE=
-PrivateExponent: WGyscUMH71EaEXIbZdRFZ6J951l/3sXPtaivtQkOHt0E0bmHhqqqLta8HN/2xZR0w1+W/VAV6sCHXoTzhs82qUQOV6QpkR2tmN+etB/CNdGKrT+VvXrD75TJbCeegPeCvjnWbivAsmC2l46ogTMY0M1VZxJrWPKxpmEeQhxNFz0=
-Prime1: 5s6qRA7112fgOe/e+nq85LK/PkwOOoyOabhoJOL7I/5i9F5eBWBel4PCEaemGrGNk0zKqRFmE/Zs4DU2JsUMGw==
-Prime2: yl1x7nEIDegqhVwO/dvATBC0v8oVNRmqo8aBB/6apdOcuToBTSPrq+qPnq3ehRNK2Oz4CVYtoNtF9Xt+GtUwew==
-Exponent1: WoQRwLNR/Gu7SXDr4Y6A6eZ4YmwPqeistIcAmUaDxFREAn6eDxTJVA/tYeDKZ8L8sREOsdURTzkdePR+fHF/6w==
-Exponent2: U3eTb0W5WVGW+v7jyBGlzoZciU7nZNajKLo0X6GriGfpcfctnjsSQL3hjQzZRk0y7YIIdgtv0ApV5iTmQ9FUvw==
-Coefficient: hdjOg1UkqrwW5sVyS4o1KEW0Sipue+s3O8AZ11BVa2jt6ijqazZRQTMQBSoRpu8N+h5+jA1CvJmXUYTCRocSew==
+++ /dev/null
-;% generationtime=20090615065826
-;% lifetime=5d
-sub.example.de. IN DNSKEY 257 3 5 BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY 04a9eVgvhME=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: u2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBznW7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
-PublicExponent: AQAAAAE=
-PrivateExponent: opFdHZAmZ2/cdNYkJs+CD0jU3nK/atMHKnKtsczlAC7p4eqmS2vRj54oe+yG204gZ3yzLp6yIp3TALfutc5HICmuyfMUdliiaUn3dcbzcc6QK9XgcEJPSz2X5Ot04CdgafNZ5g6s4r2zWSSRBYsZtCeZbevIH4KJcJjh/D5IDF0=
-Prime1: 7SZBGa/9lloRYImdEH5auLkCDGezv+AGKFtMm/UjQ8KwezpxtjFz+KsWckEtyUkDIIPWAQ3t4iND118Nb7L8Uw==
-Prime2: ykU794Iygwej+0ZsLsDju3Iulniy2qtvQ4CrS6zu6D0BzuiQyAEI9V1PThMnIfHlIA3g8rGRK8AAARiCrNh4Gw==
-Exponent1: tcJZs75GusGfQ7z3N//r+rp67thZlOV3RY//4mm+t3Hg4qZEw02A9kSmNdiBb0VzVhKIHd3OFvXCkdKa5fj6Qw==
-Exponent2: nyGlgUHTHESEFHfdJEIxVvRNa12iG179Mfu7ytWNpKUV9EvAP1WfyoGlLEmhhwENii/xK1e4qwxNk1yjBtQ8CQ==
-Coefficient: r2Nfc/szQ0mm/kJdfenPpWVbdvAML1RSt7CxaNUfYqmnuMRP12LMJazAApIweJKNI0u4qDBLIHhAwbXKFtLm1A==
--- /dev/null
+;% generationtime=20100224232104
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAABw7VUqnhpsZkrjxhFtr3gUk2qCcs8utrOFwwsMgxQwzcMoJfe S9Ctq4Rp4M8s20tSq3rXzt1h8LxjsSLqbdolqgWcmToSGo+IZikT/87c vsUqzKgCQx84n2Il+//AvLPE0I00mGeOK4OR3yLqxrP/ghYXqydlUvgX HLeDoqHQAFM=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: w7VUqnhpsZkrjxhFtr3gUk2qCcs8utrOFwwsMgxQwzcMoJfeS9Ctq4Rp4M8s20tSq3rXzt1h8LxjsSLqbdolqgWcmToSGo+IZikT/87cvsUqzKgCQx84n2Il+//AvLPE0I00mGeOK4OR3yLqxrP/ghYXqydlUvgXHLeDoqHQAFM=
+PublicExponent: AQAAAAE=
+PrivateExponent: uoruJIZElyAQA+KeL5wBYD8hdNbr9/By0IHg/cPVZd6526ahZpWob5ucps4xjq02rgLl/i0FvG+o/iJJKQ072Wvp4LoSzFpLKRQPQhrC8tf2Zqaup03gDlaMSe+mav59pisU/yRi42xkLdFCq9qAqOolhMYH/5rTTIQjLGm4N+E=
+Prime1: 6WHxgLrUdEcx9ByQvaC1+POsQpA77D9kAqrgR2iPXlmlBsp6JD/lImNCZCUcnt1TRJWEDmMoP3U1diWvvV69MQ==
+Prime2: 1qy3KTqZNxlxGOJ3GvtUT9AGvZrKCNDDvPYGW6UT1aMCaR7rVKOjuxsdTZGBgVQMSynTVhrsirOsUodhYfskww==
+Exponent1: gJeuTs2r2TORC6JlxWb7cWyKpTwlAiVZPO8V1bHwT9XoT5upILso6ozh8IB+o2SdxhxNSx0gXmnU9xPk58SJMQ==
+Exponent2: qT/gYLKfcgWDpIQ1/ZSaCNqeBuyzUVpR1+HTySxFSUD9+yu7Ra07/E+N5EFlfW4WshA762j1Ums8GtKNNZ3nKw==
+Coefficient: SwfLMVH9qp/SuXcmnOsYQd0kF9JcYdVyi3HiP3EvI/G97sKT2P/RXVi1hSPQ1AocBX6Fwke2FYQpFGyV0/IuwQ==
+++ /dev/null
-;% generationtime=20090630100243
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 5 BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
-PublicExponent: AQAAAAE=
-PrivateExponent: v0UmLwzL0RBea93NN1Q/yMFvFHSI30Np9yxdVCxDjq6zYrCiv2UTwXzPCyG1JWhclopzNII3DYR9ISgha58QCQ==
-Prime1: +Bo/midKqM2wRrPj4owYKZuocaTi9oEWb+MstOkOWe0=
-Prime2: 09q0bHeQfNY3OQsry+f2Csa2koLUcmfxxf23bzElKBs=
-Exponent1: DORw4XBF3dMjMygLL0A7KTeQlW0iDgSD7tAPMTKSmhk=
-Exponent2: BLC9fqcbNVq9EslHvNzhH6ElMO1bysgB3rAUKhk4Srs=
-Coefficient: jtQYbg6K63W4zqe6HCxXpI9N5vqwlZ/bK9T0JQZjX94=
--- /dev/null
+;% generationtime=20100331230548
+;% lifetime=3d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABwp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2 uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: wp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew==
+PublicExponent: AQAAAAE=
+PrivateExponent: Xgmu9fyg1QoKridDOUywH7mZg92dEvGVIcz5QrpXMYZDhi/Z1NLB4UJwaO4Kmbg9EyAT+ms3fjjC8ncy+mVnEQ==
+Prime1: 9wrDpiFEJkYGuCC0JriZgA+uaLBYtzudTzUByr8BGU0=
+Prime2: yavdgu+a7BloewO3Fzg6JwxYvJYrfeAgYLVr4uXzwec=
+Exponent1: Z8tEYnN2N5LxFjL9+mdfnOjNhVxAouZ/wyyokWf0C4U=
+Exponent2: axnHnwpVRfb5Xt25+8oIVoVH4YdTXDCbr4nkcjru4As=
+Coefficient: dvqfAzS1VFtC6dvzFTgh+GoFt3EwIxHDXcskNmbFDto=
+++ /dev/null
-;% generationtime=20081002230219
-;% lifetime=5d
-sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/ zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnU ISRyLtFdi10=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10=
-PublicExponent: AQAAAAE=
-PrivateExponent: esuIKav5AkrTaOu06kDZnh1+fL3BRkH6D6IZBBZxmidd6zwEvTR9dQ8kkoDSY0WTZxZDKYOJtWha5jrDnLaqKvPizEnfxs7P4yCe9fpGy/BZ6BkvVWECKeQ9o8ZacALg8If1NagdhTmueflj39qquBogoe7TWiWxsNTJzq0os4E=
-Prime1: 74wMDEa4SeFhMLIWgOz6hwdP86ak+JLjdRsTmj1qFykYHTlG+h3y8ic79fimHaD0P1Tbk91pOgh1rBeLWTXzOQ==
-Prime2: 5H2Pik/CdxqcIBCyqBSN0hwfzwCry3t2mPVtDmc79XyGLOwiGhzWkbMeZro5hjBxpN3U4Kb5WuUGu7+paEnlRQ==
-Exponent1: 6QSyuPdI58qXPZQogATGykz9nR+n1FySUWtanLUlQcNDS2Nl1zaZy9+fzAuiekF3EZQxlSL/dTNoUP/dei4pyQ==
-Exponent2: R5IuojoV16bq6HTDRahO756zqMwaG+Kp8DGijSjzHchNywnCpzvlHK2+WXbjx/7Smno5zrB1cOYMQ0xRwOAn1Q==
-Coefficient: Bc9CyTQt6wEU/ShcJLXYGKVnBMdzM4JjB7y7sj05E4kLocYaQw2slxBFZyc7oGKEaAFKsqIC2JyurCo4Z6mDrQ==
--- /dev/null
+;% generationtime=20100302100015
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB5KlPbV06agsuPzuijxhIDwNpKC5mGcW/BHnXTIckGoTH8kyQ Q2X5wg3SVqZS5AhF1sJ63dRlEUmr6crC3oIb7oZkgaI6j0oBRMrX63wo 9URebgSCBVBllTo74PhCUlA9taSEiThhzNScje7lk34yU0JSAfxyEiwq c3x8BzbIorM=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 5KlPbV06agsuPzuijxhIDwNpKC5mGcW/BHnXTIckGoTH8kyQQ2X5wg3SVqZS5AhF1sJ63dRlEUmr6crC3oIb7oZkgaI6j0oBRMrX63wo9URebgSCBVBllTo74PhCUlA9taSEiThhzNScje7lk34yU0JSAfxyEiwqc3x8BzbIorM=
+PublicExponent: AQAAAAE=
+PrivateExponent: y+rt5sGw902oNDr4JAP2+erGfuYpp1g3UavEEPplKcyFZNg21fMasVCIyerS5ORCr/ktaNP9ZCuOkv/Ob9CY6hbbMMFKHIKGtBb7eu+et+fbbr71fdxyqHlcpqfAiRjsqYLuLw1r93Odw1HyCRpiIVR3Esiq7xTTsbd6v+mjqHE=
+Prime1: 9deZ3ccGM9abtuCR/vGI2v8dOR3WwzhClE+kmRKhB+++ON5hvg1Y+cJc60FpWLHTxKs96t4axX/6ijiRWZpyKw==
+Prime2: 7hv6lVRo8UCdt/q4n9OKbDnPu8z7GokPSXcqT5O8W7p/O7Yvuy0YMRbL8CTJw2A4IP202bScW5Lg5EWdPUa1mQ==
+Exponent1: TM/bBQFxZfgGdjnJ58qGE9e5GNuqjNgT7HacbqTtnvHKQmRTp6Z+es8qV7U6ise0Glyz/zwB9BuYynUU+XKpsw==
+Exponent2: MHiLBFWwhaeg21jfCAqblY6elrqmLWiq6qkk8mRPTHtyaCkr1fa4/4u6q54XiyIBQxLKUf3prhjzq+o+hagIYQ==
+Coefficient: fi1lTsYNS1ka3RHT8SxGcwur8oRZLPAaLu8UYFxy9bfAInYkUg/jnR3q3i5BcKcr4+UL6Pp9iPzl1AfMQj//fg==
+++ /dev/null
-;% generationtime=20090703233023
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 5 BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: umjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
-PublicExponent: AQAAAAE=
-PrivateExponent: QuAiyiQQUiopUhjwXZa0E5s+tj4pf/de2jaKwQKGaXbhZMX3ispK85LKkvjGr1ABA4+w59cnMHaeKk7nHRVDCQ==
-Prime1: 3eK3/XpauQNk2f7fpzOZOYokiS4Nx55XmGxUu3gTPiU=
-Prime2: 1xHRlPz8vYslUMhZxgNZY9fzczJzjbjFP005iokb+Ks=
-Exponent1: CjTZf3NTj0mEQLOYF6HIoIkNlBTQjLHIauAjx16Er1k=
-Exponent2: z10pNT3TMAYu/V+nkLnw0afwXjvF8KtgwIw8j5rD7B0=
-Coefficient: wAh2F+9cb8rF+bp/spymV25IGtBq+ht/TU8Rt7PRrLc=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: wBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4QlglYkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw==
+PublicExponent: AQAAAAE=
+PrivateExponent: mcrUc9cypiq7j30rntMoCrIxE9SemJxzTJ/USNZPGqfa4MpfsfvIt6A+8JzgS0Sx+6piSk9d8QSdr55aVqgEYQ==
+Prime1: 6dRm4EGvg7WN5LFAMv/8HzeyZbNu7FlQwf08QZOmgYc=
+Prime2: 0lM7LrrOzTThb372TCC+7Wz0S6GuqfjhM33MWwNEeZE=
+Exponent1: Q8jFuxbjffHEGZxuUdLkkmWka0hDlACozr31blXYgCc=
+Exponent2: yqc1ijD9jaK8b5IUIqsx42nbJ6boeMyx77wfOUoXw7E=
+Coefficient: R4QnEkjxtLd7bPChAqblYPb9A8lcsD7KGh5fTR9LcFM=
--- /dev/null
+;% generationtime=20100302100004
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABwBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4Qlgl YkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw==
+++ /dev/null
-sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
-sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
-sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
-sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
-sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
-sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
-sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
-sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4
+++ /dev/null
-;
-; !!! Don't edit this file by hand.
-; !!! It will be generated by dnssec-signer.
-;
-; Last generation time Jul 04 2009 01:30:24
-;
-
-; *** List of Key Signing Keys ***
-; sub.example.de. tag=40956 algo=RSASHA1 generated Dec 28 2008 23:55:28
-sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg
- CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/
- zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnU
- ISRyLtFdi10=
- ) ; key id = 40956
-
-; sub.example.de. tag=26451 algo=RSASHA1 generated Jun 15 2009 08:58:26
-sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
- W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
- j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
- 04a9eVgvhME=
- ) ; key id = 26451
-
-; sub.example.de. tag=24426 algo=RSASHA1 generated Jun 30 2009 12:33:52
-sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D
- xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp
- 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878
- vlXrwWNo4Pk=
- ) ; key id = 24426
-
-; sub.example.de. tag=60332 algo=RSAMD5 generated Jul 04 2009 01:30:23
-sub.example.de. 3600 IN DNSKEY 257 3 1 (
- BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ
- f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg
- oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ
- jyZPu//rrNM=
- ) ; key id = 60332
-
-; *** List of Zone Signing Keys ***
-; sub.example.de. tag=11091 algo=RSAMD5 generated Jun 24 2009 17:12:33
-sub.example.de. 3600 IN DNSKEY 256 3 1 (
- BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+
- 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
- ) ; key id = 11091
-
-; sub.example.de. tag=38598 algo=RSAMD5 generated Jun 24 2009 17:12:33
-sub.example.de. 3600 IN DNSKEY 256 3 1 (
- BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe
- zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
- ) ; key id = 38598
-
-; sub.example.de. tag=37547 algo=RSASHA1 generated Jun 30 2009 12:02:43
-sub.example.de. 3600 IN DNSKEY 256 3 5 (
- BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy
- 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
- ) ; key id = 37547
-
-; sub.example.de. tag=57863 algo=RSASHA1 generated Jul 04 2009 01:30:23
-sub.example.de. 3600 IN DNSKEY 256 3 5 (
- BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1
- XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
- ) ; key id = 57863
-
+++ /dev/null
-##
-## dnssec-zkt v0.4 (c) Jan 2005 hoz <at> hznet <dot> de ##
-##
-
-resigninterval 36h
-sigvalidity 2d
-max_ttl 90s
-
-ksk_lifetime 5d
-ksk_algo RSASHA1
-ksk_bits 1024
-
-zsk_lifetime 2d
-zsk_algo RSAMD5
-zsk_bits 512
-
-dlv_domain "dlv.trusted-keys.net"
+++ /dev/null
-sub.example.de. IN DS 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
-sub.example.de. IN DS 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
-sub.example.de. IN DS 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
-sub.example.de. IN DS 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
-sub.example.de. IN DS 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
-sub.example.de. IN DS 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
-sub.example.de. IN DS 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
-sub.example.de. IN DS 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4
+++ /dev/null
-$ORIGIN .
-sub.example.de 7200 IN DNSKEY 257 3 1 (
- BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
- LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
- /iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
- gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
- vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
- ) ; key id = 60332
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
- WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
- pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
- uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
- 0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
- ) ; key id = 24426
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
- W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
- yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
- ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
- 0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
- ) ; key id = 26451
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
- 8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv
- yVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTi
- dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB
- geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10=
- ) ; key id = 40956
+++ /dev/null
-;% generationtime=20080818053647
-;% lifetime=5d
-sub.example.de. IN DNSKEY 257 3 5 BQEAAAABvYDREzYgpwbapQq47TOdCxf0+0vn0rFKNv0HedmV0uSQ8mkt PRHKKQNgeBDWN99JjV47XEFeYRmMYIixsEjjMTv7jBbYYlf+pMEnDfip wj1bvaQRsQ8KFLHnII0syARkZfxVllNulIYsYLA0QOH1bqUXCy3WOUO+ ykohqGTWSgs=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: vYDREzYgpwbapQq47TOdCxf0+0vn0rFKNv0HedmV0uSQ8mktPRHKKQNgeBDWN99JjV47XEFeYRmMYIixsEjjMTv7jBbYYlf+pMEnDfipwj1bvaQRsQ8KFLHnII0syARkZfxVllNulIYsYLA0QOH1bqUXCy3WOUO+ykohqGTWSgs=
-PublicExponent: AQAAAAE=
-PrivateExponent: XMRzabB2jRdVLpnDth8Zr1okVfyBA9U0f2/qRnQT0ltPBomFgazQlrN1cyvt34vuqHsk+Nb44/HZLzl369HK9iO99sD3N+gKDXv0rB+r0QOSoku8eImkk6p0G5VLkdROSggo+GgUJmWMa0BGg4Y9XnStN0+bwyr/cJDkdPLnKqE=
-Prime1: +UoUiIMjAVNDQ4BRYUhW9PIiXCFMUOJQNQ5bIcYLBJBtkKJl1exS8MTNxTQgcRy3YNgUx7u4Fh6FEsBfVlL8kQ==
-Prime2: wpq74Cv2kvENsDlAXpYcigtNB8rtiOXGpe/eUl3Pj6aahS97KYyXivoHK+xZpoxLTz5dE28v2jRc+o7Dedma2w==
-Exponent1: toMLd17tND5W6ifexKH0olazwhokTxSyL1JrSjmSo2BqKjohREv3alaIq/+2epKuDoX1/jI6kOL5JJHvX0ngEQ==
-Exponent2: JR1w0pvriWfzXCwPel0crw+JUUpDM8bFiYDZX/zkNyuOrplqbh2REi5bCf0AUOgxie78WjxTvhyewwiByHtF/w==
-Coefficient: RADyZiLO+IXAJ4pFGsX5m0fZvixCmQdN1mmN9NnzZws43mb2KhKs+UwOsDpU1R5RddoCWgFhz58dgMS2VId8XA==
+++ /dev/null
-;% generationtime=20081216163213
-;% lifetime=5d
-sub.example.de. IN DNSKEY 257 3 5 BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxX T5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEE J9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVji qj6JGXl48/0=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: vFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVjiqj6JGXl48/0=
-PublicExponent: AQAAAAE=
-PrivateExponent: BKxnBi6a/3ziyfbN1FifPRo0QzGrQaZsVmJK3KF5keyYTRbImsVEFuYyc2sD7YZdACRvX1MIFoxMiORhxXlU7rrawQHtGXHHFIdBCE+/GINg9NtAijz/I8LCFexsttRGUESyXQjx0QCOr2j/qGpLU2jDspoQnOuAJNABDQeXtNk=
-Prime1: 8ta4x0uQsfcfBqvGUoX4Ngtr/zWExLRDY+THy9DV7aKNw7UBvOnPjL7NQD4RTHRp52buZbh33XDB2ujA6lV/Yw==
-Prime2: xo3tGYInbtnFZe6/Itwz+uihogLj5lWpn+e1VT6aa2SdSES53MrVnu7+Swsv7KAZHGnT99pLjwaTsNvo1MeNHw==
-Exponent1: 6ALwJf4uypQi4g+zXXfnhNnkU6xHhG8MolwpE2UlfJ02GovKsgWbxNnoqdQyGeOMhSeHaj1Fzyca0TmJqx0oQQ==
-Exponent2: iA6ciyRLclAnq3HMo1uul8ssrtyRF4FhfFJ+/nhSvqYX6uvcUH3HqV4Tarq0Irf79jq+wwEUKmG6VLP6wMnwRQ==
-Coefficient: Z7PYXTT7y8EHoHTBE1ioOegzTgJ3gNnb6Pd4atgsyANeFxbUPukgr/rf4ahkipp+r6RcjBm4yJtEp0kSlJnhCw==
+++ /dev/null
-;% generationtime=20080726221746
-;% lifetime=5d
-sub.example.de. IN DNSKEY 257 3 5 BQEAAAABpL4/T8z6mCbTm46Y9+KJOgCAk+dGHBoyg75N1f0lwYSZOLyy yOLWwDxlsfkb5WwvZ1ZG6NFmg/3o5N3Zd7TEkkvHZafRMrzHFicdIMSv jmOWVBR0GsEb+reREu5X0sdZbqOuxT6CkKoTXRpRZgU9ouus6W5bSWQA fdQIegTBBKk=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: pL4/T8z6mCbTm46Y9+KJOgCAk+dGHBoyg75N1f0lwYSZOLyyyOLWwDxlsfkb5WwvZ1ZG6NFmg/3o5N3Zd7TEkkvHZafRMrzHFicdIMSvjmOWVBR0GsEb+reREu5X0sdZbqOuxT6CkKoTXRpRZgU9ouus6W5bSWQAfdQIegTBBKk=
-PublicExponent: AQAAAAE=
-PrivateExponent: CrFKdhkCOgyF27Jc4GPfo7A6v2q0OgRE2nBdkw7XFUEADEHSVLA6XYUm3AZmAOWxTmrGU8EK+76hfC22DjA6O0BljTNdxLB5cGRL2Dxey603jCIEVt/ahIqyb2STr0pWYEVc3qAKJL93iP4v5r7fJt157sJhQF8F5Zpqj24QvmE=
-Prime1: 1EpVvo011F2qgjesKSKplhqtvbmRPjTuhijb7531zIbxDzBF+lXCDyjt3Y/LrWS240t74vbZpo9FUZIETIf/FQ==
-Prime2: xqm8Bk18u2WJZ9uUr+/MMPKfh6OgAFqtBwFi81FFJ62kHGL9i8AcychE9tD5IRu74KLCGW+Vk87lyLOF3WU0RQ==
-Exponent1: JmLNa+QmMjHVDmAM833bF024/+NIyZgfNSDLnGXxTqYZ3PK/llLHIwBChLMKAQgFvt5PP0id1Nkc9N16xjkuFQ==
-Exponent2: rZW7rMmQxQQRHD8TKQTAhCX+31n8jnq7gW9dyVpjY85GDuQe6+3rox6xvsMfUzEOgXk1lgnm46FAIHOH6DhMuQ==
-Coefficient: MPoirwMUkLzLWeynO1Izy+lff70hnDnOcZEckS+Sy1TlUkk22uHBF4uNLkgoF26XqeKzK9pG1rCGfccfWTCayQ==
+++ /dev/null
-;% generationtime=20081003212715
-;% lifetime=5d
-sub.example.de. IN DNSKEY 257 3 5 BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n GLv3a4BbGFc=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: olXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc=
-PublicExponent: AQAAAAE=
-PrivateExponent: OZyxcY+HDUm3QnD5ZKQNlUHg5m5SuiUNpDUPzsguED89tgWM12U8IgsChJd2kVlM2Ntayu3KhtUs0/bwFk7yMEyrHPkRcMCInAlB28cXKailxaad5pIvHOu+xt5/44C+j5p125Xd7N29dhRjH7afQY7eYV7FYmDcnXrPyrTkBeE=
-Prime1: 0GylzPNywg5QbH9EzgBTjb1J87G2gmKW2eSePiAFq6g4LKUh/HTeCX9TkXmszC/xaA5X96h7UoiPTyl/uq5mRw==
-Prime2: x2Pq+Edr4PVN9PaZ/RImYjQGk3gs0J5SbJ9kNKFTPw2ZsWr9wtN5n1KKUCHDqsJ0I9XbOmdI94Ze96uju5L1cQ==
-Exponent1: K1098oZ5S8EV4rjvzRrJRe+zLNhvCOeyKQLeE0pZk9G60aMxRTm1HAYyof1kcw43G8BgPU2+26kzFAFQHQIK+w==
-Exponent2: oL+7Esi69/qc5yJFk65FJld6jfvv5XHiZOLmj5K/Sagk1mYpj+vveitQzPaNb5G2cl7sN1rW8jgiYdKsyCe0QQ==
-Coefficient: MoX+4JTGDuR2nPCAjwMRBDIu6hCTn65zU2EHAFMWaf7hvvhWVEBn0YTK1/sYFzz0LxJUJxa/JJltY7ZYulk7uQ==
+++ /dev/null
-; KSK rollover phase2 (this is the new key)
-sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
- W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
- j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
- 04a9eVgvhME=
- ) ; key id = 26451
+++ /dev/null
-;-----------------------------------------------------------------
-;
-; @(#) sub.example.de/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ IN SOA ns1.example.de. hostmaster.example.de. (
- 2009070301; Serial (up to 10 digits)
- 86400 ; Refresh (RIPE recommendation if NOTIFY is used)
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
-
- IN NS ns1.example.de.
-
-$INCLUDE dnskey.db
-
-localhost IN A 127.0.0.1
-
-a IN A 1.2.3.4
-b IN A 1.2.3.5
-c IN A 1.2.3.6
+++ /dev/null
-; File written on Sat Jul 4 01:32:17 2009
-; dnssec_signzone version 9.7.0a1
-sub.example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. (
- 2009070301 ; serial
- 86400 ; refresh (1 day)
- 1800 ; retry (30 minutes)
- 1209600 ; expire (2 weeks)
- 7200 ; minimum (2 hours)
- )
- 7200 RRSIG SOA 1 3 7200 20090705220522 (
- 20090703223217 38598 sub.example.de.
- JgCBS7//ArxzV4ZFw1uu5ermsqBelp/HnmeF
- 1V/2j71/lSIS+1H/o2appt6Ox11KnAqML0Zi
- D6KRnBt1xAbXmA== )
- 7200 RRSIG SOA 5 3 7200 20090705220711 (
- 20090703223217 37547 sub.example.de.
- gt/Cnm3ltYYKX1h1xUEM8xfGlovwilUCf9TK
- E6lUZL9w56DY8WDaz+5kdh4FfiXbprTgzjGA
- LMGc9HSP79dRuA== )
- 7200 NS ns1.example.de.
- 7200 RRSIG NS 1 3 7200 20090705222744 (
- 20090703223217 38598 sub.example.de.
- Gor5vVdsREkojunDB1+1EOzQcsOhjO+RP+CQ
- 9MEdAtqXqfJaqn2BxAkjANy7UWiPbIei3QnT
- MBmpop2wmSzjHg== )
- 7200 RRSIG NS 5 3 7200 20090705221546 (
- 20090703223217 37547 sub.example.de.
- GOWmEt+2ye6zuH1BdUrzEpmjbLTjrqzTwpOP
- CBop0iM/TeSKv3OIpzbCscn68XsKdALKx6J5
- vsnk1e7z4qdMnQ== )
- 7200 NSEC a.sub.example.de. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 1 3 7200 20090705222040 (
- 20090703223217 38598 sub.example.de.
- DzeJgkKvZsVnlRG6x1CjJsqE7ZW7STTfq0ND
- v3whxX6+ODSLWtttakOYZU5ih6YKKbqtxxOi
- WpV1PcoUZ0g2PQ== )
- 7200 RRSIG NSEC 5 3 7200 20090705222545 (
- 20090703223217 37547 sub.example.de.
- fG3D1B9ERox7BwFF2pFOT7D89+6f/3Ti1xUK
- rc/kv17mlcxJDzzNtBx7dmKl/jPIccWFEe+d
- WaeKi5AZKRsCsg== )
- 3600 DNSKEY 256 3 1 (
- BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOml
- gVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVU
- BgwiMj4XdqFLLuNzjJbGiw==
- ) ; key id = 38598
- 3600 DNSKEY 256 3 1 (
- BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpv
- StPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQ
- euyJ87LiXfGpR/X/MCtTEQ==
- ) ; key id = 11091
- 3600 DNSKEY 256 3 5 (
- BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjt
- YHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hx
- CoFgziaYXEnU0OjHM/Vatw==
- ) ; key id = 57863
- 3600 DNSKEY 256 3 5 (
- BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yG
- BvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqe
- abWDGzKm3MbybdKLLtGD/w==
- ) ; key id = 37547
- 3600 DNSKEY 257 3 1 (
- BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
- LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
- /iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
- gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
- vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
- ) ; key id = 60332
- 3600 DNSKEY 257 3 5 (
- BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
- WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
- pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
- uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
- 0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
- ) ; key id = 24426
- 3600 DNSKEY 257 3 5 (
- BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
- W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
- yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
- ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
- 0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
- ) ; key id = 26451
- 3600 DNSKEY 257 3 5 (
- BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
- 8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv
- yVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTi
- dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB
- geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10=
- ) ; key id = 40956
- 3600 RRSIG DNSKEY 1 3 3600 20090705221028 (
- 20090703223217 60332 sub.example.de.
- xVnKSgfSjfIEzeJVBlSPfJWDmkG/sGvQQaUc
- P6kHUugus9z+MwnPpXKCwvSufQQJHzmUuMG4
- hk29luebSAK+bm8s6lExQQDpUTNWnOxlIrb/
- pQJp7tsBfN8wfZnOg+FrtLSiWzbN+jRyq+Us
- 6IUopL10tPSalhTp9UleZSUkZyA= )
- 3600 RRSIG DNSKEY 1 3 3600 20090705221035 (
- 20090703223217 38598 sub.example.de.
- fq6OWIKGHtdavvZx8pkieeF+DdA7P13nvW1c
- cSmrRsfFFBx8SMJ6H9zFX4FPuoDSsNb8xnNB
- i7LKN5hMK+uKvw== )
- 3600 RRSIG DNSKEY 5 3 3600 20090705220958 (
- 20090703223217 40956 sub.example.de.
- z3M5xdXXWOywAa9BPtVMzsMWmHumq4rbYyNB
- e/in7ijwMwRTZ2pOfK5ccOBMhFE8TaRQrZD5
- 2eP2uqdUE4Jkhr42y5e8+o8ShuKxXIlkGao3
- oFdCIwPElIUswnWs3i44Hz2SCFVnnCz8PXQL
- VtxuyGMtrFGuRFh3xC14bi/U5LE= )
- 3600 RRSIG DNSKEY 5 3 3600 20090705221542 (
- 20090703223217 37547 sub.example.de.
- bRPadfI4qu6Xl4SCQ+i97/IANaCsE78L+LTG
- 1ckVTUmWbDZwj6RjJofdx5Mm1LlM6pi5hAJ2
- 7vDjTlynq0uFyg== )
- 3600 RRSIG DNSKEY 5 3 3600 20090705222555 (
- 20090703223217 26451 sub.example.de.
- Eu2lW/SJDyKHZ0zLIV3Co80+D9ykkULXEJpR
- BpvhG6wa9R9i0z/QEQc3QWUt2sDPOYDX61wh
- iP87yVmb2B1IFMU/VW33d2xZgcK2NGSMk0QI
- g2T6jXk+uWd9ribgfWT57Xf3Qr2D+Zl23mOR
- Q/C/bJgOmq9mZt4vNOBTvgmuHqw= )
- 3600 RRSIG DNSKEY 5 3 3600 20090705222912 (
- 20090703223217 24426 sub.example.de.
- ktIrKORfmsOtyUj47zBb1p/3wp/aA2GIT9dI
- e+mDK6Kvvc3Rb+UZe2689vAMwq7/lMvRhHQR
- 25Od0UIU77XuW/trIczippIl78ISPwKSiEN0
- LUO9kUf9yZ2dqsZMxMKXWZMSVYXY0ja8zSY5
- v9HafpYQx24FTD99v6DcjMvQu/M= )
-a.sub.example.de. 7200 IN A 1.2.3.4
- 7200 RRSIG A 1 4 7200 20090705222143 (
- 20090703223217 38598 sub.example.de.
- A9WVnbcBJW3L+GOND3BJdtrzK3G/klcIWp8l
- 0WW1HTbiJAFMxizNWVjyGKU3ciydtawT7gVS
- guDWYW++F1vv4w== )
- 7200 RRSIG A 5 4 7200 20090705223053 (
- 20090703223217 37547 sub.example.de.
- kZWrAPgslp1YjZtfWhSgQfpegRrVVjVGLPhi
- 5OAwpJ14sWmXe+Ty7PbDM1icKdt3DwmGHtk7
- jkFkcdEu6pH3rQ== )
- 7200 NSEC b.sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 1 4 7200 20090705221732 (
- 20090703223217 38598 sub.example.de.
- Jb666TyzO/8OaJKtEsg/baMAwV3WgLzplwKi
- 0FcSu89AMMTEtYDkJx3PSinttrkK/74SHCQI
- QprLeptnAT88wQ== )
- 7200 RRSIG NSEC 5 4 7200 20090705223013 (
- 20090703223217 37547 sub.example.de.
- L7pmPJgNOV4XpcN2BsUti0OyVNp3SZu58z8w
- nJk6Na21sO6gorCh0T9r9GYK0JbJVk6BC+9D
- BBQkH4YqqkPxXQ== )
-b.sub.example.de. 7200 IN A 1.2.3.5
- 7200 RRSIG A 1 4 7200 20090705223139 (
- 20090703223217 38598 sub.example.de.
- gaoCOBLTR+bfk7O73vH80nP37xchqjh4S8gk
- aIhiXZwmVYwWatlzhB8ZK/qhs4mRLqs3Rpte
- QVYtDIC2+AOstw== )
- 7200 RRSIG A 5 4 7200 20090705221720 (
- 20090703223217 37547 sub.example.de.
- A4+jPotrDIV4JgxRNjH/2vtFW9RNM4g0acRI
- tpEoOAphse9Ki7/KDJDYRyjlNqNOYoPSlDlz
- rWlKXai3MYg7VQ== )
- 7200 NSEC c.sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 1 4 7200 20090705223117 (
- 20090703223217 38598 sub.example.de.
- DuFAapyfyrTDnYkgkkGZG6JyiWa2yWbSbvB/
- EbiaA//ffEEFvoHPt+md+ctHtw7inP3WZ0jf
- IBAStKfocnPfxA== )
- 7200 RRSIG NSEC 5 4 7200 20090705222451 (
- 20090703223217 37547 sub.example.de.
- y4eQUHYVVEDsXXjtx3YZ5mGtrdL8x7e3F5HK
- J/jTwHDYvCq+/xqaXdOGIDl1TZYN4Z+/mgud
- ePUilJqZI7+d0A== )
-c.sub.example.de. 7200 IN A 1.2.3.6
- 7200 RRSIG A 1 4 7200 20090705220747 (
- 20090703223217 38598 sub.example.de.
- AhUeZDcL2x0nT4K1ueLzpti37wP0p+nBCO1h
- N1asQJycnjayQ49nVwXuOPjFtO5SpUijl/gf
- rsvFrG2Eyf8KyQ== )
- 7200 RRSIG A 5 4 7200 20090705221402 (
- 20090703223217 37547 sub.example.de.
- I9UX1XpqYmFXZKfS0SJn7eAahEGlDvTO/miW
- 5sAvWS1PDIPiGs6eNIKEjmCcy1bTCR8TdCF4
- eDzbZncW5J57bA== )
- 7200 NSEC localhost.sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 1 4 7200 20090705221655 (
- 20090703223217 38598 sub.example.de.
- spoeS9+UVDFk3i6OuzJDg+dYm1UGVd1dd/1H
- c0Cg7Wn5FjKwAuxVh6Fkwo+gnfFeuNqXULp7
- 2oZVaizjK0xxdA== )
- 7200 RRSIG NSEC 5 4 7200 20090705220501 (
- 20090703223217 37547 sub.example.de.
- qjJcnn8GAR948AasHOuT3grziFXevNKdIdd0
- JsThsXekPAFoe/o/Wj7a/aRBQpdSQHfbHs66
- ehXm31OmY1Z1MQ== )
-localhost.sub.example.de. 7200 IN A 127.0.0.1
- 7200 RRSIG A 1 4 7200 20090705223018 (
- 20090703223217 38598 sub.example.de.
- KKzhk8TIfVygE1HXHyno+5JRUa/HjZXlCyqO
- IXPpEh2AGQjbEy9lJOXbfH15explsbFUl8iS
- oFdkIwDqvk/ldw== )
- 7200 RRSIG A 5 4 7200 20090705221933 (
- 20090703223217 37547 sub.example.de.
- X5HZEaT+hbuvxoOng20cDqYGepR2ud7q7ASs
- ADVuZx38VBtj02Gbp0xyM8LnjjrKD6McQC35
- lqRrrcEvaMIFYA== )
- 7200 NSEC sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 1 4 7200 20090705223031 (
- 20090703223217 38598 sub.example.de.
- nUE795F1yE6+61N2UQb2Kmm4PpTBpdwGiPD5
- RfETf5J3Y/7M6GuUw7Rrl5G5FHN9vzz4IJLB
- XeLxR6WY4FdXFg== )
- 7200 RRSIG NSEC 5 4 7200 20090705222830 (
- 20090703223217 37547 sub.example.de.
- YitlICV/U/5iwY5vYd4Huwpyx3O317WuufiP
- 8Ci4kDa6pp7bzM+q5INYGn5ZuFUb6bk1LrJG
- hu9IzPp4IpAwhQ== )
+++ /dev/null
-;-----------------------------------------------------------------
-;
-; @(#) example.de/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-; Ensure that the serial number below is left
-; justified in a field of at least 10 chars!!
-; 0123456789;
-; It's also possible to use the date format e.g. 2005040101
-@ IN SOA ns1.example.de. hostmaster.example.de. (
- 277 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
-
- IN NS ns1.example.de.
- IN NS ns2.example.de.
-
-ns1 IN A 1.0.0.5
- IN AAAA 2001:db8::53
-ns2 IN A 1.2.0.6
-
-localhost IN A 127.0.0.1
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.de file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub IN NS ns1.example.de.
-
-; this file will contain all the zone keys
-$INCLUDE dnskey.db
-
+++ /dev/null
-; File written on Sat Jul 4 01:33:59 2009
-; dnssec_signzone version 9.7.0a1
-example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. (
- 277 ; serial
- 43200 ; refresh (12 hours)
- 1800 ; retry (30 minutes)
- 1209600 ; expire (2 weeks)
- 7200 ; minimum (2 hours)
- )
- 7200 RRSIG SOA 5 2 7200 20090713220611 (
- 20090703223359 55529 example.de.
- rwMt/rMQ9Ioun/qZlL4nTW9J7rg3hZs+8Jxu
- +GJ3IWDRFzf3ri9A5+ZWubnZs+eXkDtlxDQ5
- hsQYk04gxowbNw== )
- 7200 NS ns1.example.de.
- 7200 NS ns2.example.de.
- 7200 RRSIG NS 5 2 7200 20090713221949 (
- 20090703223359 55529 example.de.
- ehIVNiOaHHevfb3GkYt79MSmwzzMUCHvOGOf
- MSI3QqG+Z0rS+wjI1pXdJxnVbzLldkZThBAZ
- wwZVvOnfyye+Bg== )
- 7200 NSEC localhost.example.de. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 5 2 7200 20090713221831 (
- 20090703223359 55529 example.de.
- B4vUFaDg29C95e0nstt6d6hsOYqiGWfMchp3
- MHb2FuYZN369T+OjJxBO3jaxhB6JLhQQT+CA
- Kbdednz3+3mpbw== )
- 3600 DNSKEY 256 3 5 (
- BQEAAAABty5HRSBzUDY5SVgORw+KKE64Sjmq
- EpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqB
- k/zizzUe4+dbj+jORPirtQ==
- ) ; key id = 55529
- 3600 DNSKEY 257 3 5 (
- BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
- Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
- z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
- z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
- 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
- us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
- 8Mlp1+mUjQ==
- ) ; key id = 37983
- 3600 DNSKEY 257 3 5 (
- BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
- LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
- 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
- vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
- lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
- GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
- K9bqDM8Euw==
- ) ; key id = 47280
- 3600 RRSIG DNSKEY 5 2 3600 20090713222248 (
- 20090703223359 47280 example.de.
- AnxgMlrm0RcJPTcgO40Ul+k8T0B5YYF3PE4O
- DjZ6GwdU0RGtIswtrD5JQoaEm0rJcckU7zaP
- 372CkCbdapzMbTafjx90KpnPGNka2umUEoU+
- wE1T0EmEHPsNy1UnxXpNgrtUlLQ7+wypX85h
- H4xIhkZLt3rc/xfztObawFkw1PvjdBMp1ySY
- 9jz8TPWSotfItRz2UDSWmFz2+Mt3fuKhvnWp
- sw== )
- 3600 RRSIG DNSKEY 5 2 3600 20090713222256 (
- 20090703223359 55529 example.de.
- kahO5eo6d+HIuROuIhprEG5vMnsVK1c8jueZ
- ThPa3YVVL3hSP7h79FPugMb6paqBSi0CW/0x
- X32Vx3fHL2R7Cw== )
-localhost.example.de. 7200 IN A 127.0.0.1
- 7200 RRSIG A 5 3 7200 20090713220920 (
- 20090703223359 55529 example.de.
- hQddObpj6XKM06r/fZB3uXW5K44vepmmJs9Z
- 4IDPRBwG+YzZCkUly58N5soSFxiF50Ieaq4M
- pmC47X42c1EHKg== )
- 7200 NSEC ns1.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090713222053 (
- 20090703223359 55529 example.de.
- OednWdOSDAxJXwuc3OugwSYPvOFl29c98R1s
- cPyovg8NoQnSAyXlqANUrOEHKzXekelzGV53
- wzfFHCmIuJZ5Fw== )
-ns1.example.de. 7200 IN A 1.0.0.5
- 7200 RRSIG A 5 3 7200 20090713221855 (
- 20090703223359 55529 example.de.
- TXWHh/P5XR0krzYb0io4o1/42AeNGcPcdHob
- iiFJCKHmyX8hVVysHfvvN6wB1XqLOWsSNxsZ
- pwPbr9JcTJDMPA== )
- 7200 AAAA 2001:db8::53
- 7200 RRSIG AAAA 5 3 7200 20090713221023 (
- 20090703223359 55529 example.de.
- meShWaTBanhROgGlnwQq0KNmEKJbjLluTj7Z
- ELbMUvgmTc1qLBCDHzWtp8sWWXz5UbMacL9X
- F7Ncp5dAbBO2lQ== )
- 7200 NSEC ns2.example.de. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090713221918 (
- 20090703223359 55529 example.de.
- B4mBvLOjzjuahaarR0UJwf+2IpLo0Hj6Jxj9
- WfKlMrUVJOmm2Hbq0Amk/L0NSeqD+W1eNlux
- 6EVYdyJm4f+wlw== )
-ns2.example.de. 7200 IN A 1.2.0.6
- 7200 RRSIG A 5 3 7200 20090713221339 (
- 20090703223359 55529 example.de.
- FPMu/4JWrPbRMPXm8Hyx3AD+lRn4jCZ70WZh
- LSADXIx3lZfEGy14x4UD7iLUiC/9TPl1aY6w
- q9R3ZLNhVmMbyw== )
- 7200 NSEC sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090713221447 (
- 20090703223359 55529 example.de.
- DINiU0MiPkSyMjyJzKYuj3FgRlE92LubLU7v
- eFufAQJM8hXe7oc+JfOSVDhpKdyF2ayd+w/e
- TTnmaF7c65FZvw== )
-sub.example.de. 7200 IN NS ns1.example.de.
- 7200 DS 26451 5 1 (
- 317B8B00E2518957ED982C4872659A5E7F85
- 783E )
- 7200 DS 26451 5 2 (
- C5492796671C24EA74C30B39371E94AD1A3D
- D2EA8977B4949B08422C16217B2A )
- 7200 RRSIG DS 5 3 7200 20090713222900 (
- 20090703223359 55529 example.de.
- hfoghbLW7Xd1CnLwcA/k6NM54/U34M1j5ELo
- 0S+r5jbhy6rBj3kE8PRWCvLkpFclVyTAt0nq
- pS69INoz+7pmeg== )
- 7200 NSEC example.de. NS DS RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090713220837 (
- 20090703223359 55529 example.de.
- mrR2sfL826pwQ3+/3X3/z8b3eOecBVYTdAmT
- tVml23Zegq0EYJlQUiaTH5uP47vu/tsBRba8
- TzIh0TVdyfiFyw== )
+++ /dev/null
-; Be sure that the serial number below is left
-; justified in a field of at least 10 chars!!
-; 0123456789;
-; It's also possible to use the date form e.g. 2005040101
-@ IN SOA ns1.example.de. hostmaster.example.de. (
- 267 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
+++ /dev/null
-$ORIGIN .
-example.de 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
- Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
- z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
- z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
- 7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
- us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
- 8Mlp1+mUjQ==
- ) ; key id = 37983
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
- LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
- 6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
- vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
- lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
- GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
- K9bqDM8Euw==
- ) ; key id = 47280
+++ /dev/null
-#
-# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
-#
-
-# dnssec-zkt options
-Zonedir: "."
-Recursive: True
-PrintTime: False
-PrintAge: True
-LeftJustify: False
-
-# zone specific values
-ResignInterval: 1w # (604800 seconds)
-Sigvalidity: 10d # (864000 seconds)
-Max_TTL: 6h # (21600 seconds)
-Propagation: 5m # (300 seconds)
-KEY_TTL: 1h # (3600 seconds)
-Serialformat: incremental
-
-# signing key parameters
-KSK_lifetime: 20d # (1728000 seconds)
-KSK_algo: RSASHA1 # (Algorithm ID 5)
-KSK_bits: 1300
-KSK_randfile: "/dev/urandom"
-ZSK_lifetime: 4w # (2419200 seconds)
-ZSK_algo: RSASHA1 # (Algorithm ID 5)
-ZSK_bits: 512
-ZSK_randfile: "/dev/urandom"
-
-# dnssec-signer options
-LogFile: "log"
-LogLevel: "info"
-SyslogFacility: "user"
-SyslogLevel: "notice"
-Keyfile: "dnskey.db"
-Zonefile: "zone.db"
-KeySetDir: ".."
-DLV_Domain: ""
-Sig_Pseudorand: True
-Sig_Parameter: "-j 1800"
--- /dev/null
+2010-02-06 00:54:11.045: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-02-21 12:51:38.667: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-02-25 00:21:05.030: info: "example.de.": new key 39599 generated for publishing
+2010-02-25 00:21:05.030: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 00:22:32.667: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:40.317: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-02 11:00:04.526: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-02 11:00:16.077: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-03 23:22:07.163: notice: "example.de.": lifetime of zone signing key 63077 exceeded: ZSK rollover done
+2010-03-03 23:22:07.163: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:00:27.706: info: "example.de.": old ZSK 63077 removed
+2010-03-12 00:00:27.710: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:45:26.305: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-04-01 01:05:48.848: notice: "example.de.": lifetime of zone signing key 39599 exceeded since 43m41s: ZSK rollover deferred: waiting for published key
+2010-04-01 01:05:48.928: info: "example.de.": new key 9743 generated for publishing
+2010-04-01 01:05:48.929: notice: "example.de.": re-signing triggered: Modfied zone key set
--- /dev/null
+2010-02-06 00:54:11.044: info: "sub.example.de.": kskrollover phase2: send new key 33580 to the parent zone
+2010-02-21 12:51:38.487: info: "sub.example.de.": kskrollover phase3: Remove old key 3831
+2010-02-21 12:51:38.488: notice: "sub.example.de.": lifetime of zone signing key 320 exceeded: ZSK rollover done
+2010-02-21 12:51:38.556: info: "sub.example.de.": new key 17513 generated for publishing
+2010-02-21 12:51:38.556: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 00:21:04.838: info: "sub.example.de.": kskrollover phase1: New key 27861 generated
+2010-02-25 00:21:04.838: info: "sub.example.de.": old ZSK 320 removed
+2010-02-25 00:21:04.838: notice: "sub.example.de.": lifetime of zone signing key 65003 exceeded: ZSK rollover done
+2010-02-25 00:21:04.876: info: "sub.example.de.": new key 31547 generated for publishing
+2010-02-25 00:21:04.876: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 01:01:09.615: info: "sub.example.de.": old ZSK 65003 removed
+2010-02-25 01:01:09.615: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:40.316: info: "sub.example.de.": kskrollover phase2: send new key 9663 to the parent zone
+2010-03-02 11:00:04.328: info: "sub.example.de.": kskrollover phase3: Remove old key 59961
+2010-03-02 11:00:04.328: notice: "sub.example.de.": lifetime of zone signing key 17513 exceeded: ZSK rollover done
+2010-03-02 11:00:04.444: info: "sub.example.de.": new key 63530 generated for publishing
+2010-03-02 11:00:04.444: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-02 11:00:16.024: info: "sub.example.de.": kskrollover phase1: New key 42639 generated
+2010-03-02 11:00:16.025: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-03 23:22:07.066: info: "sub.example.de.": kskrollover phase2: send new key 27861 to the parent zone
+2010-03-03 23:22:07.066: info: "sub.example.de.": old ZSK 17513 removed
+2010-03-03 23:22:07.067: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:00:27.495: info: "sub.example.de.": kskrollover phase3: Remove old key 9663
+2010-03-12 00:00:27.495: notice: "sub.example.de.": lifetime of zone signing key 31547 exceeded: ZSK rollover done
+2010-03-12 00:00:27.609: info: "sub.example.de.": new key 7295 generated for publishing
+2010-03-12 00:00:27.609: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:45:26.265: info: "sub.example.de.": kskrollover phase1: New key 8544 generated
+2010-03-12 00:45:26.265: info: "sub.example.de.": old ZSK 31547 removed
+2010-03-12 00:45:26.266: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-04-01 01:05:48.169: info: "sub.example.de.": kskrollover phase2: send new key 42639 to the parent zone
+2010-04-01 01:05:48.169: notice: "sub.example.de.": lifetime of zone signing key 63530 exceeded: ZSK rollover done
+2010-04-01 01:05:48.650: info: "sub.example.de.": new key 40559 generated for publishing
+2010-04-01 01:05:48.650: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+++ /dev/null
-/*****************************************************************
-**
-** #(@) named.conf (c) 6. May 2004 (hoz)
-**
-*****************************************************************/
-
-/*****************************************************************
-** logging options
-*****************************************************************/
-logging {
- channel "named-log" {
- file "/var/log/named" versions 3 size 2m;
- print-time yes;
- print-category yes;
- print-severity yes;
- severity info;
- };
- channel "resolver-log" {
- file "/var/log/named";
- print-time yes;
- print-category yes;
- print-severity yes;
- severity debug 1;
- };
- channel "dnssec-log" {
-# file "/var/log/named-dnssec" ;
- file "/var/log/named" ;
- print-time yes;
- print-category yes;
- print-severity yes;
- severity debug 3;
- };
- category "dnssec" { "dnssec-log"; };
- category "default" { "named-log"; };
- category "resolver" { "resolver-log"; };
- category "client" { "resolver-log"; };
- category "queries" { "resolver-log"; };
-};
-
-/*****************************************************************
-** name server options
-*****************************************************************/
-options {
- directory ".";
-
- dump-file "/var/log/named_dump.db";
- statistics-file "/var/log/named.stats";
-
- listen-on-v6 { any; };
-
- query-source address * port 53;
- transfer-source * port 53;
- notify-source * port 53;
-
- recursion yes;
- dnssec-enable yes;
- edns-udp-size 4096;
-
-# dnssec-lookaside "." trust-anchor "trusted-keys.de.";
-
- querylog yes;
-
-};
-
-/*****************************************************************
-** include shared secrets...
-*****************************************************************/
-/** for control sessions ... **/
-# include "rndc.key";
-controls {
- inet 127.0.0.1
- allow { localhost; }
- keys { "rndc-key"; };
- inet ::1
- allow { localhost; }
- keys { "rndc-key"; };
-};
-
-/*****************************************************************
-** ... and trusted_keys
-*****************************************************************/
-# include "trusted-keys.conf" ;
-
-/*****************************************************************
-** root server hints and required 127 stuff
-*****************************************************************/
-zone "." in {
- type hint;
- file "root.hint";
-};
-
-zone "localhost" in {
- type master;
- file "localhost.zone";
-};
-
-zone "0.0.127.in-addr.arpa" in {
- type master;
- file "127.0.0.zone";
-};
-
-include "zone.conf";
+++ /dev/null
-
-zone "example.de." in {
- type master;
- file "de/example.de/zone.db.signed";
-};
-
-zone "sub.example.de." in {
- type master;
- file "de/example.de/sub.example.de/zone.db.signed";
-};
+++ /dev/null
-#
-# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
-#
-
-# dnssec-zkt options
-Zonedir: "extern"
-Recursive: True
-PrintTime: False
-PrintAge: True
-LeftJustify: False
-
-# zone specific values
-ResignInterval: 1w # (604800 seconds)
-Sigvalidity: 10d # (864000 seconds)
-Max_TTL: 8h # (28800 seconds)
-Propagation: 5m # (300 seconds)
-KEY_TTL: 1h # (3600 seconds)
-Serialformat: unixtime
-
-# signing key parameters
-KSK_lifetime: 1y # (31536000 seconds)
-KSK_algo: RSASHA1 # (Algorithm ID 5)
-KSK_bits: 1300
-KSK_randfile: "/dev/urandom"
-ZSK_lifetime: 30d # (2592000 seconds)
-ZSK_algo: RSASHA1 # (Algorithm ID 5)
-ZSK_bits: 512
-ZSK_randfile: "/dev/urandom"
-
-# dnssec-signer options
-LogFile: "zkt-ext.log"
-LogLevel: "debug"
-SyslogFacility: "none"
-SyslogLevel: "notice"
-VerboseLog: 2
-Keyfile: "dnskey.db"
-Zonefile: "zone.db"
-DLV_Domain: ""
-Sig_Pseudorand: True
+++ /dev/null
-#
-# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
-#
-
-# dnssec-zkt options
-Zonedir: "intern"
-Recursive: True
-PrintTime: False
-PrintAge: True
-LeftJustify: False
-
-# zone specific values
-ResignInterval: 5h # (18000 seconds)
-Sigvalidity: 1d # (86400 seconds)
-Max_TTL: 30m # (1800 seconds)
-Propagation: 1m # (60 seconds)
-KEY_TTL: 30m # (1800 seconds)
-Serialformat: unixtime
-
-# signing key parameters
-KSK_lifetime: 1y # (31536000 seconds)
-KSK_algo: RSASHA1 # (Algorithm ID 5)
-KSK_bits: 1300
-KSK_randfile: "/dev/urandom"
-ZSK_lifetime: 30d # (2592000 seconds)
-ZSK_algo: RSASHA1 # (Algorithm ID 5)
-ZSK_bits: 512
-ZSK_randfile: "/dev/urandom"
-
-# dnssec-signer options
-LogFile: "zkt-int.log"
-LogLevel: "debug"
-SyslogFacility: "none"
-SyslogLevel: "notice"
-VerboseLog: 2
-Keyfile: "dnskey.db"
-Zonefile: "zone.db"
-DLV_Domain: ""
-Sig_Pseudorand: True
+++ /dev/null
-#!/bin/sh
-#
-# Shell script to start the dnssec-signer
-# command out of the view directory
-#
-
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V extern "$@"
+++ /dev/null
-#!/bin/sh
-#
-# Shell script to start the dnssec-signer
-# command out of the view directory
-#
-
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V intern "$@"
+++ /dev/null
-#!/bin/sh
-#
-# Shell script to start the dnssec-zkt command
-# out of the view directory
-#
-
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view extern "$@"
+++ /dev/null
-#!/bin/sh
-#
-# Shell script to start the dnssec-zkt command
-# out of the view directory
-#
-
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view intern "$@"
+++ /dev/null
-;% generationtime=20080609231143
-;% lifetime=30d
-example.net. IN DNSKEY 256 3 5 BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4 ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw==
-PublicExponent: AQAAAAE=
-PrivateExponent: Q3TKb2j5AMk4wn9q5vvgtEy7o1VAhCvv/Nw3QRpXi7xGeHb7WJHj2ia2I44vQQk9fB+Kck1M8KNRMgYt0d0xCQ==
-Prime1: 7l4yn7VYrTSOaZu+lubsFvE+JB7asyYyymAEQeod2p0=
-Prime2: 7a4LEAmrtZTI/PHjdk/Ij/hbpDmtOe1H0lnWTVG+GfM=
-Exponent1: DTpyBBW39+d9b8LqCo7hJf5KQ3oVw9tdnUuHNstGZd0=
-Exponent2: b+aBbhRPr/a9ZCNM2JTjZJrrSebtMQCy1GcE33o64HM=
-Coefficient: UdvxnKd2GL6In82yHG40rU35WTZ2SUYQ+1mfz3DQqnE=
+++ /dev/null
-;% generationtime=20081002230045
-;% lifetime=30d
-example.net. IN DNSKEY 256 3 5 BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0 QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw==
-PublicExponent: AQAAAAE=
-PrivateExponent: UPJ5tLih3Wxu/lvoTctyw53YqaVngGRH+fSTLNchJfqXrwwKdP0LqiNMjWHv1m+OtDZJgbU8sZmXCXUVZOgCAQ==
-Prime1: /0fbhjXuq926sklBidVvZ5KPmAJPlbAeCprKhXi7GwE=
-Prime2: zYhpS9+p5PR1MisPZ5jf456zfJZg/XsuLZ288+5VH0c=
-Exponent1: rrZnAccK6f+4bRRLZEzM6V5tVopoZuSo3StxdGFIuAE=
-Exponent2: ChoiCjVQLac7g0/XOTbjeCoqrgcz9KB/z/36ZbuGRQ0=
-Coefficient: Lria2iu3j2EXiZal1YUyoUleY2jM64c4Dv5SYVzrsVU=
+++ /dev/null
-example.net. IN DNSKEY 257 3 5 BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnI ZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQ uwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2T u5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1 sQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1sQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: A3ZXTF8afjlxddgO/sDxotc0XLBMa3sNrXhCpdFzeDV1HszZbz1lP8rrZjA1wQgSo56DjiGRKTsHjAAm4xN1lGYKBZuVF4U3uiWie2PhJStt7kckNduKOfV9Nofow5Jh8I2lXKqcOJ8Qd+EJYIsajdBoGQ72PGGfDaHphbN/mW13n59PlilMF4RRRybcMA6jTAOfvIcv5Mes3+ADh0TktHdHQQ==
-Prime1: A+SKyrgtNzGVpAXPQysMQ9O/10B/+nhy6//1F5Epxihyuln+d2euh+TjVneojx4D2JUflDUSD5BQAdflDb+KiBXdQjBEmqfWwY+INwSQzv4M5Q==
-Prime2: AyXovkiIs7ywIRS6FfRolMMUeh3yeYNtCVAvLB6EC2MiNCzfkDOFB7rpmUkZR8HYUWuz1hQfR781RDO81Sp3RIpSyL7SwOqkpMZyaSgK/GKE3Q==
-Exponent1: D1vC405mkcUVfno92EuBXomRiOG7VeSyjwofgCpa0JKR6J2BThdCGrcVbq68ucIddn+cbkD8JsZB3k4aeDYFxm6d1En1Z2C1cVHrzCFi2zFV
-Exponent2: N+iliM1Qp3spcsR06kXImb/N4FosHrZkXtcbRIMWhV8NBcyqLDIfGlNluaiztv4rf6Kn2UyVeiGC822nqZHcW5PiXJnBEWs9AC4Di1QzZh0h
-Coefficient: AtZ4sYqGgyB5kfdcQBBlIkPbsRRNKrUVAsZkjabdZTQa+ox6tYnlVjh7BgPMHJlj/Z4VTRJ5rfAUPnB4ZwO/r1eAJLd+vxjJb9M7DaGMc+RqQA==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: sQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6wiAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q==
-PublicExponent: AQAAAAE=
-PrivateExponent: fZs/S7/pOPP1C9Jjdb7KhnbfiLfCIXdc7d8LDWmm7d9rL2kZK77WMp+o5WRQhoIDDQPAdv+phoIdFEIiXKLN8Q==
-Prime1: 6NEgG3Z86nn9fNjG+3E9OqF/7oaCvrVnb1XogalZgr0=
-Prime2: wq0aosO1mWXo38HuxO5JiR2mX/9LWjxxqwK6I9gnJp0=
-Exponent1: ZvI2y//PImr1OqeVLoWfFHop2iorgT4+SYiz1Gw9FME=
-Exponent2: TBUeoolmnFcOfWO6T1v0S6za7LEib2H1Pgt95UvDA40=
-Coefficient: eHmKka0EVRfjDfEpcwRp5nZ36ZHfLxuKF5tGQ1YclBI=
+++ /dev/null
-;% generationtime=20071217224527
-;% lifetime=30
-;% expiretime=20080116224527
-example.net. IN DNSKEY 256 3 5 BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6w iAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q==
+++ /dev/null
-;
-; !!! Don't edit this file by hand.
-; !!! It will be generated by dnssec-signer.
-;
-; Last generation time Oct 03 2008 01:00:45
-;
-
-; *** List of Key Signing Keys ***
-; example.net. tag=23553 algo=RSASHA1 generated Aug 05 2008 23:01:57
-example.net. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnI
- ZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQ
- uwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2T
- u5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1
- sQ==
- ) ; key id = 23553
-
-; *** List of Zone Signing Keys ***
-; example.net. tag=35744 algo=RSASHA1 generated Aug 05 2008 23:01:57
-example.net. 3600 IN DNSKEY 256 3 5 (
- BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6w
- iAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q==
- ) ; key id = 35744
-
-; example.net. tag=10367 algo=RSASHA1 generated Aug 05 2008 23:01:57
-example.net. 3600 IN DNSKEY 256 3 5 (
- BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4
- ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw==
- ) ; key id = 10367
-
-; example.net. tag=14714 algo=RSASHA1 generated Oct 03 2008 01:00:45
-example.net. 3600 IN DNSKEY 256 3 5 (
- BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0
- QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw==
- ) ; key id = 14714
-
+++ /dev/null
-example.net. IN DS 23553 5 1 A1A6D06CB84D619730F605AEF2A6DD4148DD9D5B
-example.net. IN DS 23553 5 2 B0DCAB8A32C230495CEC1FD61CEC03849450909CA6636FD9BC53D1B3 3B4F3A2D
+++ /dev/null
-$ORIGIN .
-example.net 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF
- YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+
- pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN
- 19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY
- 9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi
- XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM
- 6DaiC6E1sQ==
- ) ; key id = 23553
+++ /dev/null
-;-----------------------------------------------------------------
-;
-; @(#) extern/example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ IN SOA ns1.example.net. hostmaster.example.net. (
- 0 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
- IN NS ns1.example.net.
- IN NS ns2.example.net.
-
-ns1 IN A 1.0.0.5
- IN AAAA 2001:db8::53
-ns2 IN A 1.2.0.6
-
-localhost IN A 127.0.0.1
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.net file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub IN NS ns1.example.net.
-
-; this file will have all the zone keys
-$INCLUDE dnskey.db
-
+++ /dev/null
-; File written on Fri Oct 3 01:00:46 2008
-; dnssec_signzone version 9.5.1b2
-example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
- 1222988445 ; serial
- 43200 ; refresh (12 hours)
- 1800 ; retry (30 minutes)
- 1209600 ; expire (2 weeks)
- 7200 ; minimum (2 hours)
- )
- 7200 RRSIG SOA 5 2 7200 20081012220045 (
- 20081002220045 10367 example.net.
- LCFqUSzaxGi6kFs/IV6OuWgB77TzF4cYCH0S
- UKrZ2PBlf7iR10Y1t7UsG/RGy/mBZxMMebf+
- IzaEcsJynOXTOA== )
- 7200 NS ns1.example.net.
- 7200 NS ns2.example.net.
- 7200 RRSIG NS 5 2 7200 20081012220045 (
- 20081002220045 10367 example.net.
- hc9aE9RI0TQr9IlIv7A6Xl3D+O7IT4B2vmAj
- 7HA6znKCJMoA42h/EBNaSpc7lwLQmsHVpjP6
- I1cAjynNC+KCwA== )
- 7200 NSEC localhost.example.net. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 5 2 7200 20081012220045 (
- 20081002220045 10367 example.net.
- mRRRKkwqB3r09e9vBGCGj4d+TiPmKAFnldyd
- bWIoh7zT/cJm/HH8nDR1zUXXdeKp3/k8ddup
- rXE8rdS4LHa7sg== )
- 3600 DNSKEY 256 3 5 (
- BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5
- yYSeERYtaO2Wxi+kHz6wiAyKkbBYFUGtmbPJ
- 6JFt+4f9KnNPi1txiBg76Q==
- ) ; key id = 35744
- 3600 DNSKEY 256 3 5 (
- BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrk
- AidjF2+ndxtzw5OCLZG0QfmUumSh2Cq+g1dZ
- w2lIKan+blLCD7vRCX6cRw==
- ) ; key id = 14714
- 3600 DNSKEY 256 3 5 (
- BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzN
- vJUMaOc++HqN2N1sKSX4ZTf2V5gtamPZ/1kM
- rg8gYImKCl6n3K37EjXYBw==
- ) ; key id = 10367
- 3600 DNSKEY 257 3 5 (
- BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF
- YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+
- pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN
- 19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY
- 9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi
- XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM
- 6DaiC6E1sQ==
- ) ; key id = 23553
- 3600 RRSIG DNSKEY 5 2 3600 20081012220045 (
- 20081002220045 10367 example.net.
- RfMpx9krw1j7GCBGHnLU1NvvoBFOw2+HA08j
- zhrSrOd0iKlSxyewCf0r2LVUV0EXFEzwbrqy
- Wyt1l1ojfDX7mQ== )
- 3600 RRSIG DNSKEY 5 2 3600 20081012220045 (
- 20081002220045 23553 example.net.
- AYHR7rcPmwdcr3UP8jPBNesQ3aC8RdeB8vtg
- V01vPtvNIpp1OtMPIEx7bot9eWfmD/gVNuyS
- xOAp77KxECFIULPvq6Pk1dyTUOWXn19JOMDU
- CPyIxJs9gjD9AQ+UYo7UhhipOV1w5Y/g3Kvj
- TiPEMprIF2xBUSRDSn8+qTZdvQE8QymU4ujj
- 0gTF8egaCwgSmdeBajS3Vb6/L8M+GGP1tSOb
- Sg== )
-localhost.example.net. 7200 IN A 127.0.0.1
- 7200 RRSIG A 5 3 7200 20081012220045 (
- 20081002220045 10367 example.net.
- ngq0qDdgR3JILUgNpXzafmJd16pMcIJBlX3Q
- URIhGFOXTgUvRmOGsZvhqEqSCQQwkPYkpsNd
- 6NEKo5ZMZujTzA== )
- 7200 NSEC ns1.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20081012220045 (
- 20081002220045 10367 example.net.
- KoYaIavkKL8/oYzk1DQIy9SodaCd8yYC6QMD
- Ry4PfyiaoKchq45KFlQ5SVkaPfXQmGffbJdT
- mndSk+Txu7C2aw== )
-ns1.example.net. 7200 IN A 1.0.0.5
- 7200 RRSIG A 5 3 7200 20081012220045 (
- 20081002220045 10367 example.net.
- TZnIpUO6Odm6FaN2fzXslFfPjN0BmueDUco8
- T/sxtBpVAMbLkgSopaTEKgvV/J+pZfR1ehIh
- GZfIki/kSWfXxg== )
- 7200 AAAA 2001:db8::53
- 7200 RRSIG AAAA 5 3 7200 20081012220045 (
- 20081002220045 10367 example.net.
- Kr+R4GvcpfWp6RGMauy1MFK9iRwIuvxFfAxd
- ZAa/RiGOAB6BnLuGP6JHbJg25n6e+zPT7HeB
- cHmHAn4azykZDg== )
- 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20081012220045 (
- 20081002220045 10367 example.net.
- t7VkcKKR55956Kv9ASpw5vJCIFtZ1jYoBOU/
- aaB5OFsrN8706ARrlkUw6aFBCh1sd9vzi+SU
- vkgWg0dE7bbUpg== )
-ns2.example.net. 7200 IN A 1.2.0.6
- 7200 RRSIG A 5 3 7200 20081012220045 (
- 20081002220045 10367 example.net.
- lpYgf61HD7a7hAPtZuMnMxnVsjFSwY7qyRce
- cVzUeaxlqHTBbgXazldKYyYkBsPR1f7x7JUI
- m39kBVe4kf9byg== )
- 7200 NSEC sub.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20081012220045 (
- 20081002220045 10367 example.net.
- fC8u/dDkso6U3eBqyQrhohlnsMOZjHvn/vOx
- PxNCoJ3ideGp6g/WWExRdLA+SdQJqm40QJoQ
- +72LfvnXzQ+tRg== )
-sub.example.net. 7200 IN NS ns1.example.net.
- 7200 NSEC example.net. NS RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20081012220045 (
- 20081002220045 10367 example.net.
- OGaRT/2gV7fgQ88YXhqbP08cH+x/otO5qOEX
- WJ7PvCMhForeY7z66e1LZufRqU2HchNpx94o
- cz9+z1t7ECFYhw== )
+++ /dev/null
-2008-06-12 17:59:04.194: notice: running as ../../dnssec-signer -V extern -v -v
-2008-06-12 17:59:04.195: debug: parsing zone "example.net." in dir "extern/example.net."
-2008-06-12 17:59:04.196: debug: Check RFC5011 status
-2008-06-12 17:59:04.196: debug: ->ksk5011status returns 0
-2008-06-12 17:59:04.196: debug: Check ksk status
-2008-06-12 17:59:04.196: debug: Re-signing not necessary!
-2008-06-12 17:59:04.196: notice: end of run: 0 errors occured
-2008-06-12 17:59:17.435: notice: running as ../../dnssec-signer -V extern -v -v
-2008-06-12 17:59:17.436: debug: parsing zone "example.net." in dir "extern/example.net."
-2008-06-12 17:59:17.436: debug: Check RFC5011 status
-2008-06-12 17:59:17.436: debug: ->ksk5011status returns 0
-2008-06-12 17:59:17.436: debug: Check ksk status
-2008-06-12 17:59:17.436: debug: Re-signing not necessary!
-2008-06-12 17:59:17.436: notice: end of run: 0 errors occured
-2008-06-12 18:00:07.818: notice: running as ../../dnssec-signer -V extern -v -v
-2008-06-12 18:00:07.819: debug: parsing zone "example.net." in dir "extern/example.net."
-2008-06-12 18:00:07.819: debug: Check RFC5011 status
-2008-06-12 18:00:07.819: debug: ->ksk5011status returns 0
-2008-06-12 18:00:07.819: debug: Check ksk status
-2008-06-12 18:00:07.819: debug: Re-signing not necessary!
-2008-06-12 18:00:07.819: notice: end of run: 0 errors occured
-2008-06-12 18:00:39.019: notice: running as ../../dnssec-signer -V extern -v -v
-2008-06-12 18:00:39.020: debug: parsing zone "example.net." in dir "extern/example.net."
-2008-06-12 18:00:39.020: debug: Check RFC5011 status
-2008-06-12 18:00:39.020: debug: ->ksk5011status returns 0
-2008-06-12 18:00:39.020: debug: Check ksk status
-2008-06-12 18:00:39.020: debug: Re-signing not necessary!
-2008-06-12 18:00:39.020: notice: end of run: 0 errors occured
-2008-10-03 01:00:45.544: notice: ------------------------------------------------------------
-2008-10-03 01:00:45.544: notice: running ../../dnssec-signer -V extern -v -v
-2008-10-03 01:00:45.545: debug: parsing zone "example.net" in dir "extern/example.net"
-2008-10-03 01:00:45.545: debug: Check RFC5011 status
-2008-10-03 01:00:45.545: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2008-10-03 01:00:45.545: debug: Check KSK status
-2008-10-03 01:00:45.545: debug: Check ZSK status
-2008-10-03 01:00:45.545: debug: Lifetime(2592000 +/-150 sec) of active key 35744 exceeded (5018328 sec)
-2008-10-03 01:00:45.546: debug: ->depreciate it
-2008-10-03 01:00:45.546: debug: ->activate published key 10367
-2008-10-03 01:00:45.546: notice: "example.net": lifetime of zone signing key 35744 exceeded: ZSK rollover done
-2008-10-03 01:00:45.546: debug: New key for publishing needed
-2008-10-03 01:00:45.614: debug: ->creating new key 14714
-2008-10-03 01:00:45.614: info: "example.net": new key 14714 generated for publishing
-2008-10-03 01:00:45.614: debug: Re-signing necessary: New zone key
-2008-10-03 01:00:45.614: notice: "example.net": re-signing triggered: New zone key
-2008-10-03 01:00:45.614: debug: Writing key file "extern/example.net/dnskey.db"
-2008-10-03 01:00:45.614: debug: Signing zone "example.net"
-2008-10-03 01:00:45.614: debug: Run cmd "cd extern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +864000 -N unixtime zone.db K*.private"
-2008-10-03 01:00:46.114: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-10-03 01:00:46.114: debug: Signing completed after 1s.
-2008-10-03 01:00:46.114: debug:
-2008-10-03 01:00:46.114: notice: end of run: 0 errors occured
+++ /dev/null
-example.net. IN DNSKEY 257 3 5 BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3W ey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqI wF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9 +nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYq Lw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: C+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYqLw==
-PublicExponent: AQAAAAE=
-PrivateExponent: CF6/bss8OtQFdcjO6kJh9EamPFXAsaXFCdcYpHF55CU4H3jBuu7teLFEanvgm6M+wROYF0Yohiyb2aeSBdGLRIfTC9l3xfHD+XixuZVoNk6DqR1/8Wlxwu/a/hW9dq7pUXqDfTbzdZKR6SVRPa4MAdQ0p8aSF4S926NRqZC6E/anqhqNPSlBpxTs3TrRk+wY6u8wMXxPGNjJYoID8Y0Qau/H6Q==
-Prime1: A50B7etEtQCDudL8+KBxU1/2sVT3ORMfoZPsOe+ZLFrwcOO9Iyrr6saymuD4QvcIHECdLUM5rsT1JBo87wgvVysibco7oVLxlIfsTcbM70l2Kw==
-Prime2: A0n3+qM3ng3WAFzlpYRNUZpH/CW1pMq3nOHjx2olWwDxDZ4tAsUPKuW9n3kVZAR+4FkeUKn2ePR7xRtO3AzvA6QmZuZN6EHuLPlSKRufzeZ+DQ==
-Exponent1: Hk5KY5PiXs6pf8T8rSvVs6PJqDX491R01ZDdAIDYjmhIUHKWQ2STAlPEpSAGXi+oqOo4dD1eJWgw36hT0JakjXU4aIvPoSdmVPMs8aod0NUh
-Exponent2: AXKBZ5sYApCCj/0fGBTkmU6Zc89/ddQNrFm2lVLrwSTILHQWm/aXDvI+5icpF5kdrukVcNHUeCz1R/RTgeV4N9/qvr5YzbPWieqDNvpG1RcNRQ==
-Coefficient: BZxK+fKwUNWoJ5huBqLsi8UMWgrCMqAfXvge4+Y4n4IL0VCU1UUEXZQEEeiATh0g52CuetOMej6FZ4QKbNryWg036ZKl81ataMGtDX/i/yZG
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: sMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHxpyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: fpWuYAOXJWdjMrZnI91hTi1wwuje4sKjDu8xvfnKvqKhr61QxK1gR9TB3mc2FM+Awivphb3xfi8+y2cacq9iUQ==
-Prime1: 6DE1tFJXGIm2SW3fSwQymX7Zcw8VSIMWiHQPCqX1FA0=
-Prime2: wuHS7u0I9aYOFkDAndfEVyDi8vOh96CcY/BuSvEZ6+0=
-Exponent1: sn7RttKPap3cgw2sddmgwcuVSaEpwOswF/O42Ou3fMk=
-Exponent2: LoJ305VksT7SWWR6bM5OybcdTm39PTZM0g3V2hOceK0=
-Coefficient: SwRF9S9ICVeyeYw3djxbg7kUZjz5AkbHIgz9VeX4mzM=
+++ /dev/null
-example.net. IN DNSKEY 256 3 5 BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHx pyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ==
+++ /dev/null
-;% generationtime=20080612154545
-;% lifetime=30d
-example.net. IN DNSKEY 256 3 5 BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9Lc TpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9LcTpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw==
-PublicExponent: AQAAAAE=
-PrivateExponent: XZK4eHRUrFka7O0Q/RBuBG3iW8KFng5em4FnjCSBQpwSAvFzTBebqwfNSOcgqKihz8VzvKHxEd6BxVZRGI2dgQ==
-Prime1: 8Jji5R57Y4ROxrO5EuEFjxL723VQ/Ym+4KYG+tM3bP8=
-Prime2: 2uhGRdJU3UJvnPwx0gJGio6KmRBC6CmDqTMORhYrS1E=
-Exponent1: cqVno4KLgMmKN5VPWaYA+pB5e55r6UEIaxqj6WMXATs=
-Exponent2: EqSKzb/r02jmNCTv5aX7wHl+57LYR40rJvzgVTfh/tE=
-Coefficient: 37ywfYlNFmtR/jZwoZBHNdIEy+C+jIeJ+fEepesSpoI=
+++ /dev/null
-;% generationtime=20081002230038
-;% lifetime=30d
-example.net. IN DNSKEY 256 3 5 BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb 6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw==
-PublicExponent: AQAAAAE=
-PrivateExponent: dQ8votLvyw0GPMsOp8k0mmhnjV07S4auujNLDyYZAiuHzVAXnGNz3xT2SnFW8w8DefMPcsV5xcIrRK7e0IwFQQ==
-Prime1: /cDlq0uko2XS08z5G6tedDY2VMrpPBHtZfPFv+deJNU=
-Prime2: 1/NwlY7J6WKGV/OIF6rlhn4UUitvTW7fpvUtyVEm+zs=
-Exponent1: omnudnzEz+TTOSfoandcrZGS9x4qxU7hN+WjpRI7sCU=
-Exponent2: rrt9FPIRiwGDSRtlsUaPNqgcgk4l/EQdWciqnhWu5ms=
-Coefficient: GFA1bGcsWxRZza80zKnL/V9YsfoNaI4id7pwU7FOtAE=
+++ /dev/null
-;
-; !!! Don't edit this file by hand.
-; !!! It will be generated by dnssec-signer.
-;
-; Last generation time Oct 03 2008 01:00:38
-;
-
-; *** List of Key Signing Keys ***
-; example.net. tag=126 algo=RSASHA1 generated Aug 05 2008 23:01:57
-example.net. 1800 IN DNSKEY 257 3 5 (
- BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3W
- ey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqI
- wF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9
- +nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYq
- Lw==
- ) ; key id = 126
-
-; *** List of Zone Signing Keys ***
-; example.net. tag=23375 algo=RSASHA1 generated Aug 05 2008 23:01:57
-example.net. 1800 IN DNSKEY 256 3 5 (
- BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9Lc
- TpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw==
- ) ; key id = 23375
-
-; example.net. tag=5972 algo=RSASHA1 generated Aug 05 2008 23:01:57
-example.net. 1800 IN DNSKEY 256 3 5 (
- BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHx
- pyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ==
- ) ; key id = 5972
-
-; example.net. tag=55745 algo=RSASHA1 generated Oct 03 2008 01:00:38
-example.net. 1800 IN DNSKEY 256 3 5 (
- BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb
- 6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw==
- ) ; key id = 55745
-
+++ /dev/null
-example.net. IN DS 126 5 1 D32161DCFCA120944CB9C0394CBED1389FDB72CA
-example.net. IN DS 126 5 2 351C6807B25E47223D7A6AA222291E8D7D7DDDA61D64CE839F937F22 47481FC9
+++ /dev/null
-$ORIGIN .
-example.net 7200 IN DNSKEY 257 3 5 (
- BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk
- gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI
- uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS
- 5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s
- ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE
- 6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q
- grOD6IYqLw==
- ) ; key id = 126
+++ /dev/null
-;-----------------------------------------------------------------
-;
-; @(#) intern/example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ IN SOA ns1.example.net. hostmaster.example.net. (
- 0 ; Serial
- 43200 ; Refresh
- 1800 ; Retry
- 2W ; Expire
- 7200 ) ; Minimum
-
- IN NS ns1.example.net.
- IN NS ns2.example.net.
-
-ns1 IN A 192.168.1.53
- IN AAAA fd12:063c:cdbb::53
-ns2 IN A 10.1.2.3
-
-localhost IN A 127.0.0.1
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.net file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub IN NS ns1.example.net.
-
-; this file will have all the zone keys
-$INCLUDE dnskey.db
-
+++ /dev/null
-; File written on Fri Oct 3 01:00:38 2008
-; dnssec_signzone version 9.5.1b2
-example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
- 1222988438 ; serial
- 43200 ; refresh (12 hours)
- 1800 ; retry (30 minutes)
- 1209600 ; expire (2 weeks)
- 7200 ; minimum (2 hours)
- )
- 7200 RRSIG SOA 5 2 7200 20081003220038 (
- 20081002220038 23375 example.net.
- EaJUHwT7koYW6b+W6LZ/1L3zXvs/SMSW+d94
- PjdcgdSR4b8mhJetzWj2ZO/n5uy7CUl496Hx
- RU+QoCF8K6HkVw== )
- 7200 NS ns1.example.net.
- 7200 NS ns2.example.net.
- 7200 RRSIG NS 5 2 7200 20081003220038 (
- 20081002220038 23375 example.net.
- b0W8xa7AgV6IWMSYtVCuix1bEHeohx2oboqs
- HqCrVPgd0OtYdSpxgcIJhLiUv/9ux9YihjKC
- aKsw9D8YtpOmpg== )
- 7200 NSEC localhost.example.net. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 5 2 7200 20081003220038 (
- 20081002220038 23375 example.net.
- mHJnc/UsTztaTRWQCTVc7vgM8bt5mgFJTIlJ
- 52+Rn74uzak2fDTfR4jHEHCqsinx9EA+iAcN
- 2na44xgRs2dCNQ== )
- 1800 DNSKEY 256 3 5 (
- BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb
- 11l0HC5kGIDp+JPQIQHxpyCWa/LaLgcvK3IA
- 1HR8YaO3QXB2LAHEz5B/CQ==
- ) ; key id = 5972
- 1800 DNSKEY 256 3 5 (
- BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0Q
- Qv96Qwy5/zuOa/3Zy9LcTpbE13DtEAqOfVGS
- Q79S4WgKalFJxq6lSk0xrw==
- ) ; key id = 23375
- 1800 DNSKEY 256 3 5 (
- BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMg
- H3nDnWBT3BD75hEuz/Cb6YapmxaZybxc+EE/
- Ts8bhXGqPEwoADjxfW1UFw==
- ) ; key id = 55745
- 1800 DNSKEY 257 3 5 (
- BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk
- gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI
- uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS
- 5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s
- ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE
- 6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q
- grOD6IYqLw==
- ) ; key id = 126
- 1800 RRSIG DNSKEY 5 2 1800 20081003220038 (
- 20081002220038 126 example.net.
- CLKVhqz7zOAEyJrQq/WAEaRsnTfNEnCwYEMj
- KPrAgiXXF+RJy18cHN7QoXb4kc8KA/TrOU1w
- WN8IjdESlPj9pQKqUs/uO9RLzIcv6jOlOKQP
- oKOjjnOxAL52+WNK94TUpunlvfd53ovC8YK4
- /nOsSjpLoqTbmL1r45vqpL/C6jqJR8bTouwy
- rjAYEtkWRND0QZ9R6IAHfxO6onmX1GOtu5Ji
- ew== )
- 1800 RRSIG DNSKEY 5 2 1800 20081003220038 (
- 20081002220038 23375 example.net.
- WXsmdMkwYcvzrf8qevByn+BMPjTE8aEcze7q
- uzZI+3NOcbZ4MMlAdauc6jhfc9xmgSiJu52q
- EUX5JLL8xQ7tDg== )
-localhost.example.net. 7200 IN A 127.0.0.1
- 7200 RRSIG A 5 3 7200 20081003220038 (
- 20081002220038 23375 example.net.
- FoSR7rfi2wfgEz5wj+qILnVwV7mAmL4XknQA
- b1uGLJ8Wcnkn4sqjaISgfVwG/GVxwuBOuVne
- SqXIFVVvKQtEUg== )
- 7200 NSEC ns1.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20081003220038 (
- 20081002220038 23375 example.net.
- iwB4+BZVreVKVnmBZdVdz/NxRy1tyYpd0JgK
- otoiLA6dESoC29tHQL/hBx92Q7lETZI+8gSE
- II0sRQv+1PL+JQ== )
-ns1.example.net. 7200 IN A 192.168.1.53
- 7200 RRSIG A 5 3 7200 20081003220038 (
- 20081002220038 23375 example.net.
- oBiQfEsq72v6NMONwgdewLtvNyH1K/Btz1b5
- hEYqdoX1QpaduXlQNodFPf15PdwEp4v4FwZ0
- rOtPt7kO4EQnww== )
- 7200 AAAA fd12:63c:cdbb::53
- 7200 RRSIG AAAA 5 3 7200 20081003220038 (
- 20081002220038 23375 example.net.
- mmNK/6aWk1nr7lWhVt9m6A9vgenngt1hsOxs
- 43jwarEb7SeYRanHMnML/g101mk7czXAiRxq
- np4Cjs3lo1M/Bg== )
- 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20081003220038 (
- 20081002220038 23375 example.net.
- jTnbufp39i9n9cZwasJ6IsRwqWIIeTU1Z/wy
- ECBmyYQlfAuYmWTYmX4BPsQ9SwFZVIICg40I
- /BYlDBm7ihxUyw== )
-ns2.example.net. 7200 IN A 10.1.2.3
- 7200 RRSIG A 5 3 7200 20081003220038 (
- 20081002220038 23375 example.net.
- Rdu1WWzZdPJ5CjfMd9n31XY6Df4NiO2wPnxy
- Wp6x3EyLrABDdM95fwf8DBgjarppJNtOaV5j
- Lr5CujYtAoXksA== )
- 7200 NSEC sub.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20081003220038 (
- 20081002220038 23375 example.net.
- GcxFEovqwXtJ/tYRG4G4tNKyVY7Vg9HULhbj
- JZfi8IlaR3bloMVMj2bHWhNQvvXTFY+N59UG
- PNWE+krE+L4yfQ== )
-sub.example.net. 7200 IN NS ns1.example.net.
- 7200 NSEC example.net. NS RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20081003220038 (
- 20081002220038 23375 example.net.
- SgCqYEbpzuCcVDLi5PcyUEG8qKm+EQ0lj3mz
- uiSDDTh6OsCKOVqW8dKs15P8v3i5LDJwM/Eu
- OaqT7RJgB2UOkQ== )
+++ /dev/null
-2008-06-12 18:02:13.593: notice: running as ../../dnssec-signer -V intern -v -v
-2008-06-12 18:02:13.594: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:02:13.594: debug: Check RFC5011 status
-2008-06-12 18:02:13.595: debug: ->ksk5011status returns 0
-2008-06-12 18:02:13.595: debug: Check ksk status
-2008-06-12 18:02:13.595: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727466 sec)
-2008-06-12 18:02:13.595: debug: ->waiting for pre-publish key
-2008-06-12 18:02:13.595: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h17m46s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:02:13.595: debug: Re-signing necessary: Modified keys
-2008-06-12 18:02:13.595: notice: "example.net.": re-signing triggered: Modified keys
-2008-06-12 18:02:13.595: debug: Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:02:13.596: debug: Signing zone "example.net."
-2008-06-12 18:02:13.596: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
-2008-06-12 18:02:13.705: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:02:13.705: debug: Signing completed after 0s.
-2008-06-12 18:02:13.705: debug:
-2008-06-12 18:02:13.705: notice: end of run: 0 errors occured
-2008-06-12 18:03:13.208: notice: running as ../../dnssec-signer -V intern -r -v -v
-2008-06-12 18:03:13.209: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:03:13.209: debug: Check RFC5011 status
-2008-06-12 18:03:13.209: debug: ->ksk5011status returns 0
-2008-06-12 18:03:13.209: debug: Check ksk status
-2008-06-12 18:03:13.209: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727526 sec)
-2008-06-12 18:03:13.209: debug: ->waiting for pre-publish key
-2008-06-12 18:03:13.209: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m46s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:03:13.209: debug: Re-signing not necessary!
-2008-06-12 18:03:13.209: notice: end of run: 0 errors occured
-2008-06-12 18:03:19.287: notice: running as ../../dnssec-signer -V intern -r -v -v
-2008-06-12 18:03:19.288: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:03:19.288: debug: Check RFC5011 status
-2008-06-12 18:03:19.289: debug: ->ksk5011status returns 0
-2008-06-12 18:03:19.289: debug: Check ksk status
-2008-06-12 18:03:19.289: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727532 sec)
-2008-06-12 18:03:19.289: debug: ->waiting for pre-publish key
-2008-06-12 18:03:19.289: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m52s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:03:19.289: debug: Re-signing not necessary!
-2008-06-12 18:03:19.289: notice: end of run: 0 errors occured
-2008-06-12 18:03:23.617: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:03:23.618: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:03:23.618: debug: Check RFC5011 status
-2008-06-12 18:03:23.618: debug: ->ksk5011status returns 0
-2008-06-12 18:03:23.618: debug: Check ksk status
-2008-06-12 18:03:23.618: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727536 sec)
-2008-06-12 18:03:23.618: debug: ->waiting for pre-publish key
-2008-06-12 18:03:23.618: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m56s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:03:23.618: debug: Re-signing necessary: Option -f
-2008-06-12 18:03:23.618: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:03:23.618: debug: Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:03:23.619: debug: Signing zone "example.net."
-2008-06-12 18:03:23.619: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
-2008-06-12 18:03:23.719: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:03:23.719: debug: Signing completed after 0s.
-2008-06-12 18:03:23.720: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:03:23.772: debug:
-2008-06-12 18:03:23.772: notice: end of run: 0 errors occured
-2008-06-12 18:05:39.532: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:05:39.533: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:05:39.533: debug: Check RFC5011 status
-2008-06-12 18:05:39.533: debug: ->ksk5011status returns 0
-2008-06-12 18:05:39.533: debug: Check ksk status
-2008-06-12 18:05:39.533: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727672 sec)
-2008-06-12 18:05:39.533: debug: ->waiting for pre-publish key
-2008-06-12 18:05:39.533: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h21m12s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:05:39.533: debug: Re-signing necessary: Option -f
-2008-06-12 18:05:39.533: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:05:39.533: debug: Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:05:39.534: debug: Signing zone "example.net."
-2008-06-12 18:05:39.534: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
-2008-06-12 18:05:39.629: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:05:39.630: debug: Signing completed after 0s.
-2008-06-12 18:05:39.630: notice: ""example.net."": reload triggered
-2008-06-12 18:05:39.640: debug:
-2008-06-12 18:05:39.640: notice: end of run: 0 errors occured
-2008-06-12 18:07:47.753: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:07:47.754: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:07:47.754: debug: Check RFC5011 status
-2008-06-12 18:07:47.754: debug: ->ksk5011status returns 0
-2008-06-12 18:07:47.754: debug: Check ksk status
-2008-06-12 18:07:47.754: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727800 sec)
-2008-06-12 18:07:47.754: debug: ->waiting for pre-publish key
-2008-06-12 18:07:47.754: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h23m20s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:07:47.754: debug: Re-signing necessary: Option -f
-2008-06-12 18:07:47.754: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:07:47.754: debug: Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:07:47.754: debug: Signing zone "example.net."
-2008-06-12 18:07:47.754: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
-2008-06-12 18:07:47.856: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:07:47.856: debug: Signing completed after 0s.
-2008-06-12 18:07:47.856: notice: ""example.net."": reload triggered
-2008-06-12 18:07:47.866: debug:
-2008-06-12 18:07:47.867: notice: end of run: 0 errors occured
-2008-06-12 18:10:57.978: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:10:57.978: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:10:57.978: debug: Check RFC5011 status
-2008-06-12 18:10:57.978: debug: ->ksk5011status returns 0
-2008-06-12 18:10:57.978: debug: Check ksk status
-2008-06-12 18:10:57.978: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727990 sec)
-2008-06-12 18:10:57.978: debug: ->waiting for pre-publish key
-2008-06-12 18:10:57.978: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h26m30s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:10:57.978: debug: Re-signing necessary: Option -f
-2008-06-12 18:10:57.978: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:10:57.978: debug: Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:10:57.979: debug: Signing zone "example.net."
-2008-06-12 18:10:57.979: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
-2008-06-12 18:10:58.081: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:10:58.081: debug: Signing completed after 1s.
-2008-06-12 18:10:58.081: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:10:58.093: debug:
-2008-06-12 18:10:58.093: notice: end of run: 0 errors occured
-2008-06-12 18:13:29.511: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:13:29.512: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:13:29.512: debug: Check RFC5011 status
-2008-06-12 18:13:29.512: debug: ->ksk5011status returns 0
-2008-06-12 18:13:29.512: debug: Check ksk status
-2008-06-12 18:13:29.512: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728142 sec)
-2008-06-12 18:13:29.512: debug: ->waiting for pre-publish key
-2008-06-12 18:13:29.512: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m2s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:13:29.512: debug: Re-signing necessary: Option -f
-2008-06-12 18:13:29.512: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:13:29.512: debug: Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:13:29.513: debug: Signing zone "example.net."
-2008-06-12 18:13:29.513: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
-2008-06-12 18:13:29.612: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:13:29.612: debug: Signing completed after 0s.
-2008-06-12 18:13:29.612: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:13:29.612: debug: Reload zone "example.net." in view "intern"
-2008-06-12 18:13:29.612: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
-2008-06-12 18:13:29.623: debug:
-2008-06-12 18:13:29.623: notice: end of run: 0 errors occured
-2008-06-12 18:13:38.707: notice: running as ../../dnssec-signer -V intern -f -r -v
-2008-06-12 18:13:38.708: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:13:38.709: debug: Check RFC5011 status
-2008-06-12 18:13:38.709: debug: ->ksk5011status returns 0
-2008-06-12 18:13:38.709: debug: Check ksk status
-2008-06-12 18:13:38.709: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728151 sec)
-2008-06-12 18:13:38.709: debug: ->waiting for pre-publish key
-2008-06-12 18:13:38.709: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m11s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:13:38.709: debug: Re-signing necessary: Option -f
-2008-06-12 18:13:38.709: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:13:38.709: debug: Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:13:38.710: debug: Signing zone "example.net."
-2008-06-12 18:13:38.710: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
-2008-06-12 18:13:39.163: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:13:39.163: debug: Signing completed after 1s.
-2008-06-12 18:13:39.163: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:13:39.163: debug: Reload zone "example.net." in view "intern"
-2008-06-12 18:13:39.163: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
-2008-06-12 18:13:39.174: debug:
-2008-06-12 18:13:39.174: notice: end of run: 0 errors occured
-2008-06-12 18:13:43.163: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:13:43.164: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:13:43.164: debug: Check RFC5011 status
-2008-06-12 18:13:43.164: debug: ->ksk5011status returns 0
-2008-06-12 18:13:43.164: debug: Check ksk status
-2008-06-12 18:13:43.164: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728156 sec)
-2008-06-12 18:13:43.164: debug: ->waiting for pre-publish key
-2008-06-12 18:13:43.164: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m16s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:13:43.164: debug: Re-signing necessary: Option -f
-2008-06-12 18:13:43.164: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:13:43.164: debug: Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:13:43.164: debug: Signing zone "example.net."
-2008-06-12 18:13:43.164: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private"
-2008-06-12 18:13:43.262: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:13:43.262: debug: Signing completed after 0s.
-2008-06-12 18:13:43.262: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:13:43.262: debug: Reload zone "example.net." in view "intern"
-2008-06-12 18:13:43.262: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
-2008-06-12 18:13:43.273: debug:
-2008-06-12 18:13:43.273: notice: end of run: 0 errors occured
-2008-10-03 01:00:38.404: notice: ------------------------------------------------------------
-2008-10-03 01:00:38.404: notice: running ../../dnssec-signer -V intern
-2008-10-03 01:00:38.405: debug: parsing zone "example.net" in dir "intern/example.net"
-2008-10-03 01:00:38.405: debug: Check RFC5011 status
-2008-10-03 01:00:38.405: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
-2008-10-03 01:00:38.405: debug: Check KSK status
-2008-10-03 01:00:38.405: debug: Check ZSK status
-2008-10-03 01:00:38.405: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (5018321 sec)
-2008-10-03 01:00:38.405: debug: ->depreciate it
-2008-10-03 01:00:38.405: debug: ->activate published key 23375
-2008-10-03 01:00:38.405: notice: "example.net": lifetime of zone signing key 5972 exceeded: ZSK rollover done
-2008-10-03 01:00:38.405: debug: New key for publishing needed
-2008-10-03 01:00:38.491: debug: ->creating new key 55745
-2008-10-03 01:00:38.492: info: "example.net": new key 55745 generated for publishing
-2008-10-03 01:00:38.492: debug: Re-signing necessary: New zone key
-2008-10-03 01:00:38.492: notice: "example.net": re-signing triggered: New zone key
-2008-10-03 01:00:38.492: debug: Writing key file "intern/example.net/dnskey.db"
-2008-10-03 01:00:38.492: debug: Signing zone "example.net"
-2008-10-03 01:00:38.492: debug: Run cmd "cd intern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +86400 -N unixtime zone.db K*.private"
-2008-10-03 01:00:38.796: debug: Cmd dnssec-signzone return: "zone.db.signed"
-2008-10-03 01:00:38.796: debug: Signing completed after 0s.
-2008-10-03 01:00:38.796: debug:
-2008-10-03 01:00:38.796: notice: end of run: 0 errors occured
+++ /dev/null
-/*****************************************************************
-**
-** #(@) named.conf (c) 6. May 2004 (hoz)
-*****************************************************************/
-
-/*****************************************************************
-** logging options
-*****************************************************************/
-logging {
- channel "named-log" {
- file "named.log";
- print-time yes;
- print-category yes;
- print-severity yes;
- severity info;
- };
- category "dnssec" { "named-log"; };
- category "edns-disabled" { "named-log"; };
- category "default" { "named-log"; };
-};
-
-/*****************************************************************
-** name server options
-*****************************************************************/
-options {
- directory ".";
-
- pid-file "named.pid";
- listen-on-v6 port 1053 { any; };
- listen-on port 1053 { any; };
-
- empty-zones-enable no;
-
- port 1053;
- query-source address * port 1053;
- query-source-v6 address * port 1053;
- transfer-source * port 53;
- transfer-source-v6 * port 53;
- use-alt-transfer-source no;
- notify-source * port 53;
- notify-source-v6 * port 53;
-
- recursion yes;
- dnssec-enable yes;
- dnssec-validation yes; /* required by BIND 9.4.0 */
- dnssec-accept-expired false; /* added since BIND 9.5.0 */
- edns-udp-size 1460; /* (M4) */
- max-udp-size 1460; /* (M5) */
-
- # allow-query { localhost; }; /* default in 9.4.0 */
- # allow-query-cache { localhost; }; /* default in 9.4.0 */
-
- dnssec-must-be-secure "." no;
-
- querylog yes;
-
- stats-server 127.0.0.1 port 8881; /* added since BIND 9.5.0 */
-};
-
-/*****************************************************************
-** view intern
-*****************************************************************/
-view "intern" {
- match-clients { 127.0.0.1; ::1; };
- recursion yes;
- zone "." in {
- type hint;
- file "root.hint";
- };
-
- zone "0.0.127.in-addr.arpa" in {
- type master;
- file "127.0.0.zone";
- };
-
- zone "example.net" in {
- type master;
- file "intern/example.net/zone.db.signed";
- };
-};
-
-/*****************************************************************
-** view extern
-*****************************************************************/
-view "extern" {
- match-clients { any; };
- recursion no;
- zone "." in {
- type hint;
- file "root.hint";
- };
-
- zone "example.net" in {
- type master;
- file "extern/example.net/zone.db.signed";
- };
-};
+++ /dev/null
-20-Nov-2007 17:12:58.092 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
-20-Nov-2007 17:12:58.092 general: critical: exiting (due to early fatal error)
-20-Nov-2007 17:20:24.941 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
-20-Nov-2007 17:20:24.941 general: critical: exiting (due to early fatal error)
-20-Nov-2007 17:28:22.686 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
-20-Nov-2007 17:28:22.686 general: critical: exiting (due to early fatal error)
-20-Nov-2007 17:40:12.389 general: error: zone 0.0.127.in-addr.arpa/IN/intern: loading from master file 127.0.0.zone failed: file not found
-20-Nov-2007 17:40:12.391 general: info: zone example.net/IN/intern: loaded serial 1195574789 (signed)
-20-Nov-2007 17:40:12.393 general: info: zone example.net/IN/extern: loaded serial 1195561217 (signed)
-20-Nov-2007 17:40:12.393 general: notice: running
-20-Nov-2007 17:40:12.393 notify: info: zone example.net/IN/intern: sending notifies (serial 1195574789)
-20-Nov-2007 17:40:12.394 notify: info: zone example.net/IN/extern: sending notifies (serial 1195561217)
-20-Nov-2007 19:07:04.016 general: info: shutting down
-20-Nov-2007 19:07:04.017 network: info: no longer listening on ::#1053
-20-Nov-2007 19:07:04.017 network: info: no longer listening on 127.0.0.1#1053
-20-Nov-2007 19:07:04.017 network: info: no longer listening on 145.253.100.51#1053
-20-Nov-2007 19:07:04.020 general: notice: exiting
+++ /dev/null
-; <<>> DiG 9.5.0a6 <<>> ns . @a.root-servers.net
-;; global options: printcmd
-;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33355
-;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
-;; WARNING: recursion requested but not available
-
-;; QUESTION SECTION:
-;. IN NS
-
-;; ANSWER SECTION:
-. 518400 IN NS H.ROOT-SERVERS.NET.
-. 518400 IN NS I.ROOT-SERVERS.NET.
-. 518400 IN NS J.ROOT-SERVERS.NET.
-. 518400 IN NS K.ROOT-SERVERS.NET.
-. 518400 IN NS L.ROOT-SERVERS.NET.
-. 518400 IN NS M.ROOT-SERVERS.NET.
-. 518400 IN NS A.ROOT-SERVERS.NET.
-. 518400 IN NS B.ROOT-SERVERS.NET.
-. 518400 IN NS C.ROOT-SERVERS.NET.
-. 518400 IN NS D.ROOT-SERVERS.NET.
-. 518400 IN NS E.ROOT-SERVERS.NET.
-. 518400 IN NS F.ROOT-SERVERS.NET.
-. 518400 IN NS G.ROOT-SERVERS.NET.
-
-;; ADDITIONAL SECTION:
-A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
-B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
-C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
-D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
-E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
-F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
-G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
-H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
-I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
-J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
-K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
-L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
-M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
-
-;; Query time: 114 msec
-;; SERVER: 198.41.0.4#53(198.41.0.4)
-;; WHEN: Mon Nov 5 07:28:00 2007
-;; MSG SIZE rcvd: 436
-
+++ /dev/null
-
-
-ZKT_CONFFILE=dnssec.conf
-export ZKT_CONFFILE
-
-if true
-then
- echo "All internal keys:"
- ./dnssec-zkt-intern
- echo
-
- echo "All external keys:"
- ./dnssec-zkt-extern
- echo
-fi
-
-echo "Sign both views"
-./dnssec-signer-intern -v -v -f -r
-echo
-./dnssec-signer-extern -v -v
#!/bin/sh
#
-# Shell script to start the dnssec-zkt command
+# Shell script to start the zkt-ls command
# out of the example directory
#
echo Please start this skript out of the flat or hierarchical sub directory
exit 1
fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt "$@"
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-ls "$@"
#!/bin/sh
#
-# Shell script to start the dnssec-signer
+# Shell script to start the zkt-signer
# command out of the example directory
#
echo Please start this skript out of the flat or hierarchical sub directory
exit 1
fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-signer "$@"
** module internal vars & declarations
*****************************************************************/
static FILE *lg_fp;
+static FILE *lg_fpsave;
static int lg_minfilelevel;
static int lg_syslogging;
static int lg_minsyslevel;
return ret;
}
+/*****************************************************************
+** lg_zone_start (domain)
+** -- reopen the log channel
+** return values:
+** 0 on success
+** -1 on file open error
+*****************************************************************/
+int lg_zone_start (const char *dir, const char *domain)
+{
+ char fname[255+1];
+
+ dbg_val2 ("lg_zone_start (%s, %s)\n", dir, domain);
+
+ snprintf (fname, sizeof (fname), LOG_DOMAINTMPL, domain);
+ if ( lg_fp )
+ lg_fpsave = lg_fp;
+ lg_fp = lg_fileopen (dir, fname);
+
+ return lg_fp != NULL;
+}
+
+/*****************************************************************
+** lg_zone_end (domain)
+** -- close the (reopened) log channel
+** return values:
+** 0 on success
+** -1 on file open error
+*****************************************************************/
+int lg_zone_end ()
+{
+ if ( lg_fp && lg_fpsave )
+ {
+ lg_close ();
+ lg_fp = lg_fpsave;
+ lg_fpsave = NULL;
+ return 1;
+ }
+
+ return 0;
+}
+
/*****************************************************************
**
** lg_args (level, argc, argv[])
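Review bot: lg_zone_start leaves the logger in a broken state when lg_fileopen fails: lg_fp has already been copied into lg_fpsave and is then overwritten with NULL, so lg_zone_end's `lg_fp && lg_fpsave` test never fires, the previous channel is never restored and its FILE is orphaned for the rest of the run. Open the per-zone file into a local first and only swap the channels on success (rewrite below); a second lg_zone_start without an intervening lg_zone_end would still clobber lg_fpsave, so the header comment should state that the two calls must pair. Both header comments also disagree with the code, which returns 1 on success and 0 on failure rather than the documented 0/-1, e.g. `** 1 on success, 0 if the per-zone log file could not be opened` for lg_zone_start and `** 1 if the saved channel was restored, 0 if nothing was reopened` for lg_zone_end. Because the zone name is substituted into the file name via LOG_DOMAINTMPL without any sanitising here, it is worth confirming that lg_fileopen (outside this hunk) rejects names containing path separators or `..`, since the name presumably originates from the zone directory scan or the config. The definition should also read `int lg_zone_end (void)` to match the prototype added to the header.
```c
int lg_zone_start (const char *dir, const char *domain)
{
	char	fname[255+1];
	FILE	*fp;

	dbg_val2 ("lg_zone_start (%s, %s)\n", dir, domain);

	snprintf (fname, sizeof (fname), LOG_DOMAINTMPL, domain);
	fp = lg_fileopen (dir, fname);
	if ( fp == NULL )	/* leave the current channel untouched on failure */
		return 0;

	if ( lg_fp )
		lg_fpsave = lg_fp;
	lg_fp = fp;

	return 1;
}
```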
# include <time.h>
# include <syslog.h>
+#ifndef LOG_FNAMETMPL
+# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ+log"
+#endif
+
+#ifndef LOG_DOMAINTMPL
+# define LOG_DOMAINTMPL "zktlog-%s"
+#endif
+
+
typedef enum {
LG_NONE = 0,
LG_DEBUG,
extern long lg_reseterrcnt (void);
extern int lg_open (const char *progname, const char *facility, const char *syslevel, const char *path, const char *file, const char *filelevel);
extern int lg_close (void);
+extern int lg_zone_start (const char *dir, const char *domain);
+extern int lg_zone_end (void);
extern void lg_args (lg_lvl_t level, int argc, char * const argv[]);
extern void lg_mesg (int level, char *fmt, ...);
#endif
--- /dev/null
+.TH zkt-conf 8 "February 22, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt-conf \(em Secure DNS zone key config tool
+
+.SH SYNOPSYS
+.na
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.B \-d
+.RB [ \-O
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.RB [ \-s ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.B \-l
+.RB [ \-a ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
+
+.B zkt-conf
+.RB [ \-c
+.IR "file" ]
+.RB [ \-w ]
+.I "zonefile"
+
+.br
+.ad
+.SH DESCRIPTION
+The
+.I zkt-conf
+command helps to create and show a config file for use by
+the Zone Key Tool commands, which are currently
+.I zkt-ls(8) ,
+.I zkt-keyman(8) ,
+and
+.IR zkt-signer(8) .
+.PP
+In general, the ZKT commands uses up to three consequitive sources for config
+parameter settings:
+.IP
+a)
+The build-in default parameters
+.IP
+b)
+The side wide config file or the file specified with option -c
+overloads the built-in vars.
+The file is
+.I /var/named/dnssec.conf
+or the one set by the environment variable ZKT_CONFFILE.
+.IP
+c)
+The local config file
+.I dnssec.conf
+in the current zone directory also overloads the parameter read so far.
+.PP
+Because of the overload feature, none of the config files has to have
+a complete parameter set.
+Typically the local config file will have only those parameters which are
+different from the global or built-in ones.
+.PP
+The default operation of
+.I zkt-conf(8)
+is to print the site wide config file (same as option
+.BR \-s ).
+Option
+.B \-d
+will print out the built-in defaults while
+.B \-l
+print those local parameters which are different to the global ones.
+In the last case
+.B \-a
+gives the fully
+.RB ( \-\-all )
+parameter list.
+.PP
+In all forms of the command, the parameters are changeable via option
+.B \-O
+.RB ( \-\-config-option ).
+.PP
+With option
+.B \-w
+.RB ( \-\-write )
+the confg parameters are written back to the config file.
+This is useful in case of an ZKT upgrade or if one or more parameters are changed
+by option
+.BR \-O .
+.PP
+Option
+.B \-t
+checks some of the parameter for reasonable values.
+.PP
+.PP
+Which config file is shown (or modified or checked) is determined by an option.
+.B \-d
+means the built-in defaults, option
+.B \-l
+is for the local config file and
+.B \-s
+specifies the site wide config file.
+Option
+.B \-s
+is the default.
+.PP
+In the last form of the command, the
+maximum TTL value of all the resource records of
+.I zonefile
+is calculated and print on stdout.
+Additional, the zonefile is checked if the key database
+.RI ( dnskey.db )
+is included in the zone file.
+If option
+.B \-w
+is set, than the INCLUDE directive will be added to the zone file if
+necessary, and the maximum ttl value is written to a local config file.
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BR \-d ", " \-\-built-in-defaults
+List all the built-in default parameter.
+.TP
+.BR \-s ", " \-\-sitecfg
+List all site wide config parameter (this is the default).
+.TP
+.BR \-l ", " \-\-localcfg
+List local config parameter which are different to the site wide config
+parameter.
+With otion
+.B \-a
+.RB ( \-\-all )
+all config parameters will be shown.
+
+.SH OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the
+.B \-V
+or
+.B \-\-view
+option every time, it is also possible to create a hard or softlink to the
+executable file and name it like
+.I zkt-conf-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read all parameter from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file parameter via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-a ", " \-\-all
+In case of showing the local config file parameter
+.RB ( \-l )
+this prints all parameter, not just the ones different to the site wide
+or built-in defaults.
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt-conf \-d
+.fam T
+Print the built-in default config pars.
+.TP
+.fam C
+.B "zkt-conf \-d \-w
+.fam T
+Write all the built-in defaults into the site wide config file.
+.TP
+.fam C
+.B "zkt-conf \-s \-O ""SerialFormat: Incremental; Zonedir: /var/named/zones"" \-w"
+.fam T
+Change two parameters in the site wide
+.I dnssec.conf
+file.
+.TP
+.fam C
+.B "zkt-conf \-w zone.db
+.fam T
+Add
+.B "$INCLUDE dnskey.db"
+to the zone file and set the maximum ttl paramter in the local config file
+to the maximum ttl fond in any RR of
+.IR zone.db .
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (additionally used in
+.B \-l
+mode).
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), zkt-ls(8), zkt-keyman(8),
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
--- /dev/null
+<!-- Creator : groff version 1.20.1 -->
+<!-- CreationDate: Wed Mar 31 18:15:57 2010 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
+</style>
+<title>zkt-conf</title>
+
+</head>
+<body>
+
+<h1 align="center">zkt-conf</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSYS">SYNOPSYS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
+<a href="#OPTIONS">OPTIONS</a><br>
+<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
+<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
+<a href="#FILES">FILES</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
+<a href="#COPYRIGHT">COPYRIGHT</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">zkt-conf
+— Secure DNS zone key config tool</p>
+
+<h2>SYNOPSYS
+<a name="SYNOPSYS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf</b>
+[<b>−V</b> <i>name</i>] [<b>−w</b>]
+<b>−d</b> [<b>−O</b> <i>optstr</i>] <b><br>
+zkt-conf</b> [<b>−V</b> <i>name</i>] [<b>−w</b>]
+[<b>−s</b>] [<b>−c</b> <i>file</i>]
+[<b>−O</b> <i>optstr</i>] <b><br>
+zkt-conf</b> [<b>−V</b> <i>name</i>] [<b>−w</b>]
+<b>−l</b> [<b>−a</b>] [<b>−c</b>
+<i>file</i>] [<b>−O</b> <i>optstr</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf</b>
+[<b>−c</b> <i>file</i>] [<b>−w</b>]
+<i>zonefile</i></p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The
+<i>zkt-conf</i> command helps to create and show a config
+file for use by the Zone Key Tool commands, which are
+currently <i>zkt-ls(8) , zkt-keyman(8) ,</i> and
+<i>zkt-signer(8)</i>.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In general, the
+ZKT commands uses up to three consequitive sources for
+config parameter settings:</p>
+
+<p style="margin-left:22%; margin-top: 1em">a) The build-in
+default parameters</p>
+
+<p style="margin-left:22%; margin-top: 1em">b) The side
+wide config file or the file specified with option -c
+overloads the built-in vars. The file is
+<i>/var/named/dnssec.conf</i> or the one set by the
+environment variable ZKT_CONFFILE.</p>
+
+<p style="margin-left:22%; margin-top: 1em">c) The local
+config file <i>dnssec.conf</i> in the current zone directory
+also overloads the parameter read so far.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Because of the
+overload feature, none of the config files has to have a
+complete parameter set. Typically the local config file will
+have only those parameters which are different from the
+global or built-in ones.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The default
+operation of <i>zkt-conf(8)</i> is to print the site wide
+config file (same as option <b>−s</b>). Option
+<b>−d</b> will print out the built-in defaults while
+<b>−l</b> print those local parameters which are
+different to the global ones. In the last case
+<b>−a</b> gives the fully (<b>−−all</b>)
+parameter list.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In all forms of
+the command, the parameters are changeable via option
+<b>−O</b> (<b>−−config-option</b>).</p>
+
+<p style="margin-left:11%; margin-top: 1em">With option
+<b>−w</b> (<b>−−write</b>) the confg
+parameters are written back to the config file. This is
+useful in case of an ZKT upgrade or if one or more
+parameters are changed by option <b>−O</b>.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Option
+<b>−t</b> checks some of the parameter for reasonable
+values.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Which config
+file is shown (or modified or checked) is determined by an
+option. <b>−d</b> means the built-in defaults, option
+<b>−l</b> is for the local config file and
+<b>−s</b> specifies the site wide config file. Option
+<b>−s</b> is the default.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In the last
+form of the command, the maximum TTL value of all the
+resource records of <i>zonefile</i> is calculated and print
+on stdout. Additional, the zonefile is checked if the key
+database (<i>dnskey.db</i>) is included in the zone file. If
+option <b>−w</b> is set, than the INCLUDE directive
+will be added to the zone file if necessary, and the maximum
+ttl value is written to a local config file.</p>
+
+<h2>COMMAND OPTIONS
+<a name="COMMAND OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−h</b>,
+<b>−−help</b></p>
+
+<p style="margin-left:22%;">Print out the online help.</p>
+
+<p style="margin-left:11%;"><b>−d</b>,
+<b>−−built-in-defaults</b></p>
+
+<p style="margin-left:22%;">List all the built-in default
+parameter.</p>
+
+<p style="margin-left:11%;"><b>−s</b>,
+<b>−−sitecfg</b></p>
+
+<p style="margin-left:22%;">List all site wide config
+parameter (this is the default).</p>
+
+<p style="margin-left:11%;"><b>−l</b>,
+<b>−−localcfg</b></p>
+
+<p style="margin-left:22%;">List local config parameter
+which are different to the site wide config parameter. With
+otion <b>−a</b> (<b>−−all</b>) all config
+parameters will be shown.</p>
+
+<h2>OPTIONS
+<a name="OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−V</b>
+<i>view</i><b>, −−view=</b><i>view</i></p>
+
+<p style="margin-left:22%;">Try to read the default
+configuration out of a file named
+<i>dnssec-<view>.conf .</i> Instead of specifying the
+<b>−V</b> or <b>−−view</b> option every
+time, it is also possible to create a hard or softlink to
+the executable file and name it like
+<i>zkt-conf-<view> .</i></p>
+
+<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
+−−config=</b><i>file</i></p>
+
+<p style="margin-left:22%;">Read all parameter from the
+specified config file. Otherwise the default config file is
+read or build in defaults will be used.</p>
+
+<p style="margin-left:11%;"><b>−O</b>
+<i>optstr</i><b>,
+−−config-option=</b><i>optstr</i></p>
+
+<p style="margin-left:22%;">Set any config file parameter
+via the commandline. Several config file options could be
+specified at the argument string but have to be delimited by
+semicolon (or newline).</p>
+
+<p style="margin-left:11%;"><b>−a</b>,
+<b>−−all</b></p>
+
+<p style="margin-left:22%;">In case of showing the local
+config file parameter (<b>−l</b>) this prints all
+parameter, not just the ones different to the site wide or
+built-in defaults.</p>
+
+<h2>SAMPLE USAGE
+<a name="SAMPLE USAGE"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf
+−d</b></p>
+
+<p style="margin-left:22%;">Print the built-in default
+config pars.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf −d
+−w</b></p>
+
+<p style="margin-left:22%;">Write all the built-in defaults
+into the site wide config file.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf −s −O
+"SerialFormat: Incremental; Zonedir:
+/var/named/zones" <br>
+−w</b></p>
+
+<p style="margin-left:22%;">Change two parameters in the
+site wide <i>dnssec.conf</i> file.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf −w
+zone.db</b></p>
+
+<p style="margin-left:22%;">Add <b>$INCLUDE dnskey.db</b>
+to the zone file and set the maximum ttl paramter in the
+local config file to the maximum ttl fond in any RR of
+<i>zone.db</i>.</p>
+
+<h2>ENVIRONMENT VARIABLES
+<a name="ENVIRONMENT VARIABLES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
+
+<p style="margin-left:22%;">Specifies the name of the
+default global configuration files.</p>
+
+<h2>FILES
+<a name="FILES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Default global configuration
+file. The name of the default global config file is settable
+via the environment variable ZKT_CONFFILE.</p>
+
+
+<p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p>
+
+<p style="margin-left:22%;">View specific global
+configuration file.</p>
+
+<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Local configuration file
+(additionally used in <b>−l</b> mode).</p>
+
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
+
+<h2>COPYRIGHT
+<a name="COPYRIGHT"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Copyright (c)
+2005 − 2010 by Holger Zuleger. Licensed under the BSD
+Licences. There is NO warranty; not even for MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8),
+zkt-ls(8), zkt-keyman(8), <br>
+RFC4641 "DNSSEC Operational Practices" by Miek
+Gieben and Olaf Kolkman, <br>
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
+ (http://www.nlnetlabs.nl/dnssec_howto/)</p>
+<hr>
+</body>
+</html>
--- /dev/null
+.TH zkt-conf 8 "February 22, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt-conf \(em Secure DNS zone key config tool
+
+.SH SYNOPSYS
+.na
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.B \-d|\-\-default
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.RB [ \-s ]
+.RB [ \-c|\-\-config
+.IR "file" ]
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.B \-l|\-\-local
+.RB [ \-c|\-\-config
+.IR "file" ]
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+
+.B zkt-conf
+.RB [ \-c
+.IR "file" ]
+.RB [ \-w|\-\-write ]
+.I "zonefile"
+
+.br
+.ad
+
+.SH DESCRIPTION
+The
+.I zkt-conf
+command helps to create and show a config file for use by
+the Zone Key Tool commands, which are currently
+.I dnssec-zkt(8)
+and
+.IR zkt-signer(8) .
+.PP
+In general, the ZKT commands uses three sources for the config parameters:
+.HP 3
+a)
+The build-in default parameters
+.HP 3
+b)
+The side wide config file or the file specified with option -c
+will overload the built-in vars.
+The site wide config file is the file
+.I /var/named/dnssec.conf
+or the one set by the environment variable ZKT_CONF.
+.HP 3
+c)
+The local config file
+.I dnssec.conf
+in the current zone directory will also overload the parameters read so far.
+.PP
+Because of this overloading feature, none of the config files has to have
+a complete parameter set.
+Typically the local config file will have only those parameters which are
+different from the global or built-in ones.
+.PP
+The default operation of
+.I zkt-conf(8)
+is to print the site wide config file (same as option
+.BR \-s ).
+Option
+.B \-d
+will print out the built-in defaults while
+.B \-l
+just print the local config parameters which are different to the global ones.
+In the last case
+.B \-a
+gives the complete
+.RB ( \-\-all )
+parameter list.
+.PP
+In all forms of the command, the parameters are changeable via option
+.B \-O
+.RB ( \-\-config-option ).
+.PP
+With option
+.B \-w
+.RB ( \-\-write )
+the parameters will be written back to the config file.
+This is useful in case of an ZKT upgrade or if one or more parameters are changed
+by option
+.BR \-O .
+.PP
+Option
+.B \-t
+checks some of the parameter for reasonable values.
+.PP
+If the option
+.B \-t
+is given, all config parameters are checked against reasonable values.
+.PP
+Which config file is shown (or modified or checked) is determined by option
+.B \-d
+which means the built-in defaults, option
+.B \-l
+which means the local config file or
+.B \-s
+which specifies the site wide config file.
+Option
+.B \-s
+is the default.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or \-\-view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like
+.I zkt-conf-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read all parameter from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file parameter via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-a ", " \-\-all
+In case of showing the local config file parameter
+.RI ( \-l )
+print all parameter, not just the ones different o the site wide or built-in defaults.
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BR \-d ", " \-\-built-in-defaults
+List all the built-in default paremeter.
+.TP
+.BR \-s ", " \-\-sidecfg
+List all side wide config parameters (this is the default).
+.TP
+.BR \-l ", " \-\-localconf
+List all local config parameters which are different to the site-wide config
+parameters.
+With otion
+.B \-a
+.RB ( \-\-all )
+all config parameters will be shown.
+
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt-conf \-d
+.fam T
+Print the built-in default config pars.
+.TP
+.fam C
+.B "zkt-conf \-d \-w
+.fam T
+Write all the built-in defaults into the site wide config file.
+.TP
+.fam C
+.B "zkt-conf \-s \-\--option "SerialFormat: unixtime; Zonedir: /var/named/zones" "\-w
+.fam T
+Change two parameters in the site wide dnssec.conf file.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (additionallx used in
+.B \-l
+mode).
+
+.SH BUGS
+.PP
+Some of the general options will not be meaningful in all of the command modes.
+.PP
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), dnssec-zkt(8),
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
--- /dev/null
+.TH zkt\-keyman 8 "Apr 1, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt\-keyman \(em A DNSSEC key management tool
+
+.SH SYNOPSYS
+.na
+.B zkt\-keyman
+.BR \-C <label>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-krpz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-create= <label>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-krpz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.BR \- { P | A | D | R } <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-published= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-active= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-depreciate= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-rename= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.BR \-\-destroy= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.B \-9 | \-\-ksk-rollover
+.br
+.B zkt\-keyman
+.B \-1 | \-\-ksk-roll-phase1
+.I "do.ma.in."
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-2 | \-\-ksk-roll-phase2
+.I "do.ma.in."
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-3 | \-\-ksk-roll-phase3
+.I do.ma.in.
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-0 | \-\-ksk-roll-stat
+.I do.ma.in.
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.ad
+
+.SH DESCRIPTION
+The
+.I zkt\-keyman
+command is a wrapper around
+.I dnssec-keygen(8)
+to assist in dnssec zone key management.
+.PP
+The command is useful in dns key management.
+It is suitable for modification of key status.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or --view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like
+.I zkt\-keyman\-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read default values from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file option via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-d ", " \-\-directory
+Skip directory arguments.
+This will be useful in combination with wildcard arguments
+to prevent dnsssec-zkt to list all keys found in subdirectories.
+For example "zkt\-keyman -d *" will print out a list of all keys only found in
+the current directory.
+Maybe it is easier to use "zkt\-keyman ." instead (without -r set).
+The option works similar to the \-d option of
+.IR ls(1) .
+.TP
+.BR \-k ", " \-\-ksk
+Select key signing keys only (default depends on command mode).
+.TP
+.BR \-z ", " \-\-zsk
+Select zone signing keys only (default depends on command mode).
+.TP
+.BR \-r ", " \-\-recursive
+Recursive mode (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: Recursive).
+.TP
+.BR \-F ", " \-\-setlifetime
+Set the key lifetime of all the selected keys.
+Use option -k, -z, -l or the file and dir argument for key selection.
+.PP
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BI \-C " zone" ", \-\-create=" zone
+Create a new zone signing key for the given zone.
+Add option
+.B \-k
+to create a key signing key.
+The key algorithm and key length will be examined from built-in default values
+or from the parameter settings in the
+.I dnssec.conf
+file.
+.br
+The keyfile will be created in the current directory if
+the
+.B \-p
+option is specified.
+.TP
+.BI \-R " keyid" ", \-\-revoke=" keyid
+Revoke the key signing key with the given keyid.
+A revoked key has bit 8 in the flags filed set (see RFC5011).
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+.TP
+.BI \-\-rename=" keyid
+Rename the key files of the key with the given keyid
+(Look at key file names starting with an lower 'k').
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+.TP
+.BI \-\-destroy= keyid
+Deletes the key with the given keyid.
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+Beware that this deletes both private and public keyfiles, thus the key is
+unrecoverable lost.
+.TP
+.BI \-P|A|D " keyid," " \-\-published=" keyid, " \-\-active=" keyid, " \-\-depreciated=" keyid
+Change the status of the given dnssec key to
+published
+.RB ( \-P ),
+active
+.RB ( \-A )
+or depreciated
+.RB ( \-D ).
+The
+.I keyid
+is the numeric keytag with an optionally added zone name separated by a colon.
+Setting the status to "published" or "depreciate" will change the filename
+of the private key file to ".published" or ".depreciated" respectivly.
+This prevents the usage of the key as a signing key by the use of
+.IR dnssec-signzone(8) .
+The time of status change will be stored in the 'mtime' field of the corresponding
+".key" file.
+Key activation via option
+.B \-A
+will restore the original timestamp and file name (".private").
+.TP
+.BI \-\-ksk-roll-phase[123] " do.ma.in."
+Initiate a key signing key rollover of the specified domain.
+This feature is currently in experimental status and is mainly for the use
+in an hierachical environment.
+Use --ksk-rollover for a little more detailed description.
+
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt-keyman \-C example.net \-k \-r ./zonedir
+.fam T
+Create a new key signing key for the zone "example.net".
+Store the key in the same directory below "zonedir" where the other
+"example.net" keys live.
+.TP
+.fam C
+.B "zkt-keyman \-D 123245 \-r .
+.fam T
+Depreciate the key with tag "12345" below the current directory,
+.TP
+.fam C
+.B "zkt-keyman --view intern \-C example.net
+.fam T
+Create a new zone key for the internal zone example.net.
+.TP
+.fam C
+.B "zkt-keyman-intern
+.fam T
+Same as above.
+The binary file
+.I zkt\-keyman
+has another link, named
+.I zkt-keyman-intern
+made, and
+.I zkt\-keyman
+examines argv[0] to find a view whose zones it proceeds to process.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Built-in default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (only used in
+.B \-C
+mode).
+
+.SH BUGS
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2008 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-signer(8)
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
<!-- Creator : groff version 1.20.1 -->
-<!-- CreationDate: Tue Aug 4 21:33:40 2009 -->
+<!-- CreationDate: Tue Mar 23 23:47:31 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
-<title>dnssec-zkt</title>
+<title>zkt−keyman</title>
</head>
<body>
-<h1 align="center">dnssec-zkt</h1>
+<h1 align="center">zkt−keyman</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSYS</a><br>
</h2>
-<p style="margin-left:11%; margin-top: 1em">dnssec-zkt
-— Secure DNS zone key tool</p>
+
+<p style="margin-left:11%; margin-top: 1em">zkt−keyman
+— A DNSSEC key management tool</p>
<h2>SYNOPSYS
<a name="SYNOPSYS"></a>
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt</b>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−adefhkLrptz</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
−C</b><label> [<b>−V|--view</b>
<i>view</i>] [<b>−c</b> <i>file</i>]
[<b>−krpz</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
-dnssec-zkt −−create=</b><label>
+zkt−keyman −−create=</b><label>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−krpz</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
−</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>}<b><keytag></b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
-dnssec-zkt −−published=</b><keytag>
+zkt−keyman −−published=</b><keytag>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
-dnssec-zkt −−active=</b><keytag>
+zkt−keyman −−active=</b><keytag>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
-dnssec-zkt −−depreciate=</b><keytag>
+zkt−keyman −−depreciate=</b><keytag>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
-dnssec-zkt −−rename=</b><keytag>
+zkt−keyman −−rename=</b><keytag>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
−−destroy=</b><keytag>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−T</b> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−hr</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]
-<b><br>
-dnssec-zkt −−list-trustedkeys</b>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−hr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−K</b> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−hkzr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>] <b><br>
-dnssec-zkt −−list-dnskeys</b>
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
+−9 | −−ksk-rollover <br>
+zkt−keyman −1 |
+−−ksk-roll-phase1</b> <i>do.ma.in.</i>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−hkzr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−Z</b> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] <b><br>
-dnssec-zkt −−zone-config</b>
+<i>file</i>] <b><br>
+zkt−keyman −2 |
+−−ksk-roll-phase2</b> <i>do.ma.in.</i>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−9 | −−ksk-rollover <br>
-dnssec-zkt −1 | −−ksk-roll-phase1</b>
-<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] <b><br>
-dnssec-zkt −2 | −−ksk-roll-phase2</b>
-<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] <b><br>
-dnssec-zkt −3 | −−ksk-roll-phase3</b>
-<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] <b><br>
-dnssec-zkt −0 | −−ksk-roll-stat</b>
+<i>file</i>] <b><br>
+zkt−keyman −3 |
+−−ksk-roll-phase3</b> <i>do.ma.in.</i>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] <b><br>
+zkt−keyman −0 | −−ksk-roll-stat</b>
<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
[<b>−c</b> <i>file</i>]</p>
<p style="margin-left:11%; margin-top: 1em">The
-<i>dnssec-zkt</i> command is a wrapper around
+<i>zkt−keyman</i> command is a wrapper around
<i>dnssec-keygen(8)</i> to assist in dnssec zone key
management.</p>
-<p style="margin-left:11%; margin-top: 1em">In the common
-usage the command prints out information about all dnssec
-(zone) keys found in the given (or predefined default)
-directory. It is also possible to specify keyfiles (K*.key)
-as arguments. With option <b>−r</b> subdirectories
-will be searched recursively, and all dnssec keys found will
-be listed sorted by domain name, key type and generation
-time. In that mode the use of the <b>−p</b> option may
-be helpful to find the location of the keyfile in the
-directory tree.</p>
-
-<p style="margin-left:11%; margin-top: 1em">Other forms of
-the command print out keys in a format suitable for a
-trusted-key section or as a DNSKEY resource record.</p>
-
<p style="margin-left:11%; margin-top: 1em">The command is
-also useful in dns key management. It offers monitoring of
-key lifetime and modification of key status.</p>
+useful in dns key management. It is suitable for
+modification of key status.</p>
<h2>GENERAL OPTIONS
<a name="GENERAL OPTIONS"></a>
<i>dnssec-<view>.conf .</i> Instead of specifying the
−V or --view option every time, it is also possible to
create a hard or softlink to the executable file to give it
-an additional name like <i>dnssec-zkt-<view> .</i></p>
+an additional name like
+<i>zkt−keyman−<view> .</i></p>
<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
−−config=</b><i>file</i></p>
specified at the argument string but have to be delimited by
semicolon (or newline).</p>
-<p style="margin-left:11%;"><b>−l</b> <i>list</i></p>
-
-<p style="margin-left:22%;">Print out information solely
-about domains given in the comma or space separated list.
-Take care of, that every domain name has a trailing dot.</p>
-
<p style="margin-left:11%;"><b>−d</b>,
<b>−−directory</b></p>
<p style="margin-left:22%;">Skip directory arguments. This
will be useful in combination with wildcard arguments to
prevent dnsssec-zkt to list all keys found in
-subdirectories. For example "dnssec-zkt -d *" will
-print out a list of all keys only found in the current
-directory. Maybe it is easier to use "dnssec-zkt
-." instead (without -r set). The option works similar
-to the −d option of <i>ls(1)</i>.</p>
-
-<p style="margin-left:11%;"><b>−L</b>,
-<b>−−left-justify</b></p>
-
-<p style="margin-left:22%;">Print out the domain name left
-justified.</p>
+subdirectories. For example "zkt−keyman -d
+*" will print out a list of all keys only found in the
+current directory. Maybe it is easier to use
+"zkt−keyman ." instead (without -r set). The
+option works similar to the −d option of
+<i>ls(1)</i>.</p>
<p style="margin-left:11%;"><b>−k</b>,
<b>−−ksk</b></p>
-<p style="margin-left:22%;">Select and print key signing
-keys only (default depends on command mode).</p>
+<p style="margin-left:22%;">Select key signing keys only
+(default depends on command mode).</p>
<p style="margin-left:11%;"><b>−z</b>,
<b>−−zsk</b></p>
-<p style="margin-left:22%;">Select and print zone signing
-keys only (default depends on command mode).</p>
+<p style="margin-left:22%;">Select zone signing keys only
+(default depends on command mode).</p>
<p style="margin-left:11%;"><b>−r</b>,
<b>−−recursive</b></p>
Also settable in the dnssec.conf file (Parameter:
Recursive).</p>
-<p style="margin-left:11%;"><b>−p</b>,
-<b>−−path</b></p>
-
-<p style="margin-left:22%;">Print pathname in listing mode.
-In -C mode, don’t create the new key in the same
-directory as (already existing) keys with the same
-label.</p>
-
-<p style="margin-left:11%;"><b>−a</b>,
-<b>−−age</b></p>
-
-<p style="margin-left:22%;">Print age of key in weeks,
-days, hours, minutes and seconds (default is off). <br>
-Also settable in the dnssec.conf file (Parameter:
-PrintAge).</p>
-
-<p style="margin-left:11%;"><b>−f</b>,
-<b>−−lifetime</b></p>
-
-<p style="margin-left:22%;">Print the key lifetime.</p>
-
<p style="margin-left:11%;"><b>−F</b>,
<b>−−setlifetime</b></p>
selected keys. Use option -k, -z, -l or the file and dir
argument for key selection.</p>
-<p style="margin-left:11%;"><b>−e</b>,
-<b>−−exptime</b></p>
-
-<p style="margin-left:22%;">Print the key expiration
-time.</p>
-
-<p style="margin-left:11%;"><b>−t</b>,
-<b>−−time</b></p>
-
-<p style="margin-left:22%;">Print the key generation time
-(default is on). <br>
-Also settable in the dnssec.conf file (Parameter:
-PrintTime).</p>
-
-<table width="100%" border="0" rules="none" frame="void"
- cellspacing="0" cellpadding="0">
-<tr valign="top" align="left">
-<td width="11%"></td>
-<td width="3%">
-
-
-<p><b>−h</b></p></td>
-<td width="8%"></td>
-<td width="78%">
-
-
-<p>No header or trusted-key section header and trailer in
--T mode</p></td></tr>
-</table>
-
<h2>COMMAND OPTIONS
<a name="COMMAND OPTIONS"></a>
</h2>
-<p style="margin-left:11%; margin-top: 1em"><b>−H</b>,
+<p style="margin-left:11%; margin-top: 1em"><b>−h</b>,
<b>−−help</b></p>
<p style="margin-left:22%;">Print out the online help.</p>
-<p style="margin-left:11%;"><b>−T</b>,
-<b>−−list-trustedkeys</b></p>
-
-<p style="margin-left:22%;">List all key signing keys as a
-<i>named.conf</i> trusted-key section. Use <b>−h</b>
-to supress the section header/trailer.</p>
-
-<p style="margin-left:11%;"><b>−K</b>,
-<b>−−list-dnskeys</b></p>
-
-<p style="margin-left:22%;">List the public part of all the
-keys in DNSKEY resource record format. Use <b>−h</b>
-to suppress comment lines.</p>
-
<p style="margin-left:11%;"><b>−C</b> <i>zone</i><b>,
−−create=</b><i>zone</i></p>
activation via option <b>−A</b> will restore the
original timestamp and file name (".private").</p>
-<p style="margin-left:11%;"><b>−Z</b>,
-<b>−−zone-config</b></p>
-
-<p style="margin-left:22%;">Write all config parameters to
-stdout. The output is suitable as a template for the
-<i>dnssec.conf</i> file, so the easiest way to create a
-<i>dnssec.conf</i> file is to redirect the standard output
-of the above command. Pay attention not to overwrite an
-existing file.</p>
-
<p style="margin-left:11%;"><b>−−ksk-roll-phase[123]</b>
<i>do.ma.in.</i></p>
</h2>
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−r .</b></p>
-
-<p style="margin-left:22%;">Print out a list of all zone
-keys found below the current directory.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt −Z −c
-""</b></p>
-
-<p style="margin-left:22%;">Print out the compiled in
-default parameters.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt −C
-example.net −k −r ./zonedir</b></p>
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
+−C example.net −k −r ./zonedir</b></p>
<p style="margin-left:22%;">Create a new key signing key
for the zone "example.net". Store the key in the
same directory below "zonedir" where the other
"example.net" keys live.</p>
-<p style="margin-left:11%;"><b>dnssec-zkt −T
-./zonedir/example.net</b></p>
-
-<p style="margin-left:22%;">Print out a trusted-key section
-containing the key signing keys of
-"example.net".</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt −D 123245
+<p style="margin-left:11%;"><b>zkt-keyman −D 123245
−r .</b></p>
<p style="margin-left:22%;">Depreciate the key with tag
"12345" below the current directory,</p>
-<p style="margin-left:11%;"><b>dnssec-zkt --view
-intern</b></p>
+<p style="margin-left:11%;"><b>zkt-keyman --view intern
+−C example.net</b></p>
-<p style="margin-left:22%;">Print out a list of all zone
-keys found below the directory where all the zones of view
-intern live. There should be a seperate dnssec config file
-<i>dnssec-intern.conf</i> with a directory option to take
-affect of this.</p>
+<p style="margin-left:22%;">Create a new zone key for the
+internal zone example.net.</p>
-<p style="margin-left:11%;"><b>dnssec-zkt-intern</b></p>
+<p style="margin-left:11%;"><b>zkt-keyman-intern</b></p>
<p style="margin-left:22%;">Same as above. The binary file
-<i>dnssec-zkt</i> has another link, named
-<i>dnssec-zkt-intern</i> made, and <i>dnssec-zkt</i>
+<i>zkt−keyman</i> has another link, named
+<i>zkt-keyman-intern</i> made, and <i>zkt−keyman</i>
examines argv[0] to find a view whose zones it proceeds to
process.</p>
</h2>
-<p style="margin-left:11%; margin-top: 1em">Some of the
-general options will not be meaningful in all of the command
-modes. <br>
-The option <b>−l</b> and the ksk rollover options
-insist on domain names ending with a dot.</p>
-
<h2>AUTHORS
<a name="AUTHORS"></a>
</h2>
-<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
-Mans Nilsson</p>
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
-dnssec-signzone(8), rndc(8), named.conf(5),
-dnssec-signer(8), <br>
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
+zkt-ls(8), zkt-signer(8) <br>
RFC4641 "DNSSEC Operational Practices" by Miek
Gieben and Olaf Kolkman, <br>
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
--- /dev/null
+.TH zkt-ls 8 "February 25, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt\-ls \(em list dnskeys
+
+.SH SYNOPSYS
+.na
+.B zkt\-ls
+.B \-H
+
+.B zkt\-ls
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-adefhkLprtz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-ls
+.B \-T
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-ls
+.B \-\-list-trustedkeys
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-ls
+.B \-K
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhkrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-ls
+.B \-\-list-dnskeys
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhkrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.SH DESCRIPTION
+The
+.I zkt-ls
+command list all dnssec zone keys found in the given or predefined
+default directory.
+It is also possible to specify keyfiles (K*.key) as arguments.
+With option
+.B \-r
+subdirectories will be searched recursively and all dnssec keys found
+are listed, sorted by domain name, key type and generation time.
+In that mode the use of option
+.B \-p
+may be helpful to find the location of the keyfile in the directory tree.
+.PP
+Other forms of the command, print out keys in a format suitable for
+a trusted-key section
+.RB ( \-T )
+or as a DNSKEY
+.RB ( \-K )
+resource record.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or --view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like
+.I zkt-ls-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read default values from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file option via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BI \-l " list" ", \-\-label=" list
+Print out information solely about domains given in the comma or space separated
+list.
+Take care of, that every domain name has a trailing dot.
+.TP
+.BR \-d ", " \-\-directory
+Skip directory arguments.
+This will be useful in combination with wildcard arguments
+to prevent dnsssec-zkt to list all keys found in subdirectories.
+For example "zkt-ls -d *" will print out a list of all keys only found in
+the current directory.
+Maybe it is easier to use "zkt-ls ." instead (without -r set).
+The option works similar to the \-d option of
+.IR ls(1) .
+.TP
+.BR \-L ", " \-\-left-justify
+Print out the domain name left justified.
+.TP
+.BR \-k ", " \-\-ksk
+Select and print key signing keys only (default depends on command mode).
+.TP
+.BR \-z ", " \-\-zsk
+Select and print zone signing keys only (default depends on command mode).
+.TP
+.BR \-r ", " \-\-recursive
+Recursive mode (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: Recursive).
+.TP
+.BR \-p ", " \-\-path
+Print pathname in listing mode.
+In -C mode, don't create the new key in the same directory as (already existing)
+keys with the same label.
+.TP
+.BR \-a ", " \-\-age
+Print age of key in weeks, days, hours, minutes and seconds (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: PrintAge).
+.TP
+.BR \-f ", " \-\-lifetime
+Print the key lifetime.
+.TP
+.BR \-e ", " \-\-exptime
+Print the key expiration time.
+.TP
+.BR \-t ", " \-\-time
+Print the key generation time (default is on).
+.br
+Also settable in the dnssec.conf file (Parameter: PrintTime).
+.TP
+.B \-h
+No header or trusted-key section header and trailer in -T mode
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-H ", " \-\-help
+Print out the online help.
+.TP
+.BR \-T ", " \-\-list-trustedkeys
+List all key signing keys as a
+.I named.conf
+trusted-key section.
+Use
+.B \-h
+to supress the section header/trailer.
+.TP
+.BR \-K ", " \-\-list-dnskeys
+List the public part of all the keys in DNSKEY resource record format.
+Use
+.B \-h
+to suppress comment lines.
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt\-ls \-r .
+.fam T
+Print out a list of all zone keys found below the current directory.
+.TP
+.fam C
+.B "zkt\-ls \-Z \-c """"
+.fam T
+Print out the compiled in default parameters.
+.TP
+.fam C
+.B "zkt\-ls \-T ./zonedir/example.net
+.fam T
+Print out a trusted-key section containing the key signing keys of "example.net".
+.TP
+.fam C
+.B "zkt\-ls --view intern
+.fam T
+Print out a list of all zone keys found below the directory where all
+the zones of view intern live.
+There should be a seperate dnssec config file
+.I dnssec-intern.conf
+with a directory option to take affect of this.
+.TP
+.fam C
+.B "zkt\-ls\-intern
+.fam T
+Same as above.
+The binary file
+.I zkt\-ls
+has another link, named
+.I zkt\-ls\-intern
+made, and
+.I zkt\-ls
+examines argv[0] to find a view whose zones it proceeds to process.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Built-in default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (only used in
+.B \-C
+mode).
+
+.SH BUGS
+.PP
+Some of the general options will not be meaningful in all of the command modes.
+.br
+The option
+.B \-l
+and the ksk rollover options
+insist on domain names ending with a dot.
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-keyman(8), zkt-signer(8)
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
--- /dev/null
+<!-- Creator : groff version 1.20.1 -->
+<!-- CreationDate: Tue Mar 23 23:47:33 2010 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
+</style>
+<title>zkt-ls</title>
+
+</head>
+<body>
+
+<h1 align="center">zkt-ls</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSYS">SYNOPSYS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
+<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
+<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
+<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
+<a href="#FILES">FILES</a><br>
+<a href="#BUGS">BUGS</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
+<a href="#COPYRIGHT">COPYRIGHT</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">zkt−ls
+— list dnskeys</p>
+
+<h2>SYNOPSYS
+<a name="SYNOPSYS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−H</b></p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls</b>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−adefhkLprtz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−T</b> [<b>−V|--view</b> <i>view</i>]
+[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−ls −−list-trustedkeys</b>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−K</b> [<b>−V|--view</b> <i>view</i>]
+[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhkrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−ls −−list-dnskeys</b>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhkrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The
+<i>zkt-ls</i> command list all dnssec zone keys found in the
+given or predefined default directory. It is also possible
+to specify keyfiles (K*.key) as arguments. With option
+<b>−r</b> subdirectories will be searched recursively
+and all dnssec keys found are listed, sorted by domain name,
+key type and generation time. In that mode the use of option
+<b>−p</b> may be helpful to find the location of the
+keyfile in the directory tree.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Other forms of
+the command, print out keys in a format suitable for a
+trusted-key section (<b>−T</b>) or as a DNSKEY
+(<b>−K</b>) resource record.</p>
+
+<h2>GENERAL OPTIONS
+<a name="GENERAL OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−V</b>
+<i>view</i><b>, −−view=</b><i>view</i></p>
+
+<p style="margin-left:22%;">Try to read the default
+configuration out of a file named
+<i>dnssec-<view>.conf .</i> Instead of specifying the
+−V or --view option every time, it is also possible to
+create a hard or softlink to the executable file to give it
+an additional name like <i>zkt-ls-<view> .</i></p>
+
+<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
+−−config=</b><i>file</i></p>
+
+<p style="margin-left:22%;">Read default values from the
+specified config file. Otherwise the default config file is
+read or build in defaults will be used.</p>
+
+<p style="margin-left:11%;"><b>−O</b>
+<i>optstr</i><b>,
+−−config-option=</b><i>optstr</i></p>
+
+<p style="margin-left:22%;">Set any config file option via
+the commandline. Several config file options could be
+specified at the argument string but have to be delimited by
+semicolon (or newline).</p>
+
+<p style="margin-left:11%;"><b>−l</b> <i>list</i><b>,
+−−label=</b><i>list</i></p>
+
+<p style="margin-left:22%;">Print out information solely
+about domains given in the comma or space separated list.
+Take care of, that every domain name has a trailing dot.</p>
+
+<p style="margin-left:11%;"><b>−d</b>,
+<b>−−directory</b></p>
+
+<p style="margin-left:22%;">Skip directory arguments. This
+will be useful in combination with wildcard arguments to
+prevent dnsssec-zkt to list all keys found in
+subdirectories. For example "zkt-ls -d *" will
+print out a list of all keys only found in the current
+directory. Maybe it is easier to use "zkt-ls ."
+instead (without -r set). The option works similar to the
+−d option of <i>ls(1)</i>.</p>
+
+<p style="margin-left:11%;"><b>−L</b>,
+<b>−−left-justify</b></p>
+
+<p style="margin-left:22%;">Print out the domain name left
+justified.</p>
+
+<p style="margin-left:11%;"><b>−k</b>,
+<b>−−ksk</b></p>
+
+<p style="margin-left:22%;">Select and print key signing
+keys only (default depends on command mode).</p>
+
+<p style="margin-left:11%;"><b>−z</b>,
+<b>−−zsk</b></p>
+
+<p style="margin-left:22%;">Select and print zone signing
+keys only (default depends on command mode).</p>
+
+<p style="margin-left:11%;"><b>−r</b>,
+<b>−−recursive</b></p>
+
+<p style="margin-left:22%;">Recursive mode (default is
+off). <br>
+Also settable in the dnssec.conf file (Parameter:
+Recursive).</p>
+
+<p style="margin-left:11%;"><b>−p</b>,
+<b>−−path</b></p>
+
+<p style="margin-left:22%;">Print pathname in listing mode.
+In -C mode, don’t create the new key in the same
+directory as (already existing) keys with the same
+label.</p>
+
+<p style="margin-left:11%;"><b>−a</b>,
+<b>−−age</b></p>
+
+<p style="margin-left:22%;">Print age of key in weeks,
+days, hours, minutes and seconds (default is off). <br>
+Also settable in the dnssec.conf file (Parameter:
+PrintAge).</p>
+
+<p style="margin-left:11%;"><b>−f</b>,
+<b>−−lifetime</b></p>
+
+<p style="margin-left:22%;">Print the key lifetime.</p>
+
+<p style="margin-left:11%;"><b>−e</b>,
+<b>−−exptime</b></p>
+
+<p style="margin-left:22%;">Print the key expiration
+time.</p>
+
+<p style="margin-left:11%;"><b>−t</b>,
+<b>−−time</b></p>
+
+<p style="margin-left:22%;">Print the key generation time
+(default is on). <br>
+Also settable in the dnssec.conf file (Parameter:
+PrintTime).</p>
+
+<table width="100%" border="0" rules="none" frame="void"
+ cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="3%">
+
+
+<p><b>−h</b></p></td>
+<td width="8%"></td>
+<td width="78%">
+
+
+<p>No header or trusted-key section header and trailer in
+-T mode</p></td></tr>
+</table>
+
+<h2>COMMAND OPTIONS
+<a name="COMMAND OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−H</b>,
+<b>−−help</b></p>
+
+<p style="margin-left:22%;">Print out the online help.</p>
+
+<p style="margin-left:11%;"><b>−T</b>,
+<b>−−list-trustedkeys</b></p>
+
+<p style="margin-left:22%;">List all key signing keys as a
+<i>named.conf</i> trusted-key section. Use <b>−h</b>
+to supress the section header/trailer.</p>
+
+<p style="margin-left:11%;"><b>−K</b>,
+<b>−−list-dnskeys</b></p>
+
+<p style="margin-left:22%;">List the public part of all the
+keys in DNSKEY resource record format. Use <b>−h</b>
+to suppress comment lines.</p>
+
+<h2>SAMPLE USAGE
+<a name="SAMPLE USAGE"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−r .</b></p>
+
+<p style="margin-left:22%;">Print out a list of all zone
+keys found below the current directory.</p>
+
+<p style="margin-left:11%;"><b>zkt−ls −Z
+−c ""</b></p>
+
+<p style="margin-left:22%;">Print out the compiled in
+default parameters.</p>
+
+<p style="margin-left:11%;"><b>zkt−ls −T
+./zonedir/example.net</b></p>
+
+<p style="margin-left:22%;">Print out a trusted-key section
+containing the key signing keys of
+"example.net".</p>
+
+<p style="margin-left:11%;"><b>zkt−ls --view
+intern</b></p>
+
+<p style="margin-left:22%;">Print out a list of all zone
+keys found below the directory where all the zones of view
+intern live. There should be a seperate dnssec config file
+<i>dnssec-intern.conf</i> with a directory option to take
+affect of this.</p>
+
+
+<p style="margin-left:11%;"><b>zkt−ls−intern</b></p>
+
+<p style="margin-left:22%;">Same as above. The binary file
+<i>zkt−ls</i> has another link, named
+<i>zkt−ls−intern</i> made, and
+<i>zkt−ls</i> examines argv[0] to find a view whose
+zones it proceeds to process.</p>
+
+<h2>ENVIRONMENT VARIABLES
+<a name="ENVIRONMENT VARIABLES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
+
+<p style="margin-left:22%;">Specifies the name of the
+default global configuration files.</p>
+
+<h2>FILES
+<a name="FILES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Built-in default global
+configuration file. The name of the default global config
+file is settable via the environment variable
+ZKT_CONFFILE.</p>
+
+
+<p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p>
+
+<p style="margin-left:22%;">View specific global
+configuration file.</p>
+
+<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Local configuration file (only
+used in <b>−C</b> mode).</p>
+
+<h2>BUGS
+<a name="BUGS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Some of the
+general options will not be meaningful in all of the command
+modes. <br>
+The option <b>−l</b> and the ksk rollover options
+insist on domain names ending with a dot.</p>
+
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
+
+<h2>COPYRIGHT
+<a name="COPYRIGHT"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Copyright (c)
+2005 − 2010 by Holger Zuleger. Licensed under the BSD
+Licences. There is NO warranty; not even for MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
+zkt-keyman(8), zkt-signer(8) <br>
+RFC4641 "DNSSEC Operational Practices" by Miek
+Gieben and Olaf Kolkman, <br>
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
+ (http://www.nlnetlabs.nl/dnssec_howto/)</p>
+<hr>
+</body>
+</html>
-.TH dnssec-signer 8 "Aug 1, 2009" "ZKT 0.99b" ""
+.TH zkt-signer 8 "Feb 2, 2010" "ZKT 1.0" ""
\" turn off hyphenation
.\" if n .nh
.nh
.SH NAME
-dnssec-signer \(em Secure DNS zone signing tool
+zkt-signer \(em Secure DNS zone signing tool
.SH SYNOPSYS
.na
-.B dnssec-signer
+.B zkt-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.RI [ zone
.RI "" ... ]
.br
-.B dnssec-signer
+.B zkt-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.RI [ zone
.RI "" ... ]
.br
-.B dnssec-signer
+.B zkt-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.SH DESCRIPTION
The
-.I dnssec-signer
+.I zkt-signer
command is a wrapper around
.I dnssec-signzone(8)
and
file.
If you have a configuration file with views, you have to use option
-V viewname or --view viewname to specify the name of the view.
-Alternatively you could link the executable file to a second name like
-.I dnssec-signer-viewname
+Alternately you could link the executable file to a second name like
+.I zkt-signer-viewname
and use that command to specify the name of the view.
All master zone statements will be scanned for filenames
ending with ".signed".
will be signed.
However, it is also possible to reduce the signing to those
zones given as arguments.
+.ig
In directory mode the pre-requisite is, that the directory name is
exactly (including the trailing dot) the same as the zone name.
+..
.PP
In the last form of the command, the functionality is more or less the same
as the
.BI ERROR
is enabled by default.
These parameters are settable via the config file parameter
-.BI "SyslogFacility:" ,
-.BI "SyslogLevel:" ,
-.BI "LogFile:"
+.BI "SyslogFacility" ,
+.BI "SyslogLevel" ,
+.BI "LogFile"
and
.BI "Loglevel" .
.br
-There is an additional parameter
-.BI VerboseLog:
-which specifies the verbosity (0|1|2) of messages that will be logged
+The additional parameter
+.BI VerboseLog
+specifies the verbosity (0|1|2) of messages that will be logged
with level
.BI DEBUG
to file and syslog.
Instead of specifying the \-V or --view option every time,
it is also possible to create a hard- or softlink to the
executable file with an additional name like
-.I dnssec-zkt-<view> .
+.I zkt-signer-<view> .
.TP
.BI \-c " file" ", \-\-config=" file
Read configuration values out of the specified file.
.TP
.BR \-f ", " \-\-force
Force a resigning of the zone, regardless if the resigning interval
-is reached, or any new keys must be announced.
+is reached or new keys must be announced.
.TP
.BR \-n ", " \-\-noexec
Don't execute the
to be sure that a freshly signed zone will be immediately propagated.
However, that's only feasable if named runs on the signing
machine, which is not recommended.
+.ig
Otherwise the signed zonefile must be copied to the production
server before reloading the zone.
If this is the case, the parameter
in the
.I dnssec.conf
file must be set to a reasonable value.
+..
.TP
.BR \-v ", " \-\-verbose
Verbose mode (recommended).
.SH SAMPLE USAGE
.TP
.fam C
-.B "dnssec-signer \-N /var/named/named.conf \-r \-v \-v
+.B "zkt-signer \-N /var/named/named.conf \-r \-v \-v
.fam T
Sign all secure zones found in the named.conf file and, if necessary,
trigger a reload of the zone.
Print some explanatory remarks on stdout.
.TP
.fam C
-.B "dnssec-signer \-D zonedir/example.net. \-f \-v \-v
+.B "zkt-signer \-D zonedir/example.net. \-f \-v \-v
.fam T
Force the signing of the zone found in the directory
.I zonedir/example.net .
Do not reload the zone.
.TP
.fam C
-.B "dnssec-signer \-D zonedir \-f \-v \-v example.net.
+.B "zkt-signer \-D zonedir \-f \-v \-v example.net.
.fam T
Same as above.
.TP
.fam C
-.B "dnssec-signer \-f \-v \-v example.net.
+.B "zkt-signer \-f \-v \-v example.net.
.fam T
Same as above if the
.I dnssec.conf
zone.
.TP
.fam C
-.B "dnssec-signer \-f \-v \-v \-o example.net. zone.db
+.B "zkt-signer \-f \-v \-v \-o example.net. zone.db
.fam T
Same as above if we are in the directory containing the
.I example.net
files.
.TP
.fam C
-.B "dnssec-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
+.B "zkt-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
.B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
.fam T
.br
.TP
Name the directory just like the zone.
.br
-That's only needed if you want to use the dnssec-signer command in
+That's only needed if you want to use the zkt-signer command in
directory mode
.RB ( \-D ).
Then the name of the zone will be parsed out of the directory name.
...
.fi
.fam T
+You can also run
+.I zkt-conf(8)
+in the secure zone directory to do this.
+Try
+.br
+.if t \{\
+.nf
+.fam C
+$ zkt-conf -w zone.db
+.fi
+.fam T
.\}
.TP
Control the format of the SOA-Record
.fam T
.\}
If you use BIND version 9.4 or later and
-use the unixtime format for the serial number (See parameter
-Serialformat in
-.IR dnssec.conf )
+use the unixtime format for the serial number (which is the default since ZKT-1.0)
than this is not necessary.
+See also the parameter Serialformat in
+.IR dnssec.conf .
.TP
Try to sign the zone
If the current working directory is the directory of the zone
.fam C
.nf
.sp 0.5
- $ dnssec-signer \-D .. \-v \-v example.net
- $ dnssec-signer \-o example.net.
+ $ zkt-signer \-D .. \-v \-v example.net
+ or
+ $ zkt-signer \-o example.net.
.sp 0.5
.fi
.fam T
The name of the default global config file is settable via
the environment variable ZKT_CONFFILE.
Use
+.I zkt-conf(8)
+with option
+.B \-w
+or
.I dnssec-zkt(8)
with option
.B \-Z
.TP
.I ./dnssec.conf
Local configuration file.
+The file contains typically only the diff to the global site wide config file.
+Use for example
+.fam C
+.nf
+.sp 0.5
+ $ zkt-conf -w -l -O "key_ttl: 5d"
+.sp 0.5
+.fi
+.fam T
+to create a local config file with a different key ttl time.
.TP
.I dnskey.db
The file contains the currently used key and zone signing keys.
very well tested.
.SH AUTHORS
-Holger Zuleger, Mans Nilsson
+The man page is written by
+Holger Zuleger and Mans Nilsson
.SH COPYRIGHT
-Copyright (c) 2005 \- 2009 by Holger Zuleger.
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
.\"--------------------------------------------------
+
.SH SEE ALSO
-dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), dnssec-zkt(8)
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-keygen(8)
.br
RFC4033, RFC4034, RFC4035
.br
<!-- Creator : groff version 1.20.1 -->
-<!-- CreationDate: Tue Aug 4 21:33:41 2009 -->
+<!-- CreationDate: Tue Mar 23 23:47:33 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
-<title>dnssec-signer</title>
+<title>zkt-signer</title>
</head>
<body>
-<h1 align="center">dnssec-signer</h1>
+<h1 align="center">zkt-signer</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSYS</a><br>
<a href="#OPTIONS">OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#Zone setup and initial preparation">Zone setup and initial preparation</a><br>
-<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
-<a href="#FILES">FILES</a><br>
-<a href="#BUGS">BUGS</a><br>
-<a href="#AUTHORS">AUTHORS</a><br>
-<a href="#COPYRIGHT">COPYRIGHT</a><br>
-<a href="#SEE ALSO">SEE ALSO</a><br>
<hr>
</h2>
-<p style="margin-left:11%; margin-top: 1em">dnssec-signer
+<p style="margin-left:11%; margin-top: 1em">zkt-signer
— Secure DNS zone signing tool</p>
<h2>SYNOPSYS
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-signer</b>
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer</b>
[<b>−L|--logfile</b> <i>file</i>]
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
[<b>−v</b>]] <b>−N</b> <i>named.conf</i>
[<i>zone ...</i>] <b><br>
-dnssec-signer</b> [<b>−L|--logfile</b> <i>file</i>]
+zkt-signer</b> [<b>−L|--logfile</b> <i>file</i>]
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
[<b>−v</b>]] [<b>−D</b> <i>directory</i>]
[<i>zone ...</i>] <b><br>
-dnssec-signer</b> [<b>−L|--logfile</b> <i>file</i>]
+zkt-signer</b> [<b>−L|--logfile</b> <i>file</i>]
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
[<b>−v</b>]] <b>−o</b> <i>origin</i>
<p style="margin-left:11%; margin-top: 1em">The
-<i>dnssec-signer</i> command is a wrapper around
+<i>zkt-signer</i> command is a wrapper around
<i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> to
sign a zone and manage the necessary zone keys. It is able
to increment the serial number before signing the zone and
<b>−N</b> to read the secure zones out of the given
<i>named.conf</i> file. If you have a configuration file
with views, you have to use option -V viewname or --view
-viewname to specify the name of the view. Alternatively you
+viewname to specify the name of the view. Alternately you
could link the executable file to a second name like
-<i>dnssec-signer-viewname</i> and use that command to
-specify the name of the view. All master zone statements
-will be scanned for filenames ending with
-".signed". These zones will be checked if the
-necessary zone- and key signing keys are existent and fresh
-enough to be used in the signing process. If one or more
-out-dated keys are found, new keying material will be
-generated via the <i>dnssec-keygen(8)</i> command and the
-old keys will be marked as depreciated. So the command do
-anything needed for a zone key rollover as defined by
-[2].</p>
+<i>zkt-signer-viewname</i> and use that command to specify
+the name of the view. All master zone statements will be
+scanned for filenames ending with ".signed". These
+zones will be checked if the necessary zone- and key signing
+keys are existent and fresh enough to be used in the signing
+process. If one or more out-dated keys are found, new keying
+material will be generated via the <i>dnssec-keygen(8)</i>
+command and the old keys will be marked as depreciated. So
+the command do anything needed for a zone key rollover as
+defined by [2].</p>
<p style="margin-left:11%; margin-top: 1em">If the
resigning interval is reached or any new key must be
tree with the option <b>−D</b> <i>dir</i>. Every
secure zone found in a subdirectory below <i>dir</i> will be
signed. However, it is also possible to reduce the signing
-to those zones given as arguments. In directory mode the
-pre-requisite is, that the directory name is exactly
-(including the trailing dot) the same as the zone name.</p>
+to those zones given as arguments.</p>
<p style="margin-left:11%; margin-top: 1em">In the last
form of the command, the functionality is more or less the
The default is no file logging, but error logging to syslog
with facility <b>USER</b> at level <b>ERROR</b> is enabled
by default. These parameters are settable via the config
-file parameter <b>SyslogFacility:</b><i>,</i>
-<b>SyslogLevel:</b><i>,</i> <b>LogFile:</b> and
+file parameter <b>SyslogFacility</b><i>,</i>
+<b>SyslogLevel</b><i>,</i> <b>LogFile</b> and
<b>Loglevel</b><i>.</i> <br>
-There is an additional parameter <b>VerboseLog:</b> which
-specifies the verbosity (0|1|2) of messages that will be
-logged with level <b>DEBUG</b> to file and syslog.</p>
+The additional parameter <b>VerboseLog</b> specifies the
+verbosity (0|1|2) of messages that will be logged with level
+<b>DEBUG</b> to file and syslog.</p>
<p style="margin-left:11%;"><b>−V</b> <i>view</i><b>,
−−view=</b><i>view</i></p>
<i>dnssec-<view>.conf .</i> Instead of specifying the
−V or --view option every time, it is also possible to
create a hard- or softlink to the executable file with an
-additional name like <i>dnssec-zkt-<view> .</i></p>
+additional name like <i>zkt-signer-<view> .</i></p>
<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
−−config=</b><i>file</i></p>
<b>−−force</b></p>
<p style="margin-left:22%;">Force a resigning of the zone,
-regardless if the resigning interval is reached, or any new
-keys must be announced.</p>
+regardless if the resigning interval is reached or new keys
+must be announced.</p>
<p style="margin-left:11%;"><b>−n</b>,
<b>−−noexec</b></p>
environment it is recommended to use this option to be sure
that a freshly signed zone will be immediately propagated.
However, that’s only feasable if named runs on the
-signing machine, which is not recommended. Otherwise the
-signed zonefile must be copied to the production server
-before reloading the zone. If this is the case, the
-parameter <i>propagation</i> in the <i>dnssec.conf</i> file
-must be set to a reasonable value.</p>
+signing machine, which is not recommended.</p>
<p style="margin-left:11%;"><b>−v</b>,
<b>−−verbose</b></p>
</h2>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-signer
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer
−N /var/named/named.conf −r −v
−v</b></p>
the named.conf file and, if necessary, trigger a reload of
the zone. Print some explanatory remarks on stdout.</p>
-<p style="margin-left:11%;"><b>dnssec-signer −D
+<p style="margin-left:11%;"><b>zkt-signer −D
zonedir/example.net. −f −v −v</b></p>
<p style="margin-left:22%;">Force the signing of the zone
found in the directory <i>zonedir/example.net .</i> Do not
reload the zone.</p>
-<p style="margin-left:11%;"><b>dnssec-signer −D
-zonedir −f −v −v example.net.</b></p>
+<p style="margin-left:11%;"><b>zkt-signer −D zonedir
+−f −v −v example.net.</b></p>
<p style="margin-left:22%;">Same as above.</p>
-<p style="margin-left:11%;"><b>dnssec-signer −f
-−v −v example.net.</b></p>
+<p style="margin-left:11%;"><b>zkt-signer −f −v
+−v example.net.</b></p>
<p style="margin-left:22%;">Same as above if the
<i>dnssec.conf</i> file contains the path of the parent
directory of the <i>example.net</i> zone.</p>
-<p style="margin-left:11%;"><b>dnssec-signer −f
-−v −v −o example.net. zone.db</b></p>
+<p style="margin-left:11%;"><b>zkt-signer −f −v
+−v −o example.net. zone.db</b></p>
<p style="margin-left:22%;">Same as above if we are in the
directory containing the <i>example.net</i> files.</p>
-<p style="margin-left:11%;"><b>dnssec-signer
+<p style="margin-left:11%;"><b>zkt-signer
−−config-option=’ResignInterval 1d;
Sigvalidity 28h; \</b></p>
the zone.</p>
<p style="margin-left:22%;">That’s only needed if you
-want to use the dnssec-signer command in directory mode
+want to use the zkt-signer command in directory mode
(<b>−D</b>). Then the name of the zone will be parsed
out of the directory name.</p>
<p style="margin-left:22%;">The name of the keyfile is
settable by the <i>dnssec.conf</i> parameter <i>keyfile
.</i> The default is <i>dnskey.db .</i></p>
-
-<p style="margin-left:11%;">Control the format of the
-SOA-Record</p>
-
-<p style="margin-left:22%;">For automatic incrementation of
-the serial number, the SOA-Record must be formated, so that
-the serial number is on a single line and left justified in
-a field of at least 10 spaces! If you use BIND version 9.4
-or later and use the unixtime format for the serial number
-(See parameter Serialformat in <i>dnssec.conf</i>) than this
-is not necessary.</p>
-
-<p style="margin-left:11%;">Try to sign the zone</p>
-
-<p style="margin-left:22%;">If the current working
-directory is the directory of the zone <i>example.net</i>,
-use the command <br>
-$ dnssec-signer −D .. −v −v example.net
-<br>
-$ dnssec-signer −o example.net. <br>
-to create the initial keying material and a signed zone
-file. Then try to load the file on the name server.</p>
-
-<h2>ENVIRONMENT VARIABLES
-<a name="ENVIRONMENT VARIABLES"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
-
-<p style="margin-left:22%;">Specifies the name of the
-default global configuration files.</p>
-
-<h2>FILES
-<a name="FILES"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
-
-<p style="margin-left:22%;">Built-in default global
-configuration file. The name of the default global config
-file is settable via the environment variable ZKT_CONFFILE.
-Use <i>dnssec-zkt(8)</i> with option <b>−Z</b> to
-create an initial config file.</p>
-
-
-<p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p>
-
-<p style="margin-left:22%;">View specific global
-configuration file.</p>
-
-<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
-
-<p style="margin-left:22%;">Local configuration file.</p>
-
-<p style="margin-left:11%;"><i>dnskey.db</i></p>
-
-<p style="margin-left:22%;">The file contains the currently
-used key and zone signing keys. It will be created by
-<i>dnsssec-signer(8)</i>. The name of the file is settable
-via the dnssec configuration file (parameter
-<i>keyfile</i>).</p>
-
-<p style="margin-left:11%;"><i>zone.db</i></p>
-
-<p style="margin-left:22%;">This is the zone file. The name
-of the file is settable via the dnssec configuration file
-(parameter <i>zonefile</i>).</p>
-
-<h2>BUGS
-<a name="BUGS"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">The named.conf
-parser is a bit rudimental and not very well tested.</p>
-
-<h2>AUTHORS
-<a name="AUTHORS"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
-Mans Nilsson</p>
-
-<h2>COPYRIGHT
-<a name="COPYRIGHT"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Copyright (c)
-2005 − 2009 by Holger Zuleger. Licensed under the BSD
-Licence. There is NO warranty; not even for MERCHANTABILITY
-or FITNESS FOR A PARTICULAR PURPOSE.</p>
-
-<h2>SEE ALSO
-<a name="SEE ALSO"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
-dnssec-signzone(8), rndc(8), named.conf(5), dnssec-zkt(8)
-<br>
-RFC4033, RFC4034, RFC4035 <br>
-[1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
-(http://www.nlnetlabs.nl/dnssec_howto/) <br>
-[2] RFC4641 "DNSSEC Operational Practices" by Miek
-Gieben and Olaf Kolkman <br>
- (http://www.ietf.org/rfc/rfc4641.txt)</p>
<hr>
</body>
</html>
/*****************************************************************
** copyfile (fromfile, tofile, dnskeyfile)
+** copy fromfile into tofile.
+** Add (optional) the content of dnskeyfile to tofile.
*****************************************************************/
int copyfile (const char *fromfile, const char *tofile, const char *dnskeyfile)
{
/****************************************************************
**
-** int gensalt (saltstr, sizeofstalstr, bits)
+** int gensalt (saltstr, sizeofsaltstr, bits)
**
** generate a random hexstring of 'bits' salt and store it
** in saltstr. return 1 on success, otherwise 0.
**
*****************************************************************/
-int gensalt (char *salt, size_t saltsize, int saltbits)
+int gensalt (char *salt, size_t saltsize, int saltbits, unsigned int seed)
{
static char hexstr[] = "0123456789ABCDEF";
- static int seed = 0;
int saltlen = 0; /* current length of salt in hex nibbles */
int i;
int hex;
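Review bot: The new `seed` parameter makes the caller solely responsible for how unpredictable the NSEC3 salt is, but neither the header comment at `** int gensalt (saltstr, sizeofsaltstr, bits)` nor the prototype says so; add a line such as `** seed: value used to initialise the PRNG; the salt is only as unpredictable as this seed, so derive it from /dev/urandom rather than time()`. If the body (outside this hunk) seeds `rand()`/`random()` with it, a 32-bit seed caps the salt's entropy at 32 bits regardless of `saltbits`, which is worth stating for callers that request longer salts. With the old `static int seed` presumably advancing one stream across calls, replacing it with a per-call argument means two calls with the same seed now yield the same salt, so callers must vary it between zones. gensalt's body continues past the hunk.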
extern void logmesg (char *fmt, ...);
extern void verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...);
extern void logflush (void);
-extern int gensalt (char *salt, size_t saltsize, int saltbits);
+extern int gensalt (char *salt, size_t saltsize, int saltbits, unsigned int seed);
extern char *str_untaint (char *str);
extern char *str_chop (char *str, char c);
extern int is_dotfilename (const char *name);
bufend = buf + sizeof (buf) - 1;
do
*p++ = tolower (c);
- while ( (c = getc (fp)) != EOF && p < bufend && isalpha (c) );
+ while ( (c = getc (fp)) != EOF && p < bufend && (isalpha (c) || c == '-') );
*p = '\0';
ungetc (c, fp);
/*****************************************************************
** distribute and reload a zone via "distribute_command"
+** what is
+** 1 for zone distribution and relaod
+** 2 for key distribution (used by dynamic zoes)
*****************************************************************/
-int dist_and_reload (const zone_t *zp)
+int dist_and_reload (const zone_t *zp, int what)
{
char path[MAX_PATHSIZE+1];
char cmdline[254+1];
char zone[254+1];
char str[254+1];
+ char *view;
FILE *fp;
assert (zp != NULL);
assert (zp->conf->dist_cmd != NULL);
+ assert ( what == 1 || what == 2 );
+
+ if ( zp->conf->dist_cmd == NULL )
+ return 0;
if ( !is_exec_ok (zp->conf->dist_cmd) )
{
return -1;
}
+ view = ""; /* default is an empty view string */
if ( zp->conf->view )
+ {
snprintf (zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view);
+ view = zp->conf->view;
+ }
else
snprintf (zone, sizeof (zone), "\"%s\"", zp->zone);
+ if ( what == 2 )
+ {
+ lg_mesg (LG_NOTICE, "%s: key distribution triggered", zone);
+ verbmesg (1, zp->conf, "\tDistribute keys for zone %s\n", zone);
+ snprintf (cmdline, sizeof (cmdline), "%s distkeys %s %s %s",
+ zp->conf->dist_cmd, zp->zone, path, view);
+ *str = '\0';
+ if ( zp->conf->noexec == 0 )
+ {
+ verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline);
+ if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+ return -2;
+ pclose (fp);
+ verbmesg (2, zp->conf, "\t %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
+ }
+
+ return 0;
+ }
+
pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
lg_mesg (LG_NOTICE, "%s: distribution triggered", zone);
verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone);
- if ( zp->conf->view )
- snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
- else
- snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path);
+ snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, view);
*str = '\0';
if ( zp->conf->noexec == 0 )
lg_mesg (LG_NOTICE, "%s: reload triggered", zone);
verbmesg (1, zp->conf, "\tReload zone %s\n", zone);
- if ( zp->conf->view )
- snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
- else
- snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path);
+ snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, view);
*str = '\0';
if ( zp->conf->noexec == 0 )
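Review bot: In the new `what == 2` branch `path` is formatted into the command at `zp->conf->dist_cmd, zp->zone, path, view` before `pathname (path, sizeof (path), zp->dir, zp->sfile, NULL)` fills it, so an uninitialised (possibly unterminated) stack buffer ends up in the `distkeys` command handed to popen(); move the `pathname(...)` call above the branch. The same branch returns -2 when `fgets()` fails without `pclose()`, leaking the pipe and leaving the child unreaped. Because the command is built by string formatting and run through a shell, `zp->zone`, `path` and `view` must already be free of shell metacharacters (the file has `str_untaint`, but this hunk does not show it applied to them); quote the arguments or assert they were untainted, and check the `snprintf` result so a truncated command is never executed. The `assert (zp->conf->dist_cmd != NULL)` directly above the new `if ( zp->conf->dist_cmd == NULL ) return 0;` makes that check unreachable in debug builds, so keep only one. dist_and_reload's body continues past the hunk.
```c
int dist_and_reload (const zone_t *zp, int what)
{
	/* … unchanged: declarations, dist_cmd / is_exec_ok checks, view and zone setup … */
	pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);	/* must precede any use of path */
	if ( what == 2 )
	{
		/* … unchanged: log messages and cmdline snprintf … */
		if ( zp->conf->noexec == 0 )
		{
			verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline);
			if ( (fp = popen (cmdline, "r")) == NULL )
				return -2;
			if ( fgets (str, sizeof str, fp) == NULL )
			{
				pclose (fp);	/* reap the child even when it printed nothing */
				return -2;
			}
			pclose (fp);
			verbmesg (2, zp->conf, "\t %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
		}
		return 0;
	}
	/* … unchanged: zone distribution and reload … */
```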
**
*****************************************************************/
#ifndef NSCOMM_H
+# define NSCOMM_H
# include <assert.h>
# include <unistd.h>
# include <sys/types.h>
# include "log.h"
# include "misc.h"
# include "debug.h"
-# define NSCOMM_H
extern int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze);
extern int reload_zone (const char *domain, const zconf_t *z);
-extern int dist_and_reload (const zone_t *zp);
+extern int dist_and_reload (const zone_t *zp, int what);
#endif
#if 0
verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %d < parentprop %d + parentresig %d + parentkeyttl %d\n", parfile_age, parent_propagation, parent_resign, parent_keyttl);
#else
- verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %dsec < parentprop %dsec + parentkeyttl %dsec\n", parfile_age, parent_propagation, parent_keyttl);
+ verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %dsec < parentprop %dsec + parentkeyttl %dsec\n", parfile_age, parent_propagation, parent_keyttl);
#endif
break;
default:
akey = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, z->k2_algo, 'a', 1);
if ( akey == NULL )
{
- verbmesg (1, z, "\tNo active KSK for second algorithm found: generate new one\n");
+ verbmesg (1, z, "\tNo active KSK for additional algorithm found: generate new one\n");
akey = genkey2 (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
if ( !akey )
{
- error ("\tcould not generate new KSK for 2nd algorithm\n");
+ error ("\tcould not generate new KSK for additional algorithm\n");
lg_mesg (LG_ERROR, "\"%s\": can't generate new KSK for 2nd algorithm: \"%s\"",
zp->zone, dki_geterrstr());
}
else
- lg_mesg (LG_INFO, "\"%s\": generated new KSK %d for 2nd algorithm",
+ lg_mesg (LG_INFO, "\"%s\": generated new KSK %d for additional algorithm",
zp->zone, akey->tag);
return 1; /* return value of 1 forces a resigning of the zone */
}
CONF_FACILITY zconf.c /^ CONF_FACILITY,$/;" e enum:__anon2 file:
CONF_INT zconf.c /^ CONF_INT,$/;" e enum:__anon2 file:
CONF_LEVEL zconf.c /^ CONF_LEVEL,$/;" e enum:__anon2 file:
+CONF_NSEC3 zconf.c /^ CONF_NSEC3,$/;" e enum:__anon2 file:
CONF_SERIAL zconf.c /^ CONF_SERIAL,$/;" e enum:__anon2 file:
CONF_STRING zconf.c /^ CONF_STRING,$/;" e enum:__anon2 file:
CONF_TIMEINT zconf.c /^ CONF_TIMEINT,$/;" e enum:__anon2 file:
-ISCOMMENT zconf.c 67;" d file:
-ISDELIM zconf.c 69;" d file:
-ISTRUE zconf.c 65;" d file:
-KEYSET_FILE_PFX dnssec-signer.c 709;" d file:
+CONF_VERSION zconf.c /^ CONF_VERSION,$/;" e enum:__anon2 file:
+ISCOMMENT zconf.c 68;" d file:
+ISDELIM zconf.c 70;" d file:
+ISTRUE zconf.c 66;" d file:
+KEYGEN_COMPMODE dki.c 231;" d file:
+KEYGEN_COMPMODE dki.c 233;" d file:
+KEYSET_FILE_PFX zkt-signer.c 747;" d file:
KeyWords ncparse.c /^static struct KeyWords {$/;" s file:
-MAXFNAME log.c 97;" d file:
-STRCONFIG_DELIMITER zconf.c 529;" d file:
+MAXFNAME log.c 98;" d file:
+STRCONFIG_DELIMITER zconf.c 632;" d file:
TAINTEDCHARS misc.c 60;" d file:
TOK_DELEGATION ncparse.c 59;" d file:
TOK_DIR ncparse.c 49;" d file:
TOK_VIEW ncparse.c 60;" d file:
TOK_ZONE ncparse.c 52;" d file:
a domaincmp.c /^ char *a;$/;" m struct:__anon1 file:
-add2zonelist dnssec-signer.c /^static int add2zonelist (const char *dir, const char *view, const char *zone, const char *file)$/;" f file:
+add2zonelist zkt-signer.c /^static int add2zonelist (const char *dir, const char *view, const char *zone, const char *file)$/;" f file:
+addkeydb zfparse.c /^int addkeydb (const char *file, const char *keydbfile)$/;" f
age2str misc.c /^char *age2str (time_t sec)$/;" f
-ageflag dnssec-zkt.c /^int ageflag = 0;$/;" v
+ageflag zkt-keyman.c /^int ageflag = 0;$/;" v
+ageflag zkt-ls.c /^int ageflag = 0;$/;" v
+allflag zkt-conf.c /^static int allflag = 0;$/;" v file:
b domaincmp.c /^ char *b;$/;" m struct:__anon1 file:
-bind94_dynzone dnssec-signer.c 130;" d file:
-bind96_dynzone dnssec-signer.c 131;" d file:
+bind94_dynzone zkt-signer.c 130;" d file:
+bind96_dynzone zkt-signer.c 131;" d file:
+bold_off tcap.c /^static const char *bold_off = "";$/;" v file:
+bold_on tcap.c /^static const char *bold_on = "";$/;" v file:
bool2str zconf.c /^static const char *bool2str (int val)$/;" f file:
-check_keydb_timestamp dnssec-signer.c /^static int check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;" f file:
+check_keydb_timestamp zkt-signer.c /^static int check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;" f file:
checkconfig zconf.c /^int checkconfig (const zconf_t *z)$/;" f
-cmdline zconf.c /^ int cmdline; \/* is this a command line parameter ? *\/$/;" m struct:__anon3 file:
+cmdln zconf.c 73;" d file:
cmpfile misc.c /^int cmpfile (const char *file1, const char *file2)$/;" f
-config dnssec-signer.c /^static zconf_t *config;$/;" v file:
+colortab tcap.c /^static char colortab[8][31+1];$/;" v file:
+compversion zconf.c /^static int compversion;$/;" v file:
config zconf.c /^static zconf_t *config;$/;" v file:
+config zkt-signer.c /^static zconf_t *config;$/;" v file:
confpara zconf.c /^static zconf_para_t confpara[] = {$/;" v file:
-copy_keyset dnssec-signer.c /^static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf)$/;" f file:
+copy_keyset zkt-signer.c /^static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf)$/;" f file:
copyfile misc.c /^int copyfile (const char *fromfile, const char *tofile, const char *dnskeyfile)$/;" f
copyzonefile misc.c /^int copyzonefile (const char *fromfile, const char *tofile, const char *dnskeyfile)$/;" f
-create_parent_file dnssec-zkt.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file:
create_parent_file rollover.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file:
-createkey dnssec-zkt.c /^static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;" f file:
+create_parent_file zkt-keyman.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file:
+createkey zkt-keyman.c /^static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;" f file:
ctype_t zconf.c /^} ctype_t;$/;" t typeref:enum:__anon2 file:
def zconf.c /^static zconf_t def = {$/;" v file:
-dirflag dnssec-zkt.c /^static int dirflag = 0;$/;" v file:
-dirname dnssec-signer.c /^static const char *dirname = NULL;$/;" v file:
-dist_and_reload nscomm.c /^int dist_and_reload (const zone_t *zp)$/;" f
+dirflag zkt-keyman.c /^static int dirflag = 0;$/;" v file:
+dirflag zkt-ls.c /^static int dirflag = 0;$/;" v file:
+dirname zkt-signer.c /^static const char *dirname = NULL;$/;" v file:
+dist_and_reload nscomm.c /^int dist_and_reload (const zone_t *zp, int what)$/;" f
dki_add dki.c /^dki_t *dki_add (dki_t **list, dki_t *new)$/;" f
dki_age dki.c /^int dki_age (const dki_t *dkp, time_t curr)$/;" f
dki_algo dki.c /^time_t dki_algo (const dki_t *dkp)$/;" f
dki_readdir dki.c /^int dki_readdir (const char *dir, dki_t **listp, int recursive)$/;" f
dki_readfile dki.c /^static int dki_readfile (FILE *fp, dki_t *dkp)$/;" f file:
dki_remove dki.c /^dki_t *dki_remove (dki_t *dkp)$/;" f
+dki_revnamecmp dki.c /^int dki_revnamecmp (const dki_t *a, const dki_t *b)$/;" f
dki_search dki.c /^const dki_t *dki_search (const dki_t *list, int tag, const char *name)$/;" f
dki_setexptime dki.c /^time_t dki_setexptime (dki_t *dkp, time_t sec)$/;" f
dki_setflag dki.c /^dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag)$/;" f
dki_setstatus_preservetime dki.c /^int dki_setstatus_preservetime (dki_t *dkp, int status)$/;" f
dki_status dki.c /^dk_status_t dki_status (const dki_t *dkp)$/;" f
dki_statusstr dki.c /^const char *dki_statusstr (const dki_t *dkp)$/;" f
-dki_tadd dki.c /^dki_t *dki_tadd (dki_t **tree, dki_t *new)$/;" f
+dki_tadd dki.c /^dki_t *dki_tadd (dki_t **tree, dki_t *new, int sub_before)$/;" f
dki_tagcmp dki.c /^int dki_tagcmp (const dki_t *a, const dki_t *b)$/;" f
dki_tfree dki.c /^void dki_tfree (dki_t **tree)$/;" f
dki_time dki.c /^time_t dki_time (const dki_t *dkp)$/;" f
dki_writeinfo dki.c /^static int dki_writeinfo (const dki_t *dkp, const char *path)$/;" f file:
domain_canonicdup misc.c /^char *domain_canonicdup (const char *s)$/;" f
domaincmp domaincmp.c /^int domaincmp (const char *a, const char *b)$/;" f
-dosigning dnssec-signer.c /^static int dosigning (zone_t *zonelist, zone_t *zp)$/;" f file:
+domaincmp_dir domaincmp.c /^int domaincmp_dir (const char *a, const char *b, int subdomain_above)$/;" f
+dosigning zkt-signer.c /^static int dosigning (zone_t *zonelist, zone_t *zp)$/;" f file:
dupconfig zconf.c /^zconf_t *dupconfig (const zconf_t *conf)$/;" f
dyn_update_freeze nscomm.c /^int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;" f
-dynamic_zone dnssec-signer.c /^static int dynamic_zone = 0; \/* dynamic zone ? *\/$/;" v file:
+dynamic_zone zkt-signer.c /^static int dynamic_zone = 0; \/* dynamic zone ? *\/$/;" v file:
error misc.c /^void error (char *fmt, ...)$/;" f
ex domaincmp.c /^} ex[] = {$/;" v typeref:struct:__anon1 file:
-exptimeflag dnssec-zkt.c /^int exptimeflag = 0;$/;" v
+exptimeflag zkt-keyman.c /^int exptimeflag = 0;$/;" v
+exptimeflag zkt-ls.c /^int exptimeflag = 0;$/;" v
extern dki.c 59;" d file:
extern dki.c 61;" d file:
-extern domaincmp.c 42;" d file:
-extern domaincmp.c 44;" d file:
+extern domaincmp.c 43;" d file:
+extern domaincmp.c 45;" d file:
extern log.c 55;" d file:
extern log.c 57;" d file:
extern misc.c 56;" d file:
extern rollover.c 59;" d file:
extern soaserial.c 53;" d file:
extern soaserial.c 55;" d file:
-extern zconf.c 60;" d file:
-extern zconf.c 62;" d file:
-extern zkt.c 47;" d file:
+extern tcap.c 31;" d file:
+extern tcap.c 33;" d file:
+extern zconf.c 61;" d file:
+extern zconf.c 63;" d file:
+extern zfparse.c 58;" d file:
+extern zfparse.c 60;" d file:
extern zkt.c 49;" d file:
+extern zkt.c 51;" d file:
extern zone.c 53;" d file:
extern zone.c 55;" d file:
fatal misc.c /^void fatal (char *fmt, ...)$/;" f
file_mtime misc.c /^time_t file_mtime (const char *fname)$/;" f
fileexist misc.c /^int fileexist (const char *name)$/;" f
filesize misc.c /^size_t filesize (const char *name)$/;" f
-force dnssec-signer.c /^static int force = 0;$/;" v file:
+first zconf.c 74;" d file:
+force zkt-signer.c /^static int force = 0;$/;" v file:
+freeconfig zconf.c /^zconf_t *freeconfig (zconf_t *conf)$/;" f
genkey rollover.c /^static dki_t *genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
genkey2 rollover.c /^static dki_t *genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
-gensalt misc.c /^int gensalt (char *salt, size_t saltsize, int saltbits)$/;" f
+gensalt misc.c /^int gensalt (char *salt, size_t saltsize, int saltbits, unsigned int seed)$/;" f
get_exptime rollover.c /^static time_t get_exptime (dki_t *key, const zconf_t *z)$/;" f file:
-get_parent_phase dnssec-zkt.c /^static int get_parent_phase (const char *file)$/;" f file:
get_parent_phase rollover.c /^static int get_parent_phase (const char *file)$/;" f file:
+get_parent_phase zkt-keyman.c /^static int get_parent_phase (const char *file)$/;" f file:
+get_ttl zfparse.c /^static long get_ttl (const char *s)$/;" f file:
getdefconfname misc.c /^const char *getdefconfname (const char *view)$/;" f
getnameappendix misc.c /^const char *getnameappendix (const char *progname, const char *basename)$/;" f
gettok ncparse.c /^static int gettok (FILE *fp, char *val, size_t valsize)$/;" f file:
-goto_labelstart domaincmp.c 47;" d file:
-headerflag dnssec-zkt.c /^int headerflag = 1;$/;" v
+goto_labelstart domaincmp.c 48;" d file:
+headerflag zkt-keyman.c /^int headerflag = 1;$/;" v
+headerflag zkt-ls.c /^int headerflag = 1;$/;" v
+html tcap.c /^static int html = 0;$/;" v file:
in_strarr misc.c /^int in_strarr (const char *str, char *const arr[], int cnt)$/;" f
inc_errstr soaserial.c /^const char *inc_errstr (int err)$/;" f
inc_serial soaserial.c /^int inc_serial (const char *fname, int use_unixtime)$/;" f
inc_soa_serial soaserial.c /^static int inc_soa_serial (FILE *fp, int use_unixtime)$/;" f file:
+is1 tcap.c /^static const char *is1 = "";$/;" v file:
+is2 tcap.c /^static const char *is2 = "";$/;" v file:
+is_defined zkt-signer.c 132;" d file:
is_directory misc.c /^int is_directory (const char *name)$/;" f
is_dotfilename misc.c /^int is_dotfilename (const char *name)$/;" f
is_exec_ok misc.c /^int is_exec_ok (const char *prog)$/;" f
is_keyfilename misc.c /^int is_keyfilename (const char *name)$/;" f
+is_multiline_rr zfparse.c /^static const char *is_multiline_rr (int *multi_line_rr, const char *p)$/;" f file:
is_parentdirsigned rollover.c /^static int is_parentdirsigned (const zone_t *zonelist, const zone_t *zp)$/;" f file:
is_soa_rr soaserial.c /^static int is_soa_rr (const char *line)$/;" f file:
+iscmdline zconf.c 77;" d file:
+iscompatible zconf.c 78;" d file:
isinlist strlist.c /^int isinlist (const char *str, const char *list)$/;" f
+isparentdomain domaincmp.c /^int isparentdomain (const char *child, const char *parent, int level)$/;" f
+issubdomain domaincmp.c /^int issubdomain (const char *child, const char *parent)$/;" f
+italic_off tcap.c /^static const char *italic_off = "";$/;" v file:
+italic_on tcap.c /^static const char *italic_on = "";$/;" v file:
ksk5011status rollover.c /^int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;" f
-ksk_roll dnssec-zkt.c /^static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;" f file:
-kskdomain dnssec-zkt.c /^static char *kskdomain = "";$/;" v file:
-kskflag dnssec-zkt.c /^int kskflag = 1;$/;" v
+ksk_roll zkt-keyman.c /^static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;" f file:
+kskdomain zkt-keyman.c /^static char *kskdomain = "";$/;" v file:
+kskflag zkt-keyman.c /^int kskflag = 1;$/;" v
+kskflag zkt-ls.c /^int kskflag = 1;$/;" v
kskrollover rollover.c /^static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)$/;" f file:
kskstatus rollover.c /^int kskstatus (zone_t *zonelist, zone_t *zp)$/;" f
kw ncparse.c /^} kw[] = {$/;" v typeref:struct:KeyWords file:
label zconf.c /^ char *label; \/* the name of the paramter *\/$/;" m struct:__anon3 file:
-labellist dnssec-zkt.c /^char *labellist = NULL;$/;" v
+labellist zkt-keyman.c /^char *labellist = NULL;$/;" v
+labellist zkt-ls.c /^char *labellist = NULL;$/;" v
+last zconf.c 75;" d file:
level log.c /^ lg_lvl_t level;$/;" m struct:__anon4 file:
lg_args log.c /^void lg_args (lg_lvl_t level, int argc, char * const argv[])$/;" f
lg_close log.c /^int lg_close ()$/;" f
lg_errcnt log.c /^static long lg_errcnt;$/;" v file:
lg_fileopen log.c /^static FILE *lg_fileopen (const char *path, const char *name)$/;" f file:
lg_fp log.c /^static FILE *lg_fp;$/;" v file:
+lg_fpsave log.c /^static FILE *lg_fpsave;$/;" v file:
lg_geterrcnt log.c /^long lg_geterrcnt ()$/;" f
lg_lvl2str log.c /^const char *lg_lvl2str (lg_lvl_t level)$/;" f
lg_lvl2syslog log.c /^lg_lvl_t lg_lvl2syslog (lg_lvl_t level)$/;" f
lg_str2syslog log.c /^int lg_str2syslog (const char *facility)$/;" f
lg_symtbl_t log.c /^} lg_symtbl_t;$/;" t typeref:struct:__anon4 file:
lg_syslogging log.c /^static int lg_syslogging;$/;" v file:
-lifetime dnssec-zkt.c /^int lifetime = 0;$/;" v
-lifetimeflag dnssec-zkt.c /^int lifetimeflag = 0;$/;" v
+lg_zone_end log.c /^int lg_zone_end ()$/;" f
+lg_zone_start log.c /^int lg_zone_start (const char *dir, const char *domain)$/;" f
+lifetime zkt-keyman.c /^int lifetime = 0;$/;" v
+lifetime zkt-ls.c /^int lifetime = 0;$/;" v
+lifetimeflag zkt-keyman.c /^int lifetimeflag = 0;$/;" v
+lifetimeflag zkt-ls.c /^int lifetimeflag = 0;$/;" v
linkfile misc.c /^int linkfile (const char *fromfile, const char *tofile)$/;" f
list_dnskey zkt.c /^static void list_dnskey (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
list_key zkt.c /^static void list_key (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
list_trustedkey zkt.c /^static void list_trustedkey (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
-ljustflag dnssec-zkt.c /^int ljustflag = 0;$/;" v
+ljustflag zkt-keyman.c /^int ljustflag = 0;$/;" v
+ljustflag zkt-ls.c /^int ljustflag = 0;$/;" v
loadconfig zconf.c /^zconf_t *loadconfig (const char *filename, zconf_t *z)$/;" f
loadconfig_fromstr zconf.c /^zconf_t *loadconfig_fromstr (const char *str, zconf_t *z)$/;" f
-logfile dnssec-signer.c /^static const char *logfile = NULL;$/;" v file:
+logfile zkt-signer.c /^static const char *logfile = NULL;$/;" v file:
logflush misc.c /^void logflush ()$/;" f
logmesg misc.c /^void logmesg (char *fmt, ...)$/;" f
-long_options dnssec-signer.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
-long_options dnssec-zkt.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
-lopt_usage dnssec-signer.c 326;" d file:
-lopt_usage dnssec-signer.c 329;" d file:
-lopt_usage dnssec-zkt.c 402;" d file:
-lopt_usage dnssec-zkt.c 405;" d file:
-loptstr dnssec-signer.c 327;" d file:
-loptstr dnssec-signer.c 330;" d file:
-loptstr dnssec-zkt.c 403;" d file:
-loptstr dnssec-zkt.c 406;" d file:
-main dnssec-signer.c /^int main (int argc, char *const argv[])$/;" f
-main dnssec-zkt.c /^int main (int argc, char *argv[])$/;" f
+long_options zkt-conf.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
+long_options zkt-keyman.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
+long_options zkt-ls.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
+long_options zkt-signer.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
+lopt_usage zkt-conf.c 306;" d file:
+lopt_usage zkt-conf.c 309;" d file:
+lopt_usage zkt-keyman.c 334;" d file:
+lopt_usage zkt-keyman.c 337;" d file:
+lopt_usage zkt-ls.c 314;" d file:
+lopt_usage zkt-ls.c 317;" d file:
+lopt_usage zkt-signer.c 341;" d file:
+lopt_usage zkt-signer.c 344;" d file:
+loptstr zkt-conf.c 307;" d file:
+loptstr zkt-conf.c 310;" d file:
+loptstr zkt-keyman.c 335;" d file:
+loptstr zkt-keyman.c 338;" d file:
+loptstr zkt-ls.c 315;" d file:
+loptstr zkt-ls.c 318;" d file:
+loptstr zkt-signer.c 342;" d file:
+loptstr zkt-signer.c 345;" d file:
main domaincmp.c /^main (int argc, char *argv[])$/;" f
main log.c /^int main (int argc, char *argv[])$/;" f
main misc.c /^main (int argc, char *argv[])$/;" f
main ncparse.c /^main (int argc, char *argv[])$/;" f
main soaserial.c /^main (int argc, char *argv[])$/;" f
main strlist.c /^main (int argc, char *argv[])$/;" f
+main tcap.c /^main (int argc, const char *argv[])$/;" f
main zconf.c /^main (int argc, char *argv[])$/;" f
+main zfparse.c /^int main (int argc, char *argv[])$/;" f
+main zkt-conf.c /^int main (int argc, char *argv[])$/;" f
+main zkt-keyman.c /^int main (int argc, char *argv[])$/;" f
+main zkt-ls.c /^int main (int argc, char *argv[])$/;" f
+main zkt-signer.c /^int main (int argc, char *const argv[])$/;" f
main zkt-soaserial.c /^int main (int argc, char *argv[])$/;" f
+maxcolor tcap.c /^static int maxcolor;$/;" v file:
name ncparse.c /^ char *name;$/;" m struct:KeyWords file:
-namedconf dnssec-signer.c /^static const char *namedconf = NULL;$/;" v file:
-new_keysetfiles dnssec-signer.c /^static int new_keysetfiles (const char *dir, time_t zone_signing_time)$/;" f file:
-noexec dnssec-signer.c /^static int noexec = 0;$/;" v file:
-origin dnssec-signer.c /^static const char *origin = NULL;$/;" v file:
+namedconf zkt-signer.c /^static const char *namedconf = NULL;$/;" v file:
+new_keysetfiles zkt-signer.c /^static int new_keysetfiles (const char *dir, time_t zone_signing_time)$/;" f file:
+noexec zkt-signer.c /^static int noexec = 0;$/;" v file:
+origin zkt-signer.c /^static const char *origin = NULL;$/;" v file:
+parent zkt.c /^const dki_t *parent;$/;" v
parse_namedconf ncparse.c /^int parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ())$/;" f
parseconfigline zconf.c /^static void parseconfigline (char *buf, unsigned int line, zconf_t *z)$/;" f file:
-parsedir dnssec-signer.c /^static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf)$/;" f file:
-parsedirectory dnssec-zkt.c /^static int parsedirectory (const char *dir, dki_t **listp)$/;" f file:
-parsefile dnssec-zkt.c /^static void parsefile (const char *file, dki_t **listp)$/;" f file:
-parsetag dnssec-zkt.c /^static const char *parsetag (const char *str, int *tagp)$/;" f file:
+parsedir zkt-signer.c /^static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf)$/;" f file:
+parsedirectory zkt-keyman.c /^static int parsedirectory (const char *dir, dki_t **listp)$/;" f file:
+parsedirectory zkt-ls.c /^static int parsedirectory (const char *dir, dki_t **listp, int sub_before)$/;" f file:
+parsefile zkt-keyman.c /^static void parsefile (const char *file, dki_t **listp)$/;" f file:
+parsefile zkt-ls.c /^static void parsefile (const char *file, dki_t **listp, int sub_before)$/;" f file:
+parsetag zkt-keyman.c /^static const char *parsetag (const char *str, int *tagp)$/;" f file:
parseurl misc.c /^void parseurl (char *url, char **proto, char **host, char **port, char **para)$/;" f
-pathflag dnssec-zkt.c /^int pathflag = 0;$/;" v
+parsezonefile zfparse.c /^int parsezonefile (const char *file, long *pminttl, long *pmaxttl, const char *keydbfile)$/;" f
+pathflag zkt-keyman.c /^int pathflag = 0;$/;" v
+pathflag zkt-ls.c /^int pathflag = 0;$/;" v
pathname misc.c /^char *pathname (char *path, size_t size, const char *dir, const char *file, const char *ext)$/;" f
prepstrlist strlist.c /^char *prepstrlist (const char *str, const char *delim)$/;" f
printconfig zconf.c /^int printconfig (const char *fname, const zconf_t *z)$/;" f
+printconfigdiff zconf.c /^int printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z)$/;" f
printconfigline zconf.c /^static void printconfigline (FILE *fp, zconf_para_t *cp)$/;" f file:
printkeyinfo zkt.c /^static void printkeyinfo (const dki_t *dkp, const char *oldpath)$/;" f file:
printserial zkt-soaserial.c /^static void printserial (const char *fname, unsigned long serial)$/;" f file:
printzone ncparse.c /^int printzone (const char *dir, const char *view, const char *zone, const char *file)$/;" f
-progname dnssec-signer.c /^const char *progname;$/;" v
-progname dnssec-zkt.c /^const char *progname;$/;" v
progname domaincmp.c /^const char *progname;$/;" v
progname log.c /^const char *progname;$/;" v
progname misc.c /^const char *progname;$/;" v
progname ncparse.c /^char *progname;$/;" v
progname soaserial.c /^const char *progname;$/;" v
+progname tcap.c /^static const char *progname;$/;" v file:
progname zconf.c /^const char *progname;$/;" v
+progname zfparse.c /^const char *progname;$/;" v
+progname zkt-conf.c /^const char *progname;$/;" v
+progname zkt-keyman.c /^const char *progname;$/;" v
+progname zkt-ls.c /^const char *progname;$/;" v
+progname zkt-signer.c /^const char *progname;$/;" v
progname zkt-soaserial.c /^static const char *progname;$/;" v file:
+put tcap.c /^static int put (int c)$/;" f file:
+r1 tcap.c /^static const char *r1 = "";$/;" v file:
+r2 tcap.c /^static const char *r2 = "";$/;" v file:
read_serial_fromfile zkt-soaserial.c /^static int read_serial_fromfile (const char *fname, unsigned long *serial)$/;" f file:
-recflag dnssec-zkt.c /^static int recflag = RECURSIVE;$/;" v file:
-register_key dnssec-signer.c /^static void register_key (dki_t *list, const zconf_t *z)$/;" f file:
+recflag zkt-keyman.c /^static int recflag = RECURSIVE;$/;" v file:
+recflag zkt-ls.c /^static int recflag = RECURSIVE;$/;" v file:
+register_key zkt-signer.c /^static void register_key (dki_t *list, const zconf_t *z)$/;" f file:
reload_zone nscomm.c /^int reload_zone (const char *domain, const zconf_t *z)$/;" f
-reloadflag dnssec-signer.c /^static int reloadflag = 0;$/;" v file:
+reloadflag zkt-signer.c /^static int reloadflag = 0;$/;" v file:
res domaincmp.c /^ int res;$/;" m struct:__anon1 file:
searchitem zkt.c /^static int searchitem;$/;" v file:
searchkw ncparse.c /^static int searchkw (const char *keyword)$/;" f file:
searchresult zkt.c /^static const dki_t *searchresult;$/;" v file:
serialtime soaserial.c /^static ulong serialtime (time_t sec)$/;" f file:
-set_all_varptr zconf.c /^static void set_all_varptr (zconf_t *cp)$/;" f file:
-set_bind94_dynzone dnssec-signer.c 128;" d file:
-set_bind96_dynzone dnssec-signer.c 129;" d file:
+set_all_varptr zconf.c /^static void set_all_varptr (zconf_t *cp, const zconf_t *cp2)$/;" f file:
+set_bind94_dynzone zkt-signer.c 128;" d file:
+set_bind96_dynzone zkt-signer.c 129;" d file:
set_keylifetime zkt.c /^static void set_keylifetime (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
-set_varptr zconf.c /^static int set_varptr (char *entry, void *ptr)$/;" f file:
+set_varptr zconf.c /^static int set_varptr (char *entry, void *ptr, const void *ptr2)$/;" f file:
setconfigpar zconf.c /^int setconfigpar (zconf_t *config, char *entry, const void *pval)$/;" f
-setglobalflags dnssec-zkt.c /^static void setglobalflags (zconf_t *config)$/;" f file:
-short_options dnssec-signer.c 68;" d file:
-short_options dnssec-signer.c 70;" d file:
-short_options dnssec-zkt.c 89;" d file:
-sign_zone dnssec-signer.c /^static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)$/;" f file:
-sopt_usage dnssec-signer.c 324;" d file:
-sopt_usage dnssec-zkt.c 400;" d file:
+setconfigversion zconf.c /^void setconfigversion (int version)$/;" f
+setglobalflags zkt-keyman.c /^static void setglobalflags (zconf_t *config)$/;" f file:
+setglobalflags zkt-ls.c /^static void setglobalflags (zconf_t *config)$/;" f file:
+setminmax zfparse.c /^static void setminmax (long *pmin, long val, long *pmax)$/;" f file:
+short_options zkt-conf.c 73;" d file:
+short_options zkt-keyman.c 88;" d file:
+short_options zkt-ls.c 92;" d file:
+short_options zkt-ls.c 94;" d file:
+short_options zkt-signer.c 68;" d file:
+short_options zkt-signer.c 70;" d file:
+sign_zone zkt-signer.c /^static int sign_zone (const zone_t *zp)$/;" f file:
+skiplabel zfparse.c /^static const char *skiplabel (const char *s)$/;" f file:
+skipws zfparse.c /^static const char *skipws (const char *s)$/;" f file:
+sopt_usage zkt-conf.c 304;" d file:
+sopt_usage zkt-keyman.c 332;" d file:
+sopt_usage zkt-ls.c 312;" d file:
+sopt_usage zkt-signer.c 339;" d file:
splitpath misc.c /^const char *splitpath (char *path, size_t psize, const char *filename)$/;" f
start_timer misc.c /^time_t start_timer ()$/;" f
stop_timer misc.c /^time_t stop_timer (time_t start)$/;" f
str_delspace misc.c /^char *str_delspace (char *s)$/;" f
str_untaint misc.c /^char *str_untaint (char *str)$/;" f
strfindstr soaserial.c /^static const char *strfindstr (const char *str, const char *search)$/;" f file:
+subdomain_before_parent zkt-ls.c /^int subdomain_before_parent = 1;$/;" v
symtbl log.c /^static lg_symtbl_t symtbl[] = {$/;" v file:
syslog_level log.c /^ int syslog_level;$/;" m struct:__anon4 file:
tag_search zkt.c /^static void tag_search (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
+tc_attr tcap.c /^int tc_attr (FILE *fp, tc_att_t attr, int on)$/;" f
+tc_color tcap.c /^static int tc_color (FILE *fp, int color)$/;" f file:
+tc_end tcap.c /^int tc_end (FILE *fp, const char *term)$/;" f
+tc_init tcap.c /^int tc_init (FILE *fp, const char *term)$/;" f
+tc_outfp tcap.c /^static FILE *tc_outfp;$/;" v file:
+tc_printattr tcap.c /^static int tc_printattr (FILE *fp, const char *attstr)$/;" f file:
+term zkt-ls.c /^static const char *term = NULL;$/;" v file:
+testflag zkt-conf.c /^static int testflag = 0;$/;" v file:
time2isostr misc.c /^char *time2isostr (time_t sec, int precision)$/;" f
time2str misc.c /^char *time2str (time_t sec, int precision)$/;" f
-timeflag dnssec-zkt.c /^int timeflag = 1;$/;" v
-timeint2str zconf.c /^static const char *timeint2str (ulong val)$/;" f file:
+timeflag zkt-keyman.c /^int timeflag = 1;$/;" v
+timeflag zkt-ls.c /^int timeflag = 1;$/;" v
+timeint2str zconf.c /^const char *timeint2str (unsigned long val)$/;" f
timestr zkt-soaserial.c /^static char *timestr (time_t sec)$/;" f file:
timestr2time misc.c /^time_t timestr2time (const char *timestr)$/;" f
tok ncparse.c /^ int tok;$/;" m struct:KeyWords file:
tok2str ncparse.c /^static const char *tok2str (int tok)$/;" f file:
touch misc.c /^int touch (const char *fname, time_t sec)$/;" f
-trustedkeyflag dnssec-zkt.c /^static int trustedkeyflag = 0;$/;" v file:
+trustedkeyflag zkt-ls.c /^static int trustedkeyflag = 0;$/;" v file:
type zconf.c /^ ctype_t type; \/* the parameter type *\/$/;" m struct:__anon3 file:
unprepstrlist strlist.c /^char *unprepstrlist (char *list, char delimc)$/;" f
-usage dnssec-signer.c /^static void usage (char *mesg, zconf_t *conf)$/;" f file:
-usage dnssec-zkt.c /^static void usage (char *mesg, zconf_t *cp)$/;" f file:
+usage zkt-conf.c /^static void usage (char *mesg)$/;" f file:
+usage zkt-keyman.c /^static void usage (char *mesg, zconf_t *cp)$/;" f file:
+usage zkt-ls.c /^static void usage (char *mesg, zconf_t *cp)$/;" f file:
+usage zkt-signer.c /^static void usage (char *mesg, zconf_t *conf)$/;" f file:
usage zkt-soaserial.c /^static void usage (const char *msg)$/;" f file:
+used_since zconf.c /^ short used_since; \/* compability (from version; 0 == command line) *\/$/;" m struct:__anon3 file:
+used_till zconf.c /^ short used_till; \/* compability (to version) *\/$/;" m struct:__anon3 file:
var zconf.c /^ void *var; \/* pointer to the parameter variable *\/$/;" m struct:__anon3 file:
+var2 zconf.c /^ const void *var2; \/* pointer to a second parameter variable *\/$/;" m struct:__anon3 file:
verbmesg misc.c /^void verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...)$/;" f
-verbose dnssec-signer.c /^static int verbose = 0;$/;" v file:
-view dnssec-zkt.c /^static const char *view = "";$/;" v file:
-viewname dnssec-signer.c /^static const char *viewname = NULL;$/;" v file:
-writekeyfile dnssec-signer.c /^static int writekeyfile (const char *fname, const dki_t *list, int key_ttl)$/;" f file:
+verbose zkt-signer.c /^static int verbose = 0;$/;" v file:
+view zkt-conf.c /^static const char *view = "";$/;" v file:
+view zkt-keyman.c /^static const char *view = "";$/;" v file:
+view zkt-ls.c /^static const char *view = "";$/;" v file:
+viewname zkt-signer.c /^static const char *viewname = NULL;$/;" v file:
+writeflag zkt-conf.c /^static int writeflag = 0;$/;" v file:
+writekeyfile zkt-signer.c /^static int writekeyfile (const char *fname, const dki_t *list, int key_ttl)$/;" f file:
zconf_para_t zconf.c /^} zconf_para_t;$/;" t typeref:struct:__anon3 file:
zkt_list_dnskeys zkt.c /^void zkt_list_dnskeys (const dki_t *data)$/;" f
zkt_list_keys zkt.c /^void zkt_list_keys (const dki_t *data)$/;" f
zone_print zone.c /^int zone_print (const char *mesg, const zone_t *z)$/;" f
zone_readdir zone.c /^int zone_readdir (const char *dir, const char *zone, const char *zfile, zone_t **listp, const zconf_t *conf, int dyn_zone)$/;" f
zone_search zone.c /^const zone_t *zone_search (const zone_t *list, const char *zone)$/;" f
-zonelist dnssec-signer.c /^static zone_t *zonelist = NULL; \/* must be static global because add2zonelist use it *\/$/;" v file:
-zskflag dnssec-zkt.c /^int zskflag = 1;$/;" v
+zonelist zkt-signer.c /^static zone_t *zonelist = NULL; \/* must be static global because add2zonelist use it *\/$/;" v file:
+zskflag zkt-keyman.c /^int zskflag = 1;$/;" v
+zskflag zkt-ls.c /^int zskflag = 1;$/;" v
zskstatus rollover.c /^int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;" f
--- /dev/null
+/*****************************************************************
+**
+** tcap.c -- termcap color capabilities
+**
+** (c) Jan 1991 - Feb 2010 by hoz
+**
+** Feb 2002 max line size increased to 512 byte
+** default terminal "html" added
+** Feb 2010 color capabilities added
+**
+*****************************************************************/
+
+#include <stdio.h>
+#include <string.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+# include "config_zkt.h"
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+# ifdef HAVE_TERM_H
+# include <term.h>
+# endif
+# ifdef HAVE_CURSES_H
+# include <curses.h>
+# endif
+#endif
+
+#define extern
+# include "tcap.h"
+#undef extern
+
+/*****************************************************************
+** global vars
+*****************************************************************/
+/* termcap strings */
+static const char *is1 = "";
+static const char *is2 = "";
+static const char *r1 = "";
+static const char *r2 = "";
+static const char *bold_on = "";
+static const char *bold_off = "";
+static const char *italic_on = "";
+static const char *italic_off = "";
+static char colortab[8][31+1];
+
+/* termcap numbers */
+static int maxcolor;
+
+/* function declaration */
+static int tc_printattr (FILE *fp, const char *attstr);
+static int tc_color (FILE *fp, int color);
+
+static int html = 0;
+
+
+
+/*****************************************************************
+** global functions
+*****************************************************************/
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int tc_init (FILE *fp, const char *term)
+{
+ static char area[1024];
+ char buf[1024];
+ char *ap = area;
+ char *af = ""; /* AF */ /* ansi foreground */
+ int i;
+
+ /* clear all color strings */
+ for ( i = 0; i < 8; i++ )
+ colortab[i][0] = '\0';
+
+ if ( term == NULL || *term == '\0' ||
+ strcmp (term, "none") == 0 || strcmp (term, "dumb") == 0 )
+ return 0;
+
+ if ( strcmp (term, "html") == 0 || strcmp (term, "HTML") == 0 )
+ {
+ bold_on = "<B>";
+ bold_off = "</B>";
+ italic_on = "<I>";
+ italic_off = "</I>";
+ af = "";
+ maxcolor = 8;
+ snprintf (colortab[TC_BLACK], sizeof colortab[0], "<font color=black>");
+ snprintf (colortab[TC_BLUE], sizeof colortab[0], "<font color=blue>");
+ snprintf (colortab[TC_GREEN], sizeof colortab[0], "<font color=green>");
+ snprintf (colortab[TC_CYAN], sizeof colortab[0], "<font color=cyan>");
+ snprintf (colortab[TC_RED], sizeof colortab[0], "<font color=red>");
+ snprintf (colortab[TC_MAGENTA], sizeof colortab[0], "<font color=magenta>");
+ snprintf (colortab[TC_YELLOW], sizeof colortab[0], "<font color=yellow>");
+ snprintf (colortab[TC_WHITE], sizeof colortab[0], "<font color=white>");
+ html = 1;
+ return 0;
+ }
+#if 0
+ if ( !istty (fp) )
+ return 0;
+#endif
+ switch ( tgetent (buf, term) )
+ {
+ case -1: perror ("termcap file");
+ return -1;
+ case 0: fprintf (stderr, "unknown terminal %s\n", term);
+ return -1;
+ }
+
+ if ( !(is1 = tgetstr ("is1", &ap)) )
+ is1 = "";
+ if ( !(is2 = tgetstr ("is2", &ap)) )
+ is2 = "";
+ if ( !(r1 = tgetstr ("r1", &ap)) )
+ r1 = "";
+ if ( !(r2 = tgetstr ("r2", &ap)) )
+ r2 = "";
+
+ /* if bold is not present */
+ if ( !(bold_on = tgetstr ("md", &ap)) )
+ /* use standout mode */
+ if ( !(bold_on = tgetstr ("so", &ap)) )
+ bold_on = bold_off = "";
+ else
+ bold_off = tgetstr ("se", &ap);
+ else
+ bold_off = tgetstr ("me", &ap);
+
+ /* if italic not present */
+ if ( !(italic_on = tgetstr ("ZH", &ap)) )
+ /* use underline mode */
+ if ( !(italic_on = tgetstr ("us", &ap)) )
+ italic_on = italic_off = "";
+ else
+ italic_off = tgetstr ("ue", &ap);
+ else
+ italic_off = tgetstr ("ZR", &ap);
+
+ maxcolor = tgetnum ("Co");
+ if ( maxcolor < 0 ) /* no colors ? */
+ return 0;
+ if ( maxcolor > 8 )
+ maxcolor = 8;
+
+ if ( (af = tgetstr ("AF", &ap)) ) /* set ansi color foreground */
+ {
+ for ( i = 0; i < maxcolor; i++ )
+ snprintf (colortab[i], sizeof colortab[0], "%s", tparm (af, i));
+ }
+ else if ( (af = tgetstr ("Sf", &ap)) ) /* or set color foreground */
+ {
+ snprintf (colortab[TC_BLACK], sizeof colortab[0], "%s", tparm (af, 0));
+ snprintf (colortab[TC_BLUE], sizeof colortab[0], "%s", tparm (af, 1));
+ snprintf (colortab[TC_GREEN], sizeof colortab[0], "%s", tparm (af, 2));
+ snprintf (colortab[TC_CYAN], sizeof colortab[0], "%s", tparm (af, 3));
+ snprintf (colortab[TC_RED], sizeof colortab[0], "%s", tparm (af, 4));
+ snprintf (colortab[TC_MAGENTA], sizeof colortab[0], "%s", tparm (af, 5));
+ snprintf (colortab[TC_YELLOW], sizeof colortab[0], "%s", tparm (af, 6));
+ snprintf (colortab[TC_WHITE], sizeof colortab[0], "%s", tparm (af, 7));
+ }
+
+#if 0
+ if ( is1 && *is1 )
+ tc_printattr (fp, is1);
+ if ( is2 && *is2 )
+ tc_printattr (fp, is2);
+#endif
+
+ return 0;
+}
+#else
+int tc_init (FILE *fp, const char *term)
+{
+ int i;
+
+ is1 = "";
+ is2 = "";
+ r1 = "";
+ r2 = "";
+ bold_on = "";
+ bold_off = "";
+ italic_on = "";
+ italic_off = "";
+ for ( i = 0; i < 8; i++ )
+ colortab[i][0] = '\0';
+ maxcolor = 0;
+ html = 0;
+
+ return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int tc_end (FILE *fp, const char *term)
+{
+#if 0
+ if ( term )
+ {
+// if ( r1 && *r1 ) tc_printattr (fp, r1);
+ if ( r2 && *r2 )
+ tc_printattr (fp, r2);
+ }
+#endif
+ return 0;
+}
+#else
+int tc_end (FILE *fp, const char *term)
+{
+ return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int tc_attr (FILE *fp, tc_att_t attr, int on)
+{
+ int len;
+
+ len = 0;
+ if ( on ) /* turn attributes on ? */
+ {
+ if ( (attr & TC_BOLD) == TC_BOLD )
+ len += tc_printattr (fp, bold_on);
+ if ( (attr & TC_ITALIC) == TC_ITALIC )
+ len += tc_printattr (fp, italic_on);
+
+ if ( attr & 0xFF )
+ len += tc_color (fp, attr & 0xFF);
+ }
+ else /* turn attributes off */
+ {
+ if ( html )
+ len += fprintf (fp, "</font>");
+ else
+ len += tc_color (fp, TC_BLACK);
+
+ if ( (attr & TC_ITALIC) == TC_ITALIC )
+ len += tc_printattr (fp, italic_off);
+ if ( !html || (attr & TC_BOLD) == TC_BOLD )
+ len += tc_printattr (fp, bold_off);
+ }
+
+ return len;
+}
+#else
+int tc_attr (FILE *fp, tc_att_t attr, int on)
+{
+ return 0;
+}
+#endif
+
+/*****************************************************************
+** internal functions
+*****************************************************************/
+static FILE *tc_outfp;
+static int put (int c)
+{
+ return putc (c, tc_outfp);
+}
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+static int tc_printattr (FILE *fp, const char *attstr)
+{
+ tc_outfp = fp;
+ return tputs (attstr, 0, put);
+}
+#else
+static int tc_printattr (FILE *fp, const char *attstr)
+{
+ return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+static int tc_color (FILE *fp, int color)
+{
+ tc_outfp = fp;
+
+ if ( color < 0 || color >= maxcolor )
+ return 0;
+ return tputs (colortab[color], 0, put);
+}
+#else
+static int tc_color (FILE *fp, int color)
+{
+ return 0;
+}
+#endif
+
+
+#ifdef TEST
+static const char *progname;
+/*****************************************************************
+** test main()
+*****************************************************************/
+main (int argc, const char *argv[])
+{
+ extern char *getenv ();
+ char *term = getenv ("TERM");
+ int i;
+ const char *text;
+
+ progname = *argv;
+
+ tc_init (stdout, term);
+
+ // printattr (is); /* Initialisierungsstring ausgeben */
+
+ text = "Test";
+ if ( argc > 1 )
+ text = *++argv;
+
+ tc_attr (stdout, TC_BOLD, 1);
+ printf ("Bold Headline\n");
+ tc_attr (stdout, TC_BOLD, 0);
+ for ( i = 0; i < 8; i++ )
+ {
+ tc_attr (stdout, i, 1);
+ printf ("%s", text);
+ tc_attr (stdout, i, 0);
+
+#if 0
+ tc_attr (stdout, (i | TC_BOLD), 1);
+ printf ("\t%s", text);
+ tc_attr (stdout, (i | TC_BOLD), 0);
+
+ tc_attr (stdout, (i | TC_ITALIC), 1);
+ printf ("\t%s", text);
+ tc_attr (stdout, (i | TC_ITALIC), 0);
+
+ tc_attr (stdout, (i | TC_BOLD | TC_ITALIC), 1);
+ printf ("\t%s", text);
+ tc_attr (stdout, (i | TC_BOLD | TC_ITALIC), 0);
+#endif
+ printf ("\n");
+ }
+ printf ("now back to black\n");
+
+ // printattr (r2); /* Zuruecksetzen */
+
+ return (0);
+}
+#endif
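Review bot: In tc_init the capability strings fetched for "me", "se", "ue" and "ZR" are stored unguarded, so a terminal that lacks one leaves bold_off or italic_off NULL and tc_attr later hands that NULL to tputs through tc_printattr; the is1/is2/r1/r2 lookups just above already use the safe pattern, e.g. `if ( !(bold_off = tgetstr ("me", &ap)) ) bold_off = "";`, and the same guard belongs on the other three. tc_attr's off path also emits `</font>` (or a reset to TC_BLACK) even when the on path set no color — TC_BOLD alone, or TC_BLACK whose value 0 fails the `attr & 0xFF` test — which yields unbalanced tags in html mode; gating that branch on `attr & 0xFF` keeps both paths symmetric. Separately, every tgetstr call copies into the fixed `area[1024]` with no check of remaining space, so an unusually long terminfo entry can run past it; with ncurses, passing a NULL area makes tgetstr return its own copy instead, or the bytes consumed can be tracked against sizeof area. Finally, a non-html term never clears `html`, so a second tc_init after an html one keeps emitting HTML tags; `html = 0;` next to the colortab clearing at the top of tc_init fixes that.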
--- /dev/null
+/*****************************************************************
+**
+** tcap.h -- termcap color capabilities
+**
+** (c) Mar 2010 by hoz
+**
+*****************************************************************/
+
+#ifndef TCAP_H
+# define TCAP_H
+
+typedef enum {
+ TC_BLACK = 0,
+ TC_RED,
+ TC_GREEN,
+ TC_YELLOW,
+ TC_BLUE,
+ TC_MAGENTA,
+ TC_CYAN,
+ TC_WHITE,
+
+ TC_BOLD = 0x100,
+ TC_ITALIC = 0x200
+} tc_att_t;
+
+extern int tc_init (FILE *fp, const char *term);
+extern int tc_end (FILE *fp, const char *term);
+extern int tc_attr (FILE *fp, tc_att_t attr, int on);
+#endif
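Review bot: tcap.h uses `FILE *` in its three prototypes but does not include `<stdio.h>`, so the header is not self-contained and only compiles when the includer pulls stdio in first (tcap.c happens to, via its own includes). Adding `#include <stdio.h>` inside the guard fixes that. The enum also gives TC_BLACK the value 0, which tc_attr cannot distinguish from "no color requested" on its `attr & 0xFF` test; a comment such as `/* TC_BLACK is 0 and therefore never emitted by tc_attr(); it only serves as the reset color */` would document that limitation where callers will look for it.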
** Most of the code is from the SixXS Heartbeat Client
** written by Jeroen Massar <jeroen@sixxs.net>
**
-** New config types and some slightly code changes by Holger Zuleger
+** New config types and many code changes by Holger Zuleger
**
-** Copyright (c) Aug 2005, Jeroen Massar, Holger Zuleger.
+** Copyright (c) Aug 2005, Jeroen Massar.
+** Copyright (c) Aug 2005 - Apr 2010, Holger Zuleger.
** All rights reserved.
**
** This software is open source.
strcasecmp (val, "true") == 0 )
# define ISCOMMENT(cp) (*(cp) == '#' || *(cp) == ';' || \
(*(cp) == '/' && *((cp)+1) == '/') )
-# define ISDELIM(c) ( isspace (c) || (c) == ':' || (c) == '=' )
+# define ISDELIM(c) (isspace (c) || (c) == ':' || (c) == '=')
+# define cmdln (0)
+# define first (1)
+# define last (0x7FFF)
+
+# define iscmdline(x) ((x)->used_since == cmdln)
+# define iscompatible(x) ((x)->used_since != cmdln && compversion >= (x)->used_since && \
+ ((x)->used_till == 1 || (compversion <= (x)->used_till)))
+
typedef enum {
CONF_END = 0,
CONF_STRING,
CONF_SERIAL,
CONF_FACILITY,
CONF_LEVEL,
+ CONF_NSEC3,
CONF_COMMENT,
+ CONF_VERSION,
} ctype_t;
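Review bot: The new iscompatible macro short-circuits on `(x)->used_till == 1`, while the sentinel for an open-ended range defined two lines above is `last` (0x7FFF); this looks like a typo for `(x)->used_till == last`, and as written any parameter whose used_till is 1 would be reported compatible with every version. The confpara entries that fill used_till are outside this hunk, so I cannot confirm from here whether such an entry exists. Since `compversion <= last` holds for any realistic version anyway, the `(x)->used_till == ... ||` clause could also simply be dropped, leaving `compversion <= (x)->used_till` as the only upper-bound test.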
/*****************************************************************
** private (static) variables
*****************************************************************/
+static int compversion;
+
static zconf_t def = {
ZONEDIR, RECURSIVE,
- PRINTTIME, PRINTAGE, LJUST,
- SIG_VALIDITY, MAX_TTL, KEY_TTL, PROPTIME, Incremental,
+ PRINTTIME, PRINTAGE, LJUST, LSCOLORTERM,
+ SIG_VALIDITY, MAX_TTL, KEY_TTL, PROPTIME, Unixtime,
RESIGN_INT,
KEY_ALGO, ADDITIONAL_KEY_ALGO,
KSK_LIFETIME, KSK_BITS, KSK_RANDOM,
ZSK_LIFETIME, ZSK_BITS, ZSK_RANDOM,
- SALTLEN,
+ NSEC3_OFF, SALTLEN,
NULL, /* viewname cmdline parameter */
0, /* noexec cmdline parameter */
- LOGFILE, LOGLEVEL, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0,
+ LOGFILE, LOGLEVEL, LOGDOMAINDIR, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0,
DNSKEYFILE, ZONEFILE, KEYSETDIR,
LOOKASIDEDOMAIN,
- SIG_RANDOM, SIG_PSEUDO, SIG_GENDS, SIG_PARAM,
+ SIG_RANDOM, SIG_PSEUDO, SIG_GENDS, SIG_DNSKEY_KSK, SIG_PARAM,
DIST_CMD, /* defaults to NULL which means to run "rndc reload" */
NAMED_CHROOT
};
typedef struct {
char *label; /* the name of the paramter */
- int cmdline; /* is this a command line parameter ? */
+ short used_since; /* compability (from version; 0 == command line) */
+ short used_till; /* compability (to version) */
ctype_t type; /* the parameter type */
void *var; /* pointer to the parameter variable */
+ const void *var2; /* pointer to a second parameter variable */
+ /* this is a ugly hack needed by cmpconfig () */
} zconf_para_t;
static zconf_para_t confpara[] = {
- { "", 0, CONF_COMMENT, ""},
- { "", 0, CONF_COMMENT, "\t@(#) dnssec.conf " ZKT_VERSION },
- { "", 0, CONF_COMMENT, ""},
- { "", 0, CONF_COMMENT, NULL },
-
- { "", 0, CONF_COMMENT, "dnssec-zkt options" },
- { "Zonedir", 0, CONF_STRING, &def.zonedir },
- { "Recursive", 0, CONF_BOOL, &def.recursive },
- { "PrintTime", 0, CONF_BOOL, &def.printtime },
- { "PrintAge", 0, CONF_BOOL, &def.printage },
- { "LeftJustify", 0, CONF_BOOL, &def.ljust },
-
- { "", 0, CONF_COMMENT, NULL },
- { "", 0, CONF_COMMENT, "zone specific values" },
- { "ResignInterval", 0, CONF_TIMEINT, &def.resign },
- { "Sigvalidity", 0, CONF_TIMEINT, &def.sigvalidity },
- { "Max_TTL", 0, CONF_TIMEINT, &def.max_ttl },
- { "Propagation", 0, CONF_TIMEINT, &def.proptime },
- { "KEY_TTL", 0, CONF_TIMEINT, &def.key_ttl },
+ { "", first, last, CONF_COMMENT, ""},
+ { "", first, last, CONF_COMMENT, "\t@(#) dnssec.conf "},
+ { "", first, last, CONF_VERSION, "" },
+ { "", first, last, CONF_COMMENT, ""},
+ { "", first, last, CONF_COMMENT, NULL },
+
+ { "", first, 99, CONF_COMMENT, "dnssec-zkt options" },
+ { "", 100, last, CONF_COMMENT, "zkt-ls options" },
+ { "ZoneDir", first, last, CONF_STRING, &def.zonedir },
+ { "Recursive", first, last, CONF_BOOL, &def.recursive },
+ { "PrintTime", first, last, CONF_BOOL, &def.printtime },
+ { "PrintAge", first, last, CONF_BOOL, &def.printage },
+ { "LeftJustify", first, last, CONF_BOOL, &def.ljust },
+ { "lsColor", 100, last, CONF_STRING, &def.colorterm },
+
+ { "", first, last, CONF_COMMENT, NULL },
+ { "", first, last, CONF_COMMENT, "zone specific values" },
+ { "ResignInterval", first, last, CONF_TIMEINT, &def.resign },
+ { "SigValidity", first, last, CONF_TIMEINT, &def.sigvalidity },
+ { "Max_TTL", first, 100, CONF_TIMEINT, &def.max_ttl },
+ { "MaximumTTL", 101, last, CONF_TIMEINT, &def.max_ttl },
+ { "Propagation", first, last, CONF_TIMEINT, &def.proptime },
+ { "Key_TTL", 90, 100, CONF_TIMEINT, &def.key_ttl },
+ { "DnsKeyTTL", 101, last, CONF_TIMEINT, &def.key_ttl },
#if defined (DEF_TTL)
- { "def_ttl", 0, CONF_TIMEINT, &def.def_ttl },
+ { "def_ttl", first, last, CONF_TIMEINT, &def.def_ttl },
#endif
- { "Serialformat", 0, CONF_SERIAL, &def.serialform },
-
- { "", 0, CONF_COMMENT, NULL },
- { "", 0, CONF_COMMENT, "signing key parameters"},
- { "Key_algo", 0, CONF_ALGO, &def.k_algo }, /* now used as general KEY algoritjm (KSK & ZSK) */
- { "AddKey_algo", 0, CONF_ALGO, &def.k2_algo }, /* second key algorithm added (v0.99) */
- { "KSK_lifetime", 0, CONF_TIMEINT, &def.k_life },
- { "KSK_algo", 1, CONF_ALGO, &def.k_algo }, /* old KSK value changed to key algorithm */
- { "KSK_bits", 0, CONF_INT, &def.k_bits },
- { "KSK_randfile", 0, CONF_STRING, &def.k_random },
- { "ZSK_lifetime", 0, CONF_TIMEINT, &def.z_life },
- /* { "ZSK_algo", 1, CONF_ALGO, &def.z_algo }, ZSK algo removed (set to same as ksk) */
- { "ZSK_algo", 1, CONF_ALGO, &def.k2_algo }, /* if someone using it already, map the algo to the additional key algorithm */
- { "ZSK_bits", 0, CONF_INT, &def.z_bits },
- { "ZSK_randfile", 0, CONF_STRING, &def.z_random },
- { "SaltBits", 0, CONF_INT, &def.saltbits },
-
- { "", 0, CONF_COMMENT, NULL },
- { "", 0, CONF_COMMENT, "dnssec-signer options"},
- { "--view", 1, CONF_STRING, &def.view },
- { "--noexec", 1, CONF_BOOL, &def.noexec },
- { "LogFile", 0, CONF_STRING, &def.logfile },
- { "LogLevel", 0, CONF_LEVEL, &def.loglevel },
- { "SyslogFacility", 0, CONF_FACILITY, &def.syslogfacility },
- { "SyslogLevel", 0, CONF_LEVEL, &def.sysloglevel },
- { "VerboseLog", 0, CONF_INT, &def.verboselog },
- { "-v", 1, CONF_INT, &def.verbosity },
- { "Keyfile", 0, CONF_STRING, &def.keyfile },
- { "Zonefile", 0, CONF_STRING, &def.zonefile },
- { "KeySetDir", 0, CONF_STRING, &def.keysetdir },
- { "DLV_Domain", 0, CONF_STRING, &def.lookaside },
- { "Sig_Randfile", 0, CONF_STRING, &def.sig_random },
- { "Sig_Pseudorand", 0, CONF_BOOL, &def.sig_pseudo },
- { "Sig_GenerateDS", 0, CONF_BOOL, &def.sig_gends },
- { "Sig_Parameter", 0, CONF_STRING, &def.sig_param },
- { "Distribute_Cmd", 0, CONF_STRING, &def.dist_cmd },
- { "NamedChrootDir", 0, CONF_STRING, &def.chroot_dir },
-
- { NULL, 0, CONF_END, NULL},
+ { "SerialFormat", 92, last, CONF_SERIAL, &def.serialform },
+
+ { "", first, last, CONF_COMMENT, NULL },
+ { "", first, last, CONF_COMMENT, "signing key parameters"},
+ { "Key_Algo", 99, 100, CONF_ALGO, &def.k_algo }, /* now used as general KEY algoritjm (KSK & ZSK) */
+ { "KeyAlgo", 101, last, CONF_ALGO, &def.k_algo }, /* now used as general KEY algoritjm (KSK & ZSK) */
+ { "AddKey_Algo", 99, 100, CONF_ALGO, &def.k2_algo }, /* second key algorithm added (v0.99) */
+ { "AddKeyAlgo", 101, last, CONF_ALGO, &def.k2_algo }, /* second key algorithm added (v0.99) */
+ { "KSK_lifetime", first, 100, CONF_TIMEINT, &def.k_life },
+ { "KSKlifetime", 101, last, CONF_TIMEINT, &def.k_life },
+ { "KSK_algo", first, 98, CONF_ALGO, &def.k_algo }, /* old KSK value changed to key algorithm */
+ { "KSK_bits", first, 100, CONF_INT, &def.k_bits },
+ { "KSKbits", 101, last, CONF_INT, &def.k_bits },
+ { "KSK_randfile", first, 100, CONF_STRING, &def.k_random },
+ { "KSKrandfile", 101, last, CONF_STRING, &def.k_random },
+ { "ZSK_lifetime", first, 100, CONF_TIMEINT, &def.z_life },
+ { "ZSKlifetime", 101, last, CONF_TIMEINT, &def.z_life },
+ /* { "ZSK_algo", 1, CONF_ALGO, &def.z_algo }, ZSK algo removed (set to same as ksk) */
+ { "ZSK_algo", first, 98, CONF_ALGO, &def.k2_algo }, /* if someone using it already, map the algo to the additional key algorithm */
+ { "ZSK_bits", first, 100, CONF_INT, &def.z_bits },
+ { "ZSKbits", 101, last, CONF_INT, &def.z_bits },
+ { "ZSK_randfile", first, 100, CONF_STRING, &def.z_random },
+ { "ZSKrandfile", 101, last, CONF_STRING, &def.z_random },
+ { "NSEC3", 100, last, CONF_NSEC3, &def.nsec3 },
+ { "SaltBits", 98, last, CONF_INT, &def.saltbits },
+
+ { "", first, last, CONF_COMMENT, NULL },
+ { "", first, 99, CONF_COMMENT, "dnssec-signer options"},
+ { "", 100, last, CONF_COMMENT, "zkt-signer options"},
+ { "--view", cmdln, last, CONF_STRING, &def.view },
+ { "--noexec", cmdln, last, CONF_BOOL, &def.noexec },
+ { "LogFile", 96, last, CONF_STRING, &def.logfile },
+ { "LogLevel", 96, last, CONF_LEVEL, &def.loglevel },
+ { "LogDomainDir", 96, last, CONF_STRING, &def.logdomaindir },
+ { "SyslogFacility", 96, last, CONF_FACILITY, &def.syslogfacility },
+ { "SyslogLevel", 96, last, CONF_LEVEL, &def.sysloglevel },
+ { "VerboseLog", 96, last, CONF_INT, &def.verboselog },
+ { "-v", cmdln, last, CONF_INT, &def.verbosity },
+ { "KeyFile", first, last, CONF_STRING, &def.keyfile },
+ { "ZoneFile", first, last, CONF_STRING, &def.zonefile },
+ { "KeySetDir", first, last, CONF_STRING, &def.keysetdir },
+ { "DLV_Domain", first, 100, CONF_STRING, &def.lookaside },
+ { "DLVdomain", 101, last, CONF_STRING, &def.lookaside },
+ { "Sig_Randfile", first, 100, CONF_STRING, &def.sig_random },
+ { "SigRandfile", 101, last, CONF_STRING, &def.sig_random },
+ { "Sig_Pseudorand", first, 100, CONF_BOOL, &def.sig_pseudo },
+ { "SigPseudorand", 101, last, CONF_BOOL, &def.sig_pseudo },
+ { "Sig_GenerateDS", first, 100, CONF_BOOL, &def.sig_gends },
+ { "SigGenerateDS", 101, last, CONF_BOOL, &def.sig_gends },
+ { "Sig_DnsKeyKSK", 99, 100, CONF_BOOL, &def.sig_dnskeyksk },
+ { "SigDnsKeyKSK", 101, last, CONF_BOOL, &def.sig_dnskeyksk },
+ { "Sig_Parameter", first, 100, CONF_STRING, &def.sig_param },
+ { "SigParameter", 101, last, CONF_STRING, &def.sig_param },
+ { "Distribute_Cmd", 97, 100, CONF_STRING, &def.dist_cmd },
+ { "DistributeCmd", 101, last, CONF_STRING, &def.dist_cmd },
+ { "NamedChrootDir", 99, last, CONF_STRING, &def.chroot_dir },
+
+ { NULL, 0, 0, CONF_END, NULL},
};
/*****************************************************************
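Review bot: The `def` initializer near the top of this hunk silently changes the builtin default serial format from `Incremental` to `Unixtime`, which affects every installation that never set SerialFormat explicitly; how zkt behaves for a zone whose current serial already exceeds the epoch time is not visible here and should be confirmed before shipping that default. If intended, mark it on the line itself, e.g. `Unixtime, /* default serial format; was Incremental before 1.0 */`. The commented-out `ZSK_algo` entry further down still shows the old four-field layout and should be removed rather than left to drift.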
return val ? "True" : "False";
}
-static const char *timeint2str (ulong val)
-{
- static char str[20+1];
-
- if ( val == 0 )
- snprintf (str, sizeof (str), "%lu", val / YEARSEC);
- else if ( val % YEARSEC == 0 )
- snprintf (str, sizeof (str), "%luy", val / YEARSEC);
- else if ( val % WEEKSEC == 0 )
- snprintf (str, sizeof (str), "%luw", val / WEEKSEC);
- else if ( val % DAYSEC == 0 )
- snprintf (str, sizeof (str), "%lud", val / DAYSEC);
- else if ( val % HOURSEC == 0 )
- snprintf (str, sizeof (str), "%luh", val / HOURSEC);
- else if ( val % MINSEC == 0 )
- snprintf (str, sizeof (str), "%lum", val / MINSEC);
- else
- snprintf (str, sizeof (str), "%lus", val);
-
- return str;
-}
-
-static int set_varptr (char *entry, void *ptr)
+static int set_varptr (char *entry, void *ptr, const void *ptr2)
{
zconf_para_t *c;
if ( strcasecmp (entry, c->label) == 0 )
{
c->var = ptr;
+ c->var2 = ptr2;
return 1;
}
return 0;
}
-static void set_all_varptr (zconf_t *cp)
+static void set_all_varptr (zconf_t *cp, const zconf_t *cp2)
{
- set_varptr ("zonedir", &cp->zonedir);
- set_varptr ("recursive", &cp->recursive);
- set_varptr ("printage", &cp->printage);
- set_varptr ("printtime", &cp->printtime);
- set_varptr ("leftjustify", &cp->ljust);
-
- set_varptr ("resigninterval", &cp->resign);
- set_varptr ("sigvalidity", &cp->sigvalidity);
- set_varptr ("max_ttl", &cp->max_ttl);
- set_varptr ("key_ttl", &cp->key_ttl);
- set_varptr ("propagation", &cp->proptime);
+ set_varptr ("zonedir", &cp->zonedir, cp2 ? &cp2->zonedir: NULL);
+ set_varptr ("recursive", &cp->recursive, cp2 ? &cp2->recursive: NULL);
+ set_varptr ("printage", &cp->printage, cp2 ? &cp2->printage: NULL);
+ set_varptr ("printtime", &cp->printtime, cp2 ? &cp2->printtime: NULL);
+ set_varptr ("leftjustify", &cp->ljust, cp2 ? &cp2->ljust: NULL);
+ set_varptr ("lscolor", &cp->colorterm, cp2 ? &cp2->colorterm: NULL);
+
+ set_varptr ("resigninterval", &cp->resign, cp2 ? &cp2->resign: NULL);
+ set_varptr ("sigvalidity", &cp->sigvalidity, cp2 ? &cp2->sigvalidity: NULL);
+ set_varptr ("max_ttl", &cp->max_ttl, cp2 ? &cp2->max_ttl: NULL);
+ set_varptr ("key_ttl", &cp->key_ttl, cp2 ? &cp2->key_ttl: NULL);
+ set_varptr ("propagation", &cp->proptime, cp2 ? &cp2->proptime: NULL);
#if defined (DEF_TTL)
- set_varptr ("def_ttl", &cp->def_ttl);
+ set_varptr ("def_ttl", &cp->def_ttl, cp2 ? &cp2->def_ttl: NULLl);
#endif
- set_varptr ("serialformat", &cp->serialform);
-
- set_varptr ("key_algo", &cp->k_algo);
- set_varptr ("addkey_algo", &cp->k2_algo);
- set_varptr ("ksk_lifetime", &cp->k_life);
- set_varptr ("ksk_algo", &cp->k_algo); /* to be removed in next release */
- set_varptr ("ksk_bits", &cp->k_bits);
- set_varptr ("ksk_randfile", &cp->k_random);
-
- set_varptr ("zsk_lifetime", &cp->z_life);
- // set_varptr ("zsk_algo", &cp->z_algo);
- set_varptr ("zsk_algo", &cp->k2_algo);
- set_varptr ("zsk_bits", &cp->z_bits);
- set_varptr ("zsk_randfile", &cp->z_random);
- set_varptr ("saltbits", &cp->saltbits);
-
- set_varptr ("--view", &cp->view);
- set_varptr ("--noexec", &cp->noexec);
- set_varptr ("logfile", &cp->logfile);
- set_varptr ("loglevel", &cp->loglevel);
- set_varptr ("syslogfacility", &cp->syslogfacility);
- set_varptr ("sysloglevel", &cp->sysloglevel);
- set_varptr ("verboselog", &cp->verboselog);
- set_varptr ("-v", &cp->verbosity);
- set_varptr ("keyfile", &cp->keyfile);
- set_varptr ("zonefile", &cp->zonefile);
- set_varptr ("keysetdir", &cp->keysetdir);
- set_varptr ("dlv_domain", &cp->lookaside);
- set_varptr ("sig_randfile", &cp->sig_random);
- set_varptr ("sig_pseudorand", &cp->sig_pseudo);
- set_varptr ("sig_generateds", &cp->sig_gends);
- set_varptr ("sig_parameter", &cp->sig_param);
- set_varptr ("distribute_cmd", &cp->dist_cmd);
- set_varptr ("namedchrootdir", &cp->chroot_dir);
+ set_varptr ("serialformat", &cp->serialform, cp2 ? &cp2->serialform: NULL);
+
+ set_varptr ("key_algo", &cp->k_algo, cp2 ? &cp2->k_algo: NULL);
+ set_varptr ("addkey_algo", &cp->k2_algo, cp2 ? &cp2->k2_algo: NULL);
+ set_varptr ("ksk_lifetime", &cp->k_life, cp2 ? &cp2->k_life: NULL);
+ set_varptr ("ksk_algo", &cp->k_algo, cp2 ? &cp2->k_algo: NULL); /* used only in compability mode */
+ set_varptr ("ksk_bits", &cp->k_bits, cp2 ? &cp2->k_bits: NULL);
+ set_varptr ("ksk_randfile", &cp->k_random, cp2 ? &cp2->k_random: NULL);
+
+ set_varptr ("zsk_lifetime", &cp->z_life, cp2 ? &cp2->z_life: NULL);
+ // set_varptr ("zsk_algo", &cp->z_algo, cp2 ? &cp2->z_algo: NULL);
+ set_varptr ("zsk_algo", &cp->k2_algo, cp2 ? &cp2->k2_algo: NULL);
+ set_varptr ("zsk_bits", &cp->z_bits, cp2 ? &cp2->z_bits: NULL);
+ set_varptr ("zsk_randfile", &cp->z_random, cp2 ? &cp2->z_random: NULL);
+ set_varptr ("nsec3", &cp->nsec3, cp2 ? &cp2->nsec3: NULL);
+ set_varptr ("saltbits", &cp->saltbits, cp2 ? &cp2->saltbits: NULL);
+
+ set_varptr ("--view", &cp->view, cp2 ? &cp2->view: NULL);
+ set_varptr ("--noexec", &cp->noexec, cp2 ? &cp2->noexec: NULL);
+ set_varptr ("logfile", &cp->logfile, cp2 ? &cp2->logfile: NULL);
+ set_varptr ("loglevel", &cp->loglevel, cp2 ? &cp2->loglevel: NULL);
+ set_varptr ("logdomaindir", &cp->logdomaindir, cp2 ? &cp2->logdomaindir: NULL);
+ set_varptr ("syslogfacility", &cp->syslogfacility, cp2 ? &cp2->syslogfacility: NULL);
+ set_varptr ("sysloglevel", &cp->sysloglevel, cp2 ? &cp2->sysloglevel: NULL);
+ set_varptr ("verboselog", &cp->verboselog, cp2 ? &cp2->verboselog: NULL);
+ set_varptr ("-v", &cp->verbosity, cp2 ? &cp2->verbosity: NULL);
+ set_varptr ("keyfile", &cp->keyfile, cp2 ? &cp2->keyfile: NULL);
+ set_varptr ("zonefile", &cp->zonefile, cp2 ? &cp2->zonefile: NULL);
+ set_varptr ("keysetdir", &cp->keysetdir, cp2 ? &cp2->keysetdir: NULL);
+ set_varptr ("dlv_domain", &cp->lookaside, cp2 ? &cp2->lookaside: NULL);
+ set_varptr ("sig_randfile", &cp->sig_random, cp2 ? &cp2->sig_random: NULL);
+ set_varptr ("sig_pseudorand", &cp->sig_pseudo, cp2 ? &cp2->sig_pseudo: NULL);
+ set_varptr ("sig_generateds", &cp->sig_gends, cp2 ? &cp2->sig_gends: NULL);
+ set_varptr ("sig_dnskeyksk", &cp->sig_dnskeyksk, cp2 ? &cp2->sig_dnskeyksk: NULL);
+ set_varptr ("sig_parameter", &cp->sig_param, cp2 ? &cp2->sig_param: NULL);
+ set_varptr ("distribute_cmd", &cp->dist_cmd, cp2 ? &cp2->dist_cmd: NULL);
+ set_varptr ("namedchrootdir", &cp->chroot_dir, cp2 ? &cp2->chroot_dir: NULL);
}
static void parseconfigline (char *buf, unsigned int line, zconf_t *z)
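Review bot: The `def_ttl` call inside `#if defined (DEF_TTL)` passes `NULLl` (trailing lowercase L) as its third argument, which does not compile whenever DEF_TTL is defined; it goes unnoticed only because the block is normally preprocessed away. Change it to `set_varptr ("def_ttl", &cp->def_ttl, cp2 ? &cp2->def_ttl: NULL);`. The forty copies of `cp2 ? &cp2->field: NULL` would also be clearer and less error-prone behind a local helper such as `# define SETVAR(name, field) set_varptr (name, &cp->field, cp2 ? &cp2->field : NULL)`.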
*p++ = '\0'; /* Terminate this argument */
dbg_val1 ("Parsing \"%s\"\n", tag);
-
while ( p < end && ISDELIM (*p) ) /* Skip delim chars */
p++;
}
/* Otherwise it is already terminated above */
-
found = 0;
c = confpara;
while ( !found && c->type != CONF_END )
found = 1;
switch ( c->type )
{
+ case CONF_VERSION:
+ break;
case CONF_LEVEL:
case CONF_FACILITY:
case CONF_STRING:
break;
case CONF_TIMEINT:
quantity = 'd';
- sscanf (val, "%ld%c", &lval, &quantity);
+ if ( *val == 'u' || *val == 'U' )
+ lval = 0L;
+ else
+ sscanf (val, "%ld%c", &lval, &quantity);
if ( quantity == 'm' )
lval *= MINSEC;
else if ( quantity == 'h' )
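Review bot: The new `else` branch still ignores the return value of `sscanf`, so a value like `Max_TTL: abc` leaves `lval` with whatever it held before (its declaration is outside this hunk) and stores that as a valid interval with no diagnostic, whereas the other types in this switch call `error()` on bad input. Check it: `else if ( sscanf (val, "%ld%c", &lval, &quantity) < 1 ) error ("Illegal time interval \"%s\" in line %d.\n", val, line);`. The `*val == 'u'` test also treats any word starting with u as "unset"; `strncasecmp (val, "unset", 5) == 0` is more precise. The enclosing parseconfigline() starts and ends outside this hunk.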
(*(long *)c->var) = lval;
break;
case CONF_ALGO:
- if ( strcasecmp (val, "rsa") == 0 || strcasecmp (val, "rsamd5") == 0 )
+ if ( strcmp (val, "1") == 0 || strcasecmp (val, "rsa") == 0 ||
+ strcasecmp (val, "rsamd5") == 0 )
*((int *)c->var) = DK_ALGO_RSA;
- else if ( strcasecmp (val, "dsa") == 0 )
+ else if ( strcmp (val, "3") == 0 ||
+ strcasecmp (val, "dsa") == 0 )
*((int *)c->var) = DK_ALGO_DSA;
- else if ( strcasecmp (val, "rsasha1") == 0 )
+ else if ( strcmp (val, "5") == 0 ||
+ strcasecmp (val, "rsasha1") == 0 )
*((int *)c->var) = DK_ALGO_RSASHA1;
- else if ( strcasecmp (val, "nsec3dsa") == 0 ||
+ else if ( strcmp (val, "6") == 0 ||
+ strcasecmp (val, "nsec3dsa") == 0 ||
strcasecmp (val, "n3dsa") == 0 )
*((int *)c->var) = DK_ALGO_NSEC3DSA;
- else if ( strcasecmp (val, "nsec3rsasha1") == 0 ||
+ else if ( strcmp (val, "7") == 0 ||
+ strcasecmp (val, "nsec3rsasha1") == 0 ||
strcasecmp (val, "n3rsasha1") == 0 )
*((int *)c->var) = DK_ALGO_NSEC3RSASHA1;
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+ else if ( strcmp (val, "8") == 0 ||
+ strcasecmp (val, "rsasha2") == 0 ||
+ strcasecmp (val, "rsasha256") == 0 ||
+ strcasecmp (val, "nsec3rsasha2") == 0 ||
+ strcasecmp (val, "n3rsasha2") == 0 ||
+ strcasecmp (val, "nsec3rsasha256") == 0 ||
+ strcasecmp (val, "n3rsasha256") == 0 )
+ *((int *)c->var) = DK_ALGO_RSASHA256;
+ else if ( strcmp (val, "10") == 0 ||
+ strcasecmp (val, "rsasha5") == 0 ||
+ strcasecmp (val, "rsasha212") == 0 ||
+ strcasecmp (val, "nsec3rsasha5") == 0 ||
+ strcasecmp (val, "n3rsasha5") == 0 ||
+ strcasecmp (val, "nsec3rsasha512") == 0 ||
+ strcasecmp (val, "n3rsasha512") == 0 )
+ *((int *)c->var) = DK_ALGO_RSASHA512;
+#endif
else
error ("Illegal algorithm \"%s\" "
"in line %d.\n" , val, line);
case CONF_SERIAL:
if ( strcasecmp (val, "unixtime") == 0 )
*((serial_form_t *)c->var) = Unixtime;
- else if ( strcasecmp (val, "incremental") == 0 )
+ else if ( strcasecmp (val, "incremental") == 0 || strcasecmp (val, "inc") == 0 )
*((serial_form_t *)c->var) = Incremental;
else
error ("Illegal serial no format \"%s\" "
"in line %d.\n" , val, line);
break;
+ case CONF_NSEC3:
+ if ( strcasecmp (val, "off") == 0 )
+ *((nsec3_t *)c->var) = NSEC3_OFF;
+ else if ( strcasecmp (val, "on") == 0 )
+ *((nsec3_t *)c->var) = NSEC3_ON;
+ else if ( strcasecmp (val, "optout") == 0 )
+ *((nsec3_t *)c->var) = NSEC3_OPTOUT;
+ else
+ error ("Illegal NSEC3 format \"%s\" "
+ "in line %d.\n" , val, line);
+ break;
case CONF_BOOL:
*((int *)c->var) = ISTRUE (val);
break;
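Review bot: Among the new RSASHA512 spellings, `rsasha212` looks like a typo for `rsasha512`, and the shorthands `rsasha2`/`rsasha5` are documented nowhere in this hunk; drop the typo and list the accepted spellings in a comment above `case CONF_ALGO:`. The `else error ("Illegal algorithm ...")` at the end of the chain is followed directly by `case CONF_SERIAL:` with no `break;` visible, so an unknown algorithm name presumably falls through and is reported a second time as an illegal serial format — a `break;` after the error would stop that, if it is not hidden by this rendering. The branch also still maps `1`/`rsa`/`rsamd5` to `DK_ALGO_RSA` (RSA/MD5), which RFC 4034 already lists as NOT RECOMMENDED; since this value drives key generation, checkconfig() should at least warn when `k_algo` or `k2_algo` is DK_ALGO_RSA. The enclosing parseconfigline() starts and ends outside this hunk.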
switch ( cp->type )
{
+ case CONF_VERSION:
+ fprintf (fp, "#\tZKT config file for version %d.%02d\n",
+ compversion / 100, compversion % 100);
+ break;
case CONF_COMMENT:
if ( cp->var )
fprintf (fp, "# %s\n", (char *)cp->var);
lval = *(ulong*)cp->var; /* in that case it should be of type ulong */
fprintf (fp, "%s:\t%s", cp->label, timeint2str (lval));
if ( lval )
- fprintf (fp, "\t# (%ld seconds)", lval);
+ fprintf (fp, "\t\t# (%ld seconds)", lval);
putc ('\n', fp);
break;
case CONF_ALGO:
i = *(int*)cp->var;
if ( i )
{
- fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
+ fprintf (fp, "%s:\t%s ", cp->label, dki_algo2str (i));
fprintf (fp, "\t# (Algorithm ID %d)\n", i);
}
break;
case CONF_SERIAL:
fprintf (fp, "%s:\t", cp->label);
if ( *(serial_form_t*)cp->var == Unixtime )
- fprintf (fp, "unixtime\n");
+ fprintf (fp, "UnixTime");
else
- fprintf (fp, "incremental\n");
+ fprintf (fp, "Incremental");
+ fprintf (fp, "\t# (UnixTime|Incremental)\n");
+ break;
+ case CONF_NSEC3:
+ fprintf (fp, "%s:\t\t", cp->label);
+ if ( *(nsec3_t*)cp->var == NSEC3_OFF )
+ fprintf (fp, "Off");
+ else if ( *(nsec3_t*)cp->var == NSEC3_ON )
+ fprintf (fp, "On");
+ else if ( *(nsec3_t*)cp->var == NSEC3_OPTOUT )
+ fprintf (fp, "OptOut");
+ fprintf (fp, "\t\t# (On|Off|OptOut)\n");
break;
case CONF_INT:
fprintf (fp, "%s:\t%d\n", cp->label, *(int *)cp->var);
** public function definition
*****************************************************************/
+void setconfigversion (int version)
+{
+ compversion = version;
+}
+
+const char *timeint2str (unsigned long val)
+{
+ static char str[20+1];
+
+ if ( val == 0 )
+ snprintf (str, sizeof (str), "Unset");
+ else if ( val % YEARSEC == 0 )
+ snprintf (str, sizeof (str), "%luy", val / YEARSEC);
+ else if ( val % WEEKSEC == 0 )
+ snprintf (str, sizeof (str), "%luw", val / WEEKSEC);
+ else if ( val % DAYSEC == 0 )
+ snprintf (str, sizeof (str), "%lud", val / DAYSEC);
+ else if ( val % HOURSEC == 0 )
+ snprintf (str, sizeof (str), "%luh", val / HOURSEC);
+ else if ( val % MINSEC == 0 )
+ snprintf (str, sizeof (str), "%lum", val / MINSEC);
+ else
+ snprintf (str, sizeof (str), "%lus", val);
+
+ return str;
+}
+
+
/*****************************************************************
** loadconfig (file, conf)
** Loads a config file into the "conf" structure pointed to by "z".
** If "z" is NULL then a new conf struct will be dynamically
** allocated.
** If no filename is given the conf struct will be initialized
-** by the builtin default config
+** with the builtin default config
*****************************************************************/
zconf_t *loadconfig (const char *filename, zconf_t *z)
{
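Review bot: timeint2str() is now exported through zconf.h but returns a pointer into its function-local `static char str[20+1]`, so two calls in one expression (two `%s` arguments of a single fprintf) overwrite each other and the function is not thread-safe, and nothing in the new definition says so. Add a header comment in the file's style above it: `/* timeint2str (val): format seconds as y/w/d/h/m/s, 0 prints "Unset"; returns a static buffer that the next call overwrites */`, and repeat the static-buffer caveat on the `extern` in zconf.h. The callers in this diff use one call per fprintf, which is fine as long as that discipline is kept.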
}
dbg_val1 ("loadconfig (%s)\n", filename);
- set_all_varptr (z);
+ set_all_varptr (z, NULL);
if ( (fp = fopen(filename, "r")) == NULL )
fatal ("Could not open config file \"%s\"\n", filename);
}
dbg_val1 ("loadconfig_fromstr (\"%s\")\n", str);
- set_all_varptr (z);
+ set_all_varptr (z, NULL);
/* str is const, so we have to copy it into a new buffer */
if ( (buf = strdup (str)) == NULL )
return z;
}
+/*****************************************************************
+** freeconfig (config)
+** free memory for config struct and return a NULL ptr
+*****************************************************************/
+zconf_t *freeconfig (zconf_t *conf)
+{
+ if (conf != NULL);
+ free (conf);
+
+ return (zconf_t *)NULL;
+}
+
/*****************************************************************
** setconfigpar (entry, pval)
*****************************************************************/
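Review bot: In freeconfig() the line `if (conf != NULL);` ends in a semicolon, so the `if` governs an empty statement and `free (conf)` runs unconditionally; the result is correct only because `free (NULL)` is a no-op, and -Wempty-body will flag it. Drop the guard and write `free (conf); /* free (NULL) is a no-op */`, or remove the stray semicolon.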
char *str;
zconf_para_t *c;
- set_all_varptr (config);
+ set_all_varptr (config, NULL);
for ( c = confpara; c->type != CONF_END; c++ )
if ( strcasecmp (entry, c->label) == 0 )
{
switch ( c->type )
{
+ case CONF_VERSION:
+ break;
case CONF_LEVEL:
case CONF_FACILITY:
case CONF_STRING:
case CONF_TIMEINT:
*((long *)c->var) = *((long *)pval);
break;
+ case CONF_NSEC3:
+ *((nsec3_t *)c->var) = *((nsec3_t *)pval);
+ break;
case CONF_SERIAL:
*((serial_form_t *)c->var) = *((serial_form_t *)pval);
break;
}
}
- set_all_varptr ((zconf_t *)z);
+ set_all_varptr ((zconf_t *)z, NULL);
for ( cp = confpara; cp->type != CONF_END; cp++ ) /* loop through all parameter */
- if ( !cp->cmdline ) /* if this is not a command line parameter ? */
+ if ( iscompatible (cp) ) /* is parameter compatible to current version? */
printconfigline (fp, cp); /* print it out */
if ( fp && fp != stdout && fp != stderr )
return 1;
}
-#if 0
/*****************************************************************
** printconfigdiff (fname, conf_a, conf_b)
*****************************************************************/
int printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z)
{
zconf_para_t *cp;
+ int eq;
+ char *p1, *p2;
FILE *fp;
if ( ref == NULL || z == NULL )
}
}
- set_all_varptr ((zconf_t *)z);
+ set_all_varptr ((zconf_t *)z, ref);
for ( cp = confpara; cp->type != CONF_END; cp++ ) /* loop through all parameter */
{
- if ( cp->cmdline )
+ eq = 0;
+ if ( iscmdline (cp) ) /* skip command line parameter */
continue;
-
+ switch ( cp->type )
+ {
+ case CONF_VERSION:
+ case CONF_END:
+ case CONF_COMMENT:
+ continue;
+ case CONF_NSEC3:
+ eq = ( *(nsec3_t *)cp->var == *(nsec3_t *)cp->var2 );
+ break;
+ case CONF_SERIAL:
+ eq = ( *(serial_form_t *)cp->var == *(serial_form_t *)cp->var2 );
+ break;
+ case CONF_BOOL:
+ case CONF_ALGO:
+ case CONF_INT:
+ eq = ( *(int *)cp->var == *(int *)cp->var2 );
+ break;
+ case CONF_TIMEINT:
+ eq = ( *(long *)cp->var == *(long *)cp->var2 );
+ break;
+ case CONF_LEVEL:
+ case CONF_FACILITY:
+ case CONF_STRING:
+ p1 = *(char **)cp->var;
+ p2 = *(char **)cp->var2;
+ if ( p1 && p2 )
+ eq = strcmp (p1, p2) == 0;
+ else if ( p1 == NULL || p2 == NULL )
+ eq = 0;
+ else
+ eq = 1;
+ }
+ if ( !eq )
printconfigline (fp, cp); /* print it out */
}
return 1;
}
-#endif
/*****************************************************************
** checkconfig (config)
*****************************************************************/
int checkconfig (const zconf_t *z)
{
+ int ret;
+ long max_ttl;
+
if ( z == NULL )
return 1;
+ max_ttl = z->max_ttl;
+ if ( max_ttl <= 0 )
+ max_ttl = z->sigvalidity;
+
+ ret = 0;
+ if ( strcmp (z->k_random, "/dev/urandom") == 0 )
+ ret = fprintf (stderr, "random device without enough entropie used for KSK generation \n");
+ if ( strcmp (z->z_random, "/dev/urandom") == 0 )
+ ret = fprintf (stderr, "random device without enough entropie used for ZSK generation\n");
+
if ( z->saltbits < 4 )
- fprintf (stderr, "Saltlength must be at least 4 bits\n");
+ ret = fprintf (stderr, "Saltlength must be at least 4 bits\n");
if ( z->saltbits > 128 )
{
fprintf (stderr, "While the maximum is 520 bits of salt, it's not recommended to use more than 128 bits.\n");
- fprintf (stderr, "The current value is %d bits\n", z->saltbits);
+ ret = fprintf (stderr, "The current value is %d bits\n", z->saltbits);
}
if ( z->sigvalidity < (1 * DAYSEC) || z->sigvalidity > (12 * WEEKSEC) )
{
fprintf (stderr, "Signature should be valid for at least 1 day and no longer than 3 month (12 weeks)\n");
- fprintf (stderr, "The current value is %s\n", timeint2str (z->sigvalidity));
+ ret = fprintf (stderr, "The current value is %s\n", timeint2str (z->sigvalidity));
+ }
+
+ if ( z->max_ttl <= 0 )
+ {
+ ret = fprintf (stderr, "The max TTL is unknown which results in suboptimal key rollover.\n");
+ fprintf (stderr, "Please set max_ttl to the maximum ttl used in the zone (run zkt-conf -w zone.db)\n");
}
+ else
+ if ( max_ttl > z->sigvalidity/2 )
+ ret = fprintf (stderr, "Max TTL (%ld) should be less or equal signature validity (%ld)\n",
+ max_ttl, z->sigvalidity);
- if ( z->resign > (z->sigvalidity*5/6) - (z->max_ttl + z->proptime) )
+ // if ( z->resign > (z->sigvalidity*5/6) - (max_ttl + z->proptime) )
+ if ( z->resign > (z->sigvalidity*5/6) )
{
fprintf (stderr, "Re-signing interval (%s) should be less than ", timeint2str (z->resign));
- fprintf (stderr, "5/6 of sigvalidity\n");
+ ret = fprintf (stderr, "5/6 of sigvalidity (%s)\n", timeint2str (z->sigvalidity));
}
- if ( z->resign < (z->max_ttl + z->proptime) )
+
+ if ( z->max_ttl > 0 && z->resign > (z->sigvalidity - max_ttl) )
{
fprintf (stderr, "Re-signing interval (%s) should be ", timeint2str (z->resign));
- fprintf (stderr, "greater than max_ttl (%ld) plus ", z->max_ttl);
- fprintf (stderr, "propagation time (%ld)\n", z->proptime);
+ fprintf (stderr, "end at least one max_ttl (%ld) before the end of ", max_ttl);
+ ret = fprintf (stderr, "signature lifetime (%ld) (%s)\n", z->sigvalidity, timeint2str(z->sigvalidity - max_ttl));
}
- if ( z->max_ttl >= z->sigvalidity )
- fprintf (stderr, "Max TTL (%ld) should be less than signature validity (%ld)\n",
- z->max_ttl, z->sigvalidity);
-
if ( z->z_life > (12 * WEEKSEC) * (z->z_bits / 512.) )
{
fprintf (stderr, "Lifetime of zone signing key (%s) ", timeint2str (z->z_life));
fprintf (stderr, "seems a little bit high ");
- fprintf (stderr, "(In respect of key size (%d))\n", z->z_bits);
+ ret = fprintf (stderr, "(In respect of key size (%d))\n", z->z_bits);
}
if ( z->k_life > 0 && z->k_life <= z->z_life )
{
fprintf (stderr, "Lifetime of key signing key (%s) ", timeint2str (z->k_life));
- fprintf (stderr, "should be greater than lifetime of zsk\n");
+ ret = fprintf (stderr, "should be greater than lifetime of zsk\n");
}
if ( z->k_life > 0 && z->k_life > (26 * WEEKSEC) * (z->k_bits / 512.) )
{
fprintf (stderr, "Lifetime of key signing key (%s) ", timeint2str (z->k_life));
fprintf (stderr, "seems a little bit high ");
- fprintf (stderr, "(In respect of key size (%d))\n", z->k_bits);
+ ret = fprintf (stderr, "(In respect of key size (%d))\n", z->k_bits);
}
- return 1;
+ return !ret;
}
#ifdef CONF_TEST
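Review bot: The new `/dev/urandom` check in checkconfig() fires for the builtin default itself — `ZSK_RANDOM` is `"/dev/urandom"` in the zconf.h section of this diff — so an untouched default configuration now fails checkconfig() (it returns 0 whenever any message was printed), and `strcmp` is applied to `k_random`/`z_random` without a NULL guard although sibling string fields such as `sig_random` default to NULL; guard with `z->k_random && strcmp (z->k_random, "/dev/urandom") == 0`. Whether urandom is actually too weak for key generation depends on how the platform seeds its pool at boot, so the message should say "may not provide enough entropy" rather than assert it ("entropie" is also misspelt). The `max_ttl > z->sigvalidity/2` test prints "should be less or equal signature validity" while checking against half of it; either the condition or the text is wrong. Finally, `ret = fprintf (...)` ties the failure flag to the byte count of a diagnostic; set `ret = 1;` explicitly after each message instead.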
/* # define ZSK_ALGO (DK_ALGO_RSASHA1) ZSK_ALGO has to be the same as KSK, so this is no longer used (v0.99) */
# define ZSK_BITS (512)
# define ZSK_RANDOM "/dev/urandom"
+# define NSEC3 0 /* by default nsec3 is off */
# define SALTLEN 24 /* salt length in bits (resolution is 4 bits)*/
# define ZONEDIR "."
# define PRINTTIME 1
# define PRINTAGE 0
# define LJUST 0
+# define LSCOLORTERM NULL /* or "" */
# define KEYSETDIR NULL /* keysets */
# define LOGFILE ""
# define LOGLEVEL "error"
+# define LOGDOMAINDIR ""
# define SYSLOGFACILITY "none"
# define SYSLOGLEVEL "notice"
# define VERBOSELOG 0
# define SIG_RANDOM NULL /* "/dev/urandom" */
# define SIG_PSEUDO 0
# define SIG_GENDS 1
+# define SIG_DNSKEY_KSK 0 /* Sign DNSKEY RR with KSK only */
# define SIG_PARAM ""
# define DIST_CMD NULL /* default is to run "rndc reload" */
# define NAMED_CHROOT NULL /* default is none */
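Review bot: `# define NSEC3 0` introduces a bare object-like macro named `NSEC3` that will rewrite that identifier in every file including zconf.h, yet the `def` initializer in zconf.c in this diff uses `NSEC3_OFF` rather than this macro, so the define is both unused and a name-clash hazard. Either use it in `def` under an unambiguous name, e.g. `# define NSEC3_MODE NSEC3_OFF /* default: NSEC3 off */`, or drop it. The surrounding preprocessor context of this defaults block is not visible here.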
Incremental
} serial_form_t;
+typedef enum {
+ NSEC3_OFF = 0,
+ NSEC3_ON,
+ NSEC3_OPTOUT
+} nsec3_t;
+
typedef enum {
none = 0,
user,
int printtime;
int printage;
int ljust;
+ char *colorterm;
long sigvalidity; /* should be less than expire time */
long max_ttl; /* should be set to the maximum used ttl in the zone */
long key_ttl;
/* int z_algo; no longer used; renamed to k2_algo (v0.99) */
int z_bits;
char *z_random;
+ nsec3_t nsec3; /* 0 == off; 1 == on; 2 == on with optout */
int saltbits;
char *view;
// char *errlog;
char *logfile;
char *loglevel;
+ char *logdomaindir;
char *syslogfacility;
char *sysloglevel;
int verboselog;
char *sig_random;
int sig_pseudo;
int sig_gends;
+ int sig_dnskeyksk;
char *sig_param;
char *dist_cmd; /* cmd to run instead of "rndc reload" */
char *chroot_dir; /* chroot directory of named */
} zconf_t;
+extern const char *timeint2str (unsigned long val);
extern zconf_t *loadconfig (const char *filename, zconf_t *z);
extern zconf_t *loadconfig_fromstr (const char *str, zconf_t *z);
extern zconf_t *dupconfig (const zconf_t *conf);
+extern zconf_t *freeconfig (zconf_t *conf);
extern int setconfigpar (zconf_t *conf, char *entry, const void *pval);
extern int printconfig (const char *fname, const zconf_t *cp);
+extern int printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z);
extern int checkconfig (const zconf_t *z);
+extern void setconfigversion (int version);
#endif
--- /dev/null
+/*****************************************************************
+**
+** @(#) zfparse.c -- A zone file parser
+**
+** Copyright (c) Jan 2010 - Jan 2010, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <unistd.h> /* for link(), unlink() */
+# include <ctype.h>
+# include <assert.h>
+#if 0
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <time.h>
+# include <utime.h>
+# include <errno.h>
+# include <fcntl.h>
+#endif
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+# include "zconf.h"
+# include "log.h"
+# include "debug.h"
+#define extern
+# include "zfparse.h"
+#undef extern
+
+
+extern const char *progname;
+
+/*****************************************************************
+** is_multiline_rr (const char *s)
+*****************************************************************/
+static const char *is_multiline_rr (int *multi_line_rr, const char *p)
+{
+ while ( *p && *p != ';' )
+ {
+ if ( *p == '\"' )
+ do
+ p++;
+ while ( *p && *p != '\"' );
+
+ if ( *p == '(' )
+ *multi_line_rr = 1;
+ if ( *p == ')' )
+ *multi_line_rr = 0;
+ p++;
+ }
+ return p;
+}
+
+/*****************************************************************
+** skipws (const char *s)
+*****************************************************************/
+static const char *skipws (const char *s)
+{
+ while ( *s && (*s == ' ' || *s == '\t' || *s == '\n') )
+ s++;
+ return s;
+}
+
+/*****************************************************************
+** skiplabel (const char *s)
+*****************************************************************/
+static const char *skiplabel (const char *s)
+{
+ while ( *s && *s != ';' && *s != ' ' && *s != '\t' && *s != '\n' )
+ s++;
+ return s;
+}
+
+/*****************************************************************
+** setminmax ()
+*****************************************************************/
+static void setminmax (long *pmin, long val, long *pmax)
+{
+ if ( val < *pmin )
+ *pmin = val;
+ if ( val > *pmax )
+ *pmax = val;
+}
+
+/*****************************************************************
+** get_ttl ()
+*****************************************************************/
+static long get_ttl (const char *s)
+{
+ char quantity;
+ long lval;
+
+ quantity = 'd';
+ sscanf (s, "%ld%c", &lval, &quantity);
+ quantity = tolower (quantity);
+ if ( quantity == 'm' )
+ lval *= MINSEC;
+ else if ( quantity == 'h' )
+ lval *= HOURSEC;
+ else if ( quantity == 'd' )
+ lval *= DAYSEC;
+ else if ( quantity == 'w' )
+ lval *= WEEKSEC;
+ else if ( quantity == 'y' )
+ lval *= YEARSEC;
+
+ return lval;
+}
+
+/*****************************************************************
+** addkeydb ()
+*****************************************************************/
+int addkeydb (const char *file, const char *keydbfile)
+{
+ FILE *fp;
+
+ if ( (fp = fopen (file, "a")) == NULL )
+ return -1;
+
+ fprintf (fp, "\n");
+ fprintf (fp, "$INCLUDE %s\t; this is the database of public DNSKEY RR\n", keydbfile);
+
+ fclose (fp);
+
+ return 0;
+}
+
+/*****************************************************************
+** parsezonefile ()
+** parse the BIND zone file 'file' and store the minimum and
+** maximum ttl value in the corresponding parameter.
+** if keydbfile is set, check if this file is already include.
+** return 0 if keydbfile is not included
+** return 1 if keydbfile is included
+** return -1 on error
+*****************************************************************/
+int parsezonefile (const char *file, long *pminttl, long *pmaxttl, const char *keydbfile)
+{
+ FILE *infp;
+ int len;
+ int lnr;
+ long ttl;
+ int multi_line_rr;
+ int keydbfilefound;
+ char buf[1024];
+ const char *p;
+
+ assert (file != NULL);
+ assert (pminttl != NULL);
+ assert (pmaxttl != NULL);
+
+ dbg_val4 ("parsezonefile (\"%s\", %ld, %ld, \"%s\")\n", file, *pminttl, *pmaxttl, keydbfile);
+
+ if ( (infp = fopen (file, "r")) == NULL )
+ return -1;
+
+ lnr = 0;
+ keydbfilefound = 0;
+ multi_line_rr = 0;
+ while ( fgets (buf, sizeof buf, infp) != NULL )
+ {
+ len = strlen (buf);
+ if ( buf[len-1] != '\n' ) /* line too long ? */
+ fprintf (stderr, "line too long\n");
+ lnr++;
+
+ p = buf;
+ if ( multi_line_rr ) /* skip line if it's part of a multiline rr */
+ {
+ is_multiline_rr (&multi_line_rr, p);
+ continue;
+ }
+
+ if ( *p == '$' ) /* special directive ? */
+ {
+ if ( strncmp (p+1, "TTL", 3) == 0 ) /* $TTL ? */
+ {
+ ttl = get_ttl (p+4);
+ dbg_val3 ("%s:%d:ttl %ld\n", file, lnr, ttl);
+ setminmax (pminttl, ttl, pmaxttl);
+ }
+ else if ( strncmp (p+1, "INCLUDE", 7) == 0 ) /* $INCLUDE ? */
+ {
+ char fname[30+1];
+
+ sscanf (p+9, "%30s", fname);
+ dbg_val ("$INCLUDE directive for file \"%s\" found\n", fname);
+ if ( keydbfile && strcmp (fname, keydbfile) == 0 )
+ keydbfilefound = 1;
+ else
+ keydbfilefound = parsezonefile (fname, pminttl, pmaxttl, keydbfile);
+ }
+ }
+ else if ( !isspace (*p) ) /* label ? */
+ p = skiplabel (p);
+
+ p = skipws (p);
+ if ( *p == ';' ) /* skip line if it's a comment line */
+ continue;
+
+ /* skip class (hesiod is not supported now) */
+ if ( (toupper (*p) == 'I' && toupper (p[1]) == 'N') ||
+ (toupper (*p) == 'C' && toupper (p[1]) == 'H') )
+ p += 2;
+ p = skipws (p);
+
+ if ( isdigit (*p) ) /* ttl ? */
+ {
+ ttl = get_ttl (p);
+ dbg_val3 ("%s:%d:ttl %ld\n", file, lnr, ttl);
+ setminmax (pminttl, ttl, pmaxttl);
+ }
+
+ /* check the rest of the line if it's the beginning of a multi_line_rr */
+ is_multiline_rr (&multi_line_rr, p);
+ }
+
+ if ( file )
+ fclose (infp);
+
+ dbg_val5 ("parsezonefile (\"%s\", %ld, %ld, \"%s\") ==> %d\n",
+ file, *pminttl, *pmaxttl, keydbfile, keydbfilefound);
+ return keydbfilefound;
+}
+
+
+#ifdef TEST
+const char *progname;
+int main (int argc, char *argv[])
+{
+ long minttl;
+ long maxttl;
+ int keydbfound;
+ char *dnskeydb;
+
+ progname = *argv;
+ dnskeydb = NULL;
+ dnskeydb = "dnskey.db";
+
+ minttl = 0x7FFFFFFF;
+ maxttl = 0;
+ keydbfound = parsezonefile (argv[1], &minttl, &maxttl, dnskeydb);
+ if ( keydbfound < 0 )
+ error ("can't parse zone file %s\n", argv[1]);
+
+ if ( dnskeydb && !keydbfound )
+ {
+ printf ("$INCLUDE %s directive added \n", dnskeydb);
+ addkeydb (argv[1], dnskeydb);
+ }
+
+ printf ("minttl = %ld\n", minttl);
+ printf ("maxttl = %ld\n", maxttl);
+
+ return 0;
+}
+#endif
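Review bot: is_multiline_rr can scan past the end of the line it was given: when a quoted string is not closed on the line, the do/while stops on the terminating NUL, the '(' and ')' tests fail, and the unconditional `p++` steps over the NUL, so the outer loop keeps reading whatever follows in parsezonefile's uninitialized `buf` (and past its 1024 bytes if no NUL or ';' turns up); changing the increment to `if ( *p ) p++;` stops the scan at end of line, and note that an escaped `\"` inside a string is currently taken as the closing quote. In parsezonefile a second `$INCLUDE` overwrites a `keydbfilefound` of 1 set by an earlier one, and a -1 from the recursive call is lost the same way, so the assignment should accumulate, e.g. `if ( parsezonefile (fname, pminttl, pmaxttl, keydbfile) == 1 ) keydbfilefound = 1;` with the error case handled separately; the recursion also has no depth limit, so a zone file that `$INCLUDE`s itself recurses until the stack is exhausted. get_ttl leaves `lval` uninitialized when sscanf matches nothing, which the `$TTL` path (`get_ttl (p+4)`) does not guard against; initialize it (`long lval = 0;`) and check the sscanf return value. The `<ctype.h>` calls on plain `char` (`tolower (quantity)`, `isspace (*p)`, `toupper (*p)`, `isdigit (*p)`) should cast to `(unsigned char)`, since a high-bit byte in the zone file is undefined behaviour otherwise.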
--- /dev/null
+/*****************************************************************
+**
+** @(#) zfparse.h -- headerfile for a zone file parser
+**
+** Copyright (c) Jan 2010 - Feb 2010, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+#ifndef ZFPARSE_H
+# define ZFPARSE_H
+extern int parsezonefile (const char *file, long *pminttl, long *pmaxttl, const char *keydbfile);
+extern int addkeydb (const char *file, const char *keydbfile);
+#endif
--- /dev/null
+/*****************************************************************
+**
+** @(#) zkt-conf.c (c) Jan 2005 / Jan 2010 Holger Zuleger hznet.de
+**
+** A config file utility for the DNSSEC Zone Key Tool
+**
+** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h> /* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+# include <time.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "zfparse.h"
+# include "zconf.h"
+
+extern int optopt;
+extern int opterr;
+extern int optind;
+extern char *optarg;
+const char *progname;
+
+static const char *view = "";
+static int writeflag = 0;
+static int allflag = 0;
+static int testflag = 0;
+
+# define short_options ":aC:c:O:dlstvwV:rh"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+ {"compability", required_argument, NULL, 'C'},
+ {"config", required_argument, NULL, 'c'},
+ {"option", required_argument, NULL, 'O'},
+ {"config-option", required_argument, NULL, 'O'},
+ {"default", no_argument, NULL, 'd'},
+ {"sidecfg", no_argument, NULL, 's'},
+ {"localcfg", no_argument, NULL, 'l'},
+ {"all-values", no_argument, NULL, 'a'},
+ {"test", no_argument, NULL, 't'},
+ {"overwrite", no_argument, NULL, 'w'},
+ {"version", no_argument, NULL, 'v' },
+ {"write", no_argument, NULL, 'w'},
+ {"view", required_argument, NULL, 'V' },
+ {"help", no_argument, NULL, 'h'},
+ {0, 0, 0, 0}
+};
+#endif
+
+static void usage (char *mesg);
+
+
+int main (int argc, char *argv[])
+{
+ int c;
+ int opt_index;
+ int action;
+ int major;
+ int minor;
+ const char *file;
+ const char *defconfname = NULL;
+ const char *confname = NULL;
+ char *p;
+ char str[254+1];
+ zconf_t *refconfig = NULL;
+ zconf_t *config;
+
+ progname = *argv;
+ if ( (p = strrchr (progname, '/')) )
+ progname = ++p;
+ view = getnameappendix (progname, "zkt-conf");
+
+ defconfname = getdefconfname (view);
+ dbg_val0 ("Load built in config \"%s\"\n");
+ config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
+
+ if ( fileexist (defconfname) ) /* load default config file */
+ {
+ dbg_val ("Load site wide config file \"%s\"\n", defconfname);
+ config = loadconfig (defconfname, config);
+ }
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ confname = defconfname;
+
+ opterr = 0;
+ opt_index = 0;
+ action = 0;
+ setconfigversion (100);
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+ while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+ while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+ {
+ switch ( c )
+ {
+ case 'V': /* view name */
+ view = optarg;
+ defconfname = getdefconfname (view);
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ confname = defconfname;
+ break;
+ case 'O': /* read option from commandline */
+ config = loadconfig_fromstr (optarg, config);
+ break;
+ case 'C':
+ switch ( sscanf (optarg, "%d.%d", &major, &minor) )
+ {
+ case 2: major = major * 100 + minor;
+ case 1: break;
+ default:
+ usage ("illegal release number");
+ }
+ setconfigversion (major);
+ break;
+ case 'c':
+ if ( *optarg == '\0' )
+ usage ("empty config file name");
+ config = loadconfig (optarg, config);
+ if ( *optarg == '-' || strcmp (optarg, "stdin") == 0 )
+ confname = "stdout";
+ else
+ confname = optarg;
+ break;
+ case 'd': /* built-in default config */
+ config = loadconfig ("", config); /* load built-in config */
+ confname = defconfname;
+ break;
+ case 's': /* side wide config */
+ /* this is the default **/
+ break;
+ case 'a': /* set all flag */
+ allflag = 1;
+ break;
+ case 'l': /* local config file */
+ refconfig = dupconfig (config); /* duplicate current config */
+ confname = LOCALCONF_FILE;
+ if ( fileexist (LOCALCONF_FILE) ) /* try to load local config file */
+ {
+ dbg_val ("Load local config file \"%s\"\n", LOCALCONF_FILE);
+ config = loadconfig (LOCALCONF_FILE, config);
+ }
+ else if ( !writeflag )
+ usage ("error: no local config file found");
+ break;
+ case 't': /* test config */
+ testflag = 1;
+ break;
+ case 'v': /* version */
+ fprintf (stderr, "%s version %s compiled for BIND version %d\n",
+ progname, ZKT_VERSION, BIND_VERSION);
+ fprintf (stderr, "ZKT %s\n", ZKT_COPYRIGHT);
+ return 0;
+ break;
+ case 'w': /* write back conf file */
+ writeflag = 1;
+ break;
+ case 'h': /* print help */
+ usage ("");
+ break;
+ case ':':
+ snprintf (str, sizeof(str), "option \"-%c\" requires an argument.",
+ optopt);
+ usage (str);
+ break;
+ case '?':
+ if ( isprint (optopt) )
+ snprintf (str, sizeof(str), "Unknown option \"-%c\".",
+ optopt);
+ else
+ snprintf (str, sizeof (str), "Unknown option char \\x%x.",
+ optopt);
+ usage (str);
+ break;
+ default:
+ abort();
+ }
+ }
+
+ c = optind;
+ if ( c >= argc ) /* no arguments given on commandline */
+ {
+ if ( testflag )
+ {
+ if ( checkconfig (config) )
+ fprintf (stderr, "All config file parameter seems to be ok\n");
+ }
+ else
+ {
+ if ( !writeflag ) /* print to stdout */
+ confname = "stdout";
+
+ if ( refconfig ) /* have we seen a local config file ? */
+ if ( allflag )
+ printconfig (confname, config);
+ else
+ printconfigdiff (confname, refconfig, config);
+ else
+ printconfig (confname, config);
+ }
+ }
+ else /* command line argument found: use it as name of zone file */
+ {
+ long minttl;
+ long maxttl;
+ int keydbfound;
+ char *dnskeydb;
+
+ file = argv[c++];
+
+ dnskeydb = config->keyfile;
+
+ minttl = 0x7FFFFFFF;
+ maxttl = 0;
+ keydbfound = parsezonefile (file, &minttl, &maxttl, dnskeydb);
+ if ( keydbfound < 0 )
+ error ("can't parse zone file %s\n", file);
+
+ if ( dnskeydb && !keydbfound )
+ {
+ if ( writeflag )
+ {
+ addkeydb (file, dnskeydb);
+ printf ("\"$INCLUDE %s\" directive added to \"%s\"\n", dnskeydb, file);
+ }
+ else
+ printf ("\"$INCLUDE %s\" should be added to \"%s\" (run with option -w)\n",
+ dnskeydb, file);
+ }
+
+ if ( minttl < (10 * MINSEC) )
+ fprintf (stderr, "Min_TTL of %s (%ld seconds) is too low to use it in a signed zone (see RFC4641)\n",
+ timeint2str (minttl), minttl);
+ else
+ fprintf (stderr, "Min_TTL:\t%s\t# (%ld seconds)\n", timeint2str (minttl), minttl);
+ fprintf (stdout, "Max_TTL:\t%s\t# (%ld seconds)\n", timeint2str (maxttl), maxttl);
+
+ if ( writeflag )
+ {
+ refconfig = dupconfig (config); /* duplicate current config */
+ confname = LOCALCONF_FILE;
+ if ( fileexist (LOCALCONF_FILE) ) /* try to load local config file */
+ {
+ dbg_val ("Load local config file \"%s\"\n", LOCALCONF_FILE);
+ config = loadconfig (LOCALCONF_FILE, config);
+ }
+ setconfigpar (config, "Max_TTL", &maxttl);
+ printconfigdiff (confname, refconfig, config);
+ }
+ }
+
+
+ return 0;
+}
+
+# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
+# define loptstr(lstr, sstr) lstr
+#else
+# define lopt_usage(mesg, value)
+# define loptstr(lstr, sstr) sstr
+#endif
+static void usage (char *mesg)
+{
+ fprintf (stderr, "%s version %s\n", progname, ZKT_VERSION);
+ if ( mesg && *mesg )
+ fprintf (stderr, "%s\n", mesg);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "usage: %s -h\n", progname);
+ fprintf (stderr, "usage: %s [-V view] [-w|-t] -d [-O <optstr>]\n", progname);
+ fprintf (stderr, "usage: %s [-V view] [-w|-t] [-s] [-c config] [-O <optstr>]\n", progname);
+ fprintf (stderr, "usage: %s [-V view] [-w|-t] [-a] -l [-c config] [-O <optstr>]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "usage: %s [-c config] [-w] <zonefile>\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, " -V name%s", loptstr (", --view=name\n", ""));
+ fprintf (stderr, "\t\t specify the view name \n");
+ fprintf (stderr, " -d%s\tprint built-in default config parameter\n", loptstr (", --default", ""));
+ fprintf (stderr, " -s%s\tprint site wide config file parameter (this is the default)\n", loptstr (", --sitecfg", ""));
+ fprintf (stderr, " -l%s\tprint local config file parameter\n", loptstr (", --localcfg", ""));
+ fprintf (stderr, " -a%s\tprint all parameter not only the different one\n", loptstr (", --all", ""));
+ fprintf (stderr, " -c file%s", loptstr (", --config=file\n", ""));
+ fprintf (stderr, " \t\tread config from <file> instead of %s\n", CONFIG_FILE);
+ fprintf (stderr, " -O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+ fprintf (stderr, " \t\tread config options from commandline\n");
+ fprintf (stderr, " -t%s\ttest the config parameter if they are useful \n", loptstr (", --test", "\t"));
+ fprintf (stderr, " -w%s\twrite or rewrite config file \n", loptstr (", --write", "\t"));
+ fprintf (stderr, " -h%s\tprint this help \n", loptstr (", --help", "\t"));
+ exit (1);
+}
+
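Review bot: The `-l` handling in main is order-dependent: `case 'l'` calls `usage ("error: no local config file found")` when LOCALCONF_FILE is missing and `writeflag` is still 0, so `zkt-conf -l -w` aborts while `zkt-conf -w -l` proceeds to create the file. Defer that check until after the getopt loop (record a flag in `case 'l'` and test `fileexist (LOCALCONF_FILE) || writeflag` afterwards). In the zone-file branch the return value of `addkeydb (file, dnskeydb)` is ignored, so the "directive added" message is printed even when the zone file could not be opened for append; use `if ( addkeydb (file, dnskeydb) < 0 ) error ("can't add $INCLUDE to %s\n", file);` before the printf. The debug call `dbg_val0 ("Load built in config \"%s\"\n")` has a `%s` conversion with no matching argument, which is undefined behaviour if the macro expands to a printf-family call in a debug build; drop the `%s` or pass an argument.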
--- /dev/null
+/*****************************************************************
+**
+** @(#) zkt-keyman.c (c) Jan 2005 - Apr 2010 Holger Zuleger hznet.de
+**
+** ZKT key managing tool (formely knon as dnsses-zkt)
+** A wrapper command around the BIND dnssec-keygen utility
+**
+** Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h> /* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "strlist.h"
+# include "zconf.h"
+# include "dki.h"
+# include "zkt.h"
+
+extern int optopt;
+extern int opterr;
+extern int optind;
+extern char *optarg;
+const char *progname;
+
+char *labellist = NULL;
+
+int headerflag = 1;
+int ageflag = 0;
+int lifetime = 0;
+int lifetimeflag = 0;
+int timeflag = 1;
+int exptimeflag = 0;
+int pathflag = 0;
+int kskflag = 1;
+int zskflag = 1;
+int ljustflag = 0;
+
+static int dirflag = 0;
+static int recflag = RECURSIVE;
+static char *kskdomain = "";
+static const char *view = "";
+
+# define short_options ":0:1:2:3:9A:C:D:P:S:R:h:ZV:F:c:O:krz"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+ {"ksk-rollover", no_argument, NULL, '9'},
+ {"ksk-status", required_argument, NULL, '0'},
+ {"ksk-roll-status", required_argument, NULL, '0'},
+ {"ksk-newkey", required_argument, NULL, '1'},
+ {"ksk-publish", required_argument, NULL, '2'},
+ {"ksk-delkey", required_argument, NULL, '3'},
+ {"ksk-roll-phase1", required_argument, NULL, '1'},
+ {"ksk-roll-phase2", required_argument, NULL, '2'},
+ {"ksk-roll-phase3", required_argument, NULL, '3'},
+ {"ksk", no_argument, NULL, 'k'},
+ {"zsk", no_argument, NULL, 'z'},
+ {"recursive", no_argument, NULL, 'r'},
+ {"config", required_argument, NULL, 'c'},
+ {"option", required_argument, NULL, 'O'},
+ {"config-option", required_argument, NULL, 'O'},
+ {"published", required_argument, NULL, 'P'},
+ {"standby", required_argument, NULL, 'S'},
+ {"active", required_argument, NULL, 'A'},
+ {"depreciated", required_argument, NULL, 'D'},
+ {"create", required_argument, NULL, 'C'},
+ {"revoke", required_argument, NULL, 'R'},
+ {"remove", required_argument, NULL, 19 },
+ {"destroy", required_argument, NULL, 20 },
+ {"setlifetime", required_argument, NULL, 'F' },
+ {"view", required_argument, NULL, 'V' },
+ {"help", no_argument, NULL, 'h'},
+ {0, 0, 0, 0}
+};
+#endif
+
+static int parsedirectory (const char *dir, dki_t **listp);
+static void parsefile (const char *file, dki_t **listp);
+static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf);
+static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf);
+static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp);
+static void usage (char *mesg, zconf_t *cp);
+static const char *parsetag (const char *str, int *tagp);
+
+static void setglobalflags (zconf_t *config)
+{
+ recflag = config->recursive;
+}
+
+int main (int argc, char *argv[])
+{
+ dki_t *data = NULL;
+ dki_t *dkp;
+ int c;
+ int opt_index;
+ int action;
+ const char *file;
+ const char *defconfname = NULL;
+ char *p;
+ char str[254+1];
+ const char *keyname = NULL;
+ int searchtag;
+ zconf_t *config;
+
+ progname = *argv;
+ if ( (p = strrchr (progname, '/')) )
+ progname = ++p;
+ view = getnameappendix (progname, "dnssec-zkt");
+
+ defconfname = getdefconfname (view);
+ config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ setglobalflags (config);
+
+ opterr = 0;
+ opt_index = 0;
+ action = 0;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+ while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+ while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+ {
+ switch ( c )
+ {
+ case '9': /* ksk rollover help */
+ ksk_roll ("help", c - '0', NULL, NULL);
+ exit (1);
+ case '1': /* ksk rollover: create new key */
+ case '2': /* ksk rollover: publish DS */
+ case '3': /* ksk rollover: delete old key */
+ case '0': /* ksk rollover: show current status */
+ action = c;
+ if ( !optarg )
+ usage ("ksk rollover requires an domain argument", config);
+ kskdomain = domain_canonicdup (optarg);
+ break;
+ case 'h':
+ case 'K':
+ case 'Z':
+ action = c;
+ break;
+ case 'C':
+ pathflag = !pathflag;
+ /* fall through */
+ case 'P':
+ case 'S':
+ case 'A':
+ case 'D':
+ case 'R':
+ case 's':
+ case 19:
+ case 20:
+ if ( (keyname = parsetag (optarg, &searchtag)) != NULL )
+ keyname = domain_canonicdup (keyname);
+ action = c;
+ break;
+ case 'F': /* set key lifetime */
+ lifetime = atoi (optarg);
+ action = c;
+ break;
+ case 'V': /* view name */
+ view = optarg;
+ defconfname = getdefconfname (view);
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ setglobalflags (config);
+ break;
+ case 'c':
+ config = loadconfig (optarg, config);
+ setglobalflags (config);
+ checkconfig (config);
+ break;
+ case 'O': /* read option from commandline */
+ config = loadconfig_fromstr (optarg, config);
+ setglobalflags (config);
+ checkconfig (config);
+ break;
+ case 'd': /* ignore directory arg */
+ dirflag = 1;
+ break;
+ case 'k': /* ksk only */
+ zskflag = 0;
+ break;
+ case 'r': /* switch recursive flag */
+ recflag = !recflag;
+ break;
+ case 'z': /* zsk only */
+ kskflag = 0;
+ break;
+ case ':':
+ snprintf (str, sizeof(str), "option \"-%c\" requires an argument.\n",
+ optopt);
+ usage (str, config);
+ break;
+ case '?':
+ if ( isprint (optopt) )
+ snprintf (str, sizeof(str), "Unknown option \"-%c\".\n",
+ optopt);
+ else
+ snprintf (str, sizeof (str), "Unknown option char \\x%x.\n",
+ optopt);
+ usage (str, config);
+ break;
+ default:
+ abort();
+ }
+ }
+
+ if ( kskflag == 0 && zskflag == 0 )
+ kskflag = zskflag = 1;
+
+ c = optind;
+ do {
+ if ( c >= argc ) /* no args left */
+ file = config->zonedir; /* use default directory */
+ else
+ file = argv[c++];
+
+ if ( is_directory (file) )
+ parsedirectory (file, &data);
+ else
+ parsefile (file, &data);
+
+ } while ( c < argc ); /* for all arguments */
+
+ switch ( action )
+ {
+ case 'h':
+ usage ("", config);
+ case 'C':
+ createkey (keyname, data, config);
+ break;
+ case 'P':
+ case 'S':
+ case 'A':
+ case 'D':
+ if ( (dkp = (dki_t*)zkt_search (data, searchtag, keyname)) == NULL )
+ fatal ("Key with tag %u not found\n", searchtag);
+ else if ( dkp == (void *) 01 )
+ fatal ("Key with tag %u found multiple times\n", searchtag);
+ if ( (c = dki_setstatus_preservetime (dkp, action)) != 0 )
+ fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
+ break;
+ case 19: /* remove (rename) key file */
+ if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+ fatal ("Key with tag %u not found\n", searchtag);
+ else if ( dkp == (void *) 01 )
+ fatal ("Key with tag %u found multiple times\n", searchtag);
+ dki_remove (dkp);
+ break;
+ case 20: /* destroy the key (remove the files!) */
+ if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+ fatal ("Key with tag %u not found\n", searchtag);
+ else if ( dkp == (void *) 01 )
+ fatal ("Key with tag %u found multiple times\n", searchtag);
+ dki_destroy (dkp);
+ break;
+ case 'R':
+ if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+ fatal ("Key with tag %u not found\n", searchtag);
+ else if ( dkp == (void *) 01 )
+ fatal ("Key with tag %u found multiple times\n", searchtag);
+ if ( (c = dki_setstatus (dkp, action)) != 0 )
+ fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
+ break;
+ case '1': /* ksk rollover new key */
+ case '2': /* ksk rollover publish DS */
+ case '3': /* ksk rollover delete old key */
+ case '0': /* ksk rollover status */
+ ksk_roll (kskdomain, action - '0', data, config);
+ break;
+ case 'F':
+ zkt_setkeylifetime (data);
+ /* fall through */
+ default:
+ zkt_list_keys (data);
+ }
+
+ return 0;
+}
+
+# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
+# define loptstr(lstr, sstr) lstr
+#else
+# define lopt_usage(mesg, value)
+# define loptstr(lstr, sstr) sstr
+#endif
+static void usage (char *mesg, zconf_t *cp)
+{
+ fprintf (stderr, "DNS Zone Key Management Tool %s\n", ZKT_VERSION);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Create a new key \n");
+ sopt_usage ("\tusage: %s -C <name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --create=<name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
+ fprintf (stderr, "\t\tKSK (use -k): %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits);
+ fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->k_algo), cp->z_bits);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Change key status of specified key to published, active or depreciated\n");
+ fprintf (stderr, "\t(<keyspec> := tag | tag:name) \n");
+ sopt_usage ("\tusage: %s -P|-A|-D <keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --published=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --active=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --depreciated=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Revoke specified key (<keyspec> := tag | tag:name) \n");
+ sopt_usage ("\tusage: %s -R <keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --revoke=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Remove (rename) or destroy (delete) specified key (<keyspec> := tag | tag:name) \n");
+ lopt_usage ("\tusage: %s --remove=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --destroy=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Initiate a semi-automated KSK rollover");
+ fprintf (stderr, "('%s -9%s' prints out a brief description)\n", progname, loptstr ("|--ksk-rollover", ""));
+ sopt_usage ("\tusage: %s {-1} do.ma.in.\n", progname);
+ lopt_usage ("\tusage: %s {--ksk-roll-phase1|--ksk-newkey} do.ma.in.\n", progname);
+ sopt_usage ("\tusage: %s {-2} do.ma.in.\n", progname);
+ lopt_usage ("\tusage: %s {--ksk-roll-phase2|--ksk-publish} do.ma.in.\n", progname);
+ sopt_usage ("\tusage: %s {-3} do.ma.in.\n", progname);
+ lopt_usage ("\tusage: %s {--ksk-roll-phase3|--ksk-delkey} do.ma.in.\n", progname);
+ sopt_usage ("\tusage: %s {-0} do.ma.in.\n", progname);
+ lopt_usage ("\tusage: %s {--ksk-roll-status|--ksk-status} do.ma.in.\n", progname);
+ fprintf (stderr, "\n");
+
+ fprintf (stderr, "\n");
+ fprintf (stderr, "General options \n");
+ fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
+ fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
+ fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+ fprintf (stderr, "\t\t read config options from commandline\n");
+ fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
+ fprintf (stderr, "\t-r%s\t recursive mode on/off (default: %s)\n", loptstr(", --recursive", "\t"), recflag ? "on": "off");
+ fprintf (stderr, "\t-F days%s=days\t set key lifetime\n", loptstr (", --setlifetime", "\t"));
+ fprintf (stderr, "\t-k%s\t key signing keys only\n", loptstr (", --ksk", "\t"));
+ fprintf (stderr, "\t-z%s\t zone signing keys only\n", loptstr (", --zsk", "\t"));
+ if ( mesg && *mesg )
+ fprintf (stderr, "%s\n", mesg);
+ exit (1);
+}
+
+static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)
+{
+ const char *dir = "";
+ dki_t *dkp;
+
+ if ( keyname == NULL || *keyname == '\0' )
+ fatal ("Create key: no keyname!");
+
+ dbg_val2 ("createkey: keyname %s, pathflag = %d\n", keyname, pathflag);
+ /* search for already existent key to get the directory name */
+ if ( pathflag && (dkp = (dki_t *)zkt_search (list, 0, keyname)) != NULL )
+ {
+ char path[MAX_PATHSIZE+1];
+ zconf_t localconf;
+
+ dir = dkp->dname;
+ pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
+ if ( fileexist (path) ) /* load local config file */
+ {
+ dbg_val ("Load local config file \"%s\"\n", path);
+ memcpy (&localconf, conf, sizeof (zconf_t));
+ conf = loadconfig (path, &localconf);
+ }
+ }
+
+ if ( zskflag )
+ dkp = dki_new (dir, keyname, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+ else
+ dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+ if ( dkp == NULL )
+ fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
+
+ /* create a new key always in state published, which means "standby" for ksk */
+ dki_setstatus (dkp, DKI_PUB);
+}
+
+static int get_parent_phase (const char *file)
+{
+ FILE *fp;
+ int phase;
+
+ if ( (fp = fopen (file, "r")) == NULL )
+ return -1;
+
+ phase = 0;
+ if ( fscanf (fp, "; KSK rollover phase%d", &phase) != 1 )
+ phase = 0;
+
+ fclose (fp);
+ return phase;
+}
+
+static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)
+{
+ char path[MAX_PATHSIZE+1];
+ zconf_t localconf;
+ const char *dir;
+ dki_t *keylist;
+ dki_t *dkp;
+ dki_t *standby;
+ int parent_exist;
+ int parent_age;
+ int parent_phase;
+ int parent_propagation;
+ int key_ttl;
+ int ksk;
+
+ if ( phase == 9 ) /* usage */
+ {
+ fprintf (stderr, "A KSK rollover requires three consecutive steps:\n");
+ fprintf (stderr, "\n");
+ fprintf (stderr, "-1%s", loptstr ("|--ksk-roll-phase1 (--ksk-newkey)\n", ""));
+ fprintf (stderr, "\t Create a new KSK.\n");
+ fprintf (stderr, "\t This step also creates a parent-<domain> file which contains only\n");
+ fprintf (stderr, "\t the _old_ key. This file will be copied in hierarchical mode\n");
+ fprintf (stderr, "\t by dnssec-signer to the parent directory as keyset-<domain> file.\n");
+ fprintf (stderr, "\t Wait until the new keyset is propagated, before going to the next step.\n");
+ fprintf (stderr, "\n");
+ fprintf (stderr, "-2%s", loptstr ("|--ksk-roll-phase2 (--ksk-publish)\n", ""));
+ fprintf (stderr, "\t This step creates a parent-<domain> file with the _new_ key only.\n");
+ fprintf (stderr, "\t Please send this file immediately to the parent (In hierarchical\n");
+ fprintf (stderr, "\t mode this will be done automatically by the dnssec-signer command).\n");
+ fprintf (stderr, "\t Then wait until the new DS is generated by the parent and propagated\n");
+ fprintf (stderr, "\t to all the parent name server, plus the old DS TTL before going to step three.\n");
+ fprintf (stderr, "\n");
+ fprintf (stderr, "-3%s", loptstr ("|--ksk-roll-phase3 (--ksk-delkey)\n", ""));
+ fprintf (stderr, "\t Remove (rename) the old KSK and the parent-<domain> file.\n");
+ fprintf (stderr, "\t You have to manually delete the old KSK (look at file names beginning\n");
+ fprintf (stderr, "\t with an lower 'k').\n");
+ fprintf (stderr, "\n");
+ fprintf (stderr, "-0%s", loptstr ("|--ksk-roll-stat (--ksk-status)\n", ""));
+ fprintf (stderr, "\t Show the current KSK rollover state of a domain.\n");
+
+ fprintf (stderr, "\n");
+
+ return;
+ }
+
+ if ( keyname == NULL || *keyname == '\0' )
+ fatal ("ksk rollover: no domain!");
+
+ dbg_val2 ("ksk_roll: keyname %s, phase = %d\n", keyname, phase);
+
+ /* search for already existent key to get the directory name */
+ if ( (keylist = (dki_t *)zkt_search (list, 0, keyname)) == NULL )
+ fatal ("ksk rollover: domain %s not found!\n", keyname);
+ dkp = keylist;
+
+ /* try to read local config file */
+ dir = dkp->dname;
+ pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
+ if ( fileexist (path) ) /* load local config file */
+ {
+ dbg_val ("Load local config file \"%s\"\n", path);
+ memcpy (&localconf, conf, sizeof (zconf_t));
+ conf = loadconfig (path, &localconf);
+ }
+ key_ttl = conf->key_ttl;
+
+ /* check if parent-file already exist */
+ pathname (path, sizeof (path), dir, "parent-", keyname);
+ parent_phase = parent_age = 0;
+ if ( (parent_exist = fileexist (path)) != 0 )
+ {
+ parent_phase = get_parent_phase (path);
+ parent_age = file_age (path);
+ }
+ // parent_propagation = 2 * DAYSEC;
+ parent_propagation = 5 * MINSEC;
+
+ ksk = 0; /* count active(!) key signing keys */
+ standby = NULL; /* find standby key if available */
+ for ( dkp = keylist; dkp; dkp = dkp->next )
+ if ( dki_isksk (dkp) )
+ {
+ if ( dki_status (dkp) == DKI_ACT )
+ ksk++;
+ else if ( dki_status (dkp) == DKI_PUB )
+ standby = dkp;
+ }
+
+ switch ( phase )
+ {
+ case 0: /* print status (debug) */
+ fprintf (stdout, "ksk_rollover:\n");
+ fprintf (stdout, "\t domain = %s\n", keyname);
+ fprintf (stdout, "\t phase = %d\n", parent_phase);
+ fprintf (stdout, "\t parent_file %s %s\n", path, parent_exist ? "exist": "not exist");
+ if ( parent_exist )
+ fprintf (stdout, "\t age of parent_file %d %s\n", parent_age, str_delspace (age2str (parent_age)));
+ fprintf (stdout, "\t # of active key signing keys %d\n", ksk);
+ fprintf (stdout, "\t parent_propagation %d %s\n", parent_propagation, str_delspace (age2str (parent_propagation)));
+ fprintf (stdout, "\t keys ttl %d %s\n", key_ttl, age2str (key_ttl));
+
+ for ( dkp = keylist; dkp; dkp = dkp->next )
+ {
+ /* TODO: Nur zum testen */
+ dki_prt_dnskey (dkp, stdout);
+ }
+ break;
+ case 1:
+ if ( parent_exist || ksk > 1 )
+ fatal ("Can\'t create new ksk because there is already an ksk rollover in progress\n");
+
+ fprintf (stdout, "create new ksk \n");
+ dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+ if ( dkp == NULL )
+ fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
+ if ( standby )
+ {
+ dki_setstatus (standby, DKI_ACT); /* activate standby key */
+ dki_setstatus (dkp, DKI_PUB); /* new key will be the new standby */
+ }
+
+ // dkp = keylist; /* use old key to create the parent file */
+ if ( (dkp = (dki_t *)dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */
+ fatal ("ksk_rollover phase1: Couldn't find the old active key\n");
+ if ( !create_parent_file (path, phase, key_ttl, dkp) )
+ fatal ("Couldn't create parentfile %s\n", path);
+ break;
+
+ case 2:
+ if ( ksk < 2 )
+ fatal ("Can\'t publish new key because no one exist\n");
+ if ( !parent_exist )
+ fatal ("More than one KSK but no parent file found!\n");
+ if ( parent_phase != 1 )
+ fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
+ if ( parent_age < conf->proptime + key_ttl )
+ fatal ("ksk_rollover (phase2): you have to wait for the propagation of the new KSK (at least %dsec or %s)\n",
+ conf->proptime + key_ttl - parent_age,
+ str_delspace (age2str (conf->proptime + key_ttl - parent_age)));
+
+ fprintf (stdout, "save new ksk in parent file\n");
+ dkp = keylist->next; /* set dkp to new ksk */
+ if ( !create_parent_file (path, phase, key_ttl, dkp) )
+ fatal ("Couldn't create parentfile %s\n", path);
+ break;
+ case 3:
+ if ( !parent_exist || ksk < 2 )
+ fatal ("ksk-delkey only allowed after ksk-publish\n");
+ if ( parent_phase != 2 )
+ fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
+ if ( parent_age < parent_propagation + key_ttl )
+ fatal ("ksk_rollover (phase3): you have to wait for DS propagation (at least %dsec or %s)\n",
+ parent_propagation + key_ttl - parent_age,
+ str_delspace (age2str (parent_propagation + key_ttl - parent_age)));
+ /* remove the parentfile */
+ fprintf (stdout, "remove parentfile \n");
+ unlink (path);
+ /* remove or rename the old key */
+ fprintf (stdout, "old ksk renamed \n");
+ dkp = keylist; /* set dkp to old ksk */
+ dki_remove (dkp);
+ break;
+ default: assert (phase == 1 || phase == 2 || phase == 3);
+ }
+}
+
+/*****************************************************************
+** create_parent_file ()
+*****************************************************************/
+static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)
+{
+ FILE *fp;
+
+ assert ( fname != NULL );
+
+ if ( dkp == NULL || (phase != 1 && phase != 2) )
+ return 0;
+
+ if ( (fp = fopen (fname, "w")) == NULL )
+ fatal ("can\'t create new parentfile \"%s\"\n", fname);
+
+ if ( phase == 1 )
+ fprintf (fp, "; KSK rollover phase1 (old key)\n");
+ else
+ fprintf (fp, "; KSK rollover phase2 (new key)\n");
+
+ dki_prt_dnskeyttl (dkp, fp, ttl);
+ fclose (fp);
+
+ return phase;
+}
+
+static int parsedirectory (const char *dir, dki_t **listp)
+{
+ dki_t *dkp;
+ DIR *dirp;
+ struct dirent *dentp;
+ char path[MAX_PATHSIZE+1];
+
+ if ( dirflag )
+ return 0;
+
+ dbg_val ("directory: opendir(%s)\n", dir);
+ if ( (dirp = opendir (dir)) == NULL )
+ return 0;
+
+ while ( (dentp = readdir (dirp)) != NULL )
+ {
+ if ( is_dotfilename (dentp->d_name) )
+ continue;
+
+ dbg_val ("directory: check %s\n", dentp->d_name);
+ pathname (path, sizeof (path), dir, dentp->d_name, NULL);
+ if ( is_directory (path) && recflag )
+ {
+ dbg_val ("directory: recursive %s\n", path);
+ parsedirectory (path, listp);
+ }
+ else if ( is_keyfilename (dentp->d_name) )
+ if ( (dkp = dki_read (dir, dentp->d_name)) )
+ {
+ // fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
+#if defined (USE_TREE) && USE_TREE
+ dki_tadd (listp, dkp, 1);
+#else
+ dki_add (listp, dkp);
+#endif
+ }
+ }
+ closedir (dirp);
+ return 1;
+}
+
+static void parsefile (const char *file, dki_t **listp)
+{
+ char path[MAX_PATHSIZE+1];
+ dki_t *dkp;
+
+ /* file arg contains path ? ... */
+ file = splitpath (path, sizeof (path), file); /* ... then split of */
+
+ if ( is_keyfilename (file) ) /* plain file name looks like DNS key file ? */
+ {
+ if ( (dkp = dki_read (path, file)) ) /* read DNS key file ... */
+#if defined (USE_TREE) && USE_TREE
+ dki_tadd (listp, dkp, 1); /* ... and add to tree */
+#else
+ dki_add (listp, dkp); /* ... and add to list */
+#endif
+ else
+ error ("error parsing %s: (%s)\n", file, dki_geterrstr());
+ }
+}
+
+static const char *parsetag (const char *str, int *tagp)
+{
+ const char *p;
+
+ *tagp = 0;
+ while ( isspace (*str) ) /* skip leading ws */
+ str++;
+
+ p = str;
+ if ( isdigit (*p) ) /* keytag starts with digit */
+ {
+ sscanf (p, "%u", tagp); /* read keytag as number */
+ do /* eat up to the end of the number */
+ p++;
+ while ( isdigit (*p) );
+
+ if ( *p == ':' ) /* label follows ? */
+ return p+1; /* return that */
+ if ( *p == '\0' )
+ return NULL; /* no label */
+ }
+ return str; /* return as label string if not a numeric keytag */
+}
--- /dev/null
+/*****************************************************************
+**
+** @(#) zkt-ls.c (c) Jan 2010 Holger Zuleger hznet.de
+**
+** Secure DNS zone key tool
+** A command to list dnssec keys
+**
+** Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h> /* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "strlist.h"
+# include "zconf.h"
+# include "dki.h"
+# include "tcap.h"
+# include "zkt.h"
+
+extern int optopt;
+extern int opterr;
+extern int optind;
+extern char *optarg;
+const char *progname;
+
+char *labellist = NULL;
+
+int headerflag = 1;
+int ageflag = 0;
+int lifetime = 0;
+int lifetimeflag = 0;
+int timeflag = 1;
+int exptimeflag = 0;
+int pathflag = 0;
+int kskflag = 1;
+int zskflag = 1;
+int ljustflag = 0;
+int subdomain_before_parent = 1;
+
+static int dirflag = 0;
+static int recflag = RECURSIVE;
+static int trustedkeyflag = 0;
+static const char *view = "";
+static const char *term = NULL;
+
+#if defined(COLOR_MODE) && COLOR_MODE
+# define short_options ":HKTV:afC::c:O:dhkLl:prstez"
+#else
+# define short_options ":HKTV:af:c:O:dhkLl:prstez"
+#endif
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+ {"list-dnskeys", no_argument, NULL, 'K'},
+ {"list-trustedkeys", no_argument, NULL, 'T'},
+ {"ksk", no_argument, NULL, 'k'},
+ {"zsk", no_argument, NULL, 'z'},
+ {"age", no_argument, NULL, 'a'},
+ {"lifetime", no_argument, NULL, 'f'},
+ {"time", no_argument, NULL, 't'},
+ {"expire", no_argument, NULL, 'e'},
+ {"recursive", no_argument, NULL, 'r'},
+ {"leftjust", no_argument, NULL, 'L'},
+ {"label-list", no_argument, NULL, 'l'},
+ {"path", no_argument, NULL, 'p'},
+ {"sort", no_argument, NULL, 's'},
+ {"subdomain", no_argument, NULL, 's'},
+ {"nohead", no_argument, NULL, 'h'},
+ {"directory", no_argument, NULL, 'd'},
+#if defined(COLOR_MODE) && COLOR_MODE
+ {"color", optional_argument, NULL, 'C'},
+#endif
+ {"config", required_argument, NULL, 'c'},
+ {"option", required_argument, NULL, 'O'},
+ {"config-option", required_argument, NULL, 'O'},
+ {"view", required_argument, NULL, 'V' },
+ {"help", no_argument, NULL, 'H'},
+ {0, 0, 0, 0}
+};
+#endif
+
+static int parsedirectory (const char *dir, dki_t **listp, int sub_before);
+static void parsefile (const char *file, dki_t **listp, int sub_before);
+static void usage (char *mesg, zconf_t *cp);
+
+static void setglobalflags (zconf_t *config)
+{
+ recflag = config->recursive;
+ ageflag = config->printage;
+ timeflag = config->printtime;
+ ljustflag = config->ljust;
+ term = config->colorterm;
+ if ( term && *term == '\0' )
+ term = getenv ("TERM");
+}
+
+int main (int argc, char *argv[])
+{
+ dki_t *data = NULL;
+ int c;
+ int opt_index;
+ int action;
+ const char *file;
+ const char *defconfname = NULL;
+ char *p;
+ char str[254+1];
+ zconf_t *config;
+
+ progname = *argv;
+ if ( (p = strrchr (progname, '/')) )
+ progname = ++p;
+ view = getnameappendix (progname, "zkt-ls");
+
+ defconfname = getdefconfname (view);
+ config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ setglobalflags (config);
+
+ opterr = 0;
+ opt_index = 0;
+ action = 0;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+ while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+ while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+ {
+ switch ( c )
+ {
+#if defined(COLOR_MODE) && COLOR_MODE
+ case 'C': /* color mode on; optional with terminal name */
+ if ( optarg )
+ term = optarg;
+ else
+ term = getenv ("TERM");
+ break;
+#endif
+ case 'T':
+ trustedkeyflag = 1;
+ subdomain_before_parent = 0;
+ zskflag = pathflag = 0;
+ /* fall through */
+ case 'H':
+ case 'K':
+ case 'Z':
+ action = c;
+ break;
+ case 'a': /* age */
+ ageflag = !ageflag;
+ break;
+ case 'f': /* key lifetime */
+ lifetimeflag = !lifetimeflag;
+ break;
+ case 'V': /* view name */
+ view = optarg;
+ defconfname = getdefconfname (view);
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ setglobalflags (config);
+ break;
+ case 'c':
+ config = loadconfig (optarg, config);
+ setglobalflags (config);
+ checkconfig (config);
+ break;
+ case 'O': /* read option from commandline */
+ config = loadconfig_fromstr (optarg, config);
+ setglobalflags (config);
+ checkconfig (config);
+ break;
+ case 'd': /* ignore directory arg */
+ dirflag = 1;
+ break;
+ case 'h': /* print no headline */
+ headerflag = 0;
+ break;
+ case 'k': /* ksk only */
+ zskflag = 0;
+ break;
+ case 'L': /* ljust */
+ ljustflag = !ljustflag;
+ break;
+ case 'l': /* label list */
+ labellist = prepstrlist (optarg, LISTDELIM);
+ if ( labellist == NULL )
+ fatal ("Out of memory\n");
+ break;
+ case 'p': /* print path */
+ pathflag = 1;
+ break;
+ case 'r': /* switch recursive flag */
+ recflag = !recflag;
+ break;
+ case 's': /* switch subdomain sorting flag */
+ subdomain_before_parent = !subdomain_before_parent;
+ break;
+ case 't': /* time */
+ timeflag = !timeflag;
+ break;
+ case 'e': /* expire time */
+ exptimeflag = !exptimeflag;
+ break;
+ case 'z': /* zsk only */
+ kskflag = 0;
+ break;
+ case ':':
+ snprintf (str, sizeof(str), "option \"-%c\" requires an argument.\n",
+ optopt);
+ usage (str, config);
+ break;
+ case '?':
+ if ( isprint (optopt) )
+ snprintf (str, sizeof(str), "Unknown option \"-%c\".\n",
+ optopt);
+ else
+ snprintf (str, sizeof (str), "Unknown option char \\x%x.\n",
+ optopt);
+ usage (str, config);
+ break;
+ default:
+ abort();
+ }
+ }
+
+ if ( kskflag == 0 && zskflag == 0 )
+ kskflag = zskflag = 1;
+
+ tc_init (stdout, term);
+
+ c = optind;
+ do {
+ if ( c >= argc ) /* no args left */
+ file = config->zonedir; /* use default directory */
+ else
+ file = argv[c++];
+
+ if ( is_directory (file) )
+ parsedirectory (file, &data, subdomain_before_parent);
+ else
+ parsefile (file, &data, subdomain_before_parent);
+
+ } while ( c < argc ); /* for all arguments */
+
+ switch ( action )
+ {
+ case 'H':
+ usage ("", config);
+ case 'K':
+ zkt_list_dnskeys (data);
+ break;
+ case 'T':
+ zkt_list_trustedkeys (data);
+ break;
+ default:
+ zkt_list_keys (data);
+ }
+
+ tc_end (stdout, term);
+
+ return 0;
+}
+
+# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
+# define loptstr(lstr, sstr) lstr
+#else
+# define lopt_usage(mesg, value)
+# define loptstr(lstr, sstr) sstr
+#endif
+static void usage (char *mesg, zconf_t *cp)
+{
+ fprintf (stderr, "Secure DNS Zone Key Tool %s\n", ZKT_VERSION);
+ fprintf (stderr, "\n");
+
+ fprintf (stderr, "List keys in current or given directory (-r for recursive mode)\n");
+ sopt_usage ("\tusage: %s [-adefhkLprtzC] [-c config] [file|dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "List public part of keys in DNSKEY RR format\n");
+ sopt_usage ("\tusage: %s -K [-dhkrz] [-c config] [file|dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --list-dnskeys [-dhkzr] [-c config] [file|dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "List keys (output is suitable for trusted-keys section)\n");
+ sopt_usage ("\tusage: %s -T [-dhrz] [-c config] [file|dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --list-trustedkeys [-dhzr] [-c config] [file|dir ...]\n", progname);
+ fprintf (stderr, "\n");
+
+ fprintf (stderr, "General options \n");
+ fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
+ fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
+ fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+ fprintf (stderr, "\t\t read config options from commandline\n");
+ fprintf (stderr, "\t-h%s\t no headline or trusted-key section header/trailer in -T mode\n", loptstr (", --nohead", "\t"));
+ fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
+ fprintf (stderr, "\t-L%s\t print the domain name left justified (default: %s)\n", loptstr (", --leftjust", "\t"), ljustflag ? "on": "off");
+ fprintf (stderr, "\t-l list%s", loptstr (", --label=\"list\"\n\t", ""));
+ fprintf (stderr, "\t\t print out only zone keys from the given domain list\n");
+ fprintf (stderr, "\t-C[term]%s", loptstr (", --color[=\"term\"]\n\t", ""));
+ fprintf (stderr, "\t\t turn color mode on \n");
+ fprintf (stderr, "\t-p%s\t show path of keyfile / create key in current directory\n", loptstr (", --path", "\t"));
+ fprintf (stderr, "\t-r%s\t recursive mode on/off (default: %s)\n", loptstr(", --recursive", "\t"), recflag ? "on": "off");
+ fprintf (stderr, "\t-s%s\t change sorting of subdomains\n", loptstr(", --subdomain", "\t"));
+ fprintf (stderr, "\t-a%s\t print age of key (default: %s)\n", loptstr (", --age", "\t"), ageflag ? "on": "off");
+ fprintf (stderr, "\t-t%s\t print key generation time (default: %s)\n", loptstr (", --time", "\t"),
+ timeflag ? "on": "off");
+ fprintf (stderr, "\t-e%s\t print key expiration time\n", loptstr (", --expire", "\t"));
+ fprintf (stderr, "\t-f%s\t print key lifetime\n", loptstr (", --lifetime", "\t"));
+ fprintf (stderr, "\t-k%s\t key signing keys only\n", loptstr (", --ksk", "\t"));
+ fprintf (stderr, "\t-z%s\t zone signing keys only\n", loptstr (", --zsk", "\t"));
+ if ( mesg && *mesg )
+ fprintf (stderr, "%s\n", mesg);
+ exit (1);
+}
+
+static int parsedirectory (const char *dir, dki_t **listp, int sub_before)
+{
+ dki_t *dkp;
+ DIR *dirp;
+ struct dirent *dentp;
+ char path[MAX_PATHSIZE+1];
+
+ if ( dirflag )
+ return 0;
+
+ dbg_val ("directory: opendir(%s)\n", dir);
+ if ( (dirp = opendir (dir)) == NULL )
+ return 0;
+
+ while ( (dentp = readdir (dirp)) != NULL )
+ {
+ if ( is_dotfilename (dentp->d_name) )
+ continue;
+
+ dbg_val ("directory: check %s\n", dentp->d_name);
+ pathname (path, sizeof (path), dir, dentp->d_name, NULL);
+ if ( is_directory (path) && recflag )
+ {
+ dbg_val ("directory: recursive %s\n", path);
+ parsedirectory (path, listp, sub_before);
+ }
+ else if ( is_keyfilename (dentp->d_name) )
+ if ( (dkp = dki_read (dir, dentp->d_name)) )
+ {
+ // fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
+#if defined (USE_TREE) && USE_TREE
+ dki_tadd (listp, dkp, sub_before);
+#else
+ dki_add (listp, dkp);
+#endif
+ }
+ }
+ closedir (dirp);
+ return 1;
+}
+
+static void parsefile (const char *file, dki_t **listp, int sub_before)
+{
+ char path[MAX_PATHSIZE+1];
+ dki_t *dkp;
+
+ /* file arg contains path ? ... */
+ file = splitpath (path, sizeof (path), file); /* ... then split of */
+
+ if ( is_keyfilename (file) ) /* plain file name looks like DNS key file ? */
+ {
+ if ( (dkp = dki_read (path, file)) ) /* read DNS key file ... */
+#if defined (USE_TREE) && USE_TREE
+ dki_tadd (listp, dkp, sub_before); /* ... and add to tree */
+#else
+ dki_add (listp, dkp); /* ... and add to list */
+#endif
+ else
+ error ("error parsing %s: (%s)\n", file, dki_geterrstr());
+ }
+}
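Review bot: The two `short_options` definitions disagree on `-f`: the COLOR_MODE string has `af` (no argument) while the non-color string has `af:`, so a build without color mode makes `-f` consume the following word, contradicting the `case 'f'` toggle, the `{"lifetime", no_argument, NULL, 'f'}` table entry and the usage text; the non-color line should read `# define short_options ":HKTV:afc:O:dhkLl:prstez"`. In the long-option table `{"label-list", no_argument, NULL, 'l'}` is also inconsistent with `l:` and with `case 'l'`, which passes `optarg` to prepstrlist(); `--label-list` would hand it a NULL pointer, so the entry should be `required_argument`. `case 'Z':` in the getopt switch is unreachable because 'Z' appears in neither options string and the action switch has no 'Z' branch, and `case 'H': usage ("", config);` relies on usage() calling exit(1) to avoid running into `case 'K'` — a `/* NOTREACHED */` comment or an explicit `break;` would make that intent visible. The usage line for `-l` advertises `--label=` whereas the table defines `label-list`.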
/*****************************************************************
**
-** @(#) dnssec-signer.c (c) Jan 2005 Holger Zuleger hznet.de
+** @(#) zkt-signer.c (c) Jan 2005 - Jan 2010 Holger Zuleger hznet.de
**
** A wrapper around the BIND dnssec-signzone command which is able
** to resign a zone if necessary and doing a zone or key signing key rollover.
**
-** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
+** Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
** This software is open source.
**
** Redistribution and use in source and binary forms, with or without
static int check_keydb_timestamp (dki_t *keylist, time_t reftime);
static int new_keysetfiles (const char *dir, time_t zone_signing_time);
static int writekeyfile (const char *fname, const dki_t *list, int key_ttl);
-static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf);
+static int sign_zone (const zone_t *zp);
static void register_key (dki_t *listp, const zconf_t *z);
static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf);
#define set_bind96_dynzone(dz) ((dz) = 6)
#define bind94_dynzone(dz) ( (dz) > 0 && (dz) < 6 )
#define bind96_dynzone(dz) ( (dz) >= 6 )
+#define is_defined(str) ( (str) && *(str) )
int main (int argc, char *const argv[])
{
progname = *argv;
if ( (p = strrchr (progname, '/')) )
progname = ++p;
- viewname = getnameappendix (progname, "dnssec-signer");
+ if ( strncmp (progname, "dnssec-signer", 13) == 0 )
+ {
+ fprintf (stderr, "The use of dnssec-signer is deprecated, please run zkt-signer instead\n");
+ viewname = getnameappendix (progname, "dnssec-signer");
+ }
+ else
+ viewname = getnameappendix (progname, "zkt-signer");
defconfname = getdefconfname (viewname);
config = loadconfig ("", (zconf_t *)NULL); /* load build-in config */
if ( fileexist (defconfname) ) /* load default config file */
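Review bot: The deprecation check `strncmp (progname, "dnssec-signer", 13) == 0` hard-codes the literal's length; `strncmp (progname, "dnssec-signer", sizeof ("dnssec-signer") - 1) == 0` keeps the two in step if the name is ever edited. Since it is a prefix match, every program name beginning with dnssec-signer triggers the warning, which looks intended given that getnameappendix() derives the view name from the suffix; a one-line comment saying so would stop the next reader from "fixing" it to strcmp. main() begins and ends outside this hunk.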
#endif
lg_args (LG_NOTICE, argc, argv);
+ /* 1.0rc1: If the ttl for dynamic zones is not known or if it is 0, use sig valid time for this */
+ if ( config->max_ttl <= 0 || dynamic_zone )
+ {
+ // config = dupconfig (config);
+ config->max_ttl = config->sigvalidity;
+ }
+
+
if ( origin ) /* option -o ? */
{
int ret;
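Review bot: The comment on the new block says the fallback applies when the ttl for dynamic zones is unknown or 0, but the condition `config->max_ttl <= 0 || dynamic_zone` replaces max_ttl for every dynamic zone, including one with a configured positive value; if that is the intent the comment should state it, e.g. `/* 1.0rc1: dynamic zones always use the signature validity as max ttl; static zones only if max_ttl is unset or 0 */`, otherwise the condition needs tightening. The assignment mutates the shared config object in place, and the leftover `// config = dupconfig (config);` suggests a copy was considered; either remove the dead line or add a sentence explaining why in-place mutation is safe here. The enclosing function begins and ends outside this hunk.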
#endif
static void usage (char *mesg, zconf_t *conf)
{
- fprintf (stderr, "%s version %s\n", progname, ZKT_VERSION);
+ fprintf (stderr, "%s version %s compiled for BIND %d\n", progname, ZKT_VERSION, BIND_VERSION);
+ fprintf (stderr, "ZKT %s\n", ZKT_COPYRIGHT);
fprintf (stderr, "\n");
- fprintf (stderr, "usage: %s [-c file] [-O optstr] ", progname);
+ fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
fprintf (stderr, "[-D directorytree] ");
fprintf (stderr, "[-fhnr] [-v [-v]] [zone ...]\n");
- fprintf (stderr, "usage: %s [-c file] [-O optstr] ", progname);
+ fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
fprintf (stderr, "-N named.conf ");
fprintf (stderr, "[-fhnr] [-v [-v]] [zone ...]\n");
- fprintf (stderr, "usage: %s [-c file] [-O optstr] ", progname);
+ fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
fprintf (stderr, "-o origin ");
fprintf (stderr, "[-fhnr] [-v [-v]] [zonefile.signed]\n");
fprintf (stderr, "\t\t set config options on the commandline\n");
fprintf (stderr, "\t-L file|dir%s", loptstr (", --logfile=file|dir\n", ""));
fprintf (stderr, "\t\t specify file or directory for the log output\n");
+ fprintf (stderr, "\t-V name%s", loptstr (", --view=name\n", ""));
+ fprintf (stderr, "\t\t specify the view name \n");
fprintf (stderr, "\t-D dir%s", loptstr (", --directory=dir\n", ""));
fprintf (stderr, "\t\t parse the given directory tree for a list of secure zones \n");
fprintf (stderr, "\t-N file%s", loptstr (", --named-conf=file\n", ""));
zfile_time = file_mtime (path);
currtime = time (NULL);
+ /* check for domain based logging */
+ if ( is_defined (zp->conf->logdomaindir) ) /* parameter is not null or empty ? */
+ {
+ if ( strcmp (zp->conf->logdomaindir, ".") == 0 ) /* current (".") means zone directory */
+ lg_zone_start (zp->dir, zp->zone);
+ else
+ lg_zone_start (zp->conf->logdomaindir, zp->zone);
+ }
+
/* check rfc5011 key signing keys, create new one if necessary */
dbg_msg("parsezonedir check rfc 5011 ksk ");
newkey = ksk5011status (&zp->keys, zp->dir, zp->zone, zp->conf);
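Review bot: `lg_zone_start ()` is now opened at the top of this function when logdomaindir is set, and the matching `lg_zone_end ()` is added only before the "nothing to do" return and before the final `return err;` in the later hunks of this function; any other return path between those points that lies outside the visible hunks would leave the per-zone log open, so those paths should be checked or funnelled through a single exit label. The `is_defined (zp->conf->logdomaindir)` test is repeated at each of the three sites; evaluating it once into a local, `int zonelog = is_defined (zp->conf->logdomaindir);`, would make the start/end pairing obvious to a reader. The enclosing function begins before this hunk.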
verbmesg (2, zp->conf, "\tCheck if there is a parent file to copy\n");
if ( zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 )
copy_keyset (zp->dir, zp->zone, zp->conf); /* copy the parent- file if it exist */
+ if ( is_defined (zp->conf->logdomaindir) )
+ lg_zone_end ();
return 0; /* nothing to do */
}
path, zfile);
if ( newkey ) /* if we have new keys, they should be added to the zone file */
+ {
copyzonefile (path, zfile, zp->conf->keyfile);
+#if 0
+ if ( zp->conf->dist_cmd )
+ dist_and_reload (zp, 2); /* ... and send to the name server */
+#endif
+ }
else /* else we can do a simple file copy */
copyfile (path, zfile, NULL);
}
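Review bot: The new `#if 0 ... #endif` around `dist_and_reload (zp, 2);` commits disabled code, and the braces added around `copyzonefile` exist only to hold it; if a distribution step after adding new keys is planned, a short `/* TODO: distribute zone after key rollover (dist_and_reload phase 2) */` records the intent more clearly than dead code, otherwise the block should be dropped. The enclosing function begins and ends outside this hunk.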
timer = start_timer ();
- if ( (err = sign_zone (zp->dir, zp->zone, zp->file, zp->conf)) < 0 )
+ if ( (err = sign_zone (zp)) < 0 )
{
error ("\tSigning of zone %s failed (%d)!\n", zp->zone, err);
lg_mesg (LG_ERROR, "\"%s\": signing failed!", zp->zone);
if ( err >= 0 && reloadflag )
{
if ( zp->conf->dist_cmd )
- dist_and_reload (zp);
+ dist_and_reload (zp, 1);
else
reload_zone (zp->zone, zp->conf);
register_key (zp->keys, zp->conf);
}
+ if ( is_defined (zp->conf->logdomaindir) )
+ lg_zone_end ();
+
return err;
}
return 1;
}
-static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)
+static int sign_zone (const zone_t *zp)
{
char cmd[2047+1];
char str[1023+1];
char nsec3param[637+1];
char keysetdir[254+1];
const char *gends;
+ const char *dnskeyksk;
const char *pseudo;
const char *param;
int len;
FILE *fp;
- assert (conf != NULL);
- assert (domain != NULL);
+ const char *dir;
+ const char *domain;
+ const char *file;
+ const zconf_t *conf;
+
+ assert (zp != NULL);
+ dir = zp->dir;
+ domain = zp->zone;
+ file = zp->file;
+ conf = zp->conf;
len = 0;
str[0] = '\0';
gends = "";
if ( conf->sig_gends )
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+ gends = "-C -g ";
+#else
gends = "-g ";
+#endif
+
+ dnskeyksk = "";
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+ if ( conf->sig_dnskeyksk )
+ dnskeyksk = "-x ";
+#endif
pseudo = "";
if ( conf->sig_pseudo )
nsec3param[0] = '\0';
#if defined(BIND_VERSION) && BIND_VERSION >= 960
- if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 )
+ if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 ||
+ conf->nsec3 != NSEC3_OFF )
{
char salt[510+1]; /* salt has a maximum of 255 bytes == 510 hex nibbles */
+ const char *update;
+ const char *optout;
+ unsigned int seed;
+
+# if defined(BIND_VERSION) && BIND_VERSION >= 970
+ update = "-u "; /* trailing blank is necessary */
+# else
+ update = "";
+# endif
+ if ( conf->nsec3 == NSEC3_OPTOUT )
+ optout = "-A ";
+ else
+ optout = "";
+
+ /* static zones can use always a new salt (full zone signing) */
+ seed = 0L; /* no seed: use mechanism build in gensalt() */
+ if ( dynamic_zone )
+ { /* dynamic zones have to reuse the salt on signing */
+ const dki_t *kp;
+
+ /* use gentime timestamp of ZSK for seeding rand generator */
+ kp = dki_find (zp->keys, DKI_ZSK, DKI_ACTIVE, 1);
+ assert ( kp != NULL );
+ if ( kp->gentime )
+ seed = kp->gentime;
+ else
+ seed = kp->time;
+ }
- if ( gensalt (salt, sizeof (salt), conf->saltbits) )
- snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
+ if ( gensalt (salt, sizeof (salt), conf->saltbits, seed) )
+ snprintf (nsec3param, sizeof (nsec3param), "%s%s-3 %s ", update, optout, salt);
}
#endif
dbg_line();
#if defined(BIND_VERSION) && BIND_VERSION >= 940
if ( dynamic_zone )
- snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1",
- dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
+ snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1",
+ dir, SIGNCMD, param, nsec3param, dnskeyksk, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
else
#endif
- snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1",
- dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
+ snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1",
+ dir, SIGNCMD, param, nsec3param, dnskeyksk, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
verbmesg (2, conf, "\t Run cmd \"%s\"\n", cmd);
*str = '\0';
if ( noexec == 0 )
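Review bot: The two rebuilt `snprintf (cmd, sizeof (cmd), …)` calls still discard their return value, so once `dir`, `file`, `str`, `keysetdir` and the new `dnskeyksk`/`update`/`optout` pieces exceed the 2048-byte `cmd` buffer the command is silently cut off and the truncated line is what reaches the shell; the caller already treats a negative result as failure, so check `int n = snprintf (cmd, sizeof (cmd), …);` followed by `if ( n < 0 || (size_t)n >= sizeof (cmd) ) return -1;` after each of the two calls. In the dynamic-zone salt branch, `assert ( kp != NULL );` is the only guard before `kp->gentime` is read, so a build with NDEBUG defined dereferences NULL when a dynamic zone has no active ZSK; replace it with `if ( kp == NULL ) return -1;` (or log via `lg_mesg (LG_ERROR, …)` first) so the failure is reported the same way as other signing errors. That the path components are interpolated into a shell command line unquoted is pre-existing and not changed by this commit. The body of sign_zone continues past the end of this hunk.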
# include "misc.h"
# include "strlist.h"
# include "zconf.h"
+# include "domaincmp.h"
+# include "tcap.h"
#define extern
# include "zkt.h"
#undef extern
{
if ( headerflag )
{
+ tc_attr (stdout, TC_BOLD, 1);
printf ("%-33.33s %5s %3s %3.3s %-7s", "Keyname",
"Tag", "Typ", "Status", "Algorit");
if ( timeflag )
printf (" %16s", "Age");
if ( lifetimeflag )
printf (" %4s", "LfTm");
+ tc_attr (stdout, TC_BOLD, 0);
putchar ('\n');
}
return;
if ( (kskflag && dki_isksk (dkp)) || (zskflag && !dki_isksk (dkp)) )
{
+ int color;
+
if ( ljustflag )
printf ("%-33.33s ", dkp->name);
else
printf ("%33.33s ", dkp->name);
printf ("%05d ", dkp->tag);
printf ("%3s ", dki_isksk (dkp) ? "KSK" : "ZSK");
+
+ if ( dkp->status == DKI_ACT )
+ color = TC_GREEN;
+ else if ( dkp->status == DKI_PUB )
+ color = TC_BLUE;
+ else if ( dkp->status == DKI_DEP )
+ color = TC_RED;
+ else
+ color = TC_BLACK;
+ tc_attr (stdout, color, 1);
printf ("%-3.3s ", dki_statusstr (dkp) );
+ tc_attr (stdout, color, 0);
+
printf ("%-7s", dki_algo2sstr(dkp->algo));
+
+ if ( currtime < dkp->time + dkp->lifetime )
+ color = TC_GREEN;
+ else
+ color = TC_BOLD|TC_RED;
+ tc_attr (stdout, color, 1);
+
if ( timeflag )
printf (" %-20s", time2str (dkp->gentime ? dkp->gentime: dkp->time, 's'));
if ( exptimeflag )
putchar (' ');
printf ("%hdd", dki_lifetimedays (dkp));
}
+ tc_attr (stdout, color, 0);
putchar ('\n');
}
}
}
#if defined(USE_TREE) && USE_TREE
+# if 0
static void list_trustedkey (const dki_t **nodep, const VISIT which, int depth)
{
const dki_t *dkp;
return;
dkp = *nodep;
-//fprintf (stderr, "list_trustedkey %d %d %s\n", which, depth, dkp->name);
if ( which == INORDER || which == LEAF )
- while ( dkp ) /* loop through list */
+ {
+// fprintf (stderr, "list_trustedkey order=%d(pre=0,in=1,post=2,leaf=3) depth=%d %s\n", which, depth, dkp->name);
+ /* loop through list */
+ while ( dkp )
{
if ( (dki_isksk (dkp) || zskflag) &&
(labellist == NULL || isinlist (dkp->name, labellist)) )
dki_prt_trustedkey (dkp, stdout);
dkp = dkp->next;
}
+ }
}
+# else
+const dki_t *parent;
+static void list_trustedkey (const dki_t **nodep, const VISIT which, int depth)
+{
+ const dki_t *dkp;
+
+ if ( nodep == NULL )
+ return;
+
+ dkp = *nodep;
+ if ( which == INORDER || which == LEAF )
+ {
+// fprintf (stderr, "list_trustedkey order=%d(pre=0,in=1,post=2,leaf=3) depth=%d %s\n", which, depth, dkp->name);
+ if ( labellist && !isinlist (dkp->name, labellist) )
+ return;
+
+ if ( parent == NULL || !issubdomain (dkp->name, parent->name) )
+ {
+ parent = dkp;
+ /* loop through list */
+ while ( dkp )
+ {
+ if ( (dki_isksk (dkp) || zskflag) )
+ dki_prt_trustedkey (dkp, stdout);
+ dkp = dkp->next;
+ }
+ }
+ }
+}
+# endif
#endif
void zkt_list_trustedkeys (const dki_t *data)
{
-#if !defined(USE_TREE) || !USE_TREE
- const dki_t *dkp;
-#endif
+
/* print headline if list is not empty */
if ( data && headerflag )
printf ("trusted-keys {\n");
#if defined(USE_TREE) && USE_TREE
twalk (data, list_trustedkey);
#else
-
for ( dkp = data; dkp; dkp = dkp->next ) /* loop through list */
if ( (dki_isksk (dkp) || zskflag) &&
(labellist == NULL || isinlist (dkp->name, labellist)) )
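Review bot: The new `const dki_t *parent;` cursor used by list_trustedkey is a non-static file-scope variable that is never reset, so the walk in zkt_list_trustedkeys depends on whatever the previous call left behind and the symbol is exported from the translation unit; declare it `static const dki_t *parent;` and set `parent = NULL;` immediately before `twalk (data, list_trustedkey);`. The `labellist` filter is now evaluated only on the first key of a node before the whole `dkp->next` chain is printed, whereas the `#if 0` version filtered every key; if a chain can hold keys with differing names this is a behaviour change, otherwise a comment such as `/* all keys of a node share one name, so one label check suffices */` would document the assumption. The old implementation kept under `# if 0`, together with the commented-out fprintf lines, is dead code and should be dropped rather than carried forward.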
char *p;
char path[MAX_PATHSIZE+1];
char *signed_ext = ".signed";
+ zconf_t *localconf = NULL;
assert (dir != NULL && *dir != '\0');
assert (conf != NULL);
dbg_val1 ("zone_readdir: check local config file %s\n", path);
if ( fileexist (path) ) /* load local config file */
{
- zconf_t *localconf;
-
localconf = dupconfig (conf);
conf = loadconfig (path, localconf);
+ /* do not free localconf, because a ptr to it will be added to the zone by zone_new() */
}
if ( zfile == NULL )
curr = curr->next;
}
- if ( curr == *list ) /* add node at the beginning of the list */
+ if ( curr == *list ) /* add node at the begining of the list */
*list = new;
else /* add node at end or between two nodes */
last->next = new;