+2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
+
2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+adflag and +cdflag. [RT #19305]
-zkt 0.98 -- 30. Dec 2008
+zkt 0.99c -- 1. Aug 2009
+
+* misc dnssec-signer command line option vars changed to storage
+ class static.
+
+* port setenv() replaced by putenv() in misc.c
+
+* misc Install binaries in prefix/bin instead of $HOME/bin.
+ Fixing some spelling errors in dnssec-signzone.8 and
+ dnssec-zkt.8.
+ Thanks to Mans Nilsson.
+
+* port timegm() check added to configure.ac
+
+* misc configure.ac, Makefile.in, and doc is now part of distribution
+
+* bug off by one error fixed in splitpath()
+
+* misc is_dotfile() renamed to is_dotfilename() (misc.c)
+
+* misc inc_soaserial() sourced out to soaserial.c
+
+* misc reload() functions sourced out to nscomm.c
+
+* bug Introducing parameter "KeyAlgorithm" for both ZSK and
+ KSK keys instead of separate KSK and ZSK algorithms.
+ New functions dki_algo() and dki_findalgo().
+
+* bug Redirect stderr message (additionally to stdout) of
+ dnssec-signzone command to pipe.
+ Pick up last line of output for logging.
+
+* misc "Sig_GenerateDS" is no longer a hidden parameter.
+
+* misc "make clean" now remove the binary files
+ New target "distclean" added to Makefile
+
+* bug Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick
+ Soderblum and Peter Norin for the patch)
+ Changed all TIMEINT parameter values to long.
+
+* bug If someone changes the zone.db file in dynamic mode, this will be treated
+ the same way as an initial setup, so the zone.db file will be used as new
+ input file (Thanks to Shane Wegner for this patch)
+
+* bug Option nsec3_param added to dnssec-signzone command for dynamic zones.
+
+* func New option "NamedChrootDir" added to dnssec.conf to specify the
+ directory of a chrooted named. Without such an option
+ "dnssec-signer -N named.conf" couldn't find the zone file directory.
+
+* misc Default ZSK lifetime set to 12 weeks instead of 3 months (30days) to
+ suppress the warning message about ZSK keysize of 512 bits.
+
+zkt 0.98 -- 28. Dec 2008
* misc Target "install-man" added to Makefile
man files moved to sub directory "man"
prefix = @prefix@
mandir = @mandir@
-INSTALL_DIR = $$HOME/bin
CC = @CC@
HEADER = dki.h misc.h domaincmp.h zconf.h config_zkt.h \
config.h.in strlist.h zone.h zkt.h debug.h \
- ncparse.h log.h rollover.h
+ ncparse.h log.h rollover.h nscomm.h soaserial.h
SRC_ALL = dki.c misc.c domaincmp.c zconf.c log.c
OBJ_ALL = $(SRC_ALL:.c=.o)
-SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c
+SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c \
+ nscomm.c soaserial.c
OBJ_SIG = $(SRC_SIG:.c=.o)
MAN_SIG = dnssec-signer.8
PROG_SIG= dnssec-signer
MAN_ALL = $(MAN_ZKT) $(MAN_SIG) #$(MAN_SER)
OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
configure examples
-SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) man $(OTHER)
-MNTSAVE = $(SAVE) configure.ac config.h.in doc
+SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(OTHER) \
+ man configure.ac config.h.in doc
+#MNTSAVE = $(SAVE) configure.ac config.h.in doc
all: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
-macos: ## for MAC OS
+macos: ## for MAC OS (depreciated)
macos:
$(MAKE) CFLAGS="$(CFLAGS) -D HAS_UTYPES=0" all
-solaris: ## for solaris
+solaris: ## for solaris (depreciated)
solaris:
@$(MAKE) CFLAGS="$(CFLAGS) -D HAVE_GETOPT_LONG=0" all
$(PROG_SER): $(OBJ_SER) Makefile
$(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER)
-install: ## install binaries in INSTALL_DIR
+install: ## install binaries in prefix/bin
install: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
- cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(INSTALL_DIR)
+ test -d $(prefix)/bin || mkdir -p $(prefix)/bin
+ cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(prefix)/bin/
install-man: ## install man pages in mandir
install-man:
- test -d $(mandir)/man8/ && cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/
+ test -d $(mandir)/man8/ || mkdir -p $(mandir)/man8/
+ cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/
+
tags: ## create tags file
clean: ## remove objectfiles and binaries
clean:
- rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL)
+ -rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL) \
+ $(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
+
+distclean: ## remove objectfiles, binaries and distribution files
+distclean: clean
+ -rm -f Makefile config.h config.log config.status config.cache \
+ $(PROJECT)-$(VERSION).tar.gz
-dist: ## create tar file for distribution
-dist: $(PROJECT)-$(VERSION).tar.gz
tar: ## create tar file for distribution
tar: $(PROJECT)-$(VERSION).tar.gz
-maintain: ## create configure script
-maintain: configure
-
-mainttar: ## create tar file for maintenance
-mainttar: $(PROJECT)-maint-$(VERSION).tar.gz
-
-configure: configure.ac
+configure: ## create configure script
+configure: configure.ac Makefile.in
autoconf && autoheader
man: man/$(MAN_ZKT).html man/$(MAN_ZKT).pdf man/$(MAN_SIG).html man/$(MAN_SIG).pdf
cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-$(VERSION).tar.gz $$distfiles ;\
)
-$(PROJECT)-maint-$(VERSION).tar.gz: $(MNTSAVE)
- ( \
- distfiles=`ls -d $(MNTSAVE) | sed 's|^|$(PROJECT)-$(VERSION)/|'` ;\
- cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-maint-$(VERSION).tar.gz $$distfiles ;\
- )
-
depend:
$(CC) -MM $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(SRC_ALL)
## all dependicies
#:r !make depend
-#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
+#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
dnssec-signer.o: dnssec-signer.c config_zkt.h zconf.h debug.h misc.h \
- ncparse.h zone.h dki.h rollover.h log.h
+ ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h
zone.o: zone.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h \
zone.h
ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h
rollover.o: rollover.c config_zkt.h zconf.h debug.h misc.h zone.h dki.h \
log.h rollover.h
+nscomm.o: nscomm.c config_zkt.h zconf.h nscomm.h zone.h dki.h log.h \
+ misc.h debug.h
+soaserial.o: soaserial.c config_zkt.h zconf.h log.h debug.h soaserial.h
dnssec-zkt.o: dnssec-zkt.c config_zkt.h debug.h misc.h zconf.h strlist.h \
dki.h zkt.h
strlist.o: strlist.c strlist.h
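Review bot: The new `install` recipe copies the binaries with plain `cp` into `$(prefix)/bin/`, so the mode of the installed files and of any directory created by `mkdir -p` follows the invoking user's umask, and there is no `$(DESTDIR)` staging; the README in this same change now shows `make install` at a root prompt. For tools that drive DNSSEC signing I would set the modes explicitly and allow a staged install, e.g. `mkdir -p $(DESTDIR)$(prefix)/bin` followed by `install -m 755 $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(DESTDIR)$(prefix)/bin/`, and likewise `-m 644` for the pages in `install-man`. Separately, the `-` prefix added to the `rm -f` lines in `clean` and `distclean` hides genuine removal failures that `rm -f` would otherwise report; drop it or add a comment saying why errors are ignored. The help text on `macos` and `solaris` says "depreciated" where "deprecated" is meant.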
#
# README dnssec zone key tool
#
-# (c) March 2005 - Dec 2008 by Holger Zuleger hznet
+# (c) March 2005 - Aug 2009 by Holger Zuleger hznet
# (c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho)
# (c) for zconf.c by Jeroen Masar & Holger Zuleger
#
To build the software:
a) Get the current version of zkt
- $ wget http://www.hznet.de/dns/zkt/zkt-0.98.tar.gz
+ $ wget http://www.hznet.de/dns/zkt/zkt-0.99c.tar.gz
b) Unpack
- $ tar xzvf zkt-0.98.tar.gz
+ $ tar xzvf zkt-0.99c.tar.gz
c) Change to dir
- $ cd zkt-0.98
+ $ cd zkt-0.99c
d) Run configure script
$ ./configure
$ make
g) Install
- $ make install # this will copy the binarys to $HOME/bin
+ # make install
+ # make install-man
h) (optional) Install and modify the default dnssec.conf file
$ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf
Start and stop of dnssec-signer
Re-signing events
Key rollover events
+ KSK key generation and revoking
Zone reload resp. freeze/thaw of dynamic zone
LG_INFO: Currently none
planned:
-TODO list as of zkt-0.97
+TODO list as of zkt-0.99
general:
Renaming of the tools to zkt-* ?
dnssec-zkt:
feat option to specify the key age as remaining lifetime
- (Option -i inverse age ?) As of v0.95 the key lifetime
- is stored at the key itself, so this could be possibly
- implemented without big effort(?).
+ (Option -i inverse age ?).
dnssec-signer:
- bug Distribute_Cmd will not work properly on dynamic zones
+ bug Distribute_Cmd wouldn't work properly on dynamic zones
+ (missing freeze, thaw; copy Keyfiles instead of signed zone file)
bug Automatic KSK rollover of dynamic zones will only work if the parent
uses the standard name for the signed zonefile (zonefile.db.signed).
(Key removal is not recognized by dosigning () function )
bug There is no online checking of the key material by design.
- So the signer command checks the status of the key as they
+ The signer command checks the status of the key as they
are represented in the file system and not in the zone.
The dnssec maintainer is responsible for the lifeliness of the
data in the hosted domain.
/* Define to 1 if you have the `gettimeofday' function. */
#undef HAVE_GETTIMEOFDAY
+/* Define to 1 if you have the `getuid' function. */
+#undef HAVE_GETUID
+
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H
-/* Define to 1 if you have the `setenv' function. */
-#undef HAVE_SETENV
+/* Define to 1 if you have the `putenv' function. */
+#undef HAVE_PUTENV
/* Define to 1 if you have the `socket' function. */
#undef HAVE_SOCKET
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
+/* Define to 1 if you have the `timegm' function. */
+#undef HAVE_TIMEGM
+
/* Define to 1 if you have the `tzset' function. */
#undef HAVE_TZSET
/* Define to rpl_malloc if the replacement function should be used. */
#undef malloc
-/* Define to `unsigned' if <sys/types.h> does not define. */
+/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
/* Define to `unsigned char' if <sys/types.h> does not define. */
#ifndef CONFIG_ZKT_H
# define CONFIG_ZKT_H
-#ifndef HAS_TIMEGM
-# define HAS_TIMEGM 1
-#endif
-
#ifndef LOG_FNAMETMPL
# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
#endif
# define HAS_UTYPES 1
#endif
-#ifndef HAVE_GETOPT_LONG
-# define HAVE_GETOPT_LONG 1
-#endif
-
-#ifndef HAVE_STRFTIME
-# define HAVE_STRFTIME 1
-#endif
+/* # define HAVE_TIMEGM 1 */
+/* # define HAVE_GETOPT_LONG 1 */
+/* # define HAVE_STRFTIME 1 */
#ifndef TTL_IN_KEYFILE_ALLOWED
# define TTL_IN_KEYFILE_ALLOWED 1
# define LOG_WITH_LEVEL 1
#endif
+#ifndef ALWAYS_CHECK_KEYSETFILES
+# define ALWAYS_CHECK_KEYSETFILES 1
+#endif
+
#ifndef CONFIG_PATH
# define CONFIG_PATH "/var/named/"
#endif
#ifndef ZKT_VERSION
# if defined(USE_TREE) && USE_TREE
-# define ZKT_VERSION "vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
+# define ZKT_VERSION "vT0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
# else
-# define ZKT_VERSION "v0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
+# define ZKT_VERSION "v0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
# endif
#endif
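Review bot: With the `#ifndef` defaults for `HAVE_GETOPT_LONG` and `HAVE_STRFTIME` removed and `HAS_TIMEGM` replaced by a commented-out `HAVE_TIMEGM`, these feature macros exist only if the configure-generated config.h is included before this header (unless this header includes it itself, which is not visible here). An undefined macro in an `#if` test evaluates to 0 without any diagnostic, so a source file that still tests `HAS_TIMEGM`, or that includes config_zkt.h without config.h, would silently take the fallback path for time conversion or option parsing; the users of these macros are outside this section and need checking. I would drop the three commented-out defines and state the requirement instead, e.g. `/* HAVE_TIMEGM, HAVE_GETOPT_LONG and HAVE_STRFTIME are provided by config.h (configure); include it first */`. The new `ALWAYS_CHECK_KEYSETFILES` default also deserves a one-line comment saying which check it turns on.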
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for ZKT 0.98.
+# Generated by GNU Autoconf 2.61 for ZKT 0.99c.
#
# Report bugs to <Holger Zuleger hznet.de>.
#
-# Copyright (C) 2003 Free Software Foundation, Inc.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
# This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it.
## --------------------- ##
## M4sh Initialization. ##
## --------------------- ##
-# Be Bourne compatible
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
emulate sh
NULLCMD=:
# Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
# is contrary to our usage. Disable this feature.
alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
- set -o posix
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ echo "#! /bin/sh" >conf$$.sh
+ echo "exit 0" >>conf$$.sh
+ chmod +x conf$$.sh
+ if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+ PATH_SEPARATOR=';'
+ else
+ PATH_SEPARATOR=:
+ fi
+ rm -f conf$$.sh
fi
-DUALCASE=1; export DUALCASE # for MKS sh
# Support unset when possible.
if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
fi
+# IFS
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" "" $as_nl"
+
+# Find who we are. Look in the path if we contain no directory separator.
+case $0 in
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+ as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+ echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+ { (exit 1); exit 1; }
+fi
+
# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
PS1='$ '
PS2='> '
PS4='+ '
if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
eval $as_var=C; export $as_var
else
- $as_unset $as_var
+ ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
fi
done
# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
as_expr=expr
else
as_expr=false
fi
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
as_basename=basename
else
as_basename=false
# Name of the executable.
-as_me=`$as_basename "$0" ||
+as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
X"$0" : 'X\(//\)$' \| \
- X"$0" : 'X\(/\)$' \| \
- . : '\(.\)' 2>/dev/null ||
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
echo X/"$0" |
- sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
- /^X\/\(\/\/\)$/{ s//\1/; q; }
- /^X\/\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+# CDPATH.
+$as_unset CDPATH
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
- echo "#! /bin/sh" >conf$$.sh
- echo "exit 0" >>conf$$.sh
- chmod +x conf$$.sh
- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
- PATH_SEPARATOR=';'
- else
- PATH_SEPARATOR=:
- fi
- rm -f conf$$.sh
+if test "x$CONFIG_SHELL" = x; then
+ if (eval ":") 2>/dev/null; then
+ as_have_required=yes
+else
+ as_have_required=no
fi
+ if test $as_have_required = yes && (eval ":
+(as_func_return () {
+ (exit \$1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
- as_lineno_1=$LINENO
- as_lineno_2=$LINENO
- as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
- test "x$as_lineno_1" != "x$as_lineno_2" &&
- test "x$as_lineno_3" = "x$as_lineno_2" || {
- # Find who we are. Look in the path if we contain no path at all
- # relative or not.
- case $0 in
- *[\\/]* ) as_myself=$0 ;;
- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
- ;;
- esac
- # We did not find ourselves, most probably we were run as `sh COMMAND'
- # in which case we are not to be found in the path.
- if test "x$as_myself" = x; then
- as_myself=$0
- fi
- if test ! -f "$as_myself"; then
- { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2
- { (exit 1); exit 1; }; }
- fi
- case $CONFIG_SHELL in
- '')
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0) || { (exit 1); exit 1; }
+
+(
+ as_lineno_1=\$LINENO
+ as_lineno_2=\$LINENO
+ test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+ test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+") 2> /dev/null; then
+ :
+else
+ as_candidate_shells=
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
- for as_base in sh bash ksh sh5; do
- case $as_dir in
+ case $as_dir in
/*)
- if ("$as_dir/$as_base" -c '
+ for as_base in sh bash ksh sh5; do
+ as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
+ done;;
+ esac
+done
+IFS=$as_save_IFS
+
+
+ for as_shell in $as_candidate_shells $SHELL; do
+ # Try only shells that exist, to save several forks.
+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+ { ("$as_shell") 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+_ASEOF
+}; then
+ CONFIG_SHELL=$as_shell
+ as_have_required=yes
+ if { "$as_shell" 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+(as_func_return () {
+ (exit $1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
+
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
+
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = "$1" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test $exitcode = 0) || { (exit 1); exit 1; }
+
+(
as_lineno_1=$LINENO
as_lineno_2=$LINENO
- as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
test "x$as_lineno_1" != "x$as_lineno_2" &&
- test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then
- $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
- $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
- CONFIG_SHELL=$as_dir/$as_base
- export CONFIG_SHELL
- exec "$CONFIG_SHELL" "$0" ${1+"$@"}
- fi;;
- esac
- done
-done
-;;
- esac
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+
+_ASEOF
+}; then
+ break
+fi
+
+fi
+
+ done
+
+ if test "x$CONFIG_SHELL" != x; then
+ for as_var in BASH_ENV ENV
+ do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+ done
+ export CONFIG_SHELL
+ exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+fi
+
+
+ if test $as_have_required = no; then
+ echo This script requires a shell more modern than all the
+ echo shells that I found on your system. Please install a
+ echo modern shell, or manually run the script under such a
+ echo shell if you do have one.
+ { (exit 1); exit 1; }
+fi
+
+
+fi
+
+fi
+
+
+
+(eval "as_func_return () {
+ (exit \$1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
+
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
+
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0") || {
+ echo No shell found that supports shell functions.
+ echo Please tell autoconf@gnu.org about your system,
+ echo including any error possibly output before this
+ echo message
+}
+
+
+
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
# Create $as_me.lineno as a copy of $as_myself, but with $LINENO
# uniformly replaced by the line number. The first 'sed' inserts a
- # line-number line before each line; the second 'sed' does the real
- # work. The second script uses 'N' to pair each line-number line
- # with the numbered line, and appends trailing '-' during
- # substitution so that $LINENO is not a special case at line end.
+ # line-number line after each line using $LINENO; the second 'sed'
+ # does the real work. The second script uses 'N' to pair each
+ # line-number line with the line containing $LINENO, and appends
+ # trailing '-' during substitution so that $LINENO is not a special
+ # case at line end.
# (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
- # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-)
- sed '=' <$as_myself |
+ # scripts with optimization help from Paolo Bonzini. Blame Lee
+ # E. McMahon (1931-1989) for sed's syntax. :-)
+ sed -n '
+ p
+ /[$]LINENO/=
+ ' <$as_myself |
sed '
+ s/[$]LINENO.*/&-/
+ t lineno
+ b
+ :lineno
N
- s,$,-,
- : loop
- s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+ :loop
+ s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
t loop
- s,-$,,
- s,^['$as_cr_digits']*\n,,
+ s/-\n.*//
' >$as_me.lineno &&
- chmod +x $as_me.lineno ||
+ chmod +x "$as_me.lineno" ||
{ echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
{ (exit 1); exit 1; }; }
# Don't try to exec as it changes $[0], causing all sort of problems
# (the dirname of $[0] is not the place where we might find the
- # original and so on. Autoconf is especially sensible to this).
- . ./$as_me.lineno
+ # original and so on. Autoconf is especially sensitive to this).
+ . "./$as_me.lineno"
# Exit status is that of the last command.
exit
}
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
- *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T=' ' ;;
- *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;;
- *) ECHO_N= ECHO_C='\c' ECHO_T= ;;
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+ as_dirname=dirname
+else
+ as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+ case `echo 'x\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+ *) ECHO_C='\c';;
+ esac;;
+*)
+ ECHO_N='-n';;
esac
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
as_expr=expr
else
as_expr=false
fi
rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+else
+ rm -f conf$$.dir
+ mkdir conf$$.dir
+fi
echo >conf$$.file
if ln -s conf$$.file conf$$ 2>/dev/null; then
- # We could just check for DJGPP; but this test a) works b) is more generic
- # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
- if test -f conf$$.exe; then
- # Don't use ln at all; we don't have any links
+ as_ln_s='ln -s'
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+ # In both cases, we have to default to `cp -p'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
as_ln_s='cp -p'
- else
- as_ln_s='ln -s'
- fi
elif ln conf$$.file conf$$ 2>/dev/null; then
as_ln_s=ln
else
as_ln_s='cp -p'
fi
-rm -f conf$$ conf$$.exe conf$$.file
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
if mkdir -p . 2>/dev/null; then
as_mkdir_p=:
as_mkdir_p=false
fi
-as_executable_p="test -f"
+if test -x / >/dev/null 2>&1; then
+ as_test_x='test -x'
+else
+ if ls -dL / >/dev/null 2>&1; then
+ as_ls_L_option=L
+ else
+ as_ls_L_option=
+ fi
+ as_test_x='
+ eval sh -c '\''
+ if test -d "$1"; then
+ test -d "$1/.";
+ else
+ case $1 in
+ -*)set "./$1";;
+ esac;
+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+ ???[sx]*):;;*)false;;esac;fi
+ '\'' sh
+ '
+fi
+as_executable_p=$as_test_x
# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" $as_nl"
-
-# CDPATH.
-$as_unset CDPATH
+exec 7<&0 </dev/null 6>&1
# Name of the host.
# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
# so uname gets run too.
ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
-exec 6>&1
-
#
# Initializations.
#
ac_default_prefix=/usr/local
+ac_clean_files=
ac_config_libobj_dir=.
+LIBOBJS=
cross_compiling=no
subdirs=
MFLAGS=
MAKEFLAGS=
SHELL=${CONFIG_SHELL-/bin/sh}
-# Maximum number of lines to put in a shell here document.
-# This variable seems obsolete. It should probably be removed, and
-# only ac_max_sed_lines should be used.
-: ${ac_max_here_lines=38}
-
# Identity of this package.
PACKAGE_NAME='ZKT'
PACKAGE_TARNAME='zkt'
-PACKAGE_VERSION='0.98'
-PACKAGE_STRING='ZKT 0.98'
+PACKAGE_VERSION='0.99c'
+PACKAGE_STRING='ZKT 0.99c'
PACKAGE_BUGREPORT='Holger Zuleger hznet.de'
ac_unique_file="dnssec-zkt.c"
# Factoring default headers for most tests.
ac_includes_default="\
#include <stdio.h>
-#if HAVE_SYS_TYPES_H
+#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
-#if HAVE_SYS_STAT_H
+#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
-#if STDC_HEADERS
+#ifdef STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
-# if HAVE_STDLIB_H
+# ifdef HAVE_STDLIB_H
# include <stdlib.h>
# endif
#endif
-#if HAVE_STRING_H
-# if !STDC_HEADERS && HAVE_MEMORY_H
+#ifdef HAVE_STRING_H
+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
# include <memory.h>
# endif
# include <string.h>
#endif
-#if HAVE_STRINGS_H
+#ifdef HAVE_STRINGS_H
# include <strings.h>
#endif
-#if HAVE_INTTYPES_H
+#ifdef HAVE_INTTYPES_H
# include <inttypes.h>
-#else
-# if HAVE_STDINT_H
-# include <stdint.h>
-# endif
#endif
-#if HAVE_UNISTD_H
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif"
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SIGNZONE_PROG CPP EGREP LIBOBJS LTLIBOBJS'
+ac_header_list=
+ac_func_list=
+ac_subst_vars='SHELL
+PATH_SEPARATOR
+PACKAGE_NAME
+PACKAGE_TARNAME
+PACKAGE_VERSION
+PACKAGE_STRING
+PACKAGE_BUGREPORT
+exec_prefix
+prefix
+program_transform_name
+bindir
+sbindir
+libexecdir
+datarootdir
+datadir
+sysconfdir
+sharedstatedir
+localstatedir
+includedir
+oldincludedir
+docdir
+infodir
+htmldir
+dvidir
+pdfdir
+psdir
+libdir
+localedir
+mandir
+DEFS
+ECHO_C
+ECHO_N
+ECHO_T
+LIBS
+build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+CPPFLAGS
+ac_ct_CC
+EXEEXT
+OBJEXT
+SIGNZONE_PROG
+CPP
+GREP
+EGREP
+LIBOBJS
+LTLIBOBJS'
ac_subst_files=''
+ ac_precious_vars='build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+LIBS
+CPPFLAGS
+CPP'
+
# Initialize some variables set by options.
ac_init_help=
# and all the variables that are supposed to be based on exec_prefix
# by default will actually change.
# Use braces instead of parens because sh, perl, etc. also accept them.
+# (The list follows the same order as the GNU Coding Standards.)
bindir='${exec_prefix}/bin'
sbindir='${exec_prefix}/sbin'
libexecdir='${exec_prefix}/libexec'
-datadir='${prefix}/share'
+datarootdir='${prefix}/share'
+datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
-libdir='${exec_prefix}/lib'
includedir='${prefix}/include'
oldincludedir='/usr/include'
-infodir='${prefix}/info'
-mandir='${prefix}/man'
+docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+infodir='${datarootdir}/info'
+htmldir='${docdir}'
+dvidir='${docdir}'
+pdfdir='${docdir}'
+psdir='${docdir}'
+libdir='${exec_prefix}/lib'
+localedir='${datarootdir}/locale'
+mandir='${datarootdir}/man'
ac_prev=
+ac_dashdash=
for ac_option
do
# If the previous option needs an argument, assign it.
if test -n "$ac_prev"; then
- eval "$ac_prev=\$ac_option"
+ eval $ac_prev=\$ac_option
ac_prev=
continue
fi
- ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'`
+ case $ac_option in
+ *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+ *) ac_optarg=yes ;;
+ esac
# Accept the important Cygnus configure options, so we can diagnose typos.
- case $ac_option in
+ case $ac_dashdash$ac_option in
+ --)
+ ac_dashdash=yes ;;
-bindir | --bindir | --bindi | --bind | --bin | --bi)
ac_prev=bindir ;;
--config-cache | -C)
cache_file=config.cache ;;
- -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+ -datadir | --datadir | --datadi | --datad)
ac_prev=datadir ;;
- -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
- | --da=*)
+ -datadir=* | --datadir=* | --datadi=* | --datad=*)
datadir=$ac_optarg ;;
+ -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
+ | --dataroo | --dataro | --datar)
+ ac_prev=datarootdir ;;
+ -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
+ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
+ datarootdir=$ac_optarg ;;
+
-disable-* | --disable-*)
ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
# Reject names that are not valid shell variable names.
- expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+ expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid feature name: $ac_feature" >&2
{ (exit 1); exit 1; }; }
- ac_feature=`echo $ac_feature | sed 's/-/_/g'`
- eval "enable_$ac_feature=no" ;;
+ ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+ eval enable_$ac_feature=no ;;
+
+ -docdir | --docdir | --docdi | --doc | --do)
+ ac_prev=docdir ;;
+ -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
+ docdir=$ac_optarg ;;
+
+ -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
+ ac_prev=dvidir ;;
+ -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
+ dvidir=$ac_optarg ;;
-enable-* | --enable-*)
ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
# Reject names that are not valid shell variable names.
- expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+ expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid feature name: $ac_feature" >&2
{ (exit 1); exit 1; }; }
- ac_feature=`echo $ac_feature | sed 's/-/_/g'`
- case $ac_option in
- *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
- *) ac_optarg=yes ;;
- esac
- eval "enable_$ac_feature='$ac_optarg'" ;;
+ ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+ eval enable_$ac_feature=\$ac_optarg ;;
-exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
| --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
-host=* | --host=* | --hos=* | --ho=*)
host_alias=$ac_optarg ;;
+ -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
+ ac_prev=htmldir ;;
+ -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
+ | --ht=*)
+ htmldir=$ac_optarg ;;
+
-includedir | --includedir | --includedi | --included | --include \
| --includ | --inclu | --incl | --inc)
ac_prev=includedir ;;
| --libexe=* | --libex=* | --libe=*)
libexecdir=$ac_optarg ;;
+ -localedir | --localedir | --localedi | --localed | --locale)
+ ac_prev=localedir ;;
+ -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
+ localedir=$ac_optarg ;;
+
-localstatedir | --localstatedir | --localstatedi | --localstated \
- | --localstate | --localstat | --localsta | --localst \
- | --locals | --local | --loca | --loc | --lo)
+ | --localstate | --localstat | --localsta | --localst | --locals)
ac_prev=localstatedir ;;
-localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
- | --localstate=* | --localstat=* | --localsta=* | --localst=* \
- | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
localstatedir=$ac_optarg ;;
-mandir | --mandir | --mandi | --mand | --man | --ma | --m)
| --progr-tra=* | --program-tr=* | --program-t=*)
program_transform_name=$ac_optarg ;;
+ -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
+ ac_prev=pdfdir ;;
+ -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
+ pdfdir=$ac_optarg ;;
+
+ -psdir | --psdir | --psdi | --psd | --ps)
+ ac_prev=psdir ;;
+ -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
+ psdir=$ac_optarg ;;
+
-q | -quiet | --quiet | --quie | --qui | --qu | --q \
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-with-* | --with-*)
ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
# Reject names that are not valid shell variable names.
- expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+ expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid package name: $ac_package" >&2
{ (exit 1); exit 1; }; }
- ac_package=`echo $ac_package| sed 's/-/_/g'`
- case $ac_option in
- *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
- *) ac_optarg=yes ;;
- esac
- eval "with_$ac_package='$ac_optarg'" ;;
+ ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+ eval with_$ac_package=\$ac_optarg ;;
-without-* | --without-*)
ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
# Reject names that are not valid shell variable names.
- expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+ expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid package name: $ac_package" >&2
{ (exit 1); exit 1; }; }
- ac_package=`echo $ac_package | sed 's/-/_/g'`
- eval "with_$ac_package=no" ;;
+ ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+ eval with_$ac_package=no ;;
--x)
# Obsolete; use --with-x.
expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid variable name: $ac_envvar" >&2
{ (exit 1); exit 1; }; }
- ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`
- eval "$ac_envvar='$ac_optarg'"
+ eval $ac_envvar=\$ac_optarg
export $ac_envvar ;;
*)
{ (exit 1); exit 1; }; }
fi
-# Be sure to have absolute paths.
-for ac_var in exec_prefix prefix
-do
- eval ac_val=$`echo $ac_var`
- case $ac_val in
- [\\/$]* | ?:[\\/]* | NONE | '' ) ;;
- *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
- { (exit 1); exit 1; }; };;
- esac
-done
-
-# Be sure to have absolute paths.
-for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \
- localstatedir libdir includedir oldincludedir infodir mandir
+# Be sure to have absolute directory names.
+for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+ libdir localedir mandir
do
- eval ac_val=$`echo $ac_var`
+ eval ac_val=\$$ac_var
case $ac_val in
- [\\/$]* | ?:[\\/]* ) ;;
- *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
- { (exit 1); exit 1; }; };;
+ [\\/$]* | ?:[\\/]* ) continue;;
+ NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
esac
+ { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+ { (exit 1); exit 1; }; }
done
# There might be people who depend on the old broken behavior: `$host'
test "$silent" = yes && exec 6>/dev/null
+ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ac_ls_di=`ls -di .` &&
+ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+ { echo "$as_me: error: Working directory cannot be determined" >&2
+ { (exit 1); exit 1; }; }
+test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+ { echo "$as_me: error: pwd does not report name of working directory" >&2
+ { (exit 1); exit 1; }; }
+
+
# Find the source files, if location was not specified.
if test -z "$srcdir"; then
ac_srcdir_defaulted=yes
- # Try the directory containing this script, then its parent.
- ac_confdir=`(dirname "$0") 2>/dev/null ||
+ # Try the directory containing this script, then the parent directory.
+ ac_confdir=`$as_dirname -- "$0" ||
$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$0" : 'X\(//\)[^/]' \| \
X"$0" : 'X\(//\)$' \| \
- X"$0" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
echo X"$0" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
srcdir=$ac_confdir
- if test ! -r $srcdir/$ac_unique_file; then
+ if test ! -r "$srcdir/$ac_unique_file"; then
srcdir=..
fi
else
ac_srcdir_defaulted=no
fi
-if test ! -r $srcdir/$ac_unique_file; then
- if test "$ac_srcdir_defaulted" = yes; then
- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
+if test ! -r "$srcdir/$ac_unique_file"; then
+ test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+ { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
{ (exit 1); exit 1; }; }
- else
- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+fi
+ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ac_abs_confdir=`(
+ cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
{ (exit 1); exit 1; }; }
- fi
-fi
-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null ||
- { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
- { (exit 1); exit 1; }; }
-srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`
-ac_env_build_alias_set=${build_alias+set}
-ac_env_build_alias_value=$build_alias
-ac_cv_env_build_alias_set=${build_alias+set}
-ac_cv_env_build_alias_value=$build_alias
-ac_env_host_alias_set=${host_alias+set}
-ac_env_host_alias_value=$host_alias
-ac_cv_env_host_alias_set=${host_alias+set}
-ac_cv_env_host_alias_value=$host_alias
-ac_env_target_alias_set=${target_alias+set}
-ac_env_target_alias_value=$target_alias
-ac_cv_env_target_alias_set=${target_alias+set}
-ac_cv_env_target_alias_value=$target_alias
-ac_env_CC_set=${CC+set}
-ac_env_CC_value=$CC
-ac_cv_env_CC_set=${CC+set}
-ac_cv_env_CC_value=$CC
-ac_env_CFLAGS_set=${CFLAGS+set}
-ac_env_CFLAGS_value=$CFLAGS
-ac_cv_env_CFLAGS_set=${CFLAGS+set}
-ac_cv_env_CFLAGS_value=$CFLAGS
-ac_env_LDFLAGS_set=${LDFLAGS+set}
-ac_env_LDFLAGS_value=$LDFLAGS
-ac_cv_env_LDFLAGS_set=${LDFLAGS+set}
-ac_cv_env_LDFLAGS_value=$LDFLAGS
-ac_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_env_CPPFLAGS_value=$CPPFLAGS
-ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_cv_env_CPPFLAGS_value=$CPPFLAGS
-ac_env_CPP_set=${CPP+set}
-ac_env_CPP_value=$CPP
-ac_cv_env_CPP_set=${CPP+set}
-ac_cv_env_CPP_value=$CPP
+ pwd)`
+# When building in place, set srcdir=.
+if test "$ac_abs_confdir" = "$ac_pwd"; then
+ srcdir=.
+fi
+# Remove unnecessary trailing slashes from srcdir.
+# Double slashes in file names in object file debugging info
+# mess up M-x gdb in Emacs.
+case $srcdir in
+*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
+esac
+for ac_var in $ac_precious_vars; do
+ eval ac_env_${ac_var}_set=\${${ac_var}+set}
+ eval ac_env_${ac_var}_value=\$${ac_var}
+ eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
+ eval ac_cv_env_${ac_var}_value=\$${ac_var}
+done
#
# Report the --help message.
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures ZKT 0.98 to adapt to many kinds of systems.
+\`configure' configures ZKT 0.99c to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or \`..']
-_ACEOF
-
- cat <<_ACEOF
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[$ac_default_prefix]
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
- --datadir=DIR read-only architecture-independent data [PREFIX/share]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
- --infodir=DIR info documentation [PREFIX/info]
- --mandir=DIR man documentation [PREFIX/man]
+ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
+ --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
+ --infodir=DIR info documentation [DATAROOTDIR/info]
+ --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
+ --mandir=DIR man documentation [DATAROOTDIR/man]
+ --docdir=DIR documentation root [DATAROOTDIR/doc/zkt]
+ --htmldir=DIR html documentation [DOCDIR]
+ --dvidir=DIR dvi documentation [DOCDIR]
+ --pdfdir=DIR pdf documentation [DOCDIR]
+ --psdir=DIR ps documentation [DOCDIR]
_ACEOF
cat <<\_ACEOF
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of ZKT 0.98:";;
+ short | recursive ) echo "Configuration of ZKT 0.99c:";;
esac
cat <<\_ACEOF
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
- CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
- headers in a nonstandard directory <include dir>
+ LIBS libraries to pass to the linker, e.g. -l<library>
+ CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
+ you have headers in a nonstandard directory <include dir>
CPP C preprocessor
Use these variables to override the choices made by `configure' or to help
Report bugs to <Holger Zuleger hznet.de>.
_ACEOF
+ac_status=$?
fi
if test "$ac_init_help" = "recursive"; then
# If there are subdirs, report their specific --help.
- ac_popdir=`pwd`
for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
- test -d $ac_dir || continue
+ test -d "$ac_dir" || continue
ac_builddir=.
-if test "$ac_dir" != .; then
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
- # A "../" for each directory in $ac_dir_suffix.
- ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
- ac_dir_suffix= ac_top_builddir=
-fi
+ # A ".." for each directory in $ac_dir_suffix.
+ ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+ esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
case $srcdir in
- .) # No --srcdir option. We are building in place.
+ .) # We are building in place.
ac_srcdir=.
- if test -z "$ac_top_builddir"; then
- ac_top_srcdir=.
- else
- ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
- fi ;;
- [\\/]* | ?:[\\/]* ) # Absolute path.
+ ac_top_srcdir=$ac_top_builddir_sub
+ ac_abs_top_srcdir=$ac_pwd ;;
+ [\\/]* | ?:[\\/]* ) # Absolute name.
ac_srcdir=$srcdir$ac_dir_suffix;
- ac_top_srcdir=$srcdir ;;
- *) # Relative path.
- ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
- ac_top_srcdir=$ac_top_builddir$srcdir ;;
-esac
-
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
- case "$ac_dir" in
- .) ac_abs_builddir=`pwd`;;
- [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
- *) ac_abs_builddir=`pwd`/"$ac_dir";;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
- case ${ac_top_builddir}. in
- .) ac_abs_top_builddir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
- *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
- case $ac_srcdir in
- .) ac_abs_srcdir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
- *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
- esac;;
+ ac_top_srcdir=$srcdir
+ ac_abs_top_srcdir=$srcdir ;;
+ *) # Relative name.
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_build_prefix$srcdir
+ ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
- case $ac_top_srcdir in
- .) ac_abs_top_srcdir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
- *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
- esac;;
-esac
-
- cd $ac_dir
- # Check for guested configure; otherwise get Cygnus style configure.
- if test -f $ac_srcdir/configure.gnu; then
- echo
- $SHELL $ac_srcdir/configure.gnu --help=recursive
- elif test -f $ac_srcdir/configure; then
- echo
- $SHELL $ac_srcdir/configure --help=recursive
- elif test -f $ac_srcdir/configure.ac ||
- test -f $ac_srcdir/configure.in; then
- echo
- $ac_configure --help
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+ cd "$ac_dir" || { ac_status=$?; continue; }
+ # Check for guested configure.
+ if test -f "$ac_srcdir/configure.gnu"; then
+ echo &&
+ $SHELL "$ac_srcdir/configure.gnu" --help=recursive
+ elif test -f "$ac_srcdir/configure"; then
+ echo &&
+ $SHELL "$ac_srcdir/configure" --help=recursive
else
echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
- fi
- cd $ac_popdir
+ fi || ac_status=$?
+ cd "$ac_pwd" || { ac_status=$?; break; }
done
fi
-test -n "$ac_init_help" && exit 0
+test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-ZKT configure 0.98
-generated by GNU Autoconf 2.59
+ZKT configure 0.99c
+generated by GNU Autoconf 2.61
-Copyright (C) 2003 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
_ACEOF
- exit 0
+ exit
fi
-exec 5>config.log
-cat >&5 <<_ACEOF
+cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by ZKT $as_me 0.98, which was
-generated by GNU Autoconf 2.59. Invocation command line was
+It was created by ZKT $as_me 0.99c, which was
+generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
_ACEOF
+exec 5>>config.log
{
cat <<_ASUNAME
## --------- ##
/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown`
/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown`
/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
-hostinfo = `(hostinfo) 2>/dev/null || echo unknown`
+/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown`
/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown`
/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown`
/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown`
test -z "$as_dir" && as_dir=.
echo "PATH: $as_dir"
done
+IFS=$as_save_IFS
} >&5
ac_configure_args=
ac_configure_args0=
ac_configure_args1=
-ac_sep=
ac_must_keep_next=false
for ac_pass in 1 2
do
-q | -quiet | --quiet | --quie | --qui | --qu | --q \
| -silent | --silent | --silen | --sile | --sil)
continue ;;
- *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
+ *\'*)
ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
esac
case $ac_pass in
-* ) ac_must_keep_next=true ;;
esac
fi
- ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
- # Get rid of the leading space.
- ac_sep=" "
+ ac_configure_args="$ac_configure_args '$ac_arg'"
;;
esac
done
# When interrupted or exit'd, cleanup temporary files, and complete
# config.log. We remove comments because anyway the quotes in there
# would cause problems or look ugly.
-# WARNING: Be sure not to use single quotes in there, as some shells,
-# such as our DU 5.0 friend, will then `close' the trap.
+# WARNING: Use '\'' to represent an apostrophe within the trap.
+# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
trap 'exit_status=$?
# Save into config.log some information that might help in debugging.
{
_ASBOX
echo
# The following way of writing the cache mishandles newlines in values,
-{
+(
+ for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
+ eval ac_val=\$$ac_var
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+ *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+ *) $as_unset $ac_var ;;
+ esac ;;
+ esac
+ done
(set) 2>&1 |
- case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in
- *ac_space=\ *)
+ case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
sed -n \
- "s/'"'"'/'"'"'\\\\'"'"''"'"'/g;
- s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p"
- ;;
+ "s/'\''/'\''\\\\'\'''\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
+ ;; #(
*)
- sed -n \
- "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
;;
- esac;
-}
+ esac |
+ sort
+)
echo
cat <<\_ASBOX
echo
for ac_var in $ac_subst_vars
do
- eval ac_val=$`echo $ac_var`
- echo "$ac_var='"'"'$ac_val'"'"'"
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+ echo "$ac_var='\''$ac_val'\''"
done | sort
echo
if test -n "$ac_subst_files"; then
cat <<\_ASBOX
-## ------------- ##
-## Output files. ##
-## ------------- ##
+## ------------------- ##
+## File substitutions. ##
+## ------------------- ##
_ASBOX
echo
for ac_var in $ac_subst_files
do
- eval ac_val=$`echo $ac_var`
- echo "$ac_var='"'"'$ac_val'"'"'"
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+ echo "$ac_var='\''$ac_val'\''"
done | sort
echo
fi
## ----------- ##
_ASBOX
echo
- sed "/^$/d" confdefs.h | sort
+ cat confdefs.h
echo
fi
test "$ac_signal" != 0 &&
echo "$as_me: caught signal $ac_signal"
echo "$as_me: exit $exit_status"
} >&5
- rm -f core *.core &&
- rm -rf conftest* confdefs* conf$$* $ac_clean_files &&
+ rm -f core *.core core.conftest.* &&
+ rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
exit $exit_status
- ' 0
+' 0
for ac_signal in 1 2 13 15; do
trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
done
ac_signal=0
# confdefs.h avoids OS command line length limits that DEFS can exceed.
-rm -rf conftest* confdefs.h
-# AIX cpp loses on an empty file, so make sure it contains at least a newline.
-echo >confdefs.h
+rm -f -r conftest* confdefs.h
# Predefined preprocessor variables.
# Let the site file select an alternate cache file if it wants to.
# Prefer explicitly selected file to automatically selected ones.
-if test -z "$CONFIG_SITE"; then
- if test "x$prefix" != xNONE; then
- CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
- else
- CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
- fi
+if test -n "$CONFIG_SITE"; then
+ set x "$CONFIG_SITE"
+elif test "x$prefix" != xNONE; then
+ set x "$prefix/share/config.site" "$prefix/etc/config.site"
+else
+ set x "$ac_default_prefix/share/config.site" \
+ "$ac_default_prefix/etc/config.site"
fi
-for ac_site_file in $CONFIG_SITE; do
+shift
+for ac_site_file
+do
if test -r "$ac_site_file"; then
{ echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
echo "$as_me: loading site script $ac_site_file" >&6;}
{ echo "$as_me:$LINENO: loading cache $cache_file" >&5
echo "$as_me: loading cache $cache_file" >&6;}
case $cache_file in
- [\\/]* | ?:[\\/]* ) . $cache_file;;
- *) . ./$cache_file;;
+ [\\/]* | ?:[\\/]* ) . "$cache_file";;
+ *) . "./$cache_file";;
esac
fi
else
>$cache_file
fi
+ac_header_list="$ac_header_list sys/time.h"
+ac_header_list="$ac_header_list unistd.h"
+ac_func_list="$ac_func_list alarm"
+ac_header_list="$ac_header_list utime.h"
# Check that the precious variables saved in the cache have kept the same
# value.
ac_cache_corrupted=false
-for ac_var in `(set) 2>&1 |
- sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do
+for ac_var in $ac_precious_vars; do
eval ac_old_set=\$ac_cv_env_${ac_var}_set
eval ac_new_set=\$ac_env_${ac_var}_set
- eval ac_old_val="\$ac_cv_env_${ac_var}_value"
- eval ac_new_val="\$ac_env_${ac_var}_value"
+ eval ac_old_val=\$ac_cv_env_${ac_var}_value
+ eval ac_new_val=\$ac_env_${ac_var}_value
case $ac_old_set,$ac_new_set in
set,)
{ echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
# Pass precious variables to config.status.
if test "$ac_new_set" = set; then
case $ac_new_val in
- *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
- ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+ *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
*) ac_arg=$ac_var=$ac_new_val ;;
esac
case " $ac_configure_args " in
{ (exit 1); exit 1; }; }
fi
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
### Files to test to check if src dir contains the package
- ac_config_headers="$ac_config_headers config.h"
+ac_config_headers="$ac_config_headers config.h"
if test -n "$ac_tool_prefix"; then
# Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
set dummy ${ac_tool_prefix}gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
if test "${ac_cv_prog_CC+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="${ac_tool_prefix}gcc"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
+IFS=$as_save_IFS
fi
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
- echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
fi
+
fi
if test -z "$ac_cv_prog_CC"; then
ac_ct_CC=$CC
# Extract the first word of "gcc", so it can be a program name with args.
set dummy gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_CC="gcc"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
+IFS=$as_save_IFS
fi
fi
ac_ct_CC=$ac_cv_prog_ac_ct_CC
if test -n "$ac_ct_CC"; then
- echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
+ { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
fi
- CC=$ac_ct_CC
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
else
CC="$ac_cv_prog_CC"
fi
if test -z "$CC"; then
- if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
set dummy ${ac_tool_prefix}cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
if test "${ac_cv_prog_CC+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="${ac_tool_prefix}cc"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
+IFS=$as_save_IFS
fi
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
- echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
fi
-fi
-if test -z "$ac_cv_prog_CC"; then
- ac_ct_CC=$CC
- # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_CC="cc"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
- echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- CC=$ac_ct_CC
-else
- CC="$ac_cv_prog_CC"
-fi
+ fi
fi
if test -z "$CC"; then
# Extract the first word of "cc", so it can be a program name with args.
set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
if test "${ac_cv_prog_CC+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
ac_prog_rejected=yes
continue
fi
done
done
+IFS=$as_save_IFS
if test $ac_prog_rejected = yes; then
# We found a bogon in the path, so make sure we never use it.
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
- echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
fi
+
fi
if test -z "$CC"; then
if test -n "$ac_tool_prefix"; then
- for ac_prog in cl
+ for ac_prog in cl.exe
do
# Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
if test "${ac_cv_prog_CC+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
+IFS=$as_save_IFS
fi
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
- echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
fi
+
test -n "$CC" && break
done
fi
if test -z "$CC"; then
ac_ct_CC=$CC
- for ac_prog in cl
+ for ac_prog in cl.exe
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_CC="$ac_prog"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
+IFS=$as_save_IFS
fi
fi
ac_ct_CC=$ac_cv_prog_ac_ct_CC
if test -n "$ac_ct_CC"; then
- echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
+ { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
fi
+
test -n "$ac_ct_CC" && break
done
- CC=$ac_ct_CC
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
fi
fi
{ (exit 1); exit 1; }; }
# Provide some information about the compiler.
-echo "$as_me:$LINENO:" \
- "checking for C compiler version" >&5
+echo "$as_me:$LINENO: checking for C compiler version" >&5
ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
- (eval $ac_compiler --version </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler --version >&5") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
- (eval $ac_compiler -v </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -v >&5") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
- (eval $ac_compiler -V </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -V >&5") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }
# Try to create an executable without -o first, disregard a.out.
# It will help us diagnose broken compilers, and finding out an intuition
# of exeext.
-echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5
- (eval $ac_link_default) 2>&5
+#
+# List of possible output files, starting from the most likely.
+# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+# only as a last resort. b.out is created by i960 compilers.
+ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+#
+# The IRIX 6 linker writes into existing files which may not be
+# executable, retaining their permissions. Remove them first so a
+# subsequent execution test works.
+ac_rmfiles=
+for ac_file in $ac_files
+do
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+ * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+ esac
+done
+rm -f $ac_rmfiles
+
+if { (ac_try="$ac_link_default"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link_default") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; then
- # Find the output, starting from the most likely. This scheme is
-# not robust to junk in `.', hence go to wildcards (a.*) only as a last
-# resort.
-
-# Be careful to initialize this variable, since it used to be cached.
-# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile.
-ac_cv_exeext=
-# b.out is created by i960 compilers.
-for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out
+ # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile. We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
do
test -f "$ac_file" || continue
case $ac_file in
- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj )
- ;;
- conftest.$ac_ext )
- # This is the source file.
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
;;
[ab].out )
# We found the default executable, but exeext='' is most
# certainly right.
break;;
*.* )
- ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
- # FIXME: I believe we export ac_cv_exeext for Libtool,
- # but it would be cool to find out if it's true. Does anybody
- # maintain Libtool? --akim.
- export ac_cv_exeext
+ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+ then :; else
+ ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ fi
+ # We set ac_cv_exeext here because the later test for it is not
+ # safe: cross compilers may not add the suffix if given an `-o'
+ # argument, so we may need to know it at that point already.
+ # Even if this section looks crufty: it has the advantage of
+ # actually working.
break;;
* )
break;;
esac
done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
+
else
+ ac_file=''
+fi
+
+{ echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "${ECHO_T}$ac_file" >&6; }
+if test -z "$ac_file"; then
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
fi
ac_exeext=$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_file" >&5
-echo "${ECHO_T}$ac_file" >&6
-# Check the compiler produces executables we can run. If not, either
+# Check that the compiler produces executables we can run. If not, either
# the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether the C compiler works" >&5
-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
# If not cross compiling, check that we can run a simple program.
if test "$cross_compiling" != yes; then
if { ac_try='./$ac_file'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
fi
fi
fi
-echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
rm -f a.out a.exe conftest$ac_cv_exeext b.out
ac_clean_files=$ac_clean_files_save
-# Check the compiler produces executables we can run. If not, either
+# Check that the compiler produces executables we can run. If not, either
# the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $cross_compiling" >&5
-echo "${ECHO_T}$cross_compiling" >&6
-
-echo "$as_me:$LINENO: checking for suffix of executables" >&5
-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6; }
+
+{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; then
for ac_file in conftest.exe conftest conftest.*; do
test -f "$ac_file" || continue
case $ac_file in
- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) ;;
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
*.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
- export ac_cv_exeext
break;;
* ) break;;
esac
fi
rm -f conftest$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
-echo "${ECHO_T}$ac_cv_exeext" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6; }
rm -f conftest.$ac_ext
EXEEXT=$ac_cv_exeext
ac_exeext=$EXEEXT
-echo "$as_me:$LINENO: checking for suffix of object files" >&5
-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
if test "${ac_cv_objext+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
}
_ACEOF
rm -f conftest.o conftest.obj
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; then
- for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do
+ for ac_file in conftest.o conftest.obj conftest.*; do
+ test -f "$ac_file" || continue;
case $ac_file in
- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg ) ;;
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
*) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
break;;
esac
rm -f conftest.$ac_cv_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
-echo "${ECHO_T}$ac_cv_objext" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6; }
OBJEXT=$ac_cv_objext
ac_objext=$OBJEXT
-echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
if test "${ac_cv_c_compiler_gnu+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_compiler_gnu=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_compiler_gnu=no
+ ac_compiler_gnu=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
ac_cv_c_compiler_gnu=$ac_compiler_gnu
fi
-echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
GCC=`test $ac_compiler_gnu = yes && echo yes`
ac_test_CFLAGS=${CFLAGS+set}
ac_save_CFLAGS=$CFLAGS
-CFLAGS="-g"
-echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
if test "${ac_cv_prog_cc_g+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
- cat >conftest.$ac_ext <<_ACEOF
+ ac_save_c_werror_flag=$ac_c_werror_flag
+ ac_c_werror_flag=yes
+ ac_cv_prog_cc_g=no
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ CFLAGS=""
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_c_werror_flag=$ac_save_c_werror_flag
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_prog_cc_g=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_prog_cc_g=no
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_c_werror_flag=$ac_save_c_werror_flag
fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
if test "$ac_test_CFLAGS" = set; then
CFLAGS=$ac_save_CFLAGS
elif test $ac_cv_prog_cc_g = yes; then
CFLAGS=
fi
fi
-echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5
-echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
-if test "${ac_cv_prog_cc_stdc+set}" = set; then
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
- ac_cv_prog_cc_stdc=no
+ ac_cv_prog_cc_c89=no
ac_save_CC=$CC
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has
function prototypes and stuff, but not '\xHH' hex character constants.
These don't provoke an error unfortunately, instead are silently treated
- as 'x'. The following induces an error, until -std1 is added to get
+ as 'x'. The following induces an error, until -std is added to get
proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an
array size at least. It's necessary to write '\x00'==0 to get something
- that's true only with -std1. */
+ that's true only with -std. */
int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+ inside strings and character constants. */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
int test (int i, double x);
struct s1 {int (*f) (int a);};
struct s2 {int (*f) (double a);};
return 0;
}
_ACEOF
-# Don't try gcc -ansi; that turns off useful extensions and
-# breaks some systems' header files.
-# AIX -qlanglvl=ansi
-# Ultrix and OSF/1 -std1
-# HP-UX 10.20 and later -Ae
-# HP-UX older versions -Aa -D_HPUX_SOURCE
-# SVR4 -Xc -D__EXTENSIONS__
-for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
do
CC="$ac_save_CC $ac_arg"
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_prog_cc_stdc=$ac_arg
-break
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_c89=$ac_arg
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
+
fi
-rm -f conftest.err conftest.$ac_objext
+
+rm -f core conftest.err conftest.$ac_objext
+ test "x$ac_cv_prog_cc_c89" != "xno" && break
done
-rm -f conftest.$ac_ext conftest.$ac_objext
+rm -f conftest.$ac_ext
CC=$ac_save_CC
fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+ x)
+ { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
+ xno)
+ { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
+ *)
+ CC="$CC $ac_cv_prog_cc_c89"
+ { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+
-case "x$ac_cv_prog_cc_stdc" in
- x|xno)
- echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6 ;;
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+### find out the path to BIND utils and version
+# Extract the first word of "dnssec-signzone", so it can be a program name with args.
+set dummy dnssec-signzone; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_SIGNZONE_PROG+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $SIGNZONE_PROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_SIGNZONE_PROG="$SIGNZONE_PROG" # Let the user override the test with a path.
+ ;;
*)
- echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
- CC="$CC $ac_cv_prog_cc_stdc" ;;
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_path_SIGNZONE_PROG="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+ ;;
esac
+fi
+SIGNZONE_PROG=$ac_cv_path_SIGNZONE_PROG
+if test -n "$SIGNZONE_PROG"; then
+ { echo "$as_me:$LINENO: result: $SIGNZONE_PROG" >&5
+echo "${ECHO_T}$SIGNZONE_PROG" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
-# Some people use a C++ compiler to compile C. Since we use `exit',
-# in C++ we need to declare it. In case someone uses the same compiler
-# for both compiling C and C++ we need to have the C++ compiler decide
-# the declaration of exit, since it's the most demanding environment.
-cat >conftest.$ac_ext <<_ACEOF
-#ifndef __cplusplus
- choke me
-#endif
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- for ac_declaration in \
- '' \
- 'extern "C" void std::exit (int) throw (); using std::exit;' \
- 'extern "C" void std::exit (int); using std::exit;' \
- 'extern "C" void exit (int) throw ();' \
- 'extern "C" void exit (int);' \
- 'void exit (int);'
-do
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_declaration
-#include <stdlib.h>
-int
-main ()
-{
-exit (42);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- :
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-continue
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_declaration
-int
-main ()
-{
-exit (42);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- break
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-rm -f conftest*
-if test -n "$ac_declaration"; then
- echo '#ifdef __cplusplus' >>confdefs.h
- echo $ac_declaration >>confdefs.h
- echo '#endif' >>confdefs.h
-fi
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-### find out the path to BIND utils and version
-# Extract the first word of "dnssec-signzone", so it can be a program name with args.
-set dummy dnssec-signzone; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_SIGNZONE_PROG+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- case $SIGNZONE_PROG in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_SIGNZONE_PROG="$SIGNZONE_PROG" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_SIGNZONE_PROG="$as_dir/$ac_word$ac_exec_ext"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- ;;
-esac
-fi
-SIGNZONE_PROG=$ac_cv_path_SIGNZONE_PROG
-
-if test -n "$SIGNZONE_PROG"; then
- echo "$as_me:$LINENO: result: $SIGNZONE_PROG" >&5
-echo "${ECHO_T}$SIGNZONE_PROG" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-bind_util_path=`dirname "$SIGNZONE_PROG"`
-if test -z "$SIGNZONE_PROG" ; then
-# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
- { echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5
-echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;}
-else
-
- # define BIND_UTIL_PATH in config.h.in
-
-cat >>confdefs.h <<_ACEOF
-#define BIND_UTIL_PATH "$bind_util_path/"
+
+if test -z "$SIGNZONE_PROG" ; then
+# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
+ { echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5
+echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;}
+else
+ bind_util_path=`dirname "$SIGNZONE_PROG"`
+ # define BIND_UTIL_PATH in config.h.in
+
+cat >>confdefs.h <<_ACEOF
+#define BIND_UTIL_PATH "$bind_util_path/"
_ACEOF
# define BIND_VERSION in config.h.in
- #bind_version=`$SIGNZONE_PROG 2>&1 | sed -n -e "/Version:/s/Version: \(\[0-9\]\[0-9\.\]*\).*/\1/p" | tr -d "."`
bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
cat >>confdefs.h <<_ACEOF
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
-echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
-echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; }
# On Suns, sometimes $CPP names a directory.
if test -n "$CPP" && test -d "$CPP"; then
CPP=
#endif
Syntax error
_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
:
else
echo "$as_me: failed program was:" >&5
# Broken: fails on valid input.
continue
fi
+
rm -f conftest.err conftest.$ac_ext
- # OK, works on sane cases. Now check whether non-existent headers
+ # OK, works on sane cases. Now check whether nonexistent headers
# can be detected and how.
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
/* end confdefs.h. */
#include <ac_nonexistent.h>
_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
# Broken: success on invalid input.
continue
else
ac_preproc_ok=:
break
fi
+
rm -f conftest.err conftest.$ac_ext
done
else
ac_cv_prog_CPP=$CPP
fi
-echo "$as_me:$LINENO: result: $CPP" >&5
-echo "${ECHO_T}$CPP" >&6
+{ echo "$as_me:$LINENO: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6; }
ac_preproc_ok=false
for ac_c_preproc_warn_flag in '' yes
do
#endif
Syntax error
_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
:
else
echo "$as_me: failed program was:" >&5
# Broken: fails on valid input.
continue
fi
+
rm -f conftest.err conftest.$ac_ext
- # OK, works on sane cases. Now check whether non-existent headers
+ # OK, works on sane cases. Now check whether nonexistent headers
# can be detected and how.
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
/* end confdefs.h. */
#include <ac_nonexistent.h>
_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
# Broken: success on invalid input.
continue
else
ac_preproc_ok=:
break
fi
+
rm -f conftest.err conftest.$ac_ext
done
ac_compiler_gnu=$ac_cv_c_compiler_gnu
-echo "$as_me:$LINENO: checking for egrep" >&5
-echo $ECHO_N "checking for egrep... $ECHO_C" >&6
-if test "${ac_cv_prog_egrep+set}" = set; then
+{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; }
+if test "${ac_cv_path_GREP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # Extract the first word of "grep ggrep" to use in msg output
+if test -z "$GREP"; then
+set dummy grep ggrep; ac_prog_name=$2
+if test "${ac_cv_path_GREP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_path_GREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_prog in grep ggrep; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+ { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+ # Check for GNU ac_path_GREP and select it if it is found.
+ # Check for GNU $ac_path_GREP
+case `"$ac_path_GREP" --version 2>&1` in
+*GNU*)
+ ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
+*)
+ ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+ while :
+ do
+ cat "conftest.in" "conftest.in" >"conftest.tmp"
+ mv "conftest.tmp" "conftest.in"
+ cp "conftest.in" "conftest.nl"
+ echo 'GREP' >> "conftest.nl"
+ "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+ ac_count=`expr $ac_count + 1`
+ if test $ac_count -gt ${ac_path_GREP_max-0}; then
+ # Best one so far, save it but keep looking for a better one
+ ac_cv_path_GREP="$ac_path_GREP"
+ ac_path_GREP_max=$ac_count
+ fi
+ # 10*(2^10) chars as input seems more than enough
+ test $ac_count -gt 10 && break
+ done
+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+ $ac_path_GREP_found && break 3
+ done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+GREP="$ac_cv_path_GREP"
+if test -z "$GREP"; then
+ { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+else
+ ac_cv_path_GREP=$GREP
+fi
+
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+echo "${ECHO_T}$ac_cv_path_GREP" >&6; }
+ GREP="$ac_cv_path_GREP"
+
+
+{ echo "$as_me:$LINENO: checking for egrep" >&5
+echo $ECHO_N "checking for egrep... $ECHO_C" >&6; }
+if test "${ac_cv_path_EGREP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+ then ac_cv_path_EGREP="$GREP -E"
+ else
+ # Extract the first word of "egrep" to use in msg output
+if test -z "$EGREP"; then
+set dummy egrep; ac_prog_name=$2
+if test "${ac_cv_path_EGREP+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
- if echo a | (grep -E '(a|b)') >/dev/null 2>&1
- then ac_cv_prog_egrep='grep -E'
- else ac_cv_prog_egrep='egrep'
+ ac_path_EGREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_prog in egrep; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+ { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+ # Check for GNU ac_path_EGREP and select it if it is found.
+ # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+ ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+ ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+ while :
+ do
+ cat "conftest.in" "conftest.in" >"conftest.tmp"
+ mv "conftest.tmp" "conftest.in"
+ cp "conftest.in" "conftest.nl"
+ echo 'EGREP' >> "conftest.nl"
+ "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+ ac_count=`expr $ac_count + 1`
+ if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+ # Best one so far, save it but keep looking for a better one
+ ac_cv_path_EGREP="$ac_path_EGREP"
+ ac_path_EGREP_max=$ac_count
fi
+ # 10*(2^10) chars as input seems more than enough
+ test $ac_count -gt 10 && break
+ done
+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+ $ac_path_EGREP_found && break 3
+ done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+EGREP="$ac_cv_path_EGREP"
+if test -z "$EGREP"; then
+ { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+else
+ ac_cv_path_EGREP=$EGREP
+fi
+
+
+ fi
fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
-echo "${ECHO_T}$ac_cv_prog_egrep" >&6
- EGREP=$ac_cv_prog_egrep
+{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+echo "${ECHO_T}$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
if test "${ac_cv_header_stdc+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_header_stdc=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_header_stdc=no
+ ac_cv_header_stdc=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
if test $ac_cv_header_stdc = yes; then
# SunOS 4.x string.h does not declare mem*, contrary to ANSI.
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <ctype.h>
+#include <stdlib.h>
#if ((' ' & 0x0FF) == 0x020)
# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
for (i = 0; i < 256; i++)
if (XOR (islower (i), ISLOWER (i))
|| toupper (i) != TOUPPER (i))
- exit(2);
- exit (0);
+ return 2;
+ return 0;
}
_ACEOF
rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
( exit $ac_status )
ac_cv_header_stdc=no
fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
+
+
fi
fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
if test $ac_cv_header_stdc = yes; then
cat >>confdefs.h <<\_ACEOF
inttypes.h stdint.h unistd.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
#include <$ac_header>
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
eval "$as_ac_Header=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-eval "$as_ac_Header=no"
+ eval "$as_ac_Header=no"
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
if test `eval echo '${'$as_ac_Header'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
done
-echo "$as_me:$LINENO: checking for uint" >&5
-echo $ECHO_N "checking for uint... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uint" >&5
+echo $ECHO_N "checking for uint... $ECHO_C" >&6; }
if test "${ac_cv_type_uint+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
+typedef uint ac__type_new_;
int
main ()
{
-if ((uint *) 0)
+if ((ac__type_new_ *) 0)
return 0;
-if (sizeof (uint))
+if (sizeof (ac__type_new_))
return 0;
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_type_uint=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_type_uint=no
+ ac_cv_type_uint=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uint" >&5
-echo "${ECHO_T}$ac_cv_type_uint" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uint" >&5
+echo "${ECHO_T}$ac_cv_type_uint" >&6; }
if test $ac_cv_type_uint = yes; then
:
else
fi
-echo "$as_me:$LINENO: checking for ulong" >&5
-echo $ECHO_N "checking for ulong... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ulong" >&5
+echo $ECHO_N "checking for ulong... $ECHO_C" >&6; }
if test "${ac_cv_type_ulong+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
+typedef ulong ac__type_new_;
int
main ()
{
-if ((ulong *) 0)
+if ((ac__type_new_ *) 0)
return 0;
-if (sizeof (ulong))
+if (sizeof (ac__type_new_))
return 0;
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_type_ulong=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_type_ulong=no
+ ac_cv_type_ulong=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_type_ulong" >&5
-echo "${ECHO_T}$ac_cv_type_ulong" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_ulong" >&5
+echo "${ECHO_T}$ac_cv_type_ulong" >&6; }
if test $ac_cv_type_ulong = yes; then
:
else
fi
-echo "$as_me:$LINENO: checking for ushort" >&5
-echo $ECHO_N "checking for ushort... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ushort" >&5
+echo $ECHO_N "checking for ushort... $ECHO_C" >&6; }
if test "${ac_cv_type_ushort+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
+typedef ushort ac__type_new_;
int
main ()
{
-if ((ushort *) 0)
+if ((ac__type_new_ *) 0)
return 0;
-if (sizeof (ushort))
+if (sizeof (ac__type_new_))
return 0;
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_type_ushort=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_type_ushort=no
+ ac_cv_type_ushort=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_type_ushort" >&5
-echo "${ECHO_T}$ac_cv_type_ushort" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_ushort" >&5
+echo "${ECHO_T}$ac_cv_type_ushort" >&6; }
if test $ac_cv_type_ushort = yes; then
:
else
fi
-echo "$as_me:$LINENO: checking for uchar" >&5
-echo $ECHO_N "checking for uchar... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uchar" >&5
+echo $ECHO_N "checking for uchar... $ECHO_C" >&6; }
if test "${ac_cv_type_uchar+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
+typedef uchar ac__type_new_;
int
main ()
{
-if ((uchar *) 0)
+if ((ac__type_new_ *) 0)
return 0;
-if (sizeof (uchar))
+if (sizeof (ac__type_new_))
return 0;
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_type_uchar=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_type_uchar=no
+ ac_cv_type_uchar=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uchar" >&5
-echo "${ECHO_T}$ac_cv_type_uchar" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uchar" >&5
+echo "${ECHO_T}$ac_cv_type_uchar" >&6; }
if test $ac_cv_type_uchar = yes; then
:
else
### define configure arguments
-# Check whether --enable-printtimezone or --disable-printtimezone was given.
+# Check whether --enable-printtimezone was given.
if test "${enable_printtimezone+set}" = set; then
- enableval="$enable_printtimezone"
- printtimezone=$enableval
-fi;
+ enableval=$enable_printtimezone; printtimezone=$enableval
+fi
+
printtimezone=0
test "$printtimezone" = yes && printtimezone=1
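Review bot: `printtimezone=0` sits directly after the `--enable-printtimezone` block, so the value just copied from `$enableval` is overwritten and `test "$printtimezone" = yes` can never succeed. The same order shows for printyear, logprogname, logtimestamp, loglevel and ttl_in_keyfile below, whereas `configpath="/var/named"` and `usetree=1` are set before their option checks. As written, a build configured with `--disable-logtimestamp` would still end up with `logtimestamp=1`, without any warning. This script looks autoconf-generated, so the change belongs in configure.ac: put each default ahead of its option check, e.g. `printtimezone=0` before `if test "${enable_printtimezone+set}" = set; then`. Hunk headers are missing on this page, so the adjacency is read from the context lines and should be confirmed against the full file.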
_ACEOF
-# Check whether --enable-printyear or --disable-printyear was given.
+# Check whether --enable-printyear was given.
if test "${enable_printyear+set}" = set; then
- enableval="$enable_printyear"
- printyear=$enableval
-fi;
+ enableval=$enable_printyear; printyear=$enableval
+fi
+
printyear=0
test "$printyear" = yes && printyear=1
_ACEOF
-# Check whether --enable-logprogname or --disable-logprogname was given.
+# Check whether --enable-logprogname was given.
if test "${enable_logprogname+set}" = set; then
- enableval="$enable_logprogname"
- logprogname=$enableval
-fi;
+ enableval=$enable_logprogname; logprogname=$enableval
+fi
+
logprogname=0
test "$logprogname" = yes && logprogname=1
_ACEOF
-# Check whether --enable-logtimestamp or --disable-logtimestamp was given.
+# Check whether --enable-logtimestamp was given.
if test "${enable_logtimestamp+set}" = set; then
- enableval="$enable_logtimestamp"
- logtimestamp=$enableval
-fi;
+ enableval=$enable_logtimestamp; logtimestamp=$enableval
+fi
+
logtimestamp=1
test "$logtimestamp" = no && logtimestamp=0
_ACEOF
-# Check whether --enable-loglevel or --disable-loglevel was given.
+# Check whether --enable-loglevel was given.
if test "${enable_loglevel+set}" = set; then
- enableval="$enable_loglevel"
- loglevel=$enableval
-fi;
+ enableval=$enable_loglevel; loglevel=$enableval
+fi
+
loglevel=1
test "$loglevel" = no && loglevel=0
_ACEOF
-# Check whether --enable-ttl_in_keyfile or --disable-ttl_in_keyfile was given.
+# Check whether --enable-ttl_in_keyfile was given.
if test "${enable_ttl_in_keyfile+set}" = set; then
- enableval="$enable_ttl_in_keyfile"
- ttl_in_keyfile=$enableval
-fi;
+ enableval=$enable_ttl_in_keyfile; ttl_in_keyfile=$enableval
+fi
+
ttl_in_keyfile=1
test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
configpath="/var/named"
-# Check whether --enable-configpath or --disable-configpath was given.
+# Check whether --enable-configpath was given.
if test "${enable_configpath+set}" = set; then
- enableval="$enable_configpath"
- configpath=$enableval
-fi;
+ enableval=$enable_configpath; configpath=$enableval
+fi
+
case "$configpath" in
yes)
configpath="/var/named"
usetree=1
t="T"
-# Check whether --enable-tree or --disable-tree was given.
+# Check whether --enable-tree was given.
if test "${enable_tree+set}" = set; then
- enableval="$enable_tree"
- usetree=$enableval
-fi;
+ enableval=$enable_tree; usetree=$enableval
+fi
+
if test "$usetree" = no
then
usetree=0
cat >>confdefs.h <<_ACEOF
-#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
+#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
_ACEOF
ac_header_dirent=no
for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h; do
as_ac_Header=`echo "ac_cv_header_dirent_$ac_hdr" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_hdr that defines DIR" >&5
-echo $ECHO_N "checking for $ac_hdr that defines DIR... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_hdr that defines DIR" >&5
+echo $ECHO_N "checking for $ac_hdr that defines DIR... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
eval "$as_ac_Header=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-eval "$as_ac_Header=no"
+ eval "$as_ac_Header=no"
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
if test `eval echo '${'$as_ac_Header'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_hdr" | $as_tr_cpp` 1
done
# Two versions of opendir et al. are in -ldir and -lx on SCO Xenix.
if test $ac_header_dirent = dirent.h; then
- echo "$as_me:$LINENO: checking for library containing opendir" >&5
-echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6
+ { echo "$as_me:$LINENO: checking for library containing opendir" >&5
+echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6; }
if test "${ac_cv_search_opendir+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_func_search_save_LIBS=$LIBS
-ac_cv_search_opendir=no
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
-/* Override any gcc2 internal prototype to avoid an error. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
char opendir ();
int
main ()
{
-opendir ();
+return opendir ();
;
return 0;
}
_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+for ac_lib in '' dir; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_search_opendir="none required"
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_search_opendir=$ac_res
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test "$ac_cv_search_opendir" = no; then
- for ac_lib in dir; do
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char opendir ();
-int
-main ()
-{
-opendir ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_search_opendir="-l$ac_lib"
-break
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+fi
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext
+ if test "${ac_cv_search_opendir+set}" = set; then
+ break
fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- done
+done
+if test "${ac_cv_search_opendir+set}" = set; then
+ :
+else
+ ac_cv_search_opendir=no
fi
+rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
-echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5
-echo "${ECHO_T}$ac_cv_search_opendir" >&6
-if test "$ac_cv_search_opendir" != no; then
- test "$ac_cv_search_opendir" = "none required" || LIBS="$ac_cv_search_opendir $LIBS"
+{ echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5
+echo "${ECHO_T}$ac_cv_search_opendir" >&6; }
+ac_res=$ac_cv_search_opendir
+if test "$ac_res" != no; then
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
fi
else
- echo "$as_me:$LINENO: checking for library containing opendir" >&5
-echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6
+ { echo "$as_me:$LINENO: checking for library containing opendir" >&5
+echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6; }
if test "${ac_cv_search_opendir+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_func_search_save_LIBS=$LIBS
-ac_cv_search_opendir=no
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
-/* Override any gcc2 internal prototype to avoid an error. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
char opendir ();
int
main ()
{
-opendir ();
+return opendir ();
;
return 0;
}
_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+for ac_lib in '' x; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_search_opendir="none required"
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_search_opendir=$ac_res
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test "$ac_cv_search_opendir" = no; then
- for ac_lib in x; do
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char opendir ();
-int
-main ()
-{
-opendir ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_search_opendir="-l$ac_lib"
-break
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+fi
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext
+ if test "${ac_cv_search_opendir+set}" = set; then
+ break
fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- done
+done
+if test "${ac_cv_search_opendir+set}" = set; then
+ :
+else
+ ac_cv_search_opendir=no
fi
+rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
-echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5
-echo "${ECHO_T}$ac_cv_search_opendir" >&6
-if test "$ac_cv_search_opendir" != no; then
- test "$ac_cv_search_opendir" = "none required" || LIBS="$ac_cv_search_opendir $LIBS"
+{ echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5
+echo "${ECHO_T}$ac_cv_search_opendir" >&6; }
+ac_res=$ac_cv_search_opendir
+if test "$ac_res" != no; then
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
fi
fi
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
if test "${ac_cv_header_stdc+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_header_stdc=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_header_stdc=no
+ ac_cv_header_stdc=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
if test $ac_cv_header_stdc = yes; then
# SunOS 4.x string.h does not declare mem*, contrary to ANSI.
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <ctype.h>
+#include <stdlib.h>
#if ((' ' & 0x0FF) == 0x020)
# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
for (i = 0; i < 256; i++)
if (XOR (islower (i), ISLOWER (i))
|| toupper (i) != TOUPPER (i))
- exit(2);
- exit (0);
+ return 2;
+ return 0;
}
_ACEOF
rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
( exit $ac_status )
ac_cv_header_stdc=no
fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
+
+
fi
fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
if test $ac_cv_header_stdc = yes; then
cat >>confdefs.h <<\_ACEOF
for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
else
# Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
#include <$ac_header>
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_header_compiler=no
+ ac_header_compiler=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
/* end confdefs.h. */
#include <$ac_header>
_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
ac_header_preproc=no
fi
+
rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
- (
- cat <<\_ASBOX
+ ( cat <<\_ASBOX
## -------------------------------------- ##
## Report this to Holger Zuleger hznet.de ##
## -------------------------------------- ##
_ASBOX
- ) |
- sed "s/^/$as_me: WARNING: /" >&2
+ ) | sed "s/^/$as_me: WARNING: /" >&2
;;
esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
eval "$as_ac_Header=\$ac_header_preproc"
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
fi
if test `eval echo '${'$as_ac_Header'}'` = yes; then
### Checks for typedefs, structures, and compiler characteristics.
-echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
-echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6; }
if test "${ac_cv_c_const+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
#ifndef __cplusplus
/* Ultrix mips cc rejects this. */
typedef int charset[2];
- const charset x;
+ const charset cs;
/* SunOS 4.1.1 cc rejects this. */
- char const *const *ccp;
- char **p;
+ char const *const *pcpcc;
+ char **ppc;
/* NEC SVR4.0.2 mips cc rejects this. */
struct point {int x, y;};
static struct point const zero = {0,0};
an arm of an if-expression whose if-part is not a constant
expression */
const char *g = "string";
- ccp = &g + (g ? g-g : 0);
+ pcpcc = &g + (g ? g-g : 0);
/* HPUX 7.0 cc rejects these. */
- ++ccp;
- p = (char**) ccp;
- ccp = (char const *const *) p;
+ ++pcpcc;
+ ppc = (char**) pcpcc;
+ pcpcc = (char const *const *) ppc;
{ /* SCO 3.2v4 cc rejects this. */
char *t;
char const *s = 0 ? (char *) 0 : (char const *) 0;
*t++ = 0;
+ if (s) return 0;
}
{ /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */
int x[] = {25, 17};
}
{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
const int foo = 10;
+ if (!foo) return 0;
}
+ return !cs[0] && !zero.x;
#endif
;
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_c_const=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_c_const=no
+ ac_cv_c_const=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
-echo "${ECHO_T}$ac_cv_c_const" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6; }
if test $ac_cv_c_const = no; then
cat >>confdefs.h <<\_ACEOF
fi
-echo "$as_me:$LINENO: checking for size_t" >&5
-echo $ECHO_N "checking for size_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6; }
if test "${ac_cv_type_size_t+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
+typedef size_t ac__type_new_;
int
main ()
{
-if ((size_t *) 0)
+if ((ac__type_new_ *) 0)
return 0;
-if (sizeof (size_t))
+if (sizeof (ac__type_new_))
return 0;
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_type_size_t=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_type_size_t=no
+ ac_cv_type_size_t=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
-echo "${ECHO_T}$ac_cv_type_size_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6; }
if test $ac_cv_type_size_t = yes; then
:
else
cat >>confdefs.h <<_ACEOF
-#define size_t unsigned
+#define size_t unsigned int
_ACEOF
fi
-echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
-echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6; }
if test "${ac_cv_header_time+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_header_time=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_header_time=no
+ ac_cv_header_time=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
-echo "${ECHO_T}$ac_cv_header_time" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6; }
if test $ac_cv_header_time = yes; then
cat >>confdefs.h <<\_ACEOF
fi
-echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5
-echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5
+echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6; }
if test "${ac_cv_struct_tm+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
int
main ()
{
-struct tm *tp; tp->tm_sec;
+struct tm tm;
+ int *p = &tm.tm_sec;
+ return !p;
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_cv_struct_tm=time.h
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_struct_tm=sys/time.h
+ ac_cv_struct_tm=sys/time.h
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5
-echo "${ECHO_T}$ac_cv_struct_tm" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5
+echo "${ECHO_T}$ac_cv_struct_tm" >&6; }
if test $ac_cv_struct_tm = sys/time.h; then
cat >>confdefs.h <<\_ACEOF
fi
-echo "$as_me:$LINENO: checking for uid_t in sys/types.h" >&5
-echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uid_t in sys/types.h" >&5
+echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6; }
if test "${ac_cv_type_uid_t+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
rm -f conftest*
fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uid_t" >&5
-echo "${ECHO_T}$ac_cv_type_uid_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uid_t" >&5
+echo "${ECHO_T}$ac_cv_type_uid_t" >&6; }
if test $ac_cv_type_uid_t = no; then
cat >>confdefs.h <<\_ACEOF
### Checks for library functions.
-echo "$as_me:$LINENO: checking whether closedir returns void" >&5
-echo $ECHO_N "checking whether closedir returns void... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether closedir returns void" >&5
+echo $ECHO_N "checking whether closedir returns void... $ECHO_C" >&6; }
if test "${ac_cv_func_closedir_void+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
int
main ()
{
-exit (closedir (opendir (".")) != 0);
+return closedir (opendir (".")) != 0;
;
return 0;
}
_ACEOF
rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
( exit $ac_status )
ac_cv_func_closedir_void=yes
fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
+
+
fi
-echo "$as_me:$LINENO: result: $ac_cv_func_closedir_void" >&5
-echo "${ECHO_T}$ac_cv_func_closedir_void" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_closedir_void" >&5
+echo "${ECHO_T}$ac_cv_func_closedir_void" >&6; }
if test $ac_cv_func_closedir_void = yes; then
cat >>confdefs.h <<\_ACEOF
fi
-echo "$as_me:$LINENO: checking for error_at_line" >&5
-echo $ECHO_N "checking for error_at_line... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for error_at_line" >&5
+echo $ECHO_N "checking for error_at_line... $ECHO_C" >&6; }
if test "${ac_cv_lib_error_at_line+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
-$ac_includes_default
+#include <error.h>
int
main ()
{
-error_at_line (0, 0, "", 0, "");
+error_at_line (0, 0, "", 0, "an error occurred");
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
ac_cv_lib_error_at_line=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_lib_error_at_line=no
+ ac_cv_lib_error_at_line=no
fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_error_at_line" >&5
-echo "${ECHO_T}$ac_cv_lib_error_at_line" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_error_at_line" >&5
+echo "${ECHO_T}$ac_cv_lib_error_at_line" >&6; }
if test $ac_cv_lib_error_at_line = no; then
- case $LIBOBJS in
- "error.$ac_objext" | \
- *" error.$ac_objext" | \
- "error.$ac_objext "* | \
+ case " $LIBOBJS " in
*" error.$ac_objext "* ) ;;
- *) LIBOBJS="$LIBOBJS error.$ac_objext" ;;
+ *) LIBOBJS="$LIBOBJS error.$ac_objext"
+ ;;
esac
fi
for ac_header in stdlib.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
else
# Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
#include <$ac_header>
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_header_compiler=no
+ ac_header_compiler=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
/* end confdefs.h. */
#include <$ac_header>
_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
ac_header_preproc=no
fi
+
rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
- (
- cat <<\_ASBOX
+ ( cat <<\_ASBOX
## -------------------------------------- ##
## Report this to Holger Zuleger hznet.de ##
## -------------------------------------- ##
_ASBOX
- ) |
- sed "s/^/$as_me: WARNING: /" >&2
+ ) | sed "s/^/$as_me: WARNING: /" >&2
;;
esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
eval "$as_ac_Header=\$ac_header_preproc"
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
fi
if test `eval echo '${'$as_ac_Header'}'` = yes; then
done
-echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5
-echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5
+echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6; }
if test "${ac_cv_func_malloc_0_nonnull+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
-#if STDC_HEADERS || HAVE_STDLIB_H
+#if defined STDC_HEADERS || defined HAVE_STDLIB_H
# include <stdlib.h>
#else
char *malloc ();
int
main ()
{
-exit (malloc (0) ? 0 : 1);
+return ! malloc (0);
;
return 0;
}
_ACEOF
rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
( exit $ac_status )
ac_cv_func_malloc_0_nonnull=no
fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
+
+
fi
-echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5
-echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5
+echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6; }
if test $ac_cv_func_malloc_0_nonnull = yes; then
cat >>confdefs.h <<\_ACEOF
#define HAVE_MALLOC 0
_ACEOF
- case $LIBOBJS in
- "malloc.$ac_objext" | \
- *" malloc.$ac_objext" | \
- "malloc.$ac_objext "* | \
+ case " $LIBOBJS " in
*" malloc.$ac_objext "* ) ;;
- *) LIBOBJS="$LIBOBJS malloc.$ac_objext" ;;
+ *) LIBOBJS="$LIBOBJS malloc.$ac_objext"
+ ;;
esac
-for ac_header in stdlib.h sys/time.h unistd.h
+
+for ac_header in $ac_header_list
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
else
# Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
#include <$ac_header>
_ACEOF
rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_header_compiler=no
+ ac_header_compiler=no
fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
/* end confdefs.h. */
#include <$ac_header>
_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
ac_header_preproc=no
fi
+
rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
- (
- cat <<\_ASBOX
+ ( cat <<\_ASBOX
## -------------------------------------- ##
## Report this to Holger Zuleger hznet.de ##
## -------------------------------------- ##
_ASBOX
- ) |
- sed "s/^/$as_me: WARNING: /" >&2
+ ) | sed "s/^/$as_me: WARNING: /" >&2
;;
esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
eval "$as_ac_Header=\$ac_header_preproc"
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
fi
if test `eval echo '${'$as_ac_Header'}'` = yes; then
done
-for ac_func in alarm
+
+
+
+
+
+
+
+for ac_func in $ac_func_list
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
#undef $ac_func
-/* Override any gcc2 internal prototype to avoid an error. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
-{
#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
char $ac_func ();
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
#endif
int
main ()
{
-return f != $ac_func;
+return $ac_func ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
eval "$as_ac_var=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-eval "$as_ac_var=no"
+ eval "$as_ac_var=no"
fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
if test `eval echo '${'$as_ac_var'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
fi
done
-echo "$as_me:$LINENO: checking for working mktime" >&5
-echo $ECHO_N "checking for working mktime... $ECHO_C" >&6
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking for working mktime" >&5
+echo $ECHO_N "checking for working mktime... $ECHO_C" >&6; }
if test "${ac_cv_func_working_mktime+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
/* Test program from Paul Eggert and Tony Leneis. */
-#if TIME_WITH_SYS_TIME
+#ifdef TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
-# if HAVE_SYS_TIME_H
+# ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
# else
# include <time.h>
# endif
#endif
-#if HAVE_STDLIB_H
-# include <stdlib.h>
-#endif
+#include <stdlib.h>
-#if HAVE_UNISTD_H
+#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif
-#if !HAVE_ALARM
+#ifndef HAVE_ALARM
# define alarm(X) /* empty */
#endif
};
#define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0]))
-/* Fail if mktime fails to convert a date in the spring-forward gap.
+/* Return 0 if mktime fails to convert a date in the spring-forward gap.
Based on a problem report from Andreas Jaeger. */
-static void
+static int
spring_forward_gap ()
{
/* glibc (up to about 1998-10-07) failed this test. */
tm.tm_min = 0;
tm.tm_sec = 0;
tm.tm_isdst = -1;
- if (mktime (&tm) == (time_t)-1)
- exit (1);
+ return mktime (&tm) != (time_t) -1;
}
-static void
+static int
mktime_test1 (now)
time_t now;
{
struct tm *lt;
- if ((lt = localtime (&now)) && mktime (lt) != now)
- exit (1);
+ return ! (lt = localtime (&now)) || mktime (lt) == now;
}
-static void
+static int
mktime_test (now)
time_t now;
{
- mktime_test1 (now);
- mktime_test1 ((time_t) (time_t_max - now));
- mktime_test1 ((time_t) (time_t_min + now));
+ return (mktime_test1 (now)
+ && mktime_test1 ((time_t) (time_t_max - now))
+ && mktime_test1 ((time_t) (time_t_min + now)));
}
-static void
+static int
irix_6_4_bug ()
{
/* Based on code from Ariel Faigon. */
tm.tm_sec = 0;
tm.tm_isdst = -1;
mktime (&tm);
- if (tm.tm_mon != 2 || tm.tm_mday != 31)
- exit (1);
+ return tm.tm_mon == 2 && tm.tm_mday == 31;
}
-static void
+static int
bigtime_test (j)
int j;
{
&& lt->tm_wday == tm.tm_wday
&& ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst)
== (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst))))
- exit (1);
+ return 0;
}
+ return 1;
+}
+
+static int
+year_2050_test ()
+{
+ /* The correct answer for 2050-02-01 00:00:00 in Pacific time,
+ ignoring leap seconds. */
+ unsigned long int answer = 2527315200UL;
+
+ struct tm tm;
+ time_t t;
+ tm.tm_year = 2050 - 1900;
+ tm.tm_mon = 2 - 1;
+ tm.tm_mday = 1;
+ tm.tm_hour = tm.tm_min = tm.tm_sec = 0;
+ tm.tm_isdst = -1;
+
+ /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0"
+ instead of "TZ=America/Vancouver" in order to detect the bug even
+ on systems that don't support the Olson extension, or don't have the
+ full zoneinfo tables installed. */
+ putenv ("TZ=PST8PDT,M4.1.0,M10.5.0");
+
+ t = mktime (&tm);
+
+ /* Check that the result is either a failure, or close enough
+ to the correct answer that we can assume the discrepancy is
+ due to leap seconds. */
+ return (t == (time_t) -1
+ || (0 < t && answer - 120 <= t && t <= answer + 120));
}
int
putenv (tz_strings[i]);
for (t = 0; t <= time_t_max - delta; t += delta)
- mktime_test (t);
- mktime_test ((time_t) 1);
- mktime_test ((time_t) (60 * 60));
- mktime_test ((time_t) (60 * 60 * 24));
+ if (! mktime_test (t))
+ return 1;
+ if (! (mktime_test ((time_t) 1)
+ && mktime_test ((time_t) (60 * 60))
+ && mktime_test ((time_t) (60 * 60 * 24))))
+ return 1;
for (j = 1; 0 < j; j *= 2)
- bigtime_test (j);
- bigtime_test (j - 1);
+ if (! bigtime_test (j))
+ return 1;
+ if (! bigtime_test (j - 1))
+ return 1;
}
- irix_6_4_bug ();
- spring_forward_gap ();
- exit (0);
+ return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ());
}
_ACEOF
rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
( exit $ac_status )
ac_cv_func_working_mktime=no
fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
+
+
fi
-echo "$as_me:$LINENO: result: $ac_cv_func_working_mktime" >&5
-echo "${ECHO_T}$ac_cv_func_working_mktime" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_working_mktime" >&5
+echo "${ECHO_T}$ac_cv_func_working_mktime" >&6; }
if test $ac_cv_func_working_mktime = no; then
- case $LIBOBJS in
- "mktime.$ac_objext" | \
- *" mktime.$ac_objext" | \
- "mktime.$ac_objext "* | \
+ case " $LIBOBJS " in
*" mktime.$ac_objext "* ) ;;
- *) LIBOBJS="$LIBOBJS mktime.$ac_objext" ;;
+ *) LIBOBJS="$LIBOBJS mktime.$ac_objext"
+ ;;
esac
fi
-echo "$as_me:$LINENO: checking whether lstat dereferences a symlink specified with a trailing slash" >&5
-echo $ECHO_N "checking whether lstat dereferences a symlink specified with a trailing slash... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether lstat dereferences a symlink specified with a trailing slash" >&5
+echo $ECHO_N "checking whether lstat dereferences a symlink specified with a trailing slash... $ECHO_C" >&6; }
if test "${ac_cv_func_lstat_dereferences_slashed_symlink+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
/* Linux will dereference the symlink and fail.
That is better in the sense that it means we will not
have to compile and use the lstat wrapper. */
- exit (lstat ("conftest.sym/", &sbuf) ? 0 : 1);
+ return lstat ("conftest.sym/", &sbuf) == 0;
;
return 0;
}
_ACEOF
rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
( exit $ac_status )
ac_cv_func_lstat_dereferences_slashed_symlink=no
fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
+
+
else
# If the `ln -s' command failed, then we probably don't even
# have an lstat function.
rm -f conftest.sym conftest.file
fi
-echo "$as_me:$LINENO: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5
-echo "${ECHO_T}$ac_cv_func_lstat_dereferences_slashed_symlink" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5
+echo "${ECHO_T}$ac_cv_func_lstat_dereferences_slashed_symlink" >&6; }
test $ac_cv_func_lstat_dereferences_slashed_symlink = yes &&
if test $ac_cv_func_lstat_dereferences_slashed_symlink = no; then
- case $LIBOBJS in
- "lstat.$ac_objext" | \
- *" lstat.$ac_objext" | \
- "lstat.$ac_objext "* | \
+ case " $LIBOBJS " in
*" lstat.$ac_objext "* ) ;;
- *) LIBOBJS="$LIBOBJS lstat.$ac_objext" ;;
+ *) LIBOBJS="$LIBOBJS lstat.$ac_objext"
+ ;;
esac
fi
-echo "$as_me:$LINENO: checking whether stat accepts an empty string" >&5
-echo $ECHO_N "checking whether stat accepts an empty string... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether stat accepts an empty string" >&5
+echo $ECHO_N "checking whether stat accepts an empty string... $ECHO_C" >&6; }
if test "${ac_cv_func_stat_empty_string_bug+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
main ()
{
struct stat sbuf;
- exit (stat ("", &sbuf) ? 1 : 0);
+ return stat ("", &sbuf) == 0;
;
return 0;
}
_ACEOF
rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
- ac_cv_func_stat_empty_string_bug=yes
+ ac_cv_func_stat_empty_string_bug=no
else
echo "$as_me: program exited with status $ac_status" >&5
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
( exit $ac_status )
-ac_cv_func_stat_empty_string_bug=no
+ac_cv_func_stat_empty_string_bug=yes
fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
+
+
fi
-echo "$as_me:$LINENO: result: $ac_cv_func_stat_empty_string_bug" >&5
-echo "${ECHO_T}$ac_cv_func_stat_empty_string_bug" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_stat_empty_string_bug" >&5
+echo "${ECHO_T}$ac_cv_func_stat_empty_string_bug" >&6; }
if test $ac_cv_func_stat_empty_string_bug = yes; then
- case $LIBOBJS in
- "stat.$ac_objext" | \
- *" stat.$ac_objext" | \
- "stat.$ac_objext "* | \
+ case " $LIBOBJS " in
*" stat.$ac_objext "* ) ;;
- *) LIBOBJS="$LIBOBJS stat.$ac_objext" ;;
+ *) LIBOBJS="$LIBOBJS stat.$ac_objext"
+ ;;
esac
for ac_func in strftime
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
#undef $ac_func
-/* Override any gcc2 internal prototype to avoid an error. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
-{
#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
char $ac_func ();
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
#endif
int
main ()
{
-return f != $ac_func;
+return $ac_func ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
eval "$as_ac_var=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-eval "$as_ac_var=no"
+ eval "$as_ac_var=no"
fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
if test `eval echo '${'$as_ac_var'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
else
# strftime is in -lintl on SCO UNIX.
-echo "$as_me:$LINENO: checking for strftime in -lintl" >&5
-echo $ECHO_N "checking for strftime in -lintl... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strftime in -lintl" >&5
+echo $ECHO_N "checking for strftime in -lintl... $ECHO_C" >&6; }
if test "${ac_cv_lib_intl_strftime+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
-/* Override any gcc2 internal prototype to avoid an error. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
char strftime ();
int
main ()
{
-strftime ();
+return strftime ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
ac_cv_lib_intl_strftime=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_lib_intl_strftime=no
+ ac_cv_lib_intl_strftime=no
fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_intl_strftime" >&5
-echo "${ECHO_T}$ac_cv_lib_intl_strftime" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_strftime" >&5
+echo "${ECHO_T}$ac_cv_lib_intl_strftime" >&6; }
if test $ac_cv_lib_intl_strftime = yes; then
cat >>confdefs.h <<\_ACEOF
#define HAVE_STRFTIME 1
fi
done
-echo "$as_me:$LINENO: checking whether utime accepts a null argument" >&5
-echo $ECHO_N "checking whether utime accepts a null argument... $ECHO_C" >&6
+
+
+
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking whether utime accepts a null argument" >&5
+echo $ECHO_N "checking whether utime accepts a null argument... $ECHO_C" >&6; }
if test "${ac_cv_func_utime_null+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
+ #ifdef HAVE_UTIME_H
+ # include <utime.h>
+ #endif
int
main ()
{
struct stat s, t;
- exit (!(stat ("conftest.data", &s) == 0
- && utime ("conftest.data", (long *)0) == 0
- && stat ("conftest.data", &t) == 0
- && t.st_mtime >= s.st_mtime
- && t.st_mtime - s.st_mtime < 120));
+ return ! (stat ("conftest.data", &s) == 0
+ && utime ("conftest.data", 0) == 0
+ && stat ("conftest.data", &t) == 0
+ && t.st_mtime >= s.st_mtime
+ && t.st_mtime - s.st_mtime < 120);
;
return 0;
}
_ACEOF
rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
( exit $ac_status )
ac_cv_func_utime_null=no
fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
-rm -f core *.core
+
+
fi
-echo "$as_me:$LINENO: result: $ac_cv_func_utime_null" >&5
-echo "${ECHO_T}$ac_cv_func_utime_null" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_utime_null" >&5
+echo "${ECHO_T}$ac_cv_func_utime_null" >&6; }
if test $ac_cv_func_utime_null = yes; then
cat >>confdefs.h <<\_ACEOF
for ac_func in vprintf
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
#undef $ac_func
-/* Override any gcc2 internal prototype to avoid an error. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
-{
#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
char $ac_func ();
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
#endif
int
main ()
{
-return f != $ac_func;
+return $ac_func ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
eval "$as_ac_var=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-eval "$as_ac_var=no"
+ eval "$as_ac_var=no"
fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
if test `eval echo '${'$as_ac_var'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
-echo "$as_me:$LINENO: checking for _doprnt" >&5
-echo $ECHO_N "checking for _doprnt... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for _doprnt" >&5
+echo $ECHO_N "checking for _doprnt... $ECHO_C" >&6; }
if test "${ac_cv_func__doprnt+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
#undef _doprnt
-/* Override any gcc2 internal prototype to avoid an error. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
-{
#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
char _doprnt ();
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
-#if defined (__stub__doprnt) || defined (__stub____doprnt)
+#if defined __stub__doprnt || defined __stub____doprnt
choke me
-#else
-char (*f) () = _doprnt;
-#endif
-#ifdef __cplusplus
-}
#endif
int
main ()
{
-return f != _doprnt;
+return _doprnt ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
ac_cv_func__doprnt=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_func__doprnt=no
+ ac_cv_func__doprnt=no
fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: $ac_cv_func__doprnt" >&5
-echo "${ECHO_T}$ac_cv_func__doprnt" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func__doprnt" >&5
+echo "${ECHO_T}$ac_cv_func__doprnt" >&6; }
if test $ac_cv_func__doprnt = yes; then
cat >>confdefs.h <<\_ACEOF
# 2008-07-04 getopt_long added
+# 2009-07-30 timegm added
+
-for ac_func in getopt_long gettimeofday memset setenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime
+
+for ac_func in getopt_long gettimeofday memset putenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime getuid timegm
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
#undef $ac_func
-/* Override any gcc2 internal prototype to avoid an error. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
-{
#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
char $ac_func ();
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
#endif
int
main ()
{
-return f != $ac_func;
+return $ac_func ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
eval "$as_ac_var=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
-eval "$as_ac_var=no"
+ eval "$as_ac_var=no"
fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
if test `eval echo '${'$as_ac_var'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
- ac_config_files="$ac_config_files Makefile"
+ac_config_files="$ac_config_files Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
# The following way of writing the cache mishandles newlines in values,
# but we know of no workaround that is simple, portable, and efficient.
-# So, don't put newlines in cache variables' values.
+# So, we kill variables containing newlines.
# Ultrix sh set writes to stderr and can't be redirected directly,
# and sets the high bit in the cache file unless we assign to the vars.
-{
+(
+ for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+ eval ac_val=\$$ac_var
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+ *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+ *) $as_unset $ac_var ;;
+ esac ;;
+ esac
+ done
+
(set) 2>&1 |
- case `(ac_space=' '; set | grep ac_space) 2>&1` in
- *ac_space=\ *)
+ case $as_nl`(ac_space=' '; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
# `set' does not quote correctly, so add quotes (double-quote
# substitution turns \\\\ into \\, and sed turns \\ into \).
sed -n \
"s/'/'\\\\''/g;
s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
- ;;
+ ;; #(
*)
# `set' quotes correctly as required by POSIX, so do not add quotes.
- sed -n \
- "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
;;
- esac;
-} |
+ esac |
+ sort
+) |
sed '
+ /^ac_cv_env_/b end
t clear
- : clear
+ :clear
s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
t end
- /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
- : end' >>confcache
-if diff $cache_file confcache >/dev/null 2>&1; then :; else
- if test -w $cache_file; then
- test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+ s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+ :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+ if test -w "$cache_file"; then
+ test "x$cache_file" != "x/dev/null" &&
+ { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+echo "$as_me: updating cache $cache_file" >&6;}
cat confcache >$cache_file
else
- echo "not updating unwritable cache $cache_file"
+ { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+echo "$as_me: not updating unwritable cache $cache_file" >&6;}
fi
fi
rm -f confcache
# Let make expand exec_prefix.
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-# trailing colons and then remove the whole line if VPATH becomes empty
-# (actually we leave an empty line to preserve line numbers).
-if test "x$srcdir" = x.; then
- ac_vpsub='/^[ ]*VPATH[ ]*=/{
-s/:*\$(srcdir):*/:/;
-s/:*\${srcdir}:*/:/;
-s/:*@srcdir@:*/:/;
-s/^\([^=]*=[ ]*\):*/\1/;
-s/:*$//;
-s/^[^=]*=[ ]*$//;
-}'
-fi
-
DEFS=-DHAVE_CONFIG_H
ac_libobjs=
ac_ltlibobjs=
for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
# 1. Remove the extension, and $U if already installed.
- ac_i=`echo "$ac_i" |
- sed 's/\$U\././;s/\.o$//;s/\.obj$//'`
- # 2. Add them.
- ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext"
- ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo'
+ ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+ ac_i=`echo "$ac_i" | sed "$ac_script"`
+ # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR
+ # will be set to the directory where LIBOBJS objects are built.
+ ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+ ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
done
LIBOBJS=$ac_libobjs
## M4sh Initialization. ##
## --------------------- ##
-# Be Bourne compatible
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
emulate sh
NULLCMD=:
# Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
# is contrary to our usage. Disable this feature.
alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
- set -o posix
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ echo "#! /bin/sh" >conf$$.sh
+ echo "exit 0" >>conf$$.sh
+ chmod +x conf$$.sh
+ if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+ PATH_SEPARATOR=';'
+ else
+ PATH_SEPARATOR=:
+ fi
+ rm -f conf$$.sh
fi
-DUALCASE=1; export DUALCASE # for MKS sh
# Support unset when possible.
if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
fi
+# IFS
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" "" $as_nl"
+
+# Find who we are. Look in the path if we contain no directory separator.
+case $0 in
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+ as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+ echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+ { (exit 1); exit 1; }
+fi
+
# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
PS1='$ '
PS2='> '
PS4='+ '
if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
eval $as_var=C; export $as_var
else
- $as_unset $as_var
+ ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
fi
done
# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
as_expr=expr
else
as_expr=false
fi
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
as_basename=basename
else
as_basename=false
# Name of the executable.
-as_me=`$as_basename "$0" ||
+as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
X"$0" : 'X\(//\)$' \| \
- X"$0" : 'X\(/\)$' \| \
- . : '\(.\)' 2>/dev/null ||
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
echo X/"$0" |
- sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
- /^X\/\(\/\/\)$/{ s//\1/; q; }
- /^X\/\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
-
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
- echo "#! /bin/sh" >conf$$.sh
- echo "exit 0" >>conf$$.sh
- chmod +x conf$$.sh
- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
- PATH_SEPARATOR=';'
- else
- PATH_SEPARATOR=:
- fi
- rm -f conf$$.sh
-fi
+# CDPATH.
+$as_unset CDPATH
- as_lineno_1=$LINENO
- as_lineno_2=$LINENO
- as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
- test "x$as_lineno_1" != "x$as_lineno_2" &&
- test "x$as_lineno_3" = "x$as_lineno_2" || {
- # Find who we are. Look in the path if we contain no path at all
- # relative or not.
- case $0 in
- *[\\/]* ) as_myself=$0 ;;
- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
- ;;
- esac
- # We did not find ourselves, most probably we were run as `sh COMMAND'
- # in which case we are not to be found in the path.
- if test "x$as_myself" = x; then
- as_myself=$0
- fi
- if test ! -f "$as_myself"; then
- { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5
-echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;}
- { (exit 1); exit 1; }; }
- fi
- case $CONFIG_SHELL in
- '')
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for as_base in sh bash ksh sh5; do
- case $as_dir in
- /*)
- if ("$as_dir/$as_base" -c '
as_lineno_1=$LINENO
as_lineno_2=$LINENO
- as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
test "x$as_lineno_1" != "x$as_lineno_2" &&
- test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then
- $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
- $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
- CONFIG_SHELL=$as_dir/$as_base
- export CONFIG_SHELL
- exec "$CONFIG_SHELL" "$0" ${1+"$@"}
- fi;;
- esac
- done
-done
-;;
- esac
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
# Create $as_me.lineno as a copy of $as_myself, but with $LINENO
# uniformly replaced by the line number. The first 'sed' inserts a
- # line-number line before each line; the second 'sed' does the real
- # work. The second script uses 'N' to pair each line-number line
- # with the numbered line, and appends trailing '-' during
- # substitution so that $LINENO is not a special case at line end.
+ # line-number line after each line using $LINENO; the second 'sed'
+ # does the real work. The second script uses 'N' to pair each
+ # line-number line with the line containing $LINENO, and appends
+ # trailing '-' during substitution so that $LINENO is not a special
+ # case at line end.
# (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
- # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-)
- sed '=' <$as_myself |
+ # scripts with optimization help from Paolo Bonzini. Blame Lee
+ # E. McMahon (1931-1989) for sed's syntax. :-)
+ sed -n '
+ p
+ /[$]LINENO/=
+ ' <$as_myself |
sed '
+ s/[$]LINENO.*/&-/
+ t lineno
+ b
+ :lineno
N
- s,$,-,
- : loop
- s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+ :loop
+ s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
t loop
- s,-$,,
- s,^['$as_cr_digits']*\n,,
+ s/-\n.*//
' >$as_me.lineno &&
- chmod +x $as_me.lineno ||
- { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5
-echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;}
+ chmod +x "$as_me.lineno" ||
+ { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
{ (exit 1); exit 1; }; }
# Don't try to exec as it changes $[0], causing all sort of problems
# (the dirname of $[0] is not the place where we might find the
- # original and so on. Autoconf is especially sensible to this).
- . ./$as_me.lineno
+ # original and so on. Autoconf is especially sensitive to this).
+ . "./$as_me.lineno"
# Exit status is that of the last command.
exit
}
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
- *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T=' ' ;;
- *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;;
- *) ECHO_N= ECHO_C='\c' ECHO_T= ;;
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+ as_dirname=dirname
+else
+ as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+ case `echo 'x\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+ *) ECHO_C='\c';;
+ esac;;
+*)
+ ECHO_N='-n';;
esac
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
as_expr=expr
else
as_expr=false
fi
rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+else
+ rm -f conf$$.dir
+ mkdir conf$$.dir
+fi
echo >conf$$.file
if ln -s conf$$.file conf$$ 2>/dev/null; then
- # We could just check for DJGPP; but this test a) works b) is more generic
- # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
- if test -f conf$$.exe; then
- # Don't use ln at all; we don't have any links
+ as_ln_s='ln -s'
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+ # In both cases, we have to default to `cp -p'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
as_ln_s='cp -p'
- else
- as_ln_s='ln -s'
- fi
elif ln conf$$.file conf$$ 2>/dev/null; then
as_ln_s=ln
else
as_ln_s='cp -p'
fi
-rm -f conf$$ conf$$.exe conf$$.file
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
if mkdir -p . 2>/dev/null; then
as_mkdir_p=:
as_mkdir_p=false
fi
-as_executable_p="test -f"
+if test -x / >/dev/null 2>&1; then
+ as_test_x='test -x'
+else
+ if ls -dL / >/dev/null 2>&1; then
+ as_ls_L_option=L
+ else
+ as_ls_L_option=
+ fi
+ as_test_x='
+ eval sh -c '\''
+ if test -d "$1"; then
+ test -d "$1/.";
+ else
+ case $1 in
+ -*)set "./$1";;
+ esac;
+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+ ???[sx]*):;;*)false;;esac;fi
+ '\'' sh
+ '
+fi
+as_executable_p=$as_test_x
# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" $as_nl"
-
-# CDPATH.
-$as_unset CDPATH
-
exec 6>&1
-# Open the log real soon, to keep \$[0] and so on meaningful, and to
+# Save the log message, to keep $[0] and so on meaningful, and to
# report actual input values of CONFIG_FILES etc. instead of their
-# values after options handling. Logging --version etc. is OK.
-exec 5>>config.log
-{
- echo
- sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
-## Running $as_me. ##
-_ASBOX
-} >&5
-cat >&5 <<_CSEOF
-
-This file was extended by ZKT $as_me 0.98, which was
-generated by GNU Autoconf 2.59. Invocation command line was
+# values after options handling.
+ac_log="
+This file was extended by ZKT $as_me 0.99c, which was
+generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
CONFIG_HEADERS = $CONFIG_HEADERS
CONFIG_COMMANDS = $CONFIG_COMMANDS
$ $0 $@
-_CSEOF
-echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5
-echo >&5
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
+
_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
# Files that config.status was made for.
-if test -n "$ac_config_files"; then
- echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_headers"; then
- echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_links"; then
- echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
-fi
+config_files="$ac_config_files"
+config_headers="$ac_config_headers"
-if test -n "$ac_config_commands"; then
- echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
-fi
+_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF
-
ac_cs_usage="\
\`$as_me' instantiates files from templates according to the
current configuration.
Usage: $0 [OPTIONS] [FILE]...
-h, --help print this help, then exit
- -V, --version print version number, then exit
+ -V, --version print version number and configuration settings, then exit
-q, --quiet do not print progress messages
-d, --debug don't remove temporary files
--recheck update $as_me by reconfiguring in the same conditions
$config_headers
Report bugs to <bug-autoconf@gnu.org>."
-_ACEOF
+_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-ZKT config.status 0.98
-configured by $0, generated by GNU Autoconf 2.59,
- with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
+ZKT config.status 0.99c
+configured by $0, generated by GNU Autoconf 2.61,
+ with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
-Copyright (C) 2003 Free Software Foundation, Inc.
+Copyright (C) 2006 Free Software Foundation, Inc.
This config.status script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it."
-srcdir=$srcdir
+
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF
do
case $1 in
--*=*)
- ac_option=`expr "x$1" : 'x\([^=]*\)='`
- ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
+ ac_option=`expr "X$1" : 'X\([^=]*\)='`
+ ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
ac_shift=:
;;
- -*)
+ *)
ac_option=$1
ac_optarg=$2
ac_shift=shift
;;
- *) # This is not an option, so the user has probably given explicit
- # arguments.
- ac_option=$1
- ac_need_defaults=false;;
esac
case $ac_option in
# Handling of the options.
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
ac_cs_recheck=: ;;
- --version | --vers* | -V )
- echo "$ac_cs_version"; exit 0 ;;
- --he | --h)
- # Conflict between --help and --header
- { { echo "$as_me:$LINENO: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&2;}
- { (exit 1); exit 1; }; };;
- --help | --hel | -h )
- echo "$ac_cs_usage"; exit 0 ;;
- --debug | --d* | -d )
+ --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+ echo "$ac_cs_version"; exit ;;
+ --debug | --debu | --deb | --de | --d | -d )
debug=: ;;
--file | --fil | --fi | --f )
$ac_shift
$ac_shift
CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
ac_need_defaults=false;;
+ --he | --h)
+ # Conflict between --help and --header
+ { echo "$as_me: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&2
+ { (exit 1); exit 1; }; };;
+ --help | --hel | -h )
+ echo "$ac_cs_usage"; exit ;;
-q | -quiet | --quiet | --quie | --qui | --qu | --q \
| -silent | --silent | --silen | --sile | --sil | --si | --s)
ac_cs_silent=: ;;
# This is an error.
- -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&2;}
+ -*) { echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2
{ (exit 1); exit 1; }; } ;;
- *) ac_config_targets="$ac_config_targets $1" ;;
+ *) ac_config_targets="$ac_config_targets $1"
+ ac_need_defaults=false ;;
esac
shift
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
if \$ac_cs_recheck; then
- echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
- exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+ echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+ CONFIG_SHELL=$SHELL
+ export CONFIG_SHELL
+ exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
fi
_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+exec 5>>config.log
+{
+ echo
+ sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+ echo "$ac_log"
+} >&5
-
-
-
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF
+
+# Handling of arguments.
for ac_config_target in $ac_config_targets
do
- case "$ac_config_target" in
- # Handling of arguments.
- "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
- "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+ case $ac_config_target in
+ "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+ "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+
*) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
{ (exit 1); exit 1; }; };;
esac
done
+
# If the user did not use the arguments to specify the items to instantiate,
# then the envvar interface is used. Set only those that are not.
# We use the long form for the default assignment because of an extremely
fi
# Have a temporary directory for convenience. Make it in the build tree
-# simply because there is no reason to put it here, and in addition,
+# simply because there is no reason against having it here, and in addition,
# creating and moving files from /tmp can sometimes cause problems.
-# Create a temporary directory, and hook for its removal unless debugging.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
$debug ||
{
- trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
+ tmp=
+ trap 'exit_status=$?
+ { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+' 0
trap '{ (exit 1); exit 1; }' 1 2 13 15
}
-
# Create a (secure) tmp directory for tmp files.
{
- tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` &&
+ tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
test -n "$tmp" && test -d "$tmp"
} ||
{
- tmp=./confstat$$-$RANDOM
- (umask 077 && mkdir $tmp)
+ tmp=./conf$$-$RANDOM
+ (umask 077 && mkdir "$tmp")
} ||
{
echo "$me: cannot create a temporary directory in ." >&2
{ (exit 1); exit 1; }
}
-_ACEOF
-
-cat >>$CONFIG_STATUS <<_ACEOF
-
#
-# CONFIG_FILES section.
+# Set up the sed scripts for CONFIG_FILES section.
#
# No need to generate the scripts if there are no CONFIG_FILES.
# This happens for instance when ./config.status config.h
-if test -n "\$CONFIG_FILES"; then
- # Protect against being on the right side of a sed subst in config.status.
- sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
- s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
-s,@SHELL@,$SHELL,;t t
-s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
-s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
-s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
-s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
-s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
-s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
-s,@exec_prefix@,$exec_prefix,;t t
-s,@prefix@,$prefix,;t t
-s,@program_transform_name@,$program_transform_name,;t t
-s,@bindir@,$bindir,;t t
-s,@sbindir@,$sbindir,;t t
-s,@libexecdir@,$libexecdir,;t t
-s,@datadir@,$datadir,;t t
-s,@sysconfdir@,$sysconfdir,;t t
-s,@sharedstatedir@,$sharedstatedir,;t t
-s,@localstatedir@,$localstatedir,;t t
-s,@libdir@,$libdir,;t t
-s,@includedir@,$includedir,;t t
-s,@oldincludedir@,$oldincludedir,;t t
-s,@infodir@,$infodir,;t t
-s,@mandir@,$mandir,;t t
-s,@build_alias@,$build_alias,;t t
-s,@host_alias@,$host_alias,;t t
-s,@target_alias@,$target_alias,;t t
-s,@DEFS@,$DEFS,;t t
-s,@ECHO_C@,$ECHO_C,;t t
-s,@ECHO_N@,$ECHO_N,;t t
-s,@ECHO_T@,$ECHO_T,;t t
-s,@LIBS@,$LIBS,;t t
-s,@CC@,$CC,;t t
-s,@CFLAGS@,$CFLAGS,;t t
-s,@LDFLAGS@,$LDFLAGS,;t t
-s,@CPPFLAGS@,$CPPFLAGS,;t t
-s,@ac_ct_CC@,$ac_ct_CC,;t t
-s,@EXEEXT@,$EXEEXT,;t t
-s,@OBJEXT@,$OBJEXT,;t t
-s,@SIGNZONE_PROG@,$SIGNZONE_PROG,;t t
-s,@CPP@,$CPP,;t t
-s,@EGREP@,$EGREP,;t t
-s,@LIBOBJS@,$LIBOBJS,;t t
-s,@LTLIBOBJS@,$LTLIBOBJS,;t t
-CEOF
-
-_ACEOF
-
- cat >>$CONFIG_STATUS <<\_ACEOF
- # Split the substitutions into bite-sized pieces for seds with
- # small command number limits, like on Digital OSF/1 and HP-UX.
- ac_max_sed_lines=48
- ac_sed_frag=1 # Number of current file.
- ac_beg=1 # First line for current file.
- ac_end=$ac_max_sed_lines # Line after last line for current file.
- ac_more_lines=:
- ac_sed_cmds=
- while $ac_more_lines; do
- if test $ac_beg -gt 1; then
- sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
- else
- sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
- fi
- if test ! -s $tmp/subs.frag; then
- ac_more_lines=false
- else
- # The purpose of the label and of the branching condition is to
- # speed up the sed processing (if there are no `@' at all, there
- # is no need to browse any of the substitutions).
- # These are the two extra sed commands mentioned above.
- (echo ':t
- /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
- if test -z "$ac_sed_cmds"; then
- ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
- else
- ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
- fi
- ac_sed_frag=`expr $ac_sed_frag + 1`
- ac_beg=$ac_end
- ac_end=`expr $ac_end + $ac_max_sed_lines`
- fi
- done
- if test -z "$ac_sed_cmds"; then
- ac_sed_cmds=cat
+if test -n "$CONFIG_FILES"; then
+
+_ACEOF
+
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+ cat >conf$$subs.sed <<_ACEOF
+SHELL!$SHELL$ac_delim
+PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+exec_prefix!$exec_prefix$ac_delim
+prefix!$prefix$ac_delim
+program_transform_name!$program_transform_name$ac_delim
+bindir!$bindir$ac_delim
+sbindir!$sbindir$ac_delim
+libexecdir!$libexecdir$ac_delim
+datarootdir!$datarootdir$ac_delim
+datadir!$datadir$ac_delim
+sysconfdir!$sysconfdir$ac_delim
+sharedstatedir!$sharedstatedir$ac_delim
+localstatedir!$localstatedir$ac_delim
+includedir!$includedir$ac_delim
+oldincludedir!$oldincludedir$ac_delim
+docdir!$docdir$ac_delim
+infodir!$infodir$ac_delim
+htmldir!$htmldir$ac_delim
+dvidir!$dvidir$ac_delim
+pdfdir!$pdfdir$ac_delim
+psdir!$psdir$ac_delim
+libdir!$libdir$ac_delim
+localedir!$localedir$ac_delim
+mandir!$mandir$ac_delim
+DEFS!$DEFS$ac_delim
+ECHO_C!$ECHO_C$ac_delim
+ECHO_N!$ECHO_N$ac_delim
+ECHO_T!$ECHO_T$ac_delim
+LIBS!$LIBS$ac_delim
+build_alias!$build_alias$ac_delim
+host_alias!$host_alias$ac_delim
+target_alias!$target_alias$ac_delim
+CC!$CC$ac_delim
+CFLAGS!$CFLAGS$ac_delim
+LDFLAGS!$LDFLAGS$ac_delim
+CPPFLAGS!$CPPFLAGS$ac_delim
+ac_ct_CC!$ac_ct_CC$ac_delim
+EXEEXT!$EXEEXT$ac_delim
+OBJEXT!$OBJEXT$ac_delim
+SIGNZONE_PROG!$SIGNZONE_PROG$ac_delim
+CPP!$CPP$ac_delim
+GREP!$GREP$ac_delim
+EGREP!$EGREP$ac_delim
+LIBOBJS!$LIBOBJS$ac_delim
+LTLIBOBJS!$LTLIBOBJS$ac_delim
+_ACEOF
+
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 50; then
+ break
+ elif $ac_last_try; then
+ { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+ { (exit 1); exit 1; }; }
+ else
+ ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
fi
-fi # test -n "$CONFIG_FILES"
+done
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+ ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+ ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+:end
+s/|#_!!_#|//g
+CEOF$ac_eof
_ACEOF
+
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+ ac_vpsub='/^[ ]*VPATH[ ]*=/{
+s/:*\$(srcdir):*/:/
+s/:*\${srcdir}:*/:/
+s/:*@srcdir@:*/:/
+s/^\([^=]*=[ ]*\):*/\1/
+s/:*$//
+s/^[^=]*=[ ]*$//
+}'
+fi
+
cat >>$CONFIG_STATUS <<\_ACEOF
-for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
- # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
- case $ac_file in
- - | *:- | *:-:* ) # input from stdin
- cat >$tmp/stdin
- ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
- ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
- *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
- ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
- * ) ac_file_in=$ac_file.in ;;
+fi # test -n "$CONFIG_FILES"
+
+
+for ac_tag in :F $CONFIG_FILES :H $CONFIG_HEADERS
+do
+ case $ac_tag in
+ :[FHLC]) ac_mode=$ac_tag; continue;;
+ esac
+ case $ac_mode$ac_tag in
+ :[FHL]*:*);;
+ :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+ { (exit 1); exit 1; }; };;
+ :[FH]-) ac_tag=-:-;;
+ :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+ esac
+ ac_save_IFS=$IFS
+ IFS=:
+ set x $ac_tag
+ IFS=$ac_save_IFS
+ shift
+ ac_file=$1
+ shift
+
+ case $ac_mode in
+ :L) ac_source=$1;;
+ :[FH])
+ ac_file_inputs=
+ for ac_f
+ do
+ case $ac_f in
+ -) ac_f="$tmp/stdin";;
+ *) # Look for the file first in the build tree, then in the source tree
+ # (if the path is not absolute). The absolute path cannot be DOS-style,
+ # because $ac_f cannot contain `:'.
+ test -f "$ac_f" ||
+ case $ac_f in
+ [\\/$]*) false;;
+ *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+ esac ||
+ { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+ { (exit 1); exit 1; }; };;
+ esac
+ ac_file_inputs="$ac_file_inputs $ac_f"
+ done
+
+ # Let's still pretend it is `configure' which instantiates (i.e., don't
+ # use $as_me), people would be surprised to read:
+ # /* config.h. Generated by config.status. */
+ configure_input="Generated from "`IFS=:
+ echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
+ if test x"$ac_file" != x-; then
+ configure_input="$ac_file. $configure_input"
+ { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+ fi
+
+ case $ac_tag in
+ *:-:* | *:-) cat >"$tmp/stdin";;
+ esac
+ ;;
esac
- # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
- ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+ ac_dir=`$as_dirname -- "$ac_file" ||
$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$ac_file" : 'X\(//\)[^/]' \| \
X"$ac_file" : 'X\(//\)$' \| \
- X"$ac_file" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
+ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
echo X"$ac_file" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
- { if $as_mkdir_p; then
- mkdir -p "$ac_dir"
- else
- as_dir="$ac_dir"
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ { as_dir="$ac_dir"
+ case $as_dir in #(
+ -*) as_dir=./$as_dir;;
+ esac
+ test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
as_dirs=
- while test ! -d "$as_dir"; do
- as_dirs="$as_dir $as_dirs"
- as_dir=`(dirname "$as_dir") 2>/dev/null ||
+ while :; do
+ case $as_dir in #(
+ *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+ *) as_qdir=$as_dir;;
+ esac
+ as_dirs="'$as_qdir' $as_dirs"
+ as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$as_dir" : 'X\(//\)[^/]' \| \
X"$as_dir" : 'X\(//\)$' \| \
- X"$as_dir" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
echo X"$as_dir" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ test -d "$as_dir" && break
done
- test ! -n "$as_dirs" || mkdir $as_dirs
- fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
+ test -z "$as_dirs" || eval "mkdir $as_dirs"
+ } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
{ (exit 1); exit 1; }; }; }
-
ac_builddir=.
-if test "$ac_dir" != .; then
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
- # A "../" for each directory in $ac_dir_suffix.
- ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
- ac_dir_suffix= ac_top_builddir=
-fi
+ # A ".." for each directory in $ac_dir_suffix.
+ ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+ esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
case $srcdir in
- .) # No --srcdir option. We are building in place.
+ .) # We are building in place.
ac_srcdir=.
- if test -z "$ac_top_builddir"; then
- ac_top_srcdir=.
- else
- ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
- fi ;;
- [\\/]* | ?:[\\/]* ) # Absolute path.
+ ac_top_srcdir=$ac_top_builddir_sub
+ ac_abs_top_srcdir=$ac_pwd ;;
+ [\\/]* | ?:[\\/]* ) # Absolute name.
ac_srcdir=$srcdir$ac_dir_suffix;
- ac_top_srcdir=$srcdir ;;
- *) # Relative path.
- ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
- ac_top_srcdir=$ac_top_builddir$srcdir ;;
+ ac_top_srcdir=$srcdir
+ ac_abs_top_srcdir=$srcdir ;;
+ *) # Relative name.
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_build_prefix$srcdir
+ ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
- case "$ac_dir" in
- .) ac_abs_builddir=`pwd`;;
- [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
- *) ac_abs_builddir=`pwd`/"$ac_dir";;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
- case ${ac_top_builddir}. in
- .) ac_abs_top_builddir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
- *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
- case $ac_srcdir in
- .) ac_abs_srcdir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
- *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
- case $ac_top_srcdir in
- .) ac_abs_top_srcdir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
- *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
- esac;;
-esac
+ case $ac_mode in
+ :F)
+ #
+ # CONFIG_FILE
+ #
+_ACEOF
- if test x"$ac_file" != x-; then
- { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
- rm -f "$ac_file"
- fi
- # Let's still pretend it is `configure' which instantiates (i.e., don't
- # use $as_me), people would be surprised to read:
- # /* config.h. Generated by config.status. */
- if test x"$ac_file" = x-; then
- configure_input=
- else
- configure_input="$ac_file. "
- fi
- configure_input=$configure_input"Generated from `echo $ac_file_in |
- sed 's,.*/,,'` by configure."
-
- # First look for the input files in the build tree, otherwise in the
- # src tree.
- ac_file_inputs=`IFS=:
- for f in $ac_file_in; do
- case $f in
- -) echo $tmp/stdin ;;
- [\\/$]*)
- # Absolute (can't be DOS-style, as IFS=:)
- test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
- { (exit 1); exit 1; }; }
- echo "$f";;
- *) # Relative
- if test -f "$f"; then
- # Build tree
- echo "$f"
- elif test -f "$srcdir/$f"; then
- # Source tree
- echo "$srcdir/$f"
- else
- # /dev/null tree
- { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
- { (exit 1); exit 1; }; }
- fi;;
- esac
- done` || { (exit 1); exit 1; }
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
+
+case `sed -n '/datarootdir/ {
+ p
+ q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p
+' $ac_file_inputs` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+ { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+ ac_datarootdir_hack='
+ s&@datadir@&$datadir&g
+ s&@docdir@&$docdir&g
+ s&@infodir@&$infodir&g
+ s&@localedir@&$localedir&g
+ s&@mandir@&$mandir&g
+ s&\\\${datarootdir}&$datarootdir&g' ;;
+esac
_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
cat >>$CONFIG_STATUS <<_ACEOF
sed "$ac_vpsub
$extrasub
cat >>$CONFIG_STATUS <<\_ACEOF
:t
/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s,@configure_input@,$configure_input,;t t
-s,@srcdir@,$ac_srcdir,;t t
-s,@abs_srcdir@,$ac_abs_srcdir,;t t
-s,@top_srcdir@,$ac_top_srcdir,;t t
-s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
-s,@builddir@,$ac_builddir,;t t
-s,@abs_builddir@,$ac_abs_builddir,;t t
-s,@top_builddir@,$ac_top_builddir,;t t
-s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
-" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
- rm -f $tmp/stdin
- if test x"$ac_file" != x-; then
- mv $tmp/out $ac_file
- else
- cat $tmp/out
- rm -f $tmp/out
- fi
-
-done
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-#
-# CONFIG_HEADER section.
-#
-
-# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
-# NAME is the cpp macro being defined and VALUE is the value it is being given.
-#
-# ac_d sets the value in "#define NAME VALUE" lines.
-ac_dA='s,^\([ ]*\)#\([ ]*define[ ][ ]*\)'
-ac_dB='[ ].*$,\1#\2'
-ac_dC=' '
-ac_dD=',;t'
-# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
-ac_uA='s,^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)'
-ac_uB='$,\1#\2define\3'
-ac_uC=' '
-ac_uD=',;t'
-
-for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
- # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+s&@configure_input@&$configure_input&;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+$ac_datarootdir_hack
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out
+
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+ { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+ { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+ { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined. Please make sure it is defined." >&5
+echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined. Please make sure it is defined." >&2;}
+
+ rm -f "$tmp/stdin"
case $ac_file in
- - | *:- | *:-:* ) # input from stdin
- cat >$tmp/stdin
- ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
- ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
- *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
- ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
- * ) ac_file_in=$ac_file.in ;;
+ -) cat "$tmp/out"; rm -f "$tmp/out";;
+ *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
esac
-
- test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-
- # First look for the input files in the build tree, otherwise in the
- # src tree.
- ac_file_inputs=`IFS=:
- for f in $ac_file_in; do
- case $f in
- -) echo $tmp/stdin ;;
- [\\/$]*)
- # Absolute (can't be DOS-style, as IFS=:)
- test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
- { (exit 1); exit 1; }; }
- # Do quote $f, to prevent DOS paths from being IFS'd.
- echo "$f";;
- *) # Relative
- if test -f "$f"; then
- # Build tree
- echo "$f"
- elif test -f "$srcdir/$f"; then
- # Source tree
- echo "$srcdir/$f"
- else
- # /dev/null tree
- { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
- { (exit 1); exit 1; }; }
- fi;;
- esac
- done` || { (exit 1); exit 1; }
- # Remove the trailing spaces.
- sed 's/[ ]*$//' $ac_file_inputs >$tmp/in
-
-_ACEOF
-
-# Transform confdefs.h into two sed scripts, `conftest.defines' and
-# `conftest.undefs', that substitutes the proper values into
-# config.h.in to produce config.h. The first handles `#define'
-# templates, and the second `#undef' templates.
-# And first: Protect against being on the right side of a sed subst in
-# config.status. Protect against being in an unquoted here document
-# in config.status.
-rm -f conftest.defines conftest.undefs
-# Using a here document instead of a string reduces the quoting nightmare.
-# Putting comments in sed scripts is not portable.
-#
-# `end' is used to avoid that the second main sed command (meant for
-# 0-ary CPP macros) applies to n-ary macro definitions.
-# See the Autoconf documentation for `clear'.
-cat >confdef2sed.sed <<\_ACEOF
-s/[\\&,]/\\&/g
-s,[\\$`],\\&,g
-t clear
-: clear
-s,^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*\)\(([^)]*)\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp
-t end
-s,^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
-: end
-_ACEOF
-# If some macros were called several times there might be several times
-# the same #defines, which is useless. Nevertheless, we may not want to
-# sort them, since we want the *last* AC-DEFINE to be honored.
-uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
-sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
-rm -f confdef2sed.sed
-
-# This sed command replaces #undef with comments. This is necessary, for
+ ;;
+ :H)
+ #
+ # CONFIG_HEADER
+ #
+_ACEOF
+
+# Transform confdefs.h into a sed script `conftest.defines', that
+# substitutes the proper values into config.h.in to produce config.h.
+rm -f conftest.defines conftest.tail
+# First, append a space to every undef/define line, to ease matching.
+echo 's/$/ /' >conftest.defines
+# Then, protect against being on the right side of a sed subst, or in
+# an unquoted here document, in config.status. If some macros were
+# called several times there might be several #defines for the same
+# symbol, which is useless. But do not sort them, since the last
+# AC_DEFINE must be honored.
+ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
+# These sed commands are passed to sed as "A NAME B PARAMS C VALUE D", where
+# NAME is the cpp macro being defined, VALUE is the value it is being given.
+# PARAMS is the parameter list in the macro definition--in most cases, it's
+# just an empty string.
+ac_dA='s,^\\([ #]*\\)[^ ]*\\([ ]*'
+ac_dB='\\)[ (].*,\\1define\\2'
+ac_dC=' '
+ac_dD=' ,'
+
+uniq confdefs.h |
+ sed -n '
+ t rset
+ :rset
+ s/^[ ]*#[ ]*define[ ][ ]*//
+ t ok
+ d
+ :ok
+ s/[\\&,]/\\&/g
+ s/^\('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/ '"$ac_dA"'\1'"$ac_dB"'\2'"${ac_dC}"'\3'"$ac_dD"'/p
+ s/^\('"$ac_word_re"'\)[ ]*\(.*\)/'"$ac_dA"'\1'"$ac_dB$ac_dC"'\2'"$ac_dD"'/p
+ ' >>conftest.defines
+
+# Remove the space that was appended to ease matching.
+# Then replace #undef with comments. This is necessary, for
# example, in the case of _POSIX_SOURCE, which is predefined and required
# on some systems where configure will not decide to define it.
-cat >>conftest.undefs <<\_ACEOF
-s,^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
-_ACEOF
-
-# Break up conftest.defines because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo ' # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
-echo ' if grep "^[ ]*#[ ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
-echo ' # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
-echo ' :' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.defines >/dev/null
+# (The regexp can be short, since the line contains either #define or #undef.)
+echo 's/ $//
+s,^[ #]*u.*,/* & */,' >>conftest.defines
+
+# Break up conftest.defines:
+ac_max_sed_lines=50
+
+# First sed command is: sed -f defines.sed $ac_file_inputs >"$tmp/out1"
+# Second one is: sed -f defines.sed "$tmp/out1" >"$tmp/out2"
+# Third one will be: sed -f defines.sed "$tmp/out2" >"$tmp/out1"
+# et cetera.
+ac_in='$ac_file_inputs'
+ac_out='"$tmp/out1"'
+ac_nxt='"$tmp/out2"'
+
+while :
do
- # Write a limited-size here document to $tmp/defines.sed.
- echo ' cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS
- # Speed up: don't consider the non `#define' lines.
- echo '/^[ ]*#[ ]*define/!b' >>$CONFIG_STATUS
- # Work around the forget-to-reset-the-flag bug.
- echo 't clr' >>$CONFIG_STATUS
- echo ': clr' >>$CONFIG_STATUS
- sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
+ # Write a here document:
+ cat >>$CONFIG_STATUS <<_ACEOF
+ # First, check the format of the line:
+ cat >"\$tmp/defines.sed" <<\\CEOF
+/^[ ]*#[ ]*undef[ ][ ]*$ac_word_re[ ]*\$/b def
+/^[ ]*#[ ]*define[ ][ ]*$ac_word_re[( ]/b def
+b
+:def
+_ACEOF
+ sed ${ac_max_sed_lines}q conftest.defines >>$CONFIG_STATUS
echo 'CEOF
- sed -f $tmp/defines.sed $tmp/in >$tmp/out
- rm -f $tmp/in
- mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
- sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
+ sed -f "$tmp/defines.sed"' "$ac_in >$ac_out" >>$CONFIG_STATUS
+ ac_in=$ac_out; ac_out=$ac_nxt; ac_nxt=$ac_in
+ sed 1,${ac_max_sed_lines}d conftest.defines >conftest.tail
+ grep . conftest.tail >/dev/null || break
rm -f conftest.defines
mv conftest.tail conftest.defines
done
-rm -f conftest.defines
-echo ' fi # grep' >>$CONFIG_STATUS
-echo >>$CONFIG_STATUS
-
-# Break up conftest.undefs because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo ' # Handle all the #undef templates' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.undefs >/dev/null
-do
- # Write a limited-size here document to $tmp/undefs.sed.
- echo ' cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS
- # Speed up: don't consider the non `#undef'
- echo '/^[ ]*#[ ]*undef/!b' >>$CONFIG_STATUS
- # Work around the forget-to-reset-the-flag bug.
- echo 't clr' >>$CONFIG_STATUS
- echo ': clr' >>$CONFIG_STATUS
- sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
- echo 'CEOF
- sed -f $tmp/undefs.sed $tmp/in >$tmp/out
- rm -f $tmp/in
- mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
- sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
- rm -f conftest.undefs
- mv conftest.tail conftest.undefs
-done
-rm -f conftest.undefs
+rm -f conftest.defines conftest.tail
+echo "ac_result=$ac_in" >>$CONFIG_STATUS
cat >>$CONFIG_STATUS <<\_ACEOF
- # Let's still pretend it is `configure' which instantiates (i.e., don't
- # use $as_me), people would be surprised to read:
- # /* config.h. Generated by config.status. */
- if test x"$ac_file" = x-; then
- echo "/* Generated by configure. */" >$tmp/config.h
- else
- echo "/* $ac_file. Generated by configure. */" >$tmp/config.h
- fi
- cat $tmp/in >>$tmp/config.h
- rm -f $tmp/in
if test x"$ac_file" != x-; then
- if diff $ac_file $tmp/config.h >/dev/null 2>&1; then
+ echo "/* $configure_input */" >"$tmp/config.h"
+ cat "$ac_result" >>"$tmp/config.h"
+ if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then
{ echo "$as_me:$LINENO: $ac_file is unchanged" >&5
echo "$as_me: $ac_file is unchanged" >&6;}
else
- ac_dir=`(dirname "$ac_file") 2>/dev/null ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$ac_file" : 'X\(//\)[^/]' \| \
- X"$ac_file" : 'X\(//\)$' \| \
- X"$ac_file" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X"$ac_file" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
- { if $as_mkdir_p; then
- mkdir -p "$ac_dir"
- else
- as_dir="$ac_dir"
- as_dirs=
- while test ! -d "$as_dir"; do
- as_dirs="$as_dir $as_dirs"
- as_dir=`(dirname "$as_dir") 2>/dev/null ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$as_dir" : 'X\(//\)[^/]' \| \
- X"$as_dir" : 'X\(//\)$' \| \
- X"$as_dir" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X"$as_dir" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
- done
- test ! -n "$as_dirs" || mkdir $as_dirs
- fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
- { (exit 1); exit 1; }; }; }
-
rm -f $ac_file
- mv $tmp/config.h $ac_file
+ mv "$tmp/config.h" $ac_file
fi
else
- cat $tmp/config.h
- rm -f $tmp/config.h
+ echo "/* $configure_input */"
+ cat "$ac_result"
fi
-done
-_ACEOF
+ rm -f "$tmp/out12"
+ ;;
+
+
+ esac
+
+done # for ac_tag
-cat >>$CONFIG_STATUS <<\_ACEOF
{ (exit 0); exit 0; }
_ACEOF
--- /dev/null
+# -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
+#
+# @(#) configure.ac
+#
+# 2008-06-27 initial setup
+# 2008-06-29 add of BIND path checking
+# 2008-06-30 add of arg checkings
+# 2008-07-02 additional arg checkings
+# 2008-07-04 check for getopt_long() added
+# 2008-08-30 check for unsigned integer types
+# 2008-10-01 if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort
+# 2009-07-30 check for timegm() added
+#
+
+AC_PREREQ(2.59)
+
+### Package name and current version
+AC_INIT(ZKT, 0.99c, Holger Zuleger hznet.de)
+dnl AC_REVISION($Revision: 1.1 $)
+
+### Files to test to check if src dir contains the package
+AC_CONFIG_SRCDIR([dnssec-zkt.c])
+AC_CONFIG_HEADER([config.h])
+
+
+### Checks for programs.
+AC_PROG_CC
+
+### find out the path to BIND utils and version
+AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone)
+if test -z "$SIGNZONE_PROG" ; then
+# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
+ AC_MSG_WARN([*** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***])
+else
+ bind_util_path=`dirname "$SIGNZONE_PROG"`
+ # define BIND_UTIL_PATH in config.h.in
+ AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities)
+ # define BIND_VERSION in config.h.in
+ bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
+ AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots)
+fi
+
+AC_CHECK_TYPE(uint, unsigned int)
+AC_CHECK_TYPE(ulong, unsigned long)
+AC_CHECK_TYPE(ushort, unsigned short)
+AC_CHECK_TYPE(uchar, unsigned char)
+
+### define configure arguments
+AC_ARG_ENABLE([printtimezone], AC_HELP_STRING( [--enable-print-timezone], [print out timezone]), [printtimezone=$enableval])
+printtimezone=0
+test "$printtimezone" = yes && printtimezone=1
+AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, $printtimezone, print out timezone)
+
+AC_ARG_ENABLE([printyear], AC_HELP_STRING( [--enable-print-age], [print age of year]), [printyear=$enableval])
+printyear=0
+test "$printyear" = yes && printyear=1
+AC_DEFINE_UNQUOTED(PRINT_AGE_OF_YEAR, $printyear, print age of year)
+
+AC_ARG_ENABLE([logprogname], AC_HELP_STRING( [--enable-log-progname], [log with progname]), [logprogname=$enableval])
+logprogname=0
+test "$logprogname" = yes && logprogname=1
+AC_DEFINE_UNQUOTED(LOG_WITH_PROGNAME, $logprogname, log with progname)
+
+AC_ARG_ENABLE([logtimestamp], AC_HELP_STRING( [--disable-log-timestamp], [do not log with timestamp]), [logtimestamp=$enableval])
+logtimestamp=1
+test "$logtimestamp" = no && logtimestamp=0
+AC_DEFINE_UNQUOTED(LOG_WITH_TIMESTAMP, $logtimestamp, log with timestamp)
+
+AC_ARG_ENABLE([loglevel], AC_HELP_STRING( [--disable-log-level], [do not log with level]), [loglevel=$enableval])
+loglevel=1
+test "$loglevel" = no && loglevel=0
+AC_DEFINE_UNQUOTED(LOG_WITH_LEVEL, $loglevel, log with level)
+
+AC_ARG_ENABLE([ttl_in_keyfile], AC_HELP_STRING( [--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]), [ttl_in_keyfile=$enableval])
+ttl_in_keyfile=1
+test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
+AC_DEFINE_UNQUOTED(TTL_IN_KEYFILE_ALLOWED, $ttl_in_keyfile, TTL in keyfiles allowed)
+
+configpath="/var/named"
+AC_ARG_ENABLE([configpath],
+ AC_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]),
+ [configpath=$enableval])
+case "$configpath" in
+yes)
+ configpath="/var/named"
+ ;;
+no)
+ configpath=""
+ ;;
+*)
+ ;;
+esac
+AC_DEFINE_UNQUOTED(CONFIG_PATH, "$configpath/", [set path of config file (defaults to /var/named)])
+
+usetree=1
+t="T"
+AC_ARG_ENABLE([tree],
+ AC_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]),
+ [usetree=$enableval])
+if test "$usetree" = no
+then
+ usetree=0
+ t=""
+fi
+AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data structure for dnssec-zkt)
+
+AC_DEFINE_UNQUOTED(ZKT_VERSION, "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de", ZKT version string)
+
+### Checks for libraries.
+
+
+### Checks for header files.
+AC_HEADER_DIRENT
+AC_HEADER_STDC
+AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h])
+
+
+### Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+AC_TYPE_SIZE_T
+AC_HEADER_TIME
+AC_STRUCT_TM
+AC_TYPE_UID_T
+
+
+### Checks for library functions.
+AC_FUNC_CLOSEDIR_VOID
+AC_FUNC_ERROR_AT_LINE
+AC_FUNC_MALLOC
+AC_FUNC_MKTIME
+AC_FUNC_STAT
+AC_FUNC_STRFTIME
+AC_FUNC_UTIME_NULL
+AC_FUNC_VPRINTF
+# 2008-07-04 getopt_long added
+# 2009-07-30 timegm added
+AC_CHECK_FUNCS([getopt_long gettimeofday memset putenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime getuid timegm])
+
+
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT
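Review bot: The six boolean switches (printtimezone, printyear, logprogname, logtimestamp, loglevel, ttl_in_keyfile) assign their default on the line after `AC_ARG_ENABLE`, so the value taken from `$enableval` is overwritten and the option never has an effect; the configpath and tree blocks further down set the default first and do work. Move each default above its macro, or pass it as the fourth argument, e.g. `AC_ARG_ENABLE([printtimezone], AC_HELP_STRING([--enable-printtimezone], [print out timezone]), [printtimezone=$enableval], [printtimezone=0])`. The help strings also advertise spellings such as `--enable-print-timezone` and `--disable-ttl-in-keyfiles` that differ from the registered feature names, so a builder who follows the help text silently gets the default, which matters most for the switch meant to forbid TTL values in key files. Separately, `BIND_VERSION` is defined from `$bind_version` without checking that the pipeline produced digits; an empty result yields an empty macro, so a `test -n "$bind_version"` guard before that `AC_DEFINE_UNQUOTED` would be worth adding.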
while ( (dentp = readdir (dirp)) != NULL )
{
- if ( is_dotfile (dentp->d_name) )
+ if ( is_dotfilename (dentp->d_name) )
continue;
dbg_val ("directory: check %s\n", dentp->d_name);
{
char *p;
- dki_estr[0] = '\0';
if ( dkp == NULL )
return 0;
{
int days;
- dki_estr[0] = '\0';
if ( dkp == NULL )
return 0;
{
int len = 0;
- dki_estr[0] = '\0';
if ( dkp == NULL )
return len;
len += fprintf (fp, "; %s ", dkp->name);
int spaces;
int len = 0;
- dki_estr[0] = '\0';
if ( dkp == NULL )
return len;
len += fprintf (fp, "\"%s\" ", dkp->name);
{
int res;
- dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
{
int res;
- dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
*****************************************************************/
int dki_namecmp (const dki_t *a, const dki_t *b)
{
- dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
*****************************************************************/
int dki_tagcmp (const dki_t *a, const dki_t *b)
{
- dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
*****************************************************************/
int dki_timecmp (const dki_t *a, const dki_t *b)
{
- dki_estr[0] = '\0';
if ( a == NULL ) return -1;
if ( b == NULL ) return 1;
return ((ulong)a->time - (ulong)b->time);
}
+/*****************************************************************
+** dki_algo () return the algorithm of the key
+*****************************************************************/
+time_t dki_algo (const dki_t *dkp)
+{
+ assert (dkp != NULL);
+ return (dkp->algo);
+}
+
/*****************************************************************
** dki_time () return the timestamp of the key
*****************************************************************/
time_t dki_time (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->time);
}
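Review bot: `dki_algo()` is declared to return `time_t`, which looks carried over from `dki_time()` directly below it, although the value is a key algorithm number and `dki_findalgo()` compares it with an `int alg`. Returning `int` (or whatever type the `algo` member has, which is not visible here) would keep that comparison free of implicit conversions and make the prototype say what the function yields: `int dki_algo (const dki_t *dkp)`. The prototype added to the header, `extern time_t dki_algo (const dki_t *dkp);`, needs the same change.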
*****************************************************************/
time_t dki_exptime (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->exptime);
}
*****************************************************************/
time_t dki_lifetime (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->lifetime);
}
*****************************************************************/
ushort dki_lifetimedays (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->lifetime / DAYSEC);
}
*****************************************************************/
time_t dki_gentime (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->gentime > 0L ? dkp->gentime: dkp->time);
}
ulong lifetsec;
char path[MAX_PATHSIZE+1];
- dki_estr[0] = '\0';
assert (dkp != NULL);
lifetsec = dkp->lifetime; /* old lifetime */
char path[MAX_PATHSIZE+1];
time_t oldexptime;
- dki_estr[0] = '\0';
assert (dkp != NULL);
dbg_val1 ("dki_setexptime (%ld)\n", sec);
*****************************************************************/
int dki_age (const dki_t *dkp, time_t curr)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return ((ulong)curr - (ulong)dkp->time);
}
*****************************************************************/
dk_flag_t dki_getflag (const dki_t *dkp, time_t curr)
{
- dki_estr[0] = '\0';
return dkp->flags;
}
*****************************************************************/
dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag)
{
- dki_estr[0] = '\0';
return dkp->flags |= (ushort)flag;
}
*****************************************************************/
dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag)
{
- dki_estr[0] = '\0';
return dkp->flags &= ~((ushort)flag);
}
*****************************************************************/
int dki_isksk (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->flags & DK_FLAG_KSK) == DK_FLAG_KSK;
}
*****************************************************************/
int dki_isrevoked (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->flags & DK_FLAG_REVOKE) == DK_FLAG_REVOKE;
}
*****************************************************************/
int dki_isdepreciated (const dki_t *dkp)
{
- dki_estr[0] = '\0';
return dki_status (dkp) == DKI_DEPRECIATED;
}
*****************************************************************/
int dki_isactive (const dki_t *dkp)
{
- dki_estr[0] = '\0';
return dki_status (dkp) == DKI_ACTIVE;
}
*****************************************************************/
int dki_ispublished (const dki_t *dkp)
{
- dki_estr[0] = '\0';
return dki_status (dkp) == DKI_PUBLISHED;
}
*****************************************************************/
dk_status_t dki_status (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
return (dkp->status);
}
*****************************************************************/
const char *dki_statusstr (const dki_t *dkp)
{
- dki_estr[0] = '\0';
assert (dkp != NULL);
switch ( dkp->status )
{
dki_t *curr;
dki_t *last;
- dki_estr[0] = '\0';
if ( list == NULL )
return NULL;
if ( new == NULL )
{
const dki_t *curr;
- dki_estr[0] = '\0';
curr = list;
if ( tag )
while ( curr && (tag != curr->tag ||
{
dki_t **p;
- dki_estr[0] = '\0';
p = tsearch (new, tree, dki_namecmp);
if ( *p == new )
dbg_val ("dki_tadd: New entry %s added\n", new->name);
dki_t search;
dki_t **p;
- dki_estr[0] = '\0';
search.tag = tag;
snprintf (search.name, sizeof (search.name), "%s", name);
p = tfind (&search, &tree, dki_namecmp);
const dki_t *dkp;
const dki_t *last;
- dki_estr[0] = '\0';
last = NULL;
for ( dkp = list; no > 0 && dkp; dkp = dkp->next )
if ( dki_isksk (dkp) == ksk && dki_status (dkp) == status )
return last;
}
+
+/*****************************************************************
+** dki_findalgo () find the n'th ksk or zsk key with given
+** algorithm and status
+*****************************************************************/
+const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no)
+{
+ const dki_t *dkp;
+ const dki_t *last;
+
+ last = NULL;
+ for ( dkp = list; no > 0 && dkp; dkp = dkp->next )
+ if ( dki_isksk (dkp) == ksk && dki_algo (dkp) == alg &&
+ dki_status (dkp) == status )
+ {
+ no--;
+ last = dkp;
+ }
+
+ return last;
+}
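Review bot: The header comment says `dki_findalgo()` finds the n'th matching key, but the loop keeps the last match in `last` and returns it even when the list holds fewer than `no` matches, so a caller asking for the second key can receive the first one rather than NULL. If that is intended (the loop appears to mirror the function above it), the comment should say so, for example `** returns the last match found if fewer than "no" keys match, NULL if none match`. The comment could also state that `ksk` is compared against the 0/1 result of `dki_isksk()`, so any other non-zero value never matches.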
extern int dki_isrevoked (const dki_t *dkp);
extern int dki_isactive (const dki_t *dkp);
extern int dki_ispublished (const dki_t *dkp);
+extern time_t dki_algo (const dki_t *dkp);
extern time_t dki_time (const dki_t *dkp);
extern time_t dki_exptime (const dki_t *dkp);
extern time_t dki_gentime (const dki_t *dkp);
extern const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name);
extern const dki_t *dki_search (const dki_t *list, int tag, const char *name);
extern const dki_t *dki_find (const dki_t *list, int ksk, int status, int first);
+extern const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no);
extern void dki_free (dki_t *dkp);
extern void dki_freelist (dki_t **listp);
extern char *dki_algo2str (int algo);
# include "debug.h"
# include "misc.h"
# include "ncparse.h"
+# include "nscomm.h"
+# include "soaserial.h"
# include "zone.h"
# include "dki.h"
# include "rollover.h"
static int new_keysetfiles (const char *dir, time_t zone_signing_time);
static int writekeyfile (const char *fname, const dki_t *list, int key_ttl);
static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf);
-static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze);
-static int reload_zone (const char *domain, const zconf_t *z);
-static int dist_and_reload (const zone_t *zp);
static void register_key (dki_t *listp, const zconf_t *z);
static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf);
extern int optind;
extern char *optarg;
const char *progname;
-const char *viewname = NULL;
-const char *logfile = NULL;
-const char *origin = NULL;
-const char *namedconf = NULL;
-const char *dirname = NULL;
+static const char *viewname = NULL;
+static const char *logfile = NULL;
+static const char *origin = NULL;
+static const char *namedconf = NULL;
+static const char *dirname = NULL;
static int verbose = 0;
static int force = 0;
static int reloadflag = 0;
{
int c;
int errcnt;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
int opt_index;
+#endif
char errstr[255+1];
char *p;
const char *defconfname;
viewname = getnameappendix (progname, "dnssec-signer");
defconfname = getdefconfname (viewname);
- config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
+ config = loadconfig ("", (zconf_t *)NULL); /* load build-in config */
if ( fileexist (defconfname) ) /* load default config file */
config = loadconfig (defconfname, config);
if ( config == NULL )
break;
#if defined(BIND_VERSION) && BIND_VERSION >= 940
case 'd':
-#if BIND_VERSION >= 960
+# if BIND_VERSION >= 960
set_bind96_dynzone (dynamic_zone);
-#else
+# else
set_bind94_dynzone(dynamic_zone);
-#endif
+# endif
/* dynamic zone requires a name server reload... */
reloadflag = 0; /* ...but "rndc thaw" reloads the zone anyway */
break;
noexec = 1;
break;
case 'r':
- reloadflag = 1;
+ if ( !dynamic_zone ) /* dynamic zones don't need a rndc reload (see "-d" */
+ reloadflag = 1;
break;
case 'v':
verbose++;
/* store some of the commandline parameter in the config structure */
setconfigpar (config, "--view", viewname);
setconfigpar (config, "-v", &verbose);
+ setconfigpar (config, "--noexec", &noexec);
if ( logfile == NULL )
logfile = config->logfile;
memset (dir, '\0', sizeof (dir));
if ( config->zonedir )
strncpy (dir, config->zonedir, sizeof(dir));
- if ( !parse_namedconf (namedconf, dir, sizeof (dir), add2zonelist) )
+ if ( !parse_namedconf (namedconf, config->chroot_dir, dir, sizeof (dir), add2zonelist) )
fatal ("Can't read file %s as namedconf file\n", namedconf);
if ( zonelist == NULL )
fatal ("No signed zone found in file %s\n", namedconf);
while ( (dentp = readdir (dirp)) != NULL )
{
- if ( is_dotfile (dentp->d_name) )
+ if ( is_dotfilename (dentp->d_name) )
continue;
pathname (path, sizeof (path), dir, dentp->d_name, NULL);
if ( !newkey )
newkey = check_keydb_timestamp (zp->keys, file_mtime (path));
- /* if we work in subdir mode, check if there is a new keyset- file */
newkeysetfile = 0;
+#if defined(ALWAYS_CHECK_KEYSETFILES) && ALWAYS_CHECK_KEYSETFILES /* patch from Shane Wegner 15. June 2009 */
+ /* check if there is a new keyset- file */
+ if ( !newkey )
+ newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time);
+#else
+ /* if we work in subdir mode, check if there is a new keyset- file */
if ( !newkey && zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 )
newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time);
+#endif
/**
** Check if it is time to do a re-sign. This is the case if
pathname (zfile, sizeof (zfile), zp->dir, zp->file, NULL);
pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
- if ( filesize (path) == 0L ) /* initial signing request */
+ if ( filesize (path) == 0L ) /* initial signing request ? */
{
verbmesg (1, zp->conf, "\tDynamic Zone signing: Initial signing request: Add DNSKEYs to zonefile\n");
copyfile (zfile, path, zp->conf->keyfile);
}
+#if 1
+ else if ( zfile_time > zfilesig_time ) /* zone.db is newer than signed file */
+ {
+ verbmesg (1, zp->conf, "\tDynamic Zone signing: zone file manually edited: Use it as new input file\n");
+ copyfile (zfile, path, NULL);
+ }
+#endif
verbmesg (1, zp->conf, "\tDynamic Zone signing: copy old signed zone file %s to new input file %s\n",
path, zfile);
+
if ( newkey ) /* if we have new keys, they should be added to the zone file */
copyzonefile (path, zfile, zp->conf->keyfile);
else /* else we can do a simple file copy */
timer = start_timer ();
if ( (err = sign_zone (zp->dir, zp->zone, zp->file, zp->conf)) < 0 )
{
- error ("Signing of zone %s failed (%d)!\n", zp->zone, err);
+ error ("\tSigning of zone %s failed (%d)!\n", zp->zone, err);
lg_mesg (LG_ERROR, "\"%s\": signing failed!", zp->zone);
}
timer = stop_timer (timer);
if ( dynamic_zone )
dyn_update_freeze (zp->zone, zp->conf, 0); /* thaw dynamic zone file */
+ if ( err >= 0 )
{
const char *tstr = str_delspace (age2str (timer));
nsec3param[0] = '\0';
#if defined(BIND_VERSION) && BIND_VERSION >= 960
- if ( conf->z_algo == DK_ALGO_NSEC3DSA || conf->z_algo == DK_ALGO_NSEC3RSASHA1 )
+ if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 )
{
- static char hexstr[] = "0123456789ABCDEF";
- static int seed = 0;
char salt[510+1]; /* salt has a maximum of 255 bytes == 510 hex nibbles */
- int saltlen = 0; /* current length of salt in hex nibbles */
- int i;
- int hex;
-
- if ( seed == 0 )
- srandom (seed = (unsigned int)time (NULL));
- saltlen = conf->saltbits / 4;
- for ( i = 0; i < saltlen; i++ )
- {
- hex = random () % 16;
- assert ( hex >= 0 && hex < 16 );
- salt[i] = hexstr[hex];
- }
- salt[i] = '\0';
- snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
+ if ( gensalt (salt, sizeof (salt), conf->saltbits) )
+ snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
}
#endif
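Review bot: When `gensalt()` returns 0, `nsec3param` stays empty and the command assembled later runs without `-3`, so a zone configured with an NSEC3 key algorithm would, as far as this hunk shows, be signed without NSEC3 parameters and without any message. Since that changes what the signed zone discloses, the failure should be reported instead of skipped, for example `else { error ("\tCould not generate NSEC3 salt\n"); return -1; }`, assuming this code sits in a function that returns a negative value on failure as `sign_zone()` does. The definition of `gensalt()` is outside this hunk, so how it bounds the salt length against `sizeof (salt)` for large `conf->saltbits` values should be confirmed there.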
dbg_line();
#if defined(BIND_VERSION) && BIND_VERSION >= 940
if ( dynamic_zone )
- snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s-o %s -e +%d %s -N increment -f %s.dsigned %s K*.private",
- dir, SIGNCMD, param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
+ snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1",
+ dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
else
#endif
- snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%d %s %s K*.private",
+ snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1",
dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
verbmesg (2, conf, "\t Run cmd \"%s\"\n", cmd);
*str = '\0';
if ( noexec == 0 )
{
+#if 0
if ( (fp = popen (cmd, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
return -1;
+#else
+ if ( (fp = popen (cmd, "r")) == NULL )
+ return -1;
+ str[0] = '\0';
+ while ( fgets (str, sizeof str, fp) != NULL ) /* eat up all output until the last line */
+ ;
+#endif
pclose (fp);
}
dbg_line();
verbmesg (2, conf, "\t Cmd dnssec-signzone return: \"%s\"\n", str_chop (str, '\n'));
+ len = strlen (str) - 6;
+ if ( len < 0 || strcmp (str+len, "signed") != 0 )
+ return -1;
return 0;
}
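Review bot: With `noexec` set the `popen()` block is skipped and `str` is still empty, so the new check `len = strlen (str) - 6; if ( len < 0 || ...` returns -1 and a dry run is reported as a failed signing. The subtraction is also done in `size_t`, so for output shorter than six characters the result depends on how `len` (declared outside this hunk) is typed; if it is unsigned, `len < 0` never holds and `str+len` points outside the buffer. Moving the test into the `noexec == 0` branch and comparing before subtracting avoids both: `size_t n = strlen (str); if ( n < 6 || strcmp (str + n - 6, "signed") != 0 ) return -1;`. The return value of `pclose (fp)` is still discarded, and checking the exit status would be a sturdier success signal than the last output line now that stderr is merged in with `2>&1`.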
}
}
}
-
-static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)
-{
- char cmdline[254+1];
- char str[254+1];
- char *action;
- FILE *fp;
-
- assert (z != NULL);
- if ( freeze )
- action = "freeze";
- else
- action = "thaw";
-
- if ( z->view )
- snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
- else
- snprintf (str, sizeof (str), "\"%s\"", domain);
-
- lg_mesg (LG_NOTICE, "%s: %s dynamic zone", str, action);
- verbmesg (1, z, "\t%s dynamic zone %s\n", action, str);
-
- if ( z->view )
- snprintf (cmdline, sizeof (cmdline), "%s %s %s IN %s", RELOADCMD, action, domain, z->view);
- else
- snprintf (cmdline, sizeof (cmdline), "%s %s %s", RELOADCMD, action, domain);
-
- verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline);
- *str = '\0';
- if ( noexec == 0 )
- {
- if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
- return -1;
- pclose (fp);
- }
-
- verbmesg (2, z, "\t rndc %s return: \"%s\"\n", action, str_chop (str, '\n'));
-
- return 0;
-}
-
-/*****************************************************************
-** distribute and reload a zone via "distribute_command"
-*****************************************************************/
-static int dist_and_reload (const zone_t *zp)
-{
- char path[MAX_PATHSIZE+1];
- char cmdline[254+1];
- char zone[254+1];
- char str[254+1];
- FILE *fp;
-
- assert (zp != NULL);
- assert (zp->conf->dist_cmd != NULL);
-
- if ( !is_exec_ok (zp->conf->dist_cmd) )
- {
- char *mesg;
-
- if ( getuid () == 0 )
- mesg = "\tDistribution command %s not run as root\n";
- else
- mesg = "\tDistribution command %s not run due to strange file mode settings\n";
-
- verbmesg (1, zp->conf, mesg, zp->conf->dist_cmd);
- lg_mesg (LG_ERROR, "exec of distribution command %s disabled due to security reasons", zp->conf->dist_cmd);
-
- return -1;
- }
-
- if ( zp->conf->view )
- snprintf (zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view);
- else
- snprintf (zone, sizeof (zone), "\"%s\"", zp->zone);
-
-
- pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
-
- lg_mesg (LG_NOTICE, "%s: distribution triggered", zone);
- verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone);
- if ( zp->conf->view )
- snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
- else
- snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path);
-
- *str = '\0';
- if ( noexec == 0 )
- {
- verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline);
- if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
- return -2;
- pclose (fp);
- verbmesg (2, zp->conf, "\t %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
- }
-
-
- lg_mesg (LG_NOTICE, "%s: reload triggered", zone);
- verbmesg (1, zp->conf, "\tReload zone %s\n", zone);
- if ( zp->conf->view )
- snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
- else
- snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path);
-
- *str = '\0';
- if ( noexec == 0 )
- {
- verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline);
- if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
- return -2;
- pclose (fp);
- verbmesg (2, zp->conf, "\t %s reload return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
- }
-
- return 0;
-}
-
-/*****************************************************************
-** reload a zone via "rndc"
-*****************************************************************/
-static int reload_zone (const char *domain, const zconf_t *z)
-{
- char cmdline[254+1];
- char str[254+1];
- FILE *fp;
-
- assert (z != NULL);
- // fprintf (stderr, "reload_zone %d :%s: :%s:\n", z->verbosity, domain, z->view);
- if ( z->view )
- snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
- else
- snprintf (str, sizeof (str), "\"%s\"", domain);
-
- lg_mesg (LG_NOTICE, "%s: reload triggered", str);
- verbmesg (1, z, "\tReload zone %s\n", str);
-
- if ( z->view )
- snprintf (cmdline, sizeof (cmdline), "%s reload %s IN %s", RELOADCMD, domain, z->view);
- else
- snprintf (cmdline, sizeof (cmdline), "%s reload %s", RELOADCMD, domain);
-
- *str = '\0';
- if ( noexec == 0 )
- {
- verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline);
- if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
- return -1;
- pclose (fp);
- verbmesg (2, z, "\t rndc reload return: \"%s\"\n", str_chop (str, '\n'));
- }
-
- return 0;
-}
sopt_usage ("\tusage: %s -C <name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
lopt_usage ("\tusage: %s --create=<name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
fprintf (stderr, "\t\tKSK (use -k): %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits);
- fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->z_algo), cp->z_bits);
+ fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->k_algo), cp->z_bits);
fprintf (stderr, "\n");
fprintf (stderr, "Change key status of specified key to published, active or depreciated\n");
fprintf (stderr, "\t(<keyspec> := tag | tag:name) \n");
}
if ( zskflag )
- dkp = dki_new (dir, keyname, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+ dkp = dki_new (dir, keyname, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
else
dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
if ( dkp == NULL )
}
// dkp = keylist; /* use old key to create the parent file */
- if ( (dkp = (dki_t *)dki_find (keylist, 1, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */
+ if ( (dkp = (dki_t *)dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */
fatal ("ksk_rollover phase1: Couldn't find the old active key\n");
if ( !create_parent_file (path, phase, key_ttl, dkp) )
fatal ("Couldn't create parentfile %s\n", path);
while ( (dentp = readdir (dirp)) != NULL )
{
- if ( is_dotfile (dentp->d_name) )
+ if ( is_dotfilename (dentp->d_name) )
continue;
dbg_val ("directory: check %s\n", dentp->d_name);
--- /dev/null
+.NH 1
+DNS Key Status Types and Filenames
+.PP
+.TS
+cfB | cfB s | cfB s | cfB | cfB
+cfB | cfB | cfB | cfB | cfB | cfB | cfB
+l | l | n | l | l | c | lfCW .
+Status Key Filename used for dnssec-zkt
+\^ Type Flags public private signing? label
+_
+active ZSK 256 .key .private y act ive
+ KSK 257 .key .private y act ive
+.sp 0.2
+published ZSK 256 .key .published n pub lished
+ KSK 257 .key .private n sta ndby
+.sp 0.2
+depreciated (retired) ZSK 256 .key .depreciated n dep reciated
+.sp 0.2
+revoked KSK 385 .key .private y rev oked
+.sp 0.2
+removed KSK 257 k*.key k*.private n -
+.sp 0.2
+sep KSK 257 .key - n sep
+.ig
+.sp 0.2
+(master KSK 257 M...key .private n -)
+..
+.TE
+.SP 2
+.NH 1
+Key rollover
+.PP
+.NH 2
+Zone signing key rollover (pre-publish RFC4641)
+.PP
+.TS
+rfB cfB |cfB |cfB |cfB
+lfB |cfB |cfB |cfB |cfB
+l |l |l |l |l .
+action create change remove
+keys newkey sig key old key
+_
+zsk1 active active depreciated
+zsk2 published active active
+.sp 0.3
+RRSIG zsk1 zsk1 zsk2 zsk2
+.TE
+.SP 2
+.NH 2
+Key signing key rollover (double signature RFC4641)
+.PP
+.TS
+rfB cfB |cfB |cfB |cfB
+lfB |cfB |cfB |cfB |cfB
+l |l |l |l |l .
+action create change remove
+keys newkey delegation old key
+_
+ksk\d1\u active active active
+ksk\d2\u active active active
+.sp 0.3
+DNSKEY RRSIG ksk1 ksk1,ksk2 ksk1,ksk2 ksk2
+.sp 0.3
+DS at parent DS\d1\u DS\d1\u DS\d2\u DS\d2\u
+.TE
+.\"RRSIG DNSKEY\dksk1\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk2\u
+.SP 2
+.NH 2
+Key signing key rollover (rfc5011)
+.PP
+.TS
+rfB cfB |cfB |cfB
+lfB |cfB |cfB |cfB
+l |l |l |l .
+action newkey change delegation
+keys & rollover & remove old key
+_
+ksk\d1\u active revoke\v'-0.2'\(dg\v'+0.2'
+ksk\d2\u standby active active
+ksk\d3\u standby\v'-0.2'\(dd\v'+0.2' standby
+.sp 0.3
+DNSKEY RRSIG ksk1 ksk1,ksk2 ksk2
+.sp 0.3
+Parent DS DS\d1\u DS\d1\u DS\d2\u
+ DS\d2\u DS\d2\u DS\d3\u
+.TE
+.LP
+\v'-0.2'\(dg\v'0.2'
+Have to remain until the remove hold-down time is expired,
+which is 30days at a minimum.
+.LP
+\v'-0.2'\(dd\v'0.2'
+Will be the standby key after the hold-down time is expired
+.br
+Add holdtime \(eq max(30days, TTL of DNSKEY)
--- /dev/null
+%!PS-Adobe-3.0
+%%Creator: groff version 1.19.2
+%%CreationDate: Mon Jul 14 23:23:30 2008
+%%DocumentNeededResources: font Times-Bold
+%%+ font Times-Roman
+%%+ font Courier
+%%+ font Symbol
+%%DocumentSuppliedResources: procset grops 1.19 2
+%%Pages: 1
+%%PageOrder: Ascend
+%%DocumentMedia: Default 595 842 0 () ()
+%%Orientation: Portrait
+%%EndComments
+%%BeginDefaults
+%%PageMedia: Default
+%%EndDefaults
+%%BeginProlog
+%%BeginResource: procset grops 1.19 2
+%!PS-Adobe-3.0 Resource-ProcSet
+/setpacking where{
+pop
+currentpacking
+true setpacking
+}if
+/grops 120 dict dup begin
+/SC 32 def
+/A/show load def
+/B{0 SC 3 -1 roll widthshow}bind def
+/C{0 exch ashow}bind def
+/D{0 exch 0 SC 5 2 roll awidthshow}bind def
+/E{0 rmoveto show}bind def
+/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
+/G{0 rmoveto 0 exch ashow}bind def
+/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/I{0 exch rmoveto show}bind def
+/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
+/K{0 exch rmoveto 0 exch ashow}bind def
+/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/M{rmoveto show}bind def
+/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
+/O{rmoveto 0 exch ashow}bind def
+/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/Q{moveto show}bind def
+/R{moveto 0 SC 3 -1 roll widthshow}bind def
+/S{moveto 0 exch ashow}bind def
+/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/SF{
+findfont exch
+[exch dup 0 exch 0 exch neg 0 0]makefont
+dup setfont
+[exch/setfont cvx]cvx bind def
+}bind def
+/MF{
+findfont
+[5 2 roll
+0 3 1 roll
+neg 0 0]makefont
+dup setfont
+[exch/setfont cvx]cvx bind def
+}bind def
+/level0 0 def
+/RES 0 def
+/PL 0 def
+/LS 0 def
+/MANUAL{
+statusdict begin/manualfeed true store end
+}bind def
+/PLG{
+gsave newpath clippath pathbbox grestore
+exch pop add exch pop
+}bind def
+/BP{
+/level0 save def
+1 setlinecap
+1 setlinejoin
+72 RES div dup scale
+LS{
+90 rotate
+}{
+0 PL translate
+}ifelse
+1 -1 scale
+}bind def
+/EP{
+level0 restore
+showpage
+}def
+/DA{
+newpath arcn stroke
+}bind def
+/SN{
+transform
+.25 sub exch .25 sub exch
+round .25 add exch round .25 add exch
+itransform
+}bind def
+/DL{
+SN
+moveto
+SN
+lineto stroke
+}bind def
+/DC{
+newpath 0 360 arc closepath
+}bind def
+/TM matrix def
+/DE{
+TM currentmatrix pop
+translate scale newpath 0 0 .5 0 360 arc closepath
+TM setmatrix
+}bind def
+/RC/rcurveto load def
+/RL/rlineto load def
+/ST/stroke load def
+/MT/moveto load def
+/CL/closepath load def
+/Fr{
+setrgbcolor fill
+}bind def
+/setcmykcolor where{
+pop
+/Fk{
+setcmykcolor fill
+}bind def
+}if
+/Fg{
+setgray fill
+}bind def
+/FL/fill load def
+/LW/setlinewidth load def
+/Cr/setrgbcolor load def
+/setcmykcolor where{
+pop
+/Ck/setcmykcolor load def
+}if
+/Cg/setgray load def
+/RE{
+findfont
+dup maxlength 1 index/FontName known not{1 add}if dict begin
+{
+1 index/FID ne{def}{pop pop}ifelse
+}forall
+/Encoding exch def
+dup/FontName exch def
+currentdict end definefont pop
+}bind def
+/DEFS 0 def
+/EBEGIN{
+moveto
+DEFS begin
+}bind def
+/EEND/end load def
+/CNT 0 def
+/level1 0 def
+/PBEGIN{
+/level1 save def
+translate
+div 3 1 roll div exch scale
+neg exch neg exch translate
+0 setgray
+0 setlinecap
+1 setlinewidth
+0 setlinejoin
+10 setmiterlimit
+[]0 setdash
+/setstrokeadjust where{
+pop
+false setstrokeadjust
+}if
+/setoverprint where{
+pop
+false setoverprint
+}if
+newpath
+/CNT countdictstack def
+userdict begin
+/showpage{}def
+/setpagedevice{}def
+}bind def
+/PEND{
+countdictstack CNT sub{end}repeat
+level1 restore
+}bind def
+end def
+/setpacking where{
+pop
+setpacking
+}if
+%%EndResource
+%%EndProlog
+%%BeginSetup
+%%BeginFeature: *PageSize Default
+<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice
+%%EndFeature
+%%IncludeResource: font Times-Bold
+%%IncludeResource: font Times-Roman
+%%IncludeResource: font Courier
+%%IncludeResource: font Symbol
+grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
+def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
+/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
+/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
+/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
+/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
+/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
+/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
+/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
+/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
+/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
+/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
+/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
+/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
+/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
+/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
+/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
+/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
+/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
+/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
+/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
+/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
+/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
+/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
+/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
+/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
+/Times-Bold@0 ENC0/Times-Bold RE
+%%EndSetup
+%%Page: 1 1
+%%BeginPageSetup
+BP
+%%EndPageSetup
+/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G
+(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235
+(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G
+(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57
+(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E
+(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0
+SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E
+26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10
+/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89
+E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2
+(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F
+26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1
+17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E
+-.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1
+(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69
+-.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1
+(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385)
+-64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G
+46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G
+61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H
+(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52
+(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695
+E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL
+280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1
+196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r)
+-.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. Zone)72 285.2 R
+(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr)
+-2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035
+(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72
+318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo)
+.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62
+(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d)
+-.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41
+-.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R
+33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32
+297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95
+362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo)
+-.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G
+(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F
+-.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1
+F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72
+428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H
+(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q
+(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a)
+-.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09
+(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q
+(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2)
+5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48
+402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. K)72 511.2 R
+(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G
+(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1
+F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo)
+.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1
+(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8
+Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1
+(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N
+33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I
+(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4
+Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E
+(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q
+(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5
+DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha)
+2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3
+-.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E
+(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5
+2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E
+(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol
+SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP
+%%Trailer
+end
+%%EOF
--- /dev/null
+
+
+
+Intended Status: Informational O. Gudmundsson
+Network Working Group OGUD Consulting LLC
+Internet-Draft J. Ihren
+Expires: August 21, 2008 AAB
+ February 18, 2008
+
+
+ Names of States in the life of a DNSKEY
+ draft-gudmundsson-life-of-dnskey-00
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 21, 2008.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2008).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 1]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+Abstract
+
+ This document recommends a specific terminology to use when
+ expressing the state that a DNSKEY is in at particular time. This
+ does not affect how the protocol operates in any way.
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. DNSKEY timeline . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. Life stages of a DNSKEY . . . . . . . . . . . . . . . . . . . 5
+ 3.1. Generated . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.2. Published . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.2.1. Pre-Publication . . . . . . . . . . . . . . . . . . . 5
+ 3.2.2. Out-Of-Band Publication . . . . . . . . . . . . . . . 5
+ 3.3. Active . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.4. Retired . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.5. Removed . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.5.1. Lame . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.5.2. Stale . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.6. Revoked . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 4. Security considerations . . . . . . . . . . . . . . . . . . . 7
+ 5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8
+ 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 6.1. Normative References . . . . . . . . . . . . . . . . . . . 9
+ 6.2. Informative References . . . . . . . . . . . . . . . . . . 9
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
+ Intellectual Property and Copyright Statements . . . . . . . . . . 11
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 2]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+1. Introduction
+
+ When the editors of this document where comparing their DNSSEC key
+ management projects they discovered that they where discussing
+ roughly the same thing but using different terminology.
+
+ This document presents a unified terminology to use when describing
+ the current state of a DNSKEY.
+
+ The DNSSEC standards documents ([1], [2] and [3]) do not address the
+ required states for the key management of a DNSSEC key. The DNSSEC
+ Operational Practices [4] document does propose that keys be
+ published before use but uses inconsistent or confusing terms. This
+ document assumes basic understanding of DNSSEC and key management.
+
+ The terms proposed in this document attempt to avoid any confusion
+ and make the states of keys to be as clear as possible. The terms
+ used in this document are intended as a operational supplement to the
+ terms defined in Section 2 of [1].
+
+ To large extent this discussion is motivated by Trust anchor keys but
+ the same terminology can be used for zone signing keys.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 3]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+2. DNSKEY timeline
+
+ The model in this document is that keys progress through a state
+ machine along a one-way path, keys never move to an earlier states.
+
+
+
+ GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED
+ | ^ | | | ^
+ | | | | v |
+ +--> Pre-PUBLISHED--+ +--------+---------> REVOKED ---+
+
+
+ DNSKEY time line.
+
+ There are few more states that are defined below but these apply only
+ to the publisher of TA's and the consumer of TA's. Two of these are
+ sub-sets of the Published state, the other two are error states.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 4]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+3. Life stages of a DNSKEY
+
+3.1. Generated
+
+ Once a key is generated it enters state Generated and stays there
+ until the next state. While in this state only the owner of the key
+ is aware of its existence and can prepare for its future use.
+
+3.2. Published
+
+ Once the key is added to the DNSKEY set of a zone the key is there
+ for the world to see, or published. The key needs to remain in this
+ state for some time to propagate to all validators that have cached
+ the prior version of the DNSKEY set. In the case of KSK the key
+ should remain in this state for a longer time as documented in DNSSEC
+ Timers RFC [5].
+
+3.2.1. Pre-Publication
+
+ In certain circumstances a zone owner may want to give out a new
+ Trust Anchor before exposing the actual public key. In this case the
+ zone can publish a DS record of the key. This allows others to
+ configure the trust anchor but will not be able to use the key until
+ the key is published in the DNSKEY RRset.
+
+3.2.2. Out-Of-Band Publication
+
+ In certain circumstances a domain may want to give out a new Trust
+ Anchor outside DNS to give others a long lead time to configure the
+ new key as trust anchor. The reason people may want to do this is to
+ keep the size of the DNSKEY set smaller and only add new trust anchor
+ just before the key goes into use. One likely use for this is the
+ DNS "." root key as it does not have a parent that can publish a DS
+ record for it. The publication mechanism does not matter it can be
+ any one of web-site, advertisement in Financial Times and other
+ international publication, e-mail to DNS related mailing lists, etc..
+
+3.3. Active
+
+ The key is in ACTIVE state while it is actively signing data in the
+ zone it resides in. It is one of the the keys that are signing the
+ zone or parts of the zone.
+
+3.4. Retired
+
+ When the key is no longer used for signing the zone it enters state
+ Retired. In this state there may still be signatures by the key in
+ cached data from the zone available at recursive servers, but the
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 5]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+ authoritative servers for the zone do no longer carry any signatures
+ generated by the key.
+
+3.5. Removed
+
+ Once the key is removed from the DNSKEY RRset it enters the state
+ Removed. At this point all signatures by the key that may still be
+ temporarily valid will fail to verify once the validator refreshes
+ the DNSKEY RRset in its memory.
+
+ Therefore "removal" of a key is typically not done until all the
+ cached signatures have expired. Entering this state too early may
+ cause number of validators to end up with STALE Trust Anchors.
+
+3.5.1. Lame
+
+ A Trust Anchor is Lame if the parent continues to publish DS pointing
+ to the key after it has been removed from the DNSKEY RRset. A Trust
+ Anchor is arguably Lame if there are no signatures by a Retired KSK
+ in the zone.
+
+3.5.2. Stale
+
+ A Stale Trust Anchor is an old TA that remains in a validators list
+ of active key(s) after the key has been removed from the zone's
+ DNSKEY RRset.
+
+3.6. Revoked
+
+ There are times when a zone wants to signal that a particular key
+ should not be used at all. The mechanism to do this is to set the
+ REVOKE bit [5]. Any key in any of the while the key is the DNSSKEY
+ set can be exited to Revoked state. After some time in the Revoke
+ state the key will be Removed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 6]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+4. Security considerations
+
+ TBD
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 7]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+5. IANA considerations
+
+ This document does not have any IANA actions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 8]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+6. References
+
+6.1. Normative References
+
+6.2. Informative References
+
+ [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+ [4] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+ RFC 4641, September 2006.
+
+ [5] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
+ Anchors", RFC 5011, September 2007.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 9]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+Authors' Addresses
+
+ Olafur Gudmundsson
+ OGUD Consulting LLC
+ 3821 Village Park Drive
+ Chevy Chase, MD 20815
+ USA
+
+ Email: ogud@ogud.com
+
+
+ Johan Ihren
+ Automatica, AB
+ Bellmansgatan 30
+ Stockholm, SE-118 47
+ Sweden
+
+ Email: johani@automatica.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 10]
+\f
+Internet-Draft DNSSEC Key life stages. February 2008
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2008).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Gudmundsson & Ihren Expires August 21, 2008 [Page 11]
+\f
--- /dev/null
+
+
+
+DNSOP O. Kolkman
+Internet-Draft NLnet Labs
+Obsoletes: 2541 (if approved) R. Gieben
+Intended status: BCP
+Expires: September 8, 2009 March 7, 2009
+
+
+ DNSSEC Operational Practices, Version 2
+ draft-ietf-dnsop-rfc4641bis-01
+
+Status of This Memo
+
+ This Internet-Draft is submitted to IETF in full conformance with the
+ provisions of BCP 78 and BCP 79. This document may contain material
+ from IETF Documents or IETF Contributions published or made publicly
+ available before November 10, 2008. The person(s) controlling the
+ copyright in some of this material may not have granted the IETF
+ Trust the right to allow modifications of such material outside the
+ IETF Standards Process. Without obtaining an adequate license from
+ the person(s) controlling the copyright in such materials, this
+ document may not be modified outside the IETF Standards Process, and
+ derivative works of it may not be created outside the IETF Standards
+ Process, except to format it for publication as an RFC or to
+ translate it into languages other than English.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on September 8, 2009.
+
+Copyright Notice
+
+ Copyright (c) 2009 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 1]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents in effect on the date of
+ publication of this document (http://trustee.ietf.org/license-info).
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document.
+
+Abstract
+
+ This document describes a set of practices for operating the DNS with
+ security extensions (DNSSEC). The target audience is zone
+ administrators deploying DNSSEC.
+
+ The document discusses operational aspects of using keys and
+ signatures in the DNS. It discusses issues of key generation, key
+ storage, signature generation, key rollover, and related policies.
+
+ This document obsoletes RFC 2541, as it covers more operational
+ ground and gives more up-to-date requirements with respect to key
+ sizes and the new DNSSEC specification.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. The Use of the Term 'key' . . . . . . . . . . . . . . . . 5
+ 1.2. Time Definitions . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5
+ 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6
+ 3.1. Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6
+ 3.1.1. Motivations for the KSK and ZSK Separation . . . . . . 7
+ 3.1.2. Differentiation for 'High-Level' Zones . . . . . . . . 9
+ 3.2. Key Generation . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.3. Key Effectivity Period . . . . . . . . . . . . . . . . . . 9
+ 3.4. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 10
+ 3.5. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 3.6. Private Key Storage . . . . . . . . . . . . . . . . . . . 11
+ 4. Signature Generation, Key Rollover, and Related Policies . . . 12
+ 4.1. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
+ 4.1.1. Time Considerations . . . . . . . . . . . . . . . . . 13
+ 4.2. Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 15
+ 4.2.1. Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
+ 4.2.1.1. Pre-Publish Key Rollover . . . . . . . . . . . . . 15
+ 4.2.1.2. Double Signature Zone Signing Key Rollover . . . . 17
+ 4.2.1.3. Pros and Cons of the Schemes . . . . . . . . . . . 19
+ 4.2.2. Key Signing Key Rollovers . . . . . . . . . . . . . . 19
+ 4.2.3. Difference Between ZSK and KSK Rollovers . . . . . . . 21
+ 4.2.4. Key algorithm rollover . . . . . . . . . . . . . . . . 22
+ 4.2.5. Automated Key Rollovers . . . . . . . . . . . . . . . 23
+ 4.3. Planning for Emergency Key Rollover . . . . . . . . . . . 24
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 2]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ 4.3.1. KSK Compromise . . . . . . . . . . . . . . . . . . . . 24
+ 4.3.1.1. Keeping the Chain of Trust Intact . . . . . . . . 25
+ 4.3.1.2. Breaking the Chain of Trust . . . . . . . . . . . 26
+ 4.3.2. ZSK Compromise . . . . . . . . . . . . . . . . . . . . 26
+ 4.3.3. Compromises of Keys Anchored in Resolvers . . . . . . 26
+ 4.4. Parental Policies . . . . . . . . . . . . . . . . . . . . 27
+ 4.4.1. Initial Key Exchanges and Parental Policies
+ Considerations . . . . . . . . . . . . . . . . . . . . 27
+ 4.4.2. Storing Keys or Hashes? . . . . . . . . . . . . . . . 27
+ 4.4.3. Security Lameness . . . . . . . . . . . . . . . . . . 28
+ 4.4.4. DS Signature Validity Period . . . . . . . . . . . . . 28
+ 4.4.5. (Non) Cooperating Registrars . . . . . . . . . . . . . 29
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 30
+ 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30
+ 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . . 31
+ 8.2. Informative References . . . . . . . . . . . . . . . . . . 31
+ Appendix A. Terminology . . . . . . . . . . . . . . . . . . . . . 32
+ Appendix B. Zone Signing Key Rollover How-To . . . . . . . . . . 34
+ Appendix C. Typographic Conventions . . . . . . . . . . . . . . . 34
+ Appendix D. Document Editing History . . . . . . . . . . . . . . 37
+ D.1. draft-ietf-dnsop-rfc4641-00 . . . . . . . . . . . . . . . 37
+ D.2. version 0->1 . . . . . . . . . . . . . . . . . . . . . . . 37
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 3]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+1. Introduction
+
+ This document describes how to run a DNS Security (DNSSEC)-enabled
+ environment. It is intended for operators who have knowledge of the
+ DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
+ See RFC 4033 [3] for an introduction to DNSSEC, RFC 4034 [4] for the
+ newly introduced Resource Records (RRs), and RFC 4035 [5] for the
+ protocol changes.
+
+ During workshops and early operational deployment tests, operators
+ and system administrators have gained experience about operating the
+ DNS with security extensions (DNSSEC). This document translates
+ these experiences into a set of practices for zone administrators.
+ At the time of writing, there exists very little experience with
+ DNSSEC in production environments; this document should therefore
+ explicitly not be seen as representing 'Best Current Practices'.
+ [OK: Is this document ripe enough to shoot for BCP?]
+
+ The procedures herein are focused on the maintenance of signed zones
+ (i.e., signing and publishing zones on authoritative servers). It is
+ intended that maintenance of zones such as re-signing or key
+ rollovers be transparent to any verifying clients on the Internet.
+
+ The structure of this document is as follows. In Section 2, we
+ discuss the importance of keeping the "chain of trust" intact.
+ Aspects of key generation and storage of private keys are discussed
+ in Section 3; the focus in this section is mainly on the private part
+ of the key(s). Section 4 describes considerations concerning the
+ public part of the keys. Since these public keys appear in the DNS
+ one has to take into account all kinds of timing issues, which are
+ discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
+ rollover, or supercession, of keys. Finally, Section 4.4 discusses
+ considerations on how parents deal with their children's public keys
+ in order to maintain chains of trust.
+
+ The typographic conventions used in this document are explained in
+ Appendix C.
+
+ Since this is a document with operational suggestions and there are
+ no protocol specifications, the RFC 2119 [6] language does not apply.
+
+ This document [OK: when approved] obsoletes RFC 4641 [16].
+
+ [OK: Editorial comments and questions are indicated by square
+ brackets and editor innitials]
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 4]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+1.1. The Use of the Term 'key'
+
+ It is assumed that the reader is familiar with the concept of
+ asymmetric keys on which DNSSEC is based (public key cryptography
+ RFC4949 [17]). Therefore, this document will use the term 'key'
+ rather loosely. Where it is written that 'a key is used to sign
+ data' it is assumed that the reader understands that it is the
+ private part of the key pair that is used for signing. It is also
+ assumed that the reader understands that the public part of the key
+ pair is published in the DNSKEY Resource Record and that it is the
+ public part that is used in key exchanges.
+
+1.2. Time Definitions
+
+ In this document, we will be using a number of time-related terms.
+ The following definitions apply:
+
+ o "Signature validity period" The period that a signature is valid.
+ It starts at the time specified in the signature inception field
+ of the RRSIG RR and ends at the time specified in the expiration
+ field of the RRSIG RR.
+
+ o "Signature publication period" Time after which a signature (made
+ with a specific key) is replaced with a new signature (made with
+ the same key). This replacement takes place by publishing the
+ relevant RRSIG in the master zone file. After one stops
+ publishing an RRSIG in a zone, it may take a while before the
+ RRSIG has expired from caches and has actually been removed from
+ the DNS.
+
+ o "Key effectivity period" The period during which a key pair is
+ expected to be effective. This period is defined as the time
+ between the first inception time stamp and the last expiration
+ date of any signature made with this key, regardless of any
+ discontinuity in the use of the key. The key effectivity period
+ can span multiple signature validity periods.
+
+ o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
+ value of the TTLs from the complete set of RRs in a zone. Note
+ that the minimum TTL is not the same as the MINIMUM field in the
+ SOA RR. See [9] for more information.
+
+2. Keeping the Chain of Trust Intact
+
+ Maintaining a valid chain of trust is important because broken chains
+ of trust will result in data being marked as Bogus (as defined in [3]
+ Section 5), which may cause entire (sub)domains to become invisible
+ to verifying clients. The administrators of secured zones have to
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 5]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ realize that their zone is, to verifying clients, part of a chain of
+ trust.
+
+ As mentioned in the introduction, the procedures herein are intended
+ to ensure that maintenance of zones, such as re-signing or key
+ rollovers, will be transparent to the verifying clients on the
+ Internet.
+
+ Administrators of secured zones will have to keep in mind that data
+ published on an authoritative primary server will not be immediately
+ seen by verifying clients; it may take some time for the data to be
+ transferred to other secondary authoritative nameservers and clients
+ may be fetching data from caching non-authoritative servers. In this
+ light, note that the time for a zone transfer from master to slave is
+ negligible when using NOTIFY [8] and incremental transfer (IXFR) [7].
+ It increases when full zone transfers (AXFR) are used in combination
+ with NOTIFY. It increases even more if you rely on full zone
+ transfers based on only the SOA timing parameters for refresh.
+
+ For the verifying clients, it is important that data from secured
+ zones can be used to build chains of trust regardless of whether the
+ data came directly from an authoritative server, a caching
+ nameserver, or some middle box. Only by carefully using the
+ available timing parameters can a zone administrator ensure that the
+ data necessary for verification can be obtained.
+
+ The responsibility for maintaining the chain of trust is shared by
+ administrators of secured zones in the chain of trust. This is most
+ obvious in the case of a 'key compromise' when a trade-off between
+ maintaining a valid chain of trust and replacing the compromised keys
+ as soon as possible must be made. Then zone administrators will have
+ to make a trade-off, between keeping the chain of trust intact --
+ thereby allowing for attacks with the compromised key -- or
+ deliberately breaking the chain of trust and making secured
+ subdomains invisible to security-aware resolvers. Also see
+ Section 4.3.
+
+3. Keys Generation and Storage
+
+ This section describes a number of considerations with respect to the
+ security of keys. It deals with the generation, effectivity period,
+ size, and storage of private keys.
+
+3.1. Zone and Key Signing Keys
+
+ The DNSSEC validation protocol does not distinguish between different
+ types of DNSKEYs. All DNSKEYs can be used during the validation. In
+ practice, operators use Key Signing and Zone Signing Keys and use the
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 6]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ so-called Secure Entry Point (SEP) [5] flag to distinguish between
+ them during operations. The dynamics and considerations are
+ discussed below.
+
+ To make zone re-signing and key rollover procedures easier to
+ implement, it is possible to use one or more keys as Key Signing Keys
+ (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone.
+ Other keys can be used to sign all the RRSets in a zone and are
+ referred to as Zone Signing Keys (ZSKs). In this document, we assume
+ that KSKs are the subset of keys that are used for key exchanges with
+ the parent and potentially for configuration as trusted anchors --
+ the SEP keys. In this document, we assume a one-to-one mapping
+ between KSK and SEP keys and we assume the SEP flag to be set on all
+ KSKs.
+
+3.1.1. Motivations for the KSK and ZSK Separation
+
+ Differentiating between the KSK and ZSK functions has several
+ advantages:
+
+ o No parent/child interaction is required when ZSKs are updated.
+
+ o [OK: Bullet removed, strawman Paul Hoffman]
+
+ o As the KSK is only used to sign a key set, which is most probably
+ updated less frequently than other data in the zone, it can be
+ stored separately from and in a safer location than the ZSK.
+
+ o A KSK can have a longer key effectivity period.
+
+ For almost any method of key management and zone signing, the KSK is
+ used less frequently than the ZSK. Once a key set is signed with the
+ KSK, all the keys in the key set can be used as ZSKs. If a ZSK is
+ compromised, it can be simply dropped from the key set. The new key
+ set is then re-signed with the KSK.
+
+ Given the assumption that for KSKs the SEP flag is set, the KSK can
+ be distinguished from a ZSK by examining the flag field in the DNSKEY
+ RR. If the flag field is an odd number it is a KSK. If it is an
+ even number it is a ZSK.
+
+ The Zone Signing Key can be used to sign all the data in a zone on a
+ regular basis. When a Zone Signing Key is to be rolled, no
+ interaction with the parent is needed. This allows for signature
+ validity periods on the order of days.
+
+ The Key Signing Key is only to be used to sign the DNSKEY RRs in a
+ zone. If a Key Signing Key is to be rolled over, there will be
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 7]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ interactions with parties other than the zone administrator. If
+ there is a parent zone, these can include the registry of the parent
+ zone or administrators of verifying resolvers that have the
+ particular key configured as secure entry points. If this is a trust
+ anchor, everyone relying on the trust anchor needs to roll over to
+ the new key. The latter may be subject to stability costs if
+ automated trust-anchor rollover mechanisms (such as e.g. RFC5011
+ [18]) are not in place. Hence, the key effectivity period of these
+ keys can and should be made much longer.
+
+ There are two schools of thought on rolling a KSK that is not a trust
+ anchor [OK: One can never be sure a KSK is _not_ a trust anchor]:
+
+ o It should be done regularly (possibly every few months) so that a
+ key rollover remains an operational routine.
+
+ o It should only be done when it is known or strongly suspected that
+ the key has been compromised in order to reduce the stability
+ issues on systems where the rollover does not happen cleanly.
+
+ There is no widespread agreement on which of these two schools of
+ thought is better for different deployments of DNSSEC. There is a
+ stability cost every time a non-anchor KSK is rolled over, but it is
+ possibly low if the communication between the child and the parent is
+ good. On the other hand, the only completely effective way to tell
+ if the communication is good is to test it periodically. Thus,
+ rolling a KSK with a parent is only done for two reasons: to test and
+ verify the rolling system to prepare for an emergency, and in the
+ case of an actual emergency.
+
+ [OK: The paragraph below is a straw-man by Paul Hoffman] Because of
+ the difficulty of getting all users of a trust anchor to replace an
+ old trust anchor with a new one, a KSK that is a trust anchor should
+ never be rolled unless it is known or strongly suspected that the key
+ has been compromised.
+
+ [OK: This is an alternative straw-man by Olaf Kolkman] The same
+ operational concerns apply to the rollover of KSKs that are used as
+ trust-anchors. Since the administrator of a zone can not be certain
+ that the zone's KSK is in use as a trust-anchor she will have to
+ assume that a rollover will cause a stability cost for the users that
+ did configure her key as a trust-anchor. Those costs can be
+ minimized by automating the rollover RFC5011 [18] and by rolling the
+ key regularly, and advertising such, so that the operators of
+ recursive nameservers will put the appropriate mechanism in place to
+ deal with these stability costs, or, in other words, budget for these
+ costs instead of incuring them unexpectedly.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 8]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+3.1.2. Differentiation for 'High-Level' Zones
+
+ In an earlier version of this document we made a differentiation
+ between KSKs used for zones that are high in the DNS hierarchy versus
+ KSKs used for zones low in that hierarchy. We have come to realize
+ that there are other considerations that argue such differentiation
+ does not need to be made.
+
+ Longer keys are not useful because the crypto guidance is that
+ everyone should use keys that no one can break. Also, it is
+ impossible to judge which zones are more or less valuable to an
+ attacker. An attack can only be used if the compromise is unnoticed
+ and the attacker can act as an man-in-the-middle attack (MITM) in an
+ unnoticed way. If .example is compromised and the attacker forges
+ answers for somebank.example and sends them out as an MITM, when the
+ attack is discovered it will be simple to prove that .example has
+ been compromised and the KSK will be rolled. Defining a long-term
+ successful attack is difficult for keys at any level.
+
+3.2. Key Generation
+
+ Careful generation of all keys is a sometimes overlooked but
+ absolutely essential element in any cryptographically secure system.
+ The strongest algorithms used with the longest keys are still of no
+ use if an adversary can guess enough to lower the size of the likely
+ key space so that it can be exhaustively searched. Technical
+ suggestions for the generation of random keys will be found in RFC
+ 4086 [14] and NIST SP 800-900 [20]. One should carefully assess if
+ the random number generator used during key generation adheres to
+ these suggestions.
+
+ Keys with a long effectivity period are particularly sensitive as
+ they will represent a more valuable target and be subject to attack
+ for a longer time than short-period keys. It is strongly recommended
+ that long-term key generation occur off-line in a manner isolated
+ from the network via an air gap or, at a minimum, high-level secure
+ hardware.
+
+3.3. Key Effectivity Period
+
+ From a purely operational perspective, a reasonable key effectivity
+ period for KSKs that have a parent zone is 13 months, with the intent
+ to replace them after 12 months. An intended key effectivity period
+ of a month is reasonable for Zone Signing Keys. This annual rollover
+ gives operational practice to rollovers.
+
+ Ignoring the operational perspective, a reasonable effectivity period
+ for KSKs that have a parent zone is of the order of 2 decades or
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 9]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ longer. That is, if one does not plan to test the rollover
+ procedure, the key should be effective essentially forever, and then
+ only rolled over in case of emergency.
+
+ The "operational habit" argument also applies to trust anchor
+ reconfiguration. If a short key effectivity period is used and the
+ trust anchor configuration has to be revisited on a regular basis,
+ the odds that the configuration tends to be forgotten is smaller.
+ The trade-off is against a system that is so dynamic that
+ administrators of the validating clients will not be able to follow
+ the modifications.Note that if a trust anchor replacement is done
+ incorrectly, the entire zone that the trust anchor covers will become
+ bogus until the trust anchor is corrected.
+
+ Key effectivity periods can be made very short, as in a few minutes.
+ But when replacing keys one has to take the considerations from
+ Section 4.1 and Section 4.2 into account.
+
+3.4. Key Algorithm
+
+ There are currently two types of signature algorithms that can be
+ used in DNSSEC: RSA and DSA. Both are fully specified in many
+ freely-available documents, and both are widely considered to be
+ patent-free. The creation of signatures wiht RSA and DSA takes
+ roughly the same time, but DSA is about ten times slower for
+ signature verification.
+
+ We suggest the use of either RSA/SHA-1 or RSA/SHA-256 as the
+ preferred signature algorithms. Both have advantages and
+ disadvantages. RSA/SHA-1 has been deployed for many years, while
+ RSA/SHA-256 has only begun to be deployed. On the other hand, it is
+ expected that if effective attacks on either algorithm appeark, they
+ will appear for RSA/SHA-1 first. RSA/MD5 should not be considered
+ for use because RSA/MD5 will very likely be the first common-use
+ signature algorithm to have an effective attack.
+
+ At the time of publication, it is known that the SHA-1 hash has
+ cryptanalysis issues. There is work in progress on addressing these
+ issues. We recommend the use of public key algorithms based on
+ hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
+ algorithms are available in protocol specifications (see [21] and
+ [22]) and implementations.
+
+3.5. Key Sizes
+
+ DNSSEC signing keys should be large enough to avoid all know
+ cryptographic attacks during the lifetime of the key. To date,
+ despite huge efforts, no one has broken a regular 1024-bit key; in
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 10]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ fact, the best completed attack is estimated to be the equivalent of
+ a 700-bit key. An attacker breaking a 1024-bit signing key would
+ need expend phenominal amounts of networked computing power in a way
+ that would not be detected in order to break a single key. Because
+ of this, it is estimated that most zones can safely use 1024-bit keys
+ for at least the next ten years. A 1024-bit asymmetric key has an
+ approximate equivalent strength of a symmetric 80-bit key.
+
+ Keys that are used as extremely high value trust anchors, or non-
+ anchor keys that may be difficult to roll over, may want to use
+ lengths longer than 1024 bits. Typically, the next larger key size
+ used is 2048 bits, which have the approximate equivalent strength of
+ a symmetric 112-bit key. In a standard CPU, it takes about four
+ times as long to sign or verify with a 2048-bit key as it does with a
+ 1024-bit key.
+
+ Another way to decide on the size of key to use is to remember that
+ the phenominal effort it takes for an attacker to break a 1024-bit
+ key is the same regardless of how the key is used. If an attacker
+ has the capability of breaking a 1024-bit DNSSEC key, he also has the
+ capability of breaking one of the many 1024-bit TLS trust anchor keys
+ that are installed with web browsers. If the value of a DNSSEC key
+ is lower to the attacker than the value of a TLS trust anchor, the
+ attacker will use the resources to attack the TLS trust anchor.
+
+ It is possible that there is a unexpected improvement in the ability
+ for attackers to beak keys, and that such an attack would make it
+ feasible to break 1024-bit keys but not 2048-bit keys. If such an
+ improvement happens, it is likely that there will be a huge amount of
+ publicity, particularly because of the large number of 1024-bit TLS
+ trust anchors build into popular web browsers. At that time, all
+ 1024-bit keys (both ones with parent zones and ones that are trust
+ anchors) can be rolled over and replaced with larger keys.
+
+ Earlier documents (including the previous version of this document)
+ urged the use of longer keys in situations where a particular key was
+ "heavily used". That advice may have been true 15 years ago, but it
+ is not true today when using RSA or DSA algorithms and keys of 1024
+ bits or higher.
+
+3.6. Private Key Storage
+
+ It is recommended that, where possible, zone private keys and the
+ zone file master copy that is to be signed be kept and used in off-
+ line, non-network-connected, physically secure machines only.
+ Periodically, an application can be run to add authentication to a
+ zone by adding RRSIG and NSEC RRs. Then the augmented file can be
+ transferred.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 11]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ When relying on dynamic update to manage a signed zone [11], be aware
+ that at least one private key of the zone will have to reside on the
+ master server. This key is only as secure as the amount of exposure
+ the server receives to unknown clients and the security of the host.
+ Although not mandatory, one could administer the DNS in the following
+ way. The master that processes the dynamic updates is unavailable
+ from generic hosts on the Internet, it is not listed in the NS RRSet,
+ although its name appears in the SOA RRs MNAME field. The
+ nameservers in the NS RRSet are able to receive zone updates through
+ NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This
+ approach is known as the "hidden master" setup.
+
+ The ideal situation is to have a one-way information flow to the
+ network to avoid the possibility of tampering from the network.
+ Keeping the zone master file on-line on the network and simply
+ cycling it through an off-line signer does not do this. The on-line
+ version could still be tampered with if the host it resides on is
+ compromised. For maximum security, the master copy of the zone file
+ should be off-net and should not be updated based on an unsecured
+ network mediated communication.
+
+ In general, keeping a zone file off-line will not be practical and
+ the machines on which zone files are maintained will be connected to
+ a network. Operators are advised to take security measures to shield
+ unauthorized access to the master copy.
+
+ For dynamically updated secured zones [11], both the master copy and
+ the private key that is used to update signatures on updated RRs will
+ need to be on-line.
+
+4. Signature Generation, Key Rollover, and Related Policies
+
+4.1. Time in DNSSEC
+
+ Without DNSSEC, all times in the DNS are relative. The SOA fields
+ REFRESH, RETRY, and EXPIRATION are timers used to determine the time
+ elapsed after a slave server synchronized with a master server. The
+ Time to Live (TTL) value and the SOA RR minimum TTL parameter [9] are
+ used to determine how long a forwarder should cache data after it has
+ been fetched from an authoritative server. By using a signature
+ validity period, DNSSEC introduces the notion of an absolute time in
+ the DNS. Signatures in DNSSEC have an expiration date after which
+ the signature is marked as invalid and the signed data is to be
+ considered Bogus.
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 12]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+4.1.1. Time Considerations
+
+ Because of the expiration of signatures, one should consider the
+ following:
+
+ o We suggest the Maximum Zone TTL of your zone data to be a fraction
+ of your signature validity period.
+
+ If the TTL would be of similar order as the signature validity
+ period, then all RRSets fetched during the validity period
+ would be cached until the signature expiration time. Section
+ 7.1 of [3] suggests that "the resolver may use the time
+ remaining before expiration of the signature validity period of
+ a signed RRSet as an upper bound for the TTL". As a result,
+ query load on authoritative servers would peak at signature
+ expiration time, as this is also the time at which records
+ simultaneously expire from caches.
+
+ To avoid query load peaks, we suggest the TTL on all the RRs in
+ your zone to be at least a few times smaller than your
+ signature validity period.
+
+ o We suggest the signature publication period to end at least one
+ Maximum Zone TTL duration before the end of the signature validity
+ period.
+
+ Re-signing a zone shortly before the end of the signature
+ validity period may cause simultaneous expiration of data from
+ caches. This in turn may lead to peaks in the load on
+ authoritative servers.
+
+ o We suggest the Minimum Zone TTL to be long enough to both fetch
+ and verify all the RRs in the trust chain. In workshop
+ environments, it has been demonstrated [19] that a low TTL (under
+ 5 to 10 minutes) caused disruptions because of the following two
+ problems:
+
+ 1. During validation, some data may expire before the
+ validation is complete. The validator should be able to keep
+ all data until it is completed. This applies to all RRs needed
+ to complete the chain of trust: DSes, DNSKEYs, RRSIGs, and the
+ final answers, i.e., the RRSet that is returned for the initial
+ query.
+
+ 2. Frequent verification causes load on recursive nameservers.
+ Data at delegation points, DSes, DNSKEYs, and RRSIGs benefit
+ from caching. The TTL on those should be relatively long.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 13]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ o Slave servers will need to be able to fetch newly signed zones
+ well before the RRSIGs in the zone served by the slave server pass
+ their signature expiration time.
+
+ When a slave server is out of sync with its master and data in
+ a zone is signed by expired signatures, it may be better for
+ the slave server not to give out any answer.
+
+ Normally, a slave server that is not able to contact a master
+ server for an extended period will expire a zone. When that
+ happens, the server will respond differently to queries for
+ that zone. Some servers issue SERVFAIL, whereas others turn
+ off the 'AA' bit in the answers. The time of expiration is set
+ in the SOA record and is relative to the last successful
+ refresh between the master and the slave servers. There exists
+ no coupling between the signature expiration of RRSIGs in the
+ zone and the expire parameter in the SOA.
+
+ If the server serves a DNSSEC zone, then it may well happen
+ that the signatures expire well before the SOA expiration timer
+ counts down to zero. It is not possible to completely prevent
+ this from happening by tweaking the SOA parameters.
+
+ However, the effects can be minimized where the SOA expiration
+ time is equal to or shorter than the signature validity period.
+
+ The consequence of an authoritative server not being able to
+ update a zone, whilst that zone includes expired signatures, is
+ that non-secure resolvers will continue to be able to resolve
+ data served by the particular slave servers while security-
+ aware resolvers will experience problems because of answers
+ being marked as Bogus.
+
+ We suggest the SOA expiration timer being approximately one
+ third or one fourth of the signature validity period. It will
+ allow problems with transfers from the master server to be
+ noticed before the actual signature times out.
+
+ We also suggest that operators of nameservers that supply
+ secondary services develop 'watch dogs' to spot upcoming
+ signature expirations in zones they slave, and take appropriate
+ action.
+
+ When determining the value for the expiration parameter one has
+ to take the following into account: What are the chances that
+ all my secondaries expire the zone? How quickly can I reach an
+ administrator of secondary servers to load a valid zone? These
+ questions are not DNSSEC specific but may influence the choice
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 14]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ of your signature validity intervals.
+
+4.2. Key Rollovers
+
+ Regardless of whether a zone uses periodic key rollovers in order to
+ practice for emergencies, or only rolls over keys in an emergency,
+ key rollovers are a fact of life when using DNSSEC. Zone
+ administrators who are in the process of rolling their keys have to
+ take into account that data published in previous versions of their
+ zone still lives in caches. When deploying DNSSEC, this becomes an
+ important consideration; ignoring data that may be in caches may lead
+ to loss of service for clients.
+
+ The most pressing example of this occurs when zone material signed
+ with an old key is being validated by a resolver that does not have
+ the old zone key cached. If the old key is no longer present in the
+ current zone, this validation fails, marking the data "Bogus".
+ Alternatively, an attempt could be made to validate data that is
+ signed with a new key against an old key that lives in a local cache,
+ also resulting in data being marked "Bogus".
+
+4.2.1. Zone Signing Key Rollovers
+
+ For "Zone Signing Key rollovers", there are two ways to make sure
+ that during the rollover data still cached can be verified with the
+ new key sets or newly generated signatures can be verified with the
+ keys still in caches. One schema, described in Section 4.2.1.2, uses
+ double signatures; the other uses key pre-publication
+ (Section 4.2.1.1). The pros, cons, and recommendations are described
+ in Section 4.2.1.3.
+
+4.2.1.1. Pre-Publish Key Rollover
+
+ This section shows how to perform a ZSK rollover without the need to
+ sign all the data in a zone twice -- the "pre-publish key rollover".
+ This method has advantages in the case of a key compromise. If the
+ old key is compromised, the new key has already been distributed in
+ the DNS. The zone administrator is then able to quickly switch to
+ the new key and remove the compromised key from the zone. Another
+ major advantage is that the zone size does not double, as is the case
+ with the double signature ZSK rollover. A small "how-to" for this
+ kind of rollover can be found in Appendix B.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 15]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Pre-publish key rollover involves four stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY new RRSIGs DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2 SOA3
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
+
+ DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover
+
+ initial: Initial version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
+ signatures are generated with this key yet, but this does not
+ secure against brute force attacks on the public key. The minimum
+ duration of this pre-roll phase is the time it takes for the data
+ to propagate to the authoritative servers plus TTL value of the
+ key set.
+
+ new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
+ used to sign the data in the zone exclusively (i.e., all the
+ signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
+ remains published in the key set. This way data that was loaded
+ into caches from version 1 of the zone can still be verified with
+ key sets fetched from version 2 of the zone. The minimum time
+ that the key set including DNSKEY 10 is to be published is the
+ time that it takes for zone data from the previous version of the
+ zone to expire from old caches, i.e., the time it takes for this
+ zone to propagate to all authoritative servers plus the Maximum
+ Zone TTL value of any of the data in the previous version of the
+ zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. The key set,
+ now only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
+ DNSKEY 1.
+
+ The above scheme can be simplified by always publishing the "future"
+ key immediately after the rollover. The scheme would look as follows
+ (we show two rollovers); the future key is introduced in "new DNSKEY"
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 16]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+ (II)":
+
+
+ initial new RRSIGs new DNSKEY
+ -----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11 DNSKEY12
+ RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ ----------------------------------------------------------------
+ new RRSIGs (II) new DNSKEY (II)
+ ----------------------------------------------------------------
+ SOA3 SOA4
+ RRSIG12(SOA3) RRSIG12(SOA4)
+
+ DNSKEY1 DNSKEY1
+ DNSKEY11 DNSKEY12
+ DNSKEY12 DNSKEY13
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG12(DNSKEY) RRSIG12(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover, Showing Two Rollovers
+
+ Note that the key introduced in the "new DNSKEY" phase is not used
+ for production yet; the private key can thus be stored in a
+ physically secure manner and does not need to be 'fetched' every time
+ a zone needs to be signed.
+
+4.2.1.2. Double Signature Zone Signing Key Rollover
+
+ This section shows how to perform a ZSK key rollover using the double
+ zone data signature scheme, aptly named "double signature rollover".
+
+ During the "new DNSKEY" stage the new version of the zone file will
+ need to propagate to all authoritative servers and the data that
+ exists in (distant) caches will need to expire, requiring at least
+ the Maximum Zone TTL.
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 17]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Double signature ZSK rollover involves three stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
+ RRSIG11(SOA1)
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
+ RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Double Signature Zone Signing Key Rollover
+
+ initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+ introduced into the key set and all the data in the zone is signed
+ with DNSKEY 10 and DNSKEY 11. The rollover period will need to
+ continue until all data from version 0 of the zone has expired
+ from remote caches. This will take at least the Maximum Zone TTL
+ of version 0 of the zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. All the
+ signatures from DNSKEY 10 are removed from the zone. The key set,
+ now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+ At every instance, RRSIGs from the previous version of the zone can
+ be verified with the DNSKEY RRSet from the current version and the
+ other way around. The data from the current version can be verified
+ with the data from the previous version of the zone. The duration of
+ the "new DNSKEY" phase and the period between rollovers should be at
+ least the Maximum Zone TTL.
+
+ Making sure that the "new DNSKEY" phase lasts until the signature
+ expiration time of the data in the initial version of the zone is
+ recommended. This way all caches are cleared of the old signatures.
+ However, this duration could be considerably longer than the Maximum
+ Zone TTL, making the rollover a lengthy procedure.
+
+ Note that in this example we assumed that the zone was not modified
+ during the rollover. New data can be introduced in the zone as long
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 18]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ as it is signed with both keys.
+
+4.2.1.3. Pros and Cons of the Schemes
+
+ Pre-publish key rollover: This rollover does not involve signing the
+ zone data twice. Instead, before the actual rollover, the new key
+ is published in the key set and thus is available for
+ cryptanalysis attacks. A small disadvantage is that this process
+ requires four steps. Also the pre-publish scheme involves more
+ parental work when used for KSK rollovers as explained in
+ Section 4.2.3.
+
+ Double signature ZSK rollover: The drawback of this signing scheme
+ is that during the rollover the number of signatures in your zone
+ doubles; this may be prohibitive if you have very big zones. An
+ advantage is that it only requires three steps.
+
+4.2.2. Key Signing Key Rollovers
+
+ For the rollover of a Key Signing Key, the same considerations as for
+ the rollover of a Zone Signing Key apply. However, we can use a
+ double signature scheme to guarantee that old data (only the apex key
+ set) in caches can be verified with a new key set and vice versa.
+ Since only the key set is signed with a KSK, zone size considerations
+ do not apply.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 19]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ --------------------------------------------------------------------
+ initial new DNSKEY DS change DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 --------> SOA1 -------->
+ RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
+ DS1 --------> DS2 -------->
+ RRSIGpar(DS) --------> RRSIGpar(DS) -------->
+
+
+ Child:
+ SOA0 SOA1 --------> SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
+ -------->
+ DNSKEY1 DNSKEY1 --------> DNSKEY2
+ DNSKEY2 -------->
+ DNSKEY10 DNSKEY10 --------> DNSKEY10
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
+ RRSIG2 (DNSKEY) -------->
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Double Signature Key Signing Key Rollover
+
+ initial: Initial version of the zone. The parental DS points to
+ DNSKEY1. Before the rollover starts, the child will have to
+ verify what the TTL is of the DS RR that points to DNSKEY1 -- it
+ is needed during the rollover and we refer to the value as TTL_DS.
+
+ new DNSKEY: During the "new DNSKEY" phase, the zone administrator
+ generates a second KSK, DNSKEY2. The key is provided to the
+ parent, and the child will have to wait until a new DS RR has been
+ generated that points to DNSKEY2. After that DS RR has been
+ published on all servers authoritative for the parent's zone, the
+ zone administrator has to wait at least TTL_DS to make sure that
+ the old DS RR has expired from caches.
+
+ DS change: The parent replaces DS1 with DS2.
+
+ DNSKEY removal: DNSKEY1 has been removed.
+
+ The scenario above puts the responsibility for maintaining a valid
+ chain of trust with the child. It also is based on the premise that
+ the parent only has one DS RR (per algorithm) per zone. An
+ alternative mechanism has been considered. Using an established
+ trust relation, the interaction can be performed in-band, and the
+ removal of the keys by the child can possibly be signaled by the
+ parent. In this mechanism, there are periods where there are two DS
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 20]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ RRs at the parent. Since at the moment of writing the protocol for
+ this interaction has not been developed, further discussion is out of
+ scope for this document.
+
+4.2.3. Difference Between ZSK and KSK Rollovers
+
+ Note that KSK rollovers and ZSK rollovers are different in the sense
+ that a KSK rollover requires interaction with the parent (and
+ possibly replacing of trust anchors) and the ensuing delay while
+ waiting for it.
+
+ A zone key rollover can be handled in two different ways: pre-publish
+ (Section 4.2.1.1) and double signature (Section 4.2.1.2).
+
+ As the KSK is used to validate the key set and because the KSK is not
+ changed during a ZSK rollover, a cache is able to validate the new
+ key set of the zone. The pre-publish method would also work for a
+ KSK rollover. The records that are to be pre-published are the
+ parental DS RRs. The pre-publish method has some drawbacks for KSKs.
+ We first describe the rollover scheme and then indicate these
+ drawbacks.
+
+
+ --------------------------------------------------------------------
+ initial new DS new DNSKEY DS/DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 SOA1 --------> SOA2
+ RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
+ DS1 DS1 --------> DS2
+ DS2 -------->
+ RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
+
+ Child:
+ SOA0 --------> SOA1 SOA1
+ RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
+ -------->
+ DNSKEY1 --------> DNSKEY2 DNSKEY2
+ -------->
+ DNSKEY10 --------> DNSKEY10 DNSKEY10
+ RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
+ RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Pre-Publish Key Signing Key Rollover
+
+ When the child zone wants to roll, it notifies the parent during the
+ "new DS" phase and submits the new key (or the corresponding DS) to
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 21]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
+ and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase),
+ which can take place as soon as the new DS set propagated through the
+ DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
+ ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
+ record can be deleted.
+
+ The drawbacks of this scheme are that during the "new DS" phase the
+ parent cannot verify the match between the DS2 RR and DNSKEY2 using
+ the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
+ "security lame" key (see Section 4.4.3). Finally, the child-parent
+ interaction consists of two steps. The "double signature" method
+ only needs one interaction.
+
+4.2.4. Key algorithm rollover
+
+ [OK: The txt of this section is a strawman for the issue in: http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
+ ]
+
+ A special class of keyrollover is the rollover of key algorithms
+ (either adding a new algorithm, removing an old algorithm, or both),
+ additional steps are needed to retain integrity during the rollover.
+
+ Because of the algorithm downgrade protection in RFC4035 section 2.2,
+ you may not have a key of an algorithm for which you do not have
+ signatures.
+
+ When adding a new algorithm, the signatures should be added first.
+ After the TTL has expired, and caches have dropped the old data
+ covered by those signatures, the DNSKEY with the new algorithm can be
+ added. When removing an old algorithm, the DNSKEY should be removed
+ first.
+
+ To do both, the following steps can be used. For simplicity, we use
+ a zone that is only signed by one zone signing key.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 22]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ ----------------------------------------------------------------
+ 1 Initial 2 New RRSIGS 3 New DNSKEY
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG1(SOA0) RRSIG1(SOA1) RRSIG1(SOA2)
+ RRSIG2(SOA1) RRSIG2(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) DNSKEY2
+ RRSIG2(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG2(DNSKEY)
+ ----------------------------------------------------------------
+ 4 Remove DNSKEY 5 Remove RRSIGS
+ ----------------------------------------------------------------
+ SOA3 SOA4
+ RRSIG1(SOA3) RRSIG2(SOA4)
+ RRSIG2(SOA3)
+
+ DNSKEY2 DNSKEY2
+ RRSIG1(DNSKEY) RRSIG2(DNSKEY)
+ RRSIG2(DNSKEY)
+ ----------------------------------------------------------------
+
+ Stages of Deployment during an Algorithm Rollover.
+
+ In step 2, the signatures for the new key are added, but the key
+ itself is not. While in theory, the signatures of the keyset should
+ always be synchronized with the keyset itself, it can be possible
+ that RRSIGS are requested separately, so it might be prudent to also
+ sign the DNSKEY set with the new signature.
+
+ After the cache data has expired, the new key can be added to the
+ zone, as done in step 3.
+
+ The next step is to remove the old algorithm. This time the key
+ needs to be removed first, before removing the signatures. The key
+ is removed in step 4, and after the cache data has expired, the
+ signatures can be removed in step 5.
+
+ The above steps ensure that during the rollover to a new algorithm,
+ the integrity of the zone is never broken.
+
+4.2.5. Automated Key Rollovers
+
+ As keys must be renewed periodically, there is some motivation to
+ automate the rollover process. Consider the following:
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 23]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ o ZSK rollovers are easy to automate as only the child zone is
+ involved.
+
+ o A KSK rollover needs interaction between parent and child. Data
+ exchange is needed to provide the new keys to the parent;
+ consequently, this data must be authenticated and integrity must
+ be guaranteed in order to avoid attacks on the rollover.
+
+4.3. Planning for Emergency Key Rollover
+
+ This section deals with preparation for a possible key compromise.
+ Our advice is to have a documented procedure ready for when a key
+ compromise is suspected or confirmed.
+
+ When the private material of one of your keys is compromised it can
+ be used for as long as a valid trust chain exists. A trust chain
+ remains intact for
+
+ o as long as a signature over the compromised key in the trust chain
+ is valid,
+
+ o as long as a parental DS RR (and signature) points to the
+ compromised key,
+
+ o as long as the key is anchored in a resolver and is used as a
+ starting point for validation (this is generally the hardest to
+ update).
+
+ While a trust chain to your compromised key exists, your namespace is
+ vulnerable to abuse by anyone who has obtained illegitimate
+ possession of the key. Zone operators have to make a trade-off if
+ the abuse of the compromised key is worse than having data in caches
+ that cannot be validated. If the zone operator chooses to break the
+ trust chain to the compromised key, data in caches signed with this
+ key cannot be validated. However, if the zone administrator chooses
+ to take the path of a regular rollover, the malicious key holder can
+ spoof data so that it appears to be valid.
+
+4.3.1. KSK Compromise
+
+ A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+ as long as the compromised KSK is configured as trust anchor or a
+ parental DS points to it.
+
+ A compromised KSK can be used to sign the key set of an attacker's
+ zone. That zone could be used to poison the DNS.
+
+ Therefore, when the KSK has been compromised, the trust anchor or the
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 24]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ parental DS should be replaced as soon as possible. It is local
+ policy whether to break the trust chain during the emergency
+ rollover. The trust chain would be broken when the compromised KSK
+ is removed from the child's zone while the parent still has a DS
+ pointing to the compromised KSK (the assumption is that there is only
+ one DS at the parent. If there are multiple DSes this does not apply
+ -- however the chain of trust of this particular key is broken).
+
+ Note that an attacker's zone still uses the compromised KSK and the
+ presence of a parental DS would cause the data in this zone to appear
+ as valid. Removing the compromised key would cause the attacker's
+ zone to appear as valid and the child's zone as Bogus. Therefore, we
+ advise not to remove the KSK before the parent has a DS to a new KSK
+ in place.
+
+4.3.1.1. Keeping the Chain of Trust Intact
+
+ If we follow this advice, the timing of the replacement of the KSK is
+ somewhat critical. The goal is to remove the compromised KSK as soon
+ as the new DS RR is available at the parent. And also make sure that
+ the signature made with a new KSK over the key set with the
+ compromised KSK in it expires just after the new DS appears at the
+ parent, thus removing the old cruft in one swoop.
+
+ The procedure is as follows:
+
+ 1. Introduce a new KSK into the key set, keep the compromised KSK in
+ the key set.
+
+ 2. Sign the key set, with a short validity period. The validity
+ period should expire shortly after the DS is expected to appear
+ in the parent and the old DSes have expired from caches.
+
+ 3. Upload the DS for this new key to the parent.
+
+ 4. Follow the procedure of the regular KSK rollover: Wait for the DS
+ to appear in the authoritative servers and then wait as long as
+ the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
+ and modify/extend the expiration time.
+
+ 5. Remove the compromised DNSKEY RR from the zone and re-sign the
+ key set using your "normal" validity interval.
+
+ An additional danger of a key compromise is that the compromised key
+ could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+ nameserver changes at the parent. When that happens, the domain may
+ be in dispute. An authenticated out-of-band and secure notify
+ mechanism to contact a parent is needed in this case.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 25]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Note that this is only a problem when the DNSKEY and or DS records
+ are used for authentication at the parent.
+
+4.3.1.2. Breaking the Chain of Trust
+
+ There are two methods to break the chain of trust. The first method
+ causes the child zone to appear 'Bogus' to validating resolvers. The
+ other causes the child zone to appear 'insecure'. These are
+ described below.
+
+ In the method that causes the child zone to appear 'Bogus' to
+ validating resolvers, the child zone replaces the current KSK with a
+ new one and re-signs the key set. Next it sends the DS of the new
+ key to the parent. Only after the parent has placed the new DS in
+ the zone is the child's chain of trust repaired.
+
+ An alternative method of breaking the chain of trust is by removing
+ the DS RRs from the parent zone altogether. As a result, the child
+ zone would become insecure.
+
+4.3.2. ZSK Compromise
+
+ Primarily because there is no parental interaction required when a
+ ZSK is compromised, the situation is less severe than with a KSK
+ compromise. The zone must still be re-signed with a new ZSK as soon
+ as possible. As this is a local operation and requires no
+ communication between the parent and child, this can be achieved
+ fairly quickly. However, one has to take into account that just as
+ with a normal rollover the immediate disappearance of the old
+ compromised key may lead to verification problems. Also note that as
+ long as the RRSIG over the compromised ZSK is not expired the zone
+ may be still at risk.
+
+4.3.3. Compromises of Keys Anchored in Resolvers
+
+ A key can also be pre-configured in resolvers. For instance, if
+ DNSSEC is successfully deployed the root key may be pre-configured in
+ most security aware resolvers.
+
+ If trust-anchor keys are compromised, the resolvers using these keys
+ should be notified of this fact. Zone administrators may consider
+ setting up a mailing list to communicate the fact that a SEP key is
+ about to be rolled over. This communication will of course need to
+ be authenticated, e.g., by using digital signatures.
+
+ End-users faced with the task of updating an anchored key should
+ always validate the new key. New keys should be authenticated out-
+ of-band, for example, through the use of an announcement website that
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 26]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ is secured using secure sockets (TLS) [23].
+
+4.4. Parental Policies
+
+4.4.1. Initial Key Exchanges and Parental Policies Considerations
+
+ The initial key exchange is always subject to the policies set by the
+ parent. When designing a key exchange policy one should take into
+ account that the authentication and authorization mechanisms used
+ during a key exchange should be as strong as the authentication and
+ authorization mechanisms used for the exchange of delegation
+ information between parent and child. That is, there is no implicit
+ need in DNSSEC to make the authentication process stronger than it
+ was in DNS.
+
+ Using the DNS itself as the source for the actual DNSKEY material,
+ with an out-of-band check on the validity of the DNSKEY, has the
+ benefit that it reduces the chances of user error. A DNSKEY query
+ tool can make use of the SEP bit [5] to select the proper key from a
+ DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
+ sent. It can validate the self-signature over a key; thereby
+ verifying the ownership of the private key material. Fetching the
+ DNSKEY from the DNS ensures that the chain of trust remains intact
+ once the parent publishes the DS RR indicating the child is secure.
+
+ Note: the out-of-band verification is still needed when the key
+ material is fetched via the DNS. The parent can never be sure
+ whether or not the DNSKEY RRs have been spoofed.
+
+4.4.2. Storing Keys or Hashes?
+
+ When designing a registry system one should consider which of the
+ DNSKEYs and/or the corresponding DSes to store. Since a child zone
+ might wish to have a DS published using a message digest algorithm
+ not yet understood by the registry, the registry can't count on being
+ able to generate the DS record from a raw DNSKEY. Thus, we recommend
+ that registry systems at least support storing DS records.
+
+ It may also be useful to store DNSKEYs, since having them may help
+ during troubleshooting and, as long as the child's chosen message
+ digest is supported, the overhead of generating DS records from them
+ is minimal. Having an out-of-band mechanism, such as a registry
+ directory (e.g., Whois), to find out which keys are used to generate
+ DS Resource Records for specific owners and/or zones may also help
+ with troubleshooting.
+
+ The storage considerations also relate to the design of the customer
+ interface and the method by which data is transferred between
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 27]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ registrant and registry; Will the child zone administrator be able to
+ upload DS RRs with unknown hash algorithms or does the interface only
+ allow DNSKEYs? In the registry-registrar model, one can use the
+ DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
+ which allows transfer of DS RRs and optionally DNSKEY RRs.
+
+4.4.3. Security Lameness
+
+ Security lameness is defined as what happens when a parent has a DS
+ RR pointing to a non-existing DNSKEY RR. When this happens, the
+ child's zone may be marked "Bogus" by verifying DNS clients.
+
+ As part of a comprehensive delegation check, the parent could, at key
+ exchange time, verify that the child's key is actually configured in
+ the DNS. However, if a parent does not understand the hashing
+ algorithm used by child, the parental checks are limited to only
+ comparing the key id.
+
+ Child zones should be very careful in removing DNSKEY material,
+ specifically SEP keys, for which a DS RR exists.
+
+ Once a zone is "security lame", a fix (e.g., removing a DS RR) will
+ take time to propagate through the DNS.
+
+4.4.4. DS Signature Validity Period
+
+ Since the DS can be replayed as long as it has a valid signature, a
+ short signature validity period over the DS minimizes the time a
+ child is vulnerable in the case of a compromise of the child's
+ KSK(s). A signature validity period that is too short introduces the
+ possibility that a zone is marked "Bogus" in case of a configuration
+ error in the signer. There may not be enough time to fix the
+ problems before signatures expire. Something as mundane as operator
+ unavailability during weekends shows the need for DS signature
+ validity periods longer than 2 days. We recommend an absolute
+ minimum for a DS signature validity period of a few days.
+
+ The maximum signature validity period of the DS record depends on how
+ long child zones are willing to be vulnerable after a key compromise.
+ On the other hand, shortening the DS signature validity interval
+ increases the operational risk for the parent. Therefore, the parent
+ may have policy to use a signature validity interval that is
+ considerably longer than the child would hope for.
+
+ A compromise between the operational constraints of the parent and
+ minimizing damage for the child may result in a DS signature validity
+ period somewhere between a week and months.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 28]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ In addition to the signature validity period, which sets a lower
+ bound on the number of times the zone owner will need to sign the
+ zone data and which sets an upper bound to the time a child is
+ vulnerable after key compromise, there is the TTL value on the DS
+ RRs. Shortening the TTL means that the authoritative servers will
+ see more queries. But on the other hand, a short TTL lowers the
+ persistence of DS RRSets in caches thereby increasing the speed with
+ which updated DS RRSets propagate through the DNS.
+
+4.4.5. (Non) Cooperating Registrars
+
+ [OK: this is a first strawman, and is intended to start the
+ discussion of the issue. By no means this is intended to be a final
+ text.]
+
+ The parent-child relation is often described in terms of a (thin)
+ registry model. Where a registry maintains the parent zone, and the
+ registrant (the user of the child-domain name), deals with the
+ registry through an intermediary called a registrar. (See [12] for a
+ comprehensive definition). Registrants may out-source the
+ maintenance of their DNS system, including the maintenance of DNSSEC
+ key material, to the registrar or to another third party. The entity
+ that has control over the DNS zone and its keys may prevent the
+ registrant to make a timely move to a different registrar. [OK: I
+ use the term registrar below while it is the operator of the DNS zone
+ who is the actual culprit. For instance, the case also applies when
+ a registrant passes a zone to another registrant. Should I just use
+ "DNS Administrator"?]
+
+ Suppose that the registrant wants to move from losing registrar A to
+ gaining registrar B. Let us first look what would happen in a
+ cooperative environment. The assumption is that registrar A will not
+ hand off any private key material to registrar B because that would
+ be a trivial case.
+
+ In a cooperating environment one could proceed with a pre-publish ZSK
+ rollover whereby registrar A pre-publishes the ZSK of registrar B,
+ combined with a double signature KSK rollover where the two
+ registrars exchange public keys and independently generate a
+ signature over the keysets that they combine and both publish in the
+ zone.
+
+ In the non-cooperative case matters are more complicated. The
+ loosing registrar A may not cooperate and leave the data in the DNS
+ as is. In the extreme case registrar A may become obstructive and
+ publish a DNSKEY RR with a high TTL and corresponding signature
+ validity so that registrar A's DNSKEY, would end up in caches for, in
+ theory, tens of years.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 29]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ The problem arises when a validator tries to validate with A's key
+ and there is no signature material produced with Registrars A
+ available in the delegation path after redelegation from registrar A
+ to registrar B has taken place. One could imagine a rollover
+ scenario where registrar B pulls all RRSIGs created by registar A and
+ publishes those in conjunction with its own signatures, but that
+ would not allow any changes in the zone content. Since a
+ redelegation took place the NS RRset has -- per definition-- changed
+ so such rollover scenario will not work. Besides if zone transfers
+ are not allowed by A and NSEC3 is deployed in the A's zone then
+ registrar B will not have certainty that all of A's RRSIGs are
+ transfered.
+
+ The only viable option for the registrant is to publish its zone
+ unsigned and ask the registry to remove the DS pointing to registrar
+ A for as long as the DNSKEY of registrar A, or any of the signatures
+ produced by registrar A are likely to appear in caches, which as
+ mentioned above could in theory be for tens of years. [OK: Some
+ implementations limit the time data is cached. Although that is not
+ a protocol requirement (and may even be considered a protocol
+ violation) it seems that that practice may limit the impact of this
+ problem, is that worth mentioning?]
+
+ [OK: This is really the point that I'm trying to make, is the above
+ text needed?] There is no operational methodology to work around
+ this business issue and proper contractual relations ships between
+ registrants and their registrars seem to be the only solution to cope
+ with these problems.
+
+5. Security Considerations
+
+ DNSSEC adds data integrity to the DNS. This document tries to assess
+ the operational considerations to maintain a stable and secure DNSSEC
+ service. Not taking into account the 'data propagation' properties
+ in the DNS will cause validation failures and may make secured zones
+ unavailable to security-aware resolvers.
+
+6. IANA considerations
+
+ There are no IANA considerations with respect to this document
+
+7. Acknowledgments
+
+ Most of the text of this document is copied from RFC4641 [16] people
+ involved in that work were in random order: Rip Loomis, Olafur
+ Gudmundsson, Wesley Griffin, Michael Richardson, Scott Rose, Rick van
+ Rein, Tim McGinnis, Gilles Guette Olivier Courtay, Sam Weiler, Jelte
+ Jansen, Niall O'Reilly, Holger Zuleger, Ed Lewis, Hilarie Orman,
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 30]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Marcos Sanz, Peter Koch, Mike StJohns, Emmar Bretherick, Adrian
+ Bedford, and Lindy Foster, G. Guette, and O. Courtay.
+
+ For this version of the document we would like to acknowldge:
+
+ o Paul Hoffman for his contribution on the choice of cryptographic
+ paramenters and addressing some of the trust anchor issues.
+
+ o Jelte Jansen provided the text in Section 4.2.4
+
+8. References
+
+8.1. Normative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+8.2. Informative References
+
+ [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [7] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+ August 1996.
+
+ [8] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+ (DNS NOTIFY)", RFC 1996, August 1996.
+
+ [9] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC 2308, March 1998.
+
+ [10] Eastlake, D., "DNS Security Operational Considerations",
+ RFC 2541, March 1999.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 31]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+ [12] Hollenbeck, S., "Generic Registry-Registrar Protocol
+ Requirements", RFC 3375, September 2002.
+
+ [13] Orman, H. and P. Hoffman, "Determining Strengths For Public
+ Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+ April 2004.
+
+ [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+ Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+ [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+ Mapping for the Extensible Provisioning Protocol (EPP)",
+ RFC 4310, December 2005.
+
+ [16] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+ RFC 4641, September 2006.
+
+ [17] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949,
+ August 2007.
+
+ [18] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
+ Anchors", RFC 5011, September 2007.
+
+ [19] Rose, S., "NIST DNSSEC workshop notes", , June 2001.
+
+ [20] Barker, E. and J. Kelsey, "Recommendation for Random Number
+ Generation Using Deterministic Random Bit Generators
+ (Revised)", Nist Special Publication 800-90, March 2007.
+
+ [21] Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and
+ RRSIG Resource Records for DNSSEC",
+ draft-ietf-dnsext-dnssec-rsasha256-05 (work in progress),
+ July 2008.
+
+ [22] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+ Resource Records (RRs)", RFC 4509, May 2006.
+
+ [23] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
+ T. Wright, "Transport Layer Security (TLS) Extensions",
+ RFC 4366, April 2006.
+
+Appendix A. Terminology
+
+ In this document, there is some jargon used that is defined in other
+ documents. In most cases, we have not copied the text from the
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 32]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ documents defining the terms but have given a more elaborate
+ explanation of the meaning. Note that these explanations should not
+ be seen as authoritative.
+
+ Anchored key: A DNSKEY configured in resolvers around the globe.
+ This key is hard to update, hence the term anchored.
+
+ Bogus: Also see Section 5 of [3]. An RRSet in DNSSEC is marked
+ "Bogus" when a signature of an RRSet does not validate against a
+ DNSKEY.
+
+ Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is
+ used exclusively for signing the apex key set. The fact that a
+ key is a KSK is only relevant to the signing tool.
+
+ Key size: The term 'key size' can be substituted by 'modulus size'
+ throughout the document. It is mathematically more correct to use
+ modulus size, but as this is a document directed at operators we
+ feel more at ease with the term key size.
+
+ Private and public keys: DNSSEC secures the DNS through the use of
+ public key cryptography. Public key cryptography is based on the
+ existence of two (mathematically related) keys, a public key and a
+ private key. The public keys are published in the DNS by use of
+ the DNSKEY Resource Record (DNSKEY RR). Private keys should
+ remain private.
+
+ Key rollover: A key rollover (also called key supercession in some
+ environments) is the act of replacing one key pair with another at
+ the end of a key effectivity period.
+
+ Secure Entry Point (SEP) key: A KSK that has a parental DS record
+ pointing to it or is configured as a trust anchor. Although not
+ required by the protocol, we recommend that the SEP flag [5] is
+ set on these keys.
+
+ Self-signature: This only applies to signatures over DNSKEYs; a
+ signature made with DNSKEY x, over DNSKEY x is called a self-
+ signature. Note: without further information, self-signatures
+ convey no trust. They are useful to check the authenticity of the
+ DNSKEY, i.e., they can be used as a hash.
+
+ Singing the zone file: The term used for the event where an
+ administrator joyfully signs its zone file while producing melodic
+ sound patterns.
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 33]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Signer: The system that has access to the private key material and
+ signs the Resource Record sets in a zone. A signer may be
+ configured to sign only parts of the zone, e.g., only those RRSets
+ for which existing signatures are about to expire.
+
+ Zone Signing Key (ZSK): A key that is used for signing all data in a
+ zone (except, perhaps, the DNSKEY RRSet). The fact that a key is
+ a ZSK is only relevant to the signing tool.
+
+ Zone administrator: The 'role' that is responsible for signing a
+ zone and publishing it on the primary authoritative server.
+
+Appendix B. Zone Signing Key Rollover How-To
+
+ Using the pre-published signature scheme and the most conservative
+ method to assure oneself that data does not live in caches, here
+ follows the "how-to".
+
+ Step 0: The preparation: Create two keys and publish both in your
+ key set. Mark one of the keys "active" and the other "published".
+ Use the "active" key for signing your zone data. Store the
+ private part of the "published" key, preferably off-line. The
+ protocol does not provide for attributes to mark a key as active
+ or published. This is something you have to do on your own,
+ through the use of a notebook or key management tool.
+
+ Step 1: Determine expiration: At the beginning of the rollover make
+ a note of the highest expiration time of signatures in your zone
+ file created with the current key marked as active. Wait until
+ the expiration time marked in Step 1 has passed.
+
+ Step 2: Then start using the key that was marked "published" to sign
+ your data (i.e., mark it "active"). Stop using the key that was
+ marked "active"; mark it "rolled".
+
+ Step 3: It is safe to engage in a new rollover (Step 1) after at
+ least one signature validity period.
+
+Appendix C. Typographic Conventions
+
+ The following typographic conventions are used in this document:
+
+ Key notation: A key is denoted by DNSKEYx, where x is a number or an
+ identifier, x could be thought of as the key id.
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 34]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ RRSet notations: RRs are only denoted by the type. All other
+ information -- owner, class, rdata, and TTL -- is left out. Thus:
+ "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
+ list of RRs. A example of this would be "A1, A2", specifying the
+ RRSet containing two "A" records. This could again be abbreviated
+ to just "A".
+
+ Signature notation: Signatures are denoted as RRSIGx(RRSet), which
+ means that RRSet is signed with DNSKEYx.
+
+ Zone representation: Using the above notation we have simplified the
+ representation of a signed zone by leaving out all unnecessary
+ details such as the names and by representing all data by "SOAx"
+
+ SOA representation: SOAs are represented as SOAx, where x is the
+ serial number.
+
+ Using this notation the following signed zone:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 35]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ example.net. 86400 IN SOA ns.example.net. bert.example.net. (
+ 2006022100 ; serial
+ 86400 ; refresh ( 24 hours)
+ 7200 ; retry ( 2 hours)
+ 3600000 ; expire (1000 hours)
+ 28800 ) ; minimum ( 8 hours)
+ 86400 RRSIG SOA 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ cmL62SI6iAX46xGNQAdQ... )
+ 86400 NS a.example.net.
+ 86400 NS b.example.net.
+ 86400 RRSIG NS 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ SO5epiJei19AjXoUpFnQ ... )
+ 86400 DNSKEY 256 3 5 (
+ EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
+ 86400 DNSKEY 257 3 5 (
+ gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ J4zCe8QX4tXVGjV4e1r9... )
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 15 example.net.
+ keVDCOpsSeDReyV6O... )
+ 86400 RRSIG NSEC 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ obj3HEp1GjnmhRjX... )
+ a.example.net. 86400 IN TXT "A label"
+ 86400 RRSIG TXT 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ IkDMlRdYLmXH7QJnuF3v... )
+ 86400 NSEC b.example.com. TXT RRSIG NSEC
+ 86400 RRSIG NSEC 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ bZMjoZ3bHjnEz0nIsPMM... )
+ ...
+
+ is reduced to the following representation:
+
+ SOA2006022100
+ RRSIG14(SOA2006022100)
+ DNSKEY14
+ DNSKEY15
+
+ RRSIG14(KEY)
+ RRSIG15(KEY)
+
+ The rest of the zone data has the same signature as the SOA record,
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 36]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ i.e., an RRSIG created with DNSKEY 14.
+
+Appendix D. Document Editing History
+
+ [To be removed prior to publication as an RFC]
+
+D.1. draft-ietf-dnsop-rfc4641-00
+
+ Version 0 was differs from RFC4641 in the following ways.
+
+ o Status of this memo appropriate for I-D
+
+ o TOC formatting differs.
+
+ o Whitespaces, linebreaks, and pagebreaks may be slightly different
+ because of xml2rfc generation.
+
+ o References slightly reordered.
+
+ o Applied the errata from
+ http://www.rfc-editor.org/errata_search.php?rfc=4641
+
+ o Inserted trivial "IANA considertations" section.
+
+ In other words it should not contain substantive changes in content
+ as intended by the workinggroup for the original RFC4641.
+
+D.2. version 0->1
+
+ Cryptography details rewritten. (See http://www.nlnetlabs.nl/svn/
+ rfc4641bis/trunk/open-issues/cryptography_flawed)
+
+ o Reference to NIST 800-90 added
+
+ o RSA/SHA256 is being recommended in addition to RSA/SHA1.
+
+ o Complete rewrite of Section 3.5 removing the table and suggesting
+ a keysize of 1024 for keys in use for less than 8 years, issued up
+ to at least 2015.
+
+ o Replaced the reference to Schneiers' applied cryptograpy with a
+ reference to RFC4949.
+
+ o Removed the KSK for high level zones consideration
+
+ Applied some differentiation with respect of the use of a KSK for
+ parent or trust-anchor relation http://www.nlnetlabs.nl/svn/
+ rfc4641bis/trunk/open-issues/differentiation_trustanchor_parent
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 37]
+\f
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
+ rollover_assumptions
+
+ Added Section 4.2.4 as suggested by Jelte Jansen in http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
+
+ Added Section 4.4.5 Issue identified by Antoin Verschuur http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
+ non-cooperative-registrars
+
+ In Appendix A: ZSK does not nescessarily sign the DNSKEY RRset.
+
+ $Id: draft-ietf-dnsop-rfc4641bis-01.txt,v 1.1 2009/09/23 13:22:50 fdupont Exp $
+
+Authors' Addresses
+
+ Olaf M. Kolkman
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098 VA
+ The Netherlands
+
+ EMail: olaf@nlnetlabs.nl
+ URI: http://www.nlnetlabs.nl
+
+
+ Miek Gieben
+
+
+ EMail: miek@miek.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 38]
+\f
--- /dev/null
+
+
+
+
+
+
+Network Working Group O. Kolkman
+Request for Comments: 4641 R. Gieben
+Obsoletes: 2541 NLnet Labs
+Category: Informational September 2006
+
+
+ DNSSEC Operational Practices
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document describes a set of practices for operating the DNS with
+ security extensions (DNSSEC). The target audience is zone
+ administrators deploying DNSSEC.
+
+ The document discusses operational aspects of using keys and
+ signatures in the DNS. It discusses issues of key generation, key
+ storage, signature generation, key rollover, and related policies.
+
+ This document obsoletes RFC 2541, as it covers more operational
+ ground and gives more up-to-date requirements with respect to key
+ sizes and the new DNSSEC specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 1]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. The Use of the Term 'key' ..................................4
+ 1.2. Time Definitions ...........................................4
+ 2. Keeping the Chain of Trust Intact ...............................5
+ 3. Keys Generation and Storage .....................................6
+ 3.1. Zone and Key Signing Keys ..................................6
+ 3.1.1. Motivations for the KSK and ZSK Separation ..........6
+ 3.1.2. KSKs for High-Level Zones ...........................7
+ 3.2. Key Generation .............................................8
+ 3.3. Key Effectivity Period .....................................8
+ 3.4. Key Algorithm ..............................................9
+ 3.5. Key Sizes ..................................................9
+ 3.6. Private Key Storage .......................................11
+ 4. Signature Generation, Key Rollover, and Related Policies .......12
+ 4.1. Time in DNSSEC ............................................12
+ 4.1.1. Time Considerations ................................12
+ 4.2. Key Rollovers .............................................14
+ 4.2.1. Zone Signing Key Rollovers .........................14
+ 4.2.1.1. Pre-Publish Key Rollover ..................15
+ 4.2.1.2. Double Signature Zone Signing Key
+ Rollover ..................................17
+ 4.2.1.3. Pros and Cons of the Schemes ..............18
+ 4.2.2. Key Signing Key Rollovers ..........................18
+ 4.2.3. Difference Between ZSK and KSK Rollovers ...........20
+ 4.2.4. Automated Key Rollovers ............................21
+ 4.3. Planning for Emergency Key Rollover .......................21
+ 4.3.1. KSK Compromise .....................................22
+ 4.3.1.1. Keeping the Chain of Trust Intact .........22
+ 4.3.1.2. Breaking the Chain of Trust ...............23
+ 4.3.2. ZSK Compromise .....................................23
+ 4.3.3. Compromises of Keys Anchored in Resolvers ..........24
+ 4.4. Parental Policies .........................................24
+ 4.4.1. Initial Key Exchanges and Parental Policies
+ Considerations .....................................24
+ 4.4.2. Storing Keys or Hashes? ............................25
+ 4.4.3. Security Lameness ..................................25
+ 4.4.4. DS Signature Validity Period .......................26
+ 5. Security Considerations ........................................26
+ 6. Acknowledgments ................................................26
+ 7. References .....................................................27
+ 7.1. Normative References ......................................27
+ 7.2. Informative References ....................................28
+ Appendix A. Terminology ...........................................30
+ Appendix B. Zone Signing Key Rollover How-To ......................31
+ Appendix C. Typographic Conventions ...............................32
+
+
+
+
+Kolkman & Gieben Informational [Page 2]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+1. Introduction
+
+ This document describes how to run a DNS Security (DNSSEC)-enabled
+ environment. It is intended for operators who have knowledge of the
+ DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
+ See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the
+ newly introduced Resource Records (RRs), and RFC 4035 [6] for the
+ protocol changes.
+
+ During workshops and early operational deployment tests, operators
+ and system administrators have gained experience about operating the
+ DNS with security extensions (DNSSEC). This document translates
+ these experiences into a set of practices for zone administrators.
+ At the time of writing, there exists very little experience with
+ DNSSEC in production environments; this document should therefore
+ explicitly not be seen as representing 'Best Current Practices'.
+
+ The procedures herein are focused on the maintenance of signed zones
+ (i.e., signing and publishing zones on authoritative servers). It is
+ intended that maintenance of zones such as re-signing or key
+ rollovers be transparent to any verifying clients on the Internet.
+
+ The structure of this document is as follows. In Section 2, we
+ discuss the importance of keeping the "chain of trust" intact.
+ Aspects of key generation and storage of private keys are discussed
+ in Section 3; the focus in this section is mainly on the private part
+ of the key(s). Section 4 describes considerations concerning the
+ public part of the keys. Since these public keys appear in the DNS
+ one has to take into account all kinds of timing issues, which are
+ discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
+ rollover, or supercession, of keys. Finally, Section 4.4 discusses
+ considerations on how parents deal with their children's public keys
+ in order to maintain chains of trust.
+
+ The typographic conventions used in this document are explained in
+ Appendix C.
+
+ Since this is a document with operational suggestions and there are
+ no protocol specifications, the RFC 2119 [7] language does not apply.
+
+ This document obsoletes RFC 2541 [12] to reflect the evolution of the
+ underlying DNSSEC protocol since then. Changes in the choice of
+ cryptographic algorithms, DNS record types and type names, and the
+ parent-child key and signature exchange demanded a major rewrite and
+ additional information and explanation.
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 3]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+1.1. The Use of the Term 'key'
+
+ It is assumed that the reader is familiar with the concept of
+ asymmetric keys on which DNSSEC is based (public key cryptography
+ [17]). Therefore, this document will use the term 'key' rather
+ loosely. Where it is written that 'a key is used to sign data' it is
+ assumed that the reader understands that it is the private part of
+ the key pair that is used for signing. It is also assumed that the
+ reader understands that the public part of the key pair is published
+ in the DNSKEY Resource Record and that it is the public part that is
+ used in key exchanges.
+
+1.2. Time Definitions
+
+ In this document, we will be using a number of time-related terms.
+ The following definitions apply:
+
+ o "Signature validity period" The period that a signature is valid.
+ It starts at the time specified in the signature inception field
+ of the RRSIG RR and ends at the time specified in the expiration
+ field of the RRSIG RR.
+
+ o "Signature publication period" Time after which a signature (made
+ with a specific key) is replaced with a new signature (made with
+ the same key). This replacement takes place by publishing the
+ relevant RRSIG in the master zone file. After one stops
+ publishing an RRSIG in a zone, it may take a while before the
+ RRSIG has expired from caches and has actually been removed from
+ the DNS.
+
+ o "Key effectivity period" The period during which a key pair is
+ expected to be effective. This period is defined as the time
+ between the first inception time stamp and the last expiration
+ date of any signature made with this key, regardless of any
+ discontinuity in the use of the key. The key effectivity period
+ can span multiple signature validity periods.
+
+ o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
+ value of the TTLs from the complete set of RRs in a zone. Note
+ that the minimum TTL is not the same as the MINIMUM field in the
+ SOA RR. See [11] for more information.
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 4]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+2. Keeping the Chain of Trust Intact
+
+ Maintaining a valid chain of trust is important because broken chains
+ of trust will result in data being marked as Bogus (as defined in [4]
+ Section 5), which may cause entire (sub)domains to become invisible
+ to verifying clients. The administrators of secured zones have to
+ realize that their zone is, to verifying clients, part of a chain of
+ trust.
+
+ As mentioned in the introduction, the procedures herein are intended
+ to ensure that maintenance of zones, such as re-signing or key
+ rollovers, will be transparent to the verifying clients on the
+ Internet.
+
+ Administrators of secured zones will have to keep in mind that data
+ published on an authoritative primary server will not be immediately
+ seen by verifying clients; it may take some time for the data to be
+ transferred to other secondary authoritative nameservers and clients
+ may be fetching data from caching non-authoritative servers. In this
+ light, note that the time for a zone transfer from master to slave is
+ negligible when using NOTIFY [9] and incremental transfer (IXFR) [8].
+ It increases when full zone transfers (AXFR) are used in combination
+ with NOTIFY. It increases even more if you rely on full zone
+ transfers based on only the SOA timing parameters for refresh.
+
+ For the verifying clients, it is important that data from secured
+ zones can be used to build chains of trust regardless of whether the
+ data came directly from an authoritative server, a caching
+ nameserver, or some middle box. Only by carefully using the
+ available timing parameters can a zone administrator ensure that the
+ data necessary for verification can be obtained.
+
+ The responsibility for maintaining the chain of trust is shared by
+ administrators of secured zones in the chain of trust. This is most
+ obvious in the case of a 'key compromise' when a trade-off between
+ maintaining a valid chain of trust and replacing the compromised keys
+ as soon as possible must be made. Then zone administrators will have
+ to make a trade-off, between keeping the chain of trust intact --
+ thereby allowing for attacks with the compromised key -- or
+ deliberately breaking the chain of trust and making secured
+ subdomains invisible to security-aware resolvers. Also see Section
+ 4.3.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 5]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+3. Keys Generation and Storage
+
+ This section describes a number of considerations with respect to the
+ security of keys. It deals with the generation, effectivity period,
+ size, and storage of private keys.
+
+3.1. Zone and Key Signing Keys
+
+ The DNSSEC validation protocol does not distinguish between different
+ types of DNSKEYs. All DNSKEYs can be used during the validation. In
+ practice, operators use Key Signing and Zone Signing Keys and use the
+ so-called Secure Entry Point (SEP) [3] flag to distinguish between
+ them during operations. The dynamics and considerations are
+ discussed below.
+
+ To make zone re-signing and key rollover procedures easier to
+ implement, it is possible to use one or more keys as Key Signing Keys
+ (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone.
+ Other keys can be used to sign all the RRSets in a zone and are
+ referred to as Zone Signing Keys (ZSKs). In this document, we assume
+ that KSKs are the subset of keys that are used for key exchanges with
+ the parent and potentially for configuration as trusted anchors --
+ the SEP keys. In this document, we assume a one-to-one mapping
+ between KSK and SEP keys and we assume the SEP flag to be set on all
+ KSKs.
+
+3.1.1. Motivations for the KSK and ZSK Separation
+
+ Differentiating between the KSK and ZSK functions has several
+ advantages:
+
+ o No parent/child interaction is required when ZSKs are updated.
+
+ o The KSK can be made stronger (i.e., using more bits in the key
+ material). This has little operational impact since it is only
+ used to sign a small fraction of the zone data. Also, the KSK is
+ only used to verify the zone's key set, not for other RRSets in
+ the zone.
+
+ o As the KSK is only used to sign a key set, which is most probably
+ updated less frequently than other data in the zone, it can be
+ stored separately from and in a safer location than the ZSK.
+
+ o A KSK can have a longer key effectivity period.
+
+ For almost any method of key management and zone signing, the KSK is
+ used less frequently than the ZSK. Once a key set is signed with the
+ KSK, all the keys in the key set can be used as ZSKs. If a ZSK is
+
+
+
+Kolkman & Gieben Informational [Page 6]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ compromised, it can be simply dropped from the key set. The new key
+ set is then re-signed with the KSK.
+
+ Given the assumption that for KSKs the SEP flag is set, the KSK can
+ be distinguished from a ZSK by examining the flag field in the DNSKEY
+ RR. If the flag field is an odd number it is a KSK. If it is an
+ even number it is a ZSK.
+
+ The Zone Signing Key can be used to sign all the data in a zone on a
+ regular basis. When a Zone Signing Key is to be rolled, no
+ interaction with the parent is needed. This allows for signature
+ validity periods on the order of days.
+
+ The Key Signing Key is only to be used to sign the DNSKEY RRs in a
+ zone. If a Key Signing Key is to be rolled over, there will be
+ interactions with parties other than the zone administrator. These
+ can include the registry of the parent zone or administrators of
+ verifying resolvers that have the particular key configured as secure
+ entry points. Hence, the key effectivity period of these keys can
+ and should be made much longer. Although, given a long enough key,
+ the key effectivity period can be on the order of years, we suggest
+ planning for a key effectivity on the order of a few months so that a
+ key rollover remains an operational routine.
+
+3.1.2. KSKs for High-Level Zones
+
+ Higher-level zones are generally more sensitive than lower-level
+ zones. Anyone controlling or breaking the security of a zone thereby
+ obtains authority over all of its subdomains (except in the case of
+ resolvers that have locally configured the public key of a subdomain,
+ in which case this, and only this, subdomain wouldn't be affected by
+ the compromise of the parent zone). Therefore, extra care should be
+ taken with high-level zones, and strong keys should be used.
+
+ The root zone is the most critical of all zones. Someone controlling
+ or compromising the security of the root zone would control the
+ entire DNS namespace of all resolvers using that root zone (except in
+ the case of resolvers that have locally configured the public key of
+ a subdomain). Therefore, the utmost care must be taken in the
+ securing of the root zone. The strongest and most carefully handled
+ keys should be used. The root zone private key should always be kept
+ off-line.
+
+ Many resolvers will start at a root server for their access to and
+ authentication of DNS data. Securely updating the trust anchors in
+ an enormous population of resolvers around the world will be
+ extremely difficult.
+
+
+
+
+Kolkman & Gieben Informational [Page 7]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+3.2. Key Generation
+
+ Careful generation of all keys is a sometimes overlooked but
+ absolutely essential element in any cryptographically secure system.
+ The strongest algorithms used with the longest keys are still of no
+ use if an adversary can guess enough to lower the size of the likely
+ key space so that it can be exhaustively searched. Technical
+ suggestions for the generation of random keys will be found in RFC
+ 4086 [14]. One should carefully assess if the random number
+ generator used during key generation adheres to these suggestions.
+
+ Keys with a long effectivity period are particularly sensitive as
+ they will represent a more valuable target and be subject to attack
+ for a longer time than short-period keys. It is strongly recommended
+ that long-term key generation occur off-line in a manner isolated
+ from the network via an air gap or, at a minimum, high-level secure
+ hardware.
+
+3.3. Key Effectivity Period
+
+ For various reasons, keys in DNSSEC need to be changed once in a
+ while. The longer a key is in use, the greater the probability that
+ it will have been compromised through carelessness, accident,
+ espionage, or cryptanalysis. Furthermore, when key rollovers are too
+ rare an event, they will not become part of the operational habit and
+ there is risk that nobody on-site will remember the procedure for
+ rollover when the need is there.
+
+ From a purely operational perspective, a reasonable key effectivity
+ period for Key Signing Keys is 13 months, with the intent to replace
+ them after 12 months. An intended key effectivity period of a month
+ is reasonable for Zone Signing Keys.
+
+ For key sizes that match these effectivity periods, see Section 3.5.
+
+ As argued in Section 3.1.2, securely updating trust anchors will be
+ extremely difficult. On the other hand, the "operational habit"
+ argument does also apply to trust anchor reconfiguration. If a short
+ key effectivity period is used and the trust anchor configuration has
+ to be revisited on a regular basis, the odds that the configuration
+ tends to be forgotten is smaller. The trade-off is against a system
+ that is so dynamic that administrators of the validating clients will
+ not be able to follow the modifications.
+
+ Key effectivity periods can be made very short, as in a few minutes.
+ But when replacing keys one has to take the considerations from
+ Section 4.1 and Section 4.2 into account.
+
+
+
+
+Kolkman & Gieben Informational [Page 8]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+3.4. Key Algorithm
+
+ There are currently three different types of algorithms that can be
+ used in DNSSEC: RSA, DSA, and elliptic curve cryptography. The
+ latter is fairly new and has yet to be standardized for usage in
+ DNSSEC.
+
+ RSA has been developed in an open and transparent manner. As the
+ patent on RSA expired in 2000, its use is now also free.
+
+ DSA has been developed by the National Institute of Standards and
+ Technology (NIST). The creation of signatures takes roughly the same
+ time as with RSA, but is 10 to 40 times as slow for verification
+ [17].
+
+ We suggest the use of RSA/SHA-1 as the preferred algorithm for the
+ key. The current known attacks on RSA can be defeated by making your
+ key longer. As the MD5 hashing algorithm is showing cracks, we
+ recommend the usage of SHA-1.
+
+ At the time of publication, it is known that the SHA-1 hash has
+ cryptanalysis issues. There is work in progress on addressing these
+ issues. We recommend the use of public key algorithms based on
+ hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
+ algorithms are available in protocol specifications (see [19] and
+ [20]) and implementations.
+
+3.5. Key Sizes
+
+ When choosing key sizes, zone administrators will need to take into
+ account how long a key will be used, how much data will be signed
+ during the key publication period (see Section 8.10 of [17]), and,
+ optionally, how large the key size of the parent is. As the chain of
+ trust really is "a chain", there is not much sense in making one of
+ the keys in the chain several times larger then the others. As
+ always, it's the weakest link that defines the strength of the entire
+ chain. Also see Section 3.1.1 for a discussion of how keys serving
+ different roles (ZSK vs. KSK) may need different key sizes.
+
+ Generating a key of the correct size is a difficult problem; RFC 3766
+ [13] tries to deal with that problem. The first part of the
+ selection procedure in Section 1 of the RFC states:
+
+ 1. Determine the attack resistance necessary to satisfy the
+ security requirements of the application. Do this by
+ estimating the minimum number of computer operations that the
+ attacker will be forced to do in order to compromise the
+
+
+
+
+Kolkman & Gieben Informational [Page 9]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ security of the system and then take the logarithm base two of
+ that number. Call that logarithm value "n".
+
+ A 1996 report recommended 90 bits as a good all-around choice
+ for system security. The 90 bit number should be increased by
+ about 2/3 bit/year, or about 96 bits in 2005.
+
+ [13] goes on to explain how this number "n" can be used to calculate
+ the key sizes in public key cryptography. This culminated in the
+ table given below (slightly modified for our purpose):
+
+ +-------------+-----------+--------------+
+ | System | | |
+ | requirement | Symmetric | RSA or DSA |
+ | for attack | key size | modulus size |
+ | resistance | (bits) | (bits) |
+ | (bits) | | |
+ +-------------+-----------+--------------+
+ | 70 | 70 | 947 |
+ | 80 | 80 | 1228 |
+ | 90 | 90 | 1553 |
+ | 100 | 100 | 1926 |
+ | 150 | 150 | 4575 |
+ | 200 | 200 | 8719 |
+ | 250 | 250 | 14596 |
+ +-------------+-----------+--------------+
+
+ The key sizes given are rather large. This is because these keys are
+ resilient against a trillionaire attacker. Assuming this rich
+ attacker will not attack your key and that the key is rolled over
+ once a year, we come to the following recommendations about KSK
+ sizes: 1024 bits for low-value domains, 1300 bits for medium-value
+ domains, and 2048 bits for high-value domains.
+
+ Whether a domain is of low, medium, or high value depends solely on
+ the views of the zone owner. One could, for instance, view leaf
+ nodes in the DNS as of low value, and top-level domains (TLDs) or the
+ root zone of high value. The suggested key sizes should be safe for
+ the next 5 years.
+
+ As ZSKs can be rolled over more easily (and thus more often), the key
+ sizes can be made smaller. But as said in the introduction of this
+ paragraph, making the ZSKs' key sizes too small (in relation to the
+ KSKs' sizes) doesn't make much sense. Try to limit the difference in
+ size to about 100 bits.
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 10]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ Note that nobody can see into the future and that these key sizes are
+ only provided here as a guide. Further information can be found in
+ [16] and Section 7.5 of [17]. It should be noted though that [16] is
+ already considered overly optimistic about what key sizes are
+ considered safe.
+
+ One final note concerning key sizes. Larger keys will increase the
+ sizes of the RRSIG and DNSKEY records and will therefore increase the
+ chance of DNS UDP packet overflow. Also, the time it takes to
+ validate and create RRSIGs increases with larger keys, so don't
+ needlessly double your key sizes.
+
+3.6. Private Key Storage
+
+ It is recommended that, where possible, zone private keys and the
+ zone file master copy that is to be signed be kept and used in off-
+ line, non-network-connected, physically secure machines only.
+ Periodically, an application can be run to add authentication to a
+ zone by adding RRSIG and NSEC RRs. Then the augmented file can be
+ transferred.
+
+ When relying on dynamic update to manage a signed zone [10], be aware
+ that at least one private key of the zone will have to reside on the
+ master server. This key is only as secure as the amount of exposure
+ the server receives to unknown clients and the security of the host.
+ Although not mandatory, one could administer the DNS in the following
+ way. The master that processes the dynamic updates is unavailable
+ from generic hosts on the Internet, it is not listed in the NS RR
+ set, although its name appears in the SOA RRs MNAME field. The
+ nameservers in the NS RRSet are able to receive zone updates through
+ NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This
+ approach is known as the "hidden master" setup.
+
+ The ideal situation is to have a one-way information flow to the
+ network to avoid the possibility of tampering from the network.
+ Keeping the zone master file on-line on the network and simply
+ cycling it through an off-line signer does not do this. The on-line
+ version could still be tampered with if the host it resides on is
+ compromised. For maximum security, the master copy of the zone file
+ should be off-net and should not be updated based on an unsecured
+ network mediated communication.
+
+ In general, keeping a zone file off-line will not be practical and
+ the machines on which zone files are maintained will be connected to
+ a network. Operators are advised to take security measures to shield
+ unauthorized access to the master copy.
+
+
+
+
+
+Kolkman & Gieben Informational [Page 11]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ For dynamically updated secured zones [10], both the master copy and
+ the private key that is used to update signatures on updated RRs will
+ need to be on-line.
+
+4. Signature Generation, Key Rollover, and Related Policies
+
+4.1. Time in DNSSEC
+
+ Without DNSSEC, all times in the DNS are relative. The SOA fields
+ REFRESH, RETRY, and EXPIRATION are timers used to determine the time
+ elapsed after a slave server synchronized with a master server. The
+ Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
+ are used to determine how long a forwarder should cache data after it
+ has been fetched from an authoritative server. By using a signature
+ validity period, DNSSEC introduces the notion of an absolute time in
+ the DNS. Signatures in DNSSEC have an expiration date after which
+ the signature is marked as invalid and the signed data is to be
+ considered Bogus.
+
+4.1.1. Time Considerations
+
+ Because of the expiration of signatures, one should consider the
+ following:
+
+ o We suggest the Maximum Zone TTL of your zone data to be a fraction
+ of your signature validity period.
+
+ If the TTL would be of similar order as the signature validity
+ period, then all RRSets fetched during the validity period
+ would be cached until the signature expiration time. Section
+ 7.1 of [4] suggests that "the resolver may use the time
+ remaining before expiration of the signature validity period of
+ a signed RRSet as an upper bound for the TTL". As a result,
+ query load on authoritative servers would peak at signature
+ expiration time, as this is also the time at which records
+ simultaneously expire from caches.
+
+ To avoid query load peaks, we suggest the TTL on all the RRs in
+ your zone to be at least a few times smaller than your
+ signature validity period.
+
+ o We suggest the signature publication period to end at least one
+ Maximum Zone TTL duration before the end of the signature validity
+ period.
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 12]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ Re-signing a zone shortly before the end of the signature
+ validity period may cause simultaneous expiration of data from
+ caches. This in turn may lead to peaks in the load on
+ authoritative servers.
+
+ o We suggest the Minimum Zone TTL to be long enough to both fetch
+ and verify all the RRs in the trust chain. In workshop
+ environments, it has been demonstrated [18] that a low TTL (under
+ 5 to 10 minutes) caused disruptions because of the following two
+ problems:
+
+ 1. During validation, some data may expire before the
+ validation is complete. The validator should be able to
+ keep all data until it is completed. This applies to all
+ RRs needed to complete the chain of trust: DSes, DNSKEYs,
+ RRSIGs, and the final answers, i.e., the RRSet that is
+ returned for the initial query.
+
+ 2. Frequent verification causes load on recursive nameservers.
+ Data at delegation points, DSes, DNSKEYs, and RRSIGs
+ benefit from caching. The TTL on those should be
+ relatively long.
+
+ o Slave servers will need to be able to fetch newly signed zones
+ well before the RRSIGs in the zone served by the slave server pass
+ their signature expiration time.
+
+ When a slave server is out of sync with its master and data in
+ a zone is signed by expired signatures, it may be better for
+ the slave server not to give out any answer.
+
+ Normally, a slave server that is not able to contact a master
+ server for an extended period will expire a zone. When that
+ happens, the server will respond differently to queries for
+ that zone. Some servers issue SERVFAIL, whereas others turn
+ off the 'AA' bit in the answers. The time of expiration is set
+ in the SOA record and is relative to the last successful
+ refresh between the master and the slave servers. There exists
+ no coupling between the signature expiration of RRSIGs in the
+ zone and the expire parameter in the SOA.
+
+ If the server serves a DNSSEC zone, then it may well happen
+ that the signatures expire well before the SOA expiration timer
+ counts down to zero. It is not possible to completely prevent
+ this from happening by tweaking the SOA parameters. However,
+ the effects can be minimized where the SOA expiration time is
+ equal to or shorter than the signature validity period. The
+ consequence of an authoritative server not being able to update
+
+
+
+Kolkman & Gieben Informational [Page 13]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ a zone, whilst that zone includes expired signatures, is that
+ non-secure resolvers will continue to be able to resolve data
+ served by the particular slave servers while security-aware
+ resolvers will experience problems because of answers being
+ marked as Bogus.
+
+ We suggest the SOA expiration timer being approximately one
+ third or one fourth of the signature validity period. It will
+ allow problems with transfers from the master server to be
+ noticed before the actual signature times out. We also suggest
+ that operators of nameservers that supply secondary services
+ develop 'watch dogs' to spot upcoming signature expirations in
+ zones they slave, and take appropriate action.
+
+ When determining the value for the expiration parameter one has
+ to take the following into account: What are the chances that
+ all my secondaries expire the zone? How quickly can I reach an
+ administrator of secondary servers to load a valid zone? These
+ questions are not DNSSEC specific but may influence the choice
+ of your signature validity intervals.
+
+4.2. Key Rollovers
+
+ A DNSSEC key cannot be used forever (see Section 3.3). So key
+ rollovers -- or supercessions, as they are sometimes called -- are a
+ fact of life when using DNSSEC. Zone administrators who are in the
+ process of rolling their keys have to take into account that data
+ published in previous versions of their zone still lives in caches.
+ When deploying DNSSEC, this becomes an important consideration;
+ ignoring data that may be in caches may lead to loss of service for
+ clients.
+
+ The most pressing example of this occurs when zone material signed
+ with an old key is being validated by a resolver that does not have
+ the old zone key cached. If the old key is no longer present in the
+ current zone, this validation fails, marking the data "Bogus".
+ Alternatively, an attempt could be made to validate data that is
+ signed with a new key against an old key that lives in a local cache,
+ also resulting in data being marked "Bogus".
+
+4.2.1. Zone Signing Key Rollovers
+
+ For "Zone Signing Key rollovers", there are two ways to make sure
+ that during the rollover data still cached can be verified with the
+ new key sets or newly generated signatures can be verified with the
+ keys still in caches. One schema, described in Section 4.2.1.2, uses
+
+
+
+
+
+Kolkman & Gieben Informational [Page 14]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ double signatures; the other uses key pre-publication (Section
+ 4.2.1.1). The pros, cons, and recommendations are described in
+ Section 4.2.1.3.
+
+4.2.1.1. Pre-Publish Key Rollover
+
+ This section shows how to perform a ZSK rollover without the need to
+ sign all the data in a zone twice -- the "pre-publish key rollover".
+ This method has advantages in the case of a key compromise. If the
+ old key is compromised, the new key has already been distributed in
+ the DNS. The zone administrator is then able to quickly switch to
+ the new key and remove the compromised key from the zone. Another
+ major advantage is that the zone size does not double, as is the case
+ with the double signature ZSK rollover. A small "how-to" for this
+ kind of rollover can be found in Appendix B.
+
+ Pre-publish key rollover involves four stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY new RRSIGs DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2 SOA3
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
+
+ DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover
+
+ initial: Initial version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
+ signatures are generated with this key yet, but this does not
+ secure against brute force attacks on the public key. The minimum
+ duration of this pre-roll phase is the time it takes for the data
+ to propagate to the authoritative servers plus TTL value of the
+ key set.
+
+ new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
+ used to sign the data in the zone exclusively (i.e., all the
+ signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
+ remains published in the key set. This way data that was loaded
+
+
+
+Kolkman & Gieben Informational [Page 15]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ into caches from version 1 of the zone can still be verified with
+ key sets fetched from version 2 of the zone. The minimum time
+ that the key set including DNSKEY 10 is to be published is the
+ time that it takes for zone data from the previous version of the
+ zone to expire from old caches, i.e., the time it takes for this
+ zone to propagate to all authoritative servers plus the Maximum
+ Zone TTL value of any of the data in the previous version of the
+ zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now
+ only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
+ DNSKEY 1.
+
+ The above scheme can be simplified by always publishing the "future"
+ key immediately after the rollover. The scheme would look as follows
+ (we show two rollovers); the future key is introduced in "new DNSKEY"
+ as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+ (II)":
+
+ ----------------------------------------------------------------
+ initial new RRSIGs new DNSKEY
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11 DNSKEY12
+ RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ ----------------------------------------------------------------
+ new RRSIGs (II) new DNSKEY (II)
+ ----------------------------------------------------------------
+ SOA3 SOA4
+ RRSIG12(SOA3) RRSIG12(SOA4)
+
+ DNSKEY1 DNSKEY1
+ DNSKEY11 DNSKEY12
+ DNSKEY12 DNSKEY13
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG12(DNSKEY) RRSIG12(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover, Showing Two Rollovers
+
+
+
+
+
+Kolkman & Gieben Informational [Page 16]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ Note that the key introduced in the "new DNSKEY" phase is not used
+ for production yet; the private key can thus be stored in a
+ physically secure manner and does not need to be 'fetched' every time
+ a zone needs to be signed.
+
+4.2.1.2. Double Signature Zone Signing Key Rollover
+
+ This section shows how to perform a ZSK key rollover using the double
+ zone data signature scheme, aptly named "double signature rollover".
+
+ During the "new DNSKEY" stage the new version of the zone file will
+ need to propagate to all authoritative servers and the data that
+ exists in (distant) caches will need to expire, requiring at least
+ the Maximum Zone TTL.
+
+ Double signature ZSK rollover involves three stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
+ RRSIG11(SOA1)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
+ RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Double Signature Zone Signing Key Rollover
+
+ initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+ introduced into the key set and all the data in the zone is signed
+ with DNSKEY 10 and DNSKEY 11. The rollover period will need to
+ continue until all data from version 0 of the zone has expired
+ from remote caches. This will take at least the Maximum Zone TTL
+ of version 0 of the zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. All the
+ signatures from DNSKEY 10 are removed from the zone. The key set,
+ now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+
+
+Kolkman & Gieben Informational [Page 17]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ At every instance, RRSIGs from the previous version of the zone can
+ be verified with the DNSKEY RRSet from the current version and the
+ other way around. The data from the current version can be verified
+ with the data from the previous version of the zone. The duration of
+ the "new DNSKEY" phase and the period between rollovers should be at
+ least the Maximum Zone TTL.
+
+ Making sure that the "new DNSKEY" phase lasts until the signature
+ expiration time of the data in initial version of the zone is
+ recommended. This way all caches are cleared of the old signatures.
+ However, this duration could be considerably longer than the Maximum
+ Zone TTL, making the rollover a lengthy procedure.
+
+ Note that in this example we assumed that the zone was not modified
+ during the rollover. New data can be introduced in the zone as long
+ as it is signed with both keys.
+
+4.2.1.3. Pros and Cons of the Schemes
+
+ Pre-publish key rollover: This rollover does not involve signing the
+ zone data twice. Instead, before the actual rollover, the new key
+ is published in the key set and thus is available for
+ cryptanalysis attacks. A small disadvantage is that this process
+ requires four steps. Also the pre-publish scheme involves more
+ parental work when used for KSK rollovers as explained in Section
+ 4.2.3.
+
+ Double signature ZSK rollover: The drawback of this signing scheme is
+ that during the rollover the number of signatures in your zone
+ doubles; this may be prohibitive if you have very big zones. An
+ advantage is that it only requires three steps.
+
+4.2.2. Key Signing Key Rollovers
+
+ For the rollover of a Key Signing Key, the same considerations as for
+ the rollover of a Zone Signing Key apply. However, we can use a
+ double signature scheme to guarantee that old data (only the apex key
+ set) in caches can be verified with a new key set and vice versa.
+ Since only the key set is signed with a KSK, zone size considerations
+ do not apply.
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 18]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ --------------------------------------------------------------------
+ initial new DNSKEY DS change DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 --------> SOA1 -------->
+ RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
+ DS1 --------> DS2 -------->
+ RRSIGpar(DS) --------> RRSIGpar(DS) -------->
+
+
+ Child:
+ SOA0 SOA1 --------> SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
+ -------->
+ DNSKEY1 DNSKEY1 --------> DNSKEY2
+ DNSKEY2 -------->
+ DNSKEY10 DNSKEY10 --------> DNSKEY10
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
+ RRSIG2 (DNSKEY) -------->
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Double Signature Key Signing Key Rollover
+
+ initial: Initial version of the zone. The parental DS points to
+ DNSKEY1. Before the rollover starts, the child will have to
+ verify what the TTL is of the DS RR that points to DNSKEY1 -- it
+ is needed during the rollover and we refer to the value as TTL_DS.
+
+ new DNSKEY: During the "new DNSKEY" phase, the zone administrator
+ generates a second KSK, DNSKEY2. The key is provided to the
+ parent, and the child will have to wait until a new DS RR has been
+ generated that points to DNSKEY2. After that DS RR has been
+ published on all servers authoritative for the parent's zone, the
+ zone administrator has to wait at least TTL_DS to make sure that
+ the old DS RR has expired from caches.
+
+ DS change: The parent replaces DS1 with DS2.
+
+ DNSKEY removal: DNSKEY1 has been removed.
+
+ The scenario above puts the responsibility for maintaining a valid
+ chain of trust with the child. It also is based on the premise that
+ the parent only has one DS RR (per algorithm) per zone. An
+ alternative mechanism has been considered. Using an established
+ trust relation, the interaction can be performed in-band, and the
+ removal of the keys by the child can possibly be signaled by the
+ parent. In this mechanism, there are periods where there are two DS
+
+
+
+Kolkman & Gieben Informational [Page 19]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ RRs at the parent. Since at the moment of writing the protocol for
+ this interaction has not been developed, further discussion is out of
+ scope for this document.
+
+4.2.3. Difference Between ZSK and KSK Rollovers
+
+ Note that KSK rollovers and ZSK rollovers are different in the sense
+ that a KSK rollover requires interaction with the parent (and
+ possibly replacing of trust anchors) and the ensuing delay while
+ waiting for it.
+
+ A zone key rollover can be handled in two different ways: pre-publish
+ (Section 4.2.1.1) and double signature (Section 4.2.1.2).
+
+ As the KSK is used to validate the key set and because the KSK is not
+ changed during a ZSK rollover, a cache is able to validate the new
+ key set of the zone. The pre-publish method would also work for a
+ KSK rollover. The records that are to be pre-published are the
+ parental DS RRs. The pre-publish method has some drawbacks for KSKs.
+ We first describe the rollover scheme and then indicate these
+ drawbacks.
+
+ --------------------------------------------------------------------
+ initial new DS new DNSKEY DS/DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 SOA1 --------> SOA2
+ RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
+ DS1 DS1 --------> DS2
+ DS2 -------->
+ RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
+
+
+ Child:
+ SOA0 --------> SOA1 SOA1
+ RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
+ -------->
+ DNSKEY1 --------> DNSKEY2 DNSKEY2
+ -------->
+ DNSKEY10 --------> DNSKEY10 DNSKEY10
+ RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
+ RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Pre-Publish Key Signing Key Rollover
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 20]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ When the child zone wants to roll, it notifies the parent during the
+ "new DS" phase and submits the new key (or the corresponding DS) to
+ the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
+ and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase),
+ which can take place as soon as the new DS set propagated through the
+ DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
+ ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
+ record can be deleted.
+
+ The drawbacks of this scheme are that during the "new DS" phase the
+ parent cannot verify the match between the DS2 RR and DNSKEY2 using
+ the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
+ "security lame" key (see Section 4.4.3). Finally, the child-parent
+ interaction consists of two steps. The "double signature" method
+ only needs one interaction.
+
+4.2.4. Automated Key Rollovers
+
+ As keys must be renewed periodically, there is some motivation to
+ automate the rollover process. Consider the following:
+
+ o ZSK rollovers are easy to automate as only the child zone is
+ involved.
+
+ o A KSK rollover needs interaction between parent and child. Data
+ exchange is needed to provide the new keys to the parent;
+ consequently, this data must be authenticated and integrity must
+ be guaranteed in order to avoid attacks on the rollover.
+
+4.3. Planning for Emergency Key Rollover
+
+ This section deals with preparation for a possible key compromise.
+ Our advice is to have a documented procedure ready for when a key
+ compromise is suspected or confirmed.
+
+ When the private material of one of your keys is compromised it can
+ be used for as long as a valid trust chain exists. A trust chain
+ remains intact for
+
+ o as long as a signature over the compromised key in the trust chain
+ is valid,
+
+ o as long as a parental DS RR (and signature) points to the
+ compromised key,
+
+ o as long as the key is anchored in a resolver and is used as a
+ starting point for validation (this is generally the hardest to
+ update).
+
+
+
+Kolkman & Gieben Informational [Page 21]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ While a trust chain to your compromised key exists, your namespace is
+ vulnerable to abuse by anyone who has obtained illegitimate
+ possession of the key. Zone operators have to make a trade-off if
+ the abuse of the compromised key is worse than having data in caches
+ that cannot be validated. If the zone operator chooses to break the
+ trust chain to the compromised key, data in caches signed with this
+ key cannot be validated. However, if the zone administrator chooses
+ to take the path of a regular rollover, the malicious key holder can
+ spoof data so that it appears to be valid.
+
+4.3.1. KSK Compromise
+
+ A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+ as long as the compromised KSK is configured as trust anchor or a
+ parental DS points to it.
+
+ A compromised KSK can be used to sign the key set of an attacker's
+ zone. That zone could be used to poison the DNS.
+
+ Therefore, when the KSK has been compromised, the trust anchor or the
+ parental DS should be replaced as soon as possible. It is local
+ policy whether to break the trust chain during the emergency
+ rollover. The trust chain would be broken when the compromised KSK
+ is removed from the child's zone while the parent still has a DS
+ pointing to the compromised KSK (the assumption is that there is only
+ one DS at the parent. If there are multiple DSes this does not apply
+ -- however the chain of trust of this particular key is broken).
+
+ Note that an attacker's zone still uses the compromised KSK and the
+ presence of a parental DS would cause the data in this zone to appear
+ as valid. Removing the compromised key would cause the attacker's
+ zone to appear as valid and the child's zone as Bogus. Therefore, we
+ advise not to remove the KSK before the parent has a DS to a new KSK
+ in place.
+
+4.3.1.1. Keeping the Chain of Trust Intact
+
+ If we follow this advice, the timing of the replacement of the KSK is
+ somewhat critical. The goal is to remove the compromised KSK as soon
+ as the new DS RR is available at the parent. And also make sure that
+ the signature made with a new KSK over the key set with the
+ compromised KSK in it expires just after the new DS appears at the
+ parent, thus removing the old cruft in one swoop.
+
+ The procedure is as follows:
+
+ 1. Introduce a new KSK into the key set, keep the compromised KSK in
+ the key set.
+
+
+
+Kolkman & Gieben Informational [Page 22]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ 2. Sign the key set, with a short validity period. The validity
+ period should expire shortly after the DS is expected to appear
+ in the parent and the old DSes have expired from caches.
+
+ 3. Upload the DS for this new key to the parent.
+
+ 4. Follow the procedure of the regular KSK rollover: Wait for the DS
+ to appear in the authoritative servers and then wait as long as
+ the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
+ and modify/extend the expiration time.
+
+ 5. Remove the compromised DNSKEY RR from the zone and re-sign the
+ key set using your "normal" validity interval.
+
+ An additional danger of a key compromise is that the compromised key
+ could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+ nameserver changes at the parent. When that happens, the domain may
+ be in dispute. An authenticated out-of-band and secure notify
+ mechanism to contact a parent is needed in this case.
+
+ Note that this is only a problem when the DNSKEY and or DS records
+ are used for authentication at the parent.
+
+4.3.1.2. Breaking the Chain of Trust
+
+ There are two methods to break the chain of trust. The first method
+ causes the child zone to appear 'Bogus' to validating resolvers. The
+ other causes the child zone to appear 'insecure'. These are
+ described below.
+
+ In the method that causes the child zone to appear 'Bogus' to
+ validating resolvers, the child zone replaces the current KSK with a
+ new one and re-signs the key set. Next it sends the DS of the new
+ key to the parent. Only after the parent has placed the new DS in
+ the zone is the child's chain of trust repaired.
+
+ An alternative method of breaking the chain of trust is by removing
+ the DS RRs from the parent zone altogether. As a result, the child
+ zone would become insecure.
+
+4.3.2. ZSK Compromise
+
+ Primarily because there is no parental interaction required when a
+ ZSK is compromised, the situation is less severe than with a KSK
+ compromise. The zone must still be re-signed with a new ZSK as soon
+ as possible. As this is a local operation and requires no
+ communication between the parent and child, this can be achieved
+ fairly quickly. However, one has to take into account that just as
+
+
+
+Kolkman & Gieben Informational [Page 23]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ with a normal rollover the immediate disappearance of the old
+ compromised key may lead to verification problems. Also note that as
+ long as the RRSIG over the compromised ZSK is not expired the zone
+ may be still at risk.
+
+4.3.3. Compromises of Keys Anchored in Resolvers
+
+ A key can also be pre-configured in resolvers. For instance, if
+ DNSSEC is successfully deployed the root key may be pre-configured in
+ most security aware resolvers.
+
+ If trust-anchor keys are compromised, the resolvers using these keys
+ should be notified of this fact. Zone administrators may consider
+ setting up a mailing list to communicate the fact that a SEP key is
+ about to be rolled over. This communication will of course need to
+ be authenticated, e.g., by using digital signatures.
+
+ End-users faced with the task of updating an anchored key should
+ always validate the new key. New keys should be authenticated out-
+ of-band, for example, through the use of an announcement website that
+ is secured using secure sockets (TLS) [21].
+
+4.4. Parental Policies
+
+4.4.1. Initial Key Exchanges and Parental Policies Considerations
+
+ The initial key exchange is always subject to the policies set by the
+ parent. When designing a key exchange policy one should take into
+ account that the authentication and authorization mechanisms used
+ during a key exchange should be as strong as the authentication and
+ authorization mechanisms used for the exchange of delegation
+ information between parent and child. That is, there is no implicit
+ need in DNSSEC to make the authentication process stronger than it
+ was in DNS.
+
+ Using the DNS itself as the source for the actual DNSKEY material,
+ with an out-of-band check on the validity of the DNSKEY, has the
+ benefit that it reduces the chances of user error. A DNSKEY query
+ tool can make use of the SEP bit [3] to select the proper key from a
+ DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
+ sent. It can validate the self-signature over a key; thereby
+ verifying the ownership of the private key material. Fetching the
+ DNSKEY from the DNS ensures that the chain of trust remains intact
+ once the parent publishes the DS RR indicating the child is secure.
+
+ Note: the out-of-band verification is still needed when the key
+ material is fetched via the DNS. The parent can never be sure
+ whether or not the DNSKEY RRs have been spoofed.
+
+
+
+Kolkman & Gieben Informational [Page 24]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+4.4.2. Storing Keys or Hashes?
+
+ When designing a registry system one should consider which of the
+ DNSKEYs and/or the corresponding DSes to store. Since a child zone
+ might wish to have a DS published using a message digest algorithm
+ not yet understood by the registry, the registry can't count on being
+ able to generate the DS record from a raw DNSKEY. Thus, we recommend
+ that registry systems at least support storing DS records.
+
+ It may also be useful to store DNSKEYs, since having them may help
+ during troubleshooting and, as long as the child's chosen message
+ digest is supported, the overhead of generating DS records from them
+ is minimal. Having an out-of-band mechanism, such as a registry
+ directory (e.g., Whois), to find out which keys are used to generate
+ DS Resource Records for specific owners and/or zones may also help
+ with troubleshooting.
+
+ The storage considerations also relate to the design of the customer
+ interface and the method by which data is transferred between
+ registrant and registry; Will the child zone administrator be able to
+ upload DS RRs with unknown hash algorithms or does the interface only
+ allow DNSKEYs? In the registry-registrar model, one can use the
+ DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
+ which allows transfer of DS RRs and optionally DNSKEY RRs.
+
+4.4.3. Security Lameness
+
+ Security lameness is defined as what happens when a parent has a DS
+ RR pointing to a non-existing DNSKEY RR. When this happens, the
+ child's zone may be marked "Bogus" by verifying DNS clients.
+
+ As part of a comprehensive delegation check, the parent could, at key
+ exchange time, verify that the child's key is actually configured in
+ the DNS. However, if a parent does not understand the hashing
+ algorithm used by child, the parental checks are limited to only
+ comparing the key id.
+
+ Child zones should be very careful in removing DNSKEY material,
+ specifically SEP keys, for which a DS RR exists.
+
+ Once a zone is "security lame", a fix (e.g., removing a DS RR) will
+ take time to propagate through the DNS.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 25]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+4.4.4. DS Signature Validity Period
+
+ Since the DS can be replayed as long as it has a valid signature, a
+ short signature validity period over the DS minimizes the time a
+ child is vulnerable in the case of a compromise of the child's
+ KSK(s). A signature validity period that is too short introduces the
+ possibility that a zone is marked "Bogus" in case of a configuration
+ error in the signer. There may not be enough time to fix the
+ problems before signatures expire. Something as mundane as operator
+ unavailability during weekends shows the need for DS signature
+ validity periods longer than 2 days. We recommend an absolute
+ minimum for a DS signature validity period of a few days.
+
+ The maximum signature validity period of the DS record depends on how
+ long child zones are willing to be vulnerable after a key compromise.
+ On the other hand, shortening the DS signature validity interval
+ increases the operational risk for the parent. Therefore, the parent
+ may have policy to use a signature validity interval that is
+ considerably longer than the child would hope for.
+
+ A compromise between the operational constraints of the parent and
+ minimizing damage for the child may result in a DS signature validity
+ period somewhere between a week and months.
+
+ In addition to the signature validity period, which sets a lower
+ bound on the number of times the zone owner will need to sign the
+ zone data and which sets an upper bound to the time a child is
+ vulnerable after key compromise, there is the TTL value on the DS
+ RRs. Shortening the TTL means that the authoritative servers will
+ see more queries. But on the other hand, a short TTL lowers the
+ persistence of DS RRSets in caches thereby increasing the speed with
+ which updated DS RRSets propagate through the DNS.
+
+5. Security Considerations
+
+ DNSSEC adds data integrity to the DNS. This document tries to assess
+ the operational considerations to maintain a stable and secure DNSSEC
+ service. Not taking into account the 'data propagation' properties
+ in the DNS will cause validation failures and may make secured zones
+ unavailable to security-aware resolvers.
+
+6. Acknowledgments
+
+ Most of the ideas in this document were the result of collective
+ efforts during workshops, discussions, and tryouts.
+
+ At the risk of forgetting individuals who were the original
+ contributors of the ideas, we would like to acknowledge people who
+
+
+
+Kolkman & Gieben Informational [Page 26]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ were actively involved in the compilation of this document. In
+ random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
+ Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
+ Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
+ Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch.
+
+ Some material in this document has been copied from RFC 2541 [12].
+
+ Mike StJohns designed the key exchange between parent and child
+ mentioned in the last paragraph of Section 4.2.2
+
+ Section 4.2.4 was supplied by G. Guette and O. Courtay.
+
+ Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of
+ the spelling and style issues.
+
+ Kolkman and Gieben take the blame for introducing all miscakes (sic).
+
+ While working on this document, Kolkman was employed by the RIPE NCC
+ and Gieben was employed by NLnet Labs.
+
+7. References
+
+7.1. Normative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System
+ KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP)
+ Flag", RFC 3757, May 2004.
+
+ [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033, March
+ 2005.
+
+ [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions", RFC
+ 4035, March 2005.
+
+
+
+
+
+Kolkman & Gieben Informational [Page 27]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+7.2. Informative References
+
+ [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [8] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August
+ 1996.
+
+ [9] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+ (DNS NOTIFY)", RFC 1996, August 1996.
+
+ [10] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+ [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC 2308, March 1998.
+
+ [12] Eastlake, D., "DNS Security Operational Considerations", RFC
+ 2541, March 1999.
+
+ [13] Orman, H. and P. Hoffman, "Determining Strengths For Public
+ Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+ April 2004.
+
+ [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+ Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+ [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+ Mapping for the Extensible Provisioning Protocol (EPP)", RFC
+ 4310, December 2005.
+
+ [16] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
+ Sizes", The Journal of Cryptology 14 (255-293), 2001.
+
+ [17] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
+ Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
+ (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
+ 1996.
+
+ [18] Rose, S., "NIST DNSSEC workshop notes", June 2001.
+
+ [19] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
+ Records in DNSSEC", Work in Progress, January 2006.
+
+ [20] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+ Resource Records (RRs)", RFC 4509, May 2006.
+
+
+
+
+
+Kolkman & Gieben Informational [Page 28]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ [21] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
+ T. Wright, "Transport Layer Security (TLS) Extensions", RFC
+ 4366, April 2006.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 29]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Appendix A. Terminology
+
+ In this document, there is some jargon used that is defined in other
+ documents. In most cases, we have not copied the text from the
+ documents defining the terms but have given a more elaborate
+ explanation of the meaning. Note that these explanations should not
+ be seen as authoritative.
+
+ Anchored key: A DNSKEY configured in resolvers around the globe.
+ This key is hard to update, hence the term anchored.
+
+ Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked
+ "Bogus" when a signature of an RRSet does not validate against a
+ DNSKEY.
+
+ Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
+ exclusively for signing the apex key set. The fact that a key is
+ a KSK is only relevant to the signing tool.
+
+ Key size: The term 'key size' can be substituted by 'modulus size'
+ throughout the document. It is mathematically more correct to use
+ modulus size, but as this is a document directed at operators we
+ feel more at ease with the term key size.
+
+ Private and public keys: DNSSEC secures the DNS through the use of
+ public key cryptography. Public key cryptography is based on the
+ existence of two (mathematically related) keys, a public key and a
+ private key. The public keys are published in the DNS by use of
+ the DNSKEY Resource Record (DNSKEY RR). Private keys should
+ remain private.
+
+ Key rollover: A key rollover (also called key supercession in some
+ environments) is the act of replacing one key pair with another at
+ the end of a key effectivity period.
+
+ Secure Entry Point (SEP) key: A KSK that has a parental DS record
+ pointing to it or is configured as a trust anchor. Although not
+ required by the protocol, we recommend that the SEP flag [3] is
+ set on these keys.
+
+ Self-signature: This only applies to signatures over DNSKEYs; a
+ signature made with DNSKEY x, over DNSKEY x is called a self-
+ signature. Note: without further information, self-signatures
+ convey no trust. They are useful to check the authenticity of the
+ DNSKEY, i.e., they can be used as a hash.
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 30]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ Singing the zone file: The term used for the event where an
+ administrator joyfully signs its zone file while producing melodic
+ sound patterns.
+
+ Signer: The system that has access to the private key material and
+ signs the Resource Record sets in a zone. A signer may be
+ configured to sign only parts of the zone, e.g., only those RRSets
+ for which existing signatures are about to expire.
+
+ Zone Signing Key (ZSK): A key that is used for signing all data in a
+ zone. The fact that a key is a ZSK is only relevant to the
+ signing tool.
+
+ Zone administrator: The 'role' that is responsible for signing a zone
+ and publishing it on the primary authoritative server.
+
+Appendix B. Zone Signing Key Rollover How-To
+
+ Using the pre-published signature scheme and the most conservative
+ method to assure oneself that data does not live in caches, here
+ follows the "how-to".
+
+ Step 0: The preparation: Create two keys and publish both in your key
+ set. Mark one of the keys "active" and the other "published".
+ Use the "active" key for signing your zone data. Store the
+ private part of the "published" key, preferably off-line. The
+ protocol does not provide for attributes to mark a key as active
+ or published. This is something you have to do on your own,
+ through the use of a notebook or key management tool.
+
+ Step 1: Determine expiration: At the beginning of the rollover make a
+ note of the highest expiration time of signatures in your zone
+ file created with the current key marked as active. Wait until
+ the expiration time marked in Step 1 has passed.
+
+ Step 2: Then start using the key that was marked "published" to sign
+ your data (i.e., mark it "active"). Stop using the key that was
+ marked "active"; mark it "rolled".
+
+ Step 3: It is safe to engage in a new rollover (Step 1) after at
+ least one signature validity period.
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 31]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Appendix C. Typographic Conventions
+
+ The following typographic conventions are used in this document:
+
+ Key notation: A key is denoted by DNSKEYx, where x is a number or an
+ identifier, x could be thought of as the key id.
+
+ RRSet notations: RRs are only denoted by the type. All other
+ information -- owner, class, rdata, and TTL--is left out. Thus:
+ "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
+ list of RRs. A example of this would be "A1, A2", specifying the
+ RRSet containing two "A" records. This could again be abbreviated to
+ just "A".
+
+ Signature notation: Signatures are denoted as RRSIGx(RRSet), which
+ means that RRSet is signed with DNSKEYx.
+
+ Zone representation: Using the above notation we have simplified the
+ representation of a signed zone by leaving out all unnecessary
+ details such as the names and by representing all data by "SOAx"
+
+ SOA representation: SOAs are represented as SOAx, where x is the
+ serial number.
+
+ Using this notation the following signed zone:
+
+ example.net. 86400 IN SOA ns.example.net. bert.example.net. (
+ 2006022100 ; serial
+ 86400 ; refresh ( 24 hours)
+ 7200 ; retry ( 2 hours)
+ 3600000 ; expire (1000 hours)
+ 28800 ) ; minimum ( 8 hours)
+ 86400 RRSIG SOA 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ cmL62SI6iAX46xGNQAdQ... )
+ 86400 NS a.iana-servers.net.
+ 86400 NS b.iana-servers.net.
+ 86400 RRSIG NS 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ SO5epiJei19AjXoUpFnQ ... )
+ 86400 DNSKEY 256 3 5 (
+ EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
+ 86400 DNSKEY 257 3 5 (
+ gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 14 example.net.
+ J4zCe8QX4tXVGjV4e1r9... )
+
+
+
+
+Kolkman & Gieben Informational [Page 32]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+ 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
+ 20130422213204 15 example.net.
+ keVDCOpsSeDReyV6O... )
+ 86400 RRSIG NSEC 5 2 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ obj3HEp1GjnmhRjX... )
+ a.example.net. 86400 IN TXT "A label"
+ 86400 RRSIG TXT 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ IkDMlRdYLmXH7QJnuF3v... )
+ 86400 NSEC b.example.com. TXT RRSIG NSEC
+ 86400 RRSIG NSEC 5 3 86400 20130507213204 (
+ 20130407213204 14 example.net.
+ bZMjoZ3bHjnEz0nIsPMM... )
+ ...
+
+ is reduced to the following representation:
+
+ SOA2006022100
+ RRSIG14(SOA2006022100)
+ DNSKEY14
+ DNSKEY15
+
+ RRSIG14(KEY)
+ RRSIG15(KEY)
+
+ The rest of the zone data has the same signature as the SOA record,
+ i.e., an RRSIG created with DNSKEY 14.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 33]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Authors' Addresses
+
+ Olaf M. Kolkman
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098 VA
+ The Netherlands
+
+ EMail: olaf@nlnetlabs.nl
+ URI: http://www.nlnetlabs.nl
+
+
+ R. (Miek) Gieben
+
+ EMail: miek@miek.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 34]
+\f
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 35]
+\f
--- /dev/null
+
+
+
+
+
+
+Network Working Group M. StJohns
+Request for Comments: 5011 Independent
+Category: Standards Track September 2007
+
+
+ Automated Updates of DNS Security (DNSSEC) Trust Anchors
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ This document describes a means for automated, authenticated, and
+ authorized updating of DNSSEC "trust anchors". The method provides
+ protection against N-1 key compromises of N keys in the trust point
+ key set. Based on the trust established by the presence of a current
+ anchor, other anchors may be added at the same place in the
+ hierarchy, and, ultimately, supplant the existing anchor(s).
+
+ This mechanism will require changes to resolver management behavior
+ (but not resolver resolution behavior), and the addition of a single
+ flag bit to the DNSKEY record.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns Standards Track [Page 1]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 1.1. Compliance Nomenclature ....................................3
+ 2. Theory of Operation .............................................3
+ 2.1. Revocation .................................................4
+ 2.2. Add Hold-Down ..............................................4
+ 2.3. Active Refresh .............................................5
+ 2.4. Resolver Parameters ........................................6
+ 2.4.1. Add Hold-Down Time ..................................6
+ 2.4.2. Remove Hold-Down Time ...............................6
+ 2.4.3. Minimum Trust Anchors per Trust Point ...............6
+ 3. Changes to DNSKEY RDATA Wire Format .............................6
+ 4. State Table .....................................................6
+ 4.1. Events .....................................................7
+ 4.2. States .....................................................7
+ 5. Trust Point Deletion ............................................8
+ 6. Scenarios - Informative .........................................9
+ 6.1. Adding a Trust Anchor ......................................9
+ 6.2. Deleting a Trust Anchor ....................................9
+ 6.3. Key Roll-Over .............................................10
+ 6.4. Active Key Compromised ....................................10
+ 6.5. Stand-by Key Compromised ..................................10
+ 6.6. Trust Point Deletion ......................................10
+ 7. IANA Considerations ............................................11
+ 8. Security Considerations ........................................11
+ 8.1. Key Ownership vs. Acceptance Policy .......................11
+ 8.2. Multiple Key Compromise ...................................12
+ 8.3. Dynamic Updates ...........................................12
+ 9. Normative References ...........................................12
+ 10. Informative References ........................................12
+
+1. Introduction
+
+ As part of the reality of fielding DNSSEC (Domain Name System
+ Security Extensions) [RFC4033] [RFC4034] [RFC4035], the community has
+ come to the realization that there will not be one signed name space,
+ but rather islands of signed name spaces each originating from
+ specific points (i.e., 'trust points') in the DNS tree. Each of
+ those islands will be identified by the trust point name, and
+ validated by at least one associated public key. For the purpose of
+ this document, we'll call the association of that name and a
+ particular key a 'trust anchor'. A particular trust point can have
+ more than one key designated as a trust anchor.
+
+ For a DNSSEC-aware resolver to validate information in a DNSSEC
+ protected branch of the hierarchy, it must have knowledge of a trust
+ anchor applicable to that branch. It may also have more than one
+
+
+
+StJohns Standards Track [Page 2]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+ trust anchor for any given trust point. Under current rules, a chain
+ of trust for DNSSEC-protected data that chains its way back to ANY
+ known trust anchor is considered 'secure'.
+
+ Because of the probable balkanization of the DNSSEC tree due to
+ signing voids at key locations, a resolver may need to know literally
+ thousands of trust anchors to perform its duties (e.g., consider an
+ unsigned ".COM"). Requiring the owner of the resolver to manually
+ manage these many relationships is problematic. It's even more
+ problematic when considering the eventual requirement for key
+ replacement/update for a given trust anchor. The mechanism described
+ herein won't help with the initial configuration of the trust anchors
+ in the resolvers, but should make trust point key
+ replacement/rollover more viable.
+
+ As mentioned above, this document describes a mechanism whereby a
+ resolver can update the trust anchors for a given trust point, mainly
+ without human intervention at the resolver. There are some corner
+ cases discussed (e.g., multiple key compromise) that may require
+ manual intervention, but they should be few and far between. This
+ document DOES NOT discuss the general problem of the initial
+ configuration of trust anchors for the resolver.
+
+1.1. Compliance Nomenclature
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, [RFC2119].
+
+2. Theory of Operation
+
+ The general concept of this mechanism is that existing trust anchors
+ can be used to authenticate new trust anchors at the same point in
+ the DNS hierarchy. When a zone operator adds a new SEP key (i.e., a
+ DNSKEY with the Secure Entry Point bit set) (see [RFC4034], Section
+ 2.1.1) to a trust point DNSKEY RRSet, and when that RRSet is
+ validated by an existing trust anchor, then the resolver can add the
+ new key to its set of valid trust anchors for that trust point.
+
+ There are some issues with this approach that need to be mitigated.
+ For example, a compromise of one of the existing keys could allow an
+ attacker to add their own 'valid' data. This implies a need for a
+ method to revoke an existing key regardless of whether or not that
+ key is compromised. As another example, assuming a single key
+ compromise, we need to prevent an attacker from adding a new key and
+ revoking all the other old keys.
+
+
+
+
+
+StJohns Standards Track [Page 3]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+2.1. Revocation
+
+ Assume two trust anchor keys A and B. Assume that B has been
+ compromised. Without a specific revocation bit, B could invalidate A
+ simply by sending out a signed trust point key set that didn't
+ contain A. To fix this, we add a mechanism that requires knowledge
+ of the private key of a DNSKEY to revoke that DNSKEY.
+
+ A key is considered revoked when the resolver sees the key in a
+ self-signed RRSet and the key has the REVOKE bit (see Section 7
+ below) set to '1'. Once the resolver sees the REVOKE bit, it MUST
+ NOT use this key as a trust anchor or for any other purpose except to
+ validate the RRSIG it signed over the DNSKEY RRSet specifically for
+ the purpose of validating the revocation. Unlike the 'Add' operation
+ below, revocation is immediate and permanent upon receipt of a valid
+ revocation at the resolver.
+
+ A self-signed RRSet is a DNSKEY RRSet that contains the specific
+ DNSKEY and for which there is a corresponding validated RRSIG record.
+ It's not a special DNSKEY RRSet, just a way of describing the
+ validation requirements for that RRSet.
+
+ N.B.: A DNSKEY with the REVOKE bit set has a different fingerprint
+ than one without the bit set. This affects the matching of a DNSKEY
+ to DS records in the parent [RFC3755], or the fingerprint stored at a
+ resolver used to configure a trust point.
+
+ In the given example, the attacker could revoke B because it has
+ knowledge of B's private key, but could not revoke A.
+
+2.2. Add Hold-Down
+
+ Assume two trust point keys A and B. Assume that B has been
+ compromised. An attacker could generate and add a new trust anchor
+ key C (by adding C to the DNSKEY RRSet and signing it with B), and
+ then invalidate the compromised key. This would result in both the
+ attacker and owner being able to sign data in the zone and have it
+ accepted as valid by resolvers.
+
+ To mitigate but not completely solve this problem, we add a hold-down
+ time to the addition of the trust anchor. When the resolver sees a
+ new SEP key in a validated trust point DNSKEY RRSet, the resolver
+ starts an acceptance timer, and remembers all the keys that validated
+ the RRSet. If the resolver ever sees the DNSKEY RRSet without the
+ new key but validly signed, it stops the acceptance process for that
+ key and resets the acceptance timer. If all of the keys that were
+
+
+
+
+
+StJohns Standards Track [Page 4]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+ originally used to validate this key are revoked prior to the timer
+ expiring, the resolver stops the acceptance process and resets the
+ timer.
+
+ Once the timer expires, the new key will be added as a trust anchor
+ the next time the validated RRSet with the new key is seen at the
+ resolver. The resolver MUST NOT treat the new key as a trust anchor
+ until the hold-down time expires AND it has retrieved and validated a
+ DNSKEY RRSet after the hold-down time that contains the new key.
+
+ N.B.: Once the resolver has accepted a key as a trust anchor, the key
+ MUST be considered a valid trust anchor by that resolver until
+ explicitly revoked as described above.
+
+ In the given example, the zone owner can recover from a compromise by
+ revoking B and adding a new key D and signing the DNSKEY RRSet with
+ both A and B.
+
+ The reason this does not completely solve the problem has to do with
+ the distributed nature of DNS. The resolver only knows what it sees.
+ A determined attacker who holds one compromised key could keep a
+ single resolver from realizing that the key had been compromised by
+ intercepting 'real' data from the originating zone and substituting
+ their own (e.g., using the example, signed only by B). This is no
+ worse than the current situation assuming a compromised key.
+
+2.3. Active Refresh
+
+ A resolver that has been configured for an automatic update of keys
+ from a particular trust point MUST query that trust point (e.g., do a
+ lookup for the DNSKEY RRSet and related RRSIG records) no less often
+ than the lesser of 15 days, half the original TTL for the DNSKEY
+ RRSet, or half the RRSIG expiration interval and no more often than
+ once per hour. The expiration interval is the amount of time from
+ when the RRSIG was last retrieved until the expiration time in the
+ RRSIG. That is, queryInterval = MAX(1 hr, MIN (15 days, 1/2*OrigTTL,
+ 1/2*RRSigExpirationInterval))
+
+ If the query fails, the resolver MUST repeat the query until
+ satisfied no more often than once an hour and no less often than the
+ lesser of 1 day, 10% of the original TTL, or 10% of the original
+ expiration interval. That is, retryTime = MAX (1 hour, MIN (1 day,
+ .1 * origTTL, .1 * expireInterval)).
+
+
+
+
+
+
+
+
+StJohns Standards Track [Page 5]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+2.4. Resolver Parameters
+
+2.4.1. Add Hold-Down Time
+
+ The add hold-down time is 30 days or the expiration time of the
+ original TTL of the first trust point DNSKEY RRSet that contained the
+ new key, whichever is greater. This ensures that at least two
+ validated DNSKEY RRSets that contain the new key MUST be seen by the
+ resolver prior to the key's acceptance.
+
+2.4.2. Remove Hold-Down Time
+
+ The remove hold-down time is 30 days. This parameter is solely a key
+ management database bookeeping parameter. Failure to remove
+ information about the state of defunct keys from the database will
+ not adversely impact the security of this protocol, but may end up
+ with a database cluttered with obsolete key information.
+
+2.4.3. Minimum Trust Anchors per Trust Point
+
+ A compliant resolver MUST be able to manage at least five SEP keys
+ per trust point.
+
+3. Changes to DNSKEY RDATA Wire Format
+
+ Bit 8 of the DNSKEY Flags field is designated as the 'REVOKE' flag.
+ If this bit is set to '1', AND the resolver sees an RRSIG(DNSKEY)
+ signed by the associated key, then the resolver MUST consider this
+ key permanently invalid for all purposes except for validating the
+ revocation.
+
+4. State Table
+
+ The most important thing to understand is the resolver's view of any
+ key at a trust point. The following state table describes this view
+ at various points in the key's lifetime. The table is a normative
+ part of this specification. The initial state of the key is 'Start'.
+ The resolver's view of the state of the key changes as various events
+ occur.
+
+ This is the state of a trust-point key as seen from the resolver.
+ The column on the left indicates the current state. The header at
+ the top shows the next state. The intersection of the two shows the
+ event that will cause the state to transition from the current state
+ to the next.
+
+
+
+
+
+
+StJohns Standards Track [Page 6]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+ NEXT STATE
+ --------------------------------------------------
+ FROM |Start |AddPend |Valid |Missing|Revoked|Removed|
+ ----------------------------------------------------------
+ Start | |NewKey | | | | |
+ ----------------------------------------------------------
+ AddPend |KeyRem | |AddTime| | | |
+ ----------------------------------------------------------
+ Valid | | | |KeyRem |Revbit | |
+ ----------------------------------------------------------
+ Missing | | |KeyPres| |Revbit | |
+ ----------------------------------------------------------
+ Revoked | | | | | |RemTime|
+ ----------------------------------------------------------
+ Removed | | | | | | |
+ ----------------------------------------------------------
+
+ State Table
+
+4.1. Events
+
+ NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
+ That key will become a new trust anchor for the named trust
+ point after it's been present in the RRSet for at least 'add
+ time'.
+
+ KeyPres The key has returned to the valid DNSKEY RRSet.
+
+ KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
+ this key.
+
+ AddTime The key has been in every valid DNSKEY RRSet seen for at
+ least the 'add time'.
+
+ RemTime A revoked key has been missing from the trust-point DNSKEY
+ RRSet for sufficient time to be removed from the trust set.
+
+ RevBit The key has appeared in the trust anchor DNSKEY RRSet with
+ its "REVOKED" bit set, and there is an RRSig over the DNSKEY
+ RRSet signed by this key.
+
+4.2. States
+
+ Start The key doesn't yet exist as a trust anchor at the resolver.
+ It may or may not exist at the zone server, but either
+ hasn't yet been seen at the resolver or was seen but was
+ absent from the last DNSKEY RRSet (e.g., KeyRem event).
+
+
+
+
+StJohns Standards Track [Page 7]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+ AddPend The key has been seen at the resolver, has its 'SEP' bit
+ set, and has been included in a validated DNSKEY RRSet.
+ There is a hold-down time for the key before it can be used
+ as a trust anchor.
+
+ Valid The key has been seen at the resolver and has been included
+ in all validated DNSKEY RRSets from the time it was first
+ seen through the hold-down time. It is now valid for
+ verifying RRSets that arrive after the hold-down time.
+ Clarification: The DNSKEY RRSet does not need to be
+ continuously present at the resolver (e.g., its TTL might
+ expire). If the RRSet is seen and is validated (i.e.,
+ verifies against an existing trust anchor), this key MUST be
+ in the RRSet, otherwise a 'KeyRem' event is triggered.
+
+ Missing This is an abnormal state. The key remains a valid trust-
+ point key, but was not seen at the resolver in the last
+ validated DNSKEY RRSet. This is an abnormal state because
+ the zone operator should be using the REVOKE bit prior to
+ removal.
+
+ Revoked This is the state a key moves to once the resolver sees an
+ RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet
+ contains this key with its REVOKE bit set to '1'. Once in
+ this state, this key MUST permanently be considered invalid
+ as a trust anchor.
+
+ Removed After a fairly long hold-down time, information about this
+ key may be purged from the resolver. A key in the removed
+ state MUST NOT be considered a valid trust anchor. (Note:
+ this state is more or less equivalent to the "Start" state,
+ except that it's bad practice to re-introduce previously
+ used keys -- think of this as the holding state for all the
+ old keys for which the resolver no longer needs to track
+ state.)
+
+5. Trust Point Deletion
+
+ A trust point that has all of its trust anchors revoked is considered
+ deleted and is treated as if the trust point was never configured.
+ If there are no superior configured trust points, data at and below
+ the deleted trust point are considered insecure by the resolver. If
+ there ARE superior configured trust points, data at and below the
+ deleted trust point are evaluated with respect to the superior trust
+ point(s).
+
+ Alternately, a trust point that is subordinate to another configured
+ trust point MAY be deleted by a resolver after 180 days, where such a
+
+
+
+StJohns Standards Track [Page 8]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+ subordinate trust point validly chains to a superior trust point.
+ The decision to delete the subordinate trust anchor is a local
+ configuration decision. Once the subordinate trust point is deleted,
+ validation of the subordinate zone is dependent on validating the
+ chain of trust to the superior trust point.
+
+6. Scenarios - Informative
+
+ The suggested model for operation is to have one active key and one
+ stand-by key at each trust point. The active key will be used to
+ sign the DNSKEY RRSet. The stand-by key will not normally sign this
+ RRSet, but the resolver will accept it as a trust anchor if/when it
+ sees the signature on the trust point DNSKEY RRSet.
+
+ Since the stand-by key is not in active signing use, the associated
+ private key may (and should) be provided with additional protections
+ not normally available to a key that must be used frequently (e.g.,
+ locked in a safe, split among many parties, etc). Notionally, the
+ stand-by key should be less subject to compromise than an active key,
+ but that will be dependent on operational concerns not addressed
+ here.
+
+6.1. Adding a Trust Anchor
+
+ Assume an existing trust anchor key 'A'.
+
+ 1. Generate a new key pair.
+
+ 2. Create a DNSKEY record from the key pair and set the SEP and Zone
+ Key bits.
+
+ 3. Add the DNSKEY to the RRSet.
+
+ 4. Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
+ 'A'.
+
+ 5. Wait for various resolvers' timers to go off and for them to
+ retrieve the new DNSKEY RRSet and signatures.
+
+ 6. The new trust anchor will be populated at the resolvers on the
+ schedule described by the state table and update algorithm -- see
+ Sections 2 and 4 above.
+
+6.2. Deleting a Trust Anchor
+
+ Assume existing trust anchors 'A' and 'B' and that you want to revoke
+ and delete 'A'.
+
+
+
+
+StJohns Standards Track [Page 9]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+ 1. Set the revocation bit on key 'A'.
+
+ 2. Sign the DNSKEY RRSet with both 'A' and 'B'. 'A' is now revoked.
+ The operator should include the revoked 'A' in the RRSet for at
+ least the remove hold-down time, but then may remove it from the
+ DNSKEY RRSet.
+
+6.3. Key Roll-Over
+
+ Assume existing keys A and B. 'A' is actively in use (i.e. has been
+ signing the DNSKEY RRSet). 'B' was the stand-by key. (i.e. has been
+ in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
+ used to sign the RRSet).
+
+ 1. Generate a new key pair 'C'.
+ 2. Add 'C' to the DNSKEY RRSet.
+ 3. Set the revocation bit on key 'A'.
+ 4. Sign the RRSet with 'A' and 'B'.
+
+ 'A' is now revoked, 'B' is now the active key, and 'C' will be the
+ stand-by key once the hold-down expires. The operator should include
+ the revoked 'A' in the RRSet for at least the remove hold-down time,
+ but may then remove it from the DNSKEY RRSet.
+
+6.4. Active Key Compromised
+
+ This is the same as the mechanism for Key Roll-Over (Section 6.3)
+ above, assuming 'A' is the active key.
+
+6.5. Stand-by Key Compromised
+
+ Using the same assumptions and naming conventions as Key Roll-Over
+ (Section 6.3) above:
+
+ 1. Generate a new key pair 'C'.
+ 2. Add 'C' to the DNSKEY RRSet.
+ 3. Set the revocation bit on key 'B'.
+ 4. Sign the RRSet with 'A' and 'B'.
+
+ 'B' is now revoked, 'A' remains the active key, and 'C' will be the
+ stand-by key once the hold-down expires. 'B' should continue to be
+ included in the RRSet for the remove hold-down time.
+
+6.6. Trust Point Deletion
+
+ To delete a trust point that is subordinate to another configured
+ trust point (e.g., example.com to .com) requires some juggling of the
+ data. The specific process is:
+
+
+
+StJohns Standards Track [Page 10]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+ 1. Generate a new DNSKEY and DS record and provide the DS record to
+ the parent along with DS records for the old keys.
+
+ 2. Once the parent has published the DSs, add the new DNSKEY to the
+ RRSet and revoke ALL of the old keys at the same time, while
+ signing the DNSKEY RRSet with all of the old and new keys.
+
+ 3. After 30 days, stop publishing the old, revoked keys and remove
+ any corresponding DS records in the parent.
+
+ Revoking the old trust-point keys at the same time as adding new keys
+ that chain to a superior trust prevents the resolver from adding the
+ new keys as trust anchors. Adding DS records for the old keys avoids
+ a race condition where either the subordinate zone becomes unsecure
+ (because the trust point was deleted) or becomes bogus (because it
+ didn't chain to the superior zone).
+
+7. IANA Considerations
+
+ The IANA has assigned a bit in the DNSKEY flags field (see Section 7
+ of [RFC4034]) for the REVOKE bit (8).
+
+8. Security Considerations
+
+ In addition to the following sections, see also Theory of Operation
+ above (Section 2) and especially Section 2.2 for related discussions.
+
+ Security considerations for trust anchor rollover not specific to
+ this protocol are discussed in [RFC4986].
+
+8.1. Key Ownership vs. Acceptance Policy
+
+ The reader should note that, while the zone owner is responsible for
+ creating and distributing keys, it's wholly the decision of the
+ resolver owner as to whether to accept such keys for the
+ authentication of the zone information. This implies the decision to
+ update trust-anchor keys based on trusting a current trust-anchor key
+ is also the resolver owner's decision.
+
+ The resolver owner (and resolver implementers) MAY choose to permit
+ or prevent key status updates based on this mechanism for specific
+ trust points. If they choose to prevent the automated updates, they
+ will need to establish a mechanism for manual or other out-of-band
+ updates, which are outside the scope of this document.
+
+
+
+
+
+
+
+StJohns Standards Track [Page 11]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+8.2. Multiple Key Compromise
+
+ This scheme permits recovery as long as at least one valid trust-
+ anchor key remains uncompromised, e.g., if there are three keys, you
+ can recover if two of them are compromised. The zone owner should
+ determine their own level of comfort with respect to the number of
+ active, valid trust anchors in a zone and should be prepared to
+ implement recovery procedures once they detect a compromise. A
+ manual or other out-of-band update of all resolvers will be required
+ if all trust-anchor keys at a trust point are compromised.
+
+8.3. Dynamic Updates
+
+ Allowing a resolver to update its trust anchor set based on in-band
+ key information is potentially less secure than a manual process.
+ However, given the nature of the DNS, the number of resolvers that
+ would require update if a trust anchor key were compromised, and the
+ lack of a standard management framework for DNS, this approach is no
+ worse than the existing situation.
+
+9. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
+ Signer (DS)", RFC 3755, May 2004.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements", RFC
+ 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+10. Informative References
+
+ [RFC4986] Eland, H., Mundy, R., Crocker, S., and S. Krishnaswamy,
+ "Requirements Related to DNS Security (DNSSEC) Trust
+ Anchor Rollover", RFC 4986, August 2007.
+
+
+
+
+
+
+StJohns Standards Track [Page 12]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+Author's Address
+
+ Michael StJohns
+ Independent
+
+ EMail: mstjohns@comcast.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns Standards Track [Page 13]
+\f
+RFC 5011 Trust Anchor Update September 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns Standards Track [Page 14]
+\f
fi
;;
reload)
- echo "rndc $action $zone $view"
- : rndc $action $zone $view
+ echo "rndc $action $domain $view"
+ : rndc $action $domain $view
;;
*)
usage "illegal action $action"
--- /dev/null
+#!/bin/sh
+#
+# Shell script to start the dnssec-signer
+# command out of the example directory
+#
+
+chroot `pwd` ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
+
+if test ! -f dnssec.conf
+then
+ echo Please start this skript out of the flat or hierarchical sub directory
+ exit 1
+fi
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
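Review bot: The `chroot` line at the top of the new script cannot work as written and runs before the `dnssec.conf` check further down. chroot takes the word after the new root as the program to execute, so `ZKT_CONFFILE=...` is looked up as a command instead of being set in the environment, and `../../dnssec-signer` would in any case be resolved inside the new root, where `..` no longer leaves the example directory. The call also needs root and its exit status is never tested, so the script prints an error and then falls through to the second invocation on the last line. No file header is visible for these lines, so two scripts may have been joined here; if it is one file, I would drop the chroot line and quote the remaining call, `ZKT_CONFFILE="$(pwd)/dnssec.conf" ../../dnssec-signer "$@"`.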
#
-# @(#) dnssec.conf vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de
+# @(#) dnssec.conf vT0.99a (c) Feb 2005 - Jul 2009 Holger Zuleger hznet.de
#
# dnssec-zkt options
Serialformat: incremental
# signing key parameters
+Key_algo: RSASHA1 # (Algorithm ID 5)
KSK_lifetime: 60d # (5184000 seconds)
-KSK_algo: RSASHA1 # (Algorithm ID 5)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 2w # (1209600 seconds)
-ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
SaltBits: 24
KeySetDir: "../keysets"
DLV_Domain: ""
Sig_Pseudorand: True
-Sig_Parameter: ""
+Sig_GenerateDS: True
+Sig_Parameter: "-n 1"
Distribute_Cmd: "./dist.sh"
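Review bot: The new `Key_algo: RSASHA1` line now sets the algorithm for both key types, and with the unchanged `ZSK_bits: 512` the example zone is signed by a 512-bit RSA/SHA-1 key that anyone copying this file would inherit. If the file is maintained by hand rather than regenerated, a comment above the key parameters would make the intent clear, for example `# short keys and lifetimes for the demo zones only; choose stronger values for real zones`. The added `Sig_Parameter: "-n 1"` has no explanation either; assuming `-n` is the dnssec-signzone thread-count option, a trailing `# extra dnssec-signzone options (one worker thread)` would document it.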
+++ /dev/null
-;% generationtime=20081116175850
-;% lifetime=90d
-example.net. IN DNSKEY 256 3 5 BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRS ouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: yh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRSouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==
-PublicExponent: AQAAAAE=
-PrivateExponent: XHrB+Ib/yjBFNUQoB66abHOazbj5hDkaprg0ygOwDdrxLSpwrYHQAn5H6JPlGhcTZHN5X1nF4M7GlGlbRah0oQ==
-Prime1: 7T9UFlW1S4Dnditz/D0PmPdJ+fiozB+wz8xxRuOT4zE=
-Prime2: 2hjLgVBakXblbcuQ08UYHkP00pMp+45mK+L5M35OpS8=
-Exponent1: CPzNNspgw6XVf63vdcnEP55k7wMVttStCJw8+r3T5FE=
-Exponent2: t8JDeQOEiO2L0dbIkuANjXOBiCauM6fnRHanvKcwmrs=
-Coefficient: ObUC9ojBjcCKuGvPqXfWD20iXRpkzVsHjrJqcLXRqw4=
--- /dev/null
+;% generationtime=20090730151357
+;% lifetime=84d
+example.net. IN DNSKEY 256 3 5 BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: QGedp/HTzh6rYQGFLCnFHIM8mo5AxWZng293NH1AjxjGas5dmGZazN7l1XVRC3vsrkJnEo4vufmn3PiXEN5+cQ==
+Prime1: 9xNBI9Hnmg90Tt4dTmbd3vwYOnPMY3bUT8LK7ST9AW8=
+Prime2: 3zJmVknraflkD8SdS8KS30TnMdS45kfTLrLfGapkul8=
+Exponent1: 3QgVQB/5/207T9FsSmaLCerWRHXc2rhk2SzIgkizh+k=
+Exponent2: jFPAst+viSJxygltwZn3WPEL1+JeMFK99nilMa7YVLc=
+Coefficient: 7duJdlOhBkQ0IDwI5Hiedteo7phE7GPedy5MVHpPcjM=
--- /dev/null
+;% generationtime=20090228113129
+;% lifetime=60d
+example.net. IN DNSKEY 257 3 5 BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug aQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: CwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhugaQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: BhlkW6GKcOvDGyVAj7rEqpvEVd+t8H3WkifdhulioLIppKBuJlzzhSORjGojm6KYwcQl78F/7kHgKn2S5jBVk0FZr3vUR7Z6wbO80Ic9lOaFMBz0uYvUIYLGpFJvsVAFWv9sOkLK5iwFs6JehrSgxDbMfyBd8hpdN7mWOYD51p5HJMVvdqAw82mZoELQdlWM5tUzZdyx0jnAPtnYV+IxVa5CgQ==
+Prime1: A41vXEkXlyvOuNbnByXKgw4BfHHp4LjpDsm4F35SD56Pvw1BFHtrgm/U7oJZQUBvyW2CcCe0Ria1iY4OjB/jdv2c4+GPhq1LizHquadfwHfAzw==
+Prime2: AxwrEOiIRMkPEobov43MiBtbFKGA7QnN7DOD/QTFOA8a7IMhUDHU7pQbJASXpUaLKLSrAMeRNKwSyHXq34WFUzP4HK6ubuLn2k5YxhWRDbwpRw==
+Exponent1: Ao+dprhY0qEAYGjF6wdwxyIDFAoU/g+1gwS566bRiIrYdXN9OoLRHHH7r3v8tfgjKckQAXbjVKfV9MYNpnW8jYqmSOvAXXjLtHtyBcJQOs89gQ==
+Exponent2: 9AwIcMdFNsAzAsXHLQwN3lvQUce4cpuxw/GKnKTu9rsmqtbz9Al4qLSTsXYxErdSZ7xwIxX/PYeCywc0zZjd5fbGGOBv/fApfRgECVQWSNpJ
+Coefficient: 1hDGT7Cnck4tyDJDUZHVK2ejowz2RlqzqN/BAMEfi+k3b/Ild6pdHNHu2mDYkFRqSIU4zVAVxeplrTKoXvVmmb8iWF/3jNLL/eKxYinNHe1P
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: pYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: ZF1rC+0JIyhAQNFXPtcPW8S3iggmyY5AH+yXDDqpM1qx3a3NY5/BfuHFYDtsfHAB2DOjgqQmADly2B9NMhoJ4Q==
+Prime1: 2jtxQTZzjZuyqSRk4PBk/nx+VqrVFdSvHUyXb2EjNrU=
+Prime2: wizFiwOCJBiVDOjA0Zq9VuWk4+Fa7TNpkXp0//Y+NQU=
+Exponent1: ORIEM1AkgXP+KkRQcZI6qW+fXhrdUsegVW42eGRzEmk=
+Exponent2: YHsutgi+2qKtY/38Uu3e7bnHVhpUO7ZAcgPh00vd1yk=
+Coefficient: Z5qDNIXQpU91m32R1HPPK75ASx5ah4/Gd4jw/SHsnDk=
--- /dev/null
+;% generationtime=20090615075841
+;% lifetime=14d
+example.net. IN DNSKEY 256 3 5 BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
--- /dev/null
+;% generationtime=20090630093509
+;% lifetime=14d
+example.net. IN DNSKEY 256 3 5 BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: zN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
+PublicExponent: AQAAAAE=
+PrivateExponent: a9MzQ8dBy0kkwjUECnf6X02Q8URTNL+8IuJIOjD0sVbtt04trek0iioQkWNVBn7m7o1vrIijQ4AuMe9xqyiRyQ==
+Prime1: /m1HDAGWnLeuYTLhlNxQBg+vUDjDPXOFXFvOg5Vkjlc=
+Prime2: ziIYCdlrKqZkIpyt6AuPsRDqs2kNlkiwWT8D4D7J3L0=
+Exponent1: Sd/Kn+FrTrMRZucUyXyGoKyfX6uReD4Kv0XYAqtk9+s=
+Exponent2: KAcgSeMQeZPaabpFZMR9O4h2j4WwD5PysJsQKq1i9DE=
+Coefficient: NBFD1eKzJOpi9G1tF88xmnNvNBbyEtgf0EuV4JAwTrs=
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
-; Last generation time Dec 28 2008 23:08:02
+; Last generation time Jul 30 2009 17:13:57
;
; *** List of Key Signing Keys ***
-; example.net. tag=1764 algo=RSASHA1 generated Nov 16 2008 18:58:50
-example.net. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8
- VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs
- lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+
- YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU
- 8w==
- ) ; key id = 1764
+; example.net. tag=33840 algo=RSASHA1 generated Feb 28 2009 12:31:29
+example.net. 14400 IN DNSKEY 257 3 5 (
+ BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc
+ +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n
+ m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u
+ SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug
+ aQ==
+ ) ; key id = 33840
-; example.net. tag=7308 algo=RSASHA1 generated Nov 16 2008 18:58:50
-example.net. 3600 IN DNSKEY 257 3 5 (
+; example.net. tag=7308 algo=RSASHA1 generated Feb 28 2009 12:31:29
+example.net. 14400 IN DNSKEY 257 3 5 (
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ
oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ
w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU
) ; key id = 7308
; *** List of Zone Signing Keys ***
-; example.net. tag=4157 algo=RSASHA1 generated Dec 09 2008 14:08:16
-example.net. 3600 IN DNSKEY 256 3 5 (
- BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRS
- ouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==
- ) ; key id = 4157
+; example.net. tag=34925 algo=RSASHA1 generated Jun 17 2009 16:36:16
+example.net. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj
+ w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
+ ) ; key id = 34925
+
+; example.net. tag=48089 algo=RSASHA1 generated Jun 30 2009 11:35:09
+example.net. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd
+ IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
+ ) ; key id = 48089
+
+; example.net. tag=24545 algo=RSASHA1 generated Jul 30 2009 17:13:57
+example.net. 14400 IN DNSKEY 256 3 5 (
+ BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ
+ WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
+ ) ; key id = 24545
-example.net. IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F
-example.net. IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F
example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
+example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
+example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
;% generationtime=20080506212634
;% lifetime=60d
-example.net. IN DNSKEY 257 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w==
+;% expirationtime=20090228113128
+example.net. IN DNSKEY 385 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w==
$ORIGIN .
example.net 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
+ 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
+ BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
+ eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
+ grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
+ V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
+ Il5cqhugaQ==
+ ) ; key id = 33840
+ 7200 IN DNSKEY 257 3 5 (
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
JT9+p0yB/Q==
) ; key id = 7308
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
- Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
- VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
- HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
- DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
- AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
- +B9rLlBU8w==
- ) ; key id = 1764
; 0123456789;
; It's also possible to use the date format e.g. 2005040101
@ IN SOA ns1.example.net. hostmaster.example.net. (
- 333 ; Serial
+ 350 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
-; File written on Sun Dec 28 23:08:02 2008
-; dnssec_signzone version 9.6.0
+; File written on Thu Jul 30 17:13:57 2009
+; dnssec_signzone version 9.7.0a1
example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
- 333 ; serial
+ 350 ; serial
43200 ; refresh (12 hours)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
- 7200 RRSIG SOA 5 2 7200 20090103210802 (
- 20081228210802 4157 example.net.
- UqDcRU7Et3DQF9VF+1AmHFXLa9L2x6LYA1ZS
- shG02/N9gH+2uNnxxBvuGDkSzTl5C52csvbw
- LZnWW56sPCShiw== )
+ 7200 RRSIG SOA 5 2 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ ef9jaM2b3mfW7Kt8CfONPqtWve+OA7+sxDph
+ ffNDdF4G2wd9hosI5S9Sz8BOIJGzcg2tsgaB
+ gOjVmH4Ywf+oKg== )
7200 NS ns1.example.net.
7200 NS ns2.example.net.
- 7200 RRSIG NS 5 2 7200 20090103210802 (
- 20081228210802 4157 example.net.
- i4OCvNnG2BWy6gYbUnwv1xi6MRQjbDl6ts8o
- 28CxUNmBX/r3RWlewQiyO8acGC2UJUdWz7So
- gbHJqojIAjjpbA== )
+ 7200 RRSIG NS 5 2 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ F05kFb45lMYUbgimn1ACKyIU61+oYOg3sMHU
+ FxJd+qg9erf2//q7k4sFC9KPqpuLoLxeq7zl
+ Mk6meHS+9wsneQ== )
7200 NSEC a.example.net. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 5 2 7200 20090103210802 (
- 20081228210802 4157 example.net.
- g963zm5F91sPNl955WRBExCcKJehXmTjyw0K
- ISKE7Dq77Z8zKkTpgf1QWhVe3UOLRRbXwRnC
- aQh+jaXNE3vIag== )
- 3600 DNSKEY 256 3 5 (
- BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1
- y5L0ayZ23+17ira2IBRSouCHAmIYYR+JqGMj
- c0IQF7PAryhN2olWcINK/w==
- ) ; key id = 4157
- 3600 DNSKEY 257 3 5 (
+ 7200 RRSIG NSEC 5 2 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ OGO1Xb1nWaMl1cgCatUx3MbFzS/3N78l2FWJ
+ 9nj41937o+SaC///0hsrluM8NWCj1ROyZU3e
+ olkU38g+o0fkPQ== )
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWk
+ mp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFY
+ m/hhC77xJoVwSeOtXdmKiQ==
+ ) ; key id = 34925
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0
+ nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJma
+ dHRQZDfu79tEz8MUid7aOw==
+ ) ; key id = 48089
+ 14400 DNSKEY 256 3 5 (
+ BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA
+ 1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rc
+ oAhDVW0hZ6DSDuV/0kouMQ==
+ ) ; key id = 24545
+ 14400 DNSKEY 257 3 5 (
+ BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
+ 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
+ BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
+ eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
+ grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
+ V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
+ Il5cqhugaQ==
+ ) ; key id = 33840
+ 14400 DNSKEY 257 3 5 (
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
JT9+p0yB/Q==
) ; key id = 7308
- 3600 DNSKEY 257 3 5 (
- BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
- Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
- VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
- HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
- DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
- AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
- +B9rLlBU8w==
- ) ; key id = 1764
- 3600 RRSIG DNSKEY 5 2 3600 20090103210802 (
- 20081228210802 1764 example.net.
- DMU1/sQwNC9bxNCo+SGM1JpHAkWGCRoSEswb
- 2EV/YDWwF19IM2J/sz+9JB6h7esETapCg4qY
- 5SCBrgbMEvQNRL0t16K7ciAHYNKLTbMG0uaP
- yEOVQ0/ZofoDEsYJYScyO3hC58F2Vl/YSBFo
- hfkYvtrjrrDQqU9Uh8U1rcROIXNJF/FyDSuj
- Ca2fzHlCvnJRfF/Djg7DOjXIlWBThc4kI12v
- xw== )
- 3600 RRSIG DNSKEY 5 2 3600 20090103210802 (
- 20081228210802 4157 example.net.
- gH+J4h1fRmX5QS/wocZKerd9RqgrFR/0m1HE
- O+GYS4Q4X19TnGQW4Bq6w/QRI/5OiJH3YR2R
- 9MW3EmYMKX9Tuw== )
+ 14400 RRSIG DNSKEY 5 2 14400 20090809141357 (
+ 20090730141357 7308 example.net.
+ CblyOQR4HbF8PQi+tJYtrbqGQzk6tHz2XUTN
+ UVGYKgU/J/bs3VtuuAze57v0rCLf90wH2tGv
+ PonbPBacTW0dULrtxDH0Y3bNeT6IiRNWtNi/
+ r54PttqJO++MX9f1KkV2g5Y0R5rOuefVTqO8
+ ww9SUO3GPc0W16tyFboziOhwN9XSlJsIAeNN
+ B8jeltRi5KAxUZXpWHS0XqkpcREZOVPHVEEq
+ YQ== )
+ 14400 RRSIG DNSKEY 5 2 14400 20090809141357 (
+ 20090730141357 48089 example.net.
+ XbZb9oFt54WIQrIaTh8YyzJ+uzIah7bCO0yg
+ XHUHAIbf1xu9sljmwlzBNLJFq5hPj+q1kvJc
+ 62464sVZH+EfWg== )
a.example.net. 7200 IN A 1.2.3.1
- 7200 RRSIG A 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- nh9TDSy8L61ccYJiLAL632N4FIvUpDCvsdcf
- 0HhGA8b++YADE5gX346coX1L0Oy+DB9eHIAZ
- PCfli582EhPwKA== )
+ 7200 RRSIG A 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ st9XUmF9rcxpT3yqZzHmRh1iCA7BHpzKVQPg
+ 1iVLZatjDPcqeA2UDHBqbxE3RA6CGrHsONEs
+ nzR8X0uN22BTIA== )
7200 NSEC b.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- LCe66yRV1gez4AbSq7/SaPznvzuUPRnf+vh2
- Fuv3IlCszc0Bdo/fAyUQcc9LRo8hrvfYFDjI
- TFe3Mm0U0A5Lew== )
+ 7200 RRSIG NSEC 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ qEtyoL6etYfuriLJuEo0R2gxeCLM7n05FE4s
+ ig0NeorNk7ic89SY24owmYYJ/FbI532vhLHv
+ 0n6P1jVIBVTNOg== )
b.example.net. 7200 IN MX 10 a.example.net.
- 7200 RRSIG MX 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- oQuNvNDrqblLnEl5arNz+3YlBC9j33tp7OzF
- MptYqb32rDNB/YivuxeiBWNt7ykFmdXh1P94
- DZ8Qq2J8lIW1DA== )
+ 7200 RRSIG MX 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ oEeEMSxEXtlVpp1Rm5Z2Je6gAIggCRWUxthN
+ S1aEOIwVYcxIDlwLqbXoUVpcSaPGMATdGZnH
+ UGStzfIl/8troQ== )
7200 NSEC d.example.net. MX RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- GF6J2HjZ4xrkdT2a6Zjukl5sUSwejQkzzx2+
- pLRQ/RXtfkcMrO5xpsOZ8AqeZjySUMEGjS2U
- RUlbzM0y/70x4g== )
+ 7200 RRSIG NSEC 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ fdtI/Qb/Smf6p0sD10Zx5oDgD0GsX0WUAMLQ
+ sDy3SFatpYio68dSfEP1cnayp/px2eLvTfVm
+ 5lDVj28RqfZ7Pw== )
d.example.net. 7200 IN A 1.2.3.3
- 7200 RRSIG A 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- T9LBUwsAKM+3yh1wizaGqWvqfLOqfuTzZhpm
- tmpDPZXzSjJ8pj4KO3f8eA7ygo52bY8hNzTh
- 2hwGBAQlb1ACpA== )
+ 7200 RRSIG A 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ nTtV5w9QKqFLl164G4vTcAsMT5v09tpyvTVh
+ Oe7MYeRnN2SBxHt1ScJdjQ5/bLYwLE0eeCYn
+ 4OEF4w8WGhL67A== )
7200 AAAA 2001:db8::3
- 7200 RRSIG AAAA 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- gpBuR+r14AbjVJLx48k8plwo52RG6taN03XU
- 8uUgfOSpJSprjpvhEzKt1h87aGtmZScoS/WH
- 3D3f2Xz4e+r6QA== )
+ 7200 RRSIG AAAA 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ d+E/L0pu10u6zO8ZwsES0OCxBJmSvFm1QUkd
+ qgHxZXZi7pj2bOtZGOCxQwMHg0CvNQ9mVxL0
+ J3JSNlXGbwHSgQ== )
7200 NSEC localhost.example.net. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- fSM90YN/6UVuUPbVTuhSj2Zzxdn+3TkVIXq6
- CjpGxAxDGa5Uh3x6ExZUg3n7N7TWcuyN2fZV
- va8VlkEJeAHd/g== )
+ 7200 RRSIG NSEC 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ D8lZPkhs2FOYW9hyLryxKnx0NPzIDqOI4keb
+ YhrJuCmLLRe4vyEbdNLmV76g6ZKG9oCkgh3a
+ zgIUX0pOt281Bw== )
localhost.example.net. 7200 IN A 127.0.0.1
- 7200 RRSIG A 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- I0tSvJaBTdG0RTfOTkzDyW2iSKdX555aN5Ux
- a4l5gJhiY4tpN1NNofQK8xbdZvJi+F0JBsb4
- qctstfW97RAnZw== )
+ 7200 RRSIG A 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ jvmKKKCZ6sDIrQROwXMzPTEd9qgriYYRyMLw
+ EkOuubrkDlJkWVs7rx4d4zmrtoU5qr0sNB3m
+ kNSeEuoa+qR+eg== )
7200 NSEC ns1.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- pORPHi5yJId4IynH/UcNM1kL9kyJqO65+iku
- G5z9A2CS+aJy39Am6Nbr11GN6SAVcOmSjjeA
- SOAdxGlWWpwAvA== )
+ 7200 RRSIG NSEC 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ oAMInMyMsQj9TZVQfJq6TmBONduujt6kcQpP
+ 0qFe7WI4Cc4AH+hy1cGkeBCPS1+0WoG4rqBw
+ 3OFb0GRqEXDc5w== )
ns1.example.net. 7200 IN A 1.0.0.5
- 7200 RRSIG A 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- mPktHGQ4Cvn6JwysjndL8/dZhtht6bGq1OZI
- qR4SSqIc14Yfbbee819fwuw/JGaaTFyItDU2
- AIU8Ix2FrNLcQA== )
+ 7200 RRSIG A 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ W5E+VE/68hF1gjsyZM6FU1Ynao1/78xNYnAr
+ o4fwADHCCXw1/TDbMbp9LCzgNoUfKjWjJCn6
+ 89OCX/es/0rTtA== )
7200 AAAA 2001:db8::53
- 7200 RRSIG AAAA 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- I+i9d3dewJTTmK1J5gbMlsjodEDjV57fHDbv
- 3haEPH6WHn/9W3P9eTDRIVEIvSVCEObAJyem
- ItOMKZOxlRTF5Q== )
+ 7200 RRSIG AAAA 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ wUAOaDeX1NQh5pm8VfjXJ9QCE0HK5rdyXcyP
+ Sreh+AjyA2UVksG6Rd8/8WWv2YPwD8LtOZfv
+ OVzIQY+ltEOSvg== )
7200 NSEC ns2.example.net. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- KF6bVYTEEuOgaYTrD1BhY6dyYtp1k7uPQAbe
- +8aDk4OJwtL681t91XIT/TRXvKwiSVH4M7Un
- ZOFI4o33/oIJag== )
+ 7200 RRSIG NSEC 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ cu58jBfTX3IrVthmTxmvKuj76N7OtkuRWqkz
+ wNqyKtLjTaW2hEvt6Wnd/F7Py/xiKS6aEFIK
+ iovzZNBDetmiBg== )
ns2.example.net. 7200 IN A 1.2.0.6
- 7200 RRSIG A 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- pLL55Ja/b/pGnWdYP2tAOtx84xyKiEdD/oPC
- 7prF8HCXLJgbFdnJ3JkZ1umAPbsRrEkFIFII
- wGwfrjMkM9c8zw== )
+ 7200 RRSIG A 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ Qs5E1Bc10de+JJW26BhWzvDvxA4ssyB57QN2
+ 3uk1jgoqi4f91/xvvoy45eQtOIflmNlKV1up
+ ZESuqA8PJwq9hQ== )
7200 NSEC sub.example.net. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- b5AfO/ekdK8rQBAiyGcjCSFHOLCYfdVJP7DD
- FsNKBjkJj+jLz3P1lJClTrgc4gv7EmRlZncd
- YOzblBcjylZqAw== )
+ 7200 RRSIG NSEC 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ DIqhTgeHJasScNvLEnUzqLectmRRQhKpFINK
+ +NWEL/CM27SCiOLLYu5Mz2YHLVpz2VoV/V32
+ YVpaLtAlA5Gc1g== )
sub.example.net. 7200 IN NS ns1.example.net.
- 7200 DS 18846 7 1 (
- 71103B8D50793E190E48D99E95B48D9F20C4
- 04C6 )
- 7200 DS 18846 7 2 (
- 42A13BAC66BEB451B6BF17A51FC2C141B765
- D3E9B952C689BA4B572DC1AF2FCC )
- 7200 RRSIG DS 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- HeLgZtRjTPXR8HDw0uHiavKTmJTJU2ryunVf
- JR8vASP8QT2D4hD0BvCUzQdIB23+oB9eY2dx
- f9WtEwKY89dcTQ== )
- 7200 NSEC example.net. NS DS RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090103210802 (
- 20081228210802 4157 example.net.
- XViJS+mWV3mddMCV25zV9i3ZpRlBsQIr/Guq
- wJYzIiBP3F5cY+GbzOyjLdRnuy9pIeCUmEIN
- 0XsanfbJHcTm8w== )
+ 7200 NSEC example.net. NS RRSIG NSEC
+ 7200 RRSIG NSEC 5 3 7200 20090809141357 (
+ 20090730141357 48089 example.net.
+ qRqoIDBDuxWo403SI0B3ZPiAMSWV48HWUDi/
+ bUPuGtKCaw43OuG4RgMBlItzxrmw5AMlcsGw
+ +dpIoVdHzGqmdg== )
-sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
-sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
+sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
+sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
-example.net. IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F
-example.net. IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F
example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
+example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
+example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
-sub.example.net. IN DS 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
-sub.example.net. IN DS 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
+sub.example.net. IN DS 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
+sub.example.net. IN DS 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
$ORIGIN .
example.net 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
+ 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
+ BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
+ eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
+ grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
+ V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
+ Il5cqhugaQ==
+ ) ; key id = 33840
+ 7200 IN DNSKEY 257 3 5 (
BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
JT9+p0yB/Q==
) ; key id = 7308
- 7200 IN DNSKEY 257 3 5 (
- BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
- Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
- VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
- HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
- DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
- AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
- +B9rLlBU8w==
- ) ; key id = 1764
$ORIGIN .
sub.example.net 7200 IN DNSKEY 257 3 7 (
- AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
- 3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
- dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
- pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
- VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
- ) ; key id = 18846
+ AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
+ jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
+ /5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
+ H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
+ ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
+ ) ; key id = 48516
file "127.0.0.zone";
};
-include "zone.conf";
+#include "zone.conf";
+
+zone "example.NET." in {
+ type master;
+ file "example.net/zone.db.signed";
+};
+
+zone "sub.example.NET." in {
+ type master;
+ file "sub.example.net/zone.db.signed";
+};
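Review bot: The `include "zone.conf";` line is disabled with a `#` and left in place, and nothing says why the two zone statements are now written out inline. Either delete the line or state the reason next to it, for example `# zones are listed inline; zone.conf is no longer read`, with the wording adjusted to the real motivation, which the hunk does not show. The hunk begins inside an earlier zone statement whose opening is outside the visible lines.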
+++ /dev/null
-;% generationtime=20081228220628
-;% lifetime=3d
-sub.example.net. IN DNSKEY 256 3 6 AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOUzy7Bj+uFawiZePzJ376i jMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1z gbfUKNyiPZ6oWgPYv71zph2oeEv/imIItqFoz+s9rJLBevzRINvunS1n n4Fiq7gi21miJiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk36K83OzW KnF1OGkSIki7kfoWyUi6cJAMdnc33uPf+7inEguN4Sr2h4QXGNm42hKI v8lZ
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 6 (?)
-Prime(p): vkFZckOUzy7Bj+uFawiZePzJ376ijMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1zgQ==
-Subprime(q): qHjRa5osHmJx2NpT9a+wCWA7CLk=
-Base(g): t9Qo3KI9nqhaA9i/vXOmHah4S/+KYgi2oWjP6z2sksF6/NEg2+6dLWefgWKruCLbWaImIbreEcSg2vlj+RsHTQ==
-Private_value(x): J9kC0094M4urh22UyajBvYp6OUU=
-Public_value(y): rfdSEO07PKqymWRw5N+ivNzs1ipxdThpEiJIu5H6FslIunCQDHZ3N97j3/u4pxILjeEq9oeEFxjZuNoSiL/JWQ==
+++ /dev/null
-;% generationtime=20081216133130
-;% lifetime=3d
-sub.example.net. IN DNSKEY 256 3 6 AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1zrCvWeR2s851pF1lyqoi 7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp +U1bNU2DyopLKhZR5+6SN5u7R7tlQCGlmesE4yAD2kLBYAvBoSXgPhPn /UDQWz08x3IaYVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghCsKojF+u0 DXLuWYY6h6KWn4yuto6NMBb5hXSDaYMTgiJYO5MS79d876LIPJyv3mls lfy1
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 6 (?)
-Prime(p): 50c8zvi1zrCvWeR2s851pF1lyqoi7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp+Q==
-Subprime(q): zVTFuNMY3m0bMsXC3ULBHHiaUM8=
-Base(g): TVs1TYPKiksqFlHn7pI3m7tHu2VAIaWZ6wTjIAPaQsFgC8GhJeA+E+f9QNBbPTzHchphW9VxBxwECC57g2H9EQ==
-Private_value(x): LnevSOPwRhakaa7vYh1YBwGWIh8=
-Public_value(y): NwN9ucIKHYWeFToIQrCqIxfrtA1y7lmGOoeilp+MrraOjTAW+YV0g2mDE4IiWDuTEu/XfO+iyDycr95pbJX8tQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 6 (?)
-Prime(p): j+A/58oThRkOD+cmyxsyLP0qrQcozEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qPoQ==
-Subprime(q): kuawB/eONoc0BjGmDIKOerRKBkM=
-Base(g): C/CRAij2ID/BEajrSxPOHaMWdQ06G5zfI6el3MIZtMFvNxBQypZ3VRawKbBeOncxvSMSX/ecw5MeJDKXCWfi7Q==
-Private_value(x): HZ/c+Fa0T/qv5IwEmPEF681ckVw=
-Public_value(y): bvjS4V5v38HzFvDmzxxq09i13mBupQ79O5ZLNyxoyE17kHNcKD6/ggVPSVx1jDymtgE9FLYgo1OoKh9qdNrG0w==
+++ /dev/null
-;% generationtime=20081209130816
-;% lifetime=3d
-sub.example.net. IN DNSKEY 256 3 6 AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oThRkOD+cmyxsyLP0qrQco zEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qP oQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc3yOnpdzCGbTBbzcQUMqWd1UW sCmwXjp3Mb0jEl/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObPHGrT2LXe YG6lDv07lks3LGjITXuQc1woPr+CBU9JXHWMPKa2AT0UtiCjU6gqH2p0 2sbT
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: vwuuUkg4CTWLdI8+DIv9NW1dPbKQA6QZVcv+QgjmV7ewfxR31/n7c5usrUUQ+j1YHXM3AgIXhCN62OpQa1rgCQ==
+PublicExponent: AQAB
+PrivateExponent: LiSPHRaOWkMRhLyYOwWQyde5Xo6DVC3NZLiZl694mxS63YmbB5SYh9OILMunQCxRpxya94lqgt9DvSEGMvzlgQ==
+Prime1: 56furA32AKokZoRN8W/SC+l9MsENy1BFI4rodT3YNRE=
+Prime2: 0x89E2ZEeaPUp/Ox2qnRTXlB6h25P/SBxiGA31WBG3k=
+Exponent1: Km5UBSe5e32ulSh+rk5xBsWJrRY3VJorT8tNsMvXIkE=
+Exponent2: Caa/8AcY0ka/Df6B/vEMdHI6pS0+rsHKvPgDIDKUeGE=
+Coefficient: 1lvL+tM8iRj7MttO3zC4lQsO+8nPruMDBnYMzTVPGAI=
--- /dev/null
+;% generationtime=20090624144422
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 7 AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5 +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
+++ /dev/null
-;% generationtime=20081125154049
-;% lifetime=60d
-sub.example.net. IN DNSKEY 257 3 7 AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G3XPRE7Yaw/Nco7aXorHK JgRFMoM30q7jDBaudLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeFpWdP 7E8fmi4k/YoCESu+vBvf+rZWDMVosj8VVEIbKTcJE16Nsd1ls1FIGfiq fu8SrJ0f
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 7 (?)
-Modulus: 451+rtzB+GXdovwGVREaeA8D7cjYTcbdc9ETthrD81yjtpeiscomBEUygzfSruMMFq50t5cL/985ADDY/m8LDK4eYgWjh+VefnWwx4WlZ0/sTx+aLiT9igIRK768G9/6tlYMxWiyPxVUQhspNwkTXo2x3WWzUUgZ+Kp+7xKsnR8=
-PublicExponent: AQAB
-PrivateExponent: J0mYBDa2hFmQ2AEIVsaM+wwccX6pV0NsFgGQlW4pRGhJGcsymd16kmIfRebsxqMKAyA5pTa9K30sKYxE6CXikgpm1+TqQtH3CQJGEz81gf5/c/RgHdG4+bygPrKeW1vA7dI5jsEQ8wnhBAJa0jDIt8f0bP9G5rGYyxctmmC8mgE=
-Prime1: 8gsI7gGw1oPDMLhQHMx3NorrKgy1wMu3/anCcIEEe1OflmSNHzb0Y4hQ8Zl97EyU6ZuPAGlnI4MfykK2V35orw==
-Prime2: 8L163OyeS3aLn+Bxfxlc/6OZGat5b6C5RKFzvdJ9/7ZxM1woegJCe8DD0wwuKwNs7go+venTI4O7L1ZB0jJOkQ==
-Exponent1: aJiOLlQ6uCjOk+JCdH+DUOWthEljzcH7a7oNlZKbfjP/9fzT41ZbPBvvZsh+2zuo6l7X6ESkVntWpJA5vguZbw==
-Exponent2: a4mIh4VfFICI0Er3B/pxc3RF4JSbc0TNXZ3tUL7lL8P0fyfMoOu/fP5Xuz+2o9os34xOCJGZkkS26edTEa0NMQ==
-Coefficient: sEYTrLAosmx+x8M2BBdTYLddTSbv3xXDlqHeCNxajW4bhhbjkn3oMCWQfaq7Oke4zeUXPOAYjaf8Ve2oLD9fzg==
--- /dev/null
+;% generationtime=20090630093509
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 7 AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: 24opa7iwrJyDng5gmdzj9PNvU4W/EbCECHilWmXTTcmvFP+lCMjD/MkUSdSDAIMOYZ982rvdJuTKSdPJdhF7aQ==
+PublicExponent: AQAB
+PrivateExponent: M7mksrWsIq8pr4axqe7KYr8sXqBneTJ+mURbqSXOmEfZrlUlW0GwbOoVcDwrStuknXF+34wo5Q3cMwk0DX95UQ==
+Prime1: +rQpJtsPO9HubmItf5eIz0quciGA5CnaMrhkB00JGEU=
+Prime2: 4C12MHLPRcYtMLNzbTOkqBWhRiBRy33Q/djerAxswtU=
+Exponent1: zyXjxtZEPRJWJ2D55S5JfbZgc69ZN62ZPEV9aUbu190=
+Exponent2: NMpf367Zopu1fpdzog6cQry9Oq9Xs6zQL0cHwMo4PnU=
+Coefficient: dT+ysdkCUq1RU+toH16kAW5F7eQ3dAMGsYIII+scCYo=
--- /dev/null
+;% generationtime=20090624144206
+;% lifetime=7d
+sub.example.net. IN DNSKEY 257 3 7 AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5 UPSENnx3
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: xUmAx/vXLQzYp+uGIAogeSFLwyWCYpuORoFjnrNlEBAzAcnIw4NlwiAFC8+TEbD/Viv/m/dls7BUKPvN5h+9761GxdcERhO+js84sT0fSIx/r2+rtDGHzb+r4ukEfXzXyIOEGfqrR/vDDgWWjsHe7nMl/oUe6Xwk/HlQ9IQ2fHc=
+PublicExponent: AQAB
+PrivateExponent: pXM0BgLE/KnmVESnsdzsSMlMkTa2tt1/ns9J7UDDQ4piTGCd9qEOSJOzx6jnzJFkQS8a6QC8EMqSeeBaV2BNVucg336ie2jH+VVwBsrRzFdTTEr5Wouw62PWiW/FV285oxootXoGHeCTmVbwVBKfYrX6Wputp/sUc1haLL54COk=
+Prime1: 5zo/AB88LX6pEk65CGtBjkB6Jx0RcR2Ekq0Q/GU8HkAsZxPhwnJAbp3pZs65g/Od4vh/lz/Uv/FTLX8efOTMKw==
+Prime2: 2mxkQwk63bu3aeoAR1T1uwf7V9rty0QLZlyeVSGasfB+dv9Dihh9f7IXBX88VsMUIp7DPINm87sMi+jEJOSO5Q==
+Exponent1: vUjIJABt0cxa+VqqTAMJQjr0BCreiVuhmDTGr+brhNQBxUvYRsYiiqsIUxmtciAuwousXxNoxMv3zEnAmnrtyw==
+Exponent2: NhajWWpetmv2xnaY7REf7NnUJvRi8HQAMq/60XAJ48h/OK6LphXcdhO+2bChW4bhZJVWGZUcmHyYZckVUWF79Q==
+Coefficient: tA/0qGPPL9RkgGhV4Bz/cBi6vOTTan0zpOPE+R/jabmSIrF9k9igghZvhHPG9bnMi5mY8cekzUm6bbOejZjy3g==
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
-; Last generation time Dec 28 2008 23:08:02
+; Last generation time Jun 30 2009 13:02:21
;
; *** List of Key Signing Keys ***
-; sub.example.net. tag=18846 algo=NSEC3RSASHA1 generated Nov 25 2008 16:40:49
+; sub.example.net. tag=48516 algo=NSEC3RSASHA1 generated Jun 24 2009 16:42:06
sub.example.net. 3600 IN DNSKEY 257 3 7 (
- AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G3XPRE7Yaw/Nco7aXorHK
- JgRFMoM30q7jDBaudLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeFpWdP
- 7E8fmi4k/YoCESu+vBvf+rZWDMVosj8VVEIbKTcJE16Nsd1ls1FIGfiq
- fu8SrJ0f
- ) ; key id = 18846
+ AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD
+ ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM
+ f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5
+ UPSENnx3
+ ) ; key id = 48516
; *** List of Zone Signing Keys ***
-; sub.example.net. tag=5823 algo=NSEC3DSA generated Dec 28 2008 23:06:27
-sub.example.net. 3600 IN DNSKEY 256 3 6 (
- AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1zrCvWeR2s851pF1lyqoi
- 7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp
- +U1bNU2DyopLKhZR5+6SN5u7R7tlQCGlmesE4yAD2kLBYAvBoSXgPhPn
- /UDQWz08x3IaYVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghCsKojF+u0
- DXLuWYY6h6KWn4yuto6NMBb5hXSDaYMTgiJYO5MS79d876LIPJyv3mls
- lfy1
- ) ; key id = 5823
+; sub.example.net. tag=32345 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04
+sub.example.net. 3600 IN DNSKEY 256 3 7 (
+ AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI
+ w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
+ ) ; key id = 32345
-; sub.example.net. tag=22440 algo=NSEC3DSA generated Dec 28 2008 23:06:27
-sub.example.net. 3600 IN DNSKEY 256 3 6 (
- AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oThRkOD+cmyxsyLP0qrQco
- zEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qP
- oQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc3yOnpdzCGbTBbzcQUMqWd1UW
- sCmwXjp3Mb0jEl/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObPHGrT2LXe
- YG6lDv07lks3LGjITXuQc1woPr+CBU9JXHWMPKa2AT0UtiCjU6gqH2p0
- 2sbT
- ) ; key id = 22440
-
-; sub.example.net. tag=4710 algo=NSEC3DSA generated Dec 28 2008 23:06:28
-sub.example.net. 3600 IN DNSKEY 256 3 6 (
- AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOUzy7Bj+uFawiZePzJ376i
- jMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1z
- gbfUKNyiPZ6oWgPYv71zph2oeEv/imIItqFoz+s9rJLBevzRINvunS1n
- n4Fiq7gi21miJiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk36K83OzW
- KnF1OGkSIki7kfoWyUi6cJAMdnc33uPf+7inEguN4Sr2h4QXGNm42hKI
- v8lZ
- ) ; key id = 4710
+; sub.example.net. tag=14600 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04
+sub.example.net. 3600 IN DNSKEY 256 3 7 (
+ AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5
+ +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
+ ) ; key id = 14600
max_ttl 90s
Serialformat: unixtime
-zsk_lifetime 3m
+ksk_lifetime 1w
ksk_algo N3RSASHA1
ksk_bits 1024
zsk_lifetime 3d
-zsk_algo NSEC3DSA
+zsk_algo N3RSASHA1
zsk_bits 512
dlv_domain "dlv.trusted-keys.de"
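Review bot: `zsk_bits 512` is left as it was while `zsk_algo` switches from NSEC3DSA to N3RSASHA1, so the 512 now sets an RSA modulus size. The zone signing keys added elsewhere in this commit (tags 14600 and 32345) do carry 64-byte moduli, which is too short for RSA signatures to be relied on. Example configs tend to be copied as-is, so I would change the line to `zsk_bits 1024` or larger and regenerate the sample keys and signed zone. If the small size is deliberate to keep the example zone compact, a comment next to `zsk_bits` saying the value is for demonstration only and must not be used for a production zone would cover it. The unchanged `ksk_bits 1024` is worth reconsidering at the same time.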
-; File written on Sun Dec 28 23:08:02 2008
-; dnssec_signzone version 9.6.0
+; File written on Tue Jun 30 13:02:21 2009
+; dnssec_signzone version 9.7.0a1
sub.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
- 1230502082 ; serial
+ 1246359741 ; serial
86400 ; refresh (1 day)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
- 7200 RRSIG SOA 6 3 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AMwSbl1AvSw6nz/6SAX26uwD5BAKYAxmfBIq
- ynkaiFplhArpE1dTqlU= )
+ 7200 RRSIG SOA 7 3 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ xaNZK008xUwN1mWIUMpMNljZ7mOsYyzQ89ug
+ Ephuttdlqm5KdMAlopa9Qfgw+83YQzyonAKj
+ beUBuNmOKBwgQw== )
7200 NS ns1.example.net.
- 7200 RRSIG NS 6 3 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AFIZX6ddVm4v+ae2F4zcVgp0jJHow+jKe+LC
- YYNpRqF42vDPsri4shw= )
- 3600 DNSKEY 256 3 6 (
- AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oT
- hRkOD+cmyxsyLP0qrQcozEPyY+SI5/7cj1ch
- epu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73
- x4qPoQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc
- 3yOnpdzCGbTBbzcQUMqWd1UWsCmwXjp3Mb0j
- El/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObP
- HGrT2LXeYG6lDv07lks3LGjITXuQc1woPr+C
- BU9JXHWMPKa2AT0UtiCjU6gqH2p02sbT
- ) ; key id = 22440
- 3600 DNSKEY 256 3 6 (
- AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOU
- zy7Bj+uFawiZePzJ376ijMX7LHr8z1NNhNOB
- RhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3
- At1zgbfUKNyiPZ6oWgPYv71zph2oeEv/imII
- tqFoz+s9rJLBevzRINvunS1nn4Fiq7gi21mi
- JiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk
- 36K83OzWKnF1OGkSIki7kfoWyUi6cJAMdnc3
- 3uPf+7inEguN4Sr2h4QXGNm42hKIv8lZ
- ) ; key id = 4710
- 3600 DNSKEY 256 3 6 (
- AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1
- zrCvWeR2s851pF1lyqoi7w+KlRmWrsEyyGS+
- HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1
- EtNp+U1bNU2DyopLKhZR5+6SN5u7R7tlQCGl
- mesE4yAD2kLBYAvBoSXgPhPn/UDQWz08x3Ia
- YVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghC
- sKojF+u0DXLuWYY6h6KWn4yuto6NMBb5hXSD
- aYMTgiJYO5MS79d876LIPJyv3mlslfy1
- ) ; key id = 5823
+ 7200 RRSIG NS 7 3 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ xVsGH4dLDwHBhRo/R+BlQMgdXW5Y80xVEiYY
+ jrPH3A1j8i+PotbNA0F7eKA/0fKFmj4biCAK
+ LPErXQ8ObaggQA== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOk
+ GVXL/kII5le3sH8Ud9f5+3ObrK1FEPo9WB1z
+ NwICF4QjetjqUGta4Ak=
+ ) ; key id = 14600
+ 3600 DNSKEY 256 3 7 (
+ AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGw
+ hAh4pVpl003JrxT/pQjIw/zJFEnUgwCDDmGf
+ fNq73SbkyknTyXYRe2k=
+ ) ; key id = 32345
3600 DNSKEY 257 3 7 (
- AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
- 3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
- dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
- pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
- VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
- ) ; key id = 18846
- 3600 RRSIG DNSKEY 6 3 3600 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AMh2mLe04LwOikgp7Djk5OD+VjsxHWFIrM5K
- eZ9TwWum0+c3KRc0Ye0= )
- 3600 RRSIG DNSKEY 7 3 3600 20081230210802 (
- 20081228210802 18846 sub.example.net.
- oXtpSP1gJIoDZ4HUjdlGV6wyS0VPHp9pv7hB
- t8sOWSTxSAQ2D1u+2bHK97lE7c1TJUqNsQO7
- YiTwCvfeypt/9QWSFg8d8TrUTaFvUyZO9yJM
- HEeJvoV9+TmRsqT1M4vYNO6OY9zBrqQF8Jov
- gblJkg3ftGhllMDdz8JlIe3m35U= )
- 0 NSEC3PARAM 1 0 100 B5EA98
- 0 RRSIG NSEC3PARAM 6 3 0 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AEK69arso3M/F6qdvHBnEaS7PYoMPzkXeut8
- f7tQNJi/n/57iOXxBtY= )
+ AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
+ jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
+ /5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
+ H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
+ ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
+ ) ; key id = 48516
+ 3600 RRSIG DNSKEY 7 3 3600 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ 2P0CEAUnKV6Pa3Ryl1naH9Ve/va1k7oKyJyB
+ dinSyD/UVnGV7+iipUgDOcOAbNCYBCUVfKE9
+ GcBg3KQvJl0+AQ== )
+ 3600 RRSIG DNSKEY 7 3 3600 20090702100221 (
+ 20090630100221 48516 sub.example.net.
+ PB5I2/PuswNIxwDykcQEc/4+aUx/dJg9YfXx
+ f1gZL5ayZK01dVYsoZ8USV9IEX27NqFwjQO/
+ iTgB3eAEeBf4283XZ3VeXQRJ4iaMbL42TVid
+ qlKHQgniTPJAoytNRFVDvU3196YJECb8Z7L5
+ F6avz0sLu3gtDu/nwyyK/5Hf3kM= )
+ 0 NSEC3PARAM 1 0 100 86F43F
+ 0 RRSIG NSEC3PARAM 7 3 0 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ e6ABPEvRsRxDn/6VaDlZWctckrXmO3KhmTF0
+ gtn7V+kR5J07XF+iS7jnfpEDUJWSRhJDTtVV
+ 3uTWjwSs7kyfDQ== )
a.sub.example.net. 7200 IN A 1.2.3.4
- 7200 RRSIG A 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- ACtzcM76XGO0nQg0MNi/3xIA17I/Zl7dpLie
- L+UWpvdyC01FhiJ9nBc= )
+ 7200 RRSIG A 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ GEvo0V/h1H5LQz1hAd6FtgN1cX/FR1ADLDjD
+ LEcrzGVBqPCB7OjyXVsHqjq3uGmFI7uZn+K/
+ hXTkHJif/0w78g== )
b.sub.example.net. 7200 IN A 1.2.3.5
- 7200 RRSIG A 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AMvlob5onyssxa/DQ13dtCp9pL9sHw4pruqq
- PI85Joh+QNgM26VGXRA= )
+ 7200 RRSIG A 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ OVvrujb8/jziQqf37zHnTOQCz2e5RAVCpdt4
+ rqd8U/Jzf36tKkPD1qSIJ8zJaAY3LfOLNYDU
+ T10UWy4dnxfoNQ== )
c.sub.example.net. 7200 IN A 1.2.3.6
- 7200 RRSIG A 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AJAcwAkedEjx4i28vF/Uu31BDly6Hmc5LI9R
- 19PqH1vAijma5No2x5Q= )
+ 7200 RRSIG A 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ b8A0VTnFi194xkeSKpK6iHcgDvuKGSFzZHSd
+ qPmMwJzflTmsLTxgXEZ9KY4BDbccSTaJVEwr
+ JJ+/QuqBHFyISQ== )
localhost.sub.example.net. 7200 IN A 127.0.0.1
- 7200 RRSIG A 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- ACgSEXi/TbpF35NNFs8zocciqhZtwDL5C4e/
- 6hTGwvl3Z+IjCjf8oDc= )
-ANQ08MJB3Q48CAVL5MEKLHUA2EG2808A.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 FLIRT946Q32FSU4Q1ISRK4UJAFMRNHEE A RRSIG
- 7200 RRSIG NSEC3 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AGjJ1uwyqNVcHgz3aFQZhvNFpBEPXdQaEeKo
- /1Joi1+1g5r7AqEPgbU= )
-FLIRT946Q32FSU4Q1ISRK4UJAFMRNHEE.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 J961TISKA95UUNS1JAV5OMBDNS342B6O A RRSIG
- 7200 RRSIG NSEC3 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AERaVeALOfnnt/33oq5dDu08p3oyfYET59xd
- x6I2CRIOFUr7LkHm2ro= )
-J961TISKA95UUNS1JAV5OMBDNS342B6O.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 KJVHLHHLAADEDFM1ONPEIBM68DIIPI6O A RRSIG
- 7200 RRSIG NSEC3 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- ADgp7RYKJ95X9iLaS/O0N75fzc/yjA3NhVnv
- hDKrUluwi2qYv1/AOIk= )
-KJVHLHHLAADEDFM1ONPEIBM68DIIPI6O.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 TE1BL0NOCKMSQ7ARERPVQTM4NBVRN6CN A RRSIG
- 7200 RRSIG NSEC3 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AMkFnz9tj86fr4NmFDnrqDNFlkgMAhRY/fR3
- SGzdb8LfKdbWCRwYtu0= )
-TE1BL0NOCKMSQ7ARERPVQTM4NBVRN6CN.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 ANQ08MJB3Q48CAVL5MEKLHUA2EG2808A NS SOA RRSIG DNSKEY NSEC3PARAM
- 7200 RRSIG NSEC3 6 4 7200 20081230210802 (
- 20081228210802 5823 sub.example.net.
- AHYEmiF12gwP5LOpUfqK+uHzj7cwuxlGXNT7
- OdhDcXznJd5bkkQuoFY= )
+ 7200 RRSIG A 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ HtRrjUhpveofocEBNMEc++mYg9oYfZgnANA5
+ TyuS20tcCw/rAhGh3E3vMyhBBq4Ps1QT74+f
+ S06Z9C5YaKI7ig== )
+7EJ08VDH70TNH3I9SD4MDBVA4S00PALI.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ L1QIfw4hfGk4jSWBeWWGviTAt/2i1wRXE2Qe
+ yspyHNhG38jzGKXR5WH7FLdBzbqMHUHv9i+k
+ /t2mOvXB11pLqQ== )
+AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F D0RE91KNGIR4STOQOPTK16C5C63NN2S0 NS SOA RRSIG DNSKEY NSEC3PARAM
+ 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ I7JJTzzkJF3lB/A68KCuihWUMUY9PCW39PEa
+ axi5WDld4ceWVoGx18mPePrlmvjwepo9UGqc
+ ivGHaozr64hBjg== )
+D0RE91KNGIR4STOQOPTK16C5C63NN2S0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F K46BIT3RVSBTLC8I8H312CFSNECEJ3S4 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ Q1g/fnqJl9tq35CoDFccQ7Ba7BcSzcsY35J5
+ h5DgaHkaAmj6QOX1pdfIuVhw0Ow9aBB4XrZo
+ wHjm0Ab+ez7COg== )
+K46BIT3RVSBTLC8I8H312CFSNECEJ3S4.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ AIfEvkwdU9GE5bBp8OBc0xJtjfF7NAVMkquB
+ 2UQzZgZP+63/nq2+uml+79Gwlc7KBjLjLfRr
+ eARbsKjcsRJF7A== )
+L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F 7EJ08VDH70TNH3I9SD4MDBVA4S00PALI A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20090702100221 (
+ 20090630100221 32345 sub.example.net.
+ IVMkxbD3eWr39sqXSJ6ARCyiMjeFB6xs+Bxc
+ BRKJ6TCRBRHDlp1Rf7AM+jQgKMAe3Tm+OqVn
+ zBrGA0FxGvo4Pg== )
2008-12-28 23:08:02.534: debug: Signing completed after 0s.
2008-12-28 23:08:02.534: debug:
2008-12-28 23:08:02.534: notice: end of run: 0 errors occured
+2009-02-28 12:31:26.082: notice: ------------------------------------------------------------
+2009-02-28 12:31:26.083: notice: running ../../dnssec-signer -N named.conf
+2009-02-28 12:31:26.100: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-02-28 12:31:26.100: debug: Check RFC5011 status
+2009-02-28 12:31:26.100: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:31:26.100: debug: Check KSK status
+2009-02-28 12:31:26.100: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h35m58s
+2009-02-28 12:31:26.100: debug: Check ZSK status
+2009-02-28 12:31:26.100: debug: Lifetime(390 sec) of depreciated key 22440 exceeded (5315758 sec)
+2009-02-28 12:31:26.100: info: "sub.example.net.": old ZSK 22440 removed
+2009-02-28 12:31:26.101: debug: ->remove it
+2009-02-28 12:31:26.101: debug: Lifetime(259200 +/-150 sec) of active key 5823 exceeded (5315758 sec)
+2009-02-28 12:31:26.101: debug: ->depreciate it
+2009-02-28 12:31:26.101: debug: ->activate published key 4710
+2009-02-28 12:31:26.101: notice: "sub.example.net.": lifetime of zone signing key 5823 exceeded: ZSK rollover done
+2009-02-28 12:31:26.101: debug: New key for publishing needed
+2009-02-28 12:31:28.559: debug: ->creating new key 32820
+2009-02-28 12:31:28.559: info: "sub.example.net.": new key 32820 generated for publishing
+2009-02-28 12:31:28.559: debug: Re-signing necessary: Modfied zone key set
+2009-02-28 12:31:28.560: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-02-28 12:31:28.560: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-02-28 12:31:28.560: debug: Signing zone "sub.example.net."
+2009-02-28 12:31:28.560: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 FC6C7C -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-02-28 12:31:28.803: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-02-28 12:31:28.803: debug: Signing completed after 0s.
+2009-02-28 12:31:28.803: debug:
+2009-02-28 12:31:28.803: debug: parsing zone "example.net." in dir "././example.net"
+2009-02-28 12:31:28.803: debug: Check RFC5011 status
+2009-02-28 12:31:28.803: notice: "example.net.": starting rfc5011 rollover
+2009-02-28 12:31:28.803: debug: Lifetime of Key Signing Key 1764 exceeded (8w5d12h36m): Starting rfc5011 rollover!
+2009-02-28 12:31:28.803: debug: =>Generating new standby key signing key
+2009-02-28 12:31:29.067: info: "example.net.": generated new standby KSK 33840
+2009-02-28 12:31:29.067: debug: =>Activating old standby key 7308
+2009-02-28 12:31:29.068: debug: =>Revoking old active key 1764
+2009-02-28 12:31:29.068: debug: Check ZSK status
+2009-02-28 12:31:29.068: debug: Re-signing necessary: Modfied zone key set
+2009-02-28 12:31:29.068: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-02-28 12:31:29.068: debug: Writing key file "././example.net/dnskey.db"
+2009-02-28 12:31:29.069: debug: Incrementing serial number in file "././example.net/zone.db"
+2009-02-28 12:31:29.069: debug: Signing zone "example.net."
+2009-02-28 12:31:29.069: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-02-28 12:31:29.206: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-02-28 12:31:29.206: debug: Signing completed after 0s.
+2009-02-28 12:31:29.206: debug:
+2009-02-28 12:31:29.206: notice: end of run: 0 errors occured
+2009-02-28 12:31:34.121: notice: ------------------------------------------------------------
+2009-02-28 12:31:34.121: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:31:34.126: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-02-28 12:31:34.126: debug: Check RFC5011 status
+2009-02-28 12:31:34.126: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:31:34.126: debug: Check KSK status
+2009-02-28 12:31:34.126: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h36m6s
+2009-02-28 12:31:34.126: debug: Check ZSK status
+2009-02-28 12:31:34.126: debug: Re-signing not necessary!
+2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy
+2009-02-28 12:31:34.126: debug:
+2009-02-28 12:31:34.126: debug: parsing zone "example.net." in dir "././example.net"
+2009-02-28 12:31:34.126: debug: Check RFC5011 status
+2009-02-28 12:31:34.126: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-02-28 12:31:34.126: debug: Check ZSK status
+2009-02-28 12:31:34.126: debug: Re-signing not necessary!
+2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy
+2009-02-28 12:31:34.126: debug:
+2009-02-28 12:31:34.126: notice: end of run: 0 errors occured
+2009-02-28 12:32:49.522: notice: ------------------------------------------------------------
+2009-02-28 12:32:49.522: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:32:49.525: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-02-28 12:32:49.525: debug: Check RFC5011 status
+2009-02-28 12:32:49.525: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:32:49.525: debug: Check KSK status
+2009-02-28 12:32:49.525: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h37m21s
+2009-02-28 12:32:49.525: debug: Check ZSK status
+2009-02-28 12:32:49.526: debug: Re-signing not necessary!
+2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy
+2009-02-28 12:32:49.526: debug:
+2009-02-28 12:32:49.526: debug: parsing zone "example.net." in dir "././example.net"
+2009-02-28 12:32:49.526: debug: Check RFC5011 status
+2009-02-28 12:32:49.526: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-02-28 12:32:49.526: debug: Check ZSK status
+2009-02-28 12:32:49.526: debug: Re-signing not necessary!
+2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy
+2009-02-28 12:32:49.527: debug:
+2009-02-28 12:32:49.527: notice: end of run: 0 errors occured
+2009-02-28 12:42:47.999: notice: ------------------------------------------------------------
+2009-02-28 12:42:48.000: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:45:56.491: notice: ------------------------------------------------------------
+2009-02-28 12:45:56.491: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:50:13.057: notice: ------------------------------------------------------------
+2009-02-28 12:50:13.057: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:50:54.700: notice: ------------------------------------------------------------
+2009-02-28 12:50:54.700: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:52:23.926: notice: ------------------------------------------------------------
+2009-02-28 12:52:23.926: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:52:23.933: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-02-28 12:52:23.934: debug: Check RFC5011 status
+2009-02-28 12:52:23.934: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:52:23.934: debug: Check KSK status
+2009-02-28 12:52:23.934: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h56m55s
+2009-02-28 12:52:23.934: debug: Check ZSK status
+2009-02-28 12:52:23.934: debug: Lifetime(390 sec) of depreciated key 5823 exceeded (1257 sec)
+2009-02-28 12:52:23.934: info: "sub.example.net.": old ZSK 5823 removed
+2009-02-28 12:52:23.934: debug: ->remove it
+2009-02-28 12:52:23.934: debug: Re-signing necessary: Modfied zone key set
+2009-02-28 12:52:23.934: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-02-28 12:52:23.934: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-02-28 12:52:23.935: debug: Signing zone "sub.example.net."
+2009-02-28 12:52:23.935: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 A4756D -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-02-28 12:52:24.701: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-02-28 12:52:24.701: debug: Signing completed after 1s.
+2009-02-28 12:52:24.701: debug:
+2009-02-28 12:52:24.701: debug: parsing zone "example.net." in dir "././example.net"
+2009-02-28 12:52:24.701: debug: Check RFC5011 status
+2009-02-28 12:52:24.701: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-02-28 12:52:24.701: debug: Check ZSK status
+2009-02-28 12:52:24.701: debug: Re-signing not necessary!
+2009-02-28 12:52:24.701: debug: Check if there is a parent file to copy
+2009-02-28 12:52:24.701: debug:
+2009-02-28 12:52:24.701: notice: end of run: 0 errors occured
+2009-02-28 12:53:08.325: notice: ------------------------------------------------------------
+2009-02-28 12:53:08.325: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:53:48.858: notice: ------------------------------------------------------------
+2009-02-28 12:53:48.858: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:54:09.878: notice: ------------------------------------------------------------
+2009-02-28 12:54:09.878: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-02-28 12:54:09.885: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
+2009-02-28 12:54:09.885: debug: Check RFC5011 status
+2009-02-28 12:54:09.885: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:54:09.885: debug: Check KSK status
+2009-02-28 12:54:09.886: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h58m41s
+2009-02-28 12:54:09.886: debug: Check ZSK status
+2009-02-28 12:54:09.886: debug: Re-signing not necessary!
+2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy
+2009-02-28 12:54:09.886: debug:
+2009-02-28 12:54:09.886: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
+2009-02-28 12:54:09.886: debug: Check RFC5011 status
+2009-02-28 12:54:09.886: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-02-28 12:54:09.886: debug: Check ZSK status
+2009-02-28 12:54:09.886: debug: Re-signing not necessary!
+2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy
+2009-02-28 12:54:09.886: debug:
+2009-02-28 12:54:09.886: notice: end of run: 0 errors occured
+2009-02-28 12:55:02.579: notice: ------------------------------------------------------------
+2009-02-28 12:55:02.579: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-03-03 19:13:47.524: notice: ------------------------------------------------------------
+2009-03-03 19:13:47.524: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-03-03 19:13:47.532: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
+2009-03-03 19:13:47.532: debug: Check RFC5011 status
+2009-03-03 19:13:47.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-03 19:13:47.532: debug: Check KSK status
+2009-03-03 19:13:47.533: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h18m19s
+2009-03-03 19:13:47.533: debug: Check ZSK status
+2009-03-03 19:13:47.533: debug: Lifetime(259200 +/-150 sec) of active key 4710 exceeded (283341 sec)
+2009-03-03 19:13:47.533: debug: ->depreciate it
+2009-03-03 19:13:47.533: debug: ->activate published key 32820
+2009-03-03 19:13:47.533: notice: "sub.example.net.": lifetime of zone signing key 4710 exceeded: ZSK rollover done
+2009-03-03 19:13:47.533: debug: New key for publishing needed
+2009-03-03 19:13:48.366: debug: ->creating new key 49656
+2009-03-03 19:13:48.366: info: "sub.example.net.": new key 49656 generated for publishing
+2009-03-03 19:13:48.366: debug: Re-signing necessary: Modfied zone key set
+2009-03-03 19:13:48.366: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-03-03 19:13:48.367: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net/dnskey.db"
+2009-03-03 19:13:48.367: debug: Signing zone "sub.example.net."
+2009-03-03 19:13:48.367: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net; /usr/local/sbin/dnssec-signzone -3 BCB121 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-03 19:13:48.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-03 19:13:48.543: debug: Signing completed after 0s.
+2009-03-03 19:13:48.543: debug:
+2009-03-03 19:13:48.543: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
+2009-03-03 19:13:48.543: debug: Check RFC5011 status
+2009-03-03 19:13:48.543: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-03-03 19:13:48.543: debug: Check ZSK status
+2009-03-03 19:13:48.543: debug: Re-signing necessary: re-signing interval (2d) reached
+2009-03-03 19:13:48.543: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
+2009-03-03 19:13:48.543: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/dnskey.db"
+2009-03-03 19:13:48.544: debug: Incrementing serial number in file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/zone.db"
+2009-03-03 19:13:48.544: debug: Signing zone "example.net."
+2009-03-03 19:13:48.544: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-03-03 19:13:48.723: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-03 19:13:48.723: debug: Signing completed after 0s.
+2009-03-03 19:13:48.723: debug:
+2009-03-03 19:13:48.724: notice: end of run: 0 errors occured
+2009-03-03 19:14:16.121: notice: ------------------------------------------------------------
+2009-03-03 19:14:16.121: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf
+2009-03-03 19:14:30.231: notice: ------------------------------------------------------------
+2009-03-03 19:14:30.231: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf
+2009-03-03 19:15:37.851: notice: ------------------------------------------------------------
+2009-03-03 19:15:37.851: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf
+2009-03-03 19:15:37.853: debug: parsing zone "sub.example.net." in dir "./././sub.example.net"
+2009-03-03 19:15:37.853: debug: Check RFC5011 status
+2009-03-03 19:15:37.853: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-03 19:15:37.853: debug: Check KSK status
+2009-03-03 19:15:37.853: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m9s
+2009-03-03 19:15:37.853: debug: Check ZSK status
+2009-03-03 19:15:37.853: debug: Re-signing not necessary!
+2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy
+2009-03-03 19:15:37.853: debug:
+2009-03-03 19:15:37.853: debug: parsing zone "example.net." in dir "./././example.net"
+2009-03-03 19:15:37.853: debug: Check RFC5011 status
+2009-03-03 19:15:37.853: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-03-03 19:15:37.853: debug: Check ZSK status
+2009-03-03 19:15:37.853: debug: Re-signing not necessary!
+2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy
+2009-03-03 19:15:37.853: debug:
+2009-03-03 19:15:37.853: notice: end of run: 0 errors occured
+2009-03-03 19:15:44.219: notice: ------------------------------------------------------------
+2009-03-03 19:15:44.219: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf
+2009-03-03 19:15:49.305: notice: ------------------------------------------------------------
+2009-03-03 19:15:49.305: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-03-03 19:15:49.308: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-03 19:15:49.308: debug: Check RFC5011 status
+2009-03-03 19:15:49.308: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-03 19:15:49.308: debug: Check KSK status
+2009-03-03 19:15:49.309: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m21s
+2009-03-03 19:15:49.309: debug: Check ZSK status
+2009-03-03 19:15:49.309: debug: Re-signing not necessary!
+2009-03-03 19:15:49.309: debug: Check if there is a parent file to copy
+2009-03-03 19:15:49.309: debug:
+2009-03-03 19:15:49.309: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-03 19:15:49.310: debug: Check RFC5011 status
+2009-03-03 19:15:49.310: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-03-03 19:15:49.310: debug: Check ZSK status
+2009-03-03 19:15:49.310: debug: Re-signing not necessary!
+2009-03-03 19:15:49.310: debug: Check if there is a parent file to copy
+2009-03-03 19:15:49.310: debug:
+2009-03-03 19:15:49.310: notice: end of run: 0 errors occured
+2009-03-04 18:07:38.441: notice: ------------------------------------------------------------
+2009-03-04 18:07:38.441: notice: running ../../dnssec-signer -v -v -N named.conf
+2009-03-04 18:07:38.459: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:07:38.459: debug: Check RFC5011 status
+2009-03-04 18:07:38.459: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:07:38.459: debug: Check KSK status
+2009-03-04 18:07:38.459: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m10s
+2009-03-04 18:07:38.459: debug: Check ZSK status
+2009-03-04 18:07:38.459: debug: Lifetime(390 sec) of depreciated key 4710 exceeded (82431 sec)
+2009-03-04 18:07:38.459: info: "sub.example.net.": old ZSK 4710 removed
+2009-03-04 18:07:38.459: debug: ->remove it
+2009-03-04 18:07:38.459: debug: Re-signing necessary: Modfied zone key set
+2009-03-04 18:07:38.459: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-03-04 18:07:38.459: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:07:38.460: debug: Signing zone "sub.example.net."
+2009-03-04 18:07:38.460: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 33B698 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:07:38.635: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:07:38.635: debug: Signing completed after 0s.
+2009-03-04 18:07:38.635: debug:
+2009-03-04 18:07:38.635: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:07:38.635: debug: Check RFC5011 status
+2009-03-04 18:07:38.635: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:07:38.636: debug: Check ZSK status
+2009-03-04 18:07:38.636: debug: Re-signing not necessary!
+2009-03-04 18:07:38.636: debug: Check if there is a parent file to copy
+2009-03-04 18:07:38.636: debug:
+2009-03-04 18:07:38.636: notice: end of run: 0 errors occured
+2009-03-04 18:07:54.353: notice: ------------------------------------------------------------
+2009-03-04 18:07:54.353: notice: running ../../dnssec-signer -r -v -v -N named.conf
+2009-03-04 18:07:54.357: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:07:54.357: debug: Check RFC5011 status
+2009-03-04 18:07:54.357: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:07:54.357: debug: Check KSK status
+2009-03-04 18:07:54.357: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m26s
+2009-03-04 18:07:54.357: debug: Check ZSK status
+2009-03-04 18:07:54.357: debug: Re-signing not necessary!
+2009-03-04 18:07:54.357: debug: Check if there is a parent file to copy
+2009-03-04 18:07:54.357: debug:
+2009-03-04 18:07:54.357: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:07:54.357: debug: Check RFC5011 status
+2009-03-04 18:07:54.357: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:07:54.358: debug: Check ZSK status
+2009-03-04 18:07:54.358: debug: Re-signing not necessary!
+2009-03-04 18:07:54.358: debug: Check if there is a parent file to copy
+2009-03-04 18:07:54.358: debug:
+2009-03-04 18:07:54.358: notice: end of run: 0 errors occured
+2009-03-04 18:08:25.210: notice: ------------------------------------------------------------
+2009-03-04 18:08:25.210: notice: running ../../dnssec-signer -r -v -v -N named.conf
+2009-03-04 18:08:25.212: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:25.212: debug: Check RFC5011 status
+2009-03-04 18:08:25.213: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:25.213: debug: Check KSK status
+2009-03-04 18:08:25.213: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m57s
+2009-03-04 18:08:25.213: debug: Check ZSK status
+2009-03-04 18:08:25.213: debug: Re-signing not necessary!
+2009-03-04 18:08:25.213: debug: Check if there is a parent file to copy
+2009-03-04 18:08:25.213: debug:
+2009-03-04 18:08:25.214: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:08:25.214: debug: Check RFC5011 status
+2009-03-04 18:08:25.214: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:25.214: debug: Check ZSK status
+2009-03-04 18:08:25.214: debug: Re-signing not necessary!
+2009-03-04 18:08:25.214: debug: Check if there is a parent file to copy
+2009-03-04 18:08:25.214: debug:
+2009-03-04 18:08:25.216: notice: end of run: 0 errors occured
+2009-03-04 18:08:32.379: notice: ------------------------------------------------------------
+2009-03-04 18:08:32.379: notice: running ../../dnssec-signer -f -v -v -N named.conf
+2009-03-04 18:08:32.381: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:32.381: debug: Check RFC5011 status
+2009-03-04 18:08:32.381: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:32.381: debug: Check KSK status
+2009-03-04 18:08:32.381: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m4s
+2009-03-04 18:08:32.381: debug: Check ZSK status
+2009-03-04 18:08:32.381: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:32.381: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:32.381: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:32.382: debug: Signing zone "sub.example.net."
+2009-03-04 18:08:32.382: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 2 -3 A0BEB8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:08:32.896: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:32.896: debug: Signing completed after 0s.
+2009-03-04 18:08:32.896: debug:
+2009-03-04 18:08:32.896: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:08:32.896: debug: Check RFC5011 status
+2009-03-04 18:08:32.896: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:32.896: debug: Check ZSK status
+2009-03-04 18:08:32.896: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:32.896: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:32.896: debug: Writing key file "././example.net/dnskey.db"
+2009-03-04 18:08:32.897: debug: Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:08:32.897: debug: Signing zone "example.net."
+2009-03-04 18:08:32.897: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 2 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-03-04 18:08:33.042: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:33.042: debug: Signing completed after 1s.
+2009-03-04 18:08:33.042: debug:
+2009-03-04 18:08:33.043: notice: end of run: 0 errors occured
+2009-03-04 18:08:46.381: notice: ------------------------------------------------------------
+2009-03-04 18:08:46.381: notice: running ../../dnssec-signer -f -v -v -N named.conf
+2009-03-04 18:08:46.385: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:46.385: debug: Check RFC5011 status
+2009-03-04 18:08:46.385: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:46.385: debug: Check KSK status
+2009-03-04 18:08:46.385: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m18s
+2009-03-04 18:08:46.385: debug: Check ZSK status
+2009-03-04 18:08:46.385: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:46.385: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:46.385: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:46.386: debug: Signing zone "sub.example.net."
+2009-03-04 18:08:46.386: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 1864E1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:08:46.990: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:46.991: debug: Signing completed after 0s.
+2009-03-04 18:08:46.991: debug:
+2009-03-04 18:08:46.991: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:08:46.991: debug: Check RFC5011 status
+2009-03-04 18:08:46.991: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:46.991: debug: Check ZSK status
+2009-03-04 18:08:46.991: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:46.991: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:46.991: debug: Writing key file "././example.net/dnskey.db"
+2009-03-04 18:08:46.992: debug: Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:08:46.992: debug: Signing zone "example.net."
+2009-03-04 18:08:46.993: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 0 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-03-04 18:08:47.149: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:47.149: debug: Signing completed after 1s.
+2009-03-04 18:08:47.149: debug:
+2009-03-04 18:08:47.149: notice: end of run: 0 errors occured
+2009-03-04 18:08:59.141: notice: ------------------------------------------------------------
+2009-03-04 18:08:59.141: notice: running ../../dnssec-signer -f -v -v -N named.conf
+2009-03-04 18:08:59.145: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:59.145: debug: Check RFC5011 status
+2009-03-04 18:08:59.145: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:59.145: debug: Check KSK status
+2009-03-04 18:08:59.145: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m31s
+2009-03-04 18:08:59.145: debug: Check ZSK status
+2009-03-04 18:08:59.145: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:59.146: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:59.146: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:59.146: debug: Signing zone "sub.example.net."
+2009-03-04 18:08:59.146: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 945691 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:09:00.082: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:09:00.082: debug: Signing completed after 1s.
+2009-03-04 18:09:00.082: debug:
+2009-03-04 18:09:00.083: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:09:00.083: debug: Check RFC5011 status
+2009-03-04 18:09:00.083: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:09:00.083: debug: Check ZSK status
+2009-03-04 18:09:00.083: debug: Re-signing necessary: Option -f
+2009-03-04 18:09:00.083: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:09:00.083: debug: Writing key file "././example.net/dnskey.db"
+2009-03-04 18:09:00.084: debug: Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:09:00.084: debug: Signing zone "example.net."
+2009-03-04 18:09:00.084: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-03-04 18:09:00.238: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:09:00.238: debug: Signing completed after 0s.
+2009-03-04 18:09:00.238: debug:
+2009-03-04 18:09:00.238: notice: end of run: 0 errors occured
+2009-06-15 09:58:41.205: notice: ------------------------------------------------------------
+2009-06-15 09:58:41.205: notice: running ../../dnssec-signer -v -v
+2009-06-15 09:58:41.226: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-15 09:58:41.226: debug: Check RFC5011 status
+2009-06-15 09:58:41.226: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-15 09:58:41.226: debug: Check KSK status
+2009-06-15 09:58:41.227: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w3d9h3m13s
+2009-06-15 09:58:41.227: debug: Check ZSK status
+2009-06-15 09:58:41.227: debug: Lifetime(259200 +/-150 sec) of active key 32820 exceeded (8948694 sec)
+2009-06-15 09:58:41.227: debug: ->depreciate it
+2009-06-15 09:58:41.227: debug: ->activate published key 49656
+2009-06-15 09:58:41.227: notice: "sub.example.net.": lifetime of zone signing key 32820 exceeded: ZSK rollover done
+2009-06-15 09:58:41.227: debug: New key for publishing needed
+2009-06-15 09:58:41.346: debug: ->creating new key 37135
+2009-06-15 09:58:41.346: info: "sub.example.net.": new key 37135 generated for publishing
+2009-06-15 09:58:41.346: debug: Re-signing necessary: Modfied zone key set
+2009-06-15 09:58:41.346: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-15 09:58:41.346: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-15 09:58:41.346: debug: Signing zone "sub.example.net."
+2009-06-15 09:58:41.346: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 11D7FD -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-15 09:58:41.399: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-15 09:58:41.399: debug: Signing completed after 0s.
+2009-06-15 09:58:41.399: debug:
+2009-06-15 09:58:41.399: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-15 09:58:41.399: debug: Check RFC5011 status
+2009-06-15 09:58:41.399: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-06-15 09:58:41.399: debug: Remove revoked key 1764 which is older than 30 days
+2009-06-15 09:58:41.400: notice: zone "example.net.": removing revoked key 1764
+2009-06-15 09:58:41.400: debug: Check ZSK status
+2009-06-15 09:58:41.400: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14547793 sec)
+2009-06-15 09:58:41.400: debug: ->waiting for published key
+2009-06-15 09:58:41.400: notice: "example.net.": lifetime of zone signing key 4157 exceeded since 11w1d9h3m13s: ZSK rollover deferred: waiting for published key
+2009-06-15 09:58:41.400: debug: New key for publishing needed
+2009-06-15 09:58:41.499: debug: ->creating new key 34925
+2009-06-15 09:58:41.499: info: "example.net.": new key 34925 generated for publishing
+2009-06-15 09:58:41.499: debug: Re-signing necessary: Modfied zone key set
+2009-06-15 09:58:41.499: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-15 09:58:41.499: debug: Writing key file "./example.net/dnskey.db"
+2009-06-15 09:58:41.499: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-15 09:58:41.499: debug: Signing zone "example.net."
+2009-06-15 09:58:41.499: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-15 09:58:41.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-15 09:58:41.543: debug: Signing completed after 0s.
+2009-06-15 09:58:41.543: debug:
+2009-06-15 09:58:41.543: notice: end of run: 0 errors occured
+2009-06-17 16:36:16.761: notice: ------------------------------------------------------------
+2009-06-17 16:36:16.761: notice: running ../../dnssec-signer -v -v
+2009-06-17 16:36:16.792: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-17 16:36:16.792: debug: Check RFC5011 status
+2009-06-17 16:36:16.792: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-17 16:36:16.792: debug: Check KSK status
+2009-06-17 16:36:16.792: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w5d15h40m48s
+2009-06-17 16:36:16.792: debug: Check ZSK status
+2009-06-17 16:36:16.792: debug: Lifetime(390 sec) of depreciated key 32820 exceeded (196655 sec)
+2009-06-17 16:36:16.792: info: "sub.example.net.": old ZSK 32820 removed
+2009-06-17 16:36:16.792: debug: ->remove it
+2009-06-17 16:36:16.792: debug: Re-signing necessary: Modfied zone key set
+2009-06-17 16:36:16.792: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-17 16:36:16.792: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-17 16:36:16.793: debug: Signing zone "sub.example.net."
+2009-06-17 16:36:16.793: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 4214E6 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-17 16:36:16.984: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-17 16:36:16.984: debug: Signing completed after 0s.
+2009-06-17 16:36:16.984: debug:
+2009-06-17 16:36:16.984: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-17 16:36:16.984: debug: Check RFC5011 status
+2009-06-17 16:36:16.984: debug: Check ZSK status
+2009-06-17 16:36:16.984: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14744448 sec)
+2009-06-17 16:36:16.984: debug: ->depreciate it
+2009-06-17 16:36:16.984: debug: ->activate published key 34925
+2009-06-17 16:36:16.984: notice: "example.net.": lifetime of zone signing key 4157 exceeded: ZSK rollover done
+2009-06-17 16:36:16.984: debug: Re-signing necessary: Modfied zone key set
+2009-06-17 16:36:16.984: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-17 16:36:16.984: debug: Writing key file "./example.net/dnskey.db"
+2009-06-17 16:36:16.985: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-17 16:36:16.985: debug: Signing zone "example.net."
+2009-06-17 16:36:16.985: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-17 16:36:17.102: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-17 16:36:17.102: debug: Signing completed after 1s.
+2009-06-17 16:36:17.102: debug:
+2009-06-17 16:36:17.102: notice: end of run: 0 errors occured
+2009-06-24 16:33:27.617: notice: ------------------------------------------------------------
+2009-06-24 16:33:27.617: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:33:27.619: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:33:27.619: debug: Check RFC5011 status
+2009-06-24 16:33:27.620: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:33:27.620: debug: Check KSK status
+2009-06-24 16:33:27.620: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 16w5d15h37m59s
+2009-06-24 16:33:27.620: debug: Check ZSK status
+2009-06-24 16:33:27.620: debug: Lifetime(259200 +/-150 sec) of active key 49656 exceeded (801286 sec)
+2009-06-24 16:33:27.620: debug: ->depreciate it
+2009-06-24 16:33:27.620: debug: ->activate published key 37135
+2009-06-24 16:33:27.620: notice: "sub.example.net.": lifetime of zone signing key 49656 exceeded: ZSK rollover done
+2009-06-24 16:33:27.620: debug: New key for publishing needed
+2009-06-24 16:33:27.751: debug: ->creating new key 25272
+2009-06-24 16:33:27.751: info: "sub.example.net.": new key 25272 generated for publishing
+2009-06-24 16:33:27.751: debug: Re-signing necessary: Modfied zone key set
+2009-06-24 16:33:27.751: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:33:27.751: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:33:27.751: debug: Signing zone "sub.example.net."
+2009-06-24 16:33:27.751: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50C9C8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:33:27.859: error: "sub.example.net.": signing failed!
+2009-06-24 16:33:27.859: debug: Signing completed after 0s.
+2009-06-24 16:33:27.859: debug:
+2009-06-24 16:33:27.859: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:33:27.859: debug: Check RFC5011 status
+2009-06-24 16:33:27.859: debug: Check ZSK status
+2009-06-24 16:33:27.859: debug: Lifetime(29100 sec) of depreciated key 4157 exceeded (604631 sec)
+2009-06-24 16:33:27.859: info: "example.net.": old ZSK 4157 removed
+2009-06-24 16:33:27.860: debug: ->remove it
+2009-06-24 16:33:27.860: debug: Re-signing necessary: Modfied zone key set
+2009-06-24 16:33:27.860: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:33:27.860: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:33:27.860: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:33:27.860: debug: Signing zone "example.net."
+2009-06-24 16:33:27.860: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-24 16:33:27.966: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:33:27.966: debug: Signing completed after 0s.
+2009-06-24 16:33:27.966: debug:
+2009-06-24 16:33:27.966: notice: end of run: 1 error occured
+2009-06-24 16:42:06.709: notice: ------------------------------------------------------------
+2009-06-24 16:42:06.709: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:42:06.711: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:42:06.711: debug: Check RFC5011 status
+2009-06-24 16:42:06.711: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:06.711: debug: Check KSK status
+2009-06-24 16:42:06.711: debug: No active KSK found: generate new one
+2009-06-24 16:42:06.855: info: "sub.example.net.": generated new KSK 48516
+2009-06-24 16:42:06.855: debug: Check ZSK status
+2009-06-24 16:42:06.855: debug: No active ZSK found: generate new one
+2009-06-24 16:42:06.883: info: "sub.example.net.": generated new ZSK 33383
+2009-06-24 16:42:06.883: debug: Re-signing necessary: Modfied zone key set
+2009-06-24 16:42:06.883: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:42:06.883: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:06.883: debug: Signing zone "sub.example.net."
+2009-06-24 16:42:06.883: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:06.905: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:06.905: debug: Signing completed after 0s.
+2009-06-24 16:42:06.905: debug:
+2009-06-24 16:42:06.905: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:06.905: debug: Check RFC5011 status
+2009-06-24 16:42:06.905: debug: Check ZSK status
+2009-06-24 16:42:06.905: debug: Re-signing not necessary!
+2009-06-24 16:42:06.905: debug: Check if there is a parent file to copy
+2009-06-24 16:42:06.905: debug:
+2009-06-24 16:42:06.905: notice: end of run: 1 error occured
+2009-06-24 16:42:31.402: notice: ------------------------------------------------------------
+2009-06-24 16:42:31.402: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:42:31.404: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:42:31.404: debug: Check RFC5011 status
+2009-06-24 16:42:31.404: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:31.404: debug: Check KSK status
+2009-06-24 16:42:31.404: debug: Check ZSK status
+2009-06-24 16:42:31.404: debug: Re-signing necessary: Modified keys
+2009-06-24 16:42:31.405: notice: "sub.example.net.": re-signing triggered: Modified keys
+2009-06-24 16:42:31.405: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:31.405: debug: Signing zone "sub.example.net."
+2009-06-24 16:42:31.405: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:31.449: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:31.450: debug: Signing completed after 0s.
+2009-06-24 16:42:31.450: debug:
+2009-06-24 16:42:31.450: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:31.450: debug: Check RFC5011 status
+2009-06-24 16:42:31.450: debug: Check ZSK status
+2009-06-24 16:42:31.450: debug: Re-signing not necessary!
+2009-06-24 16:42:31.450: debug: Check if there is a parent file to copy
+2009-06-24 16:42:31.450: debug:
+2009-06-24 16:42:31.450: notice: end of run: 1 error occured
+2009-06-24 16:42:48.193: notice: ------------------------------------------------------------
+2009-06-24 16:42:48.193: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:42:48.195: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:42:48.195: debug: Check RFC5011 status
+2009-06-24 16:42:48.195: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:48.195: debug: Check KSK status
+2009-06-24 16:42:48.195: debug: Check ZSK status
+2009-06-24 16:42:48.195: debug: Re-signing necessary: Modified keys
+2009-06-24 16:42:48.195: notice: "sub.example.net.": re-signing triggered: Modified keys
+2009-06-24 16:42:48.195: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:48.195: debug: Signing zone "sub.example.net."
+2009-06-24 16:42:48.195: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 F46ADF -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:48.212: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:48.212: debug: Signing completed after 0s.
+2009-06-24 16:42:48.212: debug:
+2009-06-24 16:42:48.212: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:48.212: debug: Check RFC5011 status
+2009-06-24 16:42:48.212: debug: Check ZSK status
+2009-06-24 16:42:48.212: debug: Re-signing not necessary!
+2009-06-24 16:42:48.212: debug: Check if there is a parent file to copy
+2009-06-24 16:42:48.212: debug:
+2009-06-24 16:42:48.212: notice: end of run: 1 error occured
+2009-06-24 16:44:22.959: notice: ------------------------------------------------------------
+2009-06-24 16:44:22.959: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:44:22.961: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:44:22.961: debug: Check RFC5011 status
+2009-06-24 16:44:22.961: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:44:22.961: debug: Check KSK status
+2009-06-24 16:44:22.961: debug: Check ZSK status
+2009-06-24 16:44:22.961: debug: No active ZSK found: generate new one
+2009-06-24 16:44:23.008: info: "sub.example.net.": generated new ZSK 14600
+2009-06-24 16:44:23.008: debug: Re-signing necessary: Modfied zone key set
+2009-06-24 16:44:23.008: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:44:23.009: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:44:23.009: debug: Signing zone "sub.example.net."
+2009-06-24 16:44:23.009: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86BF2F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:44:23.040: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:44:23.040: debug: Signing completed after 0s.
+2009-06-24 16:44:23.040: debug:
+2009-06-24 16:44:23.040: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:44:23.040: debug: Check RFC5011 status
+2009-06-24 16:44:23.040: debug: Check ZSK status
+2009-06-24 16:44:23.040: debug: Re-signing not necessary!
+2009-06-24 16:44:23.040: debug: Check if there is a parent file to copy
+2009-06-24 16:44:23.040: debug:
+2009-06-24 16:44:23.040: notice: end of run: 0 errors occured
+2009-06-24 16:50:36.189: notice: ------------------------------------------------------------
+2009-06-24 16:50:36.189: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:50:36.191: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:50:36.191: debug: Check RFC5011 status
+2009-06-24 16:50:36.191: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:36.191: debug: Check KSK status
+2009-06-24 16:50:36.192: debug: Check ZSK status
+2009-06-24 16:50:36.192: debug: Re-signing not necessary!
+2009-06-24 16:50:36.192: debug: Check if there is a parent file to copy
+2009-06-24 16:50:36.192: debug:
+2009-06-24 16:50:36.192: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:36.192: debug: Check RFC5011 status
+2009-06-24 16:50:36.192: debug: Check ZSK status
+2009-06-24 16:50:36.193: debug: Re-signing not necessary!
+2009-06-24 16:50:36.193: debug: Check if there is a parent file to copy
+2009-06-24 16:50:36.193: debug:
+2009-06-24 16:50:36.193: notice: end of run: 0 errors occured
+2009-06-24 16:50:42.877: notice: ------------------------------------------------------------
+2009-06-24 16:50:42.877: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 16:50:42.879: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:50:42.879: debug: Check RFC5011 status
+2009-06-24 16:50:42.879: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:42.879: debug: Check KSK status
+2009-06-24 16:50:42.879: debug: Check ZSK status
+2009-06-24 16:50:42.879: debug: Re-signing necessary: Option -f
+2009-06-24 16:50:42.879: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:42.879: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:50:42.879: debug: Signing zone "sub.example.net."
+2009-06-24 16:50:42.879: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 FB37DB -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:50:42.932: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:42.932: debug: Signing completed after 0s.
+2009-06-24 16:50:42.932: debug:
+2009-06-24 16:50:42.932: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:42.932: debug: Check RFC5011 status
+2009-06-24 16:50:42.932: debug: Check ZSK status
+2009-06-24 16:50:42.932: debug: Re-signing necessary: Option -f
+2009-06-24 16:50:42.932: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:42.932: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:50:42.933: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:50:42.933: debug: Signing zone "example.net."
+2009-06-24 16:50:42.933: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-24 16:50:42.978: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:42.978: debug: Signing completed after 0s.
+2009-06-24 16:50:42.978: debug:
+2009-06-24 16:50:42.979: notice: end of run: 0 errors occured
+2009-06-24 16:50:51.923: notice: ------------------------------------------------------------
+2009-06-24 16:50:51.923: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 16:50:51.924: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:50:51.924: debug: Check RFC5011 status
+2009-06-24 16:50:51.924: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:51.924: debug: Check KSK status
+2009-06-24 16:50:51.924: debug: Check ZSK status
+2009-06-24 16:50:51.925: debug: Re-signing necessary: Option -f
+2009-06-24 16:50:51.925: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:51.925: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:50:51.925: debug: Signing zone "sub.example.net."
+2009-06-24 16:50:51.925: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E830EA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:50:51.972: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:51.973: debug: Signing completed after 0s.
+2009-06-24 16:50:51.973: debug:
+2009-06-24 16:50:51.973: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:51.973: debug: Check RFC5011 status
+2009-06-24 16:50:51.973: debug: Check ZSK status
+2009-06-24 16:50:51.973: debug: Re-signing necessary: Option -f
+2009-06-24 16:50:51.973: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:51.973: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:50:51.973: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:50:51.973: debug: Signing zone "example.net."
+2009-06-24 16:50:51.973: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-24 16:50:52.017: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:52.017: debug: Signing completed after 1s.
+2009-06-24 16:50:52.017: debug:
+2009-06-24 16:50:52.017: notice: end of run: 0 errors occured
+2009-06-24 16:51:19.914: notice: ------------------------------------------------------------
+2009-06-24 16:51:19.914: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 16:51:19.916: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:51:19.916: debug: Check RFC5011 status
+2009-06-24 16:51:19.916: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:51:19.916: debug: Check KSK status
+2009-06-24 16:51:19.916: debug: Check ZSK status
+2009-06-24 16:51:19.916: debug: Re-signing necessary: Option -f
+2009-06-24 16:51:19.916: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:51:19.916: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:51:19.917: debug: Signing zone "sub.example.net."
+2009-06-24 16:51:19.917: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 8DBC26 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:51:19.969: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:51:19.969: debug: Signing completed after 0s.
+2009-06-24 16:51:19.969: debug:
+2009-06-24 16:51:19.969: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:51:19.969: debug: Check RFC5011 status
+2009-06-24 16:51:19.969: debug: Check ZSK status
+2009-06-24 16:51:19.969: debug: Re-signing necessary: Option -f
+2009-06-24 16:51:19.969: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:51:19.969: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:51:19.969: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:51:19.969: debug: Signing zone "example.net."
+2009-06-24 16:51:19.969: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-24 16:51:20.018: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:51:20.018: debug: Signing completed after 1s.
+2009-06-24 16:51:20.018: debug:
+2009-06-24 16:51:20.018: notice: end of run: 0 errors occured
+2009-06-24 16:55:38.094: notice: ------------------------------------------------------------
+2009-06-24 16:55:38.094: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 16:55:38.096: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:55:38.096: debug: Check RFC5011 status
+2009-06-24 16:55:38.096: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:55:38.096: debug: Check KSK status
+2009-06-24 16:55:38.096: debug: Check ZSK status
+2009-06-24 16:55:38.096: debug: Re-signing necessary: Option -f
+2009-06-24 16:55:38.096: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:55:38.096: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:55:38.097: debug: Signing zone "sub.example.net."
+2009-06-24 16:55:38.097: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 69AB8E -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-24 16:55:38.144: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: NSEC3RSASHA1."
+2009-06-24 16:55:38.144: debug: Signing completed after 0s.
+2009-06-24 16:55:38.144: debug:
+2009-06-24 16:55:38.144: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:55:38.144: debug: Check RFC5011 status
+2009-06-24 16:55:38.144: debug: Check ZSK status
+2009-06-24 16:55:38.144: debug: Re-signing necessary: Option -f
+2009-06-24 16:55:38.144: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:55:38.144: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:55:38.144: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:55:38.144: debug: Signing zone "example.net."
+2009-06-24 16:55:38.144: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2009-06-24 16:55:38.182: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: RSASHA1."
+2009-06-24 16:55:38.182: debug: Signing completed after 0s.
+2009-06-24 16:55:38.182: debug:
+2009-06-24 16:55:38.182: notice: end of run: 0 errors occured
+2009-06-24 17:12:06.145: notice: ------------------------------------------------------------
+2009-06-24 17:12:06.145: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 17:12:06.147: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 17:12:06.147: debug: Check RFC5011 status
+2009-06-24 17:12:06.147: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 17:12:06.147: debug: Check KSK status
+2009-06-24 17:12:06.147: debug: Check ZSK status
+2009-06-24 17:12:06.147: debug: Re-signing necessary: Option -f
+2009-06-24 17:12:06.147: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 17:12:06.147: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 17:12:06.147: debug: Signing zone "sub.example.net."
+2009-06-24 17:12:06.147: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 589BFC -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-24 17:12:06.204: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 17:12:06.204: debug: Signing completed after 0s.
+2009-06-24 17:12:06.204: debug:
+2009-06-24 17:12:06.204: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 17:12:06.204: debug: Check RFC5011 status
+2009-06-24 17:12:06.204: debug: Check ZSK status
+2009-06-24 17:12:06.204: debug: Re-signing necessary: Option -f
+2009-06-24 17:12:06.205: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 17:12:06.205: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 17:12:06.205: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 17:12:06.205: debug: Signing zone "example.net."
+2009-06-24 17:12:06.205: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2009-06-24 17:12:06.259: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 17:12:06.259: debug: Signing completed after 0s.
+2009-06-24 17:12:06.259: debug:
+2009-06-24 17:12:06.259: notice: end of run: 0 errors occured
+2009-06-30 11:35:09.298: notice: ------------------------------------------------------------
+2009-06-30 11:35:09.298: notice: running ../../dnssec-signer -v -v
+2009-06-30 11:35:09.326: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 11:35:09.326: debug: Check RFC5011 status
+2009-06-30 11:35:09.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 11:35:09.326: debug: Check KSK status
+2009-06-30 11:35:09.326: debug: Check ZSK status
+2009-06-30 11:35:09.326: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (499847 sec)
+2009-06-30 11:35:09.326: debug: ->waiting for published key
+2009-06-30 11:35:09.326: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d18h50m47s: ZSK rollover deferred: waiting for published key
+2009-06-30 11:35:09.326: debug: New key for publishing needed
+2009-06-30 11:35:09.482: debug: ->creating new key 32345
+2009-06-30 11:35:09.482: info: "sub.example.net.": new key 32345 generated for publishing
+2009-06-30 11:35:09.482: debug: Re-signing necessary: Modfied zone key set
+2009-06-30 11:35:09.483: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-30 11:35:09.483: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-30 11:35:09.483: debug: Signing zone "sub.example.net."
+2009-06-30 11:35:09.483: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E84B0F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-30 11:35:09.838: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 11:35:09.838: debug: Signing completed after 0s.
+2009-06-30 11:35:09.838: debug:
+2009-06-30 11:35:09.838: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 11:35:09.838: debug: Check RFC5011 status
+2009-06-30 11:35:09.838: debug: Check ZSK status
+2009-06-30 11:35:09.838: debug: New key for publishing needed
+2009-06-30 11:35:09.896: debug: ->creating new key 48089
+2009-06-30 11:35:09.896: info: "example.net.": new key 48089 generated for publishing
+2009-06-30 11:35:09.896: debug: Re-signing necessary: Modfied zone key set
+2009-06-30 11:35:09.897: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-30 11:35:09.897: debug: Writing key file "./example.net/dnskey.db"
+2009-06-30 11:35:09.897: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-30 11:35:09.897: debug: Signing zone "example.net."
+2009-06-30 11:35:09.897: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2009-06-30 11:35:09.997: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 11:35:09.997: debug: Signing completed after 0s.
+2009-06-30 11:35:09.997: debug:
+2009-06-30 11:35:09.997: notice: end of run: 0 errors occured
+2009-06-30 12:01:53.878: notice: ------------------------------------------------------------
+2009-06-30 12:01:53.878: notice: running ../../dnssec-signer -v -v
+2009-06-30 12:01:53.880: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 12:01:53.881: debug: Check RFC5011 status
+2009-06-30 12:01:53.881: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 12:01:53.881: debug: Check KSK status
+2009-06-30 12:01:53.881: debug: Check ZSK status
+2009-06-30 12:01:53.881: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501451 sec)
+2009-06-30 12:01:53.881: debug: ->waiting for published key
+2009-06-30 12:01:53.881: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m31s: ZSK rollover deferred: waiting for published key
+2009-06-30 12:01:53.881: debug: Re-signing not necessary!
+2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy
+2009-06-30 12:01:53.881: debug:
+2009-06-30 12:01:53.881: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 12:01:53.881: debug: Check RFC5011 status
+2009-06-30 12:01:53.881: debug: Check ZSK status
+2009-06-30 12:01:53.881: debug: Re-signing not necessary!
+2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy
+2009-06-30 12:01:53.881: debug:
+2009-06-30 12:01:53.881: notice: end of run: 0 errors occured
+2009-06-30 12:02:05.490: notice: ------------------------------------------------------------
+2009-06-30 12:02:05.490: notice: running ../../dnssec-signer -f -v -v
+2009-06-30 12:02:05.492: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 12:02:05.492: debug: Check RFC5011 status
+2009-06-30 12:02:05.492: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 12:02:05.492: debug: Check KSK status
+2009-06-30 12:02:05.492: debug: Check ZSK status
+2009-06-30 12:02:05.492: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501463 sec)
+2009-06-30 12:02:05.492: debug: ->waiting for published key
+2009-06-30 12:02:05.492: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m43s: ZSK rollover deferred: waiting for published key
+2009-06-30 12:02:05.492: debug: Re-signing necessary: Option -f
+2009-06-30 12:02:05.492: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-30 12:02:05.492: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-30 12:02:05.492: debug: Signing zone "sub.example.net."
+2009-06-30 12:02:05.492: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50B303 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-30 12:02:05.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 12:02:05.543: debug: Signing completed after 0s.
+2009-06-30 12:02:05.543: debug:
+2009-06-30 12:02:05.543: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 12:02:05.543: debug: Check RFC5011 status
+2009-06-30 12:02:05.543: debug: Check ZSK status
+2009-06-30 12:02:05.543: debug: Re-signing necessary: Option -f
+2009-06-30 12:02:05.543: notice: "example.net.": re-signing triggered: Option -f
+2009-06-30 12:02:05.543: debug: Writing key file "./example.net/dnskey.db"
+2009-06-30 12:02:05.544: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-30 12:02:05.544: debug: Signing zone "example.net."
+2009-06-30 12:02:05.544: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2009-06-30 12:02:05.602: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 12:02:05.602: debug: Signing completed after 0s.
+2009-06-30 12:02:05.602: debug:
+2009-06-30 12:02:05.602: notice: end of run: 0 errors occured
+2009-06-30 13:02:04.436: notice: ------------------------------------------------------------
+2009-06-30 13:02:04.436: notice: running ../../dnssec-signer -v -v
+2009-06-30 13:02:04.438: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 13:02:04.438: debug: Check RFC5011 status
+2009-06-30 13:02:04.438: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 13:02:04.438: debug: Check KSK status
+2009-06-30 13:02:04.438: debug: Check ZSK status
+2009-06-30 13:02:04.438: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (505062 sec)
+2009-06-30 13:02:04.438: debug: ->depreciate it
+2009-06-30 13:02:04.439: debug: ->activate published key 32345
+2009-06-30 13:02:04.439: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded: ZSK rollover done
+2009-06-30 13:02:04.439: debug: Re-signing necessary: Modfied zone key set
+2009-06-30 13:02:04.439: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-30 13:02:04.439: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-30 13:02:04.439: debug: Signing zone "sub.example.net."
+2009-06-30 13:02:04.439: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 0140D2 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-30 13:02:04.491: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 13:02:04.491: debug: Signing completed after 0s.
+2009-06-30 13:02:04.491: debug:
+2009-06-30 13:02:04.491: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 13:02:04.491: debug: Check RFC5011 status
+2009-06-30 13:02:04.491: debug: Check ZSK status
+2009-06-30 13:02:04.491: debug: Re-signing not necessary!
+2009-06-30 13:02:04.491: debug: Check if there is a parent file to copy
+2009-06-30 13:02:04.491: debug:
+2009-06-30 13:02:04.491: notice: end of run: 0 errors occured
+2009-06-30 13:02:21.019: notice: ------------------------------------------------------------
+2009-06-30 13:02:21.019: notice: running ../../dnssec-signer -f -v -v
+2009-06-30 13:02:21.021: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 13:02:21.021: debug: Check RFC5011 status
+2009-06-30 13:02:21.021: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 13:02:21.021: debug: Check KSK status
+2009-06-30 13:02:21.021: debug: Check ZSK status
+2009-06-30 13:02:21.022: debug: Re-signing necessary: Option -f
+2009-06-30 13:02:21.022: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-30 13:02:21.022: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-30 13:02:21.022: debug: Signing zone "sub.example.net."
+2009-06-30 13:02:21.022: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86F43F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-30 13:02:21.070: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 13:02:21.070: debug: Signing completed after 0s.
+2009-06-30 13:02:21.070: debug:
+2009-06-30 13:02:21.070: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 13:02:21.070: debug: Check RFC5011 status
+2009-06-30 13:02:21.070: debug: Check ZSK status
+2009-06-30 13:02:21.070: debug: Re-signing necessary: Option -f
+2009-06-30 13:02:21.070: notice: "example.net.": re-signing triggered: Option -f
+2009-06-30 13:02:21.071: debug: Writing key file "./example.net/dnskey.db"
+2009-06-30 13:02:21.071: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-30 13:02:21.071: debug: Signing zone "example.net."
+2009-06-30 13:02:21.071: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2009-06-30 13:02:21.121: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 13:02:21.121: debug: Signing completed after 0s.
+2009-06-30 13:02:21.121: debug:
+2009-06-30 13:02:21.121: notice: end of run: 0 errors occured
+++ /dev/null
-;% generationtime=20080914221502
-;% lifetime=90d
-example.de. IN DNSKEY 256 3 5 BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuR Npn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: qbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuRNpn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: h7mIMjyW6H7MpJIYWhTgerkh5pR9LbSJbuA/cKp9AU18blpyk4xOzIYGw0SXBqFezHpF0I6BEzSikgwyF1RDAQ==
-Prime1: 1YdJ1XTzsyvAgEjhutvSA4RSkCyPGsTZ81wxZcifWtE=
-Prime2: y3EofwE/nv2kF6/I2STrb3A8gbsBx5D4/6SiKFuHDg0=
-Exponent1: vjWx9G8qNVnlPPWD9uc/6um1vS2+yvriFV3MIMIZL/E=
-Exponent2: o/Jlw/TZ/IrlSvzNCc+xeF8qpip51onZ6fOFFjQ+QQ==
-Coefficient: K/UescJkRXWQr6FmABrKx3kalg748qkaWqvrY101OeY=
--- /dev/null
+;% generationtime=20090615065826
+;% lifetime=28d
+example.de. IN DNSKEY 256 3 5 BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: ty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: Sgdg/vt18JrFh/MgiSh6g/DUiIosmsQlu5QWp5Zep+rUNf0aUZkS4ywyMGGlfUE4LyzvAJD8HkxI3/Xt8rIm1Q==
+Prime1: 3TyP1P5STSSTQDaPCYf/H6kJZ92k9X9OaGLoZHSjQoM=
+Prime2: 0/bjZ7845gImcCtvCthOPQMiVZcAhEzlrS8A6bs7I2c=
+Exponent1: OjNeVeQqqqpfClERHq9yR/OmkMQBY7Zw5ArUZNCbXG0=
+Exponent2: mEFLtn8DnI1G8b583qzvs5Qwa9cYjTiZU3WHjs6ROfc=
+Coefficient: IT6JOaFB5uiS9EzlTAA1zJD44EpkTAggFoPkRfJG4Ao=
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
-; Last generation time Dec 28 2008 23:06:40
+; Last generation time Jul 04 2009 01:30:24
;
; *** List of Key Signing Keys ***
-; example.de. tag=47280 algo=RSASHA1 generated Nov 16 2008 19:00:40
+; example.de. tag=47280 algo=RSASHA1 generated Dec 28 2008 23:55:28
example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR
mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t
uw==
) ; key id = 47280
-; example.de. tag=37983 algo=RSASHA1 generated Nov 16 2008 19:00:40
+; example.de. tag=37983 algo=RSASHA1 generated Dec 28 2008 23:55:28
example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU
YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT
) ; key id = 37983
; *** List of Zone Signing Keys ***
-; example.de. tag=11327 algo=RSASHA1 generated Nov 16 2008 19:00:40
+; example.de. tag=55529 algo=RSASHA1 generated Jun 24 2009 17:12:33
example.de. 3600 IN DNSKEY 256 3 5 (
- BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuR
- Npn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
- ) ; key id = 11327
+ BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC
+ XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
+ ) ; key id = 55529
; KSK rollover phase2 (this is the new key)
sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
- pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
- cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
- GLv3a4BbGFc=
- ) ; key id = 56595
+ BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
+ W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
+ j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
+ 04a9eVgvhME=
+ ) ; key id = 26451
+++ /dev/null
-;% generationtime=20081228220640
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgN cV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgNcV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: uXBzw9Ow7+rVGZ4XZlUjLoBxRUAdN207E+mvZ+OadkH4f7l3PNYJYVn2hTvTZb8v6vhKc/sOoenMRAMavK2oCQ==
-Prime1: 97fUb9zU6zIQ6P53ykjHwpMriBptXWkqH4LUKrtqAYs=
-Prime2: 8Q9XIHa/vuddNXGbnv1WjhQ+BLULtEHoAor6Zz/AczM=
-Exponent1: lys3DhbjPd0964qLcwyI0qZ5lMviMzFBbB/IOthfYnc=
-Exponent2: 2csu2XGtql2o+T1SXeXc6JtC8prIJ+mJuXa0FapeHBc=
-Coefficient: 0+x8jSWVmxWNuZlQNW0mZBFS5cEgll+u0t17KXdh6nI=
--- /dev/null
+;% generationtime=20090624151233
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 1 BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: uRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: aSzCu6CvJa0ABmgFOLLsIpvCHkuGUUszn56T6JrEqbFrVapdYaYlaw76m6aQ/esEx5jRqBjmbjTlbI3mtblxQQ==
+Prime1: 6k517gzC9UDjFcveMB+lfD18Q/2SO3yiy+ugDdxtzok=
+Prime2: yjLNwFrUyQvebLb3EeUpvaPyFAru/KFhbskaGlKUfkk=
+Exponent1: xMVCDp0L87uIsqvOGWoXvzO5uyK1ING1Eff/EAwWCzE=
+Exponent2: g4KaqnwxQrZdgAPma04NWpQk7vEgzKdKOBCVILhW+QE=
+Coefficient: fZsDNVAIdQYAD281j3BfVnraBU/jnNTCxxz/zAKJexw=
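Review bot: This newly added sub.example.de zone-signing key is algorithm 1 (`Algorithm: 1 (RSA)` here, `DNSKEY 256 3 1` in the matching .key file just above), which RFC 4034 already marks as not recommended, and its modulus decodes to what looks like only 512 bits. The same applies to the other algorithm-1 keys added below (generationtime 20090615065624, and the flag-257 key from 20090703233023). Unless they are kept on purpose to exercise an algorithm change, the fixtures should be regenerated so that this line reads `Algorithm: 5 (RSASHA1)`, like the other sub.example.de keys added in this commit, so that anyone copying the example tree does not start from a deprecated setup. The private halves of all these keys are published with the source, so the examples' documentation (not visible in this part of the diff) should say they are for demonstration only and must never sign a real zone.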
--- /dev/null
+;% generationtime=20090615065624
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 1 BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: stcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
+PublicExponent: AQAAAAE=
+PrivateExponent: p47j7xj0y+cF9AFjsRfak8KNTAyzUmw31PNlocOWNArcC7YzNA/E1xdjsdTICI6f47Ozuk0XSCS26Evd9D0UIQ==
+Prime1: 40dBU3fjj3rXcUO9bgSVeMwJjbeXFi+x8WZ5v0UQjPE=
+Prime2: yXC+OLWVbVu0NOCHolcQfyk2SepCknuZZ/DCn3j2+zs=
+Exponent1: hlGqyB1o6RWsLL3V2bTKssQYn6smvuUCHQrdyWira/E=
+Exponent2: xKKBa6eOsCOygJAI9OK8k1jUp8HQKQTNUJ3lUWEVn88=
+Coefficient: pCt9BOElLNatY5c0uSpUav2GbAyIkJ6ngFLj39q4Om8=
+++ /dev/null
-;% generationtime=20081216163027
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw 9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: pqVDVhiSmZyjz4IM3xFkks4yc4MToD2EWbPKp4j8v4RETHjec3F9YYIMpkGaYoNqkx3+yvWpYPPy4YideIu3wQ==
-Prime1: +1CFbP41B3shnGApkHvZYr3439pvg5KO60ykyewDDUU=
-Prime2: 5+EDE42uEwgwiaPs+n4hXruj+K3ewL7cTY1HS7rPpWk=
-Exponent1: tuWKUuBr0ajPkrvq1OdN0EcuggHhuizHNMl9ApAxBYU=
-Exponent2: CHyQ5qkbFlgzbbfyXvjS6aonXu0vRQXN6xEpDrTAiek=
-Coefficient: i4dbOUlePz8KFhOt0/8FImz2TAd2zZ0hryj4uAQbtUY=
+++ /dev/null
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: mjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jBeymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
-PublicExponent: AQAAAAE=
-PrivateExponent: MPsUwCUqooIUfhCOmRxnn6ZhxzH+CpJOfJ1K0njPwjaQKm8ACnVpM7Fr3mv5b9m0TXNn3jpfQgD+mHzopnR8gQ==
-Prime1: y24Ur3BJ40hhvFGqAPXaUEJcrEZIy4aCq2TxRSfFWs8=
-Prime2: whV4QY7Syoe/CDglpRb/X1ZROUYNLo1y+uXMoSNtaYU=
-Exponent1: DQywtacomS2IXan7sOtmkcWxxe7P6jTtI5KjlN4IhD0=
-Exponent2: N/KfPaxytWiti6+d2E9B00TCwndDQq/vnJ2iYGdNp9k=
-Coefficient: Lp80HvUH/WDwsH1akU1UWbN2n4m3g/hLtihVVuzf0s0=
+++ /dev/null
-;% generationtime=20081120072448
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jB eymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
--- /dev/null
+;% generationtime=20090703233023
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 1 BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ jyZPu//rrNM=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: xmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
+PublicExponent: AQAAAAE=
+PrivateExponent: XlDWosjdpEbIW8ZRePu+4sLTs+RCmA9bvovqke/u0Ihkf6zWx6J2DnYj182ohyoJlVr1NnLILTkNhJn6JI0uBqJ7KRDVXl+U2mHnQNwGqbBu2X7Jie4xFMp233n6Z/HNpj5RM5THQ5tFEJk+TIvq/Hm9z8fvAaeYnHVhrTTJL8E=
+Prime1: /igp3zZZKfWKdgOkCgHxL8hHemOTtGfEpi6ZYkffjLKiSOZJdMNHjLXEBCxsYN/z0nB0XXhIbSoUAv/EQVoiGw==
+Prime2: x9Fnz8jP/a1OIK9P0BDnEmjXFB8oa5T9/qpKGA39mH/8qUnlrjlXOYfD/3tWSdEJYFVVnfC5j+toAL+S0xwLqQ==
+Exponent1: 8Jzwnn7H+XAirDxPLBq1LUGyVU6HwB5iBzomgzRwIYcVyZ42703Hj+EWJDDcA8do637glysqT+TJspaoJHwOLQ==
+Exponent2: AcOgKCzXdN3++cGAJxOS/MSETfFCWn1msgTeTw744kqGLVdnN3qX5yXGrneVjZGziKYLzLnKOs07AkT2uthRuQ==
+Coefficient: czI2hMFi9kfCMkcNwKWk+3sGUD7bXNI7HVmkTS6dnCmB6jGIlN3gtqDlNFLd7RcHhicOMGpIHE6JVT8vSkfouA==
--- /dev/null
+;% generationtime=20090630103352
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 vlXrwWNo4Pk=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: tnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
+PublicExponent: AQAAAAE=
+PrivateExponent: WGyscUMH71EaEXIbZdRFZ6J951l/3sXPtaivtQkOHt0E0bmHhqqqLta8HN/2xZR0w1+W/VAV6sCHXoTzhs82qUQOV6QpkR2tmN+etB/CNdGKrT+VvXrD75TJbCeegPeCvjnWbivAsmC2l46ogTMY0M1VZxJrWPKxpmEeQhxNFz0=
+Prime1: 5s6qRA7112fgOe/e+nq85LK/PkwOOoyOabhoJOL7I/5i9F5eBWBel4PCEaemGrGNk0zKqRFmE/Zs4DU2JsUMGw==
+Prime2: yl1x7nEIDegqhVwO/dvATBC0v8oVNRmqo8aBB/6apdOcuToBTSPrq+qPnq3ehRNK2Oz4CVYtoNtF9Xt+GtUwew==
+Exponent1: WoQRwLNR/Gu7SXDr4Y6A6eZ4YmwPqeistIcAmUaDxFREAn6eDxTJVA/tYeDKZ8L8sREOsdURTzkdePR+fHF/6w==
+Exponent2: U3eTb0W5WVGW+v7jyBGlzoZciU7nZNajKLo0X6GriGfpcfctnjsSQL3hjQzZRk0y7YIIdgtv0ApV5iTmQ9FUvw==
+Coefficient: hdjOg1UkqrwW5sVyS4o1KEW0Sipue+s3O8AZ11BVa2jt6ijqazZRQTMQBSoRpu8N+h5+jA1CvJmXUYTCRocSew==
--- /dev/null
+;% generationtime=20090615065826
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY 04a9eVgvhME=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: u2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBznW7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
+PublicExponent: AQAAAAE=
+PrivateExponent: opFdHZAmZ2/cdNYkJs+CD0jU3nK/atMHKnKtsczlAC7p4eqmS2vRj54oe+yG204gZ3yzLp6yIp3TALfutc5HICmuyfMUdliiaUn3dcbzcc6QK9XgcEJPSz2X5Ot04CdgafNZ5g6s4r2zWSSRBYsZtCeZbevIH4KJcJjh/D5IDF0=
+Prime1: 7SZBGa/9lloRYImdEH5auLkCDGezv+AGKFtMm/UjQ8KwezpxtjFz+KsWckEtyUkDIIPWAQ3t4iND118Nb7L8Uw==
+Prime2: ykU794Iygwej+0ZsLsDju3Iulniy2qtvQ4CrS6zu6D0BzuiQyAEI9V1PThMnIfHlIA3g8rGRK8AAARiCrNh4Gw==
+Exponent1: tcJZs75GusGfQ7z3N//r+rp67thZlOV3RY//4mm+t3Hg4qZEw02A9kSmNdiBb0VzVhKIHd3OFvXCkdKa5fj6Qw==
+Exponent2: nyGlgUHTHESEFHfdJEIxVvRNa12iG179Mfu7ytWNpKUV9EvAP1WfyoGlLEmhhwENii/xK1e4qwxNk1yjBtQ8CQ==
+Coefficient: r2Nfc/szQ0mm/kJdfenPpWVbdvAML1RSt7CxaNUfYqmnuMRP12LMJazAApIweJKNI0u4qDBLIHhAwbXKFtLm1A==
--- /dev/null
+;% generationtime=20090630100243
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: zVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
+PublicExponent: AQAAAAE=
+PrivateExponent: v0UmLwzL0RBea93NN1Q/yMFvFHSI30Np9yxdVCxDjq6zYrCiv2UTwXzPCyG1JWhclopzNII3DYR9ISgha58QCQ==
+Prime1: +Bo/midKqM2wRrPj4owYKZuocaTi9oEWb+MstOkOWe0=
+Prime2: 09q0bHeQfNY3OQsry+f2Csa2koLUcmfxxf23bzElKBs=
+Exponent1: DORw4XBF3dMjMygLL0A7KTeQlW0iDgSD7tAPMTKSmhk=
+Exponent2: BLC9fqcbNVq9EslHvNzhH6ElMO1bysgB3rAUKhk4Srs=
+Coefficient: jtQYbg6K63W4zqe6HCxXpI9N5vqwlZ/bK9T0JQZjX94=
--- /dev/null
+;% generationtime=20090703233023
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: umjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
+PublicExponent: AQAAAAE=
+PrivateExponent: QuAiyiQQUiopUhjwXZa0E5s+tj4pf/de2jaKwQKGaXbhZMX3ispK85LKkvjGr1ABA4+w59cnMHaeKk7nHRVDCQ==
+Prime1: 3eK3/XpauQNk2f7fpzOZOYokiS4Nx55XmGxUu3gTPiU=
+Prime2: 1xHRlPz8vYslUMhZxgNZY9fzczJzjbjFP005iokb+Ks=
+Exponent1: CjTZf3NTj0mEQLOYF6HIoIkNlBTQjLHIauAjx16Er1k=
+Exponent2: z10pNT3TMAYu/V+nkLnw0afwXjvF8KtgwIw8j5rD7B0=
+Coefficient: wAh2F+9cb8rF+bp/spymV25IGtBq+ht/TU8Rt7PRrLc=
-sub.example.de.dlv.trusted-keys.net. IN DLV 31785 5 1 3D56DD760ECF5184EAAE810F523934239F3D5AA5
-sub.example.de.dlv.trusted-keys.net. IN DLV 31785 5 2 BAF6AFA18EED60E28AFFDB6094DCE3095A0C6B039D2DF8020580F6BD E43B76F9
+sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
+sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
+sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
+sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
-sub.example.de.dlv.trusted-keys.net. IN DLV 56595 5 1 839C43F0267473F1335354384D91BFD70145AC01
-sub.example.de.dlv.trusted-keys.net. IN DLV 56595 5 2 37F3AA854D2B7B2A9FAE3868EB37FFB08E1EDE2E14AF4D259E6C46B0 27D5C5B7
+sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
+sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4
; !!! Don't edit this file by hand.
; !!! It will be generated by dnssec-signer.
;
-; Last generation time Dec 28 2008 23:06:40
+; Last generation time Jul 04 2009 01:30:24
;
; *** List of Key Signing Keys ***
-; sub.example.de. tag=40956 algo=RSASHA1 generated Oct 03 2008 01:02:19
+; sub.example.de. tag=40956 algo=RSASHA1 generated Dec 28 2008 23:55:28
sub.example.de. 3600 IN DNSKEY 257 3 5 (
BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg
CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/
ISRyLtFdi10=
) ; key id = 40956
-; sub.example.de. tag=56595 algo=RSASHA1 generated Oct 03 2008 23:27:15
+; sub.example.de. tag=26451 algo=RSASHA1 generated Jun 15 2009 08:58:26
sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
- pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
- cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
- GLv3a4BbGFc=
- ) ; key id = 56595
+ BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
+ W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
+ j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
+ 04a9eVgvhME=
+ ) ; key id = 26451
-; sub.example.de. tag=31785 algo=RSASHA1 generated Dec 16 2008 17:32:13
+; sub.example.de. tag=24426 algo=RSASHA1 generated Jun 30 2009 12:33:52
sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxX
- T5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEE
- J9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVji
- qj6JGXl48/0=
- ) ; key id = 31785
+ BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D
+ xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp
+ 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878
+ vlXrwWNo4Pk=
+ ) ; key id = 24426
+
+; sub.example.de. tag=60332 algo=RSAMD5 generated Jul 04 2009 01:30:23
+sub.example.de. 3600 IN DNSKEY 257 3 1 (
+ BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ
+ f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg
+ oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ
+ jyZPu//rrNM=
+ ) ; key id = 60332
; *** List of Zone Signing Keys ***
-; sub.example.de. tag=59924 algo=RSAMD5 generated Dec 16 2008 17:30:27
+; sub.example.de. tag=11091 algo=RSAMD5 generated Jun 24 2009 17:12:33
sub.example.de. 3600 IN DNSKEY 256 3 1 (
- BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jB
- eymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
- ) ; key id = 59924
+ BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+
+ 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
+ ) ; key id = 11091
-; sub.example.de. tag=39146 algo=RSAMD5 generated Dec 16 2008 17:30:27
+; sub.example.de. tag=38598 algo=RSAMD5 generated Jun 24 2009 17:12:33
sub.example.de. 3600 IN DNSKEY 256 3 1 (
- BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw
- 9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==
- ) ; key id = 39146
+ BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe
+ zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
+ ) ; key id = 38598
-; sub.example.de. tag=4031 algo=RSAMD5 generated Dec 28 2008 23:06:40
-sub.example.de. 3600 IN DNSKEY 256 3 1 (
- BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgN
- cV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==
- ) ; key id = 4031
+; sub.example.de. tag=37547 algo=RSASHA1 generated Jun 30 2009 12:02:43
+sub.example.de. 3600 IN DNSKEY 256 3 5 (
+ BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy
+ 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
+ ) ; key id = 37547
+
+; sub.example.de. tag=57863 algo=RSASHA1 generated Jul 04 2009 01:30:23
+sub.example.de. 3600 IN DNSKEY 256 3 5 (
+ BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1
+ XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
+ ) ; key id = 57863
-sub.example.de. IN DS 31785 5 1 3D56DD760ECF5184EAAE810F523934239F3D5AA5
-sub.example.de. IN DS 31785 5 2 BAF6AFA18EED60E28AFFDB6094DCE3095A0C6B039D2DF8020580F6BD E43B76F9
+sub.example.de. IN DS 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
+sub.example.de. IN DS 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
+sub.example.de. IN DS 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
+sub.example.de. IN DS 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
sub.example.de. IN DS 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
sub.example.de. IN DS 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
-sub.example.de. IN DS 56595 5 1 839C43F0267473F1335354384D91BFD70145AC01
-sub.example.de. IN DS 56595 5 2 37F3AA854D2B7B2A9FAE3868EB37FFB08E1EDE2E14AF4D259E6C46B0 27D5C5B7
+sub.example.de. IN DS 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
+sub.example.de. IN DS 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4
$ORIGIN .
-sub.example.de 7200 IN DNSKEY 257 3 5 (
- BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc
- 7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe6
- 2RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBA
- jrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmB
- cCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc=
- ) ; key id = 56595
+sub.example.de 7200 IN DNSKEY 257 3 1 (
+ BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
+ LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
+ /iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
+ gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
+ vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
+ ) ; key id = 60332
7200 IN DNSKEY 257 3 5 (
- BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59i
- gc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV
- 4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJx
- fWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWY
- g9UGZBconBIAeefO2h19hVjiqj6JGXl48/0=
- ) ; key id = 31785
+ BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
+ WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
+ pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
+ uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
+ 0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
+ ) ; key id = 24426
+ 7200 IN DNSKEY 257 3 5 (
+ BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
+ W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
+ yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
+ ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
+ 0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
+ ) ; key id = 26451
7200 IN DNSKEY 257 3 5 (
BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv
; KSK rollover phase2 (this is the new key)
sub.example.de. 3600 IN DNSKEY 257 3 5 (
- BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
- pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
- cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
- GLv3a4BbGFc=
- ) ; key id = 56595
+ BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
+ W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
+ j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
+ 04a9eVgvhME=
+ ) ; key id = 26451
$TTL 7200
@ IN SOA ns1.example.de. hostmaster.example.de. (
- 2008122801; Serial (up to 10 digits)
+ 2009070301; Serial (up to 10 digits)
86400 ; Refresh (RIPE recommendation if NOTIFY is used)
1800 ; Retry
2W ; Expire
-; File written on Sun Dec 28 23:06:40 2008
-; dnssec_signzone version 9.6.0
+; File written on Sat Jul 4 01:32:17 2009
+; dnssec_signzone version 9.7.0a1
sub.example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. (
- 2008122801 ; serial
+ 2009070301 ; serial
86400 ; refresh (1 day)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
- 7200 RRSIG SOA 1 3 7200 20081230210417 (
- 20081228210640 39146 sub.example.de.
- XM/3402boromtkWjxtvE0SHpUW3J5ITudixH
- Ol/DXfSIUiv5Km5ekQueBMgMIEMFkYHxRYH/
- CRDCu4gTzYJElw== )
+ 7200 RRSIG SOA 1 3 7200 20090705220522 (
+ 20090703223217 38598 sub.example.de.
+ JgCBS7//ArxzV4ZFw1uu5ermsqBelp/HnmeF
+ 1V/2j71/lSIS+1H/o2appt6Ox11KnAqML0Zi
+ D6KRnBt1xAbXmA== )
+ 7200 RRSIG SOA 5 3 7200 20090705220711 (
+ 20090703223217 37547 sub.example.de.
+ gt/Cnm3ltYYKX1h1xUEM8xfGlovwilUCf9TK
+ E6lUZL9w56DY8WDaz+5kdh4FfiXbprTgzjGA
+ LMGc9HSP79dRuA== )
7200 NS ns1.example.de.
- 7200 RRSIG NS 1 3 7200 20081230210435 (
- 20081228210640 39146 sub.example.de.
- YGkNNi+q2byWBB2AnRrZ0fY9eOzOkcvlW98U
- Ti/2LoJhn+LrVNSOG5Xbd7o3KfoxnyyFS+lh
- IwcTPCxkYyTv2A== )
+ 7200 RRSIG NS 1 3 7200 20090705222744 (
+ 20090703223217 38598 sub.example.de.
+ Gor5vVdsREkojunDB1+1EOzQcsOhjO+RP+CQ
+ 9MEdAtqXqfJaqn2BxAkjANy7UWiPbIei3QnT
+ MBmpop2wmSzjHg== )
+ 7200 RRSIG NS 5 3 7200 20090705221546 (
+ 20090703223217 37547 sub.example.de.
+ GOWmEt+2ye6zuH1BdUrzEpmjbLTjrqzTwpOP
+ CBop0iM/TeSKv3OIpzbCscn68XsKdALKx6J5
+ vsnk1e7z4qdMnQ== )
7200 NSEC a.sub.example.de. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 1 3 7200 20081230205813 (
- 20081228210640 39146 sub.example.de.
- dR8j2F8b+725x9Ipuym92XPF0CfLywcU8rVd
- kMwIEHYqvxHtAGgMS7Rg6ehc1Dyu/4AxK5Le
- xQpUFau71SR5zA== )
+ 7200 RRSIG NSEC 1 3 7200 20090705222040 (
+ 20090703223217 38598 sub.example.de.
+ DzeJgkKvZsVnlRG6x1CjJsqE7ZW7STTfq0ND
+ v3whxX6+ODSLWtttakOYZU5ih6YKKbqtxxOi
+ WpV1PcoUZ0g2PQ== )
+ 7200 RRSIG NSEC 5 3 7200 20090705222545 (
+ 20090703223217 37547 sub.example.de.
+ fG3D1B9ERox7BwFF2pFOT7D89+6f/3Ti1xUK
+ rc/kv17mlcxJDzzNtBx7dmKl/jPIccWFEe+d
+ WaeKi5AZKRsCsg== )
3600 DNSKEY 256 3 1 (
- BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+c
- U4MucX+3xq6Emve8Q/jBeymytqtCmRli/G0R
- OBlid0KE2rxJ7rDekuoUiw==
- ) ; key id = 59924
+ BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOml
+ gVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVU
+ BgwiMj4XdqFLLuNzjJbGiw==
+ ) ; key id = 38598
3600 DNSKEY 256 3 1 (
- BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObj
- eSZsRLJkmrYa+cWJSqmw9b7xlpaO+uBE5pkz
- /9GKXXOH+o/q+dBCoZjqTQ==
- ) ; key id = 39146
- 3600 DNSKEY 256 3 1 (
- BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE1
- 0FHTeLeGsVUxBx+O/HgNcV4elmXG/wGBvDjx
- 4vQsbPO5WDiIoXmDUg+/sQ==
- ) ; key id = 4031
+ BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpv
+ StPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQ
+ euyJ87LiXfGpR/X/MCtTEQ==
+ ) ; key id = 11091
+ 3600 DNSKEY 256 3 5 (
+ BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjt
+ YHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hx
+ CoFgziaYXEnU0OjHM/Vatw==
+ ) ; key id = 57863
+ 3600 DNSKEY 256 3 5 (
+ BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yG
+ BvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqe
+ abWDGzKm3MbybdKLLtGD/w==
+ ) ; key id = 37547
+ 3600 DNSKEY 257 3 1 (
+ BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
+ LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
+ /iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
+ gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
+ vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
+ ) ; key id = 60332
3600 DNSKEY 257 3 5 (
- BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc
- 7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe6
- 2RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBA
- jrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmB
- cCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc=
- ) ; key id = 56595
+ BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
+ WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
+ pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
+ uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
+ 0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
+ ) ; key id = 24426
3600 DNSKEY 257 3 5 (
- BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59i
- gc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV
- 4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJx
- fWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWY
- g9UGZBconBIAeefO2h19hVjiqj6JGXl48/0=
- ) ; key id = 31785
+ BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
+ W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
+ yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
+ ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
+ 0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
+ ) ; key id = 26451
3600 DNSKEY 257 3 5 (
BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv
dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB
geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10=
) ; key id = 40956
- 3600 RRSIG DNSKEY 1 3 3600 20081230204044 (
- 20081228210640 39146 sub.example.de.
- rdyBfWCdLqJSLOIg22HSMNpLQTV1GLsg2w5Q
- thtAdJWWdN+YDJfeeD+jkJvwWoQSouleSRdM
- MHZ69c4Fp0KlUg== )
- 3600 RRSIG DNSKEY 5 3 3600 20081230204405 (
- 20081228210640 56595 sub.example.de.
- B4kvh0gQqHNBdwiABmUwMJ+Iqi2dKSsDQTKj
- 0rtquoGkVbbB1mKqGeA0EWjts9g388evvZGz
- hpHVeXQQds4OxRTpt+XlQejbL98RB+8xM+I9
- clj31Dg22MYkzogVqk7VBYTfZN/frK5co5WO
- E+aX97skAkBO8C9rZshwsISbFR0= )
- 3600 RRSIG DNSKEY 5 3 3600 20081230205150 (
- 20081228210640 31785 sub.example.de.
- SiQmiuudpKBGbtKxHupnbvkksCBkYwihgyhl
- kznLuR+GjrZKE4GuzYNAspe5CkDCSbNUHbl2
- CbPFjU4lvGyShA3UtzSM2Cx4SAGi4JtRh7XC
- DtXNIuZK4GBwprUD5nffYAH9Q7Pck9fhl8u8
- YP0JapJ+GV9dx2iSKdbb1JKE8zk= )
- 3600 RRSIG DNSKEY 5 3 3600 20081230205404 (
- 20081228210640 40956 sub.example.de.
- jQty/hjEoHR/lx/tNopuPFNZQ0VF4Qdi37I0
- q2A084KeBTh4v2hgTUA0B00hVncllfgUlOYl
- HbvgHzqhLZPrx2qvtvFlPRmj7FlwjJbXRt5T
- 5JBAMP4IMfd0W6SDsuo1saVVZuiAQPicBbN8
- Rc0Tgde1NEy2rlyVLkk7uKLB0pU= )
+ 3600 RRSIG DNSKEY 1 3 3600 20090705221028 (
+ 20090703223217 60332 sub.example.de.
+ xVnKSgfSjfIEzeJVBlSPfJWDmkG/sGvQQaUc
+ P6kHUugus9z+MwnPpXKCwvSufQQJHzmUuMG4
+ hk29luebSAK+bm8s6lExQQDpUTNWnOxlIrb/
+ pQJp7tsBfN8wfZnOg+FrtLSiWzbN+jRyq+Us
+ 6IUopL10tPSalhTp9UleZSUkZyA= )
+ 3600 RRSIG DNSKEY 1 3 3600 20090705221035 (
+ 20090703223217 38598 sub.example.de.
+ fq6OWIKGHtdavvZx8pkieeF+DdA7P13nvW1c
+ cSmrRsfFFBx8SMJ6H9zFX4FPuoDSsNb8xnNB
+ i7LKN5hMK+uKvw== )
+ 3600 RRSIG DNSKEY 5 3 3600 20090705220958 (
+ 20090703223217 40956 sub.example.de.
+ z3M5xdXXWOywAa9BPtVMzsMWmHumq4rbYyNB
+ e/in7ijwMwRTZ2pOfK5ccOBMhFE8TaRQrZD5
+ 2eP2uqdUE4Jkhr42y5e8+o8ShuKxXIlkGao3
+ oFdCIwPElIUswnWs3i44Hz2SCFVnnCz8PXQL
+ VtxuyGMtrFGuRFh3xC14bi/U5LE= )
+ 3600 RRSIG DNSKEY 5 3 3600 20090705221542 (
+ 20090703223217 37547 sub.example.de.
+ bRPadfI4qu6Xl4SCQ+i97/IANaCsE78L+LTG
+ 1ckVTUmWbDZwj6RjJofdx5Mm1LlM6pi5hAJ2
+ 7vDjTlynq0uFyg== )
+ 3600 RRSIG DNSKEY 5 3 3600 20090705222555 (
+ 20090703223217 26451 sub.example.de.
+ Eu2lW/SJDyKHZ0zLIV3Co80+D9ykkULXEJpR
+ BpvhG6wa9R9i0z/QEQc3QWUt2sDPOYDX61wh
+ iP87yVmb2B1IFMU/VW33d2xZgcK2NGSMk0QI
+ g2T6jXk+uWd9ribgfWT57Xf3Qr2D+Zl23mOR
+ Q/C/bJgOmq9mZt4vNOBTvgmuHqw= )
+ 3600 RRSIG DNSKEY 5 3 3600 20090705222912 (
+ 20090703223217 24426 sub.example.de.
+ ktIrKORfmsOtyUj47zBb1p/3wp/aA2GIT9dI
+ e+mDK6Kvvc3Rb+UZe2689vAMwq7/lMvRhHQR
+ 25Od0UIU77XuW/trIczippIl78ISPwKSiEN0
+ LUO9kUf9yZ2dqsZMxMKXWZMSVYXY0ja8zSY5
+ v9HafpYQx24FTD99v6DcjMvQu/M= )
a.sub.example.de. 7200 IN A 1.2.3.4
- 7200 RRSIG A 1 4 7200 20081230210029 (
- 20081228210640 39146 sub.example.de.
- Mfh4ntlgKOlE1vleYbD8tN8VfvHEYbIZ1/bG
- TWEu2pQNK2YLC7mLfVQWW3bcpzlmOucmWFJq
- XXH+nnsftjxZog== )
+ 7200 RRSIG A 1 4 7200 20090705222143 (
+ 20090703223217 38598 sub.example.de.
+ A9WVnbcBJW3L+GOND3BJdtrzK3G/klcIWp8l
+ 0WW1HTbiJAFMxizNWVjyGKU3ciydtawT7gVS
+ guDWYW++F1vv4w== )
+ 7200 RRSIG A 5 4 7200 20090705223053 (
+ 20090703223217 37547 sub.example.de.
+ kZWrAPgslp1YjZtfWhSgQfpegRrVVjVGLPhi
+ 5OAwpJ14sWmXe+Ty7PbDM1icKdt3DwmGHtk7
+ jkFkcdEu6pH3rQ== )
7200 NSEC b.sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 1 4 7200 20081230210434 (
- 20081228210640 39146 sub.example.de.
- hKTSoLDwWufmjaQnW53kLzog9MfMK3eUcjHr
- 98uOCfKY3xRFqxHn0UmUvfaHSrCaMGRuwH0H
- 84fk3FvVO3Sg4g== )
+ 7200 RRSIG NSEC 1 4 7200 20090705221732 (
+ 20090703223217 38598 sub.example.de.
+ Jb666TyzO/8OaJKtEsg/baMAwV3WgLzplwKi
+ 0FcSu89AMMTEtYDkJx3PSinttrkK/74SHCQI
+ QprLeptnAT88wQ== )
+ 7200 RRSIG NSEC 5 4 7200 20090705223013 (
+ 20090703223217 37547 sub.example.de.
+ L7pmPJgNOV4XpcN2BsUti0OyVNp3SZu58z8w
+ nJk6Na21sO6gorCh0T9r9GYK0JbJVk6BC+9D
+ BBQkH4YqqkPxXQ== )
b.sub.example.de. 7200 IN A 1.2.3.5
- 7200 RRSIG A 1 4 7200 20081230210628 (
- 20081228210640 39146 sub.example.de.
- LP1xgEzTIlc0w57Ohv9HwJ9eAeGFGeMDM3Ag
- 9oA18G8lUWpzTX66D9sHKdpDxCo8IX8IuosE
- AO4BjHjFytWPLQ== )
+ 7200 RRSIG A 1 4 7200 20090705223139 (
+ 20090703223217 38598 sub.example.de.
+ gaoCOBLTR+bfk7O73vH80nP37xchqjh4S8gk
+ aIhiXZwmVYwWatlzhB8ZK/qhs4mRLqs3Rpte
+ QVYtDIC2+AOstw== )
+ 7200 RRSIG A 5 4 7200 20090705221720 (
+ 20090703223217 37547 sub.example.de.
+ A4+jPotrDIV4JgxRNjH/2vtFW9RNM4g0acRI
+ tpEoOAphse9Ki7/KDJDYRyjlNqNOYoPSlDlz
+ rWlKXai3MYg7VQ== )
7200 NSEC c.sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 1 4 7200 20081230204400 (
- 20081228210640 39146 sub.example.de.
- 2tmWQXRQEOF5tojcBhFRMVe5pp0V1tA+Jk8M
- svsYT1ukbaJ3QeDOaTGUA604hLEm7J+uapy+
- LTvOcKZl65st6g== )
+ 7200 RRSIG NSEC 1 4 7200 20090705223117 (
+ 20090703223217 38598 sub.example.de.
+ DuFAapyfyrTDnYkgkkGZG6JyiWa2yWbSbvB/
+ EbiaA//ffEEFvoHPt+md+ctHtw7inP3WZ0jf
+ IBAStKfocnPfxA== )
+ 7200 RRSIG NSEC 5 4 7200 20090705222451 (
+ 20090703223217 37547 sub.example.de.
+ y4eQUHYVVEDsXXjtx3YZ5mGtrdL8x7e3F5HK
+ J/jTwHDYvCq+/xqaXdOGIDl1TZYN4Z+/mgud
+ ePUilJqZI7+d0A== )
c.sub.example.de. 7200 IN A 1.2.3.6
- 7200 RRSIG A 1 4 7200 20081230205321 (
- 20081228210640 39146 sub.example.de.
- m5/r/M1tF0d3rEU/kmubSZdV5ZmdKWmcCWTo
- kv+oTux07+5dS7XisCHT+ufjiFkIgI3cf9I6
- bbtEMaChCRmwhA== )
+ 7200 RRSIG A 1 4 7200 20090705220747 (
+ 20090703223217 38598 sub.example.de.
+ AhUeZDcL2x0nT4K1ueLzpti37wP0p+nBCO1h
+ N1asQJycnjayQ49nVwXuOPjFtO5SpUijl/gf
+ rsvFrG2Eyf8KyQ== )
+ 7200 RRSIG A 5 4 7200 20090705221402 (
+ 20090703223217 37547 sub.example.de.
+ I9UX1XpqYmFXZKfS0SJn7eAahEGlDvTO/miW
+ 5sAvWS1PDIPiGs6eNIKEjmCcy1bTCR8TdCF4
+ eDzbZncW5J57bA== )
7200 NSEC localhost.sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 1 4 7200 20081230204731 (
- 20081228210640 39146 sub.example.de.
- WZAiKmtmMVq69fGpQAxKXFj9179lZm1qd7qs
- gyiutFjWtQTRQFI6wxHyhh1WXdagtI2AjR9V
- eGdKUuoZ9n22yA== )
+ 7200 RRSIG NSEC 1 4 7200 20090705221655 (
+ 20090703223217 38598 sub.example.de.
+ spoeS9+UVDFk3i6OuzJDg+dYm1UGVd1dd/1H
+ c0Cg7Wn5FjKwAuxVh6Fkwo+gnfFeuNqXULp7
+ 2oZVaizjK0xxdA== )
+ 7200 RRSIG NSEC 5 4 7200 20090705220501 (
+ 20090703223217 37547 sub.example.de.
+ qjJcnn8GAR948AasHOuT3grziFXevNKdIdd0
+ JsThsXekPAFoe/o/Wj7a/aRBQpdSQHfbHs66
+ ehXm31OmY1Z1MQ== )
localhost.sub.example.de. 7200 IN A 127.0.0.1
- 7200 RRSIG A 1 4 7200 20081230205746 (
- 20081228210640 39146 sub.example.de.
- Vc48b7SkFZO1e4lNIti+Iw9vPSgxANdhakP/
- oqjKgxMMr+dmk0Vn29DYBTH+bkR7nBpccP9l
- qe0UCeieNSgqOg== )
+ 7200 RRSIG A 1 4 7200 20090705223018 (
+ 20090703223217 38598 sub.example.de.
+ KKzhk8TIfVygE1HXHyno+5JRUa/HjZXlCyqO
+ IXPpEh2AGQjbEy9lJOXbfH15explsbFUl8iS
+ oFdkIwDqvk/ldw== )
+ 7200 RRSIG A 5 4 7200 20090705221933 (
+ 20090703223217 37547 sub.example.de.
+ X5HZEaT+hbuvxoOng20cDqYGepR2ud7q7ASs
+ ADVuZx38VBtj02Gbp0xyM8LnjjrKD6McQC35
+ lqRrrcEvaMIFYA== )
7200 NSEC sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 1 4 7200 20081230203757 (
- 20081228210640 39146 sub.example.de.
- StI4gda9HqSmD1/1zcW/wJaFXvd8zKRHnH89
- nrUy4C6PWJ+9Tqs4QhYm1AzAtZRwSEasS0jX
- g0mFyc6p12gXqg== )
+ 7200 RRSIG NSEC 1 4 7200 20090705223031 (
+ 20090703223217 38598 sub.example.de.
+ nUE795F1yE6+61N2UQb2Kmm4PpTBpdwGiPD5
+ RfETf5J3Y/7M6GuUw7Rrl5G5FHN9vzz4IJLB
+ XeLxR6WY4FdXFg== )
+ 7200 RRSIG NSEC 5 4 7200 20090705222830 (
+ 20090703223217 37547 sub.example.de.
+ YitlICV/U/5iwY5vYd4Huwpyx3O317WuufiP
+ 8Ci4kDa6pp7bzM+q5INYGn5ZuFUb6bk1LrJG
+ hu9IzPp4IpAwhQ== )
; 0123456789;
; It's also possible to use the date format e.g. 2005040101
@ IN SOA ns1.example.de. hostmaster.example.de. (
- 269 ; Serial
+ 277 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
-; File written on Sun Dec 28 23:06:40 2008
-; dnssec_signzone version 9.6.0
+; File written on Sat Jul 4 01:33:59 2009
+; dnssec_signzone version 9.7.0a1
example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. (
- 269 ; serial
+ 277 ; serial
43200 ; refresh (12 hours)
1800 ; retry (30 minutes)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
- 7200 RRSIG SOA 5 2 7200 20090107205708 (
- 20081228210640 11327 example.de.
- KC6gXko+4iRmpofCb+uOs5e0Jgq4CJVUgsw3
- jjXDsra7FXWybJj9FgO5cdy2KHbV/cQJ5Li6
- bgH2E0gZpcYrvA== )
+ 7200 RRSIG SOA 5 2 7200 20090713220611 (
+ 20090703223359 55529 example.de.
+ rwMt/rMQ9Ioun/qZlL4nTW9J7rg3hZs+8Jxu
+ +GJ3IWDRFzf3ri9A5+ZWubnZs+eXkDtlxDQ5
+ hsQYk04gxowbNw== )
7200 NS ns1.example.de.
7200 NS ns2.example.de.
- 7200 RRSIG NS 5 2 7200 20090107205857 (
- 20081228210640 11327 example.de.
- P5GvCnGqZ3+rGh4fZtGmYfezyI4swQXFVdtp
- UkhR8SBDRgC9HQU5qZw7g7cbuO/CrRUWZLuf
- NYgJvaeyoL8Khw== )
+ 7200 RRSIG NS 5 2 7200 20090713221949 (
+ 20090703223359 55529 example.de.
+ ehIVNiOaHHevfb3GkYt79MSmwzzMUCHvOGOf
+ MSI3QqG+Z0rS+wjI1pXdJxnVbzLldkZThBAZ
+ wwZVvOnfyye+Bg== )
7200 NSEC localhost.example.de. NS SOA RRSIG NSEC DNSKEY
- 7200 RRSIG NSEC 5 2 7200 20090107204400 (
- 20081228210640 11327 example.de.
- cdjSIAQDouZldROWir7R4/k6xcwbvOUcOmNO
- rkGROzjrQf3IdE7vCwxLj/KavLqK5OIhSztf
- Xx9lY5RJWhhxQA== )
+ 7200 RRSIG NSEC 5 2 7200 20090713221831 (
+ 20090703223359 55529 example.de.
+ B4vUFaDg29C95e0nstt6d6hsOYqiGWfMchp3
+ MHb2FuYZN369T+OjJxBO3jaxhB6JLhQQT+CA
+ Kbdednz3+3mpbw== )
3600 DNSKEY 256 3 5 (
- BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchY
- FYUD2lnvJKeq7ATwesuRNpn17Erjz09GhDn9
- l2J92dAy8m4uofcdFkYKnQ==
- ) ; key id = 11327
+ BQEAAAABty5HRSBzUDY5SVgORw+KKE64Sjmq
+ EpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqB
+ k/zizzUe4+dbj+jORPirtQ==
+ ) ; key id = 55529
3600 DNSKEY 257 3 5 (
BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
K9bqDM8Euw==
) ; key id = 47280
- 3600 RRSIG DNSKEY 5 2 3600 20090107203935 (
- 20081228210640 47280 example.de.
- Bk6rghHHe5smNETUq9iRY6JWr4gSZirMv6Pr
- Sv6AuRNYbHz1K0ZMhQxdjkYbz7WidOtjtolm
- lO2LGZreuNuU8vTbBNxJYTLHUDtncncuYQZR
- htD5hsgGVyeYgEo5X+aIz0+NjrdJrkh3aDZd
- k6FO0ga5+kmbg9My/C1vvnLgjWUaqjP3vnFB
- 9mO5sb30X6qv3VT2d6A4DDqzCucYAphCSuSP
- jw== )
- 3600 RRSIG DNSKEY 5 2 3600 20090107205931 (
- 20081228210640 11327 example.de.
- EW0xShpQjjJnNl94XIe3SBqW/Ml2o5J5R5pf
- pIp2NAVwE2lrBzukxjHQ+M4PPF2EtIUW9lF4
- AFrLMfn3ymVnCw== )
+ 3600 RRSIG DNSKEY 5 2 3600 20090713222248 (
+ 20090703223359 47280 example.de.
+ AnxgMlrm0RcJPTcgO40Ul+k8T0B5YYF3PE4O
+ DjZ6GwdU0RGtIswtrD5JQoaEm0rJcckU7zaP
+ 372CkCbdapzMbTafjx90KpnPGNka2umUEoU+
+ wE1T0EmEHPsNy1UnxXpNgrtUlLQ7+wypX85h
+ H4xIhkZLt3rc/xfztObawFkw1PvjdBMp1ySY
+ 9jz8TPWSotfItRz2UDSWmFz2+Mt3fuKhvnWp
+ sw== )
+ 3600 RRSIG DNSKEY 5 2 3600 20090713222256 (
+ 20090703223359 55529 example.de.
+ kahO5eo6d+HIuROuIhprEG5vMnsVK1c8jueZ
+ ThPa3YVVL3hSP7h79FPugMb6paqBSi0CW/0x
+ X32Vx3fHL2R7Cw== )
localhost.example.de. 7200 IN A 127.0.0.1
- 7200 RRSIG A 5 3 7200 20090107205407 (
- 20081228210640 11327 example.de.
- WSfYUmVVSaPb9nKWyCzczQDcjqlY+QsUSFlx
- FN7OuARdi5JHQ6b/z3y9zrsUJOhuqM1XiF7H
- +Y9WEsWuNjmzmw== )
+ 7200 RRSIG A 5 3 7200 20090713220920 (
+ 20090703223359 55529 example.de.
+ hQddObpj6XKM06r/fZB3uXW5K44vepmmJs9Z
+ 4IDPRBwG+YzZCkUly58N5soSFxiF50Ieaq4M
+ pmC47X42c1EHKg== )
7200 NSEC ns1.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090107204235 (
- 20081228210640 11327 example.de.
- URFD9Qy9xizej4LokkN8xqqGE4A4Fbe7S33O
- vlUr1mw1Kx4zlzscUtGYAuMsHZgi/Rlyppib
- XW+Fd3NHsYhisg== )
+ 7200 RRSIG NSEC 5 3 7200 20090713222053 (
+ 20090703223359 55529 example.de.
+ OednWdOSDAxJXwuc3OugwSYPvOFl29c98R1s
+ cPyovg8NoQnSAyXlqANUrOEHKzXekelzGV53
+ wzfFHCmIuJZ5Fw== )
ns1.example.de. 7200 IN A 1.0.0.5
- 7200 RRSIG A 5 3 7200 20090107204603 (
- 20081228210640 11327 example.de.
- ZO17IgiAhdKtukAJEHIQyN+RqUHWOMvsDod8
- XAFuBfunAeul+LiSjupWQDOijQoOfa5uVMRT
- 1wFhEqz//YgXkQ== )
+ 7200 RRSIG A 5 3 7200 20090713221855 (
+ 20090703223359 55529 example.de.
+ TXWHh/P5XR0krzYb0io4o1/42AeNGcPcdHob
+ iiFJCKHmyX8hVVysHfvvN6wB1XqLOWsSNxsZ
+ pwPbr9JcTJDMPA== )
7200 AAAA 2001:db8::53
- 7200 RRSIG AAAA 5 3 7200 20090107204610 (
- 20081228210640 11327 example.de.
- S4aYxgu/DoVFaM0xdQ7WhfMaPK5sPt4ksZXx
- rsNKCpL1JdNP9S78H4Iy1RUJ0I9i1EAFiWOl
- 0JhVSprPJJiOIg== )
+ 7200 RRSIG AAAA 5 3 7200 20090713221023 (
+ 20090703223359 55529 example.de.
+ meShWaTBanhROgGlnwQq0KNmEKJbjLluTj7Z
+ ELbMUvgmTc1qLBCDHzWtp8sWWXz5UbMacL9X
+ F7Ncp5dAbBO2lQ== )
7200 NSEC ns2.example.de. A AAAA RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090107210249 (
- 20081228210640 11327 example.de.
- XVIz/mWN2RQ5mm20RYOytSl5Q7n9LNMenB6d
- HpT1kaDLYSdPXd3ZlvBCNNMdNhMFmZTBxAxL
- b0Mz8eoLdsy6Lg== )
+ 7200 RRSIG NSEC 5 3 7200 20090713221918 (
+ 20090703223359 55529 example.de.
+ B4mBvLOjzjuahaarR0UJwf+2IpLo0Hj6Jxj9
+ WfKlMrUVJOmm2Hbq0Amk/L0NSeqD+W1eNlux
+ 6EVYdyJm4f+wlw== )
ns2.example.de. 7200 IN A 1.2.0.6
- 7200 RRSIG A 5 3 7200 20090107204524 (
- 20081228210640 11327 example.de.
- fCtOEIQlgh4XDJTZdmh0MBBHOlXvvCR4L+bR
- gKBOUUtzaeL+FuXo8zyrWKuOp6hXj8eOceEL
- oZCrKrjJBbHrJA== )
+ 7200 RRSIG A 5 3 7200 20090713221339 (
+ 20090703223359 55529 example.de.
+ FPMu/4JWrPbRMPXm8Hyx3AD+lRn4jCZ70WZh
+ LSADXIx3lZfEGy14x4UD7iLUiC/9TPl1aY6w
+ q9R3ZLNhVmMbyw== )
7200 NSEC sub.example.de. A RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090107210617 (
- 20081228210640 11327 example.de.
- R4s8H352jY7amgr0bNRmhW4oXD++1itgbk33
- OMDY3cbEEmZ+NonMRDkIOb4cTjDh4in9otMs
- Cl2vNscx9VO9QQ== )
+ 7200 RRSIG NSEC 5 3 7200 20090713221447 (
+ 20090703223359 55529 example.de.
+ DINiU0MiPkSyMjyJzKYuj3FgRlE92LubLU7v
+ eFufAQJM8hXe7oc+JfOSVDhpKdyF2ayd+w/e
+ TTnmaF7c65FZvw== )
sub.example.de. 7200 IN NS ns1.example.de.
- 7200 DS 56595 5 1 (
- 839C43F0267473F1335354384D91BFD70145
- AC01 )
- 7200 DS 56595 5 2 (
- 37F3AA854D2B7B2A9FAE3868EB37FFB08E1E
- DE2E14AF4D259E6C46B027D5C5B7 )
- 7200 RRSIG DS 5 3 7200 20090107204420 (
- 20081228210640 11327 example.de.
- ksOzuWcVDmEEipMetLHeNfWjhSiGizHN5qUL
- H78iOQsu9/zGDuMlLt1ysY+B2vAASCl5jVTp
- B5vr9CTvewcyAA== )
+ 7200 DS 26451 5 1 (
+ 317B8B00E2518957ED982C4872659A5E7F85
+ 783E )
+ 7200 DS 26451 5 2 (
+ C5492796671C24EA74C30B39371E94AD1A3D
+ D2EA8977B4949B08422C16217B2A )
+ 7200 RRSIG DS 5 3 7200 20090713222900 (
+ 20090703223359 55529 example.de.
+ hfoghbLW7Xd1CnLwcA/k6NM54/U34M1j5ELo
+ 0S+r5jbhy6rBj3kE8PRWCvLkpFclVyTAt0nq
+ pS69INoz+7pmeg== )
7200 NSEC example.de. NS DS RRSIG NSEC
- 7200 RRSIG NSEC 5 3 7200 20090107204025 (
- 20081228210640 11327 example.de.
- pyIEOLCMXk7H4wDJ2IwJdoUxvm7UdDlHpsVR
- gsgyogrsRb7xjnWQJ/lwHso+cmcGwvMoD/Qz
- IjVpouYPkbRe3w== )
+ 7200 RRSIG NSEC 5 3 7200 20090713220837 (
+ 20090703223359 55529 example.de.
+ mrR2sfL826pwQ3+/3X3/z8b3eOecBVYTdAmT
+ tVml23Zegq0EYJlQUiaTH5uP47vu/tsBRba8
+ TzIh0TVdyfiFyw== )
-.TH dnssec-signer 8 "December 28, 2008" "ZKT 0.98" ""
+.TH dnssec-signer 8 "Aug 1, 2009" "ZKT 0.99b" ""
\" turn off hyphenation
.\" if n .nh
.nh
and
.I dnssec-keygen(8)
to sign a zone and manage the necessary zone keys.
-It's able to increment the serial number before signing the zone
+It is able to increment the serial number before signing the zone
and can trigger
.I named(8)
to reload the signed zone file.
ending with ".signed".
These zones will be checked if the necessary zone- and key signing keys
are existent and fresh enough to be used in the signing process.
-If some out-dated keys where found, new keying material will be generated via
+If one or more out-dated keys are found, new keying material will be generated via
the
.I dnssec-keygen(8)
-command and the old ones will be marked as depreciated.
+command and the old keys will be marked as depreciated.
So the command do anything needed for a zone key rollover as defined by [2].
.PP
If the resigning interval is reached or any new key must be announced,
command will be called to reload the zone on the
nameserver.
.PP
-In the second form of the command it's possible to specify a directory
+In the second form of the command it is possible to specify a directory
tree with the option
.B \-D
.IR dir .
Every secure zone found in a subdirectory below
.I dir
will be signed.
-However, it's also possible to reduce the signing to those
+However, it is also possible to reduce the signing to those
zones given as arguments.
In directory mode the pre-requisite is, that the directory name is
exactly (including the trailing dot) the same as the zone name.
as the
.I dnssec-signzone (8)
command.
-The parameter specify the zone file name and the option
+The parameter specifies the zone file name and the option
.B \-o
takes the name of the zone.
.PP
.fam T
.\" \&.
If the argument is not an absolute path name and a zone directory
-is specified in the config file, this will prepend the given name.
+is specified in the config file, this will be prepended to the given name.
This option is also settable in the dnssec.conf file via the parameter
.BI LogFile .
.br
Try to read the default configuration out of a file named
.I dnssec-<view>.conf .
Instead of specifying the \-V or --view option every time,
-it's also possible to create a hard or softlink to the
+it is also possible to create a hard- or softlink to the
executable file with an additional name like
.I dnssec-zkt-<view> .
.TP
.TP
.BI \-O " optstr" ", \-\-config-option=" optstr
Set any config file option via the commandline.
-Several config file options could be specified at the argument string
+Several config file options can be specified via the argument string
but have to be delimited by semicolon (or newline).
.TP
.BR \-f ", " \-\-force
Reload the zone via
.I rndc(8)
after successful signing.
-In a production environment it's recommended to use this option
+In a production environment it is recommended to use this option
to be sure that a freshly signed zone will be immediately propagated.
-However, that's only feasable if the named runs on the signing
+However, that's only feasable if named runs on the signing
machine, which is not recommended.
Otherwise the signed zonefile must be copied to the production
server before reloading the zone.
.B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
.fam T
.br
-Sign the example.net zone but overwrite some config file values with the parameters
+Sign the example.net zone but override some config file values with parameters
given on the commandline.
.SH Zone setup and initial preparation
.fi
.fam T
.\}
-If you use a BIND Verison of 9.4 or greater and
+If you use BIND version 9.4 or later and
use the unixtime format for the serial number (See parameter
Serialformat in
.IR dnssec.conf )
.SH BUGS
.PP
-The zone name given as an argument must be ending with a dot.
-.PP
The named.conf parser is a bit rudimental and not
very well tested.
-.SH AUTHOR
-Holger Zuleger
+.SH AUTHORS
+Holger Zuleger, Mans Nilsson
.SH COPYRIGHT
-Copyright (c) 2005 \- 2008 by Holger Zuleger.
+Copyright (c) 2005 \- 2009 by Holger Zuleger.
Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
.\"--------------------------------------------------
-<!-- Creator : groff version 1.19.2 -->
-<!-- CreationDate: Sun Dec 28 23:15:25 2008 -->
+<!-- Creator : groff version 1.20.1 -->
+<!-- CreationDate: Tue Aug 4 21:33:41 2009 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
- p { margin-top: 0; margin-bottom: 0; }
- pre { margin-top: 0; margin-bottom: 0; }
- table { margin-top: 0; margin-bottom: 0; }
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
</style>
<title>dnssec-signer</title>
</head>
<body>
-<h1 align=center>dnssec-signer</h1>
+<h1 align="center">dnssec-signer</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSYS</a><br>
<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
<a href="#FILES">FILES</a><br>
<a href="#BUGS">BUGS</a><br>
-<a href="#AUTHOR">AUTHOR</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<hr>
+<h2>NAME
<a name="NAME"></a>
-<h2>NAME</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em">dnssec-signer
— Secure DNS zone signing tool</p>
+<h2>SYNOPSYS
<a name="SYNOPSYS"></a>
-<h2>SYNOPSYS</h2>
+</h2>
[<b>−v</b>]] <b>−o</b> <i>origin</i>
[<i>zonefile</i>]</p>
+<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
-<h2>DESCRIPTION</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em">The
<i>dnssec-signer</i> command is a wrapper around
<i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> to
-sign a zone and manage the necessary zone keys. It’s
-able to increment the serial number before signing the zone
-and can trigger <i>named(8)</i> to reload the signed zone
-file. The command controls several secure zones and, if
-started in regular intervals via <i>cron(8)</i>, can do all
-that stuff automatically.</p>
+sign a zone and manage the necessary zone keys. It is able
+to increment the serial number before signing the zone and
+can trigger <i>named(8)</i> to reload the signed zone file.
+The command controls several secure zones and, if started in
+regular intervals via <i>cron(8)</i>, can do all that stuff
+automatically.</p>
<p style="margin-left:11%; margin-top: 1em">In the most
useful usage scenario the command will be called with option
will be scanned for filenames ending with
".signed". These zones will be checked if the
necessary zone- and key signing keys are existent and fresh
-enough to be used in the signing process. If some out-dated
-keys where found, new keying material will be generated via
-the <i>dnssec-keygen(8)</i> command and the old ones will be
-marked as depreciated. So the command do anything needed for
-a zone key rollover as defined by [2].</p>
+enough to be used in the signing process. If one or more
+out-dated keys are found, new keying material will be
+generated via the <i>dnssec-keygen(8)</i> command and the
+old keys will be marked as depreciated. So the command do
+anything needed for a zone key rollover as defined by
+[2].</p>
<p style="margin-left:11%; margin-top: 1em">If the
resigning interval is reached or any new key must be
the zone on the nameserver.</p>
<p style="margin-left:11%; margin-top: 1em">In the second
-form of the command it’s possible to specify a
-directory tree with the option <b>−D</b> <i>dir</i>.
-Every secure zone found in a subdirectory below <i>dir</i>
-will be signed. However, it’s also possible to reduce
-the signing to those zones given as arguments. In directory
-mode the pre-requisite is, that the directory name is
-exactly (including the trailing dot) the same as the zone
-name.</p>
+form of the command it is possible to specify a directory
+tree with the option <b>−D</b> <i>dir</i>. Every
+secure zone found in a subdirectory below <i>dir</i> will be
+signed. However, it is also possible to reduce the signing
+to those zones given as arguments. In directory mode the
+pre-requisite is, that the directory name is exactly
+(including the trailing dot) the same as the zone name.</p>
<p style="margin-left:11%; margin-top: 1em">In the last
form of the command, the functionality is more or less the
same as the <i>dnssec-signzone (8)</i> command. The
-parameter specify the zone file name and the option
+parameter specifies the zone file name and the option
<b>−o</b> takes the name of the zone.</p>
<p style="margin-left:11%; margin-top: 1em">If neither
<i>dnssec.conf</i> file by the parameter <i>zonedir</i> will
be used as top level directory.</p>
+<h2>OPTIONS
<a name="OPTIONS"></a>
-<h2>OPTIONS</h2>
+</h2>
or a directory where logfiles are created with a name like
zkt-<i>YYYY-MM-DD</i>T<i>hhmmss</i>Z.log<i>.</i> If the
argument is not an absolute path name and a zone directory
-is specified in the config file, this will prepend the given
-name. This option is also settable in the dnssec.conf file
-via the parameter <b>LogFile</b><i>.</i> <br>
+is specified in the config file, this will be prepended to
+the given name. This option is also settable in the
+dnssec.conf file via the parameter <b>LogFile</b><i>.</i>
+<br>
The default is no file logging, but error logging to syslog
with facility <b>USER</b> at level <b>ERROR</b> is enabled
by default. These parameters are settable via the config
<p style="margin-left:22%;">Try to read the default
configuration out of a file named
<i>dnssec-<view>.conf .</i> Instead of specifying the
-−V or --view option every time, it’s also
-possible to create a hard or softlink to the executable file
-with an additional name like <i>dnssec-zkt-<view>
-.</i></p>
+−V or --view option every time, it is also possible to
+create a hard- or softlink to the executable file with an
+additional name like <i>dnssec-zkt-<view> .</i></p>
<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
−−config=</b><i>file</i></p>
−−config-option=</b><i>optstr</i></p>
<p style="margin-left:22%;">Set any config file option via
-the commandline. Several config file options could be
-specified at the argument string but have to be delimited by
-semicolon (or newline).</p>
+the commandline. Several config file options can be
+specified via the argument string but have to be delimited
+by semicolon (or newline).</p>
<p style="margin-left:11%;"><b>−f</b>,
<b>−−force</b></p>
<p style="margin-left:22%;">Reload the zone via
<i>rndc(8)</i> after successful signing. In a production
-environment it’s recommended to use this option to be
-sure that a freshly signed zone will be immediately
-propagated. However, that’s only feasable if the named
-runs on the signing machine, which is not recommended.
-Otherwise the signed zonefile must be copied to the
-production server before reloading the zone. If this is the
-case, the parameter <i>propagation</i> in the
-<i>dnssec.conf</i> file must be set to a reasonable
-value.</p>
+environment it is recommended to use this option to be sure
+that a freshly signed zone will be immediately propagated.
+However, that’s only feasable if named runs on the
+signing machine, which is not recommended. Otherwise the
+signed zonefile must be copied to the production server
+before reloading the zone. If this is the case, the
+parameter <i>propagation</i> in the <i>dnssec.conf</i> file
+must be set to a reasonable value.</p>
<p style="margin-left:11%;"><b>−v</b>,
<b>−−verbose</b></p>
<p style="margin-left:22%;">Print out the online help.</p>
+<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
-<h2>SAMPLE USAGE</h2>
+</h2>
<p style="margin-left:22%;"><b>ZSK_lifetime 2d;’
−v −v −o example.net. zone.db</b> <br>
-Sign the example.net zone but overwrite some config file
-values with the parameters given on the commandline.</p>
+Sign the example.net zone but override some config file
+values with parameters given on the commandline.</p>
+<h2>Zone setup and initial preparation
<a name="Zone setup and initial preparation"></a>
-<h2>Zone setup and initial preparation</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em">Create a
<p style="margin-left:22%;">For automatic incrementation of
the serial number, the SOA-Record must be formated, so that
the serial number is on a single line and left justified in
-a field of at least 10 spaces! If you use a BIND Verison of
-9.4 or greater and use the unixtime format for the serial
-number (See parameter Serialformat in <i>dnssec.conf</i>)
-than this is not necessary.</p>
+a field of at least 10 spaces! If you use BIND version 9.4
+or later and use the unixtime format for the serial number
+(See parameter Serialformat in <i>dnssec.conf</i>) than this
+is not necessary.</p>
<p style="margin-left:11%;">Try to sign the zone</p>
to create the initial keying material and a signed zone
file. Then try to load the file on the name server.</p>
+<h2>ENVIRONMENT VARIABLES
<a name="ENVIRONMENT VARIABLES"></a>
-<h2>ENVIRONMENT VARIABLES</h2>
+</h2>
<p style="margin-left:22%;">Specifies the name of the
default global configuration files.</p>
+<h2>FILES
<a name="FILES"></a>
-<h2>FILES</h2>
+</h2>
of the file is settable via the dnssec configuration file
(parameter <i>zonefile</i>).</p>
+<h2>BUGS
<a name="BUGS"></a>
-<h2>BUGS</h2>
-
+</h2>
-<p style="margin-left:11%; margin-top: 1em">The zone name
-given as an argument must be ending with a dot.</p>
<p style="margin-left:11%; margin-top: 1em">The named.conf
parser is a bit rudimental and not very well tested.</p>
-<a name="AUTHOR"></a>
-<h2>AUTHOR</h2>
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
-<p style="margin-left:11%; margin-top: 1em">Holger
-Zuleger</p>
+<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
+Mans Nilsson</p>
+<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
-<h2>COPYRIGHT</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em">Copyright (c)
-2005 − 2008 by Holger Zuleger. Licensed under the BSD
+2005 − 2009 by Holger Zuleger. Licensed under the BSD
Licence. There is NO warranty; not even for MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.</p>
+<h2>SEE ALSO
<a name="SEE ALSO"></a>
-<h2>SEE ALSO</h2>
+</h2>
-.TH dnssec-zkt 8 "December 28, 2008" "ZKT 0.98" ""
+.TH dnssec-zkt 8 "August 1, 2009" "ZKT 0.99b" ""
\" turn off hyphenation
.\" if n .nh
.nh
.PP
In the common usage the command prints out information about
all dnssec (zone) keys found in the given (or predefined default) directory.
-It's also possible to specify keyfiles (K*.key) as arguments.
+It is also possible to specify keyfiles (K*.key) as arguments.
With option
.B \-r
subdirectories will be searched recursively, and all dnssec keys found
a trusted-key section or as a DNSKEY resource record.
.PP
The command is also useful in dns key management.
-It allows key livetime monitoring and status change.
+It offers monitoring of key lifetime and modification of key status.
.SH GENERAL OPTIONS
.TP
Try to read the default configuration out of a file named
.I dnssec-<view>.conf .
Instead of specifying the \-V or --view option every time,
-it's also possible to create a hard or softlink to the
+it is also possible to create a hard or softlink to the
executable file to give it an additional name like
.I dnssec-zkt-<view> .
.TP
to prevent dnsssec-zkt to list all keys found in subdirectories.
For example "dnssec-zkt -d *" will print out a list of all keys only found in
the current directory.
-Maybe it's easier to use "dnssec-zkt ." instead (without -r set).
+Maybe it is easier to use "dnssec-zkt ." instead (without -r set).
The option works similar to the \-d option of
.IR ls(1) .
.TP
.TP
.fam C
.B "dnssec-zkt --view intern
+.fam T
Print out a list of all zone keys found below the directory where all
the zones of view intern live.
There should be a seperate dnssec config file
Same as above.
The binary file
.I dnssec-zkt
-have linked to
-.I dnssec-zkt-intern .
+has another link, named
+.I dnssec-zkt-intern
+made, and
+.I dnssec-zkt
+examines argv[0] to find a view whose zones it proceeds to process.
.SH ENVIRONMENT VARIABLES
.TP
insist on domain names ending with a dot.
.PP
-.SH AUTHOR
-Holger Zuleger
+.SH AUTHORS
+Holger Zuleger, Mans Nilsson
.SH COPYRIGHT
Copyright (c) 2005 \- 2008 by Holger Zuleger.
-<!-- Creator : groff version 1.19.2 -->
-<!-- CreationDate: Sun Dec 28 23:15:24 2008 -->
+<!-- Creator : groff version 1.20.1 -->
+<!-- CreationDate: Tue Aug 4 21:33:40 2009 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
- p { margin-top: 0; margin-bottom: 0; }
- pre { margin-top: 0; margin-bottom: 0; }
- table { margin-top: 0; margin-bottom: 0; }
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
</style>
<title>dnssec-zkt</title>
</head>
<body>
-<h1 align=center>dnssec-zkt</h1>
+<h1 align="center">dnssec-zkt</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSYS</a><br>
<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
<a href="#FILES">FILES</a><br>
<a href="#BUGS">BUGS</a><br>
-<a href="#AUTHOR">AUTHOR</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<hr>
+<h2>NAME
<a name="NAME"></a>
-<h2>NAME</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em">dnssec-zkt
— Secure DNS zone key tool</p>
+<h2>SYNOPSYS
<a name="SYNOPSYS"></a>
-<h2>SYNOPSYS</h2>
+</h2>
<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
[<b>−c</b> <i>file</i>]</p>
+<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
-<h2>DESCRIPTION</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em">The
<p style="margin-left:11%; margin-top: 1em">In the common
usage the command prints out information about all dnssec
(zone) keys found in the given (or predefined default)
-directory. It’s also possible to specify keyfiles
-(K*.key) as arguments. With option <b>−r</b>
-subdirectories will be searched recursively, and all dnssec
-keys found will be listed sorted by domain name, key type
-and generation time. In that mode the use of the
-<b>−p</b> option may be helpful to find the location
-of the keyfile in the directory tree.</p>
+directory. It is also possible to specify keyfiles (K*.key)
+as arguments. With option <b>−r</b> subdirectories
+will be searched recursively, and all dnssec keys found will
+be listed sorted by domain name, key type and generation
+time. In that mode the use of the <b>−p</b> option may
+be helpful to find the location of the keyfile in the
+directory tree.</p>
<p style="margin-left:11%; margin-top: 1em">Other forms of
the command print out keys in a format suitable for a
trusted-key section or as a DNSKEY resource record.</p>
<p style="margin-left:11%; margin-top: 1em">The command is
-also useful in dns key management. It allows key livetime
-monitoring and status change.</p>
+also useful in dns key management. It offers monitoring of
+key lifetime and modification of key status.</p>
+<h2>GENERAL OPTIONS
<a name="GENERAL OPTIONS"></a>
-<h2>GENERAL OPTIONS</h2>
+</h2>
<p style="margin-left:22%;">Try to read the default
configuration out of a file named
<i>dnssec-<view>.conf .</i> Instead of specifying the
-−V or --view option every time, it’s also
-possible to create a hard or softlink to the executable file
-to give it an additional name like
-<i>dnssec-zkt-<view> .</i></p>
+−V or --view option every time, it is also possible to
+create a hard or softlink to the executable file to give it
+an additional name like <i>dnssec-zkt-<view> .</i></p>
<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
−−config=</b><i>file</i></p>
prevent dnsssec-zkt to list all keys found in
subdirectories. For example "dnssec-zkt -d *" will
print out a list of all keys only found in the current
-directory. Maybe it’s easier to use "dnssec-zkt
+directory. Maybe it is easier to use "dnssec-zkt
." instead (without -r set). The option works similar
to the −d option of <i>ls(1)</i>.</p>
Also settable in the dnssec.conf file (Parameter:
PrintTime).</p>
-<table width="100%" border=0 rules="none" frame="void"
+<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
-
-<p style="margin-top: 1em" valign="top"><b>−h</b></p> </td>
+<p><b>−h</b></p></td>
<td width="8%"></td>
<td width="78%">
-<p style="margin-top: 1em" valign="top">No header or
-trusted-key section header and trailer in -T mode</p></td>
+<p>No header or trusted-key section header and trailer in
+-T mode</p></td></tr>
</table>
+<h2>COMMAND OPTIONS
<a name="COMMAND OPTIONS"></a>
-<h2>COMMAND OPTIONS</h2>
+</h2>
hierachical environment. Use --ksk-rollover for a little
more detailed description.</p>
+<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
-<h2>SAMPLE USAGE</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
<p style="margin-left:11%;"><b>dnssec-zkt-intern</b></p>
<p style="margin-left:22%;">Same as above. The binary file
-<i>dnssec-zkt</i> have linked to <i>dnssec-zkt-intern
-.</i></p>
+<i>dnssec-zkt</i> has another link, named
+<i>dnssec-zkt-intern</i> made, and <i>dnssec-zkt</i>
+examines argv[0] to find a view whose zones it proceeds to
+process.</p>
+<h2>ENVIRONMENT VARIABLES
<a name="ENVIRONMENT VARIABLES"></a>
-<h2>ENVIRONMENT VARIABLES</h2>
+</h2>
<p style="margin-left:22%;">Specifies the name of the
default global configuration files.</p>
+<h2>FILES
<a name="FILES"></a>
-<h2>FILES</h2>
+</h2>
<p style="margin-left:22%;">Local configuration file (only
used in <b>−C</b> mode).</p>
+<h2>BUGS
<a name="BUGS"></a>
-<h2>BUGS</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em">Some of the
The option <b>−l</b> and the ksk rollover options
insist on domain names ending with a dot.</p>
-<a name="AUTHOR"></a>
-<h2>AUTHOR</h2>
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
-<p style="margin-left:11%; margin-top: 1em">Holger
-Zuleger</p>
+<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
+Mans Nilsson</p>
+<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
-<h2>COPYRIGHT</h2>
+</h2>
<p style="margin-left:11%; margin-top: 1em">Copyright (c)
Licences. There is NO warranty; not even for MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.</p>
+<h2>SEE ALSO
<a name="SEE ALSO"></a>
-<h2>SEE ALSO</h2>
+</h2>
extern const char *progname;
-static int inc_soa_serial (FILE *fp, int use_unixtime);
-static int is_soa_rr (const char *line);
-static const char *strfindstr (const char *str, const char *search);
-
/*****************************************************************
** getnameappendix (progname, basename)
** return a pointer to the substring in progname subsequent
-** following basename "-".
+** following "<basename>-".
*****************************************************************/
const char *getnameappendix (const char *progname, const char *basename)
{
return buf;
}
-#if 1
/*****************************************************************
** domain_canonicdup (s)
** returns NULL or a pointer to a dynamic string containing the
return new;
}
-#else
+#if 0 /* replaced by domain_canonicdup */
/*****************************************************************
** str_tolowerdup (s)
*****************************************************************/
char *start;
char *p;
- if ( !s ) /* is there a string ? */
- return s;
+ if ( !s ) /* no string present ? */
+ return NULL;
start = s;
for ( p = s; *p; p++ )
}
/*****************************************************************
-** splitpath (path, size, filename)
+** splitpath (path, pathsize, filename)
+** if filename is build of "path/file" then copy filename to path
+** and split of the filename part.
+** return pointer to filename part in path or NULL if path is too
+** small to hold "path+filename"
*****************************************************************/
-const char *splitpath (char *path, size_t size, const char *filename)
+const char *splitpath (char *path, size_t psize, const char *filename)
{
char *p;
if ( !path )
- return filename;
+ return NULL;
*path = '\0';
if ( !filename )
if ( (p = strrchr (filename, '/')) ) /* file arg contains path ? */
{
- if ( strlen (filename) > size )
+ if ( strlen (filename) + 1 > psize )
return filename;
- strcpy (path, filename);
- path[p-filename] = '\0';
+ strcpy (path, filename); /* copy whole filename to path */
+ path[p-filename] = '\0'; /* split of the file part */
filename = ++p;
}
return filename;
}
/*****************************************************************
-** is_dotfile (name)
+** is_dotfilename (name)
** Check if the given pathname 'name' looks like "." or "..".
** Returns 0 | 1
*****************************************************************/
-int is_dotfile (const char *name)
+int is_dotfilename (const char *name)
{
if ( name && (
(name[0] == '.' && name[1] == '\0') ||
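Review bot: The new header comment for splitpath() does not match the code below it: when the name does not fit, the check `strlen (filename) + 1 > psize` is still followed by `return filename;`, not NULL, and on success the returned pointer (`filename = ++p;`) points into `filename`, not into `path`. A caller that follows the comment and tests for NULL would never notice that `path` was left empty. Either return NULL at that check, `if ( strlen (filename) + 1 > psize ) return NULL;`, or reword the comment to say that the unsplit name is returned and `path` stays empty. The `!path` case now returns NULL instead of `filename`, so callers that pass the result straight to a string function need a check; those callers are outside this hunk.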
t.tm_mon -= 1;
t.tm_isdst = 0;
-#if defined(HAS_TIMEGM) && HAS_TIMEGM
+#if defined(HAVE_TIMEGM) && HAVE_TIMEGM
sec = timegm (&t);
#else
{
- time_t ret;
- char *tz;
+ char tzstr[31+1];
+ char *tz;
tz = getenv("TZ");
- // setenv("TZ", "", 1);
- setenv("TZ", "UTC", 1);
+ snprintf (tzstr, sizeof (tzstr), "TZ=%s", "UTC");
+ putenv (tzstr);
tzset();
sec = mktime(&t);
if (tz)
- setenv("TZ", tz, 1);
+ snprintf (tzstr, sizeof (tzstr), "TZ=%s", tz);
else
- unsetenv("TZ");
+ snprintf (tzstr, sizeof (tzstr), "TZ=%s", "");
+ putenv (tzstr);
tzset();
}
#endif
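Review bot: `tzstr` is an automatic array, but putenv() as specified by POSIX places the pointer it is given into the environment rather than copying the string, so once this block ends `TZ` refers to storage that is no longer valid. Giving the buffer static storage, `static char tzstr[31+1];`, keeps the entry valid for later getenv() and tzset() calls. Two smaller differences from the removed setenv()/unsetenv() version: a saved `TZ` value longer than the buffer is silently truncated by snprintf() when it is restored, and an originally unset `TZ` is now left as an empty `TZ=` instead of being removed. The function containing this block starts outside the hunk.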
return stop - start;
}
+
/****************************************************************
**
-** int inc_serial (filename, use_unixtime)
-**
-** This function depends on a special syntax formating the
-** SOA record in the zone file!!
+** int gensalt (saltstr, sizeofstalstr, bits)
**
-** To match the SOA record, the SOA RR must be formatted
-** like this:
-** @ [ttl] IN SOA <master.fq.dn.> <hostmaster.fq.dn.> (
-** <SPACEes or TABs> 1234567890; serial number
-** <SPACEes or TABs> 86400 ; other values
-** ...
-** The space from the first digit of the serial number to
-** the first none white space char or to the end of the line
-** must be at least 10 characters!
-** So you have to left justify the serial number in a field
-** of at least 10 characters like this:
-** <SPACEes or TABs> 1 ; Serial
+** generate a random hexstring of 'bits' salt and store it
+** in saltstr. return 1 on success, otherwise 0.
**
-****************************************************************/
-int inc_serial (const char *fname, int use_unixtime)
-{
- FILE *fp;
- char buf[4095+1];
- int error;
-
- /**
- since BIND 9.4, there is a dnssec-signzone option available for
- serial number increment.
- If the user request "unixtime" than use this mechanism
- **/
-#if defined(BIND_VERSION) && BIND_VERSION >= 940
- if ( use_unixtime )
- return 0;
-#endif
- if ( (fp = fopen (fname, "r+")) == NULL )
- return -1;
-
- /* read until the line matches the beginning of a soa record ... */
- while ( fgets (buf, sizeof buf, fp) && !is_soa_rr (buf) )
- ;
-
- if ( feof (fp) )
- {
- fclose (fp);
- return -2;
- }
-
- error = inc_soa_serial (fp, use_unixtime); /* .. inc soa serial no ... */
-
- if ( fclose (fp) != 0 )
- return -5;
- return error;
-}
-
-/*****************************************************************
-** check if line is the beginning of a SOA RR record, thus
-** containing the string "IN .* SOA" and ends with a '('
-** returns 1 if true
*****************************************************************/
-static int is_soa_rr (const char *line)
+int gensalt (char *salt, size_t saltsize, int saltbits)
{
- const char *p;
-
- assert ( line != NULL );
-
- if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") ) /* line contains "IN" and "SOA" */
- {
- p = line + strlen (line) - 1;
- while ( p > line && isspace (*p) )
- p--;
- if ( *p == '(' ) /* last character have to be a '(' to start a multi line record */
- return 1;
- }
-
- return 0;
-}
+ static char hexstr[] = "0123456789ABCDEF";
+ static int seed = 0;
+ int saltlen = 0; /* current length of salt in hex nibbles */
+ int i;
+ int hex;
-/*****************************************************************
-** Find string 'search' in 'str' and ignore case in comparison.
-** returns the position of 'search' in 'str' or NULL if not found.
-*****************************************************************/
-static const char *strfindstr (const char *str, const char *search)
-{
- const char *p;
- int c;
-
- assert ( str != NULL );
- assert ( search != NULL );
-
- c = tolower (*search);
- p = str;
- do {
- while ( *p && tolower (*p) != c )
- p++;
- if ( strncasecmp (p, search, strlen (search)) == 0 )
- return p;
- p++;
- } while ( *p );
+ if ( seed == 0 )
+ srandom (seed = (unsigned int)time (NULL));
- return NULL;
-}
-
-/*****************************************************************
-** return the serial number of the current day in the form
-** of YYYYmmdd00
-*****************************************************************/
-static ulong today_serialtime ()
-{
- struct tm *t;
- ulong serialtime;
- time_t now;
-
- now = time (NULL);
- t = gmtime (&now);
- serialtime = (t->tm_year + 1900) * 10000;
- serialtime += (t->tm_mon+1) * 100;
- serialtime += t->tm_mday;
- serialtime *= 100;
-
- return serialtime;
-}
+ saltlen = saltbits / 4;
+ if ( saltlen+1 > saltsize )
+ return 0;
-/*****************************************************************
-** inc_soa_serial (fp, use_unixtime)
-** increment the soa serial number of the file 'fp'
-** 'fp' must be opened "r+"
-*****************************************************************/
-static int inc_soa_serial (FILE *fp, int use_unixtime)
-{
- int c;
- long pos, eos;
- ulong serial;
- int digits;
- ulong today;
-
- /* move forward until any non ws reached */
- while ( (c = getc (fp)) != EOF && isspace (c) )
- ;
- ungetc (c, fp); /* push back the last char */
-
- pos = ftell (fp); /* mark position */
-
- serial = 0L; /* read in the current serial number */
- /* be aware of the trailing space in the format string !! */
- if ( fscanf (fp, "%lu ", &serial) != 1 ) /* try to get serial no */
- return -3;
- eos = ftell (fp); /* mark first non digit/ws character pos */
-
- digits = eos - pos;
- if ( digits < 10 ) /* not enough space for serial no ? */
- return -4;
-
- if ( use_unixtime )
- today = time (NULL);
- else
+ for ( i = 0; i < saltlen; i++ )
{
- today = today_serialtime (); /* YYYYmmdd00 */
- if ( serial > 1970010100L && serial < today )
- serial = today; /* set to current time */
- serial++; /* increment anyway */
+ hex = random () % 16;
+ assert ( hex >= 0 && hex < 16 );
+ salt[i] = hexstr[hex];
}
+ salt[i] = '\0';
- fseek (fp, pos, SEEK_SET); /* go back to the beginning */
- fprintf (fp, "%-*lu", digits, serial); /* write as many chars as before */
-
- return 1; /* yep! */
-}
-
-/*****************************************************************
-** return the error text of the inc_serial return coode
-*****************************************************************/
-const char *inc_errstr (int err)
-{
- switch ( err )
- {
- case -1: return "couldn't open zone file for modifying";
- case -2: return "unexpected end of file";
- case -3: return "no serial number found in zone file";
- case -4: return "not enough space left for serialno";
- case -5: return "error on closing zone file";
- }
- return "";
+ return 1;
}
-#ifdef SOA_TEST
-const char *progname;
-main (int argc, char *argv[])
-{
- ulong now;
- int err;
- char cmd[255];
-
- progname = *argv;
-
- now = today_serialtime ();
- printf ("now = %lu\n", now);
-
- if ( (err = inc_serial (argv[1], 0)) <= 0 )
- {
- error ("can't change serial errno=%d\n", err);
- exit (1);
- }
-
- snprintf (cmd, sizeof(cmd), "head -15 %s", argv[1]);
- system (cmd);
-}
-#endif
#ifdef COPYZONE_TEST
const char *progname;
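Review bot: gensalt() does not validate `saltbits`: values from 0 to 3 produce an empty salt and still return 1, and the bounds test `saltlen+1 > saltsize` compares an int with a size_t, so negative input is only rejected where the unsigned conversion happens to make it large. An explicit guard such as `if ( saltbits < 4 || (size_t)(saltbits / 4) + 1 > saltsize ) return 0;` states the contract, provided no caller relies on an empty salt (callers are not in this hunk). The generator is random() seeded once from time(NULL), so runs started within the same second produce the same salt. That is tolerable only because an NSEC3 salt is published in the zone, and the header comment should say so, for example `** not for secrets: output comes from random() seeded with time()`. The same comment misspells the second parameter as `sizeofstalstr`.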
extern void logmesg (char *fmt, ...);
extern void verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...);
extern void logflush (void);
-extern int inc_serial (const char *fname, int use_unixtime);
-extern const char *inc_errstr (int err);
+extern int gensalt (char *salt, size_t saltsize, int saltbits);
extern char *str_untaint (char *str);
extern char *str_chop (char *str, char c);
-extern int is_dotfile (const char *name);
+extern int is_dotfilename (const char *name);
extern void parseurl (char *url, char **proto, char **host, char **port, char **para);
#endif
/*****************************************************************
**
-** parse_namedconf (const char *filename, int (*func) ())
+** parse_namedconf (const char *filename, chroot_dir, dir, dirsize, int (*func) ())
**
** Very dumb named.conf parser.
** - In a zone declaration the _first_ keyword MUST be "type"
** - For every master zone "func (directory, zone, filename)" will be called
**
*****************************************************************/
-int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ())
+int parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ())
{
FILE *fp;
int tok;
snprintf (path, sizeof (path), "%s/%s", dir, strval);
else
snprintf (path, sizeof (path), "%s", strval);
- snprintf (dir, dirsize, "%s", path);
+
+ /* prepend chroot directory (do it only once) */
+ if ( chroot_dir && *chroot_dir )
+ {
+ snprintf (dir, dirsize, "%s%s%s", chroot_dir, *path == '/' ? "": "/", path);
+ chroot_dir = NULL;
+ }
+ else
+ snprintf (dir, dirsize, "%s", path);
dbg_val ("parse_namedconf: new dir \"%s\" \n", dir);
}
}
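Review bot: The once-only guard `chroot_dir = NULL;` makes the prefix depend on statement order: after the first `directory` value has been prefixed, a later value that takes the `else` copy of `strval` is stored in `dir` without the chroot prefix. The assignment also only changes this call's copy of the parameter, and the include path built in the next hunk is passed to the recursive parse_namedconf() without any prefix, so, assuming that `else` branch handles absolute names (the condition is not shown), an absolute include is opened relative to the real root rather than the chroot. If a single `directory` option ahead of any include is the supported layout, state it in the function header, e.g. `** - with chroot_dir set, only the first "directory" option is prefixed`. The snprintf() result is unchecked as well, so a `chroot_dir` plus `path` longer than `dirsize` is silently truncated into a different directory name; comparing the return value with `dirsize` and returning 0 would follow the failure convention the include branch already uses.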
snprintf (path, sizeof (path), "%s/%s", dir, strval);
else
snprintf (path, sizeof (path), "%s", strval);
- if ( !parse_namedconf (path, dir, dirsize, func) )
+ if ( !parse_namedconf (path, chroot_dir, dir, dirsize, func) )
return 0;
}
else
directory[0] = '\0';
if ( --argc == 0 )
- parse_namedconf ("/var/named/named.conf", directory, sizeof (directory), printzone);
+ parse_namedconf ("/var/named/named.conf", NULL, directory, sizeof (directory), printzone);
else
- parse_namedconf (argv[1], directory, sizeof (directory), printzone);
+ parse_namedconf (argv[1], NULL, directory, sizeof (directory), printzone);
}
#endif
#ifndef NCPARSE_H
# define NCPARSE_H
-extern int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ());
+extern int parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ());
#endif
--- /dev/null
+/*****************************************************************
+**
+** @(#) nscomm.c (c) 2005 - 2009 Holger Zuleger hznet.de
+**
+** Copyright (c) 2005 - 2009, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+# include <stdio.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include "config_zkt.h"
+#include "zconf.h"
+#define extern
+#include "nscomm.h"
+#undef extern
+
+
+/*****************************************************************
+** dyn_update_freeze ()
+*****************************************************************/
+int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)
+{
+ char cmdline[254+1];
+ char str[254+1];
+ char *action;
+ FILE *fp;
+
+ assert (z != NULL);
+ if ( freeze )
+ action = "freeze";
+ else
+ action = "thaw";
+
+ if ( z->view )
+ snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
+ else
+ snprintf (str, sizeof (str), "\"%s\"", domain);
+
+ lg_mesg (LG_NOTICE, "%s: %s dynamic zone", str, action);
+ verbmesg (1, z, "\t%s dynamic zone %s\n", action, str);
+
+ if ( z->view )
+ snprintf (cmdline, sizeof (cmdline), "%s %s %s IN %s", RELOADCMD, action, domain, z->view);
+ else
+ snprintf (cmdline, sizeof (cmdline), "%s %s %s", RELOADCMD, action, domain);
+
+ verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline);
+ *str = '\0';
+ if ( z->noexec == 0 )
+ {
+ if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+ return -1;
+ pclose (fp);
+ }
+
+ verbmesg (2, z, "\t rndc %s return: \"%s\"\n", action, str_chop (str, '\n'));
+
+ return 0;
+}
+
+/*****************************************************************
+** distribute and reload a zone via "distribute_command"
+*****************************************************************/
+int dist_and_reload (const zone_t *zp)
+{
+ char path[MAX_PATHSIZE+1];
+ char cmdline[254+1];
+ char zone[254+1];
+ char str[254+1];
+ FILE *fp;
+
+ assert (zp != NULL);
+ assert (zp->conf->dist_cmd != NULL);
+
+ if ( !is_exec_ok (zp->conf->dist_cmd) )
+ {
+ char *mesg;
+
+ if ( getuid () == 0 )
+ mesg = "\tDistribution command %s not run as root\n";
+ else
+ mesg = "\tDistribution command %s not run due to strange file mode settings\n";
+
+ verbmesg (1, zp->conf, mesg, zp->conf->dist_cmd);
+ lg_mesg (LG_ERROR, "exec of distribution command %s disabled due to security reasons", zp->conf->dist_cmd);
+
+ return -1;
+ }
+
+ if ( zp->conf->view )
+ snprintf (zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view);
+ else
+ snprintf (zone, sizeof (zone), "\"%s\"", zp->zone);
+
+
+ pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
+
+ lg_mesg (LG_NOTICE, "%s: distribution triggered", zone);
+ verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone);
+ if ( zp->conf->view )
+ snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
+ else
+ snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path);
+
+ *str = '\0';
+ if ( zp->conf->noexec == 0 )
+ {
+ verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline);
+ if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+ return -2;
+ pclose (fp);
+ verbmesg (2, zp->conf, "\t %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
+ }
+
+
+ lg_mesg (LG_NOTICE, "%s: reload triggered", zone);
+ verbmesg (1, zp->conf, "\tReload zone %s\n", zone);
+ if ( zp->conf->view )
+ snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
+ else
+ snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path);
+
+ *str = '\0';
+ if ( zp->conf->noexec == 0 )
+ {
+ verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline);
+ if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+ return -2;
+ pclose (fp);
+ verbmesg (2, zp->conf, "\t %s reload return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
+ }
+
+ return 0;
+}
+
+/*****************************************************************
+** reload a zone via "rndc"
+*****************************************************************/
+int reload_zone (const char *domain, const zconf_t *z)
+{
+ char cmdline[254+1];
+ char str[254+1];
+ FILE *fp;
+
+ assert (z != NULL);
+ dbg_val3 ("reload_zone %d :%s: :%s:\n", z->verbosity, domain, z->view);
+ if ( z->view )
+ snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
+ else
+ snprintf (str, sizeof (str), "\"%s\"", domain);
+
+ lg_mesg (LG_NOTICE, "%s: reload triggered", str);
+ verbmesg (1, z, "\tReload zone %s\n", str);
+
+ if ( z->view )
+ snprintf (cmdline, sizeof (cmdline), "%s reload %s IN %s", RELOADCMD, domain, z->view);
+ else
+ snprintf (cmdline, sizeof (cmdline), "%s reload %s", RELOADCMD, domain);
+
+ *str = '\0';
+ if ( z->noexec == 0 )
+ {
+ verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline);
+ if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+ return -1;
+ pclose (fp);
+ verbmesg (2, z, "\t rndc reload return: \"%s\"\n", str_chop (str, '\n'));
+ }
+
+ return 0;
+}
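Review bot: In all three functions the test `(fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL` returns without pclose() when popen() succeeded but the command printed nothing, so the pipe and the child are never reaped. A command that prints nothing is also reported as a failure, while its exit status is never examined. The same lines hand `domain`, `z->view`, `zp->zone` and `path` to the shell unquoted in a 255-byte `cmdline` whose truncation is not checked; whether those names are validated before they arrive here is not visible in this file, so that should be confirmed or the values rejected when they contain shell metacharacters. The sketch shows the split for reload_zone; dyn_update_freeze and both popen calls in dist_and_reload need the same change with their own return codes.

```c
	if ( z->noexec == 0 )
	{
		/* … unchanged: verbmesg "Run cmd" … */
		if ( (fp = popen (cmdline, "r")) == NULL )
			return -1;
		if ( fgets (str, sizeof str, fp) == NULL )
			*str = '\0';		/* no output is not by itself an error */
		if ( pclose (fp) != 0 )		/* always reap the child; fail on its exit status */
			return -1;
		/* … unchanged: verbmesg "rndc reload return" … */
	}
```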
--- /dev/null
+/*****************************************************************
+**
+** @(#) nscomm.h (c) 2005 - 2009 Holger Zuleger hznet.de
+**
+** Copyright (c) 2005 - 2009, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+#ifndef NSCOMM_H
+# include <assert.h>
+# include <unistd.h>
+# include <sys/types.h>
+
+# include "zconf.h"
+# include "zone.h"
+# include "log.h"
+# include "misc.h"
+# include "debug.h"
+# define NSCOMM_H
+
+extern int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze);
+extern int reload_zone (const char *domain, const zconf_t *z);
+extern int dist_and_reload (const zone_t *zp);
+#endif
if ( ksk )
dkp = dki_new (dir, domain, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
else
- dkp = dki_new (dir, domain, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+ dkp = dki_new (dir, domain, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+ dki_add (listp, dkp);
+ dki_setstatus (dkp, status);
+
+ return dkp;
+}
+
+static dki_t *genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)
+{
+ dki_t *dkp;
+
+ if ( listp == NULL || domain == NULL )
+ return NULL;
+
+ if ( ksk )
+ dkp = dki_new (dir, domain, DKI_KSK, conf->k2_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+ else
+ dkp = dki_new (dir, domain, DKI_ZSK, conf->k2_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
dki_add (listp, dkp);
dki_setstatus (dkp, status);
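Review bot: genkey2() repeats the visible part of genkey() and differs only in reading `conf->k2_algo`, so the two will drift apart; a single static helper that takes the algorithm as a parameter would serve both. Both versions pass the result of dki_new() straight to dki_add() and dki_setstatus(), although the callers treat a NULL return as "generation failed"; whether those two helpers accept NULL is not visible here, so `if ( dkp == NULL ) return NULL;` after dki_new() would be the safe form. `conf` is dereferenced without the NULL test that `listp` and `domain` get. A header comment in the file's boxed style, stating that this generates the key for the optional second algorithm, is also missing. genkey() starts outside this hunk.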
/* check if we have to change the ksk ? */
if ( lifetime > 0 && age > lifetime && !fileexist (path) ) /* lifetime is over and no kskrollover in progress */
{
- /* we are using hierachical mode and the parent directory contains a signed zone ? */
+ /* we are in hierachical mode and the parent directory contains a signed zone ? */
if ( z->keysetdir && strcmp (z->keysetdir, "..") == 0 && is_parentdirsigned (zonelist, zp) )
{
verbmesg (2, z, "\t\tkskrollover: create new key signing key\n");
lg_mesg (LG_INFO, "\"%s\": kskrollover phase1: New key %d generated", zp->zone, ksk->tag);
/* find the oldest active ksk to create the parent file */
- if ( (ksk = (dki_t *)dki_find (zp->keys, 1, 'a', 1)) == NULL )
+ if ( (ksk = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, zp->conf->k_algo, 'a', 1)) == NULL )
lg_mesg (LG_ERROR, "kskrollover phase1: Couldn't find the old active key\n");
if ( !create_parent_file (path, 1, z->key_ttl, ksk) )
lg_mesg (LG_ERROR, "Couldn't create parentfile %s\n", path);
{
exptime = get_exptime (dkp, z);
if ( dki_isrevoked (dkp) )
- lg_mesg (LG_DEBUG, "zone \"%s\": found revoked key with exptime of: %s", domain, time2str (exptime, 's'));
+ lg_mesg (LG_DEBUG, "zone \"%s\": found revoked key (id=%d exptime=%s); waiting for remove hold down time",
+ domain, dkp->tag, time2str (exptime, 's'));
/* revoked key is older than 30 days? */
if ( dki_isrevoked (dkp) && currtime > exptime + REMOVE_HOLD_DOWN )
lg_mesg (LG_DEBUG, "Stb time: %s", time2str (dki_time (standbykey), 's'));
lg_mesg (LG_DEBUG, "Stb time+wait: %s", time2str (dki_time (standbykey) + min (DAYSEC * 30, z->key_ttl), 's'));
#endif
- /* At the time we first introduce a standby key, the lifetime of the current KSK should not be expired, */
+ /* At the first time we introduce a standby key, the lifetime of the current KSK shouldn't be expired, */
/* otherwise we run into an (nearly) immediate key rollover! */
if ( currtime > exptime && currtime > dki_time (standbykey) + min (ADD_HOLD_DOWN, z->key_ttl) )
{
lg_mesg (LG_ERROR, "\%s\": can't generate new standby KSK", domain);
}
else
- lg_mesg (LG_INFO, "\"%s\": generated new standby KSK %d", domain, dkp->tag);
+ lg_mesg (LG_NOTICE, "\"%s\": generated new standby KSK %d", domain, dkp->tag);
/* standby key gets active */
verbmesg (2, z, "\t\t=>Activating old standby key %d \n", standbykey->tag);
verbmesg (1, z, "\tCheck KSK status\n");
/* check if a key signing key exist ? */
- akey = (dki_t *)dki_find (zp->keys, 1, 'a', 1);
+ akey = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, z->k_algo, 'a', 1);
if ( akey == NULL )
{
verbmesg (1, z, "\tNo active KSK found: generate new one\n");
lg_mesg (LG_INFO, "\"%s\": generated new KSK %d", zp->zone, akey->tag);
return akey != NULL; /* return value of 1 forces a resigning of the zone */
}
- else /* try to start a full automatic ksk rollover */
+ else /* try to start a full automated ksk rollover */
kskrollover (akey, zonelist, zp);
+ /* is a second algorithm requested ? (since 0.99) */
+ if ( z->k2_algo && z->k2_algo != z->k_algo )
+ {
+ /* check for ksk supporting the additional algorithm */
+ akey = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, z->k2_algo, 'a', 1);
+ if ( akey == NULL )
+ {
+ verbmesg (1, z, "\tNo active KSK for second algorithm found: generate new one\n");
+ akey = genkey2 (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
+ if ( !akey )
+ {
+ error ("\tcould not generate new KSK for 2nd algorithm\n");
+ lg_mesg (LG_ERROR, "\"%s\": can't generate new KSK for 2nd algorithm: \"%s\"",
+ zp->zone, dki_geterrstr());
+ }
+ else
+ lg_mesg (LG_INFO, "\"%s\": generated new KSK %d for 2nd algorithm",
+ zp->zone, akey->tag);
+ return 1; /* return value of 1 forces a resigning of the zone */
+ }
+ }
+
return 0;
}
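Review bot: The new second-algorithm block ends in an unconditional `return 1;`, so a re-sign of the zone is forced even on the branch where genkey2() returned NULL and the error was only logged. The primary-algorithm path just above returns `akey != NULL`, and I would use `return akey != NULL;` here as well. The ZSK block added further down, after `genkey2 (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE)`, has the same unconditional return. The enclosing function starts outside this hunk.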
/* check status of active key */
dbg_msg("zskstatus check status of active key ");
lifetime = z->z_life; /* global configured lifetime for zsk */
- akey = (dki_t *)dki_find (*listp, 0, 'a', 1);
+ akey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'a', 1);
if ( akey == NULL && lifetime > 0 ) /* no active key found */
{
verbmesg (1, z, "\tNo active ZSK found: generate new one\n");
lifetime, (OFFSET) , akey->tag, dki_age (akey, currtime) );
/* depreciate the key only if there is another active or published key */
- if ( (nextkey = (dki_t *)dki_find (*listp, 0, 'a', 2)) == NULL ||
+ if ( (nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'a', 2)) == NULL ||
nextkey == akey )
- nextkey = (dki_t *)dki_find (*listp, 0, 'p', 1);
+ nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'p', 1);
/* Is the published key sufficient long in the zone ? */
/* As mentioned by Olaf, this should be the ttl of the DNSKEY RR ! */
* time will be checked just before the active key will be removed.
* See above).
*/
- nextkey = (dki_t *)dki_find (*listp, 0, 'p', 1);
+ nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'p', 1);
if ( nextkey == NULL && lifetime > 0 && (akey == NULL ||
dki_age (akey, currtime + z->resign) > lifetime - (OFFSET)) )
{
domain, dki_geterrstr());
}
}
+
+ /* is a second algorithm requested ? (since 0.99) */
+ if ( z->k2_algo && z->k2_algo != z->k_algo )
+ {
+ /* check for zsk supporting the additional algorithm */
+ akey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k2_algo, 'a', 1);
+ if ( akey == NULL )
+ {
+ verbmesg (1, z, "\tNo active ZSK for second algorithm found: generate new one\n");
+ akey = genkey2 (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE);
+ if ( !akey )
+ {
+ error ("\tcould not generate new ZSK for 2nd algorithm\n");
+ lg_mesg (LG_ERROR, "\"%s\": can't generate new ZSK for 2nd algorithm: \"%s\"",
+ domain, dki_geterrstr());
+ }
+ else
+ lg_mesg (LG_INFO, "\"%s\": generated new ZSK %d for 2nd algorithm",
+ domain, akey->tag);
+ return 1; /* return value of 1 forces a resigning of the zone */
+ }
+ }
+
return keychange;
}
--- /dev/null
+/*****************************************************************
+**
+** @(#) soaserial.c -- helper function for the dnssec zone key tools
+**
+** Copyright (c) Jan 2005, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <ctype.h>
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <time.h>
+# include <utime.h>
+# include <assert.h>
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+# include "zconf.h"
+# include "log.h"
+# include "debug.h"
+#define extern
+# include "soaserial.h"
+#undef extern
+
+static int inc_soa_serial (FILE *fp, int use_unixtime);
+static int is_soa_rr (const char *line);
+static const char *strfindstr (const char *str, const char *search);
+
+
+/****************************************************************
+**
+** int inc_serial (filename, use_unixtime)
+**
+** This function depends on a special syntax formating the
+** SOA record in the zone file!!
+**
+** To match the SOA record, the SOA RR must be formatted
+** like this:
+** @ [ttl] IN SOA <master.fq.dn.> <hostmaster.fq.dn.> (
+** <SPACEes or TABs> 1234567890; serial number
+** <SPACEes or TABs> 86400 ; other values
+** ...
+** The space from the first digit of the serial number to
+** the first none white space char or to the end of the line
+** must be at least 10 characters!
+** So you have to left justify the serial number in a field
+** of at least 10 characters like this:
+** <SPACEes or TABs> 1 ; Serial
+**
+****************************************************************/
+int inc_serial (const char *fname, int use_unixtime)
+{
+ FILE *fp;
+ char buf[4095+1];
+ int error;
+
+ /**
+ since BIND 9.4, there is a dnssec-signzone option available for
+ serial number increment.
+ If the user requests "unixtime"; then use this mechanism.
+ **/
+#if defined(BIND_VERSION) && BIND_VERSION >= 940
+ if ( use_unixtime )
+ return 0;
+#endif
+ if ( (fp = fopen (fname, "r+")) == NULL )
+ return -1;
+
+ /* read until the line matches the beginning of a soa record ... */
+ while ( fgets (buf, sizeof buf, fp) && !is_soa_rr (buf) )
+ ;
+
+ if ( feof (fp) )
+ {
+ fclose (fp);
+ return -2;
+ }
+
+ error = inc_soa_serial (fp, use_unixtime); /* .. inc soa serial no ... */
+
+ if ( fclose (fp) != 0 )
+ return -5;
+ return error;
+}
+
+/*****************************************************************
+** check if line is the beginning of a SOA RR record, thus
+** containing the string "IN .* SOA" and ends with a '('
+** returns 1 if true
+*****************************************************************/
+static int is_soa_rr (const char *line)
+{
+ const char *p;
+
+ assert ( line != NULL );
+
+ if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") ) /* line contains "IN" and "SOA" */
+ {
+ p = line + strlen (line) - 1;
+ while ( p > line && isspace (*p) )
+ p--;
+ if ( *p == '(' ) /* last character have to be a '(' to start a multi line record */
+ return 1;
+ }
+
+ return 0;
+}
+
+/*****************************************************************
+** Find string 'search' in 'str' and ignore case in comparison.
+** returns the position of 'search' in 'str' or NULL if not found.
+*****************************************************************/
+static const char *strfindstr (const char *str, const char *search)
+{
+ const char *p;
+ int c;
+
+ assert ( str != NULL );
+ assert ( search != NULL );
+
+ c = tolower (*search);
+ p = str;
+ do {
+ while ( *p && tolower (*p) != c )
+ p++;
+ if ( strncasecmp (p, search, strlen (search)) == 0 )
+ return p;
+ p++;
+ } while ( *p );
+
+ return NULL;
+}
+
+/*****************************************************************
+** return the serial number of the given time in the form
+** of YYYYmmdd00 as ulong value
+*****************************************************************/
+static ulong serialtime (time_t sec)
+{
+ struct tm *t;
+ ulong serialtime;
+
+ t = gmtime (&sec);
+ serialtime = (t->tm_year + 1900) * 10000;
+ serialtime += (t->tm_mon+1) * 100;
+ serialtime += t->tm_mday;
+ serialtime *= 100;
+
+ return serialtime;
+}
+
+/*****************************************************************
+** inc_soa_serial (fp, use_unixtime)
+** increment the soa serial number of the file 'fp'
+** 'fp' must be opened "r+"
+*****************************************************************/
+static int inc_soa_serial (FILE *fp, int use_unixtime)
+{
+ int c;
+ long pos, eos;
+ ulong serial;
+ int digits;
+ ulong today;
+
+ /* move forward until any non ws reached */
+ while ( (c = getc (fp)) != EOF && isspace (c) )
+ ;
+ ungetc (c, fp); /* push back the last char */
+
+ pos = ftell (fp); /* mark position */
+
+ serial = 0L; /* read in the current serial number */
+ /* be aware of the trailing space in the format string !! */
+ if ( fscanf (fp, "%lu ", &serial) != 1 ) /* try to get serial no */
+ return -3;
+ eos = ftell (fp); /* mark first non digit/ws character pos */
+
+ digits = eos - pos;
+ if ( digits < 10 ) /* not enough space for serial no ? */
+ return -4;
+
+ today = time (NULL);
+ if ( !use_unixtime )
+ {
+ today = serialtime (today); /* YYYYmmdd00 */
+ if ( serial > 1970010100L && serial < today )
+ serial = today; /* set to current time */
+ serial++; /* increment anyway */
+ }
+
+ fseek (fp, pos, SEEK_SET); /* go back to the beginning */
+ fprintf (fp, "%-*lu", digits, serial); /* write as many chars as before */
+
+ return 1; /* yep! */
+}
+
+/*****************************************************************
+** return the error text of the inc_serial return coode
+*****************************************************************/
+const char *inc_errstr (int err)
+{
+ switch ( err )
+ {
+ case -1: return "couldn't open zone file for modifying";
+ case -2: return "unexpected end of file";
+ case -3: return "no serial number found in zone file";
+ case -4: return "not enough space left for serialno";
+ case -5: return "error on closing zone file";
+ }
+ return "";
+}
+
+#ifdef SOA_TEST
+const char *progname;
+main (int argc, char *argv[])
+{
+ ulong now;
+ int err;
+ char cmd[255];
+
+ progname = *argv;
+
+ now = time (NULL);
+ now = serialtime (now);
+ printf ("now = %lu\n", now);
+
+ if ( (err = inc_serial (argv[1], 0)) <= 0 )
+ {
+ error ("can't change serial errno=%d\n", err);
+ exit (1);
+ }
+
+ snprintf (cmd, sizeof(cmd), "head -15 %s", argv[1]);
+ system (cmd);
+}
+#endif
+
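Review bot: strfindstr() steps past the terminating NUL: when the inner loop stops at the end of `str`, the unconditional `p++` moves one byte beyond it and `while ( *p )` then reads outside the string. When called from is_soa_rr(), that memory is whatever an earlier, longer line left in inc_serial()'s `buf`, so the "IN"/"SOA" search can hit stale data. A bounded scan such as `for ( p = str; *p; p++ ) if ( strncasecmp (p, search, strlen (search)) == 0 ) return p;` avoids this. Separately, in inc_soa_serial() the `use_unixtime` case (reachable when BIND_VERSION is undefined or below 940) writes `serial` back unchanged, because `today` is only used inside `if ( !use_unixtime )`; an `else serial = today;` looks like what was intended. The `tolower (*p)` and `isspace (*p)` calls also take a plain `char` and should cast to `unsigned char`.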
--- /dev/null
+/*****************************************************************
+**
+** @(#) soserial.h (c) 2005 - 2007 Holger Zuleger hznet.de
+**
+** Copyright (c) 2005 - 2007, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+#ifndef SOASERIAL_H
+# define SOASERIAL_H
+extern int inc_serial (const char *fname, int use_unixtime);
+extern const char *inc_errstr (int err);
+#endif
!_TAG_PROGRAM_AUTHOR Darren Hiebert /dhiebert@users.sourceforge.net/
!_TAG_PROGRAM_NAME Exuberant Ctags //
!_TAG_PROGRAM_URL http://ctags.sourceforge.net /official site/
-!_TAG_PROGRAM_VERSION 5.5.4 //
-CONF_ALGO zconf.c /^ CONF_ALGO,$/;" e file:
-CONF_BOOL zconf.c /^ CONF_BOOL,$/;" e file:
-CONF_COMMENT zconf.c /^ CONF_COMMENT,$/;" e file:
-CONF_END zconf.c /^ CONF_END = 0,$/;" e file:
-CONF_FACILITY zconf.c /^ CONF_FACILITY,$/;" e file:
-CONF_INT zconf.c /^ CONF_INT,$/;" e file:
-CONF_LEVEL zconf.c /^ CONF_LEVEL,$/;" e file:
-CONF_SERIAL zconf.c /^ CONF_SERIAL,$/;" e file:
-CONF_STRING zconf.c /^ CONF_STRING,$/;" e file:
-CONF_TIMEINT zconf.c /^ CONF_TIMEINT,$/;" e file:
-ISCOMMENT zconf.c 68;" d file:
-ISDELIM zconf.c 70;" d file:
-ISTRUE zconf.c 66;" d file:
-KEYSET_FILE_PFX dnssec-signer.c 691;" d file:
+!_TAG_PROGRAM_VERSION 5.6 //
+CONF_ALGO zconf.c /^ CONF_ALGO,$/;" e enum:__anon2 file:
+CONF_BOOL zconf.c /^ CONF_BOOL,$/;" e enum:__anon2 file:
+CONF_COMMENT zconf.c /^ CONF_COMMENT,$/;" e enum:__anon2 file:
+CONF_END zconf.c /^ CONF_END = 0,$/;" e enum:__anon2 file:
+CONF_FACILITY zconf.c /^ CONF_FACILITY,$/;" e enum:__anon2 file:
+CONF_INT zconf.c /^ CONF_INT,$/;" e enum:__anon2 file:
+CONF_LEVEL zconf.c /^ CONF_LEVEL,$/;" e enum:__anon2 file:
+CONF_SERIAL zconf.c /^ CONF_SERIAL,$/;" e enum:__anon2 file:
+CONF_STRING zconf.c /^ CONF_STRING,$/;" e enum:__anon2 file:
+CONF_TIMEINT zconf.c /^ CONF_TIMEINT,$/;" e enum:__anon2 file:
+ISCOMMENT zconf.c 67;" d file:
+ISDELIM zconf.c 69;" d file:
+ISTRUE zconf.c 65;" d file:
+KEYSET_FILE_PFX dnssec-signer.c 709;" d file:
KeyWords ncparse.c /^static struct KeyWords {$/;" s file:
MAXFNAME log.c 97;" d file:
-STRCONFIG_DELIMITER zconf.c 513;" d file:
+STRCONFIG_DELIMITER zconf.c 529;" d file:
TAINTEDCHARS misc.c 60;" d file:
TOK_DELEGATION ncparse.c 59;" d file:
TOK_DIR ncparse.c 49;" d file:
TOK_UNKNOWN ncparse.c 64;" d file:
TOK_VIEW ncparse.c 60;" d file:
TOK_ZONE ncparse.c 52;" d file:
-a domaincmp.c /^ char *a;$/;" m file:
+a domaincmp.c /^ char *a;$/;" m struct:__anon1 file:
add2zonelist dnssec-signer.c /^static int add2zonelist (const char *dir, const char *view, const char *zone, const char *file)$/;" f file:
age2str misc.c /^char *age2str (time_t sec)$/;" f
ageflag dnssec-zkt.c /^int ageflag = 0;$/;" v
-b domaincmp.c /^ char *b;$/;" m file:
-bind94_dynzone dnssec-signer.c 131;" d file:
-bind96_dynzone dnssec-signer.c 132;" d file:
+b domaincmp.c /^ char *b;$/;" m struct:__anon1 file:
+bind94_dynzone dnssec-signer.c 130;" d file:
+bind96_dynzone dnssec-signer.c 131;" d file:
bool2str zconf.c /^static const char *bool2str (int val)$/;" f file:
check_keydb_timestamp dnssec-signer.c /^static int check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;" f file:
checkconfig zconf.c /^int checkconfig (const zconf_t *z)$/;" f
-cmdline zconf.c /^ int cmdline; \/* is this a command line parameter ? *\/$/;" m file:
+cmdline zconf.c /^ int cmdline; \/* is this a command line parameter ? *\/$/;" m struct:__anon3 file:
cmpfile misc.c /^int cmpfile (const char *file1, const char *file2)$/;" f
config dnssec-signer.c /^static zconf_t *config;$/;" v file:
config zconf.c /^static zconf_t *config;$/;" v file:
create_parent_file dnssec-zkt.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file:
create_parent_file rollover.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file:
createkey dnssec-zkt.c /^static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;" f file:
-ctype_t zconf.c /^} ctype_t;$/;" t file:
+ctype_t zconf.c /^} ctype_t;$/;" t typeref:enum:__anon2 file:
def zconf.c /^static zconf_t def = {$/;" v file:
dirflag dnssec-zkt.c /^static int dirflag = 0;$/;" v file:
-dirname dnssec-signer.c /^const char *dirname = NULL;$/;" v
-dist_and_reload dnssec-signer.c /^static int dist_and_reload (const zone_t *zp)$/;" f file:
+dirname dnssec-signer.c /^static const char *dirname = NULL;$/;" v file:
+dist_and_reload nscomm.c /^int dist_and_reload (const zone_t *zp)$/;" f
dki_add dki.c /^dki_t *dki_add (dki_t **list, dki_t *new)$/;" f
dki_age dki.c /^int dki_age (const dki_t *dkp, time_t curr)$/;" f
+dki_algo dki.c /^time_t dki_algo (const dki_t *dkp)$/;" f
dki_algo2sstr dki.c /^char *dki_algo2sstr (int algo)$/;" f
dki_algo2str dki.c /^char *dki_algo2str (int algo)$/;" f
dki_allcmp dki.c /^int dki_allcmp (const dki_t *a, const dki_t *b)$/;" f
dki_estr dki.c /^static char dki_estr[255+1];$/;" v file:
dki_exptime dki.c /^time_t dki_exptime (const dki_t *dkp)$/;" f
dki_find dki.c /^const dki_t *dki_find (const dki_t *list, int ksk, int status, int no)$/;" f
+dki_findalgo dki.c /^const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no)$/;" f
dki_free dki.c /^void dki_free (dki_t *dkp)$/;" f
dki_freelist dki.c /^void dki_freelist (dki_t **listp)$/;" f
dki_gentime dki.c /^time_t dki_gentime (const dki_t *dkp)$/;" f
domaincmp domaincmp.c /^int domaincmp (const char *a, const char *b)$/;" f
dosigning dnssec-signer.c /^static int dosigning (zone_t *zonelist, zone_t *zp)$/;" f file:
dupconfig zconf.c /^zconf_t *dupconfig (const zconf_t *conf)$/;" f
-dyn_update_freeze dnssec-signer.c /^static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;" f file:
+dyn_update_freeze nscomm.c /^int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;" f
dynamic_zone dnssec-signer.c /^static int dynamic_zone = 0; \/* dynamic zone ? *\/$/;" v file:
error misc.c /^void error (char *fmt, ...)$/;" f
-ex domaincmp.c /^} ex[] = {$/;" v file:
+ex domaincmp.c /^} ex[] = {$/;" v typeref:struct:__anon1 file:
exptimeflag dnssec-zkt.c /^int exptimeflag = 0;$/;" v
extern dki.c 59;" d file:
extern dki.c 61;" d file:
extern misc.c 58;" d file:
extern ncparse.c 44;" d file:
extern ncparse.c 46;" d file:
+extern nscomm.c 45;" d file:
+extern nscomm.c 47;" d file:
extern rollover.c 57;" d file:
extern rollover.c 59;" d file:
-extern zconf.c 61;" d file:
-extern zconf.c 63;" d file:
+extern soaserial.c 53;" d file:
+extern soaserial.c 55;" d file:
+extern zconf.c 60;" d file:
+extern zconf.c 62;" d file:
extern zkt.c 47;" d file:
extern zkt.c 49;" d file:
extern zone.c 53;" d file:
filesize misc.c /^size_t filesize (const char *name)$/;" f
force dnssec-signer.c /^static int force = 0;$/;" v file:
genkey rollover.c /^static dki_t *genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
+genkey2 rollover.c /^static dki_t *genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file:
+gensalt misc.c /^int gensalt (char *salt, size_t saltsize, int saltbits)$/;" f
get_exptime rollover.c /^static time_t get_exptime (dki_t *key, const zconf_t *z)$/;" f file:
get_parent_phase dnssec-zkt.c /^static int get_parent_phase (const char *file)$/;" f file:
get_parent_phase rollover.c /^static int get_parent_phase (const char *file)$/;" f file:
goto_labelstart domaincmp.c 47;" d file:
headerflag dnssec-zkt.c /^int headerflag = 1;$/;" v
in_strarr misc.c /^int in_strarr (const char *str, char *const arr[], int cnt)$/;" f
-inc_errstr misc.c /^const char *inc_errstr (int err)$/;" f
-inc_serial misc.c /^int inc_serial (const char *fname, int use_unixtime)$/;" f
-inc_soa_serial misc.c /^static int inc_soa_serial (FILE *fp, int use_unixtime)$/;" f file:
+inc_errstr soaserial.c /^const char *inc_errstr (int err)$/;" f
+inc_serial soaserial.c /^int inc_serial (const char *fname, int use_unixtime)$/;" f
+inc_soa_serial soaserial.c /^static int inc_soa_serial (FILE *fp, int use_unixtime)$/;" f file:
is_directory misc.c /^int is_directory (const char *name)$/;" f
-is_dotfile misc.c /^int is_dotfile (const char *name)$/;" f
+is_dotfilename misc.c /^int is_dotfilename (const char *name)$/;" f
is_exec_ok misc.c /^int is_exec_ok (const char *prog)$/;" f
is_keyfilename misc.c /^int is_keyfilename (const char *name)$/;" f
is_parentdirsigned rollover.c /^static int is_parentdirsigned (const zone_t *zonelist, const zone_t *zp)$/;" f file:
-is_soa_rr misc.c /^static int is_soa_rr (const char *line)$/;" f file:
+is_soa_rr soaserial.c /^static int is_soa_rr (const char *line)$/;" f file:
isinlist strlist.c /^int isinlist (const char *str, const char *list)$/;" f
ksk5011status rollover.c /^int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;" f
ksk_roll dnssec-zkt.c /^static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;" f file:
kskflag dnssec-zkt.c /^int kskflag = 1;$/;" v
kskrollover rollover.c /^static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)$/;" f file:
kskstatus rollover.c /^int kskstatus (zone_t *zonelist, zone_t *zp)$/;" f
-kw ncparse.c /^} kw[] = {$/;" v file:
-label zconf.c /^ char *label; \/* the name of the paramter *\/$/;" m file:
+kw ncparse.c /^} kw[] = {$/;" v typeref:struct:KeyWords file:
+label zconf.c /^ char *label; \/* the name of the paramter *\/$/;" m struct:__anon3 file:
labellist dnssec-zkt.c /^char *labellist = NULL;$/;" v
-level log.c /^ lg_lvl_t level;$/;" m file:
+level log.c /^ lg_lvl_t level;$/;" m struct:__anon4 file:
lg_args log.c /^void lg_args (lg_lvl_t level, int argc, char * const argv[])$/;" f
lg_close log.c /^int lg_close ()$/;" f
lg_errcnt log.c /^static long lg_errcnt;$/;" v file:
lg_seterrcnt log.c /^long lg_seterrcnt (long value)$/;" f
lg_str2lvl log.c /^lg_lvl_t lg_str2lvl (const char *name)$/;" f
lg_str2syslog log.c /^int lg_str2syslog (const char *facility)$/;" f
-lg_symtbl_t log.c /^} lg_symtbl_t;$/;" t file:
+lg_symtbl_t log.c /^} lg_symtbl_t;$/;" t typeref:struct:__anon4 file:
lg_syslogging log.c /^static int lg_syslogging;$/;" v file:
lifetime dnssec-zkt.c /^int lifetime = 0;$/;" v
lifetimeflag dnssec-zkt.c /^int lifetimeflag = 0;$/;" v
ljustflag dnssec-zkt.c /^int ljustflag = 0;$/;" v
loadconfig zconf.c /^zconf_t *loadconfig (const char *filename, zconf_t *z)$/;" f
loadconfig_fromstr zconf.c /^zconf_t *loadconfig_fromstr (const char *str, zconf_t *z)$/;" f
-logfile dnssec-signer.c /^const char *logfile = NULL;$/;" v
+logfile dnssec-signer.c /^static const char *logfile = NULL;$/;" v file:
logflush misc.c /^void logflush ()$/;" f
logmesg misc.c /^void logmesg (char *fmt, ...)$/;" f
-long_options dnssec-signer.c /^static struct option long_options[] = {$/;" v file:
-long_options dnssec-zkt.c /^static struct option long_options[] = {$/;" v file:
-lopt_usage dnssec-signer.c 323;" d file:
+long_options dnssec-signer.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
+long_options dnssec-zkt.c /^static struct option long_options[] = {$/;" v typeref:struct:option file:
lopt_usage dnssec-signer.c 326;" d file:
+lopt_usage dnssec-signer.c 329;" d file:
lopt_usage dnssec-zkt.c 402;" d file:
lopt_usage dnssec-zkt.c 405;" d file:
-loptstr dnssec-signer.c 324;" d file:
loptstr dnssec-signer.c 327;" d file:
+loptstr dnssec-signer.c 330;" d file:
loptstr dnssec-zkt.c 403;" d file:
loptstr dnssec-zkt.c 406;" d file:
main dnssec-signer.c /^int main (int argc, char *const argv[])$/;" f
main log.c /^int main (int argc, char *argv[])$/;" f
main misc.c /^main (int argc, char *argv[])$/;" f
main ncparse.c /^main (int argc, char *argv[])$/;" f
+main soaserial.c /^main (int argc, char *argv[])$/;" f
main strlist.c /^main (int argc, char *argv[])$/;" f
main zconf.c /^main (int argc, char *argv[])$/;" f
main zkt-soaserial.c /^int main (int argc, char *argv[])$/;" f
name ncparse.c /^ char *name;$/;" m struct:KeyWords file:
-namedconf dnssec-signer.c /^const char *namedconf = NULL;$/;" v
+namedconf dnssec-signer.c /^static const char *namedconf = NULL;$/;" v file:
new_keysetfiles dnssec-signer.c /^static int new_keysetfiles (const char *dir, time_t zone_signing_time)$/;" f file:
noexec dnssec-signer.c /^static int noexec = 0;$/;" v file:
-origin dnssec-signer.c /^const char *origin = NULL;$/;" v
-parse_namedconf ncparse.c /^int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ())$/;" f
+origin dnssec-signer.c /^static const char *origin = NULL;$/;" v file:
+parse_namedconf ncparse.c /^int parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ())$/;" f
parseconfigline zconf.c /^static void parseconfigline (char *buf, unsigned int line, zconf_t *z)$/;" f file:
parsedir dnssec-signer.c /^static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf)$/;" f file:
parsedirectory dnssec-zkt.c /^static int parsedirectory (const char *dir, dki_t **listp)$/;" f file:
progname log.c /^const char *progname;$/;" v
progname misc.c /^const char *progname;$/;" v
progname ncparse.c /^char *progname;$/;" v
+progname soaserial.c /^const char *progname;$/;" v
progname zconf.c /^const char *progname;$/;" v
progname zkt-soaserial.c /^static const char *progname;$/;" v file:
read_serial_fromfile zkt-soaserial.c /^static int read_serial_fromfile (const char *fname, unsigned long *serial)$/;" f file:
recflag dnssec-zkt.c /^static int recflag = RECURSIVE;$/;" v file:
register_key dnssec-signer.c /^static void register_key (dki_t *list, const zconf_t *z)$/;" f file:
-reload_zone dnssec-signer.c /^static int reload_zone (const char *domain, const zconf_t *z)$/;" f file:
+reload_zone nscomm.c /^int reload_zone (const char *domain, const zconf_t *z)$/;" f
reloadflag dnssec-signer.c /^static int reloadflag = 0;$/;" v file:
-res domaincmp.c /^ int res;$/;" m file:
+res domaincmp.c /^ int res;$/;" m struct:__anon1 file:
searchitem zkt.c /^static int searchitem;$/;" v file:
searchkw ncparse.c /^static int searchkw (const char *keyword)$/;" f file:
searchresult zkt.c /^static const dki_t *searchresult;$/;" v file:
+serialtime soaserial.c /^static ulong serialtime (time_t sec)$/;" f file:
set_all_varptr zconf.c /^static void set_all_varptr (zconf_t *cp)$/;" f file:
-set_bind94_dynzone dnssec-signer.c 129;" d file:
-set_bind96_dynzone dnssec-signer.c 130;" d file:
+set_bind94_dynzone dnssec-signer.c 128;" d file:
+set_bind96_dynzone dnssec-signer.c 129;" d file:
set_keylifetime zkt.c /^static void set_keylifetime (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
set_varptr zconf.c /^static int set_varptr (char *entry, void *ptr)$/;" f file:
setconfigpar zconf.c /^int setconfigpar (zconf_t *config, char *entry, const void *pval)$/;" f
setglobalflags dnssec-zkt.c /^static void setglobalflags (zconf_t *config)$/;" f file:
-short_options dnssec-signer.c 66;" d file:
short_options dnssec-signer.c 68;" d file:
+short_options dnssec-signer.c 70;" d file:
short_options dnssec-zkt.c 89;" d file:
sign_zone dnssec-signer.c /^static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)$/;" f file:
-sopt_usage dnssec-signer.c 321;" d file:
+sopt_usage dnssec-signer.c 324;" d file:
sopt_usage dnssec-zkt.c 400;" d file:
-splitpath misc.c /^const char *splitpath (char *path, size_t size, const char *filename)$/;" f
+splitpath misc.c /^const char *splitpath (char *path, size_t psize, const char *filename)$/;" f
start_timer misc.c /^time_t start_timer ()$/;" f
stop_timer misc.c /^time_t stop_timer (time_t start)$/;" f
-str log.c /^ const char *str;$/;" m file:
+str log.c /^ const char *str;$/;" m struct:__anon4 file:
str_chop misc.c /^char *str_chop (char *str, char c)$/;" f
str_delspace misc.c /^char *str_delspace (char *s)$/;" f
-str_tolowerdup misc.c /^char *str_tolowerdup (const char *s)$/;" f
str_untaint misc.c /^char *str_untaint (char *str)$/;" f
-strfindstr misc.c /^static const char *strfindstr (const char *str, const char *search)$/;" f file:
+strfindstr soaserial.c /^static const char *strfindstr (const char *str, const char *search)$/;" f file:
symtbl log.c /^static lg_symtbl_t symtbl[] = {$/;" v file:
-syslog_level log.c /^ int syslog_level;$/;" m file:
+syslog_level log.c /^ int syslog_level;$/;" m struct:__anon4 file:
tag_search zkt.c /^static void tag_search (const dki_t **nodep, const VISIT which, int depth)$/;" f file:
time2isostr misc.c /^char *time2isostr (time_t sec, int precision)$/;" f
time2str misc.c /^char *time2str (time_t sec, int precision)$/;" f
timeint2str zconf.c /^static const char *timeint2str (ulong val)$/;" f file:
timestr zkt-soaserial.c /^static char *timestr (time_t sec)$/;" f file:
timestr2time misc.c /^time_t timestr2time (const char *timestr)$/;" f
-today_serialtime misc.c /^static ulong today_serialtime ()$/;" f file:
tok ncparse.c /^ int tok;$/;" m struct:KeyWords file:
tok2str ncparse.c /^static const char *tok2str (int tok)$/;" f file:
touch misc.c /^int touch (const char *fname, time_t sec)$/;" f
trustedkeyflag dnssec-zkt.c /^static int trustedkeyflag = 0;$/;" v file:
-type zconf.c /^ ctype_t type; \/* the parameter type *\/$/;" m file:
+type zconf.c /^ ctype_t type; \/* the parameter type *\/$/;" m struct:__anon3 file:
unprepstrlist strlist.c /^char *unprepstrlist (char *list, char delimc)$/;" f
usage dnssec-signer.c /^static void usage (char *mesg, zconf_t *conf)$/;" f file:
usage dnssec-zkt.c /^static void usage (char *mesg, zconf_t *cp)$/;" f file:
usage zkt-soaserial.c /^static void usage (const char *msg)$/;" f file:
-var zconf.c /^ void *var; \/* pointer to the parameter variable *\/$/;" m file:
+var zconf.c /^ void *var; \/* pointer to the parameter variable *\/$/;" m struct:__anon3 file:
verbmesg misc.c /^void verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...)$/;" f
verbose dnssec-signer.c /^static int verbose = 0;$/;" v file:
view dnssec-zkt.c /^static const char *view = "";$/;" v file:
-viewname dnssec-signer.c /^const char *viewname = NULL;$/;" v
+viewname dnssec-signer.c /^static const char *viewname = NULL;$/;" v file:
writekeyfile dnssec-signer.c /^static int writekeyfile (const char *fname, const dki_t *list, int key_ttl)$/;" f file:
-zconf_para_t zconf.c /^} zconf_para_t;$/;" t file:
+zconf_para_t zconf.c /^} zconf_para_t;$/;" t typeref:struct:__anon3 file:
zkt_list_dnskeys zkt.c /^void zkt_list_dnskeys (const dki_t *data)$/;" f
zkt_list_keys zkt.c /^void zkt_list_keys (const dki_t *data)$/;" f
zkt_list_trustedkeys zkt.c /^void zkt_list_trustedkeys (const dki_t *data)$/;" f
** Most of the code is from the SixXS Heartbeat Client
** written by Jeroen Massar <jeroen@sixxs.net>
**
-** New config types and some slightly code changes
-** by Holger Zuleger
+** New config types and some slightly code changes by Holger Zuleger
**
** Copyright (c) Aug 2005, Jeroen Massar, Holger Zuleger.
** All rights reserved.
PRINTTIME, PRINTAGE, LJUST,
SIG_VALIDITY, MAX_TTL, KEY_TTL, PROPTIME, Incremental,
RESIGN_INT,
- KSK_LIFETIME, KSK_ALGO, KSK_BITS, KSK_RANDOM,
- ZSK_LIFETIME, ZSK_ALGO, ZSK_BITS, ZSK_RANDOM,
+ KEY_ALGO, ADDITIONAL_KEY_ALGO,
+ KSK_LIFETIME, KSK_BITS, KSK_RANDOM,
+ ZSK_LIFETIME, ZSK_BITS, ZSK_RANDOM,
SALTLEN,
- NULL, /* viewname cmdline paramter */
+ NULL, /* viewname cmdline parameter */
+ 0, /* noexec cmdline parameter */
LOGFILE, LOGLEVEL, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0,
DNSKEYFILE, ZONEFILE, KEYSETDIR,
LOOKASIDEDOMAIN,
SIG_RANDOM, SIG_PSEUDO, SIG_GENDS, SIG_PARAM,
- DIST_CMD /* deafults to NULL which means to run "rndc reload" */
+ DIST_CMD, /* defaults to NULL which means to run "rndc reload" */
+ NAMED_CHROOT
};
typedef struct {
{ "", 0, CONF_COMMENT, NULL },
{ "", 0, CONF_COMMENT, "signing key parameters"},
+ { "Key_algo", 0, CONF_ALGO, &def.k_algo }, /* now used as general KEY algoritjm (KSK & ZSK) */
+ { "AddKey_algo", 0, CONF_ALGO, &def.k2_algo }, /* second key algorithm added (v0.99) */
{ "KSK_lifetime", 0, CONF_TIMEINT, &def.k_life },
- { "KSK_algo", 0, CONF_ALGO, &def.k_algo },
+ { "KSK_algo", 1, CONF_ALGO, &def.k_algo }, /* old KSK value changed to key algorithm */
{ "KSK_bits", 0, CONF_INT, &def.k_bits },
{ "KSK_randfile", 0, CONF_STRING, &def.k_random },
{ "ZSK_lifetime", 0, CONF_TIMEINT, &def.z_life },
- { "ZSK_algo", 0, CONF_ALGO, &def.z_algo },
+ /* { "ZSK_algo", 1, CONF_ALGO, &def.z_algo }, ZSK algo removed (set to same as ksk) */
+ { "ZSK_algo", 1, CONF_ALGO, &def.k2_algo }, /* if someone using it already, map the algo to the additional key algorithm */
{ "ZSK_bits", 0, CONF_INT, &def.z_bits },
{ "ZSK_randfile", 0, CONF_STRING, &def.z_random },
{ "SaltBits", 0, CONF_INT, &def.saltbits },
{ "", 0, CONF_COMMENT, NULL },
{ "", 0, CONF_COMMENT, "dnssec-signer options"},
{ "--view", 1, CONF_STRING, &def.view },
+ { "--noexec", 1, CONF_BOOL, &def.noexec },
{ "LogFile", 0, CONF_STRING, &def.logfile },
{ "LogLevel", 0, CONF_LEVEL, &def.loglevel },
{ "SyslogFacility", 0, CONF_FACILITY, &def.syslogfacility },
{ "DLV_Domain", 0, CONF_STRING, &def.lookaside },
{ "Sig_Randfile", 0, CONF_STRING, &def.sig_random },
{ "Sig_Pseudorand", 0, CONF_BOOL, &def.sig_pseudo },
- { "Sig_GenerateDS", 1, CONF_BOOL, &def.sig_gends },
+ { "Sig_GenerateDS", 0, CONF_BOOL, &def.sig_gends },
{ "Sig_Parameter", 0, CONF_STRING, &def.sig_param },
{ "Distribute_Cmd", 0, CONF_STRING, &def.dist_cmd },
+ { "NamedChrootDir", 0, CONF_STRING, &def.chroot_dir },
{ NULL, 0, CONF_END, NULL},
};
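Review bot: Nothing in this table tells an operator that the legacy `KSK_algo` and `ZSK_algo` labels changed meaning: `KSK_algo` now writes the general `def.k_algo`, and `ZSK_algo` writes `def.k2_algo`, the additional key algorithm. An existing dnssec.conf with different KSK and ZSK algorithms would therefore presumably produce a different key set after the upgrade, with no message; the code that consumes these fields is outside the hunk, so please confirm. I would mark the two entries as a group with `/* deprecated aliases, kept for old config files: KSK_algo -> Key_algo, ZSK_algo -> AddKey_algo */` and have the parser log a warning when either label is seen. The commented-out `ZSK_algo` entry here and the `// set_varptr ("zsk_algo", &cp->z_algo);` line in the set_all_varptr hunk are dead code and could be dropped, and `algoritjm` in the new `Key_algo` comment is a typo.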
#endif
set_varptr ("serialformat", &cp->serialform);
+ set_varptr ("key_algo", &cp->k_algo);
+ set_varptr ("addkey_algo", &cp->k2_algo);
set_varptr ("ksk_lifetime", &cp->k_life);
- set_varptr ("ksk_algo", &cp->k_algo);
+ set_varptr ("ksk_algo", &cp->k_algo); /* to be removed in next release */
set_varptr ("ksk_bits", &cp->k_bits);
set_varptr ("ksk_randfile", &cp->k_random);
set_varptr ("zsk_lifetime", &cp->z_life);
- set_varptr ("zsk_algo", &cp->z_algo);
+ // set_varptr ("zsk_algo", &cp->z_algo);
+ set_varptr ("zsk_algo", &cp->k2_algo);
set_varptr ("zsk_bits", &cp->z_bits);
set_varptr ("zsk_randfile", &cp->z_random);
set_varptr ("saltbits", &cp->saltbits);
set_varptr ("--view", &cp->view);
+ set_varptr ("--noexec", &cp->noexec);
set_varptr ("logfile", &cp->logfile);
set_varptr ("loglevel", &cp->loglevel);
set_varptr ("syslogfacility", &cp->syslogfacility);
set_varptr ("sig_generateds", &cp->sig_gends);
set_varptr ("sig_parameter", &cp->sig_param);
set_varptr ("distribute_cmd", &cp->dist_cmd);
+ set_varptr ("namedchrootdir", &cp->chroot_dir);
}
static void parseconfigline (char *buf, unsigned int line, zconf_t *z)
{
char **str;
char quantity;
- int ival;
+ long lval;
found = 1;
switch ( c->type )
break;
case CONF_TIMEINT:
quantity = 'd';
- sscanf (val, "%d%c", &ival, &quantity);
+ sscanf (val, "%ld%c", &lval, &quantity);
if ( quantity == 'm' )
- ival *= MINSEC;
+ lval *= MINSEC;
else if ( quantity == 'h' )
- ival *= HOURSEC;
+ lval *= HOURSEC;
else if ( quantity == 'd' )
- ival *= DAYSEC;
+ lval *= DAYSEC;
else if ( quantity == 'w' )
- ival *= WEEKSEC;
+ lval *= WEEKSEC;
else if ( quantity == 'y' )
- ival *= YEARSEC;
- (*(int *)c->var) = ival;
+ lval *= YEARSEC;
+ (*(long *)c->var) = lval;
break;
case CONF_ALGO:
if ( strcasecmp (val, "rsa") == 0 || strcasecmp (val, "rsamd5") == 0 )
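Review bot: The result of `sscanf (val, "%ld%c", &lval, &quantity)` in the CONF_TIMEINT case is never checked, and `lval` is declared without an initialiser. A value with no leading number therefore leaves `lval` indeterminate, and it is still scaled and stored through `c->var`. These parameters include signature validity and key lifetimes, so a typo in the config file should be rejected rather than become an arbitrary interval. I would guard the conversion with `if ( sscanf (val, "%ld%c", &lval, &quantity) < 1 || lval < 0 )` and report the bad line through whatever error path parseconfigline already uses, which is outside this hunk. The `lval *= ...` multiplications are also unchecked and can overflow where `long` is 32 bits.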
static void printconfigline (FILE *fp, zconf_para_t *cp)
{
int i;
+ long lval;
assert (fp != NULL);
assert (cp != NULL);
fprintf (fp, "%s:\t%s\n", cp->label, bool2str ( *(int*)cp->var ));
break;
case CONF_TIMEINT:
- i = *(ulong*)cp->var;
- fprintf (fp, "%s:\t%s", cp->label, timeint2str (i));
- if ( i )
- fprintf (fp, "\t# (%d seconds)", i);
+ lval = *(ulong*)cp->var; /* in that case it should be of type ulong */
+ fprintf (fp, "%s:\t%s", cp->label, timeint2str (lval));
+ if ( lval )
+ fprintf (fp, "\t# (%ld seconds)", lval);
putc ('\n', fp);
break;
case CONF_ALGO:
i = *(int*)cp->var;
- fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
- fprintf (fp, "\t# (Algorithm ID %d)\n", i);
+ if ( i )
+ {
+ fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
+ fprintf (fp, "\t# (Algorithm ID %d)\n", i);
+ }
break;
case CONF_SERIAL:
fprintf (fp, "%s:\t", cp->label);
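Review bot: The CONF_TIMEINT case of printconfigline reads the field through `*(ulong*)cp->var`, while the rest of this commit treats it as `long`: the zconf_t members are declared `long`, and parseconfigline and setconfigpar store through `(long *)`. The new comment "in that case it should be of type ulong" contradicts those declarations. The result is then assigned to a signed `lval` and printed with `%ld`. For consistency I would read it as `lval = *(long *)cp->var;` and drop the comment, or state in a comment that the value is assumed non-negative before it is passed to `timeint2str`.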
/* fall through */
case CONF_ALGO:
/* fall through */
- case CONF_TIMEINT:
- /* fall through */
case CONF_INT:
*((int *)c->var) = *((int *)pval);
break;
+ case CONF_TIMEINT:
+ *((long *)c->var) = *((long *)pval);
+ break;
case CONF_SERIAL:
*((serial_form_t *)c->var) = *((serial_form_t *)pval);
break;
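Review bot: The new CONF_TIMEINT case in setconfigpar dereferences `pval` as a `long`, which silently changes the contract of the `const void *pval` argument. A caller that still passes the address of an `int` for a time-interval parameter would cause a read of `sizeof(long)` bytes from an `int` object on LP64 platforms. The callers are outside this hunk, so this needs checking against them. I would document the requirement at the case, `/* pval must point to a long for CONF_TIMEINT parameters */`, and keep the qualifier in the cast: `*((long *)c->var) = *((const long *)pval);`.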
if ( z->resign < (z->max_ttl + z->proptime) )
{
fprintf (stderr, "Re-signing interval (%s) should be ", timeint2str (z->resign));
- fprintf (stderr, "greater than max_ttl (%d) plus ", z->max_ttl);
- fprintf (stderr, "propagation time (%d)\n", z->proptime);
+ fprintf (stderr, "greater than max_ttl (%ld) plus ", z->max_ttl);
+ fprintf (stderr, "propagation time (%ld)\n", z->proptime);
}
if ( z->max_ttl >= z->sigvalidity )
- fprintf (stderr, "Max TTL (%d) should be less than signatur validity (%d)\n",
+ fprintf (stderr, "Max TTL (%ld) should be less than signature validity (%ld)\n",
z->max_ttl, z->sigvalidity);
if ( z->z_life > (12 * WEEKSEC) * (z->z_bits / 512.) )
# define ZCONF_H
-# define MINSEC 60
+# define MINSEC 60L
# define HOURSEC (MINSEC * 60)
# define DAYSEC (HOURSEC * 24)
# define WEEKSEC (DAYSEC * 7)
#if 0
# define ZSK_LIFETIME ((SIG_VALID_DAYS * 3) * DAYSEC) /* set to three times the sig validity */
#else
-# define ZSK_LIFETIME ((MONTH * 3) * DAYSEC) /* set fixed to 3 month */
+# if 0
+# define ZSK_LIFETIME ((MONTH * 3) * DAYSEC) /* set fixed to 3 month */
+# else
+# define ZSK_LIFETIME (12 * WEEKSEC) /* set fixed to 3 month */
+# endif
#endif
-# define KSK_ALGO (DK_ALGO_RSASHA1)
+/* # define KSK_ALGO (DK_ALGO_RSASHA1) KSK_ALGO renamed to KEY_ALGO (v0.99) */
+# define KEY_ALGO (DK_ALGO_RSASHA1) /* general KEY_ALGO used for both ksk and zsk */
+# define ADDITIONAL_KEY_ALGO 0
# define KSK_BITS (1300)
# define KSK_RANDOM "/dev/urandom" /* was NULL before v0.94 */
-# define ZSK_ALGO (DK_ALGO_RSASHA1)
+/* # define ZSK_ALGO (DK_ALGO_RSASHA1) ZSK_ALGO has to be the same as KSK, so this is no longer used (v0.99) */
# define ZSK_BITS (512)
# define ZSK_RANDOM "/dev/urandom"
# define SALTLEN 24 /* salt length in bits (resolution is 4 bits)*/
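Review bot: The comment on the new `ZSK_LIFETIME` definition is stale: the value is now `(12 * WEEKSEC)`, but the line still says "set fixed to 3 month". Since this default drives key rollover timing, the comment should match the value, e.g. `# define ZSK_LIFETIME (12 * WEEKSEC) /* set fixed to 12 weeks */`. The nested `#if 0` branches around it keep two unused definitions alive; removing them would leave a single definition to read. Likewise the commented-out `KSK_ALGO` and `ZSK_ALGO` lines could be replaced by one short note that `KEY_ALGO` supersedes both.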
# define SIG_GENDS 1
# define SIG_PARAM ""
# define DIST_CMD NULL /* default is to run "rndc reload" */
+# define NAMED_CHROOT NULL /* default is none */
#ifndef CONFIG_PATH
# define CONFIG_PATH "/var/named/"
int printtime;
int printage;
int ljust;
- int sigvalidity; /* should be less than expire time */
- int max_ttl; /* should be set to the maximum used ttl in the zone */
- int key_ttl;
- int proptime; /* expected time offset for zone propagation */
+ long sigvalidity; /* should be less than expire time */
+ long max_ttl; /* should be set to the maximum used ttl in the zone */
+ long key_ttl;
+ long proptime; /* expected time offset for zone propagation */
#if defined (DEF_TTL)
- int def_ttl; /* default ttl set in soa record */
+ long def_ttl; /* default ttl set in soa record */
#endif
serial_form_t serialform; /* format of serial no */
- int resign; /* resign interval */
+ long resign; /* resign interval */
- int k_life;
int k_algo;
+ int k2_algo;
+ long k_life;
int k_bits;
char *k_random;
- int z_life;
- int z_algo;
+ long z_life;
+ /* int z_algo; no longer used; renamed to k2_algo (v0.99) */
int z_bits;
char *z_random;
int saltbits;
char *view;
+ int noexec;
// char *errlog;
char *logfile;
char *loglevel;
int sig_gends;
char *sig_param;
char *dist_cmd; /* cmd to run instead of "rndc reload" */
+ char *chroot_dir; /* chroot directory of named */
} zconf_t;
extern zconf_t *loadconfig (const char *filename, zconf_t *z);