author | Internet Software Consortium, Inc <@isc.org> | 2007-09-07 14:11:04 -0600 |
---|---|---|
committer | LaMont Jones <lamont@debian.org> | 2007-09-07 14:11:04 -0600 |
commit | 4dd5eedee98c3fc2f40a45078bc7006cd5efd7f0 (patch) | |
tree | 85b4b951eb54c6a7d489139cdc8f8a0b1fb87eeb /bin/dnssec | |
parent | e71238b670ee683d2177c93695465bb6b181c4b8 (diff) | |
download | bind9-4dd5eedee98c3fc2f40a45078bc7006cd5efd7f0.tar.gz |
9.2.0a1
Diffstat (limited to 'bin/dnssec')
-rw-r--r-- | bin/dnssec/Makefile.in | 36 | ||||
-rw-r--r-- | bin/dnssec/dnssec-keygen.8 | 168 | ||||
-rw-r--r-- | bin/dnssec/dnssec-keygen.c | 51 | ||||
-rw-r--r-- | bin/dnssec/dnssec-keygen.docbook | 327 | ||||
-rw-r--r-- | bin/dnssec/dnssec-keygen.html | 575 | ||||
-rw-r--r-- | bin/dnssec/dnssec-makekeyset.8 | 113 | ||||
-rw-r--r-- | bin/dnssec/dnssec-makekeyset.c | 73 | ||||
-rw-r--r-- | bin/dnssec/dnssec-makekeyset.docbook | 233 | ||||
-rw-r--r-- | bin/dnssec/dnssec-makekeyset.html | 407 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signkey.8 | 108 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signkey.c | 75 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signkey.docbook | 237 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signkey.html | 407 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signzone.8 | 155 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signzone.c | 53 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signzone.docbook | 325 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signzone.html | 556 | ||||
-rw-r--r-- | bin/dnssec/dnssectool.c | 39 | ||||
-rw-r--r-- | bin/dnssec/dnssectool.h | 7 |
19 files changed, 3826 insertions, 119 deletions
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index a1fe51e5..c157d4b2 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -13,7 +13,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

-# $Id: Makefile.in,v 1.13.2.1 2001/01/09 22:31:28 bwelling Exp $
+# $Id: Makefile.in,v 1.18.2.1 2001/06/01 00:46:25 bwelling Exp $

 srcdir = @srcdir@
 VPATH = @srcdir@
@@ -50,28 +50,48 @@ SRCS = dnssec-keygen.c dnssec-makekeyset.c \ dnssec-signkey.c dnssec-signzone.c \ dnssectool.c +MANPAGES = dnssec-keygen.8 \ + dnssec-makekeyset.8 \ + dnssec-signkey.8 \ + dnssec-signzone.8 + +HTMLPAGES = dnssec-keygen.html \ + dnssec-makekeyset.html \ + dnssec-signkey.html \ + dnssec-signzone.html + +MANOBJS = ${MANPAGES} ${HTMLPAGES} + @BIND9_MAKE_RULES@ dnssec-keygen: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-keygen.@O@ ${OBJS} ${LIBS} + ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ dnssec-keygen.@O@ ${OBJS} ${LIBS} dnssec-makekeyset: dnssec-makekeyset.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-makekeyset.@O@ ${OBJS} ${LIBS} + ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ dnssec-makekeyset.@O@ ${OBJS} ${LIBS} dnssec-signkey: dnssec-signkey.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signkey.@O@ ${OBJS} ${LIBS} + ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ dnssec-signkey.@O@ ${OBJS} ${LIBS} dnssec-signzone.@O@: dnssec-signzone.c - ${LIBTOOL} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" -c $< + ${LIBTOOL} ${PURIFY} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" -c $< dnssec-signzone: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ ${OBJS} ${LIBS} + ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ ${OBJS} ${LIBS} -clean distclean:: - rm -f ${TARGETS} +doc man:: ${MANOBJS} + +docclean manclean maintainer-clean:: + rm -f ${MANOBJS} installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 install:: ${TARGETS} installdirs for t in ${TARGETS}; do ${LIBTOOL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done + for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done + +clean distclean:: + rm -f ${TARGETS} + 
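Review bot: The new `for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done` in the `install::` rule reports only the status of its last iteration, so a failed install of an earlier man page does not fail the build; `... ${DESTDIR}${mandir}/man8 || exit 1; done` keeps make from reporting success after a partial install. The pre-existing `for t in ${TARGETS}` loop on the line above has the same shape, and the same fix applies there. The `doc man:: ${MANOBJS}` target depends on the .8 and .html files, but this hunk shows no rule that produces them from the .docbook sources; presumably that lives in @BIND9_MAKE_RULES@, which is worth confirming before `docclean`/`manclean` remove files that cannot be regenerated.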
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
new file mode 100644
index 00000000..680c0d6e
--- /dev/null
+++ b/bin/dnssec/dnssec-keygen.8
@@ -0,0 +1,168 @@ +.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +.\" $Id: dnssec-keygen.8,v 1.17 2001/05/30 20:30:12 bwelling Exp $ + +.TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" "" +.SH NAME +dnssec-keygen \- DNSSEC key generation tool +.SH SYNOPSIS +.sp +\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR +.SH "DESCRIPTION" +.PP +\fBdnssec-keygen\fR generates keys for DNSSEC +(Secure DNS), as defined in RFC 2535. It can also generate +keys for use with TSIG (Transaction Signatures), as +defined in RFC 2845. +.SH "OPTIONS" +.TP +\fB-a \fIalgorithm\fB\fR +Selects the cryptographic algorithm. The value of +\fBalgorithm\fR must be one of RSAMD5 or RSA, +DSA, DH (Diffie Hellman), or HMAC-MD5. These values +are case insensitive. + +Note that for DNSSEC, DSA is a mandatory to implement algorithm, +and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. 
+.TP +\fB-b \fIkeysize\fB\fR +Specifies the number of bits in the key. The choice of key +size depends on the algorithm used. RSA keys must be between +512 and 2048 bits. Diffie Hellman keys must be between +128 and 4096 bits. DSA keys must be between 512 and 1024 +bits and an exact multiple of 64. HMAC-MD5 keys must be +between 1 and 512 bits. +.TP +\fB-n \fInametype\fB\fR +Specifies the owner type of the key. The value of +\fBnametype\fR must either be ZONE (for a DNSSEC +zone key), HOST or ENTITY (for a key associated with a host), +or USER (for a key associated with a user). These values are +case insensitive. +.TP +\fB-c \fIclass\fB\fR +Indicates that the DNS record containing the key should have +the specified class. If not specified, class IN is used. +.TP +\fB-e\fR +If generating an RSA key, use a large exponent. +.TP +\fB-g \fIgenerator\fB\fR +If generating a Diffie Hellman key, use this generator. +Allowed values are 2 and 5. If no generator +is specified, a known prime from RFC 2539 will be used +if possible; otherwise the default is 2. +.TP +\fB-h\fR +Prints a short summary of the options and arguments to +\fBdnssec-keygen\fR. +.TP +\fB-p \fIprotocol\fB\fR +Sets the protocol value for the generated key. The protocol +is a number between 0 and 255. The default is 2 (email) for +keys of type USER and 3 (DNSSEC) for all other key types. +Other possible values for this argument are listed in +RFC 2535 and its successors. +.TP +\fB-r \fIrandomdev\fB\fR +Specifies the source of randomness. If the operating +system does not provide a \fI/dev/random\fR +or equivalent device, the default source of randomness +is keyboard input. \fIrandomdev\fR specifies +the name of a character device or file containing random +data to be used instead of the default. The special value +\fIkeyboard\fR indicates that keyboard +input should be used. +.TP +\fB-s \fIstrength\fB\fR +Specifies the strength value of the key. 
The strength is +a number between 0 and 15, and currently has no defined +purpose in DNSSEC. +.TP +\fB-t \fItype\fB\fR +Indicates the use of the key. \fBtype\fR must be +one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default +is AUTHCONF. AUTH refers to the ability to authenticate +data, and CONF the ability to encrypt data. +.TP +\fB-v \fIlevel\fB\fR +Sets the debugging level. +.SH "GENERATED KEYS" +.PP +When \fBdnssec-keygen\fR completes successfully, +it prints a string of the form \fIKnnnn.+aaa+iiiii\fR +to the standard output. This is an identification string for +the key it has generated. These strings can be used as arguments +to \fBdnssec-makekeyset\fR. +.TP 0.2i +\(bu +\fInnnn\fR is the key name. +.TP 0.2i +\(bu +\fIaaa\fR is the numeric representation of the +algorithm. +.TP 0.2i +\(bu +\fIiiiii\fR is the key identifier (or footprint). +.PP +\fBdnssec-keygen\fR creates two file, with names based +on the printed string. \fIKnnnn.+aaa+iiiii.key\fR +contains the public key, and +\fIKnnnn.+aaa+iiiii.private\fR contains the private +key. +.PP +.PP +The \fI.key\fR file contains a DNS KEY record that +can be inserted into a zone file (directly or with a $INCLUDE +statement). +.PP +.PP +The \fI.private\fR file contains algorithm specific +fields. For obvious security reasons, this file does not have +general read permission. +.PP +.PP +Both \fI.key\fR and \fI.private\fR +files are generated for symmetric encryption algorithm such as +HMAC-MD5, even though the public and private key are equivalent. 
+.PP +.SH "EXAMPLE" +.PP +To generate a 768-bit DSA key for the domain +\fBexample.com\fR, the following command would be +issued: +.PP +\fBdnssec-keygen -a DSA -b 768 -n ZONE example.com\fR +.PP +The command would print a string of the form: +.PP +\fBKexample.com.+003+26160\fR +.PP +In this example, \fBdnssec-keygen\fR creates +the files \fIKexample.com.+003+26160.key\fR and +\fIKexample.com.+003+26160.private\fR +.SH "SEE ALSO" +.PP +\fBdnssec-makekeyset\fR(8), +\fBdnssec-signkey\fR(8), +\fBdnssec-signzone\fR(8), +\fIBIND 9 Administrator Reference Manual\fR, +\fIRFC 2535\fR, +\fIRFC 2845\fR, +\fIRFC 2539\fR. +.SH "AUTHOR" +.PP +Internet Software Consortium diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 13cfc229..8a2d2e1a 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -17,7 +17,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.45.2.1 2001/01/09 22:31:29 bwelling Exp $ */ +/* $Id: dnssec-keygen.c,v 1.47 2001/02/15 23:26:29 bwelling Exp $ */ #include <config.h> 
@@ -56,31 +56,34 @@ dsa_size_ok(int size) {

 static void
 usage(void) {
- printf("Usage:\n");
- printf(" %s -a alg -b bits -n type [options] name\n\n", program);
- printf("Required options:\n");
- printf(" -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5\n");
- printf(" -b key size, in bits:\n");
- printf(" RSA:\t\t[512..%d]\n", MAX_RSA);
- printf(" DH:\t\t[128..4096]\n");
- printf(" DSA:\t\t[512..1024] and divisible by 64\n");
- printf(" HMAC-MD5:\t[1..512]\n");
- printf(" -n nametype: ZONE | HOST | ENTITY | USER\n");
- printf(" name: owner of the key\n");
- printf("Other options:\n");
- printf(" -c class (default: IN)\n");
- printf(" -e use large exponent (RSA only)\n");
- printf(" -g use specified generator (DH only)\n");
- printf(" -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s -a alg -b bits -n type [options] name\n\n",
+ program);
+ fprintf(stderr, "Required options:\n");
+ fprintf(stderr, " -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5"
+ "\n");
+ fprintf(stderr, " -b key size, in bits:\n");
+ fprintf(stderr, " RSA:\t\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " DH:\t\t[128..4096]\n");
+ fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
+ fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
+ fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER\n");
+ fprintf(stderr, " name: owner of the key\n");
+ fprintf(stderr, "Other options:\n");
+ fprintf(stderr, " -c class (default: IN)\n");
+ fprintf(stderr, " -e use large exponent (RSA only)\n");
+ fprintf(stderr, " -g use specified generator (DH only)\n");
+ fprintf(stderr, " -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
 "(default: AUTHCONF)\n");
- printf(" -p protocol value "
+ fprintf(stderr, " -p protocol value "
 "(default: 2 [email] for USER, 3 [dnssec] otherwise)\n");
- printf(" -s strength value this key signs DNS records with "
- "(default: 0)\n");
- printf(" -r randomdev (a file containing random data)\n");
- printf(" -v verbose level\n");
- printf("Output:\n");
- printf(" K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private\n");
+ fprintf(stderr, " -s strength value this key signs DNS records "
+ "with (default: 0)\n");
+ fprintf(stderr, " -r randomdev (a file containing random data)\n");
+ fprintf(stderr, " -v verbose level\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<id>.key, "
+ "K<name>+<alg>+<id>.private\n");
 exit (-1);
 }

diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
new file mode 100644
index 00000000..e8b5590d
--- /dev/null
+++ b/bin/dnssec/dnssec-keygen.docbook
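Review bot: `exit (-1);` at the end of usage() survives the rewrite, and -1 is not a portable exit status: a POSIX parent observes 255, so `exit(EXIT_FAILURE);` (or `exit(1);`) is the idiomatic choice now that the text is also routed to stderr. The man page added in this same commit documents `-h` as a help option; if `-h` reaches usage() (the option parsing is outside this hunk) a user asking for help gets a failure status and output on stderr rather than stdout, so a dedicated help path that prints to stdout and returns 0 would be the cleaner fix. The `-s` usage line still says the strength is a value "this key signs DNS records with", while the new man page says the field currently has no defined purpose in DNSSEC; aligning the two wordings avoids misleading operators about what the option controls. usage()'s callers lie outside the hunk.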
@@ -0,0 +1,327 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-keygen.docbook,v 1.3 2001/04/10 21:50:26 bwelling Exp $ --> + +<refentry> + <refentryinfo> + <date>June 30, 2000</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>dnssec-keygen</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>dnssec-keygen</application></refname> + <refpurpose>DNSSEC key generation tool</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>dnssec-keygen</command> + <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg> + <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg> + <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg> + <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-e</option></arg> + <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg> + <arg><option>-h</option></arg> + <arg><option>-p <replaceable 
class="parameter">protocol</replaceable></option></arg> + <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> + <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg> + <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> + <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> + <arg choice="req">name</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para> + <command>dnssec-keygen</command> generates keys for DNSSEC + (Secure DNS), as defined in RFC 2535. It can also generate + keys for use with TSIG (Transaction Signatures), as + defined in RFC 2845. + </para> + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-a <replaceable class="parameter">algorithm</replaceable></term> + <listitem> + <para> + Selects the cryptographic algorithm. The value of + <option>algorithm</option> must be one of RSAMD5 or RSA, + DSA, DH (Diffie Hellman), or HMAC-MD5. These values + are case insensitive. + </para> + <para> + Note that for DNSSEC, DSA is a mandatory to implement algorithm, + and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-b <replaceable class="parameter">keysize</replaceable></term> + <listitem> + <para> + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSA keys must be between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-n <replaceable class="parameter">nametype</replaceable></term> + <listitem> + <para> + Specifies the owner type of the key. 
The value of + <option>nametype</option> must either be ZONE (for a DNSSEC + zone key), HOST or ENTITY (for a key associated with a host), + or USER (for a key associated with a user). These values are + case insensitive. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-c <replaceable class="parameter">class</replaceable></term> + <listitem> + <para> + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-e</term> + <listitem> + <para> + If generating an RSA key, use a large exponent. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-g <replaceable class="parameter">generator</replaceable></term> + <listitem> + <para> + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-h</term> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>dnssec-keygen</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-p <replaceable class="parameter">protocol</replaceable></term> + <listitem> + <para> + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 2 (email) for + keys of type USER and 3 (DNSSEC) for all other key types. + Other possible values for this argument are listed in + RFC 2535 and its successors. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-r <replaceable class="parameter">randomdev</replaceable></term> + <listitem> + <para> + Specifies the source of randomness. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. 
<filename>randomdev</filename> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-s <replaceable class="parameter">strength</replaceable></term> + <listitem> + <para> + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-t <replaceable class="parameter">type</replaceable></term> + <listitem> + <para> + Indicates the use of the key. <option>type</option> must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-v <replaceable class="parameter">level</replaceable></term> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>GENERATED KEYS</title> + <para> + When <command>dnssec-keygen</command> completes successfully, + it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename> + to the standard output. This is an identification string for + the key it has generated. These strings can be used as arguments + to <command>dnssec-makekeyset</command>. + </para> + <itemizedlist> + <listitem> + <para> + <filename>nnnn</filename> is the key name. + </para> + </listitem> + <listitem> + <para> + <filename>aaa</filename> is the numeric representation of the + algorithm. + </para> + </listitem> + <listitem> + <para> + <filename>iiiii</filename> is the key identifier (or footprint). 
+ </para> + </listitem> + </itemizedlist> + <para> + <command>dnssec-keygen</command> creates two file, with names based + on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename> + contains the public key, and + <filename>Knnnn.+aaa+iiiii.private</filename> contains the private + key. + </para> + <para> + The <filename>.key</filename> file contains a DNS KEY record that + can be inserted into a zone file (directly or with a $INCLUDE + statement). + </para> + <para> + The <filename>.private</filename> file contains algorithm specific + fields. For obvious security reasons, this file does not have + general read permission. + </para> + <para> + Both <filename>.key</filename> and <filename>.private</filename> + files are generated for symmetric encryption algorithm such as + HMAC-MD5, even though the public and private key are equivalent. + </para> + </refsect1> + + <refsect1> + <title>EXAMPLE</title> + <para> + To generate a 768-bit DSA key for the domain + <userinput>example.com</userinput>, the following command would be + issued: + </para> + <para> + <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput> + </para> + <para> + The command would print a string of the form: + </para> + <para> + <userinput>Kexample.com.+003+26160</userinput> + </para> + <para> + In this example, <command>dnssec-keygen</command> creates + the files <filename>Kexample.com.+003+26160.key</filename> and + <filename>Kexample.com.+003+26160.private</filename> + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>dnssec-makekeyset</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>dnssec-signkey</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>dnssec-signzone</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>, + <citetitle>RFC 2535</citetitle>, + 
<citetitle>RFC 2845</citetitle>, + <citetitle>RFC 2539</citetitle>. + </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para> + <corpauthor>Internet Software Consortium</corpauthor> + </para> + </refsect1> + +</refentry> + +<!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html new file mode 100644 index 00000000..bbec232c --- /dev/null +++ b/bin/dnssec/dnssec-keygen.html 
@@ -0,0 +1,575 @@ +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-keygen.html,v 1.3 2001/04/10 21:50:27 bwelling Exp $ --> + +<HTML +><HEAD +><TITLE +>dnssec-keygen</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.61 +"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +><SPAN +CLASS="APPLICATION" +>dnssec-keygen</SPAN +></A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>dnssec-keygen</SPAN +> -- DNSSEC key generation tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>dnssec-keygen</B +> {-a <TT +CLASS="REPLACEABLE" +><I +>algorithm</I +></TT +>} {-b <TT +CLASS="REPLACEABLE" +><I +>keysize</I +></TT +>} {-n <TT +CLASS="REPLACEABLE" +><I +>nametype</I +></TT +>} [<TT +CLASS="OPTION" +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-e</TT +>] [<TT +CLASS="OPTION" +>-g <TT +CLASS="REPLACEABLE" +><I +>generator</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-h</TT +>] [<TT 
+CLASS="OPTION" +>-p <TT +CLASS="REPLACEABLE" +><I +>protocol</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-s <TT +CLASS="REPLACEABLE" +><I +>strength</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-t <TT +CLASS="REPLACEABLE" +><I +>type</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></TT +>] {name}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN48" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" +>dnssec-keygen</B +> generates keys for DNSSEC + (Secure DNS), as defined in RFC 2535. It can also generate + keys for use with TSIG (Transaction Signatures), as + defined in RFC 2845. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN52" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a <TT +CLASS="REPLACEABLE" +><I +>algorithm</I +></TT +></DT +><DD +><P +> Selects the cryptographic algorithm. The value of + <TT +CLASS="OPTION" +>algorithm</TT +> must be one of RSAMD5 or RSA, + DSA, DH (Diffie Hellman), or HMAC-MD5. These values + are case insensitive. + </P +><P +> Note that for DNSSEC, DSA is a mandatory to implement algorithm, + and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </P +></DD +><DT +>-b <TT +CLASS="REPLACEABLE" +><I +>keysize</I +></TT +></DT +><DD +><P +> Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSA keys must be between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. + </P +></DD +><DT +>-n <TT +CLASS="REPLACEABLE" +><I +>nametype</I +></TT +></DT +><DD +><P +> Specifies the owner type of the key. 
The value of + <TT +CLASS="OPTION" +>nametype</TT +> must either be ZONE (for a DNSSEC + zone key), HOST or ENTITY (for a key associated with a host), + or USER (for a key associated with a user). These values are + case insensitive. + </P +></DD +><DT +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></DT +><DD +><P +> Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + </P +></DD +><DT +>-e</DT +><DD +><P +> If generating an RSA key, use a large exponent. + </P +></DD +><DT +>-g <TT +CLASS="REPLACEABLE" +><I +>generator</I +></TT +></DT +><DD +><P +> If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + </P +></DD +><DT +>-h</DT +><DD +><P +> Prints a short summary of the options and arguments to + <B +CLASS="COMMAND" +>dnssec-keygen</B +>. + </P +></DD +><DT +>-p <TT +CLASS="REPLACEABLE" +><I +>protocol</I +></TT +></DT +><DD +><P +> Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 2 (email) for + keys of type USER and 3 (DNSSEC) for all other key types. + Other possible values for this argument are listed in + RFC 2535 and its successors. + </P +></DD +><DT +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></DT +><DD +><P +> Specifies the source of randomness. If the operating + system does not provide a <TT +CLASS="FILENAME" +>/dev/random</TT +> + or equivalent device, the default source of randomness + is keyboard input. <TT +CLASS="FILENAME" +>randomdev</TT +> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <TT +CLASS="FILENAME" +>keyboard</TT +> indicates that keyboard + input should be used. 
+ </P +></DD +><DT +>-s <TT +CLASS="REPLACEABLE" +><I +>strength</I +></TT +></DT +><DD +><P +> Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + </P +></DD +><DT +>-t <TT +CLASS="REPLACEABLE" +><I +>type</I +></TT +></DT +><DD +><P +> Indicates the use of the key. <TT +CLASS="OPTION" +>type</TT +> must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + </P +></DD +><DT +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></DT +><DD +><P +> Sets the debugging level. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN121" +></A +><H2 +>GENERATED KEYS</H2 +><P +> When <B +CLASS="COMMAND" +>dnssec-keygen</B +> completes successfully, + it prints a string of the form <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii</TT +> + to the standard output. This is an identification string for + the key it has generated. These strings can be used as arguments + to <B +CLASS="COMMAND" +>dnssec-makekeyset</B +>. + </P +><P +></P +><UL +><LI +><P +> <TT +CLASS="FILENAME" +>nnnn</TT +> is the key name. + </P +></LI +><LI +><P +> <TT +CLASS="FILENAME" +>aaa</TT +> is the numeric representation of the + algorithm. + </P +></LI +><LI +><P +> <TT +CLASS="FILENAME" +>iiiii</TT +> is the key identifier (or footprint). + </P +></LI +></UL +><P +> <B +CLASS="COMMAND" +>dnssec-keygen</B +> creates two file, with names based + on the printed string. <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii.key</TT +> + contains the public key, and + <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii.private</TT +> contains the private + key. + </P +><P +> The <TT +CLASS="FILENAME" +>.key</TT +> file contains a DNS KEY record that + can be inserted into a zone file (directly or with a $INCLUDE + statement). 
+ </P +><P +> The <TT +CLASS="FILENAME" +>.private</TT +> file contains algorithm specific + fields. For obvious security reasons, this file does not have + general read permission. + </P +><P +> Both <TT +CLASS="FILENAME" +>.key</TT +> and <TT +CLASS="FILENAME" +>.private</TT +> + files are generated for symmetric encryption algorithm such as + HMAC-MD5, even though the public and private key are equivalent. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN148" +></A +><H2 +>EXAMPLE</H2 +><P +> To generate a 768-bit DSA key for the domain + <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +>, the following command would be + issued: + </P +><P +> <TT +CLASS="USERINPUT" +><B +>dnssec-keygen -a DSA -b 768 -n ZONE example.com</B +></TT +> + </P +><P +> The command would print a string of the form: + </P +><P +> <TT +CLASS="USERINPUT" +><B +>Kexample.com.+003+26160</B +></TT +> + </P +><P +> In this example, <B +CLASS="COMMAND" +>dnssec-keygen</B +> creates + the files <TT +CLASS="FILENAME" +>Kexample.com.+003+26160.key</TT +> and + <TT +CLASS="FILENAME" +>Kexample.com.+003+26160.private</TT +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN161" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-makekeyset</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signkey</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signzone</SPAN +>(8)</SPAN +>, + <I +CLASS="CITETITLE" +>BIND 9 Administrator Reference Manual</I +>, + <I +CLASS="CITETITLE" +>RFC 2535</I +>, + <I +CLASS="CITETITLE" +>RFC 2845</I +>, + <I +CLASS="CITETITLE" +>RFC 2539</I +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN177" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Software Consortium + </P +></DIV +></BODY +></HTML +>
\ No newline at end of file
diff --git a/bin/dnssec/dnssec-makekeyset.8 b/bin/dnssec/dnssec-makekeyset.8
new file mode 100644
index 00000000..a2489a79
--- /dev/null
+++ b/bin/dnssec/dnssec-makekeyset.8
@@ -0,0 +1,113 @@ +.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +.\" $Id: dnssec-makekeyset.8,v 1.14 2001/05/30 20:30:13 bwelling Exp $ + +.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" "" +.SH NAME +dnssec-makekeyset \- DNSSEC zone signing tool +.SH SYNOPSIS +.sp +\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR +.SH "DESCRIPTION" +.PP +\fBdnssec-makekeyset\fR generates a key set from one +or more keys created by \fBdnssec-keygen\fR. It creates +a file containing a KEY record for each key, and self-signs the key +set with each zone key. The output file is of the form +\fIkeyset-nnnn.\fR, where \fInnnn\fR +is the zone name. +.SH "OPTIONS" +.TP +\fB-a\fR +Verify all generated signatures. +.TP +\fB-s \fIstart-time\fB\fR +Specify the date and time when the generated SIG records +become valid. This can be either an absolute or relative +time. An absolute start time is indicated by a number +in YYYYMMDDHHMMSS notation; 20000530144500 denotes +14:45:00 UTC on May 30th, 2000. 
A relative start time is +indicated by +N, which is N seconds from the current time. +If no \fBstart-time\fR is specified, the current +time is used. +.TP +\fB-e \fIend-time\fB\fR +Specify the date and time when the generated SIG records +expire. As with \fBstart-time\fR, an absolute +time is indicated in YYYYMMDDHHMMSS notation. A time relative +to the start time is indicated with +N, which is N seconds from +the start time. A time realtive to the current time is +indicated with now+N. If no \fBend-time\fR is +specified, 30 days from the start time is used as a default. +.TP +\fB-h\fR +Prints a short summary of the options and arguments to +\fBdnssec-makekeyset\fR. +.TP +\fB-p\fR +Use pseudo-random data when signing the zone. This is faster, +but less secure, than using real random data. This option +may be useful when signing large zones or when the entropy +source is limited. +.TP +\fB-r \fIrandomdev\fB\fR +Specifies the source of randomness. If the operating +system does not provide a \fI/dev/random\fR +or equivalent device, the default source of randomness +is keyboard input. \fIrandomdev\fR specifies +the name of a character device or file containing random +data to be used instead of the default. The special value +\fIkeyboard\fR indicates that keyboard +input should be used. +.TP +\fB-t \fIttl\fB\fR +Specify the TTL (time to live) of the KEY and SIG records. +The default is 3600 seconds. +.TP +\fB-v \fIlevel\fB\fR +Sets the debugging level. +.TP +\fBkey\fR +Lists the keys included in the keyset file. These keys +are expressed in the form \fIKnnnn.+aaa+iiiii\fR +as generated by \fBdnssec-keygen\fR. +.SH "EXAMPLE" +.PP +The following command generates a keyset containing the DSA key for +\fBexample.com\fR generated in the +\fBdnssec-keygen\fR man page. +.PP +\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR +.PP +In this example, \fBdnssec-makekeyset\fR creates +the file \fIkeyset-example.com.\fR. 
This file
+contains the specified key and a self-generated signature.
+.PP
+The DNS administrator for \fBexample.com\fR could
+send \fIkeyset-example.com.\fR to the DNS
+administrator for \fB.com\fR for signing, if the
+\&.com zone is DNSSEC-aware and the administrators of the two zones
+have some mechanism for authenticating each other and exchanging
+the keys and signatures securely.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signkey\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-makekeyset.c b/bin/dnssec/dnssec-makekeyset.c
index e4ce8e0e..12c5c8d5 100644
--- a/bin/dnssec/dnssec-makekeyset.c
+++ b/bin/dnssec/dnssec-makekeyset.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-makekeyset.c,v 1.45.4.2 2001/03/26 19:11:53 gson Exp $ */
+/* $Id: dnssec-makekeyset.c,v 1.52 2001/05/10 06:04:56 bwelling Exp $ */
 #include <config.h>
@@ -99,6 +99,32 @@ usage(void) {
 exit(0);
 }
+static isc_boolean_t
+zonekey_on_list(dst_key_t *key) {
+ keynode_t *keynode;
+ for (keynode = ISC_LIST_HEAD(keylist);
+ keynode != NULL;
+ keynode = ISC_LIST_NEXT(keynode, link))
+ {
+ if (dst_key_compare(keynode->key, key))
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
+static isc_boolean_t
+rdata_on_list(dns_rdata_t *rdata, dns_rdatalist_t *list) {
+ dns_rdata_t *trdata;
+ for (trdata = ISC_LIST_HEAD(list->rdata);
+ trdata != NULL;
+ trdata = ISC_LIST_NEXT(trdata, link))
+ {
+ if (dns_rdata_compare(trdata, rdata) == 0)
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
 int
 main(int argc, char *argv[]) {
 int i, ch;
@@ -220,7 +246,6 @@ main(int argc, char *argv[]) {
 for (i = 0; i < argc; i++) {
 char namestr[DNS_NAME_FORMATSIZE];
- dns_fixedname_t fname;
 isc_buffer_t namebuf;
 key = NULL;
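Review bot: The new helpers `zonekey_on_list` and `rdata_on_list` carry no comment, and the first one reads the file-scope `keylist` rather than taking the list as a parameter, which its signature does not reveal. I would head them `/* Return ISC_TRUE if a key that dst_key_compare() considers equal to 'key' is already on the global keylist. */` and `/* Return ISC_TRUE if 'rdata' compares equal to an entry already on 'list'. */`. Both are linear scans, which is fine for the few keys a keyset holds but worth stating so nobody later points them at a whole zone's rdata.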
@@ -232,14 +257,10 @@ main(int argc, char *argv[]) {
 rdatalist.rdclass = dst_key_class(key);
 isc_buffer_init(&namebuf, namestr, sizeof namestr);
- dns_fixedname_init(&fname);
- dns_name_downcase(dst_key_name(key),
- dns_fixedname_name(&fname),
- NULL);
- result = dns_name_totext(dns_fixedname_name(&fname),
- ISC_FALSE,
- &namebuf);
- check_result(result, "dns_name_totext");
+ result = dns_name_tofilenametext(dst_key_name(key),
+ ISC_FALSE,
+ &namebuf);
+ check_result(result, "dns_name_tofilenametext");
 isc_buffer_putuint8(&namebuf, 0);
 if (savedname == NULL) {
@@ -272,27 +293,26 @@ main(int argc, char *argv[]) {
 if (domain == NULL) {
 dns_fixedname_init(&fdomain);
 domain = dns_fixedname_name(&fdomain);
- isc_buffer_init(&b, namestr, strlen(namestr));
- isc_buffer_add(&b, strlen(namestr));
- result = dns_name_fromtext(domain, &b, dns_rootname,
- ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- fatal("%s is not a valid name: %s",
- namestr, isc_result_totext(result));
+ dns_name_copy(dst_key_name(key), domain, NULL);
 }
 if (dst_key_iszonekey(key)) {
 dst_key_t *zonekey = NULL;
 result = dst_key_fromnamedfile(argv[i],
+ DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
 mctx, &zonekey);
 if (result != ISC_R_SUCCESS)
 fatal("failed to read private key %s: %s",
 argv[i], isc_result_totext(result));
- keynode = isc_mem_get(mctx, sizeof (keynode_t));
- if (keynode == NULL)
- fatal("out of memory");
- keynode->key = zonekey;
- ISC_LIST_INITANDAPPEND(keylist, keynode, link);
+ if (!zonekey_on_list(zonekey)) {
+ keynode = isc_mem_get(mctx,
+ sizeof (keynode_t));
+ if (keynode == NULL)
+ fatal("out of memory");
+ keynode->key = zonekey;
+ ISC_LIST_INITANDAPPEND(keylist, keynode, link);
+ } else
+ dst_key_free(&zonekey);
 }
 rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
 if (rdata == NULL)
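Review bot: The message at `fatal("failed to read private key %s: %s",` no longer matches the call it reports on, which now loads `DST_TYPE_PUBLIC | DST_TYPE_PRIVATE`, so a missing or unreadable .key file is presumably reported as a private-key failure; `fatal("failed to read key %s: %s",` is accurate for both files. A duplicate zone key is now dropped silently through `dst_key_free(&zonekey)`, so an operator who listed the same key twice gets no indication; a line in the verbose output would help if the tool has one (none is visible in this hunk). The `} else` arm here, and the unbraced `if` arm paired with a braced `else {` in `@@ -309,7 +329,12 @@`, would read more consistently with both arms braced, `} else {` / `dst_key_free(&zonekey);` / `}`. main() begins and continues outside the hunk.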
@@ -309,7 +329,12 @@ main(int argc, char *argv[]) {
 isc_buffer_usedregion(&b, &r);
 dns_rdata_fromregion(rdata, rdatalist.rdclass,
 dns_rdatatype_key, &r);
- ISC_LIST_APPEND(rdatalist.rdata, rdata, link);
+ if (!rdata_on_list(rdata, &rdatalist))
+ ISC_LIST_APPEND(rdatalist.rdata, rdata, link);
+ else {
+ isc_mem_put(mctx, data, BUFSIZE);
+ isc_mem_put(mctx, rdata, sizeof *rdata);
+ }
 dst_key_free(&key);
 }
@@ -368,7 +393,7 @@ main(int argc, char *argv[]) {
 }
 db = NULL;
- result = dns_db_create(mctx, "rbt", domain, dns_dbtype_zone,
+ result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
 rdataset.rdclass, 0, NULL, &db);
 if (result != ISC_R_SUCCESS) {
 char domainstr[DNS_NAME_FORMATSIZE];
diff --git a/bin/dnssec/dnssec-makekeyset.docbook b/bin/dnssec/dnssec-makekeyset.docbook
new file mode 100644
index 00000000..0522b749
--- /dev/null
+++ b/bin/dnssec/dnssec-makekeyset.docbook
@@ -0,0 +1,233 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-makekeyset.docbook,v 1.2 2001/04/10 21:50:30 bwelling Exp $ --> + +<refentry> + <refentryinfo> + <date>June 30, 2000</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>dnssec-makekeyset</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>dnssec-makekeyset</application></refname> + <refpurpose>DNSSEC zone signing tool</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>dnssec-makekeyset</command> + <arg><option>-a</option></arg> + <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> + <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> + <arg><option>-h</option></arg> + <arg><option>-p</option></arg> + <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> + <arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg> + <arg><option>-v <replaceable 
class="parameter">level</replaceable></option></arg> + <arg choice="req" rep="repeat">key</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para> + <command>dnssec-makekeyset</command> generates a key set from one + or more keys created by <command>dnssec-keygen</command>. It creates + a file containing a KEY record for each key, and self-signs the key + set with each zone key. The output file is of the form + <filename>keyset-nnnn.</filename>, where <filename>nnnn</filename> + is the zone name. + </para> + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-a</term> + <listitem> + <para> + Verify all generated signatures. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-s <replaceable class="parameter">start-time</replaceable></term> + <listitem> + <para> + Specify the date and time when the generated SIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <option>start-time</option> is specified, the current + time is used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-e <replaceable class="parameter">end-time</replaceable></term> + <listitem> + <para> + Specify the date and time when the generated SIG records + expire. As with <option>start-time</option>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time realtive to the current time is + indicated with now+N. If no <option>end-time</option> is + specified, 30 days from the start time is used as a default. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-h</term> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>dnssec-makekeyset</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-p</term> + <listitem> + <para> + Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-r <replaceable class="parameter">randomdev</replaceable></term> + <listitem> + <para> + Specifies the source of randomness. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. <filename>randomdev</filename> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-t <replaceable class="parameter">ttl</replaceable></term> + <listitem> + <para> + Specify the TTL (time to live) of the KEY and SIG records. + The default is 3600 seconds. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-v <replaceable class="parameter">level</replaceable></term> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>key</term> + <listitem> + <para> + Lists the keys included in the keyset file. These keys + are expressed in the form <filename>Knnnn.+aaa+iiiii</filename> + as generated by <command>dnssec-keygen</command>. 
+ </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>EXAMPLE</title> + <para> + The following command generates a keyset containing the DSA key for + <userinput>example.com</userinput> generated in the + <command>dnssec-keygen</command> man page. + </para> + <para> + <userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput> + </para> + <para> + In this example, <command>dnssec-makekeyset</command> creates + the file <filename>keyset-example.com.</filename>. This file + contains the specified key and a self-generated signature. + </para> + <para> + The DNS administrator for <userinput>example.com</userinput> could + send <filename>keyset-example.com.</filename> to the DNS + administrator for <userinput>.com</userinput> for signing, if the + .com zone is DNSSEC-aware and the administrators of the two zones + have some mechanism for authenticating each other and exchanging + the keys and signatures securely. + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>dnssec-keygen</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>dnssec-signkey</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>, + <citetitle>RFC 2535</citetitle>. + </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para> + <corpauthor>Internet Software Consortium</corpauthor> + </para> + </refsect1> + +</refentry> + +<!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/bin/dnssec/dnssec-makekeyset.html b/bin/dnssec/dnssec-makekeyset.html new file mode 100644 index 00000000..5e0a652d --- /dev/null +++ b/bin/dnssec/dnssec-makekeyset.html 
@@ -0,0 +1,407 @@ +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-makekeyset.html,v 1.2 2001/04/10 21:50:31 bwelling Exp $ --> + +<HTML +><HEAD +><TITLE +>dnssec-makekeyset</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.61 +"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +><SPAN +CLASS="APPLICATION" +>dnssec-makekeyset</SPAN +></A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>dnssec-makekeyset</SPAN +> -- DNSSEC zone signing tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>dnssec-makekeyset</B +> [<TT +CLASS="OPTION" +>-a</TT +>] [<TT +CLASS="OPTION" +>-s <TT +CLASS="REPLACEABLE" +><I +>start-time</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-e <TT +CLASS="REPLACEABLE" +><I +>end-time</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-h</TT +>] [<TT +CLASS="OPTION" +>-p</TT +>] [<TT +CLASS="OPTION" +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-t</TT +><TT 
+CLASS="REPLACEABLE" +><I +>ttl</I +></TT +>] [<TT +CLASS="OPTION" +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></TT +>] {key...}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN38" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" +>dnssec-makekeyset</B +> generates a key set from one + or more keys created by <B +CLASS="COMMAND" +>dnssec-keygen</B +>. It creates + a file containing a KEY record for each key, and self-signs the key + set with each zone key. The output file is of the form + <TT +CLASS="FILENAME" +>keyset-nnnn.</TT +>, where <TT +CLASS="FILENAME" +>nnnn</TT +> + is the zone name. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN45" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a</DT +><DD +><P +> Verify all generated signatures. + </P +></DD +><DT +>-s <TT +CLASS="REPLACEABLE" +><I +>start-time</I +></TT +></DT +><DD +><P +> Specify the date and time when the generated SIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <TT +CLASS="OPTION" +>start-time</TT +> is specified, the current + time is used. + </P +></DD +><DT +>-e <TT +CLASS="REPLACEABLE" +><I +>end-time</I +></TT +></DT +><DD +><P +> Specify the date and time when the generated SIG records + expire. As with <TT +CLASS="OPTION" +>start-time</TT +>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time realtive to the current time is + indicated with now+N. If no <TT +CLASS="OPTION" +>end-time</TT +> is + specified, 30 days from the start time is used as a default. 
+ </P +></DD +><DT +>-h</DT +><DD +><P +> Prints a short summary of the options and arguments to + <B +CLASS="COMMAND" +>dnssec-makekeyset</B +>. + </P +></DD +><DT +>-p</DT +><DD +><P +> Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </P +></DD +><DT +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></DT +><DD +><P +> Specifies the source of randomness. If the operating + system does not provide a <TT +CLASS="FILENAME" +>/dev/random</TT +> + or equivalent device, the default source of randomness + is keyboard input. <TT +CLASS="FILENAME" +>randomdev</TT +> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <TT +CLASS="FILENAME" +>keyboard</TT +> indicates that keyboard + input should be used. + </P +></DD +><DT +>-t <TT +CLASS="REPLACEABLE" +><I +>ttl</I +></TT +></DT +><DD +><P +> Specify the TTL (time to live) of the KEY and SIG records. + The default is 3600 seconds. + </P +></DD +><DT +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></DT +><DD +><P +> Sets the debugging level. + </P +></DD +><DT +>key</DT +><DD +><P +> Lists the keys included in the keyset file. These keys + are expressed in the form <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii</TT +> + as generated by <B +CLASS="COMMAND" +>dnssec-keygen</B +>. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN98" +></A +><H2 +>EXAMPLE</H2 +><P +> The following command generates a keyset containing the DSA key for + <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +> generated in the + <B +CLASS="COMMAND" +>dnssec-keygen</B +> man page. 
+ </P +><P +> <TT +CLASS="USERINPUT" +><B +>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B +></TT +> + </P +><P +> In this example, <B +CLASS="COMMAND" +>dnssec-makekeyset</B +> creates + the file <TT +CLASS="FILENAME" +>keyset-example.com.</TT +>. This file + contains the specified key and a self-generated signature. + </P +><P +> The DNS administrator for <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +> could + send <TT +CLASS="FILENAME" +>keyset-example.com.</TT +> to the DNS + administrator for <TT +CLASS="USERINPUT" +><B +>.com</B +></TT +> for signing, if the + .com zone is DNSSEC-aware and the administrators of the two zones + have some mechanism for authenticating each other and exchanging + the keys and signatures securely. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN112" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-keygen</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signkey</SPAN +>(8)</SPAN +>, + <I +CLASS="CITETITLE" +>BIND 9 Administrator Reference Manual</I +>, + <I +CLASS="CITETITLE" +>RFC 2535</I +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN123" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Software Consortium + </P +></DIV +></BODY +></HTML +>
\ No newline at end of file
diff --git a/bin/dnssec/dnssec-signkey.8 b/bin/dnssec/dnssec-signkey.8
new file mode 100644
index 00000000..bd3cdd3a
--- /dev/null
+++ b/bin/dnssec/dnssec-signkey.8
@@ -0,0 +1,108 @@ +.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +.\" $Id: dnssec-signkey.8,v 1.16 2001/05/30 20:30:14 bwelling Exp $ + +.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" "" +.SH NAME +dnssec-signkey \- DNSSEC key set signing tool +.SH SYNOPSIS +.sp +\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR +.SH "DESCRIPTION" +.PP +\fBdnssec-signkey\fR signs a keyset. Typically +the keyset will be for a child zone, and will have been generated +by \fBdnssec-makekeyset\fR. The child zone's keyset +is signed with the zone keys for its parent zone. The output file +is of the form \fIsignedkey-nnnn.\fR, where +\fInnnn\fR is the zone name. +.SH "OPTIONS" +.TP +\fB-a\fR +Verify all generated signatures. +.TP +\fB-c \fIclass\fB\fR +Specifies the DNS class of the key sets. +.TP +\fB-s \fIstart-time\fB\fR +Specify the date and time when the generated SIG records +become valid. This can be either an absolute or relative +time. 
An absolute start time is indicated by a number +in YYYYMMDDHHMMSS notation; 20000530144500 denotes +14:45:00 UTC on May 30th, 2000. A relative start time is +indicated by +N, which is N seconds from the current time. +If no \fBstart-time\fR is specified, the current +time is used. +.TP +\fB-e \fIend-time\fB\fR +Specify the date and time when the generated SIG records +expire. As with \fBstart-time\fR, an absolute +time is indicated in YYYYMMDDHHMMSS notation. A time relative +to the start time is indicated with +N, which is N seconds from +the start time. A time realtive to the current time is +indicated with now+N. If no \fBend-time\fR is +specified, 30 days from the start time is used as a default. +.TP +\fB-h\fR +Prints a short summary of the options and arguments to +\fBdnssec-signkey\fR. +.TP +\fB-p\fR +Use pseudo-random data when signing the zone. This is faster, +but less secure, than using real random data. This option +may be useful when signing large zones or when the entropy +source is limited. +.TP +\fB-r \fIrandomdev\fB\fR +Specifies the source of randomness. If the operating +system does not provide a \fI/dev/random\fR +or equivalent device, the default source of randomness +is keyboard input. \fIrandomdev\fR specifies +the name of a character device or file containing random +data to be used instead of the default. The special value +\fIkeyboard\fR indicates that keyboard +input should be used. +.TP +\fB-v \fIlevel\fB\fR +Sets the debugging level. +.TP +\fBkeyset\fR +The file containing the child's keyset. +.TP +\fBkey\fR +The keys used to sign the child's keyset. +.SH "EXAMPLE" +.PP +The DNS administrator for a DNSSEC-aware \fB.com\fR +zone would use the following command to sign the +\fIkeyset\fR file for \fBexample.com\fR +created by \fBdnssec-makekeyset\fR with a key generated +by \fBdnssec-keygen\fR: +.PP +\fBdnssec-signkey keyset-example.com. 
Kcom.+003+51944\fR +.PP +In this example, \fBdnssec-signkey\fR creates +the file \fIsignedkey-example.com.\fR, which +contains the \fBexample.com\fR keys and the +signatures by the \fB.com\fR keys. +.SH "SEE ALSO" +.PP +\fBdnssec-keygen\fR(8), +\fBdnssec-makekeyset\fR(8), +\fBdnssec-signzone\fR(8). +.SH "AUTHOR" +.PP +Internet Software Consortium diff --git a/bin/dnssec/dnssec-signkey.c b/bin/dnssec/dnssec-signkey.c index 53a8e692..ddf699e8 100644 --- a/bin/dnssec/dnssec-signkey.c +++ b/bin/dnssec/dnssec-signkey.c @@ -17,7 +17,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signkey.c,v 1.45.2.2 2001/03/26 19:11:55 gson Exp $ */ +/* $Id: dnssec-signkey.c,v 1.50 2001/05/10 06:04:57 bwelling Exp $ */ #include <config.h> @@ -30,6 +30,7 @@ #include <isc/util.h> #include <dns/db.h> +#include <dns/dbiterator.h> #include <dns/dnssec.h> #include <dns/fixedname.h> #include <dns/log.h> @@ -37,6 +38,7 @@ #include <dns/rdataclass.h> #include <dns/rdatalist.h> #include <dns/rdataset.h> +#include <dns/rdatasetiter.h> #include <dns/rdatastruct.h> #include <dns/result.h> #include <dns/secalg.h> @@ -161,6 +163,8 @@ main(int argc, char *argv[]) { dns_db_t *db; dns_dbnode_t *node; dns_dbversion_t *version; + dns_dbiterator_t *dbiter; + dns_rdatasetiter_t *rdsiter; dst_key_t *key = NULL; dns_rdata_t *rdata; dns_rdata_t sigrdata = DNS_RDATA_INIT; @@ -169,7 +173,6 @@ main(int argc, char *argv[]) { dns_rdata_sig_t sig; isc_result_t result; isc_buffer_t b; - isc_region_t r; isc_textregion_t tr; isc_log_t *log = NULL; keynode_t *keynode; 
@@ -257,19 +260,46 @@ main(int argc, char *argv[]) {
 if (strlen(argv[0]) < 8 || strncmp(argv[0], "keyset-", 7) != 0)
 fatal("keyset file '%s' must start with keyset-", argv[0]);
+ db = NULL;
+ result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+ rdclass, 0, NULL, &db);
+ check_result(result, "dns_db_create()");
+
+ result = dns_db_load(db, argv[0]);
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ fatal("failed to load database from '%s': %s", argv[0],
+ isc_result_totext(result));
+
 dns_fixedname_init(&fdomain);
 domain = dns_fixedname_name(&fdomain);
- isc_buffer_init(&b, argv[0] + strlen("keyset-"),
- strlen(argv[0]) - strlen("keyset-"));
- isc_buffer_add(&b, strlen(argv[0]) - strlen("keyset-"));
- result = dns_name_fromtext(domain, &b, dns_rootname, ISC_TRUE, NULL);
+
+ dbiter = NULL;
+ result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ result = dns_dbiterator_first(dbiter);
+ check_result(result, "dns_dbiterator_first()");
+ while (result == ISC_R_SUCCESS) {
+ node = NULL;
+ dns_dbiterator_current(dbiter, &node, domain);
+ rdsiter = NULL;
+ result = dns_db_allrdatasets(db, node, NULL, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ result = dns_rdatasetiter_first(rdsiter);
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (result == ISC_R_SUCCESS)
+ break;
+ dns_db_detachnode(db, &node);
+ result = dns_dbiterator_next(dbiter);
+ }
+ dns_dbiterator_destroy(&dbiter);
 if (result != ISC_R_SUCCESS)
- fatal("'%s' does not contain a valid domain name", argv[0]);
+ fatal("failed to find data in keyset file");
+
 isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
- result = dns_name_totext(domain, ISC_FALSE, &b);
- check_result(result, "dns_name_totext()");
- isc_buffer_usedregion(&b, &r);
- tdomain[r.length] = 0;
+ result = dns_name_tofilenametext(domain, ISC_FALSE, &b);
+ check_result(result, "dns_name_tofilenametext()");
+ isc_buffer_putuint8(&b, 0);
 output =
isc_mem_allocate(mctx, strlen("signedkey-") + strlen(tdomain) + 1);
@@ -278,28 +308,9 @@ main(int argc, char *argv[]) {
 strcpy(output, "signedkey-");
 strcat(output, tdomain);
- db = NULL;
- result = dns_db_create(mctx, "rbt", domain, dns_dbtype_zone,
- rdclass, 0, NULL, &db);
- check_result(result, "dns_db_create()");
-
- result = dns_db_load(db, argv[0]);
- if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
- fatal("failed to load database from '%s': %s", argv[0],
- isc_result_totext(result));
-
 version = NULL;
 dns_db_newversion(db, &version);
- node = NULL;
- result = dns_db_findnode(db, domain, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS) {
- char domainstr[DNS_NAME_FORMATSIZE];
- dns_name_format(domain, domainstr, sizeof domainstr);
- fatal("failed to find database node '%s': %s",
- domainstr, isc_result_totext(result));
- }
-
 dns_rdataset_init(&rdataset);
 dns_rdataset_init(&sigrdataset);
 result = dns_db_findrdataset(db, node, version, dns_rdatatype_key, 0,
@@ -370,7 +381,9 @@ main(int argc, char *argv[]) {
 for (i = 0; i < argc; i++) {
 key = NULL;
- result = dst_key_fromnamedfile(argv[i], DST_TYPE_PRIVATE,
+ result = dst_key_fromnamedfile(argv[i],
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
 mctx, &key);
 if (result != ISC_R_SUCCESS)
 fatal("failed to read key %s from disk: %s",
diff --git a/bin/dnssec/dnssec-signkey.docbook b/bin/dnssec/dnssec-signkey.docbook
new file mode 100644
index 00000000..cea3b62e
--- /dev/null
+++ b/bin/dnssec/dnssec-signkey.docbook
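Review bot: The zone name is now taken from the first node with data inside the keyset file rather than from the file name, but the `keyset-` prefix check just above is kept and nothing cross-checks the two, so a file named keyset-example.com. whose records belong to some other owner name is processed and written out under that other name's `signedkey-` file without any warning. dnssec-makekeyset in this same commit appears to derive its name text with the same `dns_name_tofilenametext` call, so the text in `tdomain` should match the suffix of a file it produced, and a check right after `isc_buffer_putuint8(&b, 0);` such as `if (strcmp(argv[0] + strlen("keyset-"), tdomain) != 0)` / `fatal("keyset file '%s' holds keys for %s", argv[0], tdomain);` would close the gap. The result of `dns_dbiterator_current(dbiter, &node, domain)` is dropped while every neighbouring call goes through `check_result`; if it can fail like its siblings it deserves the same treatment, in a separate variable since `result` drives the loop. When the file holds more than one owner name only the first in iteration order is used and the rest are ignored silently, which is presumably intended for a single-zone keyset but deserves a comment on the `while` loop. main() begins and continues outside the hunk.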
@@ -0,0 +1,237 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-signkey.docbook,v 1.2 2001/04/10 21:50:34 bwelling Exp $ --> + +<refentry> + <refentryinfo> + <date>June 30, 2000</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>dnssec-signkey</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>dnssec-signkey</application></refname> + <refpurpose>DNSSEC key set signing tool</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>dnssec-signkey</command> + <arg><option>-a</option></arg> + <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> + <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> + <arg><option>-h</option></arg> + <arg><option>-p</option></arg> + <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> + <arg><option>-v <replaceable 
class="parameter">level</replaceable></option></arg> + <arg choice="req">keyset</arg> + <arg choice="req" rep="repeat">key</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para> + <command>dnssec-signkey</command> signs a keyset. Typically + the keyset will be for a child zone, and will have been generated + by <command>dnssec-makekeyset</command>. The child zone's keyset + is signed with the zone keys for its parent zone. The output file + is of the form <filename>signedkey-nnnn.</filename>, where + <filename>nnnn</filename> is the zone name. + </para> + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-a</term> + <listitem> + <para> + Verify all generated signatures. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-c <replaceable class="parameter">class</replaceable></term> + <listitem> + <para> + Specifies the DNS class of the key sets. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-s <replaceable class="parameter">start-time</replaceable></term> + <listitem> + <para> + Specify the date and time when the generated SIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <option>start-time</option> is specified, the current + time is used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-e <replaceable class="parameter">end-time</replaceable></term> + <listitem> + <para> + Specify the date and time when the generated SIG records + expire. As with <option>start-time</option>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. 
A time realtive to the current time is + indicated with now+N. If no <option>end-time</option> is + specified, 30 days from the start time is used as a default. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-h</term> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>dnssec-signkey</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-p</term> + <listitem> + <para> + Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-r <replaceable class="parameter">randomdev</replaceable></term> + <listitem> + <para> + Specifies the source of randomness. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. <filename>randomdev</filename> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-v <replaceable class="parameter">level</replaceable></term> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>keyset</term> + <listitem> + <para> + The file containing the child's keyset. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>key</term> + <listitem> + <para> + The keys used to sign the child's keyset. 
+ </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>EXAMPLE</title> + <para> + The DNS administrator for a DNSSEC-aware <userinput>.com</userinput> + zone would use the following command to sign the + <filename>keyset</filename> file for <userinput>example.com</userinput> + created by <command>dnssec-makekeyset</command> with a key generated + by <command>dnssec-keygen</command>: + </para> + <para> + <userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput> + </para> + <para> + In this example, <command>dnssec-signkey</command> creates + the file <filename>signedkey-example.com.</filename>, which + contains the <userinput>example.com</userinput> keys and the + signatures by the <userinput>.com</userinput> keys. + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>dnssec-keygen</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>dnssec-makekeyset</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>dnssec-signzone</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para> + <corpauthor>Internet Software Consortium</corpauthor> + </para> + </refsect1> + +</refentry> + +<!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/bin/dnssec/dnssec-signkey.html b/bin/dnssec/dnssec-signkey.html new file mode 100644 index 00000000..6a5db403 --- /dev/null +++ b/bin/dnssec/dnssec-signkey.html 
@@ -0,0 +1,407 @@ +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-signkey.html,v 1.2 2001/04/10 21:50:35 bwelling Exp $ --> + +<HTML +><HEAD +><TITLE +>dnssec-signkey</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.61 +"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +><SPAN +CLASS="APPLICATION" +>dnssec-signkey</SPAN +></A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>dnssec-signkey</SPAN +> -- DNSSEC key set signing tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>dnssec-signkey</B +> [<TT +CLASS="OPTION" +>-a</TT +>] [<TT +CLASS="OPTION" +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-s <TT +CLASS="REPLACEABLE" +><I +>start-time</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-e <TT +CLASS="REPLACEABLE" +><I +>end-time</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-h</TT +>] [<TT +CLASS="OPTION" +>-p</TT +>] [<TT +CLASS="OPTION" +>-r <TT +CLASS="REPLACEABLE" +><I 
+>randomdev</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></TT +>] {keyset} {key...}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN39" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" +>dnssec-signkey</B +> signs a keyset. Typically + the keyset will be for a child zone, and will have been generated + by <B +CLASS="COMMAND" +>dnssec-makekeyset</B +>. The child zone's keyset + is signed with the zone keys for its parent zone. The output file + is of the form <TT +CLASS="FILENAME" +>signedkey-nnnn.</TT +>, where + <TT +CLASS="FILENAME" +>nnnn</TT +> is the zone name. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN46" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a</DT +><DD +><P +> Verify all generated signatures. + </P +></DD +><DT +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></DT +><DD +><P +> Specifies the DNS class of the key sets. + </P +></DD +><DT +>-s <TT +CLASS="REPLACEABLE" +><I +>start-time</I +></TT +></DT +><DD +><P +> Specify the date and time when the generated SIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <TT +CLASS="OPTION" +>start-time</TT +> is specified, the current + time is used. + </P +></DD +><DT +>-e <TT +CLASS="REPLACEABLE" +><I +>end-time</I +></TT +></DT +><DD +><P +> Specify the date and time when the generated SIG records + expire. As with <TT +CLASS="OPTION" +>start-time</TT +>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time realtive to the current time is + indicated with now+N. 
If no <TT +CLASS="OPTION" +>end-time</TT +> is + specified, 30 days from the start time is used as a default. + </P +></DD +><DT +>-h</DT +><DD +><P +> Prints a short summary of the options and arguments to + <B +CLASS="COMMAND" +>dnssec-signkey</B +>. + </P +></DD +><DT +>-p</DT +><DD +><P +> Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </P +></DD +><DT +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></DT +><DD +><P +> Specifies the source of randomness. If the operating + system does not provide a <TT +CLASS="FILENAME" +>/dev/random</TT +> + or equivalent device, the default source of randomness + is keyboard input. <TT +CLASS="FILENAME" +>randomdev</TT +> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <TT +CLASS="FILENAME" +>keyboard</TT +> indicates that keyboard + input should be used. + </P +></DD +><DT +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></DT +><DD +><P +> Sets the debugging level. + </P +></DD +><DT +>keyset</DT +><DD +><P +> The file containing the child's keyset. + </P +></DD +><DT +>key</DT +><DD +><P +> The keys used to sign the child's keyset. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN101" +></A +><H2 +>EXAMPLE</H2 +><P +> The DNS administrator for a DNSSEC-aware <TT +CLASS="USERINPUT" +><B +>.com</B +></TT +> + zone would use the following command to sign the + <TT +CLASS="FILENAME" +>keyset</TT +> file for <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +> + created by <B +CLASS="COMMAND" +>dnssec-makekeyset</B +> with a key generated + by <B +CLASS="COMMAND" +>dnssec-keygen</B +>: + </P +><P +> <TT +CLASS="USERINPUT" +><B +>dnssec-signkey keyset-example.com. 
Kcom.+003+51944</B +></TT +> + </P +><P +> In this example, <B +CLASS="COMMAND" +>dnssec-signkey</B +> creates + the file <TT +CLASS="FILENAME" +>signedkey-example.com.</TT +>, which + contains the <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +> keys and the + signatures by the <TT +CLASS="USERINPUT" +><B +>.com</B +></TT +> keys. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN116" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-keygen</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-makekeyset</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signzone</SPAN +>(8)</SPAN +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN128" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Software Consortium + </P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8 new file mode 100644 index 00000000..f0b34582 --- /dev/null +++ b/bin/dnssec/dnssec-signzone.8 
@@ -0,0 +1,155 @@ +.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +.\" $Id: dnssec-signzone.8,v 1.21 2001/05/30 20:30:16 bwelling Exp $ + +.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" "" +.SH NAME +dnssec-signzone \- DNSSEC zone signing tool +.SH SYNOPSIS +.sp +\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-h\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ] +.SH "DESCRIPTION" +.PP +\fBdnssec-signzone\fR signs a zone. It generates NXT +and SIG records and produces a signed version of the zone. If there +is a \fIsignedkey\fR file from the zone's parent, +the parent's signatures will be incorporated into the generated +signed zone file. The security status of delegations from the the +signed zone (that is, whether the child zones are secure or not) is +determined by the presence or absence of a +\fIsignedkey\fR file for each child zone. 
+.SH "OPTIONS" +.TP +\fB-a\fR +Verify all generated signatures. +.TP +\fB-c \fIclass\fB\fR +Specifies the DNS class of the zone. +.TP +\fB-d \fIdirectory\fB\fR +Look for \fIsignedkey\fR files in +\fBdirectory\fR as the directory +.TP +\fB-s \fIstart-time\fB\fR +Specify the date and time when the generated SIG records +become valid. This can be either an absolute or relative +time. An absolute start time is indicated by a number +in YYYYMMDDHHMMSS notation; 20000530144500 denotes +14:45:00 UTC on May 30th, 2000. A relative start time is +indicated by +N, which is N seconds from the current time. +If no \fBstart-time\fR is specified, the current +time is used. +.TP +\fB-e \fIend-time\fB\fR +Specify the date and time when the generated SIG records +expire. As with \fBstart-time\fR, an absolute +time is indicated in YYYYMMDDHHMMSS notation. A time relative +to the start time is indicated with +N, which is N seconds from +the start time. A time realtive to the current time is +indicated with now+N. If no \fBend-time\fR is +specified, 30 days from the start time is used as a default. +.TP +\fB-f \fIoutput-file\fB\fR +The name of the output file containing the signed zone. The +default is to append \fI.signed\fR to the +input file. +.TP +\fB-h\fR +Prints a short summary of the options and arguments to +\fBdnssec-signzone\fR. +.TP +\fB-i \fIinterval\fB\fR +When a previously signed zone is passed as input, records +may be resigned. The \fBinterval\fR option +specifies the cycle interval as an offset from the current +time (in seconds). If a SIG record expires after the +cycle interval, it is retained. Otherwise, it is considered +to be expiring soon, and it will be replaced. + +The default cycle interval is one quarter of the difference +between the signature end and start times. So if neither +\fBend-time\fR or \fBstart-time\fR +are specified, \fBdnssec-signzone\fR generates +signatures that are valid for 30 days, with a cycle +interval of 7.5 days. 
Therefore, if any existing SIG records +are due to expire in less than 7.5 days, they would be +replaced. +.TP +\fB-n \fIncpus\fB\fR +Specifies the number of threads to use. By default, one +thread is started for each detected CPU. +.TP +\fB-o \fIorigin\fB\fR +The zone origin. If not specified, the name of the zone file +is assumed to be the origin. +.TP +\fB-p\fR +Use pseudo-random data when signing the zone. This is faster, +but less secure, than using real random data. This option +may be useful when signing large zones or when the entropy +source is limited. +.TP +\fB-r \fIrandomdev\fB\fR +Specifies the source of randomness. If the operating +system does not provide a \fI/dev/random\fR +or equivalent device, the default source of randomness +is keyboard input. \fIrandomdev\fR specifies +the name of a character device or file containing random +data to be used instead of the default. The special value +\fIkeyboard\fR indicates that keyboard +input should be used. +.TP +\fB-t\fR +Print statistics at completion. +.TP +\fB-v \fIlevel\fB\fR +Sets the debugging level. +.TP +\fBzonefile\fR +The file containing the zone to be signed. +Sets the debugging level. +.TP +\fBkey\fR +The keys used to sign the zone. If no keys are specified, the +default all zone keys that have private key files in the +current directory. +.SH "EXAMPLE" +.PP +The following command signs the \fBexample.com\fR +zone with the DSA key generated in the \fBdnssec-keygen\fR +man page. The zone's keys must be in the zone. If there are +\fIsignedkey\fR files associated with this zone +or any child zones, they must be in the current directory. +\fBexample.com\fR, the following command would be +issued: +.PP +\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR +.PP +The command would print a string of the form: +.PP +In this example, \fBdnssec-signzone\fR creates +the file \fIdb.example.com.signed\fR. This file +should be referenced in a zone statement in a +\fInamed.conf\fR file. 
+.SH "SEE ALSO" +.PP +\fBdnssec-keygen\fR(8), +\fBdnssec-signkey\fR(8), +\fIBIND 9 Administrator Reference Manual\fR, +\fIRFC 2535\fR. +.SH "AUTHOR" +.PP +Internet Software Consortium diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 453b17bd..6cbab6c2 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -17,7 +17,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.126.2.4 2001/04/09 20:50:37 gson Exp $ */ +/* $Id: dnssec-signzone.c,v 1.138 2001/05/10 06:04:58 bwelling Exp $ */ #include <config.h> @@ -28,6 +28,7 @@ #include <isc/commandline.h> #include <isc/entropy.h> #include <isc/event.h> +#include <isc/file.h> #include <isc/mem.h> #include <isc/mutex.h> #include <isc/os.h> @@ -42,7 +43,6 @@ #include <dns/diff.h> #include <dns/dnssec.h> #include <dns/fixedname.h> -#include <dns/journal.h> #include <dns/keyvalues.h> #include <dns/log.h> #include <dns/master.h> @@ -99,6 +99,7 @@ static isc_mem_t *mctx = NULL; static isc_entropy_t *ectx = NULL; static dns_ttl_t zonettl; static FILE *fp; +static char *tempfile = NULL; static const dns_master_style_t *masterstyle = &dns_master_style_explicitttl; static unsigned int nsigned = 0, nretained = 0, ndropped = 0; static unsigned int nverified = 0, nverifyfailed = 0; @@ -116,6 +117,7 @@ static unsigned int ntasks = 0; static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE; static unsigned int assigned = 0, completed = 0; static isc_boolean_t nokeys = ISC_FALSE; +static isc_boolean_t removefile = ISC_FALSE; #define INCSTAT(counter) \ if (printstats) { \ @@ -221,7 +223,8 @@ keythatsigned(dns_rdata_sig_t *sig) { return (NULL); result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm, - DST_TYPE_PRIVATE, NULL, mctx, &privkey); + DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, + NULL, mctx, &privkey); if (result == ISC_R_SUCCESS) { dst_key_free(&pubkey); key = newkeystruct(privkey, ISC_FALSE); 
@@ -505,7 +508,6 @@ static void opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, dns_db_t **dbp) { - dns_fixedname_t fname; char filename[256]; isc_buffer_t b; isc_result_t result; @@ -517,10 +519,8 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, isc_buffer_putstr(&b, "/"); } isc_buffer_putstr(&b, prefix); - dns_fixedname_init(&fname); - (void)dns_name_downcase(name, dns_fixedname_name(&fname), NULL); - result = dns_name_totext(dns_fixedname_name(&fname), ISC_FALSE, &b); - check_result(result, "dns_name_totext()"); + result = dns_name_tofilenametext(name, ISC_FALSE, &b); + check_result(result, "dns_name_tofilenametext()"); if (isc_buffer_availablelength(&b) == 0) { char namestr[DNS_NAME_FORMATSIZE]; dns_name_format(name, namestr, sizeof namestr); @@ -528,7 +528,7 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, } isc_buffer_putuint8(&b, 0); - result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, + result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, rdclass, 0, NULL, dbp); check_result(result, "dns_db_create()"); @@ -1338,7 +1338,7 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) { check_result(result, "dns_db_create()"); result = dns_db_load(*db, file); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) fatal("failed loading zone from '%s': %s", file, isc_result_totext(result)); } @@ -1489,6 +1489,12 @@ usage(void) { exit(0); } +static void +removetempfile(void) { + if (removefile) + isc_file_remove(tempfile); +} + int main(int argc, char *argv[]) { int i, ch; @@ -1503,12 +1509,11 @@ main(int argc, char *argv[]) { isc_boolean_t pseudorandom = ISC_FALSE; unsigned int eflags; isc_boolean_t free_output = ISC_FALSE; + int tempfilelen; dns_rdataclass_t rdclass; isc_textregion_t r; isc_task_t **tasks = NULL; - - check_result(isc_app_start(), "isc_app_start"); result = isc_mem_create(0, 0, &mctx); 
@@ -1674,6 +1679,7 @@ main(int argc, char *argv[]) { dst_key_t *newkey = NULL; result = dst_key_fromnamedfile(argv[i], + DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, mctx, &newkey); if (result != ISC_R_SUCCESS) @@ -1716,11 +1722,22 @@ main(int argc, char *argv[]) { result = dns_db_newversion(gdb, &gversion); check_result(result, "dns_db_newversion()"); + tempfilelen = strlen(output) + 20; + tempfile = isc_mem_get(mctx, tempfilelen); + if (tempfile == NULL) + fatal("out of memory"); + + result = isc_file_mktemplate(output, tempfile, tempfilelen); + check_result(result, "isc_file_mktemplate"); + fp = NULL; - result = isc_stdio_open(output, "w", &fp); + result = isc_file_openunique(tempfile, &fp); if (result != ISC_R_SUCCESS) - fatal("failed to open output file %s: %s", output, + fatal("failed to open temporary output file: %s", isc_result_totext(result)); + removefile = ISC_TRUE; + setfatalcallback(&removetempfile); + print_time(fp); print_version(fp); @@ -1766,6 +1783,12 @@ main(int argc, char *argv[]) { result = isc_stdio_close(fp); check_result(result, "isc_stdio_close"); + removefile = ISC_FALSE; + + result = isc_file_rename(tempfile, output); + if (result != ISC_R_SUCCESS) + fatal("failed to rename temp file to %s: %s\n", + output, isc_result_totext(result)); DESTROYLOCK(&namelock); if (printstats) @@ -1784,6 +1807,8 @@ main(int argc, char *argv[]) { isc_mem_put(mctx, key, sizeof(signer_key_t)); } + isc_mem_put(mctx, tempfile, tempfilelen); + if (free_output) isc_mem_free(mctx, output); diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook new file mode 100644 index 00000000..14e0fa2e --- /dev/null +++ b/bin/dnssec/dnssec-signzone.docbook 
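Review bot: In the `@@ -1766` hunk `removefile = ISC_FALSE` is cleared before `isc_file_rename(tempfile, output)`, so a failed rename leaves the temporary file on disk while the fatal() message names only `output`, leaving the operator no way to locate the signed data. Either clear the flag only after a successful rename so removetempfile() cleans up, or name the file: `fatal("failed to rename temp file %s to %s: %s", tempfile, output, isc_result_totext(result));` (the trailing `\n` is also absent from the other fatal() calls in this file). A consequence of replacing isc_stdio_open(output, "w") with isc_file_openunique() in the `@@ -1716` hunk that the commit does not address is file mode: the temporary is presumably created with the restrictive mode of mkstemp() rather than one derived from the umask, and the rename carries that mode onto the signed zone file, so a named process running as a different user may no longer be able to read it; setting the umask-derived mode on the temporary before the rename would restore the previous behaviour. main() continues outside these hunks.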
@@ -0,0 +1,325 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-signzone.docbook,v 1.2 2001/04/10 21:50:37 bwelling Exp $ --> + +<refentry> + <refentryinfo> + <date>June 30, 2000</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>dnssec-signzone</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>dnssec-signzone</application></refname> + <refpurpose>DNSSEC zone signing tool</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>dnssec-signzone</command> + <arg><option>-a</option></arg> + <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg> + <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> + <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> + <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg> + <arg><option>-h</option></arg> + <arg><option>-i 
<replaceable class="parameter">interval</replaceable></option></arg> + <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg> + <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg> + <arg><option>-p</option></arg> + <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> + <arg><option>-t</option></arg> + <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> + <arg choice="req">zonefile</arg> + <arg rep="repeat">key</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para> + <command>dnssec-signzone</command> signs a zone. It generates NXT + and SIG records and produces a signed version of the zone. If there + is a <filename>signedkey</filename> file from the zone's parent, + the parent's signatures will be incorporated into the generated + signed zone file. The security status of delegations from the the + signed zone (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + <filename>signedkey</filename> file for each child zone. + </para> + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-a</term> + <listitem> + <para> + Verify all generated signatures. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-c <replaceable class="parameter">class</replaceable></term> + <listitem> + <para> + Specifies the DNS class of the zone. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-d <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para> + Look for <filename>signedkey</filename> files in + <option>directory</option> as the directory + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-s <replaceable class="parameter">start-time</replaceable></term> + <listitem> + <para> + Specify the date and time when the generated SIG records + become valid. 
This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <option>start-time</option> is specified, the current + time is used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-e <replaceable class="parameter">end-time</replaceable></term> + <listitem> + <para> + Specify the date and time when the generated SIG records + expire. As with <option>start-time</option>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time realtive to the current time is + indicated with now+N. If no <option>end-time</option> is + specified, 30 days from the start time is used as a default. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-f <replaceable class="parameter">output-file</replaceable></term> + <listitem> + <para> + The name of the output file containing the signed zone. The + default is to append <filename>.signed</filename> to the + input file. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-h</term> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>dnssec-signzone</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-i <replaceable class="parameter">interval</replaceable></term> + <listitem> + <para> + When a previously signed zone is passed as input, records + may be resigned. The <option>interval</option> option + specifies the cycle interval as an offset from the current + time (in seconds). If a SIG record expires after the + cycle interval, it is retained. Otherwise, it is considered + to be expiring soon, and it will be replaced. 
+ </para> + <para> + The default cycle interval is one quarter of the difference + between the signature end and start times. So if neither + <option>end-time</option> or <option>start-time</option> + are specified, <command>dnssec-signzone</command> generates + signatures that are valid for 30 days, with a cycle + interval of 7.5 days. Therefore, if any existing SIG records + are due to expire in less than 7.5 days, they would be + replaced. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-n <replaceable class="parameter">ncpus</replaceable></term> + <listitem> + <para> + Specifies the number of threads to use. By default, one + thread is started for each detected CPU. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-o <replaceable class="parameter">origin</replaceable></term> + <listitem> + <para> + The zone origin. If not specified, the name of the zone file + is assumed to be the origin. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-p</term> + <listitem> + <para> + Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-r <replaceable class="parameter">randomdev</replaceable></term> + <listitem> + <para> + Specifies the source of randomness. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. <filename>randomdev</filename> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-t</term> + <listitem> + <para> + Print statistics at completion. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-v <replaceable class="parameter">level</replaceable></term> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>zonefile</term> + <listitem> + <para> + The file containing the zone to be signed. + Sets the debugging level. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>key</term> + <listitem> + <para> + The keys used to sign the zone. If no keys are specified, the + default all zone keys that have private key files in the + current directory. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>EXAMPLE</title> + <para> + The following command signs the <userinput>example.com</userinput> + zone with the DSA key generated in the <command>dnssec-keygen</command> + man page. The zone's keys must be in the zone. If there are + <filename>signedkey</filename> files associated with this zone + or any child zones, they must be in the current directory. + <userinput>example.com</userinput>, the following command would be + issued: + </para> + <para> + <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput> + </para> + <para> + The command would print a string of the form: + </para> + <para> + In this example, <command>dnssec-signzone</command> creates + the file <filename>db.example.com.signed</filename>. This file + should be referenced in a zone statement in a + <filename>named.conf</filename> file. + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>dnssec-keygen</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>dnssec-signkey</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>, + <citetitle>RFC 2535</citetitle>. 
+ </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para> + <corpauthor>Internet Software Consortium</corpauthor> + </para> + </refsect1> + +</refentry> + +<!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html new file mode 100644 index 00000000..eeb74ebd --- /dev/null +++ b/bin/dnssec/dnssec-signzone.html 
@@ -0,0 +1,556 @@ +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-signzone.html,v 1.2 2001/04/10 21:50:38 bwelling Exp $ --> + +<HTML +><HEAD +><TITLE +>dnssec-signzone</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.61 +"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +><SPAN +CLASS="APPLICATION" +>dnssec-signzone</SPAN +></A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>dnssec-signzone</SPAN +> -- DNSSEC zone signing tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>dnssec-signzone</B +> [<TT +CLASS="OPTION" +>-a</TT +>] [<TT +CLASS="OPTION" +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-d <TT +CLASS="REPLACEABLE" +><I +>directory</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-s <TT +CLASS="REPLACEABLE" +><I +>start-time</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-e <TT +CLASS="REPLACEABLE" +><I +>end-time</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-f <TT 
+CLASS="REPLACEABLE" +><I +>output-file</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-h</TT +>] [<TT +CLASS="OPTION" +>-i <TT +CLASS="REPLACEABLE" +><I +>interval</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-n <TT +CLASS="REPLACEABLE" +><I +>nthreads</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-o <TT +CLASS="REPLACEABLE" +><I +>origin</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-p</TT +>] [<TT +CLASS="OPTION" +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-t</TT +>] [<TT +CLASS="OPTION" +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></TT +>] {zonefile} [key...]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN56" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" +>dnssec-signzone</B +> signs a zone. It generates NXT + and SIG records and produces a signed version of the zone. If there + is a <TT +CLASS="FILENAME" +>signedkey</TT +> file from the zone's parent, + the parent's signatures will be incorporated into the generated + signed zone file. The security status of delegations from the the + signed zone (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + <TT +CLASS="FILENAME" +>signedkey</TT +> file for each child zone. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN62" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a</DT +><DD +><P +> Verify all generated signatures. + </P +></DD +><DT +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></DT +><DD +><P +> Specifies the DNS class of the zone. + </P +></DD +><DT +>-d <TT +CLASS="REPLACEABLE" +><I +>directory</I +></TT +></DT +><DD +><P +> Look for <TT +CLASS="FILENAME" +>signedkey</TT +> files in + <TT +CLASS="OPTION" +>directory</TT +> as the directory + </P +></DD +><DT +>-s <TT +CLASS="REPLACEABLE" +><I +>start-time</I +></TT +></DT +><DD +><P +> Specify the date and time when the generated SIG records + become valid. 
This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <TT +CLASS="OPTION" +>start-time</TT +> is specified, the current + time is used. + </P +></DD +><DT +>-e <TT +CLASS="REPLACEABLE" +><I +>end-time</I +></TT +></DT +><DD +><P +> Specify the date and time when the generated SIG records + expire. As with <TT +CLASS="OPTION" +>start-time</TT +>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time realtive to the current time is + indicated with now+N. If no <TT +CLASS="OPTION" +>end-time</TT +> is + specified, 30 days from the start time is used as a default. + </P +></DD +><DT +>-f <TT +CLASS="REPLACEABLE" +><I +>output-file</I +></TT +></DT +><DD +><P +> The name of the output file containing the signed zone. The + default is to append <TT +CLASS="FILENAME" +>.signed</TT +> to the + input file. + </P +></DD +><DT +>-h</DT +><DD +><P +> Prints a short summary of the options and arguments to + <B +CLASS="COMMAND" +>dnssec-signzone</B +>. + </P +></DD +><DT +>-i <TT +CLASS="REPLACEABLE" +><I +>interval</I +></TT +></DT +><DD +><P +> When a previously signed zone is passed as input, records + may be resigned. The <TT +CLASS="OPTION" +>interval</TT +> option + specifies the cycle interval as an offset from the current + time (in seconds). If a SIG record expires after the + cycle interval, it is retained. Otherwise, it is considered + to be expiring soon, and it will be replaced. + </P +><P +> The default cycle interval is one quarter of the difference + between the signature end and start times. 
So if neither + <TT +CLASS="OPTION" +>end-time</TT +> or <TT +CLASS="OPTION" +>start-time</TT +> + are specified, <B +CLASS="COMMAND" +>dnssec-signzone</B +> generates + signatures that are valid for 30 days, with a cycle + interval of 7.5 days. Therefore, if any existing SIG records + are due to expire in less than 7.5 days, they would be + replaced. + </P +></DD +><DT +>-n <TT +CLASS="REPLACEABLE" +><I +>ncpus</I +></TT +></DT +><DD +><P +> Specifies the number of threads to use. By default, one + thread is started for each detected CPU. + </P +></DD +><DT +>-o <TT +CLASS="REPLACEABLE" +><I +>origin</I +></TT +></DT +><DD +><P +> The zone origin. If not specified, the name of the zone file + is assumed to be the origin. + </P +></DD +><DT +>-p</DT +><DD +><P +> Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </P +></DD +><DT +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></DT +><DD +><P +> Specifies the source of randomness. If the operating + system does not provide a <TT +CLASS="FILENAME" +>/dev/random</TT +> + or equivalent device, the default source of randomness + is keyboard input. <TT +CLASS="FILENAME" +>randomdev</TT +> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <TT +CLASS="FILENAME" +>keyboard</TT +> indicates that keyboard + input should be used. + </P +></DD +><DT +>-t</DT +><DD +><P +> Print statistics at completion. + </P +></DD +><DT +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></DT +><DD +><P +> Sets the debugging level. + </P +></DD +><DT +>zonefile</DT +><DD +><P +> The file containing the zone to be signed. + Sets the debugging level. + </P +></DD +><DT +>key</DT +><DD +><P +> The keys used to sign the zone. 
If no keys are specified, the + default all zone keys that have private key files in the + current directory. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN154" +></A +><H2 +>EXAMPLE</H2 +><P +> The following command signs the <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +> + zone with the DSA key generated in the <B +CLASS="COMMAND" +>dnssec-keygen</B +> + man page. The zone's keys must be in the zone. If there are + <TT +CLASS="FILENAME" +>signedkey</TT +> files associated with this zone + or any child zones, they must be in the current directory. + <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +>, the following command would be + issued: + </P +><P +> <TT +CLASS="USERINPUT" +><B +>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</B +></TT +> + </P +><P +> The command would print a string of the form: + </P +><P +> In this example, <B +CLASS="COMMAND" +>dnssec-signzone</B +> creates + the file <TT +CLASS="FILENAME" +>db.example.com.signed</TT +>. This file + should be referenced in a zone statement in a + <TT +CLASS="FILENAME" +>named.conf</TT +> file. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN168" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-keygen</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signkey</SPAN +>(8)</SPAN +>, + <I +CLASS="CITETITLE" +>BIND 9 Administrator Reference Manual</I +>, + <I +CLASS="CITETITLE" +>RFC 2535</I +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN179" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Software Consortium + </P +></DIV +></BODY +></HTML +>
\ No newline at end of file
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index f4669fb7..e86fbce7 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssectool.c,v 1.26.2.2 2001/06/08 23:27:29 bwelling Exp $ */
+/* $Id: dnssectool.c,v 1.28 2001/03/31 02:12:24 bwelling Exp $ */
 #include <config.h>
@@ -45,6 +45,7 @@ extern const char *program;
 static isc_entropysource_t *source = NULL;
 static isc_keyboard_t kbd;
 static isc_boolean_t wantkeyboard = ISC_FALSE;
+static fatalcallback_t *fatalcallback = NULL;
 void
 fatal(const char *format, ...) {
@@ -55,10 +56,17 @@ fatal(const char *format, ...) {
 vfprintf(stderr, format, args);
 va_end(args);
 fprintf(stderr, "\n");
+ if (fatalcallback != NULL)
+ (*fatalcallback)();
 exit(1);
 }
 void
+setfatalcallback(fatalcallback_t *callback) {
+ fatalcallback = callback;
+}
+
+void
 check_result(isc_result_t result, const char *message) {
 if (result != ISC_R_SUCCESS) {
 fprintf(stderr, "%s: %s: %s\n", program, message,
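Review bot: `fatal()` invokes `(*fatalcallback)()` while the pointer is still registered, so a callback that itself ends up calling `fatal()` re-enters the hook instead of reaching `exit(1)`. Making the hook one-shot avoids that: `fatalcallback_t *cb = fatalcallback; fatalcallback = NULL; if (cb != NULL) (*cb)();`. The new `setfatalcallback()` would also benefit from a comment stating that the hook runs after the message is printed and before `exit(1)`, and that passing NULL unregisters it. The start of `fatal()`'s body lies outside the hunk.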
@@ -267,26 +275,23 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 result = isc_entropy_create(mctx, ectx);
 if (result != ISC_R_SUCCESS)
 fatal("could not create entropy object");
-
-#ifdef PATH_RANDOMDEV
- if (randomfile == NULL) {
- result = isc_entropy_createfilesource(*ectx, PATH_RANDOMDEV);
- if (result == ISC_R_SUCCESS)
- return;
- }
-#endif
-
- if (randomfile != NULL && strcasecmp(randomfile, "keyboard") == 0) {
- wantkeyboard = ISC_TRUE;
- randomfile = NULL;
- }
-
- if (randomfile != NULL) {
+ if (randomfile != NULL && strcasecmp(randomfile, "keyboard") != 0) {
 result = isc_entropy_createfilesource(*ectx, randomfile);
 if (result != ISC_R_SUCCESS)
 fatal("could not open randomdev %s: %s", randomfile, isc_result_totext(result));
- } else {
+ }
+ else {
+#ifdef PATH_RANDOMDEV
+ if (randomfile == NULL) {
+ result = isc_entropy_createfilesource(*ectx,
+ PATH_RANDOMDEV);
+ if (result == ISC_R_SUCCESS)
+ return;
+ }
+ else
+#endif
+ wantkeyboard = ISC_TRUE;
 result = isc_entropy_createcallbacksource(*ectx, kbdstart, kbdget, kbdstop, &kbd, &source);
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 21f6491c..76883e0d 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssectool.h,v 1.12.4.1 2001/01/09 22:31:36 bwelling Exp $ */
+/* $Id: dnssectool.h,v 1.14 2001/03/31 02:12:26 bwelling Exp $ */
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
@@ -25,10 +25,15 @@
 #include <dns/rdatastruct.h>
 #include <dst/dst.h>
+typedef void (fatalcallback_t)(void);
+
 void
 fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 void
+setfatalcallback(fatalcallback_t *callback);
+
+void
 check_result(isc_result_t result, const char *message);
 void
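Review bot: In the new `else` branch a failure to open `PATH_RANDOMDEV` is silently discarded: `result` is overwritten by the `isc_entropy_createcallbacksource()` call and the tool drops to the keyboard callback source with `wantkeyboard` left `ISC_FALSE`, whereas the explicit `-r` path a few lines above reports its open error through `fatal()`. Since this choice decides the entropy source behind the signing operation, a diagnostic before the fallthrough, e.g. `fprintf(stderr, "%s: could not open %s, using keyboard input\n", program, PATH_RANDOMDEV);`, would make the downgrade visible to the operator. The bare `else` that reaches across the `#ifdef`/`#endif` pair to bind `wantkeyboard = ISC_TRUE;` is also fragile to later edits; bracing it keeps the binding obvious under either configuration. The remainder of `setup_entropy()` continues past the hunk.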
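Review bot: The new `fatalcallback_t` typedef and `setfatalcallback()` prototype carry no comment describing the hook's contract. Given how `fatal()` in dnssectool.c uses it in this same commit, a comment above the prototype such as `/* Register a hook that fatal() runs after printing its message and before exit(1). The hook must not call fatal() itself; pass NULL to unregister. */` would tell callers what they may safely do from it.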