--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/08/11 18:19:55 each Exp $
+
+rm -f dig.out.*
+rm -f ns2/named.conf
+rm -f */named.memstats
+rm -f ns2/*.nzf
+rm -f ns2/core*
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: added.db,v 1.2.2.2 2010/08/11 18:19:56 each Exp $
+
+$ORIGIN added.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
--- /dev/null
+zone previous.example { type master; file "previous.db"; };
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named1.conf,v 1.2.2.2 2010/08/11 18:19:56 each Exp $ */
+
+controls { /* empty */ };
+
+options {
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ allow-query { any; };
+ recursion no;
+ allow-new-zones yes;
+};
+
+include "../../common/controls.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type master;
+ file "normal.db";
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named2.conf,v 1.2.2.2 2010/08/11 18:19:56 each Exp $ */
+
+controls { /* empty */ };
+
+include "../../common/controls.conf";
+
+options {
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+view internal {
+ match-clients { 10.53.0.2; };
+ allow-new-zones no;
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
+
+view external {
+ match-clients { any; };
+ allow-new-zones yes;
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: normal.db,v 1.2.2.2 2010/08/11 18:19:56 each Exp $
+
+$ORIGIN normal.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: previous.db,v 1.2.2.2 2010/08/11 18:19:57 each Exp $
+
+$ORIGIN previous.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.3 2010/08/12 01:32:46 marka Exp $
+
+cp -f ns2/named1.conf ns2/named.conf
+cp -f ns2/default.nzf.in ns2/3bf305731dd26307.nzf
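Review bot: The destination name `3bf305731dd26307.nzf` on the last line is a magic value with nothing saying where it comes from, so whoever later renames the view or touches the naming scheme in named will not know why ns2 stops seeing its pre-existing zone. Add a comment above the cp, along the lines of `# <hash>.nzf: the new-zone file name ns2 expects for its default view; must match what named computes (see the addzone implementation)`. I believe the name is derived from the view name, but confirm that before stating it as fact.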
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/08/11 18:19:55 each Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p 5300"
+status=0
+n=0
+
+echo "I:checking normally loaded zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking previously added zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:adding new zone ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 addzone 'added.example { type master; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:deleting previously added zone ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 delzone previous.example 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.previous.example' dig.out.ns2.$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:deleting newly added zone ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 delzone added.example 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:attempt to delete a normally-loaded zone (should fail) ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 delzone normal.example 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:reconfiguring server with multiple views"
+rm -f ns2/named.conf
+cp -f ns2/named2.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig 2>&1 | sed 's/^/I:ns2 /'
+sleep 5
+
+echo "I:adding new zone to external view ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 addzone 'added.example in external { type master; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
+$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.int.$n > /dev/null || ret=1
+grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:deleting newly added zone ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:attempting to add zone to internal view (should fail) ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 addzone 'added.example in internal { type master; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
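Review bot: Every `$RNDC ... 2>&1 | sed 's/^/I:ns2 /'` line discards rndc's exit status, because the pipeline's status is sed's; a failing addzone/delzone is only caught indirectly by the following dig, and the two steps labelled "should fail" never verify that rndc actually rejected the request. Capture the status before prefixing, e.g. `$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 addzone '...' > rndc.out.$n 2>&1 || ret=1` followed by `sed 's/^/I:ns2 /' rndc.out.$n`, and use `&& ret=1` on the two should-fail steps; clean.sh in this commit would then also need `rm -f rndc.out.*`. The three dig invocations after the delzone steps also lost the `|| ret=1` that every other dig in the file carries — harmless here because the following grep catches empty output, but it reads as an oversight. The bare `sleep 5` after reconfig is a timing assumption; polling `rndc status` or named.run until the reconfig is done would make that step deterministic.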
--- /dev/null
+; This is a key-signing key, keyid 30676, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQAB
+PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
+Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
--- /dev/null
+; This is a key-signing key, keyid 30804, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQCB
+PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
+Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: cleanpkcs11.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
+
+../../pkcs11/pkcs11-destroy -s 0 -p 1234
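Review bot: `-s 0 -p 1234` on the last line are unexplained magic values, and the script exits 1 when pkcs11-destroy is not built, which makes a missing optional tool look like a cleanup failure. Add a comment such as `# slot 0 / PIN 1234: the test token used by this suite; must match the token's initialisation` (confirm against whatever setup creates the token). If the script is meant to be a no-op without PKCS#11 support, `exit 0` would be the clearer status; if callers rely on the non-zero status, say so in a comment.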
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/08/16 05:14:14 marka Exp $
+
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.run
--- /dev/null
+Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: DNAME=10=example.net.=,v 1.2.2.2 2010/08/16 05:14:14 marka Exp $
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "DNAME 10 example.net.".
--- /dev/null
+Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: NS=10=example.com.=,v 1.1.2.2 2010/08/16 05:14:14 marka Exp $
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "NS 10 example.com.".
--- /dev/null
+Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=,v 1.1.2.2 2010/08/16 05:14:15 marka Exp $
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 0 0 0 10".
--- /dev/null
+Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: 10.53.0.1,v 1.2.2.2 2010/08/16 05:14:15 marka Exp $
+
+The contents of this file are not read by the filesystem driver.
+The presence of this file allows 10.53.0.1 to transfer this zone.
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/08/16 05:14:14 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+dlz "file system zone" {
+ database "filesystem dns-root/ dns.d xfr.d 0 =";
+};
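Review bot: The `database "filesystem dns-root/ dns.d xfr.d 0 ="` string is a positional argument list for the DLZ filesystem driver and none of its fields is explained. A comment naming them would help the next person editing the fixture, e.g. `/* filesystem <base dir> <data subdir> <xfr subdir> <split> <separator> */`. The `=` separator and the `xfr.d` subdirectory are consistent with the `DNAME=10=example.net.=` fixtures and the `10.53.0.1` file ("allows 10.53.0.1 to transfer this zone") added in this commit; confirm the meaning of the `0` field against the driver's documentation before documenting it.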
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/08/16 05:14:14 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+# Check the example.com. domain
+
+echo "I:checking DNAME at apex works ($n)"
+ret=0
+$DIG $DIGOPTS +norec foo.example.com. \
+ @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "example.com..*DNAME.*example.net." dig.out.ns1.test$n > /dev/null || ret=1
+grep "foo.example.com..*CNAME.*foo.example.net." dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: badparam.db.in,v 1.2.2.2 2010/08/13 07:00:40 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2010081000 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.1 2010/06/03 06:31:42 marka Exp $
+$TTL 60
+example. 60 IN SOA example. . 0 0 0 0 0
+example. 60 IN NS example.
+example. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.2.2 2010/06/22 04:02:40 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =
+ISCLIBS = .
+
+DNSDEPLIBS =
+ISCDEPLIBS =
+
+DEPLIBS =
+
+LIBS = @LIBS@
+
+TARGETS = filter-aaaa@EXEEXT@
+
+FILTEROBJS = filter-aaaa.@O@
+
+SRCS = filter-aaaa.c
+
+@BIND9_MAKE_RULES@
+
+all: filter-aaaa@EXEEXT@
+
+filter-aaaa@EXEEXT@: ${FILTEROBJS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${FILTEROBJS} ${LIBS}
+
+clean distclean::
+ rm -f ${TARGETS}
+
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/22 04:02:40 marka Exp $
+
+rm -f ns1/K*
+rm -f ns1/*.signed
+rm -f ns1/signer.err
+rm -f ns1/dsset-*
+rm -f ns1/named.run
+rm -f ns1/named.memstats
+
+rm -f ns2/named.run
+rm -f ns2/named.memstats
+
+rm -f ns3/named.run
+rm -f ns3/named.memstats
+
+rm -f ns4/K*
+rm -f ns4/*.signed
+rm -f ns4/signer.err
+rm -f ns4/dsset-*
+rm -f ns4/named.run
+rm -f ns4/named.memstats
+
+rm -f random.data
+rm -f dig.out.*
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad1.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 yes;
+ filter-aaaa { none; };
+};
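Review bot: Unlike bad2.conf, bad1.conf carries no comment saying which contradiction it is meant to trigger, and the same is true of bad3.conf and bad4.conf; a reader has to reverse-engineer each from the option pair. Add a one-line comment inside `options` stating the intended failure, e.g. for bad1 `/* filter-aaaa-on-v4 is enabled but the filter-aaaa ACL matches nobody, so the two settings contradict each other. */`, and for bad3/bad4 that the two options are split across the `options` and `view` scopes. I am inferring the intent from the file names; confirm against the checker test that consumes them.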
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad2.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+ /*
+ * While this matches the defaults, it is not a good configuration
+ * to have in named.conf as the two options contradict each other
+ * indicating a error on behalf of the operator.
+ *
+ * The default is to have filter-aaaa-on-v4 off, but if it is turned
+ * on then it applies to all IPv4 queries. This results in
+ * contradictory defaults.
+ */
+ filter-aaaa-on-v4 no;
+ filter-aaaa { any; };
+};
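Review bot: The explanatory comment has a typo: `indicating a error` should read `indicating an error`. The rest of the comment is a useful model for the other bad*.conf fixtures in this commit.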
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad3.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 no;
+};
+
+view myview {
+ filter-aaaa { any; };
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad4.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+ filter-aaaa { any; };
+};
+
+view myview {
+ filter-aaaa-on-v4 no;
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad5.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+ filter-aaaa { none; };
+};
+
+view myview {
+ filter-aaaa-on-v4 yes;
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad6.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 yes;
+};
+
+view myview {
+ filter-aaaa { none; };
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good1.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 yes;
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good2.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 break-dnssec;
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good3.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 break-dnssec;
+ filter-aaaa { 1.0.0.0/8; };
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good4.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 yes;
+ filter-aaaa { 1.0.0.0/8; };
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good5.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 yes;
+};
+
+view myview {
+ filter-aaaa { 1.0.0.0/8; };
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good6.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+ filter-aaaa { 1.0.0.0/8; };
+};
+
+view myview {
+ filter-aaaa-on-v4 yes;
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good7.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+};
+
+view myview {
+ filter-aaaa { 1.0.0.0/8; };
+ filter-aaaa-on-v4 yes;
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good8.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+ filter-aaaa-on-v4 no;
+};
+
+view myview {
+ filter-aaaa { 1.0.0.0/8; };
+ filter-aaaa-on-v4 yes;
+};
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: filter-aaaa.c,v 1.2.2.2 2010/06/22 04:02:40 marka Exp $ */
+
+#include <config.h>
+
+int
+main(int argc, char **argv) {
+ argc = argc;
+ argv = argv;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ return (0);
+#else
+ return (1);
+#endif
+}
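Review bot: The self-assignments `argc = argc;` and `argv = argv;` are a fragile way to silence unused-parameter warnings; newer compilers flag exactly this pattern (clang's -Wself-assign), so the idiom will itself start producing the warning it is meant to suppress. A cast to void is the portable form and needs no extra header: `(void)argc;` and `(void)argv;`. Since the program's only output is its exit status, a one-line comment above main stating that 0 means ALLOW_FILTER_AAAA_ON_V4 was defined at configure time and 1 means it was not would make the prereq.sh contract explicit.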
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { fd92:7065:b8e:ffff::1; };
+ recursion no;
+ notify yes;
+ filter-aaaa-on-v4 yes;
+ filter-aaaa { 10.53.0.1; };
+};
+
+zone "." { type master; file "root.db"; };
+zone "signed" { type master; file "signed.db.signed"; };
+zone "unsigned" { type master; file "unsigned.db"; };
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+$TTL 120
+@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
+@ NS ns.utld
+ns.utld A 10.53.0.1
+;
+signed NS ns.utld
+unsigned NS ns.utld
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+dlvsets=
+
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db.signed
+outfile=signed.db.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
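Review bot: A signing failure is swallowed here: `$SIGNER ... || cat signer.err` prints the error but the pipeline's status is that of `cat`, so the script still exits 0 and prints "I: signed", even though setup.sh runs it with `sh -e`; the tests then run against a zone that was never signed. Change the line to `$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || { cat signer.err; exit 1; }`. The two `$KEYGEN ... 2> /dev/null` redirections have the same effect on diagnostics: under `sh -e` a failed key generation stops the script at the assignment, but with no message about why. Note also that `$zonefile` and `$outfile` are the same path, so the signer reads and overwrites its own input; that appears to work only because dnssec-signzone loads the whole zone before writing, and deserves a comment so nobody "fixes" it into a pipeline. The 768-bit DSA keys are fine as a throwaway test fixture but should not be copied from here into any real signing script.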
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: signed.db.in,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+$TTL 120
+@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
+@ NS ns.utld.
+a-only NS 1.0.0.1
+aaaa-only AAAA 2001:db8::2
+dual A 1.0.0.3
+dual AAAA 2001:db8::3
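Review bot: `a-only NS 1.0.0.1` is almost certainly a typo for `a-only A 1.0.0.1`: as written it is an NS record whose target is the host name `1.0.0.1.signed.`, which turns a-only.signed into a delegation point rather than a name that owns only an A record. A query for a-only.signed therefore gets a referral (and, once signed, a delegation-style NSEC) instead of an answer, so the "A present, AAAA absent" case this fixture is evidently laid out to cover — alongside aaaa-only and dual — is not exercised by anything that queries it. The unsigned.db fixture in this directory repeats the same record shape and should be corrected together with this one.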
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: unsigned.db,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+$TTL 120
+@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
+@ NS ns.utld.
+a-only NS 1.0.0.4
+aaaa-only AAAA 2001:db8::5
+dual A 1.0.0.6
+dual AAAA 2001:db8::6
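Review bot: `a-only NS 1.0.0.4` defines a delegation of a-only.unsigned to a server named `1.0.0.4.unsigned.`, not an address record; the owner name and the sibling aaaa-only/dual entries indicate `a-only A 1.0.0.4` was intended. With the NS record in place, named answers a-only.unsigned queries with a referral, so this name cannot serve as the "A only, nothing to filter" control case. Fix it in the same change as the signed.db.in fixture, which has the identical slip.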
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion yes;
+ notify yes;
+ filter-aaaa-on-v4 yes;
+ filter-aaaa { 10.53.0.2; };
+};
+
+zone "." { type hint; file "hints"; };
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { fd92:7065:b8e:ffff::3; };
+ recursion yes;
+ notify yes;
+ filter-aaaa-on-v4 break-dnssec;
+ filter-aaaa { 10.53.0.3; };
+};
+
+zone "." { type hint; file "hints"; };
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { fd92:7065:b8e:ffff::4; };
+ recursion no;
+ notify yes;
+ filter-aaaa-on-v4 break-dnssec;
+ filter-aaaa { 10.53.0.4; };
+};
+
+zone "." { type master; file "root.db"; };
+zone "signed" { type master; file "signed.db.signed"; };
+zone "unsigned" { type master; file "unsigned.db"; };
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $
+
+$TTL 120
+@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
+@ NS ns.utld
+ns.utld A 10.53.0.1
+;
+signed NS ns.utld
+unsigned NS ns.utld
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+dlvsets=
+
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db.signed
+outfile=signed.db.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
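Review bot: As in ns1/sign.sh, the `|| cat signer.err` on the $SIGNER line turns a failed signing run into a successful exit (the status is cat's), so `sh -e` in setup.sh never notices and the "I: signed" line is printed regardless; use `|| { cat signer.err; exit 1; }` so the failure propagates. Since this file is byte-for-byte the ns1 script, consider one shared sign.sh parameterised by directory rather than two copies that will drift apart; at minimum the unused `dlvsets=` can go. The read-and-overwrite of the same `$zonefile`/`$outfile` path works only if the signer loads the zone fully before writing, which merits a comment.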
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: signed.db.in,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $
+
+$TTL 120
+@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
+@ NS ns.utld.
+a-only NS 1.0.0.1
+aaaa-only AAAA 2001:db8::2
+dual A 1.0.0.3
+dual AAAA 2001:db8::3
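Review bot: `a-only NS 1.0.0.1` makes a-only.signed a delegation (to a nameserver called `1.0.0.1.signed.`) instead of a name carrying only an A record; the fixture's naming (a-only, aaaa-only, dual) shows `a-only A 1.0.0.1` was meant. The break-dnssec server in this directory is precisely where the unfiltered A-only path should be observable, and with a referral coming back it is not. This copy of the zone file mirrors ns1/signed.db.in, so both need the same one-token fix.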
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: unsigned.db,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $
+
+$TTL 120
+@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
+@ NS ns.utld.
+a-only NS 1.0.0.4
+aaaa-only AAAA 2001:db8::5
+dual A 1.0.0.6
+dual AAAA 2001:db8::6
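Review bot: Same slip as the other zone fixtures: `a-only NS 1.0.0.4` should read `a-only A 1.0.0.4`; the NS type creates a delegation to a host named `1.0.0.4.unsigned.` rather than an address at a-only. Queries for a-only.unsigned on ns4 will be referred instead of answered, so the name is useless as the A-only control under the break-dnssec configuration this server exists to test.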
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.2.2.2 2010/06/22 04:02:40 marka Exp $
+
+if ./filter-aaaa
+then
+ :
+else
+ echo "I:This test requires --enable-filter-aaaa at compile time." >&2
+ exit 1
+fi
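Review bot: `if ./filter-aaaa` cannot distinguish "built without --enable-filter-aaaa" from "helper not built at all": when the binary is missing the shell fails the command with status 127 and the script prints the misleading "requires --enable-filter-aaaa" message. Guard the existence case separately before the feature probe, e.g. `test -x ./filter-aaaa || { echo "I:filter-aaaa probe binary not built" >&2; exit 1; }`. A short comment that the probe's exit status is defined in filter-aaaa.c (0 = feature compiled in, 1 = not) would tie the two files together for the next reader.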
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $
+
+sh clean.sh
+
+../../../tools/genrandom 400 random.data
+
+(cd ns1 && sh -e sign.sh)
+(cd ns4 && sh -e sign.sh)
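Review bot: None of the three steps here is checked, so setup.sh exits 0 even when `genrandom` fails to create random.data or either `(cd nsN && sh -e sign.sh)` subshell exits non-zero; the tests then run against unsigned zones and fail later in a way that hides the real cause. Either put `set -e` right after the shebang or append `|| exit 1` to the genrandom line and to each subshell. Note that `sh -e sign.sh` only helps if the subshell's status is actually inspected; as written it is discarded.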
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300"
+
+for conf in conf/good*.conf
+do
+ n=`expr $n + 1`
+ echo "I:checking that $conf is accepted ($n)"
+ ret=0
+ $CHECKCONF "$conf" || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+done
+
+for conf in conf/bad*.conf
+do
+ n=`expr $n + 1`
+ echo "I:checking that $conf is rejected ($n)"
+ ret=0
+ $CHECKCONF "$conf" >/dev/null && ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+done
+
+#
+# Authoritative tests against:
+# filter-aaaa-on-v4 yes;
+# filter-aaaa { 10.53.0.1; };
+#
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep ::2 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep ::5 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::1
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+#
+# Authoritative tests against:
+# filter-aaaa-on-v4 break-dnssec;
+# filter-aaaa { 10.53.0.4; };
+#
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep ::2 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep ::5 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 with break-dnssec ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::4
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+#
+# Recursive tests against:
+# filter-aaaa-on-v4 yes;
+# filter-aaaa { 10.53.0.2; };
+#
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep ::5 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::2
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+#
+# Recursive tests against:
+# filter-aaaa-on-v4 break-dnssec;
+# filter-aaaa { 10.53.0.3; };
+#
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep ::5 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive with break-dnssec ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::3
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+echo "I:exit status: $status"
+exit $status
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out random.data
+rm -f ns1/key ns1/named.memstats
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
+
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "example." {
+ type master;
+ file "example.db.signed";
+ allow-update { any; };
+};
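Review bot: `allow-update { any; };` on the signed zone and `allow { any; }` on the rndc control channel with a hard-coded hmac-md5 secret are fully open, which is only tolerable because this named listens solely on 10.53.0.1 ports 5300/9953 inside the test harness — and nothing in the file says so. A comment above the zone's `allow-update { any; };`, `/* test-only: unauthenticated update so tests.sh can add the second ZSK via nsupdate */`, and one above the second `controls` block, `/* test-only: well-known key on a loopback-alias listener */`, would keep these settings from being copied into a real configuration. The secret is presumably shared with the harness's rndc.conf; if it is not, rndc cannot reach this server at all.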
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ echo "I:This test requires that --with-openssl was used." >&2
+ exit 1
+fi
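Review bot: The `genrandom` invocation on the first line is not checked, so if it fails (missing binary, unwritable directory) `random.data` does not exist and the following `$KEYGEN -r random.data` fails with the misleading "requires --with-openssl" diagnostic. Guard it with `../../../tools/genrandom 400 random.data || { echo "I:genrandom failed" >&2; exit 1; }`. The keygen probe also discards stderr, so any other failure is attributed to the OpenSSL build option; keeping stderr when the probe fails would show the real cause.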
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=random.data
+
+zone=example
+infile=ns1/example.db.in
+zonefile=ns1/example.db
+
+$PK11GEN -b 1024 -l robie-zsk1 -i 01
+$PK11GEN -b 1024 -l robie-zsk2 -i 02
+$PK11GEN -b 2048 -l robie-ksk
+
+zsk1=`$KEYFRLAB -a RSASHA1 -l robie-zsk1 example`
+zsk2=`$KEYFRLAB -a RSASHA1 -l robie-zsk2 example`
+ksk=`$KEYFRLAB -a RSASHA1 -f ksk -l robie-ksk example`
+
+cat $infile $zsk1.key $ksk.key > $zonefile
+$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+cp $zsk2.key ns1/key
+mv Kexample* ns1
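Review bot: None of the key-generation or signing steps is checked, so a failed `$PK11GEN`, an empty `$zsk1`/`$zsk2`/`$ksk` from `$KEYFRLAB`, or a failing `$SIGNER` (whose output goes to /dev/null) leaves a half-built `ns1/example.db.signed`, and the problem only surfaces later as a wrong RRSIG count in tests.sh. Fail fast on the signer at least: `$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 || { echo "I:dnssec-signzone failed" >&2; exit 1; }`, and check the key names before the `cat` with `[ -n "$zsk1" ] && [ -n "$zsk2" ] && [ -n "$ksk" ] || exit 1`. With an empty `$zsk1` the `cat` line would otherwise silently try to read a file named `.key`.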
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=random.data
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+status=0
+ret=0
+
+zonefile=ns1/example.db
+
+echo "I:testing PKCS#11 key generation"
+
+count=`$PK11LIST | grep robie-ksk | wc -l`
+if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing offline signing with PKCS#11 keys"
+
+count=`grep RRSIG $zonefile.signed | wc -l`
+if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing inline signing with PKCS#11 keys"
+
+$NSUPDATE > /dev/null <<END || status=1
+server 10.53.0.1 5300
+ttl 300
+zone example.
+update add `grep -v ';' ns1/key`
+send
+END
+
+echo "I:waiting 20 seconds for key changes to take effect"
+sleep 20
+
+$DIG $DIGOPTS ns.example. @10.53.0.1 a > dig.out || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`grep RRSIG dig.out | wc -l`
+if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing PKCS#11 key destroy"
+
+ret=0
+$PK11DEL -l robie-zsk1 || ret=1
+$PK11DEL -i 02 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`$PK11LIST | grep robie-zsk | wc -l`
+if [ $count != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $count`
+
+echo "I:exit status: $status"
+exit $status
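Review bot: The destroy step deletes `robie-zsk1` and the object with id `02`, but the `robie-ksk` pair that setup.sh generated is never removed — not here and not by clean.sh, which only removes files — so the KSK private key stays in the PKCS#11 token after the run, and the next run's `grep robie-ksk | wc -l` check at the top would presumably see more than 2 objects. Add `$PK11DEL -l robie-ksk || ret=1` beside the other two deletes and widen the final check to `count=\`$PK11LIST | grep robie- | wc -l\``. The fixed `sleep 20` is also a fragile way to wait for the dynamic update to be signed; polling `$DIG` for the expected RRSIG count in a bounded retry loop would make the test faster and less flaky.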
--- /dev/null
+This test relies on PKCS#11!
--- /dev/null
+#!/usr/bin/perl
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: testsock6.pl,v 1.2.2.4 2010/06/22 23:46:34 tbox Exp $
+
+# Test whether the interfaces on 10.53.0.* are up.
+
+require 5.001;
+
+use IO::Socket::INET6;
+
+foreach $addr ($ARGV) {
+ my $sock;
+ $sock = IO::Socket::INET6->new(LocalAddr => $addr,
+ LocalPort => 0,
+ Proto => tcp)
+ or die "Can't bind : $@\n";
+ close($sock);
+}
+#!/usr/bin/perl
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: testsock6.pl,v 1.2.2.4 2010/06/22 23:46:34 tbox Exp $
+
+# Test whether the interfaces on 10.53.0.* are up.
+
+require 5.001;
+
+use IO::Socket::INET6;
+
+foreach $addr ($ARGV) {
+ my $sock;
+ $sock = IO::Socket::INET6->new(LocalAddr => $addr,
+ LocalPort => 0,
+ Proto => tcp)
+ or die "Can't bind : $@\n";
+ close($sock);
+}
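Review bot: `foreach $addr ($ARGV)` iterates over the scalar `$ARGV` (the name of the file currently being read by `<>`), not the command-line argument list, so the loop runs once with an undefined `LocalAddr` and the interface check binds to a wildcard address rather than to 10.53.0.*; the line should read `foreach my $addr (@ARGV) {`. The bareword in `Proto => tcp` should be quoted as `Proto => 'tcp'` so the script keeps working once `use strict` is added. Both issues appear twice because the file body is repeated verbatim below the first `}` (the second copy starting at the duplicated `#!/usr/bin/perl` line); if the duplication is a rendering artefact of this page it can be ignored, otherwise the second copy should be dropped.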
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.2.2 2010/06/17 05:43:49 marka Exp $
+
+TARGETS = libvtwrapper.so
+SRCS = vtwrapper.c
+CFLAGS += -fPIC
+LDFLAGS =
+LIBS =
+
+all: libvtwrapper.so
+
+.SUFFIXES: .c .o
+
+.c.o:
+ ${CC} ${CFLAGS} -c $<
+
+libvtwrapper.so: vtwrapper.o
+ ${CC} ${CFLAGS} ${LDFLAGS} -nostdlib -export-dynamic -shared -o $@ vtwrapper.o ${LIBS}
+
+clean distclean::
+ rm -f ${TARGETS} *.o
+
+SUBDIRS =
+
+test:
+ if test -f ./runall.sh; then sh ./runall.sh; fi
+
+testclean clean distclean::
+ if test -f ./cleanall.sh; then sh ./cleanall.sh; fi
+
+distclean::
+ rm -f conf.sh
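Review bot: The link line for libvtwrapper.so uses the bare `-export-dynamic` spelling, which only reaches the linker because gcc forwards unknown `-e*` options to ld and GNU ld happens to accept the single-dash long form; other compiler drivers may parse it as `-e` with an entry-point argument. The driver-level spelling `-rdynamic` (or `-Wl,--export-dynamic`) is the portable form, e.g. `${CC} ${CFLAGS} ${LDFLAGS} -nostdlib -Wl,--export-dynamic -shared -o $@ vtwrapper.o ${LIBS}`. With `-nostdlib` and an empty `LIBS`, any symbol lookup the wrapper does via the dynamic loader presumably needs `-ldl` on platforms that ship it separately; vtwrapper.c is not in this hunk, so that is worth confirming.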
--- /dev/null
+Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+This is copied from ../system.
+
+This test suite uses a virtual time, gettimeofday(), select(),
+poll(), kevent() and epoll_wait() Unix system calls are redirected:
+gettimeofday() returns a date in virtual/exponentially inflated
+delay from an epoch, select(), poll(), kevent() and epoll_wait()
+timeouts are deflated down to at least 10ms.
+
+These tests depends on LD_PRELOAD being supported by the runtime
+loader.
+
+Beware BIND clock uses unsigned integer, in 22 seconds isc_time_now()
+overflows and breaks assertions. Note 22 real seconds is 136 virtual
+years...
+
+$Id: README,v 1.2.2.2 2010/06/17 05:43:49 marka Exp $
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/21 02:36:42 marka Exp $
+
+#
+# Clean up after virtual time tests.
+#
+rm -f */K* */dsset-* */*.signed */*.jnl */tmp*
+rm -f dig.out.*
+rm -f random.data*
+rm -f */named.memstats
+rm -f */*vtwrapper.*
+rm -f ns1/example.db
+rm -f ns1/keyname
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.3 2010/06/21 23:46:26 tbox Exp $
+
+$TTL 60 ; 1 mn (to avoid to delay activation with ttl > prepublish)
+@ IN SOA ns root (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 12000 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ sig-validity-interval 20;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
+zone "example." {
+ type master;
+ file "example.db.signed";
+ allow-query { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
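Review bot: The `zone "example."` block combines `allow-update { any; };` with `auto-dnssec maintain;`, so any host that can reach the listener on 10.53.0.1 can rewrite the signed zone and trigger re-signing; that is presumably intended for the virtual-time key rollover test, but nothing in the file says so. A one-line comment such as `/* test fixture: open updates on the 10.53.0.1 test address only; do not copy to a real deployment */` above the zone would stop the block being reused as a template. The `key rndc_key` secret is the same in-repo literal used by the other configs in this commit, so a similar note that it is a shared test-only secret would help; the second named.conf later in this diff (sig-validity-interval 2) has the identical zone and key blocks and should get the same comments.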
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example NS ns.example
+ns.example A 10.53.0.1
+
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data1
+RANDFILE2=../random.data2
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+
+cat $infile $zskname.key $kskname.key > $zonefile
+
+$SIGNER -P -e +1000d -r $RANDFILE -o $zone $zonefile > /dev/null
+
+# ksk
+keyname=`$KEYGEN -q -r $RANDFILE2 -a RSASHA1 -b 1024 -n zone \
+ -f KSK -P +20 -A +1h -R +6h -I +1d -D +1mo $zone`
+
+echo $keyname > keyname
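Review bot: The `-e` in the `#!/bin/sh -e` shebang is silently lost because setup.sh invokes this script as `sh sign.sh` (the `cd ns1 && sh sign.sh` line in the setup.sh hunk), so a failing `$KEYGEN` or `$SIGNER` leaves an empty `zskname`/`kskname` and the script carries on to write a broken zone and an empty `keyname` file without any non-zero exit. Put the option in the body where it survives any invocation, `set -e` right after the header, and ideally also guard the key generation with `|| exit 1`. The same shebang-only `-e` appears in the second sign.sh (the ZSK variant further down) and in both setup.sh copies, which are run in a way this diff does not show.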
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: wrap.sh,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+#
+# Wrapper for named
+#
+
+LD_PRELOAD=../../libvtwrapper.so
+export LD_PRELOAD
+
+exec $*
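Review bot: `exec $*` re-splits and glob-expands the wrapped command line, so any argument containing whitespace or a shell metacharacter (a config path with a space, an option value) is passed to named as several words or expanded against the current directory; the correct form is `exec "$@"`. Because this wrapper sets `LD_PRELOAD` and then `exec`s, the preloaded libvtwrapper.so is also inherited by every child named spawns, which is presumably intended for the virtual-time harness but is worth a comment next to the `export LD_PRELOAD` line. The second wrap.sh in this diff has the identical `exec $*` and needs the same fix.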
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/21 02:36:42 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
+../../../tools/genrandom 800 random.data
+dd if=random.data of=random.data1 bs=1k count=400 2> /dev/null
+dd if=random.data of=random.data2 bs=1k skip=400 2> /dev/null
+
+cd ns1 && sh sign.sh
+
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/21 02:36:42 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="+noadd +nosea +nostat +nocmd +noauth +dnssec -p 5300"
+
+ksk=ns1/`cat ns1/keyname`.key
+kskpat=`awk '/DNSKEY/ { print $8 }' $ksk`
+kskid=`sed 's/^Kexample\.+005+0*//' < ns1/keyname`
+rkskid=`expr \( $kskid + 128 \) \% 65536`
+
+echo "I:checking for KSK not yet published ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 5s real, 55s virtual, P +20
+sleep 4
+
+echo "I:checking for KSK published but not yet active ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep 'RRSIG.*'" $kskid "'example\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 10s real, 2h15mn virtual, A +1h
+sleep 5
+
+echo "I:checking for KSK active ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null || ret=1
+grep 'RRSIG.*'" $kskid "'example\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 11s real, 6h7,m virtual, R +6h
+sleep 1
+
+echo "I:checking for KSK revoked ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null || ret=1
+awk 'BEGIN { $noksk=1 } \
+/DNSKEY/ { $5==385 && $noksk=0 } \
+END { exit $noksk }' < dig.out.ns1.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep 'RRSIG.*'" $kskid "'example\. ' dig.out.ns1.test$n > /dev/null && ret=1
+grep 'RRSIG.*'" $rkskid "'example\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 13s real, 45h virtual, I +1d
+sleep 2
+
+echo "I:checking for KSK retired but not yet deleted ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 17s real, 103d virtual, D +1mo
+sleep 4
+
+echo "I:checking for KSK deleted ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null && ret=1
+# Note - this is looking for failure, hence the &&
+grep 'RRSIG.*'" $rkskid "'example\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
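Review bot: The awk program in the "checking for KSK revoked" step is not valid awk: in `BEGIN { $noksk=1 }` and `END { exit $noksk }` the `$` turns `noksk` (unset, so 0) into a field reference `$0`, and `$5==385 && $noksk=0` assigns to a non-lvalue, which gawk and most other awks reject as a syntax error, so the `|| ret=1` fires and this step always reports failure regardless of whether a revoked KSK (flags 385) is present. The intended check is `awk 'BEGIN { noksk=1 } \` / `/DNSKEY/ { if ($5 == 385) noksk=0 } \` / `END { exit noksk }' < dig.out.ns1.test$n > /dev/null || ret=1`. While there, `grep $kskpat` and the `$kskid`/`$rkskid` expansions are unquoted; the key material is base64 so it happens to be split-safe, but quoting them costs nothing.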
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $
+
+#
+# Clean up after virtual time tests.
+#
+rm -f */K* */dsset-* */*.signed */*.jnl */tmp*
+rm -f dig.out.*
+rm -f random.data*
+rm -f */named.memstats
+rm -f */*vtwrapper.*
+rm -f ns1/example.db
+rm -f ns1/keyname
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+$TTL 60 ; 1 mn (to avoid to delay activation with ttl > prepublish)
+@ IN SOA ns root (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 12000 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/21 02:36:44 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ sig-validity-interval 2;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
+zone "example." {
+ type master;
+ file "example.db.signed";
+ allow-query { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example NS ns.example
+ns.example A 10.53.0.1
+
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/06/21 02:36:44 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data1
+RANDFILE2=../random.data2
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+
+cat $infile $zskname.key $kskname.key > $zonefile
+
+$SIGNER -P -e +1000d -r $RANDFILE -o $zone $zonefile > /dev/null
+
+# zsk, no -R
+keyname=`$KEYGEN -q -r $RANDFILE2 -a RSASHA1 -b 768 -n zone \
+ -P +20 -A +1h -I +1d -D +1mo $zone`
+
+echo $keyname > keyname
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: wrap.sh,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+#
+# Wrapper for named
+#
+
+LD_PRELOAD=../../libvtwrapper.so
+export LD_PRELOAD
+
+exec $*
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
+../../../tools/genrandom 800 random.data
+dd if=random.data of=random.data1 bs=1k count=400 2> /dev/null
+dd if=random.data of=random.data2 bs=1k skip=400 2> /dev/null
+
+cd ns1 && sh sign.sh
+
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="+noadd +nosea +nostat +nocmd +noauth +dnssec -p 5300"
+
+zsk=ns1/`cat ns1/keyname`.key
+zskpat=`awk '/DNSKEY/ { print $8 }' $zsk`
+zskid=`sed 's/^Kexample\.+005+0*//' < ns1/keyname`
+
+echo "I:checking for ZSK not yet published ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+# Note - this is looking for failure, hence the &&
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null && ret=1
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+# Note - this is looking for failure, hence the &&
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 5s real, 55s virtual, P +20
+sleep 4
+
+echo "I:checking for ZSK published but not yet active ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 10s real, 2h15mn virtual, A +1h
+sleep 5
+
+echo "I:checking for ZSK active ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null || ret=1
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 13s real, 45h virtual, I +1d
+sleep 3
+
+echo "I:checking for ZSK retired but not yet deleted ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 17s real, 103d virtual, D +1mo
+sleep 4
+
+echo "I:checking for ZSK deleted ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+# Note - this is looking for failure, hence the &&
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null && ret=1
+# Note - this is looking for failure, hence the &&
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
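Review bot: Several of the `# Note - this is looking for failure, hence the &&` comments in this script are placed above a `$DIG ... || ret=1` line rather than above the `grep ... && ret=1` line they describe (the "published but not yet active", "retired but not yet deleted" and "deleted" steps), so a reader checking the `||` line against the comment will think the sense is inverted. Move each such comment directly above its `grep 'RRSIG.*'" $zskid "'example\. ' ... && ret=1` line, as the first and third steps already do. The numbering in the `dig.out.ns1.key$n` / `dig.out.ns1.txt$n` file names is consistent, so no other change is needed.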
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+echo "I:This test is not yet written." >&2
+exit 1
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: cleanall.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+#
+# Clean up after system tests.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+
+find . -type f \( \
+ -name 'K*' -o -name '*~' -o -name '*.core' -o -name '*.log' \
+ -o -name '*.pid' -o -name '*.keyset' -o -name named.run \
+ -o -name lwresd.run -o -name ans.run \) -print | xargs rm -f
+
+status=0
+
+for d in $SUBDIRS
+do
+ test ! -f $d/clean.sh || ( cd $d && sh clean.sh )
+done
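Review bot: `find ... -print | xargs rm -f` word-splits on whitespace, so any matching path with a space or newline in it is either skipped or partially deleted as the wrong name; since the pattern list includes `K*` and `*.log`, which match user-generated files, the deletion should not depend on file names being well-behaved. Use find's own exec instead, `-o -name lwresd.run -o -name ans.run \) -exec rm -f -- {} +`, which also drops the dependency on xargs. The `status=0` assignment is never read and can go.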
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: controls.conf,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
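Review bot: The `rndc_key` secret here is the same literal string used by rndc.conf in the next file section and by the named.conf files earlier in this diff, and nothing marks it as a fixture, so the block reads like a usable control-channel configuration. A comment such as `/* test-only shared secret, duplicated in rndc.conf and the ns*/named.conf files; never reuse outside the system tests */` above the `key` statement would make the intent explicit. `allow { any; }` is acceptable only because the listener is bound to the test address 10.53.0.2 and every request still has to be signed with the key; that reasoning belongs in the same comment.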
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rndc.conf,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $ */
+
+options {
+ default-key "rndc_key";
+};
+
+key rndc_key {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.hint,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.1
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: conf.sh.in,v 1.2.2.3 2010/06/21 02:36:42 marka Exp $
+
+#
+# Common configuration data for system tests, to be sourced into
+# other shell scripts.
+#
+
+# Find the top of the BIND9 tree.
+TOP=${SYSTEMTESTTOP:=.}/../../..
+
+# Make it absolute so that it continues to work after we cd.
+TOP=`cd $TOP && pwd`
+
+NAMED=$TOP/bin/named/named
+# We must use "named -l" instead of "lwresd" because argv[0] is lost
+# if the program is libtoolized.
+LWRESD="$TOP/bin/named/named -l"
+DIG=$TOP/bin/dig/dig
+RNDC=$TOP/bin/rndc/rndc
+NSUPDATE=$TOP/bin/nsupdate/nsupdate
+DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+KEYGEN=$TOP/bin/dnssec/dnssec-keygen
+SIGNER=$TOP/bin/dnssec/dnssec-signzone
+REVOKE=$TOP/bin/dnssec/dnssec-revoke
+SETTIME=$TOP/bin/dnssec/dnssec-settime
+DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+CHECKZONE=$TOP/bin/check/named-checkzone
+CHECKCONF=$TOP/bin/check/named-checkconf
+
+SUBDIRS="slave autosign-zsk autosign-ksk"
+
+# PERL will be an empty string if no perl interpreter was found.
+PERL=@PERL@
+
+export NAMED LWRESD DIG NSUPDATE KEYGEN SIGNER KEYSIGNER KEYSETTOOL PERL \
+ SUBDIRS RNDC CHECKZONE
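Review bot: The `export` list names `KEYSIGNER` and `KEYSETTOOL`, which nothing in this file assigns, while `LWRESD`, `DDNSCONFGEN`, `REVOKE`, `SETTIME`, `DSFROMKEY` and `CHECKCONF` are assigned just above but never exported. Exporting an unset name is harmless under `sh`, but the mismatch reads as a list copied from an older conf.sh and not reconciled; either drop the two dead names or export the full set, depending on which of them the per-test `tests.sh` scripts actually use (not visible here). Separately, `TOP=\`cd $TOP && pwd\`` word-splits if `SYSTEMTESTTOP` ever contains whitespace; `TOP=$(cd "$TOP" && pwd)` is POSIX and safe.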
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: run.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+stopservers=true
+
+case $1 in
+ --keep) stopservers=false; shift ;;
+esac
+
+test $# -gt 0 || { echo "usage: $0 [--keep] test-directory" >&2; exit 1; }
+
+test=$1
+shift
+
+test -d $test || { echo "$0: $test: no such test" >&2; exit 1; }
+
+echo "S:$test:`date`" >&2
+echo "T:$test:1:A" >&2
+echo "A:Virtual time test $test" >&2
+
+if [ x$PERL = x ]
+then
+ echo "I:Perl not available. Skipping test." >&2
+ echo "R:UNTESTED" >&2
+ echo "E:$test:`date`" >&2
+ exit 0;
+fi
+
+$PERL testsock.pl || {
+ echo "I:Network interface aliases not set up. Skipping test." >&2
+ echo "R:UNTESTED" >&2
+ echo "E:$test:`date`" >&2
+ exit 0;
+}
+
+# Check for test-specific prerequisites.
+if
+ test ! -f $test/prereq.sh ||
+ ( cd $test && sh prereq.sh "$@" )
+then
+ : prereqs ok
+else
+ echo "I:Prerequisites for $test missing, skipping test." >&2
+ echo "R:UNTESTED" >&2
+ echo "E:$test:`date`" >&2
+ exit 0;
+fi
+
+# Set up any dynamically generated test data
+if test -f $test/setup.sh
+then
+ ( cd $test && sh setup.sh "$@" )
+fi
+
+# Start name servers running
+$PERL start.pl $test || exit 1
+
+# Run the tests
+( cd $test ; sh tests.sh )
+
+status=$?
+
+if $stopservers
+then
+ :
+else
+ exit $status
+fi
+
+# Shutdown
+$PERL stop.pl $test
+
+status=`expr $status + $?`
+
+if [ $status != 0 ]; then
+ echo "R:FAIL"
+ # Don't clean up - we need the evidence.
+ find . -name core -exec chmod 0644 '{}' \;
+else
+ echo "R:PASS"
+
+ # Clean up.
+ if test -f $test/clean.sh
+ then
+ ( cd $test && sh clean.sh "$@" )
+ fi
+fi
+
+echo "E:$test:`date`"
+
+exit $status
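Review bot: With `--keep` the `else exit $status` branch after `if $stopservers` leaves before `R:PASS`/`R:FAIL` and the closing `E:$test:` record are written, so anything that consumes the S:/T:/A:/R:/E: lines sees an unterminated test; `$PERL start.pl $test || exit 1` has the same gap. Emit the result lines before leaving: `if [ $status = 0 ]; then echo "R:PASS"; else echo "R:FAIL"; fi`, then `echo "E:$test:\`date\`"` and `exit $status`. Also, `$test` is unquoted in `test -d $test`, `test -f $test/prereq.sh` and the `( cd $test && ... )` subshells, so a test name containing whitespace silently breaks; `"$test"` is safe under `#!/bin/sh`.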
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: runall.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+#
+# Run all the virtual time tests.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+$PERL testsock.pl || {
+ echo "I:Network interface aliases not set up. Skipping tests." >&2;
+ echo "R:UNTESTED" >&2;
+ echo "E:virtual-time:`date`" >&2;
+ exit 0;
+}
+
+status=0
+
+for d in $SUBDIRS
+do
+ sh run.sh $d || status=1
+done
+
+exit $status
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+#
+# Run a system test.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+test $# -gt 0 || { echo "usage: $0 test-directory" >&2; exit 1; }
+
+test=$1
+shift
+
+test -d $test || { echo "$0: $test: no such test" >&2; exit 1; }
+
+# Set up any dynamically generated test data
+if test -f $test/setup.sh
+then
+ ( cd $test && sh setup.sh "$@" )
+fi
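Review bot: The header comment `# Run a system test.` is wrong for this file: the script only validates the argument and runs the test's `setup.sh`, and never starts servers or runs `tests.sh`. Replace it with `# Set up a system test's dynamically generated data without running it.` so it is not confused with run.sh, whose usage-check and `test -d $test` lines it duplicates verbatim.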
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+#
+# Clean up after virtual time tests.
+#
+rm -f dig.out.*
+rm -f ns1/named.memstats
+rm -f ns1/vtwrapper.*
+rm -f ns1/example.db
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 12000 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
+zone "example." {
+ type slave;
+ masters { 10.53.0.111; };
+ file "example.db";
+};
+
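Review bot: The file carries two `controls` statements, `controls { /* empty */ };` near the top and a full `inet 10.53.0.1 port 9953 ...` block further down; if named merges repeated clauses the first is a leftover from a template, and if it rejects duplicates the file will not load, so one of them should go (presumably the empty one, since stop.pl's `--use-rndc` path needs the channel). The `masters { 10.53.0.111; };` line in `zone "example."` points at an address no server in this test binds, which is what makes the slave expire, but that intent is only recoverable from tests.sh; a comment such as `/* deliberately unreachable master: the zone must expire during the test */` belongs next to it.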
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example NS ns.example
+ns.example A 10.53.0.1
+
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: wrap.sh,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $
+
+#
+# Wrapper for named
+#
+
+LD_PRELOAD=../../libvtwrapper.so
+export LD_PRELOAD
+
+exec $*
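Review bot: `exec $*` re-splits the wrapped command on whitespace and drops any quoting, so an argument containing spaces (start.pl's `$options` string is passed through this path) arrives as several words; `exec "$@"` preserves the original argument vector. `LD_PRELOAD=../../libvtwrapper.so` is also fragile: it is resolved relative to the working directory at each exec, and because it is exported every child of named inherits it, so the path only works while the cwd is `$testdir/$server` as start.pl arranges. Computing an absolute path once, `LD_PRELOAD=$(cd ../.. && pwd)/libvtwrapper.so`, removes that dependency on the caller's cwd.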
--- /dev/null
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+rm -f ns1/example.db
+cp ns1/example.db.in ns1/example.db
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/17 05:43:52 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300"
+
+echo "I:checking slave expiry"
+ret=0
+$DIG $DIGOPTS txt.example. txt @10.53.0.1 > dig.out.before || ret=1
+echo "I:waiting for expiry (10s real, 6h virtual)"
+sleep 10
+$DIG $DIGOPTS txt.example. txt @10.53.0.1 > dig.out.after || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+ret=0
+grep "status: NOERROR" dig.out.before > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo "I:failed (before)"; status=1
+fi
+ret=0
+grep "status: SERVFAIL" dig.out.after > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo "I:failed (after)"; status=1
+fi
+
+echo "I:exit status: $status"
+exit $status
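Review bot: `status` is accumulated two different ways in this file: `status=\`expr $status + $ret\`` after the two `$DIG` calls, then `status=1` in the two grep checks, so the value printed by `echo "I:exit status: $status"` is neither a failure count nor a boolean. Pick one convention; the simplest is `status=1` in all three places, which also drops the `expr` fork.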
--- /dev/null
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: start.pl,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+# Framework for starting test servers.
+# Based on the type of server specified, check for port availability, remove
+# temporary files, start the server, and verify that the server is running.
+# If a server is specified, start it. Otherwise, start all servers for test.
+
+use strict;
+use Cwd 'abs_path';
+use Getopt::Long;
+
+# Option handling
+# --noclean test [server [options]]
+#
+# --noclean - Do not cleanup files in server directory
+# test - name of the test directory
+# server - name of the server directory
+# options - alternate options for the server
+
+my $usage = "usage: $0 [--noclean] test-directory [server-directory [server-options]]";
+my $noclean;
+GetOptions('noclean' => \$noclean);
+my $test = $ARGV[0];
+my $server = $ARGV[1];
+my $options = $ARGV[2];
+
+if (!$test) {
+ print "$usage\n";
+}
+if (!-d $test) {
+ print "No test directory: \"$test\"\n";
+}
+if ($server && !-d "$test/$server") {
+ print "No server directory: \"$test/$server\"\n";
+}
+
+# Global variables
+my $topdir = abs_path("$test/..");
+my $testdir = abs_path("$test");
+my $NAMED = $ENV{'NAMED'};
+my $DIG = $ENV{'DIG'};
+my $PERL = $ENV{'PERL'};
+
+# Start the server(s)
+
+if ($server) {
+ if ($server =~ /^ns/) {
+ &check_ports($server);
+ }
+ &start_server($server, $options);
+ if ($server =~ /^ns/) {
+ &verify_server($server);
+ }
+} else {
+ # Determine which servers need to be started for this test.
+ opendir DIR, $testdir;
+ my @files = sort readdir DIR;
+ closedir DIR;
+
+ my @ns = grep /^ns[0-9]*$/, @files;
+
+ # Start the servers we found.
+ &check_ports();
+ foreach (@ns) {
+ &start_server($_);
+ }
+ foreach (@ns) {
+ &verify_server($_);
+ }
+}
+
+# Subroutines
+
+sub check_ports {
+ my $server = shift;
+ my $options = "";
+
+ if ($server && $server =~ /(\d+)$/) {
+ $options = "-i $1";
+ }
+
+ my $tries = 0;
+ while (1) {
+ my $return = system("$PERL $topdir/testsock.pl -p 5300 $options");
+ last if ($return == 0);
+ if (++$tries > 4) {
+ print "$0: could not bind to server addresses, still running?\n";
+ print "I:server sockets not available\n";
+ print "R:FAIL\n";
+ system("$PERL $topdir/stop.pl $testdir"); # Is this the correct behavior?
+ exit 1;
+ }
+ print "I:Couldn't bind to socket (yet)\n";
+ sleep 2;
+ }
+}
+
+sub start_server {
+ my $server = shift;
+ my $options = shift;
+
+ my $cleanup_files;
+ my $command;
+ my $pid_file;
+
+ if ($server =~ /^ns/) {
+ $cleanup_files = "{*.jnl,*.bk,*.st,named.run}";
+ $command = "sh wrap.sh ";
+ $command .= "$NAMED ";
+ if ($options) {
+ $command .= "$options";
+ } else {
+ $command .= "-m record,size,mctx ";
+ $command .= "-T clienttest ";
+ $command .= "-c named.conf -d 99 -g";
+ }
+ $command .= " >named.run 2>&1 &";
+ $pid_file = "named.pid";
+ } else {
+ print "I:Unknown server type $server\n";
+ print "R:FAIL\n";
+ system "$PERL $topdir/stop.pl $testdir";
+ exit 1;
+ }
+
+# print "I:starting server $server\n";
+
+ chdir "$testdir/$server";
+
+ unless ($noclean) {
+ unlink glob $cleanup_files;
+ }
+
+ system "$command";
+
+ my $tries = 0;
+ while (!-f $pid_file) {
+ if (++$tries > 14) {
+ print "I:Couldn't start server $server\n";
+ print "R:FAIL\n";
+ system "$PERL $topdir/stop.pl $testdir";
+ exit 1;
+ }
+ sleep 1;
+ }
+}
+
+sub verify_server {
+ my $server = shift;
+ my $n = $server;
+ $n =~ s/^ns//;
+
+ my $tries = 0;
+ while (1) {
+ my $return = system("$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 version.bind. chaos txt \@10.53.0.$n > dig.out");
+ last if ($return == 0);
+ print `grep ";" dig.out`;
+ if (++$tries >= 30) {
+ print "I:no response from $server\n";
+ print "R:FAIL\n";
+ system("$PERL $topdir/stop.pl $testdir");
+ exit 1;
+ }
+ sleep 2;
+ }
+ unlink "dig.out";
+}
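Review bot: The three argument checks after `GetOptions` only `print` and then fall through, so a missing or bad `test-directory` continues into `abs_path("$test/..")` and `opendir DIR, $testdir` with an undefined or wrong path; stop.pl in the same commit handles the same cases with `die`. Mirror it: `die "$usage\n" unless defined($test);`, `die "No test directory: \"$test\"\n" unless -d $test;`, `die "No server directory: \"$test/$server\"\n" if ($server && !-d "$test/$server");`, and give `opendir` the same `or die "$testdir: $!\n"` stop.pl uses. `$server` and `$options` are interpolated into `system()` shell strings unquoted; that is tolerable for a harness driven by its own scripts, but a comment saying so would stop the pattern from migrating.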
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: start.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+. ./conf.sh
+$PERL start.pl "$@"
--- /dev/null
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: stop.pl,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+# Framework for stopping test servers
+# Based on the type of server specified, signal the server to stop, wait
+# briefly for it to die, and then kill it if it is still alive.
+# If a server is specified, stop it. Otherwise, stop all servers for test.
+
+use strict;
+use Cwd 'abs_path';
+
+# Option handling
+# [--use-rndc] test [server]
+#
+# test - name of the test directory
+# server - name of the server directory
+
+my $usage = "usage: $0 [--use-rndc] test-directory [server-directory]";
+my $use_rndc;
+
+while (@ARGV && $ARGV[0] =~ /^-/) {
+ my $opt = shift @ARGV;
+ if ($opt eq '--use-rndc') {
+ $use_rndc = 1;
+ } else {
+ die "$usage\n";
+ }
+}
+
+my $test = $ARGV[0];
+my $server = $ARGV[1];
+
+my $errors = 0;
+
+die "$usage\n" unless defined($test);
+die "No test directory: \"$test\"\n" unless (-d $test);
+die "No server directory: \"$server\"\n" if (defined($server) && !-d "$test/$server");
+
+# Global variables
+my $testdir = abs_path($test);
+my @servers;
+
+
+# Determine which servers need to be stopped.
+if (defined $server) {
+ @servers = ($server);
+} else {
+ local *DIR;
+ opendir DIR, $testdir or die "$testdir: $!\n";
+ my @files = sort readdir DIR;
+ closedir DIR;
+
+ my @ns = grep /^ns[0-9]*$/, @files;
+
+ push @servers, @ns;
+}
+
+
+# Stop the server(s), pass 1: rndc.
+if ($use_rndc) {
+ foreach my $server (grep /^ns/, @servers) {
+ stop_rndc($server);
+ }
+
+ wait_for_servers(30, grep /^ns/, @servers);
+}
+
+
+# Pass 2: SIGTERM
+foreach my $server (@servers) {
+ stop_signal($server, "TERM");
+}
+
+wait_for_servers(60, @servers);
+
+# Pass 3: SIGABRT
+foreach my $server (@servers) {
+ stop_signal($server, "ABRT");
+}
+
+exit($errors ? 1 : 0);
+
+# Subroutines
+
+# Return the full path to a given server's PID file.
+sub server_pid_file {
+ my($server) = @_;
+
+ my $pid_file;
+ if ($server =~ /^ns/) {
+ $pid_file = "named.pid";
+ } else {
+ print "I:Unknown server type $server\n";
+ exit 1;
+ }
+ $pid_file = "$testdir/$server/$pid_file";
+}
+
+# Read a PID.
+sub read_pid {
+ my($pid_file) = @_;
+
+ local *FH;
+ my $result = open FH, "< $pid_file";
+ if (!$result) {
+ print "I:$pid_file: $!\n";
+ unlink $pid_file;
+ return;
+ }
+
+ my $pid = <FH>;
+ chomp($pid);
+ return $pid;
+}
+
+# Stop a named process with rndc.
+sub stop_rndc {
+ my($server) = @_;
+
+ return unless ($server =~ /^ns(\d+)$/);
+ my $ip = "10.53.0.$1";
+
+ # Ugly, but should work.
+ system("$ENV{RNDC} -c $testdir/../common/rndc.conf -s $ip -p 9953 stop | sed 's/^/I:$server /'");
+ return;
+}
+
+# Stop a server by sending a signal to it.
+sub stop_signal {
+ my($server, $sig) = @_;
+
+ my $pid_file = server_pid_file($server);
+ return unless -f $pid_file;
+
+ my $pid = read_pid($pid_file);
+ return unless defined($pid);
+
+ if ($sig eq 'ABRT') {
+ print "I:$server didn't die when sent a SIGTERM\n";
+ $errors++;
+ }
+
+ my $result = kill $sig, $pid;
+ if (!$result) {
+ print "I:$server died before a SIG$sig was sent\n";
+ unlink $pid_file;
+ $errors++;
+ }
+
+ return;
+}
+
+sub wait_for_servers {
+ my($timeout, @servers) = @_;
+
+ my @pid_files = grep { defined($_) }
+ map { server_pid_file($_) } @servers;
+
+ while ($timeout > 0 && @pid_files > 0) {
+ @pid_files = grep { -f $_ } @pid_files;
+ sleep 1 if (@pid_files > 0);
+ $timeout--;
+ }
+
+ return;
+}
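Review bot: `read_pid` returns the first line of the PID file unchecked, and `stop_signal` passes it straight to `kill $sig, $pid`; an empty or partially written named.pid numifies to 0, and a pid of 0 is handed to kill(2) as the caller's own process group, so SIGTERM and then SIGABRT would hit stop.pl and the run.sh/runall.sh drivers instead of named. Validate before returning: after `chomp($pid);` add `return unless defined($pid) && $pid =~ /^\d+$/ && $pid > 0;`, which makes the existing `return unless defined($pid)` in `stop_signal` do the right thing. A stale file whose pid has been reused by an unrelated process is still possible, but that is a harness limitation worth a comment rather than a fix here.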
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: stop.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+. ./conf.sh
+$PERL ./stop.pl "$@"
+
--- /dev/null
+#!/usr/bin/perl
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: testsock.pl,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+# Test whether the interfaces on 10.53.0.* are up.
+
+require 5.001;
+
+use Socket;
+use Getopt::Long;
+
+my $port = 0;
+my $id = 0;
+GetOptions("p=i" => \$port,
+ "i=i" => \$id);
+
+my @ids;
+if ($id != 0) {
+ @ids = ($id);
+} else {
+ @ids = (1..5);
+}
+
+foreach $id (@ids) {
+ my $addr = pack("C4", 10, 53, 0, $id);
+ my $sa = pack_sockaddr_in($port, $addr);
+ socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp"))
+ or die "$0: socket: $!\n";
+ setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, pack("l", 1));
+
+ bind(SOCK, $sa)
+ or die sprintf("$0: bind(%s, %d): $!\n",
+ inet_ntoa($addr), $port);
+ close(SOCK);
+ sleep(1);
+}
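Review bot: This is the only Perl script in the commit without `use strict;`, and it is the one whose result gates every test run, so add it after `require 5.001;` (the file already declares its variables with `my`, so nothing else changes). The `setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, ...)` return value is ignored; if it fails the following `bind` may report a spurious address-in-use, so either check it or note in a comment that the failure mode is an earlier, clearer error. Also `foreach $id (@ids)` reuses the option variable as the loop variable; `foreach my $i (@ids)` keeps the parsed `-i` value intact.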
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: vtwrapper.c,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $ */
+
+#define _GNU_SOURCE
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <math.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#ifdef SYS_select
+#include <sys/select.h>
+#endif
+#ifdef SYS_poll
+#include <poll.h>
+#endif
+#ifdef SYS_kevent
+#include <sys/event.h>
+#endif
+#ifdef SYS_epoll_wait
+#include <sys/epoll.h>
+#endif
+
+
+#ifdef SYS_gettimeofday
+#define VIRTUAL_TIME
+#ifdef VIRTUAL_TIME
+static struct timeval epoch = { 0, 0 };
+static int _init_called = 0;
+
+void
+_init(void) {
+ (void)syscall(SYS_gettimeofday, &epoch, NULL);
+ _init_called = 1;
+}
+
+static void
+absolute_inflate(struct timeval *vt, struct timeval *rt)
+{
+ double d;
+
+ rt->tv_sec = vt->tv_sec;
+ rt->tv_usec = vt->tv_usec;
+
+ if ((epoch.tv_sec > vt->tv_sec) ||
+ ((epoch.tv_sec == vt->tv_sec) && (epoch.tv_usec > vt->tv_usec)))
+ return;
+
+ rt->tv_sec -= epoch.tv_sec;
+ rt->tv_usec -= epoch.tv_usec;
+ while (rt->tv_usec < 0) {
+ rt->tv_sec -= 1;
+ rt->tv_usec += 1000000;
+ }
+
+ if (rt->tv_sec == 0)
+ goto done;
+
+ d = (double) (rt->tv_sec - 1);
+ d += (double) rt->tv_usec / 1000000.;
+ d = exp(d);
+ rt->tv_sec = (time_t) d;
+ d -= (double) rt->tv_sec;
+ rt->tv_usec = (suseconds_t) (d * 1000000.);
+
+ done:
+ rt->tv_sec += epoch.tv_sec;
+ rt->tv_usec += epoch.tv_usec;
+ while (rt->tv_usec >= 1000000) {
+ rt->tv_sec += 1;
+ rt->tv_usec -= 1000000;
+ }
+ return;
+}
+
+static void
+absolute_deflate(struct timeval *rt, struct timeval *vt) {
+ double d;
+
+ vt->tv_sec = rt->tv_sec;
+ vt->tv_usec = rt->tv_usec;
+
+ if ((epoch.tv_sec > rt->tv_sec) ||
+ ((epoch.tv_sec == rt->tv_sec) && (epoch.tv_usec > rt->tv_usec)))
+ return;
+
+ vt->tv_sec -= epoch.tv_sec;
+ vt->tv_usec -= epoch.tv_usec;
+ while (vt->tv_usec < 0) {
+ vt->tv_sec -= 1;
+ vt->tv_usec += 1000000;
+ }
+
+ if (vt->tv_sec == 0)
+ goto done;
+
+ d = (double) vt->tv_sec;
+ d += (double) vt->tv_usec / 1000000.;
+ d = log(d);
+ vt->tv_sec = (time_t) d;
+ d -= (double) vt->tv_sec;
+ vt->tv_sec += 1;
+ vt->tv_usec = (suseconds_t) (d * 1000000.);
+
+ done:
+ vt->tv_sec += epoch.tv_sec;
+ vt->tv_usec += epoch.tv_usec;
+ while (vt->tv_usec >= 1000000) {
+ vt->tv_sec += 1;
+ vt->tv_usec -= 1000000;
+ }
+ return;
+}
+
+static void
+interval_inflate(struct timeval *vt, struct timeval *rt) {
+ struct timeval now, tv;
+
+ (void) gettimeofday(&now, NULL);
+
+ absolute_deflate(&now, &tv);
+
+ tv.tv_sec += vt->tv_sec;
+ tv.tv_usec += vt->tv_usec;
+ while (tv.tv_usec >= 1000000) {
+ tv.tv_sec += 1;
+ tv.tv_usec -= 1000000;
+ }
+
+ absolute_inflate(&tv, rt);
+
+ rt->tv_sec -= now.tv_sec;
+ rt->tv_usec -= now.tv_usec;
+ if (rt->tv_usec < 0) {
+ rt->tv_sec -= 1;
+ rt->tv_usec += 1000000;
+ }
+ return;
+}
+
+static void
+interval_deflate(struct timeval *rt, struct timeval *vt) {
+ struct timeval now, tv;
+
+ vt->tv_sec = rt->tv_sec;
+ vt->tv_usec = rt->tv_usec;
+
+ if ((vt->tv_sec == 0) && (vt->tv_usec <= 10000))
+ return;
+
+ (void) gettimeofday(&now, NULL);
+
+ tv.tv_sec = now.tv_sec + rt->tv_sec;
+ tv.tv_usec = now.tv_usec + rt->tv_usec;
+ while (tv.tv_usec >= 1000000) {
+ tv.tv_sec += 1;
+ tv.tv_usec -= 1000000;
+ }
+
+ absolute_deflate(&now, &now);
+ absolute_deflate(&tv, vt);
+
+ vt->tv_sec -= now.tv_sec;
+ vt->tv_usec -= now.tv_usec;
+ while (vt->tv_usec < 0) {
+ vt->tv_sec -= 1;
+ vt->tv_usec += 1000000;
+ }
+
+ if ((vt->tv_sec == 0) && (vt->tv_usec < 10000))
+ vt->tv_usec = 10000;
+ return;
+}
+#endif
+
+int
+gettimeofday(struct timeval *tv, struct timezone *tz) {
+#ifdef VIRTUAL_TIME
+ struct timeval now;
+ int ret;
+
+ if (!_init_called) _init();
+
+ if (epoch.tv_sec == 0)
+ return syscall(SYS_gettimeofday, tv, tz);
+
+ ret = syscall(SYS_gettimeofday, &now, tz);
+ if (ret == 0)
+ absolute_inflate(&now, tv);
+ return ret;
+#else
+ return syscall(SYS_gettimeofday, tv, tz);
+#endif
+}
+
+#ifdef SYS_select
+int
+select(int nfds, fd_set *rfds, fd_set *wfds, fd_set *xfds,
+ struct timeval *timeout)
+{
+#ifdef VIRTUAL_TIME
+ struct timeval tv;
+
+ if (!_init_called) _init();
+
+ if (epoch.tv_sec == 0 || timeout == NULL ||
+ (timeout->tv_sec == 0 && timeout->tv_usec == 0))
+ return syscall(SYS_select, nfds, rfds, wfds, xfds, timeout);
+
+ interval_deflate(timeout, &tv);
+ return syscall(SYS_select, nfds, rfds, wfds, xfds, &tv);
+#else
+ return syscall(SYS_select, nfds, rfds, wfds, xfds, timeout);
+#endif
+}
+#endif
+
+#ifdef SYS_poll
+int
+poll(struct pollfd fds[], nfds_t nfds, int timeout) {
+#ifdef VIRTUAL_TIME
+ struct timeval in, out;
+
+ if (!_init_called) _init();
+
+ if (timeout <= 0 || epoch.tv_sec == 0)
+ return syscall(SYS_poll, fds, nfds, timeout);
+
+ in.tv_sec = timeout / 1000;
+ in.tv_usec = (timeout % 1000) * 1000;
+ interval_deflate(&in, &out);
+ timeout = out.tv_sec * 1000 + out.tv_usec / 1000;
+ return syscall(SYS_poll, fds, nfds, timeout);
+#else
+ return syscall(SYS_poll, fds, nfds, timeout);
+#endif
+}
+#endif
+
+#ifdef SYS_kevent
+int
+kevent(int kq, struct kevent *changelist, int nchanges,
+ struct kevent *eventlist, int nevents, const struct timespec *timeout)
+{
+#ifdef VIRTUAL_TIME
+ struct timeval in, out;
+ struct timespec ts;
+
+ if (!_init_called) _init();
+
+ if (epoch.tv_sec == 0 || timeout == NULL ||
+ (timeout->tv_sec == 0 && timeout->tv_nsec == 0))
+ return syscall(SYS_kevent, kq, changelist, nchanges,
+ eventlist, nevents, timeout);
+
+ in.tv_sec = timeout->tv_sec;
+ in.tv_usec = timeout->tv_nsec / 1000;
+ interval_deflate(&in, &out);
+ ts.tv_sec = out.tv_sec;
+ ts.tv_nsec = out.tv_usec * 1000;
+ return syscall(SYS_kevent, kq, changelist, nchanges, eventlist,
+ nevents, &ts);
+#else
+ return syscall(SYS_kevent, kq, changelist, nchanges, eventlist,
+ nevents, timeout);
+#endif
+}
+#endif
+
+#ifdef SYS_epoll_wait
+int
+epoll_wait(int fd, struct epoll_event *events, int maxevents, int timeout) {
+#ifdef VIRTUAL_TIME
+ struct timeval in, out;
+
+ if (!_init_called) _init();
+
+ if (timeout == 0 || timeout == -1 || epoch.tv_sec == 0)
+ return syscall(SYS_epoll_wait, fd, events, maxevents, timeout);
+
+ in.tv_sec = timeout / 1000;
+ in.tv_usec = (timeout % 1000) * 1000;
+ interval_deflate(&in, &out);
+ timeout = out.tv_sec * 1000 + out.tv_usec / 1000;
+ return syscall(SYS_poll, fd, events, maxevents, timeout);
+#else
+ return syscall(SYS_poll, fd, events, maxevents, timeout);
+#endif
+}
+#endif
+#endif
--- /dev/null
+#
+# @(#) dnssec.conf vT0.99d (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de
+#
+
+# dnssec-zkt options
+Zonedir: "."
+Recursive: False
+PrintTime: True
+PrintAge: False
+LeftJustify: False
+
+# zone specific values
+ResignInterval: 1w # (604800 seconds)
+Sigvalidity: 10d # (864000 seconds)
+Max_TTL: 8h # (28800 seconds)
+Propagation: 5m # (300 seconds)
+KEY_TTL: 4h # (14400 seconds)
+Serialformat: incremental
+
+# signing key parameters
+Key_algo: RSASHA1 # (Algorithm ID 5)
+KSK_lifetime: 1y # (31536000 seconds)
+KSK_bits: 1300
+KSK_randfile: "/dev/urandom"
+ZSK_lifetime: 12w # (7257600 seconds)
+ZSK_bits: 512
+ZSK_randfile: "/dev/urandom"
+SaltBits: 24
+
+# dnssec-signer options
+LogFile: ""
+LogLevel: ERROR
+SyslogFacility: NONE
+SyslogLevel: NOTICE
+VerboseLog: 0
+Keyfile: "dnskey.db"
+Zonefile: "zone.db"
+DLV_Domain: ""
+Sig_Pseudorand: False
+Sig_GenerateDS: True
+Sig_Parameter: ""
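Review bot: `ZSK_bits: 512` combined with `Key_algo: RSASHA1` configures a zone-signing key too short for the NSEC3 signing this example performs, and the signer log added later in this same commit shows the consequence: `dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0.` A working example should use at least `ZSK_bits: 1024` and the algorithm the second example config already selects, `Key_algo: RSASHA256`; `KSK_bits: 1300` is also an unusual size and is presumably meant to be a conventional one such as 2048. Separately, this file spells the key `Key_algo` while the other example config spells it `Key_Algo` — if the parser is case-sensitive one of the two is silently ignored, so the spelling should be confirmed and made consistent.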
--- /dev/null
+;% generationtime=20100221184315
+;% lifetime=14d
+dyn.example.net. IN DNSKEY 256 3 7 AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8Ris63E/oRRGQEH5U/ZS3A xz3aOhPFKzAAhjfaG3vTNW3Wl4bl4ITFZrk=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: +obStv0Rqv4+/vEGD2Vz1zMX7ZhRrxGKzrcT+hFEZAQflT9lLcDHPdo6E8UrMACGN9obe9M1bdaXhuXghMVmuQ==
+PublicExponent: AQAB
+PrivateExponent: 4osOepin5GdakfFkGIIWWZCDX7/whY4oZjtZnjUFEiZ6YGdQV8FwihgQ9ZdQwTY2QgaCiI/7l0yFE3X2YOk5HQ==
+Prime1: /eFIXmTu+XNTuXVfHYcXJTFc4UaThJszaKPmg/xm3ts=
+Prime2: /J5fOUcGkFGv4prHDAmige180r7zaYznUicuDvNwkvs=
+Exponent1: Alf7EAwEfL8IzdR8jUw69XfwMJAzOm0oW1XwAdXpqTM=
+Exponent2: FBUbCNimou57hw466LATZTTWCYL4otl6wkMvHC0qM+U=
+Coefficient: Q9eSjjf/S3Is3mcOn2RsloJKVzLuHiv54HaF7mwkbU4=
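Review bot: The private halves of the dyn.example.net. and example.net. signing keys are committed in this hunk and in the ones ending at L4615, L4792 and L4807, so from this commit on they are public material and can only ever serve as disposable example fixtures; the accompanying documentation should say so explicitly so nobody reuses them for a real zone. The first pair is also weak independently of that: the modulus here decodes to 64 bytes (a 512-bit RSA key, matching `ZSK_bits: 512` in the example config) and the algorithm is NSEC3RSASHA1. If the fixtures are regenerated, generating them at a size the signer accepts would also make the example log show a successful first run instead of the repeated signing failures.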
--- /dev/null
+;% generationtime=20100221184315
+;% lifetime=60d
+dyn.example.net. IN DNSKEY 257 3 7 AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmOoBYx8s1uLzmS/3APsh1e WCeoBgAjRry1tpM/bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjEnG4H CT58TuAVxjiefN+vb1pvyFlAL58YOkuGf9tG/NJMNc+XrULAU1ey2dT9 Fh+SCVO3
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: 6oQNiADmWezVWwwmJl9NYwSC5qZ5WY6gFjHyzW4vOZL/cA+yHV5YJ6gGACNGvLW2kz9s+jDK7KATgfQunM1Aub1FuMOakM3wbCLcCMScbgcJPnxO4BXGOJ58369vWm/IWUAvnxg6S4Z/20b80kw1z5etQsBTV7LZ1P0WH5IJU7c=
+PublicExponent: AQAB
+PrivateExponent: F5/Z5RuCGQj8rUFaDn+HQjRQI4AdtWHiypmZhgxVgY1HYjiSjtbUNpp8kEL9e0Eq9UZsaf/EUXYGwQ6iK3WZ0WrVP72bkjcWQAB2THYIxP7DwmL4JcsbJ7uiMYeLrvUddoLwS3nKIFpc010iHA0y4hE/k/ny4zOyDCEhVr3WvQE=
+Prime1: /R+fSD2bb3N6UoapSNFXYRFyBpHWtcv/AZqsJx60/4UTGOCWNj52kcGsI/ROz/Pwbdicxi8CQqjX0f4QjSCAdw==
+Prime2: 7S5MPtJNSa+fHZBavW6vDnqpiHxAO7lIAcgtGxMM3L3553OzarlJV88Z452tn4HhfCCaIUW20j8cOJvTLkPWwQ==
+Exponent1: 9v56YPWszM40GH9KhMGxsAhj6cE5cGBEz33saqfuGj/yaJ4ONZQyAvynStZEaWsxux5ZrJGGdSFop4JxCCUk9Q==
+Exponent2: W8dembCnV6wt1jLV6he6hc/Rao8qC/JWetoLGj706zZYTcfn1ZR9XQ02521MkjygFHhJLDbd192z/fPOdEisAQ==
+Coefficient: +W6uvg4HkWaKi6OCpCz/0fRQwaRtPSbpKJ2Anam4PAy+B6cgM3Yo48OB7o+WoexlgySsNL0ui5p4BvJWvtca7w==
--- /dev/null
+2010-02-21 19:43:15.018: debug: Check RFC5011 status
+2010-02-21 19:43:15.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:43:15.018: debug: Check KSK status
+2010-02-21 19:43:15.018: debug: No active KSK found: generate new one
+2010-02-21 19:43:15.330: info: "dyn.example.net.": generated new KSK 52935
+2010-02-21 19:43:15.330: debug: Check ZSK status
+2010-02-21 19:43:15.330: debug: No active ZSK found: generate new one
+2010-02-21 19:43:15.368: info: "dyn.example.net.": generated new ZSK 30323
+2010-02-21 19:43:15.368: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 19:43:15.368: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 19:43:15.368: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:43:15.368: debug: Signing zone "dyn.example.net."
+2010-02-21 19:43:15.368: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:43:15.368: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:43:15.368: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:43:15.374: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:43:15.374: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:43:15.382: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3."
+2010-02-21 19:43:15.382: error: "dyn.example.net.": signing failed!
+2010-02-21 19:43:15.382: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:43:15.382: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:43:15.382: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:45:36.415: debug: Check RFC5011 status
+2010-02-21 19:45:36.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:45:36.416: debug: Check KSK status
+2010-02-21 19:45:36.416: debug: Check ZSK status
+2010-02-21 19:45:36.416: debug: Re-signing not necessary!
+2010-02-21 19:45:36.416: debug: Check if there is a parent file to copy
+2010-02-21 19:45:41.448: debug: Check RFC5011 status
+2010-02-21 19:45:41.448: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:45:41.448: debug: Check KSK status
+2010-02-21 19:45:41.448: debug: Check ZSK status
+2010-02-21 19:45:41.448: debug: Re-signing necessary: Option -f
+2010-02-21 19:45:41.448: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:45:41.448: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:45:41.448: debug: Signing zone "dyn.example.net."
+2010-02-21 19:45:41.448: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:45:41.448: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:45:41.448: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:45:41.457: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:45:41.458: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:45:41.473: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
+2010-02-21 19:45:41.473: error: "dyn.example.net.": signing failed!
+2010-02-21 19:45:41.473: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:45:41.473: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:45:41.473: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:47:06.899: debug: Check RFC5011 status
+2010-02-21 19:47:06.899: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:47:06.899: debug: Check KSK status
+2010-02-21 19:47:06.899: debug: Check ZSK status
+2010-02-21 19:47:06.899: debug: Re-signing necessary: Option -f
+2010-02-21 19:47:06.899: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:47:06.899: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:47:06.900: debug: Signing zone "dyn.example.net."
+2010-02-21 19:47:06.900: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:47:06.900: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:47:06.900: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:47:06.910: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:47:06.910: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:47:06.926: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
+2010-02-21 19:47:06.926: error: "dyn.example.net.": signing failed!
+2010-02-21 19:47:06.926: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:47:06.926: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:47:06.926: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:58:40.972: debug: Check RFC5011 status
+2010-02-21 19:58:40.972: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:58:40.972: debug: Check KSK status
+2010-02-21 19:58:40.972: debug: Check ZSK status
+2010-02-21 19:58:40.973: debug: Re-signing necessary: Option -f
+2010-02-21 19:58:40.973: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:58:40.973: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:58:40.973: debug: Signing zone "dyn.example.net."
+2010-02-21 19:58:40.973: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:58:40.973: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 19:58:40.973: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:58:40.982: debug: Dynamic Zone signing: zone file manually edited: Use it as new input file
+2010-02-21 19:58:40.982: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:58:40.983: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:58:40.999: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
+2010-02-21 19:58:40.999: error: "dyn.example.net.": signing failed!
+2010-02-21 19:58:40.999: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:58:40.999: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 19:58:40.999: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:00:48.833: debug: Check RFC5011 status
+2010-02-21 20:00:48.833: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:00:48.833: debug: Check KSK status
+2010-02-21 20:00:48.833: debug: Check ZSK status
+2010-02-21 20:00:48.833: debug: Re-signing necessary: Option -f
+2010-02-21 20:00:48.833: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 20:00:48.833: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 20:00:48.834: debug: Signing zone "dyn.example.net."
+2010-02-21 20:00:48.834: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 20:00:48.834: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 20:00:48.834: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 20:00:48.844: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 20:00:48.844: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 20:00:48.878: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-21 20:00:48.878: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 20:00:48.878: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 20:00:48.878: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:00:48.884: debug: Signing completed after 0s.
+2010-02-21 20:01:11.175: debug: Check RFC5011 status
+2010-02-21 20:01:11.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:01:11.175: debug: Check KSK status
+2010-02-21 20:01:11.175: debug: Check ZSK status
+2010-02-21 20:01:11.176: debug: Re-signing necessary: Option -f
+2010-02-21 20:01:11.176: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 20:01:11.176: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 20:01:11.176: debug: Signing zone "dyn.example.net."
+2010-02-21 20:01:11.176: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 20:01:11.176: debug: freeze dynamic zone "dyn.example.net."
+2010-02-21 20:01:11.176: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 20:01:11.181: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 20:01:11.181: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 20:01:11.202: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-21 20:01:11.202: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 20:01:11.203: debug: thaw dynamic zone "dyn.example.net."
+2010-02-21 20:01:11.203: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:01:11.208: debug: Signing completed after 0s.
+2010-02-21 20:01:17.175: debug: Check RFC5011 status
+2010-02-21 20:01:17.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:01:17.175: debug: Check KSK status
+2010-02-21 20:01:17.175: debug: Check ZSK status
+2010-02-21 20:01:17.176: debug: Re-signing not necessary!
+2010-02-21 20:01:17.176: debug: Check if there is a parent file to copy
+2010-02-25 23:42:29.326: debug: Check RFC5011 status
+2010-02-25 23:42:29.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:29.326: debug: Check KSK status
+2010-02-25 23:42:29.326: debug: Check ZSK status
+2010-02-25 23:42:29.326: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-02-25 23:42:29.326: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-02-25 23:42:29.326: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-02-25 23:42:29.327: debug: Signing zone "dyn.example.net."
+2010-02-25 23:42:29.327: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-25 23:42:29.327: debug: freeze dynamic zone "dyn.example.net."
+2010-02-25 23:42:29.327: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-25 23:42:29.388: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-25 23:42:29.425: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-25 23:42:29.471: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-25 23:42:29.471: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-25 23:42:29.471: debug: thaw dynamic zone "dyn.example.net."
+2010-02-25 23:42:29.471: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-25 23:42:29.486: debug: Signing completed after 0s.
+2010-03-02 10:59:46.770: debug: Check RFC5011 status
+2010-03-02 10:59:46.770: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:46.770: debug: Check KSK status
+2010-03-02 10:59:46.770: debug: Check ZSK status
+2010-03-02 10:59:46.770: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-03-02 10:59:46.770: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-03-02 10:59:46.770: debug: Writing key file "./dyn.example.net/dnskey.db"
+2010-03-02 10:59:46.770: debug: Signing zone "dyn.example.net."
+2010-03-02 10:59:46.770: notice: "dyn.example.net.": freeze dynamic zone
+2010-03-02 10:59:46.770: debug: freeze dynamic zone "dyn.example.net."
+2010-03-02 10:59:46.770: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-03-02 10:59:46.852: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-03-02 10:59:46.875: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-03-02 10:59:46.950: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-03-02 10:59:46.950: notice: "dyn.example.net.": thaw dynamic zone
+2010-03-02 10:59:46.950: debug: thaw dynamic zone "dyn.example.net."
+2010-03-02 10:59:46.950: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-03-02 10:59:46.964: debug: Signing completed after 0s.
--- /dev/null
+;% generationtime=20100311225233
+;% lifetime=60d
+example.net. IN DNSKEY 257 3 8 BQEAAAABDUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkG TECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJ JBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9 SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPY BQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: DUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkGTECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJJBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPYBQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: AeHyClC8SYdKB3mQtwWx/z08pCjHEs18KF9HbWddQnQrrJKP1lh1r6DGmJ5oigg3i2x/NEBUXw345FYQ7ynaVewt4KoQ2c6vT1ZyOXuoCmJknMxXKaVma5L3+hrGwdaS7tbJXGQrq6FHaYOO/2un8G7qRU5zoods+iR8qCRktkYVk2PS7wrdeQu9XaGUl5pPwh7fmNmjpfe16kyk3M2xoThEUQ==
+Prime1: A9GgY74jQxKOqTEMivti0zJIuxjlN7k1+MlTDQliH8EiFy8b/6HqRqddgdeuPDt8s0jv1cGxnMig4761JszH7CQeHbefeoLw95OXu7v6hpw3Uw==
+Prime2: A3qansKrFaIwWJw7n0//qO52mEKCxoljeMzbeXx4f+pgADmyMcv8ysHMUPP6BEwVxlxHVyv9a3lxQRa8ZdPtFV+QK3Zy3PfAV8SoahbYgi2ARw==
+Exponent1: v6z/wlryoSYkgnlkxM6uC6AEc7ZQQdla7cG+iaeEJq8pfzPClkU+WiBP9MJroO8ExM1mj/bjIfw3/Vel5NuLD9uU+BIV1qzcWKbPwo7xZnqh
+Exponent2: OPEA/pb22DU0GDyS1UmOmJGjyp2Irxe1LJL6J16bK/lCqPNenT8qIYbLY2EKUoRhAirvurd4/fXqnzNVYdw369C/DBtfZ6AeAfs4no/+Fnfx
+Coefficient: /pte3nUM+M1VmAs7z3bhTdbPWIJZk7z0RkcBhFvUn4ZGgImUSFF8/psPzvQFy9pyGzinviE16aI0UVEBxL7NkFfSs9cMX0jpItFDyJTcxvjA
--- /dev/null
+;% generationtime=20100311225233
+;% lifetime=14d
+example.net. IN DNSKEY 256 3 8 BQEAAAABy5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twH y339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: y5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twHy339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: uHA+A2dABi4t2afEHHud8MajxjMLqxw/+t0yzsRgye6eiAkJVuhYSdxxqmlqMmSayrBNSX2jYHdKmY49W6kmUQ==
+Prime1: 6pzzNfud8Hzw9UdeitwJwVzFaAfV/RmRmTCm4OLBGD0=
+Prime2: 3itJLwoOTYkb2rOQNjZ/4hMNov3plClxo5e9iPSARL0=
+Exponent1: w/gumsQA0FOkuuMBp5PcTsbHbebL9SAVDURQgLo2ZMU=
+Exponent2: ILYpsGsfTcHDSAmGbQBRSsFQEKw7Ghx/mIcWoUIN250=
+Coefficient: cwmz0VwEQ4Jjc3+T0tDgH9fhUiyISbuV/0Bz25E5bYA=
--- /dev/null
+Key_Algo: RSASHA256 # (Algorithm ID 8)
+NSEC3: OPTOUT
--- /dev/null
+;-----------------------------------------------------------------
+;
+; @(#) example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 353 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+ IN NS ns1.example.net.
+
+ns1 IN A 1.0.0.5
+
+example.net. 3600 IN DNSKEY 257 3 5 (
+ BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc
+ +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n
+ m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u
+ SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug
+ aQ==
+ ) ; key id = 33840
+
+example.net. 3600 IN DNSKEY 256 3 5 (
+ BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd
+ IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
+ ) ; key id = 48089
+
+_domainkey IN NS ns1.example.net.
+
--- /dev/null
+2010-02-06 00:26:54.533: debug: Check RFC5011 status
+2010-02-06 00:26:54.533: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:26:54.533: debug: Check KSK status
+2010-02-06 00:26:54.533: debug: Check ZSK status
+2010-02-06 00:26:54.533: debug: Re-signing not necessary!
+2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy
+2010-02-06 00:29:31.291: debug: Check RFC5011 status
+2010-02-06 00:29:31.291: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:29:31.291: debug: Check KSK status
+2010-02-06 00:29:31.292: debug: Check ZSK status
+2010-02-06 00:29:31.292: debug: Re-signing not necessary!
+2010-02-06 00:29:31.292: debug: Check if there is a parent file to copy
+2010-02-06 00:40:35.043: debug: Check RFC5011 status
+2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:40:35.043: debug: Check KSK status
+2010-02-06 00:40:35.043: debug: Check ZSK status
+2010-02-06 00:40:35.043: debug: Re-signing not necessary!
+2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy
+2010-02-06 00:52:55.403: debug: Check RFC5011 status
+2010-02-06 00:52:55.403: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:52:55.403: debug: Check KSK status
+2010-02-06 00:52:55.403: debug: Check ZSK status
+2010-02-06 00:52:55.403: debug: Re-signing not necessary!
+2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy
+2010-02-07 13:53:48.304: debug: Check RFC5011 status
+2010-02-07 13:53:48.304: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:53:48.304: debug: Check KSK status
+2010-02-07 13:53:48.304: debug: Check ZSK status
+2010-02-07 13:53:48.304: debug: Re-signing not necessary!
+2010-02-07 13:53:48.304: debug: Check if there is a parent file to copy
+2010-02-07 13:54:03.466: debug: Check RFC5011 status
+2010-02-07 13:54:03.466: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:03.466: debug: Check KSK status
+2010-02-07 13:54:03.466: debug: Check ZSK status
+2010-02-07 13:54:03.466: debug: Re-signing not necessary!
+2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy
+2010-02-07 13:54:08.019: debug: Check RFC5011 status
+2010-02-07 13:54:08.019: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:08.020: debug: Check KSK status
+2010-02-07 13:54:08.020: debug: Check ZSK status
+2010-02-07 13:54:08.020: debug: Re-signing necessary: Option -f
+2010-02-07 13:54:08.020: notice: "example.net.": re-signing triggered: Option -f
+2010-02-07 13:54:08.020: debug: Writing key file "./example.net/dnskey.db"
+2010-02-07 13:54:08.020: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-07 13:54:08.020: debug: Signing zone "example.net."
+2010-02-07 13:54:08.021: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-07 13:54:08.125: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:54:08.125: debug: Signing completed after 0s.
+2010-02-07 13:54:08.125: notice: "example.net.": distribution triggered
+2010-02-07 13:54:08.125: debug: Distribute zone "example.net."
+2010-02-07 13:54:08.125: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed "
+2010-02-07 13:54:08.129: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./"
+2010-02-07 13:54:08.129: notice: "example.net.": reload triggered
+2010-02-07 13:54:08.129: debug: Reload zone "example.net."
+2010-02-07 13:54:08.129: debug: Run cmd "./dist.sh reload example.net. ./example.net/zone.db.signed "
+2010-02-07 13:54:08.139: debug: ./dist.sh reload return: "rndc reload example.net. "
+2010-02-07 14:06:27.670: debug: Check RFC5011 status
+2010-02-07 14:06:27.670: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:27.670: debug: Check KSK status
+2010-02-07 14:06:27.670: debug: Check ZSK status
+2010-02-07 14:06:27.670: debug: Re-signing not necessary!
+2010-02-07 14:06:27.671: debug: Check if there is a parent file to copy
+2010-02-07 14:06:33.753: debug: Check RFC5011 status
+2010-02-07 14:06:33.753: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:33.753: debug: Check KSK status
+2010-02-07 14:06:33.753: debug: Check ZSK status
+2010-02-07 14:06:33.753: debug: Re-signing necessary: Option -f
+2010-02-07 14:06:33.753: notice: "example.net.": re-signing triggered: Option -f
+2010-02-07 14:06:33.753: debug: Writing key file "./example.net/dnskey.db"
+2010-02-07 14:06:33.754: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-07 14:06:33.754: debug: Signing zone "example.net."
+2010-02-07 14:06:33.754: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-07 14:06:33.790: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 14:06:33.790: debug: Signing completed after 0s.
+2010-02-07 14:06:33.790: notice: "example.net.": distribution triggered
+2010-02-07 14:06:33.790: debug: Distribute zone "example.net."
+2010-02-07 14:06:33.790: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed "
+2010-02-07 14:06:33.794: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./"
+2010-02-07 14:06:33.794: notice: "example.net.": reload triggered
+2010-02-07 14:06:33.794: debug: Reload zone "example.net."
+2010-02-07 14:06:33.794: debug: Run cmd "./dist.sh reload example.net. ./example.net/zone.db.signed "
+2010-02-07 14:06:33.797: debug: ./dist.sh reload return: "rndc reload example.net. "
+2010-02-21 12:50:43.587: debug: Check RFC5011 status
+2010-02-21 12:50:43.587: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:43.587: debug: Check KSK status
+2010-02-21 12:50:43.587: debug: Check ZSK status
+2010-02-21 12:50:43.587: debug: Lifetime(1209600 +/-150 sec) of active key 33002 exceeded (2394625 sec)
+2010-02-21 12:50:43.587: debug: ->depreciate it
+2010-02-21 12:50:43.587: debug: ->activate published key 29240
+2010-02-21 12:50:43.587: notice: "example.net.": lifetime of zone signing key 33002 exceeded: ZSK rollover done
+2010-02-21 12:50:43.587: debug: New key for publishing needed
+2010-02-21 12:50:43.658: debug: ->creating new key 5525
+2010-02-21 12:50:43.658: info: "example.net.": new key 5525 generated for publishing
+2010-02-21 12:50:43.658: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:43.658: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:43.658: debug: Writing key file "./example.net/dnskey.db"
+2010-02-21 12:50:43.665: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 12:50:43.665: debug: Signing zone "example.net."
+2010-02-21 12:50:43.665: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-21 12:50:43.733: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:43.733: debug: Signing completed after 0s.
+2010-02-21 12:50:51.205: debug: Check RFC5011 status
+2010-02-21 12:50:51.205: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:51.205: debug: Check KSK status
+2010-02-21 12:50:51.205: debug: Check ZSK status
+2010-02-21 12:50:51.205: debug: Re-signing not necessary!
+2010-02-21 12:50:51.205: debug: Check if there is a parent file to copy
+2010-02-21 12:51:23.497: debug: Check RFC5011 status
+2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:51:23.497: debug: Check KSK status
+2010-02-21 12:51:23.497: debug: Check ZSK status
+2010-02-21 12:51:23.497: debug: Re-signing not necessary!
+2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy
+2010-02-21 19:16:18.594: debug: Check RFC5011 status
+2010-02-21 19:16:18.594: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:16:18.594: debug: Check KSK status
+2010-02-21 19:16:18.594: debug: Check ZSK status
+2010-02-21 19:16:18.594: debug: Re-signing not necessary!
+2010-02-21 19:16:18.594: debug: Check if there is a parent file to copy
+2010-02-21 19:32:11.378: debug: Check RFC5011 status
+2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:11.378: debug: Check KSK status
+2010-02-21 19:32:11.378: debug: Check ZSK status
+2010-02-21 19:32:11.378: debug: Re-signing not necessary!
+2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy
+2010-02-21 19:32:15.982: debug: Check RFC5011 status
+2010-02-21 19:32:15.982: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:15.982: debug: Check KSK status
+2010-02-21 19:32:15.982: debug: Check ZSK status
+2010-02-21 19:32:15.982: debug: Re-signing necessary: Option -f
+2010-02-21 19:32:15.982: notice: "example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:15.982: debug: Writing key file "./example.net/dnskey.db"
+2010-02-21 19:32:15.982: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 19:32:15.982: debug: Signing zone "example.net."
+2010-02-21 19:32:15.982: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-21 19:32:16.019: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:16.019: debug: Signing completed after 1s.
+2010-02-21 19:32:32.232: debug: Check RFC5011 status
+2010-02-21 19:32:32.232: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:32.233: debug: Check KSK status
+2010-02-21 19:32:32.233: debug: Check ZSK status
+2010-02-21 19:32:32.233: debug: Re-signing necessary: Option -f
+2010-02-21 19:32:32.233: notice: "example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:32.233: debug: Writing key file "./example.net/dnskey.db"
+2010-02-21 19:32:32.233: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 19:32:32.233: debug: Signing zone "example.net."
+2010-02-21 19:32:32.233: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-21 19:32:32.273: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:32.273: debug: Signing completed after 0s.
+2010-02-25 00:12:27.060: debug: Check RFC5011 status
+2010-02-25 00:12:27.060: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 00:12:27.060: debug: Check KSK status
+2010-02-25 00:12:27.060: debug: Check ZSK status
+2010-02-25 00:12:27.060: debug: Lifetime(29100 sec) of depreciated key 33002 exceeded (300104 sec)
+2010-02-25 00:12:27.060: info: "example.net.": old ZSK 33002 removed
+2010-02-25 00:12:27.081: debug: ->remove it
+2010-02-25 00:12:27.082: debug: Re-signing necessary: Modfied zone key set
+2010-02-25 00:12:27.082: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 00:12:27.082: debug: Writing key file "./example.net/dnskey.db"
+2010-02-25 00:12:27.086: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-02-25 00:12:27.086: debug: Signing zone "example.net."
+2010-02-25 00:12:27.086: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-02-25 00:12:27.173: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 00:12:27.174: debug: Signing completed after 0s.
+2010-02-25 23:42:21.013: debug: Check RFC5011 status
+2010-02-25 23:42:21.013: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:21.013: debug: Check KSK status
+2010-02-25 23:42:21.013: debug: Check ZSK status
+2010-02-25 23:42:21.013: debug: Re-signing not necessary!
+2010-02-25 23:42:21.013: debug: Check if there is a parent file to copy
+2010-03-02 10:59:12.416: debug: Check RFC5011 status
+2010-03-02 10:59:12.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:12.416: debug: Check KSK status
+2010-03-02 10:59:12.416: debug: Check ZSK status
+2010-03-02 10:59:12.416: debug: Re-signing necessary: re-signing interval (2d) reached
+2010-03-02 10:59:12.416: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-03-02 10:59:12.416: debug: Writing key file "./example.net/dnskey.db"
+2010-03-02 10:59:12.449: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-02 10:59:12.449: debug: Signing zone "example.net."
+2010-03-02 10:59:12.450: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-02 10:59:12.530: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-02 10:59:12.530: debug: Signing completed after 0s.
+2010-03-03 23:22:00.415: debug: Check RFC5011 status
+2010-03-03 23:22:00.415: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-03 23:22:00.415: debug: Check KSK status
+2010-03-03 23:22:00.415: debug: Check ZSK status
+2010-03-03 23:22:00.416: debug: Re-signing not necessary!
+2010-03-03 23:22:00.416: debug: Check if there is a parent file to copy
+2010-03-08 23:11:50.170: debug: Check RFC5011 status
+2010-03-08 23:11:50.170: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:11:50.170: debug: Check KSK status
+2010-03-08 23:11:50.170: debug: Check ZSK status
+2010-03-08 23:11:50.171: debug: Lifetime(1209600 +/-150 sec) of active key 29240 exceeded (1333267 sec)
+2010-03-08 23:11:50.171: debug: ->depreciate it
+2010-03-08 23:11:50.171: debug: ->activate published key 5525
+2010-03-08 23:11:50.171: notice: "example.net.": lifetime of zone signing key 29240 exceeded: ZSK rollover done
+2010-03-08 23:11:50.171: debug: New key for publishing needed
+2010-03-08 23:11:50.228: debug: ->creating new key 21482
+2010-03-08 23:11:50.228: info: "example.net.": new key 21482 generated for publishing
+2010-03-08 23:11:50.228: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:11:50.228: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:11:50.228: debug: Writing key file "././example.net/dnskey.db"
+2010-03-08 23:11:50.235: debug: Incrementing serial number in file "././example.net/zone.db"
+2010-03-08 23:11:50.235: debug: Signing zone "example.net."
+2010-03-08 23:11:50.235: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-08 23:11:50.294: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:11:50.294: debug: Signing completed after 0s.
+2010-03-08 23:12:56.212: debug: Check RFC5011 status
+2010-03-08 23:12:56.212: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:12:56.212: debug: Check KSK status
+2010-03-08 23:12:56.212: debug: Check ZSK status
+2010-03-08 23:12:56.212: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:12:56.212: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:12:56.212: debug: Writing key file "././example.net/dnskey.db"
+2010-03-08 23:12:56.213: debug: Incrementing serial number in file "././example.net/zone.db"
+2010-03-08 23:12:56.213: debug: Signing zone "example.net."
+2010-03-08 23:12:56.213: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-08 23:12:56.278: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:12:56.279: debug: Signing completed after 0s.
+2010-03-08 23:13:36.984: debug: Check RFC5011 status
+2010-03-08 23:13:36.984: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:13:36.984: debug: Check KSK status
+2010-03-08 23:13:36.984: debug: Check ZSK status
+2010-03-08 23:13:36.985: debug: Re-signing not necessary!
+2010-03-08 23:13:36.985: debug: Check if there is a parent file to copy
+2010-03-08 23:18:52.287: debug: Check RFC5011 status
+2010-03-08 23:18:52.287: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:18:52.287: debug: Check KSK status
+2010-03-08 23:18:52.287: debug: Check ZSK status
+2010-03-08 23:18:52.287: debug: Re-signing not necessary!
+2010-03-08 23:18:52.287: debug: Check if there is a parent file to copy
+2010-03-11 23:46:35.831: debug: Check RFC5011 status
+2010-03-11 23:46:35.831: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:46:35.831: debug: Check KSK status
+2010-03-11 23:46:35.831: debug: Check ZSK status
+2010-03-11 23:46:35.831: debug: Lifetime(29100 sec) of depreciated key 29240 exceeded (261285 sec)
+2010-03-11 23:46:35.831: info: "example.net.": old ZSK 29240 removed
+2010-03-11 23:46:35.832: debug: ->remove it
+2010-03-11 23:46:35.832: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:46:35.832: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:46:35.832: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:46:35.841: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:46:35.841: debug: Signing zone "example.net."
+2010-03-11 23:46:35.841: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:46:35.929: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:46:35.929: debug: Signing completed after 0s.
+2010-03-11 23:52:33.132: debug: Check RFC5011 status
+2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:52:33.133: debug: Check KSK status
+2010-03-11 23:52:33.133: debug: No active KSK found: generate new one
+2010-03-11 23:52:33.374: info: "example.net.": generated new KSK 8406
+2010-03-11 23:52:33.374: debug: Check ZSK status
+2010-03-11 23:52:33.374: debug: No active ZSK found: generate new one
+2010-03-11 23:52:33.400: info: "example.net.": generated new ZSK 36257
+2010-03-11 23:52:33.400: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:52:33.400: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:52:33.400: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:52:33.400: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:52:33.400: debug: Signing zone "example.net."
+2010-03-11 23:52:33.400: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 69AE05 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:52:33.408: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
+2010-03-11 23:52:33.408: error: "example.net.": signing failed!
+2010-03-11 23:53:27.856: debug: Check RFC5011 status
+2010-03-11 23:53:27.856: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:53:27.856: debug: Check KSK status
+2010-03-11 23:53:27.856: debug: Check ZSK status
+2010-03-11 23:53:27.856: debug: Re-signing necessary: Modified keys
+2010-03-11 23:53:27.856: notice: "example.net.": re-signing triggered: Modified keys
+2010-03-11 23:53:27.856: debug: Writing key file "./example.net/dnskey.db"
+2010-03-11 23:53:27.856: debug: Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:53:27.856: debug: Signing zone "example.net."
+2010-03-11 23:53:27.856: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 67AA7F -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2010-03-11 23:53:27.920: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:53:27.920: debug: Signing completed after 0s.
--- /dev/null
+;% generationtime=20100311224635
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 7 AwEAAZeWiMSfoNTQkZhKHK2+OXmKRSXgBjad7VBC9tZ40aIr5pPtDWCg 8iELYF4M6ybq0M1ffUO+GHZt89A624SkWps=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: l5aIxJ+g1NCRmEocrb45eYpFJeAGNp3tUEL21njRoivmk+0NYKDyIQtgXgzrJurQzV99Q74Ydm3z0DrbhKRamw==
+PublicExponent: AQAB
+PrivateExponent: ItWA0E4uUzkqe+hr9rED3B4eDboRM3PPGOaKenaBFdbONA8X6GbCTCAE6oF7DGSebfi6I9HTjLs24ZItD7bHwQ==
+Prime1: yLZLkD+0SqDwPDKXlK6qHMRKwGDcNw5MxELfv3ftyRM=
+Prime2: wVginHuVgdmvAxTX51WmK922+KTwk/w+Od+/W2N6IVk=
+Exponent1: XE5aGhDyHZA+a7DovVxGp8wuhKMHI9rTuz72H9xL4zk=
+Exponent2: XemKfknFGBp9WNjR+kru+RWrn2C2fpsiOohE8YYDN5k=
+Coefficient: ZmS8ZDDLz6CtwYEvGJgTsNTw/bj6JMaZ8cFh3x1Zd4Y=
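Review bot: This section commits RSA private key material (PrivateExponent, Prime1/Prime2 and the CRT values) in the clear, as do the two sibling private-key sections ending at L5150 and L5165, and nothing on the page marks them as disposable test fixtures. The modulus here and in the L5140-5150 key decodes to 512 bits and the L5155-5165 KSK to 1024 bits, which is appropriate only for a test harness, but that is evident only to someone who decodes the base64. Since the v1.2 private-key format gives no obvious place for a comment, the statement belongs in whatever README or test script consumes these files, for example `Test-only DNSSEC keys: synthetic, 512/1024-bit, committed in the clear; never install on a live signer.`, while the key files themselves stay byte-for-byte as generated. The public DNSKEY record at L5124 (flags 256, algorithm 7) agrees with this file's `Algorithm: 7` line, so the pair itself looks consistent.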
--- /dev/null
+;% generationtime=20100308221149
+;% lifetime=3d
+sub.example.net. IN DNSKEY 256 3 7 AwEAAcIDTNHrG9ssCz/VueiPUQaw4IAM5GvECljWsX+SfXSCkhHg5loq +FXNRa80EJCyh5b0sicbdVOhJ9DVNaRKYxU=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: wgNM0esb2ywLP9W56I9RBrDggAzka8QKWNaxf5J9dIKSEeDmWir4Vc1FrzQQkLKHlvSyJxt1U6En0NU1pEpjFQ==
+PublicExponent: AQAB
+PrivateExponent: fYBY/ynROTQCiuacfh3HUka00uCEGloUP2eSJm4CjYyQyy/he5haU0hcJw5JvxhI0pGj+eDEzaE+5oq1pKntOQ==
+Prime1: 4YRNB1cSh3F9+pQglY5/H4STx2pIADAO0mRFO2Lu+Mc=
+Prime2: 3DzZhCWENMYZvx9ovZTtIUIUpXEPtN4p7FqYC0OFgUM=
+Exponent1: Dk7UjEir9kfvFDzdrF90FU3WCmrl0o06A4M1GUV3n/U=
+Exponent2: ppnBUZ2vrNxOja2M5hzKZOZACAbHAuMsg4bkjWC+lVE=
+Coefficient: LA7G4rCRiDP8P+Cg+JQUKBUgZ8F+dpGA3E/aVOYhaWw=
--- /dev/null
+;% generationtime=20100124184339
+;% lifetime=7d
+sub.example.net. IN DNSKEY 257 3 7 AwEAAfTQL8DTr3eYpPziT+cnKnzMewbEBtRxfkb697qoRK4pKkGYGVWu jIEyjts/aluYd+Nw85rvRFPNVJwmM63jvJapql1pKfyFPSl4YVJMxaCv OMhd1JATDnrTq70evQQmOHyxVKe8k9zk0GKeRgX8sl228AvdiGOfxWmT BoOxYowx
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: 9NAvwNOvd5ik/OJP5ycqfMx7BsQG1HF+Rvr3uqhErikqQZgZVa6MgTKO2z9qW5h343Dzmu9EU81UnCYzreO8lqmqXWkp/IU9KXhhUkzFoK84yF3UkBMOetOrvR69BCY4fLFUp7yT3OTQYp5GBfyyXbbwC92IY5/FaZMGg7FijDE=
+PublicExponent: AQAB
+PrivateExponent: nn1ZLQDejBKqXX02NXPJsdm/m/W0ZjzDf7hiQNlG/WlxDd4mKK5EEDBnA9HeTUY792bcjuVv2sEHkb+5nU3efHdZypvY8wsvKKNUtxWJl9O5ip7GXh4/7YQeNKW/zgE1Xz+Yu6ht3e8XuxaIXHuQ5mBC0E5AUUYPhVBCTR08CkE=
+Prime1: /MeAn2UCjXS8VIoi5Zp90w2qB6ub0wqeLCI0zpXCxWlLTrDSpFORdGuPEctE5cNlDX7y9gq6a5vxnN/b+DnNdQ==
+Prime2: 9+6zb1zEpyJzcscrSVVjacjNbyI9OwfrA7XjU5PppCyFLRvP3+L/pjqgDhyoZmCo3VMqnOjxpIeffvmDsUjATQ==
+Exponent1: ddE+4AwifnAUf4rK7R1u2/oYb+7KeDkQtB1VY5xl5cFH+mtsIm9Y8lxXmMGXYUgLR5kOASPK8/EBUk78pdu7KQ==
+Exponent2: OIT16sEfI2q7HsNAnusUSp04F8maY8aeUK46MGdbr81mXq4kaUl6Ng7PRehKi2wlkq7O3A5OZ89zEKMY3mVTUQ==
+Coefficient: ZO4OrBf5SCcbAccN63xHAlm/Pelu4wWw3yo/BaWPYE3Sf+FJt0O3TJQsmm5B+KbrruLsX6lWWHf4ZerizKFhKQ==
--- /dev/null
+2010-02-06 00:26:54.532: debug: Check RFC5011 status
+2010-02-06 00:26:54.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:26:54.533: debug: Check KSK status
+2010-02-06 00:26:54.533: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h43m15s
+2010-02-06 00:26:54.533: debug: Check ZSK status
+2010-02-06 00:26:54.533: debug: Re-signing not necessary!
+2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy
+2010-02-06 00:29:31.290: debug: Check RFC5011 status
+2010-02-06 00:29:31.290: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:29:31.290: debug: Check KSK status
+2010-02-06 00:29:31.290: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h45m52s
+2010-02-06 00:29:31.290: debug: Check ZSK status
+2010-02-06 00:29:31.290: debug: Re-signing not necessary!
+2010-02-06 00:29:31.290: debug: Check if there is a parent file to copy
+2010-02-06 00:40:35.043: debug: Check RFC5011 status
+2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:40:35.043: debug: Check KSK status
+2010-02-06 00:40:35.043: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h56m56s
+2010-02-06 00:40:35.043: debug: Check ZSK status
+2010-02-06 00:40:35.043: debug: Re-signing not necessary!
+2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy
+2010-02-06 00:52:55.402: debug: Check RFC5011 status
+2010-02-06 00:52:55.402: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:52:55.402: debug: Check KSK status
+2010-02-06 00:52:55.403: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d5h9m16s
+2010-02-06 00:52:55.403: debug: Check ZSK status
+2010-02-06 00:52:55.403: debug: Re-signing not necessary!
+2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy
+2010-02-07 13:53:47.883: debug: Check RFC5011 status
+2010-02-07 13:53:47.883: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:53:47.883: debug: Check KSK status
+2010-02-07 13:53:47.883: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m8s
+2010-02-07 13:53:47.883: debug: Check ZSK status
+2010-02-07 13:53:47.883: debug: Re-signing necessary: re-signing interval (1d) reached
+2010-02-07 13:53:47.884: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached
+2010-02-07 13:53:47.884: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 13:53:47.884: debug: Signing zone "sub.example.net."
+2010-02-07 13:53:47.884: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 880820 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-07 13:53:48.303: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:53:48.304: debug: Signing completed after 1s.
+2010-02-07 13:54:03.465: debug: Check RFC5011 status
+2010-02-07 13:54:03.465: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:03.465: debug: Check KSK status
+2010-02-07 13:54:03.466: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m24s
+2010-02-07 13:54:03.466: debug: Check ZSK status
+2010-02-07 13:54:03.466: debug: Re-signing not necessary!
+2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy
+2010-02-07 13:54:07.955: debug: Check RFC5011 status
+2010-02-07 13:54:07.955: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:07.955: debug: Check KSK status
+2010-02-07 13:54:07.955: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m28s
+2010-02-07 13:54:07.955: debug: Check ZSK status
+2010-02-07 13:54:07.956: debug: Re-signing necessary: Option -f
+2010-02-07 13:54:07.956: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-07 13:54:07.956: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 13:54:07.956: debug: Signing zone "sub.example.net."
+2010-02-07 13:54:07.956: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 325964 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-07 13:54:08.003: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:54:08.003: debug: Signing completed after 1s.
+2010-02-07 13:54:08.003: notice: "sub.example.net.": distribution triggered
+2010-02-07 13:54:08.003: debug: Distribute zone "sub.example.net."
+2010-02-07 13:54:08.003: debug: Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 13:54:08.013: debug: ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./"
+2010-02-07 13:54:08.013: notice: "sub.example.net.": reload triggered
+2010-02-07 13:54:08.013: debug: Reload zone "sub.example.net."
+2010-02-07 13:54:08.013: debug: Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 13:54:08.019: debug: ./dist.sh reload return: "rndc reload sub.example.net. "
+2010-02-07 14:06:27.669: debug: Check RFC5011 status
+2010-02-07 14:06:27.669: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:27.669: debug: Check KSK status
+2010-02-07 14:06:27.669: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m48s
+2010-02-07 14:06:27.669: debug: Check ZSK status
+2010-02-07 14:06:27.669: debug: Re-signing not necessary!
+2010-02-07 14:06:27.670: debug: Check if there is a parent file to copy
+2010-02-07 14:06:33.713: debug: Check RFC5011 status
+2010-02-07 14:06:33.713: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:33.713: debug: Check KSK status
+2010-02-07 14:06:33.713: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m54s
+2010-02-07 14:06:33.713: debug: Check ZSK status
+2010-02-07 14:06:33.714: debug: Re-signing necessary: Option -f
+2010-02-07 14:06:33.714: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-07 14:06:33.714: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 14:06:33.714: debug: Signing zone "sub.example.net."
+2010-02-07 14:06:33.714: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 4A3DFB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-07 14:06:33.745: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 14:06:33.745: debug: Signing completed after 0s.
+2010-02-07 14:06:33.745: notice: "sub.example.net.": distribution triggered
+2010-02-07 14:06:33.745: debug: Distribute zone "sub.example.net."
+2010-02-07 14:06:33.745: debug: Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 14:06:33.749: debug: ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./"
+2010-02-07 14:06:33.749: notice: "sub.example.net.": reload triggered
+2010-02-07 14:06:33.749: debug: Reload zone "sub.example.net."
+2010-02-07 14:06:33.749: debug: Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 14:06:33.753: debug: ./dist.sh reload return: "rndc reload sub.example.net. "
+2010-02-21 12:50:43.176: debug: Check RFC5011 status
+2010-02-21 12:50:43.176: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:43.176: debug: Check KSK status
+2010-02-21 12:50:43.176: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m4s
+2010-02-21 12:50:43.176: debug: Check ZSK status
+2010-02-21 12:50:43.176: debug: Lifetime(259200 +/-150 sec) of active key 7505 exceeded (1345179 sec)
+2010-02-21 12:50:43.176: debug: ->depreciate it
+2010-02-21 12:50:43.176: debug: ->activate published key 57167
+2010-02-21 12:50:43.176: notice: "sub.example.net.": lifetime of zone signing key 7505 exceeded: ZSK rollover done
+2010-02-21 12:50:43.176: debug: New key for publishing needed
+2010-02-21 12:50:43.445: debug: ->creating new key 49712
+2010-02-21 12:50:43.445: info: "sub.example.net.": new key 49712 generated for publishing
+2010-02-21 12:50:43.445: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:43.445: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:43.445: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 12:50:43.445: debug: Signing zone "sub.example.net."
+2010-02-21 12:50:43.445: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 2E31B5 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 12:50:43.580: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:43.580: debug: Signing completed after 0s.
+2010-02-21 12:50:51.158: debug: Check RFC5011 status
+2010-02-21 12:50:51.158: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:51.158: debug: Check KSK status
+2010-02-21 12:50:51.159: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m12s
+2010-02-21 12:50:51.159: debug: Check ZSK status
+2010-02-21 12:50:51.159: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:51.159: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:51.159: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 12:50:51.159: debug: Signing zone "sub.example.net."
+2010-02-21 12:50:51.159: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 41F65A -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 12:50:51.205: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:51.205: debug: Signing completed after 0s.
+2010-02-21 12:51:23.497: debug: Check RFC5011 status
+2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:51:23.497: debug: Check KSK status
+2010-02-21 12:51:23.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m44s
+2010-02-21 12:51:23.497: debug: Check ZSK status
+2010-02-21 12:51:23.497: debug: Re-signing not necessary!
+2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy
+2010-02-21 19:16:18.384: debug: Check RFC5011 status
+2010-02-21 19:16:18.384: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:16:18.384: debug: Check KSK status
+2010-02-21 19:16:18.385: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h32m39s
+2010-02-21 19:16:18.385: debug: Check ZSK status
+2010-02-21 19:16:18.385: debug: Lifetime(390 sec) of depreciated key 7505 exceeded (23135 sec)
+2010-02-21 19:16:18.385: info: "sub.example.net.": old ZSK 7505 removed
+2010-02-21 19:16:18.401: debug: ->remove it
+2010-02-21 19:16:18.401: debug: Re-signing necessary: Modfied zone key set
+2010-02-21 19:16:18.401: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 19:16:18.401: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:16:18.401: debug: Signing zone "sub.example.net."
+2010-02-21 19:16:18.401: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 3DADF2 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:16:18.593: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:16:18.593: debug: Signing completed after 0s.
+2010-02-21 19:32:11.378: debug: Check RFC5011 status
+2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:11.378: debug: Check KSK status
+2010-02-21 19:32:11.378: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m32s
+2010-02-21 19:32:11.378: debug: Check ZSK status
+2010-02-21 19:32:11.378: debug: Re-signing not necessary!
+2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy
+2010-02-21 19:32:15.930: debug: Check RFC5011 status
+2010-02-21 19:32:15.930: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:15.930: debug: Check KSK status
+2010-02-21 19:32:15.930: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m36s
+2010-02-21 19:32:15.930: debug: Check ZSK status
+2010-02-21 19:32:15.930: debug: Re-signing necessary: Option -f
+2010-02-21 19:32:15.930: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:15.930: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:32:15.931: debug: Signing zone "sub.example.net."
+2010-02-21 19:32:15.931: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 623FD7 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:32:15.982: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:15.982: debug: Signing completed after 0s.
+2010-02-21 19:32:32.203: debug: Check RFC5011 status
+2010-02-21 19:32:32.203: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:32.203: debug: Check KSK status
+2010-02-21 19:32:32.203: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m53s
+2010-02-21 19:32:32.203: debug: Check ZSK status
+2010-02-21 19:32:32.203: debug: Re-signing necessary: Option -f
+2010-02-21 19:32:32.203: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:32.203: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:32:32.203: debug: Signing zone "sub.example.net."
+2010-02-21 19:32:32.203: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 C522CA -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:32:32.232: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:32.232: debug: Signing completed after 0s.
+2010-02-25 00:12:26.443: debug: Check RFC5011 status
+2010-02-25 00:12:26.443: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 00:12:26.443: debug: Check KSK status
+2010-02-25 00:12:26.443: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w3d4h28m47s
+2010-02-25 00:12:26.443: debug: Check ZSK status
+2010-02-25 00:12:26.443: debug: Lifetime(259200 +/-150 sec) of active key 57167 exceeded (300103 sec)
+2010-02-25 00:12:26.443: debug: ->depreciate it
+2010-02-25 00:12:26.444: debug: ->activate published key 49712
+2010-02-25 00:12:26.444: notice: "sub.example.net.": lifetime of zone signing key 57167 exceeded: ZSK rollover done
+2010-02-25 00:12:26.444: debug: New key for publishing needed
+2010-02-25 00:12:26.902: debug: ->creating new key 65009
+2010-02-25 00:12:26.902: info: "sub.example.net.": new key 65009 generated for publishing
+2010-02-25 00:12:26.902: debug: Re-signing necessary: Modfied zone key set
+2010-02-25 00:12:26.902: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 00:12:26.902: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-25 00:12:26.902: debug: Signing zone "sub.example.net."
+2010-02-25 00:12:26.902: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9AA7CB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-25 00:12:27.016: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 00:12:27.016: debug: Signing completed after 1s.
+2010-02-25 23:42:20.653: debug: Check RFC5011 status
+2010-02-25 23:42:20.653: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:20.653: debug: Check KSK status
+2010-02-25 23:42:20.653: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w4d3h58m41s
+2010-02-25 23:42:20.653: debug: Check ZSK status
+2010-02-25 23:42:20.653: debug: Lifetime(390 sec) of depreciated key 57167 exceeded (84594 sec)
+2010-02-25 23:42:20.653: info: "sub.example.net.": old ZSK 57167 removed
+2010-02-25 23:42:20.661: debug: ->remove it
+2010-02-25 23:42:20.661: debug: Re-signing necessary: Modfied zone key set
+2010-02-25 23:42:20.661: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:20.661: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-02-25 23:42:20.662: debug: Signing zone "sub.example.net."
+2010-02-25 23:42:20.662: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 2942EB -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-02-25 23:42:21.012: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 23:42:21.012: debug: Signing completed after 1s.
+2010-03-02 10:59:11.845: debug: Check RFC5011 status
+2010-03-02 10:59:11.845: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:11.845: debug: Check KSK status
+2010-03-02 10:59:11.846: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w1d15h15m32s
+2010-03-02 10:59:11.846: debug: Check ZSK status
+2010-03-02 10:59:11.846: debug: Lifetime(259200 +/-150 sec) of active key 49712 exceeded (470805 sec)
+2010-03-02 10:59:11.846: debug: ->depreciate it
+2010-03-02 10:59:11.846: debug: ->activate published key 65009
+2010-03-02 10:59:11.846: notice: "sub.example.net.": lifetime of zone signing key 49712 exceeded: ZSK rollover done
+2010-03-02 10:59:11.846: debug: New key for publishing needed
+2010-03-02 10:59:12.256: debug: ->creating new key 27377
+2010-03-02 10:59:12.256: info: "sub.example.net.": new key 27377 generated for publishing
+2010-03-02 10:59:12.256: debug: Re-signing necessary: Modfied zone key set
+2010-03-02 10:59:12.256: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-02 10:59:12.256: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-02 10:59:12.256: debug: Signing zone "sub.example.net."
+2010-03-02 10:59:12.256: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 F9A34F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-02 10:59:12.415: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-02 10:59:12.416: debug: Signing completed after 0s.
+2010-03-03 23:22:00.127: debug: Check RFC5011 status
+2010-03-03 23:22:00.127: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-03 23:22:00.127: debug: Check KSK status
+2010-03-03 23:22:00.127: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w3d3h38m21s
+2010-03-03 23:22:00.127: debug: Check ZSK status
+2010-03-03 23:22:00.127: debug: Lifetime(390 sec) of depreciated key 49712 exceeded (130969 sec)
+2010-03-03 23:22:00.127: info: "sub.example.net.": old ZSK 49712 removed
+2010-03-03 23:22:00.127: debug: ->remove it
+2010-03-03 23:22:00.127: debug: Re-signing necessary: Modfied zone key set
+2010-03-03 23:22:00.127: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-03 23:22:00.127: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-03 23:22:00.127: debug: Signing zone "sub.example.net."
+2010-03-03 23:22:00.127: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 A3B721 -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-03 23:22:00.394: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-03 23:22:00.394: debug: Signing completed after 0s.
+2010-03-08 23:11:49.663: debug: Check RFC5011 status
+2010-03-08 23:11:49.663: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:11:49.663: debug: Check KSK status
+2010-03-08 23:11:49.663: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h28m10s
+2010-03-08 23:11:49.664: debug: Check ZSK status
+2010-03-08 23:11:49.664: debug: Lifetime(259200 +/-150 sec) of active key 65009 exceeded (562358 sec)
+2010-03-08 23:11:49.664: debug: ->depreciate it
+2010-03-08 23:11:49.664: debug: ->activate published key 27377
+2010-03-08 23:11:49.664: notice: "sub.example.net.": lifetime of zone signing key 65009 exceeded: ZSK rollover done
+2010-03-08 23:11:49.664: debug: New key for publishing needed
+2010-03-08 23:11:50.060: debug: ->creating new key 41747
+2010-03-08 23:11:50.060: info: "sub.example.net.": new key 41747 generated for publishing
+2010-03-08 23:11:50.060: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:11:50.061: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:11:50.061: debug: Writing key file "././sub.example.net/dnskey.db"
+2010-03-08 23:11:50.061: debug: Signing zone "sub.example.net."
+2010-03-08 23:11:50.061: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 71C04F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-08 23:11:50.169: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:11:50.169: debug: Signing completed after 0s.
+2010-03-08 23:18:52.243: debug: Check RFC5011 status
+2010-03-08 23:18:52.243: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:18:52.243: debug: Check KSK status
+2010-03-08 23:18:52.243: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h35m13s
+2010-03-08 23:18:52.243: debug: Check ZSK status
+2010-03-08 23:18:52.243: debug: Lifetime(390 sec) of depreciated key 65009 exceeded (423 sec)
+2010-03-08 23:18:52.243: info: "sub.example.net.": old ZSK 65009 removed
+2010-03-08 23:18:52.243: debug: ->remove it
+2010-03-08 23:18:52.243: debug: Re-signing necessary: Modfied zone key set
+2010-03-08 23:18:52.243: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:18:52.243: debug: Writing key file "././sub.example.net/dnskey.db"
+2010-03-08 23:18:52.243: debug: Signing zone "sub.example.net."
+2010-03-08 23:18:52.243: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 CF729B -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-08 23:18:52.287: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:18:52.287: debug: Signing completed after 0s.
+2010-03-11 23:46:35.497: debug: Check RFC5011 status
+2010-03-11 23:46:35.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:46:35.497: debug: Check KSK status
+2010-03-11 23:46:35.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h2m56s
+2010-03-11 23:46:35.498: debug: Check ZSK status
+2010-03-11 23:46:35.498: debug: Lifetime(259200 +/-150 sec) of active key 27377 exceeded (261286 sec)
+2010-03-11 23:46:35.498: debug: ->depreciate it
+2010-03-11 23:46:35.498: debug: ->activate published key 41747
+2010-03-11 23:46:35.498: notice: "sub.example.net.": lifetime of zone signing key 27377 exceeded: ZSK rollover done
+2010-03-11 23:46:35.498: debug: New key for publishing needed
+2010-03-11 23:46:35.768: debug: ->creating new key 2048
+2010-03-11 23:46:35.768: info: "sub.example.net.": new key 2048 generated for publishing
+2010-03-11 23:46:35.768: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:46:35.768: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:46:35.768: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-11 23:46:35.768: debug: Signing zone "sub.example.net."
+2010-03-11 23:46:35.768: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B86C9F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-11 23:46:35.814: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:46:35.814: debug: Signing completed after 0s.
+2010-03-11 23:52:33.132: debug: Check RFC5011 status
+2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:52:33.132: debug: Check KSK status
+2010-03-11 23:52:33.132: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h8m54s
+2010-03-11 23:52:33.132: debug: Check ZSK status
+2010-03-11 23:52:33.132: debug: Re-signing not necessary!
+2010-03-11 23:52:33.132: debug: Check if there is a parent file to copy
+2010-03-11 23:53:27.804: debug: Check RFC5011 status
+2010-03-11 23:53:27.804: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:53:27.804: debug: Check KSK status
+2010-03-11 23:53:27.804: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h9m48s
+2010-03-11 23:53:27.804: debug: Check ZSK status
+2010-03-11 23:53:27.804: debug: Lifetime(390 sec) of depreciated key 27377 exceeded (412 sec)
+2010-03-11 23:53:27.804: info: "sub.example.net.": old ZSK 27377 removed
+2010-03-11 23:53:27.804: debug: ->remove it
+2010-03-11 23:53:27.804: debug: Re-signing necessary: Modfied zone key set
+2010-03-11 23:53:27.804: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:53:27.804: debug: Writing key file "./sub.example.net/dnskey.db"
+2010-03-11 23:53:27.804: debug: Signing zone "sub.example.net."
+2010-03-11 23:53:27.805: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 67AA7F -C -g -p -d ../keysets -o sub.example.net. -e +172800 -N unixtime zone.db K*.private 2>&1"
+2010-03-11 23:53:27.856: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:53:27.856: debug: Signing completed after 0s.
--- /dev/null
+;% generationtime=20100331230548
+;% lifetime=28d
+example.de. IN DNSKEY 256 3 5 BQEAAAABx4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/ 2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: x4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: MWWd0AvKmimZrtVrPrTAK/UD0ZrJuL3Rcxw6qzxPWE5S3KcdJNtt5HzOPeGWIZVN8rBtPCSRhiksjugrMqkMRQ==
+Prime1: 48VMTrU7heYjFQ5ou7rSOpqt2Eot+EBDjYUPKeOR268=
+Prime2: 4EGLA3LuyNrDfBHTn0xmGHdO3DvHn6YUmJKh/98WzFc=
+Exponent1: WhbPWcw2bisYr9cS59vOFmLxvbXUQgJZTZVYSDW3EF0=
+Exponent2: BoCEx7RES9scWl7PFrUZzrzjDIZiBUICbw4BViSUVWs=
+Coefficient: DmwngpeIb8+dzC9ETnQOojRJTv1MRpW4k0Jo1NfAC+c=
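Review bot: This file commits complete RSA private key material (`Private-key-format: v1.2` with `PrivateExponent`, `Prime1`, `Prime2` and CRT values) for example.de, and nothing in the hunk marks it as a throw-away demonstration key; the private-key files at L5508–L5517, L5523–L5532, L5538–L5547, L5553–L5562, L5568–L5577, L5583–L5592 and L5594–L5603 have the same issue. By current standards these keys are also weak: `Algorithm: 5 (RSASHA1)` with a 64-byte modulus (512-bit RSA) for the ZSKs and a 128-byte modulus (1024-bit) for the KSKs. Since the examples directory is meant to be copied and run, a user could end up signing a real zone with published keys, so I would add a short README line in the examples directory stating that every K*.private here is a public demonstration key that must never be used for a production zone and that fresh keys should be generated with dnssec-keygen, and mention the same in the wrapper scripts' header comments.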
--- /dev/null
+;% generationtime=20100224232104
+;% lifetime=28d
+example.de. IN DNSKEY 256 3 5 BQEAAAABsbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFes ZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: sbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFesZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: PHPdKKwdgE+02a+6R+2xk7RfPUmjIW0dclILS0uQ2GL2lYJCaFKoMEZJb/30CkJLWBBGUS4XUPzplYQ8VLn6gQ==
+Prime1: 5efr+OinaF8nLpI/N1EuTxuoSbILnPn5pSWVpwJPgTk=
+Prime2: xdzEgtE9CEHT06oa0yM+lLMJp2K6RlBiByRo13Sd8VE=
+Exponent1: dE2UZNfo/uln1Yq9lz3pImp5gWDjeT+sYIdBBk8qfOk=
+Exponent2: TPXU6D9veGi9J41RR3KvLo4s3u/rQWHXyQrO6jQwX0E=
+Coefficient: t1ysP5l5JUhi+d3GvFN0EyZAv1nW31lsL+4979deLsw=
--- /dev/null
+;% generationtime=20100311230027
+;% lifetime=3d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABxKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+ fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: xKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: LDta/Lx7ETLqQamSm9XAERno+ixf6Dl/cq10zcd8QNLuvleFqMvtRURxfhFhNlrvFTuckz1IzIX7ufecSrarYQ==
+Prime1: 5x1rjqJnLrLUd+i4DUmSutQQrQZWg+vzwurpGkxBCTc=
+Prime2: 2dmVy5A1h7avKD9Ez0rcg1G96wxVkdp+/8AvXEYe+QM=
+Exponent1: Fx9QLrquictb9W74f5gmRs5wQcsyWjkNVXUE/eb84l0=
+Exponent2: kexPooMJG2rfGbnWG0Mnav28EcV7q7xNnIHELjRCfWU=
+Coefficient: Liq85Ma7Ki3tZePKv/v+he9UgH7J5tgDnmHof0370/M=
--- /dev/null
+;% generationtime=20100311234526
+;% lifetime=7d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB5pX0X0XUdIwL0/k/VoAsC33UZ9xk/U2v5KKBFZKM3TqQzL13 EcucIdpDsazbz3slOHbHXsZYjFtJws+ZZKq/53AygNiRvjTeQskYY1W9 6dN+3keQdlwgIGQL0HnjBSksm42T2HXFlQfi/3YHlun1MzHzd78xpeuZ lvW8DPh+/CM=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 5pX0X0XUdIwL0/k/VoAsC33UZ9xk/U2v5KKBFZKM3TqQzL13EcucIdpDsazbz3slOHbHXsZYjFtJws+ZZKq/53AygNiRvjTeQskYY1W96dN+3keQdlwgIGQL0HnjBSksm42T2HXFlQfi/3YHlun1MzHzd78xpeuZlvW8DPh+/CM=
+PublicExponent: AQAAAAE=
+PrivateExponent: fWmnzNBw5Pz/Zk7x3dJwg36L+myF19pas+uYon6bL1WuIYGSu5TnZbmPemkyo2XrWedlv5+sXdpY5H2axgpmKtDyBCmjCSL00ohcjQlFNmp5U4YPU1cvlfnCCCUMRVzzTwp1iZ39Y1rGKTALITOazux161s1V+C8xErGnMYXjhE=
+Prime1: +H/1W3Qgd6CCwi3cwrtfWzhosSjbb7+6WVo7bX2Rn6EBWyo07Y7WpIGAEdkBGsPn9Ow8JANPjzNzqrcF4LvUtw==
+Prime2: 7YuVHcg7Fa4MysfTgaLKupaCVKkJxQ3SDVp2mVABgu9GkKzKgPRlwznLANgKC2kWudUqKG0+jO97GxV6Jhff9Q==
+Exponent1: sCr44sRCtIX9o2izqQZAca6koln9//yloHgwXyQepvJGeuxWsfpSGmUf5gJlvaovrTdN4fpy5mA0b4vZnQRsBw==
+Exponent2: k3Q0J6VvHwFresOiQ8Ekzw/AHXgGY+X0+MJWJ+6IEy2dCQWOHPhguXyAKP8B8ootNijjM2Bzb76eeT0vz3mKXQ==
+Coefficient: A9rqRcjvB0xOPfSUAQDclV8JQPq+xHBOXIpOm5xDtrzQpjv/6uams+bgNeV7m9CPi5jyjWaM5XGwUQv+3itRyQ==
--- /dev/null
+;% generationtime=20100224232104
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAABw7VUqnhpsZkrjxhFtr3gUk2qCcs8utrOFwwsMgxQwzcMoJfe S9Ctq4Rp4M8s20tSq3rXzt1h8LxjsSLqbdolqgWcmToSGo+IZikT/87c vsUqzKgCQx84n2Il+//AvLPE0I00mGeOK4OR3yLqxrP/ghYXqydlUvgX HLeDoqHQAFM=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: w7VUqnhpsZkrjxhFtr3gUk2qCcs8utrOFwwsMgxQwzcMoJfeS9Ctq4Rp4M8s20tSq3rXzt1h8LxjsSLqbdolqgWcmToSGo+IZikT/87cvsUqzKgCQx84n2Il+//AvLPE0I00mGeOK4OR3yLqxrP/ghYXqydlUvgXHLeDoqHQAFM=
+PublicExponent: AQAAAAE=
+PrivateExponent: uoruJIZElyAQA+KeL5wBYD8hdNbr9/By0IHg/cPVZd6526ahZpWob5ucps4xjq02rgLl/i0FvG+o/iJJKQ072Wvp4LoSzFpLKRQPQhrC8tf2Zqaup03gDlaMSe+mav59pisU/yRi42xkLdFCq9qAqOolhMYH/5rTTIQjLGm4N+E=
+Prime1: 6WHxgLrUdEcx9ByQvaC1+POsQpA77D9kAqrgR2iPXlmlBsp6JD/lImNCZCUcnt1TRJWEDmMoP3U1diWvvV69MQ==
+Prime2: 1qy3KTqZNxlxGOJ3GvtUT9AGvZrKCNDDvPYGW6UT1aMCaR7rVKOjuxsdTZGBgVQMSynTVhrsirOsUodhYfskww==
+Exponent1: gJeuTs2r2TORC6JlxWb7cWyKpTwlAiVZPO8V1bHwT9XoT5upILso6ozh8IB+o2SdxhxNSx0gXmnU9xPk58SJMQ==
+Exponent2: qT/gYLKfcgWDpIQ1/ZSaCNqeBuyzUVpR1+HTySxFSUD9+yu7Ra07/E+N5EFlfW4WshA762j1Ums8GtKNNZ3nKw==
+Coefficient: SwfLMVH9qp/SuXcmnOsYQd0kF9JcYdVyi3HiP3EvI/G97sKT2P/RXVi1hSPQ1AocBX6Fwke2FYQpFGyV0/IuwQ==
--- /dev/null
+;% generationtime=20100331230548
+;% lifetime=3d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABwp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2 uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: wp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew==
+PublicExponent: AQAAAAE=
+PrivateExponent: Xgmu9fyg1QoKridDOUywH7mZg92dEvGVIcz5QrpXMYZDhi/Z1NLB4UJwaO4Kmbg9EyAT+ms3fjjC8ncy+mVnEQ==
+Prime1: 9wrDpiFEJkYGuCC0JriZgA+uaLBYtzudTzUByr8BGU0=
+Prime2: yavdgu+a7BloewO3Fzg6JwxYvJYrfeAgYLVr4uXzwec=
+Exponent1: Z8tEYnN2N5LxFjL9+mdfnOjNhVxAouZ/wyyokWf0C4U=
+Exponent2: axnHnwpVRfb5Xt25+8oIVoVH4YdTXDCbr4nkcjru4As=
+Coefficient: dvqfAzS1VFtC6dvzFTgh+GoFt3EwIxHDXcskNmbFDto=
--- /dev/null
+;% generationtime=20100302100015
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 5 BQEAAAAB5KlPbV06agsuPzuijxhIDwNpKC5mGcW/BHnXTIckGoTH8kyQ Q2X5wg3SVqZS5AhF1sJ63dRlEUmr6crC3oIb7oZkgaI6j0oBRMrX63wo 9URebgSCBVBllTo74PhCUlA9taSEiThhzNScje7lk34yU0JSAfxyEiwq c3x8BzbIorM=
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 5KlPbV06agsuPzuijxhIDwNpKC5mGcW/BHnXTIckGoTH8kyQQ2X5wg3SVqZS5AhF1sJ63dRlEUmr6crC3oIb7oZkgaI6j0oBRMrX63wo9URebgSCBVBllTo74PhCUlA9taSEiThhzNScje7lk34yU0JSAfxyEiwqc3x8BzbIorM=
+PublicExponent: AQAAAAE=
+PrivateExponent: y+rt5sGw902oNDr4JAP2+erGfuYpp1g3UavEEPplKcyFZNg21fMasVCIyerS5ORCr/ktaNP9ZCuOkv/Ob9CY6hbbMMFKHIKGtBb7eu+et+fbbr71fdxyqHlcpqfAiRjsqYLuLw1r93Odw1HyCRpiIVR3Esiq7xTTsbd6v+mjqHE=
+Prime1: 9deZ3ccGM9abtuCR/vGI2v8dOR3WwzhClE+kmRKhB+++ON5hvg1Y+cJc60FpWLHTxKs96t4axX/6ijiRWZpyKw==
+Prime2: 7hv6lVRo8UCdt/q4n9OKbDnPu8z7GokPSXcqT5O8W7p/O7Yvuy0YMRbL8CTJw2A4IP202bScW5Lg5EWdPUa1mQ==
+Exponent1: TM/bBQFxZfgGdjnJ58qGE9e5GNuqjNgT7HacbqTtnvHKQmRTp6Z+es8qV7U6ise0Glyz/zwB9BuYynUU+XKpsw==
+Exponent2: MHiLBFWwhaeg21jfCAqblY6elrqmLWiq6qkk8mRPTHtyaCkr1fa4/4u6q54XiyIBQxLKUf3prhjzq+o+hagIYQ==
+Coefficient: fi1lTsYNS1ka3RHT8SxGcwur8oRZLPAaLu8UYFxy9bfAInYkUg/jnR3q3i5BcKcr4+UL6Pp9iPzl1AfMQj//fg==
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: wBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4QlglYkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw==
+PublicExponent: AQAAAAE=
+PrivateExponent: mcrUc9cypiq7j30rntMoCrIxE9SemJxzTJ/USNZPGqfa4MpfsfvIt6A+8JzgS0Sx+6piSk9d8QSdr55aVqgEYQ==
+Prime1: 6dRm4EGvg7WN5LFAMv/8HzeyZbNu7FlQwf08QZOmgYc=
+Prime2: 0lM7LrrOzTThb372TCC+7Wz0S6GuqfjhM33MWwNEeZE=
+Exponent1: Q8jFuxbjffHEGZxuUdLkkmWka0hDlACozr31blXYgCc=
+Exponent2: yqc1ijD9jaK8b5IUIqsx42nbJ6boeMyx77wfOUoXw7E=
+Coefficient: R4QnEkjxtLd7bPChAqblYPb9A8lcsD7KGh5fTR9LcFM=
--- /dev/null
+;% generationtime=20100302100004
+;% lifetime=2d
+sub.example.de. IN DNSKEY 256 3 5 BQEAAAABwBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4Qlgl YkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw==
--- /dev/null
+2010-02-06 00:54:11.045: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-02-21 12:51:38.667: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-02-25 00:21:05.030: info: "example.de.": new key 39599 generated for publishing
+2010-02-25 00:21:05.030: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 00:22:32.667: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:40.317: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-02 11:00:04.526: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-02 11:00:16.077: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-03 23:22:07.163: notice: "example.de.": lifetime of zone signing key 63077 exceeded: ZSK rollover done
+2010-03-03 23:22:07.163: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:00:27.706: info: "example.de.": old ZSK 63077 removed
+2010-03-12 00:00:27.710: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:45:26.305: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-04-01 01:05:48.848: notice: "example.de.": lifetime of zone signing key 39599 exceeded since 43m41s: ZSK rollover deferred: waiting for published key
+2010-04-01 01:05:48.928: info: "example.de.": new key 9743 generated for publishing
+2010-04-01 01:05:48.929: notice: "example.de.": re-signing triggered: Modfied zone key set
--- /dev/null
+2010-02-06 00:54:11.044: info: "sub.example.de.": kskrollover phase2: send new key 33580 to the parent zone
+2010-02-21 12:51:38.487: info: "sub.example.de.": kskrollover phase3: Remove old key 3831
+2010-02-21 12:51:38.488: notice: "sub.example.de.": lifetime of zone signing key 320 exceeded: ZSK rollover done
+2010-02-21 12:51:38.556: info: "sub.example.de.": new key 17513 generated for publishing
+2010-02-21 12:51:38.556: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 00:21:04.838: info: "sub.example.de.": kskrollover phase1: New key 27861 generated
+2010-02-25 00:21:04.838: info: "sub.example.de.": old ZSK 320 removed
+2010-02-25 00:21:04.838: notice: "sub.example.de.": lifetime of zone signing key 65003 exceeded: ZSK rollover done
+2010-02-25 00:21:04.876: info: "sub.example.de.": new key 31547 generated for publishing
+2010-02-25 00:21:04.876: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 01:01:09.615: info: "sub.example.de.": old ZSK 65003 removed
+2010-02-25 01:01:09.615: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:40.316: info: "sub.example.de.": kskrollover phase2: send new key 9663 to the parent zone
+2010-03-02 11:00:04.328: info: "sub.example.de.": kskrollover phase3: Remove old key 59961
+2010-03-02 11:00:04.328: notice: "sub.example.de.": lifetime of zone signing key 17513 exceeded: ZSK rollover done
+2010-03-02 11:00:04.444: info: "sub.example.de.": new key 63530 generated for publishing
+2010-03-02 11:00:04.444: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-02 11:00:16.024: info: "sub.example.de.": kskrollover phase1: New key 42639 generated
+2010-03-02 11:00:16.025: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-03 23:22:07.066: info: "sub.example.de.": kskrollover phase2: send new key 27861 to the parent zone
+2010-03-03 23:22:07.066: info: "sub.example.de.": old ZSK 17513 removed
+2010-03-03 23:22:07.067: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:00:27.495: info: "sub.example.de.": kskrollover phase3: Remove old key 9663
+2010-03-12 00:00:27.495: notice: "sub.example.de.": lifetime of zone signing key 31547 exceeded: ZSK rollover done
+2010-03-12 00:00:27.609: info: "sub.example.de.": new key 7295 generated for publishing
+2010-03-12 00:00:27.609: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:45:26.265: info: "sub.example.de.": kskrollover phase1: New key 8544 generated
+2010-03-12 00:45:26.265: info: "sub.example.de.": old ZSK 31547 removed
+2010-03-12 00:45:26.266: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-04-01 01:05:48.169: info: "sub.example.de.": kskrollover phase2: send new key 42639 to the parent zone
+2010-04-01 01:05:48.169: notice: "sub.example.de.": lifetime of zone signing key 63530 exceeded: ZSK rollover done
+2010-04-01 01:05:48.650: info: "sub.example.de.": new key 40559 generated for publishing
+2010-04-01 01:05:48.650: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
--- /dev/null
+#!/bin/sh
+#
+# Shell script to start the zkt-ls command
+# out of the example directory
+#
+
+if test ! -f dnssec.conf
+then
+ echo Please start this skript out of the flat or hierarchical sub directory
+ exit 1
+fi
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-ls "$@"
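Review bot: The diagnostic at L5668 is an unquoted word list written to stdout, so it is subject to globbing and gets mixed into captured output rather than reaching the user as an error; write it as `echo "Please start this script out of the flat or hierarchical sub directory" >&2` (this also fixes the "skript" typo). The zkt-signer wrapper at L5681 has the identical line and needs the same change. Minor: the backtick substitution on the last line can be replaced by the shell variable, `ZKT_CONFFILE="$PWD/dnssec.conf" ../../zkt-ls "$@"`, which avoids the extra process and keeps the script consistent with the quoting used for `"$@"`.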
--- /dev/null
+#!/bin/sh
+#
+# Shell script to start the zkt-signer
+# command out of the example directory
+#
+
+if test ! -f dnssec.conf
+then
+ echo Please start this skript out of the flat or hierarchical sub directory
+ exit 1
+fi
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-signer "$@"
--- /dev/null
+.TH zkt-conf 8 "February 22, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt-conf \(em Secure DNS zone key config tool
+
+.SH SYNOPSYS
+.na
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.B \-d
+.RB [ \-O
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.RB [ \-s ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.B \-l
+.RB [ \-a ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
+
+.B zkt-conf
+.RB [ \-c
+.IR "file" ]
+.RB [ \-w ]
+.I "zonefile"
+
+.br
+.ad
+.SH DESCRIPTION
+The
+.I zkt-conf
+command helps to create and show a config file for use by
+the Zone Key Tool commands, which are currently
+.I zkt-ls(8) ,
+.I zkt-keyman(8) ,
+and
+.IR zkt-signer(8) .
+.PP
+In general, the ZKT commands uses up to three consequitive sources for config
+parameter settings:
+.IP
+a)
+The build-in default parameters
+.IP
+b)
+The side wide config file or the file specified with option -c
+overloads the built-in vars.
+The file is
+.I /var/named/dnssec.conf
+or the one set by the environment variable ZKT_CONFFILE.
+.IP
+c)
+The local config file
+.I dnssec.conf
+in the current zone directory also overloads the parameter read so far.
+.PP
+Because of the overload feature, none of the config files has to have
+a complete parameter set.
+Typically the local config file will have only those parameters which are
+different from the global or built-in ones.
+.PP
+The default operation of
+.I zkt-conf(8)
+is to print the site wide config file (same as option
+.BR \-s ).
+Option
+.B \-d
+will print out the built-in defaults while
+.B \-l
+print those local parameters which are different to the global ones.
+In the last case
+.B \-a
+gives the fully
+.RB ( \-\-all )
+parameter list.
+.PP
+In all forms of the command, the parameters are changeable via option
+.B \-O
+.RB ( \-\-config-option ).
+.PP
+With option
+.B \-w
+.RB ( \-\-write )
+the confg parameters are written back to the config file.
+This is useful in case of an ZKT upgrade or if one or more parameters are changed
+by option
+.BR \-O .
+.PP
+Option
+.B \-t
+checks some of the parameter for reasonable values.
+.PP
+.PP
+Which config file is shown (or modified or checked) is determined by an option.
+.B \-d
+means the built-in defaults, option
+.B \-l
+is for the local config file and
+.B \-s
+specifies the site wide config file.
+Option
+.B \-s
+is the default.
+.PP
+In the last form of the command, the
+maximum TTL value of all the resource records of
+.I zonefile
+is calculated and print on stdout.
+Additional, the zonefile is checked if the key database
+.RI ( dnskey.db )
+is included in the zone file.
+If option
+.B \-w
+is set, than the INCLUDE directive will be added to the zone file if
+necessary, and the maximum ttl value is written to a local config file.
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BR \-d ", " \-\-built-in-defaults
+List all the built-in default parameter.
+.TP
+.BR \-s ", " \-\-sitecfg
+List all site wide config parameter (this is the default).
+.TP
+.BR \-l ", " \-\-localcfg
+List local config parameter which are different to the site wide config
+parameter.
+With otion
+.B \-a
+.RB ( \-\-all )
+all config parameters will be shown.
+
+.SH OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the
+.B \-V
+or
+.B \-\-view
+option every time, it is also possible to create a hard or softlink to the
+executable file and name it like
+.I zkt-conf-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read all parameter from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file parameter via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-a ", " \-\-all
+In case of showing the local config file parameter
+.RB ( \-l )
+this prints all parameter, not just the ones different to the site wide
+or built-in defaults.
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt-conf \-d
+.fam T
+Print the built-in default config pars.
+.TP
+.fam C
+.B "zkt-conf \-d \-w
+.fam T
+Write all the built-in defaults into the site wide config file.
+.TP
+.fam C
+.B "zkt-conf \-s \-O ""SerialFormat: Incremental; Zonedir: /var/named/zones"" \-w"
+.fam T
+Change two parameters in the site wide
+.I dnssec.conf
+file.
+.TP
+.fam C
+.B "zkt-conf \-w zone.db
+.fam T
+Add
+.B "$INCLUDE dnskey.db"
+to the zone file and set the maximum ttl paramter in the local config file
+to the maximum ttl fond in any RR of
+.IR zone.db .
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (additionally used in
+.B \-l
+mode).
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), zkt-ls(8), zkt-keyman(8),
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
--- /dev/null
+<!-- Creator : groff version 1.20.1 -->
+<!-- CreationDate: Wed Mar 31 18:15:57 2010 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
+</style>
+<title>zkt-conf</title>
+
+</head>
+<body>
+
+<h1 align="center">zkt-conf</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSYS">SYNOPSYS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
+<a href="#OPTIONS">OPTIONS</a><br>
+<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
+<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
+<a href="#FILES">FILES</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
+<a href="#COPYRIGHT">COPYRIGHT</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">zkt-conf
+— Secure DNS zone key config tool</p>
+
+<h2>SYNOPSYS
+<a name="SYNOPSYS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf</b>
+[<b>−V</b> <i>name</i>] [<b>−w</b>]
+<b>−d</b> [<b>−O</b> <i>optstr</i>] <b><br>
+zkt-conf</b> [<b>−V</b> <i>name</i>] [<b>−w</b>]
+[<b>−s</b>] [<b>−c</b> <i>file</i>]
+[<b>−O</b> <i>optstr</i>] <b><br>
+zkt-conf</b> [<b>−V</b> <i>name</i>] [<b>−w</b>]
+<b>−l</b> [<b>−a</b>] [<b>−c</b>
+<i>file</i>] [<b>−O</b> <i>optstr</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf</b>
+[<b>−c</b> <i>file</i>] [<b>−w</b>]
+<i>zonefile</i></p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The
+<i>zkt-conf</i> command helps to create and show a config
+file for use by the Zone Key Tool commands, which are
+currently <i>zkt-ls(8) , zkt-keyman(8) ,</i> and
+<i>zkt-signer(8)</i>.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In general, the
+ZKT commands uses up to three consequitive sources for
+config parameter settings:</p>
+
+<p style="margin-left:22%; margin-top: 1em">a) The build-in
+default parameters</p>
+
+<p style="margin-left:22%; margin-top: 1em">b) The side
+wide config file or the file specified with option -c
+overloads the built-in vars. The file is
+<i>/var/named/dnssec.conf</i> or the one set by the
+environment variable ZKT_CONFFILE.</p>
+
+<p style="margin-left:22%; margin-top: 1em">c) The local
+config file <i>dnssec.conf</i> in the current zone directory
+also overloads the parameter read so far.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Because of the
+overload feature, none of the config files has to have a
+complete parameter set. Typically the local config file will
+have only those parameters which are different from the
+global or built-in ones.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The default
+operation of <i>zkt-conf(8)</i> is to print the site wide
+config file (same as option <b>−s</b>). Option
+<b>−d</b> will print out the built-in defaults while
+<b>−l</b> print those local parameters which are
+different to the global ones. In the last case
+<b>−a</b> gives the fully (<b>−−all</b>)
+parameter list.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In all forms of
+the command, the parameters are changeable via option
+<b>−O</b> (<b>−−config-option</b>).</p>
+
+<p style="margin-left:11%; margin-top: 1em">With option
+<b>−w</b> (<b>−−write</b>) the confg
+parameters are written back to the config file. This is
+useful in case of an ZKT upgrade or if one or more
+parameters are changed by option <b>−O</b>.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Option
+<b>−t</b> checks some of the parameter for reasonable
+values.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Which config
+file is shown (or modified or checked) is determined by an
+option. <b>−d</b> means the built-in defaults, option
+<b>−l</b> is for the local config file and
+<b>−s</b> specifies the site wide config file. Option
+<b>−s</b> is the default.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In the last
+form of the command, the maximum TTL value of all the
+resource records of <i>zonefile</i> is calculated and print
+on stdout. Additional, the zonefile is checked if the key
+database (<i>dnskey.db</i>) is included in the zone file. If
+option <b>−w</b> is set, than the INCLUDE directive
+will be added to the zone file if necessary, and the maximum
+ttl value is written to a local config file.</p>
+
+<h2>COMMAND OPTIONS
+<a name="COMMAND OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−h</b>,
+<b>−−help</b></p>
+
+<p style="margin-left:22%;">Print out the online help.</p>
+
+<p style="margin-left:11%;"><b>−d</b>,
+<b>−−built-in-defaults</b></p>
+
+<p style="margin-left:22%;">List all the built-in default
+parameter.</p>
+
+<p style="margin-left:11%;"><b>−s</b>,
+<b>−−sitecfg</b></p>
+
+<p style="margin-left:22%;">List all site wide config
+parameter (this is the default).</p>
+
+<p style="margin-left:11%;"><b>−l</b>,
+<b>−−localcfg</b></p>
+
+<p style="margin-left:22%;">List local config parameter
+which are different to the site wide config parameter. With
+otion <b>−a</b> (<b>−−all</b>) all config
+parameters will be shown.</p>
+
+<h2>OPTIONS
+<a name="OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−V</b>
+<i>view</i><b>, −−view=</b><i>view</i></p>
+
+<p style="margin-left:22%;">Try to read the default
+configuration out of a file named
+<i>dnssec-<view>.conf .</i> Instead of specifying the
+<b>−V</b> or <b>−−view</b> option every
+time, it is also possible to create a hard or softlink to
+the executable file and name it like
+<i>zkt-conf-<view> .</i></p>
+
+<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
+−−config=</b><i>file</i></p>
+
+<p style="margin-left:22%;">Read all parameter from the
+specified config file. Otherwise the default config file is
+read or build in defaults will be used.</p>
+
+<p style="margin-left:11%;"><b>−O</b>
+<i>optstr</i><b>,
+−−config-option=</b><i>optstr</i></p>
+
+<p style="margin-left:22%;">Set any config file parameter
+via the commandline. Several config file options could be
+specified at the argument string but have to be delimited by
+semicolon (or newline).</p>
+
+<p style="margin-left:11%;"><b>−a</b>,
+<b>−−all</b></p>
+
+<p style="margin-left:22%;">In case of showing the local
+config file parameter (<b>−l</b>) this prints all
+parameter, not just the ones different to the site wide or
+built-in defaults.</p>
+
+<h2>SAMPLE USAGE
+<a name="SAMPLE USAGE"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf
+−d</b></p>
+
+<p style="margin-left:22%;">Print the built-in default
+config pars.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf −d
+−w</b></p>
+
+<p style="margin-left:22%;">Write all the built-in defaults
+into the site wide config file.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf −s −O
+"SerialFormat: Incremental; Zonedir:
+/var/named/zones" <br>
+−w</b></p>
+
+<p style="margin-left:22%;">Change two parameters in the
+site wide <i>dnssec.conf</i> file.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf −w
+zone.db</b></p>
+
+<p style="margin-left:22%;">Add <b>$INCLUDE dnskey.db</b>
+to the zone file and set the maximum ttl paramter in the
+local config file to the maximum ttl fond in any RR of
+<i>zone.db</i>.</p>
+
+<h2>ENVIRONMENT VARIABLES
+<a name="ENVIRONMENT VARIABLES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
+
+<p style="margin-left:22%;">Specifies the name of the
+default global configuration files.</p>
+
+<h2>FILES
+<a name="FILES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Default global configuration
+file. The name of the default global config file is settable
+via the environment variable ZKT_CONFFILE.</p>
+
+
+<p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p>
+
+<p style="margin-left:22%;">View specific global
+configuration file.</p>
+
+<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Local configuration file
+(additionally used in <b>−l</b> mode).</p>
+
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
+
+<h2>COPYRIGHT
+<a name="COPYRIGHT"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Copyright (c)
+2005 − 2010 by Holger Zuleger. Licensed under the BSD
+Licences. There is NO warranty; not even for MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8),
+zkt-ls(8), zkt-keyman(8), <br>
+RFC4641 "DNSSEC Operational Practices" by Miek
+Gieben and Olaf Kolkman, <br>
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
+ (http://www.nlnetlabs.nl/dnssec_howto/)</p>
+<hr>
+</body>
+</html>
--- /dev/null
+.TH zkt-conf 8 "February 22, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt-conf \(em Secure DNS zone key config tool
+
+.SH SYNOPSYS
+.na
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.B \-d|\-\-default
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.RB [ \-s ]
+.RB [ \-c|\-\-config
+.IR "file" ]
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.B \-l|\-\-local
+.RB [ \-c|\-\-config
+.IR "file" ]
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+
+.B zkt-conf
+.RB [ \-c
+.IR "file" ]
+.RB [ \-w|\-\-write ]
+.I "zonefile"
+
+.br
+.ad
+
+.SH DESCRIPTION
+The
+.I zkt-conf
+command helps to create and show a config file for use by
+the Zone Key Tool commands, which are currently
+.I dnssec-zkt(8)
+and
+.IR zkt-signer(8) .
+.PP
+In general, the ZKT commands uses three sources for the config parameters:
+.HP 3
+a)
+The build-in default parameters
+.HP 3
+b)
+The side wide config file or the file specified with option -c
+will overload the built-in vars.
+The site wide config file is the file
+.I /var/named/dnssec.conf
+or the one set by the environment variable ZKT_CONF.
+.HP 3
+c)
+The local config file
+.I dnssec.conf
+in the current zone directory will also overload the parameters read so far.
+.PP
+Because of this overloading feature, none of the config files has to have
+a complete parameter set.
+Typically the local config file will have only those parameters which are
+different from the global or built-in ones.
+.PP
+The default operation of
+.I zkt-conf(8)
+is to print the site wide config file (same as option
+.BR \-s ).
+Option
+.B \-d
+will print out the built-in defaults while
+.B \-l
+just print the local config parameters which are different to the global ones.
+In the last case
+.B \-a
+gives the complete
+.RB ( \-\-all )
+parameter list.
+.PP
+In all forms of the command, the parameters are changeable via option
+.B \-O
+.RB ( \-\-config-option ).
+.PP
+With option
+.B \-w
+.RB ( \-\-write )
+the parameters will be written back to the config file.
+This is useful in case of an ZKT upgrade or if one or more parameters are changed
+by option
+.BR \-O .
+.PP
+Option
+.B \-t
+checks some of the parameter for reasonable values.
+.PP
+If the option
+.B \-t
+is given, all config parameters are checked against reasonable values.
+.PP
+Which config file is shown (or modified or checked) is determined by option
+.B \-d
+which means the built-in defaults, option
+.B \-l
+which means the local config file or
+.B \-s
+which specifies the site wide config file.
+Option
+.B \-s
+is the default.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or \-\-view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like
+.I zkt-conf-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read all parameter from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file parameter via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-a ", " \-\-all
+In case of showing the local config file parameter
+.RI ( \-l )
+print all parameter, not just the ones different o the site wide or built-in defaults.
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BR \-d ", " \-\-built-in-defaults
+List all the built-in default paremeter.
+.TP
+.BR \-s ", " \-\-sidecfg
+List all side wide config parameters (this is the default).
+.TP
+.BR \-l ", " \-\-localconf
+List all local config parameters which are different to the site-wide config
+parameters.
+With otion
+.B \-a
+.RB ( \-\-all )
+all config parameters will be shown.
+
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt-conf \-d
+.fam T
+Print the built-in default config pars.
+.TP
+.fam C
+.B "zkt-conf \-d \-w
+.fam T
+Write all the built-in defaults into the site wide config file.
+.TP
+.fam C
+.B "zkt-conf \-s \-\--option "SerialFormat: unixtime; Zonedir: /var/named/zones" "\-w
+.fam T
+Change two parameters in the site wide dnssec.conf file.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (additionallx used in
+.B \-l
+mode).
+
+.SH BUGS
+.PP
+Some of the general options will not be meaningful in all of the command modes.
+.PP
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), dnssec-zkt(8),
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
--- /dev/null
+.TH zkt\-keyman 8 "Apr 1, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt\-keyman \(em A DNSSEC key management tool
+
+.SH SYNOPSYS
+.na
+.B zkt\-keyman
+.BR \-C <label>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-krpz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-create= <label>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-krpz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.BR \- { P | A | D | R } <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-published= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-active= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-depreciate= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-rename= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.BR \-\-destroy= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.B \-9 | \-\-ksk-rollover
+.br
+.B zkt\-keyman
+.B \-1 | \-\-ksk-roll-phase1
+.I "do.ma.in."
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-2 | \-\-ksk-roll-phase2
+.I "do.ma.in."
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-3 | \-\-ksk-roll-phase3
+.I do.ma.in.
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-0 | \-\-ksk-roll-stat
+.I do.ma.in.
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.ad
+
+.SH DESCRIPTION
+The
+.I zkt\-keyman
+command is a wrapper around
+.I dnssec-keygen(8)
+to assist in dnssec zone key management.
+.PP
+The command is useful in dns key management.
+It is suitable for modification of key status.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or --view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like
+.I zkt\-keyman\-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read default values from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file option via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-d ", " \-\-directory
+Skip directory arguments.
+This will be useful in combination with wildcard arguments
+to prevent dnsssec-zkt to list all keys found in subdirectories.
+For example "zkt\-keyman -d *" will print out a list of all keys only found in
+the current directory.
+Maybe it is easier to use "zkt\-keyman ." instead (without -r set).
+The option works similar to the \-d option of
+.IR ls(1) .
+.TP
+.BR \-k ", " \-\-ksk
+Select key signing keys only (default depends on command mode).
+.TP
+.BR \-z ", " \-\-zsk
+Select zone signing keys only (default depends on command mode).
+.TP
+.BR \-r ", " \-\-recursive
+Recursive mode (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: Recursive).
+.TP
+.BR \-F ", " \-\-setlifetime
+Set the key lifetime of all the selected keys.
+Use option -k, -z, -l or the file and dir argument for key selection.
+.PP
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BI \-C " zone" ", \-\-create=" zone
+Create a new zone signing key for the given zone.
+Add option
+.B \-k
+to create a key signing key.
+The key algorithm and key length will be examined from built-in default values
+or from the parameter settings in the
+.I dnssec.conf
+file.
+.br
+The keyfile will be created in the current directory if
+the
+.B \-p
+option is specified.
+.TP
+.BI \-R " keyid" ", \-\-revoke=" keyid
+Revoke the key signing key with the given keyid.
+A revoked key has bit 8 in the flags filed set (see RFC5011).
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+.TP
+.BI \-\-rename=" keyid
+Rename the key files of the key with the given keyid
+(Look at key file names starting with an lower 'k').
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+.TP
+.BI \-\-destroy= keyid
+Deletes the key with the given keyid.
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+Beware that this deletes both private and public keyfiles, thus the key is
+unrecoverable lost.
+.TP
+.BI \-P|A|D " keyid," " \-\-published=" keyid, " \-\-active=" keyid, " \-\-depreciated=" keyid
+Change the status of the given dnssec key to
+published
+.RB ( \-P ),
+active
+.RB ( \-A )
+or depreciated
+.RB ( \-D ).
+The
+.I keyid
+is the numeric keytag with an optionally added zone name separated by a colon.
+Setting the status to "published" or "depreciate" will change the filename
+of the private key file to ".published" or ".depreciated" respectivly.
+This prevents the usage of the key as a signing key by the use of
+.IR dnssec-signzone(8) .
+The time of status change will be stored in the 'mtime' field of the corresponding
+".key" file.
+Key activation via option
+.B \-A
+will restore the original timestamp and file name (".private").
+.TP
+.BI \-\-ksk-roll-phase[123] " do.ma.in."
+Initiate a key signing key rollover of the specified domain.
+This feature is currently in experimental status and is mainly for the use
+in an hierachical environment.
+Use --ksk-rollover for a little more detailed description.
+
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt-keyman \-C example.net \-k \-r ./zonedir
+.fam T
+Create a new key signing key for the zone "example.net".
+Store the key in the same directory below "zonedir" where the other
+"example.net" keys live.
+.TP
+.fam C
+.B "zkt-keyman \-D 123245 \-r .
+.fam T
+Depreciate the key with tag "12345" below the current directory,
+.TP
+.fam C
+.B "zkt-keyman --view intern \-C example.net
+.fam T
+Create a new zone key for the internal zone example.net.
+.TP
+.fam C
+.B "zkt-keyman-intern
+.fam T
+Same as above.
+The binary file
+.I zkt\-keyman
+has another link, named
+.I zkt-keyman-intern
+made, and
+.I zkt\-keyman
+examines argv[0] to find a view whose zones it proceeds to process.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Built-in default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (only used in
+.B \-C
+mode).
+
+.SH BUGS
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2008 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-signer(8)
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
--- /dev/null
+<!-- Creator : groff version 1.20.1 -->
+<!-- CreationDate: Tue Mar 23 23:47:31 2010 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
+</style>
+<title>zkt−keyman</title>
+
+</head>
+<body>
+
+<h1 align="center">zkt−keyman</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSYS">SYNOPSYS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
+<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
+<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
+<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
+<a href="#FILES">FILES</a><br>
+<a href="#BUGS">BUGS</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
+<a href="#COPYRIGHT">COPYRIGHT</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">zkt−keyman
+— A DNSSEC key management tool</p>
+
+<h2>SYNOPSYS
+<a name="SYNOPSYS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
+−C</b><label> [<b>−V|--view</b>
+<i>view</i>] [<b>−c</b> <i>file</i>]
+[<b>−krpz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−keyman −−create=</b><label>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−krpz</b>]
+[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
+−</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>}<b><keytag></b>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−keyman −−published=</b><keytag>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−keyman −−active=</b><keytag>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−keyman −−depreciate=</b><keytag>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−keyman −−rename=</b><keytag>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
+−−destroy=</b><keytag>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
+−9 | −−ksk-rollover <br>
+zkt−keyman −1 |
+−−ksk-roll-phase1</b> <i>do.ma.in.</i>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] <b><br>
+zkt−keyman −2 |
+−−ksk-roll-phase2</b> <i>do.ma.in.</i>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] <b><br>
+zkt−keyman −3 |
+−−ksk-roll-phase3</b> <i>do.ma.in.</i>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] <b><br>
+zkt−keyman −0 | −−ksk-roll-stat</b>
+<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
+[<b>−c</b> <i>file</i>]</p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The
+<i>zkt−keyman</i> command is a wrapper around
+<i>dnssec-keygen(8)</i> to assist in dnssec zone key
+management.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The command is
+useful in dns key management. It is suitable for
+modification of key status.</p>
+
+<h2>GENERAL OPTIONS
+<a name="GENERAL OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−V</b>
+<i>view</i><b>, −−view=</b><i>view</i></p>
+
+<p style="margin-left:22%;">Try to read the default
+configuration out of a file named
+<i>dnssec-<view>.conf .</i> Instead of specifying the
+−V or --view option every time, it is also possible to
+create a hard or softlink to the executable file to give it
+an additional name like
+<i>zkt−keyman−<view> .</i></p>
+
+<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
+−−config=</b><i>file</i></p>
+
+<p style="margin-left:22%;">Read default values from the
+specified config file. Otherwise the default config file is
+read or build in defaults will be used.</p>
+
+<p style="margin-left:11%;"><b>−O</b>
+<i>optstr</i><b>,
+−−config-option=</b><i>optstr</i></p>
+
+<p style="margin-left:22%;">Set any config file option via
+the commandline. Several config file options could be
+specified at the argument string but have to be delimited by
+semicolon (or newline).</p>
+
+<p style="margin-left:11%;"><b>−d</b>,
+<b>−−directory</b></p>
+
+<p style="margin-left:22%;">Skip directory arguments. This
+will be useful in combination with wildcard arguments to
+prevent dnsssec-zkt to list all keys found in
+subdirectories. For example "zkt−keyman -d
+*" will print out a list of all keys only found in the
+current directory. Maybe it is easier to use
+"zkt−keyman ." instead (without -r set). The
+option works similar to the −d option of
+<i>ls(1)</i>.</p>
+
+<p style="margin-left:11%;"><b>−k</b>,
+<b>−−ksk</b></p>
+
+<p style="margin-left:22%;">Select key signing keys only
+(default depends on command mode).</p>
+
+<p style="margin-left:11%;"><b>−z</b>,
+<b>−−zsk</b></p>
+
+<p style="margin-left:22%;">Select zone signing keys only
+(default depends on command mode).</p>
+
+<p style="margin-left:11%;"><b>−r</b>,
+<b>−−recursive</b></p>
+
+<p style="margin-left:22%;">Recursive mode (default is
+off). <br>
+Also settable in the dnssec.conf file (Parameter:
+Recursive).</p>
+
+<p style="margin-left:11%;"><b>−F</b>,
+<b>−−setlifetime</b></p>
+
+<p style="margin-left:22%;">Set the key lifetime of all the
+selected keys. Use option -k, -z, -l or the file and dir
+argument for key selection.</p>
+
+<h2>COMMAND OPTIONS
+<a name="COMMAND OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−h</b>,
+<b>−−help</b></p>
+
+<p style="margin-left:22%;">Print out the online help.</p>
+
+<p style="margin-left:11%;"><b>−C</b> <i>zone</i><b>,
+−−create=</b><i>zone</i></p>
+
+<p style="margin-left:22%;">Create a new zone signing key
+for the given zone. Add option <b>−k</b> to create a
+key signing key. The key algorithm and key length will be
+examined from built-in default values or from the parameter
+settings in the <i>dnssec.conf</i> file. <br>
+The keyfile will be created in the current directory if the
+<b>−p</b> option is specified.</p>
+
+<p style="margin-left:11%;"><b>−R</b>
+<i>keyid</i><b>, −−revoke=</b><i>keyid</i></p>
+
+<p style="margin-left:22%;">Revoke the key signing key with
+the given keyid. A revoked key has bit 8 in the flags filed
+set (see RFC5011). The keyid is the numeric keytag with an
+optionally added zone name separated by a colon.</p>
+
+
+<p style="margin-left:11%;"><b>−−rename="</b><i>keyid</i></p>
+
+<p style="margin-left:22%;">Rename the key files of the key
+with the given keyid (Look at key file names starting with
+an lower ’k’). The keyid is the numeric keytag
+with an optionally added zone name separated by a colon.</p>
+
+
+<p style="margin-left:11%;"><b>−−destroy=</b><i>keyid</i></p>
+
+<p style="margin-left:22%;">Deletes the key with the given
+keyid. The keyid is the numeric keytag with an optionally
+added zone name separated by a colon. Beware that this
+deletes both private and public keyfiles, thus the key is
+unrecoverable lost.</p>
+
+<p style="margin-left:11%;"><b>−P|A|D</b>
+<i>keyid,</i> <b>−−published=</b><i>keyid,</i>
+<b>−−active=</b><i>keyid,</i>
+<b>−−depreciated=</b><i>keyid</i></p>
+
+<p style="margin-left:22%;">Change the status of the given
+dnssec key to published (<b>−P</b>), active
+(<b>−A</b>) or depreciated (<b>−D</b>). The
+<i>keyid</i> is the numeric keytag with an optionally added
+zone name separated by a colon. Setting the status to
+"published" or "depreciate" will change
+the filename of the private key file to
+".published" or ".depreciated"
+respectivly. This prevents the usage of the key as a signing
+key by the use of <i>dnssec-signzone(8)</i>. The time of
+status change will be stored in the ’mtime’
+field of the corresponding ".key" file. Key
+activation via option <b>−A</b> will restore the
+original timestamp and file name (".private").</p>
+
+
+<p style="margin-left:11%;"><b>−−ksk-roll-phase[123]</b>
+<i>do.ma.in.</i></p>
+
+<p style="margin-left:22%;">Initiate a key signing key
+rollover of the specified domain. This feature is currently
+in experimental status and is mainly for the use in an
+hierachical environment. Use --ksk-rollover for a little
+more detailed description.</p>
+
+<h2>SAMPLE USAGE
+<a name="SAMPLE USAGE"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
+−C example.net −k −r ./zonedir</b></p>
+
+<p style="margin-left:22%;">Create a new key signing key
+for the zone "example.net". Store the key in the
+same directory below "zonedir" where the other
+"example.net" keys live.</p>
+
+<p style="margin-left:11%;"><b>zkt-keyman −D 123245
+−r .</b></p>
+
+<p style="margin-left:22%;">Depreciate the key with tag
+"12345" below the current directory,</p>
+
+<p style="margin-left:11%;"><b>zkt-keyman --view intern
+−C example.net</b></p>
+
+<p style="margin-left:22%;">Create a new zone key for the
+internal zone example.net.</p>
+
+<p style="margin-left:11%;"><b>zkt-keyman-intern</b></p>
+
+<p style="margin-left:22%;">Same as above. The binary file
+<i>zkt−keyman</i> has another link, named
+<i>zkt-keyman-intern</i> made, and <i>zkt−keyman</i>
+examines argv[0] to find a view whose zones it proceeds to
+process.</p>
+
+<h2>ENVIRONMENT VARIABLES
+<a name="ENVIRONMENT VARIABLES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
+
+<p style="margin-left:22%;">Specifies the name of the
+default global configuration files.</p>
+
+<h2>FILES
+<a name="FILES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Built-in default global
+configuration file. The name of the default global config
+file is settable via the environment variable
+ZKT_CONFFILE.</p>
+
+
+<p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p>
+
+<p style="margin-left:22%;">View specific global
+configuration file.</p>
+
+<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Local configuration file (only
+used in <b>−C</b> mode).</p>
+
+<h2>BUGS
+<a name="BUGS"></a>
+</h2>
+
+
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
+
+<h2>COPYRIGHT
+<a name="COPYRIGHT"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Copyright (c)
+2005 − 2008 by Holger Zuleger. Licensed under the BSD
+Licences. There is NO warranty; not even for MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
+zkt-ls(8), zkt-signer(8) <br>
+RFC4641 "DNSSEC Operational Practices" by Miek
+Gieben and Olaf Kolkman, <br>
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
+ (http://www.nlnetlabs.nl/dnssec_howto/)</p>
+<hr>
+</body>
+</html>
--- /dev/null
+.TH zkt-ls 8 "February 25, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt\-ls \(em list dnskeys
+
+.SH SYNOPSYS
+.na
+.B zkt\-ls
+.B \-H
+
+.B zkt\-ls
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-adefhkLprtz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-ls
+.B \-T
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-ls
+.B \-\-list-trustedkeys
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-ls
+.B \-K
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhkrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-ls
+.B \-\-list-dnskeys
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhkrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.SH DESCRIPTION
+The
+.I zkt-ls
+command list all dnssec zone keys found in the given or predefined
+default directory.
+It is also possible to specify keyfiles (K*.key) as arguments.
+With option
+.B \-r
+subdirectories will be searched recursively and all dnssec keys found
+are listed, sorted by domain name, key type and generation time.
+In that mode the use of option
+.B \-p
+may be helpful to find the location of the keyfile in the directory tree.
+.PP
+Other forms of the command, print out keys in a format suitable for
+a trusted-key section
+.RB ( \-T )
+or as a DNSKEY
+.RB ( \-K )
+resource record.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or --view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like
+.I zkt-ls-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read default values from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file option via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BI \-l " list" ", \-\-label=" list
+Print out information solely about domains given in the comma or space separated
+list.
+Take care of, that every domain name has a trailing dot.
+.TP
+.BR \-d ", " \-\-directory
+Skip directory arguments.
+This will be useful in combination with wildcard arguments
+to prevent dnsssec-zkt to list all keys found in subdirectories.
+For example "zkt-ls -d *" will print out a list of all keys only found in
+the current directory.
+Maybe it is easier to use "zkt-ls ." instead (without -r set).
+The option works similar to the \-d option of
+.IR ls(1) .
+.TP
+.BR \-L ", " \-\-left-justify
+Print out the domain name left justified.
+.TP
+.BR \-k ", " \-\-ksk
+Select and print key signing keys only (default depends on command mode).
+.TP
+.BR \-z ", " \-\-zsk
+Select and print zone signing keys only (default depends on command mode).
+.TP
+.BR \-r ", " \-\-recursive
+Recursive mode (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: Recursive).
+.TP
+.BR \-p ", " \-\-path
+Print pathname in listing mode.
+In -C mode, don't create the new key in the same directory as (already existing)
+keys with the same label.
+.TP
+.BR \-a ", " \-\-age
+Print age of key in weeks, days, hours, minutes and seconds (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: PrintAge).
+.TP
+.BR \-f ", " \-\-lifetime
+Print the key lifetime.
+.TP
+.BR \-e ", " \-\-exptime
+Print the key expiration time.
+.TP
+.BR \-t ", " \-\-time
+Print the key generation time (default is on).
+.br
+Also settable in the dnssec.conf file (Parameter: PrintTime).
+.TP
+.B \-h
+No header or trusted-key section header and trailer in -T mode
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-H ", " \-\-help
+Print out the online help.
+.TP
+.BR \-T ", " \-\-list-trustedkeys
+List all key signing keys as a
+.I named.conf
+trusted-key section.
+Use
+.B \-h
+to supress the section header/trailer.
+.TP
+.BR \-K ", " \-\-list-dnskeys
+List the public part of all the keys in DNSKEY resource record format.
+Use
+.B \-h
+to suppress comment lines.
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt\-ls \-r .
+.fam T
+Print out a list of all zone keys found below the current directory.
+.TP
+.fam C
+.B "zkt\-ls \-Z \-c """"
+.fam T
+Print out the compiled in default parameters.
+.TP
+.fam C
+.B "zkt\-ls \-T ./zonedir/example.net
+.fam T
+Print out a trusted-key section containing the key signing keys of "example.net".
+.TP
+.fam C
+.B "zkt\-ls --view intern
+.fam T
+Print out a list of all zone keys found below the directory where all
+the zones of view intern live.
+There should be a seperate dnssec config file
+.I dnssec-intern.conf
+with a directory option to take affect of this.
+.TP
+.fam C
+.B "zkt\-ls\-intern
+.fam T
+Same as above.
+The binary file
+.I zkt\-ls
+has another link, named
+.I zkt\-ls\-intern
+made, and
+.I zkt\-ls
+examines argv[0] to find a view whose zones it proceeds to process.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Built-in default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (only used in
+.B \-C
+mode).
+
+.SH BUGS
+.PP
+Some of the general options will not be meaningful in all of the command modes.
+.br
+The option
+.B \-l
+and the ksk rollover options
+insist on domain names ending with a dot.
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-keyman(8), zkt-signer(8)
+.br
+RFC4641
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
--- /dev/null
+<!-- Creator : groff version 1.20.1 -->
+<!-- CreationDate: Tue Mar 23 23:47:33 2010 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
+</style>
+<title>zkt-ls</title>
+
+</head>
+<body>
+
+<h1 align="center">zkt-ls</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSYS">SYNOPSYS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
+<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
+<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
+<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
+<a href="#FILES">FILES</a><br>
+<a href="#BUGS">BUGS</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
+<a href="#COPYRIGHT">COPYRIGHT</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">zkt−ls
+— list dnskeys</p>
+
+<h2>SYNOPSYS
+<a name="SYNOPSYS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−H</b></p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls</b>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−adefhkLprtz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−T</b> [<b>−V|--view</b> <i>view</i>]
+[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−ls −−list-trustedkeys</b>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−K</b> [<b>−V|--view</b> <i>view</i>]
+[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhkrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt−ls −−list-dnskeys</b>
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−l</b> <i>list</i>]
+[<b>−dhkrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The
+<i>zkt-ls</i> command list all dnssec zone keys found in the
+given or predefined default directory. It is also possible
+to specify keyfiles (K*.key) as arguments. With option
+<b>−r</b> subdirectories will be searched recursively
+and all dnssec keys found are listed, sorted by domain name,
+key type and generation time. In that mode the use of option
+<b>−p</b> may be helpful to find the location of the
+keyfile in the directory tree.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Other forms of
+the command, print out keys in a format suitable for a
+trusted-key section (<b>−T</b>) or as a DNSKEY
+(<b>−K</b>) resource record.</p>
+
+<h2>GENERAL OPTIONS
+<a name="GENERAL OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−V</b>
+<i>view</i><b>, −−view=</b><i>view</i></p>
+
+<p style="margin-left:22%;">Try to read the default
+configuration out of a file named
+<i>dnssec-<view>.conf .</i> Instead of specifying the
+−V or --view option every time, it is also possible to
+create a hard or softlink to the executable file to give it
+an additional name like <i>zkt-ls-<view> .</i></p>
+
+<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
+−−config=</b><i>file</i></p>
+
+<p style="margin-left:22%;">Read default values from the
+specified config file. Otherwise the default config file is
+read or build in defaults will be used.</p>
+
+<p style="margin-left:11%;"><b>−O</b>
+<i>optstr</i><b>,
+−−config-option=</b><i>optstr</i></p>
+
+<p style="margin-left:22%;">Set any config file option via
+the commandline. Several config file options could be
+specified at the argument string but have to be delimited by
+semicolon (or newline).</p>
+
+<p style="margin-left:11%;"><b>−l</b> <i>list</i><b>,
+−−label=</b><i>list</i></p>
+
+<p style="margin-left:22%;">Print out information solely
+about domains given in the comma or space separated list.
+Take care of, that every domain name has a trailing dot.</p>
+
+<p style="margin-left:11%;"><b>−d</b>,
+<b>−−directory</b></p>
+
+<p style="margin-left:22%;">Skip directory arguments. This
+will be useful in combination with wildcard arguments to
+prevent dnsssec-zkt to list all keys found in
+subdirectories. For example "zkt-ls -d *" will
+print out a list of all keys only found in the current
+directory. Maybe it is easier to use "zkt-ls ."
+instead (without -r set). The option works similar to the
+−d option of <i>ls(1)</i>.</p>
+
+<p style="margin-left:11%;"><b>−L</b>,
+<b>−−left-justify</b></p>
+
+<p style="margin-left:22%;">Print out the domain name left
+justified.</p>
+
+<p style="margin-left:11%;"><b>−k</b>,
+<b>−−ksk</b></p>
+
+<p style="margin-left:22%;">Select and print key signing
+keys only (default depends on command mode).</p>
+
+<p style="margin-left:11%;"><b>−z</b>,
+<b>−−zsk</b></p>
+
+<p style="margin-left:22%;">Select and print zone signing
+keys only (default depends on command mode).</p>
+
+<p style="margin-left:11%;"><b>−r</b>,
+<b>−−recursive</b></p>
+
+<p style="margin-left:22%;">Recursive mode (default is
+off). <br>
+Also settable in the dnssec.conf file (Parameter:
+Recursive).</p>
+
+<p style="margin-left:11%;"><b>−p</b>,
+<b>−−path</b></p>
+
+<p style="margin-left:22%;">Print pathname in listing mode.
+In -C mode, don’t create the new key in the same
+directory as (already existing) keys with the same
+label.</p>
+
+<p style="margin-left:11%;"><b>−a</b>,
+<b>−−age</b></p>
+
+<p style="margin-left:22%;">Print age of key in weeks,
+days, hours, minutes and seconds (default is off). <br>
+Also settable in the dnssec.conf file (Parameter:
+PrintAge).</p>
+
+<p style="margin-left:11%;"><b>−f</b>,
+<b>−−lifetime</b></p>
+
+<p style="margin-left:22%;">Print the key lifetime.</p>
+
+<p style="margin-left:11%;"><b>−e</b>,
+<b>−−exptime</b></p>
+
+<p style="margin-left:22%;">Print the key expiration
+time.</p>
+
+<p style="margin-left:11%;"><b>−t</b>,
+<b>−−time</b></p>
+
+<p style="margin-left:22%;">Print the key generation time
+(default is on). <br>
+Also settable in the dnssec.conf file (Parameter:
+PrintTime).</p>
+
+<table width="100%" border="0" rules="none" frame="void"
+ cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="3%">
+
+
+<p><b>−h</b></p></td>
+<td width="8%"></td>
+<td width="78%">
+
+
+<p>No header or trusted-key section header and trailer in
+-T mode</p></td></tr>
+</table>
+
+<h2>COMMAND OPTIONS
+<a name="COMMAND OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−H</b>,
+<b>−−help</b></p>
+
+<p style="margin-left:22%;">Print out the online help.</p>
+
+<p style="margin-left:11%;"><b>−T</b>,
+<b>−−list-trustedkeys</b></p>
+
+<p style="margin-left:22%;">List all key signing keys as a
+<i>named.conf</i> trusted-key section. Use <b>−h</b>
+to supress the section header/trailer.</p>
+
+<p style="margin-left:11%;"><b>−K</b>,
+<b>−−list-dnskeys</b></p>
+
+<p style="margin-left:22%;">List the public part of all the
+keys in DNSKEY resource record format. Use <b>−h</b>
+to suppress comment lines.</p>
+
+<h2>SAMPLE USAGE
+<a name="SAMPLE USAGE"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt−ls
+−r .</b></p>
+
+<p style="margin-left:22%;">Print out a list of all zone
+keys found below the current directory.</p>
+
+<p style="margin-left:11%;"><b>zkt−ls −Z
+−c ""</b></p>
+
+<p style="margin-left:22%;">Print out the compiled in
+default parameters.</p>
+
+<p style="margin-left:11%;"><b>zkt−ls −T
+./zonedir/example.net</b></p>
+
+<p style="margin-left:22%;">Print out a trusted-key section
+containing the key signing keys of
+"example.net".</p>
+
+<p style="margin-left:11%;"><b>zkt−ls --view
+intern</b></p>
+
+<p style="margin-left:22%;">Print out a list of all zone
+keys found below the directory where all the zones of view
+intern live. There should be a seperate dnssec config file
+<i>dnssec-intern.conf</i> with a directory option to take
+affect of this.</p>
+
+
+<p style="margin-left:11%;"><b>zkt−ls−intern</b></p>
+
+<p style="margin-left:22%;">Same as above. The binary file
+<i>zkt−ls</i> has another link, named
+<i>zkt−ls−intern</i> made, and
+<i>zkt−ls</i> examines argv[0] to find a view whose
+zones it proceeds to process.</p>
+
+<h2>ENVIRONMENT VARIABLES
+<a name="ENVIRONMENT VARIABLES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
+
+<p style="margin-left:22%;">Specifies the name of the
+default global configuration files.</p>
+
+<h2>FILES
+<a name="FILES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Built-in default global
+configuration file. The name of the default global config
+file is settable via the environment variable
+ZKT_CONFFILE.</p>
+
+
+<p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p>
+
+<p style="margin-left:22%;">View specific global
+configuration file.</p>
+
+<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Local configuration file (only
+used in <b>−C</b> mode).</p>
+
+<h2>BUGS
+<a name="BUGS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Some of the
+general options will not be meaningful in all of the command
+modes. <br>
+The option <b>−l</b> and the ksk rollover options
+insist on domain names ending with a dot.</p>
+
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
+
+<h2>COPYRIGHT
+<a name="COPYRIGHT"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Copyright (c)
+2005 − 2010 by Holger Zuleger. Licensed under the BSD
+Licences. There is NO warranty; not even for MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
+zkt-keyman(8), zkt-signer(8) <br>
+RFC4641 "DNSSEC Operational Practices" by Miek
+Gieben and Olaf Kolkman, <br>
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
+ (http://www.nlnetlabs.nl/dnssec_howto/)</p>
+<hr>
+</body>
+</html>
--- /dev/null
+.TH zkt-signer 8 "Feb 2, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\" if n .nh
+.nh
+.SH NAME
+zkt-signer \(em Secure DNS zone signing tool
+
+.SH SYNOPSYS
+.na
+.B zkt-signer
+.RB [ \-L|--logfile
+.IR "file" ]
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-fhnr ]
+.RB [ \-v
+.RB [ \-v ]]
+.B \-N
+.I "named.conf"
+.RI [ zone
+.RI "" ... ]
+.br
+.B zkt-signer
+.RB [ \-L|--logfile
+.IR "file" ]
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-fhnr ]
+.RB [ \-v
+.RB [ \-v ]]
+.RB [ \-D
+.IR "directory" ]
+.RI [ zone
+.RI "" ... ]
+.br
+.B zkt-signer
+.RB [ \-L|--logfile
+.IR "file" ]
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-fhnr ]
+.RB [ \-v
+.RB [ \-v ]]
+.B \-o
+.IR "origin"
+.RI [ zonefile ]
+
+.SH DESCRIPTION
+The
+.I zkt-signer
+command is a wrapper around
+.I dnssec-signzone(8)
+and
+.I dnssec-keygen(8)
+to sign a zone and manage the necessary zone keys.
+It is able to increment the serial number before signing the zone
+and can trigger
+.I named(8)
+to reload the signed zone file.
+The command controls several secure zones and, if started in regular
+intervals via
+.IR cron(8) ,
+can do all that stuff automatically.
+.PP
+In the most useful usage scenario the command will be called with option
+.B \-N
+to read the secure zones out of the given
+.I named.conf
+file.
+If you have a configuration file with views, you have to use option
+-V viewname or --view viewname to specify the name of the view.
+Alternately you could link the executable file to a second name like
+.I zkt-signer-viewname
+and use that command to specify the name of the view.
+All master zone statements will be scanned for filenames
+ending with ".signed".
+These zones will be checked if the necessary zone- and key signing keys
+are existent and fresh enough to be used in the signing process.
+If one or more out-dated keys are found, new keying material will be generated via
+the
+.I dnssec-keygen(8)
+command and the old keys will be marked as depreciated.
+So the command do anything needed for a zone key rollover as defined by [2].
+.PP
+If the resigning interval is reached or any new key must be announced,
+the serial number of the zone will be incremented and the
+.I dnssec-signzone(8)
+command will be evoked to sign the zone.
+After that, if the option
+.B \-r
+is given, the
+.I rndc(8)
+command will be called to reload the zone on the
+nameserver.
+.PP
+In the second form of the command it is possible to specify a directory
+tree with the option
+.B \-D
+.IR dir .
+Every secure zone found in a subdirectory below
+.I dir
+will be signed.
+However, it is also possible to reduce the signing to those
+zones given as arguments.
+.ig
+In directory mode the pre-requisite is, that the directory name is
+exactly (including the trailing dot) the same as the zone name.
+..
+.PP
+In the last form of the command, the functionality is more or less the same
+as the
+.I dnssec-signzone (8)
+command.
+The parameter specifies the zone file name and the option
+.B \-o
+takes the name of the zone.
+.PP
+If neither
+.B \-N
+nor
+.B \-D
+nor
+.B \-o
+is given, then the default directory specified in the
+.I dnssec.conf
+file by the parameter
+.I zonedir
+will be used as top level directory.
+
+.SH OPTIONS
+.TP
+.BI \-L " file|dir" ", \-\-logfile=" file|dir
+Specify the name of a log file or a directory where
+logfiles are created with a name like
+.fam C
+.\"# define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
+.RI zkt- YYYY-MM-DD T hhmmss Z.log .
+.fam T
+.\" \&.
+If the argument is not an absolute path name and a zone directory
+is specified in the config file, this will be prepended to the given name.
+This option is also settable in the dnssec.conf file via the parameter
+.BI LogFile .
+.br
+The default is no file logging, but error logging to syslog with facility
+.BI USER
+at level
+.BI ERROR
+is enabled by default.
+These parameters are settable via the config file parameter
+.BI "SyslogFacility" ,
+.BI "SyslogLevel" ,
+.BI "LogFile"
+and
+.BI "Loglevel" .
+.br
+The additional parameter
+.BI VerboseLog
+specifies the verbosity (0|1|2) of messages that will be logged
+with level
+.BI DEBUG
+to file and syslog.
+
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or --view option every time,
+it is also possible to create a hard- or softlink to the
+executable file with an additional name like
+.I zkt-signer-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read configuration values out of the specified file.
+Otherwise the default config file is read or build-in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file option via the commandline.
+Several config file options can be specified via the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-f ", " \-\-force
+Force a resigning of the zone, regardless if the resigning interval
+is reached or new keys must be announced.
+.TP
+.BR \-n ", " \-\-noexec
+Don't execute the
+.I dnssec-signzone(8)
+command.
+Currently this option is of very limited usage.
+.TP
+.BR \-r ", " \-\-reload
+Reload the zone via
+.I rndc(8)
+after successful signing.
+In a production environment it is recommended to use this option
+to be sure that a freshly signed zone will be immediately propagated.
+However, that's only feasable if named runs on the signing
+machine, which is not recommended.
+.ig
+Otherwise the signed zonefile must be copied to the production
+server before reloading the zone.
+If this is the case, the parameter
+.I propagation
+in the
+.I dnssec.conf
+file must be set to a reasonable value.
+..
+.TP
+.BR \-v ", " \-\-verbose
+Verbose mode (recommended).
+A second
+.B \-v
+will be a little more verbose.
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+
+.SH SAMPLE USAGE
+.TP
+.fam C
+.B "zkt-signer \-N /var/named/named.conf \-r \-v \-v
+.fam T
+Sign all secure zones found in the named.conf file and, if necessary,
+trigger a reload of the zone.
+Print some explanatory remarks on stdout.
+.TP
+.fam C
+.B "zkt-signer \-D zonedir/example.net. \-f \-v \-v
+.fam T
+Force the signing of the zone found in the directory
+.I zonedir/example.net .
+Do not reload the zone.
+.TP
+.fam C
+.B "zkt-signer \-D zonedir \-f \-v \-v example.net.
+.fam T
+Same as above.
+.TP
+.fam C
+.B "zkt-signer \-f \-v \-v example.net.
+.fam T
+Same as above if the
+.I dnssec.conf
+file contains the path of the parent directory of the
+.I example.net
+zone.
+.TP
+.fam C
+.B "zkt-signer \-f \-v \-v \-o example.net. zone.db
+.fam T
+Same as above if we are in the directory containing the
+.I example.net
+files.
+.TP
+.fam C
+.B "zkt-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
+.B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
+.fam T
+.br
+Sign the example.net zone but override some config file values with parameters
+given on the commandline.
+
+.SH Zone setup and initial preparation
+.TP
+Create a separate directory for every secure zone.
+.br
+This is useful because there are many additional files needed to
+secure a zone.
+Besides the zone file
+.RI ( zone.db ),
+there is a signed zone file
+.RI ( zone.db.signed),
+a minimum of four files containing the keying material,
+a file called
+.I dnskey.db
+with the current used keys,
+and the
+.I dsset-
+and
+.IR keyset- files
+created by the
+.I dnssec-signzone(8)
+command.
+So in summary there is a minimum of nine files used per secure zone.
+For every additional key there are two extra files and
+every delegated subzone creates also two or three files.
+.TP
+Name the directory just like the zone.
+.br
+That's only needed if you want to use the zkt-signer command in
+directory mode
+.RB ( \-D ).
+Then the name of the zone will be parsed out of the directory name.
+.TP
+Change the name of the zone file to \fIzone.db\fP
+Otherwise you have to set the name via the
+.I dnssec.conf
+parameter
+.IR zonefile ,
+or you have to use the option
+.B \-o
+to name the zone and specify the zone file as argument.
+.TP
+Add the name of the signed zonefile to the \fInamed.conf\fP file
+The filename is the name of the zone file with the
+extension
+.IR .signed .
+Create an empty file with the name
+.IB zonefile .signed
+in the zone directory.
+.TP
+Include the keyfile in the zone.
+The name of the keyfile is settable by the
+.I dnssec.conf
+parameter
+.I keyfile .
+The default is
+.I dnskey.db .
+.br
+.if t \{\
+.nf
+.fam C
+ ...
+ IN NS ns1.example.net.
+ IN NS ns2.example.net.
+$INCLUDE dnskey.db
+ ...
+.fi
+.fam T
+You can also run
+.I zkt-conf(8)
+in the secure zone directory to do this.
+Try
+.br
+.if t \{\
+.nf
+.fam C
+$ zkt-conf -w zone.db
+.fi
+.fam T
+.\}
+.TP
+Control the format of the SOA-Record
+For automatic incrementation of the serial number, the SOA-Record
+must be formated, so that the serial number is on a single line and
+left justified in a field of at least 10 spaces!
+.if t \{\
+.fam C
+.fi 0
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 60 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ); Minimum
+.fi
+.fam T
+.\}
+If you use BIND version 9.4 or later and
+use the unixtime format for the serial number (which is the default since ZKT-1.0)
+than this is not necessary.
+See also the parameter Serialformat in
+.IR dnssec.conf .
+.TP
+Try to sign the zone
+If the current working directory is the directory of the zone
+.IR example.net ,
+use the command
+.fam C
+.nf
+.sp 0.5
+ $ zkt-signer \-D .. \-v \-v example.net
+ or
+ $ zkt-signer \-o example.net.
+.sp 0.5
+.fi
+.fam T
+to create the initial keying material and a signed zone file.
+Then try to load the file on the name server.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Built-in default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+Use
+.I zkt-conf(8)
+with option
+.B \-w
+or
+.I dnssec-zkt(8)
+with option
+.B \-Z
+to create an initial config file.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file.
+The file contains typically only the diff to the global site wide config file.
+Use for example
+.fam C
+.nf
+.sp 0.5
+ $ zkt-conf -w -l -O "key_ttl: 5d"
+.sp 0.5
+.fi
+.fam T
+to create a local config file with a different key ttl time.
+.TP
+.I dnskey.db
+The file contains the currently used key and zone signing keys.
+It will be created by
+.IR dnsssec-signer(8) .
+The name of the file is settable via the dnssec configuration
+file (parameter
+.IR keyfile ).
+.TP
+.I zone.db
+This is the zone file.
+The name of the file is settable via the dnssec configuration
+file (parameter
+.IR zonefile ).
+
+.SH BUGS
+.PP
+The named.conf parser is a bit rudimental and not
+very well tested.
+
+.SH AUTHORS
+The man page is written by
+Holger Zuleger and Mans Nilsson
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
+Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-keygen(8)
+.br
+RFC4033, RFC4034, RFC4035
+.br
+[1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
+.br
+[2] RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman
+.br
+(http://www.ietf.org/rfc/rfc4641.txt)
--- /dev/null
+<!-- Creator : groff version 1.20.1 -->
+<!-- CreationDate: Tue Mar 23 23:47:33 2010 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+ p { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ table { margin-top: 0; margin-bottom: 0; vertical-align: top }
+ h1 { text-align: center }
+</style>
+<title>zkt-signer</title>
+
+</head>
+<body>
+
+<h1 align="center">zkt-signer</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSYS">SYNOPSYS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#OPTIONS">OPTIONS</a><br>
+<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
+<a href="#Zone setup and initial preparation">Zone setup and initial preparation</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">zkt-signer
+— Secure DNS zone signing tool</p>
+
+<h2>SYNOPSYS
+<a name="SYNOPSYS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer</b>
+[<b>−L|--logfile</b> <i>file</i>]
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
+[<b>−v</b>]] <b>−N</b> <i>named.conf</i>
+[<i>zone ...</i>] <b><br>
+zkt-signer</b> [<b>−L|--logfile</b> <i>file</i>]
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
+[<b>−v</b>]] [<b>−D</b> <i>directory</i>]
+[<i>zone ...</i>] <b><br>
+zkt-signer</b> [<b>−L|--logfile</b> <i>file</i>]
+[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
+<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
+[<b>−v</b>]] <b>−o</b> <i>origin</i>
+[<i>zonefile</i>]</p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The
+<i>zkt-signer</i> command is a wrapper around
+<i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> to
+sign a zone and manage the necessary zone keys. It is able
+to increment the serial number before signing the zone and
+can trigger <i>named(8)</i> to reload the signed zone file.
+The command controls several secure zones and, if started in
+regular intervals via <i>cron(8)</i>, can do all that stuff
+automatically.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In the most
+useful usage scenario the command will be called with option
+<b>−N</b> to read the secure zones out of the given
+<i>named.conf</i> file. If you have a configuration file
+with views, you have to use option -V viewname or --view
+viewname to specify the name of the view. Alternately you
+could link the executable file to a second name like
+<i>zkt-signer-viewname</i> and use that command to specify
+the name of the view. All master zone statements will be
+scanned for filenames ending with ".signed". These
+zones will be checked if the necessary zone- and key signing
+keys are existent and fresh enough to be used in the signing
+process. If one or more out-dated keys are found, new keying
+material will be generated via the <i>dnssec-keygen(8)</i>
+command and the old keys will be marked as depreciated. So
+the command do anything needed for a zone key rollover as
+defined by [2].</p>
+
+<p style="margin-left:11%; margin-top: 1em">If the
+resigning interval is reached or any new key must be
+announced, the serial number of the zone will be incremented
+and the <i>dnssec-signzone(8)</i> command will be evoked to
+sign the zone. After that, if the option <b>−r</b> is
+given, the <i>rndc(8)</i> command will be called to reload
+the zone on the nameserver.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In the second
+form of the command it is possible to specify a directory
+tree with the option <b>−D</b> <i>dir</i>. Every
+secure zone found in a subdirectory below <i>dir</i> will be
+signed. However, it is also possible to reduce the signing
+to those zones given as arguments.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In the last
+form of the command, the functionality is more or less the
+same as the <i>dnssec-signzone (8)</i> command. The
+parameter specifies the zone file name and the option
+<b>−o</b> takes the name of the zone.</p>
+
+<p style="margin-left:11%; margin-top: 1em">If neither
+<b>−N</b> nor <b>−D</b> nor <b>−o</b> is
+given, then the default directory specified in the
+<i>dnssec.conf</i> file by the parameter <i>zonedir</i> will
+be used as top level directory.</p>
+
+<h2>OPTIONS
+<a name="OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>−L</b>
+<i>file|dir</i><b>,
+−−logfile=</b><i>file|dir</i></p>
+
+<p style="margin-left:22%;">Specify the name of a log file
+or a directory where logfiles are created with a name like
+zkt-<i>YYYY-MM-DD</i>T<i>hhmmss</i>Z.log<i>.</i> If the
+argument is not an absolute path name and a zone directory
+is specified in the config file, this will be prepended to
+the given name. This option is also settable in the
+dnssec.conf file via the parameter <b>LogFile</b><i>.</i>
+<br>
+The default is no file logging, but error logging to syslog
+with facility <b>USER</b> at level <b>ERROR</b> is enabled
+by default. These parameters are settable via the config
+file parameter <b>SyslogFacility</b><i>,</i>
+<b>SyslogLevel</b><i>,</i> <b>LogFile</b> and
+<b>Loglevel</b><i>.</i> <br>
+The additional parameter <b>VerboseLog</b> specifies the
+verbosity (0|1|2) of messages that will be logged with level
+<b>DEBUG</b> to file and syslog.</p>
+
+<p style="margin-left:11%;"><b>−V</b> <i>view</i><b>,
+−−view=</b><i>view</i></p>
+
+<p style="margin-left:22%;">Try to read the default
+configuration out of a file named
+<i>dnssec-<view>.conf .</i> Instead of specifying the
+−V or --view option every time, it is also possible to
+create a hard- or softlink to the executable file with an
+additional name like <i>zkt-signer-<view> .</i></p>
+
+<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
+−−config=</b><i>file</i></p>
+
+<p style="margin-left:22%;">Read configuration values out
+of the specified file. Otherwise the default config file is
+read or build-in defaults will be used.</p>
+
+<p style="margin-left:11%;"><b>−O</b>
+<i>optstr</i><b>,
+−−config-option=</b><i>optstr</i></p>
+
+<p style="margin-left:22%;">Set any config file option via
+the commandline. Several config file options can be
+specified via the argument string but have to be delimited
+by semicolon (or newline).</p>
+
+<p style="margin-left:11%;"><b>−f</b>,
+<b>−−force</b></p>
+
+<p style="margin-left:22%;">Force a resigning of the zone,
+regardless if the resigning interval is reached or new keys
+must be announced.</p>
+
+<p style="margin-left:11%;"><b>−n</b>,
+<b>−−noexec</b></p>
+
+<p style="margin-left:22%;">Don’t execute the
+<i>dnssec-signzone(8)</i> command. Currently this option is
+of very limited usage.</p>
+
+<p style="margin-left:11%;"><b>−r</b>,
+<b>−−reload</b></p>
+
+<p style="margin-left:22%;">Reload the zone via
+<i>rndc(8)</i> after successful signing. In a production
+environment it is recommended to use this option to be sure
+that a freshly signed zone will be immediately propagated.
+However, that’s only feasable if named runs on the
+signing machine, which is not recommended.</p>
+
+<p style="margin-left:11%;"><b>−v</b>,
+<b>−−verbose</b></p>
+
+<p style="margin-left:22%;">Verbose mode (recommended). A
+second <b>−v</b> will be a little more verbose.</p>
+
+<p style="margin-left:11%;"><b>−h</b>,
+<b>−−help</b></p>
+
+<p style="margin-left:22%;">Print out the online help.</p>
+
+<h2>SAMPLE USAGE
+<a name="SAMPLE USAGE"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer
+−N /var/named/named.conf −r −v
+−v</b></p>
+
+<p style="margin-left:22%;">Sign all secure zones found in
+the named.conf file and, if necessary, trigger a reload of
+the zone. Print some explanatory remarks on stdout.</p>
+
+<p style="margin-left:11%;"><b>zkt-signer −D
+zonedir/example.net. −f −v −v</b></p>
+
+<p style="margin-left:22%;">Force the signing of the zone
+found in the directory <i>zonedir/example.net .</i> Do not
+reload the zone.</p>
+
+<p style="margin-left:11%;"><b>zkt-signer −D zonedir
+−f −v −v example.net.</b></p>
+
+<p style="margin-left:22%;">Same as above.</p>
+
+<p style="margin-left:11%;"><b>zkt-signer −f −v
+−v example.net.</b></p>
+
+<p style="margin-left:22%;">Same as above if the
+<i>dnssec.conf</i> file contains the path of the parent
+directory of the <i>example.net</i> zone.</p>
+
+<p style="margin-left:11%;"><b>zkt-signer −f −v
+−v −o example.net. zone.db</b></p>
+
+<p style="margin-left:22%;">Same as above if we are in the
+directory containing the <i>example.net</i> files.</p>
+
+<p style="margin-left:11%;"><b>zkt-signer
+−−config-option=’ResignInterval 1d;
+Sigvalidity 28h; \</b></p>
+
+<p style="margin-left:22%;"><b>ZSK_lifetime 2d;’
+−v −v −o example.net. zone.db</b> <br>
+Sign the example.net zone but override some config file
+values with parameters given on the commandline.</p>
+
+<h2>Zone setup and initial preparation
+<a name="Zone setup and initial preparation"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Create a
+separate directory for every secure zone.</p>
+
+<p style="margin-left:22%;">This is useful because there
+are many additional files needed to secure a zone. Besides
+the zone file (<i>zone.db</i>), there is a signed zone file
+(<i>zone.db.signed),</i> a minimum of four files containing
+the keying material, a file called <i>dnskey.db</i> with the
+current used keys, and the <i>dsset-</i> and
+<i>keyset-</i>files created by the <i>dnssec-signzone(8)</i>
+command. So in summary there is a minimum of nine files used
+per secure zone. For every additional key there are two
+extra files and every delegated subzone creates also two or
+three files.</p>
+
+<p style="margin-left:11%;">Name the directory just like
+the zone.</p>
+
+<p style="margin-left:22%;">That’s only needed if you
+want to use the zkt-signer command in directory mode
+(<b>−D</b>). Then the name of the zone will be parsed
+out of the directory name.</p>
+
+<p style="margin-left:11%;">Change the name of the zone
+file to <i>zone.db</i></p>
+
+<p style="margin-left:22%;">Otherwise you have to set the
+name via the <i>dnssec.conf</i> parameter <i>zonefile</i>,
+or you have to use the option <b>−o</b> to name the
+zone and specify the zone file as argument.</p>
+
+<p style="margin-left:11%;">Add the name of the signed
+zonefile to the <i>named.conf</i> file</p>
+
+<p style="margin-left:22%;">The filename is the name of the
+zone file with the extension <i>.signed</i>. Create an empty
+file with the name <i>zonefile</i><b>.signed</b> in the zone
+directory.</p>
+
+<p style="margin-left:11%;">Include the keyfile in the
+zone.</p>
+
+<p style="margin-left:22%;">The name of the keyfile is
+settable by the <i>dnssec.conf</i> parameter <i>keyfile
+.</i> The default is <i>dnskey.db .</i></p>
+<hr>
+</body>
+</html>
--- /dev/null
+/*****************************************************************
+**
+** tcap.c -- termcap color capabilities
+**
+** (c) Jan 1991 - Feb 2010 by hoz
+**
+** Feb 2002 max line size increased to 512 byte
+** default terminal "html" added
+** Feb 2010 color capabilities added
+**
+*****************************************************************/
+
+#include <stdio.h>
+#include <string.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+# include "config_zkt.h"
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+# ifdef HAVE_TERM_H
+# include <term.h>
+# endif
+# ifdef HAVE_CURSES_H
+# include <curses.h>
+# endif
+#endif
+
+#define extern
+# include "tcap.h"
+#undef extern
+
+/*****************************************************************
+** global vars
+*****************************************************************/
+/* termcap strings */
+static const char *is1 = "";
+static const char *is2 = "";
+static const char *r1 = "";
+static const char *r2 = "";
+static const char *bold_on = "";
+static const char *bold_off = "";
+static const char *italic_on = "";
+static const char *italic_off = "";
+static char colortab[8][31+1];
+
+/* termcap numbers */
+static int maxcolor;
+
+/* function declaration */
+static int tc_printattr (FILE *fp, const char *attstr);
+static int tc_color (FILE *fp, int color);
+
+static int html = 0;
+
+
+
+/*****************************************************************
+** global functions
+*****************************************************************/
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int tc_init (FILE *fp, const char *term)
+{
+ static char area[1024];
+ char buf[1024];
+ char *ap = area;
+ char *af = ""; /* AF */ /* ansi foreground */
+ int i;
+
+ /* clear all color strings */
+ for ( i = 0; i < 8; i++ )
+ colortab[i][0] = '\0';
+
+ if ( term == NULL || *term == '\0' ||
+ strcmp (term, "none") == 0 || strcmp (term, "dumb") == 0 )
+ return 0;
+
+ if ( strcmp (term, "html") == 0 || strcmp (term, "HTML") == 0 )
+ {
+ bold_on = "<B>";
+ bold_off = "</B>";
+ italic_on = "<I>";
+ italic_off = "</I>";
+ af = "";
+ maxcolor = 8;
+ snprintf (colortab[TC_BLACK], sizeof colortab[0], "<font color=black>");
+ snprintf (colortab[TC_BLUE], sizeof colortab[0], "<font color=blue>");
+ snprintf (colortab[TC_GREEN], sizeof colortab[0], "<font color=green>");
+ snprintf (colortab[TC_CYAN], sizeof colortab[0], "<font color=cyan>");
+ snprintf (colortab[TC_RED], sizeof colortab[0], "<font color=red>");
+ snprintf (colortab[TC_MAGENTA], sizeof colortab[0], "<font color=magenta>");
+ snprintf (colortab[TC_YELLOW], sizeof colortab[0], "<font color=yellow>");
+ snprintf (colortab[TC_WHITE], sizeof colortab[0], "<font color=white>");
+ html = 1;
+ return 0;
+ }
+#if 0
+ if ( !istty (fp) )
+ return 0;
+#endif
+ switch ( tgetent (buf, term) )
+ {
+ case -1: perror ("termcap file");
+ return -1;
+ case 0: fprintf (stderr, "unknown terminal %s\n", term);
+ return -1;
+ }
+
+ if ( !(is1 = tgetstr ("is1", &ap)) )
+ is1 = "";
+ if ( !(is2 = tgetstr ("is2", &ap)) )
+ is2 = "";
+ if ( !(r1 = tgetstr ("r1", &ap)) )
+ r1 = "";
+ if ( !(r2 = tgetstr ("r2", &ap)) )
+ r2 = "";
+
+ /* if bold is not present */
+ if ( !(bold_on = tgetstr ("md", &ap)) )
+ /* use standout mode */
+ if ( !(bold_on = tgetstr ("so", &ap)) )
+ bold_on = bold_off = "";
+ else
+ bold_off = tgetstr ("se", &ap);
+ else
+ bold_off = tgetstr ("me", &ap);
+
+ /* if italic not present */
+ if ( !(italic_on = tgetstr ("ZH", &ap)) )
+ /* use underline mode */
+ if ( !(italic_on = tgetstr ("us", &ap)) )
+ italic_on = italic_off = "";
+ else
+ italic_off = tgetstr ("ue", &ap);
+ else
+ italic_off = tgetstr ("ZR", &ap);
+
+ maxcolor = tgetnum ("Co");
+ if ( maxcolor < 0 ) /* no colors ? */
+ return 0;
+ if ( maxcolor > 8 )
+ maxcolor = 8;
+
+ if ( (af = tgetstr ("AF", &ap)) ) /* set ansi color foreground */
+ {
+ for ( i = 0; i < maxcolor; i++ )
+ snprintf (colortab[i], sizeof colortab[0], "%s", tparm (af, i));
+ }
+ else if ( (af = tgetstr ("Sf", &ap)) ) /* or set color foreground */
+ {
+ snprintf (colortab[TC_BLACK], sizeof colortab[0], "%s", tparm (af, 0));
+ snprintf (colortab[TC_BLUE], sizeof colortab[0], "%s", tparm (af, 1));
+ snprintf (colortab[TC_GREEN], sizeof colortab[0], "%s", tparm (af, 2));
+ snprintf (colortab[TC_CYAN], sizeof colortab[0], "%s", tparm (af, 3));
+ snprintf (colortab[TC_RED], sizeof colortab[0], "%s", tparm (af, 4));
+ snprintf (colortab[TC_MAGENTA], sizeof colortab[0], "%s", tparm (af, 5));
+ snprintf (colortab[TC_YELLOW], sizeof colortab[0], "%s", tparm (af, 6));
+ snprintf (colortab[TC_WHITE], sizeof colortab[0], "%s", tparm (af, 7));
+ }
+
+#if 0
+ if ( is1 && *is1 )
+ tc_printattr (fp, is1);
+ if ( is2 && *is2 )
+ tc_printattr (fp, is2);
+#endif
+
+ return 0;
+}
+#else
+int tc_init (FILE *fp, const char *term)
+{
+ int i;
+
+ is1 = "";
+ is2 = "";
+ r1 = "";
+ r2 = "";
+ bold_on = "";
+ bold_off = "";
+ italic_on = "";
+ italic_off = "";
+ for ( i = 0; i < 8; i++ )
+ colortab[i][0] = '\0';
+ maxcolor = 0;
+ html = 0;
+
+ return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int tc_end (FILE *fp, const char *term)
+{
+#if 0
+ if ( term )
+ {
+// if ( r1 && *r1 ) tc_printattr (fp, r1);
+ if ( r2 && *r2 )
+ tc_printattr (fp, r2);
+ }
+#endif
+ return 0;
+}
+#else
+int tc_end (FILE *fp, const char *term)
+{
+ return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int tc_attr (FILE *fp, tc_att_t attr, int on)
+{
+ int len;
+
+ len = 0;
+ if ( on ) /* turn attributes on ? */
+ {
+ if ( (attr & TC_BOLD) == TC_BOLD )
+ len += tc_printattr (fp, bold_on);
+ if ( (attr & TC_ITALIC) == TC_ITALIC )
+ len += tc_printattr (fp, italic_on);
+
+ if ( attr & 0xFF )
+ len += tc_color (fp, attr & 0xFF);
+ }
+ else /* turn attributes off */
+ {
+ if ( html )
+ len += fprintf (fp, "</font>");
+ else
+ len += tc_color (fp, TC_BLACK);
+
+ if ( (attr & TC_ITALIC) == TC_ITALIC )
+ len += tc_printattr (fp, italic_off);
+ if ( !html || (attr & TC_BOLD) == TC_BOLD )
+ len += tc_printattr (fp, bold_off);
+ }
+
+ return len;
+}
+#else
+int tc_attr (FILE *fp, tc_att_t attr, int on)
+{
+ return 0;
+}
+#endif
+
+/*****************************************************************
+** internal functions
+*****************************************************************/
+static FILE *tc_outfp;
+static int put (int c)
+{
+ return putc (c, tc_outfp);
+}
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+static int tc_printattr (FILE *fp, const char *attstr)
+{
+ tc_outfp = fp;
+ return tputs (attstr, 0, put);
+}
+#else
+static int tc_printattr (FILE *fp, const char *attstr)
+{
+ return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+static int tc_color (FILE *fp, int color)
+{
+ tc_outfp = fp;
+
+ if ( color < 0 || color >= maxcolor )
+ return 0;
+ return tputs (colortab[color], 0, put);
+}
+#else
+static int tc_color (FILE *fp, int color)
+{
+ return 0;
+}
+#endif
+
+
+#ifdef TEST
+static const char *progname;
+/*****************************************************************
+** test main()
+*****************************************************************/
+main (int argc, const char *argv[])
+{
+ extern char *getenv ();
+ char *term = getenv ("TERM");
+ int i;
+ const char *text;
+
+ progname = *argv;
+
+ tc_init (stdout, term);
+
+ // printattr (is); /* Initialisierungsstring ausgeben */
+
+ text = "Test";
+ if ( argc > 1 )
+ text = *++argv;
+
+ tc_attr (stdout, TC_BOLD, 1);
+ printf ("Bold Headline\n");
+ tc_attr (stdout, TC_BOLD, 0);
+ for ( i = 0; i < 8; i++ )
+ {
+ tc_attr (stdout, i, 1);
+ printf ("%s", text);
+ tc_attr (stdout, i, 0);
+
+#if 0
+ tc_attr (stdout, (i | TC_BOLD), 1);
+ printf ("\t%s", text);
+ tc_attr (stdout, (i | TC_BOLD), 0);
+
+ tc_attr (stdout, (i | TC_ITALIC), 1);
+ printf ("\t%s", text);
+ tc_attr (stdout, (i | TC_ITALIC), 0);
+
+ tc_attr (stdout, (i | TC_BOLD | TC_ITALIC), 1);
+ printf ("\t%s", text);
+ tc_attr (stdout, (i | TC_BOLD | TC_ITALIC), 0);
+#endif
+ printf ("\n");
+ }
+ printf ("now back to black\n");
+
+ // printattr (r2); /* Zuruecksetzen */
+
+ return (0);
+}
+#endif
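Review bot: In tc_init the fallback assignments `bold_off = tgetstr ("me", &ap)`, `bold_off = tgetstr ("se", &ap)`, `italic_off = tgetstr ("ue", &ap)` and `italic_off = tgetstr ("ZR", &ap)` keep a NULL result when the terminal defines the "on" capability but not the matching "off" one, and tc_attr later passes that NULL to tputs() via tc_printattr; ncurses appears to reject a NULL string, but other termcap implementations may not, so normalise these the way the is1/is2 lines do, e.g. `if ( !(bold_off = tgetstr ("me", &ap)) ) bold_off = "";`. The same NULL check is missing for the `tparm (af, i)` results copied into colortab. The TEST main at the bottom omits its return type and declares getenv() by hand; `int main (int argc, const char *argv[])` plus `#include <stdlib.h>` would let it build under C99.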
--- /dev/null
+/*****************************************************************
+**
+** tcap.h -- termcap color capabilities
+**
+** (c) Mar 2010 by hoz
+**
+*****************************************************************/
+
+#ifndef TCAP_H
+# define TCAP_H
+
+typedef enum {
+ TC_BLACK = 0,
+ TC_RED,
+ TC_GREEN,
+ TC_YELLOW,
+ TC_BLUE,
+ TC_MAGENTA,
+ TC_CYAN,
+ TC_WHITE,
+
+ TC_BOLD = 0x100,
+ TC_ITALIC = 0x200
+} tc_att_t;
+
+extern int tc_init (FILE *fp, const char *term);
+extern int tc_end (FILE *fp, const char *term);
+extern int tc_attr (FILE *fp, tc_att_t attr, int on);
+#endif
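Review bot: The prototypes in tcap.h use `FILE *` but the header does not include <stdio.h>, so it only compiles when the including file has already pulled that in; add `# include <stdio.h>` inside the include guard so the header is self-contained.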
--- /dev/null
+/*****************************************************************
+**
+** @(#) zfparse.c -- A zone file parser
+**
+** Copyright (c) Jan 2010 - Jan 2010, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <unistd.h> /* for link(), unlink() */
+# include <ctype.h>
+# include <assert.h>
+#if 0
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <time.h>
+# include <utime.h>
+# include <errno.h>
+# include <fcntl.h>
+#endif
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+# include "zconf.h"
+# include "log.h"
+# include "debug.h"
+#define extern
+# include "zfparse.h"
+#undef extern
+
+
+extern const char *progname;
+
+/*****************************************************************
+** is_multiline_rr (const char *s)
+*****************************************************************/
+static const char *is_multiline_rr (int *multi_line_rr, const char *p)
+{
+ while ( *p && *p != ';' )
+ {
+ if ( *p == '\"' )
+ do
+ p++;
+ while ( *p && *p != '\"' );
+
+ if ( *p == '(' )
+ *multi_line_rr = 1;
+ if ( *p == ')' )
+ *multi_line_rr = 0;
+ p++;
+ }
+ return p;
+}
+
+/*****************************************************************
+** skipws (const char *s)
+*****************************************************************/
+static const char *skipws (const char *s)
+{
+ while ( *s && (*s == ' ' || *s == '\t' || *s == '\n') )
+ s++;
+ return s;
+}
+
+/*****************************************************************
+** skiplabel (const char *s)
+*****************************************************************/
+static const char *skiplabel (const char *s)
+{
+ while ( *s && *s != ';' && *s != ' ' && *s != '\t' && *s != '\n' )
+ s++;
+ return s;
+}
+
+/*****************************************************************
+** setminmax ()
+*****************************************************************/
+static void setminmax (long *pmin, long val, long *pmax)
+{
+ if ( val < *pmin )
+ *pmin = val;
+ if ( val > *pmax )
+ *pmax = val;
+}
+
+/*****************************************************************
+** get_ttl ()
+*****************************************************************/
+static long get_ttl (const char *s)
+{
+ char quantity;
+ long lval;
+
+ quantity = 'd';
+ sscanf (s, "%ld%c", &lval, &quantity);
+ quantity = tolower (quantity);
+ if ( quantity == 'm' )
+ lval *= MINSEC;
+ else if ( quantity == 'h' )
+ lval *= HOURSEC;
+ else if ( quantity == 'd' )
+ lval *= DAYSEC;
+ else if ( quantity == 'w' )
+ lval *= WEEKSEC;
+ else if ( quantity == 'y' )
+ lval *= YEARSEC;
+
+ return lval;
+}
+
+/*****************************************************************
+** addkeydb ()
+*****************************************************************/
+int addkeydb (const char *file, const char *keydbfile)
+{
+ FILE *fp;
+
+ if ( (fp = fopen (file, "a")) == NULL )
+ return -1;
+
+ fprintf (fp, "\n");
+ fprintf (fp, "$INCLUDE %s\t; this is the database of public DNSKEY RR\n", keydbfile);
+
+ fclose (fp);
+
+ return 0;
+}
+
+/*****************************************************************
+** parsezonefile ()
+** parse the BIND zone file 'file' and store the minimum and
+** maximum ttl value in the corresponding parameter.
+** if keydbfile is set, check if this file is already include.
+** return 0 if keydbfile is not included
+** return 1 if keydbfile is included
+** return -1 on error
+*****************************************************************/
+int parsezonefile (const char *file, long *pminttl, long *pmaxttl, const char *keydbfile)
+{
+ FILE *infp;
+ int len;
+ int lnr;
+ long ttl;
+ int multi_line_rr;
+ int keydbfilefound;
+ char buf[1024];
+ const char *p;
+
+ assert (file != NULL);
+ assert (pminttl != NULL);
+ assert (pmaxttl != NULL);
+
+ dbg_val4 ("parsezonefile (\"%s\", %ld, %ld, \"%s\")\n", file, *pminttl, *pmaxttl, keydbfile);
+
+ if ( (infp = fopen (file, "r")) == NULL )
+ return -1;
+
+ lnr = 0;
+ keydbfilefound = 0;
+ multi_line_rr = 0;
+ while ( fgets (buf, sizeof buf, infp) != NULL )
+ {
+ len = strlen (buf);
+ if ( buf[len-1] != '\n' ) /* line too long ? */
+ fprintf (stderr, "line too long\n");
+ lnr++;
+
+ p = buf;
+ if ( multi_line_rr ) /* skip line if it's part of a multiline rr */
+ {
+ is_multiline_rr (&multi_line_rr, p);
+ continue;
+ }
+
+ if ( *p == '$' ) /* special directive ? */
+ {
+ if ( strncmp (p+1, "TTL", 3) == 0 ) /* $TTL ? */
+ {
+ ttl = get_ttl (p+4);
+ dbg_val3 ("%s:%d:ttl %ld\n", file, lnr, ttl);
+ setminmax (pminttl, ttl, pmaxttl);
+ }
+ else if ( strncmp (p+1, "INCLUDE", 7) == 0 ) /* $INCLUDE ? */
+ {
+ char fname[30+1];
+
+ sscanf (p+9, "%30s", fname);
+ dbg_val ("$INCLUDE directive for file \"%s\" found\n", fname);
+ if ( keydbfile && strcmp (fname, keydbfile) == 0 )
+ keydbfilefound = 1;
+ else
+ keydbfilefound = parsezonefile (fname, pminttl, pmaxttl, keydbfile);
+ }
+ }
+ else if ( !isspace (*p) ) /* label ? */
+ p = skiplabel (p);
+
+ p = skipws (p);
+ if ( *p == ';' ) /* skip line if it's a comment line */
+ continue;
+
+ /* skip class (hesiod is not supported now) */
+ if ( (toupper (*p) == 'I' && toupper (p[1]) == 'N') ||
+ (toupper (*p) == 'C' && toupper (p[1]) == 'H') )
+ p += 2;
+ p = skipws (p);
+
+ if ( isdigit (*p) ) /* ttl ? */
+ {
+ ttl = get_ttl (p);
+ dbg_val3 ("%s:%d:ttl %ld\n", file, lnr, ttl);
+ setminmax (pminttl, ttl, pmaxttl);
+ }
+
+ /* check the rest of the line if it's the beginning of a multi_line_rr */
+ is_multiline_rr (&multi_line_rr, p);
+ }
+
+ if ( file )
+ fclose (infp);
+
+ dbg_val5 ("parsezonefile (\"%s\", %ld, %ld, \"%s\") ==> %d\n",
+ file, *pminttl, *pmaxttl, keydbfile, keydbfilefound);
+ return keydbfilefound;
+}
+
+
+#ifdef TEST
+const char *progname;
+int main (int argc, char *argv[])
+{
+ long minttl;
+ long maxttl;
+ int keydbfound;
+ char *dnskeydb;
+
+ progname = *argv;
+ dnskeydb = NULL;
+ dnskeydb = "dnskey.db";
+
+ minttl = 0x7FFFFFFF;
+ maxttl = 0;
+ keydbfound = parsezonefile (argv[1], &minttl, &maxttl, dnskeydb);
+ if ( keydbfound < 0 )
+ error ("can't parse zone file %s\n", argv[1]);
+
+ if ( dnskeydb && !keydbfound )
+ {
+ printf ("$INCLUDE %s directive added \n", dnskeydb);
+ addkeydb (argv[1], dnskeydb);
+ }
+
+ printf ("minttl = %ld\n", minttl);
+ printf ("maxttl = %ld\n", maxttl);
+
+ return 0;
+}
+#endif
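Review bot: is_multiline_rr's quoted-string scan `do p++; while ( *p && *p != '\"' );` stops on the terminating NUL when a line has an unbalanced quote, and the unconditional `p++` that follows then steps past the terminator so the outer `while ( *p && *p != ';' )` reads beyond the end of the line buffer; add `if ( *p == '\0' ) break;` directly after that do/while. get_ttl uses `lval` without initialising it, so a `$TTL` directive or a record whose TTL field does not parse feeds an indeterminate value into setminmax; initialise `lval = 0` and only apply the multiplier when sscanf returns at least 1. parsezonefile recurses on every `$INCLUDE` with no depth limit, so a zone file that includes itself (or a cycle of includes) recurses until the stack or the open-file limit is exhausted, and `keydbfilefound = parsezonefile (fname, pminttl, pmaxttl, keydbfile)` also discards a 1 set by an earlier `$INCLUDE`; a depth counter and merging the recursive result instead of overwriting it would address both. Finally `if ( buf[len-1] != '\n' )` indexes buf[-1] when strlen(buf) is 0, which can happen for a line that begins with a NUL byte; guard with `len > 0`.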
--- /dev/null
+/*****************************************************************
+**
+** @(#) zfparse.h -- headerfile for a zone file parser
+**
+** Copyright (c) Jan 2010 - Feb 2010, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+#ifndef ZFPARSE_H
+# define ZFPARSE_H
+extern int parsezonefile (const char *file, long *pminttl, long *pmaxttl, const char *keydbfile);
+extern int addkeydb (const char *file, const char *keydbfile);
+#endif
--- /dev/null
+/*****************************************************************
+**
+** @(#) zkt-conf.c (c) Jan 2005 / Jan 2010 Holger Zuleger hznet.de
+**
+** A config file utility for the DNSSEC Zone Key Tool
+**
+** Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h> /* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+# include <time.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "zfparse.h"
+# include "zconf.h"
+
+extern int optopt;
+extern int opterr;
+extern int optind;
+extern char *optarg;
+const char *progname;
+
+static const char *view = "";
+static int writeflag = 0;
+static int allflag = 0;
+static int testflag = 0;
+
+# define short_options ":aC:c:O:dlstvwV:rh"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+ {"compability", required_argument, NULL, 'C'},
+ {"config", required_argument, NULL, 'c'},
+ {"option", required_argument, NULL, 'O'},
+ {"config-option", required_argument, NULL, 'O'},
+ {"default", no_argument, NULL, 'd'},
+ {"sidecfg", no_argument, NULL, 's'},
+ {"localcfg", no_argument, NULL, 'l'},
+ {"all-values", no_argument, NULL, 'a'},
+ {"test", no_argument, NULL, 't'},
+ {"overwrite", no_argument, NULL, 'w'},
+ {"version", no_argument, NULL, 'v' },
+ {"write", no_argument, NULL, 'w'},
+ {"view", required_argument, NULL, 'V' },
+ {"help", no_argument, NULL, 'h'},
+ {0, 0, 0, 0}
+};
+#endif
+
+static void usage (char *mesg);
+
+
+int main (int argc, char *argv[])
+{
+ int c;
+ int opt_index;
+ int action;
+ int major;
+ int minor;
+ const char *file;
+ const char *defconfname = NULL;
+ const char *confname = NULL;
+ char *p;
+ char str[254+1];
+ zconf_t *refconfig = NULL;
+ zconf_t *config;
+
+ progname = *argv;
+ if ( (p = strrchr (progname, '/')) )
+ progname = ++p;
+ view = getnameappendix (progname, "zkt-conf");
+
+ defconfname = getdefconfname (view);
+ dbg_val0 ("Load built in config \"%s\"\n");
+ config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
+
+ if ( fileexist (defconfname) ) /* load default config file */
+ {
+ dbg_val ("Load site wide config file \"%s\"\n", defconfname);
+ config = loadconfig (defconfname, config);
+ }
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ confname = defconfname;
+
+ opterr = 0;
+ opt_index = 0;
+ action = 0;
+ setconfigversion (100);
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+ while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+ while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+ {
+ switch ( c )
+ {
+ case 'V': /* view name */
+ view = optarg;
+ defconfname = getdefconfname (view);
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ confname = defconfname;
+ break;
+ case 'O': /* read option from commandline */
+ config = loadconfig_fromstr (optarg, config);
+ break;
+ case 'C':
+ switch ( sscanf (optarg, "%d.%d", &major, &minor) )
+ {
+ case 2: major = major * 100 + minor;
+ case 1: break;
+ default:
+ usage ("illegal release number");
+ }
+ setconfigversion (major);
+ break;
+ case 'c':
+ if ( *optarg == '\0' )
+ usage ("empty config file name");
+ config = loadconfig (optarg, config);
+ if ( *optarg == '-' || strcmp (optarg, "stdin") == 0 )
+ confname = "stdout";
+ else
+ confname = optarg;
+ break;
+ case 'd': /* built-in default config */
+ config = loadconfig ("", config); /* load built-in config */
+ confname = defconfname;
+ break;
+ case 's': /* side wide config */
+ /* this is the default **/
+ break;
+ case 'a': /* set all flag */
+ allflag = 1;
+ break;
+ case 'l': /* local config file */
+ refconfig = dupconfig (config); /* duplicate current config */
+ confname = LOCALCONF_FILE;
+ if ( fileexist (LOCALCONF_FILE) ) /* try to load local config file */
+ {
+ dbg_val ("Load local config file \"%s\"\n", LOCALCONF_FILE);
+ config = loadconfig (LOCALCONF_FILE, config);
+ }
+ else if ( !writeflag )
+ usage ("error: no local config file found");
+ break;
+ case 't': /* test config */
+ testflag = 1;
+ break;
+ case 'v': /* version */
+ fprintf (stderr, "%s version %s compiled for BIND version %d\n",
+ progname, ZKT_VERSION, BIND_VERSION);
+ fprintf (stderr, "ZKT %s\n", ZKT_COPYRIGHT);
+ return 0;
+ break;
+ case 'w': /* write back conf file */
+ writeflag = 1;
+ break;
+ case 'h': /* print help */
+ usage ("");
+ break;
+ case ':':
+ snprintf (str, sizeof(str), "option \"-%c\" requires an argument.",
+ optopt);
+ usage (str);
+ break;
+ case '?':
+ if ( isprint (optopt) )
+ snprintf (str, sizeof(str), "Unknown option \"-%c\".",
+ optopt);
+ else
+ snprintf (str, sizeof (str), "Unknown option char \\x%x.",
+ optopt);
+ usage (str);
+ break;
+ default:
+ abort();
+ }
+ }
+
+ c = optind;
+ if ( c >= argc ) /* no arguments given on commandline */
+ {
+ if ( testflag )
+ {
+ if ( checkconfig (config) )
+ fprintf (stderr, "All config file parameter seems to be ok\n");
+ }
+ else
+ {
+ if ( !writeflag ) /* print to stdout */
+ confname = "stdout";
+
+ if ( refconfig ) /* have we seen a local config file ? */
+ if ( allflag )
+ printconfig (confname, config);
+ else
+ printconfigdiff (confname, refconfig, config);
+ else
+ printconfig (confname, config);
+ }
+ }
+ else /* command line argument found: use it as name of zone file */
+ {
+ long minttl;
+ long maxttl;
+ int keydbfound;
+ char *dnskeydb;
+
+ file = argv[c++];
+
+ dnskeydb = config->keyfile;
+
+ minttl = 0x7FFFFFFF;
+ maxttl = 0;
+ keydbfound = parsezonefile (file, &minttl, &maxttl, dnskeydb);
+ if ( keydbfound < 0 )
+ error ("can't parse zone file %s\n", file);
+
+ if ( dnskeydb && !keydbfound )
+ {
+ if ( writeflag )
+ {
+ addkeydb (file, dnskeydb);
+ printf ("\"$INCLUDE %s\" directive added to \"%s\"\n", dnskeydb, file);
+ }
+ else
+ printf ("\"$INCLUDE %s\" should be added to \"%s\" (run with option -w)\n",
+ dnskeydb, file);
+ }
+
+ if ( minttl < (10 * MINSEC) )
+ fprintf (stderr, "Min_TTL of %s (%ld seconds) is too low to use it in a signed zone (see RFC4641)\n",
+ timeint2str (minttl), minttl);
+ else
+ fprintf (stderr, "Min_TTL:\t%s\t# (%ld seconds)\n", timeint2str (minttl), minttl);
+ fprintf (stdout, "Max_TTL:\t%s\t# (%ld seconds)\n", timeint2str (maxttl), maxttl);
+
+ if ( writeflag )
+ {
+ refconfig = dupconfig (config); /* duplicate current config */
+ confname = LOCALCONF_FILE;
+ if ( fileexist (LOCALCONF_FILE) ) /* try to load local config file */
+ {
+ dbg_val ("Load local config file \"%s\"\n", LOCALCONF_FILE);
+ config = loadconfig (LOCALCONF_FILE, config);
+ }
+ setconfigpar (config, "Max_TTL", &maxttl);
+ printconfigdiff (confname, refconfig, config);
+ }
+ }
+
+
+ return 0;
+}
+
+# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
+# define loptstr(lstr, sstr) lstr
+#else
+# define lopt_usage(mesg, value)
+# define loptstr(lstr, sstr) sstr
+#endif
+static void usage (char *mesg)
+{
+ fprintf (stderr, "%s version %s\n", progname, ZKT_VERSION);
+ if ( mesg && *mesg )
+ fprintf (stderr, "%s\n", mesg);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "usage: %s -h\n", progname);
+ fprintf (stderr, "usage: %s [-V view] [-w|-t] -d [-O <optstr>]\n", progname);
+ fprintf (stderr, "usage: %s [-V view] [-w|-t] [-s] [-c config] [-O <optstr>]\n", progname);
+ fprintf (stderr, "usage: %s [-V view] [-w|-t] [-a] -l [-c config] [-O <optstr>]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "usage: %s [-c config] [-w] <zonefile>\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, " -V name%s", loptstr (", --view=name\n", ""));
+ fprintf (stderr, "\t\t specify the view name \n");
+ fprintf (stderr, " -d%s\tprint built-in default config parameter\n", loptstr (", --default", ""));
+ fprintf (stderr, " -s%s\tprint site wide config file parameter (this is the default)\n", loptstr (", --sitecfg", ""));
+ fprintf (stderr, " -l%s\tprint local config file parameter\n", loptstr (", --localcfg", ""));
+ fprintf (stderr, " -a%s\tprint all parameter not only the different one\n", loptstr (", --all", ""));
+ fprintf (stderr, " -c file%s", loptstr (", --config=file\n", ""));
+ fprintf (stderr, " \t\tread config from <file> instead of %s\n", CONFIG_FILE);
+ fprintf (stderr, " -O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+ fprintf (stderr, " \t\tread config options from commandline\n");
+ fprintf (stderr, " -t%s\ttest the config parameter if they are useful \n", loptstr (", --test", "\t"));
+ fprintf (stderr, " -w%s\twrite or rewrite config file \n", loptstr (", --write", "\t"));
+ fprintf (stderr, " -h%s\tprint this help \n", loptstr (", --help", "\t"));
+ exit (1);
+}
+
--- /dev/null
+/*****************************************************************
+**
+** @(#) zkt-keyman.c (c) Jan 2005 - Apr 2010 Holger Zuleger hznet.de
+**
+** ZKT key managing tool (formely knon as dnsses-zkt)
+** A wrapper command around the BIND dnssec-keygen utility
+**
+** Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h> /* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "strlist.h"
+# include "zconf.h"
+# include "dki.h"
+# include "zkt.h"
+
+extern int optopt;
+extern int opterr;
+extern int optind;
+extern char *optarg;
+const char *progname;
+
+char *labellist = NULL;
+
+int headerflag = 1;
+int ageflag = 0;
+int lifetime = 0;
+int lifetimeflag = 0;
+int timeflag = 1;
+int exptimeflag = 0;
+int pathflag = 0;
+int kskflag = 1;
+int zskflag = 1;
+int ljustflag = 0;
+
+static int dirflag = 0;
+static int recflag = RECURSIVE;
+static char *kskdomain = "";
+static const char *view = "";
+
+# define short_options ":0:1:2:3:9A:C:D:P:S:R:h:ZV:F:c:O:krz"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+ {"ksk-rollover", no_argument, NULL, '9'},
+ {"ksk-status", required_argument, NULL, '0'},
+ {"ksk-roll-status", required_argument, NULL, '0'},
+ {"ksk-newkey", required_argument, NULL, '1'},
+ {"ksk-publish", required_argument, NULL, '2'},
+ {"ksk-delkey", required_argument, NULL, '3'},
+ {"ksk-roll-phase1", required_argument, NULL, '1'},
+ {"ksk-roll-phase2", required_argument, NULL, '2'},
+ {"ksk-roll-phase3", required_argument, NULL, '3'},
+ {"ksk", no_argument, NULL, 'k'},
+ {"zsk", no_argument, NULL, 'z'},
+ {"recursive", no_argument, NULL, 'r'},
+ {"config", required_argument, NULL, 'c'},
+ {"option", required_argument, NULL, 'O'},
+ {"config-option", required_argument, NULL, 'O'},
+ {"published", required_argument, NULL, 'P'},
+ {"standby", required_argument, NULL, 'S'},
+ {"active", required_argument, NULL, 'A'},
+ {"depreciated", required_argument, NULL, 'D'},
+ {"create", required_argument, NULL, 'C'},
+ {"revoke", required_argument, NULL, 'R'},
+ {"remove", required_argument, NULL, 19 },
+ {"destroy", required_argument, NULL, 20 },
+ {"setlifetime", required_argument, NULL, 'F' },
+ {"view", required_argument, NULL, 'V' },
+ {"help", no_argument, NULL, 'h'},
+ {0, 0, 0, 0}
+};
+#endif
+
+static int parsedirectory (const char *dir, dki_t **listp);
+static void parsefile (const char *file, dki_t **listp);
+static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf);
+static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf);
+static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp);
+static void usage (char *mesg, zconf_t *cp);
+static const char *parsetag (const char *str, int *tagp);
+
+static void setglobalflags (zconf_t *config)
+{
+ recflag = config->recursive;
+}
+
+int main (int argc, char *argv[])
+{
+ dki_t *data = NULL;
+ dki_t *dkp;
+ int c;
+ int opt_index;
+ int action;
+ const char *file;
+ const char *defconfname = NULL;
+ char *p;
+ char str[254+1];
+ const char *keyname = NULL;
+ int searchtag;
+ zconf_t *config;
+
+ progname = *argv;
+ if ( (p = strrchr (progname, '/')) )
+ progname = ++p;
+ view = getnameappendix (progname, "dnssec-zkt");
+
+ defconfname = getdefconfname (view);
+ config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ setglobalflags (config);
+
+ opterr = 0;
+ opt_index = 0;
+ action = 0;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+ while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+ while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+ {
+ switch ( c )
+ {
+ case '9': /* ksk rollover help */
+ ksk_roll ("help", c - '0', NULL, NULL);
+ exit (1);
+ case '1': /* ksk rollover: create new key */
+ case '2': /* ksk rollover: publish DS */
+ case '3': /* ksk rollover: delete old key */
+ case '0': /* ksk rollover: show current status */
+ action = c;
+ if ( !optarg )
+ usage ("ksk rollover requires an domain argument", config);
+ kskdomain = domain_canonicdup (optarg);
+ break;
+ case 'h':
+ case 'K':
+ case 'Z':
+ action = c;
+ break;
+ case 'C':
+ pathflag = !pathflag;
+ /* fall through */
+ case 'P':
+ case 'S':
+ case 'A':
+ case 'D':
+ case 'R':
+ case 's':
+ case 19:
+ case 20:
+ if ( (keyname = parsetag (optarg, &searchtag)) != NULL )
+ keyname = domain_canonicdup (keyname);
+ action = c;
+ break;
+ case 'F': /* set key lifetime */
+ lifetime = atoi (optarg);
+ action = c;
+ break;
+ case 'V': /* view name */
+ view = optarg;
+ defconfname = getdefconfname (view);
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ setglobalflags (config);
+ break;
+ case 'c':
+ config = loadconfig (optarg, config);
+ setglobalflags (config);
+ checkconfig (config);
+ break;
+ case 'O': /* read option from commandline */
+ config = loadconfig_fromstr (optarg, config);
+ setglobalflags (config);
+ checkconfig (config);
+ break;
+ case 'd': /* ignore directory arg */
+ dirflag = 1;
+ break;
+ case 'k': /* ksk only */
+ zskflag = 0;
+ break;
+ case 'r': /* switch recursive flag */
+ recflag = !recflag;
+ break;
+ case 'z': /* zsk only */
+ kskflag = 0;
+ break;
+ case ':':
+ snprintf (str, sizeof(str), "option \"-%c\" requires an argument.\n",
+ optopt);
+ usage (str, config);
+ break;
+ case '?':
+ if ( isprint (optopt) )
+ snprintf (str, sizeof(str), "Unknown option \"-%c\".\n",
+ optopt);
+ else
+ snprintf (str, sizeof (str), "Unknown option char \\x%x.\n",
+ optopt);
+ usage (str, config);
+ break;
+ default:
+ abort();
+ }
+ }
+
+ if ( kskflag == 0 && zskflag == 0 )
+ kskflag = zskflag = 1;
+
+ c = optind;
+ do {
+ if ( c >= argc ) /* no args left */
+ file = config->zonedir; /* use default directory */
+ else
+ file = argv[c++];
+
+ if ( is_directory (file) )
+ parsedirectory (file, &data);
+ else
+ parsefile (file, &data);
+
+ } while ( c < argc ); /* for all arguments */
+
+ switch ( action )
+ {
+ case 'h':
+ usage ("", config);
+ case 'C':
+ createkey (keyname, data, config);
+ break;
+ case 'P':
+ case 'S':
+ case 'A':
+ case 'D':
+ if ( (dkp = (dki_t*)zkt_search (data, searchtag, keyname)) == NULL )
+ fatal ("Key with tag %u not found\n", searchtag);
+ else if ( dkp == (void *) 01 )
+ fatal ("Key with tag %u found multiple times\n", searchtag);
+ if ( (c = dki_setstatus_preservetime (dkp, action)) != 0 )
+ fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
+ break;
+ case 19: /* remove (rename) key file */
+ if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+ fatal ("Key with tag %u not found\n", searchtag);
+ else if ( dkp == (void *) 01 )
+ fatal ("Key with tag %u found multiple times\n", searchtag);
+ dki_remove (dkp);
+ break;
+ case 20: /* destroy the key (remove the files!) */
+ if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+ fatal ("Key with tag %u not found\n", searchtag);
+ else if ( dkp == (void *) 01 )
+ fatal ("Key with tag %u found multiple times\n", searchtag);
+ dki_destroy (dkp);
+ break;
+ case 'R':
+ if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+ fatal ("Key with tag %u not found\n", searchtag);
+ else if ( dkp == (void *) 01 )
+ fatal ("Key with tag %u found multiple times\n", searchtag);
+ if ( (c = dki_setstatus (dkp, action)) != 0 )
+ fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
+ break;
+ case '1': /* ksk rollover new key */
+ case '2': /* ksk rollover publish DS */
+ case '3': /* ksk rollover delete old key */
+ case '0': /* ksk rollover status */
+ ksk_roll (kskdomain, action - '0', data, config);
+ break;
+ case 'F':
+ zkt_setkeylifetime (data);
+ /* fall through */
+ default:
+ zkt_list_keys (data);
+ }
+
+ return 0;
+}
+
+# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
+# define loptstr(lstr, sstr) lstr
+#else
+# define lopt_usage(mesg, value)
+# define loptstr(lstr, sstr) sstr
+#endif
+static void usage (char *mesg, zconf_t *cp)
+{
+ fprintf (stderr, "DNS Zone Key Management Tool %s\n", ZKT_VERSION);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Create a new key \n");
+ sopt_usage ("\tusage: %s -C <name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --create=<name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
+ fprintf (stderr, "\t\tKSK (use -k): %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits);
+ fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->k_algo), cp->z_bits);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Change key status of specified key to published, active or depreciated\n");
+ fprintf (stderr, "\t(<keyspec> := tag | tag:name) \n");
+ sopt_usage ("\tusage: %s -P|-A|-D <keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --published=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --active=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --depreciated=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Revoke specified key (<keyspec> := tag | tag:name) \n");
+ sopt_usage ("\tusage: %s -R <keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --revoke=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Remove (rename) or destroy (delete) specified key (<keyspec> := tag | tag:name) \n");
+ lopt_usage ("\tusage: %s --remove=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --destroy=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "Initiate a semi-automated KSK rollover");
+ fprintf (stderr, "('%s -9%s' prints out a brief description)\n", progname, loptstr ("|--ksk-rollover", ""));
+ sopt_usage ("\tusage: %s {-1} do.ma.in.\n", progname);
+ lopt_usage ("\tusage: %s {--ksk-roll-phase1|--ksk-newkey} do.ma.in.\n", progname);
+ sopt_usage ("\tusage: %s {-2} do.ma.in.\n", progname);
+ lopt_usage ("\tusage: %s {--ksk-roll-phase2|--ksk-publish} do.ma.in.\n", progname);
+ sopt_usage ("\tusage: %s {-3} do.ma.in.\n", progname);
+ lopt_usage ("\tusage: %s {--ksk-roll-phase3|--ksk-delkey} do.ma.in.\n", progname);
+ sopt_usage ("\tusage: %s {-0} do.ma.in.\n", progname);
+ lopt_usage ("\tusage: %s {--ksk-roll-status|--ksk-status} do.ma.in.\n", progname);
+ fprintf (stderr, "\n");
+
+ fprintf (stderr, "\n");
+ fprintf (stderr, "General options \n");
+ fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
+ fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
+ fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+ fprintf (stderr, "\t\t read config options from commandline\n");
+ fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
+ fprintf (stderr, "\t-r%s\t recursive mode on/off (default: %s)\n", loptstr(", --recursive", "\t"), recflag ? "on": "off");
+ fprintf (stderr, "\t-F days%s=days\t set key lifetime\n", loptstr (", --setlifetime", "\t"));
+ fprintf (stderr, "\t-k%s\t key signing keys only\n", loptstr (", --ksk", "\t"));
+ fprintf (stderr, "\t-z%s\t zone signing keys only\n", loptstr (", --zsk", "\t"));
+ if ( mesg && *mesg )
+ fprintf (stderr, "%s\n", mesg);
+ exit (1);
+}
+
+static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)
+{
+ const char *dir = "";
+ dki_t *dkp;
+
+ if ( keyname == NULL || *keyname == '\0' )
+ fatal ("Create key: no keyname!");
+
+ dbg_val2 ("createkey: keyname %s, pathflag = %d\n", keyname, pathflag);
+ /* search for already existent key to get the directory name */
+ if ( pathflag && (dkp = (dki_t *)zkt_search (list, 0, keyname)) != NULL )
+ {
+ char path[MAX_PATHSIZE+1];
+ zconf_t localconf;
+
+ dir = dkp->dname;
+ pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
+ if ( fileexist (path) ) /* load local config file */
+ {
+ dbg_val ("Load local config file \"%s\"\n", path);
+ memcpy (&localconf, conf, sizeof (zconf_t));
+ conf = loadconfig (path, &localconf);
+ }
+ }
+
+ if ( zskflag )
+ dkp = dki_new (dir, keyname, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+ else
+ dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+ if ( dkp == NULL )
+ fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
+
+ /* create a new key always in state published, which means "standby" for ksk */
+ dki_setstatus (dkp, DKI_PUB);
+}
+
+static int get_parent_phase (const char *file)
+{
+ FILE *fp;
+ int phase;
+
+ if ( (fp = fopen (file, "r")) == NULL )
+ return -1;
+
+ phase = 0;
+ if ( fscanf (fp, "; KSK rollover phase%d", &phase) != 1 )
+ phase = 0;
+
+ fclose (fp);
+ return phase;
+}
+
+static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)
+{
+ char path[MAX_PATHSIZE+1];
+ zconf_t localconf;
+ const char *dir;
+ dki_t *keylist;
+ dki_t *dkp;
+ dki_t *standby;
+ int parent_exist;
+ int parent_age;
+ int parent_phase;
+ int parent_propagation;
+ int key_ttl;
+ int ksk;
+
+ if ( phase == 9 ) /* usage */
+ {
+ fprintf (stderr, "A KSK rollover requires three consecutive steps:\n");
+ fprintf (stderr, "\n");
+ fprintf (stderr, "-1%s", loptstr ("|--ksk-roll-phase1 (--ksk-newkey)\n", ""));
+ fprintf (stderr, "\t Create a new KSK.\n");
+ fprintf (stderr, "\t This step also creates a parent-<domain> file which contains only\n");
+ fprintf (stderr, "\t the _old_ key. This file will be copied in hierarchical mode\n");
+ fprintf (stderr, "\t by dnssec-signer to the parent directory as keyset-<domain> file.\n");
+ fprintf (stderr, "\t Wait until the new keyset is propagated, before going to the next step.\n");
+ fprintf (stderr, "\n");
+ fprintf (stderr, "-2%s", loptstr ("|--ksk-roll-phase2 (--ksk-publish)\n", ""));
+ fprintf (stderr, "\t This step creates a parent-<domain> file with the _new_ key only.\n");
+ fprintf (stderr, "\t Please send this file immediately to the parent (In hierarchical\n");
+ fprintf (stderr, "\t mode this will be done automatically by the dnssec-signer command).\n");
+ fprintf (stderr, "\t Then wait until the new DS is generated by the parent and propagated\n");
+ fprintf (stderr, "\t to all the parent name server, plus the old DS TTL before going to step three.\n");
+ fprintf (stderr, "\n");
+ fprintf (stderr, "-3%s", loptstr ("|--ksk-roll-phase3 (--ksk-delkey)\n", ""));
+ fprintf (stderr, "\t Remove (rename) the old KSK and the parent-<domain> file.\n");
+ fprintf (stderr, "\t You have to manually delete the old KSK (look at file names beginning\n");
+ fprintf (stderr, "\t with an lower 'k').\n");
+ fprintf (stderr, "\n");
+ fprintf (stderr, "-0%s", loptstr ("|--ksk-roll-stat (--ksk-status)\n", ""));
+ fprintf (stderr, "\t Show the current KSK rollover state of a domain.\n");
+
+ fprintf (stderr, "\n");
+
+ return;
+ }
+
+ if ( keyname == NULL || *keyname == '\0' )
+ fatal ("ksk rollover: no domain!");
+
+ dbg_val2 ("ksk_roll: keyname %s, phase = %d\n", keyname, phase);
+
+ /* search for already existent key to get the directory name */
+ if ( (keylist = (dki_t *)zkt_search (list, 0, keyname)) == NULL )
+ fatal ("ksk rollover: domain %s not found!\n", keyname);
+ dkp = keylist;
+
+ /* try to read local config file */
+ dir = dkp->dname;
+ pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
+ if ( fileexist (path) ) /* load local config file */
+ {
+ dbg_val ("Load local config file \"%s\"\n", path);
+ memcpy (&localconf, conf, sizeof (zconf_t));
+ conf = loadconfig (path, &localconf);
+ }
+ key_ttl = conf->key_ttl;
+
+ /* check if parent-file already exist */
+ pathname (path, sizeof (path), dir, "parent-", keyname);
+ parent_phase = parent_age = 0;
+ if ( (parent_exist = fileexist (path)) != 0 )
+ {
+ parent_phase = get_parent_phase (path);
+ parent_age = file_age (path);
+ }
+ // parent_propagation = 2 * DAYSEC;
+ parent_propagation = 5 * MINSEC;
+
+ ksk = 0; /* count active(!) key signing keys */
+ standby = NULL; /* find standby key if available */
+ for ( dkp = keylist; dkp; dkp = dkp->next )
+ if ( dki_isksk (dkp) )
+ {
+ if ( dki_status (dkp) == DKI_ACT )
+ ksk++;
+ else if ( dki_status (dkp) == DKI_PUB )
+ standby = dkp;
+ }
+
+ switch ( phase )
+ {
+ case 0: /* print status (debug) */
+ fprintf (stdout, "ksk_rollover:\n");
+ fprintf (stdout, "\t domain = %s\n", keyname);
+ fprintf (stdout, "\t phase = %d\n", parent_phase);
+ fprintf (stdout, "\t parent_file %s %s\n", path, parent_exist ? "exist": "not exist");
+ if ( parent_exist )
+ fprintf (stdout, "\t age of parent_file %d %s\n", parent_age, str_delspace (age2str (parent_age)));
+ fprintf (stdout, "\t # of active key signing keys %d\n", ksk);
+ fprintf (stdout, "\t parent_propagation %d %s\n", parent_propagation, str_delspace (age2str (parent_propagation)));
+ fprintf (stdout, "\t keys ttl %d %s\n", key_ttl, age2str (key_ttl));
+
+ for ( dkp = keylist; dkp; dkp = dkp->next )
+ {
+ /* TODO: Nur zum testen */
+ dki_prt_dnskey (dkp, stdout);
+ }
+ break;
+ case 1:
+ if ( parent_exist || ksk > 1 )
+ fatal ("Can\'t create new ksk because there is already an ksk rollover in progress\n");
+
+ fprintf (stdout, "create new ksk \n");
+ dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+ if ( dkp == NULL )
+ fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
+ if ( standby )
+ {
+ dki_setstatus (standby, DKI_ACT); /* activate standby key */
+ dki_setstatus (dkp, DKI_PUB); /* new key will be the new standby */
+ }
+
+ // dkp = keylist; /* use old key to create the parent file */
+ if ( (dkp = (dki_t *)dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */
+ fatal ("ksk_rollover phase1: Couldn't find the old active key\n");
+ if ( !create_parent_file (path, phase, key_ttl, dkp) )
+ fatal ("Couldn't create parentfile %s\n", path);
+ break;
+
+ case 2:
+ if ( ksk < 2 )
+ fatal ("Can\'t publish new key because no one exist\n");
+ if ( !parent_exist )
+ fatal ("More than one KSK but no parent file found!\n");
+ if ( parent_phase != 1 )
+ fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
+ if ( parent_age < conf->proptime + key_ttl )
+ fatal ("ksk_rollover (phase2): you have to wait for the propagation of the new KSK (at least %dsec or %s)\n",
+ conf->proptime + key_ttl - parent_age,
+ str_delspace (age2str (conf->proptime + key_ttl - parent_age)));
+
+ fprintf (stdout, "save new ksk in parent file\n");
+ dkp = keylist->next; /* set dkp to new ksk */
+ if ( !create_parent_file (path, phase, key_ttl, dkp) )
+ fatal ("Couldn't create parentfile %s\n", path);
+ break;
+ case 3:
+ if ( !parent_exist || ksk < 2 )
+ fatal ("ksk-delkey only allowed after ksk-publish\n");
+ if ( parent_phase != 2 )
+ fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
+ if ( parent_age < parent_propagation + key_ttl )
+ fatal ("ksk_rollover (phase3): you have to wait for DS propagation (at least %dsec or %s)\n",
+ parent_propagation + key_ttl - parent_age,
+ str_delspace (age2str (parent_propagation + key_ttl - parent_age)));
+ /* remove the parentfile */
+ fprintf (stdout, "remove parentfile \n");
+ unlink (path);
+ /* remove or rename the old key */
+ fprintf (stdout, "old ksk renamed \n");
+ dkp = keylist; /* set dkp to old ksk */
+ dki_remove (dkp);
+ break;
+ default: assert (phase == 1 || phase == 2 || phase == 3);
+ }
+}
+
+/*****************************************************************
+** create_parent_file ()
+*****************************************************************/
+static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)
+{
+ FILE *fp;
+
+ assert ( fname != NULL );
+
+ if ( dkp == NULL || (phase != 1 && phase != 2) )
+ return 0;
+
+ if ( (fp = fopen (fname, "w")) == NULL )
+ fatal ("can\'t create new parentfile \"%s\"\n", fname);
+
+ if ( phase == 1 )
+ fprintf (fp, "; KSK rollover phase1 (old key)\n");
+ else
+ fprintf (fp, "; KSK rollover phase2 (new key)\n");
+
+ dki_prt_dnskeyttl (dkp, fp, ttl);
+ fclose (fp);
+
+ return phase;
+}
+
+static int parsedirectory (const char *dir, dki_t **listp)
+{
+ dki_t *dkp;
+ DIR *dirp;
+ struct dirent *dentp;
+ char path[MAX_PATHSIZE+1];
+
+ if ( dirflag )
+ return 0;
+
+ dbg_val ("directory: opendir(%s)\n", dir);
+ if ( (dirp = opendir (dir)) == NULL )
+ return 0;
+
+ while ( (dentp = readdir (dirp)) != NULL )
+ {
+ if ( is_dotfilename (dentp->d_name) )
+ continue;
+
+ dbg_val ("directory: check %s\n", dentp->d_name);
+ pathname (path, sizeof (path), dir, dentp->d_name, NULL);
+ if ( is_directory (path) && recflag )
+ {
+ dbg_val ("directory: recursive %s\n", path);
+ parsedirectory (path, listp);
+ }
+ else if ( is_keyfilename (dentp->d_name) )
+ if ( (dkp = dki_read (dir, dentp->d_name)) )
+ {
+ // fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
+#if defined (USE_TREE) && USE_TREE
+ dki_tadd (listp, dkp, 1);
+#else
+ dki_add (listp, dkp);
+#endif
+ }
+ }
+ closedir (dirp);
+ return 1;
+}
+
+static void parsefile (const char *file, dki_t **listp)
+{
+ char path[MAX_PATHSIZE+1];
+ dki_t *dkp;
+
+ /* file arg contains path ? ... */
+ file = splitpath (path, sizeof (path), file); /* ... then split of */
+
+ if ( is_keyfilename (file) ) /* plain file name looks like DNS key file ? */
+ {
+ if ( (dkp = dki_read (path, file)) ) /* read DNS key file ... */
+#if defined (USE_TREE) && USE_TREE
+ dki_tadd (listp, dkp, 1); /* ... and add to tree */
+#else
+ dki_add (listp, dkp); /* ... and add to list */
+#endif
+ else
+ error ("error parsing %s: (%s)\n", file, dki_geterrstr());
+ }
+}
+
+static const char *parsetag (const char *str, int *tagp)
+{
+ const char *p;
+
+ *tagp = 0;
+ while ( isspace (*str) ) /* skip leading ws */
+ str++;
+
+ p = str;
+ if ( isdigit (*p) ) /* keytag starts with digit */
+ {
+ sscanf (p, "%u", tagp); /* read keytag as number */
+ do /* eat up to the end of the number */
+ p++;
+ while ( isdigit (*p) );
+
+ if ( *p == ':' ) /* label follows ? */
+ return p+1; /* return that */
+ if ( *p == '\0' )
+ return NULL; /* no label */
+ }
+ return str; /* return as label string if not a numeric keytag */
+}
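Review bot: `parent_propagation = 5 * MINSEC;` in ksk_roll, with the `// parent_propagation = 2 * DAYSEC;` line commented out directly above it and the `/* TODO: Nur zum testen */` left in the phase-0 branch, looks like a test value that was not reverted; phase 3 unlinks the parent file and removes the old KSK as soon as `parent_age >= parent_propagation + key_ttl`, so a five-minute window would let the old key be retired before the parent's new DS has plausibly propagated, leaving the zone failing validation until the new DS is visible everywhere. It would be safer to take this delay from the configuration (phase 2 already uses `conf->proptime` for the analogous wait) than from a literal in the code. Separately, phases 2 and 3 select the key by list position (`dkp = keylist->next; /* set dkp to new ksk */` and `dkp = keylist; /* set dkp to old ksk */`) while phase 1 locates the active KSK explicitly via `dki_findalgo`; using the same explicit lookup in all three phases would avoid destroying the wrong key if the list order is not what those comments assume. The return values of `unlink (path)` and `dki_remove (dkp)` in phase 3 are also ignored, so a failed removal is reported to the user as success.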
--- /dev/null
+/*****************************************************************
+**
+** @(#) zkt-ls.c (c) Jan 2010 Holger Zuleger hznet.de
+**
+** Secure DNS zone key tool
+** A command to list dnssec keys
+**
+** Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
+**
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h> /* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "strlist.h"
+# include "zconf.h"
+# include "dki.h"
+# include "tcap.h"
+# include "zkt.h"
+
+extern int optopt;
+extern int opterr;
+extern int optind;
+extern char *optarg;
+const char *progname;
+
+char *labellist = NULL;
+
+int headerflag = 1;
+int ageflag = 0;
+int lifetime = 0;
+int lifetimeflag = 0;
+int timeflag = 1;
+int exptimeflag = 0;
+int pathflag = 0;
+int kskflag = 1;
+int zskflag = 1;
+int ljustflag = 0;
+int subdomain_before_parent = 1;
+
+static int dirflag = 0;
+static int recflag = RECURSIVE;
+static int trustedkeyflag = 0;
+static const char *view = "";
+static const char *term = NULL;
+
+#if defined(COLOR_MODE) && COLOR_MODE
+# define short_options ":HKTV:afC::c:O:dhkLl:prstez"
+#else
+# define short_options ":HKTV:af:c:O:dhkLl:prstez"
+#endif
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+ {"list-dnskeys", no_argument, NULL, 'K'},
+ {"list-trustedkeys", no_argument, NULL, 'T'},
+ {"ksk", no_argument, NULL, 'k'},
+ {"zsk", no_argument, NULL, 'z'},
+ {"age", no_argument, NULL, 'a'},
+ {"lifetime", no_argument, NULL, 'f'},
+ {"time", no_argument, NULL, 't'},
+ {"expire", no_argument, NULL, 'e'},
+ {"recursive", no_argument, NULL, 'r'},
+ {"leftjust", no_argument, NULL, 'L'},
+ {"label-list", no_argument, NULL, 'l'},
+ {"path", no_argument, NULL, 'p'},
+ {"sort", no_argument, NULL, 's'},
+ {"subdomain", no_argument, NULL, 's'},
+ {"nohead", no_argument, NULL, 'h'},
+ {"directory", no_argument, NULL, 'd'},
+#if defined(COLOR_MODE) && COLOR_MODE
+ {"color", optional_argument, NULL, 'C'},
+#endif
+ {"config", required_argument, NULL, 'c'},
+ {"option", required_argument, NULL, 'O'},
+ {"config-option", required_argument, NULL, 'O'},
+ {"view", required_argument, NULL, 'V' },
+ {"help", no_argument, NULL, 'H'},
+ {0, 0, 0, 0}
+};
+#endif
+
+static int parsedirectory (const char *dir, dki_t **listp, int sub_before);
+static void parsefile (const char *file, dki_t **listp, int sub_before);
+static void usage (char *mesg, zconf_t *cp);
+
+static void setglobalflags (zconf_t *config)
+{
+ recflag = config->recursive;
+ ageflag = config->printage;
+ timeflag = config->printtime;
+ ljustflag = config->ljust;
+ term = config->colorterm;
+ if ( term && *term == '\0' )
+ term = getenv ("TERM");
+}
+
+int main (int argc, char *argv[])
+{
+ dki_t *data = NULL;
+ int c;
+ int opt_index;
+ int action;
+ const char *file;
+ const char *defconfname = NULL;
+ char *p;
+ char str[254+1];
+ zconf_t *config;
+
+ progname = *argv;
+ if ( (p = strrchr (progname, '/')) )
+ progname = ++p;
+ view = getnameappendix (progname, "zkt-ls");
+
+ defconfname = getdefconfname (view);
+ config = loadconfig ("", (zconf_t *)NULL); /* load built in config */
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ setglobalflags (config);
+
+ opterr = 0;
+ opt_index = 0;
+ action = 0;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+ while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+ while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+ {
+ switch ( c )
+ {
+#if defined(COLOR_MODE) && COLOR_MODE
+ case 'C': /* color mode on; optional with terminal name */
+ if ( optarg )
+ term = optarg;
+ else
+ term = getenv ("TERM");
+ break;
+#endif
+ case 'T':
+ trustedkeyflag = 1;
+ subdomain_before_parent = 0;
+ zskflag = pathflag = 0;
+ /* fall through */
+ case 'H':
+ case 'K':
+ case 'Z':
+ action = c;
+ break;
+ case 'a': /* age */
+ ageflag = !ageflag;
+ break;
+ case 'f': /* key lifetime */
+ lifetimeflag = !lifetimeflag;
+ break;
+ case 'V': /* view name */
+ view = optarg;
+ defconfname = getdefconfname (view);
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ setglobalflags (config);
+ break;
+ case 'c':
+ config = loadconfig (optarg, config);
+ setglobalflags (config);
+ checkconfig (config);
+ break;
+ case 'O': /* read option from commandline */
+ config = loadconfig_fromstr (optarg, config);
+ setglobalflags (config);
+ checkconfig (config);
+ break;
+ case 'd': /* ignore directory arg */
+ dirflag = 1;
+ break;
+ case 'h': /* print no headline */
+ headerflag = 0;
+ break;
+ case 'k': /* ksk only */
+ zskflag = 0;
+ break;
+ case 'L': /* ljust */
+ ljustflag = !ljustflag;
+ break;
+ case 'l': /* label list */
+ labellist = prepstrlist (optarg, LISTDELIM);
+ if ( labellist == NULL )
+ fatal ("Out of memory\n");
+ break;
+ case 'p': /* print path */
+ pathflag = 1;
+ break;
+ case 'r': /* switch recursive flag */
+ recflag = !recflag;
+ break;
+ case 's': /* switch subdomain sorting flag */
+ subdomain_before_parent = !subdomain_before_parent;
+ break;
+ case 't': /* time */
+ timeflag = !timeflag;
+ break;
+ case 'e': /* expire time */
+ exptimeflag = !exptimeflag;
+ break;
+ case 'z': /* zsk only */
+ kskflag = 0;
+ break;
+ case ':':
+ snprintf (str, sizeof(str), "option \"-%c\" requires an argument.\n",
+ optopt);
+ usage (str, config);
+ break;
+ case '?':
+ if ( isprint (optopt) )
+ snprintf (str, sizeof(str), "Unknown option \"-%c\".\n",
+ optopt);
+ else
+ snprintf (str, sizeof (str), "Unknown option char \\x%x.\n",
+ optopt);
+ usage (str, config);
+ break;
+ default:
+ abort();
+ }
+ }
+
+ if ( kskflag == 0 && zskflag == 0 )
+ kskflag = zskflag = 1;
+
+ tc_init (stdout, term);
+
+ c = optind;
+ do {
+ if ( c >= argc ) /* no args left */
+ file = config->zonedir; /* use default directory */
+ else
+ file = argv[c++];
+
+ if ( is_directory (file) )
+ parsedirectory (file, &data, subdomain_before_parent);
+ else
+ parsefile (file, &data, subdomain_before_parent);
+
+ } while ( c < argc ); /* for all arguments */
+
+ switch ( action )
+ {
+ case 'H':
+ usage ("", config);
+ case 'K':
+ zkt_list_dnskeys (data);
+ break;
+ case 'T':
+ zkt_list_trustedkeys (data);
+ break;
+ default:
+ zkt_list_keys (data);
+ }
+
+ tc_end (stdout, term);
+
+ return 0;
+}
+
+# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
+# define loptstr(lstr, sstr) lstr
+#else
+# define lopt_usage(mesg, value)
+# define loptstr(lstr, sstr) sstr
+#endif
+static void usage (char *mesg, zconf_t *cp)
+{
+ fprintf (stderr, "Secure DNS Zone Key Tool %s\n", ZKT_VERSION);
+ fprintf (stderr, "\n");
+
+ fprintf (stderr, "List keys in current or given directory (-r for recursive mode)\n");
+ sopt_usage ("\tusage: %s [-adefhkLprtzC] [-c config] [file|dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "List public part of keys in DNSKEY RR format\n");
+ sopt_usage ("\tusage: %s -K [-dhkrz] [-c config] [file|dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --list-dnskeys [-dhkzr] [-c config] [file|dir ...]\n", progname);
+ fprintf (stderr, "\n");
+ fprintf (stderr, "List keys (output is suitable for trusted-keys section)\n");
+ sopt_usage ("\tusage: %s -T [-dhrz] [-c config] [file|dir ...]\n", progname);
+ lopt_usage ("\tusage: %s --list-trustedkeys [-dhzr] [-c config] [file|dir ...]\n", progname);
+ fprintf (stderr, "\n");
+
+ fprintf (stderr, "General options \n");
+ fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
+ fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
+ fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+ fprintf (stderr, "\t\t read config options from commandline\n");
+ fprintf (stderr, "\t-h%s\t no headline or trusted-key section header/trailer in -T mode\n", loptstr (", --nohead", "\t"));
+ fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
+ fprintf (stderr, "\t-L%s\t print the domain name left justified (default: %s)\n", loptstr (", --leftjust", "\t"), ljustflag ? "on": "off");
+ fprintf (stderr, "\t-l list%s", loptstr (", --label=\"list\"\n\t", ""));
+ fprintf (stderr, "\t\t print out only zone keys from the given domain list\n");
+ fprintf (stderr, "\t-C[term]%s", loptstr (", --color[=\"term\"]\n\t", ""));
+ fprintf (stderr, "\t\t turn color mode on \n");
+ fprintf (stderr, "\t-p%s\t show path of keyfile / create key in current directory\n", loptstr (", --path", "\t"));
+ fprintf (stderr, "\t-r%s\t recursive mode on/off (default: %s)\n", loptstr(", --recursive", "\t"), recflag ? "on": "off");
+ fprintf (stderr, "\t-s%s\t change sorting of subdomains\n", loptstr(", --subdomain", "\t"));
+ fprintf (stderr, "\t-a%s\t print age of key (default: %s)\n", loptstr (", --age", "\t"), ageflag ? "on": "off");
+ fprintf (stderr, "\t-t%s\t print key generation time (default: %s)\n", loptstr (", --time", "\t"),
+ timeflag ? "on": "off");
+ fprintf (stderr, "\t-e%s\t print key expiration time\n", loptstr (", --expire", "\t"));
+ fprintf (stderr, "\t-f%s\t print key lifetime\n", loptstr (", --lifetime", "\t"));
+ fprintf (stderr, "\t-k%s\t key signing keys only\n", loptstr (", --ksk", "\t"));
+ fprintf (stderr, "\t-z%s\t zone signing keys only\n", loptstr (", --zsk", "\t"));
+ if ( mesg && *mesg )
+ fprintf (stderr, "%s\n", mesg);
+ exit (1);
+}
+
+static int parsedirectory (const char *dir, dki_t **listp, int sub_before)
+{
+ dki_t *dkp;
+ DIR *dirp;
+ struct dirent *dentp;
+ char path[MAX_PATHSIZE+1];
+
+ if ( dirflag )
+ return 0;
+
+ dbg_val ("directory: opendir(%s)\n", dir);
+ if ( (dirp = opendir (dir)) == NULL )
+ return 0;
+
+ while ( (dentp = readdir (dirp)) != NULL )
+ {
+ if ( is_dotfilename (dentp->d_name) )
+ continue;
+
+ dbg_val ("directory: check %s\n", dentp->d_name);
+ pathname (path, sizeof (path), dir, dentp->d_name, NULL);
+ if ( is_directory (path) && recflag )
+ {
+ dbg_val ("directory: recursive %s\n", path);
+ parsedirectory (path, listp, sub_before);
+ }
+ else if ( is_keyfilename (dentp->d_name) )
+ if ( (dkp = dki_read (dir, dentp->d_name)) )
+ {
+ // fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
+#if defined (USE_TREE) && USE_TREE
+ dki_tadd (listp, dkp, sub_before);
+#else
+ dki_add (listp, dkp);
+#endif
+ }
+ }
+ closedir (dirp);
+ return 1;
+}
+
+static void parsefile (const char *file, dki_t **listp, int sub_before)
+{
+ char path[MAX_PATHSIZE+1];
+ dki_t *dkp;
+
+ /* file arg contains path ? ... */
+ file = splitpath (path, sizeof (path), file); /* ... then split of */
+
+ if ( is_keyfilename (file) ) /* plain file name looks like DNS key file ? */
+ {
+ if ( (dkp = dki_read (path, file)) ) /* read DNS key file ... */
+#if defined (USE_TREE) && USE_TREE
+ dki_tadd (listp, dkp, sub_before); /* ... and add to tree */
+#else
+ dki_add (listp, dkp); /* ... and add to list */
+#endif
+ else
+ error ("error parsing %s: (%s)\n", file, dki_geterrstr());
+ }
+}
--- /dev/null
+/*****************************************************************
+**
+** @(#) zkt-signer.c (c) Jan 2005 - Jan 2010 Holger Zuleger hznet.de
+**
+** A wrapper around the BIND dnssec-signzone command which is able
+** to resign a zone if necessary and doing a zone or key signing key rollover.
+**
+** Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
+** This software is open source.
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions
+** are met:
+**
+** Redistributions of source code must retain the above copyright notice,
+** this list of conditions and the following disclaimer.
+**
+** Redistributions in binary form must reproduce the above copyright notice,
+** this list of conditions and the following disclaimer in the documentation
+** and/or other materials provided with the distribution.
+**
+** Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+** be used to endorse or promote products derived from this software without
+** specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+** POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <assert.h>
+# include <dirent.h>
+# include <errno.h>
+# include <unistd.h>
+# include <ctype.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+# include "zconf.h"
+# include "debug.h"
+# include "misc.h"
+# include "ncparse.h"
+# include "nscomm.h"
+# include "soaserial.h"
+# include "zone.h"
+# include "dki.h"
+# include "rollover.h"
+# include "log.h"
+
+#if defined(BIND_VERSION) && BIND_VERSION >= 940
+# define short_options "c:L:V:D:N:o:O:dfHhnrv"
+#else
+# define short_options "c:L:V:D:N:o:O:fHhnrv"
+#endif
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+ {"reload", no_argument, NULL, 'r'},
+ {"force", no_argument, NULL, 'f'},
+ {"noexec", no_argument, NULL, 'n'},
+ {"verbose", no_argument, NULL, 'v'},
+ {"directory", no_argument, NULL, 'd'},
+ {"config", required_argument, NULL, 'c'},
+ {"option", required_argument, NULL, 'O'},
+ {"config-option", required_argument, NULL, 'O'},
+ {"logfile", required_argument, NULL, 'L' },
+ {"view", required_argument, NULL, 'V' },
+ {"directory", required_argument, NULL, 'D'},
+ {"named-conf", required_argument, NULL, 'N'},
+ {"origin", required_argument, NULL, 'o'},
+#if defined(BIND_VERSION) && BIND_VERSION >= 940
+ {"dynamic", no_argument, NULL, 'd' },
+#endif
+ {"help", no_argument, NULL, 'h'},
+ {0, 0, 0, 0}
+};
+#endif
+
+
+/** function declaration **/
+static void usage (char *mesg, zconf_t *conf);
+static int add2zonelist (const char *dir, const char *view, const char *zone, const char *file);
+static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf);
+static int dosigning (zone_t *zonelist, zone_t *zp);
+static int check_keydb_timestamp (dki_t *keylist, time_t reftime);
+static int new_keysetfiles (const char *dir, time_t zone_signing_time);
+static int writekeyfile (const char *fname, const dki_t *list, int key_ttl);
+static int sign_zone (const zone_t *zp);
+static void register_key (dki_t *listp, const zconf_t *z);
+static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf);
+
+/** global command line options **/
+extern int optopt;
+extern int opterr;
+extern int optind;
+extern char *optarg;
+const char *progname;
+static const char *viewname = NULL;
+static const char *logfile = NULL;
+static const char *origin = NULL;
+static const char *namedconf = NULL;
+static const char *dirname = NULL;
+static int verbose = 0;
+static int force = 0;
+static int reloadflag = 0;
+static int noexec = 0;
+static int dynamic_zone = 0; /* dynamic zone ? */
+static zone_t *zonelist = NULL; /* must be static global because add2zonelist use it */
+static zconf_t *config;
+
+/** macros **/
+#define set_bind94_dynzone(dz) ((dz) = 1)
+#define set_bind96_dynzone(dz) ((dz) = 6)
+#define bind94_dynzone(dz) ( (dz) > 0 && (dz) < 6 )
+#define bind96_dynzone(dz) ( (dz) >= 6 )
+#define is_defined(str) ( (str) && *(str) )
+
+int main (int argc, char *const argv[])
+{
+ int c;
+ int errcnt;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+ int opt_index;
+#endif
+ char errstr[255+1];
+ char *p;
+ const char *defconfname;
+ zone_t *zp;
+
+ progname = *argv;
+ if ( (p = strrchr (progname, '/')) )
+ progname = ++p;
+
+ if ( strncmp (progname, "dnssec-signer", 13) == 0 )
+ {
+ fprintf (stderr, "The use of dnssec-signer is deprecated, please run zkt-signer instead\n");
+ viewname = getnameappendix (progname, "dnssec-signer");
+ }
+ else
+ viewname = getnameappendix (progname, "zkt-signer");
+ defconfname = getdefconfname (viewname);
+ config = loadconfig ("", (zconf_t *)NULL); /* load build-in config */
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Couldn't load config: Out of memory\n");
+
+ zonelist = NULL;
+ opterr = 0;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+ while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+ while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+ {
+ switch ( c )
+ {
+ case 'V': /* view name */
+ viewname = optarg;
+ defconfname = getdefconfname (viewname);
+ if ( fileexist (defconfname) ) /* load default config file */
+ config = loadconfig (defconfname, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ break;
+ case 'c': /* load config from file */
+ config = loadconfig (optarg, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ break;
+ case 'O': /* load config option from commandline */
+ config = loadconfig_fromstr (optarg, config);
+ if ( config == NULL )
+ fatal ("Out of memory\n");
+ break;
+ case 'o':
+ origin = optarg;
+ break;
+ case 'N':
+ namedconf = optarg;
+ break;
+ case 'D':
+ dirname = optarg;
+ break;
+ case 'L': /* error log file|directory */
+ logfile = optarg;
+ break;
+ case 'f':
+ force++;
+ break;
+ case 'H':
+ case 'h':
+ usage (NULL, config);
+ break;
+#if defined(BIND_VERSION) && BIND_VERSION >= 940
+ case 'd':
+# if BIND_VERSION >= 960
+ set_bind96_dynzone (dynamic_zone);
+# else
+ set_bind94_dynzone(dynamic_zone);
+# endif
+ /* dynamic zone requires a name server reload... */
+ reloadflag = 0; /* ...but "rndc thaw" reloads the zone anyway */
+ break;
+#endif
+ case 'n':
+ noexec = 1;
+ break;
+ case 'r':
+ if ( !dynamic_zone ) /* dynamic zones don't need a rndc reload (see "-d" */
+ reloadflag = 1;
+ break;
+ case 'v':
+ verbose++;
+ break;
+ case '?':
+ if ( isprint (optopt) )
+ snprintf (errstr, sizeof(errstr),
+ "Unknown option \"-%c\".\n", optopt);
+ else
+ snprintf (errstr, sizeof (errstr),
+ "Unknown option char \\x%x.\n", optopt);
+ usage (errstr, config);
+ break;
+ default:
+ abort();
+ }
+ }
+ dbg_line();
+
+ /* store some of the commandline parameter in the config structure */
+ setconfigpar (config, "--view", viewname);
+ setconfigpar (config, "-v", &verbose);
+ setconfigpar (config, "--noexec", &noexec);
+ if ( logfile == NULL )
+ logfile = config->logfile;
+
+ if ( lg_open (progname, config->syslogfacility, config->sysloglevel, config->zonedir, logfile, config->loglevel) < -1 )
+ fatal ("Couldn't open logfile %s in dir %s\n", logfile, config->zonedir);
+
+#if defined(DBG) && DBG
+ for ( zp = zonelist; zp; zp = zp->next )
+ zone_print ("in main: ", zp);
+#endif
+ lg_args (LG_NOTICE, argc, argv);
+
+ /* 1.0rc1: If the ttl for dynamic zones is not known or if it is 0, use sig valid time for this */
+ if ( config->max_ttl <= 0 || dynamic_zone )
+ {
+ // config = dupconfig (config);
+ config->max_ttl = config->sigvalidity;
+ }
+
+
+ if ( origin ) /* option -o ? */
+ {
+ int ret;
+
+ if ( (argc - optind) <= 0 ) /* no arguments left ? */
+ ret = zone_readdir (".", origin, NULL, &zonelist, config, dynamic_zone);
+ else
+ ret = zone_readdir (".", origin, argv[optind], &zonelist, config, dynamic_zone);
+
+ /* anyway, "delete" all (remaining) arguments */
+ optind = argc;
+
+ /* complain if nothing could read in */
+ if ( ret != 1 || zonelist == NULL )
+ {
+ lg_mesg (LG_FATAL, "\"%s\": couldn't read", origin);
+ fatal ("Couldn't read zone \"%s\"\n", origin);
+ }
+ }
+ if ( namedconf ) /* option -N ? */
+ {
+ char dir[255+1];
+
+ memset (dir, '\0', sizeof (dir));
+ if ( config->zonedir )
+ strncpy (dir, config->zonedir, sizeof(dir));
+ if ( !parse_namedconf (namedconf, config->chroot_dir, dir, sizeof (dir), add2zonelist) )
+ fatal ("Can't read file %s as namedconf file\n", namedconf);
+ if ( zonelist == NULL )
+ fatal ("No signed zone found in file %s\n", namedconf);
+ }
+ if ( dirname ) /* option -D ? */
+ {
+ char *dir = strdup (dirname);
+
+ p = dir + strlen (dir);
+ if ( p > dir )
+ p--;
+ if ( *p == '/' )
+ *p = '\0'; /* remove trailing path seperator */
+
+ if ( !parsedir (dir, &zonelist, config) )
+ fatal ("Can't read directory tree %s\n", dir);
+ if ( zonelist == NULL )
+ fatal ("No signed zone found in directory tree %s\n", dir);
+ free (dir);
+ }
+
+ /* none of the above: read current directory tree */
+ if ( zonelist == NULL )
+ parsedir (config->zonedir, &zonelist, config);
+
+ for ( zp = zonelist; zp; zp = zp->next )
+ if ( in_strarr (zp->zone, &argv[optind], argc - optind) )
+ {
+ dosigning (zonelist, zp);
+ verbmesg (1, zp->conf, "\n");
+ }
+
+ zone_freelist (&zonelist);
+
+ errcnt = lg_geterrcnt ();
+ lg_mesg (LG_NOTICE, "end of run: %d error%s occured", errcnt, errcnt == 1 ? "" : "s");
+ lg_close ();
+
+ return errcnt < 64 ? errcnt : 64;
+}
+
+# define sopt_usage(mesg, value) fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define lopt_usage(mesg, value) fprintf (stderr, mesg, value)
+# define loptstr(lstr, sstr) lstr
+#else
+# define lopt_usage(mesg, value)
+# define loptstr(lstr, sstr) sstr
+#endif
+static void usage (char *mesg, zconf_t *conf)
+{
+ fprintf (stderr, "%s version %s compiled for BIND %d\n", progname, ZKT_VERSION, BIND_VERSION);
+ fprintf (stderr, "ZKT %s\n", ZKT_COPYRIGHT);
+ fprintf (stderr, "\n");
+
+ fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
+ fprintf (stderr, "[-D directorytree] ");
+ fprintf (stderr, "[-fhnr] [-v [-v]] [zone ...]\n");
+
+ fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
+ fprintf (stderr, "-N named.conf ");
+ fprintf (stderr, "[-fhnr] [-v [-v]] [zone ...]\n");
+
+ fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
+ fprintf (stderr, "-o origin ");
+ fprintf (stderr, "[-fhnr] [-v [-v]] [zonefile.signed]\n");
+
+ fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
+ fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
+ fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+ fprintf (stderr, "\t\t set config options on the commandline\n");
+ fprintf (stderr, "\t-L file|dir%s", loptstr (", --logfile=file|dir\n", ""));
+ fprintf (stderr, "\t\t specify file or directory for the log output\n");
+ fprintf (stderr, "\t-V name%s", loptstr (", --view=name\n", ""));
+ fprintf (stderr, "\t\t specify the view name \n");
+ fprintf (stderr, "\t-D dir%s", loptstr (", --directory=dir\n", ""));
+ fprintf (stderr, "\t\t parse the given directory tree for a list of secure zones \n");
+ fprintf (stderr, "\t-N file%s", loptstr (", --named-conf=file\n", ""));
+ fprintf (stderr, "\t\t get the list of secure zones out of the named like config file \n");
+ fprintf (stderr, "\t-o zone%s", loptstr (", --origin=zone", ""));
+ fprintf (stderr, "\tspecify the name of the zone \n");
+ fprintf (stderr, "\t\t The file to sign should be given as an argument (default is \"%s.signed\")\n", conf->zonefile);
+ fprintf (stderr, "\t-h%s\t print this help\n", loptstr (", --help", "\t"));
+ fprintf (stderr, "\t-f%s\t force re-signing\n", loptstr (", --force", "\t"));
+ fprintf (stderr, "\t-n%s\t no execution of external signing command\n", loptstr (", --noexec", "\t"));
+ // fprintf (stderr, "\t-r%s\t reload zone via <rndc reload zone> (or via the external distribution command)\n", loptstr (", --reload", "\t"));
+ fprintf (stderr, "\t-r%s\t reload zone via %s\n", loptstr (", --reload", "\t"), conf->dist_cmd ? conf->dist_cmd: "rndc");
+ fprintf (stderr, "\t-v%s\t be verbose (use twice to be very verbose)\n", loptstr (", --verbose", "\t"));
+
+ fprintf (stderr, "\t[zone]\t sign only those zones given as argument\n");
+
+ fprintf (stderr, "\n");
+ fprintf (stderr, "\tif neither -D nor -N nor -o is given, the directory tree specified\n");
+ fprintf (stderr, "\tin the dnssec config file (\"%s\") will be parsed\n", conf->zonedir);
+
+ if ( mesg && *mesg )
+ fprintf (stderr, "%s\n", mesg);
+ exit (127);
+}
+
+/** fill zonelist with infos coming out of named.conf **/
+static int add2zonelist (const char *dir, const char *view, const char *zone, const char *file)
+{
+#ifdef DBG
+ fprintf (stderr, "printzone ");
+ fprintf (stderr, "view \"%s\" " , view);
+ fprintf (stderr, "zone \"%s\" " , zone);
+ fprintf (stderr, "file ");
+ if ( dir && *dir )
+ fprintf (stderr, "%s/", dir);
+ fprintf (stderr, "%s", file);
+ fprintf (stderr, "\n");
+#endif
+ dbg_line ();
+ if ( view[0] != '\0' ) /* view found in named.conf */
+ {
+ if ( viewname == NULL || viewname[0] == '\0' ) /* viewname wasn't set on startup ? */
+ {
+ dbg_line ();
+ error ("zone \"%s\" in view \"%s\" found in name server config, but no matching view was set on startup\n", zone, view);
+ lg_mesg (LG_ERROR, "\"%s\" in view \"%s\" found in name server config, but no matching view was set on startup", zone, view);
+ return 0;
+ }
+ dbg_line ();
+ if ( strcmp (viewname, view) != 0 ) /* zone is _not_ in current view */
+ return 0;
+ }
+ return zone_readdir (dir, zone, file, &zonelist, config, dynamic_zone);
+}
+
+static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf)
+{
+ DIR *dirp;
+ struct dirent *dentp;
+ char path[MAX_PATHSIZE+1];
+
+ dbg_val ("parsedir: (%s)\n", dir);
+ if ( !is_directory (dir) )
+ return 0;
+
+ dbg_line ();
+ zone_readdir (dir, NULL, NULL, zp, conf, dynamic_zone);
+
+ dbg_val ("parsedir: opendir(%s)\n", dir);
+ if ( (dirp = opendir (dir)) == NULL )
+ return 0;
+
+ while ( (dentp = readdir (dirp)) != NULL )
+ {
+ if ( is_dotfilename (dentp->d_name) )
+ continue;
+
+ pathname (path, sizeof (path), dir, dentp->d_name, NULL);
+ if ( !is_directory (path) )
+ continue;
+
+ dbg_val ("parsedir: recursive %s\n", path);
+ parsedir (path, zp, conf);
+ }
+ closedir (dirp);
+ return 1;
+}
+
+static int dosigning (zone_t *zonelist, zone_t *zp)
+{
+ char path[MAX_PATHSIZE+1];
+ int err;
+ int newkey;
+ int newkeysetfile;
+ int use_unixtime;
+ time_t currtime;
+ time_t zfile_time;
+ time_t zfilesig_time;
+ char mesg[255+1];
+
+ verbmesg (1, zp->conf, "parsing zone \"%s\" in dir \"%s\"\n", zp->zone, zp->dir);
+
+ pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
+ dbg_val("parsezonedir fileexist (%s)\n", path);
+ if ( !fileexist (path) )
+ {
+ error ("Not a secure zone directory (%s)!\n", zp->dir);
+ lg_mesg (LG_ERROR, "\"%s\": not a secure zone directory (%s)!", zp->zone, zp->dir);
+ return 1;
+ }
+ zfilesig_time = file_mtime (path);
+
+ pathname (path, sizeof (path), zp->dir, zp->file, NULL);
+ dbg_val("parsezonedir fileexist (%s)\n", path);
+ if ( !fileexist (path) )
+ {
+ error ("No zone file found (%s)!\n", path);
+ lg_mesg (LG_ERROR, "\"%s\": no zone file found (%s)!", zp->zone, path);
+ return 2;
+ }
+
+ zfile_time = file_mtime (path);
+ currtime = time (NULL);
+
+ /* check for domain based logging */
+ if ( is_defined (zp->conf->logdomaindir) ) /* parameter is not null or empty ? */
+ {
+ if ( strcmp (zp->conf->logdomaindir, ".") == 0 ) /* current (".") means zone directory */
+ lg_zone_start (zp->dir, zp->zone);
+ else
+ lg_zone_start (zp->conf->logdomaindir, zp->zone);
+ }
+
+ /* check rfc5011 key signing keys, create new one if necessary */
+ dbg_msg("parsezonedir check rfc 5011 ksk ");
+ newkey = ksk5011status (&zp->keys, zp->dir, zp->zone, zp->conf);
+ if ( (newkey & 02) != 02 ) /* not a rfc 5011 zone ? */
+ {
+ verbmesg (2, zp->conf, "\t\t->not a rfc5011 zone, looking for a regular ksk rollover\n");
+ /* check key signing keys, create new one if necessary */
+ dbg_msg("parsezonedir check ksk ");
+ newkey |= kskstatus (zonelist, zp);
+ }
+ else
+ newkey &= ~02; /* reset bit 2 */
+
+ /* check age of zone keys, probably retire (depreciate) or remove old keys */
+ dbg_msg("parsezonedir check zsk ");
+ newkey += zskstatus (&zp->keys, zp->dir, zp->zone, zp->conf);
+
+ /* check age of "dnskey.db" file against age of keyfiles */
+ pathname (path, sizeof (path), zp->dir, zp->conf->keyfile, NULL);
+ dbg_val("parsezonedir check_keydb_timestamp (%s)\n", path);
+ if ( !newkey )
+ newkey = check_keydb_timestamp (zp->keys, file_mtime (path));
+
+ newkeysetfile = 0;
+#if defined(ALWAYS_CHECK_KEYSETFILES) && ALWAYS_CHECK_KEYSETFILES /* patch from Shane Wegner 15. June 2009 */
+ /* check if there is a new keyset- file */
+ if ( !newkey )
+ newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time);
+#else
+ /* if we work in subdir mode, check if there is a new keyset- file */
+ if ( !newkey && zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 )
+ newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time);
+#endif
+
+ /**
+ ** Check if it is time to do a re-sign. This is the case if
+ ** a) the command line flag -f is set, or
+ ** b) new keys are generated, or
+ ** c) we found a new KSK of a delegated domain, or
+ ** d) the "dnskey.db" file is newer than "zone.db"
+ ** e) the "zone.db" is newer than "zone.db.signed" or
+ ** f) "zone.db.signed" is older than the re-sign interval
+ **/
+ mesg[0] = '\0';
+ if ( force )
+ snprintf (mesg, sizeof(mesg), "Option -f");
+ else if ( newkey )
+ snprintf (mesg, sizeof(mesg), "Modfied zone key set");
+ else if ( newkeysetfile )
+ snprintf (mesg, sizeof(mesg), "Modified KSK in delegated domain");
+ else if ( file_mtime (path) > zfilesig_time )
+ snprintf (mesg, sizeof(mesg), "Modified keys");
+ else if ( zfile_time > zfilesig_time )
+ snprintf (mesg, sizeof(mesg), "Zone file edited");
+ else if ( (currtime - zfilesig_time) > zp->conf->resign - (OFFSET) )
+ snprintf (mesg, sizeof(mesg), "re-signing interval (%s) reached",
+ str_delspace (age2str (zp->conf->resign)));
+ else if ( bind94_dynzone (dynamic_zone) )
+ snprintf (mesg, sizeof(mesg), "dynamic zone");
+
+ if ( *mesg )
+ verbmesg (1, zp->conf, "\tRe-signing necessary: %s\n", mesg);
+ else
+ verbmesg (1, zp->conf, "\tRe-signing not necessary!\n");
+
+ if ( *mesg )
+ lg_mesg (LG_NOTICE, "\"%s\": re-signing triggered: %s", zp->zone, mesg);
+
+ dbg_line ();
+ if ( !(force || newkey || newkeysetfile || zfile_time > zfilesig_time ||
+ file_mtime (path) > zfilesig_time ||
+ (currtime - zfilesig_time) > zp->conf->resign - (OFFSET) ||
+ bind94_dynzone (dynamic_zone)) )
+ {
+ verbmesg (2, zp->conf, "\tCheck if there is a parent file to copy\n");
+ if ( zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 )
+ copy_keyset (zp->dir, zp->zone, zp->conf); /* copy the parent- file if it exist */
+ if ( is_defined (zp->conf->logdomaindir) )
+ lg_zone_end ();
+ return 0; /* nothing to do */
+ }
+
+ /* let's start signing the zone */
+ dbg_line ();
+
+ /* create new "dnskey.db" file */
+ pathname (path, sizeof (path), zp->dir, zp->conf->keyfile, NULL);
+ verbmesg (1, zp->conf, "\tWriting key file \"%s\"\n", path);
+ if ( !writekeyfile (path, zp->keys, zp->conf->key_ttl) )
+ {
+ error ("Can't create keyfile %s \n", path);
+ lg_mesg (LG_ERROR, "\"%s\": can't create keyfile %s", zp->zone , path);
+ }
+
+ err = 1;
+ use_unixtime = ( zp->conf->serialform == Unixtime );
+ dbg_val1 ("Use unixtime = %d\n", use_unixtime);
+#if defined(BIND_VERSION) && BIND_VERSION >= 940
+ if ( !dynamic_zone && !use_unixtime ) /* increment serial number in static zone files */
+#else
+ if ( !dynamic_zone ) /* increment serial no in static zone files */
+#endif
+ {
+ pathname (path, sizeof (path), zp->dir, zp->file, NULL);
+ err = 0;
+ if ( noexec == 0 )
+ {
+ if ( (err = inc_serial (path, use_unixtime)) < 0 )
+ {
+ error ("could not increment serialno of domain %s in file %s: %s!\n",
+ zp->zone, path, inc_errstr (err));
+ lg_mesg (LG_ERROR,
+ "zone \"%s\": couldn't increment serialno in file %s: %s",
+ zp->zone, path, inc_errstr (err));
+ }
+ else
+ verbmesg (1, zp->conf, "\tIncrementing serial number in file \"%s\"\n", path);
+ }
+ else
+ verbmesg (1, zp->conf, "\tIncrementing serial number in file \"%s\"\n", path);
+ }
+
+ /* at last, sign the zone file */
+ if ( err > 0 )
+ {
+ time_t timer;
+
+ verbmesg (1, zp->conf, "\tSigning zone \"%s\"\n", zp->zone);
+ logflush ();
+
+ /* dynamic zones uses incremental signing, so we have to */
+ /* prepare the old (signed) file as new input file */
+ if ( dynamic_zone )
+ {
+ char zfile[MAX_PATHSIZE+1];
+
+ dyn_update_freeze (zp->zone, zp->conf, 1); /* freeze dynamic zone ! */
+
+ pathname (zfile, sizeof (zfile), zp->dir, zp->file, NULL);
+ pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
+ if ( filesize (path) == 0L ) /* initial signing request ? */
+ {
+ verbmesg (1, zp->conf, "\tDynamic Zone signing: Initial signing request: Add DNSKEYs to zonefile\n");
+ copyfile (zfile, path, zp->conf->keyfile);
+ }
+#if 1
+ else if ( zfile_time > zfilesig_time ) /* zone.db is newer than signed file */
+ {
+ verbmesg (1, zp->conf, "\tDynamic Zone signing: zone file manually edited: Use it as new input file\n");
+ copyfile (zfile, path, NULL);
+ }
+#endif
+ verbmesg (1, zp->conf, "\tDynamic Zone signing: copy old signed zone file %s to new input file %s\n",
+ path, zfile);
+
+ if ( newkey ) /* if we have new keys, they should be added to the zone file */
+ {
+ copyzonefile (path, zfile, zp->conf->keyfile);
+#if 0
+ if ( zp->conf->dist_cmd )
+ dist_and_reload (zp, 2); /* ... and send to the name server */
+#endif
+ }
+ else /* else we can do a simple file copy */
+ copyfile (path, zfile, NULL);
+ }
+
+ timer = start_timer ();
+ if ( (err = sign_zone (zp)) < 0 )
+ {
+ error ("\tSigning of zone %s failed (%d)!\n", zp->zone, err);
+ lg_mesg (LG_ERROR, "\"%s\": signing failed!", zp->zone);
+ }
+ timer = stop_timer (timer);
+
+ if ( dynamic_zone )
+ dyn_update_freeze (zp->zone, zp->conf, 0); /* thaw dynamic zone file */
+
+ if ( err >= 0 )
+ {
+ const char *tstr = str_delspace (age2str (timer));
+
+ if ( !tstr || *tstr == '\0' )
+ tstr = "0s";
+ verbmesg (1, zp->conf, "\tSigning completed after %s.\n", tstr);
+ }
+ }
+
+ copy_keyset (zp->dir, zp->zone, zp->conf);
+
+ if ( err >= 0 && reloadflag )
+ {
+ if ( zp->conf->dist_cmd )
+ dist_and_reload (zp, 1);
+ else
+ reload_zone (zp->zone, zp->conf);
+
+ register_key (zp->keys, zp->conf);
+ }
+
+ if ( is_defined (zp->conf->logdomaindir) )
+ lg_zone_end ();
+
+ return err;
+}
+
+static void register_key (dki_t *list, const zconf_t *z)
+{
+ dki_t *dkp;
+ time_t currtime;
+ time_t age;
+
+ assert ( list != NULL );
+ assert ( z != NULL );
+
+ currtime = time (NULL);
+ for ( dkp = list; dkp && dki_isksk (dkp); dkp = dkp->next )
+ {
+ age = dki_age (dkp, currtime);
+#if 0
+ /* announce "new" and active key signing keys */
+ if ( REG_URL && *REG_URL && dki_status (dkp) == DKI_ACT && age <= z->resign * 4 )
+ {
+ if ( verbose )
+ logmesg ("\tRegister new KSK with tag %d for domain %s\n",
+ dkp->tag, dkp->name);
+ }
+#endif
+ }
+}
+
+/*
+ * This function is not working with symbolic links to keyset- files,
+ * because file_mtime() returns the mtime of the underlying file, and *not*
+ * that of the symlink file.
+ * This is bad, because the keyset-file will be newly generated by dnssec-signzone
+ * on every re-signing call.
+ * Instead, in the case of a hierarchical directory structure, we copy the file
+ * (and so we change the timestamp) only if it was modified after the last
+ * generation (checked with cmpfile(), see func sign_zone()).
+ */
+# define KEYSET_FILE_PFX "keyset-"
+static int new_keysetfiles (const char *dir, time_t zone_signing_time)
+{
+ DIR *dirp;
+ struct dirent *dentp;
+ char path[MAX_PATHSIZE+1];
+ int newkeysetfile;
+
+ if ( (dirp = opendir (dir)) == NULL )
+ return 0;
+
+ newkeysetfile = 0;
+ dbg_val2 ("new_keysetfile (%s, %s)\n", dir, time2str (zone_signing_time, 's'));
+ while ( !newkeysetfile && (dentp = readdir (dirp)) != NULL )
+ {
+ if ( strncmp (dentp->d_name, KEYSET_FILE_PFX, strlen (KEYSET_FILE_PFX)) != 0 )
+ continue;
+
+ pathname (path, sizeof (path), dir, dentp->d_name, NULL);
+ dbg_val2 ("newkeysetfile timestamp of %s = %s\n", path, time2str (file_mtime(path), 's'));
+ if ( file_mtime (path) > zone_signing_time )
+ newkeysetfile = 1;
+ }
+ closedir (dirp);
+
+ return newkeysetfile;
+}
+
+static int check_keydb_timestamp (dki_t *keylist, time_t reftime)
+{
+ dki_t *key;
+
+ assert ( keylist != NULL );
+ if ( reftime == 0 )
+ return 1;
+
+ for ( key = keylist; key; key = key->next )
+ if ( dki_time (key) > reftime )
+ return 1;
+
+ return 0;
+}
+
+static int writekeyfile (const char *fname, const dki_t *list, int key_ttl)
+{
+ FILE *fp;
+ const dki_t *dkp;
+ time_t curr = time (NULL);
+ int ksk;
+
+ if ( (fp = fopen (fname, "w")) == NULL )
+ return 0;
+ fprintf (fp, ";\n");
+ fprintf (fp, ";\t!!! Don\'t edit this file by hand.\n");
+ fprintf (fp, ";\t!!! It will be generated by %s.\n", progname);
+ fprintf (fp, ";\n");
+ fprintf (fp, ";\t Last generation time %s\n", time2str (curr, 's'));
+ fprintf (fp, ";\n");
+
+ fprintf (fp, "\n");
+ fprintf (fp, "; *** List of Key Signing Keys ***\n");
+ ksk = 1;
+ for ( dkp = list; dkp; dkp = dkp->next )
+ {
+ if ( ksk && !dki_isksk (dkp) )
+ {
+ fprintf (fp, "; *** List of Zone Signing Keys ***\n");
+ ksk = 0;
+ }
+ dki_prt_comment (dkp, fp);
+ dki_prt_dnskeyttl (dkp, fp, key_ttl);
+ putc ('\n', fp);
+ }
+
+ fclose (fp);
+ return 1;
+}
+
+static int sign_zone (const zone_t *zp)
+{
+ char cmd[2047+1];
+ char str[1023+1];
+ char rparam[254+1];
+ char nsec3param[637+1];
+ char keysetdir[254+1];
+ const char *gends;
+ const char *dnskeyksk;
+ const char *pseudo;
+ const char *param;
+ int len;
+ FILE *fp;
+
+ const char *dir;
+ const char *domain;
+ const char *file;
+ const zconf_t *conf;
+
+ assert (zp != NULL);
+ dir = zp->dir;
+ domain = zp->zone;
+ file = zp->file;
+ conf = zp->conf;
+
+ len = 0;
+ str[0] = '\0';
+ if ( conf->lookaside && conf->lookaside[0] )
+ len = snprintf (str, sizeof (str), "-l %.250s", conf->lookaside);
+
+ dbg_line();
+#if defined(BIND_VERSION) && BIND_VERSION >= 940
+ if ( !dynamic_zone && conf->serialform == Unixtime )
+ snprintf (str+len, sizeof (str) - len, " -N unixtime");
+#endif
+
+ gends = "";
+ if ( conf->sig_gends )
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+ gends = "-C -g ";
+#else
+ gends = "-g ";
+#endif
+
+ dnskeyksk = "";
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+ if ( conf->sig_dnskeyksk )
+ dnskeyksk = "-x ";
+#endif
+
+ pseudo = "";
+ if ( conf->sig_pseudo )
+ pseudo = "-p ";
+
+ param = "";
+ if ( conf->sig_param && conf->sig_param[0] )
+ param = conf->sig_param;
+
+ nsec3param[0] = '\0';
+#if defined(BIND_VERSION) && BIND_VERSION >= 960
+ if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 ||
+ conf->nsec3 != NSEC3_OFF )
+ {
+ char salt[510+1]; /* salt has a maximum of 255 bytes == 510 hex nibbles */
+ const char *update;
+ const char *optout;
+ unsigned int seed;
+
+# if defined(BIND_VERSION) && BIND_VERSION >= 970
+ update = "-u "; /* trailing blank is necessary */
+# else
+ update = "";
+# endif
+ if ( conf->nsec3 == NSEC3_OPTOUT )
+ optout = "-A ";
+ else
+ optout = "";
+
+ /* static zones can use always a new salt (full zone signing) */
+ seed = 0L; /* no seed: use mechanism build in gensalt() */
+ if ( dynamic_zone )
+ { /* dynamic zones have to reuse the salt on signing */
+ const dki_t *kp;
+
+ /* use gentime timestamp of ZSK for seeding rand generator */
+ kp = dki_find (zp->keys, DKI_ZSK, DKI_ACTIVE, 1);
+ assert ( kp != NULL );
+ if ( kp->gentime )
+ seed = kp->gentime;
+ else
+ seed = kp->time;
+ }
+
+ if ( gensalt (salt, sizeof (salt), conf->saltbits, seed) )
+ snprintf (nsec3param, sizeof (nsec3param), "%s%s-3 %s ", update, optout, salt);
+ }
+#endif
+
+ dbg_line();
+ rparam[0] = '\0';
+ if ( conf->sig_random && conf->sig_random[0] )
+ snprintf (rparam, sizeof (rparam), "-r %.250s ", conf->sig_random);
+
+ dbg_line();
+ keysetdir[0] = '\0';
+ if ( conf->keysetdir && conf->keysetdir[0] && strcmp (conf->keysetdir, "..") != 0 )
+ snprintf (keysetdir, sizeof (keysetdir), "-d %.250s ", conf->keysetdir);
+
+ if ( dir == NULL || *dir == '\0' )
+ dir = ".";
+
+ dbg_line();
+#if defined(BIND_VERSION) && BIND_VERSION >= 940
+ if ( dynamic_zone )
+ snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1",
+ dir, SIGNCMD, param, nsec3param, dnskeyksk, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
+ else
+#endif
+ snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1",
+ dir, SIGNCMD, param, nsec3param, dnskeyksk, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
+ verbmesg (2, conf, "\t Run cmd \"%s\"\n", cmd);
+ *str = '\0';
+ if ( noexec == 0 )
+ {
+#if 0
+ if ( (fp = popen (cmd, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+ return -1;
+#else
+ if ( (fp = popen (cmd, "r")) == NULL )
+ return -1;
+ str[0] = '\0';
+ while ( fgets (str, sizeof str, fp) != NULL ) /* eat up all output until the last line */
+ ;
+#endif
+ pclose (fp);
+ }
+
+ dbg_line();
+ verbmesg (2, conf, "\t Cmd dnssec-signzone return: \"%s\"\n", str_chop (str, '\n'));
+ len = strlen (str) - 6;
+ if ( len < 0 || strcmp (str+len, "signed") != 0 )
+ return -1;
+
+ return 0;
+}
+
+static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf)
+{
+ char fromfile[1024];
+ char tofile[1024];
+ int ret;
+
+ /* propagate "keyset"-file to parent dir */
+ if ( conf->keysetdir && strcmp (conf->keysetdir, "..") == 0 )
+ {
+ /* check if special parent-file exist (ksk rollover) */
+ snprintf (fromfile, sizeof (fromfile), "%s/parent-%s", dir, domain);
+ if ( !fileexist (fromfile) ) /* use "normal" keyset-file */
+ snprintf (fromfile, sizeof (fromfile), "%s/keyset-%s", dir, domain);
+
+ /* verbmesg (2, conf, "\t check \"%s\" against parent dir\n", fromfile); */
+ snprintf (tofile, sizeof (tofile), "%s/../keyset-%s", dir, domain);
+ if ( cmpfile (fromfile, tofile) != 0 )
+ {
+ verbmesg (2, conf, "\t copy \"%s\" to parent dir\n", fromfile);
+ if ( (ret = copyfile (fromfile, tofile, NULL)) != 0 )
+ {
+ error ("Couldn't copy \"%s\" to parent dir (%d:%s)\n",
+ fromfile, ret, strerror(errno));
+ lg_mesg (LG_ERROR, "\%s\": can't copy \"%s\" to parent dir (%d:%s)",
+ domain, fromfile, ret, strerror(errno));
+ }
+ }
+ }
+}
--- /dev/null
+
+
+
+BEHAVE WG M. Bagnulo
+Internet-Draft UC3M
+Intended status: Standards Track A. Sullivan
+Expires: January 6, 2011 Shinkuro
+ P. Matthews
+ Alcatel-Lucent
+ I. van Beijnum
+ IMDEA Networks
+ July 5, 2010
+
+
+DNS64: DNS extensions for Network Address Translation from IPv6 Clients
+ to IPv4 Servers
+ draft-ietf-behave-dns64-10
+
+Abstract
+
+ DNS64 is a mechanism for synthesizing AAAA records from A records.
+ DNS64 is used with an IPv6/IPv4 translator to enable client-server
+ communication between an IPv6-only client and an IPv4-only server,
+ without requiring any changes to either the IPv6 or the IPv4 node,
+ for the class of applications that work through NATs. This document
+ specifies DNS64, and provides suggestions on how it should be
+ deployed in conjunction with IPv6/IPv4 translators.
+
+Status of this Memo
+
+ This Internet-Draft is submitted in full conformance with the
+ provisions of BCP 78 and BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF). Note that other groups may also distribute
+ working documents as Internet-Drafts. The list of current Internet-
+ Drafts is at http://datatracker.ietf.org/drafts/current/.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ This Internet-Draft will expire on January 6, 2011.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 1]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 2]
+\f
+Internet-Draft DNS64 July 2010
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3. Background to DNS64-DNSSEC interaction . . . . . . . . . . . . 8
+ 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 5. DNS64 Normative Specification . . . . . . . . . . . . . . . . 10
+ 5.1. Resolving AAAA queries and the answer section . . . . . . 11
+ 5.1.1. The answer when there is AAAA data available . . . . . 11
+ 5.1.2. The answer when there is an error . . . . . . . . . . 11
+ 5.1.3. Dealing with timeouts . . . . . . . . . . . . . . . . 12
+ 5.1.4. Special exclusion set for AAAA records . . . . . . . . 12
+ 5.1.5. Dealing with CNAME and DNAME . . . . . . . . . . . . . 12
+ 5.1.6. Data for the answer when performing synthesis . . . . 13
+ 5.1.7. Performing the synthesis . . . . . . . . . . . . . . . 13
+ 5.1.8. Querying in parallel . . . . . . . . . . . . . . . . . 14
+ 5.2. Generation of the IPv6 representations of IPv4
+ addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 5.3. Handling other Resource Records and the Additional
+ Section . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ 5.3.1. PTR Resource Record . . . . . . . . . . . . . . . . . 15
+ 5.3.2. Handling the additional section . . . . . . . . . . . 16
+ 5.3.3. Other Resource Records . . . . . . . . . . . . . . . . 17
+ 5.4. Assembling a synthesized response to a AAAA query . . . . 17
+ 5.5. DNSSEC processing: DNS64 in recursive resolver mode . . . 17
+ 6. Deployment notes . . . . . . . . . . . . . . . . . . . . . . . 18
+ 6.1. DNS resolvers and DNS64 . . . . . . . . . . . . . . . . . 19
+ 6.2. DNSSEC validators and DNS64 . . . . . . . . . . . . . . . 19
+ 6.3. DNS64 and multihomed and dual-stack hosts . . . . . . . . 19
+ 6.3.1. IPv6 multihomed hosts . . . . . . . . . . . . . . . . 19
+ 6.3.2. Accidental dual-stack DNS64 use . . . . . . . . . . . 20
+ 6.3.3. Intentional dual-stack DNS64 use . . . . . . . . . . . 20
+ 7. Deployment scenarios and examples . . . . . . . . . . . . . . 21
+ 7.1. Example of An-IPv6-network-to-IPv4-Internet setup with
+ DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 22
+ 7.2. An example of an-IPv6-network-to-IPv4-Internet setup
+ with DNS64 in stub-resolver mode . . . . . . . . . . . . . 23
+ 7.3. Example of IPv6-Internet-to-an-IPv4-network setup
+ DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 24
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 27
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
+ 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27
+ 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
+ 12.1. Normative References . . . . . . . . . . . . . . . . . . . 28
+ 12.2. Informative References . . . . . . . . . . . . . . . . . . 28
+ Appendix A. Motivations and Implications of synthesizing AAAA
+ Resource Records when real AAAA Resource Records
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 3]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ exist . . . . . . . . . . . . . . . . . . . . . . . . 29
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 4]
+\f
+Internet-Draft DNS64 July 2010
+
+
+1. Introduction
+
+ This document specifies DNS64, a mechanism that is part of the
+ toolbox for IPv6-IPv4 transition and co-existence. DNS64, used
+ together with an IPv6/IPv4 translator such as stateful NAT64
+ [I-D.ietf-behave-v6v4-xlate-stateful], allows an IPv6-only client to
+ initiate communications by name to an IPv4-only server.
+
+ DNS64 is a mechanism for synthesizing AAAA resource records (RRs)
+ from A RRs. A synthetic AAAA RR created by the DNS64 from an
+ original A RR contains the same owner name of the original A RR but
+ it contains an IPv6 address instead of an IPv4 address. The IPv6
+ address is an IPv6 representation of the IPv4 address contained in
+ the original A RR. The IPv6 representation of the IPv4 address is
+ algorithmically generated from the IPv4 address returned in the A RR
+ and a set of parameters configured in the DNS64 (typically, an IPv6
+ prefix used by IPv6 representations of IPv4 addresses and optionally
+ other parameters).
+
+ Together with an IPv6/IPv4 translator, these two mechanisms allow an
+ IPv6-only client to initiate communications to an IPv4-only server
+ using the FQDN of the server.
+
+ These mechanisms are expected to play a critical role in the IPv4-
+ IPv6 transition and co-existence. Due to IPv4 address depletion, it
+ is likely that in the future, many IPv6-only clients will want to
+ connect to IPv4-only servers. In the typical case, the approach only
+ requires the deployment of IPv6/IPv4 translators that connect an
+ IPv6-only network to an IPv4-only network, along with the deployment
+ of one or more DNS64-enabled name servers. However, some advanced
+ features require performing the DNS64 function directly in the end-
+ hosts themselves.
+
+
+2. Overview
+
+ This section provides a non-normative introduction to the DNS64
+ mechanism.
+
+ We assume that we have one or more IPv6/IPv4 translator boxes
+ connecting an IPv4 network and an IPv6 network. The IPv6/IPv4
+ translator device provides translation services between the two
+ networks enabling communication between IPv4-only hosts and IPv6-only
+ hosts. (NOTE: By IPv6-only hosts we mean hosts running IPv6-only
+ applications, hosts that can only use IPv6, as well as cases where
+ only IPv6 connectivity is available to the client. By IPv4-only
+ servers we mean servers running IPv4-only applications, servers that
+ can only use IPv4, as well as cases where only IPv4 connectivity is
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 5]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ available to the server). Each IPv6/IPv4 translator used in
+ conjunction with DNS64 must allow communications initiated from the
+ IPv6-only host to the IPv4-only host.
+
+ To allow an IPv6 initiator to do a standard AAAA RR DNS lookup to
+ learn the address of the responder, DNS64 is used to synthesize a
+ AAAA record from an A record containing a real IPv4 address of the
+ responder, whenever the DNS64 cannot retrieve a AAAA record for the
+ queried name. The DNS64 service appears as a regular DNS server or
+ resolver to the IPv6 initiator. The DNS64 receives a AAAA DNS query
+ generated by the IPv6 initiator. It first attempts a resolution for
+ the requested AAAA records. If there are no AAAA records available
+ for the target node (which is the normal case when the target node is
+ an IPv4-only node), DNS64 performs a query for A records. For each A
+ record discovered, DNS64 creates a synthetic AAAA RR from the
+ information retrieved in the A RR.
+
+ The owner name of a synthetic AAAA RR is the same as that of the
+ original A RR, but an IPv6 representation of the IPv4 address
+ contained in the original A RR is included in the AAAA RR. The IPv6
+ representation of the IPv4 address is algorithmically generated from
+ the IPv4 address and additional parameters configured in the DNS64.
+ Among those parameters configured in the DNS64, there is at least one
+ IPv6 prefix. If not explicitly mentioned, all prefixes are treated
+ equally and the operations described in this document are performed
+ using the prefixes available. So as to be general, we will call any
+ of these prefixes Pref64::/n, and describe the operations made with
+ the generic prefix Pref64::/n. The IPv6 address representing IPv4
+ addresses included in the AAAA RR synthesized by the DNS64 contain
+ Pref64::/n and they also embed the original IPv4 address.
+
+ The same algorithm and the same Pref64::/n prefix(es) must be
+ configured both in the DNS64 device and the IPv6/IPv4 translator(s),
+ so that both can algorithmically generate the same IPv6
+ representation for a given IPv4 address. In addition, it is required
+ that IPv6 packets addressed to an IPv6 destination address that
+ contains the Pref64::/n be delivered to an IPv6/IPv4 translator that
+ has that particular Pref64::/n configured, so they can be translated
+ into IPv4 packets.
+
+ Once the DNS64 has synthesized the AAAA RRs, the synthetic AAAA RRs
+ are passed back to the IPv6 initiator, which will initiate an IPv6
+ communication with the IPv6 address associated with the IPv4
+ receiver. The packet will be routed to an IPv6/IPv4 translator which
+ will forward it to the IPv4 network.
+
+ In general, the only shared state between the DNS64 and the IPv6/IPv4
+ translator is the Pref64::/n and an optional set of static
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 6]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ parameters. The Pref64::/n and the set of static parameters must be
+ configured to be the same on both; there is no communication between
+ the DNS64 device and IPv6/IPv4 translator functions. The mechanism
+ to be used for configuring the parameters of the DNS64 is beyond the
+ scope of this memo.
+
+ The prefixes to be used as Pref64::/n and their applicability are
+ discussed in [I-D.ietf-behave-address-format]. There are two types
+ of prefixes that can be used as Pref64::/n.
+
+ The Pref64::/n can be the Well-Known Prefix 64:FF9B::/96 reserved
+ by [I-D.ietf-behave-address-format] for the purpose of
+ representing IPv4 addresses in IPv6 address space.
+
+ The Pref64::/n can be a Network-Specific Prefix (NSP). An NSP is
+ an IPv6 prefix assigned by an organization to create IPv6
+ representations of IPv4 addresses.
+
+ The main difference in the nature of the two types of prefixes is
+ that the NSP is a locally assigned prefix that is under control of
+ the organization that is providing the translation services, while
+ the Well-Known Prefix is a prefix that has a global meaning since it
+ has been assigned for the specific purpose of representing IPv4
+ addresses in IPv6 address space.
+
+ The DNS64 function can be performed in any of three places. The
+ terms below are more formally defined in Section 4.
+
+ The first option is to locate the DNS64 function in authoritative
+ servers for a zone. In this case, the authoritative server provides
+ synthetic AAAA RRs for an IPv4-only host in its zone. This is one
+ type of DNS64 server.
+
+ Another option is to locate the DNS64 function in recursive name
+ servers serving end hosts. In this case, when an IPv6-only host
+ queries the name server for AAAA RRs for an IPv4-only host, the name
+ server can perform the synthesis of AAAA RRs and pass them back to
+ the IPv6-only initiator. The main advantage of this mode is that
+ current IPv6 nodes can use this mechanism without requiring any
+ modification. This mode is called "DNS64 in DNS recursive resolver
+ mode" . This is a second type of DNS64 server, and it is also one
+ type of DNS64 resolver.
+
+ The last option is to place the DNS64 function in the end hosts,
+ coupled to the local (stub) resolver. In this case, the stub
+ resolver will try to obtain (real) AAAA RRs and in case they are not
+ available, the DNS64 function will synthesize AAAA RRs for internal
+ usage. This mode is compatible with some advanced functions like
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 7]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ DNSSEC validation in the end host. The main drawback of this mode is
+ its deployability, since it requires changes in the end hosts. This
+ mode is called "DNS64 in stub-resolver mode". This is the second
+ type of DNS64 resolver.
+
+
+3. Background to DNS64-DNSSEC interaction
+
+ DNSSEC ([RFC4033], [RFC4034], [RFC4035]) presents a special challenge
+ for DNS64, because DNSSEC is designed to detect changes to DNS
+ answers, and DNS64 may alter answers coming from an authoritative
+ server.
+
+ A recursive resolver can be security-aware or security-oblivious.
+ Moreover, a security-aware recursive resolver can be validating or
+ non-validating, according to operator policy. In the cases below,
+ the recursive resolver is also performing DNS64, and has a local
+ policy to validate. We call this general case vDNS64, but in all the
+ cases below the DNS64 functionality should be assumed needed.
+
+ DNSSEC includes some signaling bits that offer some indicators of
+ what the query originator understands.
+
+ If a query arrives at a vDNS64 device with the "DNSSEC OK" (DO) bit
+ set, the query originator is signaling that it understands DNSSEC.
+ The DO bit does not indicate that the query originator will validate
+ the response. It only means that the query originator can understand
+ responses containing DNSSEC data. Conversely, if the DO bit is
+ clear, that is evidence that the querying agent is not aware of
+ DNSSEC.
+
+ If a query arrives at a vDNS64 device with the "Checking Disabled"
+ (CD) bit set, it is an indication that the querying agent wants all
+ the validation data so it can do checking itself. By local policy,
+ vDNS64 could still validate, but it must return all data to the
+ querying agent anyway.
+
+ Here are the possible cases:
+
+ 1. A DNS64 (DNSSEC-aware or DNSSEC-oblivious) receives a query with
+ the DO bit clear. In this case, DNSSEC is not a concern, because
+ the querying agent does not understand DNSSEC responses.
+
+ 2. A security-oblivious DNS64 receives a query with the DO bit set,
+ and the CD bit clear or set. This is just like the case of a
+ non-DNS64 case: the server doesn't support it, so the querying
+ agent is out of luck.
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 8]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ 3. A security-aware and non-validating DNS64 receives a query with
+ the DO bit set and the CD bit clear. Such a resolver is not
+ validating responses, likely due to local policy (see [RFC4035],
+ section 4.2). For that reason, this case amounts to the same as
+ the previous case, and no validation happens.
+
+ 4. A security-aware and non-validating DNS64 receives a query with
+ the DO bit set and the CD bit set. In this case, the resolver is
+ supposed to pass on all the data it gets to the query initiator
+ (see section 3.2.2 of [RFC4035]). This case will not work with
+ DNS64, unless the validating resolver is prepared to do DNS64
+ itself. If the DNS64 server modifies the record, the client will
+ get the data back and try to validate it, and the data will be
+ invalid as far as the client is concerned.
+
+ 5. A security-aware and validating DNS64 node receives a query with
+ the DO bit clear and CD clear. In this case, the resolver
+ validates the data. If it fails, it returns RCODE 2 (Server
+ failure); otherwise, it returns the answer. This is the ideal
+ case for vDNS64. The resolver validates the data, and then
+ synthesizes the new record and passes that to the client. The
+ client, which is presumably not validating (else it should have
+ set DO and CD), cannot tell that DNS64 is involved.
+
+ 6. A security-aware and validating DNS64 node receives a query with
+ the DO bit set and CD clear. This works like the previous case,
+ except that the resolver should also set the "Authentic Data"
+ (AD) bit on the response.
+
+ 7. A security-aware and validating DNS64 node receives a query with
+ the DO bit set and CD set. This is effectively the same as the
+ case where a security-aware and non-validating recursive resolver
+ receives a similar query, and the same thing will happen: the
+ downstream validator will mark the data as invalid if DNS64 has
+ performed synthesis. The node needs to do DNS64 itself, or else
+ communication will fail.
+
+
+4. Terminology
+
+ This section provides definitions for the special terms used in the
+ document.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 9]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ Authoritative server: A DNS server that can answer authoritatively a
+ given DNS question.
+
+ DNS64: A logical function that synthesizes DNS resource records (e.g
+ AAAA records containing IPv6 addresses) from DNS resource records
+ actually contained in the DNS (e.g., A records containing IPv4
+ addresses).
+
+ DNS64 recursor: A recursive resolver that provides the DNS64
+ functionality as part of its operation. This is the same thing as
+ "DNS64 in recursive resolver mode".
+
+ DNS64 resolver: Any resolver (stub resolver or recursive resolver)
+ that provides the DNS64 function.
+
+ DNS64 server: Any server providing the DNS64 function.
+
+ Recursive resolver: A DNS server that accepts requests from one
+ resolver, and asks another server (of some description) for the
+ answer on behalf of the first resolver.
+
+ Synthetic RR: A DNS resource record (RR) that is not contained in
+ any zone data file, but has been synthesized from other RRs. An
+ example is a synthetic AAAA record created from an A record.
+
+ IPv6/IPv4 translator: A device that translates IPv6 packets to IPv4
+ packets and vice-versa. It is only required that the
+ communication initiated from the IPv6 side be supported.
+
+ For a detailed understanding of this document, the reader should also
+ be familiar with DNS terminology from [RFC1034], [RFC1035] and
+ current NAT terminology from [RFC4787]. Some parts of this document
+ assume familiarity with the terminology of the DNS security
+ extensions outlined in [RFC4035]. It is worth emphasizing that while
+ DNS64 is a logical function separate from the DNS, it is nevertheless
+ closely associated with that protocol. It depends on the DNS
+ protocol, and some behavior of DNS64 will interact with regular DNS
+ responses.
+
+
+5. DNS64 Normative Specification
+
+ DNS64 is a logical function that synthesizes AAAA records from A
+ records. The DNS64 function may be implemented in a stub resolver,
+ in a recursive resolver, or in an authoritative name server. It
+ works within those DNS functions, and appears on the network as
+ though it were a "plain" DNS resolver or name server conforming to
+ [RFC1034], and [RFC1035].
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 10]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ The implementation SHOULD support mapping of separate IPv4 address
+ ranges to separate IPv6 prefixes for AAAA record synthesis. This
+ allows handling of special use IPv4 addresses [RFC5735].
+
+ DNS64 also responds to PTR queries involving addresses containing any
+ of the IPv6 prefixes it uses for synthesis of AAAA RRs.
+
+5.1. Resolving AAAA queries and the answer section
+
+ When the DNS64 receives a query for RRs of type AAAA and class IN, it
+ first attempts to retrieve non-synthetic RRs of this type and class,
+ either by performing a query or, in the case of an authoritative
+ server, by examining its own results. The query may be answered from
+ a local cache, if one is available. DNS64 operation for classes
+ other than IN is undefined, and a DNS64 MUST behave as though no
+ DNS64 function is configured.
+
+5.1.1. The answer when there is AAAA data available
+
+ If the query results in one or more AAAA records in the answer
+ section, the result is returned to the requesting client as per
+ normal DNS semantics, except in the case where any of the AAAA
+ records match a special exclusion set of prefixes, considered in
+ Section 5.1.4. If there is (non-excluded) AAAA data available, DNS64
+ SHOULD NOT include synthetic AAAA RRs in the response (see Appendix A
+ for an analysis of the motivations for and the implications of not
+ complying with this recommendation). By default DNS64
+ implementations MUST NOT synthesize AAAA RRs when real AAAA RRs
+ exist.
+
+5.1.2. The answer when there is an error
+
+ If the query results in a response with RCODE other than 0 (No error
+ condition), then there are two possibilities. A result with RCODE=3
+ (Name Error) is handled according to normal DNS operation (which is
+ normally to return the error to the client). This stage is still
+ prior to any synthesis having happened, so a response to be returned
+ to the client does not need any special assembly than would usually
+ happen in DNS operation.
+
+ Any other RCODE is treated as though the RCODE were 0 and the answer
+ section were empty. This is because of the large number of different
+ responses from deployed name servers when they receive AAAA queries
+ without a AAAA record being available (see [RFC4074]). Note that
+ this means, for practical purposes, that several different classes of
+ error in the DNS are all treated as though a AAAA record is not
+ available for that owner name.
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 11]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ It is important to note that, as of this writing, some servers
+ respond with RCODE=3 to a AAAA query even if there is an A record
+ available for that owner name. Those servers are in clear violation
+ of the meaning of RCODE 3, and it is expected that they will decline
+ in use as IPv6 deployment increases.
+
+5.1.3. Dealing with timeouts
+
+ If the query receives no answer before the timeout (which might be
+ the timeout from every authoritative server, depending on whether the
+ DNS64 is in recursive resolver mode), it is treated as RCODE=2
+ (Server failure). .
+
+5.1.4. Special exclusion set for AAAA records
+
+ Some IPv6 addresses are not actually usable by IPv6-only hosts. If
+ they are returned to IPv6-only querying agents as AAAA records,
+ therefore, the goal of decreasing the number of failure modes will
+ not be attained. Examples include AAAA records with addresses in the
+ ::ffff:0:0/96 network, and possibly (depending on the context) AAAA
+ records with the site's Pref::64/n or the Well-Known Prefix (see
+ below for more about the Well-Known Prefix). A DNS64 implementation
+ SHOULD provide a mechanism to specify IPv6 prefix ranges to be
+ treated as though the AAAA containing them were an empty answer. An
+ implementation SHOULD include the ::ffff/96 network in that range by
+ default. Failure to provide this facility will mean that clients
+ querying the DNS64 function may not be able to communicate with hosts
+ that would be reachable from a dual-stack host.
+
+ When the DNS64 performs its initial AAAA query, if it receives an
+ answer with only AAAA records containing addresses in the excluded
+ range(s), then it MUST treat the answer as though it were an empty
+ answer, and proceed accordingly. If it receives an answer with at
+ least one AAAA record containing an address outside any of the
+ excluded range(s), then it MAY build an answer section for a response
+ including only the AAAA record(s) that do not contain any of the
+ addresses inside the excluded ranges. That answer section is used in
+ the assembly of a response as detailed in Section 5.4.
+ Alternatively, it MAY treat the answer as though it were an empty
+ answer, and proceed accordingly. It MUST NOT return the offending
+ AAAA records as part of a response.
+
+5.1.5. Dealing with CNAME and DNAME
+
+ If the response contains a CNAME or a DNAME, then the CNAME or DNAME
+ chain is followed until the first terminating A or AAAA record is
+ reached. This may require the DNS64 to ask for an A record, in case
+ the response to the original AAAA query is a CNAME or DNAME without a
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 12]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ AAAA record to follow. The resulting AAAA or A record is treated
+ like any other AAAA or A case, as appropriate.
+
+ When assembling the answer section, any chains of CNAME or DNAME RRs
+ are included as part of the answer along with the synthetic AAAA (if
+ appropriate).
+
+5.1.6. Data for the answer when performing synthesis
+
+ If the query results in no error but an empty answer section in the
+ response, the DNS64 attempts to retrieve A records for the name in
+ question, either by performing another query or, in the case of an
+ authoritative server, by examining its own results. If this new A RR
+ query results in an empty answer or in an error, then the empty
+ result or error is used as the basis for the answer returned to the
+ querying client. If instead the query results in one or more A RRs,
+ the DNS64 synthesizes AAAA RRs based on the A RRs according to the
+ procedure outlined in Section 5.1.7. The DNS64 returns the
+ synthesized AAAA records in the answer section, removing the A
+ records that form the basis of the synthesis.
+
+5.1.7. Performing the synthesis
+
+ A synthetic AAAA record is created from an A record as follows:
+
+ o The NAME field is set to the NAME field from the A record
+
+ o The TYPE field is set to 28 (AAAA)
+
+ o The CLASS field is set to the original CLASS field, 1. Under this
+ specification, DNS64 for any CLASS other than 1 is undefined.
+
+ o The TTL field is set to the minimum of the TTL of the original A
+ RR and the SOA RR for the queried domain. (Note that in order to
+ obtain the TTL of the SOA RR, the DNS64 does not need to perform a
+ new query, but it can remember the TTL from the SOA RR in the
+ negative response to the AAAA query. If the SOA RR was not
+ delivered with the negative response to the AAAA query, then the
+ DNS64 SHOULD use a default value of 600 seconds. It is possible
+ instead to query explicitly for the SOA RR and use the result of
+ that query, but this will increase query load and time to
+ resolution for little additional benefit.) This is in keeping
+ with the approach used in negative caching ([RFC2308]
+
+ o The RDLENGTH field is set to 16
+
+ o The RDATA field is set to the IPv6 representation of the IPv4
+ address from the RDATA field of the A record. The DNS64 SHOULD
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 13]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ check each A RR against configured IPv4 address ranges and select
+ the corresponding IPv6 prefix to use in synthesizing the AAAA RR.
+ See Section 5.2 for discussion of the algorithms to be used in
+ effecting the transformation.
+
+5.1.8. Querying in parallel
+
+ The DNS64 MAY perform the query for the AAAA RR and for the A RR in
+ parallel, in order to minimize the delay. However, this would result
+ in performing unnecessary A RR queries in the case where no AAAA RR
+ synthesis is required. A possible trade-off would be to perform them
+ sequentially but with a very short interval between them, so if we
+ obtain a fast reply, we avoid doing the additional query. (Note that
+ this discussion is relevant only if the DNS64 function needs to
+ perform external queries to fetch the RR. If the needed RR
+ information is available locally, as in the case of an authoritative
+ server, the issue is no longer relevant.)
+
+5.2. Generation of the IPv6 representations of IPv4 addresses
+
+ DNS64 supports multiple algorithms for the generation of the IPv6
+ representation of an IPv4 address. The constraints imposed on the
+ generation algorithms are the following:
+
+ The same algorithm to create an IPv6 address from an IPv4 address
+ MUST be used by both a DNS64 to create the IPv6 address to be
+ returned in the synthetic AAAA RR from the IPv4 address contained
+ in an original A RR, and by a IPv6/IPv4 translator to create the
+ IPv6 address to be included in the source address field of the
+ outgoing IPv6 packets from the IPv4 address included in the source
+ address field of the incoming IPv4 packet.
+
+ The algorithm MUST be reversible; i.e., it MUST be possible to
+ derive the original IPv4 address from the IPv6 representation.
+
+ The input for the algorithm MUST be limited to the IPv4 address,
+ the IPv6 prefix (denoted Pref64::/n) used in the IPv6
+ representations and optionally a set of stable parameters that are
+ configured in the DNS64 and in the NAT64 (such as fixed string to
+ be used as a suffix).
+
+ For each prefix Pref64::/n, n MUST be less than or equal to 96.
+ If one or more Pref64::/n are configured in the DNS64 through
+ any means (such as manually configured, or other automatic
+ means not specified in this document), the default algorithm
+ MUST use these prefixes (and not use the Well-Known Prefix).
+ If no prefix is available, the algorithm MUST use the Well-
+ Known Prefix 64:FF9B::/96 defined in
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 14]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ [I-D.ietf-behave-address-format] to represent the IPv4 unicast
+ address range
+
+ [[anchor8: Note in document: The value 64:FF9B::/96 is proposed as
+ the value for the Well-Known prefix and needs to be confirmed
+ whenis published as RFC.]][I-D.ietf-behave-address-format]
+
+ A DNS64 MUST support the algorithm for generating IPv6
+ representations of IPv4 addresses defined in Section 2 of
+ [I-D.ietf-behave-address-format]. Moreover, the aforementioned
+ algorithm MUST be the default algorithm used by the DNS64. While the
+ normative description of the algorithm is provided in
+ [I-D.ietf-behave-address-format], a sample description of the
+ algorithm and its application to different scenarios is provided in
+ Section 7 for illustration purposes.
+
+5.3. Handling other Resource Records and the Additional Section
+
+5.3.1. PTR Resource Record
+
+ If a DNS64 server receives a PTR query for a record in the IP6.ARPA
+ domain, it MUST strip the IP6.ARPA labels from the QNAME, reverse the
+ address portion of the QNAME according to the encoding scheme
+ outlined in section 2.5 of [RFC3596], and examine the resulting
+ address to see whether its prefix matches any of the locally-
+ configured Pref64::/n. There are two alternatives for a DNS64 server
+ to respond to such PTR queries. A DNS64 server MUST provide one of
+ these, and SHOULD NOT provide both at the same time unless different
+ IP6.ARPA zones require answers of different sorts:
+
+ 1. The first option is for the DNS64 server to respond
+ authoritatively for its prefixes. If the address prefix matches
+ any Pref64::/n used in the site, either a NSP or the Well-Known
+ Prefix (i.e. 64:FF9B::/96), then the DNS64 server MAY answer the
+ query using locally-appropriate RDATA. The DNS64 server MAY use
+ the same RDATA for all answers. Note that the requirement is to
+ match any Pref64::/n used at the site, and not merely the
+ locally-configured Pref64::/n. This is because end clients could
+ ask for a PTR record matching an address received through a
+ different (site-provided) DNS64, and if this strategy is in
+ effect, those queries should never be sent to the global DNS.
+ The advantage of this strategy is that it makes plain to the
+ querying client that the prefix is one operated by the (DNS64)
+ site, and that the answers the client is getting are generated by
+ DNS64. The disadvantage is that any useful reverse-tree
+ information that might be in the global DNS is unavailable to the
+ clients querying the DNS64.
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 15]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ 2. The second option is for the DNS64 nameserver to synthesize a
+ CNAME mapping the IP6.ARPA namespace to the corresponding IN-
+ ADDR.ARPA name. The rest of the response would be the normal DNS
+ processing. The CNAME can be signed on the fly if need be. The
+ advantage of this approach is that any useful information in the
+ reverse tree is available to the querying client. The
+ disadvantage is that it adds additional load to the DNS64
+ (because CNAMEs have to be synthesized for each PTR query that
+ matches the Pref64::/n), and that it may require signing on the
+ fly. In addition, the generated CNAME could correspond to an
+ unpopulated in-addr.arpa zone, so the CNAME would provide a
+ reference to a non-existent record.
+
+ If the address prefix does not match any Pref64::/n, then the DNS64
+ server MUST process the query as though it were any other query; i.e.
+ a recursive nameserver MUST attempt to resolve the query as though it
+ were any other (non-A/AAAA) query, and an authoritative server MUST
+ respond authoritatively or with a referral, as appropriate.
+
+5.3.2. Handling the additional section
+
+ DNS64 synthesis MUST NOT be performed on any records in the
+ additional section of synthesized answers. The DNS64 MUST pass the
+ additional section unchanged.
+
+ It may appear that adding synthetic records to the additional section
+ is desirable, because clients sometimes use the data in the
+ additional section to proceed without having to re-query. There is
+ in general no promise, however, that the additional section will
+ contain all the relevant records, so any client that depends on the
+ additional section being able to satisfy its needs (i.e. without
+ additional queries) is necessarily broken. An IPv6-only client that
+ needs a AAAA record, therefore, will send a query for the necessary
+ AAAA record if it is unable to find such a record in the additional
+ section of an answer it is consuming. For a correctly-functioning
+ client, the effect would be no different if the additional section
+ were empty.
+
+ The alternative, of removing the A records in the additional section
+ and replacing them with synthetic AAAA records, may cause a host
+ behind a NAT64 to query directly a nameserver that is unaware of the
+ NAT64 in question. The result in this case will be resolution
+ failure anyway, only later in the resolution operation.
+
+ The prohibition on synthetic data in the additional section reduces,
+ but does not eliminate, the possibility of resolution failures due to
+ cached DNS data from behind the DNS64. See Section 6.
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 16]
+\f
+Internet-Draft DNS64 July 2010
+
+
+5.3.3. Other Resource Records
+
+ If the DNS64 is in recursive resolver mode, then considerations
+ outlined in [I-D.ietf-dnsop-default-local-zones] may be relevant.
+
+ All other RRs MUST be returned unchanged. This includes responses to
+ queries for A RRs.
+
+5.4. Assembling a synthesized response to a AAAA query
+
+ A DNS64 uses different pieces of data to build the response returned
+ to the querying client.
+
+ The query that is used as the basis for synthesis results either in
+ an error, an answer that can be used as a basis for synthesis, or an
+ empty (authoritative) answer. If there is an empty answer, then the
+ DNS64 responds to the original querying client with the answer the
+ DNS64 received to the original (initiator's) query. Otherwise, the
+ response is assembled as follows.
+
+ The header fields are set according to the usual rules for recursive
+ or authoritative servers, depending on the role that the DNS64 is
+ serving. The question section is copied from the original
+ (initiator's) query. The answer section is populated according to
+ the rules in Section 5.1.7. The authority and additional sections
+ are copied from the response to the final query that the DNS64
+ performed, and used as the basis for synthesis.
+
+ The final response from the DNS64 is subject to all the standard DNS
+ rules, including truncation [RFC1035] and EDNS0 handling [RFC2671].
+
+5.5. DNSSEC processing: DNS64 in recursive resolver mode
+
+ We consider the case where a recursive resolver that is performing
+ DNS64 also has a local policy to validate the answers according to
+ the procedures outlined in [RFC4035] Section 5. We call this general
+ case vDNS64.
+
+ The vDNS64 uses the presence of the DO and CD bits to make some
+ decisions about what the query originator needs, and can react
+ accordingly:
+
+ 1. If CD is not set and DO is not set, vDNS64 SHOULD perform
+ validation and do synthesis as needed. See the next item for
+ rules about how to do validation and synthesis. In this case,
+ however, vDNS64 MUST NOT set the AD bit in any response.
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 17]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ 2. If CD is not set and DO is set, then vDNS64 SHOULD perform
+ validation. Whenever vDNS64 performs validation, it MUST
+ validate the negative answer for AAAA queries before proceeding
+ to query for A records for the same name, in order to be sure
+ that there is not a legitimate AAAA record on the Internet.
+ Failing to observe this step would allow an attacker to use DNS64
+ as a mechanism to circumvent DNSSEC. If the negative response
+ validates, and the response to the A query validates, then the
+ vDNS64 MAY perform synthesis and SHOULD set the AD bit in the
+ answer to the client. This is acceptable, because [RFC4035],
+ section 3.2.3 says that the AD bit is set by the name server side
+ of a security-aware recursive name server if and only if it
+ considers all the RRSets in the Answer and Authority sections to
+ be authentic. In this case, the name server has reason to
+ believe the RRSets are all authentic, so it SHOULD set the AD
+ bit. If the data does not validate, the vDNS64 MUST respond with
+ RCODE=2 (Server failure).
+ A security-aware end point might take the presence of the AD bit
+ as an indication that the data is valid, and may pass the DNS
+ (and DNSSEC) data to an application. If the application attempts
+ to validate the synthesized data, of course, the validation will
+ fail. One could argue therefore that this approach is not
+ desirable, but security aware stub resolvers must not place any
+ reliance on data received from resolvers and validated on their
+ behalf without certain criteria established by [RFC4035], section
+ 4.9.3. An application that wants to perform validation on its
+ own should use the CD bit.
+
+ 3. If the CD bit is set and DO is set, then vDNS64 MAY perform
+ validation, but MUST NOT perform synthesis. It MUST return the
+ data to the query initiator, just like a regular recursive
+ resolver, and depend on the client to do the validation and the
+ synthesis itself.
+ The disadvantage to this approach is that an end point that is
+ translation-oblivious but security-aware and validating will not
+ be able to use the DNS64 functionality. In this case, the end
+ point will not have the desired benefit of NAT64. In effect,
+ this strategy means that any end point that wishes to do
+ validation in a NAT64 context must be upgraded to be translation-
+ aware as well.
+
+
+6. Deployment notes
+
+ While DNS64 is intended to be part of a strategy for aiding IPv6
+ deployment in an internetworking environment with some IPv4-only and
+ IPv6-only networks, it is important to realise that it is
+ incompatible with some things that may be deployed in an IPv4-only or
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 18]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ dual-stack context.
+
+6.1. DNS resolvers and DNS64
+
+ Full-service resolvers that are unaware of the DNS64 function can be
+ (mis)configured to act as mixed-mode iterative and forwarding
+ resolvers. In a native IPv4 context, this sort of configuration may
+ appear to work. It is impossible to make it work properly without it
+ being aware of the DNS64 function, because it will likely at some
+ point obtain IPv4-only glue records and attempt to use them for
+ resolution. The result that is returned will contain only A records,
+ and without the ability to perform the DNS64 function the resolver
+ will be unable to answer the necessary AAAA queries.
+
+6.2. DNSSEC validators and DNS64
+
+ An existing DNSSEC validator (i.e. that is unaware of DNS64) might
+ reject all the data that comes from DNS64 as having been tampered
+ with (even if it did not set CD when querying). If it is necessary
+ to have validation behind the DNS64, then the validator must know how
+ to perform the DNS64 function itself. Alternatively, the validating
+ host may establish a trusted connection with a DNS64, and allow the
+ DNS64 recursor to do all validation on its behalf.
+
+6.3. DNS64 and multihomed and dual-stack hosts
+
+6.3.1. IPv6 multihomed hosts
+
+ Synthetic AAAA records may be constructed on the basis of the network
+ context in which they were constructed. If a host sends DNS queries
+ to resolvers in multiple networks, it is possible that some of them
+ will receive answers from a DNS64 without all of them being connected
+ via a NAT64. For instance, suppose a system has two interfaces, i1
+ and i2. Whereas i1 is connected to the IPv4 Internet via NAT64, i2
+ has native IPv6 connectivity only. I1 might receive a AAAA answer
+ from a DNS64 that is configured for a particular NAT64; the IPv6
+ address contained in that AAAA answer will not connect with anything
+ via i2.
+
+ +---------------+ +-------------+
+ | i1 (IPv6)+----NAT64--------+IPv4 Internet|
+ | | +-------------+
+ | host |
+ | | +-------------+
+ | i2 (IPv6)+-----------------+IPv6 Internet|
+ +---------------+ +-------------+
+
+ Figure 1: IPv6 multihomed hosts
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 19]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ This example illustrates why it is generally preferable that hosts
+ treat DNS answers from one interface as local to that interface. The
+ answer received on one interface will not work on the other
+ interface. Hosts that attempt to use DNS answers globally may
+ encounter surprising failures in these cases.
+
+ Note that the issue is not that there are two interfaces, but that
+ there are two networks involved. The same results could be achieved
+ with a single interface routed to two different networks.
+
+6.3.2. Accidental dual-stack DNS64 use
+
+ Similarly, suppose that i1 has IPv6 connectivity and can connect to
+ the IPv4 Internet through NAT64, but i2 has native IPv4 connectivity.
+ In this case, i1 could receive an IPv6 address from a synthetic AAAA
+ that would better be reached via native IPv4. Again, it is worth
+ emphasising that this arises because there are two networks involved.
+
+ +---------------+ +-------------+
+ | i1 (IPv6)+----NAT64--------+IPv4 Internet|
+ | | +-------------+
+ | host |
+ | | +-------------+
+ | i2 (IPv4)+-----------------+IPv4 Internet|
+ +---------------+ +-------------+
+
+ Figure 2: Accidental dual-stack DNS64 use
+
+ The default configuration of dual-stack hosts is that IPv6 is
+ preferred over IPv4 ([RFC3484]). In that arrangement the host will
+ often use the NAT64 when native IPv4 would be more desirable. For
+ this reason, hosts with IPv4 connectivity to the Internet should
+ avoid using DNS64. This can be partly resolved by ISPs when
+ providing DNS resolvers to clients, but that is not a guarantee that
+ the NAT64 will never be used when a native IPv4 connection should be
+ used. There is no general-purpose mechanism to ensure that native
+ IPv4 transit will always be preferred, because to a DNS64-oblivious
+ host, the DNS64 looks just like an ordinary DNS server. Operators of
+ a NAT64 should expect traffic to pass through the NAT64 even when it
+ is not necessary.
+
+6.3.3. Intentional dual-stack DNS64 use
+
+ Finally, consider the case where the IPv4 connectivity on i2 is only
+ with a LAN, and not with the IPv4 Internet. The IPv4 Internet is
+ only accessible using the NAT64. In this case, it is critical that
+ the DNS64 not synthesize AAAA responses for hosts in the LAN, or else
+ that the DNS64 be aware of hosts in the LAN and provide context-
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 20]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ sensitive answers ("split view" DNS answers) for hosts inside the
+ LAN. As with any split view DNS arrangement, operators must be
+ prepared for data to leak from one context to another, and for
+ failures to occur because nodes accessible from one context are not
+ accessible from the other.
+
+ +---------------+ +-------------+
+ | i1 (IPv6)+----NAT64--------+IPv4 Internet|
+ | | +-------------+
+ | host |
+ | |
+ | i2 (IPv4)+---(local LAN only)
+ +---------------+
+
+ Figure 3: Intentional dual-stack DNS64 use
+
+ It is important for deployers of DNS64 to realise that, in some
+ circumstances, making the DNS64 available to a dual-stack host will
+ cause the host to prefer to send packets via NAT64 instead of via
+ native IPv4, with the associated loss of performance or functionality
+ (or both) entailed by the NAT. At the same time, some hosts are not
+ able to learn about DNS servers provisioned on IPv6 addresses, or
+ simply cannot send DNS packets over IPv6.
+
+
+7. Deployment scenarios and examples
+
+ In this section, we walk through some sample scenarios that are
+ expected to be common deployment cases. It should be noted that this
+ is provided for illustrative purposes and this section is not
+ normative. The normative definition of DNS64 is provided in
+ Section 5 and the normative definition of the address transformation
+ algorithm is provided in [I-D.ietf-behave-address-format].
+
+ In this section we illustrate how the DNS64 behaves in different
+ scenarios that are expected to be common. In particular we will
+ consider the following scenarios defined in
+ [I-D.ietf-behave-v6v4-framework]: the an-IPv6-network-to-IPv4-
+ Internet scenario (both with DNS64 in DNS server mode and in stub-
+ resolver mode) and the IPv6-Internet-to-an-IPv4-network setup (with
+ DNS64 in DNS server mode only).
+
+ In all the examples below, there is a IPv6/IPv4 translator connecting
+ the IPv6 domain to the IPv4 one. Also there is a name server that is
+ a dual-stack node, so it can communicate with IPv6 hosts using IPv6
+ and with IPv4 nodes using IPv4. In addition, we assume that in the
+ examples, the DNS64 function learns which IPv6 prefix it needs to use
+ to map the IPv4 address space through manual configuration.
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 21]
+\f
+Internet-Draft DNS64 July 2010
+
+
+7.1. Example of An-IPv6-network-to-IPv4-Internet setup with DNS64 in
+ DNS server mode
+
+ In this example, we consider an IPv6 node located in an IPv6-only
+ site that initiates a communication to an IPv4 node located in the
+ IPv4 Internet.
+
+ The scenario for this case is depicted in the following figure:
+
+
+ +---------------------+ +---------------+
+ |IPv6 network | | IPv4 |
+ | | +-------------+ | Internet |
+ | |--| Name server |--| |
+ | | | with DNS64 | | +----+ |
+ | +----+ | +-------------+ | | H2 | |
+ | | H1 |---| | | +----+ |
+ | +----+ | +------------+ | 192.0.2.1 |
+ | |---| IPv6/IPv4 |--| |
+ | | | Translator | | |
+ | | +------------+ | |
+ | | | | |
+ +---------------------+ +---------------+
+
+ Figure 4: An-IPv6-network-to-IPv4-Internet setup with DNS64 in DNS
+ server mode
+
+ The figure shows an IPv6 node H1 and an IPv4 node H2 with IPv4
+ address 192.0.2.1 and FQDN h2.example.com
+
+ The IPv6/IPv4 Translator has an IPv4 address 203.0.113.1 assigned to
+ its IPv4 interface and it is using the WKP 64:FF9B::/96 to create
+ IPv6 representations of IPv4 addresses. The same prefix is
+ configured in the DNS64 function in the local name server.
+
+ For this example, assume the typical DNS situation where IPv6 hosts
+ have only stub resolvers, and they are configured with the IP address
+ of a name server that they always have to query and that performs
+ recursive lookups (henceforth called "the recursive nameserver").
+
+ The steps by which H1 establishes communication with H2 are:
+
+ 1. H1 does a DNS lookup for h2.example.com. H1 does this by sending
+ a DNS query for a AAAA record for H2 to the recursive name
+ server. The recursive name server implements DNS64
+ functionality.
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 22]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ 2. The recursive name server resolves the query, and discovers that
+ there are no AAAA records for H2.
+
+ 3. The recursive name server performs an A-record query for H2 and
+ gets back an RRset containing a single A record with the IPv4
+ address 192.0.2.1. The name server then synthesizes a AAAA
+ record. The IPv6 address in the AAAA record contains the prefix
+ assigned to the IPv6/IPv4 Translator in the upper 96 bits and the
+ received IPv4 address in the lower 32 bits i.e. the resulting
+ IPv6 address is 64:FF9B::192.0.2.1
+
+ 4. H1 receives the synthetic AAAA record and sends a packet towards
+ H2. The packet is sent to the destination address 64:FF9B::
+ 192.0.2.1.
+
+ 5. The packet is routed to the IPv6 interface of the IPv6/IPv4
+ translator and the subsequent communication flows by means of the
+ IPv6/IPv4 translator mechanisms.
+
+7.2. An example of an-IPv6-network-to-IPv4-Internet setup with DNS64 in
+ stub-resolver mode
+
+ This case is depicted in the following figure:
+
+
+ +---------------------+ +---------------+
+ |IPv6 network | | IPv4 |
+ | | +--------+ | Internet |
+ | |-----| Name |----| |
+ | +-----+ | | server | | +----+ |
+ | | H1 | | +--------+ | | H2 | |
+ | |with |---| | | +----+ |
+ | |DNS64| | +------------+ | 192.0.2.1 |
+ | +----+ |---| IPv6/IPv4 |--| |
+ | | | Translator | | |
+ | | +------------+ | |
+ | | | | |
+ +---------------------+ +---------------+
+
+
+ Figure 5: An-IPv6-network-to-IPv4-Internet setup with DNS64 in stub-
+ resolver mode
+
+ The figure shows an IPv6 node H1 implementing the DNS64 function and
+ an IPv4 node H2 with IPv4 address 192.0.2.1 and FQDN h2.example.com
+
+ The IPv6/IPv4 Translator has an IPv4 address 203.0.113.1 assigned to
+ its IPv4 interface and it is using the WKP 64:FF9B::/96 to create
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 23]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ IPv6 representations of IPv4 addresses. The same prefix is
+ configured in the DNS64 function in H1.
+
+ For this example, assume the typical DNS situation where IPv6 hosts
+ have only stub resolvers, and they are configured with the IP address
+ of a name server that they always have to query and that performs
+ recursive lookups (henceforth called "the recursive nameserver").
+ The recursive name server does not perform the DNS64 function.
+
+ The steps by which H1 establishes communication with H2 are:
+
+ 1. H1 does a DNS lookup for h2.example.com. H1 does this by sending
+ a DNS query for a AAAA record for H2 to the recursive name
+ server.
+
+ 2. The recursive DNS server resolves the query, and returns the
+ answer to H1. Because there are no AAAA records in the global
+ DNS for H2, the answer is empty.
+
+ 3. The stub resolver at H1 then queries for an A record for H2 and
+ gets back an A record containing the IPv4 address 192.0.2.1. The
+ DNS64 function within H1 then synthesizes a AAAA record. The
+ IPv6 address in the AAAA record contains the prefix assigned to
+ the IPv6/IPv4 translator in the upper 96 bits, then the received
+ IPv4 address i.e. the resulting IPv6 address is 64:FF9B::
+ 192.0.2.1.
+
+ 4. H1 sends a packet towards H2. The packet is sent to the
+ destination address 64:FF9B::192.0.2.1.
+
+ 5. The packet is routed to the IPv6 interface of the IPv6/IPv4
+ translator and the subsequent communication flows using the IPv6/
+ IPv4 translator mechanisms.
+
+7.3. Example of IPv6-Internet-to-an-IPv4-network setup DNS64 in DNS
+ server mode
+
+ In this example, we consider an IPv6 node located in the IPv6
+ Internet that initiates a communication to an IPv4 node located in
+ the IPv4 site.
+
+ In some cases, this scenario can be addressed without using any form
+ of DNS64 function. This is so because it is possible to assign a
+ fixed IPv6 address to each of the IPv4 nodes. Such an IPv6 address
+ would be constructed using the address transformation algorithm
+ defined in [I-D.ietf-behave-address-format] that takes as input the
+ Pref64::/96 and the IPv4 address of the IPv4 node. Note that the
+ IPv4 address can be a public or a private address; the latter does
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 24]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ not present any additional difficulty, since an NSP must be used as
+ Pref64::/96 (in this scenario the usage of the Well-Known prefix is
+ not supported as discussed in [I-D.ietf-behave-address-format]).
+ Once these IPv6 addresses have been assigned to represent the IPv4
+ nodes in the IPv6 Internet, real AAAA RRs containing these addresses
+ can be published in the DNS under the site's domain. This is the
+ recommended approach to handle this scenario, because it does not
+ involve synthesizing AAAA records at the time of query.
+
+ However, there are some more dynamic scenarios, where synthesizing
+ AAAA RRs in this setup may be needed. In particular, when DNS Update
+ [RFC2136] is used in the IPv4 site to update the A RRs for the IPv4
+ nodes, there are two options: One option is to modify the DNS server
+ that receives the dynamic DNS updates. That would normally be the
+ authoritative server for the zone. So the authoritative zone would
+ have normal AAAA RRs that are synthesized as dynamic updates occur.
+ The other option is modify all the authoritative servers to generate
+ synthetic AAAA records for a zone, possibly based on additional
+ constraints, upon the receipt of a DNS query for the AAAA RR. The
+ first option -- in which the AAAA is synthesized when the DNS update
+ message is received, and the data published in the relevant zone --
+ is recommended over the second option (i.e. the synthesis upon
+ receipt of the AAAA DNS query). This is because it is usually easier
+ to solve problems of misconfiguration when the DNS responses are not
+ being generated dynamically. However, it may be the case where the
+ primary server (that receives all the updates) cannot be upgraded for
+ whatever reason, but where a secondary can be upgraded in order to
+ handle the (comparatively small amount) of AAAA queries. In such
+ case, it is possible to use the DNS64 as described next. The DNS64
+ behavior that we describe in this section covers the case of
+ synthesizing the AAAA RR when the DNS query arrives.
+
+ The scenario for this case is depicted in the following figure:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 25]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ +-----------+ +----------------------+
+ | | | IPv4 site |
+ | IPv6 | +------------+ | +----+ |
+ | Internet |----| IPv6/IPv4 |--|---| H2 | |
+ | | | Translator | | +----+ |
+ | | +------------+ | |
+ | | | | 192.0.2.1 |
+ | | +------------+ | |
+ | |----| Name server|--| |
+ | | | with DNS64 | | |
+ +-----------+ +------------+ | |
+ | | | |
+ +----+ | |
+ | H1 | +----------------------+
+ +----+
+
+ Figure 6: IPv6-Internet-to-an-IPv4-network setup DNS64 in DNS server
+ mode
+
+ The figure shows an IPv6 node H1 and an IPv4 node H2 with IPv4
+ address 192.0.2.1 and FQDN h2.example.com.
+
+ The IPv6/IPv4 Translator is using a NSP 2001:DB8::/96 to create IPv6
+ representations of IPv4 addresses. The same prefix is configured in
+ the DNS64 function in the local name server. The name server that
+ implements the DNS64 function is the authoritative name server for
+ the local domain.
+
+ The steps by which H1 establishes communication with H2 are:
+
+ 1. H1 does a DNS lookup for h2.example.com. H1 does this by sending
+ a DNS query for a AAAA record for H2. The query is eventually
+ forwarded to the server in the IPv4 site.
+
+ 2. The local DNS server resolves the query (locally), and discovers
+ that there are no AAAA records for H2.
+
+ 3. The name server verifies that h2.example.com and its A RR are
+ among those that the local policy defines as allowed to generate
+ a AAAA RR from. If that is the case, the name server synthesizes
+ a AAAA record from the A RR and the prefix 2001:DB8::/96. The
+ IPv6 address in the AAAA record is 2001:DB8::192.0.2.1.
+
+ 4. H1 receives the synthetic AAAA record and sends a packet towards
+ H2. The packet is sent to the destination address 2001:DB8::
+ 192.0.2.1.
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 26]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ 5. The packet is routed through the IPv6 Internet to the IPv6
+ interface of the IPv6/IPv4 translator and the communication flows
+ using the IPv6/IPv4 translator mechanisms.
+
+
+8. Security Considerations
+
+ DNS64 operates in combination with the DNS, and is therefore subject
+ to whatever security considerations are appropriate to the DNS mode
+ in which the DNS64 is operating (i.e. authoritative, recursive, or
+ stub resolver mode).
+
+ DNS64 has the potential to interfere with the functioning of DNSSEC,
+ because DNS64 modifies DNS answers, and DNSSEC is designed to detect
+ such modification and to treat modified answers as bogus. See the
+ discussion above in Section 3, Section 5.5, and Section 6.2.
+
+
+9. IANA Considerations
+
+ This memo makes no request of IANA.
+
+
+10. Contributors
+
+ Dave Thaler
+
+ Microsoft
+
+ dthaler@windows.microsoft.com
+
+
+11. Acknowledgements
+
+ This draft contains the result of discussions involving many people,
+ including the participants of the IETF BEHAVE Working Group. The
+ following IETF participants made specific contributions to parts of
+ the text, and their help is gratefully acknowledged: Jaap Akkerhuis,
+ Mark Andrews, Jari Arkko, Rob Austein, Timothy Baldwin, Fred Baker,
+ Doug Barton, Marc Blanchet, Cameron Byrne, Brian Carpenter, Zhen Cao,
+ Hui Deng, Francis Dupont, Patrik Faltstrom, David Harrington, Ed
+ Jankiewicz, Peter Koch, Suresh Krishnan, Martti Kuparinen, Ed Lewis,
+ Xing Li, Bill Manning, Matthijs Mekking, Hiroshi Miyata, Simon
+ Perrault, Teemu Savolainen, Jyrki Soini, Dave Thaler, Mark Townsley,
+ Rick van Rein, Stig Venaas, Magnus Westerlund, Jeff Westhead, Florian
+ Weimer, Dan Wing, Xu Xiaohu, Xiangsong Cui.
+
+ Marcelo Bagnulo and Iljitsch van Beijnum are partly funded by
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 27]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ Trilogy, a research project supported by the European Commission
+ under its Seventh Framework Program.
+
+
+12. References
+
+12.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC4787] Audet, F. and C. Jennings, "Network Address Translation
+ (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
+ RFC 4787, January 2007.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+ RFC 2671, August 1999.
+
+ [I-D.ietf-behave-address-format]
+ Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
+ Li, "IPv6 Addressing of IPv4/IPv6 Translators",
+ draft-ietf-behave-address-format-08 (work in progress),
+ May 2010.
+
+12.2. Informative References
+
+ [I-D.ietf-behave-v6v4-xlate-stateful]
+ Bagnulo, M., Matthews, P., and I. Beijnum, "Stateful
+ NAT64: Network Address and Protocol Translation from IPv6
+ Clients to IPv4 Servers",
+ draft-ietf-behave-v6v4-xlate-stateful-11 (work in
+ progress), March 2010.
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+ RFC 2136, April 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC3484] Draves, R., "Default Address Selection for Internet
+ Protocol version 6 (IPv6)", RFC 3484, February 2003.
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 28]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
+ "DNS Extensions to Support IP Version 6", RFC 3596,
+ October 2003.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC4074] Morishita, Y. and T. Jinmei, "Common Misbehavior Against
+ DNS Queries for IPv6 Addresses", RFC 4074, May 2005.
+
+ [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
+ BCP 153, RFC 5735, January 2010.
+
+ [I-D.ietf-behave-v6v4-framework]
+ Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
+ IPv4/IPv6 Translation",
+ draft-ietf-behave-v6v4-framework-09 (work in progress),
+ May 2010.
+
+ [I-D.ietf-dnsop-default-local-zones]
+ Andrews, M., "Locally-served DNS Zones",
+ draft-ietf-dnsop-default-local-zones-13 (work in
+ progress), April 2010.
+
+
+Appendix A. Motivations and Implications of synthesizing AAAA Resource
+ Records when real AAAA Resource Records exist
+
+ The motivation for synthesizing AAAA RRs when real AAAA RRs exist is
+ to support the following scenario:
+
+ An IPv4-only server application (e.g. web server software) is
+ running on a dual-stack host. There may also be dual-stack server
+ applications running on the same host. That host has fully
+ routable IPv4 and IPv6 addresses and hence the authoritative DNS
+ server has an A and a AAAA record.
+
+ An IPv6-only client (regardless of whether the client application
+ is IPv6-only, the client stack is IPv6-only, or it only has an
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 29]
+\f
+Internet-Draft DNS64 July 2010
+
+
+ IPv6 address) wants to access the above server.
+
+ The client issues a DNS query to a DNS64 resolver.
+
+ If the DNS64 only generates a synthetic AAAA if there's no real AAAA,
+ then the communication will fail. Even though there's a real AAAA,
+ the only way for communication to succeed is with the translated
+ address. So, in order to support this scenario, the administrator of
+ a DNS64 service may want to enable the synthesis of AAAA RRs even
+ when real AAAA RRs exist.
+
+ The implication of including synthetic AAAA RRs when real AAAA RRs
+ exist is that translated connectivity may be preferred over native
+ connectivity in some cases where the DNS64 is operated in DNS server
+ mode.
+
+ RFC3484 [RFC3484] rules use longest prefix match to select the
+ preferred destination address to use. So, if the DNS64 resolver
+ returns both the synthetic AAAA RRs and the real AAAA RRs, then if
+ the DNS64 is operated by the same domain as the initiating host, and
+ a global unicast prefix (called an NSP in
+ [I-D.ietf-behave-address-format]) is used, then a synthetic AAAA RR
+ is likely to be preferred.
+
+ This means that without further configuration:
+
+ In the "An IPv6 network to the IPv4 Internet" scenario, the host
+ will prefer translated connectivity if an NSP is used. If the
+ Well-Known Prefix defined in [I-D.ietf-behave-address-format] is
+ used, it will probably prefer native connectivity.
+
+ In the "IPv6 Internet to an IPv4 network" scenario, it is possible
+ to bias the selection towards the real AAAA RR if the DNS64
+ resolver returns the real AAAA first in the DNS reply, when an NSP
+ is used (the Well-Known Prefix usage is not supported in this
+ case)
+
+ In the "An IPv6 network to IPv4 network" scenario, for local
+ destinations (i.e., target hosts inside the local site), it is
+ likely that the NSP and the destination prefix are the same, so we
+ can use the order of RR in the DNS reply to bias the selection
+ through native connectivity. If the Well-Known Prefix is used,
+ the longest prefix match rule will select native connectivity.
+
+ The problem can be solved by properly configuring the RFC3484
+ [RFC3484] policy table.
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 30]
+\f
+Internet-Draft DNS64 July 2010
+
+
+Authors' Addresses
+
+ Marcelo Bagnulo
+ UC3M
+ Av. Universidad 30
+ Leganes, Madrid 28911
+ Spain
+
+ Phone: +34-91-6249500
+ Fax:
+ Email: marcelo@it.uc3m.es
+ URI: http://www.it.uc3m.es/marcelo
+
+
+ Andrew Sullivan
+ Shinkuro
+ 4922 Fairmont Avenue, Suite 250
+ Bethesda, MD 20814
+ USA
+
+ Phone: +1 301 961 3131
+ Email: ajs@shinkuro.com
+
+
+ Philip Matthews
+ Unaffiliated
+ 600 March Road
+ Ottawa, Ontario
+ Canada
+
+ Phone: +1 613-592-4343 x224
+ Fax:
+ Email: philip_matthews@magma.ca
+ URI:
+
+
+ Iljitsch van Beijnum
+ IMDEA Networks
+ Av. Universidad 30
+ Leganes, Madrid 28911
+ Spain
+
+ Phone: +34-91-6246245
+ Email: iljitsch@muada.com
+
+
+
+
+
+
+
+Bagnulo, et al. Expires January 6, 2011 [Page 31]
+\f
--- /dev/null
+
+
+
+DNS Extensions Working Group S. Rose
+Internet-Draft NIST
+Updates: 2536, 2539, 3110, 4034, August 11, 2010
+4398, 5155, 5702, 5933
+(if approved)
+Intended status: Standards Track
+Expires: February 12, 2011
+
+
+ Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm IANA
+ Registry
+ draft-ietf-dnsext-dnssec-registry-fixes-06
+
+Abstract
+
+ The DNS Security Extensions (DNSSEC) requires the use of
+ cryptographic algorithm suites for generating digital signatures over
+ DNS data. There is currently an IANA registry for these algorithms
+ that is incomplete in that it lacks the implementation status of each
+ algorithm. This document provides an applicability statement on
+ algorithm status for DNSSEC implementations. This document replaces
+ that registry table with a new IANA registry table for Domain Name
+ System Security (DNSSEC) Algorithm Numbers which lists each
+ algorithm's status based on the current reference. If that status is
+ not defined in the original specification, this document assigns a
+ status.
+
+Status of This Memo
+
+ This Internet-Draft is submitted to IETF in full conformance with the
+ provisions of BCP 78 and BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+
+
+
+Rose Expires February 12, 2011 [Page 1]
+\f
+Internet-Draft IANA Registry Fixes August 2010
+
+
+ This Internet-Draft will expire on February 12, 2011.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3
+
+ 2. The DNS Security Algorithm Number Subregistry . . . . . . . . . 3
+ 2.1. Individual Changes . . . . . . . . . . . . . . . . . . . . 3
+ 2.2. Domain Name System (DNS) Security Algorithm Number
+ Registry Table . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.3. Specifying New Algorithms and Updating Status of
+ Existing Entries . . . . . . . . . . . . . . . . . . . . . 6
+
+ 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
+
+ 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
+
+ 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 5.1. Normative References . . . . . . . . . . . . . . . . . . . 6
+ 5.2. Informative References . . . . . . . . . . . . . . . . . . 8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rose Expires February 12, 2011 [Page 2]
+\f
+Internet-Draft IANA Registry Fixes August 2010
+
+
+1. Introduction
+
+ The Domain Name System (DNS) Security Extensions (DNSSEC) [RFC4033],
+ [RFC4034], and [RFC4035] uses digital signatures over DNS data to
+ provide source authentication and integrity protection. DNSSEC uses
+ an IANA registry to allocate codes for digital signature algorithms
+ (consisting of a cryptographic algorithm and one-way hash function).
+
+ The original list of algorithm status is found in [RFC4034]. Other
+ DNSSEC documents have added new algorithms or changed the status of
+ algorithms in the registry. However, currently implementors must
+ read through all the documents in order to discover the current
+ status of each algorithm in the registry.
+
+ This document replaces the current IANA registry for Domain Name
+ System Security (DNSSEC) Algorithm Numbers with a newly defined
+ registry table. This new table (Section 2.2 below) contains a column
+ that will list the current status of each digital signature algorithm
+ in the registry at the time of writing and assigns status for some
+ algorithms used with DNSSEC that did not have an identified status in
+ their specification. This document updates the following: [RFC2536],
+ [RFC2539], [RFC3110], [RFC4034], [RFC4398], [RFC5155], [RFC5702], and
+ [RFC5933].
+
+1.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2. The DNS Security Algorithm Number Subregistry
+
+ The DNS Security Algorithm Number subregistry (part of the Domain
+ Name System (DNS) Security Number registry) will be replaced with the
+ table below. This table contains a column that contains the current
+ implementation requirements of the given algorithm.
+
+ There are additional differences to entries that are described in
+ sub-section 2.1. The overall new registry table is in sub-section
+ 2.2. The values for the status were obtained from [RFC4034] with
+ updates for algorithms specified after the original DNSSEC
+ specification. If no status was listed in the original
+ specification, this document assigns one.
+
+2.1. Individual Changes
+
+ This document changes three entries in the Domain Name System
+ Security (DNSSEC) Algorithm Registry. They are:
+
+
+
+Rose Expires February 12, 2011 [Page 3]
+\f
+Internet-Draft IANA Registry Fixes August 2010
+
+
+ The description for assignment number 4 is changed to "Reserved until
+ 2020".
+
+ The description for assignment number 9 is changed to "Reserved until
+ 2020".
+
+ The description for assignment number 11 is changed to "Reserved
+ until 2020".
+
+ Registry entries 13-251 remains Unassigned.
+
+ The status of RSASHA1-NSEC3-SHA1 and DSA-NSEC3-SHA1 are set to
+ RECOMMENDED and OPTIONAL respectively. The difference is due to the
+ fact that RSA/SHA-1 is REQUIRED and DSA/SHA-1 is only OPTIONAL. The
+ status of RSA/SHA-256 and RSA/SHA-512 are set to RECOMMENDED as it is
+ believed that these algorithms will replace older algorithms (e.g.
+ RSA/SHA-1) that have a perceived weakness in their hash algorithm
+ (SHA-1).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rose Expires February 12, 2011 [Page 4]
+\f
+Internet-Draft IANA Registry Fixes August 2010
+
+
+2.2. Domain Name System (DNS) Security Algorithm Number Registry Table
+
+ The Domain Name System (DNS) Security Algorithm Number registry is
+ hereby specified as follows:
+
+ Zone Transaction
+Number Description Mnemonic Sign Sign Status Reference
+------ ----------- ------ ---- ----- ------------ ---------
+ 0 Reserved [RFC4398]
+ 1 RSA/MD5 RSAMD5 N Y MUST NOT [RFC4034],
+ IMPLEMENT [RFC3110]
+ (this memo)
+ 2 Diffie-Hellman DH N Y [RFC2539]
+ (this memo)
+ 3 DSA/SHA-1 DSASHA1 Y Y [RFC2536],
+ [RFC4034],
+ FIPS 186-3,
+ FIPS 180-3
+ (this memo)
+ 4 Reserved until ECC (this memo)
+ 2020
+ 5 RSA/SHA-1 RSASHA1 Y Y REQUIRED [RFC4034]
+ (this memo)
+ 6 DSA-NSEC3-SHA1 DSA-NSEC3 Y Y [RFC5155]
+ -SHA1 (this memo)
+ 7 RSASHA1-NSEC3 RSASHA1- Y Y RECOMMENDED [RFC5155]
+ -SHA1 NSEC3- (this memo)
+ SHA1
+ 8 RSA/SHA-256 RSASHA256 Y * RECOMMENDED [RFC5702]
+ (this memo)
+ 9 Reserved until (this memo)
+ 2020
+ 10 RSA/SHA-512 RSASHA512 Y * RECOMMENDED [RFC5702]
+ (this memo)
+ 11 Reserved until (this memo)
+ 2020
+ 12 GOST R GOST-ECC Y * [RFC5933]
+ 34.10-2001 (this memo)
+13-251 Unassigned
+ 252 Reserved for INDIRECT N N [RFC4034]
+ Indirect keys (this memo)
+ 253 private PRIVATE Y Y [RFC4034]
+ algorithm (this memo)
+ 254 private PRIVATEOID Y Y [RFC4034]
+ algorithm OID (this memo)
+ 255 Reserved
+
+
+
+
+
+Rose Expires February 12, 2011 [Page 5]
+\f
+Internet-Draft IANA Registry Fixes August 2010
+
+
+2.3. Specifying New Algorithms and Updating Status of Existing Entries
+
+ [I-D.ietf-dnsext-dnssec-alg-allocation] establishes a parallel
+ procedure for obtaining an algorithm number for new algorithms other
+ than a standards track document. Algorithms entered into the
+ registry using that procedure do not have a listed status.
+ Specifications that follow this path do not need to obsolete or
+ update this document.
+
+ Adding a newly specified algorithm to the registry with a status
+ SHALL entail obsoleting this document and replacing the registry
+ table (with the new algorithm entry). Altering the status column
+ value of any existing algorithm in the registry SHALL entail
+ obsoleting this document and replacing the registry table.
+
+ This document cannot be updated, only made obsolete and replaced by a
+ successor document.
+
+3. IANA Considerations
+
+ This document replaces the Domain Name System (DNS) Security
+ Algorithm Numbers registry. The new registry table is in Section
+ 2.2.
+
+ The original Domain Name System (DNS) Security Algorithm Number
+ registry is available at http://www.iana.org/assignments/
+ dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml.
+
+4. Security Considerations
+
+ This document replaces the Domain Name System (DNS) Security
+ Algorithm Numbers registry. It is not meant to be a discussion on
+ algorithm superiority. No new security considerations are raised in
+ this document.
+
+5. References
+
+5.1. Normative References
+
+ [I-D.ietf-dnsext-dnssec-alg-allocation] Hoffman, P., "Cryptographic
+ Algorithm Identifier
+ Allocation for DNSSEC", draf
+ t-ietf-dnsext-dnssec-alg-
+ allocation-03 (work in
+ progress), March 2010.
+
+ [RFC2119] Bradner, S., "Key words for
+ use in RFCs to Indicate
+
+
+
+Rose Expires February 12, 2011 [Page 6]
+\f
+Internet-Draft IANA Registry Fixes August 2010
+
+
+ Requirement Levels", BCP 14,
+ RFC 2119, March 1997.
+
+ [RFC2536] Eastlake, D., "DSA KEYs and
+ SIGs in the Domain Name
+ System (DNS)", RFC 2536,
+ March 1999.
+
+ [RFC2539] Eastlake, D., "Storage of
+ Diffie-Hellman Keys in the
+ Domain Name System (DNS)",
+ RFC 2539, March 1999.
+
+ [RFC3110] Eastlake, D., "RSA/SHA-1
+ SIGs and RSA KEYs in the
+ Domain Name System (DNS)",
+ RFC 3110, May 2001.
+
+ [RFC4033] Arends, R., Austein, R.,
+ Larson, M., Massey, D., and
+ S. Rose, "DNS Security
+ Introduction and
+ Requirements", RFC 4033,
+ March 2005.
+
+ [RFC4034] Arends, R., Austein, R.,
+ Larson, M., Massey, D., and
+ S. Rose, "Resource Records
+ for the DNS Security
+ Extensions", RFC 4034,
+ March 2005.
+
+ [RFC4035] Arends, R., Austein, R.,
+ Larson, M., Massey, D., and
+ S. Rose, "Protocol
+ Modifications for the DNS
+ Security Extensions",
+ RFC 4035, March 2005.
+
+ [RFC4398] Josefsson, S., "Storing
+ Certificates in the Domain
+ Name System (DNS)",
+ RFC 4398, March 2006.
+
+ [RFC5155] Laurie, B., Sisson, G.,
+ Arends, R., and D. Blacka,
+ "DNS Security (DNSSEC)
+ Hashed Authenticated Denial
+
+
+
+Rose Expires February 12, 2011 [Page 7]
+\f
+Internet-Draft IANA Registry Fixes August 2010
+
+
+ of Existence", RFC 5155,
+ March 2008.
+
+ [RFC5702] Jansen, J., "Use of SHA-2
+ Algorithms with RSA in
+ DNSKEY and RRSIG Resource
+ Records for DNSSEC",
+ RFC 5702, October 2009.
+
+ [RFC5933] Dolmatov, V., Chuprina, A.,
+ and I. Ustinov, "Use of GOST
+ Signature Algorithms in
+ DNSKEY and RRSIG Resource
+ Records for DNSSEC",
+ RFC 5933, July 2010.
+
+5.2. Informative References
+
+ [FIPS.180-3.2008] National Institute of
+ Standards and Technology,
+ "Secure Hash Standard",
+ FIPS PUB 180-3,
+ October 2008, <http://
+ csrc.nist.gov/publications/
+ fips/fips180-3/
+ fips180-3.pdf>.
+
+ [FIPS.186-3.2009] National Institute of
+ Standards and Technology,
+ "Digital Signature
+ Standard", FIPS PUB 186-3,
+ June 2009, <http://
+ csrc.nist.gov/publications/
+ fips/fips186-3/
+ fips_186-3.pdf>.
+
+Author's Address
+
+ Scott Rose
+ NIST
+ 100 Bureau Dr.
+ Gaithersburg, MD 20899
+ USA
+
+ Phone: +1-301-975-8439
+ EMail: scottr.nist@gmail.com
+
+
+
+
+
+Rose Expires February 12, 2011 [Page 8]
+\f
--- /dev/null
+
+
+
+Internet Engineering Task Force S. Morris
+Internet-Draft ISC
+Intended status: Informational J. Ihren
+Expires: January 2, 2011 Netnod
+ J. Dickinson
+ Sinodun
+ July 1, 2010
+
+
+ DNSSEC Key Timing Considerations
+ draft-ietf-dnsop-dnssec-key-timing-00.txt
+
+Abstract
+
+ This document describes the issues surrounding the timing of events
+ in the rolling of a key in a DNSSEC-secured zone. It presents
+ timelines for the key rollover and explicitly identifies the
+ relationships between the various parameters affecting the process.
+
+Status of this Memo
+
+ This Internet-Draft is submitted in full conformance with the
+ provisions of BCP 78 and BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF). Note that other groups may also distribute
+ working documents as Internet-Drafts. The list of current Internet-
+ Drafts is at http://datatracker.ietf.org/drafts/current/.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ This Internet-Draft will expire on January 2, 2011.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 1]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Key Rolling Considerations . . . . . . . . . . . . . . . . 3
+ 1.2. Types of Keys . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Rollover Methods . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.1. ZSK Rollovers . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.2. KSK Rollovers . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.3. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 3. Key Rollover Timelines . . . . . . . . . . . . . . . . . . . . 8
+ 3.1. Key States . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.2. Zone-Signing Key Timelines . . . . . . . . . . . . . . . . 9
+ 3.2.1. Pre-Publication Method . . . . . . . . . . . . . . . . 9
+ 3.2.2. Double-Signature Method . . . . . . . . . . . . . . . 13
+ 3.2.3. Double-RRSIG Method . . . . . . . . . . . . . . . . . 14
+ 3.3. Key-Signing Key Rollover Timelines . . . . . . . . . . . . 17
+ 3.3.1. Double-Signature Method . . . . . . . . . . . . . . . 17
+ 3.3.2. Double-DS Method . . . . . . . . . . . . . . . . . . . 20
+ 3.3.3. Double-RRset Method . . . . . . . . . . . . . . . . . 22
+ 3.3.4. Interaction with Configured Trust Anchors . . . . . . 25
+ 3.3.4.1. Addition of KSK . . . . . . . . . . . . . . . . . 25
+ 3.3.4.2. Removal of KSK . . . . . . . . . . . . . . . . . . 25
+ 3.3.5. Introduction of First KSK . . . . . . . . . . . . . . 26
+ 4. Standby Keys . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 5. Algorithm Considerations . . . . . . . . . . . . . . . . . . . 28
+ 6. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 28
+ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 29
+ 10. Change History . . . . . . . . . . . . . . . . . . . . . . . . 29
+ 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
+ 11.1. Normative References . . . . . . . . . . . . . . . . . . . 30
+ 11.2. Informative References . . . . . . . . . . . . . . . . . . 30
+ Appendix A. List of Symbols . . . . . . . . . . . . . . . . . . . 30
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34
+
+
+
+
+
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 2]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+1. Introduction
+
+1.1. Key Rolling Considerations
+
+ When a zone is secured with DNSSEC, the zone manager must be prepared
+ to replace ("roll") the keys used in the signing process. The
+ rolling of keys may be caused by compromise of one or more of the
+ existing keys, or it may be due to a management policy that demands
+ periodic key replacement for security or operational reasons. In
+ order to implement a key rollover, the keys need to be introduced
+ into and removed from the zone at the appropriate times.
+ Considerations that must be taken into account are:
+
+ o DNSKEY records and associated information (such as RRSIG records
+ created with the key or the associated DS records) are not only
+ held at the authoritative nameserver, they are also cached at
+ client resolvers. The data on these systems can be interlinked,
+ e.g. a validating resolver may try to validate a signature
+ retrieved from a cache with a key obtained separately.
+
+ o A query for the key RRset returns all DNSKEY records in the zone.
+ As there is limited space in the UDP packet (even with EDNS0
+ support), dead key records must be periodically removed. (For the
+ same reason, the number of stand-by keys in the zone should be
+ restricted to the minimum required to support the key management
+ policy.)
+
+ o Zone "boot-strapping" events, where a zone is signed for the first
+ time, can be common in configurations where a large number of
+ zones are being served. Procedures should be able to cope with
+ the introduction of keys into the zone for the first time as well
+ as "steady-state", where the records are being replaced as part of
+ normal zone maintenance.
+
+ o To allow for an emergency re-signing of the zone as soon as
+ possible after a key compromise has been detected, stand-by keys
+ (additional keys over and above those used to sign the zone) need
+ to be present.
+
+ Management policy, e.g. how long a key is used for, also needs to be
+ considered. However, the point of key management logic is not to
+ ensure that a "rollover" is completed at a certain time but rather to
+ ensure that no changes are made to the state of keys published in the
+ zone until it is "safe" to do so ("safe" in this context meaning that
+ at no time during the rollover process does any part of the zone ever
+ go bogus). In other words, although key management logic enforces
+ policy, it may not enforce it strictly.
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 3]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+1.2. Types of Keys
+
+ Although DNSSEC validation treats all keys equally, [RFC4033]
+ recognises the broad classification of zone-signing keys (ZSK) and
+ key-signing keys (KSK). A ZSK is used to authenticate information
+ within the zone; a KSK is used to authenticate the key set in the
+ zone. The main implication for this distinction concerns the
+ consistency of information during a rollover.
+
+ During operation, a validating resolver must use separate pieces of
+ information to perform an authentication. At the time of
+ authentication, each piece of information may be in the validating
+ resolver's cache or may need to be retrieved from the authoritative
+ server. The rollover process needs to happen in such a way that at
+ all times through the rollover the information is consistent. With a
+ ZSK, the information is the RRSIG (plus associated RRset) and the
+ DNSKEY. These are both obtained from the same zone. In the case of
+ the KSK, the information is the DNSKEY and DS RRset with the latter
+ being obtained from a different zone.
+
+ There are similarities in the rolling of ZSKs and KSKs: replace the
+ RRSIG (plus RR) by the DNSKEY and replace the DNSKEY by the DS, and
+ the ZSK rolling algorithms are virtually the same as the KSK
+ algorithms. However, there are a number of differences, and for this
+ reason the two types of rollovers are described separately in this
+ document.
+
+1.3. Terminology
+
+ The terminology used in this document is as defined in [RFC4033] and
+ [RFC5011].
+
+ A large number of symbols are used to identify times, intervals, etc.
+ All are listed in Appendix A.
+
+
+2. Rollover Methods
+
+2.1. ZSK Rollovers
+
+ A ZSK can be rolled in one of three ways:
+
+ o Pre-Publication. Described in [RFC4641], the new key is
+ introduced into the DNSKEY RRset, leaving the existing keys and
+ signatures in place. This state of affairs remains in place for
+ long enough to ensure that any DNSKEY RRsets cached in client
+ validating resolvers contain both keys. At that point signatures
+ created with the old key can be replaced by those created with the
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 4]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ new key, and the old signatures removed. During the re-signing
+ process (which may or may not be atomic depending on how the zone
+ is managed), it doesn't matter which key an RRSIG record retrieved
+ by a client was created with; clients with a cached copy of the
+ DNSKEY RRset will have a copy containing both the old and new
+ keys.
+
+ Once the zone contains only signatures created with the new key,
+ there is an interval during which RRSIG records created with the
+ old key expire from client caches. After this, there will be no
+ signatures anywhere that were created using the old key, and it
+ can can be removed from the DNSKEY RRset.
+
+ o Double-Signature. Also mentioned in [RFC4641], this involves
+ introducing the new key into the zone and using it to create
+ additional RRSIG records; the old key and existing RRSIG records
+ are retained. During the period in which the zone is being signed
+ (again, the signing process may not be atomic), client resolvers
+ are always able to validate RRSIGs: any combination of old and new
+ DNSKEY RRset and RRSIG allows at least one signature to be
+ validated.
+
+ Once the signing process is complete and enough time has elapsed
+ to allow all old information to expire from caches, the old key
+ and signatures can be removed from the zone. As before, during
+ this period any combination of DNSKEY RRset and RRSIG will allow
+ validation of at least one signature.
+
+ o Double-RRSIG. Strictly speaking, the use of the term "Double-
+ Signature" above is a misnomer as the method is not only double
+ signature, it is also double key as well. A true Double-Signature
+ method (here called the Double-RRSIG method) involves introducing
+ new signatures in the zone (while still retaining the old ones)
+ but not the new key.
+
+ Once the signing process is complete and enough time has elapsed
+ to ensure that all caches that may contain an RR and associated
+ RRSIG to have a copy of both signatures, the ZSK is changed.
+ After a further interval during which the old DNSKEY RRset expires
+ from caches, the old signatures are removed from the zone.
+
+ Of three methods, Double-Signature is the simplest conceptually -
+ introduce the new key and new signatures, then approximately one TTL
+ later remove the old key and signatures. The drawback of this method
+ is a noticeable increase in the size of the DNSSEC data, affecting
+ both the overall size of the zone and the size of the responses.
+
+ Pre-Publication is more complex - introduce the new key,
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 5]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ approximately one TTL later sign the records, and approximately one
+ TTL after that remove the old key. However, the amount of DNSSEC
+ data is kept to a minimum which reduces the impact on performance.
+
+ The Double-RRSIG combines the increase in data volume of the Double-
+ Signature method with the complexity of Pre-Publication. It has few
+ (if any) advantages and a description is only included here for
+ completeness.
+
+2.2. KSK Rollovers
+
+ In the ZSK case the issue for the validating resolver is to ensure
+ that it has access to the ZSK that corresponds to a particular
+ signature. In the KSK case this can never be a problem as the KSK is
+ only used for one signature (that over the DNSKEY RRset) and both the
+ key the signature travel together. Instead, the issue is to ensure
+ that the KSK is trusted.
+
+ Trust in the KSK is either due to the existence of an explicitly
+ configured trust anchor in the validating resolver or DS record in
+ the parent zone (which is itself trusted). If the former, [RFC5011]
+ timings will be needed to roll the keys. If the latter, the rollover
+ algorithm will need to involve the parent zone in the addition and
+ removal of DS records, so timings are not wholly under the control of
+ the zone manager. (The zone manager may elect to include [RFC5011]
+ timings in the key rolling process so as to cope with the possibility
+ that the key has also been explicitly configured as a trust anchor.)
+
+ It is important to note that this does not preclude the development
+ of key rollover logic; in accordance with the goal of the rollover
+ logic being able to determine when a state change is "safe", the only
+ effect of being dependent on the parent is that there may be a period
+ of waiting for the parent to respond in addition to any delay the key
+ rollover logic requires. Although this introduces additional delays,
+ even with a parent that is less than ideally responsive the only
+ effect will be a slowdown in the rollover state transitions. This
+ may cause a policy violation, but will not cause any operational
+ problems.
+
+ Like the ZSK case, there are three methods for rolling a KSK:
+
+ o Double-Signature: Also known as Double-DNSKEY, the new KSK is
+ added to the DNSKEY RRset which is then signed with both the old
+ and new key. After waiting for the old RRset to expire from
+ caches, the DS record in the parent zone is changed. After
+ waiting a further interval for this change to be reflected in
+ caches, the old key is removed from the RRset. (The name "Double-
+ Signature" is used because, like the ZSK method of the same name,
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 6]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ the new key is introduced and immediately used for signing.)
+
+ o Double-DS: the new DS record is published. After waiting for this
+ change to propagate into the caches of all validating resolvers,
+ the KSK is changed. After a further interval during which the old
+ DNSKEY RRset expires from caches, the old DS record is removed.
+
+ o Double-RRset: the new KSK is added to the DNSKEY RRset which is
+ then signed with both the old and new key, and the new DS record
+ added to the parent zone. After waiting a suitable interval for
+ the old DS and DNSKEY RRsets to expire from validating resolver
+ caches, the old DNSKEY and DS record are removed.
+
+ In essence, "Double-Signature" means that the new KSK is introduced
+ first and used to sign the DNSKEY RRset. The DS record is changed,
+ and finally the old KSK removed. With "Double-DS" it is the other
+ way around. Finally, Double-RRset does both updates more or less in
+ parallel.
+
+ The strategies have different advantages and disadvantages:
+
+ o Double-Signature minimizes the number of interactions with the
+ parent zone. However, for the period of the rollover the DNSKEY
+ RRset is signed with two KSKs, so increasing the size of the
+ response to a query for this data.
+
+ o Double-DS keeps the size of the DNSKEY RRset to a minimum, but
+ does require the additional administrative overhead of two
+ interactions with the parent to roll a KSK. (Although this can be
+ mitigated if the parent has the ability for a child zone to
+ schedule the withdrawal of the old key at the same time as the
+ introduction of the new one.)
+
+ o Finally, Double-RRset allows the rollover to be done in roughly
+ half the time of the other two methods; it also supports policies
+ that require a period of running with old and new KSKs
+ simultaneously. However, it does have the disadvantages of both
+ the other two methods - it requires two signatures during the
+ period of the rollover and two interactions with the parent.
+
+2.3. Summary
+
+ The methods can be summarised as follows:
+
+
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 7]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ +------------------+------------------+-----------------------------+
+ | ZSK Method | KSK Method | Description |
+ +------------------+------------------+-----------------------------+
+ | Pre-Publication | (not applicable) | Publish the DNSKEY before |
+ | | | the RRSIG. |
+ | Double-Signature | Double-Signature | Publish the DNSKEY and |
+ | | | RRSIG at same time. (For a |
+ | | | KSK, this happens before |
+ | | | the DS is published.) |
+ | Double-RRSIG | (not applicable) | Publish RRSIG before the |
+ | | | DNSKEY. |
+ | (not applicable) | Double-DS | Publish DS before the |
+ | | | DNSKEY. |
+ | (not applicable) | Double-RRset | Publish DNSKEY and DS in |
+ | | | parallel. |
+ +------------------+------------------+-----------------------------+
+
+ Table 1
+
+
+3. Key Rollover Timelines
+
+3.1. Key States
+
+ During the rolling process, a key moves through different states.
+ These states are:
+
+ Generated The key has been created, but has not yet been used for
+ anything.
+
+ Published The DNSKEY record - or information associated with it -
+ is published in the zone, but predecessors of the key (or
+ associated information) may be held in resolver caches.
+
+ The idea of "associated information" is used in rollover
+ methods where RRSIG or DS records are published first and
+ the DNSKEY is changed in an atomic operation. It allows
+ the rollover still to be thought of as moving through a
+ set of states. In the rest of this section, the term
+ "key" should be taken to mean "key or associated
+ information".
+
+ Ready The key has been published for long enough to guarantee
+ that all caches that might contain a copy of the key
+ RRset have a copy that includes this key.
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 8]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Active The key is in the zone and has started to be used to sign
+ RRsets or authenticate the DNSKEY RRset. Note that when
+ this state is entered, it might not be possible for every
+ validating resolver to use the key for validation: the
+ zone signing may not have finished, or the data might not
+ have reached the resolver because of propagation delays
+ and/or caching issues. If this is the case, the resolver
+ will have to rely on the key's predecessor instead.
+
+ Retired The key is in the zone but a successor key has become
+ active. As there may still be information in caches that
+ that require use of the key, it is being retained until
+ this information expires.
+
+ Dead The key is published in the zone but there is no
+ information anywhere that requires its presence.
+
+ Removed The key has been removed from the zone.
+
+ There is one additional state, used where [RFC5011] considerations
+ are in effect (see Section 3.3.4):
+
+ Revoked The key is published for a period with the "revoke" bit
+ set as a way of notifying validating resolvers that have
+ configured it as a trust anchor that it is about to be
+ removed from the zone.
+
+3.2. Zone-Signing Key Timelines
+
+3.2.1. Pre-Publication Method
+
+ The following diagram shows the time line of a particular ZSK and its
+ replacement by its successor using the Pre-Publication method. Time
+ increases along the horizontal scale from left to right and the
+ vertical lines indicate events in the life of the key. The events
+ are numbered; significant times and time intervals are marked.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 9]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ |1| |2| |3| |4| |5| |6| |7| |8| |9|
+ | | | | | | | | |
+ Key N | |<-Ipub->|<--->|<-------Lzsk----->|<-Iret->|<--->|
+ | | | | | | | | |
+ Key N+1 | | | | |<-Ipub->|<->|<---Lzsk-- - -
+ | | | | | | | | |
+ Tgen Tpub Trdy Tact TpubS Tret Tdea Trem
+
+ ---- Time ---->
+
+
+ Figure 1: Timeline for a Pre-Publication ZSK rollover.
+
+ Event 1: key N is generated at the generate time (Tgen). Although
+ there is no reason why the key cannot be generated immediately prior
+ to publication in the zone (Event 2), some implementations may find
+ it convenient to create a pool of keys in one operation and draw from
+ that pool as required. For this reason, it is shown as a separate
+ event. Keys that are available for use but not published are said to
+ be generated.
+
+ Event 2: key N's DNSKEY record is put into the zone, i.e. it is added
+ to the DNSKEY RRset which is then re-signed with the current key-
+ signing key. The time at which this occurs is the key's publication
+ time (Tpub), and the key is now said to be published. Note that the
+ key is not yet used to sign records.
+
+ Event 3: before it can be used, the key must be published for long
+ enough to guarantee that any resolver that has a copy of the DNSKEY
+ RRset from the zone in its cache will have a copy of the RRset that
+ includes this key: in other words, that any prior cached information
+ about the DNSKEY RRset has expired.
+
+ This interval is the publication interval (Ipub) and, for the second
+ or subsequent keys in the zone, is given by:
+
+ Ipub = Dprp + TTLkey
+
+ Here, Dprp is the propagation delay - the time taken for any change
+ introduced at the master to replicate to all slave servers - which
+ depends on the depth of the master-slave hierarchy. TTLkey is the
+ time-to-live (TTL) for the DNSKEY records in the zone. The sum is
+ therefore the time taken for existing DNSKEY records to expire from
+ the caches of downstream validating resolvers, regardless of the
+ nameserver from which they were retrieved.
+
+ In the case of the first key in the zone, Ipub is slightly different
+ because it is not information about a DNSKEY RRset that may be
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 10]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ cached, it is information about its absence. In this case:
+
+ Ipub = Dprp + Ingc
+
+ where Ingc is the negative cache interval from the zone's SOA record,
+ calculated according to [RFC2308] as the minimum of the TTL of the
+ SOA record itself (TTLsoa), and the "minimum" field in the record's
+ parameters (SOAmin), i.e.
+
+ Ingc = min(TTLsoa, SOAmin)
+
+ After a delay of Ipub, the key is said to be ready and could be used
+ to sign records. The time at which this event occurs is the key's
+ ready time (Trdy), which is given by:
+
+ Trdy = Tpub + Ipub
+
+ Event 4: at some later time, the key starts being used to sign
+ RRsets. This point is the active time (Tact) and after this, the key
+ is said to be active.
+
+ Event 5: while this key is active, thought must be given to its
+ successor (key N+1). As with the introduction of the currently
+ active key into the zone, the successor key will need to be published
+ at least Ipub before it is used. Denoting the publication time of
+ the successor key by TpubS, then:
+
+ TpubS <= Tact + Lzsk - Ipub
+
+ Here, Lzsk is the length of time for which a ZSK will be used (the
+ ZSK lifetime). It should be noted that unlike the publication
+ interval, Lzsk is not determined by timing logic, but by key
+ management policy. Lzsk will be set by the operator according to
+ their assessment of the risks posed by continuing to use a key and
+ the risks associated with key rollover. However, operational
+ considerations may mean a key is active for slightly more or less
+ than Lzsk.
+
+ Event 6: while the key N is still active, its successor becomes
+ ready. From this time onwards, it could be used to sign the zone.
+
+ Event 7: at some point the decision is made to start signing the zone
+ using the successor key. This will be when the current key has been
+ in use for an interval equal to the ZSK lifetime, hence:
+
+ Tret = Tact + Lzsk
+
+ This point in time is the retire time (Tret) of key N; after this the
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 11]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ key is said to be retired. (This time is also the point at which the
+ successor key becomes active.)
+
+ Event 8: the retired key needs to be retained in the zone whilst any
+ RRSIG records created using this key are still published in the zone
+ or held in resolver caches. (It is possible that a resolver could
+ have an unexpired RRSIG record and an expired DNSKEY RRset in the
+ cache when it is asked to provide both to a client. In this case the
+ DNSKEY RRset would need to be looked up again.) This means that once
+ the key is no longer used to sign records, it should be retained in
+ the zone for at least the retire interval (Iret) given by:
+
+ Iret = Dsgn + Dprp + TTLsig
+
+ Dsgn is the delay needed to ensure that all existing RRsets have been
+ re-signed with the new key. Dprp is (as described above) the
+ propagation delay, required to guarantee that the updated zone
+ information has reached all slave servers, and TTLsig is the TTL of
+ the RRSIG records.
+
+ (It should be noted that an upper limit on the retire interval is
+ given by:
+
+ Iret = Lsig + Dskw
+
+ where Lsig is the lifetime of a signature (i.e. the interval between
+ the time the signature was created and the signature end time), and
+ Dskw is the clock skew - the maximum difference in time between the
+ server and a validating resolver. The reasoning here is that
+ whatever happens, a key only has to be available while any signatures
+ created with it are valid. Wherever a signature record is held -
+ published in the zone and/or held in a resolver cache - it won't be
+ valid for longer than Lsig after it was created. The Dskw term is
+ present to account for the fact that the signature end time is an
+ absolute time rather than interval, and systems may not agree exactly
+ about the time.)
+
+ The time at which all RRSIG records created with this key have
+ expired from resolver caches is the dead time (Tdea), given by:
+
+ Tdea = Tret + Iret
+
+ ...at which point the key is said to be dead.
+
+ Event 9: at any time after the key becomes dead, it can be removed
+ from the zone and the DNSKEY RRset re-signed with the current key-
+ signing key. This time is the removal time (Trem), given by:
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 12]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Trem >= Tdea
+
+ ...at which time the key is said to be removed.
+
+3.2.2. Double-Signature Method
+
+ In the Double-Signature method, both the new key and signatures
+ created using it are introduced at the same time. After a period
+ during which this information propagates to validating resolver
+ caches, the old key and signature are removed. The time line for the
+ method is shown below:
+
+
+
+ |1| |2| |3| |4| |5| |6|
+ | | | | | |
+ Key N | |<-------Lzsk------>|<-----Iret----->| |
+ | | | | | |
+ Key N+1 | | | |<----------Lzsk------- - -
+ | | | | | |
+ Tgen Tact Tret Tdea Trem
+
+ ---- Time ---->
+
+
+ Figure 2: Timeline for a Double-Signature ZSK rollover.
+
+ Event 1: key N is generated at the generate time (Tgen). Although
+ there is no reason why the key cannot be generated immediately prior
+ to publication in the zone (Event 2), some implementations may find
+ it convenient to create a pool of keys in one operation and draw from
+ that pool as required. For this reason, it is shown as a separate
+ event. Keys that are available for use but not published are said to
+ be generated.
+
+ Event 2: key N is added to the DNSKEY RRset and is immediately used
+ to sign the zone; existing signatures in the zone are not removed.
+ This is the active time (Tact) and the key is said to be active.
+
+ Event 3: at some time later, the predecessor key (key N-1) and its
+ signatures can be withdrawn from the zone. (The timing of key
+ removal is discussed further in the description of event 5.)
+
+ Event 4: the successor key (key N+1) is introduced into the zone and
+ starts being used to sign RRsets. The successor is key is now active
+ and the current key (key N) is said to be retired. This time is the
+ retire time of the key (Tret); it is also the active time of the
+ successor key (TactS).
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 13]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Tret = Tact + Lzsk
+
+ Event 5: before key N can be withdrawn from the zone, all RRsets that
+ need to be signed must have been signed by the successor key (as a
+ result, all these RRsets are now signed twice, once by key N and once
+ by its successor) and the information must have reached all
+ validating resolvers that may have RRsets from this zone cached.
+
+ This takes Iret, the retire interval, given by the expression:
+
+ Iret = Dsgn + Dprp + max(TTLkey, TTLsig)
+
+ As before, Dsgn is the time taken to sign the zone with the new key
+ and Dprp is the propagation delay. The final term is the period to
+ wait for old key and signature data to expire from caches. After the
+ end of this interval, key N is said to be dead. This occurs at the
+ dead time (Tdea) so:
+
+ Tdea = Tret + Iret
+
+ Event 6: at some later time key N and its signatures can be removed
+ from the zone. This is the removal time Trem, given by:
+
+ Trem >= Tdea
+
+3.2.3. Double-RRSIG Method
+
+ As noted above, "Double-Signature" is simultaneous rollover of both
+ signature and key. The time line for a pure Double-Signature ZSK
+ rollover (the Double-RRSIG method) - where new signatures are
+ introduced, the key changed, and finally the old signatures removed -
+ is shown below:
+
+
+
+ |1||2| |3| |4||5| |6||7| |8||9| |10| |11|
+ | | | | | | | | | | |
+ Key N | |<-Dsgn->| | |<-----------Lzsk-------->|<-Iret->| |
+ | |<---IpubG-->| |<-IpubK->| | | | | |
+ | | | | | | | | | | |
+ Key N+1 | | | | | | |<-IpubG->| | | |
+ | | | | | | | | | | |
+ Tgen Tpub Trdy Tact TpubS TrdyS Tret Tdea Trem
+
+ ---- Time ---->
+
+
+ Figure 3: Timeline for a Double-Signature ZSK rollover.
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 14]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Event 1: key N is generated at the generate time (Tgen). Although
+ there is no reason why the key cannot be generated immediately prior
+ to publication in the zone (Event 2), some implementations may find
+ it convenient to create a pool of keys in one operation and draw from
+ that pool as required. For this reason, it is shown as a separate
+ event. Keys that are available for use but not published are said to
+ be generated.
+
+ Event 2: key N is used to sign the zone but existing signatures are
+ retained. Although the new ZSK is not published in the zone at this
+ point, for analogy with the other ZSK rollover methods and because
+ this is the first time that key information is visible (albeit
+ indirectly through the created signatures) this time is called the
+ publish time (Tpub).
+
+ Event 3: after the signing interval, Dsgn, all RRsets that need to be
+ signed have been signed by the new key. (As a result, all these
+ RRsets are now signed twice, once by the existing key and once by the
+ (still-absent) key N.
+
+ Event 4: there is now a delay while the this information reaches all
+ validating resolvers that may have RRsets from the zone cached. This
+ interval is given by the expression:
+
+ Dprp + TTLsig
+
+ ...comprising the delay for the information to propagate through the
+ nameserver infrastructure plus the time taken for signature
+ information to expire from caches.
+
+ Again in analogy with other key rollover methods, this is defined as
+ key N's ready time (Trdy) and the key is said to be in the ready
+ state. (Although the key is not in the zone, it is ready to be
+ used.) The interval between the publication and ready times is the
+ publication interval of the signature, IpubG, i.e.
+
+ Trdy = Tpub + IpubG
+
+ where
+
+ IpubG = Dsgn + Dprp + TTLsig
+
+ Event 5: at some later time the predecessor key is removed and the
+ key N added to the DNSKEY RRset. As all the RRs have signatures
+ created by the old and new keys, the records can still be
+ authenticated. This time is the active time (Tact) and the key is
+ now said to be active.
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 15]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Event 6: After IpubK - the publication interval of the key - the
+ newly added DNSKEY RRset has propagated through to all validating
+ resolvers. At this point the old signatures can be removed from the
+ zone. IpubK is given by:
+
+ IpubK = Dprp + TTLkey
+
+ Event 7: as before, at some later time thought must be given to
+ rolling the key. The first step is to publish signatures created by
+ the successor key (key N+1) early enough so that key N can be
+ replaced after it has been active for its scheduled lifetime. This
+ occurs at TpubS (the publication time of the successor), given by:
+
+ TpubS <= Tact + Lzsk - IpubG
+
+ Event 8: the signatures have propagated through the zone and the new
+ key could be added to the zone. This time is the ready time of the
+ successor (TrdyS).
+
+ TrdyS = TpubS + IpubG
+
+ ... where IpubG is as defined above.
+
+ Event 9: at some later time key N is removed from the zone and the
+ successor key added. This is the retire time of the key (Tret).
+
+ Event 10: The signatures must remain in the zone for long enough that
+ the new DNSKEY RRset has had enough time to propagate to all caches.
+ Once caches contain the new DNSKEY, the old signatures are no longer
+ of use and can be considered to be dead. The time at which this
+ occurs is the dead time (Tdea), given by:
+
+ Tdea = Tret + Iret
+
+ ... where Iret is the retire interval, given by:
+
+ Iret = IpubK
+
+ Event 11: At some later time the signatures can be removed from the
+ zone. Although the key has is not longer in the zone, this is
+ information associated with it and so the time can be regarded as the
+ key's remove time (Trem), given by:
+
+ Trem >= Tdea
+
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 16]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+3.3. Key-Signing Key Rollover Timelines
+
+3.3.1. Double-Signature Method
+
+ The Double-Signature method (also knows as the double-DNSKEY method)
+ involves introducing the new KSK to the zone and waiting until its
+ presence has been registered by all validating resolvers. At this
+ point, the DS record in the parent is changed. Once that change has
+ propagated to all validating resolvers, the old KSK is removed.
+
+ The timing diagram for such a rollover is:
+
+
+
+ |1| |2| |3| |4| |5| |6|
+ | | | | | |
+ Key N | |<-Ipub->|<--->|<-Dreg->|<---------Lksk--- - -
+ | | | | | |
+ Key N+1 | | | | | |
+ | | | | | |
+ Tgen Tpub Trdy Tsub Tact
+
+ ---- Time ---->
+
+ (continued...)
+
+ |7| |8| |9| |10| |11| |12|
+ | | | | | |
+ Key N - - -------------Lksk------->|<-Iret->| |
+ | | | | | |
+ Key N+1 |<-Ipub->|<--->|<-Dreg->|<--------Lksk----- - -
+ | | | | | |
+ TpubS TrdyS TsubS Tret Tdea Trem
+
+ ---- Time (cont) ---->
+
+
+ Figure 4: Timeline for a Double-Signature KSK rollover.
+
+ Event 1: key N is generated at time Tgen. As before, although there
+ is no reason why the key cannot be generated immediately prior to
+ publication, some implementations may find it convenient to create a
+ central pool of keys and draw from it. For this reason, it is again
+ shown as a separate event.
+
+ Event 2: key N is introduced into the zone; it is added to the DNSKEY
+ RRset, which is then signed by key N and all currently active KSKs.
+ (So at this point, the DNSKEY RRset is signed by both key N and its
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 17]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ predecessor KSK. If other KSKs were active, it is signed by these as
+ well.) This is the publication time (Tpub); after this the key is
+ said to be published.
+
+ Event 3: before it can be used, the key must be published for long
+ enough to guarantee that any validating resolver that has a copy of
+ the DNSKEY RRset from the zone in its cache will have a copy of the
+ RRset that includes this key: in other words, that any prior cached
+ information about the DNSKEY RRset has expired.
+
+ The interval is the publication interval (Ipub) and, for the second
+ or subsequent KSKs in the zone, is given by:
+
+ Ipub = Dprp + TTLkey
+
+ ... where Dprp is the propagation delay for the zone and TTLkey the
+ TTL for the DNSKEY RRset. The time at which this occurs is the key's
+ ready time, Trdy, given by:
+
+ Trdy = Tpub + Ipub
+
+ Event 4: at some later time, the DS RR corresponding to the new KSK
+ is submitted to the parent zone for publication. This time is the
+ submission time, Tsub.
+
+ Event 5: the DS record is published in the parent zone. As this is
+ the point at which all information for authentication - both DNSKEY
+ and DS record - is available in the two zones, it is the active time
+ of the key:
+
+ Tact = Tsub + Dreg
+
+ ... where Dreg is the registration delay, the time taken after the DS
+ record has been received by the parent zone manager for it to be
+ placed in the zone. (Parent zones are often managed by different
+ entities, and this term accounts of the organisational overhead of
+ transferring a record.)
+
+ Event 6: at some time later, all validating resolvers that have the
+ DS RRset cached will have a copy that includes the new DS record.
+ For the second or subsequent DS records, this interval is given by
+ the expression:
+
+ DprpP + TTLds
+
+ ... where DprpP is the propagation delay in the parent zone and TTLds
+ the TTL assigned to DS records in that zone.
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 18]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ In the case of the first DS record for the zone in question, the
+ expression is slightly different because it is not information about
+ a DS RRset that may be cached, it is information about its absence.
+ In this case, the interval is:
+
+ DprpP + IngcP
+
+ where IngcP is the negative cache interval from the zone's SOA
+ record, calculated according to [RFC2308] as the minimum of the TTL
+ of the parent SOA record itself (TTLsoaP), and the "minimum" field in
+ the record's parameters (SOAminP), i.e.
+
+ IngcP = min(TTLsoaP, SOAminP)
+
+ Event 7: while key N is active, thought needs to be given to its
+ successor (key N+1). At some time before the scheduled end of the
+ KSK lifetime, the successor KSK is introduced into the zone and is
+ used to sign the DNSKEY RRset. (As before, this means that the
+ DNSKEY RRset is signed by both the current and successor KSK.) This
+ is the publication time of the successor key, TpubS.
+
+ Event 8: after an interval Ipub, the successor key becomes ready (in
+ that all validating resolvers that have a copy of the DNSKEY RRset
+ have a copy of this key). This is the successor ready time, TrdyS.
+
+ Event 9: at the successor submission time (TsubS), the DS record
+ corresponding to the successor key is submitted to the parent zone.
+
+ Event 10: the successor DS record is published in the parent zone and
+ the current DS record withdrawn. The current key is said to be
+ retired and the time at which this occurs is Tret, given by:
+
+ The relationships between these times are:
+
+ TpubS <= Tact + Lksk - Dreg - Ipub
+
+ Tret = Tact + Lksk
+
+ ... where Lksk is the scheduled lifetime of the KSK.
+
+ Event 11: key N must remain in the zone until any validators that
+ have the DS RRset cached have a copy of the DS RRset containing the
+ new DS record. This interval is the retire interval, given by:
+
+ Iret = DprpP + TTLds
+
+ ... where DprpP is the propagation delay in the parent zone and TTLds
+ the TTL of a DS record.
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 19]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ As the key is no longer used for anything, it can also be said to be
+ dead, in which case:
+
+ Tdea = Tret + Iret
+
+ Event 12: at some later time, key N is removed from the zone (at the
+ remove time Trem); the key is now said to be removed.
+
+ Trem >= Tdea
+
+3.3.2. Double-DS Method
+
+ The Double-DS method is the reverse of the Double-Signature method is
+ that it is the DS record that is pre-published (in the parent), and
+ not the DNSKEY.
+
+ The timeline for the key rollover is shown below:
+
+
+
+ |1| |2| |3| |4| |5| |6|
+ | | | | | |
+ Key N | |<-Dreg->|<-IpubP->|<-->|<---------Lksk------- - -
+ | | | | | |
+ Key N+1 | | | | |<---->|<--Dreg+IpubP- - -
+ | | | | | |
+ Tgen Tsub Tpub Trdy Tact TsubS
+
+ ---- Time ---->
+
+ (continued...)
+
+ |7| |8| |9| |10|
+ | | | |
+ Key N - - -----Lksk---------->|<-Iret->| |
+ | | | |
+ Key N+1 - - --Dreg+IpubP->|<--->|<------Lksk------ - -
+ | | | |
+ TrdyS Tret Tdea Trem
+
+ ---- Time ---->
+
+
+ Figure 5: Timeline for a Double-DS KSK rollover.
+
+ Event 1: key N is generated at time Tgen. As before, although there
+ is no reason why the key cannot be generated immediately prior to
+ publication, some implementations may find it convenient to create a
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 20]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ central pool of keys and draw from it. For this reason, it is again
+ shown as a separate event.
+
+ Event 2: the DS record corresponding to key N is submitted for
+ publication in the parent zone. This time is the submission time
+ (Tsub).
+
+ Event 3: after the registration delay, Dreg, the DS record is
+ published in the parent zone. This is the publication time Tpub,
+ given by:
+
+ Tpub = Tsub + Dreg
+
+ Event 4: at some later time, any validating resolver that has copies
+ of the DS RRset in its cache will have a copy of the DS record for
+ key N. At this point, key N, if introduced into the DNSKEY RRset,
+ could be used to validate the zone. For this reason, this time is
+ known as the key's ready time, Trdy, and is given by:
+
+ Trdy = Tpub + IpubP
+
+ IpubP is the parent publication interval and is given by the
+ expression:
+
+ IpubP = DprpP + TTLds
+
+ ... where DprpP is the propagation delay in the parent zone and TTLds
+ the TTL assigned to DS records in that zone.
+
+ Event 5: at some later time, the key rollover takes place. The
+ predecessor key is withdrawn from the DNSKEY RRset and the new key
+ (key N) introduced and used to sign the RRset.
+
+ As both DS records have been in the parent zone long enough to ensure
+ that they are in the cache of any validating resolvers that have the
+ DS RRset cached, the zone can be authenticated throughout the
+ rollover - either the resolver has a copy of the DNSKEY RRset (and
+ associated RRSIGs) authenticated by the predecessor key, or it has a
+ copy of the updated RRset authenticated with the new key.
+
+ This time is the key's active time (Tact) and at this point the key
+ is said to be active.
+
+ Event 6: at some point thought must be given to key replacement. The
+ DS record for the successor key must be submitted to the parent zone
+ at a time such that when the current key is withdrawn, any validating
+ resolver that has DS records in its cache will have data about the DS
+ record of the successor key. The time at which this occurs is the
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 21]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ submission time of the successor, given by:
+
+ TsubS <= Tact + Lksk - IpubP - Dreg
+
+ ... where Lksk is the lifetime of the KSK.
+
+ Event 7: the successor key (key N+1) enters the ready state i.e. its
+ DS record is now in the caches of all validating resolvers that have
+ the parent DS RRset cached. (This is the ready time of the
+ successor, TrdyS.)
+
+ Event 8: when the current key has been active for its lifetime
+ (Lksk), the current key is removed from the DNSKEY RRset and the
+ successor key added; the RRset is then signed with the successor key.
+ This point is the retire time of the key, Tret, given by:
+
+ Tret = Tact + Lksk
+
+ Event 9: at some later time, all copies of the old DNSKEY RRset have
+ expired from caches and the old DS record is no longer needed. This
+ is called the dead time, Tdea, and is given by:
+
+ Tdea = Tret + Iret
+
+ ... where Iret is the retire interval, given by:
+
+ Iret = Dprp + TTLkey
+
+ As before, this term includes the time taken to propagate the RRset
+ change through the master-slave hierarchy and the time take for the
+ DNSKEY RRset to expire from caches.
+
+ Event 10: at some later time, the DS record is removed from the
+ parent zone. This is the removal time (Trem), given by:
+
+ Trem >= Tdea
+
+3.3.3. Double-RRset Method
+
+ In the Double-RRset method, both the DS and DNSKEY records are
+ changed at the same time, so for a period the zone can be
+ authenticated with either key. The advantage of this method is its
+ applicability in cases where zone management policy requires overlap
+ of authentication keys during a roll.
+
+ The timeline for this rollover is shown below:
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 22]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ |1| |2| |3| |4| |5| |6| |7|
+ | | | | | | |
+ Key N | |<-Dreg->|<-----Lksk----->|<-Iret->| |
+ | | | | | | |
+ Key N+1 | | | |<-Dreg->|<-----Lksk-- - -
+ | | | | | | |
+ Tgen Tpub Tact TpubS Tret Tdea Trem
+
+ ---- Time ---->
+
+
+ Figure 6: Timeline for a Double-RRset KSK rollover.
+
+ Event 1: key N is created at time Tgen and thereby immediately
+ becomes generated. As before, although there is no reason why the
+ key cannot be generated immediately prior to publication, some
+ implementations may find it convenient to create a central pool of
+ keys and draw from it. For this reason, it is again shown as a
+ separate event.
+
+ Event 2: the key is added to and used for signing the DNSKEY RRset
+ and is thereby published in the zone. At the same time the
+ corresponding DS record is submitted to the parent zone for
+ publication. This time is the publish time (Tpub) and the key is now
+ said to be published.
+
+ Event 3: after Dreg, the registration delay, the DS record is
+ published in the parent zone. At this point, the zones have all the
+ information needed for a validating resolver to authenticate the
+ zone, although the information may not yet have reached all
+ validating resolver caches. This time is the active time (Tact) and
+ the key is said to be active.
+
+ Tact = Tpub + Dreg
+
+ Event 4: at some point we need to give thought to key replacement.
+ The successor key must be introduced into the zone (and its DS record
+ submitted to the parent) at a time such that it becomes active when
+ the current key has been active for its lifetime, Lksk. This time is
+ TpubS, the publication time of the successor key, and is given by:
+
+ TpubS <= Tact + Lksk - Dreg
+
+ ... where Lksk is the lifetime of the KSK.
+
+ Event 5: the successor key's DS record appears in the parent zone and
+ the successor key becomes active. At this point, the current key
+ becomes retired. This occurs at Tret, given by:
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 23]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Tret = Tact + Lksk
+
+ Event 6: the current DNSKEY and DS record must be retained in the
+ zones until any any validating resolver that has cached the DNSKEY
+ and/or DS RRsets will have a copy of the data for the successor key.
+ At this point the current key information is dead, as any validating
+ resolver can perform authentication using the successor key. This is
+ the dead time, Tdea, given by:
+
+ Tdea = Tret + Iret
+
+ ... where Iret is the retire interval. This depends on how long both
+ the successor DNSKEY and DS records take to propagate through the
+ nameserver infrastructure and thence into validator caches. These
+ delays are the publication intervals of the child and parent zones
+ respectively, so a suitable expression for Iret is:
+
+ Iret = max(IpubP, IpubC)
+
+ IpubC is the publication interval of the DNSKEY in the child zone,
+ IpubP that of the DS record in the parent.
+
+ The child term comprises two parts - the time taken for the
+ introduction of the DNSKEY record to be propagated to the downstream
+ secondary servers (= DprpC, the child propagation delay) and the time
+ taken for information about the DNSKEY RRset to expire from the
+ validating resolver cache, i.e.
+
+ IpubC = DprpC + TTLkey
+
+ TTLkey is the TTL for a DNSKEY record in the child zone. The parent
+ term is similar:
+
+ IpubP = DprpP + TTLds
+
+ DprpP the propagation delay in the parent zone and TTLds the TTL for
+ a DS record in the parent zone.
+
+ Event 7: at some later time, the DNSKEY record can be removed from
+ the child zone and a request can be made to remove the DS record from
+ the parent zone. This is the removal time, Trem and is given by:
+
+ Trem >= Tdea
+
+
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 24]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+3.3.4. Interaction with Configured Trust Anchors
+
+ Although the preceding sections have been concerned with rolling KSKs
+ where the trust anchor is a DS record in the parent zone, zone
+ managers may want to take account of the possibility that some
+ validating resolvers may have configured trust anchors directly.
+
+ Rolling a configured trust anchor is dealt with in [RFC5011]. It
+ requires introducing the KSK to be used as the trust anchor into the
+ zone for a period of time before use, and retaining it (with the
+ "revoke" bit set) for some time after use. The Double-Signature and
+ Double-RRset methods can be adapted to include [RFC5011]
+ recommendations so that the rollover will also be signalled to
+ validating resolvers with configured trust anchors. (The
+ recommendations are not suitable for the Double-DS method.
+ Introducing the new key early and retaining the old key after use
+ effectively converts it into a form of Double-RRset.)
+
+3.3.4.1. Addition of KSK
+
+ When the new key is introduced, the publication interval (Ipub) in
+ the Double-Signature method should also be subject to the condition:
+
+ Ipub >= max(30 days, TTLkey)
+
+ ... where the right had side of the expression is the add hold-down
+ time defined in section 2.4.1 of [RFC5011].
+
+ In the Double-RRSIG method, the key should not be regarded as being
+ active until the add hold-down time has passed. In other words, the
+ following condition should be enforced:
+
+ Tact >= Tpub + max(30 days, TTLkey)
+
+ (Effectively, this means extending the lifetime of the key by an
+ appropriate amount.)
+
+3.3.4.2. Removal of KSK
+
+ The timeline for the removal of the key in both methods is modified
+ by introducing a new state, "revoked". When the key reaches the end
+ of the retire period, instead of being declared "dead", it is
+ revoked; the "revoke" bit is set on the DNSKEY RR and is published in
+ (and used to sign) the DNSKEY RRset. The key is maintained in this
+ state for the "revoke" interval, Irev, given by:
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 25]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Irev >= 30 days
+
+ ... 30 days being the [RFC5011] remove hold-down time. After this
+ time, the key is dead and can be removed from the zone when
+ convenient.
+
+3.3.5. Introduction of First KSK
+
+ There is an additional consideration when introducing a KSK into a
+ zone for the first time, and that is that no validating resolver
+ should be in a position where it can access the trust anchor before
+ the KSK appears in the zone. To do so will cause the validating
+ resolver to declare the zone to be bogus.
+
+ This is important: in the case of a secure parent, it means ensuring
+ that the DS record is not published in the parent zone until there is
+ no possibility that a validating resolver can obtain the record yet
+ not be able to obtain the corresponding DNSKEY. In the case of an
+ insecure parent, i.e. the initial creation of a new security apex, it
+ is important to not configure trust anchors in validating resolvers
+ until the DNSKEY RRset has had sufficient time to propagate. In both
+ cases, this time is the trust anchor availability time (Ttaa) given
+ by:
+
+ Ttaa >= Tpub + IpubC
+
+ where
+
+ IpubC = DprpC + TTLkeyC
+
+ or
+
+ IpubC = DprpC + IngcC
+
+ The first expression applies if there was previously a DNSKEY RRset
+ in the child zone, the expression for IpubC including the TTLkeyC
+ term to account for the time taken for that RRset to expire from
+ caches. (It is possible that the zone was signed but that the trust
+ anchor had not been submitted to the parent.)
+
+ If the introduction of the KSK caused the appearance of the first
+ DNSKEY RRset in the child zone, the second expression applies in
+ which the TTLkeyC term is replaced by Ingc to allow for the effect of
+ negative caching.
+
+ As before, IngcC is the negative cache interval from the child zone's
+ SOA record, calculated according to [RFC2308] as the minimum of the
+ TTL of the SOA record itself (TTLsoaC), and the "minimum" field in
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 26]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ the record's parameters (SOAminC), i.e.
+
+ IngcC = min(TTLsoaC, SOAminC)
+
+
+4. Standby Keys
+
+ Although keys will usually be rolled according to some regular
+ schedule, there may be occasions when an emergency rollover is
+ required, e.g. if the active key is suspected of being compromised.
+ The aim of the emergency rollover is to allow the zone to be re-
+ signed with a new key as soon as possible. As a key must be in the
+ ready state to sign the zone, having at least one additional key (a
+ standby key) in this state at all times will minimise delay.
+
+ In the case of a ZSK, a standby key only really makes sense with the
+ Pre-Publication method. A permanent standby DNSKEY RR should be
+ included in zone or successor keys could be introduced as soon as
+ possible after a key becomes active. Either way results in an
+ additional ZSK in the DNSKEY RRset that can immediately be used to
+ sign the zone if the current key is compromised.
+
+ (Although in theory the mechanism could be used with both the Double-
+ Signature and Double-RRSIG methods, it would require Pre-Publication
+ of the signatures. Essentially, the standby key would be permanently
+ active, as it would have to be periodically used to renew signatures.
+ Zones would also permanently require two sets of signatures,
+ something that could have a performance impact in large zones.)
+
+ A standby key can also be used with the Double-Signature and
+ Double-DS methods of rolling a KSK. (The idea of a standby key in
+ the Double-RRset effectively means having two active keys.) The
+ Double-Signature method requires that the standby KSK be included in
+ the DNSKEY RRset; rolling the key then requires just the introduction
+ of the DS record in the parent. (Note that the DNSKEY should also be
+ used to sign the DNSKEY RRset. As the RRset and its signatures
+ travel together, merely adding the DNSKEY does not provide the
+ desired time saving; to be used in a rollover requires that the
+ DNSKEY RRset be signed with the standby key, and this introduces a
+ delay whilst the RRset and its signatures propagate to the caches of
+ validating resolvers. There is no time advantage over introducing a
+ new DNSKEY and signing the RRset with it at the same time.)
+
+ In the Double-DS method of rolling a KSK, it is not a standby key
+ that is present, it is a standby DS record in the parent zone.
+ Whatever algorithm is used, the standby item of data can be
+ introduced as a permanent standby, or be a successor introduced as
+ early as possible.
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 27]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+5. Algorithm Considerations
+
+ The preceding sections have implicitly assumed that all keys and
+ signatures are created using a single algorithm. However, [RFC4035]
+ (section 2.4) states that "There MUST be an RRSIG for each RRset
+ using at least one DNSKEY of each algorithm in the zone apex DNSKEY
+ RRset".
+
+ Except in the case of an algorithm rollover - where the algorithms
+ used to create the signatures are being changed - there is no
+ relationship between the keys of different algorithms. This means
+ that they can be rolled independently of one another. In other
+ words, the key rollover logic described above should be run
+ separately for each algorithm; the union of the results is included
+ in the zone, which is signed using the active key for each algorithm.
+
+
+6. Summary
+
+ For ZSKs, "Pre-Publication" is generally considered to be the
+ preferred way of rolling keys. As shown in this document, the time
+ taken to roll is wholly dependent on parameters under the control of
+ the zone manager.
+
+ In contrast, "Double-RRset" is the most efficient method for KSK
+ rollover due to the ability to have new DS records and DNSKEY RRsets
+ propagate in parallel. The time taken to roll KSKs may depend on
+ factors related to the parent zone if the parent is signed. For
+ zones that intend to comply with the recommendations of [RFC5011], in
+ virtually all cases the rollover time will be determined by the
+ RFC5011 "add hold-down" and "remove hold-down" times. It should be
+ emphasized that this delay is a policy choice and not a function of
+ timing values and that it also requires changes to the rollover
+ process due to the need to manage revocation of trust anchors.
+
+ Finally, the treatment of emergency key rollover is significantly
+ simplified by the introduction of stand-by keys as standard practice
+ during all types of rollovers.
+
+
+7. IANA Considerations
+
+ This memo includes no request to IANA.
+
+
+8. Security Considerations
+
+ This document does not introduce any new security issues beyond those
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 28]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ already discussed in [RFC4033], [RFC4034], [RFC4035] and [RFC5011].
+
+
+9. Acknowledgements
+
+ The authors gratefully acknowledge help and contributions from Roy
+ Arends and Wouter Wijngaards.
+
+
+10. Change History
+
+ o draft-morris-dnsop-dnssec-key-timing-02
+ * General restructuring.
+ * Added descriptions of more rollovers (IETF-76 meeting).
+ * Improved description of key states and removed diagram.
+ * Provided simpler description of standby keys.
+ * Added section concerning first key in a zone.
+ * Moved [RFC5011] to a separate section.
+ * Various nits fixed (Alfred Hones, Jeremy Reed, Scott Rose, Sion
+ Lloyd, Tony FinchX).
+
+ o draft-morris-dnsop-dnssec-key-timing-01
+ * Use latest boilerplate for IPR text.
+ * List different ways to roll a KSK (acknowledgements to Mark
+ Andrews).
+ * Restructure to concentrate on key timing, not management
+ procedures.
+ * Change symbol notation (Diane Davidowicz and others).
+ * Added key state transition diagram (Diane Davidowicz).
+ * Corrected spelling, formatting, grammatical and style errors
+ (Diane Davidowicz, Alfred Hoenes and Jinmei Tatuya).
+ * Added note that in the case of multiple algorithms, the
+ signatures and rollovers for each algorithm can be considered as
+ more or less independent (Alfred Hoenes).
+ * Take account of the fact that signing a zone is not atomic
+ (Chris Thompson).
+ * Add section contrasting pre-publication rollover with double
+ signature rollover (Matthijs Mekking).
+ * Retained distinction between first and subsequent keys in
+ definition of initial publication interval (Matthijs Mekking).
+
+ o draft-morris-dnsop-dnssec-key-timing-00
+ Initial draft.
+
+
+11. References
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 29]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+11.1. Normative References
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC)
+ Trust Anchors", RFC 5011, September 2007.
+
+11.2. Informative References
+
+ [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+ RFC 4641, September 2006.
+
+
+Appendix A. List of Symbols
+
+ The document defines a number of symbols, all of which are listed
+ here. All are of the form:
+
+ All symbols used in the text are of the form:
+
+ <TYPE><id><INST>
+
+ where:
+
+ <TYPE> is an upper-case character indicating what type the symbol is.
+ Defined types are:
+
+ D delay: interval that is a feature of the process
+
+ I interval between two events
+
+ L lifetime: interval set by the zone manager
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 30]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ SOA parameter related to SOA RR
+
+ T a point in time
+
+ TTL TTL of a record
+
+ T and I are self-explanatory. D, and L are also time periods, but
+ whereas I values are intervals between two events (even if the events
+ are defined in terms of the interval, e.g. the dead time occurs
+ "retire interval" after the retire time), D, and L are fixed
+ intervals. An "L" interval (lifetime) is chosen by the zone manager
+ and is a feature of policy. A "D" interval (delay) is a feature of
+ the process, probably outside control of the zone manager. SOA and
+ TTL are used just because they are common terms.
+
+ <id> is lower-case and defines what object or event the variable is
+ related to, e.g.
+
+ act active
+
+ ngc negative cache
+
+ pub publication
+
+ Finally, <INST> is a capital letter that distinguishes between the
+ same variable applying to different instances of an object and is one
+ of:
+
+ C child
+
+ G signature
+
+ K key
+
+ P parent
+
+ S successor
+
+ The list of variables used in the text is:
+
+ Dprp Propagation delay. The amount of time for a change made at
+ a master nameserver to propagate to all the slave
+ nameservers.
+
+ DprpC Propagation delay in the child zone.
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 31]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ DprpP Propagation delay in the parent zone.
+
+ Dreg Registration delay. As a parent zone is often managed by a
+ different organisation to that managing the child zone, the
+ delays associated with passing data between zones is
+ captured by this term.
+
+ Dskw Clock skew. The maximum difference in time between the
+ signing system and the resolver.
+
+ Dsgn Signing delay. After the introduction of a new ZSK, the
+ amount of time taken for all the RRs in the zone to be
+ signed with it.
+
+ Ingc Negative cache interval.
+
+ IngcP Negative cache interval of the child zone.
+
+ IngcP Negative cache interval of the parent zone.
+
+ Ipub Publication interval. The amount of time that must elapse
+ after the publication of a key before it can be considered
+ to have entered the ready state.
+
+ IpubC Publication interval in the child zone.
+
+ IpubG Publication interval for the signature.
+
+ IpubK Publication interval for the key.
+
+ IpubP Publication interval in the parent zone.
+
+ Iret Retire interval. The amount of time that must elapse after
+ a key enters the retire state for any signatures created
+ with it to be purged from validating resolver caches.
+
+ Irev Revoke interval. The amount of time that a KSK must remain
+ published with the revoke bit set to satisfy [RFC5011]
+ considerations.
+
+ Lksk Lifetime of a key-signing key. This is the intended amount
+ of time for which this particular KSK is regarded as the
+ active KSK. Depending on when the key is rolled-over, the
+ actual lifetime may be longer or shorter than this.
+
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 32]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Lzsk Lifetime of a zone-signing key. This is the intended
+ amount of time for which the ZSK is used to sign the zone.
+ Depending on when the key is rolled-over, the actual
+ lifetime may be longer or shorter than this.
+
+ Lsig Lifetime of a signature: the difference in time between the
+ signature's expiration time and the time at which the
+ signature was created. (Note that this is not the
+ difference between the signature's expiration and inception
+ times: the latter is usually set a small amount of time
+ before the signature is created to allow for clock skew
+ between the signing system and the validating resolver.)
+
+ SOAmin Value of the "minimum" field from an SOA record.
+
+ SOAminC Value of the "minimum" field from an SOA record in the
+ child zone.
+
+ SOAminP Value of the "minimum" field from an SOA record in the
+ parent zone.
+
+ Tact Active time of the key; the time at which the key is
+ regarded as the principal key for the zone.
+
+ TactS Active time of the successor key.
+
+ Tdea Dead time of a key. Applicable only to ZSKs, this is the
+ time at which any record signatures held in validating
+ resolver caches are guaranteed to be created with the
+ successor key.
+
+ Tgen Generate time of a key. The time that a key is created.
+
+ Tpub Publish time of a key. The time that a key appears in a
+ zone for the first time.
+
+ TpubS Publish time of the successor key.
+
+ Trem Removal time of a key. The time at which a key is removed
+ from the zone.
+
+ Tret Retire time of a key. The time at which a successor key
+ starts being used to sign the zone.
+
+ Trdy Ready time of a key. The time at which it can be
+ guaranteed that validating resolvers that have key
+ information from this zone cached have a copy of this key
+ in their cache. (In the case of KSKs, should the
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 33]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ validating resolvers also have DS information from the
+ parent zone cached, the cache must include information
+ about the DS record corresponding to the key.)
+
+ TrdyS Ready time of a successor key.
+
+ Tsub Submit time - the time at which the DS record of a KSK is
+ submitted to the parent.
+
+ TsubS Submit time of the successor key.
+
+ TTLds Time to live of a DS record (in the parent zone).
+
+ TTLkey Time to live of a DNSKEY record.
+
+ TTLkeyC Time to live of a DNSKEY record in the child zone.
+
+ TTLsoa Time to live of a SOA record.
+
+ TTLsoaC Time to live of a SOA record in the child zone.
+
+ TTLsoaP Time to live of a SOA record in the parent zone.
+
+ TTLsig Time to live of an RRSIG record.
+
+ Ttaa Trust anchor availability time. The time at which a trust
+ anchor record can be made available when a KSK is first
+ introduced into a zone.
+
+
+Authors' Addresses
+
+ Stephen Morris
+ Internet Systems Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+ USA
+
+ Phone: +1 650 423 1300
+ Email: stephen@isc.org
+
+
+
+
+
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 34]
+\f
+Internet-Draft DNSSEC Key Timing Considerations July 2010
+
+
+ Johan Ihren
+ Netnod
+ Franzengatan 5
+ Stockholm, SE-112 51
+ Sweden
+
+ Phone: +46 8615 8573
+ Email: johani@autonomica.se
+
+
+ John Dickinson
+ Sinodun Internet Technologies Ltd
+ Stables 4 Suite 11, Howbery Park
+ Wallingford, Oxfordshire OX10 8BA
+ UK
+
+ Phone: +44 1491 818120
+ Email: jad@sinodun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morris, et al. Expires January 2, 2011 [Page 35]
+\f
--- /dev/null
+
+
+
+Domain Name System Operations W. Mekking
+Internet-Draft NLnet Labs
+Intended status: Standards Track June 29, 2010
+Expires: December 31, 2010
+
+
+ Automated (DNSSEC) Child Parent Synchronization using DNS UPDATE
+ draft-mekking-dnsop-auto-cpsync-00
+
+Abstract
+
+ This document proposes a way to synchronise existing trust anchors
+ automatically between a child zone and its parent. The algorithm can
+ be used for other Resource Records that are required to delegate from
+ a parent to a child such as NS and glue records.
+
+Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+Status of This Memo
+
+ This Internet-Draft is submitted in full conformance with the
+ provisions of BCP 78 and BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF). Note that other groups may also distribute
+ working documents as Internet-Drafts. The list of current Internet-
+ Drafts is at http://datatracker.ietf.org/drafts/current/.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ This Internet-Draft will expire on December 31, 2010.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+
+
+
+Mekking Expires December 31, 2010 [Page 1]
+\f
+Internet-Draft Child Parent Synchronization June 2010
+
+
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+1. Introduction
+
+ This memo defines a way to synchronise existing trust anchors
+ automatically between a child zone and its parent. The algorithm can
+ be used for other Resource Records that are required to delegate from
+ a parent to a child such as NS and glue records.
+
+ To create a DNSSEC RFC 4035 [RFC4035] chain of trust, child zones
+ must submit their DNSKEYs, or hashes of their DNSKEYs, to their
+ parent zone. The parent zone publishes the hashes of the DNSKEYs in
+ the form of a DS record. The DNSKEY RRset at the child may change
+ over time. In order to keep the chain of trust intact, the DS
+ records at the parent zone also needs to be updated. The rolling of
+ the keys with the SEP bit on is one of the few tasks in DNSSEC that
+ yet has to be fully automated.
+
+ The DNS UPDATE mechanism RFC 2136 [RFC2136] can be used to push zone
+ changes to the parent.
+
+ To bootstrap the direct communication channel, information must be
+ exchanged in order to detect service location and granting update
+ privileges. A new or existing child zone can request a direct
+ communication channel with the parent. If the parent allows for
+ direct communication with child zones, the parent can share the
+ required data to set up the channel to the child zone. Once the
+ child has the required credentials, it can use the direct
+ communication channel with the parent to request zone changes related
+ to its delegation.
+
+ If a third party is involved, the third party can act on behalf of
+ the parent. In this case, the third party will give out the required
+ credentials to set up the communication channel.
+
+ It is RECOMMENDED that the direct communication channel is secured
+ with TSIG [RFC2845] or SIG0 [RFC2931].
+
+2. Access and Update Control
+
+ The DNS UPDATE normally is used for granting update permissions to a
+ machine that is within the boundary of the same organization. This
+ document proposes to grant child zones the same permissions.
+ However, it MUST NOT be possible that a child zone updates
+
+
+
+Mekking Expires December 31, 2010 [Page 2]
+\f
+Internet-Draft Child Parent Synchronization June 2010
+
+
+ information in the parent zone that falls outside the administrative
+ domain of the corresponding delegation. For example, it MUST NOT be
+ possible for a child zone to update the data that the parent is
+ authoritative for, or update a delegation that is pointed to a
+ different child zone. It MUST only be able to update records that
+ match one of the following:
+
+ Or: The owner name is equal the child zone name and RRtype is
+ delegation specific. Currently those are records with RRtype NS
+ or DS.
+
+ Or: The owner name is a subdomain of the child zone name and RRtype
+ is glue specific. Currently those are records with RRtype A or
+ AAAA.
+
+ This list may be expanded in the future, if there is need for more
+ delegation related zone content.
+
+ In case of adding or deleting delegation specific records, the DNSSEC
+ related RRs in the parent zone might need to be updated.
+
+ The service location may be handed out by the registrar during
+ bootstrap If this information is missing, the normal guidelines for
+ sending DNS UPDATE messages SHOULD be followed.
+
+3. Update Mechanism
+
+3.1. Child Duties
+
+ Updating the NS RRset or corresponding glue at the parent, an update
+ can be sent at any time. Updating the DS RRset is part of key
+ rollover, as described in RFC 4641 [RFC4641]. When performing a key
+ rollover that involves updating the RRset at the parent, the child
+ introduces a new DNSKEY in its zone that represents the security
+ entry point for determining the chain of trust. After a while, it
+ will revoke and/or remove the previous security entry point. The
+ timings when to update the DS RRset at the parent are described in
+ draft-dnsop-morris-dnssec-key-timing [keytiming]. When updating the
+ DS RRset at the parent automatically, these timing specifications
+ SHOULD be followed. To determine the propagation delays described in
+ this document, the child should poll the parent zone for a short
+ time, until the DS is visible at all parent name servers.
+
+ To discuss: A child zone might be unable to reach all parent name
+ servers.
+
+ The child notifies the parent of the requested changes by sending a
+ DNS UPDATE message. If it receives a NOERROR reply in return, the
+
+
+
+Mekking Expires December 31, 2010 [Page 3]
+\f
+Internet-Draft Child Parent Synchronization June 2010
+
+
+ update is acknowledged by the parent zone. Otherwise, the child MAY
+ retry transmitting the update. In order to prevent duplicate
+ updates, it SHOULD follow the guidelines described in RFC 2136
+ [RFC2136].
+
+3.2. Parent Duties
+
+ When the master DNS server of the parent receives a DNS UPDATE from
+ one of its children the following must be done:
+
+ Step 1: Check the TSIG/SIG0 credentials. In case of TSIG, the
+ parent should follow the TSIG processing described in section 3.2
+ of RFC 2845. In case of SIG0, the parent should follow the SIG0
+ processing described in section 3.2 of RFC 2931.
+
+ Step 2: Verify that the updates matches the update policy for child
+ zones.
+
+ Step 3: If verified, send back DNS UPDATE OK. Otherwise, send back
+ DNS UPDATE REFUSED.
+
+ Step 4: If verified, apply changes. How that is done is a matter of
+ policy.
+
+3.3. Proxy considerations
+
+ Some environments don't allow for direct communication between parent
+ and child zone. In these case, the parent duties can be performed by
+ a different party (for example, the registar). The third party will
+ forward the update to the parent zone. In what format depends on
+ local policy.
+
+4. Example BIND9 Configuration
+
+ This is how a parent zone can configure a policy to enable a child
+ zone synchronize delegation specific records. The first rule of the
+ update policy grants children to update their DS and NS records in
+ the parent zone, in this case example.com. The second rule of the
+ update policy grants children to update the corresponding glue
+ records.
+
+ key cs.example.com. {
+ algorithm HMAC-MD5;
+ secret "secretforcs";
+ }
+
+ key math.example.com. {
+ algorithm HMAC-MD5;
+
+
+
+Mekking Expires December 31, 2010 [Page 4]
+\f
+Internet-Draft Child Parent Synchronization June 2010
+
+
+ secret "secretformath";
+ }
+
+ ...
+
+ zone "example.com" {
+ type master;
+ file "example.com";
+ update-policy { grant *.example.com. self *.example.com. DS NS; };
+ update-policy { grant *.example.com. selfsub *.example.com. A AAAA;
+ };
+ };
+
+5. Security Considerations
+
+ Automating the synchronization of (DNSSEC) records between the parent
+ and child created a new channel. We have recommended that this
+ channel should be secured with TSIG or SIG0. There is an advantage
+ and a disadvantage of the new security channel. The disadvantage is
+ that you create a new attack window for your DNSSEC credentials. If
+ the automated synchronization is used for updating DS records at the
+ parent, you SHOULD pick a cryptographically an equally strong or
+ stronger TSIG/SIG0 key than the strength of your DNSSEC keys.
+
+ The advantage is that if somehow your DNSSEC keys are compromised,
+ you can still use this channel to perform an emergency key rollover.
+
+6. IANA Considerations
+
+ None.
+
+7. Acknowledgments
+
+ Rickard Bellgrim, Wolfgang Nagele, Wouter Wijngaards and more.
+
+8. References
+
+8.1. Informative References
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS
+ UPDATE)", RFC 2136, April 1997.
+
+ [RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational
+ Practices", RFC 4641, September 2006.
+
+ [keytiming] Morris, S., Ihren, J., and J. Dickinson, "DNSSEC Key
+ Timing Considerations", March 2010.
+
+
+
+Mekking Expires December 31, 2010 [Page 5]
+\f
+Internet-Draft Child Parent Synchronization June 2010
+
+
+8.2. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
+ Wellington, "Secret Key Transaction Authentication for
+ DNS (TSIG)", RFC 2845, May 2000.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
+ SIG(0)s)", RFC 2931, September 2000.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+Author's Address
+
+ Matthijs Mekking
+ NLnet Labs
+ Science Park 140
+ Amsterdam 1098 XG
+ The Netherlands
+
+ EMail: matthijs@nlnetlabs.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mekking Expires December 31, 2010 [Page 6]
+\f
--- /dev/null
+\r
+\r
+Network Working Group J. Yao\r
+Internet-Draft X. Lee\r
+Intended status: Standards Track CNNIC\r
+Expires: February 12, 2011 P. Vixie\r
+ Internet Software Consortium\r
+ August 11, 2010\r
+\r
+\r
+ Bundle DNS Name Redirection\r
+ draft-yao-dnsext-bname-04.txt\r
+\r
+Abstract\r
+\r
+ This document defines a new DNS Resource Record called "BNAME", which\r
+ provides the capability to map itself and its subtree of the DNS name\r
+ space to another domain. It differs from the CNAME record which only\r
+ maps a single node of the DNS name space, from the DNAME which only\r
+ maps the subtree of the DNS name space to another domain.\r
+\r
+Status of this Memo\r
+\r
+ This Internet-Draft is submitted in full conformance with the\r
+ provisions of BCP 78 and BCP 79.\r
+\r
+ Internet-Drafts are working documents of the Internet Engineering\r
+ Task Force (IETF). Note that other groups may also distribute\r
+ working documents as Internet-Drafts. The list of current Internet-\r
+ Drafts is at http://datatracker.ietf.org/drafts/current/.\r
+\r
+ Internet-Drafts are draft documents valid for a maximum of six months\r
+ and may be updated, replaced, or obsoleted by other documents at any\r
+ time. It is inappropriate to use Internet-Drafts as reference\r
+ material or to cite them other than as "work in progress."\r
+\r
+ This Internet-Draft will expire on February 12, 2011.\r
+\r
+Copyright Notice\r
+\r
+ Copyright (c) 2010 IETF Trust and the persons identified as the\r
+ document authors. All rights reserved.\r
+\r
+ This document is subject to BCP 78 and the IETF Trust's Legal\r
+ Provisions Relating to IETF Documents\r
+ (http://trustee.ietf.org/license-info) in effect on the date of\r
+ publication of this document. Please review these documents\r
+ carefully, as they describe your rights and restrictions with respect\r
+ to this document. Code Components extracted from this document must\r
+ include Simplified BSD License text as described in Section 4.e of\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 1]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ the Trust Legal Provisions and are provided without warranty as\r
+ described in the Simplified BSD License.\r
+\r
+ This document may contain material from IETF Documents or IETF\r
+ Contributions published or made publicly available before November\r
+ 10, 2008. The person(s) controlling the copyright in some of this\r
+ material may not have granted the IETF Trust the right to allow\r
+ modifications of such material outside the IETF Standards Process.\r
+ Without obtaining an adequate license from the person(s) controlling\r
+ the copyright in such materials, this document may not be modified\r
+ outside the IETF Standards Process, and derivative works of it may\r
+ not be created outside the IETF Standards Process, except to format\r
+ it for publication as an RFC or to translate it into languages other\r
+ than English.\r
+\r
+\r
+Table of Contents\r
+\r
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3\r
+ 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3\r
+ 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3\r
+ 3. The BNAME Resource Record . . . . . . . . . . . . . . . . . . 4\r
+ 3.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 4\r
+ 3.2. The BNAME Substitution . . . . . . . . . . . . . . . . . . 4\r
+ 3.3. The BNAME Rules . . . . . . . . . . . . . . . . . . . . . 4\r
+ 4. Query Processing . . . . . . . . . . . . . . . . . . . . . . . 4\r
+ 4.1. Processing by Servers . . . . . . . . . . . . . . . . . . 5\r
+ 4.2. Processing by Resolvers . . . . . . . . . . . . . . . . . 8\r
+ 5. BNAME in DNSSEC . . . . . . . . . . . . . . . . . . . . . . . 9\r
+ 5.1. BNAME validating . . . . . . . . . . . . . . . . . . . . . 9\r
+ 5.2. BNAME alias algorithm identifiers . . . . . . . . . . . . 10\r
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10\r
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10\r
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11\r
+ 9. Change History . . . . . . . . . . . . . . . . . . . . . . . . 11\r
+ 9.1. draft-yao-dnsext-bname: Version 00 . . . . . . . . . . . . 11\r
+ 9.2. draft-yao-dnsext-bname: Version 01 . . . . . . . . . . . . 11\r
+ 9.3. draft-yao-dnsext-bname: Version 02 . . . . . . . . . . . . 11\r
+ 9.4. draft-yao-dnsext-bname: Version 03 . . . . . . . . . . . . 11\r
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12\r
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12\r
+ 10.2. Informative References . . . . . . . . . . . . . . . . . . 13\r
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 2]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+1. Introduction\r
+\r
+ More and more internationalized domain name labels [RFC3490] appear\r
+ in the DNS trees. Some labels [RFC3743] are equivalent in some\r
+ languages. The internet users want them to be identical in the DNS\r
+ resolution. For example, color.exmaple.com==colour.example.com. The\r
+ BNAME represents for bundle names. This document defines a new DNS\r
+ Resource Record called "BNAME", which provides the capability to map\r
+ an entire tree of the DNS name space to another domain. It means\r
+ that the BNAME redirects both itself and its descendants to its\r
+ owner. The DNAME [RFC2672] and [RFC2672bis] do not redirect itself,\r
+ only the descendants. The domain name that owns a DNAME record is\r
+ allowed to have other resource record types at that domain name. The\r
+ domain name that owns a BNAME record is not allowed to have other\r
+ resource record types at that domain name unless they are the DNSSEC\r
+ related resource record types defined in [RFC4033], [RFC4034],\r
+ [RFC4035] and [RFC5155]. A server MAY refuse to load a zone that has\r
+ data at a sub-domain of a domain name owning a BNAME RR or that has\r
+ other data except the DNSSEC related resource record types and BNAME\r
+ at that name. BNAME is a singleton type, meaning only one BNAME is\r
+ allowed per name except the DNSSEC related resource record types.\r
+ Resolvers, servers and zone content administrators should be cautious\r
+ that usage of BNAME or its combination with CNAME or DNAME may lead\r
+ to form loops. The loops should be avoided.\r
+\r
+1.1. Terminology\r
+\r
+ All the basic terms used in this specification are defined in the\r
+ documents [RFC1034], [RFC1035] and [RFC2672].\r
+\r
+\r
+2. Motivation\r
+\r
+ In some languages, some characters have the variants, which look\r
+ differently or very similar but are identical in the meaning. For\r
+ example, Chinese character U+56FD and its variant U+570B look\r
+ differently, but are identical in the meaning. If Internationalized\r
+ Domain Label" or "IDL" [RFC3743] are composed of variant characters,\r
+ we regard this kind of IDL as the IDL variant. If these IDL variants\r
+ are put into the DNS for resolution, they are expected to be\r
+ identical in the DNS resolution. More comprehensible example is that\r
+ we expect color.exmaple.com to be equivalent with the\r
+ colour.exmaple.com in the DNS resolution. The BNAME Resource Record\r
+ and its processing rules are conceived as a solution to this\r
+ equivalence problem. Without the BNAME mechanism, current mechanisms\r
+ such as DNAME or CNAME are not enough capable to solve all the\r
+ problems with the emergence of internationalized domain names. The\r
+ internationalized domain names may have alias or equivalence of the\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 3]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ original one. The BNAME solution provides the solution to both ASCII\r
+ alias names and internationalized domain alias names.\r
+\r
+\r
+3. The BNAME Resource Record\r
+\r
+3.1. Format\r
+\r
+ The BNAME RR has mnemonic BNAME and type code xx (decimal). It is\r
+ not class-sensitive. Its RDATA is comprised of a single field,\r
+ <target>, which contains a fully qualified domain name that must be\r
+ sent in uncompressed form [RFC1035], [RFC3597]. The <target> field\r
+ MUST be present. The presentation format of <target> is that of a\r
+ domain name [RFC1035]. The wildcards in the BNAME RR SHOULD NOT be\r
+ used.\r
+\r
+ <owner> <ttl> <class> BNAME <target>\r
+\r
+ The effect of the BNAME RR is the substitution of the record's\r
+ <target> for its owner name, as a suffix of a domain name. This\r
+ substitution has to be applied for every BNAME RR found in the\r
+ resolution process, which allows fairly lengthy valid chains of BNAME\r
+ RRs.\r
+\r
+3.2. The BNAME Substitution\r
+\r
+ A BNAME substitution is performed by replacing the suffix labels of\r
+ the name being sought matching the owner name of the BNAME resource\r
+ record with the string of labels in the RDATA field. The matching\r
+ labels end with the root label in all cases. Only whole labels are\r
+ replaced.\r
+\r
+3.3. The BNAME Rules\r
+\r
+ There are two rules which governs the use of BNAMEs in a zone file.\r
+ The first one is that there SHOULD be no descendants under the owner\r
+ of the BNAME. The second one is that no resource records can co-\r
+ exist with the BNAME for the same name except the DNSSEC related\r
+ resource record types. It means that if a BNAME RR is present at a\r
+ node N, there MUST be no other data except the DNSSEC related\r
+ resource record types at N and no data at any descendant of N. This\r
+ restriction applies only to records of the same class as the BNAME\r
+ record.\r
+\r
+\r
+4. Query Processing\r
+\r
+ To exploit the BNAME mechanism the name resolution algorithms\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 4]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ [RFC1034] must be modified slightly for both servers and resolvers.\r
+ Both modified algorithms incorporate the operation of making a\r
+ substitution on a name (either QNAME or SNAME) under control of a\r
+ BNAME record. This operation will be referred to as "the BNAME\r
+ substitution".\r
+\r
+4.1. Processing by Servers\r
+\r
+ For a server performing non-recursive service steps 3.a, 3.c and 4 of\r
+ section 4.3.2 [RFC1034] are changed to check for a BNAME record, and\r
+ to return certain BNAME records from zone data and the cache.\r
+\r
+ If the owner name of the bname is the suffix of the name queryed but\r
+ different, when preparing a response, a server performing a BNAME\r
+ substitution will in all cases include the relevant BNAME RR in the\r
+ answer section. A CNAME RR is synthesized and included in the answer\r
+ section. This will help the client to reach the correct DNS data.\r
+\r
+ If the owner name of the bname is same with the name queryed, when\r
+ preparing a response, a server performing a BNAME substitution will\r
+ not include the relevant BNAME RR in the answer section unless the\r
+ type queryed is BNAME. A CNAME RR will be synthesized and included\r
+ in the answer section unless the type queryed is BNAME or the query\r
+ is the DNSSEC query.\r
+\r
+ The provided synthesized CNAME RR if there has one, MUST have\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 5]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ The same CLASS as the QCLASS of the query,\r
+\r
+ TTL equal to the corresponding BNAME RR,\r
+\r
+ An <owner> equal to the QNAME in effect at the moment the BNAME RR\r
+ was encountered, and\r
+\r
+ An RDATA field containing the new QNAME formed by the action of\r
+ the BNAME substitution.\r
+\r
+\r
+ The revised server algorithm is:\r
+\r
+\r
+ 1. Set or clear the value of recursion available in the response\r
+ depending on whether the name server is willing to provide\r
+ recursive service. If recursive service is available and\r
+ requested via the RD bit in the query, go to step 5, otherwise\r
+ step 2.\r
+\r
+ 2. Search the available zones for the zone which is the nearest\r
+ ancestor to QNAME. If such a zone is found, go to step 3,\r
+ otherwise step 4.\r
+\r
+ 3. Start matching down, label by label, in the zone. The matching\r
+ process can terminate several ways:\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 6]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ a. If the whole of QNAME is matched, we have found the node.\r
+\r
+ If the data at the node is a CNAME, and QTYPE doesn't match\r
+ CNAME, copy the CNAME RR into the answer section of the\r
+ response, change QNAME to the canonical name in the CNAME RR,\r
+ and go back to step 1.\r
+\r
+ If the data at the node is a BNAME, and QTYPE doesn't\r
+ match BNAME, copy the BNAME RR and also a corresponding,\r
+ synthesized CNAME RR into the answer section of the\r
+ response, change QNAME to the name carried as RDATA in\r
+ the BNAME RR, and go back to step 1.\r
+\r
+ Otherwise, copy all RRs which match QTYPE into the answer\r
+ section and go to step 6.\r
+\r
+ b. If a match would take us out of the authoritative data, we have\r
+ a referral. This happens when we encounter a node with NS RRs\r
+ marking cuts along the bottom of a zone.\r
+\r
+ Copy the NS RRs for the subzone into the authority section of\r
+ the reply. Put whatever addresses are available into the\r
+ additional section, using glue RRs if the addresses are not\r
+ available from authoritative data or the cache. Go to step 4.\r
+\r
+ c. If at some label, a match is impossible (i.e., the\r
+ corresponding label does not exist), look to see whether the\r
+ last label matched has a BNAME record.\r
+\r
+\r
+ If a BNAME record exists at that point, copy that record into\r
+ the answer section. If substitution of its <target> for its\r
+ <owner> in QNAME would overflow the legal size for a <domain-\r
+ name>, set RCODE to YXDOMAIN [RFC2136] and exit; otherwise\r
+ perform the substitution and continue. The server SHOULD\r
+ synthesize a corresponding CNAME record as described above and\r
+ include it in the answer section. Go back to step 1.\r
+\r
+ If there was no BNAME record, look to see if the "*" label\r
+ exists.\r
+\r
+ If the "*" label does not exist, check whether the name we are\r
+ looking for is the original QNAME in the query or a name we\r
+ have followed due to a CNAME. If the name is original, set an\r
+ authoritative name error in the response and exit. Otherwise\r
+ just exit.\r
+\r
+\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 7]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+\r
+ If the "*" label does exist, match RRs at that node against\r
+ QTYPE. If any match, copy them into the answer section, but\r
+ set the owner of the RR to be QNAME, and not the node with the\r
+ "*" label. Go to step 6.\r
+\r
+\r
+ 4. Start matching down in the cache. If QNAME is found in the cache,\r
+ copy all RRs attached to it that match QTYPE into the answer\r
+ section. If QNAME is not found in the cache but a BNAME record is\r
+ present at QNAME, copy that BNAME record into the\r
+ answer section. If there was no delegation from authoritative\r
+ data, look for the best one from the cache, and put it in the\r
+ authority section. Go to step 6.\r
+\r
+ 5. Use the local resolver or a copy of its algorithm (see resolver\r
+ section of this memo) to answer the query. Store the results,\r
+ including any intermediate CNAMEs and BNAMEs, in the answer\r
+ section of the response.\r
+\r
+ 6. Using local data only, attempt to add other RRs which may be\r
+ useful to the additional section of the query. Exit.\r
+\r
+\r
+\r
+ Note that there will be at most one ancestor with a BNAME as\r
+ described in step 4 unless some zone's data is in violation of the\r
+ no-descendants limitation in section 3. An implementation might take\r
+ advantage of this limitation by stopping the search of step 3c or\r
+ step 4 when a BNAME record is encountered.\r
+\r
+\r
+4.2. Processing by Resolvers\r
+\r
+ A resolver or a server providing recursive service must be modified\r
+ to treat a BNAME as somewhat analogous to a CNAME. The resolver\r
+ algorithm of [RFC1034] section 5.3.3 is modified to renumber step 4.d\r
+ as 4.e and insert a new 4.d. The complete algorithm becomes:\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 8]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ 1. See if the answer is in local information, and if so return it to\r
+ the client.\r
+\r
+ 2. Find the best servers to ask.\r
+\r
+ 3. Send them queries until one returns a response.\r
+\r
+ 4. Analyze the response, either:\r
+\r
+ a. if the response answers the question or contains a name error,\r
+ cache the data as well as returning it back to the client.\r
+\r
+ b. if the response contains a better delegation to other servers,\r
+ cache the delegation information, and go to step 2.\r
+\r
+ c. if the response shows a CNAME and that is not the answer\r
+ itself, cache the CNAME, change the SNAME to the canonical name\r
+ in the CNAME RR and go to step 1.\r
+\r
+ d. if the response shows a BNAME and that is not the answer\r
+ itself, cache the BNAME. If substitution of the BNAME's\r
+ <target> for its <owner> in the SNAME would overflow the legal\r
+ size for a <domain-name>, return an implementation-dependent\r
+ error to the application; otherwise perform the substitution\r
+ and go to step 1.\r
+\r
+ e. if the response shows a server failure or other bizarre\r
+ contents, delete the server from the SLIST and go back to step\r
+ 3.\r
+\r
+\r
+ A resolver or recursive server which understands BNAME records but\r
+ sends non-extended queries MUST augment step 4.c by deleting from the\r
+ reply any CNAME records which have an <owner> which is a subdomain of\r
+ the <owner> of any BNAME record in the response.\r
+\r
+\r
+5. BNAME in DNSSEC\r
+\r
+5.1. BNAME validating\r
+\r
+ With the deployment of DNSSEC, more and more servers and resolvers\r
+ will support DNSSEC. In order to make BNAME valid in DNSSEC\r
+ verification, the DNSSEC enabled resolvers and servers MUST support\r
+ BNAME. The synthesized CNAME in the answer section for the BNAME\r
+ will never be signed if there has one.\r
+\r
+ If the owner name of the bname is the suffix of the name queryed but\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 9]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ different, DNSSEC validators MUST understand BNAME, verify the BNAME\r
+ and then checking that the CNAME was properly synthesized in order to\r
+ verify the synthesized CNAME.\r
+\r
+ If the owner name of the bname is same with the name queryed, DNSSEC\r
+ validators MUST understand BNAME and verify the BNAME. The BNAME\r
+ enabled resolver (validator) should do somewhat analogous to a CNAME\r
+ for further query.\r
+\r
+ In any negative response, the NSEC or NSEC3 [RFC5155] record type bit\r
+ map SHOULD be checked to see that there was no BNAME that could have\r
+ been applied. If the BNAME bit in the type bit map is set and the\r
+ query type is not BNAME, then BNAME substitution should have been\r
+ done.\r
+\r
+5.2. BNAME alias algorithm identifiers\r
+\r
+ In order to prevent BNAME-unaware resolvers from attempting to\r
+ validate responses from BNAME-signed zones, this specification\r
+ allocates two new DNSKEY algorithm identifiers. Algorithm Y, DSA-\r
+ BNAME-SHA1 is an alias for algorithm 3, DSA. Algorithm Z, RSASHA1-\r
+ BNAME-SHA1 is an alias for algorithm 5, RSASHA1. These are not new\r
+ algorithms, they are additional identifiers for the existing\r
+ algorithms. Zones signed according to this specification MUST only\r
+ use these algorithm identifiers for their DNSKEY RRs. The BNAME-\r
+ unaware resolvers will not know these new identifiers and treat\r
+ responses from the BNAME signed zone as insecure, otherwise the bname\r
+ RR will be regarded as bogus if there is no such a mechanism. These\r
+ algorithm identifiers are used with the BNAME hash algorithm SHA1.\r
+ Using other BNAME hash algorithms requires allocation of a new alias.\r
+ Validating resolvers which follow the BNAME specification MUST\r
+ recognize the new alias algorithm identifier.\r
+\r
+\r
+6. IANA Considerations\r
+\r
+ IANA is requested to assign the number to XX. This document updates\r
+ the IANA registry "DNS SECURITY ALGORITHM NUMBERS". IANA is\r
+ requested to assign the number to Y and Z.\r
+\r
+ [[anchor14: Note in draft: before this document goes to WG Last call,\r
+ it is better that we list all DNSSEC algorithms that need to be\r
+ aliased to reflect compatibility with this extension.]]\r
+\r
+\r
+7. Security Considerations\r
+\r
+ Both ASCII domain name labels and non-ASCII ones have some aliases.\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 10]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ We can bundle the domain name labels and their aliases through BNAME\r
+ in the DNS resolutions. The name labels and their aliases in the\r
+ particular languages are only known by those who know these\r
+ languages. Those labels may be regarded as different ones by those\r
+ who don't know those languages. Those who do not know the aliases\r
+ should only use the familar ones. The applications will not know the\r
+ aliases unless they are properly configured.\r
+\r
+\r
+8. Acknowledgements\r
+\r
+ Because the BNAME is very similar to DNAME, the authors learn a lot\r
+ from [RFC2672]. Many ideas are from the discussion in the DNSOP and\r
+ DNSEXT mailling list. Thanks a lot to all in the list. Many\r
+ important comments and suggestions are contributed by many members of\r
+ the DNSEXT and DNSOP WGs. The authors especially thanks the\r
+ following ones:Niall O'Reilly, Glen Zorn, Mark Andrews, George\r
+ Barwood,Olafur Gudmundsson, Sun Guonian and Hanfeng for improving\r
+ this document.\r
+\r
+\r
+9. Change History\r
+\r
+ [[anchor17: RFC Editor: Please remove this section.]]\r
+\r
+9.1. draft-yao-dnsext-bname: Version 00\r
+\r
+ o Bundle DNS Name Redirection\r
+\r
+9.2. draft-yao-dnsext-bname: Version 01\r
+\r
+ o Improve the algorithm\r
+ o Improve the text\r
+\r
+9.3. draft-yao-dnsext-bname: Version 02\r
+\r
+ o Add the DNSSEC discussion\r
+ o Improve the text\r
+\r
+9.4. draft-yao-dnsext-bname: Version 03\r
+\r
+ o Update the DNSSEC discussion\r
+ o Update the IANA consideration\r
+\r
+\r
+10. References\r
+\r
+\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 11]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+10.1. Normative References\r
+\r
+ [ASCII] American National Standards Institute (formerly United\r
+ States of America Standards Institute), "USA Code for\r
+ Information Interchange", ANSI X3.4-1968, 1968.\r
+\r
+ [EDNS0] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",\r
+ RFC 2671, August 1999.\r
+\r
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",\r
+ STD 13, RFC 1034, November 1987.\r
+\r
+ [RFC1035] Mockapetris, P., "Domain names - implementation and\r
+ specification", STD 13, RFC 1035, November 1987.\r
+\r
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate\r
+ Requirement Levels", BCP 14, RFC 2119, March 1997.\r
+\r
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,\r
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",\r
+ RFC 2136, April 1997.\r
+\r
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",\r
+ RFC 2671, August 1999.\r
+\r
+ [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",\r
+ RFC 2672, August 1999.\r
+\r
+ [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,\r
+ "Internationalizing Domain Names in Applications (IDNA)",\r
+ RFC 3490, March 2003.\r
+\r
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record\r
+ (RR) Types", RFC 3597, September 2003.\r
+\r
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO\r
+ 10646", RFC 3629, November 2003.\r
+\r
+ [RFC3743] Konishi, K., Huang, K., Qian, H., and Y. Ko, "Joint\r
+ Engineering Team (JET) Guidelines for Internationalized\r
+ Domain Names (IDN) Registration and Administration for\r
+ Chinese, Japanese, and Korean", RFC 3743, April 2004.\r
+\r
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.\r
+ Rose, "DNS Security Introduction and Requirements",\r
+ RFC 4033, March 2005.\r
+\r
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 12]\r
+\f\r
+Internet-Draft bname August 2010\r
+\r
+\r
+ Rose, "Resource Records for the DNS Security Extensions",\r
+ RFC 4034, March 2005.\r
+\r
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.\r
+ Rose, "Protocol Modifications for the DNS Security\r
+ Extensions", RFC 4035, March 2005.\r
+\r
+ [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS\r
+ Security (DNSSEC) Hashed Authenticated Denial of\r
+ Existence", RFC 5155, March 2008.\r
+\r
+10.2. Informative References\r
+\r
+ [RFC2672bis]\r
+ Rose, S. and W. Wijngaards, "Update to DNAME Redirection\r
+ in the DNS", Internet-Draft ietf-dnsext-rfc2672bis-dname-\r
+ 17.txt, 6 2009.\r
+\r
+\r
+Authors' Addresses\r
+\r
+ Jiankang YAO\r
+ CNNIC\r
+ No.4 South 4th Street, Zhongguancun\r
+ Beijing\r
+\r
+ Phone: +86 10 58813007\r
+ Email: yaojk@cnnic.cn\r
+\r
+\r
+ Xiaodong LEE\r
+ CNNIC\r
+ No.4 South 4th Street, Zhongguancun\r
+ Beijing\r
+\r
+ Phone: +86 10 58813020\r
+ Email: lee@cnnic.cn\r
+\r
+\r
+ Paul Vixie\r
+ Internet Software Consortium\r
+ 950 Charter Street\r
+ Redwood City, CA\r
+\r
+ Phone: +1 650 779 7001\r
+ Email: vixie@isc.org\r
+\r
+\r
+\r
+\r
+\r
+Yao, et al. Expires February 12, 2011 [Page 13]\r
+\f\r
+\r
+\r
--- /dev/null
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) V. Dolmatov, Ed.
+Request for Comments: 5933 A. Chuprina
+Category: Standards Track I. Ustinov
+ISSN: 2070-1721 Cryptocom Ltd.
+ July 2010
+
+
+ Use of GOST Signature Algorithms in DNSKEY
+ and RRSIG Resource Records for DNSSEC
+
+Abstract
+
+ This document describes how to produce digital signatures and hash
+ functions using the GOST R 34.10-2001 and GOST R 34.11-94 algorithms
+ for DNSKEY, RRSIG, and DS resource records, for use in the Domain
+ Name System Security Extensions (DNSSEC).
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5933.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+Dolmatov, et al. Standards Track [Page 1]
+\f
+RFC 5933 Use of GOST Signatures in DNSSEC July 2010
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. DNSKEY Resource Records . . . . . . . . . . . . . . . . . . . . 3
+ 2.1. Using a Public Key with Existing Cryptographic
+ Libraries . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.2. GOST DNSKEY RR Example . . . . . . . . . . . . . . . . . . 4
+ 3. RRSIG Resource Records . . . . . . . . . . . . . . . . . . . . 4
+ 3.1. RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . 5
+ 4. DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 5
+ 4.1. DS RR Example . . . . . . . . . . . . . . . . . . . . . . . 5
+ 5. Deployment Considerations . . . . . . . . . . . . . . . . . . . 6
+ 5.1. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 5.2. Signature Sizes . . . . . . . . . . . . . . . . . . . . . . 6
+ 5.3. Digest Sizes . . . . . . . . . . . . . . . . . . . . . . . 6
+ 6. Implementation Considerations . . . . . . . . . . . . . . . . . 6
+ 6.1. Support for GOST Signatures . . . . . . . . . . . . . . . . 6
+ 6.2. Support for NSEC3 Denial of Existence . . . . . . . . . . . 6
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
+ 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
+ 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . . 7
+ 10.2. Informative References . . . . . . . . . . . . . . . . . . 8
+
+1. Introduction
+
+ The Domain Name System (DNS) is the global hierarchical distributed
+ database for Internet Naming. The DNS has been extended to use
+ cryptographic keys and digital signatures for the verification of the
+ authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034
+ [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security
+ Extensions, called DNSSEC.
+
+ RFC 4034 describes how to store DNSKEY and RRSIG resource records,
+ and specifies a list of cryptographic algorithms to use. This
+ document extends that list with the signature and hash algorithms
+ GOST R 34.10-2001 ([GOST3410], [RFC5832]) and GOST R 34.11-94
+ ([GOST3411], [RFC5831]), and specifies how to store DNSKEY data and
+ how to produce RRSIG resource records with these algorithms.
+
+ Familiarity with DNSSEC and with GOST signature and hash algorithms
+ is assumed in this document.
+
+ The term "GOST" is not officially defined, but is usually used to
+ refer to the collection of the Russian cryptographic algorithms
+ GOST R 34.10-2001 [RFC5832], GOST R 34.11-94 [RFC5831], and
+
+
+
+Dolmatov, et al. Standards Track [Page 2]
+\f
+RFC 5933 Use of GOST Signatures in DNSSEC July 2010
+
+
+ GOST 28147-89 [RFC5830]. Since GOST 28147-89 is not used in DNSSEC,
+ "GOST" will only refer to GOST R 34.10-2001 and GOST R 34.11-94 in
+ this document.
+
+1.1. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2. DNSKEY Resource Records
+
+ The format of the DNSKEY RR can be found in RFC 4034 [RFC4034].
+
+ GOST R 34.10-2001 public keys are stored with the algorithm
+ number 12.
+
+ The wire format of the public key is compatible with RFC 4491
+ [RFC4491]:
+
+ According to [GOST3410] and [RFC5832], a public key is a point on the
+ elliptic curve Q = (x,y).
+
+ The wire representation of a public key MUST contain 64 octets, where
+ the first 32 octets contain the little-endian representation of x and
+ the second 32 octets contain the little-endian representation of y.
+
+ Corresponding public key parameters are those identified by
+ id-GostR3410-2001-CryptoPro-A-ParamSet (1.2.643.2.2.35.1) [RFC4357],
+ and the digest parameters are those identified by
+ id-GostR3411-94-CryptoProParamSet (1.2.643.2.2.30.1) [RFC4357].
+
+2.1. Using a Public Key with Existing Cryptographic Libraries
+
+ At the time of this writing, existing GOST-aware cryptographic
+ libraries are capable of reading GOST public keys via a generic X509
+ API if the key is encoded according to RFC 4491 [RFC4491],
+ Section 2.3.2.
+
+ To make this encoding from the wire format of a GOST public key with
+ the parameters used in this document, prepend the 64 octets of key
+ data with the following 37-byte sequence:
+
+ 0x30 0x63 0x30 0x1c 0x06 0x06 0x2a 0x85 0x03 0x02 0x02 0x13 0x30
+ 0x12 0x06 0x07 0x2a 0x85 0x03 0x02 0x02 0x23 0x01 0x06 0x07 0x2a
+ 0x85 0x03 0x02 0x02 0x1e 0x01 0x03 0x43 0x00 0x04 0x40
+
+
+
+
+
+Dolmatov, et al. Standards Track [Page 3]
+\f
+RFC 5933 Use of GOST Signatures in DNSSEC July 2010
+
+
+2.2. GOST DNSKEY RR Example
+
+ Given a private key with the following value (the value of the
+ GostAsn1 field is split here into two lines to simplify reading; in
+ the private key file, it must be in one line):
+
+ Private-key-format: v1.2
+ Algorithm: 12 (ECC-GOST)
+ GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQg/9M
+ iXtXKg9FDXDN/R9CmVhJDyuzRAIgh4tPwCu4NHIs=
+
+ The following DNSKEY RR stores a DNS zone key for example.net:
+
+ example.net. 86400 IN DNSKEY 256 3 12 (
+ aRS/DcPWGQj2wVJydT8EcAVoC0kXn5pDVm2I
+ MvDDPXeD32dsSKcmq8KNVzigjL4OXZTV+t/6
+ w4X1gpNrZiC01g==
+ ) ; key id = 59732
+
+3. RRSIG Resource Records
+
+ The value of the signature field in the RRSIG RR follows RFC 4490
+ [RFC4490] and is calculated as follows. The values for the RDATA
+ fields that precede the signature data are specified in RFC 4034
+ [RFC4034].
+
+ hash = GOSTR3411(data)
+
+ where "data" is the wire format data of the resource record set that
+ is signed, as specified in RFC 4034 [RFC4034].
+
+ The hash MUST be calculated with GOST R 34.11-94 parameters
+ identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+ The signature is calculated from the hash according to the
+ GOST R 34.10-2001 standard, and its wire format is compatible with
+ RFC 4490 [RFC4490].
+
+ Quoting RFC 4490:
+
+ "The signature algorithm GOST R 34.10-2001 generates a digital
+ signature in the form of two 256-bit numbers, r and s. Its octet
+ string representation consists of 64 octets, where the first
+ 32 octets contain the big-endian representation of s and the second
+ 32 octets contain the big-endian representation of r".
+
+
+
+
+
+
+Dolmatov, et al. Standards Track [Page 4]
+\f
+RFC 5933 Use of GOST Signatures in DNSSEC July 2010
+
+
+3.1. RRSIG RR Example
+
+ With the private key from Section 2.2, sign the following RRSet,
+ consisting of one A record:
+
+ www.example.net. 3600 IN A 192.0.2.1
+
+ Setting the inception date to 2000-01-01 00:00:00 UTC and the
+ expiration date to 2030-01-01 00:00:00 UTC, the following signature
+ RR will be valid:
+
+ www.example.net. 3600 IN RRSIG A 12 3 3600 20300101000000 (
+ 20000101000000 59732 example.net.
+ 7vzzz6iLOmvtjs5FjVjSHT8XnRKFY15ki6Kp
+ kNPkUnS8iIns0Kv4APT+D9ibmHhGri6Sfbyy
+ zi67+wBbbW/jrA== )
+
+ Note: The ECC-GOST signature algorithm uses random data, so the
+ actual computed signature value will differ between signature
+ calculations.
+
+4. DS Resource Records
+
+ The GOST R 34.11-94 digest algorithm is denoted in DS RRs by the
+ digest type 3. The wire format of a digest value is compatible with
+ RFC 4490 [RFC4490], that is, the digest is in little-endian
+ representation.
+
+ The digest MUST always be calculated with GOST R 34.11-94 parameters
+ identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+4.1. DS RR Example
+
+ For Key Signing Key (KSK):
+
+ example.net. 86400 DNSKEY 257 3 12 (
+ LMgXRHzSbIJGn6i16K+sDjaDf/k1o9DbxScO
+ gEYqYS/rlh2Mf+BRAY3QHPbwoPh2fkDKBroF
+ SRGR7ZYcx+YIQw==
+ ) ; key id = 40692
+
+ The DS RR will be
+
+ example.net. 3600 IN DS 40692 12 3 (
+ 22261A8B0E0D799183E35E24E2AD6BB58533CBA7E3B14D659E9CA09B
+ 2071398F )
+
+
+
+
+
+Dolmatov, et al. Standards Track [Page 5]
+\f
+RFC 5933 Use of GOST Signatures in DNSSEC July 2010
+
+
+5. Deployment Considerations
+
+5.1. Key Sizes
+
+ According to RFC 4357 [RFC4357], the key size of GOST public keys
+ MUST be 512 bits.
+
+5.2. Signature Sizes
+
+ According to the GOST R 34.10-2001 digital signature algorithm
+ specification ([GOST3410], [RFC5832]), the size of a GOST signature
+ is 512 bits.
+
+5.3. Digest Sizes
+
+ According to GOST R 34.11-94 ([GOST3411], [RFC5831]), the size of a
+ GOST digest is 256 bits.
+
+6. Implementation Considerations
+
+6.1. Support for GOST Signatures
+
+ DNSSEC-aware implementations MAY be able to support RRSIG and DNSKEY
+ resource records created with the GOST algorithms as defined in this
+ document.
+
+6.2. Support for NSEC3 Denial of Existence
+
+ Any DNSSEC-GOST implementation MUST support both NSEC [RFC4035] and
+ NSEC3 [RFC5155].
+
+7. Security Considerations
+
+ Currently, the cryptographic resistance of the GOST R 34.10-2001
+ digital signature algorithm is estimated as 2**128 operations of
+ multiple elliptic curve point computations on prime modulus of order
+ 2**256.
+
+ Currently, the cryptographic resistance of the GOST R 34.11-94 hash
+ algorithm is estimated as 2**128 operations of computations of a step
+ hash function. (There is a known method to reduce this estimate to
+ 2**105 operations, but it demands padding the colliding message with
+ 1024 random bit blocks each of 256-bit length; thus, it cannot be
+ used in any practical implementation).
+
+
+
+
+
+
+
+Dolmatov, et al. Standards Track [Page 6]
+\f
+RFC 5933 Use of GOST Signatures in DNSSEC July 2010
+
+
+8. IANA Considerations
+
+ This document updates the IANA registry "DNS Security Algorithm
+ Numbers" [RFC4034]. The following entries have been added to the
+ registry:
+
+ Zone Trans.
+ Value Algorithm Mnemonic Signing Sec. References Status
+ 12 GOST R 34.10-2001 ECC-GOST Y * RFC 5933 OPTIONAL
+
+ This document updates the RFC 4034 Digest Types assignment
+ ([RFC4034], Section A.2) by adding the value and status for the
+ GOST R 34.11-94 algorithm:
+
+ Value Algorithm Status
+ 3 GOST R 34.11-94 OPTIONAL
+
+9. Acknowledgments
+
+ This document is a minor extension to RFC 4034 [RFC4034]. Also, we
+ tried to follow the documents RFC 3110 [RFC3110], RFC 4509 [RFC4509],
+ and RFC 4357 [RFC4357] for consistency. The authors of and
+ contributors to these documents are gratefully acknowledged for their
+ hard work.
+
+ The following people provided additional feedback, text, and valuable
+ assistance: Dmitry Burkov, Jaap Akkerhuis, Olafur Gundmundsson,
+ Jelte Jansen, and Wouter Wijngaards.
+
+10. References
+
+10.1. Normative References
+
+ [GOST3410] "Information technology. Cryptographic data security.
+ Signature and verification processes of [electronic]
+ digital signature.", GOST R 34.10-2001, Gosudarstvennyi
+ Standard of Russian Federation, Government Committee of
+ Russia for Standards, 2001. (In Russian).
+
+ [GOST3411] "Information technology. Cryptographic data security.
+ Hashing function.", GOST R 34.11-94, Gosudarstvennyi
+ Standard of Russian Federation, Government Committee of
+ Russia for Standards, 1994. (In Russian).
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+
+
+
+
+Dolmatov, et al. Standards Track [Page 7]
+\f
+RFC 5933 Use of GOST Signatures in DNSSEC July 2010
+
+
+ [RFC3110] Eastlake 3rd, D., "RSA/SHA-1 SIGs and RSA KEYs in the
+ Domain Name System (DNS)", RFC 3110, May 2001.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional
+ Cryptographic Algorithms for Use with GOST 28147-89,
+ GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
+ Algorithms", RFC 4357, January 2006.
+
+ [RFC4490] Leontiev, S., Ed. and G. Chudov, Ed., "Using the
+ GOST 28147-89, GOST R 34.11-94, GOST R 34.10-94, and
+ GOST R 34.10-2001 Algorithms with Cryptographic Message
+ Syntax (CMS)", RFC 4490, May 2006.
+
+ [RFC4491] Leontiev, S., Ed. and D. Shefanovski, Ed., "Using the
+ GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
+ Algorithms with the Internet X.509 Public Key
+ Infrastructure Certificate and CRL Profile", RFC 4491,
+ May 2006.
+
+ [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+ Security (DNSSEC) Hashed Authenticated Denial of
+ Existence", RFC 5155, March 2008.
+
+10.2. Informative References
+
+ [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
+ (DS) Resource Records (RRs)", RFC 4509, May 2006.
+
+ [RFC5830] Dolmatov, V., Ed., "GOST 28147-89: Encryption,
+ Decryption, and Message Authentication Code (MAC)
+ Algorithms", RFC 5830, March 2010.
+
+ [RFC5831] Dolmatov, V., Ed., "GOST R 34.11-94: Hash Function
+ Algorithm", RFC 5831, March 2010.
+
+
+
+
+
+Dolmatov, et al. Standards Track [Page 8]
+\f
+RFC 5933 Use of GOST Signatures in DNSSEC July 2010
+
+
+ [RFC5832] Dolmatov, V., Ed., "GOST R 34.10-2001: Digital Signature
+ Algorithm", RFC 5832, March 2010.
+
+Authors' Addresses
+
+ Vasily Dolmatov (editor)
+ Cryptocom Ltd.
+ 14/2, Kedrova St.
+ Moscow, 117218
+ Russian Federation
+
+ Phone: +7 499 124 6226
+ EMail: dol@cryptocom.ru
+
+
+ Artem Chuprina
+ Cryptocom Ltd.
+ 14/2, Kedrova St.
+ Moscow, 117218
+ Russian Federation
+
+ Phone: +7 499 124 6226
+ EMail: ran@cryptocom.ru
+
+
+ Igor Ustinov
+ Cryptocom Ltd.
+ 14/2, Kedrova St.
+ Moscow, 117218
+ Russian Federation
+
+ Phone: +7 499 124 6226
+ EMail: igus@cryptocom.ru
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dolmatov, et al. Standards Track [Page 9]
+\f