Timestamp:
01/06/11 15:52:10 (2 years ago)
Author:
ahu
Message:

make pdnssec output useful help
rename order-zone to rectify-zone and make it also set the 'auth' field
plus make it clear the 'order' field for narrow NSEC3 zones (only the 'auth' field is set there)

Files:
1 modified

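--- a/trunk/pdns/pdns/pdnssec.cc
+++ b/trunk/pdns/pdns/pdnssec.cc
@@ -86,41 +86,54 @@
 }
 
-void orderZone(DNSSECKeeper& dk, const std::string& zone)
-{
-    
+void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
+{
   UeberBackend* B = new UeberBackend("default");
   SOAData sd;
   
   if(!B->getSOA(zone, sd)) {
-    cerr<<"No SOA!"<<endl;
+    cerr<<"No SOA known for '"<<zone<<"', is such a zone in the database?"<<endl;
     return;
   }
-  cerr<<"ID: "<<sd.domain_id<<endl;
   sd.db->list(zone, sd.domain_id);
   DNSResourceRecord rr;
 
-  set<string> qnames;
+  set<string> qnames, nsset;
   
   while(sd.db->get(rr)) {
-  //  cerr<<rr.qname<<endl;
     qnames.insert(rr.qname);
+    if(rr.qtype.getCode() == QType::NS && !pdns_iequals(rr.qname, zone))
+      nsset.insert(rr.qname);
   }
 
   NSEC3PARAMRecordContent ns3pr;
-  dk.getNSEC3PARAM(zone, &ns3pr);
+  bool narrow;
+  dk.getNSEC3PARAM(zone, &ns3pr, &narrow);
   string hashed;
   if(ns3pr.d_salt.empty())
     cerr<<"Adding NSEC ordering information"<<endl;
-  else
-    cerr<<"Adding NSEC3 hashed ordering information"<<endl;
+  else if(!narrow)
+    cerr<<"Adding NSEC3 hashed ordering information for '"<<zone<<"'"<<endl;
+  else
+    cerr<<"Erasing NSEC3 ordering since we are narrow, only setting 'auth' fields"<<endl;
   
   BOOST_FOREACH(const string& qname, qnames)
   {
+    string shorter(qname);
+    bool auth=true;
+    do {
+      if(nsset.count(shorter)) {
+        auth=false;
+        break;
+      }
+    }while(chopOff(shorter));
+
     if(ns3pr.d_salt.empty()) // NSEC
-      sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, true);
+      sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
     else {
-      hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
-      cerr<<"'"<<qname<<"' -> '"<< hashed <<"'"<<endl;
-      sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, true);
+      if(!narrow) {
+        hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
+        cerr<<"'"<<qname<<"' -> '"<< hashed <<"'"<<endl;
+      }
+      sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, auth);
     }
   }
@@ -185,6 +198,19 @@
 
   if(cmds.empty() || g_vm.count("help")) {
-    cerr<<"Usage: \npdnssec [options] [show-zone] [secure-zone] [alter-zone] [order-zone] [add-zone-key] [deactivate-zone-key] [remove-zone-key] [activate-zone-key]\n";
-    cerr<<"         [import-zone-key] [export-zone-key] [set-nsec3] [unset-nsec3] [export-zone-dnskey]"<<endl;
+    cerr<<"Usage: \npdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key] [deactivate-zone-key] [remove-zone-key] [activate-zone-key]\n";
+    cerr<<"         [import-zone-key] [export-zone-key] [set-nsec3] [unset-nsec3] [export-zone-dnskey]\n\n";
+    cerr<<"activate-zone-key ZONE KEY-ID   Activate the key with key id KEY-ID in ZONE\n";
+    cerr<<"add-zone-key ZONE [zsk|ksk]     Add a ZSK or KSK to a zone (ZSK only now)\n";
+    cerr<<"deactivate-zone-key             Dectivate the key with key id KEY-ID in ZONE\n";
+    cerr<<"export-zone-dnskey ZONE KEY-ID  Export to stdout the public DNSKEY described\n";
+    cerr<<"export-zone-key ZONE KEY-ID     Export to stdout the private key described\n";
+    cerr<<"import-zone-key ZONE FILE       Import from a file a private KSK\n";
+    cerr<<"rectify-zone ZONE               Fix up DNSSEC fields (order, auth)\n";
+    cerr<<"remove-zone-key ZONE KEY-ID     Remove key with KEY-ID from ZONE\n";
+    cerr<<"secure-zone                     Add KSK and two ZSKs\n";
+    cerr<<"set-nsec3 'params' [narrow]     Enable NSEC3 with PARAMs. Optionally narrow\n";
+    cerr<<"show-zone ZONE                  Show DNSSEC (public) key details about a zone\n";
+    cerr<<"unset-nsec3 ZONE                Switch back to NSEC\n\n";
+
     cerr<<"Options:"<<endl;
     cerr<<desc<<endl;
@@ -196,10 +222,10 @@
   DNSSECKeeper dk;
 
-  if(cmds[0] == "order-zone") {
+  if(cmds[0] == "rectify-zone" || cmds[0] == "order-zone") {
     if(cmds.size() != 2) {
       cerr << "Error: "<<cmds[0]<<" takes exactly 1 parameter"<<endl;
       return 0;
     }
-    orderZone(dk, cmds[1]);
+    rectifyZone(dk, cmds[1]);
   }
   else if(cmds[0] == "check-zone") {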
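Review bot: The delegation walk in rectifyZone (`do { if(nsset.count(shorter)) { auth=false; break; } } while(chopOff(shorter));`) starts at `qname` itself, so every record at a delegation name is marked non-authoritative, and that includes a DS RRset sitting at the cut, which the parent zone is authoritative for and must sign and chain in NSEC/NSEC3; the per-name `updateDNSSECOrderAndAuth*` calls as written cannot express "NS and glue non-auth, DS auth" for the same name, so a per-record update (or a DS exception in the loop) looks needed — worth confirming against the backend API, which is outside this hunk. In the narrow NSEC3 branch the value handed to `updateDNSSECOrderAndAuthAbsolute` is whatever `string hashed;` holds, i.e. the empty string only because nothing ever assigns it in that branch; passing it explicitly, `sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, narrow ? "" : hashed, auth);`, would document that "erase the order" is the intent rather than an accident. The `UeberBackend* B = new UeberBackend("default");` is still never deleted on either the early `return` or the normal exit, though that predates this change. Separately, in the help hunk the `deactivate-zone-key` line reads `Dectivate` and omits the `ZONE KEY-ID` arguments that the `activate-zone-key` line above it shows.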