Add ldns-signzone like support. #8

Open
wants to merge 3 commits into main

Conversation

@ximon18 (Member) commented Oct 17, 2024

Currently depends on domain branch multiple-key-signing, see NLnetLabs/domain#418.

  • Supports the basic command line arguments zonefile key [key [key]] and the NSEC3 arguments -n, -a, -t, -s and -p.
  • Lacks support for all other command line arguments of ldns-signzone:
  -b            use layout in signed zone and print comments DNSSEC records
  -d            used keys are not added to the zone
  -e <date>     expiration date
  -f <file>     output zone to file (default <name>.signed)
  -i <date>     inception date
  -o <domain>   origin for the zone
  -u            set SOA serial to the number of seconds since 1-1-1970
  -v            print version and exit
  -z <[scheme:]hash>    Add ZONEMD resource record
                <scheme> should be "simple" (or 1)
                <hash> should be "sha384" or "sha512" (or 1 or 2)
                this option can be given more than once
  -Z            Allow ZONEMDs to be added without signing
  -A            sign DNSKEY with all keys instead of minimal
  -U            Sign with every unique algorithm in the provided keys
  -E <name>     use <name> as the crypto engine for signing
                This can have a lot of extra options, see the manual page for more info
  -k <algorithm>,<key>  use `key' with `algorithm' from engine as ZSK
  -K <algorithm>,<key>  use `key' with `algorithm' from engine as KSK
  • Needs tests.
  • Has a known bug where for some reason invoking with KSK then ZSK in that order on the command line produces a zone which fails validation but swapping the order to ZSK then KSK works fine:
$ cargo run -- signzone -n ../domain/test-data/zonefiles/nsd-example.txt /tmp/x/Kexample.com.+015+60019 /tmp/x/Kexample.com.+015+03191 | tee /tmp/t && ldns-verify-zone /tmp/t -V 9
...
Checking: example.com.
Error: Bogus DNSSEC signature for example.com.  DNSKEY
RRSet:
example.com.    86400   IN      DNSKEY  256 3 15 0ZkeiKDxUOeI/45qg2saMEOaWZKpZymNwvl8d5OtLic= ;{id = 3191 (zsk), size = 256b}
example.com.    86400   IN      DNSKEY  257 3 15 Ssh9h2E6uRIX5Rtm9ZRTRL5v5J5YjkQdS+wsnMzhAn4= ;{id = 60019 (ksk), size = 256b}
Signature:
example.com.    86400   IN      RRSIG   DNSKEY 15 2 86400 20241116133433 20241017133433 60019 example.com. FuQPxHTcPRtxRH3IqG1NxFjnxdWZS2SegZe59MFfRaaat7pWgMU/H/LQ2brptMA/ffLlmuSt6ckQDkplhpc9Dg==
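The "Needs tests" item above suggests one check worth having: the octets an RRSIG signature covers (RFC 4034 section 3.1.8.1) are the RRSIG RDATA without the Signature field followed by the RRset in canonical order, so a signer's output must not depend on the order in which records or keys were supplied. The Python below is an added example, not code from this PR or the domain crate; it rebuilds that buffer from the DNSKEY and RRSIG lines quoted in the report, recovers the key tags 60019 and 3191 shown there, and confirms the buffer is identical for both key orders. It says nothing about the cause of the bug.

```python
import base64
import calendar
import struct
import time

# Constructed from the DNSKEY and RRSIG lines quoted in the report: owner example.com.,
# TTL 86400, class IN, algorithm 15. The KSK is listed first on purpose, mirroring the
# command-line order the report says fails; the checks below must not notice that.
OWNER = "example.com."
KEYS_KSK_FIRST = [
    (257, "Ssh9h2E6uRIX5Rtm9ZRTRL5v5J5YjkQdS+wsnMzhAn4="),  # KSK, key tag 60019
    (256, "0ZkeiKDxUOeI/45qg2saMEOaWZKpZymNwvl8d5OtLic="),  # ZSK, key tag 3191
]

def wire_name(name):
    """Canonical wire form of a name: lowercase and uncompressed (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, pubkey_b64, algorithm=15, protocol=3):
    """DNSKEY RDATA: flags | protocol | algorithm | public key (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B, the non-RSA/MD5 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rrsig_prefix(type_covered, algorithm, labels, orig_ttl, expiration, inception, tag, signer):
    """RRSIG RDATA with the Signature field left out; times in YYYYMMDDHHMMSS form."""
    epoch = lambda s: calendar.timegm(time.strptime(s, "%Y%m%d%H%M%S"))
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, orig_ttl,
                       epoch(expiration), epoch(inception), tag) + wire_name(signer)

def signed_data(prefix, owner, rtype, rclass, orig_ttl, rdatas):
    """Octets the signature covers (RFC 4034 section 3.1.8.1): RRSIG_RDATA | RR(1)..RR(n),
    each RR as owner | type | class | original TTL | RDLENGTH | RDATA, duplicates dropped
    and RRs in canonical order, i.e. RDATA compared as octet strings (section 6.3)."""
    rrs = [wire_name(owner) + struct.pack("!HHIH", rtype, rclass, orig_ttl, len(rd)) + rd
           for rd in sorted(set(rdatas))]
    return prefix + b"".join(rrs)

def dnskey_signed_data(keys):
    """Signed data for the report's DNSKEY RRset under its RRSIG (type 48, made by key 60019)."""
    prefix = rrsig_prefix(48, 15, 2, 86400, "20241116133433", "20241017133433", 60019, OWNER)
    return signed_data(prefix, OWNER, 48, 1, 86400, [dnskey_rdata(f, k) for f, k in keys])
```

Feeding the resulting buffer and the Ed25519 public key of key 60019 to a verifier is then the same computation ldns-verify-zone performs on the quoted RRSIG.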

… of domain that has WIP nsec3 support and a modified version of the PR #406 key management support.
- Add the DNSKEY and NSEC3PARAM records before signing the zone.
- Use latest domain.
@ximon18 ximon18 requested a review from a team October 17, 2024 13:32
@ximon18 ximon18 marked this pull request as ready for review October 17, 2024 13:32
@ximon18 ximon18 changed the title Add ldns-sign-zone like support. Add ldns-signzone like support. Oct 17, 2024
@ximon18 ximon18 mentioned this pull request Oct 17, 2024