With the move of the normal output to stdout, we need a way how to silence the
extra output, so the signed file name can be captured in a simple way. This
commit adds `-q` command line option that will silence all the normal output
that get's printed from both tools.
This makes the `-12a` options to `dnssec-dsfromkey` work more like
`dnssec-cds`, in that you can specify more than one digest and you
will get multiple records. (Previously you could only get one
non-default digest type at a time.)
The default is now `-2`. You can get the old behaviour with `-12`.
Tests and tools that use `dnssec-dsfromkey` have been updated to use
`-12` where necessary.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
This commit only moves code around, with the following exceptions:
- the check_dns_dbiterator_current() macro and functions
is_delegation() and has_dname() were removed from
bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
functions are used both by the code in bin/dnssec/dnssec-signzone.c
and verifyzone(), but are not a good fit for being exported by a
code module responsible for zone verification,
- fatal() and check_result() were duplicated in lib/dns/zoneverify.c
as static functions which do not use the "program" variable any more
(as it is only set by the tools in bin/dnssec/); this is a temporary
step which only aims to prevent compilation from breaking - these
duplicate functions will be removed once lib/dns/zoneverify.c is
refactored not to use them,
- the list of header files included by lib/dns/zoneverify.c was
expanded to encompass all header files that are actually used by the
code in that file,
- a description of the purpose of the commented out "fields" inside
struct nsec3_chain_fixed was added.
DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains. Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records. Check that DNAME-obscured
records are not signed.
The three functions has been modeled after the arc4random family of
functions, and they will always return random bytes.
The isc_random family of functions internally use these CSPRNG (if available):
1. getrandom() libc call (might be available on Linux and Solaris)
2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
4. crypto library function:
4a. RAND_bytes in case OpenSSL
4b. pkcs_C_GenerateRandom() in case PKCS#11 library
4757. [func] New "dnssec-cds" command creates a new parent DS
RRset based on CDS or CDNSKEY RRsets found in
a child zone, and generates either a dsset file
or stream of nsupdate commands to update the
parent. Thanks to Tony Finch. [RT #46090]
3730. [cleanup] Added "never" as a synonym for "none" when
configuring key event dates in the dnssec tools.
[RT #35277]
3729. [bug] dnssec-kegeyn could set the publication date
incorrectly when only the activation date was
specified on the command line. [RT #35278]
creating key files if there is a chance that the new
key ID will collide with an existing one after
either of the keys has been revoked. (To override
this in the case of dnssec-keyfromlabel, use the -y
option. dnssec-keygen will simply create a
different, noncolliding key, so an override is
not necessary.) [RT #20838]
will now ignore unrecognized fields when the
minor version number of the private key format
has been increased. It will reject any key with
the major version number increased. [RT #20310]
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
to be signed by creating keys for it in the
key-directory and using 'rndc sign <zone>'.
'auto-dnssec maintain;' allows that too, plus it
also keeps the zone's DNSSEC keys up to date
according to their timing metadata. [RT #19943]
- dnssec-keygen and dnssec-settime can now set key
metadata fields 0 (to unset a value, use "none")
- dnssec-revoke sets the revocation date in
addition to the revoke bit
- dnssec-settime can now print individual metadata
fields instead of always printing all of them,
and can print them in unix epoch time format for
use by scripts
[RT #19942]
