coredns-utils: Apply ZSK patch
parent
9863169cc0
commit
47b54f3d08
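--- /dev/null
+++ b/PATH-NOT-ON-PAGE.patch
@@ -0,0 +1,219 @@
+From d1174e959f8b4153ba25dd17a533a902a5ecbe62 Mon Sep 17 00:00:00 2001
+From: andrewheberle <andrewheberle@users.noreply.github.com>
+Date: Tue, 7 Jan 2020 08:33:33 +0800
+Subject: [PATCH 1/3] Add option to generate ZSK
+
+Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
+---
+coredns-keygen/main.go | 15 +++++++++++----
+1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/coredns-keygen/main.go b/coredns-keygen/main.go
+index 0bd04a8..1bbedb0 100644
+--- a/coredns-keygen/main.go
++++ b/coredns-keygen/main.go
+@@ -11,23 +11,30 @@ import (
+)
+
+var helpFlag = flag.Bool("h", false, "show short help message")
++var zskFlag = flag.Bool("zsk", false, "generate zone signing key (zsk)")
++var keyFlag uint16 = 257 // CSK/KSK
+
+func main() {
+flag.Usage = func() {
+fmt.Fprintf(os.Stderr, "Usage of %s [OPTIONS] ZONE [ZONE]...\n", os.Args[0])
+- fmt.Fprintf(os.Stderr, "Generate Common Signing Keys for DNSSEC.\n")
++ fmt.Fprintf(os.Stderr, "Generate Keys for DNSSEC (default is CSK/KSK).\n")
+flag.PrintDefaults()
+}
+
+flag.Parse()
+- if *helpFlag || len(os.Args[1:]) == 0 {
++ if *helpFlag || len(flag.Args()) == 0 {
+flag.Usage()
+return
+}
+- for _, zone := range os.Args[1:] {
++
++ if *zskFlag {
++ keyFlag = 256 // ZSK
++ }
++
++ for _, zone := range flag.Args() {
+key := &dns.DNSKEY{
+Hdr: dns.RR_Header{Name: dns.Fqdn(zone), Class: dns.ClassINET, Ttl: 3600, Rrtype: dns.TypeDNSKEY},
+- Algorithm: dns.ECDSAP256SHA256, Flags: 257, Protocol: 3,
++ Algorithm: dns.ECDSAP256SHA256, Flags: keyFlag, Protocol: 3,
+}
+priv, err := key.Generate(256)
+if err != nil {
+--
+2.20.1
+
+
+From 18e1c3ac7be57b2332c4f768545f2586ba11924d Mon Sep 17 00:00:00 2001
+From: andrewheberle <andrewheberle@users.noreply.github.com>
+Date: Tue, 7 Jan 2020 08:34:40 +0800
+Subject: [PATCH 2/3] Update README for ZSK option
+
+Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
+---
+coredns-keygen/README.md | 22 ++++++++++++++++------
+1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/coredns-keygen/README.md b/coredns-keygen/README.md
+index 195ff88..6a5d8ab 100644
+--- a/coredns-keygen/README.md
++++ b/coredns-keygen/README.md
+@@ -6,15 +6,17 @@
+
+## Description
+
+-*coredns-keygen* generates a Common Signing Key for the purpose of signing zones. It has no options
+-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
++*coredns-keygen* generates keys for the purpose of signing DNS zones. It has the option to
++generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
++All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
+
+## Syntax
+
+-~~~
+-coredns-keygen ZONES...
++~~~sh
++coredns-keygen [-zsk] ZONES...
+~~~
+
++* **-zsk** generate ZSK instead of CSK/KSK
+* **ZONES** zones it should generate keys for.
+
+For each key pair the following files are created:
+@@ -27,14 +29,22 @@ For each generated key the base name of these file is printed to standard output
+
+## Examples
+
+-Generate keys for example.org and example.net:
++Generate CSK/KSK keys for example.org and example.net:
+
+-~~~
++~~~sh
+$ coredns-keygen example.org example.net
+Kexample.org.+013+09787
+Kexample.net.+013+00440
+~~~
+
++Generate ZSK keys for example.org and example.net:
++
++~~~sh
++$ coredns-keygen -zsk example.org example.net
++Kexample.org.+013+00234
++Kexample.net.+013+08728
++~~~
++
+## Also See
+
+dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
+--
+2.20.1
+
+
+From 667949438f59cb09d28692fe4120040b4ff8d9f4 Mon Sep 17 00:00:00 2001
+From: andrewheberle <andrewheberle@users.noreply.github.com>
+Date: Tue, 7 Jan 2020 08:39:51 +0800
+Subject: [PATCH 3/3] Update man page
+
+Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
+---
+coredns-keygen/coredns-keygen.8 | 40 +++++++++++++++++++++++++--------
+1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/coredns-keygen/coredns-keygen.8 b/coredns-keygen/coredns-keygen.8
+index eae220d..02116da 100644
+--- a/coredns-keygen/coredns-keygen.8
++++ b/coredns-keygen/coredns-keygen.8
+@@ -1,5 +1,5 @@
+.\" Generated by Mmark Markdown Processer - mmark.miek.nl
+-.TH "COREDNS-KEYGEN" 8 "August 2019" "CoreDNS" "CoreDNS"
++.TH "COREDNS-KEYGEN" 8 "January 2020" "CoreDNS" "CoreDNS"
+
+.SH "COREDNS-KEYGEN"
+.SH "NAME"
+@@ -8,19 +8,22 @@
+
+.SH "DESCRIPTION"
+.PP
+-\fIcoredns-keygen\fP generates a Common Signing Key for the purpose of signing zones. It has no options
+-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
++\fIcoredns-keygen\fP generates keys for the purpose of signing DNS zones. It has the option to
++generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
++All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
+
+.SH "SYNTAX"
+.PP
+.RS
+
+.nf
+-coredns\-keygen ZONES...
++coredns\-keygen [\-zsk] ZONES...
+
+.fi
+.RE
+
++.IP \(bu 4
++\fB-zsk\fP generate ZSK instead of CSK/KSK
+.IP \(bu 4
+\fBZONES\fP zones it should generate keys for.
+
+@@ -29,17 +32,19 @@ coredns\-keygen ZONES...
+For each key pair the following files are created:
+
+.IP \(bu 4
+-\fB\fCK<zone>.+<algorithm>+<keytag>.key\fR for the DNSKEY RR, and
++\fB\fCK<zone>.+<algorithm>+<keytag>.key\fR for the DNSKEY RR,
++.IP \(bu 4
++\fB\fCK<zone>.+<algorithm>+<keytag>.ds\fR for the DS RR, and,
+.IP \(bu 4
+\fB\fCK<zone>.+<algorithm>+<keytag>.private\fR for the private one.
+
+
+.PP
+-For each generate key the base name of these file is printed to standard output once.
++For each generated key the base name of these file is printed to standard output once.
+
+.SH "EXAMPLES"
+.PP
+-Generate keys for example.org and example.net:
++Generate CSK/KSK keys for example.org and example.net:
+
+.PP
+.RS
+@@ -52,8 +57,25 @@ Kexample.net.+013+00440
+.fi
+.RE
+
++.PP
++Generate ZSK keys for example.org and example.net:
++
++.PP
++.RS
++
++.nf
++$ coredns\-keygen \-zsk example.org example.net
++Kexample.org.+013+00234
++Kexample.net.+013+08728
++
++.fi
++.RE
++
+.SH "ALSO SEE"
+.PP
+-dnssec-keygen(8) can also used to generate keys and supports more options. See RFC 4033, 4034, 4035
+-for the whole DNSSEC specification.
++dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
++ldns-key2ds(1) or similar utilities.
++
++.PP
++See RFC 4033, 4034, 4035 for the DNSSEC specification.
+
+--
+2.20.1
+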
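Review bot: In the embedded coredns-keygen/main.go hunk (PATCH 1/3), `keyFlag` is a mutable package-level variable initialised to a bare 257 and then overwritten from main() after flag.Parse(); a local derived from the flag and spelled with the library's named bits would say what the numbers mean and remove the global. I would drop the `var keyFlag` line and replace the `if *zskFlag` block with `flags := uint16(dns.ZONE | dns.SEP) // 257: KSK/CSK` and `if *zskFlag { flags = dns.ZONE } // 256: ZSK`, then use `Flags: flags` in the DNSKEY literal. Whichever form is kept, the `// CSK/KSK` and `// ZSK` comments should state that the only difference is the SEP bit, e.g. `// DNSKEY flags: 257 = ZONE|SEP (KSK/CSK), 256 = ZONE (ZSK)`, so a reader does not have to look the values up. Since this file is itself a patch series, the edit belongs inside the first patch's hunk; main() continues past the end of that hunk.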