From d1174e959f8b4153ba25dd17a533a902a5ecbe62 Mon Sep 17 00:00:00 2001
From: andrewheberle
Date: Tue, 7 Jan 2020 08:33:33 +0800
Subject: [PATCH 1/3] Add option to generate ZSK

Signed-off-by: Andrew Heberle
---
 coredns-keygen/main.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/coredns-keygen/main.go b/coredns-keygen/main.go
index 0bd04a8..1bbedb0 100644
--- a/coredns-keygen/main.go
+++ b/coredns-keygen/main.go
@@ -11,23 +11,30 @@ import (
 )
 
 var helpFlag = flag.Bool("h", false, "show short help message")
+var zskFlag = flag.Bool("zsk", false, "generate zone signing key (zsk)")
+var keyFlag uint16 = 257 // CSK/KSK
 
 func main() {
 	flag.Usage = func() {
 		fmt.Fprintf(os.Stderr, "Usage of %s [OPTIONS] ZONE [ZONE]...\n", os.Args[0])
-		fmt.Fprintf(os.Stderr, "Generate Common Signing Keys for DNSSEC.\n")
+		fmt.Fprintf(os.Stderr, "Generate Keys for DNSSEC (default is CSK/KSK).\n")
 		flag.PrintDefaults()
 	}
 	flag.Parse()
-	if *helpFlag || len(os.Args[1:]) == 0 {
+	if *helpFlag || len(flag.Args()) == 0 {
 		flag.Usage()
 		return
 	}
-	for _, zone := range os.Args[1:] {
+
+	if *zskFlag {
+		keyFlag = 256 // ZSK
+	}
+
+	for _, zone := range flag.Args() {
 		key := &dns.DNSKEY{
 			Hdr: dns.RR_Header{Name: dns.Fqdn(zone), Class: dns.ClassINET, Ttl: 3600, Rrtype: dns.TypeDNSKEY},
-			Algorithm: dns.ECDSAP256SHA256, Flags: 257, Protocol: 3,
+			Algorithm: dns.ECDSAP256SHA256, Flags: keyFlag, Protocol: 3,
 		}
 		priv, err := key.Generate(256)
 		if err != nil {
-- 
2.20.1

From 18e1c3ac7be57b2332c4f768545f2586ba11924d Mon Sep 17 00:00:00 2001
From: andrewheberle
Date: Tue, 7 Jan 2020 08:34:40 +0800
Subject: [PATCH 2/3] Update README for ZSK option

Signed-off-by: Andrew Heberle
---
 coredns-keygen/README.md | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/coredns-keygen/README.md b/coredns-keygen/README.md
index 195ff88..6a5d8ab 100644
--- a/coredns-keygen/README.md
+++ b/coredns-keygen/README.md
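Review bot: The DNSKEY flag values in the new `var keyFlag uint16 = 257 // CSK/KSK` and `keyFlag = 256 // ZSK` lines are magic numbers; miekg/dns exports the individual flag bits, so `var keyFlag uint16 = dns.ZONE | dns.SEP // CSK/KSK` and `keyFlag = dns.ZONE // ZSK` state directly that the ZONE bit is always set and the SEP bit only for a KSK/CSK, with identical values. keyFlag is also package-level mutable state that is only read inside main; declaring it as a local after flag.Parse() and just before the zone loop would keep the selection out of package scope and make the "-zsk" decision visible where the key is built. The updated usage text ("default is CSK/KSK") is consistent with the SEP bit being set by default. main's body continues past the end of the hunk.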
@@ -6,15 +6,17 @@ ## Description -*coredns-keygen* generates a Common Signing Key for the purpose of signing zones. It has no options -and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set. +*coredns-keygen* generates keys for the purpose of signing DNS zones. It has the option to +generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set. +All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve). ## Syntax -~~~ -coredns-keygen ZONES... +~~~sh +coredns-keygen [-zsk] ZONES... ~~~ +* **-zsk** generate ZSK instead of CSK/KSK * **ZONES** zones it should generate keys for. For each key pair the following files are created: @@ -27,14 +29,22 @@ For each generated key the base name of these file is printed to standard output ## Examples -Generate keys for example.org and example.net: +Generate CSK/KSK keys for example.org and example.net: -~~~ +~~~sh $ coredns-keygen example.org example.net Kexample.org.+013+09787 Kexample.net.+013+00440 ~~~ +Generate ZSK keys for example.org and example.net: + +~~~sh +$ coredns-keygen -zsk example.org example.net +Kexample.org.+013+00234 +Kexample.net.+013+08728 +~~~ + ## Also See dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and -- 2.20.1 From 667949438f59cb09d28692fe4120040b4ff8d9f4 Mon Sep 17 00:00:00 2001 From: andrewheberle Date: Tue, 7 Jan 2020 08:39:51 +0800 Subject: [PATCH 3/3] Update man page Signed-off-by: Andrew Heberle --- coredns-keygen/coredns-keygen.8 | 40 +++++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/coredns-keygen/coredns-keygen.8 b/coredns-keygen/coredns-keygen.8 index eae220d..02116da 100644 --- a/coredns-keygen/coredns-keygen.8 +++ b/coredns-keygen/coredns-keygen.8 
@@ -1,5 +1,5 @@ .\" Generated by Mmark Markdown Processer - mmark.miek.nl -.TH "COREDNS-KEYGEN" 8 "August 2019" "CoreDNS" "CoreDNS" +.TH "COREDNS-KEYGEN" 8 "January 2020" "CoreDNS" "CoreDNS" .SH "COREDNS-KEYGEN" .SH "NAME" @@ -8,19 +8,22 @@ .SH "DESCRIPTION" .PP -\fIcoredns-keygen\fP generates a Common Signing Key for the purpose of signing zones. It has no options -and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set. +\fIcoredns-keygen\fP generates keys for the purpose of signing DNS zones. It has the option to +generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set. +All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve). .SH "SYNTAX" .PP .RS .nf -coredns\-keygen ZONES... +coredns\-keygen [\-zsk] ZONES... .fi .RE +.IP \(bu 4 +\fB-zsk\fP generate ZSK instead of CSK/KSK .IP \(bu 4 \fBZONES\fP zones it should generate keys for. @@ -29,17 +32,19 @@ coredns\-keygen ZONES... For each key pair the following files are created: .IP \(bu 4 -\fB\fCK.++.key\fR for the DNSKEY RR, and +\fB\fCK.++.key\fR for the DNSKEY RR, +.IP \(bu 4 +\fB\fCK.++.ds\fR for the DS RR, and, .IP \(bu 4 \fB\fCK.++.private\fR for the private one. .PP -For each generate key the base name of these file is printed to standard output once. +For each generated key the base name of these file is printed to standard output once. .SH "EXAMPLES" .PP -Generate keys for example.org and example.net: +Generate CSK/KSK keys for example.org and example.net: .PP .RS 
@@ -52,8 +57,25 @@ Kexample.net.+013+00440 .fi .RE +.PP +Generate ZSK keys for example.org and example.net: + +.PP +.RS + +.nf +$ coredns\-keygen \-zsk example.org example.net +Kexample.org.+013+00234 +Kexample.net.+013+08728 + +.fi +.RE + .SH "ALSO SEE" .PP -dnssec-keygen(8) can also used to generate keys and supports more options. See RFC 4033, 4034, 4035 -for the whole DNSSEC specification. +dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and +ldns-key2ds(1) or similar utilities. + +.PP +See RFC 4033, 4034, 4035 for the DNSSEC specification. -- 2.20.1