From d1174e959f8b4153ba25dd17a533a902a5ecbe62 Mon Sep 17 00:00:00 2001
From: andrewheberle <[email protected]>
Date: Tue, 7 Jan 2020 08:33:33 +0800
Subject: [PATCH 1/3] Add option to generate ZSK
Signed-off-by: Andrew Heberle <[email protected]>
---
coredns-keygen/main.go | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/coredns-keygen/main.go b/coredns-keygen/main.go
index 0bd04a8..1bbedb0 100644
--- a/coredns-keygen/main.go
+++ b/coredns-keygen/main.go
@@ -11,23 +11,30 @@ import (
)
var helpFlag = flag.Bool("h", false, "show short help message")
+var zskFlag = flag.Bool("zsk", false, "generate zone signing key (zsk)")
+var keyFlag uint16 = 257 // CSK/KSK
func main() {
flag.Usage = func() {
fmt.Fprintf(os.Stderr, "Usage of %s [OPTIONS] ZONE [ZONE]...\n", os.Args[0])
- fmt.Fprintf(os.Stderr, "Generate Common Signing Keys for DNSSEC.\n")
+ fmt.Fprintf(os.Stderr, "Generate Keys for DNSSEC (default is CSK/KSK).\n")
flag.PrintDefaults()
}
flag.Parse()
- if *helpFlag || len(os.Args[1:]) == 0 {
+ if *helpFlag || len(flag.Args()) == 0 {
flag.Usage()
return
}
- for _, zone := range os.Args[1:] {
+
+ if *zskFlag {
+ keyFlag = 256 // ZSK
+ }
+
+ for _, zone := range flag.Args() {
key := &dns.DNSKEY{
Hdr: dns.RR_Header{Name: dns.Fqdn(zone), Class: dns.ClassINET, Ttl: 3600, Rrtype: dns.TypeDNSKEY},
- Algorithm: dns.ECDSAP256SHA256, Flags: 257, Protocol: 3,
+ Algorithm: dns.ECDSAP256SHA256, Flags: keyFlag, Protocol: 3,
}
priv, err := key.Generate(256)
if err != nil {
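Review bot: `keyFlag` is a mutable package-level `uint16` holding the DNSKEY Flags field, not a command-line flag, and it is only ever read inside `main`; the name misleads and the global is unnecessary. It reads more clearly as a local next to the `zskFlag` check, and the two magic numbers can be spelled with the DNSKEY flag-bit constants that the `dns` package already exports, so the CSK/KSK vs ZSK distinction (SEP bit set or clear, per RFC 4034) is visible in the code rather than in a comment: `flags := uint16(dns.ZONE | dns.SEP) // CSK/KSK (257)`, `if *zskFlag { flags = dns.ZONE } // ZSK (256)`, and `Flags: flags,` in the `DNSKEY` literal. The switch from `os.Args[1:]` to `flag.Args()` on the emptiness check and the loop is a genuine fix, since the old code counted `-h` itself as a zone. The `import` block and the body of `main` both continue outside the hunk.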
--
2.20.1
From 18e1c3ac7be57b2332c4f768545f2586ba11924d Mon Sep 17 00:00:00 2001
From: andrewheberle <[email protected]>
Date: Tue, 7 Jan 2020 08:34:40 +0800
Subject: [PATCH 2/3] Update README for ZSK option
Signed-off-by: Andrew Heberle <[email protected]>
---
coredns-keygen/README.md | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/coredns-keygen/README.md b/coredns-keygen/README.md
index 195ff88..6a5d8ab 100644
--- a/coredns-keygen/README.md
+++ b/coredns-keygen/README.md
@@ -6,15 +6,17 @@
## Description
-*coredns-keygen* generates a Common Signing Key for the purpose of signing zones. It has no options
-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
+*coredns-keygen* generates keys for the purpose of signing DNS zones. It has the option to
+generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
+All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
## Syntax
-~~~
-coredns-keygen ZONES...
+~~~sh
+coredns-keygen [-zsk] ZONES...
~~~
+* **-zsk** generate ZSK instead of CSK/KSK
* **ZONES** zones it should generate keys for.
For each key pair the following files are created:
@@ -27,14 +29,22 @@ For each generated key the base name of these file is printed to standard output
## Examples
-Generate keys for example.org and example.net:
+Generate CSK/KSK keys for example.org and example.net:
-~~~
+~~~sh
$ coredns-keygen example.org example.net
Kexample.org.+013+09787
Kexample.net.+013+00440
~~~
+Generate ZSK keys for example.org and example.net:
+
+~~~sh
+$ coredns-keygen -zsk example.org example.net
+Kexample.org.+013+00234
+Kexample.net.+013+08728
+~~~
+
## Also See
dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
--
2.20.1
From 667949438f59cb09d28692fe4120040b4ff8d9f4 Mon Sep 17 00:00:00 2001
From: andrewheberle <[email protected]>
Date: Tue, 7 Jan 2020 08:39:51 +0800
Subject: [PATCH 3/3] Update man page
Signed-off-by: Andrew Heberle <[email protected]>
---
coredns-keygen/coredns-keygen.8 | 40 +++++++++++++++++++++++++--------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/coredns-keygen/coredns-keygen.8 b/coredns-keygen/coredns-keygen.8
index eae220d..02116da 100644
--- a/coredns-keygen/coredns-keygen.8
+++ b/coredns-keygen/coredns-keygen.8
@@ -1,5 +1,5 @@
.\" Generated by Mmark Markdown Processer - mmark.miek.nl
-.TH "COREDNS-KEYGEN" 8 "August 2019" "CoreDNS" "CoreDNS"
+.TH "COREDNS-KEYGEN" 8 "January 2020" "CoreDNS" "CoreDNS"
.SH "COREDNS-KEYGEN"
.SH "NAME"
@@ -8,19 +8,22 @@
.SH "DESCRIPTION"
.PP
-\fIcoredns-keygen\fP generates a Common Signing Key for the purpose of signing zones. It has no options
-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
+\fIcoredns-keygen\fP generates keys for the purpose of signing DNS zones. It has the option to
+generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
+All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
.SH "SYNTAX"
.PP
.RS
.nf
-coredns\-keygen ZONES...
+coredns\-keygen [\-zsk] ZONES...
.fi
.RE
+.IP \(bu 4
+\fB-zsk\fP generate ZSK instead of CSK/KSK
.IP \(bu 4
\fBZONES\fP zones it should generate keys for.
@@ -29,17 +32,19 @@ coredns\-keygen ZONES...
For each key pair the following files are created:
.IP \(bu 4
-\fB\fCK<zone>.+<algorithm>+<keytag>.key\fR for the DNSKEY RR, and
+\fB\fCK<zone>.+<algorithm>+<keytag>.key\fR for the DNSKEY RR,
+.IP \(bu 4
+\fB\fCK<zone>.+<algorithm>+<keytag>.ds\fR for the DS RR, and,
.IP \(bu 4
\fB\fCK<zone>.+<algorithm>+<keytag>.private\fR for the private one.
.PP
-For each generate key the base name of these file is printed to standard output once.
+For each generated key the base name of these file is printed to standard output once.
.SH "EXAMPLES"
.PP
-Generate keys for example.org and example.net:
+Generate CSK/KSK keys for example.org and example.net:
.PP
.RS
@@ -52,8 +57,25 @@ Kexample.net.+013+00440
.fi
.RE
+.PP
+Generate ZSK keys for example.org and example.net:
+
+.PP
+.RS
+
+.nf
+$ coredns\-keygen \-zsk example.org example.net
+Kexample.org.+013+00234
+Kexample.net.+013+08728
+
+.fi
+.RE
+
.SH "ALSO SEE"
.PP
-dnssec-keygen(8) can also used to generate keys and supports more options. See RFC 4033, 4034, 4035
-for the whole DNSSEC specification.
+dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
+ldns-key2ds(1) or similar utilities.
+
+.PP
+See RFC 4033, 4034, 4035 for the DNSSEC specification.
--
2.20.1