From 47b54f3d08d91d8ae90605329538be2c014257fc Mon Sep 17 00:00:00 2001
From: Jeremy Rand
Date: Sat, 7 May 2022 16:36:32 +0000
Subject: [PATCH] coredns-utils: Apply ZSK patch
---
 projects/coredns-utils/ZSK.patch | 219 +++++++++++++++++++++++++++++++
 projects/coredns-utils/build | 3 +
 projects/coredns-utils/config | 2 +
 3 files changed, 224 insertions(+)
 create mode 100644 projects/coredns-utils/ZSK.patch
diff --git a/projects/coredns-utils/ZSK.patch b/projects/coredns-utils/ZSK.patch
new file mode 100644
index 0000000..dd62cf6
--- /dev/null
+++ b/projects/coredns-utils/ZSK.patch
@@ -0,0 +1,219 @@
+From d1174e959f8b4153ba25dd17a533a902a5ecbe62 Mon Sep 17 00:00:00 2001
+From: andrewheberle
+Date: Tue, 7 Jan 2020 08:33:33 +0800
+Subject: [PATCH 1/3] Add option to generate ZSK
+
+Signed-off-by: Andrew Heberle
+---
+ coredns-keygen/main.go | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/coredns-keygen/main.go b/coredns-keygen/main.go
+index 0bd04a8..1bbedb0 100644
+--- a/coredns-keygen/main.go
++++ b/coredns-keygen/main.go
+@@ -11,23 +11,30 @@ import (
+ )
+
+ var helpFlag = flag.Bool("h", false, "show short help message")
++var zskFlag = flag.Bool("zsk", false, "generate zone signing key (zsk)")
++var keyFlag uint16 = 257 // CSK/KSK
+
+ func main() {
+ flag.Usage = func() {
+ fmt.Fprintf(os.Stderr, "Usage of %s [OPTIONS] ZONE [ZONE]...\n", os.Args[0])
+- fmt.Fprintf(os.Stderr, "Generate Common Signing Keys for DNSSEC.\n")
++ fmt.Fprintf(os.Stderr, "Generate Keys for DNSSEC (default is CSK/KSK).\n")
+ flag.PrintDefaults()
+ }
+
+ flag.Parse()
+- if *helpFlag || len(os.Args[1:]) == 0 {
++ if *helpFlag || len(flag.Args()) == 0 {
+ flag.Usage()
+ return
+ }
+- for _, zone := range os.Args[1:] {
++
++ if *zskFlag {
++ keyFlag = 256 // ZSK
++ }
++
++ for _, zone := range flag.Args() {
+ key := &dns.DNSKEY{
+ Hdr: dns.RR_Header{Name: dns.Fqdn(zone), Class: dns.ClassINET, Ttl: 3600, Rrtype: dns.TypeDNSKEY},
+- Algorithm: dns.ECDSAP256SHA256, Flags: 257, Protocol: 3,
++ Algorithm: dns.ECDSAP256SHA256, Flags: keyFlag, Protocol: 3,
+ }
+ priv, err := key.Generate(256)
+ if err != nil {
+--
+2.20.1
+
+
+From 18e1c3ac7be57b2332c4f768545f2586ba11924d Mon Sep 17 00:00:00 2001
+From: andrewheberle
+Date: Tue, 7 Jan 2020 08:34:40 +0800
+Subject: [PATCH 2/3] Update README for ZSK option
+
+Signed-off-by: Andrew Heberle
+---
+ coredns-keygen/README.md | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/coredns-keygen/README.md b/coredns-keygen/README.md
+index 195ff88..6a5d8ab 100644
+--- a/coredns-keygen/README.md
++++ b/coredns-keygen/README.md
+@@ -6,15 +6,17 @@
+
+ ## Description
+
+-*coredns-keygen* generates a Common Signing Key for the purpose of signing zones. It has no options
+-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
++*coredns-keygen* generates keys for the purpose of signing DNS zones. It has the option to
++generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
++All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
+
+ ## Syntax
+
+-~~~
+-coredns-keygen ZONES...
++~~~sh
++coredns-keygen [-zsk] ZONES...
+ ~~~
+
++* **-zsk** generate ZSK instead of CSK/KSK
+ * **ZONES** zones it should generate keys for.
+
+ For each key pair the following files are created:
+@@ -27,14 +29,22 @@ For each generated key the base name of these file is printed to standard output
+
+ ## Examples
+
+-Generate keys for example.org and example.net:
++Generate CSK/KSK keys for example.org and example.net:
+
+-~~~
++~~~sh
+ $ coredns-keygen example.org example.net
+ Kexample.org.+013+09787
+ Kexample.net.+013+00440
+ ~~~
+
++Generate ZSK keys for example.org and example.net:
++
++~~~sh
++$ coredns-keygen -zsk example.org example.net
++Kexample.org.+013+00234
++Kexample.net.+013+08728
++~~~
++
+ ## Also See
+
+ dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
+--
+2.20.1
+
+
+From 667949438f59cb09d28692fe4120040b4ff8d9f4 Mon Sep 17 00:00:00 2001
+From: andrewheberle
+Date: Tue, 7 Jan 2020 08:39:51 +0800
+Subject: [PATCH 3/3] Update man page
+
+Signed-off-by: Andrew Heberle
+---
+ coredns-keygen/coredns-keygen.8 | 40 +++++++++++++++++++++++++--------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/coredns-keygen/coredns-keygen.8 b/coredns-keygen/coredns-keygen.8
+index eae220d..02116da 100644
+--- a/coredns-keygen/coredns-keygen.8
++++ b/coredns-keygen/coredns-keygen.8
+@@ -1,5 +1,5 @@
+ .\" Generated by Mmark Markdown Processer - mmark.miek.nl
+-.TH "COREDNS-KEYGEN" 8 "August 2019" "CoreDNS" "CoreDNS"
++.TH "COREDNS-KEYGEN" 8 "January 2020" "CoreDNS" "CoreDNS"
+
+ .SH "COREDNS-KEYGEN"
+ .SH "NAME"
+@@ -8,19 +8,22 @@
+
+ .SH "DESCRIPTION"
+ .PP
+-\fIcoredns-keygen\fP generates a Common Signing Key for the purpose of signing zones. It has no options
+-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
++\fIcoredns-keygen\fP generates keys for the purpose of signing DNS zones. It has the option to
++generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
++All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
+
+ .SH "SYNTAX"
+ .PP
+ .RS
+
+ .nf
+-coredns\-keygen ZONES...
++coredns\-keygen [\-zsk] ZONES...
+
+ .fi
+ .RE
+
++.IP \(bu 4
++\fB-zsk\fP generate ZSK instead of CSK/KSK
+ .IP \(bu 4
+ \fBZONES\fP zones it should generate keys for.
+
+@@ -29,17 +32,19 @@ coredns\-keygen ZONES...
+ For each key pair the following files are created:
+
+ .IP \(bu 4
+-\fB\fCK.++.key\fR for the DNSKEY RR, and
++\fB\fCK.++.key\fR for the DNSKEY RR,
++.IP \(bu 4
++\fB\fCK.++.ds\fR for the DS RR, and,
+ .IP \(bu 4
+ \fB\fCK.++.private\fR for the private one.
+
+
+ .PP
+-For each generate key the base name of these file is printed to standard output once.
++For each generated key the base name of these file is printed to standard output once.
+
+ .SH "EXAMPLES"
+ .PP
+-Generate keys for example.org and example.net:
++Generate CSK/KSK keys for example.org and example.net:
+
+ .PP
+ .RS
+@@ -52,8 +57,25 @@ Kexample.net.+013+00440
+ .fi
+ .RE
+
++.PP
++Generate ZSK keys for example.org and example.net:
++
++.PP
++.RS
++
++.nf
++$ coredns\-keygen \-zsk example.org example.net
++Kexample.org.+013+00234
++Kexample.net.+013+08728
++
++.fi
++.RE
++
+ .SH "ALSO SEE"
+ .PP
+-dnssec-keygen(8) can also used to generate keys and supports more options. See RFC 4033, 4034, 4035
+-for the whole DNSSEC specification.
++dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
++ldns-key2ds(1) or similar utilities.
++
++.PP
++See RFC 4033, 4034, 4035 for the DNSSEC specification.
+
+--
+2.20.1
+
diff --git a/projects/coredns-utils/build b/projects/coredns-utils/build
index 6b3a486..33f5b36 100644
--- a/projects/coredns-utils/build
+++ b/projects/coredns-utils/build
@@ -13,6 +13,9 @@ mkdir -p $GOPATH/src/github.com/coredns tar -C $GOPATH/src/github.com/coredns -xf [% project %]-[% c('version') %].tar.gz mv $GOPATH/src/github.com/coredns/coredns-utils-[% c('version') %] $GOPATH/src/github.com/coredns/coredns-utils +cd $GOPATH/src/github.com/coredns/coredns-utils +patch -p1 < $rootdir/ZSK.patch + # TODO: Remove static build ID after migrating to Go 1.13.3+ go install $TAGS -ldflags '-s -buildid=' github.com/coredns/coredns-utils/coredns-keygen
diff --git a/projects/coredns-utils/config b/projects/coredns-utils/config
index 8497af2..ce201ff 100644
--- a/projects/coredns-utils/config
+++ b/projects/coredns-utils/config
@@ -20,3 +20,5 @@ input_files: project: go - name: godns project: godns + - filename: ZSK.patch + # From https://github.com/coredns/coredns-utils/pull/4
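Review bot: In the main.go part of the embedded patch, the DNSKEY Flags value travels through a mutable package-level variable `keyFlag` that is only read inside main, and its name reads like a CLI flag rather than the RR Flags field; a local would be clearer, e.g. `flags := uint16(257) // KSK/CSK: SEP bit set`, `if *zskFlag { flags = 256 }`, then `Flags: flags,` in the DNSKEY literal. Separately, the man-page part of the same patch documents a `.ds` file written for every key; the code that writes it lies outside the main.go hunk, so if it also runs for `-zsk` keys a DS record is produced for a key that is not meant to be referenced by a DS at the parent — worth either skipping the `.ds` output when `-zsk` is set or stating in the README that the ZSK's `.ds` file should not be published. main's body continues outside the hunk.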
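Review bot: The new `patch -p1 < $rootdir/ZSK.patch` line has no failure handling; unless the script runs under `set -e` (its header is outside the hunk), a rejected or partially applied patch leaves a half-patched tree that still builds and ships a keygen without the expected ZSK behaviour. Consider `patch -p1 < "$rootdir/ZSK.patch" || exit 1` so that a hunk mismatch on a future coredns-utils release fails the build loudly, and treat the preceding `cd` the same way (`cd "$GOPATH/src/github.com/coredns/coredns-utils" || exit 1`), since a failed `cd` would otherwise apply the patch to the wrong directory.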