From d1174e959f8b4153ba25dd17a533a902a5ecbe62 Mon Sep 17 00:00:00 2001
|
|
From: andrewheberle <andrewheberle@users.noreply.github.com>
|
|
Date: Tue, 7 Jan 2020 08:33:33 +0800
|
|
Subject: [PATCH 1/3] Add option to generate ZSK
|
|
|
|
Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
|
|
---
|
|
coredns-keygen/main.go | 15 +++++++++++----
|
|
1 file changed, 11 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/coredns-keygen/main.go b/coredns-keygen/main.go
|
|
index 0bd04a8..1bbedb0 100644
|
|
--- a/coredns-keygen/main.go
|
|
+++ b/coredns-keygen/main.go
|
|
@@ -11,23 +11,30 @@ import (
|
|
)
|
|
|
|
var helpFlag = flag.Bool("h", false, "show short help message")
|
|
+var zskFlag = flag.Bool("zsk", false, "generate zone signing key (zsk)")
|
|
+var keyFlag uint16 = 257 // CSK/KSK
|
|
|
|
func main() {
|
|
flag.Usage = func() {
|
|
fmt.Fprintf(os.Stderr, "Usage of %s [OPTIONS] ZONE [ZONE]...\n", os.Args[0])
|
|
- fmt.Fprintf(os.Stderr, "Generate Common Signing Keys for DNSSEC.\n")
|
|
+ fmt.Fprintf(os.Stderr, "Generate Keys for DNSSEC (default is CSK/KSK).\n")
|
|
flag.PrintDefaults()
|
|
}
|
|
|
|
flag.Parse()
|
|
- if *helpFlag || len(os.Args[1:]) == 0 {
|
|
+ if *helpFlag || len(flag.Args()) == 0 {
|
|
flag.Usage()
|
|
return
|
|
}
|
|
- for _, zone := range os.Args[1:] {
|
|
+
|
|
+ if *zskFlag {
|
|
+ keyFlag = 256 // ZSK
|
|
+ }
|
|
+
|
|
+ for _, zone := range flag.Args() {
|
|
key := &dns.DNSKEY{
|
|
Hdr: dns.RR_Header{Name: dns.Fqdn(zone), Class: dns.ClassINET, Ttl: 3600, Rrtype: dns.TypeDNSKEY},
|
|
- Algorithm: dns.ECDSAP256SHA256, Flags: 257, Protocol: 3,
|
|
+ Algorithm: dns.ECDSAP256SHA256, Flags: keyFlag, Protocol: 3,
|
|
}
|
|
priv, err := key.Generate(256)
|
|
if err != nil {
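Review bot: `keyFlag` is mutable package-level state initialised from a magic number and then reassigned inside main, while the values 257 and 256 are the DNSKEY flag bits from RFC 4034 §2.1.1 (ZONE|SEP for a KSK/CSK, ZONE alone for a ZSK) and a reader should not have to decode them. Keep the flag word local and name the bits, e.g. `flags := uint16(257) // ZONE|SEP (KSK/CSK)`, then `if *zskFlag { flags = 256 // ZONE only (ZSK) }`, and `Flags: flags` in the DNSKEY literal; if the imported dns package exports ZONE and SEP constants in the version this repo pins, prefer `dns.ZONE|dns.SEP` and `dns.ZONE` over the literals. The loop body that writes the key files continues past the end of this hunk; if it emits a `.ds` file for every key, as the accompanying man page change states, a ZSK now also gets a DS record that has no business at the parent, so consider skipping the DS output when `-zsk` is set or documenting that it must not be published. Note also that Go's flag package stops parsing at the first non-flag argument, so `coredns-keygen example.org -zsk` would silently generate a KSK for a zone named `-zsk.`; a brief check rejecting zone arguments that start with `-` would catch that.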
|
|
--
|
|
2.20.1
|
|
|
|
|
|
From 18e1c3ac7be57b2332c4f768545f2586ba11924d Mon Sep 17 00:00:00 2001
|
|
From: andrewheberle <andrewheberle@users.noreply.github.com>
|
|
Date: Tue, 7 Jan 2020 08:34:40 +0800
|
|
Subject: [PATCH 2/3] Update README for ZSK option
|
|
|
|
Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
|
|
---
|
|
coredns-keygen/README.md | 22 ++++++++++++++++------
|
|
1 file changed, 16 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/coredns-keygen/README.md b/coredns-keygen/README.md
|
|
index 195ff88..6a5d8ab 100644
|
|
--- a/coredns-keygen/README.md
|
|
+++ b/coredns-keygen/README.md
|
|
@@ -6,15 +6,17 @@
|
|
|
|
## Description
|
|
|
|
-*coredns-keygen* generates a Common Signing Key for the purpose of signing zones. It has no options
|
|
-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
|
|
+*coredns-keygen* generates keys for the purpose of signing DNS zones. It has the option to
|
|
+generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
|
|
+All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
|
|
|
|
## Syntax
|
|
|
|
-~~~
|
|
-coredns-keygen ZONES...
|
|
+~~~sh
|
|
+coredns-keygen [-zsk] ZONES...
|
|
~~~
|
|
|
|
+* **-zsk** generate ZSK instead of CSK/KSK
|
|
* **ZONES** zones it should generate keys for.
|
|
|
|
For each key pair the following files are created:
|
|
@@ -27,14 +29,22 @@ For each generated key the base name of these file is printed to standard output
|
|
|
|
## Examples
|
|
|
|
-Generate keys for example.org and example.net:
|
|
+Generate CSK/KSK keys for example.org and example.net:
|
|
|
|
-~~~
|
|
+~~~sh
|
|
$ coredns-keygen example.org example.net
|
|
Kexample.org.+013+09787
|
|
Kexample.net.+013+00440
|
|
~~~
|
|
|
|
+Generate ZSK keys for example.org and example.net:
|
|
+
|
|
+~~~sh
|
|
+$ coredns-keygen -zsk example.org example.net
|
|
+Kexample.org.+013+00234
|
|
+Kexample.net.+013+08728
|
|
+~~~
|
|
+
|
|
## Also See
|
|
|
|
dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
|
|
--
|
|
2.20.1
|
|
|
|
|
|
From 667949438f59cb09d28692fe4120040b4ff8d9f4 Mon Sep 17 00:00:00 2001
|
|
From: andrewheberle <andrewheberle@users.noreply.github.com>
|
|
Date: Tue, 7 Jan 2020 08:39:51 +0800
|
|
Subject: [PATCH 3/3] Update man page
|
|
|
|
Signed-off-by: Andrew Heberle <andrew.heberle@gmail.com>
|
|
---
|
|
coredns-keygen/coredns-keygen.8 | 40 +++++++++++++++++++++++++--------
|
|
1 file changed, 31 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/coredns-keygen/coredns-keygen.8 b/coredns-keygen/coredns-keygen.8
|
|
index eae220d..02116da 100644
|
|
--- a/coredns-keygen/coredns-keygen.8
|
|
+++ b/coredns-keygen/coredns-keygen.8
|
|
@@ -1,5 +1,5 @@
|
|
.\" Generated by Mmark Markdown Processer - mmark.miek.nl
|
|
-.TH "COREDNS-KEYGEN" 8 "August 2019" "CoreDNS" "CoreDNS"
|
|
+.TH "COREDNS-KEYGEN" 8 "January 2020" "CoreDNS" "CoreDNS"
|
|
|
|
.SH "COREDNS-KEYGEN"
|
|
.SH "NAME"
|
|
@@ -8,19 +8,22 @@
|
|
|
|
.SH "DESCRIPTION"
|
|
.PP
|
|
-\fIcoredns-keygen\fP generates a Common Signing Key for the purpose of signing zones. It has no options
|
|
-and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.
|
|
+\fIcoredns-keygen\fP generates keys for the purpose of signing DNS zones. It has the option to
|
|
+generate Zone Signing Key's (ZSK) however by default keys are generated with the KSK bit set.
|
|
+All keys are generated with the ECDSAP256SHA256 algorithm (elliptic curve).
|
|
|
|
.SH "SYNTAX"
|
|
.PP
|
|
.RS
|
|
|
|
.nf
|
|
-coredns\-keygen ZONES...
|
|
+coredns\-keygen [\-zsk] ZONES...
|
|
|
|
.fi
|
|
.RE
|
|
|
|
+.IP \(bu 4
|
|
+\fB-zsk\fP generate ZSK instead of CSK/KSK
|
|
.IP \(bu 4
|
|
\fBZONES\fP zones it should generate keys for.
|
|
|
|
@@ -29,17 +32,19 @@ coredns\-keygen ZONES...
|
|
For each key pair the following files are created:
|
|
|
|
.IP \(bu 4
|
|
-\fB\fCK<zone>.+<algorithm>+<keytag>.key\fR for the DNSKEY RR, and
|
|
+\fB\fCK<zone>.+<algorithm>+<keytag>.key\fR for the DNSKEY RR,
|
|
+.IP \(bu 4
|
|
+\fB\fCK<zone>.+<algorithm>+<keytag>.ds\fR for the DS RR, and,
|
|
.IP \(bu 4
|
|
\fB\fCK<zone>.+<algorithm>+<keytag>.private\fR for the private one.
|
|
|
|
|
|
.PP
|
|
-For each generate key the base name of these file is printed to standard output once.
|
|
+For each generated key the base name of these file is printed to standard output once.
|
|
|
|
.SH "EXAMPLES"
|
|
.PP
|
|
-Generate keys for example.org and example.net:
|
|
+Generate CSK/KSK keys for example.org and example.net:
|
|
|
|
.PP
|
|
.RS
|
|
@@ -52,8 +57,25 @@ Kexample.net.+013+00440
|
|
.fi
|
|
.RE
|
|
|
|
+.PP
|
|
+Generate ZSK keys for example.org and example.net:
|
|
+
|
|
+.PP
|
|
+.RS
|
|
+
|
|
+.nf
|
|
+$ coredns\-keygen \-zsk example.org example.net
|
|
+Kexample.org.+013+00234
|
|
+Kexample.net.+013+08728
|
|
+
|
|
+.fi
|
|
+.RE
|
|
+
|
|
.SH "ALSO SEE"
|
|
.PP
|
|
-dnssec-keygen(8) can also used to generate keys and supports more options. See RFC 4033, 4034, 4035
|
|
-for the whole DNSSEC specification.
|
|
+dnssec-keygen(8) can also used to generate keys and supports more options. ldns-keygen(1) and
|
|
+ldns-key2ds(1) or similar utilities.
|
|
+
|
|
+.PP
|
|
+See RFC 4033, 4034, 4035 for the DNSSEC specification.
|
|
|
|
--
|
|
2.20.1
|
|
|