</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>hash-zone-record ZONE RECORDNAME</term>
+ <listitem>
+ <para>
+ This convenience command hashes the name 'recordname' according to the NSEC3 settings of ZONE.
+ Refuses to hash for zones with no NSEC3 settings.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>import-zone-dnskey ZONE filename [ksk|zsk]</term>
<listitem>
<warning>
<para>
For now, it is necessary to execute a manual SQL 'insert' into the domains table of the backend hosting
- the keying material. This is needed to generate a zone-id for the relevant domain.
+ the keying material. This is needed to generate a zone-id for the relevant domain. Sample SQL statement:
+ <command>insert into domains (name, type) values ('powerdnssec.org', 'NATIVE');</command>.
</para>
</warning>
</section>
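Review bot: The new hash-zone-record entry documents the refusal for zones with no NSEC3 settings but says nothing about zones in narrow mode, for which the code in this same patch prints a warning and hashes anyway. Add a sentence covering the narrow case, and write the argument as RECORDNAME in the description so it matches the term line instead of the lowercase 'recordname'.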
data for which is itself authoritative, which includes the SOA record and its own NS records.
</para>
<para>
- The 'auth' field should be 0 however for NS records which are used for delegation, and also for any glue records
- present for this purpose.
+ The 'auth' field should be 0 however for NS records which are used for delegation, and also for any glue (A, AAAA) records
+ present for this purpose. Do note that the DS record for a secure delegation should be authoritative!
</para>
<para>
The 'ordername' field needs to be filled out depending on the NSEC/NSEC3 mode. When running in NSEC3 'Narrow' mode,
</para>
<para>
In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex encoded representation of the salted & iterated hash
- of the full record name.
+ of the full record name. <command>pdnssec hash-zone-record zone record</command> can be used to calculate this hash.
</para>
</section>
</section>
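Review bot: The added DS sentence at the end of the 'auth' paragraph says the record "should be authoritative" without naming a field value, while the preceding sentence is phrased in terms of 'auth' being 0. State it as the 'auth' field being 1 for the DS record of a secure delegation, so that someone filling the table by hand can read the required value directly from the text.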
<listitem><para>Roy Arends (Nominet)</para></listitem>
<listitem><para>Miek Gieben</para></listitem>
<listitem><para>Stephane Bortzmeyer (AFNIC)</para></listitem>
- <listitem><para>Michael Braunoede (nic.at)</para></listitem>
+ <listitem><para>Michael Braunoeder (nic.at)</para></listitem>
<listitem><para>Peter van Dijk</para></listitem>
<listitem><para>Maik Zumstrull</para></listitem>
<listitem><para>Jose Arthur Benetasso Villanova</para></listitem>
}
if(p.d.rcode)
- L<<Logger::Warning<<"Received unsuccesful notification report for '"<<p.qdomain<<"' from "<<p.getRemote()<<", rcode: "<<p.d.rcode<<endl;
+ L<<Logger::Warning<<"Received unsuccessful notification report for '"<<p.qdomain<<"' from "<<p.getRemote()<<", rcode: "<<p.d.rcode<<endl;
if(d_nq.removeIf(p.getRemote(), p.d.id, p.qdomain))
L<<Logger::Warning<<"Removed from notification list: '"<<p.qdomain<<"' to "<<p.getRemote()<< (p.d.rcode ? "" : " (was acknowledged)")<<endl;
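Review bot: Correcting "unsuccesful" in the Logger::Warning string changes the text that log watchers see, so any alerting rule or grep pattern keyed on the old spelling will stop matching failed notification reports without any error. Mention the message change in the release notes so that operators can update their patterns.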
NSEC3PARAMRecordContent ns3pr(nsec3params);
dk.setNSEC3PARAM(cmds[1], ns3pr, narrow);
}
+ else if(cmds[0]=="hash-zone-record") {
+ if(cmds.size() < 3) {
+ cerr<<"Wrong number of arguments, syntax: hash-zone-record ZONE RECORD"<<endl;
+ return 0;
+ }
+ string& zone=cmds[1];
+ string& record=cmds[2];
+ NSEC3PARAMRecordContent ns3pr;
+ bool narrow;
+ if(!dk.getNSEC3PARAM(zone, &ns3pr, &narrow)) {
+ cerr<<"The '"<<zone<<"' zone does not use NSEC3"<<endl;
+ return 0;
+ }
+ if(!narrow) {
+ cerr<<"The '"<<zone<<"' zone uses narrow NSEC3, but calculating hash anyhow"<<endl;
+ }
+
+ cout<<toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, record)))<<endl;
+ }
else if(cmds[0]=="unset-nsec3") {
dk.unsetNSEC3PARAM(cmds[1]);
}
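Review bot: The narrow-mode check in the hash-zone-record branch is inverted: `if(!narrow)` prints "uses narrow NSEC3, but calculating hash anyhow" for zones that are not narrow and stays silent for the ones that are, so the condition should be `if(narrow)`. Both error paths (too few arguments, zone without NSEC3) also end in `return 0;`, which means that, if this value becomes the process exit status, a script calling the command cannot tell a refusal from a successful hash; a non-zero return would be safer there if that fits how the other commands in this file report errors.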