Operate as a daemon.
.. _setting-default-ksk-algorithms:
+.. _setting-default-ksk-algorithm:
-``default-ksk-algorithms``
+``default-ksk-algorithm``
--------------------------
- String
- Default: ecdsa256
+.. versionchanged:: 4.1.0
+ Renamed from ``default-ksk-algorithms``. Does no longer support multiple algorithm names.
+
The algorithm that should be used for the KSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>`. Must be one
of:
--------------------
- Integer
-- Default: whichever is default for ``default-ksk-algorithms``
+- Default: whichever is default for `default-ksk-algorithm`_
The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
+Only relevant for algorithms with non-fixed keysizes (like RSA)
.. _setting-default-soa-name:
TTL to use when none is provided.
.. _setting-default-zsk-algorithms:
+.. _setting-default-zsk-algorithm:
-``default-zsk-algorithms``
+``default-zsk-algorithm``
--------------------------
- String
- Default: (empty)
+.. versionchanged:: 4.1.0
+ Renamed from ``default-zsk-algorithms``. Does no longer support multiple algorithm names.
+
The algorithm that should be used for the ZSK when running
:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>`. Must be one
of:
--------------------
- Integer
-- Default: whichever is default for ``default-zsk-algorithms``
+- Default: 0 (automatic default for `default-zsk-algorithm`_)
The default keysize for the ZSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
+Only relevant for algorithms with non-fixed keysizes (like RSA)
.. _setting-direct-dnskey:
::arg().setSwitch("traceback-handler","Enable the traceback handler (Linux only)")="yes";
::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
- ::arg().set("default-ksk-algorithms","Default KSK algorithms")="ecdsa256";
+ ::arg().set("default-ksk-algorithm","Default KSK algorithms")="ecdsa256";
::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
- ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="";
+ ::arg().set("default-zsk-algorithm","Default ZSK algorithms")="";
::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";
::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
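Review bot: The help strings on the renamed options still read `"Default KSK algorithms"` and `"Default ZSK algorithms"` (plural) at `::arg().set("default-ksk-algorithm", ...)` and the zsk line two below it, while the setting now takes exactly one name, so the generated option help keeps advertising a list. Change them to `"Default KSK algorithm"` and `"Default ZSK algorithm"`; the later hunk after `cleanSlashes(configname);` registers the same four options a second time and needs the same wording. Keeping the two registrations in step matters beyond wording: the `="ecdsa256"` / `=""` defaults are what decide, in `secureZone`, whether a newly secured zone gets a single CSK or a KSK/ZSK pair. The surrounding functions start and end outside these hunks.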
string configname=::arg()["config-dir"]+"/"+s_programname+".conf";
cleanSlashes(configname);
- ::arg().set("default-ksk-algorithms","Default KSK algorithms")="ecdsa256";
+ ::arg().set("default-ksk-algorithm","Default KSK algorithms")="ecdsa256";
::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
- ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="";
+ ::arg().set("default-zsk-algorithm","Default ZSK algorithms")="";
::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";
::arg().set("default-soa-edit","Default SOA-EDIT value")="";
::arg().set("default-soa-edit-signed","Default SOA-EDIT value for signed zones")="";
bool secureZone(DNSSECKeeper& dk, const DNSName& zone)
{
// parse attribute
- vector<string> k_algos;
- vector<string> z_algos;
int k_size;
int z_size;
// temp var for addKey
int64_t id;
- stringtok(k_algos, ::arg()["default-ksk-algorithms"], " ,");
+ string k_algo = ::arg()["default-ksk-algorithm"];
k_size = ::arg().asNum("default-ksk-size");
- stringtok(z_algos, ::arg()["default-zsk-algorithms"], " ,");
+ string z_algo = ::arg()["default-zsk-algorithm"];
z_size = ::arg().asNum("default-zsk-size");
if (k_size < 0) {
throw runtime_error("KSK key size must be equal to or greater than 0");
}
- if (k_algos.size() < 1 && z_algos.size() < 1) {
+ if (k_algo == "" && z_algo == "") {
throw runtime_error("Zero algorithms given for KSK+ZSK in total");
}
cerr<<"pdnsutil disable-dnssec "<<zone<<" right now!"<<endl;
}
- if (k_size)
- cout << "Securing zone with key size " << k_size << endl;
- else
- cout << "Securing zone with default key size" << endl;
-
- if (k_algos.empty()) { /* only a ZSK was requested by the defaults, set the SEP bit */
- }
+ if (k_algo != "") { // Add a KSK
+ if (k_size)
+ cout << "Securing zone with key size " << k_size << endl;
+ else
+ cout << "Securing zone with default key size" << endl;
- for(auto &k_algo: k_algos) {
- cout << "Adding "<<(z_algos.empty()? "CSK (257)" : "KSK")<<" with algorithm " << k_algo << endl;
+ cout << "Adding "<<(z_algo == "" ? "CSK (257)" : "KSK")<<" with algorithm " << k_algo << endl;
- int algo = DNSSECKeeper::shorthand2algorithm(k_algo);
+ int k_real_algo = DNSSECKeeper::shorthand2algorithm(k_algo);
- if (!dk.addKey(zone, true, algo, id, k_size, true)) {
+ if (!dk.addKey(zone, true, k_real_algo, id, k_size, true)) {
cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl;
cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl;
cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl;
}
}
- for(auto &z_algo : z_algos)
- {
- cout << "Adding "<<(k_algos.empty()? "CSK (256)" : "ZSK")<<" with algorithm " << z_algo << endl;
+ if (z_algo != "") {
+ cout << "Adding "<<(k_algo == "" ? "CSK (256)" : "ZSK")<<" with algorithm " << z_algo << endl;
- int algo = DNSSECKeeper::shorthand2algorithm(z_algo);
+ int z_real_algo = DNSSECKeeper::shorthand2algorithm(z_algo);
- if (!dk.addKey(zone, false, algo, id, z_size, true)) {
+ if (!dk.addKey(zone, false, z_real_algo, id, z_size, true)) {
cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl;
cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl;
cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl;
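Review bot: The value returned by `DNSSECKeeper::shorthand2algorithm(k_algo)` at `int k_real_algo = ...` is handed to `dk.addKey` without any check, and the same holds for `z_real_algo` below; shorthand2algorithm is defined outside this hunk, but if it reports an unrecognised name through a sentinel, a typo or a leftover comma-separated list in `default-ksk-algorithm` (the old multi-value syntax the docs now declare unsupported) would reach the backend as that sentinel instead of failing with a message that names the setting. The empty-string comparison is the only validation the new code performs on these two strings. Assuming a negative sentinel, add after each lookup `if (k_real_algo < 0) throw runtime_error("Unknown algorithm '" + k_algo + "' in default-ksk-algorithm");` and the equivalent for `z_real_algo`/`default-zsk-algorithm`. As a style point, `k_algo == ""` / `z_algo != ""` read better as `k_algo.empty()` / `!z_algo.empty()`. secureZone continues past the end of this hunk.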