- cd pdns
- make -k -j 4 pdns_recursor
- rm -f pdns_recursor
- - ./pdnssec test-algorithms
+ - ./pdnsutil test-algorithms
- cd ..
- ./build-scripts/dist-recursor
- cd pdns/pdns-recursor-*/
%files
%doc COPYING README
%{_bindir}/pdns_control
-%{_bindir}/pdnssec
+%{_bindir}/pdnsutil
%{_bindir}/zone2ldap
%{_bindir}/zone2sql
%{_bindir}/zone2json
%{_mandir}/man1/pdns_server.1.gz
%{_mandir}/man1/zone2sql.1.gz
%{_mandir}/man1/zone2ldap.1.gz
-%{_mandir}/man1/pdnssec.1.gz
+%{_mandir}/man1/pdnsutil.1.gz
%{_initrddir}/pdns
%dir %{_libdir}/%{name}/
%{_libdir}/%{name}/librandombackend.so
%files
%doc COPYING README
%{_bindir}/pdns_control
-%{_bindir}/pdnssec
+%{_bindir}/pdnsutil
%{_bindir}/pdns-zone2ldap
%{_bindir}/zone2sql
%{_bindir}/zone2json
%{_mandir}/man1/pdns_server.1.gz
%{_mandir}/man1/zone2sql.1.gz
%{_mandir}/man1/pdns-zone2ldap.1.gz
-%{_mandir}/man1/pdnssec.1.gz
+%{_mandir}/man1/pdnsutil.1.gz
%{_unitdir}/pdns.service
%dir %{_libdir}/%{name}/
%{_libdir}/%{name}/librandombackend.so
%{_bindir}/pdns_control
%{_bindir}/zone2sql
%{_bindir}/zone2json
-%{_bindir}/pdnssec
+%{_bindir}/pdnsutil
%{_mandir}/man1/pdns_control.1
%{_mandir}/man1/pdns_server.1
%{_mandir}/man1/zone2sql.1
-%{_mandir}/man1/pdnssec.1
+%{_mandir}/man1/pdnsutil.1
%{_datadir}/doc/pdns/*.sql
%dir %{_sysconfdir}/powerdns/
usr/bin/pdns_control
usr/bin/zone2sql
-usr/bin/pdnssec
+usr/bin/pdnsutil
usr/lib/*/pdns/libbindbackend.so*
usr/lib/*/pdns/librandombackend.so*
usr/sbin/pdns_server
debian/tmp/usr/share/man/man1/pdns_control.1
debian/tmp/usr/share/man/man1/pdns_server.1
debian/tmp/usr/share/man/man1/zone2sql.1
-debian/tmp/usr/share/man/man1/pdnssec.1
+debian/tmp/usr/share/man/man1/pdnsutil.1
export NSEC3DIG=/usr/bin/nsec3dig
export SAXFR=/usr/bin/saxfr
export ZONE2SQL=/usr/bin/zone2sql
-export PDNSSEC=/usr/bin/pdnssec
+export PDNSUTIL=/usr/bin/pdnsutil
export PDNSCONTROL=/usr/bin/pdns_control
export GEM_HOME=${PWD}/gems
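Review bot: Renaming the exported variable from `PDNSSEC` to `PDNSUTIL` changes the interface consumed by whatever test scripts read it, so any script still referencing `${PDNSSEC}` would now see an unset or empty path; those consumers are outside this hunk and should be updated in the same commit. If the suite cannot be switched atomically, a transitional alias such as `export PDNSSEC=${PDNSUTIL}` next to the new export keeps older callers working until they are migrated. This is inferred from the export alone; the reading side is not visible here.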
/var/run/pdns\.controlsocket -s gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/pdns\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)
/usr/bin/pdns_control -- gen_context(system_u:object_r:ndc_exec_t,s0)
-/usr/bin/pdnssec -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdnsutil -- gen_context(system_u:object_r:ndc_exec_t,s0)
/var/(cache|lib)/pdns(/.*)? -- gen_context(system_u:object_r:named_cache_t,s0)
/var/(cache|lib)/pdns(/.*)? -d gen_context(system_u:object_r:named_cache_t,s0)
MANPAGES_TARGET_AUTH = pdns_server.1 \
pdns_control.1 \
- pdnssec.1 \
+ pdnsutil.1 \
zone2ldap.1 \
zone2sql.1
To view more options that are available use this program.
# SEE ALSO
-pdns_control(1), pdnssec(1), http://doc.powerdns.com/md/authoritative/
+pdns_control(1), pdnsutil(1), http://doc.powerdns.com/md/authoritative/
-% PDNSSEC(1) PowerDNS DNSSEC command and control
+% PDNSUTIL(1) PowerDNS DNSSEC command and control
% Matthijs Möhlmann <matthijs@cacholong.nl>
% November 2011
# NAME
-pdnssec - PowerDNS dnssec command and control
+pdnsutil - PowerDNS dnssec command and control
# SYNOPSIS
-pdnssec [OPTION]... *COMMAND*
+pdnsutil [OPTION]... *COMMAND*
# DESCRIPTION
-**pdnssec** is a powerful command that is the operator-friendly gateway into
-PowerDNSSEC configuration. Behind the scenes, **pdnssec** manipulates a PowerDNS
-backend database, which also means that for many databases, **pdnssec** can be
+**pdnsutil** is a powerful command that is the operator-friendly gateway into
+PowerDNSSEC configuration. Behind the scenes, **pdnsutil** manipulates a PowerDNS
+backend database, which also means that for many databases, **pdnsutil** can be
run remotely, and can configure key material on different servers.
# OPTIONS
Setting **narrow** will make PowerDNS send out "white lies" about the next
secure record. Instead of looking it up in the database, it will send out
the hash + 1 as the next secure record. <br><br>
- A sample commandline is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow".<br><br>
+ A sample commandline is: "pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow".<br><br>
**WARNING**: If running in RSASHA1 mode (algorithm 5 or 7), switching from
NSEC to NSEC3 will require a DS update in the parent zone.
secure-zone *ZONE*
: Configures a zone called *ZONE* with reasonable DNSSEC settings. You should
- manually run 'pdnssec rectify-zone' afterwards.
+ manually run 'pdnsutil rectify-zone' afterwards.
set-meta *ZONE* *ATTRIBUTE* [*VALUE*]
: Set domainmetadata *ATTRIBUTE* for *ZONE* to *VALUE*. An empty value clears it.
|uint32\_t ttl|Time To Live of this record|
|int domain\_id| ID of the domain this record belongs to|
|time\_t last\_modified| If unzero, last time\_t this record was changed|
-|bool auth| Used for DNSSEC operations. See [DNSSEC](../authoritative/dnssec.md) and more specifically the [Migration](../authoritative/dnssec.md#migration) section. It is also useful to check out the `rectifyZone()` in pdnssec.cc|
+|bool auth| Used for DNSSEC operations. See [DNSSEC](../authoritative/dnssec.md) and more specifically the [Migration](../authoritative/dnssec.md#migration) section. It is also useful to check out the `rectifyZone()` in pdnsutil.cc|
|bool disabled|If set, this record is not to be served to DNS clients. Backends should not make these records available to PowerDNS unless indicated otherwise.|
#### SOAData
```
##### oracle-del-zone-metadata-query
-Delete all metadata entries of type ':kind' for the zone called ':name'. You can skip this if you do not plan to manage zones with the `pdnssec` tool. Default:
+Delete all metadata entries of type ':kind' for the zone called ':name'. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default:
```
DELETE FROM ZoneMetadata md
```
##### oracle-set-zone-metadata-query
-Create a metadata entry. You can skip this if you do not plan to manage zones with the `pdnssec` tool. Default:
+Create a metadata entry. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default:
```
INSERT INTO ZoneMetadata (zone_id, meta_type, meta_ind, meta_content)
```
##### oracle-del-zone-key-query
-Delete a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnssec` tool. Default:
+Delete a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default:
```
DELETE FROM ZoneDNSKeys WHERE id = :keyid
```
##### oracle-add-zone-key-query
-Add a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnssec` tool. Default:
+Add a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default:
```
INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata) "
```
##### oracle-set-zone-key-state-query
-Enable or disable a DNSSEC signing key. You can skip this if you do not plan to manage zones with the **pdnssec** tool. Default:
+Enable or disable a DNSSEC signing key. You can skip this if you do not plan to manage zones with the **pdnsutil** tool. Default:
```
UPDATE ZoneDNSKeys SET active = :active WHERE id = :keyid
For abi-versions 1 and 2, the two new fields fall back to default values. The default value for scopebits is 0. The default for auth is 1 (meaning authoritative).
## Direct backend commands
-With abi-version 5 you can use [backend-cmd](dnssec.md#pdnssec) for executing commands on your backend. PowerDNS will use the following query/answer format
+With abi-version 5 you can use [backend-cmd](dnssec.md#pdnsutil) for executing commands on your backend. PowerDNS will use the following query/answer format
```
CMD Whatever you wrote
Answer goes here
```
### `getDomainKeys`
-Retrieves any keys of kind. The id, flags are unsigned integers, and active is boolean. Content must be valid key record in format that PowerDNS understands. You are encouraged to implement [the section called "addDomainKey"](#adddomainkey), as you can use [`pdnssec`](internals.md#pdnssec) to provision keys.
+Retrieves any keys of kind. The id, flags are unsigned integers, and active is boolean. Content must be valid key record in format that PowerDNS understands. You are encouraged to implement [the section called "addDomainKey"](#adddomainkey), as you can use [`pdnsutil`](internals.md#pdnsutil) to provision keys.
* Mandatory: for DNSSEC
* Parameters: name, kind
```
### `feedEnts`
-This method is used by pdnssec rectify-zone to populate missing non-terminals. This is used when you have, say, record like \_sip.\_upd.example.com, but no \_udp.example.com. PowerDNS requires that there exists a non-terminal in between, and this instructs you to add one. If startTransaction is called, trxid identifies a transaction.
+This method is used by pdnsutil rectify-zone to populate missing non-terminals. This is used when you have, say, record like \_sip.\_upd.example.com, but no \_udp.example.com. PowerDNS requires that there exists a non-terminal in between, and this instructs you to add one. If startTransaction is called, trxid identifies a transaction.
* Mandatory: No
* Parameters: nonterm, trxid
```
### `directBackendCmd`
-Can be used to send arbitrary commands to your backend using (backend-cmd)(dnssec.md#pdnssec).
+Can be used to send arbitrary commands to your backend using (backend-cmd)(dnssec.md#pdnsutil).
* Mandatory: no
* Parameters: query
As an example, securing an existing zone can be as simple as:
```
-$ pdnssec secure-zone powerdnssec.org
-$ pdnssec rectify-zone powerdnssec.org
+$ pdnsutil secure-zone powerdnssec.org
+$ pdnsutil rectify-zone powerdnssec.org
```
Alternatively, PowerDNS can serve pre-signed zones, without knowledge of private keys.
In this way, if keying material is available for an unsigned zone that is retrieved from a master server, this keying material will be used when serving data from this zone.
-As part of the zone retrieval, the equivalent of 'pdnssec rectify-zone' is run to make sure that all DNSSEC-related fields are set correctly.
+As part of the zone retrieval, the equivalent of 'pdnsutil rectify-zone' is run to make sure that all DNSSEC-related fields are set correctly.
## PowerDNSSEC BIND-mode operation
Starting with PowerDNS 3.1, the bindbackend can manage keys in an SQLite3 database without launching a separate gsqlite3 backend.
-To use this mode, add "bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3" to pdns.conf, and run "pdnssec create-bind-db /var/db/bind-dnssec-db.sqlite3". Then, restart PowerDNS.
+To use this mode, add "bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3" to pdns.conf, and run "pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3". Then, restart PowerDNS.
-After this, you can use "pdnssec secure-zone" and all other pdnssec commands on your BIND zones without trouble.
+After this, you can use "pdnsutil secure-zone" and all other pdnsutil commands on your BIND zones without trouble.
## PowerDNSSEC hybrid BIND-mode operation
**Warning**: This mode is only supported in 3.0, 3.0.1 and 3.4.0 and up! In 3.1 to 3.3.1, the bindbackend always did its own key storage. In 3.4.0 and up hybrid bind mode operation is optional and enabled with the bindbackend `hybrid` config option.
## Rules for filling out fields in database backends
**Note**: The BIND Backend automates all the steps outlined below, and does not need 'manual' help
-In PowerDNS 3.0 and up, two additional fields are important: 'auth' and 'ordername'. These fields are set correctly on an incoming zone transfer, and also by running `pdnssec rectify-zone`. zone2sql with the --dnssec flag aims to do this too but there are minor bugs in there, so please run `pdnssec rectify-zone` after `zone2sql`.
+In PowerDNS 3.0 and up, two additional fields are important: 'auth' and 'ordername'. These fields are set correctly on an incoming zone transfer, and also by running `pdnsutil rectify-zone`. zone2sql with the --dnssec flag aims to do this too but there are minor bugs in there, so please run `pdnsutil rectify-zone` after `zone2sql`.
The 'auth' field should be set to '1' for data for which the zone itself is authoritative, which includes the SOA record and its own NS records.
In 'NSEC' mode, it should contain the *relative* part of a domain name, in reverse order, with dots replaced by spaces. So 'www.uk.powerdnssec.org' in the 'powerdnssec.org' zone should have 'uk www' as its ordername.
-In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex encoded representation of the salted & iterated hash of the full record name. **pdnssec hash-zone-record zone record** can be used to calculate this hash.
+In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex encoded representation of the salted & iterated hash of the full record name. **pdnsutil hash-zone-record zone record** can be used to calculate this hash.
In addition, from 3.2 and up, PowerDNS fully supports empty non-terminals. If you have a zone example.com, and a host a.b.c.example.com in it, rectify-zone (and the AXFR client code) will insert b.c.example.com and c.example.com in the records table with type NULL (SQL NULL, not 'NULL'). Having these entries provides several benefits. We no longer reply NXDOMAIN for these shorter names (this was an RFC violation but not one that caused trouble). But more importantly, to do NSEC3 correctly, we need to be able to prove existence of these shorter names. The type=NULL records entry gives us a place to store the NSEC3 hash of these names.
## From an existing PowerDNS installation
To migrate an existing database-backed PowerDNS installation, a few changes must be made to the database schema. First, the records table gains two new fields: 'auth' and 'ordername'. Some data in a zone, like glue records, should not be signed, and this is signified by setting 'auth' to 0.
-**Warning**: Once the database schema has been updated, and the relevant `gsql-dnssec` switch has been set, stricter rules apply for filling out the database! The short version is: run `pdnssec rectify-all-zones`, even those not secured with DNSSEC!
+**Warning**: Once the database schema has been updated, and the relevant `gsql-dnssec` switch has been set, stricter rules apply for filling out the database! The short version is: run `pdnsutil rectify-all-zones`, even those not secured with DNSSEC!
Additionally, NSEC and NSEC3 in non-narrow mode require ordering data in order to perform (hashed) denial of existence. The 'ordername' field is used for this purpose.
Finally, two new tables are needed. DNSSEC keying material is stored in the 'cryptokeys' table (in a portable standard format). Domain metadata is stored in the 'domainmetadata' table. This includes NSEC3 settings.
-Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters or [the PowerDNSSEC wiki](http://wiki.powerdns.com/trac/wiki/PDNSSEC) for the update statements), the `pdnssec` tool can be used to fill out keying details, and 'rectify' the auth and ordername fields.
+Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters or [the PowerDNSSEC wiki](http://wiki.powerdns.com/trac/wiki/PDNSUTIL) for the update statements), the `pdnsutil` tool can be used to fill out keying details, and 'rectify' the auth and ordername fields.
-In short, `pdnssec secure-zone powerdnssec.org ; pdnssec rectify-zone powerdnssec.org` will deliver a correctly NSEC signed zone.
+In short, `pdnsutil secure-zone powerdnssec.org ; pdnsutil rectify-zone powerdnssec.org` will deliver a correctly NSEC signed zone.
In addition, so will the [`zone2sql`](migration.md#zone2sql) import tool when run with the `--dnssec` flag.
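Review bot: The mechanical rename also rewrote the wiki link on the new side to `http://wiki.powerdns.com/trac/wiki/PDNSUTIL`; that is a URL path, not a tool name, and unless the wiki page was moved as well only the original `.../PDNSSEC` path resolves, so this sentence should keep the old URL while still renaming the tool reference around it. The same search-and-replace pattern shows up in the `rtfm.powerdns.com/pdnssec.html` link (now `pdnsutil.html`) and in the `pdnsutil.cc` source reference in the backend field table; each of those should be verified against what actually exists rather than assumed from the binary rename. Left as is, the documentation points operators at dead links for DNSSEC setup guidance.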
## From existing DNSSEC non-PowerDNS setups, pre-signed
Industry standard signed zones can be served natively by PowerDNS, without changes. In such cases, signing happens externally to PowerDNS, possibly via OpenDNSSEC, ldns-sign or dnssec-sign.
-PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run `pdnssec set-presigned zone`.
+PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run `pdnsutil set-presigned zone`.
-**Warning** Right now, you will also need to configure NSEC(3) settings for pre-signed zones using `pdnssec set-nsec3`. Default is NSEC, in which case no further configuration is necessary.
+**Warning** Right now, you will also need to configure NSEC(3) settings for pre-signed zones using `pdnsutil set-nsec3`. Default is NSEC, in which case no further configuration is necessary.
## From existing DNSSEC non-PowerDNS setups, live signing
-The `pdnssec` tool features the option to import zone keys in the industry standard private key format, version 1.2. To import an existing KSK, use `pdnssec import-zone-key zonename filename KSK`, replace KSK by ZSK for a Zone Signing Key.
+The `pdnsutil` tool features the option to import zone keys in the industry standard private key format, version 1.2. To import an existing KSK, use `pdnsutil import-zone-key zonename filename KSK`, replace KSK by ZSK for a Zone Signing Key.
If all keys are imported using this tool, a zone will serve mostly identical records to before, with the important change that the RRSIG inception dates will be different.
In order to facilitate interoperability with existing technologies, PowerDNSSEC keys can be imported and exported in industry standard formats.
-Keys and hashes are configured using the 'pdnssec' tool, which is described next.
+Keys and hashes are configured using the 'pdnsutil' tool, which is described next.
## (Hashed) Denial of Existence
**Note**: Why Thursday? POSIX-based operating systems count the time since GMT midnight January 1st of 1970, which was a Thursday. PowerDNS inception/expiration times are generated based on an integral number of weeks having passed since the start of the 'epoch'.
-# `pdnssec`
-`pdnssec` is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, `pdnssec` manipulates a PowerDNS backend database, which also means that for many databases, `pdnssec` can be run remotely, and can configure key material on different servers.
+# `pdnsutil`
+`pdnsutil` is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, `pdnsutil` manipulates a PowerDNS backend database, which also means that for many databases, `pdnsutil` can be run remotely, and can configure key material on different servers.
-For a list of available commands, see the [manpage](../manpages/pdnssec.1.md).
+For a list of available commands, see the [manpage](../manpages/pdnsutil.1.md).
#Â DNSSEC advice & precautions
DNSSEC is a major change in the way DNS works. Furthermore, there is a bewildering array of settings that can be configured.
It is well possible to configure DNSSEC in such a way that your domain will not operate reliably, or even, at all.
-We advise operators to stick to the keying defaults of `pdnssec secure-zone`: RSASHA256 (algorithm 8), 1 Key Signing Key of 2048 bits and 1 active Zone Signing Key of 1024 bits.
+We advise operators to stick to the keying defaults of `pdnsutil secure-zone`: RSASHA256 (algorithm 8), 1 Key Signing Key of 2048 bits and 1 active Zone Signing Key of 1024 bits.
While the 'GOST' and 'ECDSA' algorithms are better choices in theory, not many DNSSEC resolvers can validate answers signed with such keys. Much the same goes for RSASHA512, except that it does not offer better performance either.
In this chapter various DNSSEC transitions are discussed, and how to execute them within PowerDNSSEC.
## Publishing a DS
-To publish a DS to a parent zone, utilize 'pdnssec show-zone' and take the DS from its output, and transfer it securely to your parent zone.
+To publish a DS to a parent zone, utilize 'pdnsutil show-zone' and take the DS from its output, and transfer it securely to your parent zone.
## ZSK rollover
```
-$ pdnssec activate-zone-key ZONE next-key-id
-$ pdnssec deactivate-zone-key ZONE prev-key-id
-$ pdnssec remove-zone-key ZONE prev-key-id
+$ pdnsutil activate-zone-key ZONE next-key-id
+$ pdnsutil deactivate-zone-key ZONE prev-key-id
+$ pdnsutil remove-zone-key ZONE prev-key-id
```
##Â KSK rollover
```
-pdnssec add-zone-key ZONE ksk
-pdnssec show-zone ZONE
+pdnsutil add-zone-key ZONE ksk
+pdnsutil show-zone ZONE
```
Communicate duplicate DS
```
-pdnssec activate-zone-key ZONE next-key-id
-pdnssec deactivate-zone-key ZONE prev-key-id
-pdnssec remove-zone-key ZONE prev-key-id
+pdnsutil activate-zone-key ZONE next-key-id
+pdnsutil deactivate-zone-key ZONE prev-key-id
+pdnsutil remove-zone-key ZONE prev-key-id
```
## Going insecure
-`pdnssec disable-dnssec ZONE`
+`pdnsutil disable-dnssec ZONE`
## NSEC(3) change
This section describes how to change NSEC(3) parameters when they are already set.
**Warning**: The following instructions might not be correct or complete!
```
-pdnssec set-nsec3 ZONE 'parameters'
-pdnssec show-zone ZONE
+pdnsutil set-nsec3 ZONE 'parameters'
+pdnsutil show-zone ZONE
```
Communicate duplicate DS.
-For further details, please see [the `pdnssec`](#pdnssec) documentation.
+For further details, please see [the `pdnsutil`](#pdnsutil) documentation.
#Â PKCS\#11 support
**Note**: This feature is experimental, and not ready for production. Use at your own risk!
- Assign the keys using (note that token label is not necessarely same as object label, see p11-kit -l)
```
- pdnssec hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
+ pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
```
- Verify that everything worked, you should see valid data there
```
- pdnssec show-zone zone
+ pdnsutil show-zone zone
```
- SoftHSM signatures are fast enough to be used in live environment.
- Assign the keys using
```
- pdnssec hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
+ pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
```
- Verify that everything worked, you should see valid data there.
```
- pdnssec show-zone zone
+ pdnsutil show-zone zone
```
- Note that the physical token is pretty slow, so you have to use it as hidden master. It has been observed to produce about 1.5signatures/second.
## NSEC3NARROW
Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode. See
-`set-nsec3` for [`pdnssec`](dnssec.md#pdnssec).
+`set-nsec3` for [`pdnsutil`](dnssec.md#pdnsutil).
## NSEC3PARAM
NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM
record. If present, NSEC3 is used, if not present, zones default to NSEC. See
-`set-nsec3` in [`pdnssec`](dnssec.md#pdnssec). Example content: "1 0 1 ab".
+`set-nsec3` in [`pdnsutil`](dnssec.md#pdnsutil). Example content: "1 0 1 ab".
## PRESIGNED
This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS sets
this flag automatically upon incoming zone transfers (AXFR) if it detects DNSSEC
records in the zone. However, if you import a presigned zone using `zone2sql` or
-`pdnssec load-zone` you must explicitly set the zone to be `PRESIGNED`. Note that
+`pdnsutil load-zone` you must explicitly set the zone to be `PRESIGNED`. Note that
PowerDNS will not be able to correctly serve the zone if the imported data is
-bogus or incomplete. Also see `set-presigned` in [`pdnssec`](dnssec.md#pdnssec).
+bogus or incomplete. Also see `set-presigned` in [`pdnsutil`](dnssec.md#pdnsutil).
## PUBLISH_CDNSKEY, PUBLISH_CDS
Whether to publish CDNSKEY and/or CDS recording defined in [RFC 7344](https://tools.ietf.org/html/rfc7344).
To publish CDS records for the KSKs in the zone, set `PUBLISH_CDS` to a comma-
separated list of [signature algorithm numbers](http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1).
-This metadata can also be set using the [`pdnssec`](dnssec.md#pdnssec) options
+This metadata can also be set using the [`pdnsutil`](dnssec.md#pdnsutil) options
`set-publish-cdnskey` and `set-publish-cds`. For an example for an RFC 7344
key rollover, see the [CDS and CDNSKEY howto](howtos.md#cds-dnskey-key-rollover).
# CDS & CDNSKEY Key Rollover
If the upstream registry supports [RFC 7344](https://tools.ietf.org/html/rfc7344)
-key rollovers you can use several [`pdnssec`](dnssec.md#pdnssec) commands to do
+key rollovers you can use several [`pdnsutil`](dnssec.md#pdnsutil) commands to do
this rollover. This HowTo follows the rollover example from the RFCs [Appendix B](https://tools.ietf.org/html/rfc7344#appendix-B).
We assume the zone name is example.com and is already DNSSEC signed.
-Start by adding a new KSK to the zone: `pdnssec add-zone-key example.com ksk 2048 passive`.
+Start by adding a new KSK to the zone: `pdnsutil add-zone-key example.com ksk 2048 passive`.
The "passive" means that the key is not used to sign any ZSK records. This limits
the size of `ANY` and DNSKEY responses.
-Publish the CDS records: `pdnssec set-publish-cds example.com`, these records
+Publish the CDS records: `pdnsutil set-publish-cds example.com`, these records
will tell the parent zone to update its DS records. Now wait for the DS records
to be updated in the parent zone.
-Once the DS records are updated, do the actual key-rollover: `pdnssec activate-zone-key example.com new-key-id`
-and `pdnssec deactivate-zone-key example.com old-key-id`. You can get the `new-key-id`
-and `old-key-id` by listing them through `pdnssec show-zone example.com`.
+Once the DS records are updated, do the actual key-rollover: `pdnsutil activate-zone-key example.com new-key-id`
+and `pdnsutil deactivate-zone-key example.com old-key-id`. You can get the `new-key-id`
+and `old-key-id` by listing them through `pdnsutil show-zone example.com`.
After the rollover, wait *at least* until the TTL on the DNSKEY records have
expired so validating resolvers won't mark the zone as BOGUS. When the wait is
-over, delete the old key from the zone: `pdnssec remove-zone-key example.com old-key-id`.
+over, delete the old key from the zone: `pdnsutil remove-zone-key example.com old-key-id`.
This updates the CDS records to reflect only the new key.
Wait for the parent to pick up on the CDS change. Once the upstream DS records
show only the DS records for the new KSK, you may disable sending out the CDS
-responses: `pdnssec unset-pushish-cds example.com`.
+responses: `pdnsutil unset-pushish-cds example.com`.
Done!
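Review bot: The new line carries over the pre-existing typo `unset-pushish-cds`; since the surrounding text introduces the commands as `set-publish-cdnskey` and `set-publish-cds`, the inverse is presumably `unset-publish-cds`, and the line should read `responses: `pdnsutil unset-publish-cds example.com`.` An operator copying the command as written would most likely hit an unknown-command error at the last step of the rollover, so fixing it while the line is already being touched is cheap.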
PowerDNS does not operate as a 'slave' or 'master' server with all backends.
Only the [Generic SQL](backend-generic-mypgsql.md), [BIND](backend-bind.md) backends have the ability to act as master or slave.
-To migrate, the `zone2sql` tool is provided. There are also scripts from external contributors for migrating from `MyDNS` server. See https://github.com/PowerDNS/pdns/wiki/Migrating-DBs-FROM-MyDNS for details. There is also tool in pdnssec to migrate using various backends, most notably bind and mydns. See below for more information.
+To migrate, the `zone2sql` tool is provided. There are also scripts from external contributors for migrating from `MyDNS` server. See https://github.com/PowerDNS/pdns/wiki/Migrating-DBs-FROM-MyDNS for details. There is also tool in pdnsutil to migrate using various backends, most notably bind and mydns. See below for more information.
Additionally, the PowerDNS source comes with a number of diagnostic tools, which can be helpful in verifying proper PowerDNS operation, versus incumbent nameservers. See [Tools to analyse DNS traffic](../tools/analysis.md) for more details.
NB! This is experimental feature.
-Syntax: `pdnssec b2b-migrate old new`
+Syntax: `pdnsutil b2b-migrate old new`
This tool lets you migrate data from one backend to another, it moves all data, including zones, metadata and crypto keys (if present). Some example use cases are moving from Bind style zonefiles to SQL based, or other way around, or moving from MyDNS to gMySQL.
Configure both backends to pdns.conf, if you have source configured, you can just add target backend. **DO NOT RESTART AUTH SERVER BEFORE YOU HAVE FINISHED**
-Then run `pdnssec b2b-migrate old new`, the old and new being configuration prefixes in pdns.conf. If something goes wrong, make sure you properly clear **ALL** data from target backend before retrying.
+Then run `pdnsutil b2b-migrate old new`, the old and new being configuration prefixes in pdns.conf. If something goes wrong, make sure you properly clear **ALL** data from target backend before retrying.
-Remove (or comment out) old backend from pdns.conf, and run `pdnssec rectify-all-zones` and `pdnssec check-all-zones` to make sure everything is OK.
+Remove (or comment out) old backend from pdns.conf, and run `pdnsutil rectify-all-zones` and `pdnsutil check-all-zones` to make sure everything is OK.
If everything is OK, then go ahead to restart your pdns auth process. Check logs to make sure everything went ok.
* Default: rsasha256
The algorithm that should be used for the KSK when running
-[`pdnssec secure-zone`](internals.md#pdnssec).
+[`pdnsutil secure-zone`](internals.md#pdnsutil).
Must be one of:
* rsamd5
* dh
* Default: whichever is default for `default-ksk-algorithms`
The default keysize for the KSK generated with
-[`pdnssec secure-zone`](internals.md#pdnssec).
+[`pdnsutil secure-zone`](internals.md#pdnsutil).
## `default-soa-name`
* String
* Default: rsasha256
The algorithm that should be used for the ZSK when running
-[`pdnssec secure-zone`](internals.md#pdnssec).
+[`pdnsutil secure-zone`](internals.md#pdnsutil).
Must be one of:
* rsamd5
* dh
* Default: whichever is default for `default-zsk-algorithms`
The default keysize for the ZSK generated with
-[`pdnssec secure-zone`](internals.md#pdnssec).
+[`pdnsutil secure-zone`](internals.md#pdnsutil).
## `direct-dnskey`
* Boolean
# 3.X.X to 3.3.2
-Please run "pdnssec rectify-all-zones" and trigger an AXFR for all DNSSEC
+Please run "pdnsutil rectify-all-zones" and trigger an AXFR for all DNSSEC
zones to make sure you benefit from all the compliance improvements present in
this version.
alter table supermasters alter column ip type VARCHAR(64);
```
-`pdnssec secure-zone` now creates one KSK and one ZSK, instead of two ZSKs.
+`pdnsutil secure-zone` now creates one KSK and one ZSK, instead of two ZSKs.
The 'rec\_name\_index' index was dropped from the gmysql schema, as it was superfluous.
create index recordorder on records (domain_id, ordername);
```
-You can test the BINARY change with the new and experimental 'pdnssec test-schema' command. For PostgreSQL, there are no real schema changes, but our indexes turned out to be inefficient, especially given the changed ordername queries in 3.2. Changes:
+You can test the BINARY change with the new and experimental 'pdnsutil test-schema' command. For PostgreSQL, there are no real schema changes, but our indexes turned out to be inefficient, especially given the changed ordername queries in 3.2. Changes:
```
drop index orderindex;
A: Yes, as long as the relevant '-dnssec' setting is not enabled. These settings are typically called 'gmysql-dnssec', 'gpgsql-dnssec', 'gsqlite3-dnssec'. If this setting IS enabled, 3.x expects the new schema to be in place.
Q: If I run 3.0 with the new schema, and I have set '-dnssec', do I need to rectify my zones?
-A: Yes. If the '-dnssec' setting is enabled, PowerDNS expects the 'auth' field to be filled out correctly. When slaving zones this happens automatically. For other zones, run 'pdnssec rectify-zone zonename'. Even if a zone is not DNSSEC secured, as long as the new schema is in place, the zone must be rectified (or at least have the 'auth' field set correctly).
+A: Yes. If the '-dnssec' setting is enabled, PowerDNS expects the 'auth' field to be filled out correctly. When slaving zones this happens automatically. For other zones, run 'pdnsutil rectify-zone zonename'. Even if a zone is not DNSSEC secured, as long as the new schema is in place, the zone must be rectified (or at least have the 'auth' field set correctly).
Q: I want to fill out the 'auth' and 'ordername' fields directly, how do I do this?
A: The 'auth' field should be '1' or 'true' for all records that are within your zone. For a zone without delegations, this means 'auth' should always be set. If you have delegations, both the NS records for that delegation and possible glue records for it should not have 'auth' set.
Where `<algo>` is one of the supported key algos in lowercase OR the
numeric id, see
-[http://rtfm.powerdns.com/pdnssec.html](http://rtfm.powerdns.com/pdnssec.html)
+[http://rtfm.powerdns.com/pdnsutil.html](http://rtfm.powerdns.com/pdnsutil.html)
URL: /servers/:server\_id/zones/:zone\_name/cryptokeys/:cryptokey\_id
---------------------------------------------------------------------
The CNAME record specifies the canonical name of a record. It is stored plainly. Like all other records, it is not terminated by a dot. A sample might be 'webserver-01.yourcompany.com'.
## DNSKEY
-Since 2.9.21. The DNSKEY DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnssec`](authoritative/dnssec.md#pdnssec "'pdnssec' for PowerDNSSEC command & control").
+Since 2.9.21. The DNSKEY DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNSSEC command & control").
## DS
-Since 2.9.21, The DS DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnssec`](authoritative/dnssec.md#pdnssec "'pdnssec' for PowerDNSSEC command & control").
+Since 2.9.21, The DS DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNSSEC command & control").
## HINFO
Hardware Info record, used to specify CPU and operating system. Stored with a single space separating these two, example: 'i386 Linux'.
Nameserver record. Specifies nameservers for a domain. Stored plainly: 'ns1.powerdns.com', as always without a terminating dot.
## NSEC
-Since 2.9.21. The NSEC DNSSEC record type is fully supported, as described in [RFC 3757](http://tools.ietf.org/html/rfc3757). Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnssec`](authoritative/dnssec.md#pdnssec "'pdnssec' for PowerDNSSEC command & control").
+Since 2.9.21. The NSEC DNSSEC record type is fully supported, as described in [RFC 3757](http://tools.ietf.org/html/rfc3757). Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNSSEC command & control").
## OPENPGPKEY
Since 3.4.7. The OPENPGPKEY records, specified in [RFC TBD](https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-06), are used to bind OpenPGP certificates to email addresses.
Responsible Person record, as described in [RFC 1183](http://tools.ietf.org/html/rfc1183). Stored with a single space between the mailbox name and the more-information pointer. Example 'peter.powerdns.com peter.people.powerdns.com', to indicate that `peter@powerdns.com` is responsible and that more information about peter is available by querying the TXT record of peter.people.powerdns.com.
## RRSIG
-Since 2.9.21. The RRSIG DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC prcessing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [pdnssec](authoritative/dnssec.md#pdnssec).
+Since 2.9.21. The RRSIG DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC prcessing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [pdnsutil](authoritative/dnssec.md#pdnsutil).
## SOA
The Start of Authority record is one of the most complex available. It specifies a lot about a domain: the name of the master nameserver ('the primary'), the hostmaster and a set of numbers indicating how the data in this domain expires and how often it needs to be checked. Further more, it contains a serial number which should rise on each change of the domain.
- 'Manpage: zone2ldap.1': manpages/zone2ldap.1.md
- 'Manpage: zone2sql.1': manpages/zone2sql.1.md
- 'Manpage: pdns_control.1': manpages/pdns_control.1.md
- - 'Manpage: pdnssec.1': manpages/pdnssec.1.md
+ - 'Manpage: pdnsutil.1': manpages/pdnsutil.1.md
- 'Manpage: pdns_server.1': manpages/pdns_server.1.md
- Authoritative Backends:
- BIND: authoritative/backend-bind.md
}
int LUABackend::addDomainKey(const string& name, const KeyData& key) {
-// there is no logging function in pdnssec when running this routine?
+// there is no logging function in pdnsutil when running this routine?
//key = id, flags, active, content
+++ /dev/null
-#!/usr/bin/env bash
-
-../../../pdns/pdnssec --config-dir=./ $@
--- /dev/null
+#!/usr/bin/env bash
+
+../../../pdns/pdnsutil --config-dir=./ $@
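Review bot: The new wrapper forwards its arguments with an unquoted `$@` on its last line, so any argument containing whitespace or glob characters (for example a `set-nsec3` parameter string such as `'1 0 1 ab'`, or a zone file path with spaces) is re-split before it reaches pdnsutil. Since this file is recreated by the commit, it is a good moment to fix it: `../../../pdns/pdnsutil --config-dir=./ "$@"`. The same carried-over quoting appears in the deleted pdnssec wrapper above, so the behaviour is not new, but the rename is the only place it will get looked at.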
#!/bin/sh
-$PDNSSEC --config-name=remote --config-dir=. backend-cmd remote HELLO
+$PDNSUTIL --config-name=remote --config-dir=. backend-cmd remote HELLO
/pdns_control
/pdns_server
/pdns_recursor
-/pdnssec
+/pdnsutil
/sdig
/saxfr
/dnslabeltext.cc
sbin_PROGRAMS = pdns_server
bin_PROGRAMS = \
pdns_control \
- pdnssec \
+ pdnsutil \
zone2sql \
zone2json
pdns_server_LDADD += $(GSS_LIBS)
endif
-pdnssec_SOURCES = \
+pdnsutil_SOURCES = \
arguments.cc \
backends/gsql/gsqlbackend.cc backends/gsql/gsqlbackend.hh \
backends/gsql/ssql.hh \
misc.cc misc.hh \
nsecrecords.cc \
packetcache.cc \
- pdnssec.cc \
+ pdnsutil.cc \
mbedtlssigners.cc \
qtype.cc \
randomhelper.cc \
unix_utility.cc \
zoneparser-tng.cc
-pdnssec_LDFLAGS = \
+pdnsutil_LDFLAGS = \
$(AM_LDFLAGS) \
$(DYNLINKFLAGS) \
$(BOOST_PROGRAM_OPTIONS_LDFLAGS)
-pdnssec_LDADD = \
+pdnsutil_LDADD = \
@moduleobjects@ \
@modulelibs@ \
$(LIBDL) \
$(YAHTTP_LIBS)
if BOTAN110
-pdnssec_SOURCES += botan110signers.cc botansigners.cc
-pdnssec_LDADD += $(BOTAN110_LIBS)
+pdnsutil_SOURCES += botan110signers.cc botansigners.cc
+pdnsutil_LDADD += $(BOTAN110_LIBS)
endif
if BOTAN18
-pdnssec_SOURCES += botan18signers.cc botansigners.cc
-pdnssec_LDADD += $(BOTAN18_LIBS)
+pdnsutil_SOURCES += botan18signers.cc botansigners.cc
+pdnsutil_LDADD += $(BOTAN18_LIBS)
endif
if CRYPTOPP
-pdnssec_SOURCES += cryptoppsigners.cc
-pdnssec_LDADD += $(CRYPTOPP_LIBS)
+pdnsutil_SOURCES += cryptoppsigners.cc
+pdnsutil_LDADD += $(CRYPTOPP_LIBS)
endif
if LIBSODIUM
-pdnssec_SOURCES += sodiumsigners.cc
-pdnssec_LDADD += $(LIBSODIUM_LIBS)
+pdnsutil_SOURCES += sodiumsigners.cc
+pdnsutil_LDADD += $(LIBSODIUM_LIBS)
endif
if SQLITE3
-pdnssec_SOURCES += ssqlite3.cc ssqlite3.hh
-pdnssec_LDADD += $(SQLITE3_LIBS)
+pdnsutil_SOURCES += ssqlite3.cc ssqlite3.hh
+pdnsutil_LDADD += $(SQLITE3_LIBS)
endif
if ORACLE
-pdnssec_LDADD += $(ORACLE_LIBS)
+pdnsutil_LDADD += $(ORACLE_LIBS)
endif
if PKCS11
-pdnssec_SOURCES += pkcs11signers.cc pkcs11signers.hh
-pdnssec_LDADD += $(P11KIT1_LIBS)
+pdnsutil_SOURCES += pkcs11signers.cc pkcs11signers.hh
+pdnsutil_LDADD += $(P11KIT1_LIBS)
endif
if GSS_TSIG
-pdnssec_LDADD += $(GSS_LIBS)
+pdnsutil_LDADD += $(GSS_LIBS)
endif
zone2sql_SOURCES = \
xfrPacket(rtr); \
} \
catch(RecordTextException& rtr) { \
- throw MOADNSException("Parsing record content (try 'pdnssec check-zone'): "+string(rtr.what())); \
+ throw MOADNSException("Parsing record content (try 'pdnsutil check-zone'): "+string(rtr.what())); \
} \
} \
\
#include "dnssecinfra.hh"
using namespace boost::assign;
-#define PDNSSEC_MI(x) mbedtls_mpi_init(&d_context.x)
-#define PDNSSEC_MC(x) PDNSSEC_MI(x); mbedtls_mpi_copy(&d_context.x, const_cast<mbedtls_mpi*>(&orig.d_context.x))
-#define PDNSSEC_MF(x) mbedtls_mpi_free(&d_context.x)
+#define PDNSUTIL_MI(x) mbedtls_mpi_init(&d_context.x)
+#define PDNSUTIL_MC(x) PDNSUTIL_MI(x); mbedtls_mpi_copy(&d_context.x, const_cast<mbedtls_mpi*>(&orig.d_context.x))
+#define PDNSUTIL_MF(x) mbedtls_mpi_free(&d_context.x)
class RSADNSCryptoKeyEngine : public DNSCryptoKeyEngine
{
explicit RSADNSCryptoKeyEngine(unsigned int algorithm) : DNSCryptoKeyEngine(algorithm)
{
memset(&d_context, 0, sizeof(d_context));
- PDNSSEC_MI(N);
- PDNSSEC_MI(E); PDNSSEC_MI(D); PDNSSEC_MI(P); PDNSSEC_MI(Q); PDNSSEC_MI(DP); PDNSSEC_MI(DQ); PDNSSEC_MI(QP); PDNSSEC_MI(RN); PDNSSEC_MI(RP); PDNSSEC_MI(RQ);
+ PDNSUTIL_MI(N);
+ PDNSUTIL_MI(E); PDNSUTIL_MI(D); PDNSUTIL_MI(P); PDNSUTIL_MI(Q); PDNSUTIL_MI(DP); PDNSUTIL_MI(DQ); PDNSUTIL_MI(QP); PDNSUTIL_MI(RN); PDNSUTIL_MI(RP); PDNSUTIL_MI(RQ);
}
~RSADNSCryptoKeyEngine()
{
- PDNSSEC_MF(N);
- PDNSSEC_MF(E); PDNSSEC_MF(D); PDNSSEC_MF(P); PDNSSEC_MF(Q); PDNSSEC_MF(DP); PDNSSEC_MF(DQ); PDNSSEC_MF(QP); PDNSSEC_MF(RN); PDNSSEC_MF(RP); PDNSSEC_MF(RQ);
+ PDNSUTIL_MF(N);
+ PDNSUTIL_MF(E); PDNSUTIL_MF(D); PDNSUTIL_MF(P); PDNSUTIL_MF(Q); PDNSUTIL_MF(DP); PDNSUTIL_MF(DQ); PDNSUTIL_MF(QP); PDNSUTIL_MF(RN); PDNSUTIL_MF(RP); PDNSUTIL_MF(RQ);
}
bool operator<(const RSADNSCryptoKeyEngine& rhs) const
d_context.padding = orig.d_context.padding;
d_context.hash_id = orig.d_context.hash_id;
- PDNSSEC_MC(N);
- PDNSSEC_MC(E); PDNSSEC_MC(D); PDNSSEC_MC(P); PDNSSEC_MC(Q); PDNSSEC_MC(DP); PDNSSEC_MC(DQ); PDNSSEC_MC(QP); PDNSSEC_MC(RN); PDNSSEC_MC(RP); PDNSSEC_MC(RQ);
+ PDNSUTIL_MC(N);
+ PDNSUTIL_MC(E); PDNSUTIL_MC(D); PDNSUTIL_MC(P); PDNSUTIL_MC(Q); PDNSUTIL_MC(DP); PDNSUTIL_MC(DQ); PDNSUTIL_MC(QP); PDNSUTIL_MC(RN); PDNSUTIL_MC(RP); PDNSUTIL_MC(RQ);
}
RSADNSCryptoKeyEngine& operator=(const RSADNSCryptoKeyEngine& orig)
};
// see above
-#undef PDNSSEC_MC
-#undef PDNSSEC_MI
-#undef PDNSSEC_MF
+#undef PDNSUTIL_MC
+#undef PDNSUTIL_MI
+#undef PDNSUTIL_MF
inline bool operator<(const mbedtls_mpi& a, const mbedtls_mpi& b)
goto sendit;
// check whether this could be fixed easily
// if (*(rr.qname.rbegin()) == '.') {
- // L<<Logger::Error<<"Should not get here ("<<p->qdomain<<"|"<<p->qtype.getCode()<<"): you have a trailing dot, this could be the problem (or run pdnssec rectify-zone " <<sd.qname<<")"<<endl;
+ // L<<Logger::Error<<"Should not get here ("<<p->qdomain<<"|"<<p->qtype.getCode()<<"): you have a trailing dot, this could be the problem (or run pdnsutil rectify-zone " <<sd.qname<<")"<<endl;
// } else {
- L<<Logger::Error<<"Should not get here ("<<p->qdomain<<"|"<<p->qtype.getCode()<<"): please run pdnssec rectify-zone "<<sd.qname<<endl;
+ L<<Logger::Error<<"Should not get here ("<<p->qdomain<<"|"<<p->qtype.getCode()<<"): please run pdnsutil rectify-zone "<<sd.qname<<endl;
// }
}
else {
if (isSecure && isOptOut && (rr.qname.countLabels() && rr.qname.getRawLabels()[0] == "*")) {
cout<<"[Warning] wildcard record '"<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<<" "<<rr.content<<"' is insecure"<<endl;
- cout<<"[Info] Wildcard records in opt-out zones are insecure. Disable the opt-out flag for this zone to avoid this warning. Command: pdnssec set-nsec3 "<<zone.toString()<<endl;
+ cout<<"[Info] Wildcard records in opt-out zones are insecure. Disable the opt-out flag for this zone to avoid this warning. Command: pdnsutil set-nsec3 "<<zone.toString()<<endl;
numwarnings++;
}
if(rr.auth == 0 && rr.qtype.getCode()!=QType::NS && rr.qtype.getCode()!=QType::A && rr.qtype.getCode()!=QType::AAAA)
{
- cout<<"[Error] Following record is auth=0, run pdnssec rectify-zone?: "<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<< " " << rr.content<<endl;
+ cout<<"[Error] Following record is auth=0, run pdnsutil rectify-zone?: "<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<< " " << rr.content<<endl;
numerrors++;
}
}
else if (toUpper(type) == "NATIVE")
kindFilter = 2;
else {
- cerr<<"Syntax: pdnssec list-all-zones [master|slave|native]"<<endl;
+ cerr<<"Syntax: pdnsutil list-all-zones [master|slave|native]"<<endl;
return 1;
}
}
}
if(dk.isSecuredZone(zone)) {
- cerr << "Zone '"<<zone.toString()<<"' already secure, remove keys with pdnssec remove-zone-key if needed"<<endl;
+ cerr << "Zone '"<<zone.toString()<<"' already secure, remove keys with pdnsutil remove-zone-key if needed"<<endl;
return false;
}
if(di.kind == DomainInfo::Slave)
{
cout<<"Warning! This is a slave domain! If this was a mistake, please run"<<endl;
- cout<<"pdnssec disable-dnssec "<<zone.toString()<<" right now!"<<endl;
+ cout<<"pdnsutil disable-dnssec "<<zone.toString()<<" right now!"<<endl;
}
if (k_size)
cerr<<"gsqlite3-dnssec, or gmysql-dnssec etc). Check this first."<<endl;
cerr<<"If you run with the BIND backend, make sure you have configured"<<endl;
cerr<<"it to use DNSSEC with 'bind-dnssec-db=/path/fname' and"<<endl;
- cerr<<"'pdnssec create-bind-db /path/fname'!"<<endl;
+ cerr<<"'pdnsutil create-bind-db /path/fname'!"<<endl;
return false;
}
g_verbose = g_vm.count("verbose");
if(cmds.empty() || g_vm.count("help")) {
- cerr<<"Usage: \npdnssec [options] <command> [params ..]\n"<<endl;
+ cerr<<"Usage: \npdnsutil [options] <command> [params ..]\n"<<endl;
cerr<<"Commands:"<<endl;
cerr<<"activate-tsig-key ZONE NAME {master|slave}"<<endl;
cerr<<" Enable TSIG key for a zone"<<endl;
if (cmds[0] == "test-algorithm") {
if(cmds.size() != 2) {
- cerr << "Syntax: pdnssec test-algorithm algonum"<<endl;
+ cerr << "Syntax: pdnsutil test-algorithm algonum"<<endl;
return 0;
}
if (testAlgorithm(lexical_cast<int>(cmds[1])))
if(cmds[0] == "create-bind-db") {
#ifdef HAVE_SQLITE3
if(cmds.size() != 2) {
- cerr << "Syntax: pdnssec create-bind-db FNAME"<<endl;
+ cerr << "Syntax: pdnsutil create-bind-db FNAME"<<endl;
return 0;
}
try {
if (cmds[0] == "test-schema") {
if(cmds.size() != 2) {
- cerr << "Syntax: pdnssec test-schema ZONE"<<endl;
+ cerr << "Syntax: pdnsutil test-schema ZONE"<<endl;
return 0;
}
testSchema(dk, DNSName(cmds[1]));
}
if(cmds[0] == "rectify-zone") {
if(cmds.size() < 2) {
- cerr << "Syntax: pdnssec rectify-zone ZONE [ZONE..]"<<endl;
+ cerr << "Syntax: pdnsutil rectify-zone ZONE [ZONE..]"<<endl;
return 0;
}
unsigned int exitCode = 0;
}
else if(cmds[0] == "check-zone") {
if(cmds.size() != 2) {
- cerr << "Syntax: pdnssec check-zone ZONE"<<endl;
+ cerr << "Syntax: pdnsutil check-zone ZONE"<<endl;
return 0;
}
UeberBackend B("default");
}
else if (cmds[0] == "list-all-zones") {
if (cmds.size() > 2) {
- cerr << "Syntax: pdnssec list-all-zones [master|slave|native]"<<endl;
+ cerr << "Syntax: pdnsutil list-all-zones [master|slave|native]"<<endl;
return 0;
}
if (cmds.size() == 2)
#endif
else if(cmds[0] == "test-speed") {
if(cmds.size() < 2) {
- cerr << "Syntax: pdnssec test-speed numcores [signing-server]"<<endl;
+ cerr << "Syntax: pdnsutil test-speed numcores [signing-server]"<<endl;
return 0;
}
testSpeed(dk, DNSName(cmds[1]), (cmds.size() > 3) ? cmds[3] : "", atoi(cmds[2].c_str()));
}
else if(cmds[0] == "verify-crypto") {
if(cmds.size() != 2) {
- cerr << "Syntax: pdnssec verify-crypto FILE"<<endl;
+ cerr << "Syntax: pdnsutil verify-crypto FILE"<<endl;
return 0;
}
verifyCrypto(cmds[1]);
else if(cmds[0] == "show-zone") {
if(cmds.size() != 2) {
- cerr << "Syntax: pdnssec show-zone ZONE"<<endl;
+ cerr << "Syntax: pdnsutil show-zone ZONE"<<endl;
return 0;
}
if (!showZone(dk, DNSName(cmds[1]))) return 1;
}
else if(cmds[0] == "disable-dnssec") {
if(cmds.size() != 2) {
- cerr << "Syntax: pdnssec disable-dnssec ZONE"<<endl;
+ cerr << "Syntax: pdnsutil disable-dnssec ZONE"<<endl;
return 0;
}
DNSName zone(cmds[1]);
}
else if(cmds[0] == "activate-zone-key") {
if(cmds.size() != 3) {
- cerr << "Syntax: pdnssec activate-zone-key ZONE KEY-ID"<<endl;
+ cerr << "Syntax: pdnsutil activate-zone-key ZONE KEY-ID"<<endl;
return 0;
}
DNSName zone(cmds[1]);
}
else if(cmds[0] == "deactivate-zone-key") {
if(cmds.size() != 3) {
- cerr << "Syntax: pdnssec deactivate-zone-key ZONE KEY-ID"<<endl;
+ cerr << "Syntax: pdnsutil deactivate-zone-key ZONE KEY-ID"<<endl;
return 0;
}
DNSName zone(cmds[1]);
}
else if(cmds[0] == "add-zone-key") {
if(cmds.size() < 3 ) {
- cerr << "Syntax: pdnssec add-zone-key ZONE zsk|ksk [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]"<<endl;
+ cerr << "Syntax: pdnsutil add-zone-key ZONE zsk|ksk [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]"<<endl;
return 0;
}
DNSName zone(cmds[1]);
}
else if(cmds[0] == "remove-zone-key") {
if(cmds.size() < 3) {
- cerr<<"Syntax: pdnssec remove-zone-key ZONE KEY-ID"<<endl;
+ cerr<<"Syntax: pdnsutil remove-zone-key ZONE KEY-ID"<<endl;
return 0;
}
DNSName zone(cmds[1]);
}
else if(cmds[0] == "delete-zone") {
if(cmds.size() != 2) {
- cerr<<"Syntax: pdnssec delete-zone ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil delete-zone ZONE"<<endl;
return 0;
}
exit(deleteZone(DNSName(cmds[1])));
}
else if(cmds[0] == "create-zone") {
if(cmds.size() != 2) {
- cerr<<"Syntax: pdnssec create-zone ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil create-zone ZONE"<<endl;
return 0;
}
exit(createZone(DNSName(cmds[1])));
}
else if(cmds[0] == "list-zone") {
if(cmds.size() != 2) {
- cerr<<"Syntax: pdnssec list-zone ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil list-zone ZONE"<<endl;
return 0;
}
if(cmds[1]==".")
}
else if(cmds[0] == "list-keys") {
if(cmds.size() > 2) {
- cerr<<"Syntax: pdnssec list-keys [ZONE]"<<endl;
+ cerr<<"Syntax: pdnsutil list-keys [ZONE]"<<endl;
return 0;
}
string zname = (cmds.size() == 2) ? cmds[1] : "all";
}
else if(cmds[0] == "load-zone") {
if(cmds.size() != 3) {
- cerr<<"Syntax: pdnssec load-zone ZONE FILENAME"<<endl;
+ cerr<<"Syntax: pdnsutil load-zone ZONE FILENAME"<<endl;
return 0;
}
if(cmds[1]==".")
}
else if(cmds[0] == "secure-zone") {
if(cmds.size() < 2) {
- cerr << "Syntax: pdnssec secure-zone ZONE"<<endl;
+ cerr << "Syntax: pdnsutil secure-zone ZONE"<<endl;
return 0;
}
vector<DNSName> mustRectify;
}
else if (cmds[0] == "secure-all-zones") {
if (cmds.size() >= 2 && !pdns_iequals(cmds[1], "increase-serial")) {
- cerr << "Syntax: pdnssec secure-all-zones [increase-serial]"<<endl;
+ cerr << "Syntax: pdnsutil secure-all-zones [increase-serial]"<<endl;
return 0;
}
}
else if(cmds[0]=="set-nsec3") {
if(cmds.size() < 2) {
- cerr<<"Syntax: pdnssec set-nsec3 ZONE 'params' [narrow]"<<endl;
+ cerr<<"Syntax: pdnsutil set-nsec3 ZONE 'params' [narrow]"<<endl;
return 0;
}
string nsec3params = cmds.size() > 2 ? cmds[2] : "1 0 1 ab";
}
else if(cmds[0]=="set-presigned") {
if(cmds.size() < 2) {
- cerr<<"Syntax: pdnssec set-presigned ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil set-presigned ZONE"<<endl;
return 0;
}
if (! dk.setPresigned(DNSName(cmds[1]))) {
}
else if(cmds[0]=="set-publish-cdnskey") {
if(cmds.size() < 2) {
- cerr<<"Syntax: pdnssec set-publish-cdnskey ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil set-publish-cdnskey ZONE"<<endl;
return 0;
}
if (! dk.setPublishCDNSKEY(DNSName(cmds[1]))) {
}
else if(cmds[0]=="set-publish-cds") {
if(cmds.size() < 2) {
- cerr<<"Syntax: pdnssec set-publish-cds ZONE [DIGESTALGOS]"<<endl;
+ cerr<<"Syntax: pdnsutil set-publish-cds ZONE [DIGESTALGOS]"<<endl;
return 0;
}
}
else if(cmds[0]=="unset-presigned") {
if(cmds.size() < 2) {
- cerr<<"Syntax: pdnssec unset-presigned ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil unset-presigned ZONE"<<endl;
return 0;
}
if (! dk.unsetPresigned(DNSName(cmds[1]))) {
}
else if(cmds[0]=="unset-publish-cdnskey") {
if(cmds.size() < 2) {
- cerr<<"Syntax: pdnssec unset-publish-cdnskey ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil unset-publish-cdnskey ZONE"<<endl;
return 0;
}
if (! dk.unsetPublishCDNSKEY(DNSName(cmds[1]))) {
}
else if(cmds[0]=="unset-publish-cds") {
if(cmds.size() < 2) {
- cerr<<"Syntax: pdnssec unset-publish-cds ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil unset-publish-cds ZONE"<<endl;
return 0;
}
if (! dk.unsetPublishCDS(DNSName(cmds[1]))) {
}
else if(cmds[0]=="hash-zone-record") {
if(cmds.size() < 3) {
- cerr<<"Syntax: pdnssec hash-zone-record ZONE RNAME"<<endl;
+ cerr<<"Syntax: pdnsutil hash-zone-record ZONE RNAME"<<endl;
return 0;
}
DNSName zone(cmds[1]);
}
else if(cmds[0]=="unset-nsec3") {
if(cmds.size() < 2) {
- cerr<<"Syntax: pdnssec unset-nsec3 ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil unset-nsec3 ZONE"<<endl;
return 0;
}
if ( ! dk.unsetNSEC3PARAM(DNSName(cmds[1]))) {
}
else if(cmds[0]=="export-zone-key") {
if(cmds.size() < 3) {
- cerr<<"Syntax: pdnssec export-zone-key ZONE KEY-ID"<<endl;
+ cerr<<"Syntax: pdnsutil export-zone-key ZONE KEY-ID"<<endl;
return 0;
}
}
else if(cmds[0]=="increase-serial") {
if (cmds.size() < 2) {
- cerr<<"Syntax: pdnssec increase-serial ZONE"<<endl;
+ cerr<<"Syntax: pdnsutil increase-serial ZONE"<<endl;
return 0;
}
return increaseSerial(DNSName(cmds[1]), dk);
}
else if(cmds[0]=="import-zone-key-pem") {
if(cmds.size() < 4) {
- cerr<<"Syntax: pdnssec import-zone-key-pem ZONE FILE ALGORITHM {ksk|zsk}"<<endl;
+ cerr<<"Syntax: pdnsutil import-zone-key-pem ZONE FILE ALGORITHM {ksk|zsk}"<<endl;
exit(1);
}
string zone=cmds[1];
}
else if(cmds[0]=="import-zone-key") {
if(cmds.size() < 3) {
- cerr<<"Syntax: pdnssec import-zone-key ZONE FILE [ksk|zsk] [active|passive]"<<endl;
+ cerr<<"Syntax: pdnsutil import-zone-key ZONE FILE [ksk|zsk] [active|passive]"<<endl;
exit(1);
}
string zone=cmds[1];
}
else if(cmds[0]=="export-zone-dnskey") {
if(cmds.size() < 3) {
- cerr<<"Syntax: pdnssec export-zone-dnskey ZONE KEY-ID"<<endl;
+ cerr<<"Syntax: pdnsutil export-zone-dnskey ZONE KEY-ID"<<endl;
exit(1);
}
}
else if(cmds[0] == "generate-zone-key") {
if(cmds.size() < 2 ) {
- cerr << "Syntax: pdnssec generate-zone-key zsk|ksk [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384] [bits]"<<endl;
+ cerr << "Syntax: pdnsutil generate-zone-key zsk|ksk [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384] [bits]"<<endl;
return 0;
}
// need to get algorithm, bits & ksk or zsk from commandline
std::vector<DNSBackend::KeyData> keys;
if (cmds.size() < 9) {
- std::cout << "Usage: pdnssec hsm assign ZONE ALGORITHM {ksk|zsk} MODULE TOKEN PIN LABEL" << std::endl;
+ std::cout << "Usage: pdnsutil hsm assign ZONE ALGORITHM {ksk|zsk} MODULE TOKEN PIN LABEL" << std::endl;
return 1;
}
} else if (cmds[1] == "create-key") {
if (cmds.size() < 4) {
- cerr << "Usage: pdnssec hsm create-key ZONE KEY-ID [BITS]" << endl;
+ cerr << "Usage: pdnsutil hsm create-key ZONE KEY-ID [BITS]" << endl;
return 1;
}
DomainInfo di;
signal(SIGCHLD, SIG_IGN);
if(!fork()) { // child
dup2(fds[1], 0);
- execl("./pdnssec", "./pdnssec", "--config-dir=./", "signing-slave", NULL);
+ execl("./pdnsutil", "./pdnsutil", "--config-dir=./", "signing-slave", NULL);
// helperWorker(new StartHelperStruct(this, n));
return;
}
now=$(date +%s)
delta=$((now-1418860790)) # Wed Dec 17 23:59:50 2014 UTC
-$PDNSSEC --config-dir=soa-edit create-bind-db soa-edit/bind-dnssec.db
-$PDNSSEC --config-dir soa-edit/ set-meta minimal.com SOA-EDIT INCREMENT-WEEKS
+$PDNSUTIL --config-dir=soa-edit create-bind-db soa-edit/bind-dnssec.db
+$PDNSUTIL --config-dir soa-edit/ set-meta minimal.com SOA-EDIT INCREMENT-WEEKS
faketime -m -f -$delta $PDNS --config-dir=soa-edit &
bindwait
__EOF__
else
echo "bind-dnssec-db=./dnssec.sqlite3" >> pdns-bind.conf
- $PDNSSEC --config-dir=. --config-name=bind create-bind-db dnssec.sqlite3
+ $PDNSUTIL --config-dir=. --config-name=bind create-bind-db dnssec.sqlite3
fi
for zone in $(grep 'zone ' named.conf | cut -f2 -d\")
securezone $zone bind
if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
then
- $PDNSSEC --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
+ $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
elif [ $context = bind-dnssec-nsec3-narrow ]
then
- $PDNSSEC --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+ $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
fi
done
skipreasons="nodyndns"
fi
- $PDNSSEC --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=bind activate-tsig-key tsig.com test master
+ $PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=bind activate-tsig-key tsig.com test master
$RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \
--config-name=bind --socket-dir=./ --no-shuffle \
rm -f dnssec-slave.sqlite3
- $PDNSSEC --config-dir=. create-bind-db dnssec-slave.sqlite3
+ $PDNSUTIL --config-dir=. create-bind-db dnssec-slave.sqlite3
set +e
echo $skipreasons | grep -q nodnssec
Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='continent.geo.example.com.', qtype=TXT
EOF
- # generate pdns.conf for pdnssec
+ # generate pdns.conf for pdnsutil
cat > pdns-geoip.conf <<EOF
module-dir=./modules
launch=geoip
if [ "$geoipdosec" = "yes" ]
then
echo "$geoipkeydir" >> pdns-geoip.conf
- $PDNSSEC --config-dir=. --config-name=geoip secure-zone geo.example.com
+ $PDNSUTIL --config-dir=. --config-name=geoip secure-zone geo.example.com
geoipkeydir="--geoip-dnssec-keydir=$testsdir/geosec"
fi
"$GMYSQL2DB" -e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')"
done
- $PDNSSEC --config-dir=. --config-name=gmysql2 import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=gmysql2 activate-tsig-key tsig.com test slave
+ $PDNSUTIL --config-dir=. --config-name=gmysql2 import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=gmysql2 activate-tsig-key tsig.com test slave
if [[ $skipreasons != *nolua* ]]
then
- $PDNSSEC --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+ $PDNSUTIL --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
fi
port=$((port+100))
echo "INSERT INTO domains (id, name, type, master) VALUES(domains_id_sequence.nextval, '$zone', 'SLAVE', '127.0.0.1:$port');" | sqlplus -S $GORACLE2USER/$GORACLE2PASSWD@xe >> goracle2.log
done
- $PDNSSEC --config-dir=. --config-name=goracle2 import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=goracle2 activate-tsig-key tsig.com test slave
+ $PDNSUTIL --config-dir=. --config-name=goracle2 import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=goracle2 activate-tsig-key tsig.com test slave
if [[ $skipreasons != *nolua* ]]
then
- $PDNSSEC --config-dir=. --config-name=goracle2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+ $PDNSUTIL --config-dir=. --config-name=goracle2 set-meta stest.com AXFR-SOURCE 127.0.0.2
fi
port=$((port+100))
"$GPGSQL2DB"
done
- $PDNSSEC --config-dir=. --config-name=gpgsql2 import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=gpgsql2 activate-tsig-key tsig.com test slave
+ $PDNSUTIL --config-dir=. --config-name=gpgsql2 import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=gpgsql2 activate-tsig-key tsig.com test slave
if [[ $skipreasons != *nolua* ]]
then
- $PDNSSEC --config-dir=. --config-name=gpgsql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+ $PDNSUTIL --config-dir=. --config-name=gpgsql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
fi
port=$((port+100))
then
if [ $context = ${backend}-nsec3 ] || [ $context = ${backend}-nsec3-optout ]
then
- $PDNSSEC --config-dir=. --config-name=$backend set-nsec3 $zone "1 $optout 1 abcd" 2>&1
+ $PDNSUTIL --config-dir=. --config-name=$backend set-nsec3 $zone "1 $optout 1 abcd" 2>&1
elif [ $context = ${backend}-nsec3-narrow ]
then
- $PDNSSEC --config-dir=. --config-name=$backend set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+ $PDNSUTIL --config-dir=. --config-name=$backend set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
fi
securezone $zone ${backend}
else
- $PDNSSEC --config-dir=. --config-name=$backend rectify-zone $zone 2>&1
+ $PDNSUTIL --config-dir=. --config-name=$backend rectify-zone $zone 2>&1
fi
done
- $PDNSSEC --config-dir=. --config-name=$backend import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=$backend activate-tsig-key tsig.com test master
+ $PDNSUTIL --config-dir=. --config-name=$backend import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=$backend activate-tsig-key tsig.com test master
$RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \
--config-name=$backend --socket-dir=./ --no-shuffle \
sqlite3 pdns.sqlite32 "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port');"
done
- $PDNSSEC --config-dir=. --config-name=gsqlite32 import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=gsqlite32 activate-tsig-key tsig.com test slave
+ $PDNSUTIL --config-dir=. --config-name=gsqlite32 import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=gsqlite32 activate-tsig-key tsig.com test slave
if [[ $skipreasons != *nolua* ]]
then
- $PDNSSEC --config-dir=. --config-name=gsqlite32 set-meta stest.com AXFR-SOURCE 127.0.0.2
+ $PDNSUTIL --config-dir=. --config-name=gsqlite32 set-meta stest.com AXFR-SOURCE 127.0.0.2
fi
port=$((port+100))
securezone $zone oracle
if [ $context = oracle-nsec3 ]
then
- $PDNSSEC --config-dir=. --config-name=oracle set-nsec3 $zone "1 0 1 abcd" 2>&1
+ $PDNSUTIL --config-dir=. --config-name=oracle set-nsec3 $zone "1 0 1 abcd" 2>&1
fi
done
fi
echo "TRUNCATE TABLE records;" | sqlplus -S $ORACLEUSER/$ORACLEPASSWD@xe >> oracle.log
../pdns/zone2sql --oracle | grep -v 'INSERT INTO Zones' | sqlplus -S $ORACLEUSER/$ORACLEPASSWD@xe >> oracle.log
- $PDNSSEC --config-dir=. --config-name=oracle import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=oracle activate-tsig-key tsig.com test master
+ $PDNSUTIL --config-dir=. --config-name=oracle import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=oracle activate-tsig-key tsig.com test master
$RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \
--config-name=oracle --socket-dir=./ --no-shuffle \
echo "INSERT ALL INTO zones (id, name, type) VALUES (zones_id_seq.nextval, name, 'SLAVE') INTO zonemasters (zone_id, master) VALUES (zones_id_seq.nextval, master) SELECT '$zone' AS name, '127.0.0.1:$port' AS master FROM dual;" | sqlplus -S $ORACLE2USER/$ORACLE2PASSWD@xe >> oracle2.log
done
- $PDNSSEC --config-dir=. --config-name=oracle2 import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=oracle2 activate-tsig-key tsig.com test slave
+ $PDNSUTIL --config-dir=. --config-name=oracle2 import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=oracle2 activate-tsig-key tsig.com test slave
set +e
echo $skipreasons | grep -q nolua
if [ $? -ne 0 ]
then
- $PDNSSEC --config-dir=. --config-name=oracle2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+ $PDNSUTIL --config-dir=. --config-name=oracle2 set-meta stest.com AXFR-SOURCE 127.0.0.2
fi
set -e
fi
- # generate pdns.conf for pdnssec
+ # generate pdns.conf for pdnsutil
cat > pdns-remote.conf <<EOF
module-dir=./modules
launch=remote
if [ "$remotedosec" = "yes" ]
then
echo "remote-dnssec=yes" >> pdns-remote.conf
- $PDNSSEC --config-dir=. --config-name=remote secure-zone example.com
- $PDNSSEC --config-dir=. --config-name=remote secure-zone up.example.com
+ $PDNSUTIL --config-dir=. --config-name=remote secure-zone example.com
+ $PDNSUTIL --config-dir=. --config-name=remote secure-zone up.example.com
- ./gsql_feed_ds.pl up.example.com. example.com. "$PDNSSEC --config-dir=. --config-name=remote" "sqlite3 $testsdir/remote.sqlite3"
+ ./gsql_feed_ds.pl up.example.com. example.com. "$PDNSUTIL --config-dir=. --config-name=remote" "sqlite3 $testsdir/remote.sqlite3"
# fix dot
sqlite3 $testsdir/remote.sqlite3 "UPDATE records SET name = 'up.example.com.' WHERE name = 'up.example.com'"
if [ "$remotesec" = "nsec3" ]
then
- $PDNSSEC --config-dir=. --config-name=remote set-nsec3 example.com
- $PDNSSEC --config-dir=. --config-name=remote set-nsec3 up.example.com
+ $PDNSUTIL --config-dir=. --config-name=remote set-nsec3 example.com
+ $PDNSUTIL --config-dir=. --config-name=remote set-nsec3 up.example.com
fi
# add DS records into list-all-records
- $PDNSSEC --config-dir=. --config-name=remote show-zone up.example.com | gawk '{ if ($1=="DS") { printf "up.example.com. 120 IN DS " $6 " " $7 " " $8 " " substr(toupper($9),0,56); if (length($9)>56) { print " " substr(toupper($9),57) } else { print "" } } }' > $testsdir/list-all-records/expected_dnssec_part2
+ $PDNSUTIL --config-dir=. --config-name=remote show-zone up.example.com | gawk '{ if ($1=="DS") { printf "up.example.com. 120 IN DS " $6 " " $7 " " $8 " " substr(toupper($9),0,56); if (length($9)>56) { print " " substr(toupper($9),57) } else { print "" } } }' > $testsdir/list-all-records/expected_dnssec_part2
cat $testsdir/list-all-records/expected_dnssec_part1 $testsdir/list-all-records/expected_dnssec_part2 $testsdir/list-all-records/expected_dnssec_part3 > $testsdir/list-all-records/expected_result.dnssec
cp -f $testsdir/list-all-records/expected_result.dnssec $testsdir/list-all-records/expected_result.nsec3
fi
use warnings;
use 5.005;
-# usage: feed_ds.pl domain parent pdnssec sqlcmd
+# usage: feed_ds.pl domain parent pdnsutil sqlcmd
my $domain = shift;
my $parent = shift;
-my $pdnssec = shift;
+my $pdnsutil = shift;
my $sqlcmd = shift;
-die "Usage: $0 domain parent pdnssec sqlcmd" unless($domain and $parent and $pdnssec and $sqlcmd);
+die "Usage: $0 domain parent pdnsutil sqlcmd" unless($domain and $parent and $pdnsutil and $sqlcmd);
-open IN, "-|", "$pdnssec show-zone $domain 2>&1";
+open IN, "-|", "$pdnsutil show-zone $domain 2>&1";
my $recs = [];
export NSEC3DIG=${NSEC3DIG:-${PWD}/../pdns/nsec3dig}
export SAXFR=${SAXFR:-${PWD}/../pdns/saxfr}
export ZONE2SQL=${ZONE2SQL:-${PWD}/../pdns/zone2sql}
-export PDNSSEC=${PDNSSEC:-${PWD}/../pdns/pdnssec}
+export PDNSUTIL=${PDNSUTIL:-${PWD}/../pdns/pdnsutil}
export PDNSCONTROL=${PDNSCONTROL:-${PWD}/../pdns/pdns_control}
spectest=$1
export NSEC3DIG=${NSEC3DIG:-${PWD}/../pdns/nsec3dig}
export SAXFR=${SAXFR:-${PWD}/../pdns/saxfr}
export ZONE2SQL=${ZONE2SQL:-${PWD}/../pdns/zone2sql}
-export PDNSSEC=${PDNSSEC:-${PWD}/../pdns/pdnssec}
+export PDNSUTIL=${PDNSUTIL:-${PWD}/../pdns/pdnsutil}
export PDNSCONTROL=${PDNSCONTROL:-${PWD}/../pdns/pdns_control}
fi
if [ "${zone: 0:16}" = "secure-delegated" ]
then
- $PDNSSEC --config-dir=. $configname import-zone-key $zone $zone.private ksk 2>&1
- $PDNSSEC --config-dir=. $configname add-zone-key $zone 1024 zsk 2>&1
- keyid=`$PDNSSEC --config-dir=. $configname show-zone $zone | grep ZSK | cut -d' ' -f3`
- $PDNSSEC --config-dir=. $configname activate-zone-key $zone $keyid 2>&1
- $PDNSSEC --config-dir=. $configname rectify-zone $zone 2>&1
- $PDNSSEC --config-dir=. $configname set-publish-cds $zone 2>&1
- $PDNSSEC --config-dir=. $configname set-publish-cdnskey $zone 2>&1
+ $PDNSUTIL --config-dir=. $configname import-zone-key $zone $zone.private ksk 2>&1
+ $PDNSUTIL --config-dir=. $configname add-zone-key $zone 1024 zsk 2>&1
+ keyid=`$PDNSUTIL --config-dir=. $configname show-zone $zone | grep ZSK | cut -d' ' -f3`
+ $PDNSUTIL --config-dir=. $configname activate-zone-key $zone $keyid 2>&1
+ $PDNSUTIL --config-dir=. $configname rectify-zone $zone 2>&1
+ $PDNSUTIL --config-dir=. $configname set-publish-cds $zone 2>&1
+ $PDNSUTIL --config-dir=. $configname set-publish-cdnskey $zone 2>&1
else
# check if PKCS#11 should be used
if [ "$pkcs11" -eq 1 ]; then
slot=$((slot+1))
fi
sudo softhsm --init-token --slot $slot --label label$slot --pin 123$slot --so-pin 123$slot
- kid=`$PDNSSEC --config-dir=. $configname hsm assign $zone rsasha256 ksk softhsm label$slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
+ kid=`$PDNSUTIL --config-dir=. $configname hsm assign $zone rsasha256 ksk softhsm label$slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
# keep this until #1413 is merged
- kid=`$PDNSSEC --config-dir=. $configname show-zone $zone | grep 'ID =.*KSK' | awk '{ print $3 }'`
- $PDNSSEC --config-dir=. $configname hsm create-key $zone $kid
+ kid=`$PDNSUTIL --config-dir=. $configname show-zone $zone | grep 'ID =.*KSK' | awk '{ print $3 }'`
+ $PDNSUTIL --config-dir=. $configname hsm create-key $zone $kid
slot=$((slot+1))
sudo softhsm --init-token --slot $slot --label label$slot --pin 123$slot --so-pin 123$slot
- kid=`$PDNSSEC --config-dir=. $configname hsm assign $zone rsasha256 zsk softhsm label$slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
- kid=`$PDNSSEC --config-dir=. $configname show-zone $zone | grep 'ID =.*ZSK' | awk '{ print $3 }'`
- $PDNSSEC --config-dir=. $configname hsm create-key $zone $kid
+ kid=`$PDNSUTIL --config-dir=. $configname hsm assign $zone rsasha256 zsk softhsm label$slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
+ kid=`$PDNSUTIL --config-dir=. $configname show-zone $zone | grep 'ID =.*ZSK' | awk '{ print $3 }'`
+ $PDNSUTIL --config-dir=. $configname hsm create-key $zone $kid
else
- $PDNSSEC --config-dir=. $configname secure-zone $zone 2>&1
+ $PDNSUTIL --config-dir=. $configname secure-zone $zone 2>&1
fi
fi
}
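Review bot: `keyid` on the `keyid=\`$PDNSUTIL --config-dir=. $configname show-zone $zone | grep ZSK | cut -d' ' -f3\`` line is passed to the following `activate-zone-key $zone $keyid` call without checking that anything was extracted, so if show-zone fails or its output format shifts the command runs with no key id and the problem surfaces later as an unsigned test zone rather than at the point of the error. Since these lines are being rewritten anyway, I would use `keyid=$($PDNSUTIL --config-dir=. $configname show-zone $zone | grep ZSK | cut -d' ' -f3)` followed by `[ -n "$keyid" ] || { echo "no ZSK found for $zone" >&2; exit 1; }`. The same unchecked pattern applies to the two `kid=` extractions in the PKCS#11 branch of this hunk. The enclosing function starts outside the hunk, and I cannot see whether the script runs under `set -e`; that alone would not catch this case, because `cut` exits 0 even when grep matched nothing.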