From: Bert Hubert Date: Thu, 6 Jan 2011 21:23:07 +0000 (+0000) Subject: more documentation, plus add importing as zsk, ksk, plus adding a zsk or ksk and... X-Git-Tag: auth-3.0~422 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=36c394e512772aa92a44d42110daea79765348a4;p=pdns more documentation, plus add importing as zsk, ksk, plus adding a zsk or ksk and specifying bitsize git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1825 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml index 95d29da96..76965e700 100644 --- a/pdns/docs/pdns.sgml +++ b/pdns/docs/pdns.sgml @@ -9053,7 +9053,10 @@ $ pdnssec rectify-zone tool can be used to fill out keying details, and 'rectify' the auth and ordername fields. - In short, 'pdnssec secure-zone powerdnssec.org && pdnssec rectify-zone powerdnssec.org' will deliver a correctly NSEC signed zone. + In short, 'pdnssec secure-zone powerdnssec.org ; pdnssec rectify-zone powerdnssec.org' will deliver a correctly NSEC signed zone. + + + In addition, so will the 'zone2sql' import tool when run with the '--dnssec' flag.
@@ -9105,8 +9108,7 @@ $ pdnssec rectify-zone add-zone-key ZONE [ksk|zsk] [bits] - Create a new key for zone ZONE, and make it a KSK or a ZSK. WARNING: Only ZSK is supported right now, no 'KSK' or 'ZSK' should - be passed on the command line. WARNING: 'bits' defaults to 1024 for now and can't be passed on the command line yet. + Create a new key for zone ZONE, and make it a KSK or a ZSK. @@ -9140,7 +9142,8 @@ $ pdnssec rectify-zone Import from 'filename' a full (private) key for zone called ZONE. The format - used is compatible with BIND and NSD/LDNS. WARNING: defaults to a KSK, option is ignored right now. + used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this + key should have on import. @@ -9254,6 +9257,35 @@ $ pdnssec rectify-zone
+
+ Rules for filling out fields in database backends + + The BIND Backend automates all the steps outlined below, and does not need 'manual' help + + + For DNSSEC, two additional fields are important: 'auth' and 'ordername'. These fields are set correctly + on an incoming zone transfer, and also by running 'pdnssec rectify-zone', or 'zone2sql' with the --dnssec flag. + + The 'auth' field should be set to '1' for + data for which is itself authoritative, which includes the SOA record and its own NS records. + + + The 'auth' field should be 0 however for NS records which are used for delegation, and also for any glue records + present for this purpose. + + + The 'ordername' field needs to be filled out depending on the NSEC/NSEC3 mode. When running in NSEC3 'Narrow' mode, + the ordername field is ignored and best left empty. + + + In 'NSEC' mode, it should contain the relative part of a domain name, in reverse order, with dots replaced + by spaces. So 'www.uk.powerdnssec.org' in the 'powerdnssec.org' zone should have 'uk www' as its ordername. + + + In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex encoded representation of the salted & iterated hash + of the full record name. + +
Security diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc index a24e928e0..c6657c919 100644 --- a/pdns/pdnssec.cc +++ b/pdns/pdnssec.cc @@ -282,9 +282,24 @@ try } else if(cmds[0] == "add-zone-key") { const string& zone=cmds[1]; - // need to get algorithm & ksk or zsk from commandline - cerr<<"Adding a ZSK"<
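Review bot: replacing '&&' with ';' between 'pdnssec secure-zone' and 'pdnssec rectify-zone' in the pdns.sgml hunk at line 9053 changes what the example does: with ';' the rectify step runs even when secure-zone has failed, so a reader pasting the line can end up with rectified 'auth' and 'ordername' fields but no keys. If the '&&' was dropped because a bare '&' starts an entity reference in SGML, write it as '&amp;&amp;' instead; that renders as '&&' and keeps the stop-on-failure behaviour.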
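Review bot: after the two WARNING sentences are deleted, the add-zone-key description (pdns.sgml hunk at line 9105) no longer documents the optional [bits] argument that its synopsis 'add-zone-key ZONE [ksk|zsk] [bits]' still lists. State what key size is used when [bits] is omitted (the removed text said 1024, so say whether that is still the default) and whether [bits] can be given without [ksk|zsk], so the synopsis and the description stay in step.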
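Review bot: the new sentence 'KSK or ZSK specifies the flags this key should have on import' (pdns.sgml hunk at line 9140) drops the default that the old text stated ('defaults to a KSK') without replacing it. Say what flags the imported key gets when neither KSK nor ZSK is given; otherwise an operator importing a BIND or NSD/LDNS key has to inspect the resulting DNSKEY to learn whether it became a KSK (SEP flag set, flags 257) or a ZSK (flags 256).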
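Review bot: in the new 'Rules for filling out fields in database backends' section (pdns.sgml hunk at line 9254), the sentence "The 'auth' field should be set to '1' for data for which is itself authoritative" is missing its subject and should read "data for which the zone is itself authoritative". Two smaller points in the same hunk: 'salted & iterated hash' uses a bare '&' in SGML source, which should be '&amp;', and the opening sentence 'The BIND Backend automates all the steps outlined below, and does not need 'manual' help' would be clearer as 'does not need manual intervention'.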
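Review bot: 'const string& zone=cmds[1];' in the add-zone-key branch (pdnssec.cc hunk at line 282) indexes cmds without checking its size, and the command now takes two further optional arguments, [ksk|zsk] and [bits], according to the documentation hunk in the same commit. Guard with 'if(cmds.size() < 2)' before reading the zone and, for the optional arguments, accept only 'ksk'/'zsk' and a numeric bit size, printing a usage error for anything else rather than falling through to a default, so a typo such as 'zks' does not silently create a key with the wrong flags. The removed comment '// need to get algorithm & ksk or zsk from commandline' was the only mention of the algorithm; if the algorithm is still fixed rather than selectable, the add-zone-key documentation should say so.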