From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Mon, 10 Jan 2011 07:51:58 +0000 (+0000)
Subject: show-zone output partially went to stderr
X-Git-Tag: auth-3.0~396
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7ddd79a776e0ac4ee01453606a78a81c39bedd0f;p=pdns

show-zone output partially went to stderr
we can now roundtrip a zone via export-zone-key and import-zone-key and things remain identical!
reinstated the check-zone command


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1851 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 9d8faca62..6d5e997cb 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -54,13 +54,14 @@ void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, int algorithm
   DNSSECPrivateKey dpk;
   dpk.d_key.create(bits); 
   dpk.d_algorithm = algorithm;
-  addKey(name, keyOrZone, dpk, active);
+  dpk.d_flags = keyOrZone ? 257 : 256;
+  addKey(name, dpk, active);
 }
 
-void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, const DNSSECPrivateKey& dpk, bool active)
+void DNSSECKeeper::addKey(const std::string& name, const DNSSECPrivateKey& dpk, bool active)
 {
   DNSBackend::KeyData kd;
-  kd.flags = 256 + keyOrZone;
+  kd.flags = dpk.d_flags; // the dpk doesn't get stored, only they key part
   kd.active = active;
   kd.content = dpk.d_key.convertToISC(dpk.d_algorithm);
  // now store it
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 2f87ffc62..f004e0698 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -124,7 +124,7 @@ public:
   keyset_t getKeys(const std::string& zone, boost::tribool allOrKeyOrZone = boost::indeterminate);
   DNSSECPrivateKey getKeyById(const std::string& zone, unsigned int id);
   void addKey(const std::string& zname, bool keyOrZone, int algorithm=5, int bits=0, bool active=true);
-  void addKey(const std::string& zname, bool keyOrZone, const DNSSECPrivateKey& dpk, bool active=true);
+  void addKey(const std::string& zname, const DNSSECPrivateKey& dpk, bool active=true);
   void removeKey(const std::string& zname, unsigned int id);
   void activateKey(const std::string& zname, unsigned int id);
   void deactivateKey(const std::string& zname, unsigned int id);
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 0a1faf42b..8adb374ac 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -142,7 +142,6 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
 
 void checkZone(DNSSECKeeper& dk, const std::string& zone)
 {
-  reportAllTypes();  
   UeberBackend* B = new UeberBackend("default");
   SOAData sd;
   
@@ -150,7 +149,6 @@ void checkZone(DNSSECKeeper& dk, const std::string& zone)
     cerr<<"No SOA!"<<endl;
     return;
   } 
-  cerr<<"ID: "<<sd.domain_id<<endl;
   sd.db->list(zone, sd.domain_id);
   DNSResourceRecord rr;
   uint64_t numrecords=0, numerrors=0;
@@ -158,7 +156,10 @@ void checkZone(DNSSECKeeper& dk, const std::string& zone)
   while(sd.db->get(rr)) {
     if(rr.qtype.getCode() == QType::MX) 
       rr.content = lexical_cast<string>(rr.priority)+" "+rr.content;
-      
+    if(rr.auth == 0 && rr.qtype.getCode()!=QType::NS && rr.qtype.getCode()!=QType::A)
+    {
+      cerr<<"Following record is auth=0, run pdnssec rectify-zone?: "<<rr.qname<<" IN " <<rr.qtype.getName()<< " " << rr.content<<endl;
+    }
     try {
       shared_ptr<DNSRecordContent> drc(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content));
       string tmp=drc->serialize(rr.qname);
@@ -181,9 +182,9 @@ void showZone(DNSSECKeeper& dk, const std::string& zone)
   dk.getNSEC3PARAM(zone, &ns3pr, &narrow);
   
   if(ns3pr.d_salt.empty()) 
-    cerr<<"Zone has NSEC semantics"<<endl;
+    cout<<"Zone has NSEC semantics"<<endl;
   else
-    cerr<<"Zone has " << (narrow ? "NARROW " : "") <<"hashed NSEC3 semantics, configuration: "<<ns3pr.getZoneRepresentation()<<endl;
+    cout<<"Zone has " << (narrow ? "NARROW " : "") <<"hashed NSEC3 semantics, configuration: "<<ns3pr.getZoneRepresentation()<<endl;
   
   DNSSECKeeper::keyset_t keyset=dk.getKeys(zone);
 
@@ -230,12 +231,14 @@ try
     cerr<<"Usage: \npdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key] [deactivate-zone-key] [remove-zone-key] [activate-zone-key]\n";
     cerr<<"         [import-zone-key] [export-zone-key] [set-nsec3] [unset-nsec3] [export-zone-dnskey]\n\n";
     cerr<<"activate-zone-key ZONE KEY-ID   Activate the key with key id KEY-ID in ZONE\n";
-    cerr<<"add-zone-key ZONE [zsk|ksk] \n";
-    cerr<<"  [bits] [rsasha1|rsasha256]    Add a ZSK or KSK to a zone\n";
+    cerr<<"add-zone-key ZONE [zsk|ksk]     Add a ZSK or KSK to a zone\n";
+    cerr<<"  [bits] [rsasha1|rsasha256]    and specify algorithm & bits\n";
+    cerr<<"check-zone ZONE                 Check a zone for correctness\n";
     cerr<<"deactivate-zone-key             Dectivate the key with key id KEY-ID in ZONE\n";
     cerr<<"export-zone-dnskey ZONE KEY-ID  Export to stdout the public DNSKEY described\n";
     cerr<<"export-zone-key ZONE KEY-ID     Export to stdout the private key described\n";
-    cerr<<"import-zone-key ZONE FILE       Import from a file a private KSK\n";            
+    cerr<<"import-zone-key ZONE FILE       Import from a file a private key, ZSK or KSK\n";            
+    cerr<<"                [ksk|zsk]       Defaults to KSK\n";
     cerr<<"rectify-zone ZONE               Fix up DNSSEC fields (order, auth)\n";
     cerr<<"remove-zone-key ZONE KEY-ID     Remove key with KEY-ID from ZONE\n";
     cerr<<"secure-zone                     Add KSK and two ZSKs\n";
@@ -359,6 +362,12 @@ try
     dk.unsetNSEC3PARAM(cmds[1]);
   }
   else if(cmds[0]=="export-zone-key") {
+    if(cmds.size() < 3) {
+      cerr<<"Syntax: pdnssec export-zone-key zone-name id"<<endl;
+      cerr<<cmds.size()<<endl;
+      exit(1);
+    }
+
     string zone=cmds[1];
     unsigned int id=atoi(cmds[2].c_str());
     DNSSECPrivateKey dpk=dk.getKeyById(zone, id);
@@ -366,14 +375,19 @@ try
   }  
   else if(cmds[0]=="import-zone-key") {
     if(cmds.size() < 3) {
-      cerr<<"Syntax: pdnssec import-zone-key zone-name filename"<<endl;
+      cerr<<"Syntax: pdnssec import-zone-key zone-name filename [zsk|ksk]"<<endl;
       exit(1);
     }
     string zone=cmds[1];
     string fname=cmds[2];
     DNSSECPrivateKey dpk;
-    getRSAKeyFromISC(&dpk.d_key.getContext(), fname.c_str());
-    dpk.d_algorithm = 5;
+    DNSKEYRecordContent drc = getRSAKeyFromISC(&dpk.d_key.getContext(), fname.c_str());
+    dpk.d_algorithm = drc.d_algorithm;
+    
+    if(dpk.d_algorithm == 7)
+      dpk.d_algorithm = 5;
+      
+    cerr<<(int)dpk.d_algorithm<<endl;
     
     if(cmds.size() > 3) {
       if(pdns_iequals(cmds[3], "ZSK"))
@@ -388,9 +402,14 @@ try
     else
       dpk.d_flags = 257; 
       
-    dk.addKey(zone, true, dpk); // add a KSK
+    dk.addKey(zone, dpk); 
   }
   else if(cmds[0]=="export-zone-dnskey") {
+    if(cmds.size() < 3) {
+      cerr<<"Syntax: pdnssec export-zone-dnskey zone-name id"<<endl;
+      exit(1);
+    }
+
     string zone=cmds[1];
     unsigned int id=atoi(cmds[2].c_str());
     DNSSECPrivateKey dpk=dk.getKeyById(zone, id);
@@ -399,7 +418,6 @@ try
       cout << zone << " IN DS "<<makeDSFromDNSKey(zone, dpk.getDNSKEY(), 1).getZoneRepresentation() << endl;
       cout << zone << " IN DS "<<makeDSFromDNSKey(zone, dpk.getDNSKEY(), 2).getZoneRepresentation() << endl;
     }
-      
   }
   else {
     cerr<<"Unknown command '"<<cmds[0]<<"'\n";