From: Pieter Lexis
Date: Tue, 3 Nov 2015 10:13:47 +0000 (+0100)
Subject: Rename pdnssec to pdnsutil
X-Git-Tag: dnsdist-1.0.0-alpha1~165^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fd5076c8a04f60030590f71f501a4fce326479d0;p=pdns
Rename pdnssec to pdnsutil
---
diff --git a/.travis.yml b/.travis.yml
index 0b4a2866b..5c4e2e4ac 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -114,7 +114,7 @@ script:
 - cd pdns
 - make -k -j 4 pdns_recursor
 - rm -f pdns_recursor
- - ./pdnssec test-algorithms
+ - ./pdnsutil test-algorithms
 - cd ..
 - ./build-scripts/dist-recursor
 - cd pdns/pdns-recursor-*/
diff --git a/build-scripts/build-auth-rpm b/build-scripts/build-auth-rpm
index 688cc0164..d33ef89b9 100755
--- a/build-scripts/build-auth-rpm
+++ b/build-scripts/build-auth-rpm
@@ -202,7 +202,7 @@ fi
 %files
 %doc COPYING README
 %{_bindir}/pdns_control
-%{_bindir}/pdnssec
+%{_bindir}/pdnsutil
 %{_bindir}/zone2ldap
 %{_bindir}/zone2sql
 %{_bindir}/zone2json
@@ -211,7 +211,7 @@ fi
 %{_mandir}/man1/pdns_server.1.gz
 %{_mandir}/man1/zone2sql.1.gz
 %{_mandir}/man1/zone2ldap.1.gz
-%{_mandir}/man1/pdnssec.1.gz
+%{_mandir}/man1/pdnsutil.1.gz
 %{_initrddir}/pdns
 %dir %{_libdir}/%{name}/
 %{_libdir}/%{name}/librandombackend.so
@@ -475,7 +475,7 @@ exit 0
 %files
 %doc COPYING README
 %{_bindir}/pdns_control
-%{_bindir}/pdnssec
+%{_bindir}/pdnsutil
 %{_bindir}/pdns-zone2ldap
 %{_bindir}/zone2sql
 %{_bindir}/zone2json
@@ -485,7 +485,7 @@ exit 0
 %{_mandir}/man1/pdns_server.1.gz
 %{_mandir}/man1/zone2sql.1.gz
 %{_mandir}/man1/pdns-zone2ldap.1.gz
-%{_mandir}/man1/pdnssec.1.gz
+%{_mandir}/man1/pdnsutil.1.gz
 %{_unitdir}/pdns.service
 %dir %{_libdir}/%{name}/
 %{_libdir}/%{name}/librandombackend.so
diff --git a/build-scripts/build-auth-semistatic b/build-scripts/build-auth-semistatic
index e7977e584..15672282e 100755
--- a/build-scripts/build-auth-semistatic
+++ b/build-scripts/build-auth-semistatic
@@ -67,11 +67,11 @@ backend'.
 %{_bindir}/pdns_control
 %{_bindir}/zone2sql
 %{_bindir}/zone2json
-%{_bindir}/pdnssec
+%{_bindir}/pdnsutil
 %{_mandir}/man1/pdns_control.1
 %{_mandir}/man1/pdns_server.1
 %{_mandir}/man1/zone2sql.1
-%{_mandir}/man1/pdnssec.1
+%{_mandir}/man1/pdnsutil.1
 %{_datadir}/doc/pdns/*.sql
 %dir %{_sysconfdir}/powerdns/
diff --git a/build-scripts/debian-authoritative/pdns-server.install b/build-scripts/debian-authoritative/pdns-server.install
index edbf68a10..70034d8db 100644
--- a/build-scripts/debian-authoritative/pdns-server.install
+++ b/build-scripts/debian-authoritative/pdns-server.install
@@ -1,6 +1,6 @@
 usr/bin/pdns_control
 usr/bin/zone2sql
-usr/bin/pdnssec
+usr/bin/pdnsutil
 usr/lib/*/pdns/libbindbackend.so*
 usr/lib/*/pdns/librandombackend.so*
 usr/sbin/pdns_server
diff --git a/build-scripts/debian-authoritative/pdns-server.manpages b/build-scripts/debian-authoritative/pdns-server.manpages
index d1c8b8c7f..a6704f761 100644
--- a/build-scripts/debian-authoritative/pdns-server.manpages
+++ b/build-scripts/debian-authoritative/pdns-server.manpages
@@ -1,4 +1,4 @@
 debian/tmp/usr/share/man/man1/pdns_control.1
 debian/tmp/usr/share/man/man1/pdns_server.1
 debian/tmp/usr/share/man/man1/zone2sql.1
-debian/tmp/usr/share/man/man1/pdnssec.1
+debian/tmp/usr/share/man/man1/pdnsutil.1
diff --git a/build-scripts/test-auth b/build-scripts/test-auth
index f6af18b9b..0ab9f04dc 100755
--- a/build-scripts/test-auth
+++ b/build-scripts/test-auth
@@ -21,7 +21,7 @@ export SDIG=/usr/bin/sdig
 export NSEC3DIG=/usr/bin/nsec3dig
 export SAXFR=/usr/bin/saxfr
 export ZONE2SQL=/usr/bin/zone2sql
-export PDNSSEC=/usr/bin/pdnssec
+export PDNSUTIL=/usr/bin/pdnsutil
 export PDNSCONTROL=/usr/bin/pdns_control
 export GEM_HOME=${PWD}/gems
diff --git a/contrib/selinux/pdns.fc b/contrib/selinux/pdns.fc
index 3e23a694d..871c11625 100644
--- a/contrib/selinux/pdns.fc
+++ b/contrib/selinux/pdns.fc
@@ -4,6 +4,6 @@
 /var/run/pdns\.controlsocket -s gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/pdns\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)
 /usr/bin/pdns_control -- gen_context(system_u:object_r:ndc_exec_t,s0)
-/usr/bin/pdnssec -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdnsutil -- gen_context(system_u:object_r:ndc_exec_t,s0)
 /var/(cache|lib)/pdns(/.*)? -- gen_context(system_u:object_r:named_cache_t,s0)
 /var/(cache|lib)/pdns(/.*)? -d gen_context(system_u:object_r:named_cache_t,s0)
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 4cef06922..10a402146 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -1,6 +1,6 @@
 MANPAGES_TARGET_AUTH = pdns_server.1 \
 pdns_control.1 \
- pdnssec.1 \
+ pdnsutil.1 \
 zone2ldap.1 \
 zone2sql.1
diff --git a/docs/manpages/pdns_server.1.md b/docs/manpages/pdns_server.1.md
index f64bf17ec..6f0d42f37 100644
--- a/docs/manpages/pdns_server.1.md
+++ b/docs/manpages/pdns_server.1.md
@@ -37,4 +37,4 @@ See the online documentation for all options
 To view more options that are available use this program.
 # SEE ALSO
-pdns_control(1), pdnssec(1), http://doc.powerdns.com/md/authoritative/
+pdns_control(1), pdnsutil(1), http://doc.powerdns.com/md/authoritative/
diff --git a/docs/manpages/pdnssec.1.md b/docs/manpages/pdnsutil.1.md
similarity index 93%
rename from docs/manpages/pdnssec.1.md
rename to docs/manpages/pdnsutil.1.md
index 384188359..cbbde8377 100644
--- a/docs/manpages/pdnssec.1.md
+++ b/docs/manpages/pdnsutil.1.md
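Review bot: The file-context entry in contrib/selinux/pdns.fc now matches only `/usr/bin/pdnsutil`, so the `ndc_exec_t` label on the renamed binary depends on the policy module being rebuilt and reloaded and the file being relabelled at upgrade time. On a host that still carries the previously installed module, the new binary would presumably get the default label for /usr/bin instead, and would then not run in the domain the policy intends for it. Nothing visible in this diff performs that step (the packaging hunks only swap the name in the file lists), so I would add a comment above the entry, `# renamed from pdnssec: reinstall this module and run restorecon on /usr/bin/pdnsutil after upgrading`, and repeat it in the upgrade notes. If a compatibility link under the old name is ever shipped, it would need its own entry in this file.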
@@ -1,17 +1,17 @@ -% PDNSSEC(1) PowerDNS DNSSEC command and control +% PDNSUTIL(1) PowerDNS DNSSEC command and control % Matthijs Möhlmann % November 2011 # NAME -pdnssec - PowerDNS dnssec command and control +pdnsutil - PowerDNS dnssec command and control # SYNOPSIS -pdnssec [OPTION]... *COMMAND* +pdnsutil [OPTION]... *COMMAND* # DESCRIPTION -**pdnssec** is a powerful command that is the operator-friendly gateway into -PowerDNSSEC configuration. Behind the scenes, **pdnssec** manipulates a PowerDNS -backend database, which also means that for many databases, **pdnssec** can be +**pdnsutil** is a powerful command that is the operator-friendly gateway into +PowerDNSSEC configuration. Behind the scenes, **pdnsutil** manipulates a PowerDNS +backend database, which also means that for many databases, **pdnsutil** can be run remotely, and can configure key material on different servers. # OPTIONS @@ -98,7 +98,7 @@ set-nsec3 *ZONE* '*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*' [**narrow**] Setting **narrow** will make PowerDNS send out "white lies" about the next secure record. Instead of looking it up in the database, it will send out the hash + 1 as the next secure record.

- A sample commandline is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow".

+ A sample commandline is: "pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow".

**WARNING**: If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update in the parent zone. @@ -185,7 +185,7 @@ rectify-zone *ZONE* secure-zone *ZONE* : Configures a zone called *ZONE* with reasonable DNSSEC settings. You should - manually run 'pdnssec rectify-zone' afterwards. + manually run 'pdnsutil rectify-zone' afterwards. set-meta *ZONE* *ATTRIBUTE* [*VALUE*] : Set domainmetadata *ATTRIBUTE* for *ZONE* to *VALUE*. An empty value clears it. diff --git a/docs/markdown/appendix/backend-writers-guide.md b/docs/markdown/appendix/backend-writers-guide.md index f046fe5b8..381026dc0 100644 --- a/docs/markdown/appendix/backend-writers-guide.md +++ b/docs/markdown/appendix/backend-writers-guide.md @@ -175,7 +175,7 @@ Please note that a RandomBackend is actually in most PDNS releases. By default i |uint32\_t ttl|Time To Live of this record| |int domain\_id| ID of the domain this record belongs to| |time\_t last\_modified| If unzero, last time\_t this record was changed| -|bool auth| Used for DNSSEC operations. See [DNSSEC](../authoritative/dnssec.md) and more specifically the [Migration](../authoritative/dnssec.md#migration) section. It is also useful to check out the `rectifyZone()` in pdnssec.cc| +|bool auth| Used for DNSSEC operations. See [DNSSEC](../authoritative/dnssec.md) and more specifically the [Migration](../authoritative/dnssec.md#migration) section. It is also useful to check out the `rectifyZone()` in pdnsutil.cc| |bool disabled|If set, this record is not to be served to DNS clients. Backends should not make these records available to PowerDNS unless indicated otherwise.| #### SOAData diff --git a/docs/markdown/authoritative/backend-oracle.md b/docs/markdown/authoritative/backend-oracle.md index 7294cc4ed..218f96bcf 100644 --- a/docs/markdown/authoritative/backend-oracle.md +++ b/docs/markdown/authoritative/backend-oracle.md 
@@ -222,7 +222,7 @@ ORDER BY md.meta_ind ``` ##### oracle-del-zone-metadata-query -Delete all metadata entries of type ':kind' for the zone called ':name'. You can skip this if you do not plan to manage zones with the `pdnssec` tool. Default: +Delete all metadata entries of type ':kind' for the zone called ':name'. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default: ``` DELETE FROM ZoneMetadata md @@ -231,7 +231,7 @@ AND md.meta_type = :kind ``` ##### oracle-set-zone-metadata-query -Create a metadata entry. You can skip this if you do not plan to manage zones with the `pdnssec` tool. Default: +Create a metadata entry. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default: ``` INSERT INTO ZoneMetadata (zone_id, meta_type, meta_ind, meta_content) @@ -261,14 +261,14 @@ WHERE z.name = lower(:name) ``` ##### oracle-del-zone-key-query -Delete a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnssec` tool. Default: +Delete a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default: ``` DELETE FROM ZoneDNSKeys WHERE id = :keyid ``` ##### oracle-add-zone-key-query -Add a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnssec` tool. Default: +Add a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default: ``` INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata) " @@ -282,7 +282,7 @@ VALUES ( ``` ##### oracle-set-zone-key-state-query -Enable or disable a DNSSEC signing key. You can skip this if you do not plan to manage zones with the **pdnssec** tool. Default: +Enable or disable a DNSSEC signing key. You can skip this if you do not plan to manage zones with the **pdnsutil** tool. Default: ``` UPDATE ZoneDNSKeys SET active = :active WHERE id = :keyid 
diff --git a/docs/markdown/authoritative/backend-pipe.md b/docs/markdown/authoritative/backend-pipe.md index dbd7a374a..c9b4f6968 100644 --- a/docs/markdown/authoritative/backend-pipe.md +++ b/docs/markdown/authoritative/backend-pipe.md @@ -169,7 +169,7 @@ DATA scopebits auth qname qclass qtype ttl id content For abi-versions 1 and 2, the two new fields fall back to default values. The default value for scopebits is 0. The default for auth is 1 (meaning authoritative). ## Direct backend commands -With abi-version 5 you can use [backend-cmd](dnssec.md#pdnssec) for executing commands on your backend. PowerDNS will use the following query/answer format +With abi-version 5 you can use [backend-cmd](dnssec.md#pdnsutil) for executing commands on your backend. PowerDNS will use the following query/answer format ``` CMD Whatever you wrote Answer goes here diff --git a/docs/markdown/authoritative/backend-remote.md b/docs/markdown/authoritative/backend-remote.md index c594323d3..2bb28c3c4 100644 --- a/docs/markdown/authoritative/backend-remote.md +++ b/docs/markdown/authoritative/backend-remote.md @@ -312,7 +312,7 @@ Content-Type: text/javascript; charset=utf-8 ``` ### `getDomainKeys` -Retrieves any keys of kind. The id, flags are unsigned integers, and active is boolean. Content must be valid key record in format that PowerDNS understands. You are encouraged to implement [the section called "addDomainKey"](#adddomainkey), as you can use [`pdnssec`](internals.md#pdnssec) to provision keys. +Retrieves any keys of kind. The id, flags are unsigned integers, and active is boolean. Content must be valid key record in format that PowerDNS understands. You are encouraged to implement [the section called "addDomainKey"](#adddomainkey), as you can use [`pdnsutil`](internals.md#pdnsutil) to provision keys. * Mandatory: for DNSSEC * Parameters: name, kind 
@@ -801,7 +801,7 @@ Content-Type: text/javascript; charset=utf-8 ``` ### `feedEnts` -This method is used by pdnssec rectify-zone to populate missing non-terminals. This is used when you have, say, record like \_sip.\_upd.example.com, but no \_udp.example.com. PowerDNS requires that there exists a non-terminal in between, and this instructs you to add one. If startTransaction is called, trxid identifies a transaction. +This method is used by pdnsutil rectify-zone to populate missing non-terminals. This is used when you have, say, record like \_sip.\_upd.example.com, but no \_udp.example.com. PowerDNS requires that there exists a non-terminal in between, and this instructs you to add one. If startTransaction is called, trxid identifies a transaction. * Mandatory: No * Parameters: nonterm, trxid @@ -1013,7 +1013,7 @@ Content-Type: text/javascript; charset=utf-8 ``` ### `directBackendCmd` -Can be used to send arbitrary commands to your backend using (backend-cmd)(dnssec.md#pdnssec). +Can be used to send arbitrary commands to your backend using (backend-cmd)(dnssec.md#pdnsutil). * Mandatory: no * Parameters: query diff --git a/docs/markdown/authoritative/dnssec.md b/docs/markdown/authoritative/dnssec.md index 93ee920be..d22f3c1ed 100644 --- a/docs/markdown/authoritative/dnssec.md +++ b/docs/markdown/authoritative/dnssec.md @@ -12,8 +12,8 @@ If a DNSSEC configuration is found for a domain, the PowerDNS daemon will provid As an example, securing an existing zone can be as simple as: ``` -$ pdnssec secure-zone powerdnssec.org -$ pdnssec rectify-zone powerdnssec.org +$ pdnsutil secure-zone powerdnssec.org +$ pdnsutil rectify-zone powerdnssec.org ``` Alternatively, PowerDNS can serve pre-signed zones, without knowledge of private keys. 
@@ -88,14 +88,14 @@ As a special feature, PowerDNSSEC can operate as a signing server which operates In this way, if keying material is available for an unsigned zone that is retrieved from a master server, this keying material will be used when serving data from this zone. -As part of the zone retrieval, the equivalent of 'pdnssec rectify-zone' is run to make sure that all DNSSEC-related fields are set correctly. +As part of the zone retrieval, the equivalent of 'pdnsutil rectify-zone' is run to make sure that all DNSSEC-related fields are set correctly. ## PowerDNSSEC BIND-mode operation Starting with PowerDNS 3.1, the bindbackend can manage keys in an SQLite3 database without launching a separate gsqlite3 backend. -To use this mode, add "bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3" to pdns.conf, and run "pdnssec create-bind-db /var/db/bind-dnssec-db.sqlite3". Then, restart PowerDNS. +To use this mode, add "bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3" to pdns.conf, and run "pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3". Then, restart PowerDNS. -After this, you can use "pdnssec secure-zone" and all other pdnssec commands on your BIND zones without trouble. +After this, you can use "pdnsutil secure-zone" and all other pdnsutil commands on your BIND zones without trouble. ## PowerDNSSEC hybrid BIND-mode operation **Warning**: This mode is only supported in 3.0, 3.0.1 and 3.4.0 and up! In 3.1 to 3.3.1, the bindbackend always did its own key storage. In 3.4.0 and up hybrid bind mode operation is optional and enabled with the bindbackend `hybrid` config option. 
@@ -113,7 +113,7 @@ To benefit from this mode, include at least one database-based backend in the 'l ## Rules for filling out fields in database backends **Note**: The BIND Backend automates all the steps outlined below, and does not need 'manual' help -In PowerDNS 3.0 and up, two additional fields are important: 'auth' and 'ordername'. These fields are set correctly on an incoming zone transfer, and also by running `pdnssec rectify-zone`. zone2sql with the --dnssec flag aims to do this too but there are minor bugs in there, so please run `pdnssec rectify-zone` after `zone2sql`. +In PowerDNS 3.0 and up, two additional fields are important: 'auth' and 'ordername'. These fields are set correctly on an incoming zone transfer, and also by running `pdnsutil rectify-zone`. zone2sql with the --dnssec flag aims to do this too but there are minor bugs in there, so please run `pdnsutil rectify-zone` after `zone2sql`. The 'auth' field should be set to '1' for data for which the zone itself is authoritative, which includes the SOA record and its own NS records. 
@@ -123,7 +123,7 @@ The 'ordername' field needs to be filled out depending on the NSEC/NSEC3 mode. W In 'NSEC' mode, it should contain the *relative* part of a domain name, in reverse order, with dots replaced by spaces. So 'www.uk.powerdnssec.org' in the 'powerdnssec.org' zone should have 'uk www' as its ordername. -In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex encoded representation of the salted & iterated hash of the full record name. **pdnssec hash-zone-record zone record** can be used to calculate this hash. +In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex encoded representation of the salted & iterated hash of the full record name. **pdnsutil hash-zone-record zone record** can be used to calculate this hash. In addition, from 3.2 and up, PowerDNS fully supports empty non-terminals. If you have a zone example.com, and a host a.b.c.example.com in it, rectify-zone (and the AXFR client code) will insert b.c.example.com and c.example.com in the records table with type NULL (SQL NULL, not 'NULL'). Having these entries provides several benefits. We no longer reply NXDOMAIN for these shorter names (this was an RFC violation but not one that caused trouble). But more importantly, to do NSEC3 correctly, we need to be able to prove existence of these shorter names. The type=NULL records entry gives us a place to store the NSEC3 hash of these names. 
@@ -137,15 +137,15 @@ This chapter discusses various migration strategies, from existing PowerDNS setu ## From an existing PowerDNS installation To migrate an existing database-backed PowerDNS installation, a few changes must be made to the database schema. First, the records table gains two new fields: 'auth' and 'ordername'. Some data in a zone, like glue records, should not be signed, and this is signified by setting 'auth' to 0. -**Warning**: Once the database schema has been updated, and the relevant `gsql-dnssec` switch has been set, stricter rules apply for filling out the database! The short version is: run `pdnssec rectify-all-zones`, even those not secured with DNSSEC! +**Warning**: Once the database schema has been updated, and the relevant `gsql-dnssec` switch has been set, stricter rules apply for filling out the database! The short version is: run `pdnsutil rectify-all-zones`, even those not secured with DNSSEC! Additionally, NSEC and NSEC3 in non-narrow mode require ordering data in order to perform (hashed) denial of existence. The 'ordername' field is used for this purpose. Finally, two new tables are needed. DNSSEC keying material is stored in the 'cryptokeys' table (in a portable standard format). Domain metadata is stored in the 'domainmetadata' table. This includes NSEC3 settings. -Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters or [the PowerDNSSEC wiki](http://wiki.powerdns.com/trac/wiki/PDNSSEC) for the update statements), the `pdnssec` tool can be used to fill out keying details, and 'rectify' the auth and ordername fields. +Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters or [the PowerDNSSEC wiki](http://wiki.powerdns.com/trac/wiki/PDNSUTIL) for the update statements), the `pdnsutil` tool can be used to fill out keying details, and 'rectify' the auth and ordername fields. 
-In short, `pdnssec secure-zone powerdnssec.org ; pdnssec rectify-zone powerdnssec.org` will deliver a correctly NSEC signed zone. +In short, `pdnsutil secure-zone powerdnssec.org ; pdnsutil rectify-zone powerdnssec.org` will deliver a correctly NSEC signed zone. In addition, so will the [`zone2sql`](migration.md#zone2sql) import tool when run with the `--dnssec` flag. 
@@ -156,12 +156,12 @@ TBD, see [Migration](migration.md). ## From existing DNSSEC non-PowerDNS setups, pre-signed Industry standard signed zones can be served natively by PowerDNS, without changes. In such cases, signing happens externally to PowerDNS, possibly via OpenDNSSEC, ldns-sign or dnssec-sign. -PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run `pdnssec set-presigned zone`. +PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run `pdnsutil set-presigned zone`. -**Warning** Right now, you will also need to configure NSEC(3) settings for pre-signed zones using `pdnssec set-nsec3`. Default is NSEC, in which case no further configuration is necessary. +**Warning** Right now, you will also need to configure NSEC(3) settings for pre-signed zones using `pdnsutil set-nsec3`. Default is NSEC, in which case no further configuration is necessary. ## From existing DNSSEC non-PowerDNS setups, live signing -The `pdnssec` tool features the option to import zone keys in the industry standard private key format, version 1.2. To import an existing KSK, use `pdnssec import-zone-key zonename filename KSK`, replace KSK by ZSK for a Zone Signing Key. +The `pdnsutil` tool features the option to import zone keys in the industry standard private key format, version 1.2. To import an existing KSK, use `pdnsutil import-zone-key zonename filename KSK`, replace KSK by ZSK for a Zone Signing Key. If all keys are imported using this tool, a zone will serve mostly identical records to before, with the important change that the RRSIG inception dates will be different. 
@@ -178,7 +178,7 @@ As elucidated above, there are several ways in which DNSSEC can deny the existen In order to facilitate interoperability with existing technologies, PowerDNSSEC keys can be imported and exported in industry standard formats. -Keys and hashes are configured using the 'pdnssec' tool, which is described next. +Keys and hashes are configured using the 'pdnsutil' tool, which is described next. ## (Hashed) Denial of Existence 
@@ -201,17 +201,17 @@ Precisely speaking, the time period used is always from the start of the previou **Note**: Why Thursday? POSIX-based operating systems count the time since GMT midnight January 1st of 1970, which was a Thursday. PowerDNS inception/expiration times are generated based on an integral number of weeks having passed since the start of the 'epoch'. -# `pdnssec` -`pdnssec` is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, `pdnssec` manipulates a PowerDNS backend database, which also means that for many databases, `pdnssec` can be run remotely, and can configure key material on different servers. +# `pdnsutil` +`pdnsutil` is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, `pdnsutil` manipulates a PowerDNS backend database, which also means that for many databases, `pdnsutil` can be run remotely, and can configure key material on different servers. -For a list of available commands, see the [manpage](../manpages/pdnssec.1.md). +For a list of available commands, see the [manpage](../manpages/pdnsutil.1.md). # DNSSEC advice & precautions DNSSEC is a major change in the way DNS works. Furthermore, there is a bewildering array of settings that can be configured. It is well possible to configure DNSSEC in such a way that your domain will not operate reliably, or even, at all. -We advise operators to stick to the keying defaults of `pdnssec secure-zone`: RSASHA256 (algorithm 8), 1 Key Signing Key of 2048 bits and 1 active Zone Signing Key of 1024 bits. +We advise operators to stick to the keying defaults of `pdnsutil secure-zone`: RSASHA256 (algorithm 8), 1 Key Signing Key of 2048 bits and 1 active Zone Signing Key of 1024 bits. While the 'GOST' and 'ECDSA' algorithms are better choices in theory, not many DNSSEC resolvers can validate answers signed with such keys. 
Much the same goes for RSASHA512, except that it does not offer better performance either. 
@@ -240,44 +240,44 @@ In addition, the larger your DNS answers, the more critical the above becomes. I In this chapter various DNSSEC transitions are discussed, and how to execute them within PowerDNSSEC. ## Publishing a DS -To publish a DS to a parent zone, utilize 'pdnssec show-zone' and take the DS from its output, and transfer it securely to your parent zone. +To publish a DS to a parent zone, utilize 'pdnsutil show-zone' and take the DS from its output, and transfer it securely to your parent zone. ## ZSK rollover ``` -$ pdnssec activate-zone-key ZONE next-key-id -$ pdnssec deactivate-zone-key ZONE prev-key-id -$ pdnssec remove-zone-key ZONE prev-key-id +$ pdnsutil activate-zone-key ZONE next-key-id +$ pdnsutil deactivate-zone-key ZONE prev-key-id +$ pdnsutil remove-zone-key ZONE prev-key-id ``` ## KSK rollover ``` -pdnssec add-zone-key ZONE ksk -pdnssec show-zone ZONE +pdnsutil add-zone-key ZONE ksk +pdnsutil show-zone ZONE ``` Communicate duplicate DS ``` -pdnssec activate-zone-key ZONE next-key-id -pdnssec deactivate-zone-key ZONE prev-key-id -pdnssec remove-zone-key ZONE prev-key-id +pdnsutil activate-zone-key ZONE next-key-id +pdnsutil deactivate-zone-key ZONE prev-key-id +pdnsutil remove-zone-key ZONE prev-key-id ``` ## Going insecure -`pdnssec disable-dnssec ZONE` +`pdnsutil disable-dnssec ZONE` ## NSEC(3) change This section describes how to change NSEC(3) parameters when they are already set. **Warning**: The following instructions might not be correct or complete! ``` -pdnssec set-nsec3 ZONE 'parameters' -pdnssec show-zone ZONE +pdnsutil set-nsec3 ZONE 'parameters' +pdnsutil show-zone ZONE ``` Communicate duplicate DS. -For further details, please see [the `pdnssec`](#pdnssec) documentation. +For further details, please see [the `pdnsutil`](#pdnsutil) documentation. # PKCS\#11 support **Note**: This feature is experimental, and not ready for production. Use at your own risk! 
@@ -319,13 +319,13 @@ Instructions on how to setup SoftHSM to work with the feature after compilation - Assign the keys using (note that token label is not necessarely same as object label, see p11-kit -l) ``` - pdnssec hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk + pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk ``` - Verify that everything worked, you should see valid data there ``` - pdnssec show-zone zone + pdnsutil show-zone zone ``` - SoftHSM signatures are fast enough to be used in live environment. @@ -390,13 +390,13 @@ Instructions on how to use CryptAS [`Athena IDProtect Key USB Token V2J`](http:/ - Assign the keys using ``` - pdnssec hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk + pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk ``` - Verify that everything worked, you should see valid data there. ``` - pdnssec show-zone zone + pdnsutil show-zone zone ``` - Note that the physical token is pretty slow, so you have to use it as hidden master. It has been observed to produce about 1.5signatures/second. diff --git a/docs/markdown/authoritative/domainmetadata.md b/docs/markdown/authoritative/domainmetadata.md index 7024c8ec4..4530927fa 100644 --- a/docs/markdown/authoritative/domainmetadata.md +++ b/docs/markdown/authoritative/domainmetadata.md 
@@ -48,20 +48,20 @@ Script to be used to edit incoming AXFRs, see [Modifying a slave zone using a sc ## NSEC3NARROW Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode. See -`set-nsec3` for [`pdnssec`](dnssec.md#pdnssec). +`set-nsec3` for [`pdnsutil`](dnssec.md#pdnsutil). ## NSEC3PARAM NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not present, zones default to NSEC. See -`set-nsec3` in [`pdnssec`](dnssec.md#pdnssec). Example content: "1 0 1 ab". +`set-nsec3` in [`pdnsutil`](dnssec.md#pdnsutil). Example content: "1 0 1 ab". ## PRESIGNED This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS sets this flag automatically upon incoming zone transfers (AXFR) if it detects DNSSEC records in the zone. However, if you import a presigned zone using `zone2sql` or -`pdnssec load-zone` you must explicitly set the zone to be `PRESIGNED`. Note that +`pdnsutil load-zone` you must explicitly set the zone to be `PRESIGNED`. Note that PowerDNS will not be able to correctly serve the zone if the imported data is -bogus or incomplete. Also see `set-presigned` in [`pdnssec`](dnssec.md#pdnssec). +bogus or incomplete. Also see `set-presigned` in [`pdnsutil`](dnssec.md#pdnsutil). ## PUBLISH_CDNSKEY, PUBLISH_CDS Whether to publish CDNSKEY and/or CDS recording defined in [RFC 7344](https://tools.ietf.org/html/rfc7344). 
@@ -71,7 +71,7 @@ To publish CDNSKEY records of the KSKs for the zone, set `PUBLISH_CDNSKEY` to `1 To publish CDS records for the KSKs in the zone, set `PUBLISH_CDS` to a comma- separated list of [signature algorithm numbers](http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1). -This metadata can also be set using the [`pdnssec`](dnssec.md#pdnssec) options +This metadata can also be set using the [`pdnsutil`](dnssec.md#pdnsutil) options `set-publish-cdnskey` and `set-publish-cds`. For an example for an RFC 7344 key rollover, see the [CDS and CDNSKEY howto](howtos.md#cds-dnskey-key-rollover). diff --git a/docs/markdown/authoritative/howtos.md b/docs/markdown/authoritative/howtos.md index 5fb51c64a..a6c07bb7e 100644 --- a/docs/markdown/authoritative/howtos.md +++ b/docs/markdown/authoritative/howtos.md 
@@ -1,29 +1,29 @@ # CDS & CDNSKEY Key Rollover If the upstream registry supports [RFC 7344](https://tools.ietf.org/html/rfc7344) -key rollovers you can use several [`pdnssec`](dnssec.md#pdnssec) commands to do +key rollovers you can use several [`pdnsutil`](dnssec.md#pdnsutil) commands to do this rollover. This HowTo follows the rollover example from the RFCs [Appendix B](https://tools.ietf.org/html/rfc7344#appendix-B). We assume the zone name is example.com and is already DNSSEC signed. -Start by adding a new KSK to the zone: `pdnssec add-zone-key example.com ksk 2048 passive`. +Start by adding a new KSK to the zone: `pdnsutil add-zone-key example.com ksk 2048 passive`. The "passive" means that the key is not used to sign any ZSK records. This limits the size of `ANY` and DNSKEY responses. -Publish the CDS records: `pdnssec set-publish-cds example.com`, these records +Publish the CDS records: `pdnsutil set-publish-cds example.com`, these records will tell the parent zone to update its DS records. Now wait for the DS records to be updated in the parent zone. -Once the DS records are updated, do the actual key-rollover: `pdnssec activate-zone-key example.com new-key-id` -and `pdnssec deactivate-zone-key example.com old-key-id`. You can get the `new-key-id` -and `old-key-id` by listing them through `pdnssec show-zone example.com`. +Once the DS records are updated, do the actual key-rollover: `pdnsutil activate-zone-key example.com new-key-id` +and `pdnsutil deactivate-zone-key example.com old-key-id`. You can get the `new-key-id` +and `old-key-id` by listing them through `pdnsutil show-zone example.com`. After the rollover, wait *at least* until the TTL on the DNSKEY records have expired so validating resolvers won't mark the zone as BOGUS. When the wait is -over, delete the old key from the zone: `pdnssec remove-zone-key example.com old-key-id`. +over, delete the old key from the zone: `pdnsutil remove-zone-key example.com old-key-id`. 
This updates the CDS records to reflect only the new key. Wait for the parent to pick up on the CDS change. Once the upstream DS records show only the DS records for the new KSK, you may disable sending out the CDS -responses: `pdnssec unset-pushish-cds example.com`. +responses: `pdnsutil unset-pushish-cds example.com`. Done! diff --git a/docs/markdown/authoritative/migration.md b/docs/markdown/authoritative/migration.md index f4e66e219..8699376f3 100644 --- a/docs/markdown/authoritative/migration.md +++ b/docs/markdown/authoritative/migration.md @@ -4,7 +4,7 @@ Before migrating to PowerDNS a few things should be considered. PowerDNS does not operate as a 'slave' or 'master' server with all backends. Only the [Generic SQL](backend-generic-mypgsql.md), [BIND](backend-bind.md) backends have the ability to act as master or slave. -To migrate, the `zone2sql` tool is provided. There are also scripts from external contributors for migrating from `MyDNS` server. See https://github.com/PowerDNS/pdns/wiki/Migrating-DBs-FROM-MyDNS for details. There is also tool in pdnssec to migrate using various backends, most notably bind and mydns. See below for more information. +To migrate, the `zone2sql` tool is provided. There are also scripts from external contributors for migrating from `MyDNS` server. See https://github.com/PowerDNS/pdns/wiki/Migrating-DBs-FROM-MyDNS for details. There is also tool in pdnsutil to migrate using various backends, most notably bind and mydns. See below for more information. Additionally, the PowerDNS source comes with a number of diagnostic tools, which can be helpful in verifying proper PowerDNS operation, versus incumbent nameservers. See [Tools to analyse DNS traffic](../tools/analysis.md) for more details. 
@@ -60,7 +60,7 @@ When parsing a single zone without $ORIGIN statement, set this as the zone name. NB! This is experimental feature. -Syntax: `pdnssec b2b-migrate old new` +Syntax: `pdnsutil b2b-migrate old new` This tool lets you migrate data from one backend to another, it moves all data, including zones, metadata and crypto keys (if present). Some example use cases are moving from Bind style zonefiles to SQL based, or other way around, or moving from MyDNS to gMySQL. @@ -77,8 +77,8 @@ Take backups of everything. Configure both backends to pdns.conf, if you have source configured, you can just add target backend. **DO NOT RESTART AUTH SERVER BEFORE YOU HAVE FINISHED** -Then run `pdnssec b2b-migrate old new`, the old and new being configuration prefixes in pdns.conf. If something goes wrong, make sure you properly clear **ALL** data from target backend before retrying. +Then run `pdnsutil b2b-migrate old new`, the old and new being configuration prefixes in pdns.conf. If something goes wrong, make sure you properly clear **ALL** data from target backend before retrying. -Remove (or comment out) old backend from pdns.conf, and run `pdnssec rectify-all-zones` and `pdnssec check-all-zones` to make sure everything is OK. +Remove (or comment out) old backend from pdns.conf, and run `pdnsutil rectify-all-zones` and `pdnsutil check-all-zones` to make sure everything is OK. If everything is OK, then go ahead to restart your pdns auth process. Check logs to make sure everything went ok. diff --git a/docs/markdown/authoritative/settings.md b/docs/markdown/authoritative/settings.md index 97e312958..90c752a60 100644 --- a/docs/markdown/authoritative/settings.md +++ b/docs/markdown/authoritative/settings.md @@ -119,7 +119,7 @@ Operate as a daemon. * Default: rsasha256 The algorithm that should be used for the KSK when running -[`pdnssec secure-zone`](internals.md#pdnssec). +[`pdnsutil secure-zone`](internals.md#pdnsutil). Must be one of: * rsamd5 * dh 
@@ -138,7 +138,7 @@ Must be one of: * Default: whichever is default for `default-ksk-algorithms` The default keysize for the KSK generated with -[`pdnssec secure-zone`](internals.md#pdnssec). +[`pdnsutil secure-zone`](internals.md#pdnsutil). ## `default-soa-name` * String @@ -176,7 +176,7 @@ TTL to use when none is provided. * Default: rsasha256 The algorithm that should be used for the ZSK when running -[`pdnssec secure-zone`](internals.md#pdnssec). +[`pdnsutil secure-zone`](internals.md#pdnsutil). Must be one of: * rsamd5 * dh @@ -195,7 +195,7 @@ Must be one of: * Default: whichever is default for `default-zsk-algorithms` The default keysize for the ZSK generated with -[`pdnssec secure-zone`](internals.md#pdnssec). +[`pdnsutil secure-zone`](internals.md#pdnsutil). ## `direct-dnskey` * Boolean diff --git a/docs/markdown/authoritative/upgrading.md b/docs/markdown/authoritative/upgrading.md index 5dd2ceb6f..b165303dd 100644 --- a/docs/markdown/authoritative/upgrading.md +++ b/docs/markdown/authoritative/upgrading.md @@ -4,7 +4,7 @@ Before proceeding, it is advised to check the release notes for your PDNS versio # 3.X.X to 3.3.2 -Please run "pdnssec rectify-all-zones" and trigger an AXFR for all DNSSEC +Please run "pdnsutil rectify-all-zones" and trigger an AXFR for all DNSSEC zones to make sure you benefit from all the compliance improvements present in this version. @@ -208,7 +208,7 @@ For PostgreSQL: alter table supermasters alter column ip type VARCHAR(64); ``` -`pdnssec secure-zone` now creates one KSK and one ZSK, instead of two ZSKs. +`pdnsutil secure-zone` now creates one KSK and one ZSK, instead of two ZSKs. The 'rec\_name\_index' index was dropped from the gmysql schema, as it was superfluous. 
@@ -225,7 +225,7 @@ drop index orderindex on records; create index recordorder on records (domain_id, ordername); ``` -You can test the BINARY change with the new and experimental 'pdnssec test-schema' command. For PostgreSQL, there are no real schema changes, but our indexes turned out to be inefficient, especially given the changed ordername queries in 3.2. Changes: +You can test the BINARY change with the new and experimental 'pdnsutil test-schema' command. For PostgreSQL, there are no real schema changes, but our indexes turned out to be inefficient, especially given the changed ordername queries in 3.2. Changes: ``` drop index orderindex; 
@@ -286,7 +286,7 @@ Q: Can 3.x versions read the 2.9 pre-DNSSEC database schema? A: Yes, as long as the relevant '-dnssec' setting is not enabled. These settings are typically called 'gmysql-dnssec', 'gpgsql-dnssec', 'gsqlite3-dnssec'. If this setting IS enabled, 3.x expects the new schema to be in place. Q: If I run 3.0 with the new schema, and I have set '-dnssec', do I need to rectify my zones? -A: Yes. If the '-dnssec' setting is enabled, PowerDNS expects the 'auth' field to be filled out correctly. When slaving zones this happens automatically. For other zones, run 'pdnssec rectify-zone zonename'. Even if a zone is not DNSSEC secured, as long as the new schema is in place, the zone must be rectified (or at least have the 'auth' field set correctly). +A: Yes. If the '-dnssec' setting is enabled, PowerDNS expects the 'auth' field to be filled out correctly. When slaving zones this happens automatically. For other zones, run 'pdnsutil rectify-zone zonename'. Even if a zone is not DNSSEC secured, as long as the new schema is in place, the zone must be rectified (or at least have the 'auth' field set correctly). Q: I want to fill out the 'auth' and 'ordername' fields directly, how do I do this? A: The 'auth' field should be '1' or 'true' for all records that are within your zone. For a zone without delegations, this means 'auth' should always be set. If you have delegations, both the NS records for that delegation and possible glue records for it should not have 'auth' set. diff --git a/docs/markdown/httpapi/api_spec.md b/docs/markdown/httpapi/api_spec.md index 9a8022752..780d2741f 100644 --- a/docs/markdown/httpapi/api_spec.md +++ b/docs/markdown/httpapi/api_spec.md 
@@ -646,7 +646,7 @@ following additional fields MAY be supplied: Where `` is one of the supported key algos in lowercase OR the numeric id, see -[http://rtfm.powerdns.com/pdnssec.html](http://rtfm.powerdns.com/pdnssec.html) +[http://rtfm.powerdns.com/pdnsutil.html](http://rtfm.powerdns.com/pdnsutil.html) URL: /servers/:server\_id/zones/:zone\_name/cryptokeys/:cryptokey\_id --------------------------------------------------------------------- diff --git a/docs/markdown/types.md b/docs/markdown/types.md index ef36decbb..bfe1f615a 100644 --- a/docs/markdown/types.md +++ b/docs/markdown/types.md 
@@ -27,10 +27,10 @@ Since 4.0.0. The CDS ([Child DS](https://tools.ietf.org/html/rfc7344#section-3.1 The CNAME record specifies the canonical name of a record. It is stored plainly. Like all other records, it is not terminated by a dot. A sample might be 'webserver-01.yourcompany.com'. ## DNSKEY -Since 2.9.21. The DNSKEY DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnssec`](authoritative/dnssec.md#pdnssec "'pdnssec' for PowerDNSSEC command & control"). +Since 2.9.21. The DNSKEY DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNSSEC command & control"). ## DS -Since 2.9.21, The DS DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnssec`](authoritative/dnssec.md#pdnssec "'pdnssec' for PowerDNSSEC command & control"). +Since 2.9.21, The DS DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNSSEC command & control"). ## HINFO Hardware Info record, used to specify CPU and operating system. Stored with a single space separating these two, example: 'i386 Linux'. 
@@ -57,7 +57,7 @@ The fields are: order, preference, flags, service, regex, replacement. Note that Nameserver record. Specifies nameservers for a domain. Stored plainly: 'ns1.powerdns.com', as always without a terminating dot. ## NSEC -Since 2.9.21. The NSEC DNSSEC record type is fully supported, as described in [RFC 3757](http://tools.ietf.org/html/rfc3757). Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnssec`](authoritative/dnssec.md#pdnssec "'pdnssec' for PowerDNSSEC command & control"). +Since 2.9.21. The NSEC DNSSEC record type is fully supported, as described in [RFC 3757](http://tools.ietf.org/html/rfc3757). Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNSSEC command & control"). ## OPENPGPKEY Since 3.4.7. The OPENPGPKEY records, specified in [RFC TBD](https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-06), are used to bind OpenPGP certificates to email addresses. 
@@ -69,7 +69,7 @@ Reverse pointer, used to specify the host name belonging to an IP or IPv6 addres Responsible Person record, as described in [RFC 1183](http://tools.ietf.org/html/rfc1183). Stored with a single space between the mailbox name and the more-information pointer. Example 'peter.powerdns.com peter.people.powerdns.com', to indicate that `peter@powerdns.com` is responsible and that more information about peter is available by querying the TXT record of peter.people.powerdns.com. ## RRSIG -Since 2.9.21. The RRSIG DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC prcessing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [pdnssec](authoritative/dnssec.md#pdnssec). +Since 2.9.21. The RRSIG DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC prcessing, since 3.0 PowerDNS is able to fully process DNSSEC. This can be done with [pdnsutil](authoritative/dnssec.md#pdnsutil). ## SOA The Start of Authority record is one of the most complex available. It specifies a lot about a domain: the name of the master nameserver ('the primary'), the hostmaster and a set of numbers indicating how the data in this domain expires and how often it needs to be checked. Further more, it contains a serial number which should rise on each change of the domain. diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index d1f12800a..ec0e8901a 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -35,7 +35,7 @@ pages: - 'Manpage: zone2ldap.1': manpages/zone2ldap.1.md - 'Manpage: zone2sql.1': manpages/zone2sql.1.md - 'Manpage: pdns_control.1': manpages/pdns_control.1.md - - 'Manpage: pdnssec.1': manpages/pdnssec.1.md + - 'Manpage: pdnsutil.1': manpages/pdnsutil.1.md - 'Manpage: pdns_server.1': manpages/pdns_server.1.md - Authoritative Backends: - BIND: authoritative/backend-bind.md 
diff --git a/modules/luabackend/dnssec.cc b/modules/luabackend/dnssec.cc index 401bdcdc1..480e6414e 100644 --- a/modules/luabackend/dnssec.cc +++ b/modules/luabackend/dnssec.cc @@ -323,7 +323,7 @@ bool LUABackend::removeDomainKey(const string& name, unsigned int id) { } int LUABackend::addDomainKey(const string& name, const KeyData& key) { -// there is no logging function in pdnssec when running this routine? +// there is no logging function in pdnsutil when running this routine? //key = id, flags, active, content diff --git a/modules/luabackend/test/pdnssec b/modules/luabackend/test/pdnssec deleted file mode 100755 index 5d679e169..000000000 --- a/modules/luabackend/test/pdnssec +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/env bash - -../../../pdns/pdnssec --config-dir=./ $@ diff --git a/modules/luabackend/test/pdnstool b/modules/luabackend/test/pdnstool new file mode 100755 index 000000000..86a8126cc --- /dev/null +++ b/modules/luabackend/test/pdnstool @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +../../../pdns/pdnsutil --config-dir=./ $@ diff --git a/modules/remotebackend/regression-tests/direct-command/command b/modules/remotebackend/regression-tests/direct-command/command index fb7571135..e0288bc41 100755 --- a/modules/remotebackend/regression-tests/direct-command/command +++ b/modules/remotebackend/regression-tests/direct-command/command @@ -1,3 +1,3 @@ #!/bin/sh -$PDNSSEC --config-name=remote --config-dir=. backend-cmd remote HELLO +$PDNSUTIL --config-name=remote --config-dir=. backend-cmd remote HELLO diff --git a/pdns/.gitignore b/pdns/.gitignore index 6d3ce8105..262b3f56c 100644 --- a/pdns/.gitignore +++ b/pdns/.gitignore @@ -9,7 +9,7 @@ /pdns_control /pdns_server /pdns_recursor -/pdnssec +/pdnsutil /sdig /saxfr /dnslabeltext.cc diff --git a/pdns/Makefile.am b/pdns/Makefile.am index 7a61ee7ef..ab4c12522 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am 
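Review bot: The new luabackend test wrapper is added as `modules/luabackend/test/pdnstool`, while the binary it runs and every other reference in this commit use `pdnsutil`. Its callers are not visible here, but anything in that test directory that invokes the old `./pdnssec` wrapper or expects `./pdnsutil` would no longer find it, so unless the different name is deliberate the file should be named `pdnsutil`. The last line of the wrapper also passes `$@` unquoted, which re-splits and glob-expands arguments such as the quoted NSEC3 parameter strings used by the other test scripts. Writing it as `../../../pdns/pdnsutil --config-dir=./ "$@"` keeps each argument intact.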
@@ -71,7 +71,7 @@ sysconf_DATA = pdns.conf-dist sbin_PROGRAMS = pdns_server bin_PROGRAMS = \ pdns_control \ - pdnssec \ + pdnsutil \ zone2sql \ zone2json @@ -255,7 +255,7 @@ if GSS_TSIG pdns_server_LDADD += $(GSS_LIBS) endif -pdnssec_SOURCES = \ +pdnsutil_SOURCES = \ arguments.cc \ backends/gsql/gsqlbackend.cc backends/gsql/gsqlbackend.hh \ backends/gsql/ssql.hh \ @@ -286,7 +286,7 @@ pdnssec_SOURCES = \ misc.cc misc.hh \ nsecrecords.cc \ packetcache.cc \ - pdnssec.cc \ + pdnsutil.cc \ mbedtlssigners.cc \ qtype.cc \ randomhelper.cc \ @@ -300,12 +300,12 @@ pdnssec_SOURCES = \ unix_utility.cc \ zoneparser-tng.cc -pdnssec_LDFLAGS = \ +pdnsutil_LDFLAGS = \ $(AM_LDFLAGS) \ $(DYNLINKFLAGS) \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) -pdnssec_LDADD = \ +pdnsutil_LDADD = \ @moduleobjects@ \ @modulelibs@ \ $(LIBDL) \ 
@@ -314,41 +314,41 @@ pdnssec_LDADD = \ $(YAHTTP_LIBS) if BOTAN110 -pdnssec_SOURCES += botan110signers.cc botansigners.cc -pdnssec_LDADD += $(BOTAN110_LIBS) +pdnsutil_SOURCES += botan110signers.cc botansigners.cc +pdnsutil_LDADD += $(BOTAN110_LIBS) endif if BOTAN18 -pdnssec_SOURCES += botan18signers.cc botansigners.cc -pdnssec_LDADD += $(BOTAN18_LIBS) +pdnsutil_SOURCES += botan18signers.cc botansigners.cc +pdnsutil_LDADD += $(BOTAN18_LIBS) endif if CRYPTOPP -pdnssec_SOURCES += cryptoppsigners.cc -pdnssec_LDADD += $(CRYPTOPP_LIBS) +pdnsutil_SOURCES += cryptoppsigners.cc +pdnsutil_LDADD += $(CRYPTOPP_LIBS) endif if LIBSODIUM -pdnssec_SOURCES += sodiumsigners.cc -pdnssec_LDADD += $(LIBSODIUM_LIBS) +pdnsutil_SOURCES += sodiumsigners.cc +pdnsutil_LDADD += $(LIBSODIUM_LIBS) endif if SQLITE3 -pdnssec_SOURCES += ssqlite3.cc ssqlite3.hh -pdnssec_LDADD += $(SQLITE3_LIBS) +pdnsutil_SOURCES += ssqlite3.cc ssqlite3.hh +pdnsutil_LDADD += $(SQLITE3_LIBS) endif if ORACLE -pdnssec_LDADD += $(ORACLE_LIBS) +pdnsutil_LDADD += $(ORACLE_LIBS) endif if PKCS11 -pdnssec_SOURCES += pkcs11signers.cc pkcs11signers.hh -pdnssec_LDADD += $(P11KIT1_LIBS) +pdnsutil_SOURCES += pkcs11signers.cc pkcs11signers.hh +pdnsutil_LDADD += $(P11KIT1_LIBS) endif if GSS_TSIG -pdnssec_LDADD += $(GSS_LIBS) +pdnsutil_LDADD += $(GSS_LIBS) endif zone2sql_SOURCES = \ diff --git a/pdns/dnsrecords.hh b/pdns/dnsrecords.hh index e5cf61d49..f7eb2441b 100644 --- a/pdns/dnsrecords.hh +++ b/pdns/dnsrecords.hh @@ -670,7 +670,7 @@ RNAME##RecordContent::RNAME##RecordContent(const string& zoneData) xfrPacket(rtr); \ } \ catch(RecordTextException& rtr) { \ - throw MOADNSException("Parsing record content (try 'pdnssec check-zone'): "+string(rtr.what())); \ + throw MOADNSException("Parsing record content (try 'pdnsutil check-zone'): "+string(rtr.what())); \ } \ } \ \ diff --git a/pdns/mbedtlssigners.cc b/pdns/mbedtlssigners.cc index 7ad0a0dd4..6e89a0688 100644 --- a/pdns/mbedtlssigners.cc +++ b/pdns/mbedtlssigners.cc 
@@ -19,9 +19,9 @@ #include "dnssecinfra.hh" using namespace boost::assign; -#define PDNSSEC_MI(x) mbedtls_mpi_init(&d_context.x) -#define PDNSSEC_MC(x) PDNSSEC_MI(x); mbedtls_mpi_copy(&d_context.x, const_cast(&orig.d_context.x)) -#define PDNSSEC_MF(x) mbedtls_mpi_free(&d_context.x) +#define PDNSUTIL_MI(x) mbedtls_mpi_init(&d_context.x) +#define PDNSUTIL_MC(x) PDNSUTIL_MI(x); mbedtls_mpi_copy(&d_context.x, const_cast(&orig.d_context.x)) +#define PDNSUTIL_MF(x) mbedtls_mpi_free(&d_context.x) class RSADNSCryptoKeyEngine : public DNSCryptoKeyEngine { @@ -31,14 +31,14 @@ public: explicit RSADNSCryptoKeyEngine(unsigned int algorithm) : DNSCryptoKeyEngine(algorithm) { memset(&d_context, 0, sizeof(d_context)); - PDNSSEC_MI(N); - PDNSSEC_MI(E); PDNSSEC_MI(D); PDNSSEC_MI(P); PDNSSEC_MI(Q); PDNSSEC_MI(DP); PDNSSEC_MI(DQ); PDNSSEC_MI(QP); PDNSSEC_MI(RN); PDNSSEC_MI(RP); PDNSSEC_MI(RQ); + PDNSUTIL_MI(N); + PDNSUTIL_MI(E); PDNSUTIL_MI(D); PDNSUTIL_MI(P); PDNSUTIL_MI(Q); PDNSUTIL_MI(DP); PDNSUTIL_MI(DQ); PDNSUTIL_MI(QP); PDNSUTIL_MI(RN); PDNSUTIL_MI(RP); PDNSUTIL_MI(RQ); } ~RSADNSCryptoKeyEngine() { - PDNSSEC_MF(N); - PDNSSEC_MF(E); PDNSSEC_MF(D); PDNSSEC_MF(P); PDNSSEC_MF(Q); PDNSSEC_MF(DP); PDNSSEC_MF(DQ); PDNSSEC_MF(QP); PDNSSEC_MF(RN); PDNSSEC_MF(RP); PDNSSEC_MF(RQ); + PDNSUTIL_MF(N); + PDNSUTIL_MF(E); PDNSUTIL_MF(D); PDNSUTIL_MF(P); PDNSUTIL_MF(Q); PDNSUTIL_MF(DP); PDNSUTIL_MF(DQ); PDNSUTIL_MF(QP); PDNSUTIL_MF(RN); PDNSUTIL_MF(RP); PDNSUTIL_MF(RQ); } bool operator<(const RSADNSCryptoKeyEngine& rhs) const 
@@ -56,8 +56,8 @@ public: d_context.padding = orig.d_context.padding; d_context.hash_id = orig.d_context.hash_id; - PDNSSEC_MC(N); - PDNSSEC_MC(E); PDNSSEC_MC(D); PDNSSEC_MC(P); PDNSSEC_MC(Q); PDNSSEC_MC(DP); PDNSSEC_MC(DQ); PDNSSEC_MC(QP); PDNSSEC_MC(RN); PDNSSEC_MC(RP); PDNSSEC_MC(RQ); + PDNSUTIL_MC(N); + PDNSUTIL_MC(E); PDNSUTIL_MC(D); PDNSUTIL_MC(P); PDNSUTIL_MC(Q); PDNSUTIL_MC(DP); PDNSUTIL_MC(DQ); PDNSUTIL_MC(QP); PDNSUTIL_MC(RN); PDNSUTIL_MC(RP); PDNSUTIL_MC(RQ); } RSADNSCryptoKeyEngine& operator=(const RSADNSCryptoKeyEngine& orig) @@ -100,9 +100,9 @@ private: }; // see above -#undef PDNSSEC_MC -#undef PDNSSEC_MI -#undef PDNSSEC_MF +#undef PDNSUTIL_MC +#undef PDNSUTIL_MI +#undef PDNSUTIL_MF inline bool operator<(const mbedtls_mpi& a, const mbedtls_mpi& b) diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 7dd2d9a6e..f6b3656a9 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -1462,9 +1462,9 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) goto sendit; // check whether this could be fixed easily // if (*(rr.qname.rbegin()) == '.') { - // L<qdomain<<"|"<qtype.getCode()<<"): you have a trailing dot, this could be the problem (or run pdnssec rectify-zone " <qdomain<<"|"<qtype.getCode()<<"): you have a trailing dot, this could be the problem (or run pdnsutil rectify-zone " <qdomain<<"|"<qtype.getCode()<<"): please run pdnssec rectify-zone "<qdomain<<"|"<qtype.getCode()<<"): please run pdnsutil rectify-zone "< [params ..]\n"< [params ..]\n"<(cmds[1]))) @@ -1495,7 +1495,7 @@ try if(cmds[0] == "create-bind-db") { #ifdef HAVE_SQLITE3 if(cmds.size() != 2) { - cerr << "Syntax: pdnssec create-bind-db FNAME"< 2) { - cerr << "Syntax: pdnssec list-all-zones [master|slave|native]"< 3) ? cmds[3] : "", atoi(cmds[2].c_str())); } else if(cmds[0] == "verify-crypto") { if(cmds.size() != 2) { - cerr << "Syntax: pdnssec verify-crypto FILE"< 2) { - cerr<<"Syntax: pdnssec list-keys [ZONE]"< mustRectify; 
@@ -1783,7 +1783,7 @@ try } else if (cmds[0] == "secure-all-zones") { if (cmds.size() >= 2 && !pdns_iequals(cmds[1], "increase-serial")) { - cerr << "Syntax: pdnssec secure-all-zones [increase-serial]"< 2 ? cmds[2] : "1 0 1 ab"; @@ -1848,7 +1848,7 @@ try } else if(cmds[0]=="set-presigned") { if(cmds.size() < 2) { - cerr<<"Syntax: pdnssec set-presigned ZONE"< keys; if (cmds.size() < 9) { - std::cout << "Usage: pdnssec hsm assign ZONE ALGORITHM {ksk|zsk} MODULE TOKEN PIN LABEL" << std::endl; + std::cout << "Usage: pdnsutil hsm assign ZONE ALGORITHM {ksk|zsk} MODULE TOKEN PIN LABEL" << std::endl; return 1; } @@ -2407,7 +2407,7 @@ try } else if (cmds[1] == "create-key") { if (cmds.size() < 4) { - cerr << "Usage: pdnssec hsm create-key ZONE KEY-ID [BITS]" << endl; + cerr << "Usage: pdnsutil hsm create-key ZONE KEY-ID [BITS]" << endl; return 1; } DomainInfo di; diff --git a/pdns/signingpipe.cc b/pdns/signingpipe.cc index 2ffe5b3db..b0b5f447d 100644 --- a/pdns/signingpipe.cc +++ b/pdns/signingpipe.cc @@ -359,7 +359,7 @@ vector ChunkedSigningPipe::getChunk(bool final) signal(SIGCHLD, SIG_IGN); if(!fork()) { // child dup2(fds[1], 0); - execl("./pdnssec", "./pdnssec", "--config-dir=./", "signing-slave", NULL); + execl("./pdnsutil", "./pdnsutil", "--config-dir=./", "signing-slave", NULL); // helperWorker(new StartHelperStruct(this, n)); return; } diff --git a/regression-tests.nobackend/soa-edit/command b/regression-tests.nobackend/soa-edit/command index 5ceb41ca2..afe5c72bf 100755 --- a/regression-tests.nobackend/soa-edit/command +++ b/regression-tests.nobackend/soa-edit/command 
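Review bot: The `hsm assign` usage line lists the token `PIN` as a positional argument, which would put the HSM PIN in the process argument list and in shell history. The hunk only renames the tool in the message and the code that reads the argument is outside it, so this is inferred from the usage text. If the PIN is indeed taken from `cmds`, accepting it from the environment or prompting for it when it is omitted would avoid that exposure. Separately, this usage text goes to `std::cout` while the neighbouring `hsm create-key` message uses `cerr`; `cerr << "Usage: pdnsutil hsm assign ZONE ALGORITHM {ksk|zsk} MODULE TOKEN PIN LABEL" << endl;` would match.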
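Review bot: In the signingpipe.cc hunk the child has no handling for a failed `execl("./pdnsutil", ...)`: it falls through to `return;` and keeps running the caller's code as a second copy of the parent. That failure is more likely after the rename, for example when only the old binary is present in the working directory, and `_exit(1);` directly after the `execl` line would stop it. Both `./pdnsutil` and `--config-dir=./` are resolved against the current working directory at fork time, so the helper binary and its configuration come from wherever the process happens to be running rather than from an installed path; a comment saying this path is meant for in-tree test runs only would help. The variadic terminator is safer written as `(char*)NULL`. The enclosing function starts and ends outside the hunk.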
@@ -29,8 +29,8 @@ rm -f soa-edit/bind-dnssec.db now=$(date +%s) delta=$((now-1418860790)) # Wed Dec 17 23:59:50 2014 UTC -$PDNSSEC --config-dir=soa-edit create-bind-db soa-edit/bind-dnssec.db -$PDNSSEC --config-dir soa-edit/ set-meta minimal.com SOA-EDIT INCREMENT-WEEKS +$PDNSUTIL --config-dir=soa-edit create-bind-db soa-edit/bind-dnssec.db +$PDNSUTIL --config-dir soa-edit/ set-meta minimal.com SOA-EDIT INCREMENT-WEEKS faketime -m -f -$delta $PDNS --config-dir=soa-edit & bindwait diff --git a/regression-tests/backends/bind-master b/regression-tests/backends/bind-master index 3354551a8..ae9fe7da8 100644 --- a/regression-tests/backends/bind-master +++ b/regression-tests/backends/bind-master @@ -48,7 +48,7 @@ gmysql-dnssec __EOF__ else echo "bind-dnssec-db=./dnssec.sqlite3" >> pdns-bind.conf - $PDNSSEC --config-dir=. --config-name=bind create-bind-db dnssec.sqlite3 + $PDNSUTIL --config-dir=. --config-name=bind create-bind-db dnssec.sqlite3 fi for zone in $(grep 'zone ' named.conf | cut -f2 -d\") @@ -61,10 +61,10 @@ __EOF__ securezone $zone bind if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ] then - $PDNSSEC --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1 + $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1 elif [ $context = bind-dnssec-nsec3-narrow ] then - $PDNSSEC --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 + $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 fi done 
@@ -85,8 +85,8 @@ __EOF__ skipreasons="nodyndns" fi - $PDNSSEC --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY - $PDNSSEC --config-dir=. --config-name=bind activate-tsig-key tsig.com test master + $PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY + $PDNSUTIL --config-dir=. --config-name=bind activate-tsig-key tsig.com test master $RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \ --config-name=bind --socket-dir=./ --no-shuffle \ diff --git a/regression-tests/backends/bind-slave b/regression-tests/backends/bind-slave index 638a1d488..27ffa6463 100644 --- a/regression-tests/backends/bind-slave +++ b/regression-tests/backends/bind-slave @@ -8,7 +8,7 @@ rm -f dnssec-slave.sqlite3 - $PDNSSEC --config-dir=. create-bind-db dnssec-slave.sqlite3 + $PDNSUTIL --config-dir=. create-bind-db dnssec-slave.sqlite3 set +e echo $skipreasons | grep -q nodnssec diff --git a/regression-tests/backends/geoip-master b/regression-tests/backends/geoip-master index 64239d06c..0aa804408 100644 --- a/regression-tests/backends/geoip-master +++ b/regression-tests/backends/geoip-master @@ -60,7 +60,7 @@ EOF Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='continent.geo.example.com.', qtype=TXT EOF - # generate pdns.conf for pdnssec + # generate pdns.conf for pdnsutil cat > pdns-geoip.conf <> pdns-geoip.conf - $PDNSSEC --config-dir=. --config-name=geoip secure-zone geo.example.com + $PDNSUTIL --config-dir=. --config-name=geoip secure-zone geo.example.com geoipkeydir="--geoip-dnssec-keydir=$testsdir/geosec" fi diff --git a/regression-tests/backends/gmysql-slave b/regression-tests/backends/gmysql-slave index 3c6b6a26b..868360f55 100644 --- a/regression-tests/backends/gmysql-slave +++ b/regression-tests/backends/gmysql-slave 
@@ -31,11 +31,11 @@ __EOF__ "$GMYSQL2DB" -e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')" done - $PDNSSEC --config-dir=. --config-name=gmysql2 import-tsig-key test $ALGORITHM $KEY - $PDNSSEC --config-dir=. --config-name=gmysql2 activate-tsig-key tsig.com test slave + $PDNSUTIL --config-dir=. --config-name=gmysql2 import-tsig-key test $ALGORITHM $KEY + $PDNSUTIL --config-dir=. --config-name=gmysql2 activate-tsig-key tsig.com test slave if [[ $skipreasons != *nolua* ]] then - $PDNSSEC --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2 + $PDNSUTIL --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2 fi port=$((port+100)) diff --git a/regression-tests/backends/goracle-slave b/regression-tests/backends/goracle-slave index ab914d425..9e130e37b 100644 --- a/regression-tests/backends/goracle-slave +++ b/regression-tests/backends/goracle-slave @@ -30,11 +30,11 @@ __EOF__ echo "INSERT INTO domains (id, name, type, master) VALUES(domains_id_sequence.nextval, '$zone', 'SLAVE', '127.0.0.1:$port');" | sqlplus -S $GORACLE2USER/$GORACLE2PASSWD@xe >> goracle2.log done - $PDNSSEC --config-dir=. --config-name=goracle2 import-tsig-key test $ALGORITHM $KEY - $PDNSSEC --config-dir=. --config-name=goracle2 activate-tsig-key tsig.com test slave + $PDNSUTIL --config-dir=. --config-name=goracle2 import-tsig-key test $ALGORITHM $KEY + $PDNSUTIL --config-dir=. --config-name=goracle2 activate-tsig-key tsig.com test slave if [[ $skipreasons != *nolua* ]] then - $PDNSSEC --config-dir=. --config-name=goracle2 set-meta stest.com AXFR-SOURCE 127.0.0.2 + $PDNSUTIL --config-dir=. --config-name=goracle2 set-meta stest.com AXFR-SOURCE 127.0.0.2 fi port=$((port+100)) diff --git a/regression-tests/backends/gpgsql-slave b/regression-tests/backends/gpgsql-slave index 4dd6e85db..94fdc6126 100644 --- a/regression-tests/backends/gpgsql-slave +++ b/regression-tests/backends/gpgsql-slave 
@@ -25,11 +25,11 @@ __EOF__ "$GPGSQL2DB" done - $PDNSSEC --config-dir=. --config-name=gpgsql2 import-tsig-key test $ALGORITHM $KEY - $PDNSSEC --config-dir=. --config-name=gpgsql2 activate-tsig-key tsig.com test slave + $PDNSUTIL --config-dir=. --config-name=gpgsql2 import-tsig-key test $ALGORITHM $KEY + $PDNSUTIL --config-dir=. --config-name=gpgsql2 activate-tsig-key tsig.com test slave if [[ $skipreasons != *nolua* ]] then - $PDNSSEC --config-dir=. --config-name=gpgsql2 set-meta stest.com AXFR-SOURCE 127.0.0.2 + $PDNSUTIL --config-dir=. --config-name=gpgsql2 set-meta stest.com AXFR-SOURCE 127.0.0.2 fi port=$((port+100)) diff --git a/regression-tests/backends/gsql-common b/regression-tests/backends/gsql-common index 9dc9cea01..0a1a38643 100644 --- a/regression-tests/backends/gsql-common +++ b/regression-tests/backends/gsql-common 
@@ -19,19 +19,19 @@ gsql_master() then if [ $context = ${backend}-nsec3 ] || [ $context = ${backend}-nsec3-optout ] then - $PDNSSEC --config-dir=. --config-name=$backend set-nsec3 $zone "1 $optout 1 abcd" 2>&1 + $PDNSUTIL --config-dir=. --config-name=$backend set-nsec3 $zone "1 $optout 1 abcd" 2>&1 elif [ $context = ${backend}-nsec3-narrow ] then - $PDNSSEC --config-dir=. --config-name=$backend set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 + $PDNSUTIL --config-dir=. --config-name=$backend set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 fi securezone $zone ${backend} else - $PDNSSEC --config-dir=. --config-name=$backend rectify-zone $zone 2>&1 + $PDNSUTIL --config-dir=. --config-name=$backend rectify-zone $zone 2>&1 fi done - $PDNSSEC --config-dir=. --config-name=$backend import-tsig-key test $ALGORITHM $KEY - $PDNSSEC --config-dir=. --config-name=$backend activate-tsig-key tsig.com test master + $PDNSUTIL --config-dir=. --config-name=$backend import-tsig-key test $ALGORITHM $KEY + $PDNSUTIL --config-dir=. --config-name=$backend activate-tsig-key tsig.com test master $RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \ --config-name=$backend --socket-dir=./ --no-shuffle \ diff --git a/regression-tests/backends/gsqlite3-slave b/regression-tests/backends/gsqlite3-slave index 5b2060b63..79d7fe167 100644 --- a/regression-tests/backends/gsqlite3-slave +++ b/regression-tests/backends/gsqlite3-slave 
@@ -19,11 +19,11 @@ __EOF__
 sqlite3 pdns.sqlite32 "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port');"
 done
- $PDNSSEC --config-dir=. --config-name=gsqlite32 import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=gsqlite32 activate-tsig-key tsig.com test slave
+ $PDNSUTIL --config-dir=. --config-name=gsqlite32 import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=gsqlite32 activate-tsig-key tsig.com test slave
 if [[ $skipreasons != *nolua* ]]
 then
- $PDNSSEC --config-dir=. --config-name=gsqlite32 set-meta stest.com AXFR-SOURCE 127.0.0.2
+ $PDNSUTIL --config-dir=. --config-name=gsqlite32 set-meta stest.com AXFR-SOURCE 127.0.0.2
 fi
 port=$((port+100))
diff --git a/regression-tests/backends/oracle-master b/regression-tests/backends/oracle-master
index 00947d850..2f29bf252 100644
--- a/regression-tests/backends/oracle-master
+++ b/regression-tests/backends/oracle-master
@@ -35,7 +35,7 @@ __EOF__
 securezone $zone oracle
 if [ $context = oracle-nsec3 ]
 then
- $PDNSSEC --config-dir=. --config-name=oracle set-nsec3 $zone "1 0 1 abcd" 2>&1
+ $PDNSUTIL --config-dir=. --config-name=oracle set-nsec3 $zone "1 0 1 abcd" 2>&1
 fi
 done
 fi
@@ -43,8 +43,8 @@ __EOF__
 echo "TRUNCATE TABLE records;" | sqlplus -S $ORACLEUSER/$ORACLEPASSWD@xe >> oracle.log
 ../pdns/zone2sql --oracle | grep -v 'INSERT INTO Zones' | sqlplus -S $ORACLEUSER/$ORACLEPASSWD@xe >> oracle.log
- $PDNSSEC --config-dir=. --config-name=oracle import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=oracle activate-tsig-key tsig.com test master
+ $PDNSUTIL --config-dir=. --config-name=oracle import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=oracle activate-tsig-key tsig.com test master
 $RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \
 --config-name=oracle --socket-dir=./ --no-shuffle \
diff --git a/regression-tests/backends/oracle-slave b/regression-tests/backends/oracle-slave
index 15c1aa7cd..e75027eee 100644
--- a/regression-tests/backends/oracle-slave
+++ b/regression-tests/backends/oracle-slave
@@ -26,14 +26,14 @@ __EOF__
 echo "INSERT ALL INTO zones (id, name, type) VALUES (zones_id_seq.nextval, name, 'SLAVE') INTO zonemasters (zone_id, master) VALUES (zones_id_seq.nextval, master) SELECT '$zone' AS name, '127.0.0.1:$port' AS master FROM dual;" | sqlplus -S $ORACLE2USER/$ORACLE2PASSWD@xe >> oracle2.log
 done
- $PDNSSEC --config-dir=. --config-name=oracle2 import-tsig-key test $ALGORITHM $KEY
- $PDNSSEC --config-dir=. --config-name=oracle2 activate-tsig-key tsig.com test slave
+ $PDNSUTIL --config-dir=. --config-name=oracle2 import-tsig-key test $ALGORITHM $KEY
+ $PDNSUTIL --config-dir=. --config-name=oracle2 activate-tsig-key tsig.com test slave
 set +e
 echo $skipreasons | grep -q nolua
 if [ $? -ne 0 ]
 then
- $PDNSSEC --config-dir=. --config-name=oracle2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+ $PDNSUTIL --config-dir=. --config-name=oracle2 set-meta stest.com AXFR-SOURCE 127.0.0.2
 fi
 set -e
diff --git a/regression-tests/backends/remote-master b/regression-tests/backends/remote-master
index 476be6b8f..a40d043f8 100644
--- a/regression-tests/backends/remote-master
+++ b/regression-tests/backends/remote-master
@@ -80,7 +80,7 @@ case $context in fi - # generate pdns.conf for pdnssec + # generate pdns.conf for pdnsutil cat > pdns-remote.conf <> pdns-remote.conf - $PDNSSEC --config-dir=. --config-name=remote secure-zone example.com - $PDNSSEC --config-dir=. --config-name=remote secure-zone up.example.com + $PDNSUTIL --config-dir=. --config-name=remote secure-zone example.com + $PDNSUTIL --config-dir=. --config-name=remote secure-zone up.example.com - ./gsql_feed_ds.pl up.example.com. example.com. "$PDNSSEC --config-dir=. --config-name=remote" "sqlite3 $testsdir/remote.sqlite3" + ./gsql_feed_ds.pl up.example.com. example.com. "$PDNSUTIL --config-dir=. --config-name=remote" "sqlite3 $testsdir/remote.sqlite3" # fix dot sqlite3 $testsdir/remote.sqlite3 "UPDATE records SET name = 'up.example.com.' WHERE name = 'up.example.com'" if [ "$remotesec" = "nsec3" ] then - $PDNSSEC --config-dir=. --config-name=remote set-nsec3 example.com - $PDNSSEC --config-dir=. --config-name=remote set-nsec3 up.example.com + $PDNSUTIL --config-dir=. --config-name=remote set-nsec3 example.com + $PDNSUTIL --config-dir=. --config-name=remote set-nsec3 up.example.com fi # add DS records into list-all-records - $PDNSSEC --config-dir=. --config-name=remote show-zone up.example.com | gawk '{ if ($1=="DS") { printf "up.example.com. 120 IN DS " $6 " " $7 " " $8 " " substr(toupper($9),0,56); if (length($9)>56) { print " " substr(toupper($9),57) } else { print "" } } }' > $testsdir/list-all-records/expected_dnssec_part2 + $PDNSUTIL --config-dir=. --config-name=remote show-zone up.example.com | gawk '{ if ($1=="DS") { printf "up.example.com. 
120 IN DS " $6 " " $7 " " $8 " " substr(toupper($9),0,56); if (length($9)>56) { print " " substr(toupper($9),57) } else { print "" } } }' > $testsdir/list-all-records/expected_dnssec_part2
 cat $testsdir/list-all-records/expected_dnssec_part1 $testsdir/list-all-records/expected_dnssec_part2 $testsdir/list-all-records/expected_dnssec_part3 > $testsdir/list-all-records/expected_result.dnssec
 cp -f $testsdir/list-all-records/expected_result.dnssec $testsdir/list-all-records/expected_result.nsec3
 fi
diff --git a/regression-tests/gsql_feed_ds.pl b/regression-tests/gsql_feed_ds.pl
index ad3500f13..92a665563 100755
--- a/regression-tests/gsql_feed_ds.pl
+++ b/regression-tests/gsql_feed_ds.pl
@@ -4,16 +4,16 @@ use strict;
 use warnings;
 use 5.005;
-# usage: feed_ds.pl domain parent pdnssec sqlcmd
+# usage: feed_ds.pl domain parent pdnsutil sqlcmd
 my $domain = shift;
 my $parent = shift;
-my $pdnssec = shift;
+my $pdnsutil = shift;
 my $sqlcmd = shift;
-die "Usage: $0 domain parent pdnssec sqlcmd" unless($domain and $parent and $pdnssec and $sqlcmd);
+die "Usage: $0 domain parent pdnsutil sqlcmd" unless($domain and $parent and $pdnsutil and $sqlcmd);
-open IN, "-|", "$pdnssec show-zone $domain 2>&1";
+open IN, "-|", "$pdnsutil show-zone $domain 2>&1";
 my $recs = [];
diff --git a/regression-tests/runtests b/regression-tests/runtests
index c38e23b6b..18cb0ff02 100755
--- a/regression-tests/runtests
+++ b/regression-tests/runtests
@@ -9,7 +9,7 @@ export SDIG=${SDIG:-${PWD}/../pdns/sdig}
 export NSEC3DIG=${NSEC3DIG:-${PWD}/../pdns/nsec3dig}
 export SAXFR=${SAXFR:-${PWD}/../pdns/saxfr}
 export ZONE2SQL=${ZONE2SQL:-${PWD}/../pdns/zone2sql}
-export PDNSSEC=${PDNSSEC:-${PWD}/../pdns/pdnssec}
+export PDNSUTIL=${PDNSUTIL:-${PWD}/../pdns/pdnsutil}
 export PDNSCONTROL=${PDNSCONTROL:-${PWD}/../pdns/pdns_control}
 spectest=$1
diff --git a/regression-tests/start-test-stop b/regression-tests/start-test-stop
index 2db560efd..416d8ef07 100755
--- a/regression-tests/start-test-stop
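Review bot: The `export PDNSUTIL=${PDNSUTIL:-${PWD}/../pdns/pdnsutil}` line in regression-tests/runtests no longer honours an existing `PDNSSEC` override, so an environment that still exports the old variable silently falls back to the in-tree binary and the suite may exercise a different build than the one intended. The same applies to the first hunk of regression-tests/start-test-stop. If a transition period is wanted, `export PDNSUTIL=${PDNSUTIL:-${PDNSSEC:-${PWD}/../pdns/pdnsutil}}` keeps old overrides working; otherwise a comment such as `# PDNSSEC was renamed to PDNSUTIL; the old variable is ignored` above the export would document the break.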
+++ b/regression-tests/start-test-stop
@@ -9,7 +9,7 @@ export SDIG=${SDIG:-${PWD}/../pdns/sdig}
 export NSEC3DIG=${NSEC3DIG:-${PWD}/../pdns/nsec3dig}
 export SAXFR=${SAXFR:-${PWD}/../pdns/saxfr}
 export ZONE2SQL=${ZONE2SQL:-${PWD}/../pdns/zone2sql}
-export PDNSSEC=${PDNSSEC:-${PWD}/../pdns/pdnssec}
+export PDNSUTIL=${PDNSUTIL:-${PWD}/../pdns/pdnsutil}
 export PDNSCONTROL=${PDNSCONTROL:-${PWD}/../pdns/pdns_control}
@@ -71,13 +71,13 @@ securezone ()
 fi
 if [ "${zone: 0:16}" = "secure-delegated" ]
 then
- $PDNSSEC --config-dir=. $configname import-zone-key $zone $zone.private ksk 2>&1
- $PDNSSEC --config-dir=. $configname add-zone-key $zone 1024 zsk 2>&1
- keyid=`$PDNSSEC --config-dir=. $configname show-zone $zone | grep ZSK | cut -d' ' -f3`
- $PDNSSEC --config-dir=. $configname activate-zone-key $zone $keyid 2>&1
- $PDNSSEC --config-dir=. $configname rectify-zone $zone 2>&1
- $PDNSSEC --config-dir=. $configname set-publish-cds $zone 2>&1
- $PDNSSEC --config-dir=. $configname set-publish-cdnskey $zone 2>&1
+ $PDNSUTIL --config-dir=. $configname import-zone-key $zone $zone.private ksk 2>&1
+ $PDNSUTIL --config-dir=. $configname add-zone-key $zone 1024 zsk 2>&1
+ keyid=`$PDNSUTIL --config-dir=. $configname show-zone $zone | grep ZSK | cut -d' ' -f3`
+ $PDNSUTIL --config-dir=. $configname activate-zone-key $zone $keyid 2>&1
+ $PDNSUTIL --config-dir=. $configname rectify-zone $zone 2>&1
+ $PDNSUTIL --config-dir=. $configname set-publish-cds $zone 2>&1
+ $PDNSUTIL --config-dir=. $configname set-publish-cdnskey $zone 2>&1
 else
 # check if PKCS#11 should be used
 if [ "$pkcs11" -eq 1 ]; then
@@ -87,17 +87,17 @@ securezone ()
 slot=$((slot+1))
 fi
 sudo softhsm --init-token --slot $slot --label label$slot --pin 123$slot --so-pin 123$slot
- kid=`$PDNSSEC --config-dir=. $configname hsm assign $zone rsasha256 ksk softhsm label$slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
+ kid=`$PDNSUTIL --config-dir=. $configname hsm assign $zone rsasha256 ksk softhsm label$slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
 # keep this until #1413 is merged
- kid=`$PDNSSEC --config-dir=. $configname show-zone $zone | grep 'ID =.*KSK' | awk '{ print $3 }'`
- $PDNSSEC --config-dir=. $configname hsm create-key $zone $kid
+ kid=`$PDNSUTIL --config-dir=. $configname show-zone $zone | grep 'ID =.*KSK' | awk '{ print $3 }'`
+ $PDNSUTIL --config-dir=. $configname hsm create-key $zone $kid
 slot=$((slot+1))
 sudo softhsm --init-token --slot $slot --label label$slot --pin 123$slot --so-pin 123$slot
- kid=`$PDNSSEC --config-dir=. $configname hsm assign $zone rsasha256 zsk softhsm label$slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
- kid=`$PDNSSEC --config-dir=. $configname show-zone $zone | grep 'ID =.*ZSK' | awk '{ print $3 }'`
- $PDNSSEC --config-dir=. $configname hsm create-key $zone $kid
+ kid=`$PDNSUTIL --config-dir=. $configname hsm assign $zone rsasha256 zsk softhsm label$slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
+ kid=`$PDNSUTIL --config-dir=. $configname show-zone $zone | grep 'ID =.*ZSK' | awk '{ print $3 }'`
+ $PDNSUTIL --config-dir=. $configname hsm create-key $zone $kid
 else
- $PDNSSEC --config-dir=. $configname secure-zone $zone 2>&1
+ $PDNSUTIL --config-dir=. $configname secure-zone $zone 2>&1
 fi
 fi
 }