Names of key files should also have their /'s translated to @
index 7805e59c728e144d2e46c114813e1d38552da414..432ad43e8e8cd6503d6b6b5f37c50300141f6360 100755 (executable)
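--- a/bin/genzone
+++ b/bin/genzone
@@ -13,33 +13,45 @@ Z=$1
 shift
 
 CURRENT_HASH=$($M4 -DHASHING m4/nsc.m4 "$@" | md5sum | cut -d " " -f1)
-if [ -f $KEYDIR/$Z.hash ] ; then
-	CURRENT_HASH=$CURRENT_HASH:$(cat $KEYDIR/$Z.hash)
-	if [ -f $KEYDIR/resign-stamp ] ; then
-		CURRENT_HASH=$CURRENT_HASH:$(stat -c '%Y' $KEYDIR/resign-stamp)
+if [ -f khash/$Z ] ; then
+	CURRENT_HASH=$CURRENT_HASH:$(cat khash/$Z)
+	if [ -f keys/resign-stamp ] ; then
+		CURRENT_HASH=$CURRENT_HASH:$(stat -c '%Y' keys/resign-stamp)
 	fi
 fi
 
-PREV_HASH=$(if [ -s $HASHDIR/$Z ] ; then cat $HASHDIR/$Z ; fi)
+PREV_HASH=$(if [ -s hash/$Z ] ; then cat hash/$Z ; fi)
 if [ "X$CURRENT_HASH" = "X$PREV_HASH" ] ; then
 	echo "-- $Z: No changes"
-	touch $ZONEDIR/$Z $HASHDIR/$Z
+	touch zone/$Z hash/$Z
 else
-	$M4 -DVERS=$VERSDIR/$Z m4/nsc.m4 "$@" >$ZONEDIR/$Z.new
-	NEWVER="$(sed -e "s/^;;; VERSION: //; t; d" $ZONEDIR/$Z.new)"
-	if [ -f $KEYDIR/$Z.hash ] ; then
-		if ! dnssec-signzone -a -d $DSSDIR -g -K $KEYDIR/$Z $SIGNZONE_OPTIONS -f $ZONEDIR/$Z.signed -o $Z -S -3 - $ZONEDIR/$Z.new &>$ZONEDIR/$Z.tmp ; then
-			cat $ZONEDIR/$Z.tmp
-			echo >&2 "FATAL: Signing failed"
+	$M4 -DVERS=ver/$Z m4/nsc.m4 "$@" >zone/$Z.new
+	NEWVER="$(sed -e "s/^;;; VERSION: //; t; d" zone/$Z.new)"
+	if [ -f khash/$Z ] ; then
+		ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2)
+		if [ -z "$ORIGIN" ] ; then
+			echo >&2 "FATAL: Cannot establish zone origin for $Z"
 			exit 1
 		fi
-		rm -f $ZONEDIR/$Z.tmp
-		mv $ZONEDIR/$Z.signed $ZONEDIR/$Z
+		NSEC="-3 -"
+		if [ -f bin/dnssec-hacks ] ; then
+			# Undocumented hook for hacks
+			. bin/dnssec-hacks
+		fi
+		if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $ORIGIN -S $NSEC zone/$Z.new &>zone/$Z.tmp ; then
+			cat zone/$Z.tmp
+			echo >&2 "FATAL: Cannot sign $Z"
+			exit 1
+		fi
+		rm -f zone/$Z.tmp
+		rm -f tmp/dsset-*
+		mv zone/$Z.signed zone/$Z
+		rm -f zone/$Z.new
 		SIGNED=" (signed)"
 	else
-		mv $ZONEDIR/$Z.new $ZONEDIR/$Z
+		mv zone/$Z.new zone/$Z
 		SIGNED=
 	fi
 	echo "** $Z: New version $NEWVER$SIGNED"
-	echo $CURRENT_HASH >$HASHDIR/$Z
+	echo $CURRENT_HASH >hash/$Z
 fi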
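Review bot: The origin lookup `ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2)` matches `$ORIGIN` anywhere on any line and splits only on a single space, so a zone with a second `$ORIGIN` directive (or a tab after the first one) yields either several words, which the unquoted `-o $ORIGIN` then hands to dnssec-signzone as separate arguments, or an empty value. Taking the first directive by field is safer: `ORIGIN=$(awk '$1 == "$ORIGIN" { print $2; exit }' zone/$Z.new)`, with `-o "$ORIGIN"` quoted on the signing line. The m4 run on `$M4 -DVERS=ver/$Z m4/nsc.m4 "$@" >zone/$Z.new` is still unchecked, so a failed expansion leaves an empty or partial zone/$Z.new that the unsigned branch installs as zone/$Z; appending `|| { echo >&2 "FATAL: m4 failed for $Z"; exit 1; }` would stop it. The `. bin/dnssec-hacks` hook sources arbitrary shell into the signing step with the keys in reach, so the comment should state what the hook may set (presumably NSEC and SIGNZONE_OPTIONS) and the file should be owned and writable only by whoever owns keys/. The enclosing script continues outside the hunk.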