shift
CURRENT_HASH=$($M4 -DHASHING m4/nsc.m4 "$@" | md5sum | cut -d " " -f1)
-if [ -f keys/$Z.hash ] ; then
- CURRENT_HASH=$CURRENT_HASH:$(cat keys/$Z.hash)
+if [ -f khash/$Z ] ; then
+ CURRENT_HASH=$CURRENT_HASH:$(cat khash/$Z)
if [ -f keys/resign-stamp ] ; then
CURRENT_HASH=$CURRENT_HASH:$(stat -c '%Y' keys/resign-stamp)
fi
else
$M4 -DVERS=ver/$Z m4/nsc.m4 "$@" >zone/$Z.new
NEWVER="$(sed -e "s/^;;; VERSION: //; t; d" zone/$Z.new)"
- if [ -f keys/$Z.hash ] ; then
- if ! dnssec-signzone -a -d dss -g -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $Z -S -3 - zone/$Z.new &>zone/$Z.tmp ; then
+ if [ -f khash/$Z ] ; then
+ ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2)
+ if [ -z "$ORIGIN" ] ; then
+ echo >&2 "FATAL: Cannot establish zone origin for $Z"
+ exit 1
+ fi
+ NSEC="-3 -"
+ if [ -f bin/dnssec-hacks ] ; then
+ # Undocumented hook for hacks
+ . bin/dnssec-hacks
+ fi
+ if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $ORIGIN -S $NSEC zone/$Z.new &>zone/$Z.tmp ; then
cat zone/$Z.tmp
- echo >&2 "FATAL: Signing failed"
+ echo >&2 "FATAL: Cannot sign $Z"
exit 1
fi
rm -f zone/$Z.tmp
+ rm -f tmp/dsset-*
mv zone/$Z.signed zone/$Z
+ rm -f zone/$Z.new
SIGNED=" (signed)"
else
mv zone/$Z.new zone/$Z