- NSCVER macro
- Update or delete nsc.lsm
+- do we still need root.cache?
DNSSEC:
-- in reverse zones, file name != zone name => need to pass zone name to genzone
-- signing reverse zones
$M4 -DVERS=ver/$Z m4/nsc.m4 "$@" >zone/$Z.new
NEWVER="$(sed -e "s/^;;; VERSION: //; t; d" zone/$Z.new)"
if [ -f khash/$Z ] ; then
- if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $Z -S -3 - zone/$Z.new &>zone/$Z.tmp ; then
+ ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2)
+ if [ -z "$ORIGIN" ] ; then
+ echo >&2 "FATAL: Cannot establish zone origin for $Z"
+ exit 1
+ fi
+ if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $ORIGIN -S -3 - zone/$Z.new &>zone/$Z.tmp ; then
cat zone/$Z.tmp
- echo >&2 "FATAL: Signing failed"
+ echo >&2 "FATAL: Cannot sign $Z"
exit 1
fi
rm -f zone/$Z.tmp
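Review bot: The new `ORIGIN` lookup keeps every line that contains `$ORIGIN` and then passes the result unquoted as `-o $ORIGIN`, so the `-z` check does not stop a multi-word or wrong value from reaching dnssec-signzone. A zone file with a second `$ORIGIN` directive, or with the string inside a comment, yields several words; a tab after the keyword makes `cut -d' ' -f2` return the whole line. Anchoring the match and stopping at the first hit avoids this, assuming the first directive is the apex that NSC emits: `ORIGIN=$(awk '$1 == "$ORIGIN" { print $2; exit }' zone/$Z.new)`, with the option written as `-o "$ORIGIN"`. The enclosing `if [ -f khash/$Z ]` block ends outside the hunk.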
. bin/shell-env
if [ -z "$1" ] ; then
- echo >&2 "Usage: $0 <zone> [<extra-keygen-params>]"
+ echo >&2 "Usage: $0 <config> [<extra-keygen-params>]"
exit 1
fi
-D="$1"
+C="$1"
shift
-mkdir -p keys/$D
-dnssec-keygen $KEYGEN_OPTIONS -K keys/$D "$@" $D
-bin/key-update $D
+if [ ! -f $CFDIR/$C ] ; then
+ echo >&2 "$CFDIR/$C: No such configuration file"
+ exit 1
+fi
+
+Z=$($M4 m4/mkname.m4 $CFDIR/$C)
+echo "Zone name: $Z"
+
+mkdir -p keys/$C
+dnssec-keygen $KEYGEN_OPTIONS -K keys/$C "$@" $Z
+bin/key-update $C
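Review bot: `Z=$($M4 m4/mkname.m4 $CFDIR/$C)` is used without checking that it produced a name. mkname.m4 appears to print one only when the config invokes SOA, so a config without it reaches `dnssec-keygen ... "$@" $Z` with no zone argument; an m4 failure does the same unless `bin/shell-env` enables `set -e`, which is not visible here. The signing script already guards `ORIGIN` with a `-z` test, and the same guard fits after the assignment: `if [ -z "$Z" ] ; then echo >&2 "FATAL: Cannot establish zone name for $C" ; exit 1 ; fi`. `$C` is taken directly from `$1` and expanded unquoted in `$CFDIR/$C` and `keys/$C`; quoting these, and rejecting a value containing `/`, keeps `mkdir -p` and the key directory under `keys/`.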
; Here are reverse delegations for two networks. NSC automatically creates
; the PTR records from A records in all mentioned zones. See cf/{0,1}.0.10.
+DNSSEC(`
REVERSE(10.0.0, example.com, a.example.com)
REVERSE(10.1.0, example.com, a.example.com, ip6.example.com)
+')
; You can even have reverse zones for larger networks
--- /dev/null
+dnl ###
+dnl ### NSC -- Zone Name Generator
+dnl ### (c) 2019 Martin Mares <mj@ucw.cz>
+dnl ###
+dnl ### Usage: m4 mkname.m4 domain-source-files >zone-name
+dnl ###
+include(m4/dnslib.m4)
+
+define(`SOA', `ifdef(`CURRENT_DOMAIN',,`define(`CURRENT_DOMAIN',$1)divert(0)$1
+divert(-1)')')