From 01d87a6fdf13de165ec6b2bfc48827e4ee5f60a4 Mon Sep 17 00:00:00 2001
From: Martin Mares
Date: Wed, 30 Jan 2019 13:04:29 +0100
Subject: [PATCH] DNSSEC: Signing of reverse zones

Unlike primary and secondary zones, file names of reverse zones and their configurations are different from full domain names. So far, we ignored this difference when handling keys. From this point on, key files are named after the configuration files and key-gen is able to synthesize the full domain name by interpreting the configuration. In bin/genzone, we extract the domain name from $ORIGIN in the raw zone file.
---
 TODO | 3 +--
 bin/genzone | 9 +++++++--
 bin/key-gen | 18 +++++++++++++-----
 cf.dist/domains | 2 ++
 m4/mkname.m4 | 10 ++++++++++
 5 files changed, 33 insertions(+), 9 deletions(-)
 create mode 100644 m4/mkname.m4

diff --git a/TODO b/TODO
index 15b6d8b..fe4cfb9 100644
--- a/TODO
+++ b/TODO
@@ -2,7 +2,6 @@ freebsd: don't use `-f' in hostname
 - NSCVER macro
 - Update or delete nsc.lsm
+- do we still need root.cache?
 DNSSEC:
-- in reverse zones, file name != zone name => need to pass zone name to genzone
-- signing reverse zones
diff --git a/bin/genzone b/bin/genzone
index cee907f..4af0867 100755
--- a/bin/genzone
+++ b/bin/genzone
@@ -28,9 +28,14 @@ else
 $M4 -DVERS=ver/$Z m4/nsc.m4 "$@" >zone/$Z.new
 NEWVER="$(sed -e "s/^;;; VERSION: //; t; d" zone/$Z.new)"
 if [ -f khash/$Z ] ; then
- if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $Z -S -3 - zone/$Z.new &>zone/$Z.tmp ; then
+ ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2)
+ if [ -z "$ORIGIN" ] ; then
+ echo >&2 "FATAL: Cannot establish zone origin for $Z"
+ exit 1
+ fi
+ if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $ORIGIN -S -3 - zone/$Z.new &>zone/$Z.tmp ; then
 cat zone/$Z.tmp
- echo >&2 "FATAL: Signing failed"
+ echo >&2 "FATAL: Cannot sign $Z"
 exit 1
 fi
 rm -f zone/$Z.tmp
diff --git a/bin/key-gen b/bin/key-gen
index b73fd59..bf2a819 100755
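Review bot: The new `ORIGIN=$(grep '\$ORIGIN' zone/$Z.new | cut -d' ' -f2)` line in bin/genzone matches `$ORIGIN` anywhere on any line and keeps every hit, and `cut` passes a line through unchanged when the directive is tab-separated, so a comment mentioning $ORIGIN, a tab after the directive, or a second $ORIGIN further down produces a wrong or multi-word value that the unquoted `-o $ORIGIN` then splits into several arguments for dnssec-signzone. Anchoring on the first field and stopping at the first match avoids all three cases: `ORIGIN=$(awk '$1 == "$ORIGIN" { print $2; exit }' zone/$Z.new)`, and the argument should be quoted, `-o "$ORIGIN"`. The existing `[ -z "$ORIGIN" ]` guard still covers the no-directive case. The enclosing else branch of genzone begins before the hunk.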
--- a/bin/key-gen
+++ b/bin/key-gen
@@ -6,12 +6,20 @@ set -e
 . bin/shell-env
 if [ -z "$1" ] ; then
- echo >&2 "Usage: $0 []"
+ echo >&2 "Usage: $0 []"
 exit 1
 fi
-D="$1"
+C="$1"
 shift
-mkdir -p keys/$D
-dnssec-keygen $KEYGEN_OPTIONS -K keys/$D "$@" $D
-bin/key-update $D
+if [ ! -f $CFDIR/$C ] ; then
+ echo >&2 "$CFDIR/$C: No such configuration file"
+ exit 1
+fi
+
+Z=$($M4 m4/mkname.m4 $CFDIR/$C)
+echo "Zone name: $Z"
+
+mkdir -p keys/$C
+dnssec-keygen $KEYGEN_OPTIONS -K keys/$C "$@" $Z
+bin/key-update $C
diff --git a/cf.dist/domains b/cf.dist/domains
index 35d1d94..d9ac601 100644
--- a/cf.dist/domains
+++ b/cf.dist/domains
@@ -55,8 +55,10 @@ ZONE_OPTIONS()
 ; Here are reverse delegations for two networks. NSC automatically creates
 ; the PTR records from A records in all mentioned zones. See cf/{0,1}.0.10.
+DNSSEC(`
 REVERSE(10.0.0, example.com, a.example.com)
 REVERSE(10.1.0, example.com, a.example.com, ip6.example.com)
+')
 ; You can even have reverse zones for larger networks
diff --git a/m4/mkname.m4 b/m4/mkname.m4
new file mode 100644
index 0000000..90c7191
--- /dev/null
+++ b/m4/mkname.m4
@@ -0,0 +1,10 @@
+dnl ###
+dnl ### NSC -- Zone Name Generator
+dnl ### (c) 2019 Martin Mares
+dnl ###
+dnl ### Usage: m4 mkname.m4 domain-source-files >zone-name
+dnl ###
+include(m4/dnslib.m4)
+
+define(`SOA', `ifdef(`CURRENT_DOMAIN',,`define(`CURRENT_DOMAIN',$1)divert(0)$1
+divert(-1)')')
-- 
2.39.2
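Review bot: `Z=$($M4 m4/mkname.m4 $CFDIR/$C)` in bin/key-gen is used without checking that it produced a name: when the configuration contains no SOA (mkname.m4 emits a name only from its SOA macro) `$Z` is empty, `keys/$C` is created anyway, and `dnssec-keygen ... "$@" $Z` runs without a zone name, so the failure surfaces from dnssec-keygen instead of from this script. A guard matching the one genzone gets in this commit fits right after the assignment: `if [ -z "$Z" ] ; then echo >&2 "FATAL: Cannot establish zone name for $C" ; exit 1 ; fi`. `$C` is also used unquoted in the `[ ! -f $CFDIR/$C ]` test and in the `keys/$C` paths; quoting it (`"$CFDIR/$C"`, `"keys/$C"`) keeps a name with spaces or glob characters from being reinterpreted by the shell. The usage message reads `Usage: $0 []` here, which looks like the argument placeholders were lost in rendering; if they are genuinely absent, the new argument should be named as the configuration file under $CFDIR.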
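Review bot: The example in cf.dist/domains now wraps the two REVERSE zones in a DNSSEC( ... ) block without saying where their keys come from, while the preceding comment still only points at cf/{0,1}.0.10. Since bin/key-gen in this commit takes the configuration file name rather than the domain name, a line next to the existing comment such as `; Keys for signed reverse zones are generated per configuration file, e.g. bin/key-gen 0.0.10` would spare readers a trip to the key-gen source; the exact file name should be checked against the layout under $CFDIR.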
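Review bot: The SOA definition in m4/mkname.m4 reports only the first SOA it sees (the ifdef on CURRENT_DOMAIN skips later ones) while the header's usage line accepts several domain-source-files, so a configuration describing more than one zone silently yields the first zone's name and bin/key-gen then generates keys under that name alone; that limit belongs in the header, e.g. `dnl ### Only the first SOA encountered is reported; use one configuration file per zone.`. The file also depends on output having been diverted away before the first SOA macro fires, presumably by m4/dnslib.m4, since nothing here suppresses the configuration's other text; an explicit `divert(-1)` line after `include(m4/dnslib.m4)` would make the name generator independent of that. Whether the first argument of SOA is the zone's domain name cannot be seen from this file, so a comment stating that assumption would help the next reader.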