bind-9.7.0a3 genkey.sh and dnssec-signzone missing check
Paul Wouters
paul at xelerance.com
Mon Sep 21 23:45:33 UTC 2009
Hi,
When using 9.7.0a3 with dnssec-signzone and PKCS#11, one can use the genkey.sh
as a tool to generate keys. It is however hardcoded to RSASHA1. (We needed NSECRSASHA1)
The below tiny patch addresses this.
Related, the dnssec-signzone command created a zone with algo 5 DNSKEYs with
NSEC3 records, which is a bogus zone that stupid people like me should not be allowed
to create :)
Paul
--- genkey.sh.org 2009-09-21 19:40:17.000000000 -0400
+++ genkey.sh 2009-09-21 19:40:45.000000000 -0400
@@ -1,8 +1,8 @@
#!/bin/bash
-usage="Usage: $0 -z zone -x ext -p pin -b bits -e engine [-f] -k key_path"
+usage="Usage: $0 -z zone -x ext -p pin -a algonum -b bits -e engine [-f] -k key_path"
tmp_file=/tmp/cur_key.$$
-while getopts ":z:x:p:t:k:b:e:f" opt; do
+while getopts ":z:x:p:t:k:b:e:a:f" opt; do
case $opt in
z ) zone=$OPTARG ;;
x ) ext=$OPTARG ;;
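Review bot: the new -a option has no default, so a caller who omits it leaves $algo empty and the keyconv.pl invocations later in the script lose their algorithm argument entirely. Setting `algo=5` next to `tmp_file=/tmp/cur_key.$$` before the getopts loop keeps the previous RSASHA1 behaviour for existing callers while allowing -a to override it. Also worth noting: the getopts string still accepts -t, which the usage line does not document; since the usage line is being edited anyway, either document -t or drop it from the option string.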
@@ -12,6 +12,7 @@ while getopts ":z:x:p:t:k:b:e:f" opt; do
e ) engine=$OPTARG ;;
b ) bits=$OPTARG ;;
k ) key_path=$OPTARG ;;
+ a ) algo=$OPTARG ;;
\? ) echo $usage
exit 1 ;;
esac
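Review bot: `a ) algo=$OPTARG ;;` accepts any string and passes it through unchecked to keyconv.pl, which will then produce a DNSKEY with whatever -a it was given. A small guard after the loop, such as `case $algo in 5|7) ;; *) echo $usage; exit 1 ;; esac` for the RSASHA1 (5) and NSEC3RSASHA1 (7) algorithm numbers the script is meant to support, would catch typos before a key is generated with the wrong algorithm. That check is also the natural place to reject the bogus combination described in the mail, since an algorithm 5 key is not valid for an NSEC3-signed zone.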
@@ -42,9 +43,9 @@ if [ $? -ne 0 ] ; then exit 1 ; fi
echo "Generating DNSKEY RR"
if [ "$flag" ] ; then
- keytag=`$mypath/keyconv.pl -a 5 -k -e $engine -l $label -p $key_path -i $tmp_file $zone`
+ keytag=`$mypath/keyconv.pl -a $algo -k -e $engine -l $label -p $key_path -i $tmp_file $zone`
else
- keytag=`$mypath/keyconv.pl -a 5 -e $engine -l $label -p $key_path -i $tmp_file $zone`
+ keytag=`$mypath/keyconv.pl -a $algo -e $engine -l $label -p $key_path -i $tmp_file $zone`
fi
if [ ! $keytag ] ; then rm $tmp_file; exit 1 ; fi
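Review bot: `-a $algo` is unquoted in both backtick invocations, so an empty or whitespace-containing $algo silently changes the argument list seen by keyconv.pl (with an empty value the command becomes `keyconv.pl -a -k -e ...`, i.e. `-k` is consumed as the algorithm). Writing `-a "$algo"` in both lines makes the failure visible rather than silent. The two branches now differ only by the `-k` flag; folding that into a variable (`kflag=-k` when `$flag` is set) and keeping a single keyconv.pl line would avoid having to patch the same command twice, as this hunk had to.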