diff --git a/doc/manual/source/man/dnst-signzone.rst b/doc/manual/source/man/dnst-signzone.rst
index 648d7375..7d1639a6 100644
--- a/doc/manual/source/man/dnst-signzone.rst
+++ b/doc/manual/source/man/dnst-signzone.rst
@@ -30,11 +30,6 @@ Arguments
 Options
 -------
-.. option:: -b
-
- Add comments on DNSSEC records. Without this option only DNSKEY RRs
- will have their key tag annotated in the comment.
-
 .. option:: -d
 Do not add used keys to the resulting zonefile.
@@ -66,6 +61,20 @@ Options
 If this would NOT result in the SOA serial increasing it will be incremented instead.
+.. option:: -n
+
+ Use NSEC3 instead of NSEC. By default, RFC 9276 best practice settings
+ are used: SHA-1, no extra iterations, empty salt. To use different NSEC3
+ settings see :ref:`dnst-signzone-nsec3-options`.
+
+.. option:: -A
+
+ Sign DNSKEYs with all keys instead of the minimal set.
+
+.. option:: -U
+
+ Sign with every unique algorithm in the provided keys.
+
 .. option:: -z <[SCHEME:]HASH>
 Add a ZONEMD resource record. Accepts both mnemonics and numbers.
@@ -81,14 +90,6 @@ Options
 ... argument becomes optional and determines whether to sign the zone.
-.. TODO: document -A and -U when implemented
-
-.. option:: -n
-
- Use NSEC3 instead of NSEC. By default, RFC 9276 best practice settings
- are used: SHA-1, no extra iterations, empty salt. To use different NSEC3
- settings see :ref:`dnst-signzone-nsec3-options`.
-
 .. option:: -H
 Hash only, don't sign. With this option, the normally mandatory ...
@@ -100,6 +101,36 @@ Options
 ``--help``).
+.. _dnst-signzone-formatting-options:
+
+Output formatting options
+--------------------------------
+
+The following options can be used to affect the format of the output.
+
+.. option:: -b
+
+ Add comments on DNSSEC records. Without this option only DNSKEY RRs
+ will have their key tag annotated in the comment.
+
+.. option:: -L
+
+ Preceed the zone output by a list that contains the NSEC3 hashes of the
+ original ownernames.
+
+.. option:: -O
+
+ Order NSEC3 RRs by unhashed owner name.
+
+.. option:: -R
+
+ Order RRSIG RRs by the record type that they cover.
+
+.. option:: -T
+
+ Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.
+
+
 .. _dnst-signzone-nsec3-options:
 NSEC3 options
@@ -112,19 +143,19 @@ settings used.
 Specify the hashing algorithm. Defaults to SHA-1.
-.. option:: -t
-
- Set the number of extra hash iterations. Defaults to 0.
-
 .. option:: -s
 Specify the salt as a hex string. Defaults to ``-``, meaning empty salt.
+.. option:: -t
+
+ Set the number of extra hash iterations. Defaults to 0.
+
 .. option:: -p
 Set the opt-out flag on all NSEC3 RRs.
-.. option:: -A
+.. option:: -P
 Set the opt-out flag on all NSEC3 RRs and skip unsigned delegations.
diff --git a/doc/manual/source/man/ldns-signzone.rst b/doc/manual/source/man/ldns-signzone.rst
index 1f1b6fe3..37fdeb0a 100644
--- a/doc/manual/source/man/ldns-signzone.rst
+++ b/doc/manual/source/man/ldns-signzone.rst
@@ -26,6 +26,10 @@ Arguments
 Note: Unlike the original LDNS, any existing NSEC(3), NSEC3PARAM and/or RRSIG resource records will be skipped when loading the zonefile.
+ Note: Unlike the original LDNS, the origin must be explicitly specified
+ either via an ``$ORIGIN`` directive in the zonefile or using the ``-o``
+ command line argument.
+
 .. option:: ...
 The keys to sign the zonefile with.
diff --git a/src/commands/signzone.rs b/src/commands/signzone.rs
index d2c82378..6844a43f 100644
--- a/src/commands/signzone.rs
+++ b/src/commands/signzone.rs
@@ -150,8 +150,18 @@ pub struct SignZone {
 #[arg(short = 'u', default_value_t = false)]
 set_soa_serial_to_epoch_time: bool,
- // SKIPPED: -v
- // This should be handled at the dnst top level, not per subcommand.
+ /// Use NSEC3 instead of NSEC
+ #[arg(short = 'n', default_value_t = false, group = "nsec3")]
+ use_nsec3: bool,
+
+ /// Sign DNSKEYs with all keys instead of the minimal set
+ #[arg(short = 'A', default_value_t = false)]
+ sign_dnskeys_with_all_keys: bool,
+
+ /// Sign with every unique algorithm in the provided keys
+ #[arg(short = 'U', default_value_t = false)]
+ sign_with_every_unique_algorithm: bool,
+
 /// Add a ZONEMD resource record
 ///
 /// currently supports "SHA384" (1) or "SHA512" (2).
@@ -173,18 +183,6 @@ pub struct SignZone {
 #[arg(short = 'Z', requires = "zonemd")]
 allow_zonemd_without_signing: bool,
- /// Sign DNSKEYs with all keys instead of minimal
- #[arg(short = 'A', default_value_t = false)]
- sign_dnskeys_with_all_keys: bool,
-
- /// Sign with every unique algorithm in the provided keys
- #[arg(short = 'U', default_value_t = false)]
- sign_with_every_unique_algorithm: bool,
-
- /// Use NSEC3 instead of NSEC
- #[arg(short = 'n', default_value_t = false, group = "nsec3")]
- use_nsec3: bool,
-
 /// Hashing algorithm
 #[arg(
 help_heading = Some("NSEC3 (when using '-n')"),
@@ -243,14 +241,6 @@ pub struct SignZone {
 #[arg(short = 'H', default_value_t = false)]
 hash_only: bool,
- /// Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.
- #[arg(
- help_heading = Some("OUTPUT FORMATTING"),
- short = 'T',
- default_value_t = false
- )]
- use_yyyymmddhhmmss_rrsig_format: bool,
-
 /// Preceed the zone output by a list that contains the NSEC3 hashes of the
 /// original ownernames.
 #[arg(
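Review bot: The `@@ -150,8 +150,18 @@` hunk drops the `// SKIPPED: -v` / `// This should be handled at the dnst top level, not per subcommand.` note while relocating the `-n`, `-A` and `-U` fields, so `SignZone` no longer records why `-v` is deliberately absent from this subcommand. Unless `-v` has since been wired up elsewhere, keep a one-line marker in the moved block, `// SKIPPED: -v (handled at the dnst top level, not per subcommand)`, so the gap is not mistaken for an omission and re-added here. The remaining hunks in this file are pure reorderings of existing fields and raise nothing. The `SignZone` struct begins before and ends after every hunk shown.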
@@ -261,6 +251,16 @@ pub struct SignZone {
 )]
 preceed_zone_with_hash_list: bool,
+ /// Order NSEC3 RRs by unhashed owner name.
+ #[arg(
+ help_heading = Some("OUTPUT FORMATTING"),
+ short = 'O',
+ default_value_t = false,
+ default_value_if("extra_comments", "true", Some("true")),
+ requires = "nsec3",
+ )]
+ order_nsec3_rrs_by_unhashed_owner_name: bool,
+
 /// Order RRSIG RRs by the record type that they cover.
 #[arg(
 help_heading = Some("OUTPUT FORMATTING"),
@@ -270,15 +270,13 @@ pub struct SignZone {
 )]
 order_rrsigs_after_the_rtype_they_cover: bool,
- /// Order NSEC3 RRs by unhashed owner name.
+ /// Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.
 #[arg(
 help_heading = Some("OUTPUT FORMATTING"),
- short = 'O',
- default_value_t = false,
- default_value_if("extra_comments", "true", Some("true")),
- requires = "nsec3",
+ short = 'T',
+ default_value_t = false
 )]
- order_nsec3_rrs_by_unhashed_owner_name: bool,
+ use_yyyymmddhhmmss_rrsig_format: bool,
 // -----------------------------------------------------------------------
 // Original ldns-signzone positional arguments in position order: