Merged
67 changes: 49 additions & 18 deletions doc/manual/source/man/dnst-signzone.rst
Expand Up @@ -30,11 +30,6 @@ Arguments
Options
-------

.. option:: -b

Add comments on DNSSEC records. Without this option only DNSKEY RRs
will have their key tag annotated in the comment.

.. option:: -d

Do not add used keys to the resulting zonefile.
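Review bot: with `-b` moved out of the general Options list, this section no longer points readers at where the formatting flags went; add a one-line cross-reference near the top of Options, e.g. ``Output formatting options are described in :ref:`dnst-signzone-formatting-options`.``, so someone scanning this section for `-b` still finds it.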
Expand Down Expand Up @@ -66,6 +61,20 @@ Options
If this would NOT result in the SOA serial increasing it will be
incremented instead.

.. option:: -n

Use NSEC3 instead of NSEC. By default, RFC 9276 best practice settings
are used: SHA-1, no extra iterations, empty salt. To use different NSEC3
settings see :ref:`dnst-signzone-nsec3-options`.

.. option:: -A

Sign DNSKEYs with all keys instead of the minimal set.

.. option:: -U

Sign with every unique algorithm in the provided keys.

.. option:: -z <[SCHEME:]HASH>

Add a ZONEMD resource record. Accepts both mnemonics and numbers.
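Review bot: the `-A` and `-U` entries state what they change but not the default they change from: "the minimal set" on the `-A` line is never defined in this man page, and the `-U` line does not say whether it applies to every RRset or only to the DNSKEY RRset. Suggest stating the default in each entry (which keys sign the DNSKEY RRset without `-A`, and which signatures are produced without `-U`) so an operator can tell when either flag is needed.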
Expand All @@ -81,14 +90,6 @@ Options
<KEY>... argument becomes optional and determines whether to sign the
zone.

.. TODO: document -A and -U when implemented

.. option:: -n

Use NSEC3 instead of NSEC. By default, RFC 9276 best practice settings
are used: SHA-1, no extra iterations, empty salt. To use different NSEC3
settings see :ref:`dnst-signzone-nsec3-options`.

.. option:: -H

Hash only, don't sign. With this option, the normally mandatory <KEY>...
Expand All @@ -100,6 +101,36 @@ Options
``--help``).


.. _dnst-signzone-formatting-options:

Output formatting options
--------------------------------

The following options can be used to affect the format of the output.

.. option:: -b

Add comments on DNSSEC records. Without this option only DNSKEY RRs
will have their key tag annotated in the comment.

.. option:: -L

Preceed the zone output by a list that contains the NSEC3 hashes of the
original ownernames.

.. option:: -O

Order NSEC3 RRs by unhashed owner name.

.. option:: -R

Order RRSIG RRs by the record type that they cover.

.. option:: -T

Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.


.. _dnst-signzone-nsec3-options:

NSEC3 options
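Review bot: "Preceed" on the `-L` line should be "Precede"; this is user-facing text. The `-O` entry also omits two constraints visible in `signzone.rs`: it requires `-n` (`requires = "nsec3"`) and is switched on automatically by `-b` (`default_value_if("extra_comments", "true", Some("true"))`). Document both, e.g. "Implied by -b. Requires -n.", and check whether `-L` carries the same `-n` requirement, since it also concerns NSEC3 hashes.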
Expand All @@ -112,19 +143,19 @@ settings used.

Specify the hashing algorithm. Defaults to SHA-1.

.. option:: -t <NUMBER>

Set the number of extra hash iterations. Defaults to 0.

.. option:: -s <STRING>

Specify the salt as a hex string. Defaults to ``-``, meaning empty salt.

.. option:: -t <NUMBER>

Set the number of extra hash iterations. Defaults to 0.

.. option:: -p

Set the opt-out flag on all NSEC3 RRs.

.. option:: -A
.. option:: -P

Set the opt-out flag on all NSEC3 RRs and skip unsigned delegations.

4 changes: 4 additions & 0 deletions doc/manual/source/man/ldns-signzone.rst
Expand Up @@ -26,6 +26,10 @@ Arguments
Note: Unlike the original LDNS, any existing NSEC(3), NSEC3PARAM and/or
RRSIG resource records will be skipped when loading the zonefile.

Note: Unlike the original LDNS, the origin must be explicitly specified
either via an ``$ORIGIN`` directive in the zonefile or using the ``-o``
command line argument.

.. option:: <KEY>...

The keys to sign the zonefile with.
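Review bot: the new note says the origin may come from an `$ORIGIN` directive or from `-o`, but not which one wins when both are present or what happens when they disagree. State the precedence (or that a mismatch is an error), since a wrong origin silently changes every owner name that gets signed.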
54 changes: 26 additions & 28 deletions src/commands/signzone.rs
Expand Up @@ -150,8 +150,18 @@ pub struct SignZone {
#[arg(short = 'u', default_value_t = false)]
set_soa_serial_to_epoch_time: bool,

// SKIPPED: -v
// This should be handled at the dnst top level, not per subcommand.
/// Use NSEC3 instead of NSEC
#[arg(short = 'n', default_value_t = false, group = "nsec3")]
use_nsec3: bool,

/// Sign DNSKEYs with all keys instead of the minimal set
#[arg(short = 'A', default_value_t = false)]
sign_dnskeys_with_all_keys: bool,

/// Sign with every unique algorithm in the provided keys
#[arg(short = 'U', default_value_t = false)]
sign_with_every_unique_algorithm: bool,

/// Add a ZONEMD resource record
///
/// <hash> currently supports "SHA384" (1) or "SHA512" (2).
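Review bot: dropping the `// SKIPPED: -v` comment loses the only record that `-v` is intentionally not handled in this subcommand and belongs at the dnst top level; keep the comment (or move it next to the positional-argument block) so the next reader does not re-add `-v` here. The reordering of `-n`, `-A` and `-U` otherwise matches the new order in `dnst-signzone.rst`.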
Expand All @@ -173,18 +183,6 @@ pub struct SignZone {
#[arg(short = 'Z', requires = "zonemd")]
allow_zonemd_without_signing: bool,

/// Sign DNSKEYs with all keys instead of minimal
#[arg(short = 'A', default_value_t = false)]
sign_dnskeys_with_all_keys: bool,

/// Sign with every unique algorithm in the provided keys
#[arg(short = 'U', default_value_t = false)]
sign_with_every_unique_algorithm: bool,

/// Use NSEC3 instead of NSEC
#[arg(short = 'n', default_value_t = false, group = "nsec3")]
use_nsec3: bool,

/// Hashing algorithm
#[arg(
help_heading = Some("NSEC3 (when using '-n')"),
Expand Down Expand Up @@ -243,14 +241,6 @@ pub struct SignZone {
#[arg(short = 'H', default_value_t = false)]
hash_only: bool,

/// Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.
#[arg(
help_heading = Some("OUTPUT FORMATTING"),
short = 'T',
default_value_t = false
)]
use_yyyymmddhhmmss_rrsig_format: bool,

/// Preceed the zone output by a list that contains the NSEC3 hashes of the
/// original ownernames.
#[arg(
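Review bot: "Preceed" in the `/// Preceed the zone output ...` doc comment (context line of this hunk) should be "Precede"; clap renders this doc comment as the `-L` help text, so the typo appears in `--help` as well as in the `.rst` page.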
Expand All @@ -261,6 +251,16 @@ pub struct SignZone {
)]
preceed_zone_with_hash_list: bool,

/// Order NSEC3 RRs by unhashed owner name.
#[arg(
help_heading = Some("OUTPUT FORMATTING"),
short = 'O',
default_value_t = false,
default_value_if("extra_comments", "true", Some("true")),
requires = "nsec3",
)]
order_nsec3_rrs_by_unhashed_owner_name: bool,

/// Order RRSIG RRs by the record type that they cover.
#[arg(
help_heading = Some("OUTPUT FORMATTING"),
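Review bot: the `-O` definition combines `default_value_if("extra_comments", "true", Some("true"))` with `requires = "nsec3"`; worth an explicit parse test that `-b` without `-n` still succeeds, because correctness here depends on clap not treating the default-derived `true` as "present" for the `requires` check. If it does, `-b` on an NSEC-signed zone would fail with a confusing error about `-n`.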
Expand All @@ -270,15 +270,13 @@ pub struct SignZone {
)]
order_rrsigs_after_the_rtype_they_cover: bool,

/// Order NSEC3 RRs by unhashed owner name.
/// Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.
#[arg(
help_heading = Some("OUTPUT FORMATTING"),
short = 'O',
default_value_t = false,
default_value_if("extra_comments", "true", Some("true")),
requires = "nsec3",
short = 'T',
default_value_t = false
)]
order_nsec3_rrs_by_unhashed_owner_name: bool,
use_yyyymmddhhmmss_rrsig_format: bool,

// -----------------------------------------------------------------------
// Original ldns-signzone positional arguments in position order: