Commit 7ce36aa6 authored by Libor Peltan's avatar Libor Peltan

Merge branch 'kasp_refactor'

parents 0c82e99f 9a173fc6
......@@ -72,9 +72,9 @@
# Binaries
/src/kdig
/src/keymgr
/src/khost
/src/kjournalprint
/src/keymgr
/src/knot1to2
/src/knotc
/src/knotd
......@@ -77,48 +77,16 @@ src/dnssec/lib/dnssec/binary.h
src/dnssec/lib/dnssec/crypto.h
src/dnssec/lib/dnssec/dnssec.h
src/dnssec/lib/dnssec/error.h
src/dnssec/lib/dnssec/event.h
src/dnssec/lib/dnssec/kasp.h
src/dnssec/lib/dnssec/key.h
src/dnssec/lib/dnssec/keyid.h
src/dnssec/lib/dnssec/keystate.h
src/dnssec/lib/dnssec/keystore.h
src/dnssec/lib/dnssec/keytag.h
src/dnssec/lib/dnssec/keyusage.h
src/dnssec/lib/dnssec/list.h
src/dnssec/lib/dnssec/nsec.h
src/dnssec/lib/dnssec/random.h
src/dnssec/lib/dnssec/sign.h
src/dnssec/lib/dnssec/tsig.h
src/dnssec/lib/error.c
src/dnssec/lib/event/action.h
src/dnssec/lib/event/action/initial_key.c
src/dnssec/lib/event/action/nsec3_resalt.c
src/dnssec/lib/event/action/zsk_rollover.c
src/dnssec/lib/event/event.c
src/dnssec/lib/event/keystate.c
src/dnssec/lib/event/utils.c
src/dnssec/lib/event/utils.h
src/dnssec/lib/kasp/dir/dir.c
src/dnssec/lib/kasp/dir/escape.c
src/dnssec/lib/kasp/dir/escape.h
src/dnssec/lib/kasp/dir/file.c
src/dnssec/lib/kasp/dir/file.h
src/dnssec/lib/kasp/dir/json.c
src/dnssec/lib/kasp/dir/json.h
src/dnssec/lib/kasp/dir/keystore.c
src/dnssec/lib/kasp/dir/keystore.h
src/dnssec/lib/kasp/dir/policy.c
src/dnssec/lib/kasp/dir/policy.h
src/dnssec/lib/kasp/dir/zone.c
src/dnssec/lib/kasp/dir/zone.h
src/dnssec/lib/kasp/internal.h
src/dnssec/lib/kasp/kasp.c
src/dnssec/lib/kasp/keystore.c
src/dnssec/lib/kasp/keystore_open.c
src/dnssec/lib/kasp/policy.c
src/dnssec/lib/kasp/zone.c
src/dnssec/lib/kasp/zone.h
src/dnssec/lib/key/algorithm.c
src/dnssec/lib/key/algorithm.h
src/dnssec/lib/key/convert.c
......@@ -138,7 +106,6 @@ src/dnssec/lib/keystore/keystore.c
src/dnssec/lib/keystore/pkcs11.c
src/dnssec/lib/keystore/pkcs8.c
src/dnssec/lib/keystore/pkcs8_dir.c
src/dnssec/lib/keyusage/keyusage.c
src/dnssec/lib/list/list.c
src/dnssec/lib/list/ucw_clists.h
src/dnssec/lib/nsec/bitmap.c
......@@ -174,12 +141,6 @@ src/dnssec/shared/timestamp.h
src/dnssec/shared/wire.h
src/dnssec/tests/binary.c
src/dnssec/tests/crypto.c
src/dnssec/tests/event_keystate.c
src/dnssec/tests/event_nsec3_resalt.c
src/dnssec/tests/kasp_dir_escape.c
src/dnssec/tests/kasp_dir_file.c
src/dnssec/tests/kasp_policy.c
src/dnssec/tests/kasp_store.c
src/dnssec/tests/key.c
src/dnssec/tests/key_algorithm.c
src/dnssec/tests/key_ds.c
......@@ -188,7 +149,6 @@ src/dnssec/tests/keystore_pkcs11.c
src/dnssec/tests/keystore_pkcs8.c
src/dnssec/tests/keystore_pkcs8_dir.c
src/dnssec/tests/keytag.c
src/dnssec/tests/keyusage.c
src/dnssec/tests/list.c
src/dnssec/tests/nsec_bitmap.c
src/dnssec/tests/nsec_hash.c
......@@ -234,6 +194,17 @@ src/knot/ctl/process.c
src/knot/ctl/process.h
src/knot/dnssec/context.c
src/knot/dnssec/context.h
src/knot/dnssec/kasp/kasp_db.c
src/knot/dnssec/kasp/kasp_db.h
src/knot/dnssec/kasp/kasp_zone.c
src/knot/dnssec/kasp/kasp_zone.h
src/knot/dnssec/kasp/keystate.c
src/knot/dnssec/kasp/keystate.h
src/knot/dnssec/kasp/keystore.c
src/knot/dnssec/kasp/keystore.h
src/knot/dnssec/kasp/policy.h
src/knot/dnssec/key-events.c
src/knot/dnssec/key-events.h
src/knot/dnssec/nsec-chain.c
src/knot/dnssec/nsec-chain.h
src/knot/dnssec/nsec3-chain.c
......@@ -259,8 +230,10 @@ src/knot/events/handlers/flush.c
src/knot/events/handlers/freeze_thaw.c
src/knot/events/handlers/load.c
src/knot/events/handlers/notify.c
src/knot/events/handlers/nsec3resalt.c
src/knot/events/handlers/refresh.c
src/knot/events/handlers/update.c
src/knot/events/handlers/zsk_rollover.c
src/knot/events/log.c
src/knot/events/log.h
src/knot/events/replan.c
......@@ -484,22 +457,11 @@ src/utils/kdig/kdig_exec.h
src/utils/kdig/kdig_main.c
src/utils/kdig/kdig_params.c
src/utils/kdig/kdig_params.h
src/utils/keymgr/cmdparse/command.c
src/utils/keymgr/cmdparse/command.h
src/utils/keymgr/cmdparse/match.h
src/utils/keymgr/cmdparse/parameter.c
src/utils/keymgr/cmdparse/parameter.h
src/utils/keymgr/cmdparse/value.c
src/utils/keymgr/cmdparse/value.h
src/utils/keymgr/keymgr.c
src/utils/keymgr/legacy/key.c
src/utils/keymgr/legacy/key.h
src/utils/keymgr/legacy/privkey.c
src/utils/keymgr/legacy/privkey.h
src/utils/keymgr/legacy/pubkey.c
src/utils/keymgr/legacy/pubkey.h
src/utils/keymgr/options.c
src/utils/keymgr/options.h
src/utils/keymgr/bind_privkey.c
src/utils/keymgr/bind_privkey.h
src/utils/keymgr/functions.c
src/utils/keymgr/functions.h
src/utils/keymgr/main.c
src/utils/khost/khost_main.c
src/utils/khost/khost_params.c
src/utils/khost/khost_params.h
......@@ -598,6 +560,7 @@ tests/test_confio.c
tests/test_dthreads.c
tests/test_fdset.c
tests/test_journal.c
tests/test_kasp_db.c
tests/test_node.c
tests/test_process_query.c
tests/test_query_module.c
......@@ -7,7 +7,6 @@ Knot DNS has several dependencies:
* pkg-config
* liburcu >= 0.5.4
* gnutls >= 3.0
* jansson >= 2.3
* libedit
Embedded libraries:
......@@ -41,7 +40,7 @@ $ sudo apt-get upgrade
Install prerequisites:
$ sudo apt-get install \
libtool autoconf make pkg-config liburcu-dev libgnutls28-dev libjansson-dev libedit-dev
libtool autoconf make pkg-config liburcu-dev libgnutls28-dev libedit-dev
Install optional packages to override embedded libraries:
$ sudo apt-get install liblmdb-dev
......@@ -59,7 +58,7 @@ Install basic development tools:
Install prerequisites:
# dnf install \
libtool autoconf pkgconfig automake userspace-rcu-devel gnutls-devel jansson-devel libedit-devel
libtool autoconf pkgconfig automake userspace-rcu-devel gnutls-devel libedit-devel
Install optional packages to override embedded libraries:
# dnf install lmdb-devel
......@@ -125,9 +125,6 @@ PKG_CHECK_MODULES([gnutls], [gnutls >= 3.3 nettle], [
LIBS=$save_LIBS
])
# JSON for DNSSEC status storage
PKG_CHECK_MODULES([jansson], [jansson >= 2.3])
AC_ARG_ENABLE([recvmmsg],
AS_HELP_STRING([--enable-recvmmsg=auto|yes|no], [enable recvmmsg() network API [default=auto]]),
[], [enable_recvmmsg=auto])
......@@ -449,23 +446,6 @@ AS_IF([test "$with_libidn" != "no"],[
]) # Knot DNS utilities dependencies
# Bash completions
AC_ARG_WITH([bash-completions],
AC_HELP_STRING([--with-bash-completions=[DIR]], [Bash completions directory [default=no]]),
[with_bash_completions="$withval"],
[with_bash_completions=no]
)
AS_CASE([$with_bash_completions],
[yes], [PKG_CHECK_VAR([bash_completions_dir], [bash-completion], [completionsdir], [], [AC_MSG_ERROR([bash completions not found])])],
[no], [bash_completions_dir=],
[bash_completions_dir="$with_bash_completions"]
)
AM_CONDITIONAL([HAVE_BASH_COMPLETIONS], [test -n "$bash_completions_dir"])
AS_IF([test -n "$bash_completions_dir"],
[bash_completions_output="${bash_completions_dir}"],
[bash_completions_output=no]
)
AC_SEARCH_LIBS([pow], [m])
AC_SEARCH_LIBS([pthread_create], [pthread], [], [AC_MSG_ERROR([pthreads not found])])
AC_SEARCH_LIBS([dlopen], [dl])
......@@ -544,7 +524,6 @@ result_msg_base=" $PACKAGE $VERSION
LIBS: ${LIBS} ${LDFLAGS}
LibURCU: ${liburcu_LIBS} ${liburcu_CFLAGS}
GnuTLS: ${gnutls_LIBS} ${gnutls_CFLAGS}
Jansson: ${jansson_LIBS} ${jansson_CFLAGS}
Libedit: ${libedit_LIBS} ${libedit_CFLAGS}
LMDB: ${enable_lmdb} ${lmdb_LIBS} ${lmdb_CFLAGS}
......@@ -571,7 +550,6 @@ result_msg_base=" $PACKAGE $VERSION
Systemd integration: ${enable_systemd}
Dnstap support: ${opt_dnstap}
Code coverage: ${enable_code_coverage}
Bash completions: ${bash_completions_output}
PKCS #11 support: ${enable_pkcs11}"
result_msg_esc=$(echo -n "$result_msg_base" | sed '$!s/$/\\n/' | tr -d '\n')
/_build
# sphinx-build manpages
/man/kdig.1
/man/knot.conf.5
/man/knotc.8
/man/knotd.8
/man/keymgr.8
/man/pykeymgr.8
/man/kdig.1
/man/khost.1
/man/kjournalprint.1
/man/knot.conf.5
/man/knot1to2.1
/man/knotc.8
/man/knotd.8
/man/knsec3hash.1
/man/knsupdate.1
/man/kzonecheck.1
MANPAGES_IN = man/knot.conf.5in man/knotc.8in man/knotd.8in man/kdig.1in man/khost.1in man/kjournalprint.1in man/knsupdate.1in man/knot1to2.1in man/knsec3hash.1in man/keymgr.8in man/kzonecheck.1in
MANPAGES_RST = reference.rst man_knotc.rst man_knotd.rst man_kdig.rst man_khost.rst man_kjournalprint.rst man_knsupdate.rst man_knot1to2.rst man_knsec3hash.rst man_keymgr.rst man_kzonecheck.rst
MANPAGES_IN = \
man/knot.conf.5in \
man/knotc.8in \
man/knotd.8in \
man/keymgr.8in \
man/pykeymgr.8in \
man/kdig.1in \
man/khost.1in \
man/kjournalprint.1in \
man/knsupdate.1in \
man/knot1to2.1in \
man/knsec3hash.1in \
man/kzonecheck.1in
MANPAGES_RST = \
reference.rst \
man_knotc.rst \
man_knotd.rst \
man_keymgr.rst \
man_pykeymgr.rst \
man_kdig.rst \
man_khost.rst \
man_kjournalprint.rst \
man_knsupdate.rst \
man_knot1to2.rst \
man_knsec3hash.rst \
man_kzonecheck.rst
EXTRA_DIST = \
conf.py \
conf.py \
\
configuration.rst \
index.rst \
......@@ -58,24 +83,41 @@ man_SPHINXOPTS = $(_SPHINXOPTS) \
man_MANS =
if HAVE_DAEMON
man_MANS += man/knot.conf.5 man/knotc.8 man/knotd.8
man_MANS += \
man/knot.conf.5 \
man/knotc.8 \
man/knotd.8 \
man/knot1to2.1
endif # HAVE_DAEMON
if HAVE_UTILS
man_MANS += man/kdig.1 man/khost.1 man/kjournalprint.1 man/knsupdate.1 man/knot1to2.1 man/knsec3hash.1 man/keymgr.8 man/kzonecheck.1
if HAVE_DAEMON
man_MANS += \
man/keymgr.8 \
man/pykeymgr.8 \
man/kjournalprint.1 \
man/kzonecheck.1
endif # HAVE_DAEMON
man_MANS += \
man/kdig.1 \
man/khost.1 \
man/knsupdate.1 \
man/knsec3hash.1
endif # HAVE_UTILS
man/knot.conf.5: man/knot.conf.5in
man/knotc.8: man/knotc.8in
man/knotd.8: man/knotd.8in
man/kdig.1: man/kdig.1in
man/khost.1: man/khost.1in
man/kjournalprint.1: man/kjournalprint.1in
man/knsupdate.1: man/knsupdate.1in
man/knot1to2.1: man/knot1to2.1in
man/knsec3hash.1: man/knsec3hash.1in
man/keymgr.8: man/keymgr.8in
man/kzonecheck.1: man/kzonecheck.1in
man/knot.conf.5: man/knot.conf.5in
man/knotc.8: man/knotc.8in
man/knotd.8: man/knotd.8in
man/keymgr.8: man/keymgr.8in
man/pykeymgr.8: man/pykeymgr.8in
man/kdig.1: man/kdig.1in
man/khost.1: man/khost.1in
man/kjournalprint.1: man/kjournalprint.1in
man/knsupdate.1: man/knsupdate.1in
man/knot1to2.1: man/knot1to2.1in
man/knsec3hash.1: man/knsec3hash.1in
man/kzonecheck.1: man/kzonecheck.1in
man_SUBST = $(AM_V_GEN)mkdir -p man; sed -e 's,[@]VERSION@,$(VERSION),' -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),' $< > $@
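Review bot: The `if HAVE_DAEMON` nested inside `if HAVE_UTILS` has no comment saying why keymgr, pykeymgr, kjournalprint and kzonecheck now also need the daemon build, and both closing lines read `endif # HAVE_DAEMON`, so the inner and outer blocks are easy to confuse on a later edit. I would put one line above the inner block, for example `# These utilities depend on server code, so they also require HAVE_DAEMON`; that reason is inferred from the KASP sources moving under src/knot/dnssec/kasp and should be confirmed. It is also worth checking that the pykeymgr script is installed under the same condition as `man/pykeymgr.8`, since nothing visible on this page installs it.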
......@@ -218,17 +218,18 @@ latex_domain_indices = False
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
('reference', 'knot.conf', 'Knot DNS configuration file', author, 5),
('man_kdig', 'kdig', 'Advanced DNS lookup utility', author, 1),
('man_keymgr', 'keymgr', ' DNSSEC key management utility', author, 8),
('man_khost', 'khost', 'Simple DNS lookup utility', author, 1),
('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility', author, 1),
('man_knot1to2', 'knot1to2', 'Knot DNS configuration conversion utility', author, 1),
('man_knotc', 'knotc', 'Knot DNS control utility', author, 8),
('man_knotd', 'knotd', 'Knot DNS server daemon', author, 8),
('man_knsec3hash', 'knsec3hash', "Simple utility to compute NSEC3 hash", author, 1),
('man_knsupdate', 'knsupdate', 'Dynamic DNS update utility', author, 1),
('man_kzonecheck', 'kzonecheck', 'Knot DNS zone check tool', author, 1),
('reference', 'knot.conf', 'Knot DNS configuration file', author, 5),
('man_knotc', 'knotc', 'Knot DNS control utility', author, 8),
('man_knotd', 'knotd', 'Knot DNS server daemon', author, 8),
('man_keymgr', 'keymgr', 'Knot DNS key management utility', author, 8),
('man_pykeymgr', 'pykeymgr', 'Knot DNS key management utility', author, 8),
('man_kdig', 'kdig', 'Advanced DNS lookup utility', author, 1),
('man_khost', 'khost', 'Simple DNS lookup utility', author, 1),
('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility', author, 1),
('man_knot1to2', 'knot1to2', 'Knot DNS configuration conversion utility', author, 1),
('man_knsec3hash', 'knsec3hash', 'Simple utility to compute NSEC3 hash', author, 1),
('man_knsupdate', 'knsupdate', 'Dynamic DNS update utility', author, 1),
('man_kzonecheck', 'kzonecheck', 'Knot DNS zone check tool', author, 1),
]
# If true, show URL addresses after external links.
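Review bot: In `man_pages`, the `man_keymgr` and `man_pykeymgr` entries carry the same description, 'Knot DNS key management utility', so the NAME line and `whatis`/`apropos` output cannot tell the two tools apart. The pykeymgr page added in this commit documents a single main command, importing the legacy JSON KASP database, so a description such as `'Knot DNS legacy KASP database import utility'` would tell an operator migrating signing keys which tool to reach for. The title in man_pykeymgr.rst would need the same wording to stay consistent.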
......@@ -286,8 +286,8 @@ can operate in two modes:
parameters must be assigned by the zone operator.
The DNSSEC signing process maintains some metadata which is stored in the
:abbr:`KASP (Key And Signature Policy)` database. This database is simply
a directory in the file-system containing files in the JSON format.
:abbr:`KASP (Key And Signature Policy)` database. This database is backed
by LMDB.
.. WARNING::
Make sure to set the KASP database permissions correctly. For manual key
......@@ -339,7 +339,7 @@ the server logs to see whether everything went well.
.. WARNING::
This guide assumes that the zone *myzone.test* was not signed prior to
enabling the automatic key management. If the zone was already signed, all
existing keys must be imported using ``keymgr zone key import`` command
existing keys must be imported using ``keymgr import-bind`` command
before enabling the automatic signing. Also the algorithm in the policy must
match the algorithm of all imported keys. Otherwise the zone will be resigned
at all.
......@@ -366,8 +366,8 @@ Let's use the Single-Type Signing scheme with two algorithms. Run:
.. code-block:: console
$ keymgr zone key generate myzone.test algorithm RSASHA256 size 1024
$ keymgr zone key generate myzone.test algorithm ECDSAP256SHA256 size 256
$ keymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024
$ keymgr -d path/to/keydir myzone.test. generate algorithm=ECDSAP256SHA256 size=256
And reload the server. The zone will be signed.
......@@ -377,14 +377,14 @@ it yet:
.. code-block:: console
$ keymgr zone key generate myzone.test algorithm RSASHA256 size 1024 active +1d
$ keymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024 active=now+1d
Take the key ID (or key tag) of the old RSA key and disable it the same time
the new key gets activated:
.. code-block:: console
$ keymgr zone key set myzone.test <old_key_id> retire +1d remove +1d
$ keymgr -d path/to/keydir myzone.test. set <old_key_id> retire=now+1d remove=now+1d
Reload the server again. The new key will be published (i.e. the DNSKEY record
will be added into the zone). Do not forget to update the DS record in the
......@@ -457,17 +457,6 @@ of the limitations will be hopefully removed in the near future.
- Legacy key export is not implemented.
- DS record export is not implemented.
.. _dnssec-keyusage:
DNSSEC keys used by multiple zones
----------------------------------
Using same key for multiple zones with automatic key management is possible.
However, all zones must be listed in keyusage (keys directory) or they will be deleted,
when they retire in any zone.
If keys are added manually as published, but not active (for next rollover event), they are added automatically.
Performance Tuning
==================
......@@ -63,7 +63,8 @@ Print the program version.
.UNINDENT
.SH SEE ALSO
.sp
\fBknotc(8)\fP, \fBknot.conf(5)\fP\&.
\fBknot.conf(5)\fP, \fBknotc(8)\fP, \fBkeymgr(8)\fP,
\fBkjournalprint(1)\fP\&.
.SH AUTHOR
CZ.NIC Labs <http://www.knot-dns.cz>
.SH COPYRIGHT
.\" Man page generated from reStructuredText.
.
.TH "PYKEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
.SH NAME
pykeymgr \- Knot DNS key management utility
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
\fBpykeymgr.py\fP [\fIglobal\-options\fP] [\fIcommand\fP\&...] [\fIarguments\fP\&...]
.SH DESCRIPTION
.sp
The \fBpykeymgr\fP utility serves for key management in Knot DNS server.
.sp
Functions for DNSSEC keys and KASP (Key And Signature Policy)
management are provided.
.sp
The DNSSEC and KASP configuration is stored in a so called KASP database.
The databse is backed by LMDB.
.SS Global options
.INDENT 0.0
.TP
\fB\-f\fP, \fB\-\-force\fP
Skip some of consistency checks and continue with performed action with a warning.
.TP
\fB\-h\fP, \fB\-\-help\fP
Print the program help.
.UNINDENT
.SS Main commands
.INDENT 0.0
.TP
\fB\-i\fP, \fB\-\-import\fP \fIKASP_db_dir\fP
Import the legacy JSON\-format KASP database into the current LMDB\-backed one.
(You can import multiple databases at once by repeating this option.)
.UNINDENT
.SS Parameters
.INDENT 0.0
.TP
\fIKASP_db_dir\fP
A path to the KASP db. It is the directory where \fIdata.mdb\fP and \fIlock.mdb\fP
files are usually stored as well as legacy JSON configuration and \fIkeys\fP
subdirectory containing PEM files.
.UNINDENT
.SH EXAMPLES
.INDENT 0.0
.IP 1. 3
Import legacy JSON\-based KASP db from Knot 2.4.x after upgrade:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ pykemgr.py \-i ${knot_data_dir}/keys
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
\fI\%RFC 6781\fP \- DNSSEC Operational Practices.
.sp
\fBknot.conf(5)\fP,
\fBknotc(8)\fP,
\fBknotd(8)\fP\&.
.SH AUTHOR
CZ.NIC Labs <http://www.knot-dns.cz>
.SH COPYRIGHT
Copyright 2010–2017, CZ.NIC, z.s.p.o.
.\" Generated by docutils manpage writer.
.
......@@ -41,4 +41,5 @@ Parameters
See Also
--------
:manpage:`knotc(8)`, :manpage:`knot.conf(5)`.
:manpage:`knot.conf(5)`, :manpage:`knotc(8)`, :manpage:`keymgr(8)`,
:manpage:`kjournalprint(1)`.
.. highlight:: console
pykeymgr – Key management utility
=================================
Synopsis
--------
:program:`pykeymgr.py` [*global-options*] [*command*...] [*arguments*...]
Description
-----------
The :program:`pykeymgr` utility serves for key management in Knot DNS server.
Functions for DNSSEC keys and KASP (Key And Signature Policy)
management are provided.
The DNSSEC and KASP configuration is stored in a so called KASP database.
The databse is backed by LMDB.
Global options
..............
**-f**, **--force**
Skip some of consistency checks and continue with performed action with a warning.
**-h**, **--help**
Print the program help.
Main commands
.............
**-i**, **--import** *KASP_db_dir*
Import the legacy JSON-format KASP database into the current LMDB-backed one.
(You can import multiple databases at once by repeating this option.)
Parameters
..........
*KASP_db_dir*
A path to the KASP db. It is the directory where `data.mdb` and `lock.mdb`
files are usually stored as well as legacy JSON configuration and `keys`
subdirectory containing PEM files.
Examples
--------
1. Import legacy JSON-based KASP db from Knot 2.4.x after upgrade::
$ pykemgr.py -i ${knot_data_dir}/keys
See Also
--------
:rfc:`6781` - DNSSEC Operational Practices.
:manpage:`knot.conf(5)`,
:manpage:`knotc(8)`,
:manpage:`knotd(8)`.
......@@ -36,10 +36,10 @@ server configuration:
3. Import all existing zone keys into the KASP database. Make sure that all
the keys were imported correctly::
$ keymgr zone key import example.com path/to/Kexample.com.+013+11111
$ keymgr zone key import example.com path/to/Kexample.com.+013+22222
$ keymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+11111
$ keymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+22222
$ ...
$ keymgr zone key list example.com
$ keymgr -d path/to/keydir example.com. list
.. NOTE::
The server can be run under a dedicated user account, usually ``knot``.
......@@ -12,6 +12,7 @@ the server. This section collects manual pages for all provided binaries:
man_kdig
man_keymgr
man_pykeymgr
man_khost
man_kjournalprint
man_knot1to2
......@@ -15,7 +15,7 @@ knot.sample.conf: knot.sample.conf.in
$(edit) $${srcdir}$@.in >$@.tmp
mv $@.tmp $@
EXTRA_DIST = knot.sample.conf.in example.com.zone keymgr-completion.sh keymgr-completion.zsh
EXTRA_DIST = knot.sample.conf.in example.com.zone
if HAVE_DAEMON
......@@ -24,19 +24,9 @@ install-data-local: knot.sample.conf
$(INSTALL) -d $(DESTDIR)/$(config_dir); \
$(INSTALL_DATA) knot.sample.conf $(srcdir)/example.com.zone $(DESTDIR)/$(config_dir); \
fi
if HAVE_BASH_COMPLETIONS
if [ \! -f $(DESTDIR)/$(bash_completions_dir)/keymgr ]; then \
$(INSTALL) -d $(DESTDIR)/$(bash_completions_dir); \
$(INSTALL_DATA) $(srcdir)/keymgr-completion.sh $(DESTDIR)/$(bash_completions_dir)/keymgr; \
fi
endif # HAVE_BASH_COMPLETIONS
uninstall-local:
-rm -rf $(DESTDIR)/$(config_dir)/knot.sample.conf \
$(DESTDIR)/$(config_dir)/example.com.zone
if HAVE_BASH_COMPLETIONS
-rm -rf $(DESTDIR)/$(bash_completions_dir)/keymgr
endif # HAVE_BASH_COMPLETIONS
endif # HAVE_DAEMON
# keymgr(1) completion -*- shell-script -*-
_keymgr()
{
local cur prev words cword
_init_completion || return
case $prev in
-V|-version)
return 0
;;
-h|--help)
return 0
;;
-d|--dir)
_filedir -d
return 0;
;;
esac
local count start cmd sub1cmd sub2cmd sub3cmd
if [[ ${words[1]} == -* ]]; then
start=3
else
start=1
fi
cmd=${words[start]}
sub1cmd=${words[$((start + 1))]}
sub2cmd=${words[$((start + 2))]}
sub3cmd=${words[$((start + 3))]}
if [[ -z $cmd ]]; then
case $cur in
-*)
local c="--version --help --dir"
COMPREPLY=( $( compgen -W "$c" -- "$cur" ) )
return 0
;;
esac
fi
count=1 #counts how many levels are we deep; required for user-input strings
case $cmd in
init)
;;
keystore)
case $sub1cmd in
list)
;;
*)
COMPREPLY=(