Merge branch 'kasp_refactor'

7ce36aa6 · Libor Peltan · 0c82e99f · 9a173fc6 · 7ce36aa6 · 7ce36aa6
Commit 7ce36aa6 authored May 04, 2017 by Libor Peltan
149 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -72,9 +72,9 @@

 # Binaries
 /src/kdig
-/src/keymgr
 /src/khost
 /src/kjournalprint
+/src/keymgr
 /src/knot1to2
 /src/knotc
 /src/knotd

--- a/Knot.files
+++ b/Knot.files
@@ -77,48 +77,16 @@ src/dnssec/lib/dnssec/binary.h
 src/dnssec/lib/dnssec/crypto.h
 src/dnssec/lib/dnssec/dnssec.h
 src/dnssec/lib/dnssec/error.h
-src/dnssec/lib/dnssec/event.h
-src/dnssec/lib/dnssec/kasp.h
 src/dnssec/lib/dnssec/key.h
 src/dnssec/lib/dnssec/keyid.h
-src/dnssec/lib/dnssec/keystate.h
 src/dnssec/lib/dnssec/keystore.h
 src/dnssec/lib/dnssec/keytag.h
-src/dnssec/lib/dnssec/keyusage.h
 src/dnssec/lib/dnssec/list.h
 src/dnssec/lib/dnssec/nsec.h
 src/dnssec/lib/dnssec/random.h
 src/dnssec/lib/dnssec/sign.h
 src/dnssec/lib/dnssec/tsig.h
 src/dnssec/lib/error.c
-src/dnssec/lib/event/action.h
-src/dnssec/lib/event/action/initial_key.c
-src/dnssec/lib/event/action/nsec3_resalt.c
-src/dnssec/lib/event/action/zsk_rollover.c
-src/dnssec/lib/event/event.c
-src/dnssec/lib/event/keystate.c
-src/dnssec/lib/event/utils.c
-src/dnssec/lib/event/utils.h
-src/dnssec/lib/kasp/dir/dir.c
-src/dnssec/lib/kasp/dir/escape.c
-src/dnssec/lib/kasp/dir/escape.h
-src/dnssec/lib/kasp/dir/file.c
-src/dnssec/lib/kasp/dir/file.h
-src/dnssec/lib/kasp/dir/json.c
-src/dnssec/lib/kasp/dir/json.h
-src/dnssec/lib/kasp/dir/keystore.c
-src/dnssec/lib/kasp/dir/keystore.h
-src/dnssec/lib/kasp/dir/policy.c
-src/dnssec/lib/kasp/dir/policy.h
-src/dnssec/lib/kasp/dir/zone.c
-src/dnssec/lib/kasp/dir/zone.h
-src/dnssec/lib/kasp/internal.h
-src/dnssec/lib/kasp/kasp.c
-src/dnssec/lib/kasp/keystore.c
-src/dnssec/lib/kasp/keystore_open.c
-src/dnssec/lib/kasp/policy.c
-src/dnssec/lib/kasp/zone.c
-src/dnssec/lib/kasp/zone.h
 src/dnssec/lib/key/algorithm.c
 src/dnssec/lib/key/algorithm.h
 src/dnssec/lib/key/convert.c
@@ -138,7 +106,6 @@ src/dnssec/lib/keystore/keystore.c
 src/dnssec/lib/keystore/pkcs11.c
 src/dnssec/lib/keystore/pkcs8.c
 src/dnssec/lib/keystore/pkcs8_dir.c
-src/dnssec/lib/keyusage/keyusage.c
 src/dnssec/lib/list/list.c
 src/dnssec/lib/list/ucw_clists.h
 src/dnssec/lib/nsec/bitmap.c
@@ -174,12 +141,6 @@ src/dnssec/shared/timestamp.h
 src/dnssec/shared/wire.h
 src/dnssec/tests/binary.c
 src/dnssec/tests/crypto.c
-src/dnssec/tests/event_keystate.c
-src/dnssec/tests/event_nsec3_resalt.c
-src/dnssec/tests/kasp_dir_escape.c
-src/dnssec/tests/kasp_dir_file.c
-src/dnssec/tests/kasp_policy.c
-src/dnssec/tests/kasp_store.c
 src/dnssec/tests/key.c
 src/dnssec/tests/key_algorithm.c
 src/dnssec/tests/key_ds.c
@@ -188,7 +149,6 @@ src/dnssec/tests/keystore_pkcs11.c
 src/dnssec/tests/keystore_pkcs8.c
 src/dnssec/tests/keystore_pkcs8_dir.c
 src/dnssec/tests/keytag.c
-src/dnssec/tests/keyusage.c
 src/dnssec/tests/list.c
 src/dnssec/tests/nsec_bitmap.c
 src/dnssec/tests/nsec_hash.c
@@ -234,6 +194,17 @@ src/knot/ctl/process.c
 src/knot/ctl/process.h
 src/knot/dnssec/context.c
 src/knot/dnssec/context.h
+src/knot/dnssec/kasp/kasp_db.c
+src/knot/dnssec/kasp/kasp_db.h
+src/knot/dnssec/kasp/kasp_zone.c
+src/knot/dnssec/kasp/kasp_zone.h
+src/knot/dnssec/kasp/keystate.c
+src/knot/dnssec/kasp/keystate.h
+src/knot/dnssec/kasp/keystore.c
+src/knot/dnssec/kasp/keystore.h
+src/knot/dnssec/kasp/policy.h
+src/knot/dnssec/key-events.c
+src/knot/dnssec/key-events.h
 src/knot/dnssec/nsec-chain.c
 src/knot/dnssec/nsec-chain.h
 src/knot/dnssec/nsec3-chain.c
@@ -259,8 +230,10 @@ src/knot/events/handlers/flush.c
 src/knot/events/handlers/freeze_thaw.c
 src/knot/events/handlers/load.c
 src/knot/events/handlers/notify.c
+src/knot/events/handlers/nsec3resalt.c
 src/knot/events/handlers/refresh.c
 src/knot/events/handlers/update.c
+src/knot/events/handlers/zsk_rollover.c
 src/knot/events/log.c
 src/knot/events/log.h
 src/knot/events/replan.c
@@ -484,22 +457,11 @@ src/utils/kdig/kdig_exec.h
 src/utils/kdig/kdig_main.c
 src/utils/kdig/kdig_params.c
 src/utils/kdig/kdig_params.h
-src/utils/keymgr/cmdparse/command.c
-src/utils/keymgr/cmdparse/command.h
-src/utils/keymgr/cmdparse/match.h
-src/utils/keymgr/cmdparse/parameter.c
-src/utils/keymgr/cmdparse/parameter.h
-src/utils/keymgr/cmdparse/value.c
-src/utils/keymgr/cmdparse/value.h
-src/utils/keymgr/keymgr.c
-src/utils/keymgr/legacy/key.c
-src/utils/keymgr/legacy/key.h
-src/utils/keymgr/legacy/privkey.c
-src/utils/keymgr/legacy/privkey.h
-src/utils/keymgr/legacy/pubkey.c
-src/utils/keymgr/legacy/pubkey.h
-src/utils/keymgr/options.c
-src/utils/keymgr/options.h
+src/utils/keymgr/bind_privkey.c
+src/utils/keymgr/bind_privkey.h
+src/utils/keymgr/functions.c
+src/utils/keymgr/functions.h
+src/utils/keymgr/main.c
 src/utils/khost/khost_main.c
 src/utils/khost/khost_params.c
 src/utils/khost/khost_params.h
@@ -598,6 +560,7 @@ tests/test_confio.c
 tests/test_dthreads.c
 tests/test_fdset.c
 tests/test_journal.c
+tests/test_kasp_db.c
 tests/test_node.c
 tests/test_process_query.c
 tests/test_query_module.c

--- a/README
+++ b/README
@@ -7,7 +7,6 @@ Knot DNS has several dependencies:
 * pkg-config
 * liburcu >= 0.5.4
 * gnutls >= 3.0
-* jansson >= 2.3
 * libedit

 Embedded libraries:
@@ -41,7 +40,7 @@ $ sudo apt-get upgrade

 Install prerequisites:
 $ sudo apt-get install \
-  libtool autoconf make pkg-config liburcu-dev libgnutls28-dev libjansson-dev libedit-dev
+  libtool autoconf make pkg-config liburcu-dev libgnutls28-dev libedit-dev

 Install optional packages to override embedded libraries:
 $ sudo apt-get install liblmdb-dev
@@ -59,7 +58,7 @@ Install basic development tools:

 Install prerequisites:
 # dnf install \
-  libtool autoconf pkgconfig automake userspace-rcu-devel gnutls-devel jansson-devel libedit-devel
+  libtool autoconf pkgconfig automake userspace-rcu-devel gnutls-devel libedit-devel

 Install optional packages to override embedded libraries:
 # dnf install lmdb-devel

--- a/configure.ac
+++ b/configure.ac
@@ -125,9 +125,6 @@ PKG_CHECK_MODULES([gnutls], [gnutls >= 3.3 nettle], [
    LIBS=$save_LIBS
 ])

-# JSON for DNSSEC status storage
-PKG_CHECK_MODULES([jansson], [jansson >= 2.3])
-
 AC_ARG_ENABLE([recvmmsg],
   AS_HELP_STRING([--enable-recvmmsg=auto|yes|no], [enable recvmmsg() network API [default=auto]]),
   [], [enable_recvmmsg=auto])
@@ -449,23 +446,6 @@ AS_IF([test "$with_libidn" != "no"],[

 ]) # Knot DNS utilities dependencies

-# Bash completions
-AC_ARG_WITH([bash-completions],
-  AC_HELP_STRING([--with-bash-completions=[DIR]], [Bash completions directory [default=no]]),
-  [with_bash_completions="$withval"],
-  [with_bash_completions=no]
-)
-AS_CASE([$with_bash_completions],
-  [yes], [PKG_CHECK_VAR([bash_completions_dir], [bash-completion], [completionsdir], [], [AC_MSG_ERROR([bash completions not found])])],
-  [no], [bash_completions_dir=],
-  [bash_completions_dir="$with_bash_completions"]
-)
-AM_CONDITIONAL([HAVE_BASH_COMPLETIONS], [test -n "$bash_completions_dir"])
-AS_IF([test -n "$bash_completions_dir"],
-  [bash_completions_output="${bash_completions_dir}"],
-  [bash_completions_output=no]
-)
-
 AC_SEARCH_LIBS([pow], [m])
 AC_SEARCH_LIBS([pthread_create], [pthread], [], [AC_MSG_ERROR([pthreads not found])])
 AC_SEARCH_LIBS([dlopen], [dl])
@@ -544,7 +524,6 @@ result_msg_base="  $PACKAGE $VERSION
    LIBS:     ${LIBS} ${LDFLAGS}
    LibURCU:  ${liburcu_LIBS} ${liburcu_CFLAGS}
    GnuTLS:   ${gnutls_LIBS} ${gnutls_CFLAGS}
-    Jansson:  ${jansson_LIBS} ${jansson_CFLAGS}
    Libedit:  ${libedit_LIBS} ${libedit_CFLAGS}
    LMDB:     ${enable_lmdb} ${lmdb_LIBS} ${lmdb_CFLAGS}

@@ -571,7 +550,6 @@ result_msg_base="  $PACKAGE $VERSION
    Systemd integration: ${enable_systemd}
    Dnstap support:      ${opt_dnstap}
    Code coverage:       ${enable_code_coverage}
-    Bash completions:    ${bash_completions_output}
    PKCS #11 support:    ${enable_pkcs11}"

 result_msg_esc=$(echo -n "$result_msg_base" | sed '$!s/$/\\n/' | tr -d '\n')

--- a/doc/.gitignore
+++ b/doc/.gitignore
 /_build

 # sphinx-build manpages
-/man/kdig.1
+/man/knot.conf.5
+/man/knotc.8
+/man/knotd.8
 /man/keymgr.8
+/man/pykeymgr.8
+/man/kdig.1
 /man/khost.1
 /man/kjournalprint.1
-/man/knot.conf.5
 /man/knot1to2.1
-/man/knotc.8
-/man/knotd.8
 /man/knsec3hash.1
 /man/knsupdate.1
 /man/kzonecheck.1
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
-MANPAGES_IN = man/knot.conf.5in man/knotc.8in man/knotd.8in man/kdig.1in man/khost.1in man/kjournalprint.1in man/knsupdate.1in man/knot1to2.1in man/knsec3hash.1in man/keymgr.8in man/kzonecheck.1in
-MANPAGES_RST = reference.rst man_knotc.rst man_knotd.rst man_kdig.rst man_khost.rst man_kjournalprint.rst man_knsupdate.rst man_knot1to2.rst man_knsec3hash.rst man_keymgr.rst man_kzonecheck.rst
+MANPAGES_IN = \
+	man/knot.conf.5in	\
+	man/knotc.8in		\
+	man/knotd.8in		\
+	man/keymgr.8in		\
+	man/pykeymgr.8in	\
+	man/kdig.1in		\
+	man/khost.1in		\
+	man/kjournalprint.1in	\
+	man/knsupdate.1in	\
+	man/knot1to2.1in	\
+	man/knsec3hash.1in	\
+	man/kzonecheck.1in
+
+MANPAGES_RST = \
+	reference.rst		\
+	man_knotc.rst		\
+	man_knotd.rst		\
+	man_keymgr.rst		\
+	man_pykeymgr.rst	\
+	man_kdig.rst		\
+	man_khost.rst		\
+	man_kjournalprint.rst	\
+	man_knsupdate.rst	\
+	man_knot1to2.rst	\
+	man_knsec3hash.rst	\
+	man_kzonecheck.rst

 EXTRA_DIST = \
-	conf.py		\
+	conf.py			\
 	\
 	configuration.rst	\
 	index.rst		\
@@ -58,24 +83,41 @@ man_SPHINXOPTS = $(_SPHINXOPTS) \
 man_MANS =

 if HAVE_DAEMON
-man_MANS += man/knot.conf.5 man/knotc.8 man/knotd.8
+man_MANS += \
+	man/knot.conf.5		\
+	man/knotc.8		\
+	man/knotd.8		\
+	man/knot1to2.1
 endif # HAVE_DAEMON

 if HAVE_UTILS
-man_MANS += man/kdig.1 man/khost.1 man/kjournalprint.1 man/knsupdate.1 man/knot1to2.1 man/knsec3hash.1 man/keymgr.8 man/kzonecheck.1
+if HAVE_DAEMON
+man_MANS += \
+	man/keymgr.8		\
+	man/pykeymgr.8		\
+	man/kjournalprint.1	\
+	man/kzonecheck.1
+endif # HAVE_DAEMON
+
+man_MANS += \
+	man/kdig.1		\
+	man/khost.1		\
+	man/knsupdate.1		\
+	man/knsec3hash.1
 endif # HAVE_UTILS

-man/knot.conf.5: man/knot.conf.5in
-man/knotc.8: man/knotc.8in
-man/knotd.8: man/knotd.8in
-man/kdig.1: man/kdig.1in
-man/khost.1: man/khost.1in
-man/kjournalprint.1: man/kjournalprint.1in
-man/knsupdate.1: man/knsupdate.1in
-man/knot1to2.1: man/knot1to2.1in
-man/knsec3hash.1: man/knsec3hash.1in
-man/keymgr.8: man/keymgr.8in
-man/kzonecheck.1: man/kzonecheck.1in
+man/knot.conf.5:	man/knot.conf.5in
+man/knotc.8:		man/knotc.8in
+man/knotd.8:		man/knotd.8in
+man/keymgr.8:		man/keymgr.8in
+man/pykeymgr.8:		man/pykeymgr.8in
+man/kdig.1:		man/kdig.1in
+man/khost.1:		man/khost.1in
+man/kjournalprint.1:	man/kjournalprint.1in
+man/knsupdate.1:	man/knsupdate.1in
+man/knot1to2.1:		man/knot1to2.1in
+man/knsec3hash.1:	man/knsec3hash.1in
+man/kzonecheck.1:	man/kzonecheck.1in

 man_SUBST = $(AM_V_GEN)mkdir -p man; sed -e 's,[@]VERSION@,$(VERSION),' -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),' $< > $@


--- a/doc/conf.py
+++ b/doc/conf.py
@@ -218,17 +218,18 @@ latex_domain_indices = False
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    ('reference', 'knot.conf', 'Knot DNS configuration file', author, 5),
-    ('man_kdig', 'kdig', 'Advanced DNS lookup utility', author, 1),
-    ('man_keymgr', 'keymgr', ' DNSSEC key management utility', author, 8),
-    ('man_khost', 'khost', 'Simple DNS lookup utility', author, 1),
-    ('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility', author, 1),
-    ('man_knot1to2', 'knot1to2', 'Knot DNS configuration conversion utility', author, 1),
-    ('man_knotc', 'knotc', 'Knot DNS control utility', author, 8),
-    ('man_knotd', 'knotd', 'Knot DNS server daemon', author, 8),
-    ('man_knsec3hash', 'knsec3hash', "Simple utility to compute NSEC3 hash", author, 1),
-    ('man_knsupdate', 'knsupdate', 'Dynamic DNS update utility', author, 1),
-    ('man_kzonecheck', 'kzonecheck', 'Knot DNS zone check tool', author, 1),
+    ('reference',         'knot.conf',     'Knot DNS configuration file',               author, 5),
+    ('man_knotc',         'knotc',         'Knot DNS control utility',                  author, 8),
+    ('man_knotd',         'knotd',         'Knot DNS server daemon',                    author, 8),
+    ('man_keymgr',        'keymgr',        'Knot DNS key management utility',           author, 8),
+    ('man_pykeymgr',      'pykeymgr',      'Knot DNS key management utility',           author, 8),
+    ('man_kdig',          'kdig',          'Advanced DNS lookup utility',               author, 1),
+    ('man_khost',         'khost',         'Simple DNS lookup utility',                 author, 1),
+    ('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility',            author, 1),
+    ('man_knot1to2',      'knot1to2',      'Knot DNS configuration conversion utility', author, 1),
+    ('man_knsec3hash',    'knsec3hash',    'Simple utility to compute NSEC3 hash',      author, 1),
+    ('man_knsupdate',     'knsupdate',     'Dynamic DNS update utility',                author, 1),
+    ('man_kzonecheck',    'kzonecheck',    'Knot DNS zone check tool',                  author, 1),
 ]

 # If true, show URL addresses after external links.

--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -286,8 +286,8 @@ can operate in two modes:
   parameters must be assigned by the zone operator.

 The DNSSEC signing process maintains some metadata which is stored in the
-:abbr:`KASP (Key And Signature Policy)` database. This database is simply
-a directory in the file-system containing files in the JSON format.
+:abbr:`KASP (Key And Signature Policy)` database. This database is backed
+by LMDB.

 .. WARNING::
  Make sure to set the KASP database permissions correctly. For manual key
@@ -339,7 +339,7 @@ the server logs to see whether everything went well.
 .. WARNING::
  This guide assumes that the zone *myzone.test* was not signed prior to
  enabling the automatic key management. If the zone was already signed, all
-  existing keys must be imported using ``keymgr zone key import`` command
+  existing keys must be imported using ``keymgr import-bind`` command
  before enabling the automatic signing. Also the algorithm in the policy must
  match the algorithm of all imported keys. Otherwise the zone will be resigned
  at all.
@@ -366,8 +366,8 @@ Let's use the Single-Type Signing scheme with two algorithms. Run:

 .. code-block:: console

-  $ keymgr zone key generate myzone.test algorithm RSASHA256 size 1024
-  $ keymgr zone key generate myzone.test algorithm ECDSAP256SHA256 size 256
+  $ keymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024
+  $ keymgr -d path/to/keydir myzone.test. generate algorithm=ECDSAP256SHA256 size=256

 And reload the server. The zone will be signed.

@@ -377,14 +377,14 @@ it yet:

 .. code-block:: console

-  $ keymgr zone key generate myzone.test algorithm RSASHA256 size 1024 active +1d
+  $ keymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024 active=now+1d

 Take the key ID (or key tag) of the old RSA key and disable it the same time
 the new key gets activated:

 .. code-block:: console

-  $ keymgr zone key set myzone.test <old_key_id> retire +1d remove +1d
+  $ keymgr -d path/to/keydir myzone.test. set <old_key_id> retire=now+1d remove=now+1d

 Reload the server again. The new key will be published (i.e. the DNSKEY record
 will be added into the zone). Do not forget to update the DS record in the
@@ -457,17 +457,6 @@ of the limitations will be hopefully removed in the near future.
  - Legacy key export is not implemented.
  - DS record export is not implemented.

-.. _dnssec-keyusage:
-
-DNSSEC keys used by multiple zones 
----------------------------------
-
-Using same key for multiple zones with automatic key management is possible. 
-However, all zones must be listed in keyusage (keys directory) or they will be deleted,
-when they retire in any zone.
-
-If keys are added manually as published, but not active (for next rollover event), they are added automatically.
-
 Performance Tuning
 ==================


--- a/doc/man/keymgr.8in
+++ b/doc/man/keymgr.8in
--- a/doc/man/knotd.8in
+++ b/doc/man/knotd.8in
@@ -63,7 +63,8 @@ Print the program version.
 .UNINDENT
 .SH SEE ALSO
 .sp
-\fBknotc(8)\fP, \fBknot.conf(5)\fP\&.
+\fBknot.conf(5)\fP, \fBknotc(8)\fP, \fBkeymgr(8)\fP,
+\fBkjournalprint(1)\fP\&.
 .SH AUTHOR
 CZ.NIC Labs <http://www.knot-dns.cz>
 .SH COPYRIGHT

--- a/doc/man/pykeymgr.8in
+++ b/doc/man/pykeymgr.8in
+.\" Man page generated from reStructuredText.
+.
+.TH "PYKEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+pykeymgr \- Knot DNS key management utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBpykeymgr.py\fP [\fIglobal\-options\fP] [\fIcommand\fP\&...] [\fIarguments\fP\&...]
+.SH DESCRIPTION
+.sp
+The \fBpykeymgr\fP utility serves for key management in Knot DNS server.
+.sp
+Functions for DNSSEC keys and KASP (Key And Signature Policy)
+management are provided.
+.sp
+The DNSSEC and KASP configuration is stored in a so called KASP database.
+The databse is backed by LMDB.
+.SS Global options
+.INDENT 0.0
+.TP
+\fB\-f\fP, \fB\-\-force\fP
+Skip some of consistency checks and continue with performed action with a warning.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.UNINDENT
+.SS Main commands
+.INDENT 0.0
+.TP
+\fB\-i\fP, \fB\-\-import\fP \fIKASP_db_dir\fP
+Import the legacy JSON\-format KASP database into the current LMDB\-backed one.
+(You can import multiple databases at once by repeating this option.)
+.UNINDENT
+.SS Parameters
+.INDENT 0.0
+.TP
+\fIKASP_db_dir\fP
+A path to the KASP db. It is the directory where \fIdata.mdb\fP and \fIlock.mdb\fP
+files are usually stored as well as legacy JSON configuration and \fIkeys\fP
+subdirectory containing PEM files.
+.UNINDENT
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Import legacy JSON\-based KASP db from Knot 2.4.x after upgrade:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ pykemgr.py \-i ${knot_data_dir}/keys
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 6781\fP \- DNSSEC Operational Practices.
+.sp
+\fBknot.conf(5)\fP,
+\fBknotc(8)\fP,
+\fBknotd(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <http://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2017, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.
--- a/doc/man_keymgr.rst
+++ b/doc/man_keymgr.rst
--- a/doc/man_knotd.rst
+++ b/doc/man_knotd.rst
@@ -41,4 +41,5 @@ Parameters
 See Also
 --------

-:manpage:`knotc(8)`, :manpage:`knot.conf(5)`.
+:manpage:`knot.conf(5)`, :manpage:`knotc(8)`, :manpage:`keymgr(8)`,
+:manpage:`kjournalprint(1)`.
--- a/doc/man_pykeymgr.rst
+++ b/doc/man_pykeymgr.rst
+.. highlight:: console
+
+pykeymgr – Key management utility
+=================================
+
+Synopsis
+--------
+
+:program:`pykeymgr.py` [*global-options*] [*command*...] [*arguments*...]
+
+Description
+-----------
+
+The :program:`pykeymgr` utility serves for key management in Knot DNS server.
+
+Functions for DNSSEC keys and KASP (Key And Signature Policy)
+management are provided.
+
+The DNSSEC and KASP configuration is stored in a so called KASP database.
+The databse is backed by LMDB.
+
+Global options
+..............
+
+**-f**, **--force** 
+  Skip some of consistency checks and continue with performed action with a warning.
+
+**-h**, **--help**
+  Print the program help.
+
+Main commands
+.............
+
+**-i**, **--import** *KASP_db_dir*
+  Import the legacy JSON-format KASP database into the current LMDB-backed one.
+  (You can import multiple databases at once by repeating this option.)
+
+Parameters
+..........
+
+*KASP_db_dir*
+  A path to the KASP db. It is the directory where `data.mdb` and `lock.mdb`
+  files are usually stored as well as legacy JSON configuration and `keys`
+  subdirectory containing PEM files.
+
+Examples
+--------
+
+1. Import legacy JSON-based KASP db from Knot 2.4.x after upgrade::
+
+    $ pykemgr.py -i ${knot_data_dir}/keys
+
+See Also
+--------
+
+:rfc:`6781` - DNSSEC Operational Practices.
+
+:manpage:`knot.conf(5)`,
+:manpage:`knotc(8)`,
+:manpage:`knotd(8)`.
--- a/doc/migration.rst
+++ b/doc/migration.rst
@@ -36,10 +36,10 @@ server configuration:
 3. Import all existing zone keys into the KASP database. Make sure that all
   the keys were imported correctly::

-   $ keymgr zone key import example.com path/to/Kexample.com.+013+11111
-   $ keymgr zone key import example.com path/to/Kexample.com.+013+22222
+   $ keymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+11111
+   $ keymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+22222
   $ ...
-   $ keymgr zone key list example.com
+   $ keymgr -d path/to/keydir example.com. list

   .. NOTE::
      The server can be run under a dedicated user account, usually ``knot``.

--- a/doc/utilities.rst
+++ b/doc/utilities.rst
@@ -12,6 +12,7 @@ the server. This section collects manual pages for all provided binaries:

   man_kdig
   man_keymgr
+   man_pykeymgr
   man_khost
   man_kjournalprint
   man_knot1to2

--- a/samples/Makefile.am
+++ b/samples/Makefile.am
@@ -15,7 +15,7 @@ knot.sample.conf: knot.sample.conf.in
 	  $(edit) $${srcdir}$@.in >$@.tmp
 	mv $@.tmp $@

-EXTRA_DIST = knot.sample.conf.in example.com.zone keymgr-completion.sh keymgr-completion.zsh
+EXTRA_DIST = knot.sample.conf.in example.com.zone

 if HAVE_DAEMON

@@ -24,19 +24,9 @@ install-data-local: knot.sample.conf
 	  $(INSTALL) -d $(DESTDIR)/$(config_dir); \
 	  $(INSTALL_DATA) knot.sample.conf $(srcdir)/example.com.zone $(DESTDIR)/$(config_dir); \
 	fi
-if HAVE_BASH_COMPLETIONS
-	if [ \! -f $(DESTDIR)/$(bash_completions_dir)/keymgr ]; then \
-	  $(INSTALL) -d $(DESTDIR)/$(bash_completions_dir); \
-	  $(INSTALL_DATA) $(srcdir)/keymgr-completion.sh $(DESTDIR)/$(bash_completions_dir)/keymgr; \
-	fi
-endif # HAVE_BASH_COMPLETIONS
-
 uninstall-local:
 	-rm -rf $(DESTDIR)/$(config_dir)/knot.sample.conf \
 	        $(DESTDIR)/$(config_dir)/example.com.zone
-if HAVE_BASH_COMPLETIONS
-	-rm -rf $(DESTDIR)/$(bash_completions_dir)/keymgr
-endif # HAVE_BASH_COMPLETIONS

 endif # HAVE_DAEMON


--- a/samples/keymgr-completion.sh
+++ b/samples/keymgr-completion.sh
-# keymgr(1) completion                                         -*- shell-script -*-
-
-_keymgr() 
-{
-	local cur prev words cword
-	_init_completion || return
-
-
-	case $prev in
-		-V|-version)
-			return 0
-			;;
-		-h|--help)
-			return 0
-			;;
-		-d|--dir)
-			_filedir -d
-			return 0;
-			;;
-	esac
-
-	local count start cmd sub1cmd sub2cmd sub3cmd
-	if [[ ${words[1]} == -* ]]; then
-		start=3
-	else
-		start=1
-	fi
-	cmd=${words[start]}
-	sub1cmd=${words[$((start + 1))]}
-	sub2cmd=${words[$((start + 2))]}
-	sub3cmd=${words[$((start + 3))]}
-
-	if [[ -z $cmd ]]; then
-		case $cur in
-			-*)
-				local c="--version --help --dir"
-				COMPREPLY=( $( compgen -W "$c" -- "$cur" ) )
-				return 0
-				;;
-		esac
-	fi
-
-	count=1      #counts how many levels are we deep; required for user-input strings
-	case $cmd in
-		init)
-			;;
-		keystore)
-			case $sub1cmd in
-				list)
-					;;
-				*)
-					COMPREPLY=(