Commit b83e4936 authored by Jan Včelák

Merge 'DNSSEC policy in configuration'

MR !543
parents 657d54a1 d6f20660
......@@ -22,8 +22,9 @@ CONFIG_H = 'src/config.h'
INCLUDES = [
('src/dnssec/shared', ['src/dnssec/lib', 'src/dnssec/lib/dnssec']),
('src/dnssec/lib', ['src/dnssec/shared', 'src/dnssec/lib/dnssec']),
('src/dnssec/utils', ['src/dnssec/shared', 'src/dnssec/lib', 'src']),
('src/dnssec/tests', ['src/dnssec/shared', 'src/dnssec/lib', 'src/dnssec/lib/dnssec', 'libtap']),
('src/utils/keymgr', ['src/dnssec', 'src/dnssec/lib', 'src']),
('src/utils/knsec3hash', ['src/dnssec', 'src/dnssec/lib', 'src']),
('src', ['src/dnssec/lib']),
('tests', ['src', 'src/dnssec/lib', 'libtap']),
]
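Review bot: The two new entries for src/utils/keymgr and src/utils/knsec3hash use 'src/dnssec' as an include root, whereas the remaining dnssec entries list 'src/dnssec/shared' and 'src/dnssec/lib' explicitly; if the moved utilities include the shared headers by a shared/... path this is intended, but a one-line comment above INCLUDES saying so would save the next reader the guess.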
......@@ -454,6 +454,8 @@ src/utils/keymgr/legacy/privkey.c
src/utils/keymgr/legacy/privkey.h
src/utils/keymgr/legacy/pubkey.c
src/utils/keymgr/legacy/pubkey.h
src/utils/keymgr/options.c
src/utils/keymgr/options.h
src/utils/khost/khost_main.c
src/utils/khost/khost_params.c
src/utils/khost/khost_params.h
......@@ -5,7 +5,6 @@ src/dnssec
src/dnssec/lib
src/dnssec/lib/dnssec
src/dnssec/shared
src/dnssec/utils
src/zscanner
tests
tests-fuzz
......@@ -133,7 +133,7 @@ PKG_CHECK_MODULES([gnutls], [gnutls >= 3.0 nettle], [
LIBS="$LIBS $gnutls_LIBS"
AC_CHECK_FUNC([gnutls_pkcs11_copy_pubkey], [enable_pkcs11=yes], [enable_pkcs11=no])
AS_IF([test "$enable_pkcs11" = yes],
[AC_DEFINE([ENABLE_PKCS11], [1], [PKCS 11 support available])])
[AC_DEFINE([ENABLE_PKCS11], [1], [PKCS #11 support available])])
LIBS=$save_LIBS
])
......@@ -597,7 +597,7 @@ AC_MSG_RESULT([
Dnstap support: ${opt_dnstap}
Code coverage: ${enable_code_coverage}
Bash completions: ${bash_completions_output}
PKCS 11 support: ${enable_pkcs11}
PKCS #11 support: ${enable_pkcs11}
Continue with 'make' command
])
......@@ -59,13 +59,62 @@ a name must be unique amongst the other names.
.SS Global options
.INDENT 0.0
.TP
\fB\-\-dir\fP \fIpath\fP
The location of the KASP database to work with. Defaults to current working
directory or \fBKEYMGR_DIR\fP environment variable (if set).
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
Use a textual configuration file to get the KASP database location.
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
Use a binary configuration database directory to get the KASP database location.
.TP
\fB\-d\fP, \fB\-\-dir\fP \fIpath\fP
Use a specified KASP database path to work with.
.TP
\fB\-h\fP, \fB\-\-help\fP
Print the program help.
.TP
\fB\-l\fP, \fB\-\-legacy\fP
Enable legacy mode. Zone, policy, and keystore configuration is stored
in KASP database (not in server configuration).
.TP
\fB\-V\fP, \fB\-\-version\fP
Print the program version.
.UNINDENT
.SS KASP database location
.sp
The location of the KASP database is determined as follows:
.INDENT 0.0
.IP 1. 3
The path specified with \fB\-\-dir\fP\&.
.IP 2. 3
The path read from the server configuration specified with \fB\-\-confdb\fP or
\fB\-\-config\fP\&.
.IP 3. 3
The path read from the server default configuration database.
.IP 4. 3
The path read from the server default configuration file.
.UNINDENT
.sp
In legacy mode, the path is determined as follows:
.INDENT 0.0
.IP 1. 3
The path specified with \fB\-\-dir\fP\&.
.IP 2. 3
The path specified in the \fBKEYMGR_DIR\fP environment variable.
.IP 3. 3
The current working dir.
.UNINDENT
.SS Main commands
.INDENT 0.0
.TP
\fBtsig\fP ...
Operations with TSIG keys.
.TP
\fBzone\fP ...
Operations with zones in the database. A zone holds assigned signing
configuration and signing metadata.
.UNINDENT
.SS Main commands (legacy)
.INDENT 0.0
.TP
\fBinit\fP
Initialize new KASP database or upgrade existing one. The command is
idempotent and therefore it is safe to be run multiple times.
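Review bot: The KASP database location list does not say what keymgr does when none of the four sources yields a path (error out, or fall back to the legacy KEYMGR_DIR / current-directory rule); add that case so the behaviour of a bare keymgr invocation on an unconfigured host is documented. Also, item 3 of the legacy list says "The current working dir."; the removed text spelled it "current working directory", keep the full word.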
......@@ -74,10 +123,6 @@ The command creates a default policy and default key store (both named
\fIdefault\fP). In case of upgrade, existing objects are checked and any missing
attributes are filled in.
.TP
\fBzone\fP ...
Operations with zones in the database. A zone holds assigned signing
configuration and signing metadata.
.TP
\fBpolicy\fP ...
Operations with KASP policies. A policy holds parameters that define the
way how a zone is signed.
......@@ -86,29 +131,23 @@ way how a zone is signed.
Operations with key stores configured for the KASP database. A private key
store holds private key material for zone signing separately from the zone
metadata.
.UNINDENT
.SS tsig commands
.INDENT 0.0
.TP
\fBtsig\fP ...
Operations with TSIG keys.
\fBtsig\fP \fBgenerate\fP \fIname\fP [\fBalgorithm\fP \fIid\fP] [\fBsize\fP \fIbits\fP]
Generate new TSIG key and print it on the standard output. The algorithm
defaults to \fIhmac\-sha256\fP\&. The default key size is determined optimally based
on the selected algorithm.
.sp
The generated key is printed out in the server configuration format to allow
direct inclusion into the server configuration. The first line of the output
contains a comment with the key in the one\-line key format accepted by client
utilities.
.UNINDENT
.SS zone commands
.INDENT 0.0
.TP
\fBzone\fP \fBadd\fP \fIzone\-name\fP [\fBpolicy\fP \fIpolicy\-name\fP]
Add a zone into the database. The policy defaults to \(aqdefault\(aq.
.TP
\fBzone\fP \fBlist\fP [\fIpattern\fP]
List zones in the database matching the \fIpattern\fP as a substring.
.TP
\fBzone\fP \fBremove\fP \fIzone\-name\fP [\fBforce\fP]
Remove a zone from the database. If some keys are currently active, the
\fBforce\fP argument must be specified.
.TP
\fBzone\fP \fBset\fP \fIzone\-name\fP [\fBpolicy\fP \fIpolicy\-name\fP]
Change zone configuration. At the moment, only a policy can be changed.
.TP
\fBzone\fP \fBshow\fP \fIzone\-name\fP
Show zone details.
.TP
\fBzone\fP \fBkey\fP \fBlist\fP \fIzone\-name\fP [\fBfilter\fP]
List key IDs and tags of zone keys.
.TP
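Review bot: "The default key size is determined optimally based on the selected algorithm" in the tsig generate description does not tell the operator what size they get; state the rule the tool actually applies per HMAC algorithm so the printed key can be checked against it. Since the command prints the secret on standard output, the same paragraph should also say that the output is key material and belongs in a protected file rather than in terminal scrollback.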
......@@ -163,7 +202,26 @@ The \fItime\fP accepts YYYYMMDDHHMMSS format, unix timestamp, or offset from the
current time. For the offset, add \fB+\fP or \fB\-\fP prefix and optionally a
suffix \fBmi\fP, \fBh\fP, \fBd\fP, \fBw\fP, \fBmo\fP, or \fBy\fP\&. If no suffix is specified,
the offset is in seconds.
.SS policy commands
.SS zone commands (legacy)
.INDENT 0.0
.TP
\fBzone\fP \fBadd\fP \fIzone\-name\fP [\fBpolicy\fP \fIpolicy\-name\fP]
Add a zone into the database. The policy defaults to \(aqdefault\(aq.
.TP
\fBzone\fP \fBlist\fP [\fIpattern\fP]
List zones in the database matching the \fIpattern\fP as a substring.
.TP
\fBzone\fP \fBremove\fP \fIzone\-name\fP [\fBforce\fP]
Remove a zone from the database. If some keys are currently active, the
\fBforce\fP argument must be specified.
.TP
\fBzone\fP \fBset\fP \fIzone\-name\fP [\fBpolicy\fP \fIpolicy\-name\fP]
Change zone configuration. At the moment, only a policy can be changed.
.TP
\fBzone\fP \fBshow\fP \fIzone\-name\fP
Show zone details.
.UNINDENT
.SS policy commands (legacy)
.INDENT 0.0
.TP
\fBpolicy\fP \fBlist\fP
......@@ -236,7 +294,7 @@ Name of the key store to be used for private key material.
.UNINDENT
.UNINDENT
.UNINDENT
.SS keystore commands
.SS keystore commands (legacy)
.INDENT 0.0
.TP
\fBkeystore\fP \fBlist\fP
......@@ -276,126 +334,36 @@ the later case, the module is looked up in the default modules location.
.UNINDENT
.UNINDENT
.UNINDENT
.SS tsig commands
.INDENT 0.0
.TP
\fBtsig\fP \fBgenerate\fP \fIname\fP [\fBalgorithm\fP \fIid\fP] [\fBsize\fP \fIbits\fP]
Generate new TSIG key and print it on the standard output. The algorithm
defaults to \fIhmac\-sha256\fP\&. The default key size is determined optimally based
on the selected algorithm.
.sp
The generated key is printed out in the server configuration format to allow
direct inclusion into the server configuration. The first line of the output
contains a comment with the key in the one\-line key format accepted by client
utilities.
.UNINDENT
.SH EXAMPLES
.INDENT 0.0
.IP 1. 3
Initialize a new KASP database and add a zone \fIexample.com\fP with the
\fIdefault\fP policy assigned:
Generate two RSA\-SHA\-256 signing keys. The first key will be used as a KSK,
the second one as a ZSK:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr init
$ keymgr policy add default
$ keymgr zone add example.com policy default
$ keymgr zone key generate example.com algorithm rsasha256 size 2048 ksk
$ keymgr zone key generate example.com algorithm rsasha256 size 1024
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
List zones containing \fI\&.com\fP substring:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr zone list .com
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 3. 3
Add a testing policy \fIlab\fP with rapid key rollovers. Apply the policy to an
existing zone:
Import a key in legacy format. The used algorithm must match with the one
configured in the policy:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr policy add lab rrsig\-lifetime 300 rrsig\-refresh 150 \e
zsk\-lifetime 600 delay 10
$ keymgr zone set example.com policy lab
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 4. 3
Add an existing and already secured zone. Let the keys be managed by the
KASP. Make sure to import all used keys. Also the used algorithm must match
with the one configured in the policy:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr zone add example.com policy default
$ keymgr zone key import example.com Kexample.com+010+12345.private
$ keymgr zone key import example.com Kexample.com+010+67890.private
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 5. 3
Disable automatic key management for a secured zone. For this purpose,
create a policy named \(aqmanual\(aq with otherwise default signing parameters:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr policy add manual manual true
$ keymgr zone set example.com policy manual
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 6. 3
Add a zone to be signed with manual key maintenance. Generate one ECDSA
signing key. The Single\-Type Signing scheme will be used:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr policy add manual manual true
$ keymgr zone add example.com policy manual
$ keymgr zone key gen example.com algo 13 size 256
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 7. 3
Add a zone to be signed with manual key maintenance. Generate two
RSA\-SHA\-256 signing keys. The first key will be used as a KSK, the second
one as a ZSK:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr policy add manual manual true
$ keymgr zone add example.com policy manual
$ keymgr zone key generate example.com algorithm rsasha256 size 2048 ksk
$ keymgr zone key generate example.com algorithm rsasha256 size 1024
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 8. 3
.IP 3. 3
Generate a TSIG key named \fIoperator.key\fP:
.INDENT 3.0
.INDENT 3.5
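Review bot: The first example generates the ZSK with size 1024, which is below the 2048-bit rsa* default this same change sets for ksk-size in the policy section and below current recommendations for RSA key length; use 2048 in the example so the manual is not teaching a weak key size.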
......@@ -407,23 +375,6 @@ $ keymgr tsig generate operator.key algorithm hmac\-sha512
.fi
.UNINDENT
.UNINDENT
.IP 9. 3
Add a new key store named \fIhsm\fP and backed by the SoftHSM PKCS #11 module,
then add a new policy named \fIsecure\fP with default parameters using this key
store, and finally add the zone \fIexample.com\fP which will use this policy:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr keystore add hsm backend pkcs11 \e
config "pkcs11:token=knot;pin\-value=1234 libsofthsm2.so"
$ keymgr policy add secure keystore hsm
$ keymgr zone add example.com policy secure
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
......@@ -66,10 +66,10 @@ the following symbols:
| – Choice
.UNINDENT
.sp
There are 8 main sections (\fBserver\fP, \fBkey\fP, \fBacl\fP, \fBcontrol\fP,
\fBremote\fP, \fBtemplate\fP, \fBzone\fP and \fBlog\fP) and module sections with the
\fBmod\-\fP prefix. The most of the sections (excluding \fBserver\fP and
\fBcontrol\fP) are sequences of settings blocks. Each settings block
There are 10 main sections (\fBserver\fP, \fBcontrol\fP, \fBlog\fP, \fBkeystore\fP,
\fBpolicy\fP, \fBkey\fP, \fBacl\fP, \fBremote\fP, \fBtemplate\fP, and \fBzone\fP) and
module sections with the \fBmod\-\fP prefix. Most of the sections (excluding
\fBserver\fP and \fBcontrol\fP) are sequences of settings blocks. Each settings block
begins with a unique identifier, which can be used as a reference from other
sections (such identifier must be defined in advance).
.sp
......@@ -427,6 +427,158 @@ A UNIX socket path where the server listens for control commands.
Maximum time the control socket operations can take. Set 0 for infinity.
.sp
\fIDefault:\fP 5
.SH KEYSTORE SECTION
.sp
DNSSEC keystore configuration.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
keystore:
\- id: STR
backend: pem | pkcs11
config: STR
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A keystore identifier.
.SS backend
.sp
A key storage backend type. A directory with PEM files or a PKCS #11 storage.
.sp
\fIDefault:\fP pem
.SS config
.sp
A backend specific configuration. A directory with PEM files (the path can
be specified as a relative path to \fI\%kasp\-db\fP) or
a configuration string for PKCS #11 storage.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
Example configuration string for PKCS #11:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
"pkcs11:token=knot;pin\-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
\fIDefault:\fP \fI\%kasp\-db\fP/keys
.SH POLICY SECTION
.sp
DNSSEC policy configuration.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
policy:
\- id: STR
keystore: STR
manual: BOOL
algorithm: dsa | rsasha1 | dsa\-nsec3\-sha1 | rsasha1\-nsec3\-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384
ksk\-size: SIZE
zsk\-size: SIZE
dnskey\-ttl: TIME
zsk\-lifetime: TIME
rrsig\-lifetime: TIME
rrsig\-refresh: TIME
nsec3: BOOL
nsec3\-iterations: INT
nsec3\-salt\-length: INT
nsec3\-resalt: TIME
propagation\-delay: TIME
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A policy identifier.
.SS keystore
.sp
A \fI\%reference\fP to a keystore holding private key material
for zones. A special \fIdefault\fP value can be used for the default keystore settings.
.sp
\fIDefault:\fP default
.SS manual
.sp
If enabled, automatic key management is not used.
.sp
\fIDefault:\fP off
.SS algorithm
.sp
An algorithm of signing keys and issued signatures.
.sp
\fIDefault:\fP ecdsap256sha256
.SS ksk\-size
.sp
A length of newly generated KSK keys.
.sp
\fIDefault:\fP 1024 (dsa*), 2048 (rsa*), 256 (ecdsap256*), 384 (ecdsap384*)
.SS zsk\-size
.sp
A length of newly generated ZSK keys.
.sp
\fIDefault:\fP see default for \fI\%ksk\-size\fP
.SS dnskey\-ttl
.sp
A TTL value for DNSKEY records added into zone apex.
.sp
\fIDefault:\fP zone SOA TTL
.SS zsk\-lifetime
.sp
A period between ZSK publication and the next rollover initiation.
.sp
\fIDefault:\fP 30 days
.SS rrsig\-lifetime
.sp
A validity period of newly issued signatures.
.sp
\fIDefault:\fP 14 days
.SS rrsig\-refresh
.sp
A period how long before a signature expiration the signature will be refreshed.
.sp
\fIDefault:\fP 7 days
.SS nsec3
.sp
Specifies if NSEC3 will be used instead of NSEC.
.sp
\fIDefault:\fP off
.SS nsec3\-iterations
.sp
A number of additional times the hashing is performed.
.sp
\fIDefault:\fP 5
.SS nsec3\-salt\-length
.sp
A length of a salt field in octets, which is appended to the original owner
name before hashing.
.sp
\fIDefault:\fP 8
.SS nsec3\-resalt
.sp
A validity period of newly issued salt field.
.sp
\fIDefault:\fP 30 days
.SS propagation\-delay
.sp
An extra delay added for each key rollover step. This value should be high
enough to cover propagation of data from the master server to all slaves.
.sp
\fIDefault:\fP 1 day
.SH REMOTE SECTION
.sp
Definitions of remote servers for outgoing connections (source of a zone
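Review bot: The PKCS #11 example string under the keystore config option embeds the token PIN (pin-value=1234) directly in the server configuration; the option description should say that the configuration file then holds a secret and must be protected like the private keys it unlocks, and the example PIN should be an obvious placeholder. Two smaller points in the policy section: the algorithm list admits dsa, dsa-nsec3-sha1, rsasha1 and rsasha1-nsec3-sha1 without comment, and the description should mark the DSA and SHA-1 based choices as legacy options not recommended for new zones; and the rrsig-refresh text reads awkwardly, suggest "How long before a signature expires it is refreshed."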
......@@ -541,6 +693,7 @@ zone:
ixfr\-from\-differences: BOOL
max\-journal\-size: SIZE
dnssec\-signing: BOOL
dnssec\-policy: STR
kasp\-db: STR
request\-edns\-option: INT:[HEXSTR]
serial\-policy: increment | unixtime
......@@ -715,6 +868,12 @@ Cannot be enabled on a slave zone.
.UNINDENT
.sp
\fIDefault:\fP off
.SS dnssec\-policy
.sp
A \fI\%reference\fP to DNSSEC signing policy. A special \fIdefault\fP
value can be used for the default policy settings.
.sp
\fIRequired\fP
.SS kasp\-db
.sp
A KASP database path. Non absolute path is relative to
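Review bot: dnssec-policy is marked Required, but dnssec-signing directly above defaults to off, so as written every zone would need a policy reference even when signing is disabled; state whether the reference is only required when dnssec-signing is on, or give the option a default (the text already mentions a special default value).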
......@@ -36,13 +36,55 @@ a name must be unique amongst the other names.
Global options
..............
**--dir** *path*
The location of the KASP database to work with. Defaults to current working
directory or ``KEYMGR_DIR`` environment variable (if set).
**-c**, **--config** *file*
Use a textual configuration file to get the KASP database location.
**-C**, **--confdb** *directory*
Use a binary configuration database directory to get the KASP database location.
**-d**, **--dir** *path*
Use a specified KASP database path to work with.
**-h**, **--help**
Print the program help.
**-l**, **--legacy**
Enable legacy mode. Zone, policy, and keystore configuration is stored
in KASP database (not in server configuration).
**-V**, **--version**
Print the program version.
KASP database location
......................
The location of the KASP database is determined as follows:
1. The path specified with **--dir**.
2. The path read from the server configuration specified with **--confdb** or
**--config**.
3. The path read from the server default configuration database.
4. The path read from the server default configuration file.
In legacy mode, the path is determined as follows:
1. The path specified with **--dir**.
2. The path specified in the ``KEYMGR_DIR`` environment variable.
3. The current working dir.
Main commands
.............
**tsig** ...
Operations with TSIG keys.
**zone** ...
Operations with zones in the database. A zone holds assigned signing
configuration and signing metadata.
Main commands (legacy)
......................
**init**
Initialize new KASP database or upgrade existing one. The command is
idempotent and therefore it is safe to be run multiple times.
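Review bot: -c/--config and -C/--confdb both supply a server configuration to read the KASP database path from, but neither the options list nor the location list says which one wins when both are given on one command line, or that they are mutually exclusive; add a sentence.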
......@@ -51,10 +93,6 @@ Main commands
*default*). In case of upgrade, existing objects are checked and any missing
attributes are filled in.
**zone** ...
Operations with zones in the database. A zone holds assigned signing
configuration and signing metadata.
**policy** ...
Operations with KASP policies. A policy holds parameters that define the
way how a zone is signed.
......@@ -64,27 +102,21 @@ Main commands
store holds private key material for zone signing separately from the zone
metadata.
**tsig** ...
Operations with TSIG keys.
zone commands
tsig commands
.............
**zone** **add** *zone-name* [**policy** *policy-name*]
Add a zone into the database. The policy defaults to 'default'.
**zone** **list** [*pattern*]
List zones in the database matching the *pattern* as a substring.
**zone** **remove** *zone-name* [**force**]
Remove a zone from the database. If some keys are currently active, the
**force** argument must be specified.
**tsig** **generate** *name* [**algorithm** *id*] [**size** *bits*]
Generate new TSIG key and print it on the standard output. The algorithm
defaults to *hmac-sha256*. The default key size is determined optimally based
on the selected algorithm.
**zone** **set** *zone-name* [**policy** *policy-name*]
Change zone configuration. At the moment, only a policy can be changed.
The generated key is printed out in the server configuration format to allow
direct inclusion into the server configuration. The first line of the output
contains a comment with the key in the one-line key format accepted by client
utilities.
**zone** **show** *zone-name*
Show zone details.
zone commands
.............
**zone** **key** **list** *zone-name* [**filter**]
List key IDs and tags of zone keys.
......@@ -134,8 +166,27 @@ current time. For the offset, add **+** or **-** prefix and optionally a
suffix **mi**, **h**, **d**, **w**, **mo**, or **y**. If no suffix is specified,
the offset is in seconds.
policy commands
...............
zone commands (legacy)
......................
**zone** **add** *zone-name* [**policy** *policy-name*]
Add a zone into the database. The policy defaults to 'default'.
**zone** **list** [*pattern*]
List zones in the database matching the *pattern* as a substring.
**zone** **remove** *zone-name* [**force**]
Remove a zone from the database. If some keys are currently active, the
**force** argument must be specified.
**zone** **set** *zone-name* [**policy** *policy-name*]
Change zone configuration. At the moment, only a policy can be changed.
**zone** **show** *zone-name*
Show zone details.
policy commands (legacy)
........................
**policy** **list**
List policies in the database.
......@@ -201,8 +252,8 @@ Available *policy-parameter*\ s:
**keystore** *name*
Name of the key store to be used for private key material.
keystore commands
.................
keystore commands (legacy)
..........................
**keystore** **list**
List names of configured key stores.
......@@ -235,82 +286,23 @@ Supported key store backends:
The PKCS #11 module path can be an absolute path or just a module name. In
the later case, the module is looked up in the default modules location.
tsig commands
.............
**tsig** **generate** *name* [**algorithm** *id*] [**size** *bits*]
Generate new TSIG key and print it on the standard output. The algorithm
defaults to *hmac-sha256*. The default key size is determined optimally based
on the selected algorithm.
The generated key is printed out in the server configuration format to allow
direct inclusion into the server configuration. The first line of the output
contains a comment with the key in the one-line key format accepted by client
utilities.
Examples
--------
1. Initialize a new KASP database and add a zone *example.com* with the
*default* policy assigned::
$ keymgr init
$ keymgr policy add default
$ keymgr zone add example.com policy default
2. List zones containing *.com* substring::
$ keymgr zone list .com
3. Add a testing policy *lab* with rapid key rollovers. Apply the policy to an
existing zone::
1. Generate two RSA-SHA-256 signing keys. The first key will be used as a KSK,
the second one as a ZSK::
$ keymgr policy add lab rrsig-lifetime 300 rrsig-refresh 150 \
zsk-lifetime 600 delay 10
$ keymgr zone set example.com policy lab
4. Add an existing and already secured zone. Let the keys be managed by the
KASP. Make sure to import all used keys. Also the used algorithm must match
with the one configured in the policy::
$ keymgr zone add example.com policy default
$ keymgr zone key import example.com Kexample.com+010+12345.private
$ keymgr zone key import example.com Kexample.com+010+67890.private
5. Disable automatic key management for a secured zone. For this purpose,
create a policy named 'manual' with otherwise default signing parameters::
$ keymgr policy add manual manual true
$ keymgr zone set example.com policy manual
6. Add a zone to be signed with manual key maintenance. Generate one ECDSA
signing key. The Single-Type Signing scheme will be used::
$ keymgr policy add manual manual true
$ keymgr zone add example.com policy manual
$ keymgr zone key gen example.com algo 13 size 256
7. Add a zone to be signed with manual key maintenance. Generate two
RSA-SHA-256 signing keys. The first key will be used as a KSK, the second
one as a ZSK::
$ keymgr policy add manual manual true
$ keymgr zone add example.com policy manual
$ keymgr zone key generate example.com algorithm rsasha256 size 2048 ksk
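Review bot: The key file names in the import example (Kexample.com+010+12345.private, Kexample.com+010+67890.private) carry algorithm number 010 (RSASHA512), while the generate example above uses rsasha256 (algorithm 8); since the text stresses that the imported algorithm must match the policy, the two examples should use the same algorithm so a reader following them in sequence does not run into a mismatch.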