northox / dnssec-reverb

Automate DNSSEC key rotation for both ZSK KSK

[BUG]: Bind9 in Alpine Linux says `-n` option to `dnssec-dsfromkey` does not exist. #25

Open zenny opened 1 week ago

zenny commented 1 week ago

Hi,

Thanks for posting.

Meanwhile, I tried BIND on Alpine Linux with dnssec-reverb.conf using the following config:

MASTERDIR="/etc/bind/zones/master/"

KEYGEN_CMD="$(which dnssec-keygen)"
SIGNZONE_CMD="$(which dnssec-signzone)"
KEY2DS_CMD="$(which dnssec-dsfromkey)"
CHECKZONE_CMD="$(which named-checkzone)"
CONTROL_CMD="$(which rndc)"
#RELOAD_CMD="(echo -n 'reload is '; $CONTROL_CMD reload) && (echo -n 'notify is '; $CONTROL_CMD notify)"

KSK_PARAM="-n zone -a ECDSAP256SHA256 -f ksk"
ZSK_PARAM="-n zone -a ECDSAP256SHA256 "
SIGN_PARAM="-N increment"
#DS_HASH="2" # 1=SHA1 2=SHA256 3=GOST 4=SHA384
DS_PARAM="-2"

#EXPIRE_DAYS="33"
#ZSK_PARAM_example.net=-a RSASHA1-NSEC3-SHA1

The keys were generated, but I got the following error saying that the -n option to the dnssec-dsfromkey command does not exist, fyi:

# dnssec-reverb keygen example.net
Generating key pair.
Generating key pair.
New keys created
example.net -- https://dnsviz.net/d/example.net/dnssec/
 type state  id    algo hash (expiration)        (digest)
dnssec-dsfromkey: invalid argument -n
Usage:
    dnssec-dsfromkey [options] keyfile

    dnssec-dsfromkey [options] -f zonefile [zonename]

    dnssec-dsfromkey [options] -s dnsname

    dnssec-dsfromkey [-h|-V]

Version: 9.18.27
Options:
    -1: digest algorithm SHA-1
    -2: digest algorithm SHA-256
    -a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)
    -A: include all keys in DS set, not just KSKs (-f only)
    -c class: rdata class for DS set (default IN) (-f or -s only)
    -C: print CDS records
    -f zonefile: read keys from a zone file
    -h: print help information
    -K directory: where to find key or keyset files
    -s: read keys from keyset-<dnsname> file
    -T: TTL of output records (omitted by default)
    -v level: verbosity
    -V: print version information
Output: DS or CDS RRs
 ZSK  active 25997 13    2

Thanks. /zenny
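Editor's note, added example (not dnssec-reverb's own code): the rejected `-n` is presumably passed as a bare flag in the ldns-key2ds sense (print the DS record to stdout), which is an assumption since the report does not show the full command line. The POSIX sh shim below probes the installed tool's own `-h` output and drops any single-letter option it does not document before invoking it, so the DS generation step degrades to a warning instead of failing; the usage text is the one from the report.

```sh
# Usage text printed by BIND 9.18.27 dnssec-dsfromkey, copied from the report
# above and used here as the offline sample input.
DSFROMKEY_USAGE='Options:
    -1: digest algorithm SHA-1
    -2: digest algorithm SHA-256
    -a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)
    -A: include all keys in DS set, not just KSKs (-f only)
    -c class: rdata class for DS set (default IN) (-f or -s only)
    -C: print CDS records
    -f zonefile: read keys from a zone file
    -h: print help information
    -K directory: where to find key or keyset files
    -s: read keys from keyset-<dnsname> file
    -T: TTL of output records (omitted by default)
    -v level: verbosity
    -V: print version information'

# supported_flags USAGE: print the single-letter options the usage text documents,
# one per line (lines of the form "    -X: ..." or "    -X value: ...").
supported_flags() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*-\([A-Za-z0-9]\)[: ].*/\1/p'
}

# filter_flags USAGE ARG...: print ARGs one per line, minus bare single-letter
# options the usage does not list. Assumption: an unsupported option carries no
# value (ldns-key2ds -n means "print to stdout"); anything else, including key
# file names, is passed through untouched.
filter_flags() {
    usage=$1; shift
    known=$(supported_flags "$usage" | tr '\n' ' ')
    for arg in "$@"; do
        case $arg in
            -[A-Za-z0-9])
                case " $known " in
                    *" ${arg#-} "*) printf '%s\n' "$arg" ;;
                    *) printf 'key2ds_compat: dropping unsupported option %s\n' "$arg" >&2 ;;
                esac ;;
            *) printf '%s\n' "$arg" ;;
        esac
    done
}

# key2ds_compat TOOL ARG...: probe TOOL's own -h output and invoke it with only
# the options it documents. Point KEY2DS_CMD at a script calling this function.
key2ds_compat() {
    tool=$1; shift
    # Word splitting is intended: key file names contain no whitespace.
    set -- $(filter_flags "$("$tool" -h 2>&1)" "$@")
    "$tool" "$@"
}
```

With the BIND usage above, `filter_flags "$DSFROMKEY_USAGE" -n -2 Kexample.net.+013+25997` keeps `-2` and the (constructed) key file name and drops `-n` with a warning on stderr.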

zenny commented 4 days ago

@northox bump

northox commented 4 days ago

I use and test dnssec-reverb on OpenBSD with NSD. Seems like you use BIND. Please confirm this is addressed by the latest patch or provide your own patch. I will close this issue in 2w if I have no news.