# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
#
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# Original script contributed by Jeffry A. Spain <spainj@countryday.net>
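# Help text printed by -h (after USAGE). Kept as one literal so it is echoed
# verbatim; do not reflow it.
# NOTE(review): the option line for "-i <date>" (inception date) appears to be
# missing from this extract -- the two lines after "-3" describe that option.
HELP="
Generates a set of <count> successive DNSSEC keys for <zone>
Key timings are based on a pre-publication rollover strategy
<life> (lifetime) is the key active lifetime in days [default 180]
<intro> (introduction time) is the number of days from publication
to activation of a key [default 30]
<ret> (retirement time) is the number of days from inactivation
to deletion of a key [default 30]
Options:
-a <alg> Cryptographic algorithm. See man dnssec-keygen for defaults.
-b <bits> Number of bits in the key. See man dnssec-keygen for defaults.
-k if present, generate Key Signing Keys (KSKs). Otherwise,
generate Zone Signing Keys (ZSKs).
-3 If present and if -a is not specified, use an NSEC3-
capable algorithm. See man dnssec-keygen for defaults.
The first two keys will be published by this date, and the
first one will be activated. Default is today.
-f <index> Index of first key generated. Defaults to 0.
-K <dir> Key repository: write keys to this directory. Defaults to CWD.
-d Dry run. No actual keys generated if present."
# Usage synopsis. ${0##*/} strips the directory part of $0 in the shell
# itself: no fork for basename, and no word-splitting/globbing of an
# unquoted $0 as the old backtick form had.
USAGE="Usage:
${0##*/} [-a <alg>] [-b <bits>] [-k] [-3] [-i <date>]
[-f <index>] [-d] <zone> <count> [<life>] [<intro>] [<ret>]"
# Option fragments that are concatenated into the dnssec-keygen command line.
# Each non-empty value carries its own leading space (e.g. " -3", " -f KSK").
ALGFLAG=''
BITSFLAG=''
KSKFLAG=''
NSEC3FLAG=''
# Directory the key files are written to (-K); empty means "not given" and is
# defaulted to "." later.
KEYREPO=''
# -d: print the commands only; no key files are generated.
DRYRUN=false
# Set when -f <index> is given (see the getopts loop).
# NOTE(review): the name suggests a KSK option but it tracks -f; confirm.
OPTKSK=false
# Zero-based index of the first key to generate; -f overrides it.
K=0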
# Parse command line options
# The option string starts with ':' (silent mode): getopts returns '?' for an
# unknown option and ':' for a missing option argument. Neither has its own
# arm below, so both fall into '*)' and are reported as "Unrecognized option."
while getopts ":a:b:df:hkK:3i:" thisOpt
do
# NOTE(review): the 'case "$thisOpt" in' line is not present in this extract;
# the arms below cannot run without it.
a)
# NOTE(review): arm body missing here -- presumably sets ALGFLAG from OPTARG
# (ALGFLAG is consumed by KEYGENCMD below); confirm against the full script.
;;
b)
# NOTE(review): arm body missing here -- presumably sets BITSFLAG from OPTARG.
;;
d)
# -d: dry run, only the commands are printed (see the DRYRUN branches below).
DRYRUN=true
;;
f)
# -f <index>: index of the first key generated.
# NOTE(review): OPTKSK is set here despite its name; confirm it means
# "-f was given" and not a KSK-related setting.
OPTKSK=true
# K feeds 'expr $K + 1' at the bottom of the loop, which fails on a
# non-numeric operand. Rejecting anything but digits here would give a clear
# error instead: case "$OPTARG" in ''|*[!0-9]*) echo "$USAGE"; exit 1;; esac
K=$OPTARG
;;
h)
echo "$USAGE"
echo "$HELP"
exit 0
;;
k)
# -k: pass "-f KSK" to dnssec-keygen. The leading space is intentional:
# the value is concatenated straight into KEYGENCMD.
KSKFLAG=" -f KSK"
;;
K)
# NOTE(review): arm body missing -- presumably KEYREPO=$OPTARG.
;;
3)
# -3: ask dnssec-keygen for an NSEC3-capable algorithm (leading space as above).
NSEC3FLAG=" -3"
;;
i)
# NOTE(review): arm body missing -- presumably records the inception date
# from which the key timing dates are derived.
;;
*)
echo 'Unrecognized option.'
echo "$USAGE"
exit 1
;;
esac
done
# Check that required arguments are present
# NOTE(review): the 'shift' past the parsed options and the 'if' condition
# that the 'fi' below closes are missing from this extract; USAGE marks
# <zone> and <count> as mandatory, so presumably it tests for fewer than two
# remaining arguments.
echo "$USAGE"
exit 1
fi
# Remaining arguments:
# DNS zone name
ZONE=$1
shift
# Number of keys to be generated
# NOTE(review): COUNT is not validated as a positive integer here; the loop
# bound that uses it is not visible in this extract.
COUNT=$1
shift
# Key active lifetime
# NOTE(review): the assignment of the optional <life> argument (default 180
# per HELP) is missing before this shift; only the shift survived.
[ $# -ne 0 ] && shift
# Key introduction time (publication to activation)
# NOTE(review): likewise the <intro> assignment is missing before this shift.
[ $# -ne 0 ] && shift
# Key retirement time (inactivation to deletion)
# NOTE(review): the <ret> handling is missing from this extract.
# Today's date in dnssec-keygen format (YYYYMMDD)
# NOTE(review): the date computation is missing from this extract.
# Key repository defaults to CWD
if [ -z "$KEYREPO" ]; then
KEYREPO="."
fi
if $DRYRUN; then
echo 'Dry Run (no key files generated)'
elif [ ! -d "$KEYREPO" ]; then
# Create the key repository if it does not currently exist
# NOTE(review): the mkdir is missing here (an empty elif body is a syntax
# error as written). When restored, check its status, e.g.
# mkdir -p -- "$KEYREPO" || exit 1, because the private key files are written
# there; the directory should also not be readable by other users.
fi
# Iterate through the key set. K is the index, zero-based.
# NOTE(review): the 'while' header of this loop (closed by 'done' below) is
# not in this extract; presumably it bounds K using COUNT.
# Epoch of the current key
# (zero for the first key, increments of key lifetime)
# The epoch is in days relative to the inception date of the key set
# Activation date in days is the same as the epoch
# Publication date in days relative to the key epoch
# Inactivation date in days relative to the key epoch
# Deletion date in days relative to the key epoch
# ... these values should not precede the key epoch
# Key timing dates in dnssec-keygen format (YYYYMMDD):
# publication, activation, inactivation, deletion
# NOTE(review): the computations described by the comments above (epoch,
# PDATE, ADATE, IDATE, DDATE) are not present in this extract.
# Construct the dnssec-keygen command including all the specified options.
# Suppress key generation progress information, and save the key in
# the $KEYREPO directory.
# NOTE(review): the command is built as one string, so $ZONE and $KEYREPO are
# word-split and glob-expanded whenever it is executed; a zone or directory
# name containing whitespace or glob characters would be mangled. A bash
# array (e.g. cmd=(dnssec-keygen -q ... -K "$KEYREPO" "$ZONE")) avoids that.
KEYGENCMD="dnssec-keygen -q$ALGFLAG$BITSFLAG$NSEC3FLAG$KSKFLAG -P $PDATE -A $ADATE -I $IDATE -D $DDATE -K $KEYREPO $ZONE"
# KEYLABEL is set in lines not present in this extract.
echo "$KEYLABEL $KEYGENCMD"
# Generate the key and retrieve its name
# NOTE(review): both branch bodies are missing; the non-dry-run branch
# presumably executes $KEYGENCMD and captures the generated key name.
if $DRYRUN; then
else
fi
# Indicate the key status based on key timing dates relative to today
# NOTE(review): the 'if' head and its first branch are missing; only 'else'
# and 'fi' survive in this extract.
else
fi
# For published KSKs, generate the required DS records,
# NOTE(review): this comment is truncated, and the enclosing 'if'
# (presumably a KSK/published check) plus both branch bodies are missing;
# the second 'fi' below closes that outer 'if'.
if $DRYRUN; then
else
fi
fi
# Advance to the next key index. 'expr' forks a process and aborts the
# script's arithmetic on a non-numeric K; the shell builtin form
# K=$((K + 1)) is the usual replacement.
K=`expr $K + 1`
done
exit 0