Merge branch 'main' into add-ldns-like-sign-zone-support

.github/workflows/pkg.yml

@@ -0,0 +1,23 @@
+name: Packaging
+
+on:
+  push:
+    branches:
+      - "main"
+    tags:
+      - v*
+
+  # Triggering on PRs and arbitrary branch pushes is not enabled because most of the time only the CI build should be
+  # triggered, not the packaging build. In cases where you want to test changes to this workflow this trigger enables
+  # you to manually invoke this workflow on an arbitrary branch as needed.
+  workflow_dispatch:
+
+jobs:
+  package:
+    #
+    # Set @vN to the latest released version.
+    # For more information see: https://github.com/NLnetLabs/ploutos/blob/main/README.md
+    #
+    uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v7
+
+    # TODO

Cargo.toml

@@ -1,21 +1,31 @@
 [package]
-name    = "dnst"
+name = "dnst"
 version = "0.1.0"
 edition = "2021"
+default-run = "dnst"
+
+[[bin]]
+name = "ldns"
+path = "src/bin/ldns.rs"
 
 [dependencies]
 bytes  = { version = "1.1", default-features = false }
-clap   = { version = "4", features = ["cargo", "derive"] }
+clap = { version = "4.3.4", features = ["cargo", "derive"] }
 domain = { git = "https://github.com/NLnetLabs/domain", branch = "multiple-key-signing", features = [
+    "bytes",
     "openssl",
     "ring",
     "unstable-sign",
+    "unstable-validate",
     "unstable-validator",
     "unstable-zonetree",
     "zonefile",
 ] }
 lexopt = "0.3.0"
 
 # for implementation of nsec3 hash until domain has it stabilized
-octseq = { version = "0.5.1", features = ["std"] }
+octseq = { version = "0.5.2", features = ["std"] }
 ring = { version = "0.17" }
+
+[dev-dependencies]
+tempfile = "3.14.0"

doc/manual/source/conf.py

@@ -100,7 +100,7 @@
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
@@ -189,8 +189,18 @@
 # (source start file, name, description, authors, manual section).
 man_pages = [
     ('man/dnst', 'dnst', 'DNS Management Tools', author, 1),
-    ('man/dnst-nsec3-hash', 'dnst-nsec3-hash', 'DNS Management Tools', author,
-     1),
+    ('man/dnst-key2ds', 'dnst-key2ds', 'Generate DS RRs from the DNSKEYs in a keyfile', author, 1),
+    ('man/ldns-key2ds', 'ldns-key2ds', 'Generate DS RRs from the DNSKEYs in a keyfile', author, 1),
+    ('man/dnst-keygen', 'dnst-keygen', 'Generate a new key pair for a domain name', author, 1),
+    ('man/ldns-keygen', 'ldns-keygen', 'Generate a new key pair for a domain name', author, 1),
+    ('man/dnst-notify', 'dnst-notify', 'Send a NOTIFY message to a list of name servers', author, 1),
+    ('man/ldns-notify', 'ldns-notify', 'Send a NOTIFY message to a list of name servers', author, 1),
+    ('man/dnst-nsec3-hash', 'dnst-nsec3-hash', 'Print out the NSEC3 hash of a domain name', author, 1),
+    ('man/ldns-nsec3-hash', 'ldns-nsec3-hash', 'Print out the NSEC3 hash of a domain name', author, 1),
+    ('man/dnst-signzone', 'dnst-signzone', 'Sign the zone with the given key(s)', author, 1),
+    ('man/ldns-signzone', 'ldns-signzone', 'Sign the zone with the given key(s)', author, 1),
+    ('man/dnst-update', 'dnst-update', 'Send a dynamic update packet to update an IP (or delete all existing IPs) for a domain name', author, 1),
+    ('man/ldns-update', 'ldns-update', 'Send a dynamic update packet to update an IP (or delete all existing IPs) for a domain name', author, 1),
 ]
 
 

doc/manual/source/index.rst

@@ -1,7 +1,12 @@
 dnst |version|
 ==============
 
-The manual goes here ...
+**dnst** is a DNS administration toolbox. It offers DNS and DNSSEC related
+functions like key generation, zone signing, printing NSEC3 hashed domain
+names, and sending UPDATE or NOTIFY messages to your name servers. More is
+coming soon.
+
+It depends on OpenSSL for its cryptography related functions.
 
 .. toctree::
    :maxdepth: 2
@@ -10,5 +15,22 @@ The manual goes here ...
    :name: toc-reference
 
    man/dnst
+   man/dnst-key2ds
+   man/dnst-keygen
+   man/dnst-notify
    man/dnst-nsec3-hash
+   man/dnst-signzone
+   man/dnst-update
+
+.. toctree::
+   :maxdepth: 2
+   :hidden:
+   :caption: LDNS Tools reference
+   :name: toc-reference-ldns
 
+   man/ldns-key2ds
+   man/ldns-keygen
+   man/ldns-notify
+   man/ldns-nsec3-hash
+   man/ldns-signzone
+   man/ldns-update

doc/manual/source/man/dnst-key2ds.rst

@@ -0,0 +1,45 @@
+dnst key2ds
+===============
+
+Synopsis
+--------
+
+:program:`dnst key2ds` ``[OPTIONS]`` ``<KEYFILE>``
+
+Description
+-----------
+
+**dnst key2ds** generates a DS RR for each DNSKEY in ``<KEYFILE>``.
+
+The following file will be created for each key: ``K<name>+<alg>+<id>.ds``. The
+base name ``K<name>+<alg>+<id>`` will be printed to stdout.
+
+
+Options
+-------
+
+.. option:: -a <NUMBER OR MNEMONIC>, --algorithm <NUMBER OR MNEMONIC>
+
+      Use the given algorithm for the digest. Defaults to the digest algorithm
+      used for the DNSKEY, and if it can't be determined SHA-1.
+
+.. option:: -f, --force
+
+      Overwrite existing ``.ds`` files.
+
+.. option:: --ignore-sep
+
+      Ignore the SEP flag and make DS records for any key.
+
+.. option:: -n
+
+      Write the generated DS records to stdout instead of a file.
+
+.. option:: -h, --help
+
+      Print the help text (short summary with ``-h``, long help with
+      ``--help``).
+
+.. option:: -V, --version
+
+      Print the version.

doc/manual/source/man/dnst-keygen.rst

@@ -0,0 +1,74 @@
+dnst keygen
+===============
+
+Synopsis
+--------
+
+:program:`dnst keygen` ``[OPTIONS]`` ``-a <ALGORITHM>`` ``<DOMAIN NAME>``
+
+Description
+-----------
+
+**dnst keygen** generates a new key pair for a given domain name.
+
+The following files will be created:
+
+- ``K<name>+<alg>+<tag>.key``: The public key file containing a DNSKEY RR in
+  zone file format.
+
+- ``K<name>+<alg>+<tag>.private``: The private key file containing the private
+  key data fields in BIND's *Private-key-format*.
+
+- ``K<name>+<alg>+<tag>.ds``: The public key digest file containing the DS RR
+  in zone file format. It is only created for key signing keys.
+
+| ``<name>`` is the fully-qualified owner name for the key (with a trailing dot).
+| ``<alg>`` is the algorithm number of the key, zero-padded to 3 digits.
+| ``<tag>`` is the 16-bit tag of the key, zero-padded to 5 digits.
+
+Upon completion, ``K<name>+<alg>+<tag>`` will be printed.
+
+Options
+-------
+
+.. option:: -a <NUMBER OR MNEMONIC>
+
+      Use the given signing algorithm.
+
+      Possible values are:
+
+      =================== ========== =========================
+      **Mnemonic**        **Number** **Description**
+      =================== ========== =========================
+      ``list``                       List available algorithms
+      ``RSASHA256``        8         RSA with SHA-256
+      ``ECDSAP256SHA256`` 13         ECDSA P-256 with SHA-256
+      ``ECDSAP384SHA384`` 14         ECDSA P-384 with SHA-384
+      ``ED25519``         15         ED25519
+      ``ED448``           16         ED448
+      =================== ========== =========================
+
+.. option:: -k
+
+      Generate a key signing key (KSK) instead of a zone signing key (ZSK).
+
+.. option:: -b <BITS>
+
+      The length of the key (for RSA keys only). Defaults to 2048.
+
+.. option:: -r <DEVICE>
+
+      The randomness source to use for generation. Defaults to ``/dev/urandom``.
+
+.. option:: -s
+
+      Create symlinks ``.key`` and ``.private`` to the generated keys.
+
+.. option:: -f
+
+      Overwrite existing symlinks (for use with ``-s``).
+
+.. option:: -h, --help
+
+      Print the help text (short summary with ``-h``, long help with
+      ``--help``).

doc/manual/source/man/dnst-notify.rst

@@ -0,0 +1,50 @@
+dnst notify
+===============
+
+Synopsis
+--------
+
+:program:`dnst notify` ``[OPTIONS]`` ``-z <ZONE>`` ``<SERVERS>...``
+
+Description
+-----------
+
+**dnst notify** sends a NOTIFY message to the specified name servers. A name
+server can be specified as a domain name or IP address.
+
+This tells them that an updated zone is available at the primaries. It can
+perform TSIG signatures, and it can add a SOA serial number of the updated
+zone. If a server already has that serial number it will disregard the message.
+
+Options
+-------
+
+.. option:: -z <ZONE>
+
+      The zone to send the NOTIFY for.
+
+.. option:: -s <SOA VERSION>
+
+      SOA version number to include in the NOTIFY message.
+
+.. option:: -y, --tsig <NAME:KEY[:ALGO]>
+
+      A base64 TSIG key and optional algorithm to use for the NOTIFY message.
+      The algorithm defaults to **hmac-sha512**.
+
+.. option:: -p, --port <PORT>
+
+      Destination port to send the UDP packet to. Defaults to 53.
+
+.. option:: -d, --debug
+
+      Print debug information.
+
+.. option:: -r, --retries <RETRIES>
+
+      Max number of retries. Defaults to 15.
+
+.. option:: -h, --help
+
+      Print the help text (short summary with ``-h``, long help with
+      ``--help``).