]>
git.saurik.com Git - apple/network_cmds.git/blob - unbound/contrib/update-anchor.sh
2 # update-anchor.sh, update a trust anchor.
3 # Copyright 2008, W.C.A. Wijngaards
4 # This file is BSD licensed, see doc/LICENSE.
6 # which validating lookup to use.
11 echo "usage: update-anchor [-r hs] [-b] <zone name> <trust anchor file>"
12 echo " performs an update of trust anchor file"
13 echo " the trust anchor file is overwritten with the latest keys"
14 echo " the trust anchor file should contain only keys for one zone"
15 echo " -b causes keyfile to be made in bind format."
16 echo " without -b the file is made in unbound format."
19 echo " update-anchor [-r hints] [-b] -d directory"
20 echo " update all <zone>.anchor files in the directory."
22 echo " name the files br.anchor se.anchor ..., and include them in"
23 echo " the validating resolver config file."
24 echo " put keys for the root in a file with the name root.anchor."
26 echo "-r root.hints use different root hints. Strict option order."
28 echo "Exit code 0 means anchors updated, 1 no changes, others are errors."
32 if test $# -eq 0; then
38 if test X
"$1" = "X-r"; then
43 if test X
"$1" = "X-b"; then
48 if test $# -ne 2; then
49 echo "arguments wrong."
54 # arguments: <zonename> <keyfile>
57 tmpfile
="/tmp/update-anchor.$$"
61 if test -n "$roothints"; then
62 echo "server: root-hints: '$roothints'" > $tmp3
65 $ubhost -v $rh $filearg "$keyfile" -t DNSKEY
"$zonename" >$tmpfile
66 if test $?
-ne 0; then
68 echo "Error: Could not update zone $zonename anchor file $keyfile"
69 echo "Cause: $ubhost lookup failed"
70 echo " (Is the domain decommissioned? Is connectivity lost?)"
74 # has the lookup been DNSSEC validated?
75 if grep '(secure)$' $tmpfile >/dev
/null
2>&1; then
79 echo "Error: Could not update zone $zonename anchor file $keyfile"
80 echo "Cause: result of lookup was not secure"
81 echo " (keys too far out of date? domain changed ownership? need root hints?)"
85 if test $bindformat = "yes"; then
86 # are there any KSK keys on board?
87 echo 'trusted-keys {' > "$tmp2"
88 if grep ' has DNSKEY record 257' $tmpfile >/dev
/null
2>&1; then
89 # store KSK keys in anchor file
90 grep '(secure)$' $tmpfile | \
91 grep ' has DNSKEY record 257' | \
92 sed -e 's/ (secure)$/";/' | \
93 sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
94 sed -e 's/^\.\././' | sort >> "$tmp2"
96 # store all keys in the anchor file
97 grep '(secure)$' $tmpfile | \
98 sed -e 's/ (secure)$/";/' | \
99 sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
100 sed -e 's/^\.\././' | sort >> "$tmp2"
104 # are there any KSK keys on board?
105 if grep ' has DNSKEY record 257' $tmpfile >/dev
/null
2>&1; then
106 # store KSK keys in anchor file
107 grep '(secure)$' $tmpfile | \
108 grep ' has DNSKEY record 257' | \
109 sed -e 's/ (secure)$//' | \
110 sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
111 sed -e 's/^\.\././' | sort > "$tmp2"
113 # store all keys in the anchor file
114 grep '(secure)$' $tmpfile | \
115 sed -e 's/ (secure)$//' | \
116 sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
117 sed -e 's/^\.\././' | sort > "$tmp2"
119 fi # endif-bindformat
121 # copy over if changed
122 diff $tmp2 $keyfile >/dev
/null
2>&1
123 if test $?
-eq 1; then # 0 means no change, 2 means trouble.
126 echo "$zonename key file $keyfile updated."
128 echo "$zonename key file $keyfile unchanged."
131 rm -f $tmpfile $tmp2 $tmp3
135 if test X
"$1" = "X-d"; then
137 echo "start updating in $2"
138 for x
in $tdir/*.anchor
; do
139 if test `basename "$x"` = "root.anchor"; then
142 zname
=`basename "$x" .anchor`
144 do_update
"$zname" "$x"
146 echo "done updating in $2"
149 if test X
"$1" = "X."; then
152 # strip trailing dot from zone name
153 zname
="`echo $1 | sed -e 's/\.$//'`"
156 do_update
$zname $kfile
projects / apple / network_cmds.git / blob