NAME

wtdnssign - WtDNS DNSSEC signing tool

SYNOPSIS

wtdnssign [options] [keys] <names>

DESCRIPTION

The wtdnssign command is used to sign record sets or zones and store generated records in the WtDNS data directory.

Names, Zones and Record Sets

wtdnssign determines whether a domain name is a zone or a record set by querying wtdnsd on the control sockets and checking whether the name has any subnames.

Even when signing just a record set, wtdnssign might make additional changes to a zone if it finds that NSEC records must be updated.

Keys

In order to use a key, wtdnssign requires that “filename.private”, “filename.key” and “filename.ds” are found.

For keys specified without ‘:’, ‘/’ or ‘\’ in the name, wtdnssign searches the “/etc/wtdns” directory, and also looks for the key with a ‘K’ prepended to the name.

If none of the specified keys are accepted, wtdnssign falls back to keys named the same as the zone (first without, then with a prepended ‘K’) and its parents. If no such keys are found, it falls back to keys named “dnssec” and “Kdnssec”.

A typical set of key files can look like this:

Kexample.net.+003+04739.ds
Kexample.net.+003+04739.key
Kexample.net.+003+04739.private

.ds

The “.ds” file contains a DS (delegation signer) record in the standard textual representation.

.key

The “.key” file contains a DNSKEY (DNSSEC public key) record in the standard textual representation.

.private

The “.private” file contains the private key in the format used by BIND's dnssec-keygen, ldns-keygen and others.

NSEC

wtdnssign creates two special NSEC records. The reasoning behind these two records is similar to the reasoning in RFC4470, though they serve a different purpose. Both records are used in order to simplify securing dynamic domains.

The first record is for the host “!”. Since “!” is sorted before all names supported by wtdnsd, this record serves as the first record in a zone regardless of what records are created or deleted in the zone, and regardless of what happens in the parent zone. This is not necessarily actually allowed by DNSSEC, which specifies that an NSEC record should not be created for a name that does not exist before the zone is signed.

The second record is the NSEC record for the last name in the zone. This record always specifies the host “~” as the next record. Since “~” is sorted after all names supported by wtdnsd, we know that this record can have no other records after it in this zone, and that it cannot actually exist. This means that the zone's last record can be created with no regard for other zones.
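The following is an added example, not code from wtdnssign or the WtDNS project, showing how the two sentinel records above fit into an NSEC chain and why they make denial of existence independent of neighbouring zones. It treats a zone as a map from zone-relative host names to record types (the apex's own records and RRSIG generation are left out, an assumption made to keep the example small), sorts hosts in DNSSEC canonical order, puts “!” first, points the last record at “~”, and looks up the NSEC record that covers an arbitrary host name. The sample zone and the rendered output format are constructed for the example.

```python
from typing import Dict, List, Tuple

Nsec = Tuple[str, str, List[str]]   # (owner host, next host, type bitmap)

FIRST_HOST = "!"   # sorts before every host name wtdnsd supports
LAST_HOST = "~"    # sorts after every host name wtdnsd supports


def canonical_key(host: str) -> Tuple[bytes, ...]:
    """Sort key for DNSSEC canonical name order (RFC 4034, section 6.1):
    compare label by label starting from the rightmost label, each label
    as a lower-cased byte string. Applied here to zone-relative host names,
    so "ftp.old" is the labels ("old", "ftp")."""
    labels = [l.lower().encode("ascii") for l in host.split(".") if l]
    return tuple(reversed(labels))


def nsec_chain(rrsets: Dict[str, List[str]]) -> List[Nsec]:
    """Build the NSEC chain of one zone from a map of host -> record types.
    Besides the zone's own hosts it emits the two special records described
    above: a first record owned by "!" and a last record whose next name
    is "~". Neither sentinel depends on what the parent zone contains."""
    hosts = sorted(rrsets, key=canonical_key)
    chain: List[Nsec] = []
    prev = FIRST_HOST
    prev_types = ["NSEC", "RRSIG"]   # "!" owns nothing but its NSEC (and its signature)
    for host in hosts:
        chain.append((prev, host, prev_types))
        prev = host
        prev_types = sorted(set(rrsets[host]) | {"NSEC", "RRSIG"})
    chain.append((prev, LAST_HOST, prev_types))
    return chain


def covering_nsec(chain: List[Nsec], host: str) -> Nsec:
    """Return the NSEC record that proves `host` does not exist (or the record
    owned by `host` itself when it does). Because the chain starts at "!" and
    ends at "~", every supported host name falls inside some interval."""
    k = canonical_key(host)
    for owner, nxt, types in chain:
        if canonical_key(owner) <= k < canonical_key(nxt):
            return (owner, nxt, types)
    raise ValueError("host sorts outside the chain; not a valid wtdnsd host: %r" % host)


def format_chain(zone: str, chain: List[Nsec], ttl: int = 3600) -> List[str]:
    """Render the chain in zone-file syntax (constructed presentation)."""
    return ["%s.%s. %d IN NSEC %s.%s. %s" % (o, zone, ttl, n, zone, " ".join(t))
            for o, n, t in chain]


# Constructed sample zone: host names relative to example.net and their types.
SAMPLE = {
    "www": ["A", "AAAA"],
    "mail": ["A", "MX"],
    "ftp.old": ["CNAME"],
    "alpha": ["A"],
}

if __name__ == "__main__":
    chain = nsec_chain(SAMPLE)
    for line in format_chain("example.net", chain):
        print(line)
    # Which record denies the existence of a name that was never added?
    print(covering_nsec(chain, "nonexistent"))
```

Run stand-alone it prints the five NSEC records (“!” first, “~” as the final next name) and the record that covers the query for the unknown host; adding or deleting hosts only changes the records adjacent to the change, never the two ends of the chain, which is the property the text relies on.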

OPTIONS

This utility is not stable. Do not trust the interface to remain the same.

wtdnssign interprets arguments the following way:

Options

Arguments with an initial ’-’.

Keys

Arguments containing one of the characters ‘/’, ‘\’, ‘*’ or ‘?’, and arguments ending with “.#+#.private” where each ‘#’ is a decimal integer.

Domain names

Arguments not matching the above.
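The following is an added example, not code from wtdnssign itself, covering both the argument classification rules above and the key lookup rules from the Keys section: options, keys and domain names are separated as described; a key name without ‘:’, ‘/’ or ‘\’ is looked up in /etc/wtdns, plain and with ‘K’ prepended; a key is accepted only when its “.private”, “.key” and “.ds” files are all present; and when no specified key is accepted the zone, its parents (plain and with ‘K’), then “dnssec” and “Kdnssec” are tried. Assumptions made here and not stated on the page: the directory listing is an in-memory set rather than the real file system; a bare key name may also match dnssec-keygen style files carrying a “+alg+tag” suffix (so that “example.net.” finds “Kexample.net.+003+04739.*”); a key argument given with its “.private” suffix is stripped to its stem; and the “.#+#.private” pattern is read so that it also matches the sample file name, whose first integer carries a ‘+’.

```python
import re
from typing import Iterable, List, Optional, Tuple

KEY_DIR = "/etc/wtdns"
PATH_CHARS = set(":/\\")         # key names containing one of these are taken as paths (Keys)
KEY_ARG_CHARS = set("/\\*?")     # arguments containing one of these are keys (OPTIONS)
# ".#+#.private" from OPTIONS; the optional '+' before the first integer is an
# assumption so the sample file "Kexample.net.+003+04739.private" matches too.
KEY_ARG_RE = re.compile(r"\.\+?\d+\+\d+\.private$")
REQUIRED_EXTS = (".private", ".key", ".ds")


def classify_args(args: Iterable[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split an argument list into (options, keys, domain names) per OPTIONS."""
    options, keys, names = [], [], []
    for a in args:
        if a.startswith("-"):
            options.append(a)
        elif KEY_ARG_CHARS & set(a) or KEY_ARG_RE.search(a):
            keys.append(a)
        else:
            names.append(a)
    return options, keys, names


def fallback_key_names(zone: str) -> List[str]:
    """Key names tried when no specified key is accepted: the zone and each of
    its parents, each first without and then with a leading 'K', then the
    generic "dnssec" and "Kdnssec" keys."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    out: List[str] = []
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."   # trailing dot as in the sample file names
        out += [name, "K" + name]
    out += ["dnssec", "Kdnssec"]
    return out


def find_key(spec: str, listing: Iterable[str]) -> Optional[str]:
    """Return the key stem (path without extension) for `spec`, or None when
    the ".private", ".key" and ".ds" files are not all present (assumption:
    `listing` stands in for the file system). A bare name is searched in
    KEY_DIR, plain and with 'K' prepended, optionally with a "+alg+tag"
    suffix between the name and the extension."""
    files = set(listing)
    if spec.endswith(".private"):            # assumption: accept the file name itself
        spec = spec[: -len(".private")]
    if PATH_CHARS & set(spec):
        bases = [spec]
    else:
        bases = [f"{KEY_DIR}/{spec}", f"{KEY_DIR}/K{spec}"]
    for base in bases:
        pat = re.compile(re.escape(base) + r"(\+\d+\+\d+)?\.private$")
        for f in sorted(files):
            if pat.fullmatch(f):
                stem = f[: -len(".private")]
                if all(stem + ext in files for ext in REQUIRED_EXTS):
                    return stem
    return None


def choose_key(keys: List[str], zone: str, listing: Iterable[str]) -> Optional[str]:
    """Try the specified keys in order, then the fallback names for `zone`."""
    for spec in list(keys) + fallback_key_names(zone):
        stem = find_key(spec, listing)
        if stem:
            return stem
    return None


# Constructed directory listing: one complete key set and one incomplete one.
LISTING = {
    "/etc/wtdns/Kexample.net.+003+04739.ds",
    "/etc/wtdns/Kexample.net.+003+04739.key",
    "/etc/wtdns/Kexample.net.+003+04739.private",
    "/etc/wtdns/Kdnssec.private",    # no matching .ds and .key: must be rejected
}

if __name__ == "__main__":
    opts, keys, names = classify_args(["-v", "www.example.net", "/srv/keys/Kfoo"])
    print(opts, keys, names)
    print(choose_key(keys, names[0] + ".", LISTING))   # path key missing -> zone fallback
    print(choose_key([], "other.org.", LISTING))         # only incomplete Kdnssec -> None
```

The incomplete “Kdnssec” entry in the listing shows the check that matters operationally: a key directory that has lost its “.ds” or “.key” file is silently skipped rather than used, so a signing run that unexpectedly picks a parent's or the generic key is worth noticing.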

CONFIGURATION

The following global options are recognized in the configuration file.

datadir = directory

The directory where WtDNS resource records are stored. Default is “/var/lib/wtdns”.

hashing = yes/no

Whether to use the hash part in the domain name paths or not. For small sites turning off hashing might make things easier for the administrator. Default is to use hashing. Do not use wtdnshash to create directories when this is turned off.

oldhash = yes/no

If on, WtDNS omits the ‘#’ in front of the hash, which makes it compatible with the original SheerDNS software.

hasher = command

The command to use when getting a hash for the host domain directory. Default is “/usr/bin/wtdnshash”.

FILES

/var/lib/wtdns

All resource records are stored in this directory.

/etc/wtdns/wtdns.ini

The global configuration file.

/etc/wtdns/*.ds, /etc/wtdns/*.key, /etc/wtdns/*.private

The key files used to sign zones and record sets.

NOTES

wtdnssign requires that wtdnsd has been started with the -cs option.

SEE ALSO

wtdns(8), wtdns.ini(8), wtdnsinfo(8), wtdnsadd(8), wtdnshash(8), wtdns-deepen(8), wtdns-flatten(8), wtdnsd(8), wtdns-fromlog(8), wtdns-maintain(8), dig(1)