wtdnssign - WtDNS DNSSEC signing tool
wtdnssign [options] [keys] <names>
The wtdnssign command is used to sign record sets or zones and store generated records in the WtDNS data directory.
wtdnssign determines whether a domain name is a zone or a record set by querying wtdnsd on the control sockets and checking whether the name has any subnames.
Even when signing just a record set, wtdnssign might make additional changes to a zone if it finds that NSEC records must be updated.
In order to use a key, wtdnssign requires that “filename.private”, “filename.key” and “filename.ds” are found.
For keys specified without ‘:’, ‘/’ or ‘\’ in the name, wtdnssign searches the “/etc/wtdns” directory and also checks for the key with a ‘K’ prepended to the name.
If no specified keys are accepted, wtdnssign falls back to keys named the same as the zone (first without, then with a prepended ‘K’) and its parents. If no such keys are found, it falls back to keys named “dnssec” and “Kdnssec”.
A typical set of key files can look like this:
Kexample.net.+003+04739.ds
Kexample.net.+003+04739.key
Kexample.net.+003+04739.private
The “.ds” file contains a DS (delegation signer) record in the standard textual representation.
The “.key” file contains a DNSKEY (DNSSEC public key) record in the standard textual representation.
The “.private” file contains the private key in the format used by BIND's dnssec-keygen, ldns-keygen and others.
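The key search order described above, written out as an added Python illustration (not code from WtDNS itself). It assumes the key directory is a parameter rather than fixed to /etc/wtdns, and that a zone-named fallback matches key files by prefix, since the documented filenames carry a "+alg+tag" suffix after the zone name; the sample key directory it builds holds placeholder files, not real keys.

```python
"""Key lookup order documented above, added as an illustration (not WtDNS code): explicit
names searched in keydir (also with 'K' prepended), else zone-named keys, else "dnssec"."""
import glob
import os
import tempfile

KEY_SUFFIXES = (".private", ".key", ".ds")   # a key is usable only if all three exist

def usable_key(path):
    """Return the key base path if .private, .key and .ds all exist, else None."""
    base = path[:-len(".private")] if path.endswith(".private") else path
    return base if all(os.path.isfile(base + s) for s in KEY_SUFFIXES) else None

def fallback_names(zone):
    """Zone, then each parent, then 'dnssec'; each first without and then with 'K'."""
    labels = zone.rstrip(".").split(".")
    names = [".".join(labels[i:]) + "." for i in range(len(labels))] + ["dnssec"]
    return [n for name in names for n in (name, "K" + name)]

def resolve_keys(zone, keys, keydir="/etc/wtdns"):
    """Usable key base paths in the documented order (keydir is assumed configurable)."""
    if keys:
        # Names without ':', '/' or '\' are searched in keydir, also with 'K' prepended.
        tries = [t for k in keys for t in ([k] if any(c in k for c in ":/\\") else
                 [os.path.join(keydir, k), os.path.join(keydir, "K" + k)])]
        found = [b for b in map(usable_key, tries) if b]
        if found:
            return found
    # No specified key accepted: zone-named keys first (assumed to match by prefix, since
    # the example files carry a "+alg+tag" suffix); "dnssec" only if none of those exist.
    names = fallback_names(zone)
    for group in (names[:-2], names[-2:]):
        found = [b for n in group for b in
                 map(usable_key, sorted(glob.glob(os.path.join(keydir, n + "*.private")))) if b]
        if found:
            return found
    return []

def make_sample_keydir():
    """Constructed key dir: one complete zone key, one lacking .ds, one generic Kdnssec."""
    d = tempfile.mkdtemp()
    for base, suffixes in (("Kexample.net.+003+04739", KEY_SUFFIXES),
                           ("Kexample.net.+003+00001", (".private", ".key")),
                           ("Kdnssec", KEY_SUFFIXES)):
        for s in suffixes:
            with open(os.path.join(d, base + s), "w") as f:
                f.write("placeholder\n")   # placeholder contents, not real key material
    return d
```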
wtdnssign creates two special NSEC records. The reasoning behind these two records is similar to the reasoning in RFC 4470, though they serve a different purpose. Both records are used in order to simplify securing dynamic domains.
The first record is for the host “!”. Since “!” sorts before all names supported by wtdnsd, this record serves as the first record in a zone regardless of which records are created or deleted in the zone, and regardless of what happens in the parent zone. This is not necessarily allowed by DNSSEC, which specifies that an NSEC record should not be created for a name that did not exist before the zone was signed.
The second record is the NSEC record for the last name in the zone. This record always specifies the host “~” as the next name. Since “~” sorts after all names supported by wtdnsd, we know that this record can have no other records after it in the zone, and that “~” cannot actually exist. This means that the zone's last record can be created with no regard for other zones.
This utility is not stable. Do not trust the interface to remain the same.
wtdnssign interprets arguments the following way:
Options: arguments with an initial ‘-’.
Keys: arguments containing one of ‘/\*?’, or arguments ending with “.#+#.private” where ‘#’ are decimal integers.
Names: arguments not matching the above.
The following global options are recognized in the configuration file.
The directory where WtDNS resource records are stored. Default is “/var/lib/wtdns”.
Whether to use the hash part in the domain name paths or not. For small sites, turning off hashing might make things easier for the administrator. Default is to use hashing. Do not use wtdnshash to create directories when this is turned off.
If on, WtDNS will omit the ‘#’ in front of the hash, which makes it compatible with the original SheerDNS software.
The command to use when getting a hash for the host domain directory. Default is “/usr/bin/wtdnshash”.
All resource records are stored in this directory.
The global configuration file.
The key files used to sign zones and record sets.
wtdnssign requires that wtdnsd has been started with the -cs option.
# SEE ALSO
wtdns(8), wtdns.ini(8), wtdnsinfo(8), wtdnsadd(8), wtdnshash(8), wtdns-deepen(8), wtdns-flatten(8), wtdnsd(8), wtdns-fromlog(8), wtdns-maintain(8), dig(1)