Introduce new DNSSEC tool dnssec-ksr

Introduce a new DNSSEC tool, dnssec-ksr, for creating signed key
response (SKR) files, given one or more key signing requests (KSRs).

For now it is just a dummy tool, but the future purpose of this utility
is to pregenerate ZSKs and signed RRsets for DNSKEY, CDNSKEY, and CDS
for a given period that a KSK is to be offline.

.gitignore

@@ -75,6 +75,7 @@ doc/man/dnssec-importkey.8in
 doc/man/dnssec-keyfromlabel.8in
 doc/man/dnssec-keygen.8in
 doc/man/dnssec-keymgr.8in
+doc/man/dnssec-ksr.8in
 doc/man/dnssec-revoke.8in
 doc/man/dnssec-settime.8in
 doc/man/dnssec-signzone.8in

bin/dnssec/.gitignore

@@ -2,6 +2,7 @@ dnssec-cds
 dnssec-dsfromkey
 dnssec-keyfromlabel
 dnssec-keygen
+dnssec-ksr
 dnssec-makekeyset
 dnssec-revoke
 dnssec-settime

bin/dnssec/Makefile.am

@@ -21,6 +21,7 @@ bin_PROGRAMS = \
 	dnssec-importkey	\
 	dnssec-keyfromlabel	\
 	dnssec-keygen		\
+	dnssec-ksr		\
 	dnssec-revoke		\
 	dnssec-settime		\
 	dnssec-signzone		\

bin/dnssec/dnssec-ksr.c

@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdio.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-ksr";
+
+/*
+ * Infrastructure
+ */
+static isc_log_t *lctx = NULL;
+static isc_mem_t *mctx = NULL;
+
+static void
+usage(int ret) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "    %s options [options]\n", program);
+	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
+	fprintf(stderr, "Options:\n"
+			"    -h: print usage and exit\n"
+			"    -v <level>: set verbosity level\n"
+			"    -V: print version information\n");
+	exit(ret);
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch;
+	char *endp;
+
+	isc_mem_create(&mctx);
+
+	isc_commandline_errprint = false;
+
+#define OPTIONS "hv:V"
+	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
+		switch (ch) {
+		case 'h':
+			usage(0);
+			break;
+		case 'V':
+			version(program);
+			break;
+		case 'v':
+			verbose = strtoul(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("-v must be followed by a number");
+			}
+			break;
+		default:
+			usage(1);
+			break;
+		}
+	}
+	argv += isc_commandline_index;
+	argc -= isc_commandline_index;
+
+	if (argc != 0) {
+		usage(1);
+	}
+
+	setup_logging(mctx, &lctx);
+
+	vbprintf(verbose, "KSR: Hello, world.\n");
+
+	exit(0);
+}

bin/dnssec/dnssec-ksr.rst

@@ -0,0 +1,67 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. iscman:: dnssec-ksr
+.. program:: dnssec-ksr
+.. _man_dnssec-ksr:
+
+dnssec-ksr - Create signed key response (SKR) files for offline KSK setups
+--------------------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-ksr [**-h**]` [**-V**] [**-v** level]
+
+Description
+~~~~~~~~~~~
+
+The :program:`dnssec-ksr` command creates signed key responses (SKRs) that can
+be loaded by a DNS authoritative server. An SKR is a RRset of type DNSKEY,
+CDNSKEY, or CDS, with signatures from a key that is typically offline during
+normal operation.
+
+Options
+~~~~~~~
+
+.. option:: -h
+
+   This option prints a short summary of the options and arguments to
+   :program:`dnssec-ksr`.
+
+.. option:: -V
+
+   This option prints version information.
+
+.. option:: -v level
+
+   This option sets the debugging level. Level 1 is intended to be usefully
+   verbose for general users; higher levels are intended for developers.
+
+Exit Status
+~~~~~~~~~~~
+
+The :program:`dnssec-ksr` command exits 0 on success, or non-zero if an error
+occurred.
+
+Examples
+~~~~~~~~
+
+To do.
+
+See Also
+~~~~~~~~
+
+:iscman:`dnssec-keygen(8) <dnssec-keygen>`,
+:iscman:`dnssec-signzone(8) <dnssec-signzone>`,
+BIND 9 Administrator Reference Manual.

bin/tests/system/conf.sh.in

@@ -42,6 +42,7 @@ export IMPORTKEY=$TOP_BUILDDIR/bin/dnssec/dnssec-importkey
 export JOURNALPRINT=$TOP_BUILDDIR/bin/tools/named-journalprint
 export KEYFRLAB=$TOP_BUILDDIR/bin/dnssec/dnssec-keyfromlabel
 export KEYGEN=$TOP_BUILDDIR/bin/dnssec/dnssec-keygen
+export KSR=$TOP_BUILDDIR/bin/dnssec/dnssec-ksr
 export MDIG=$TOP_BUILDDIR/bin/tools/mdig
 export NAMED=$TOP_BUILDDIR/bin/named/named
 export NSEC3HASH=$TOP_BUILDDIR/bin/tools/nsec3hash

doc/arm/manpages.rst

@@ -23,6 +23,7 @@ Manual Pages
 .. include:: ../../bin/dnssec/dnssec-importkey.rst
 .. include:: ../../bin/dnssec/dnssec-keyfromlabel.rst
 .. include:: ../../bin/dnssec/dnssec-keygen.rst
+.. include:: ../../bin/dnssec/dnssec-ksr.rst
 .. include:: ../../bin/dnssec/dnssec-revoke.rst
 .. include:: ../../bin/dnssec/dnssec-settime.rst
 .. include:: ../../bin/dnssec/dnssec-signzone.rst

doc/man/Makefile.am

@@ -11,6 +11,7 @@ MANPAGES_RST =				\
 	dnssec-importkey.rst		\
 	dnssec-keyfromlabel.rst		\
 	dnssec-keygen.rst		\
+	dnssec-ksr.rst			\
 	dnssec-revoke.rst		\
 	dnssec-settime.rst		\
 	dnssec-signzone.rst		\
@@ -51,6 +52,7 @@ MANPAGES_RST =				\
 	../../bin/dnssec/dnssec-importkey.rst \
 	../../bin/dnssec/dnssec-keyfromlabel.rst \
 	../../bin/dnssec/dnssec-keygen.rst \
+	../../bin/dnssec/dnssec-ksr.rst \
 	../../bin/dnssec/dnssec-revoke.rst \
 	../../bin/dnssec/dnssec-settime.rst \
 	../../bin/dnssec/dnssec-signzone.rst \
@@ -87,6 +89,7 @@ man_MANS =				\
 	dnssec-importkey.1		\
 	dnssec-keyfromlabel.1		\
 	dnssec-keygen.1			\
+	dnssec-ksr.1			\
 	dnssec-revoke.1			\
 	dnssec-settime.1		\
 	dnssec-signzone.1		\

doc/man/conf.py

@@ -100,6 +100,13 @@ man_pages = [
         1,
     ),
     ("dnssec-keygen", "dnssec-keygen", "DNSSEC key generation tool", author, 1),
+    (
+        "dnssec-ksr",
+        "dnssec-ksr",
+        "create signed key response (SKR) files for offline KSK setups",
+        author,
+        1,
+    ),
     (
         "dnssec-revoke",
         "dnssec-revoke",

doc/man/dnssec-ksr.rst

@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-ksr.rst