dns cert support (was: GnuPG 1.4.3 released)

Daniel Hess daniel at rio-grande.ping.de
Fri May 5 23:19:05 CEST 2006


On Tue, Apr 04, 2006 at 05:57:07PM -0400, David Shaw wrote:
> On Tue, Apr 04, 2006 at 08:25:01PM +0200, Peter Palfrader wrote:
> > Also, is there a tool that produces a snippet which is ready for
> > inclusion into a zone file anywhere?  Something similar to ssh-keygen
> > for SSHFP RRs:
> >   weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g
> >   galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2
> >   weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key
> >   galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2
> 
> Good idea.  I just checked one in to the GnuPG SVN.

I've played with it to make it generate output for tinydns (djbdns).

Maybe somebody has use for it, so here is the patch.

One note: you need to run axfrdns for the key records to work.

Daniel
--- make-dns-cert.c.orig	2006-05-05 22:43:19.000000000 +0200
+++ make-dns-cert.c	2006-05-05 22:50:25.000000000 +0200
@@ -32,6 +32,8 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 
+int djbdns = 0;
+
 /* We use TYPE37 instead of CERT since not all nameservers can handle
    CERT yet... */
 
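Review bot: `djbdns` is a file-scope flag that only this translation unit reads, so it should be `static int djbdns = 0;` rather than an external-linkage global. A one-line comment stating what it selects would also help a reader who lands on the printf branches later: `/* Non-zero: emit tinydns data-file lines instead of BIND zone-file lines. */`.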
@@ -66,7 +68,10 @@
     fprintf(stderr,"Warning: key file %s is larger than the default"
 	    " GnuPG max-cert-size\n",keyfile);
 
-  printf("%s\tTYPE37\t\\# %u 0003 0000 00 ",
+  if(djbdns)
+    printf(":%s:37:\\000\\003\\000\\000\\000",name);
+  else
+    printf("%s\tTYPE37\t\\# %u 0003 0000 00 ",
 	 name,(unsigned int)statbuf.st_size+5);
 
   err=1;
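Review bot: The `else` body is a printf call split over two lines with no braces, so a future edit that adds a statement after it silently falls outside the `else`; brace both branches. The two literals `\\000\\003\\000\\000\\000` and `0003 0000 00` encode the same five-byte CERT RDATA prefix, which deserves a shared comment such as `/* CERT header: type 3 (PGP), key tag 0, algorithm 0 */` so the djbdns and BIND forms are not updated independently. cert_key's body continues outside the hunk.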
@@ -83,7 +88,10 @@
 	}
 
       for(i=0;i<err;i++)
-	printf("%02X",buffer[i]);
+	if(djbdns)
+	  printf("\\%03o",buffer[i]);
+	else
+	  printf("%02X",buffer[i]);
     }
 
   printf("\n");
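Review bot: If `buffer` is declared as plain `char` (its declaration is outside this hunk), any byte of 0x80 or above is sign-extended in the variadic call and `\\%03o` prints a value like `\37777777600`, which is not a valid three-digit tinydns octal escape and corrupts the record; the pre-existing `%02X` branch has the same exposure. Passing `(unsigned char)buffer[i]` to both printf calls, or declaring the buffer `unsigned char`, removes the ambiguity. cert_key's body continues outside the hunk.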
@@ -100,6 +108,7 @@
 url_key(const char *name,const char *fpr,const char *url)
 {
   int len=6,fprlen=0;
+  char fprtmp[3] = "\0\0";
 
   if(fpr)
     {
@@ -142,17 +151,37 @@
       return 1;
     }
 
-  printf("%s\tTYPE37\t\\# %d 0006 0000 00 %02X",name,len,fprlen);
+  if(djbdns)
+    printf(":%s:37:\\000\\006\\000\\000\\000\\%03o",name,fprlen);
+  else
+    printf("%s\tTYPE37\t\\# %d 0006 0000 00 %02X",name,len,fprlen);
 
-  if(fpr)
-    printf(" %s",fpr);
+  if(fpr) {
+    if(djbdns) {
+      while(*fpr) {
+	if(*fpr != ' ') {
+	  strncpy(fprtmp,fpr,2);
+	  printf("\\%03lo",strtol(fprtmp,(char **)NULL,16));
+	  fpr+=2;
+	} else {
+	  fpr++;
+	}
+      }
+    } else {
+      printf(" %s",fpr);
+    }
+  }
 
   if(url)
     {
       const char *c;
-      printf(" ");
+      if(!djbdns)
+        printf(" ");
       for(c=url;*c;c++)
-	printf("%02X",*c);
+	if(djbdns)
+	  printf("\\%03o",*c);
+	else
+	  printf("%02X",*c);
     }
 
   printf("\n");
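Review bot: The djbdns fingerprint loop advances `fpr+=2` after `strncpy(fprtmp,fpr,2)` without confirming that two characters remain, so a fingerprint with an odd number of hex digits, or a space between the two digits of a byte (`"A B"`), steps over the terminating NUL and the `while(*fpr)` then reads past the end of the argument. Whether the length check earlier in url_key (outside the visible lines) already rejects such inputs cannot be seen here, and strtol also silently maps a non-hex character to 0 where the BIND branch would have echoed it. The rewrite below checks both digits before advancing; `isxdigit` needs `<ctype.h>`, which is not visible among the includes. Because the record header has already been printed by this point, it would be cleaner still to validate before the `printf` that opens the line, or have the caller discard output on a non-zero return. The URL loop has the same signed-`char` concern as cert_key: pass `(unsigned char)*c` to both `%03o` and `%02X`.
```c
  if(fpr) {
    if(djbdns) {
      const char *p=fpr;
      while(*p) {
        if(*p==' ') {
          p++;
          continue;
        }
        /* Two hex digits are required; checking p[1] before advancing
           keeps us from stepping past the terminating NUL. */
        if(!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) {
          fprintf(stderr,"Error: fingerprint must be whole hex byte pairs\n");
          return 1;
        }
        fprtmp[0]=p[0];
        fprtmp[1]=p[1];
        fprtmp[2]='\0';
        printf("\\%03lo",strtol(fprtmp,(char **)NULL,16));
        p+=2;
      }
    } else {
      printf(" %s",fpr);
    }
  }
  /* … unchanged: URL output … */
```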
@@ -168,13 +197,14 @@
   fprintf(stream,"\t-u\tURL\n");
   fprintf(stream,"\t-k\tkey file\n");
   fprintf(stream,"\t-n\tDNS name\n");
+  fprintf(stream,"\t-d\tGenerate output for djbdns (instead of bind)\n");
 }
 
 int
 main(int argc,char *argv[])
 {
   int arg,err=1;
-  char *fpr=NULL,*url=NULL,*keyfile=NULL,*name=NULL;
+  char *fpr=NULL,*url=NULL,*keyfile=NULL,*name=NULL,*nametmp;
 
   if(argc==1)
     {
@@ -192,7 +222,7 @@
       return 0;
     }
 
-  while((arg=getopt(argc,argv,"hf:u:k:n:"))!=-1)
+  while((arg=getopt(argc,argv,"hf:u:k:n:d"))!=-1)
     switch(arg)
       {
       default:
@@ -215,6 +245,9 @@
       case 'n':
 	name=optarg;
 	break;
+      case 'd':
+	djbdns=1;
+	break;
       }
 
   if(!name)
@@ -230,6 +263,14 @@
       return 1;
     }
 
+  if(djbdns) {
+    nametmp=name;
+    while(*nametmp && *nametmp != '@')
+      nametmp++;
+    if(*nametmp == '@')
+      *nametmp = '.';
+  }
+
   if(keyfile)
     err=cert_key(name,keyfile);
   else
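Review bot: The `@`-to-`.` rewrite runs only when `-d` is given, so the same `-n user@example.com` yields a usable tinydns record but an owner name containing `@` in the BIND output, and the two modes silently diverge; either apply the rewrite in both modes or reject an `@` in BIND mode. The scan loop is `strchr` in disguise: `char *at=strchr(name,'@'); if(at) *at='.';`. Since `:` is the field separator in tinydns data files and the name is emitted unescaped through `%s` in the record lines, a name containing `:` would also corrupt the record; `if(djbdns && strchr(name,':')) { fprintf(stderr,"Error: ':' not allowed in name for djbdns\n"); return 1; }` keeps the data file well-formed. The `if(keyfile) … else` statement continues outside the hunk.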

