Explain the format of the trusted-keys file. (gh-20)

MonitoringPlug · Aug 1, 2014 · 893aca6 · 893aca6
1 parent 2f1de92
commit 893aca6
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 0 deletions.
diff --git a/dns/check_dnssec_expiration.c b/dns/check_dnssec_expiration.c
@@ -298,6 +298,9 @@ void print_help (void) {
     printf("      File to read trust-anchors from.\n");
     print_help_warn_time("2 days");
     print_help_crit_time("1 day");
+
+    printf("\n");
+    print_help_ldns_keyfile();
 }
 
 /* vim: set ts=4 sw=4 et syn=c : */
diff --git a/dns/check_dnssec_trace.c b/dns/check_dnssec_trace.c
@@ -356,6 +356,9 @@ void print_help (void) {
     printf("      The name of the domain to trace from. (default: .)\n");
     printf(" -k, --trusted-keys=FILE\n");
     printf("      File to read trust-anchors from.\n");
+
+    printf("\n");
+    print_help_ldns_keyfile();
 }
 
 /* vim: set ts=4 sw=4 et syn=c : */
diff --git a/doc/check_dnssec_expiration.xml b/doc/check_dnssec_expiration.xml
@@ -80,6 +80,11 @@
         <term><option>--trusted-keys=<replaceable>FILE</replaceable></option></term>
         <listitem>
           <para>File to read truste-anchors from.</para>
+          <para>
+            The keyfile should be a Zonefile alike list of Trusted Keys or DS.
+            Create the file with 'dig -t <replaceable>DNSKEY|DS</replaceable> +noall +answer <replaceable>ZONE</replaceable> > file'.
+            Do not forget to verify the DNSKEY/DS record against a trustworthy source.
+          </para>
         </listitem>
       </varlistentry>
       <varlistentry>

diff --git a/doc/check_dnssec_trace.xml b/doc/check_dnssec_trace.xml
@@ -92,6 +92,11 @@
         <term><option>--trusted-keys=<replaceable>FILE</replaceable></option></term>
         <listitem>
           <para>File to read truste-anchors from.</para>
+          <para>
+            The keyfile should be a Zonefile alike list of Trusted Keys or DS.
+            Create the file with 'dig -t <replaceable>DNSKEY|DS</replaceable> +noall +answer <replaceable>ZONE</replaceable> > file'.
+            Do not forget to verify the DNSKEY/DS record against a trustworthy source.
+          </para>
         </listitem>
       </varlistentry>
     </variablelist>

diff --git a/lib/ldns_utils.c b/lib/ldns_utils.c
@@ -366,6 +366,15 @@ void print_help_ldns(void) {
     printf("      Use TCP for DNS queries.\n");
 }
 
+void print_help_ldns_keyfile(void) {
+    printf(
+        "Keyfile Format:\n"
+        " The keyfile should be a Zonefile alike list of Trusted Keys or DS.\n"
+        " Create the file with 'dig -t <DNSKEY|DS> +noall +answer <ZONE> > file'.\n"
+        " Do not forget to verify the DNSKEY/DS record against a trustworthy source.\n"
+    );
+}
+
 void print_revision_ldns(void) {
     printf(" ldns v%s\n", LDNS_VERSION);
 }

diff --git a/lib/ldns_utils.h b/lib/ldns_utils.h
@@ -102,6 +102,11 @@ void getopt_ldns(int c);
  */
 void print_help_ldns(void);
 
+/**
+ * Print the help got the Keyfile format.
+ */
+void print_help_ldns_keyfile(void);
+
 /**
  * Print the ldns revision.
  */