Add signzone command.

[ximon18]

Currently depends on domain branch initial-nsec3-generation, which has had multiple branches/PRs merged into it (see NLnetLabs/domain#416)

Supports:

• The basic command line arguments zonefile key [key [key]] and the NSEC3 arguments -n, -a, -t, -s and -p.
• Additional command line arguments -o, -i, d, -e, -f,-u, -A, -U and -v.
• -z and -Z for ZONEMD

Partially supports:

• Command line argument -b (support for Bubble Babble DS comment output is not planned at present).

Lacks but should have support for:

• Support for parsing some record types. These require support to be added to the underlying domain library. See:
  • SSHFP: Add support for SSHFP records in zonefile parsing. domain#451
  • TLSA: Add support for TLSA records in zonefile parsing. domain#452
  • OPENPGPKEY: Add support for OPENPGPKEY records in zonefile parsing. domain#453
  • IPSECKEY: Add support for IPSECKEY records in zonefile parsing. domain#454
  • RFC 3597 unknown record type with zero length data: Don't error with unexpected end of entry for RFC 3597 RDATA of length zero. domain#475

Lacks and do not plan to add support for:

• OpenSSL engine related arguments.
• Bubble Babble DS comment output.

Other:

• Partial signing and re-signing: LDNS has strange behaviour here, so dnst removes DNSSEC records on loading already signed zonefiles.
• Verify that it is expected that the -U option causes a warning from dnssec-verify (it also does so for the original ldns-signzone when using -U so I think this is fine). We should think do we want to support the -U option for dnst signzone?
• Rendering zonefile entries may not exactly match the output of ldns-signzone as the behaviour is determined by the domain crate. (see ldns_rr2buffer_str_fmt() in LDNS). Known differences are:
  • Some RDATA values are cased differently, but all known examples relate to RFCs that say that the text in question is "case-insensitive", so this is a difference but not an error.

Additional related DRAFT PRs:

• Optionally show progress while signing. #35
  • Requires: Report zonefile parsing & signing progress to the caller. domain#448

This PR adds automated tests but has also been tested manually against the original ldns-signzone and dnssec-signzone.

[bal-e]

Good work, @ximon18! We'll have to see whether the argument parsing needs to be changed to separate ldns / dnst, but the code generally looks good.

[ximon18]

dnst-signzone currently allows not specifying a key to sign with. In that case it just copies the original zone over into the .signed file (with no signatures ofc).

That's a bug.

This has been resolved.