#!/bin/sh
# Creates 2x ZSKs and 1x KSK for a zone
# NOTE: the zone should be entered without the trailing dot (i.e. entering it with a trailing dot is wrong)
# Mark Kamichoff <prox@prolixium.com>

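# Abort on the first failing command and on unset variables, so that a
# failed dnssec-keygen can never leave a half-written ${ZONE}.dnssec behind.
set -eu

PATH="/bin:/usr/bin:/sbin:/usr/sbin"

# Key parameters. The defaults reproduce this script's historical choices
# and can be overridden from the environment without editing the file.
# NOTE: NSEC3RSASHA1 (RSA/SHA-1) is listed as NOT RECOMMENDED for signing
# in RFC 8624, and a 1024-bit RSA ZSK is weak by current standards; prefer
# a SHA-256 based algorithm with a >= 2048-bit key (or an ECDSA algorithm)
# for newly created zones.
ALGO="${DNSSEC_ALGO:-NSEC3RSASHA1}"
KSK_BITS="${DNSSEC_KSK_BITS:-2048}"
ZSK_BITS="${DNSSEC_ZSK_BITS:-1024}"
# Randomness source passed via -r; whether recent dnssec-keygen releases
# still honour this flag is not verified here.
RANDOMDEV="${DNSSEC_RANDOMDEV:-/dev/urandom}"

# Print usage to stderr and exit with a non-zero status so callers in
# automation notice the mistake (the original silently returned 0).
usage() {
	echo "Usage: $0 [ZONE]" >&2
	exit 2
}

# gen_key NAME BITS [extra dnssec-keygen flags...]
# Generates a key for $ZONE and records the basename that dnssec-keygen
# prints on stdout (e.g. Kexample.com.+007+12345) in ${ZONE}.NAME.txt.
# Fails the script (set -e) if key generation fails.
gen_key() {
	name="$1"
	bits="$2"
	shift 2
	dnssec-keygen -r "$RANDOMDEV" -a "$ALGO" "$@" -b "$bits" "$ZONE" 1> "${ZONE}.${name}.txt"
}

# append_pubkey NAME
# Appends the public key (.key) file of the key recorded in
# ${ZONE}.NAME.txt to ${ZONE}.dnssec. Refuses to continue if the record
# file is empty, which would otherwise turn into "cat .key".
append_pubkey() {
	keyname=$(cat -- "${ZONE}.$1.txt")
	if [ -z "$keyname" ]; then
		echo "$0: no key name recorded in ${ZONE}.$1.txt" >&2
		exit 1
	fi
	cat -- "${keyname}.key" >> "${ZONE}.dnssec"
}

ZONE="${1:-}"
[ -n "$ZONE" ] || usage

# $ZONE is used to build file names in the current directory: reject a
# trailing dot (see header note), path separators and option-like values.
case "$ZONE" in
	*.)
		echo "$0: ZONE must be given without a trailing dot" >&2
		exit 2
		;;
	*/*|-*)
		echo "$0: invalid ZONE '$ZONE'" >&2
		exit 2
		;;
esac

# Create KSK
gen_key KSK "$KSK_BITS" -f KSK

# Create current ZSK
gen_key ZSK "$ZSK_BITS"

# Create new ZSK
gen_key ZSK.new "$ZSK_BITS"

# Create .dnssec file: truncate once, then append each public key in the
# same order as before (KSK, current ZSK, new ZSK).
: > "${ZONE}.dnssec"
append_pubkey KSK
append_pubkey ZSK
append_pubkey ZSK.new

# Instructions
echo "#"
echo "# Now, you need to do more stuff!"
echo "#"
echo "# 1) Include ${ZONE}.dnssec in ${ZONE}.external."
echo "# 2) Add ${ZONE} to dnssec.txt."
echo "# 3) Update named.conf.local to point to ${ZONE}.external.signed."
echo "# 4) Run dnssec-sign.sh."
echo "# 5) Take the first DS record from dsset-${ZONE}. and send to parent."
echo "#"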

