Tutorial 3: Signing a zone file

The full source code can be found in examples/ldns-signzone.c

Of course, we start by the usual includes. Since we need a bit more here, we'll add those right away.

#include "config.h"
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <ldns/ldns.h>
#include <ldns/keys.h>
#ifdef HAVE_SSL
#include <openssl/conf.h>
#include <openssl/engine.h>
#endif /* HAVE_SSL */
#define MAX_FILENAME_LEN 250

Let's skip the boring usage() and sanity check functions, and dive right into main().

main(int argc, char *argv[])

We'll be reading another zone file, so let's prepare some variables for that.

const char *zonefile_name;
FILE *zonefile = NULL;
int line_nr = 0;
int c;
int argi;

We will create a separate zone structure for the signed zone, so let's have a clear name for the original one.

ldns_zone *orig_zone;
ldns_rr_list *orig_rrs = NULL;
ldns_rr *orig_soa = NULL;
ldns_dnssec_zone *signed_zone;

To sign a zone, we need keys, so we need some variables to read and store it;

char *keyfile_name_base;
char *keyfile_name = NULL;
FILE *keyfile = NULL;
ldns_key *key = NULL;

The ldns_key structure holds (private) keys. These can be of any supported algorithm type; you can put an RSA key in it, an DSA key, or an HMAC key. Public keys can simply be put in an ldns_rr structure with type LDNS_RR_TYPE_DNSKEY.

The ldns_key_list type is much like the ldns_rr_list, only, you guessed it, for ldns_key entries.

The signed zone will be stored in a new file.

char *outputfile_name = NULL;
FILE *outputfile;

And we have some command line options for the output zone.

/* tmp vars for engine keys */
char *eng_key_l;
size_t eng_key_id_len;
char *eng_key_id;
int eng_key_algo;
bool use_nsec3 = false;
int signflags = 0;
/* Add the given keys to the zone if they are not yet present */
bool add_keys = true;
uint8_t nsec3_algorithm = 1;
uint8_t nsec3_flags = 0;
size_t nsec3_iterations_cmd = 1;
uint16_t nsec3_iterations = 1;
uint8_t nsec3_salt_length = 0;
uint8_t *nsec3_salt = NULL;
/* we need to know the origin before reading ksk's,
* so keep an array of filenames until we know it
struct tm tm;
uint32_t inception;
uint32_t expiration;
ldns_rdf *origin = NULL;
uint32_t ttl = LDNS_DEFAULT_TTL;

origin is a domain name, so it can be stored in an ldns_rdf variable with type LDNS_RDF_TYPE_DNAME.

The next part is option parsing, which is pretty straightforward using getopt(), so we'll skip this too. U can always look to the source of the file to check it out.

Okay that's it for the variables, let's get to work!

First we'll try to read in the zone that is to be signed.

zonefile = fopen(zonefile_name, "r");
if (!zonefile) {
"Error: unable to read %s (%s)\n",
} else {

If the file exists and can be read, we'll let ldns mold it into a zone structure:

s = ldns_zone_new_frm_fp_l(&orig_zone,

This creates a new (new) zone from (frm) a filepointer (fp), while remembering the current line (l) in the input file (for error messages).

A pointer to the zone structure to be filled is passed as the first argument, like in most new_frm functions.

Like a lot of ldns functions, this one returns a ldns_status indicating success or the type of failure, so let us check that.

if (s != LDNS_STATUS_OK) {
fprintf(stderr, "Zone not read, error: %s at %s line %d\n",
zonefile_name, line_nr);
} else {

If everything is ok so far, we check if the zone has a SOA record and contains actual data.

orig_soa = ldns_zone_soa(orig_zone);
if (!orig_soa) {
"Error reading zonefile: missing SOA record\n");
orig_rrs = ldns_zone_rrs(orig_zone);
if (!orig_rrs) {
"Error reading zonefile: no resource records\n");

Now that we have the complete zone in our memory, we won't be needing the file anymore.


If there was no origin given, we'll use the one derived from the original zone file.

* dnssec_zone and 'shallow' free the original zone and added
* records, or the other way around

No signing party can be complete without keys to sign with, let's fetch those.

Multiple key files can be specified on the command line, by using the base names of the .key/.private file pairs.

As you can see, we append ".private" to the name, which should result in the complete file name of the private key. Later we'll also form the ".key" file name, which will be directly included in the signed zone.

If the file exists, we'll read it and create a ldns_key from its contents, much like the way we read the zone earlier.

If this went ok, we need to set the inception and expiration times, which are set in the keys, but will eventually end up in the RRSIGs generated by those keys.

And now that we have read the private keys, we read the public keys and add them to the zone.

Reading them from the files works roughly the same as reading private keys, but public keys are normal Resource Records, and they can be stored in general ldns_rr structures.

With push() we add them to our key list and our zone. This function clones the data, so we can safely free it after that.

And if we're done, we free the allocated memory for the file name.

If the reading did not work, we print an error. Finally, we move on to the next key in the argument list.

Just to be sure, we add a little check to see if we actually have any keys now.

So, we have our zone, we have our keys, let's do some signing!

Yes. That's it. We now have a completely signed zone, ldns_zone_sign checks the keys, and uses the zone signing keys to sign the data resource records. NSEC and RRSIG resource records are generated and added to the new zone.

So now that we have a signed zone, all that is left is to store it somewhere.

If no explicit output file name was given, we'll just append ".signed" to the original zone file name.

ldns_zone_sign returns NULL if the signing did not work, so we must check that.

Writing to a file is no different than normal printing, so we'll print to the file and close it.

And of course, give an error if the signing failed.

Just to be nice, let's free the rest of the data we allocated, and exit with the right return value.