From b9afe3d437cf856edfc01ca91f9c56b5c2d4d693 Mon Sep 17 00:00:00 2001
From: Jerry
Date: Mon, 5 Dec 2022 16:08:07 +0800
Subject: [PATCH] refine dnskey handling for root dns anycast
---
 dns/dnssec/10.127.keys | 5 ++++-
 dns/dnssec/fd10.127.keys | 5 ++++-
 dns/dnssec/neo.keys | 5 ++++-
 scripts/dns-generator.py | 6 +++---
 scripts/roa.py | 18 ++++++++++--------
 5 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/dns/dnssec/10.127.keys b/dns/dnssec/10.127.keys
index 16c0233..c5a6847 100644
--- a/dns/dnssec/10.127.keys
+++ b/dns/dnssec/10.127.keys
@@ -1 +1,4 @@
-127.10.in-addr.arpa. 600 IN DNSKEY 257 3 13 QVgt1c+OlL9X9jrnD39njabYFCi2eEYjLI5AvpXT6HWAF1BbAOfNm/56 4OeU03oDcCgQ6zNQMV0FNPvrk53K0w==
+; KSK owner entity/JerryXiao
+127.10.in-addr.arpa. 3600 IN DNSKEY 257 3 13 QVgt1c+OlL9X9jrnD39njabYFCi2eEYjLI5AvpXT6HWAF1BbAOfNm/56 4OeU03oDcCgQ6zNQMV0FNPvrk53K0w==
+; ZSK owner entity/JerryXiao
+127.10.in-addr.arpa. 3600 IN DNSKEY 256 3 13 tmr6/kCoMAtGpwQkLg3ONtQlm5FysG2l4mJcxVrqpb7BClNXVzdfvcJK 3NIu2/N/zUQrlMrW2CeJO4STSgvt+A==
diff --git a/dns/dnssec/fd10.127.keys b/dns/dnssec/fd10.127.keys
index 00f360b..da8b46a 100644
--- a/dns/dnssec/fd10.127.keys
+++ b/dns/dnssec/fd10.127.keys
@@ -1 +1,4 @@
-7.2.1.0.0.1.d.f.ip6.arpa. 600 IN DNSKEY 257 3 13 sI90N0KcwXtpqNDmsagKH/761EzsjSlGyYxx338qRrDlzRwXQPG6bO1m HoTdnKrWBcd1JqYM0/tgDXKep7dJgA==
+; KSK owner entity/JerryXiao
+7.2.1.0.0.1.d.f.ip6.arpa. 3600 IN DNSKEY 257 3 13 sI90N0KcwXtpqNDmsagKH/761EzsjSlGyYxx338qRrDlzRwXQPG6bO1m HoTdnKrWBcd1JqYM0/tgDXKep7dJgA==
+; ZSK owner entity/JerryXiao
+7.2.1.0.0.1.d.f.ip6.arpa. 3600 IN DNSKEY 256 3 13 fu+4con6sb7biVu866tpzq0w6IeFZWTlXSikshue3G26ftLMU0jz5tVV dqOMHP+CpXz9y0kQ6lOHmIlCzi4pAA==
diff --git a/dns/dnssec/neo.keys b/dns/dnssec/neo.keys
index cb447bb..4f93a83 100644
--- a/dns/dnssec/neo.keys
+++ b/dns/dnssec/neo.keys
@@ -1 +1,4 @@
-neo. 600 IN DNSKEY 257 3 13 jDd4k21xTgqOFqtvQkeqdQs/RH5+SU+vFchqnOHk5yaEL6EQDOKNuYJ2 C4ld+tVHf007GgbKX6BC68uMU8iGIg==
+; KSK owner entity/JerryXiao
+neo. 3600 IN DNSKEY 257 3 13 jDd4k21xTgqOFqtvQkeqdQs/RH5+SU+vFchqnOHk5yaEL6EQDOKNuYJ2 C4ld+tVHf007GgbKX6BC68uMU8iGIg==
+; ZSK owner entity/JerryXiao
+neo. 3600 IN DNSKEY 256 3 13 oUcsKJykGOVwz58smxaygPFhm4PZEPKIukPO+HKbEBwGFnIbcamMsXFJ Gp2Wi7T5a0Z61IT/VxWLV4D7UhcAvg==
diff --git a/scripts/dns-generator.py b/scripts/dns-generator.py
index 95e41c9..da201cf 100755
--- a/scripts/dns-generator.py
+++ b/scripts/dns-generator.py
@@ -25,7 +25,7 @@ def iter_rfc2317_entry():
 def main():
- DNSKEYS = {entry['zone']: entry['records'] for entry in export_dnssec_dnskey()}
+ DNSKEYS = {entry['zone']: entry['records'] for entry in export_dnssec_dnskey(include_zsk=True)}
 for zone, zone_file in ZONE_FILE_MAP.items():
 orignal = zone_file.read_text()
 records = [orignal, "; AUTOGENERATED"]
@@ -35,8 +35,8 @@ def main():
 records.extend(gen_reverse_pointers(route, ns, ds, ttl))
 records.append("")
 records.extend(("", "; dnskey"))
- for key_ds in DNSKEYS[zone]:
- records.append(f"@ IN DNSKEY {key_ds['dnskey']}")
+ for dnskey in DNSKEYS[zone]:
+ records.append(f"@ IN DNSKEY {dnskey['dnskey']}")
 records.append("")
 zone_file.write_text("\n".join(records))
diff --git a/scripts/roa.py b/scripts/roa.py
index 3da10a5..eab5c91 100755
--- a/scripts/roa.py
+++ b/scripts/roa.py
@@ -190,7 +190,7 @@ def prehandle_roa(asn_table: dict, args):
 return roa4, roa6
-def export_dnssec_dnskey():
+def export_dnssec_dnskey(include_zsk=False):
 def ds_from_dnskey(zone, flags, protocol, algorithm, *key):
 dnspy_dnskey = DNSKEY(
 "IN",
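Review bot: The DNSKEY lines appended at `records.append(f"@ IN DNSKEY {dnskey['dnskey']}")` carry no TTL, so the 600 to 3600 TTL change made to the three .keys files in this commit never reaches the generated zone; export_dnssec_dnskey only validates that column with `int(_ttl)` and discards it, and the emitted records inherit whatever default TTL the zone file provides. If that is intended, a comment at the loop would spare the next reader the search, e.g. `# TTL intentionally omitted: the record inherits the zone default; the TTL column in *.keys is informational only`. Otherwise the TTL has to be exported alongside the key and written here. main() starts outside the hunk.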
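Review bot: The new `include_zsk` parameter on `def export_dnssec_dnskey(include_zsk=False):` is undocumented, and the name alone does not say that KSKs are returned regardless of it or that a DS value is computed for ZSK entries too. A docstring under the def would cover that: `"""Parse the *.keys files into [{"zone": ..., "records": [...]}]; records always hold KSKs (flags 257) and hold ZSKs (flags 256) only when include_zsk is true."""`. Making it keyword-only, `def export_dnssec_dnskey(*, include_zsk=False):`, keeps the caller in dns-generator.py (`include_zsk=True`) valid while ruling out a stray positional argument. The function body continues outside the hunk.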
@@ -208,7 +208,7 @@ def export_dnssec_dnskey():
 if f.name.endswith(".keys"):
 zonekey = {"zone": "", "records": list()}
 records = f.read_text().split("\n")
- records = [r.split() for r in records if r]
+ records = [r.split() for r in records if r and not r.startswith(';')]
 for zone, _ttl, _in, _dnskey, *dnskey in records:
 int(_ttl)
 assert _in == "IN" and _dnskey == "DNSKEY"
@@ -216,12 +216,14 @@ def export_dnssec_dnskey():
 zonekey["zone"] = zone
 else:
 assert zonekey["zone"] == zone
- zonekey["records"].append(
- {
- "dnskey": " ".join(dnskey),
- "ds": ds_from_dnskey(zone, *dnskey),
- }
- )
+ assert dnskey[0] in ['256', '257']
+ if dnskey[0] == '257' or include_zsk:
+ zonekey["records"].append(
+ {
+ "dnskey": " ".join(dnskey),
+ "ds": ds_from_dnskey(zone, *dnskey),
+ }
+ )
 if zonekey["zone"]:
 dnskeys.append(zonekey)
 return dnskeys
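Review bot: The comment filter `not r.startswith(';')` only recognises a `;` in column 0, so an indented comment line or a trailing `; ...` after a key in the .keys files still reaches `r.split()` and the five-way unpack on the next line fails with an unpacking ValueError instead of a clear message; a whitespace-only line passes `if r` the same way. Zone-file syntax treats `;` anywhere as the start of a comment, and base64 key data cannot contain it, so cutting at the first `;` before tokenising removes the coupling: `records = [t for t in (r.partition(';')[0].split() for r in records) if t]`. The three .keys hunks in this commit put their `; KSK owner` / `; ZSK owner` comments in column 0, so they parse today; this only stops a future edit to those files from breaking the export. The enclosing loop over key files starts outside the hunk.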
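Review bot: `assert dnskey[0] in ['256', '257']` is the only check on the flags field read from the .keys files, and assert statements are removed under `python -O`, in which case an unexpected flags value is silently treated as a non-KSK (dropped, or exported as if it were a ZSK when include_zsk is set) rather than rejected. Input validation should raise: `if dnskey[0] not in ('256', '257'):` followed by `raise ValueError(f"{f.name}: unsupported DNSKEY flags {dnskey[0]} for {zone}")`; note this also rejects a revoked KSK (flags 385 per RFC 5011), which may be intended but is worth a comment. The exported record also loses the distinction once built — a caller passing include_zsk=True receives KSK and ZSK entries that look identical, each with a `ds` computed, so adding `"ksk": dnskey[0] == '257',` to the dict lets it select DS records from KSKs only without re-parsing the dnskey string. The same assert-for-validation pattern exists on the untouched context line `assert _in == "IN" and _dnskey == "DNSKEY"` in the previous hunk.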