# Small memento to get things up with BIND 9
#  cd /etc/bind/keys
#  dnssec-keygen -a RSASHA512 -3 -b 2048 -n ZONE -f KSK -L 172800 example.org
#  dnssec-keygen -a RSASHA512 -3 -b 2048 -n ZONE        -L 172800 example.org
# then, add the two INCLUDE in the zone file :
#  $INCLUDE ../keys/Kexample.org.+010+31182.key ; 257 = KSK
#  $INCLUDE ../keys/Kexample.org.+010+61130.key ; 256 = ZSK
# finally, launch the make to generate the db.xxxxx.signed file.

# For NSEC3 records, we need 8 random bytes, which means a 16 hexa string
SALT := $(shell dd if=/dev/random bs=13 count=1 2>/dev/null | hexdump -v -e '"%02x"' | cut -c 1-16 )

# There's no easy way to know if bind has been reloaded
# after the .signed file has been generated so it will
# always reload actually.
reload: db.*.signed
	service bind9 reload
	# Ou nsdc rebuild && nsdc reload pour NSD

# Look up for any db.xxx / db.xxx.signed pair and launch
# the signing if db.xxx.signed is older than db.xxx
# memento :
# - $* = "db.xxx.signed"
# - $^ = "db.xxx"
db.%.signed: db.%
	@echo Signing requires a lot of entropy in /dev/random, do not hesitate to load the machine...
	# 5356800 seconds = two months of validity
	#dnssec-signzone -e +5356800 $^
	dnssec-signzone -e +7776000 -o $* -K ../keys/ -3 $(SALT) $^