microdnssec, (c) Svenne Krap (svenne@krap.dk), 2010
released under 2-clause BSD-license

Design goals:
- small
- few dependencies (bash, bind, ssh)
- offline (i.e. not having the private keys on the dns servers)

Limitations (by design):
- needs bind and ssh-access set up already
- needs bind set up to include zone.conf (or equivalent) to get managed zones
- no way to handle unsigned zones
- no way to handle dns-information (you must be able to provide zonefiles)
- no secondary dns-server support (but can run as N primaries)

Limitations (to be fixed):
- no welcome banner (or version-info) in scripts
- hardcoded paths (shebangs)
- script for handling ds-handovers not begun

Before use there are multiple things you need to do:
1) have one or more servers running bind (9.6.x) you can ssh into
2) set up this bind to include an autogenerated file (seczone.conf for example)
3) configure microdnssec in conf/settings (start out with a copy of conf/settings.sample)

Workflow - new domains:
- prepare-zone.sh (e.g. prepare-zone example.com dns@example.com)
- edit-zone.sh
- sign-zone.sh
- update-zone-conf.sh

Workflow - resign:
- refresh-signatures.sh

Workflow - key rollover:
- make-{z,k}sk.sh
- sign-all.sh
  > pass DS-record upstream, if needed
- list-keys.sh
  > find the correct key to expire
- retire-key.sh (copy/paste key from list-keys output)
  > wait until all signatures from the old key have expired
- purge-retired-keys.sh
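As an added example (not part of microdnssec), a POSIX shell check for the "wait until all signatures from the old key have expired" step before purge-retired-keys.sh: it scans a signed zonefile in dnssec-signzone output style for RRSIGs made by a given key tag that are still valid at a given time. The function names and the sample zone fragment are assumptions of this example, not the project's.

```shell
#!/bin/sh
# pending_rrsigs ZONEFILE KEYTAG NOW
# Prints how many RRSIGs in ZONEFILE were made by key tag KEYTAG and still
# expire after NOW (YYYYMMDDHHMMSS, same format as the RRSIG expiration
# field; use `date -u +%Y%m%d%H%M%S` for the current time).
pending_rrsigs() {
    awk -v tag="$2" -v now="$3" '
        { sub(/;.*/, "") }                       # strip trailing comments
        # join records that dnssec-signzone wraps in ( ... ) over several lines
        /\(/ && !/\)/ { buf = $0; open = 1; next }
        open { buf = buf " " $0; if ($0 !~ /\)/) next; $0 = buf; open = 0 }
        { gsub(/[()]/, " "); $0 = $0 }           # drop parens, re-split fields
        {
            # after the RRSIG token: type alg labels origttl EXPIRATION inception KEYTAG
            for (i = 1; i <= NF; i++)
                if ($i == "RRSIG") {
                    if ($(i + 7) == tag && $(i + 5) > now) n++
                    break
                }
        }
        END { print n + 0 }
    ' "$1"
}

# Exit 0 only when no live signature from KEYTAG remains, i.e. the key may be purged.
safe_to_purge() { [ "$(pending_rrsigs "$1" "$2" "$3")" -eq 0 ]; }

# Constructed sample zone fragment (not a real zone): key 12345 is current,
# key 54321 is retired and its last signature expires 2010-10-15.
write_sample_zone() {
    cat > "$1" <<'EOF'
example.com. 3600 IN SOA ns1.example.com. dns.example.com. 2010100201 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 (
                    20101101000000 20101002000000 12345 example.com.
                    AbCdEf== )
example.com. 3600 IN RRSIG SOA 8 2 3600 20101015000000 20100915000000 54321 example.com. GhIjKl== ; old key
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 8 3 3600 20101101000000 20101002000000 12345 example.com. MnOpQr==
EOF
}

# Demo: on 2010-10-10 the retired key still has one live signature; on 2010-10-20 it has none.
demo_zone=$(mktemp)
write_sample_zone "$demo_zone"
echo "pending for 54321 on 20101010: $(pending_rrsigs "$demo_zone" 54321 20101010000000)"
safe_to_purge "$demo_zone" 54321 20101020000000 && echo "20101020: safe to purge 54321"
rm -f "$demo_zone"
```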