#!/usr/bin/perl

use strict;
use warnings;

use Net::DNS;
use Net::DNS::SEC;
use Net::DNS::SEC::Tools::QWPrimitives;
use Data::Dumper;

# Command-line options, seeded with the default digest algorithm so that
# plain "getds DOMAIN" produces SHA256 DS records.
my %opts = ( 'a' => 'SHA256' );

# Option table in DTGetOptions' [spec, help-text] form; the GUI:* entries
# are consumed by the QWPrimitives front end rather than parsed as flags.
my @option_table = (
    [ 'GUI:VERSION', "0.1\nDNSSEC-Tools Version: 1.5" ],

    [ 'a|hash-algorithm=s', 'Hash algorithm to use (SHA256 or SHA1)' ],
    [ 'z|print-zsks',       'Print ZSK DS records too, not just KSKS' ],

    [ 'GUI:otherargs_text', "DOMAIN_NAME" ],
);

# DTGetOptions returns false when parsing fails or --help was handled;
# nothing useful can be done in that case, so just leave.
DTGetOptions( \%opts, @option_table ) || exit;

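# The domain whose DNSKEYs we turn into DS records.  DTGetOptions has
# already stripped the option switches, so whatever is left is the name.
my $domain = $ARGV[0];
die "usage: getds DOMAIN_NAME\n"
  unless defined($domain) && length($domain);

# query the DNSKEY from the net
#
# NOTE: this is a plain query through the locally configured resolver; no
# DNSSEC validation happens here, so the keys are only as trustworthy as
# the path between this host and that resolver (see SECURITY CONSIDERATIONS).
my $res = Net::DNS::Resolver->new;
my $q   = $res->query($domain, "DNSKEY");

# query() returns undef on any failure (NXDOMAIN, timeout, SERVFAIL, ...);
# without this check the ->answer call below dies with an unhelpful message.
die "DNSKEY query for $domain failed: " . $res->errorstring . "\n"
  unless defined $q;

# The answer section may carry records of other types (e.g. a CNAME chain
# leading to the DNSKEYs); DS->create only makes sense for DNSKEY RRs.
my @keys = grep { $_->type eq 'DNSKEY' } $q->answer;

#
# for each of the keys found, print out the DS record
#
foreach my $key (@keys) {
    # Flags bit 0x1 is the SEP flag, which is what marks a KSK.  Only SEP
    # keys are converted unless -z / --print-zsks was given (the option
    # was accepted but never consulted before).
    next if !$opts{'z'} && ($key->flags & 0x1) == 0;

    # Pin the DS owner name to the name the user asked for.  Go through the
    # accessor rather than assigning $key->{'name'} directly: newer Net::DNS
    # no longer keeps the owner under that hash key, so the direct write was
    # silently ignored there.
    $key->name($domain);

    my $ds = Net::DNS::RR::DS->create($key,
                                      digtype => $opts{'a'},
                                     );
    $ds->print;
}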

=head1 NAME

getds - Create a DS record from DNSKEY information

=head1 SYNOPSIS

getds dnssec-tools.org

=head1 DESCRIPTION

B<getds> will create a DS record from DNSKEYs for a particular DNS
domain.  It does this by converting DNSKEYs to DS records using the
specified hashing algorithm.  The results can then be passed to
upstream DNSSEC supporting parents or to DLV registries.

=head1 SECURITY CONSIDERATIONS

By default, getds pulls data from the live DNS.  If your DNS resolver
isn't configured so that this data is retrieved securely, then the
results can't be trusted.

=cut

