#!/usr/bin/env perl

=pod

=head1 SUMMARY

This script supports signing an RRset (one or more DNS records)
by the provided private key

=head1 SYNOPSIS

cat data-file | sign-rrset.pl --key KEY --exp DATETIME --inc DATETIME

sign-rrset.pl --help

=over 3

=item *
KEY is the file with the private key matching the intended DNSKEY record.

=item *
DATETIME is the date-time in the format "YYYYMMDDHHMMSS" for RRSIG expiration (--exp)
and RRSIG inception (--inc) respectively.

=back

=head1 DATA FILE

Create a file with the complete RRset to be signed. You can freely add
comment lines starting with "#" anywhere.

=head1 EXAMPLE FILE

=begin text

err-mult-nsec-1.dnssec10.xa. 86400 IN	NSEC	ns1.err-mult-nsec-1.dnssec10.xa. NS SOA RRSIG NSEC DNSKEY TYPE65534
err-mult-nsec-1.dnssec10.xa. 86400 IN	NSEC	www.err-mult-nsec-1.dnssec10.xa. NS SOA RRSIG NSEC DNSKEY TYPE65534

=end text

=cut


use 5.16.0;
use warnings;

use Net::DNS::SEC 1.26;
use Net::DNS 1.47;

use Getopt::Long;
use Pod::Usage;

my ( $key, $exp, $inc, $help );
GetOptions( 'key=s' => \$key,
            'exp=s' => \$exp,
            'inc=s' => \$inc,
            'help'  => \$help
          );

if ( $help ) {
    pod2usage(-verbose => 99);
    exit 0;
}

unless ( $key ) {
    say STDERR "Missing private key file";
    say STDERR "Run with --help to get help";
    exit 1;
}

unless ( $exp and $inc ) {
    say STDERR "Missing expiration and/or inception value";
    say STDERR "Run with --help to get help";
    exit 1;
}

my @rrsetref; # List of references to RRs.

while( my $line = <> ) {
    chomp ( $line );
    next if $line =~ /^\s*$/;
    next if $line =~ /^#/;
    my $rrref = Net::DNS::RR->new( $line );
    push ( @rrsetref, $rrref );
    
}

unless ( @rrsetref ) {
    say "Missing RRset to sign";
    say STDERR "Run with --help to get help";
    exit 1;
};

my $private = Net::DNS::SEC::Private->new($key);

my $sigrr= Net::DNS::RR::RRSIG->create( \@rrsetref, $private, sigex => $exp, sigin => $inc );

say $sigrr->plain;