# Zone inputs: every db.* file in this directory except the signer's own
# db.*.signed output. Simple (:=) assignment globs the directory once, at
# parse time.
# NOTE(review): any other db.* file left here (editor backup, journal, ...)
# is also picked up as a zone and would be signed under that name.
ZONEFILES := $(filter-out %.signed,$(wildcard db.*))

# One db.<zone>.signed target per zone file.
SIGNEDZONES := $(addsuffix .signed,$(ZONEFILES))

# Key repository handed to dnssec-keygen and dnssec-signzone via -K.
# It holds the zones' *.private signing keys: keep it out of version control
# and readable only by the account that runs this Makefile.
keydir := keys

# Directory handed to dnssec-signzone via -d (where it looks for the
# dsset-/keyset- files of delegated child zones).
dsdir := dskeys

# Default goal: bring every db.<zone>.signed up to date with its db.<zone>.
all: $(SIGNEDZONES)
.PHONY: all

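# generate_keys(zone): create a key-signing key (-f KSK) and a zone-signing
# key for <zone> in $(keydir), but only when no private key for that zone is
# found there. Both keys are RSASHA256 with a 2048-bit modulus.
#
# dnssec-keygen names its files K<zone>.+<alg>+<id>.{key,private}. The glob
# is anchored on the ".+" separator so that keys belonging to a longer zone
# name (K<zone>.<suffix>.+...) are not mistaken for keys of <zone>, which
# would skip generation and leave the zone without keys of its own.
#
# The commands are chained with && so that a failed KSK generation stops the
# recipe instead of being masked by the exit status of the ZSK generation.
#
# NOTE(review): the existence check cannot tell a KSK from a ZSK; if only one
# of the two was ever written, the missing one is not regenerated here.
# $(keydir) is expected to exist already; it contains private key material,
# so it should not be readable by other users.
define generate_keys
	@if [ -z "$(wildcard $(keydir)/K$(1).+*.private)" ]; then \
		echo Generating keys for $(1) && \
		/usr/sbin/dnssec-keygen \
			-a RSASHA256 \
			-b 2048 \
			-f KSK \
			-n ZONE \
			-K $(keydir) \
			$(1) && \
		/usr/sbin/dnssec-keygen \
			-a RSASHA256 \
			-b 2048 \
			-n ZONE \
			-K $(keydir) \
			$(1) ; \
	fi
endef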



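# If a recipe fails after it has touched its target, delete that target, so
# a failed signing run cannot leave behind a db.<zone>.signed that looks up
# to date on the next run.
.DELETE_ON_ERROR:

# Sign db.<zone> into db.<zone>.signed; the stem ($*) is the zone name.
# Keys are created first when the zone has none (see generate_keys).
#
# dnssec-signzone options:
#   -a            verify every generated signature
#   -N unixtime   set the SOA serial to the current Unix time
#   -K $(keydir)  key repository to read the signing keys from
#   -d $(dsdir)   directory searched for dsset-/keyset- files
#   -o $*         zone origin
#   -S            smart signing: pick up the zone's keys from the repository
# The output file defaults to <input>.signed, which is this rule's target.
#
# NOTE(review): the only rebuild trigger is the zone file's mtime. RRSIGs
# expire (dnssec-signzone's default validity is 30 days), and the keys are
# not prerequisites, so an unchanged zone must still be re-signed on a
# schedule (e.g. by forcing the target) before its signatures run out.
db.%.signed: db.%
	@echo Signing $<
	$(call generate_keys,$*)
	/usr/sbin/dnssec-signzone \
		-a \
		-N unixtime \
		-K $(keydir) \
		-d $(dsdir) \
		-o $* \
		-S \
		$<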


# Zones that must never be signed. $(SIGNEDZONES) still lists a .signed
# target for each of them, so they get explicit rules whose recipe is only a
# shell comment: these take precedence over the db.%.signed pattern rule,
# dnssec-signzone is never run for them, and no file is written. They are
# declared phony because no db.<zone>.signed file is ever produced.
.PHONY: db.root.signed db.empty.signed \
        db.0.in-addr.arpa.signed \
        db.127.in-addr.arpa.signed \
        db.255.in-addr.arpa.signed

db.root.signed:
	@# This is a hint zone, it should not be signed.

db.empty.signed \
db.0.in-addr.arpa.signed \
db.127.in-addr.arpa.signed \
db.255.in-addr.arpa.signed:
	@# This is a special zone, it should not be signed.

# Delete the signed zone files. The glob is *.signed, so anything in this
# directory with that suffix is removed, not only db.*.signed.
# Keys under $(keydir) are not touched.
.PHONY: clean
clean:
	rm -f *.signed
