#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

# The grandchild zones live on ns6 and the delegations below pull in the
# ../ns6/dsset-grand.* files, so ns6 is signed first (presumably that is what
# writes them).  It runs under "sh -e" so a failure there stops the run.
(cd ../ns6 && $SHELL -e ./sign.sh)

echo_i "dlv/ns3/sign.sh"

# Three DLV zones are built at the end of this script.  For each one we keep a
# space separated list of the dlvset- files to splice into it, and a list of
# the dsset- files that are handed to ns2.
dlvzone="dlv.utld."
dlvsets=
dssets=

disableddlvzone="disabled-algorithm-dlv.utld."
disableddlvsets=
disableddssets=

unsupporteddlvzone="unsupported-algorithm-dlv.utld."
unsupporteddlvsets=
unsupporteddssets=

# Signed zone below unsigned TLD with DLV entry.
zone=child1.utld.
infile=child.db.in
zonefile=child1.utld.db
outfile=child1.signed
# The signer names the DLV set dlvset-<zone without trailing dot>$TP; remember
# it so the dlv.utld. zone built at the end can include it.
dlvsets="$dlvsets dlvset-${zone%.}$TP"

# ZSK first, then KSK.  Keygen diagnostics are dropped; if it fails the name
# is empty and the cat below trips on a missing ".key" file.  $KEYGEN stays
# unquoted on purpose, conf.sh may set it to a command plus options.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# The delegation to the grandchild on ns6 carries that zone's DS set.
dsfilename=../ns6/dsset-grand.${zone%.}$TP
cat "$infile" "$keyname1.key" "$keyname2.key" "$dsfilename" > "$zonefile"

# -l makes the signer also emit a dlvset- file relative to $dlvzone.  A signer
# error is printed but the "||" keeps the script going even under "sh -e".
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
# with a disabled algorithm.
zone=child3.utld.
infile=child.db.in
zonefile=child3.utld.db
outfile=child3.signed
# This zone's dlvset is spliced into the disabled-algorithm DLV zone rather
# than into dlv.utld.
disableddlvsets="$disableddlvsets dlvset-${zone%.}$TP"

# ZSK then KSK; keygen's stderr is discarded, so a failure only shows up as an
# empty name (and a missing ".key") in the cat below.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# DS set of the grandchild served by ns6 goes in at the delegation point.
dsfilename=../ns6/dsset-grand.${zone%.}$TP
cat "$infile" "$keyname1.key" "$keyname2.key" "$dsfilename" > "$zonefile"

# -l selects which DLV zone the generated dlvset is relative to.  Signer
# failures are reported via signer.err but do not abort the script.
$SIGNER -O full -l "$disableddlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Signed zone below unsigned TLD with DLV entry.  This one is slightly
# different because its children (the grandchildren) don't have a DS record in
# this zone.  The grandchild zones are served by ns6.
zone=child4.utld.
infile=child.db.in
zonefile=child4.utld.db
outfile=child4.signed
# Queue this zone's dlvset for inclusion in dlv.utld.
dlvsets="$dlvsets dlvset-${zone%.}$TP"

# ZSK and KSK.  Keygen errors are silenced here; they surface later as a
# missing ".key" file when the zone is assembled.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# Deliberately no ../ns6/dsset-grand.* here: the grandchild delegation stays
# insecure.
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# The "||" only prints the signer's diagnostics; it does not fail the script.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
# with an unsupported algorithm.
zone=child5.utld.
infile=child.db.in
zonefile=child5.utld.db
outfile=child5.signed
# The dlvset for this zone belongs in the unsupported-algorithm DLV zone.
unsupporteddlvsets="$unsupporteddlvsets dlvset-${zone%.}$TP"

# ZSK, then KSK.  stderr from keygen is thrown away; a failure leaves the
# variable empty and the cat below fails on ".key".
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# Secure delegation to the grandchild on ns6.
dsfilename=../ns6/dsset-grand.${zone%.}$TP
cat "$infile" "$keyname1.key" "$keyname2.key" "$dsfilename" > "$zonefile"

# -l points the generated dlvset at the unsupported-algorithm DLV zone.  The
# "||" shows signer.err on failure without stopping the script.
$SIGNER -O full -l "$unsupporteddlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"

# Signed zone below unsigned TLD without DLV entry.
zone=child7.utld.
infile=child.db.in
zonefile=child7.utld.db
outfile=child7.signed
# Nothing is appended to $dlvsets: no DLV zone will point at this zone.

# ZSK and KSK; keygen's stderr is discarded (a failure surfaces as a missing
# ".key" file below).
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# The grandchild on ns6 still gets a secure delegation.
dsfilename=../ns6/dsset-grand.${zone%.}$TP
cat "$infile" "$keyname1.key" "$keyname2.key" "$dsfilename" > "$zonefile"

# No -l here, so the signer writes no dlvset file for this zone.  Signer
# errors are printed but do not abort the script.
$SIGNER -O full -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Signed zone below unsigned TLD without DLV entry and no DS records for the
# grandchildren.
zone=child8.utld.
infile=child.db.in
zonefile=child8.utld.db
outfile=child8.signed

# ZSK and KSK, keygen diagnostics dropped.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# No ../ns6/dsset-grand.* file: the grandchild delegation is left insecure.
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# -l still makes the signer write a dlvset file, but that file is never added
# to $dlvsets, so the DLV zone ends up without an entry for this zone.  The
# "||" prints signer.err on failure without stopping the script.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"

# Signed zone below unsigned TLD with DLV entry.
zone=child9.utld.
infile=child.db.in
zonefile=child9.utld.db
outfile=child9.signed
# Queue the dlvset the signer will write for inclusion in dlv.utld.
dlvsets="$dlvsets dlvset-${zone%.}$TP"

# ZSK then KSK; a keygen failure is silent here and shows up as a missing
# ".key" in the cat below.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# No DS for the grandchildren in this zone.
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# Signer failures are reported via signer.err, not via the exit status.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"

# Unsigned zone below an unsigned TLD with DLV entry.  We still need to sign
# the zone to generate the DLV set.
zone=child10.utld.
infile=child.db.in
zonefile=child10.utld.db
outfile=child10.signed
# Only the dlvset- by-product is wanted; it feeds dlv.utld.
dlvsets="$dlvsets dlvset-${zone%.}$TP"

# ZSK and KSK (keygen stderr discarded).
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# The signed output is produced for the sake of the dlvset file; the "||"
# surfaces signer errors without aborting.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Zone signed with a disabled algorithm (an algorithm that is disabled in
# one of the test resolvers) with DLV entry.
zone=disabled-algorithm.utld.
infile=child.db.in
zonefile=disabled-algorithm.utld.db
outfile=disabled-algorithm.utld.signed
# The DLV entry itself goes into the normal dlv.utld. zone.
dlvsets="$dlvsets dlvset-${zone%.}$TP"

# Both keys use the disabled algorithm/size from conf.sh; keygen's stderr is
# dropped, so a failure only shows as a missing ".key" below.
keyname1=$($KEYGEN -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone "$zone" 2> /dev/null)

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# Signer diagnostics are printed on failure; the exit status is masked.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


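# Zone signed with an unsupported algorithm with DLV entry.
# The keys are generated and the zone signed with the default algorithm; the
# algorithm number is then rewritten to 255 in the signed zone, in the KSK's
# .key file and in the dlvset, so a validator sees an algorithm it cannot use.
zone=unsupported-algorithm.utld.
infile=child.db.in
zonefile=unsupported-algorithm.utld.db
outfile=unsupported-algorithm.utld.signed
# The signer writes the DLV set as dlvset-<zone without trailing dot>$TP.
# Build that name once and use it both for $dlvsets and for the rewrite below;
# the rewrite previously used "dlvset-${zone}" (trailing dot kept), which only
# names the same file when $TP happens to be ".".
dlvsetfile="dlvset-${zone%.}$TP"
dlvsets="$dlvsets $dlvsetfile"

# ZSK then KSK.  Keygen's stderr is discarded; a failure leaves the name empty
# and the cat below fails on the missing ".key".  $KEYGEN is left unquoted
# because conf.sh may set it to a command plus options.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# Sign to a temporary file first; the "||" prints signer.err on failure but
# does not stop the script.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "${outfile}.tmp" "$zonefile" > /dev/null 2> signer.err || cat signer.err
# In "-O full" presentation format the algorithm number is column 7 of a
# DNSKEY line and column 6 of an RRSIG line.
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' "${outfile}.tmp" > "$outfile"

# The .key file has no TTL column, so the algorithm is column 6 there.
cp "${keyname2}.key" "${keyname2}.tmp"
awk '$3 == "DNSKEY" { $6 = 255 } { print }' "${keyname2}.tmp" > "${keyname2}.key"
# In the dlvset the algorithm is column 5 (name class DLV keytag alg ...).
cp "$dlvsetfile" "${dlvsetfile}tmp"
awk '$3 == "DLV" { $5 = 255 } { print }' "${dlvsetfile}tmp" > "$dlvsetfile"

echo_i "signed $zone"
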
# Signed zone below signed TLD with DLV entry and DS set.
zone=child1.druz.
infile=child.db.in
zonefile=child1.druz.db
outfile=child1.druz.signed
# Under a signed TLD the DS set is needed too: the dlvset feeds dlv.utld.,
# the dsset is copied to ns2 once all druz. children are done.
dlvsets="$dlvsets dlvset-${zone%.}$TP"
dssets="$dssets dsset-${zone%.}$TP"

# ZSK, then KSK; keygen diagnostics discarded.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# Secure delegation to the grandchild on ns6.
dsfilename=../ns6/dsset-grand.${zone%.}$TP
cat "$infile" "$keyname1.key" "$keyname2.key" "$dsfilename" > "$zonefile"

# Signer errors are shown via signer.err; the "||" masks the exit status.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Signed zone below signed TLD with DLV entry and DS set.  The DLV zone is
# signed with a disabled algorithm.
zone=child3.druz.
infile=child.db.in
zonefile=child3.druz.db
outfile=child3.druz.signed
# Both lists feed the disabled-algorithm variants (DLV zone and ns2 copy).
disableddlvsets="$disableddlvsets dlvset-${zone%.}$TP"
disableddssets="$disableddssets dsset-${zone%.}$TP"

# ZSK and KSK with the default algorithm; the zone itself is fine, only the
# DLV zone above it uses the disabled algorithm.  Keygen stderr is dropped.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# Include the grandchild's DS set from ns6.
dsfilename=../ns6/dsset-grand.${zone%.}$TP
cat "$infile" "$keyname1.key" "$keyname2.key" "$dsfilename" > "$zonefile"

# -l ties the generated dlvset to the disabled-algorithm DLV zone.
$SIGNER -O full -l "$disableddlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Signed zone below signed TLD with DLV entry and DS set, but missing
# DS records for the grandchildren.
zone=child4.druz.
infile=child.db.in
zonefile=child4.druz.db
outfile=child4.druz.signed
# dlvset goes to dlv.utld., dsset to ns2.
dlvsets="$dlvsets dlvset-${zone%.}$TP"
dssets="$dssets dsset-${zone%.}$TP"

# ZSK then KSK (keygen diagnostics discarded).
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# No ../ns6/dsset-grand.* here, so the grandchild delegation is insecure.
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# The "||" prints signer.err on failure without stopping the script.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


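# Signed zone below signed TLD with DLV entry and DS set.  The DLV zone is
# signed with an unsupported algorithm.
zone=child5.druz.
infile=child.db.in
zonefile=child5.druz.db
outfile=child5.druz.signed
# Both lists belong to the unsupported-algorithm variant: the dlvset feeds
# that DLV zone, the dsset is copied to ns2 with the other druz. DS sets.
# The dsset line used to expand "$unsupportedssets" (typo) instead of
# "$unsupporteddssets", which silently discarded anything accumulated so far.
unsupporteddlvsets="$unsupporteddlvsets dlvset-${zone%.}$TP"
unsupporteddssets="$unsupporteddssets dsset-${zone%.}$TP"

# ZSK then KSK with the default algorithm; keygen's stderr is discarded, so a
# failure only shows as a missing ".key" in the cat below.  $KEYGEN is left
# unquoted because conf.sh may set it to a command plus options.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# Secure delegation to the grandchild served by ns6.
dsfilename=../ns6/dsset-grand.${zone%.}$TP
cat "$infile" "$keyname1.key" "$keyname2.key" "$dsfilename" > "$zonefile"

# -l ties the generated dlvset to the unsupported-algorithm DLV zone.  Signer
# errors are printed from signer.err; the "||" masks the exit status.
$SIGNER -O full -l "$unsupporteddlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"

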
# Signed zone below signed TLD without DLV entry, but with normal DS set.
zone=child7.druz.
infile=child.db.in
zonefile=child7.druz.db
outfile=child7.druz.signed
# Only the dsset is wanted (for ns2); nothing is added to $dlvsets.
dssets="$dssets dsset-${zone%.}$TP"

# ZSK and KSK; keygen diagnostics are dropped.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# Secure delegation to the grandchild on ns6.
dsfilename=../ns6/dsset-grand.${zone%.}$TP
cat "$infile" "$keyname1.key" "$keyname2.key" "$dsfilename" > "$zonefile"

# No -l: the signer writes no dlvset for this zone.  Errors go to signer.err
# and are printed without aborting.
$SIGNER -O full -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Signed zone below signed TLD without DLV entry and no DS set.  Also DS
# records for the grandchildren are not included in the zone.
zone=child8.druz.
infile=child.db.in
zonefile=child8.druz.db
outfile=child8.druz.signed

# ZSK then KSK (keygen stderr discarded).
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# No grandchild DS set goes in.
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# -l still produces a dlvset file, but it is not added to $dlvsets and the
# dsset is not added to $dssets, so neither the DLV zone nor ns2 sees this
# zone.  Signer errors are printed but do not stop the script.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"


# Signed zone below signed TLD with DLV entry but no DS set.  Also DS
# records for the grandchildren are not included in the zone.
zone=child9.druz.
infile=child.db.in
zonefile=child9.druz.db
outfile=child9.druz.signed
# dlvset for dlv.utld. only; no dsset is recorded for ns2.
dlvsets="$dlvsets dlvset-${zone%.}$TP"

# ZSK and KSK; keygen's stderr is thrown away.
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

# Grandchild delegation left without a DS record.
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# The "||" prints signer.err on failure; the script continues regardless.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"

# Unsigned zone below signed TLD with DLV entry and DS set.  We still need to
# sign the zone to generate the DS sets.
zone=child10.druz.
infile=child.db.in
zonefile=child10.druz.db
outfile=child10.druz.signed
# Only the dlvset/dsset by-products are wanted from this signing run.
dlvsets="$dlvsets dlvset-${zone%.}$TP"
dssets="$dssets dsset-${zone%.}$TP"

# ZSK then KSK (keygen diagnostics discarded).
keyname1=$($KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)
keyname2=$($KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone "$zone" 2> /dev/null)

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# Signer errors are printed via signer.err without aborting the script.
$SIGNER -O full -l "$dlvzone" -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"

# Hand the DS sets collected for the druz. children to ns2.  Each variable is
# a space separated list of filenames, so it must stay unquoted here.
cp $dssets ../ns2
cp $disableddssets ../ns2
cp $unsupporteddssets ../ns2

# DLV zones
#
# Build the three DLV zones from the same template, splicing in the dlvset-
# files collected above.  For each zone the KSK is also exported as a
# trusted-keys configuration for the resolver that will validate through it.
infile=dlv.db.in
for zone in dlv.utld. disabled-algorithm-dlv.utld. unsupported-algorithm-dlv.utld.
do
	zonefile="${zone}db"
	outfile="${zone}signed"

	# Per-zone key parameters, the dlvset list to include and where the
	# resulting trust anchor goes.
	case "$zone" in
	"dlv.utld.")
		algorithm=$DEFAULT_ALGORITHM
		bits=$DEFAULT_BITS
		dlvfiles=$dlvsets
		trustconf=../ns5/trusted-dlv.conf
		;;
	"disabled-algorithm-dlv.utld.")
		algorithm=$DISABLED_ALGORITHM
		bits=$DISABLED_BITS
		dlvfiles=$disableddlvsets
		trustconf=../ns8/trusted-dlv-disabled.conf
		;;
	"unsupported-algorithm-dlv.utld.")
		algorithm=$DEFAULT_ALGORITHM
		bits=$DEFAULT_BITS
		dlvfiles=$unsupporteddlvsets
		trustconf=../ns7/trusted-dlv-unsupported.conf
		;;
	esac

	# ZSK then KSK; keygen's stderr is discarded.  $KEYGEN stays unquoted
	# because conf.sh may set it to a command plus options.
	keyname1=$($KEYGEN -a "$algorithm" -b "$bits" -n zone "$zone" 2> /dev/null)
	keyname2=$($KEYGEN -f KSK -a "$algorithm" -b "$bits" -n zone "$zone" 2> /dev/null)

	# $dlvfiles is a space separated list (possibly empty): keep it unquoted.
	cat "$infile" $dlvfiles "$keyname1.key" "$keyname2.key" > "$zonefile"

	case "$zone" in
	"unsupported-algorithm-dlv.utld.")
		# Sign with a real algorithm, then rewrite the algorithm number to
		# 255 in the signed zone (column 7 of DNSKEY, 6 of RRSIG in full
		# output) and in the KSK's .key file (column 6).  The .key file is
		# copied aside first and the rewritten copy replaces it, so the
		# trust anchor exported below also carries algorithm 255.
		cp "${keyname2}.key" "${keyname2}.tmp"
		$SIGNER -O full -o "$zone" -f "${outfile}.tmp" "$zonefile" > /dev/null 2> signer.err || cat signer.err
		awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' "${outfile}.tmp" > "$outfile"
		awk '$3 == "DNSKEY" { $6 = 255 } { print }' "${keyname2}.tmp" > "${keyname2}.key"
		;;
	*)
		# The "||" prints signer.err on failure without stopping the loop.
		$SIGNER -O full -o "$zone" -f "$outfile" "$zonefile" > /dev/null 2> signer.err || cat signer.err
		;;
	esac
	# keyfile_to_trusted_keys comes from conf.sh (presumably renders the KSK
	# as a trusted-keys clause).
	keyfile_to_trusted_keys "$keyname2" > "$trustconf"

	echo_i "signed $zone"
done