#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

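# Re-assert strict mode explicitly: the "-e" on the shebang line is not
# applied when this script is invoked as "sh keygen.sh" rather than executed
# directly, so failing tool invocations would otherwise be silently skipped.
set -e

# Shared system-test configuration; presumably supplies the tool variables
# ($KEYGEN, $SIGNER, $DSFROMKEY, $SETTIME, $TP) and the echo_i/echo_d/cat_d
# helpers used below.
. ../../conf.sh

SYSTESTDIR=autosign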

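#
# dumpit FILE: send FILE's contents to the debug log.
# Globals:   debug (read) - label set by setup() for the zone in progress
# Arguments: $1 - file to dump (normally captured tool output such as kg.out)
#
dumpit () {
	echo_d "${debug}: dumping ${1}"
	# Redirect straight into cat_d instead of piping through a needless cat.
	cat_d < "${1}"
}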

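#
# setup ZONE: initialise the per-zone globals consumed by the sections below.
# Globals (written): debug, zone, zonefile, infile, n
# Arguments:         $1 - zone name
#
setup () {
	echo_i "setting up zone: $1"
	debug="$1"
	zone="$1"
	zonefile="${zone}.db"
	infile="${zonefile}.in"
	# Running count of zones set up; $(( )) is POSIX and avoids forking expr.
	n=$(( ${n:-0} + 1 ))
}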

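#
#  Secure test zone (NSEC3-capable keys)
#
# NOTE(review): RSASHA1 keys are used throughout this fixture; the autosign
# test expectations presumably depend on that algorithm, so it is left as-is.
setup secure.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a RSASHA1 -3 -q -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"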

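#
#  NSEC3/NSEC test zone
#
setup secure.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"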

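#
#  NSEC3/NSEC3 test zone
#
setup nsec3.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"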

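#
#  Jitter/NSEC3 test zone
#
setup jitter.nsec3.example
cp "$infile" "$zonefile"
# Pad the zone with 1000 TXT records (label1 .. label1000).
count=1
while [ "$count" -le 1000 ]
do
    printf 'label%s IN TXT label%s\n' "$count" "$count" >> "$zonefile"
    count=$((count + 1))
done
# Don't create keys just yet, because the scenario we want to test
# is an unsigned zone that has a NSEC3PARAM record added with
# dynamic update before the keys are generated.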

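#
#  OPTOUT/NSEC3 test zone
#
setup optout.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"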

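#
# A nsec3 zone (non-optout).
#
setup nsec3.example
# Include the dsset files generated above for this zone's children
# (dsset-*.nsec3.example); the glob must stay unquoted.
cat "$infile" dsset-*."${zone}$TP" > "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"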

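#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
setup autonsec3.example
cat "$infile" > "$zonefile"
# -G: generate the keys without publication/activation timing metadata;
# the key names are recorded one level up for the test driver.
ksk=$($KEYGEN -G -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../autoksk.key
zsk=$($KEYGEN -G -q -a RSASHA1 -3 "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../autozsk.key
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"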

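#
#  OPTOUT/NSEC test zone
#
setup secure.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"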

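#
#  OPTOUT/NSEC3 test zone
#
setup nsec3.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"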

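#
#  OPTOUT/OPTOUT test zone
#
setup optout.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"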

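#
# An optout nsec3 zone.
#
setup optout.example
# Include the dsset files generated above for this zone's children
# (dsset-*.optout.example); the glob must stay unquoted.
cat "$infile" dsset-*."${zone}$TP" > "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"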

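#
# A RSASHA256 zone.
#
setup rsasha256.example
cp "$infile" "$zonefile"
# 2048-bit KSK, 1024-bit ZSK.
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 1024 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"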

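#
# A RSASHA512 zone.
#
setup rsasha512.example
cp "$infile" "$zonefile"
# 2048-bit KSK, 1024-bit ZSK.
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"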

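#
# NSEC-only zone (no -3, so the keys are not NSEC3-capable).
#
setup nsec.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"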

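#
# Signature refresh test zone.  Signatures are set to expire long
# in the past; they should be updated by autosign.
#
setup oldsigs.example
cp "$infile" "$zonefile"
# Pad the zone with 1000 TXT records (label1 .. label1000).
count=1
while [ "$count" -le 1000 ]
do
    printf 'label%s IN TXT label%s\n' "$count" "$count" >> "$zonefile"
    count=$((count + 1))
done
$KEYGEN -q -a RSASHA1 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA1 "$zone" > kg.out 2>&1 || dumpit kg.out
# Sign with a validity window that lies entirely in the past (now-1y .. now-6mo),
# then replace the unsigned file with the signed one.
$SIGNER -PS -s now-1y -e now-6mo -o "$zone" -f "$zonefile.signed" "$zonefile" > s.out || dumpit s.out
mv "$zonefile.signed" "$zonefile"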

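#
# NSEC3->NSEC transition test zone.
#
setup nsec3-to-nsec.example
$KEYGEN -q -a RSASHA512 -b 2048 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 "$zone" > kg.out 2>&1 || dumpit kg.out
# Signed directly from the input file with NSEC3 salt "beef".
$SIGNER -S -3 beef -A -o "$zone" -f "$zonefile" "$infile" > s.out || dumpit s.out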

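#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate
#
setup secure-to-insecure.example
$KEYGEN -a RSASHA1 -q -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a RSASHA1 -q "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o "$zone" -f "$zonefile" "$infile" > s.out || dumpit s.out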

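#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.
#
setup secure-to-insecure2.example
# Record both key names one level up so the test driver can delete them.
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../del1.key
zsk=$($KEYGEN -q -a RSASHA1 -3 "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../del2.key
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out || dumpit s.out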
205 206 207 208

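#
# Introducing a pre-published key test.
#
setup prepub.example
# Reuse the secure-to-insecure2 zone data as input for this zone.
infile="secure-to-insecure2.example.db.in"
$KEYGEN -a RSASHA1 -3 -q -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out || dumpit s.out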

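#
# Key TTL tests.
#

# no default key TTL; DNSKEY should get SOA TTL
setup ttl1.example
$KEYGEN -a RSASHA1 -3 -q -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# default key TTL should be used (-L 60 on both keys)
setup ttl2.example
$KEYGEN -a RSASHA1 -3 -q -fk -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# mismatched key TTLs (30 vs 60), should use shortest
setup ttl3.example
$KEYGEN -a RSASHA1 -3 -q -fk -L 30 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# existing DNSKEY RRset, should retain TTL: the KSK (-L 30) is appended to
# the zone file before the ZSK (-L 180) is generated.
setup ttl4.example
$KEYGEN -a RSASHA1 -3 -q -L 30 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
cat "${infile}" "K${zone}".+*.key > "$zonefile"
$KEYGEN -a RSASHA1 -3 -q -L 180 "$zone" > kg.out 2>&1 || dumpit kg.out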

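#
# A zone with a DNSKEY RRset that is published before it's activated
#
setup delay.example
# -G: generate keys without publication/activation timing metadata; the
# key names are recorded one level up for the test driver.
ksk=$($KEYGEN -G -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../delayksk.key
zsk=$($KEYGEN -G -q -a RSASHA1 -3 "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../delayzsk.key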

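#
# A zone with signatures that are already expired, and the private ZSK
# is missing.
#
setup nozsk.example
$KEYGEN -q -a RSASHA1 -3 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# Capture stderr and dump on failure, matching the other key generations.
zsk=$($KEYGEN -q -a RSASHA1 -3 "$zone" 2> kg.out) || dumpit kg.out
# Sign with an already-expired validity window (now-1mo .. now-1mi).
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out || dumpit s.out
echo "$zsk" > ../missingzsk.key
# Remove the private half of the ZSK: this is the scenario under test.
rm -f "${zsk}.private"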

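#
# A zone with signatures that are already expired, and the private ZSK
# is inactive.
#
setup inaczsk.example
$KEYGEN -q -a RSASHA1 -3 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# Capture stderr and dump on failure, matching the other key generations.
zsk=$($KEYGEN -q -a RSASHA1 -3 "$zone" 2> kg.out) || dumpit kg.out
# Sign with an already-expired validity window (now-1mo .. now-1mi).
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out || dumpit s.out
echo "$zsk" > ../inactivezsk.key
# Mark the ZSK inactive as of now.
$SETTIME -I now "$zsk" > st.out 2>&1 || dumpit st.out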

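#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
#
setup reconf.example
# Reuse the secure.example zone data rather than this zone's own input.
cp secure.example.db.in "$zonefile"
$KEYGEN -q -a RSASHA1 -3 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out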

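#
# A zone which generates CDS and CDNSKEY RRsets automatically
#
setup sync.example
cp "$infile" "$zonefile"
# "-P sync now" sets the KSK's CDS/CDNSKEY publication time to now.
ksk=$($KEYGEN -a RSASHA1 -3 -q -fk -P sync now "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"
# Record the KSK path (relative to the test directory) for the driver.
echo "ns3/$ksk" > ../sync.key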

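#
# A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly
#
setup kskonly.example
cp "$infile" "$zonefile"
# "-P sync now" sets the KSK's CDS/CDNSKEY publication time to now.
ksk=$($KEYGEN -a RSASHA1 -3 -q -fk -P sync now "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"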

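#
# A zone that has a published inactive KSK that is autosigned
# (published now, activated an hour from now).
#
setup inacksk2.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a RSASHA1 -3 -q -Pnow -A now+3600 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"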

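#
# A zone that has a published inactive ZSK that is autosigned
# (published now, activated an hour from now).
#
setup inaczsk2.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a RSASHA1 -3 -q -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q -P now -A now+3600 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"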

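#
#  A zone that starts with an active KSK + ZSK and a second KSK that is
#  published now but not active until an hour from now.
#
setup inacksk3.example
cp "$infile" "$zonefile"
$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a NSEC3RSASHA1 -3 -q -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
# Only the active KSK's DS record is published.
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"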

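#
#  A zone that starts with an active KSK + ZSK and a second ZSK that is
#  published now but not active until an hour from now.
#
setup inaczsk3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -3 -q -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"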

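#
# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
# latter getting deleted during the test.
#
setup delzsk.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -3 -q -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -3 -q "$zone" > kg.out 2>&1 || dumpit kg.out
# Second ZSK with an inactive date a week in the past; its name is recorded
# one level up so the test driver can delete it later.
zsk=$($KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../delzsk.key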

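#
#  Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA1 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"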