sign.sh 21.3 KB
Newer Older
1
#!/bin/sh -e
Michael Sawyer's avatar
Michael Sawyer committed
2
#
3
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
Mark Andrews's avatar
Mark Andrews committed
4
#
5 6 7
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 9 10
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
11

12
# shellcheck source=conf.sh
13
. ../../conf.sh
David Lawrence's avatar
David Lawrence committed
14

15 16
set -e

17 18 19 20 21 22 23 24 25 26 27
echo_i "ns3/sign.sh"

infile=key.db.in
for tld in managed trusted
do
	# A secure zone to test.
	zone=secure.${tld}
	zonefile=${zone}.db

	keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
	cat "$infile" "$keyname1.key" > "$zonefile"
28
	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
29 30 31 32 33 34 35

	# Zone to test trust anchor that matches disabled algorithm.
	zone=disabled.${tld}
	zonefile=${zone}.db

	keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
	cat "$infile" "$keyname2.key" > "$zonefile"
36
	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
37 38 39 40 41 42 43

	# Zone to test trust anchor that has disabled algorithm for other domain.
	zone=enabled.${tld}
	zonefile=${zone}.db

	keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
	cat "$infile" "$keyname3.key" > "$zonefile"
44
	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
45 46 47 48 49 50 51

	# Zone to test trust anchor with unsupported algorithm.
	zone=unsupported.${tld}
	zonefile=${zone}.db

	keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
	cat "$infile" "$keyname4.key" > "$zonefile"
52
	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
53 54 55 56 57 58 59 60 61 62 63 64
	awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed

	# Make trusted-keys and managed keys conf sections for ns8.
	mv ${keyname4}.key ${keyname4}.tmp
	awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key

	# Zone to test trust anchor that is revoked.
	zone=revoked.${tld}
	zonefile=${zone}.db

	keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
	cat "$infile" "$keyname5.key" > "$zonefile"
65
	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
66 67 68

	case $tld in
	"managed")
69
		keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf
70 71
		;;
	"trusted")
72
		keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf
73 74 75 76 77 78
		;;
	esac
done

echo_i "ns3/sign.sh: example zones"

Andreas Gustafsson's avatar
Andreas Gustafsson committed
79 80 81 82
zone=secure.example.
infile=secure.example.db.in
zonefile=secure.example.db

83 84 85
cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
Andreas Gustafsson's avatar
Andreas Gustafsson committed
86

87
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
Andreas Gustafsson's avatar
Andreas Gustafsson committed
88

89
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
Andreas Gustafsson's avatar
Andreas Gustafsson committed
90

Michael Sawyer's avatar
Michael Sawyer committed
91 92 93 94
zone=bogus.example.
infile=bogus.example.db.in
zonefile=bogus.example.db

95
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
Michael Sawyer's avatar
Michael Sawyer committed
96

97
cat "$infile" "$keyname.key" > "$zonefile"
Michael Sawyer's avatar
Michael Sawyer committed
98

99
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
100

101 102 103 104
zone=dynamic.example.
infile=dynamic.example.db.in
zonefile=dynamic.example.db

105 106
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
107

108
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
109

110
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
111

112
zone=keyless.example.
113
infile=generic.example.db.in
114 115
zonefile=keyless.example.db

116
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
117

118
cat "$infile" "$keyname.key" > "$zonefile"
119

120
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
121 122 123

# Change the signer field of the a.b.keyless.example SIG A
# to point to a provably nonexistent KEY record.
124 125 126 127 128
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
mv "$zonefile.signed" "$zonefiletmp"
<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/
    if /^a.b.keyless.example/../NXT/;' > "$zonefile.signed"
rm -f "$zonefiletmp"
129 130 131 132 133 134 135 136

#
#  NSEC3/NSEC test zone
#
zone=secure.nsec3.example.
infile=secure.nsec3.example.db.in
zonefile=secure.nsec3.example.db

137
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
138

139
cat "$infile" "$keyname.key" > "$zonefile"
140

141
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
142 143 144 145 146 147 148 149

#
#  NSEC3/NSEC3 test zone
#
zone=nsec3.nsec3.example.
infile=nsec3.nsec3.example.db.in
zonefile=nsec3.nsec3.example.db

150
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
151

152
cat "$infile" "$keyname.key" > "$zonefile"
153

154
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
155 156 157 158 159 160 161 162

#
#  OPTOUT/NSEC3 test zone
#
zone=optout.nsec3.example.
infile=optout.nsec3.example.db.in
zonefile=optout.nsec3.example.db

163
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
164

165
cat "$infile" "$keyname.key" > "$zonefile"
166

167
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
168 169 170 171 172 173 174 175

#
# A nsec3 zone (non-optout).
#
zone=nsec3.example.
infile=nsec3.example.db.in
zonefile=nsec3.example.db

176
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
177

178
cat "$infile" "$keyname.key" > "$zonefile"
179

180
"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null
181 182 183 184 185 186 187 188

#
#  OPTOUT/NSEC test zone
#
zone=secure.optout.example.
infile=secure.optout.example.db.in
zonefile=secure.optout.example.db

189
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
190

191
cat "$infile" "$keyname.key" > "$zonefile"
192

193
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
194 195 196 197 198 199 200 201

#
#  OPTOUT/NSEC3 test zone
#
zone=nsec3.optout.example.
infile=nsec3.optout.example.db.in
zonefile=nsec3.optout.example.db

202
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
203

204
cat "$infile" "$keyname.key" > "$zonefile"
205

206
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
207 208 209 210 211 212 213 214

#
#  OPTOUT/OPTOUT test zone
#
zone=optout.optout.example.
infile=optout.optout.example.db.in
zonefile=optout.optout.example.db

215
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
216

217
cat "$infile" "$keyname.key" > "$zonefile"
218

219
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
220 221 222 223 224 225 226 227

#
# A optout nsec3 zone.
#
zone=optout.example.
infile=optout.example.db.in
zonefile=optout.example.db

228
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
229

230
cat "$infile" "$keyname.key" > "$zonefile"
231

232
"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null
233 234

#
235
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
236 237 238 239 240
#
zone=nsec3-unknown.example.
infile=nsec3-unknown.example.db.in
zonefile=nsec3-unknown.example.db

241
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
242

243
cat "$infile" "$keyname.key" > "$zonefile"
244

245
"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null
246 247

#
248
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
249 250 251 252 253
#
zone=optout-unknown.example.
infile=optout-unknown.example.db.in
zonefile=optout-unknown.example.db

254
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
255

256
cat "$infile" "$keyname.key" > "$zonefile"
257

258
"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null
259

260
#
261
# A zone that is signed with an unknown DNSKEY algorithm.
262 263
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
264
zone=dnskey-unknown.example
265 266 267
infile=dnskey-unknown.example.db.in
zonefile=dnskey-unknown.example.db

268
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
269

270
cat "$infile" "$keyname.key" > "$zonefile"
271

272
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
273

274
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
275

276
DSFILE="dsset-${zone}${TP}"
277
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
278

279 280
#
# A zone that is signed with an unsupported DNSKEY algorithm (3).
281
# Algorithm 7 is replaced by 255 in the zone and dsset.
282
#
283
zone=dnskey-unsupported.example
284 285 286 287 288 289 290
infile=dnskey-unsupported.example.db.in
zonefile=dnskey-unsupported.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" > "$zonefile"

291
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
292

293
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
294

295
DSFILE="dsset-${zone}${TP}"
296 297 298
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"

#
299
# A zone with a published unsupported DNSKEY algorithm (Reserved).
300 301
# Different from above because this key is not intended for signing.
#
302
zone=dnskey-unsupported-2.example
303 304 305 306 307 308
infile=dnskey-unsupported-2.example.db.in
zonefile=dnskey-unsupported-2.example.db

ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

309
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
310

311
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
312

313 314 315 316
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
317
zone=dnskey-nsec3-unknown.example
318 319 320
infile=dnskey-nsec3-unknown.example.db.in
zonefile=dnskey-nsec3-unknown.example.db

321
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
322

323
cat "$infile" "$keyname.key" > "$zonefile"
324

325
"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
326 327 328

awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed

329
DSFILE="dsset-${zone}${TP}"
330
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
331

332 333 334 335 336 337 338
#
# A multiple parameter nsec3 zone.
#
zone=multiple.example.
infile=multiple.example.db.in
zonefile=multiple.example.db

339
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
340

341
cat "$infile" "$keyname.key" > "$zonefile"
342

343
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
344
mv "$zonefile".signed "$zonefile"
345
"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null
346
mv "$zonefile".signed "$zonefile"
347
"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null
348
mv "$zonefile".signed "$zonefile"
349
"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null
350
mv "$zonefile".signed "$zonefile"
351
"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null
352
mv "$zonefile".signed "$zonefile"
353
"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null
354 355 356 357 358 359 360 361

#
# A RSASHA256 zone.
#
zone=rsasha256.example.
infile=rsasha256.example.db.in
zonefile=rsasha256.example.db

362
keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
363

364
cat "$infile" "$keyname.key" > "$zonefile"
365

366
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
367 368 369 370 371 372 373 374

#
# A RSASHA512 zone.
#
zone=rsasha512.example.
infile=rsasha512.example.db.in
zonefile=rsasha512.example.db

375
keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
376

377
cat "$infile" "$keyname.key" > "$zonefile"
378

379
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
380 381 382 383 384 385 386 387

#
# A zone with the DNSKEY set only signed by the KSK
#
zone=kskonly.example.
infile=kskonly.example.db.in
zonefile=kskonly.example.db

388 389 390
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
391
"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null
Mark Andrews's avatar
Mark Andrews committed
392 393 394 395 396 397 398 399

#
# A zone with the expired signatures
#
zone=expired.example.
infile=expired.example.db.in
zonefile=expired.example.db

400 401 402
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
403
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null
404
rm -f "$kskname.*" "$zskname.*"
405 406 407 408 409 410 411 412

#
# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
#
zone=update-nsec3.example.
infile=update-nsec3.example.db.in
zonefile=update-nsec3.example.db

413 414 415
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
416
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
417 418 419 420 421 422 423 424 425

#
# A NSEC signed zone that will have auto-dnssec enabled and
# extra keys not in the initial signed zone.
#
zone=auto-nsec.example.
infile=auto-nsec.example.db.in
zonefile=auto-nsec.example.db

426 427 428 429 430
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
431
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
432 433 434 435 436 437 438 439 440

#
# A NSEC3 signed zone that will have auto-dnssec enabled and
# extra keys not in the initial signed zone.
#
zone=auto-nsec3.example.
infile=auto-nsec3.example.db.in
zonefile=auto-nsec3.example.db

441 442 443 444 445
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
446
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
447 448 449 450 451 452 453

#
# Secure below cname test zone.
#
zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
454 455
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
456
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
457 458 459 460 461 462 463 464 465 466

#
# Patched TTL test zone.
#
zone=ttlpatch.example.
infile=ttlpatch.example.db.in
zonefile=ttlpatch.example.db
signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched

467 468
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
469

470
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null
471
$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \
472
    awk '{$2 = "3600"; print}' > $patchedfile
473 474

#
475
# Separate DNSSEC records.
476 477 478 479 480 481
#
zone=split-dnssec.example.
infile=split-dnssec.example.db.in
zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed

482 483 484 485
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
486
"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null
487 488

#
489
# Separate DNSSEC records smart signing.
490 491 492 493 494 495
#
zone=split-smart.example.
infile=split-smart.example.db.in
zonefile=split-smart.example.db
signedfile=split-smart.example.db.signed

496 497 498 499 500
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cp "$infile" "$zonefile"
# shellcheck disable=SC2016
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
501
"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
502

503
#
504 505
# Zone with signatures about to expire, but no private key to replace them
#
Scott Mann's avatar
Scott Mann committed
506 507 508 509
zone="expiring.example."
infile="expiring.example.db.in"
zonefile="expiring.example.db"
signedfile="expiring.example.db.signed"
510 511 512
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
513
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null
514 515
mv -f "${zskname}.private" "${zskname}.private.moved"
mv -f "${kskname}.private" "${kskname}.private.moved"
Scott Mann's avatar
Scott Mann committed
516

517 518 519 520 521 522 523 524
#
# A zone where the signer's name has been forced to uppercase.
#
zone="upper.example."
infile="upper.example.db.in"
zonefile="upper.example.db"
lower="upper.example.db.lower"
signedfile="upper.example.db.signed"
525 526 527
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
528
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null
529
$CHECKZONE -D upper.example $lower 2>/dev/null | \
530
	sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
531 532 533 534 535 536 537 538 539

#
# Check that the signer's name is in lower case when zone name is in
# upper case.
#
zone="LOWER.EXAMPLE."
infile="lower.example.db.in"
zonefile="lower.example.db"
signedfile="lower.example.db.signed"
540 541 542
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
543
"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
544

545 546 547 548 549 550 551 552
#
# Zone with signatures about to expire, and dynamic, but configured
# not to resign with 'auto-resign no;'
#
zone="nosign.example."
infile="nosign.example.db.in"
zonefile="nosign.example.db"
signedfile="nosign.example.db.signed"
553 554 555
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
556
"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
557
# preserve a normalized copy of the NS RRSIG for comparison later
558
$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
559 560 561
        awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
        sed 's/[ 	][ 	]*/ /g'> ../nosign.before

562 563 564 565
#
# An inline signing zone
#
zone=inline.example.
566 567
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
568 569 570 571 572 573 574

#
# publish a new key while deactivating another key at the same time.
#
zone=publish-inactive.example
infile=publish-inactive.example.db.in
zonefile=publish-inactive.example.db
575 576 577 578 579 580
now=$(date -u +%Y%m%d%H%M%S)
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cp "$infile" "$zonefile"
581
"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
582 583 584 585 586 587 588

#
# A zone which will change its sig-validity-interval
#
zone=siginterval.example
infile=siginterval.example.db.in
zonefile=siginterval.example.db
589 590 591
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cp "$infile" "$zonefile"
Evan Hunt's avatar
Evan Hunt committed
592 593 594 595 596 597 598 599 600

#
# A zone with a bad DS in the parent
# (sourced from bogus.example.db.in)
#
zone=badds.example.
infile=bogus.example.db.in
zonefile=badds.example.db

601
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
Evan Hunt's avatar
Evan Hunt committed
602

603
cat "$infile" "$keyname.key" > "$zonefile"
Evan Hunt's avatar
Evan Hunt committed
604

605
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
606
sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
607 608 609 610 611 612 613

#
# A zone with future signatures.
#
zone=future.example
infile=future.example.db.in
zonefile=future.example.db
614 615 616
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
617
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
618
cp -f "$kskname.key" trusted-future.key
619 620 621 622 623 624 625

#
# A zone with future signatures.
#
zone=managed-future.example
infile=managed-future.example.db.in
zonefile=managed-future.example.db
626 627 628
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
629
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
630 631 632 633 634 635 636 637

#
# A zone with a revoked key
#
zone=revkey.example.
infile=generic.example.db.in
zonefile=revkey.example.db

638 639 640 641
ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
ksk1=$("$REVOKE" "$ksk1")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
642

643
cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
644
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
645 646 647 648 649 650 651

#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
zone=dname-at-apex-nsec3.example
infile=dname-at-apex-nsec3.example.db.in
zonefile=dname-at-apex-nsec3.example.db
652 653 654 655

kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
656
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
657 658 659 660 661 662 663 664 665 666

#
# A NSEC zone with occuded data at the delegation
#
zone=occluded.example
infile=occluded.example.db.in
zonefile=occluded.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
667
keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
668 669 670
$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP"
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
    "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
671
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null