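#!/bin/sh
#
# Copyright (C) 2004, 2006-2011  Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003  Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id: sign.sh,v 1.49 2011/03/21 20:31:22 marka Exp $

#
# Generate keys and sign the zones served by this test name server.
#
# Uses KEYGEN, SIGNER and CHECKZONE from ../../conf.sh, reads the *.db.in
# templates and ../random.data, and writes key files, *.db, *.db.signed
# and dsset-/dlvset- files into the current directory.  ../ns3/sign.sh is
# run first so that its dsset- files can be copied in.
#
# The key sizes and algorithms below (768-bit DSA, RSAMD5, ...) are test
# fixtures for the dnssec system test, not a recommended configuration.
#

# Abort on the first failing command.  "-e" used to be given only in the
# shebang, which is ignored when the script is started as "sh sign.sh" --
# the same way this script starts ../ns3/sign.sh -- so it must be set here.
set -e

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

# KEYGEN, SIGNER and CHECKZONE are deliberately left unquoted below so
# that any options conf.sh packs into them keep word-splitting as before.

RANDFILE=../random.data

zone=example.
infile=example.db.in
zonefile=example.db

# Have the child generate a zone key and pass it to us.
( cd ../ns3 && sh sign.sh )

# Copy in the DS sets ns3 just produced for every delegated subdomain.
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
    optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
    auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec \
    split-smart
do
	cp "../ns3/dsset-$subdomain.example." .
done

keyname1=$($KEYGEN -q -r "$RANDFILE" -a DSA -b 768 -n zone "$zone")
keyname2=$($KEYGEN -q -r "$RANDFILE" -a DSA -b 768 -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

$SIGNER -P -g -r "$RANDFILE" -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

#
# Deliberately corrupt the RRSIGs over bad-cname.example./CNAME and
# bad-dname.example./DNAME: lower/uppercase the signature bits with the
# exception of the last characters, because changing the last 4 characters
# will lead to a bad base64 encoding.  The signed file is rewritten in
# place via a temporary "++" file so a failed pipeline leaves it untouched.
#
$CHECKZONE -D -q -i local "$zone" "$zonefile.signed" |
awk '
(tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME") ||
(tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME") {
	for (i = 1; i <= NF; i++) {
		# The first 12 fields (owner through signer name) pass through.
		if (i <= 12) {
			printf("%s ", $i);
			continue;
		}
		# NOTE(review): substr(s, length - 4, 4) covers characters
		# length-4 .. length-1, so the final character is dropped and
		# the character before the suffix is emitted twice.  Left as is
		# because the fixture only needs to be invalid; length - 3 would
		# keep the last 4 characters intact as the comment above says.
		prefix = substr($i, 1, length($i) - 4);
		suffix = substr($i, length($i) - 4, 4);
		# Lowercase when there is something to lowercase, else uppercase,
		# so at least one character of the signature always changes.
		if (tolower(prefix) != prefix)
			printf("%s%s", tolower(prefix), suffix);
		else if (toupper(prefix) != prefix)
			printf("%s%s", toupper(prefix), suffix);
		else
			printf("%s%s ", prefix, suffix);
	}
	printf("\n");
	next;
}

{ print; }' > "$zonefile.signed++" && mv "$zonefile.signed++" "$zonefile.signed"


# Sign the privately secure file

privzone=private.secure.example.
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db

privkeyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$privzone")

cat "$privinfile" "$privkeyname.key" > "$privzonefile"

# "-l dlv" is what the dlv. zone below relies on for its dlvset-$privzone
# input; nothing else in this script produces that file.
$SIGNER -P -g -r "$RANDFILE" -o "$privzone" -l dlv "$privzonefile" > /dev/null

# Sign the DLV secure zone.

dlvzone=dlv.
dlvinfile=dlv.db.in
dlvzonefile=dlv.db

dlvkeyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$dlvzone")

cat "$dlvinfile" "$dlvkeyname.key" "dlvset-$privzone" > "$dlvzonefile"

$SIGNER -P -g -r "$RANDFILE" -o "$dlvzone" "$dlvzonefile" > /dev/null

# Sign the badparam secure file

zone=badparam.
infile=badparam.db.in
zonefile=badparam.db

keyname1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone -f KSK "$zone")
keyname2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

$SIGNER -P -3 - -H 1 -g -r "$RANDFILE" -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

# Make a copy whose NSEC3 records claim 10 iterations although the chain was
# generated with 1 (-H 1); the pattern does not touch the NSEC3PARAM record.
sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"

# Sign the single-nsec3 secure zone with optout

zone=single-nsec3.
infile=single-nsec3.db.in
zonefile=single-nsec3.db

keyname1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone -f KSK "$zone")
keyname2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

$SIGNER -P -3 - -A -H 1 -g -r "$RANDFILE" -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

#
# algroll has just has the old DNSKEY records removed and is waiting
# for them to be flushed from caches.  We still need to generate
# RRSIGs for the old DNSKEY.
#
zone=algroll.
infile=algroll.db.in
zonefile=algroll.db

keyold1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 1024 -n zone -fk "$zone")
keyold2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 1024 -n zone "$zone")
keynew1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone -fk "$zone")
keynew2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone "$zone")

# Only the new DNSKEYs go into the zone file; the old keys are still handed
# to the signer so that signatures made with them are produced.
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null

#
# Make a zone big enough that it takes several seconds to generate a new
# nsec3 chain.
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat > "$zonefile" << 'EOF'
$TTL 10
@	10	SOA	ns2 hostmaster 0 3600 1200 864000 1200
@	10	NS	ns2
@	10	NS	ns3
ns2	10	A	10.53.0.2
ns3	10	A	10.53.0.3
EOF
# Append 300 delegations (host0 .. host299) as filler.
awk 'END { for (i = 0; i < 300; i++)
	print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> "$zonefile"
key1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
$SIGNER -P -3 - -A -H 1 -g -r "$RANDFILE" -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null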