Commit 3b7c849a authored by Matthijs Mekking

DLV tests unsupported/disabled algorithms

This tests both the case where the DLV trust anchor uses an
unsupported or disabled algorithm, and the case where the DLV zone
contains a key with an unsupported or disabled algorithm.
parent b85007e0
...@@ -16,6 +16,7 @@ rm -f ns1/dsset-* ...@@ -16,6 +16,7 @@ rm -f ns1/dsset-*
rm -f ns1/*.signed rm -f ns1/*.signed
rm -f ns1/signer.err rm -f ns1/signer.err
rm -f ns1/root.db rm -f ns1/root.db
rm -f ns1/trusted.conf
rm -f ns2/K* rm -f ns2/K*
rm -f ns2/dlvset-* rm -f ns2/dlvset-*
rm -f ns2/dsset-* rm -f ns2/dsset-*
...@@ -25,18 +26,19 @@ rm -f ns2/signer.err ...@@ -25,18 +26,19 @@ rm -f ns2/signer.err
rm -f ns2/druz.db rm -f ns2/druz.db
rm -f ns3/K* rm -f ns3/K*
rm -f ns3/*.db rm -f ns3/*.db
rm -f ns3/*.signed rm -f ns3/*.signed ns3/*.signed.tmp
rm -f ns3/dlvset-* rm -f ns3/dlvset-*
rm -f ns3/dsset-* rm -f ns3/dsset-*
rm -f ns3/keyset-* rm -f ns3/keyset-*
rm -f ns1/trusted.conf ns5/trusted.conf rm -f ns3/trusted*.conf
rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
rm -f ns3/signer.err rm -f ns3/signer.err
rm -f ns5/trusted*.conf
rm -f ns6/K* rm -f ns6/K*
rm -f ns6/*.db rm -f ns6/*.db
rm -f ns6/*.signed rm -f ns6/*.signed
rm -f ns6/dsset-* rm -f ns6/dsset-*
rm -f ns6/signer.err rm -f ns6/signer.err
rm -f ns7/trusted*.conf ns8/trusted*.conf
rm -f */named.memstats rm -f */named.memstats
rm -f dig.out.ns*.test* rm -f dig.out.ns*.test*
rm -f ns*/named.lock rm -f ns*/named.lock
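--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -13,7 +13,14 @@ $TTL 120
 @ NS ns.rootservers.utld
 ns A 10.53.0.1
 ;
+; A zone that is unsigned (utld=unsigned tld) that will include a second level
+; zone that acts as a DLV.
+;
 utld NS ns.utld
 ns.utld A 10.53.0.2
+;
+; A zone that has a bad DNSKEY RRset but has good DLV records for its child
+; zones.
+;
 druz NS ns.druz
 ns.druz A 10.53.0.2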
...@@ -34,3 +34,5 @@ echo_i "signed $zone" ...@@ -34,3 +34,5 @@ echo_i "signed $zone"
keyfile_to_trusted_keys $keyname2 > trusted.conf keyfile_to_trusted_keys $keyname2 > trusted.conf
cp trusted.conf ../ns5 cp trusted.conf ../ns5
cp trusted.conf ../ns7
cp trusted.conf ../ns8
...@@ -21,6 +21,17 @@ options { ...@@ -21,6 +21,17 @@ options {
notify yes; notify yes;
}; };
/* Root hints. */
zone "." { type hint; file "hints"; }; zone "." { type hint; file "hints"; };
/*
* A zone that is unsigned (utld=unsigned tld) that will include a second level
* zone that acts as a DLV.
*/
zone "utld" { type master; file "utld.db"; }; zone "utld" { type master; file "utld.db"; };
/*
* A zone that has a bad DNSKEY RRset but has good DLV records for its child
* zones.
*/
zone "druz" { type master; file "druz.signed"; }; zone "druz" { type master; file "druz.signed"; };
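--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -18,6 +18,12 @@ ns.rootservers A 10.53.0.1
 dlv NS ns.dlv
 ns.dlv A 10.53.0.3
 ;
+disabled-algorithm-dlv NS ns.disabled-algorithm-dlv
+ns.disabled-algorithm-dlv A 10.53.0.3
+;
+unsupported-algorithm-dlv NS ns.unsupported-algorithm-dlv
+ns.unsupported-algorithm-dlv A 10.53.0.3
+;
 child1 NS ns.child1
 ns.child1 A 10.53.0.3
 ;
@@ -47,3 +53,9 @@ ns.child9 A 10.53.0.3
 ;
 child10 NS ns.child10
 ns.child10 A 10.53.0.3
+;
+disabled-algorithm NS ns.disabled-algorithm
+ns.disabled-algorithm A 10.53.0.3
+;
+unsupported-algorithm NS ns.unsupported-algorithm
+ns.unsupported-algorithm A 10.53.0.3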
...@@ -21,21 +21,121 @@ options { ...@@ -21,21 +21,121 @@ options {
notify yes; notify yes;
}; };
/* Root hints. */
zone "." { type hint; file "hints"; }; zone "." { type hint; file "hints"; };
zone "dlv.utld" { type master; file "dlv.signed"; };
zone "child1.utld" { type master; file "child1.signed"; }; // dlv /* DLV zone below unsigned TLD. */
zone "child3.utld" { type master; file "child3.signed"; }; // dlv zone "dlv.utld" { type master; file "dlv.utld.signed"; };
zone "child4.utld" { type master; file "child4.signed"; }; // dlv
zone "child5.utld" { type master; file "child5.signed"; }; // dlv /* DLV zone signed with a disabled algorithm below unsigned TLD. */
zone "child7.utld" { type master; file "child7.signed"; }; // no dlv zone "disabled-algorithm-dlv.utld." {
zone "child8.utld" { type master; file "child8.signed"; }; // no dlv type master;
zone "child9.utld" { type master; file "child9.signed"; }; // dlv file "disabled-algorithm-dlv.utld.signed";
zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned };
zone "child1.druz" { type master; file "child1.druz.signed"; }; // dlv
zone "child3.druz" { type master; file "child3.druz.signed"; }; // dlv /* DLV zone signed with an unsupported algorithm below unsigned TLD. */
zone "child4.druz" { type master; file "child4.druz.signed"; }; // dlv zone "unsupported-algorithm-dlv.utld." {
zone "child5.druz" { type master; file "child5.druz.signed"; }; // dlv type master;
zone "child7.druz" { type master; file "child7.druz.signed"; }; // no dlv file "unsupported-algorithm-dlv.utld.signed";
zone "child8.druz" { type master; file "child8.druz.signed"; }; // no dlv };
zone "child9.druz" { type master; file "child9.druz.signed"; }; // dlv
zone "child10.druz" { type master; file "child.db.in"; }; // dlv unsigned /* Signed zone below unsigned TLD with DLV entry. */
zone "child1.utld" { type master; file "child1.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
* with a disabled algorithm.
*/
zone "child3.utld" { type master; file "child3.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry. This one is slightly
* different because its children (the grandchildren) don't have a DS record in
* this zone. The grandchild zones are served by ns6.
*
*/
zone "child4.utld" { type master; file "child4.signed"; };
/*
* Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
* with an unsupported algorithm.
*/
zone "child5.utld" { type master; file "child5.signed"; };
/* Signed zone below unsigned TLD without DLV entry. */
zone "child7.utld" { type master; file "child7.signed"; };
/*
* Signed zone below unsigned TLD without DLV entry and no DS records for the
* grandchildren.
*/
zone "child8.utld" { type master; file "child8.signed"; };
/* Signed zone below unsigned TLD with DLV entry. */
zone "child9.utld" { type master; file "child9.signed"; };
/* Unsigned zone below an unsigned TLD with DLV entry. */
zone "child10.utld" { type master; file "child.db.in"; };
/*
* Zone signed with a disabled algorithm (an algorithm that is disabled in
* one of the test resolvers) with DLV entry.
*/
zone "disabled-algorithm.utld" {
type master;
file "disabled-algorithm.utld.signed";
};
/* Zone signed with an unsupported algorithm with DLV entry. */
zone "unsupported-algorithm.utld" {
type master;
file "unsupported-algorithm.utld.signed";
};
/*
* Signed zone below signed TLD with good DLV entry but no chain of
* trust.
*/
zone "child1.druz" { type master; file "child1.druz.signed"; };
/*
* Signed zone below signed TLD with good DLV entry but no chain of
* trust. The DLV zone is signed with a disabled algorithm.
*/
zone "child3.druz" { type master; file "child3.druz.signed"; };
/*
* Signed zone below signed TLD with good DLV entry but no chain of
* trust. Also there are no DS records for the grandchildren.
*/
zone "child4.druz" { type master; file "child4.druz.signed"; };
/*
* Signed zone below signed TLD with good DLV entry but no chain of
* trust. The DLV zone is signed with an unsupported algorithm.
*/
zone "child5.druz" { type master; file "child5.druz.signed"; };
/*
* Signed zone below signed TLD without DLV entry, and no chain of
* trust.
*/
zone "child7.druz" { type master; file "child7.druz.signed"; };
/*
* Signed zone below signed TLD without DLV entry and no DS set. Also DS
* records for the grandchildren are not included in the zone.
*/
zone "child8.druz" { type master; file "child8.druz.signed"; };
/*
* Signed zone below signed TLD with good DLV entry but no DS set. Also DS
* records for the grandchildren are not included in the zone.
*/
zone "child9.druz" { type master; file "child9.druz.signed"; };
/*
* Unsigned zone below signed TLD with good DLV entry but no chain of
* trust.
*/
zone "child10.druz" { type master; file "child.db.in"; };
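Review bot: The two new DLV zone statements are written with a trailing dot (`zone "disabled-algorithm-dlv.utld." {` and `zone "unsupported-algorithm-dlv.utld." {`) while every other zone name in this file, including the neighbouring `dlv.utld`, `disabled-algorithm.utld` and `unsupported-algorithm.utld`, omits it; the mixed style is harmless to named but reads as if the two were meant to differ, so drop the dots for consistency: `zone "disabled-algorithm-dlv.utld" {` and `zone "unsupported-algorithm-dlv.utld" {`. The rendered hunk interleaves the removed old-file lines with the new ones from the `dlv.utld` statement onward, so the old and new sides of those lines cannot be separated here and the rest of the file is not visible.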
...@@ -16,10 +16,19 @@ SYSTEMTESTTOP=../.. ...@@ -16,10 +16,19 @@ SYSTEMTESTTOP=../..
echo_i "dlv/ns3/sign.sh" echo_i "dlv/ns3/sign.sh"
dlvzone=dlv.utld. dlvzone="dlv.utld."
dlvsets= dlvsets=
dssets= dssets=
disableddlvzone="disabled-algorithm-dlv.utld."
disableddlvsets=
disableddssets=
unsupporteddlvzone="unsupported-algorithm-dlv.utld."
unsupporteddlvsets=
unsupporteddssets=
# Signed zone below unsigned TLD with DLV entry.
zone=child1.utld. zone=child1.utld.
infile=child.db.in infile=child.db.in
zonefile=child1.utld.db zonefile=child1.utld.db
...@@ -32,15 +41,17 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -32,15 +41,17 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
# with a disabled algorithm.
zone=child3.utld. zone=child3.utld.
infile=child.db.in infile=child.db.in
zonefile=child3.utld.db zonefile=child3.utld.db
outfile=child3.signed outfile=child3.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" disableddlvsets="$disableddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
...@@ -48,10 +59,13 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -48,10 +59,13 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below unsigned TLD with DLV entry. This one is slightly
# different because its children (the grandchildren) don't have a DS record in
# this zone. The grandchild zones are served by ns6.
zone=child4.utld. zone=child4.utld.
infile=child.db.in infile=child.db.in
zonefile=child4.utld.db zonefile=child4.utld.db
...@@ -63,15 +77,17 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -63,15 +77,17 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below unsigned TLD with DLV entry in DLV zone that is signed
# with an unsupported algorithm.
zone=child5.utld. zone=child5.utld.
infile=child.db.in infile=child.db.in
zonefile=child5.utld.db zonefile=child5.utld.db
outfile=child5.signed outfile=child5.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
...@@ -79,10 +95,10 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -79,10 +95,10 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below unsigned TLD without DLV entry.
zone=child7.utld. zone=child7.utld.
infile=child.db.in infile=child.db.in
zonefile=child7.utld.db zonefile=child7.utld.db
...@@ -94,10 +110,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -94,10 +110,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below unsigned TLD without DLV entry and no DS records for the
# grandchildren.
zone=child8.utld. zone=child8.utld.
infile=child.db.in infile=child.db.in
zonefile=child8.utld.db zonefile=child8.utld.db
...@@ -108,10 +126,10 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -108,10 +126,10 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below unsigned TLD with DLV entry.
zone=child9.utld. zone=child9.utld.
infile=child.db.in infile=child.db.in
zonefile=child9.utld.db zonefile=child9.utld.db
...@@ -123,9 +141,11 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -123,9 +141,11 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Unsigned zone below an unsigned TLD with DLV entry. We still need to sign
# the zone to generate the DLV set.
zone=child10.utld. zone=child10.utld.
infile=child.db.in infile=child.db.in
zonefile=child10.utld.db zonefile=child10.utld.db
...@@ -137,9 +157,50 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -137,9 +157,50 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
# Zone signed with a disabled algorithm (an algorithm that is disabled in
# one of the test resolvers) with DLV entry.
zone=disabled-algorithm.utld.
infile=child.db.in
zonefile=disabled-algorithm.utld.db
outfile=disabled-algorithm.utld.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DISABLED_ALGORITHM -b $DISABLED_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f ${outfile} $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Zone signed with an unsupported algorithm with DLV entry.
zone=unsupported-algorithm.utld.
infile=child.db.in
zonefile=unsupported-algorithm.utld.db
outfile=unsupported-algorithm.utld.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -O full -l $dlvzone -o $zone -f ${outfile}.tmp $zonefile > /dev/null 2> signer.err || cat signer.err
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${outfile}.tmp > $outfile
cp ${keyname2}.key ${keyname2}.tmp
awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
cp dlvset-${zone} dlvset-${zone}tmp
awk '$3 == "DLV" { $5 = 255 } { print }' dlvset-${zone}tmp > dlvset-${zone}
echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry and DS set.
zone=child1.druz. zone=child1.druz.
infile=child.db.in infile=child.db.in
zonefile=child1.druz.db zonefile=child1.druz.db
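Review bot: The three awk rewrites in the unsupported-algorithm block (`$7 = 255` on DNSKEY and `$6 = 255` on RRSIG in the signed zone, `$6 = 255` in the KSK key file, `$5 = 255` in the DLV set) rely on two facts the code does not state: `-O full` emits one RR per line so the algorithm sits at a fixed field, and 255 is a reserved algorithm number in the IANA DNSSEC registry so no resolver can support it, which deserves a comment above the first awk such as `# -O full keeps each RR on one line; rewrite the algorithm to 255 (reserved, hence unsupported) in the DNSKEY/RRSIG RRs, the KSK key file and the DLV set.`. The key tag and digest left in the DLV record were computed from the original DNSKEY RDATA and no longer correspond to the rewritten key; that is presumably intended, since a validator should stop at the unsupported algorithm before comparing digests, but one sentence saying so would save the next reader the question. The `$DISABLED_ALGORITHM` and `$DISABLED_BITS` variables used by the disabled-algorithm block are not set in this file and are presumably exported by the test harness; a comment naming their origin would help. The `echo_i "signed $zone"` for child10.utld and the start of the child1.druz block continue outside this hunk.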
...@@ -153,16 +214,18 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -153,16 +214,18 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
# signed with a disabled algorithm.
zone=child3.druz. zone=child3.druz.
infile=child.db.in infile=child.db.in
zonefile=child3.druz.db zonefile=child3.druz.db
outfile=child3.druz.signed outfile=child3.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" disableddlvsets="$disableddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" disableddssets="$disableddssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
...@@ -170,10 +233,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -170,10 +233,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $disableddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry and DS set, but missing
# DS records for the grandchildren.
zone=child4.druz. zone=child4.druz.
infile=child.db.in infile=child.db.in
zonefile=child4.druz.db zonefile=child4.druz.db
...@@ -186,16 +251,18 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -186,16 +251,18 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below signed TLD with DLV entry and DS set. The DLV zone is
# signed with an unsupported algorithm algorithm.
zone=child5.druz. zone=child5.druz.
infile=child.db.in infile=child.db.in
zonefile=child5.druz.db zonefile=child5.druz.db
outfile=child5.druz.signed outfile=child5.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" unsupporteddlvsets="$unsupporteddlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" unsupporteddssets="$unsupportedssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
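Review bot: The `dssets` append in the child5.druz block expands `$unsupportedssets` (one `d`) instead of `$unsupporteddssets`, so the right-hand side always starts from the empty string and any value accumulated earlier in `unsupporteddssets` would be silently dropped; it only works today because this is the first append after the variable is initialised. Change it to `unsupporteddssets="$unsupporteddssets dsset-…"` with the rest of the line unchanged. If the script is not run under `set -u` (the header is outside this hunk) the misspelling is invisible at runtime; shellcheck reports it as an unassigned variable. The block comment above it also doubles a word, `# signed with an unsupported algorithm algorithm.`, which should read `# signed with an unsupported algorithm.`.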
...@@ -203,10 +270,11 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -203,10 +270,11 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $unsupporteddlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below signed TLD without DLV entry, but with normal DS set.
zone=child7.druz. zone=child7.druz.
infile=child.db.in infile=child.db.in
zonefile=child7.druz.db zonefile=child7.druz.db
...@@ -219,10 +287,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -219,10 +287,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"
# Signed zone below signed TLD without DLV entry and no DS set. Also DS
# records for the grandchildren are not included in the zone.
zone=child8.druz. zone=child8.druz.
infile=child.db.in infile=child.db.in
zonefile=child8.druz.db zonefile=child8.druz.db
...@@ -233,10 +303,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> ...@@ -233,10 +303,12 @@ keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2>
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err $SIGNER -O full -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone" echo_i "signed $zone"