Commit aaaf8d4f authored by Mark Andrews's avatar Mark Andrews

3317. [func] Add ECDSA support (RFC 6605). [RT #21918]

parent c604bc89
3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
3316. [tuning] Improved locking performance when recursing. 3316. [tuning] Improved locking performance when recursing.
[RT #28836] [RT #28836]
......
...@@ -138,6 +138,9 @@ int sigwait(const unsigned int *set, int *sig); ...@@ -138,6 +138,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if OpenSSL includes DSA support */ /* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA #undef HAVE_OPENSSL_DSA
/* Define if OpenSSL includes ECDSA support */
#undef HAVE_OPENSSL_ECDSA
/* Define to the length type used by the socket API (socklen_t, size_t, int). */ /* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T #undef ISC_SOCKADDR_LEN_T
......
...@@ -55,7 +55,7 @@ Use SHA\-256 as the digest algorithm. ...@@ -55,7 +55,7 @@ Use SHA\-256 as the digest algorithm.
.RS 4 .RS 4
Select the digest algorithm. The value of Select the digest algorithm. The value of
\fBalgorithm\fR \fBalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive. must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
.RE .RE
.PP .PP
\-T \fITTL\fR \-T \fITTL\fR
......
...@@ -327,7 +327,7 @@ usage(void) { ...@@ -327,7 +327,7 @@ usage(void) {
fprintf(stderr, " -K <directory>: directory in which to find " fprintf(stderr, " -K <directory>: directory in which to find "
"key file or keyset file\n"); "key file or keyset file\n");
fprintf(stderr, " -a algorithm: digest algorithm " fprintf(stderr, " -a algorithm: digest algorithm "
"(SHA-1, SHA-256 or GOST)\n"); "(SHA-1, SHA-256, GOST or SHA-384)\n");
fprintf(stderr, " -1: use SHA-1\n"); fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n"); fprintf(stderr, " -2: use SHA-256\n");
fprintf(stderr, " -l: add lookaside zone and print DLV records\n"); fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
...@@ -450,6 +450,9 @@ main(int argc, char **argv) { ...@@ -450,6 +450,9 @@ main(int argc, char **argv) {
else if (strcasecmp(algname, "GOST") == 0) else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST; dtype = DNS_DSDIGEST_GOST;
#endif #endif
else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
dtype = DNS_DSDIGEST_SHA384;
else else
fatal("unknown algorithm %s", algname); fatal("unknown algorithm %s", algname);
} }
......
...@@ -110,7 +110,8 @@ ...@@ -110,7 +110,8 @@
<para> <para>
Select the digest algorithm. The value of Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1), <option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive. SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
......
...@@ -54,7 +54,8 @@ ...@@ -54,7 +54,8 @@
<dd><p> <dd><p>
Select the digest algorithm. The value of Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1), <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive. SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd> </p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt> <dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p> <dd><p>
......
...@@ -47,7 +47,7 @@ of the key is specified on the command line. This must match the name of the zon ...@@ -47,7 +47,7 @@ of the key is specified on the command line. This must match the name of the zon
.RS 4 .RS 4
Selects the cryptographic algorithm. The value of Selects the cryptographic algorithm. The value of
\fBalgorithm\fR \fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive. must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.
.sp .sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR \fB\-3\fR
......
...@@ -55,7 +55,8 @@ int verbose; ...@@ -55,7 +55,8 @@ int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |" " NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512 | ECCGOST"; " RSASHA256 | RSASHA512 | ECCGOST |"
" ECDSAP256SHA256 | ECDSAP384SHA384";
ISC_PLATFORM_NORETURN_PRE static void ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST; usage(void) ISC_PLATFORM_NORETURN_POST;
...@@ -378,7 +379,8 @@ main(int argc, char **argv) { ...@@ -378,7 +379,8 @@ main(int argc, char **argv) {
if (use_nsec3 && if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 && alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST) { alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
fatal("%s is incompatible with NSEC3; " fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname); "do not use the -3 option", algname);
} }
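Review bot: The NSEC3-compatibility test in the `if (use_nsec3 && ...)` block is a hand-maintained negative list that now has to be extended in two places for every new algorithm — here and in the matching block in dnssec-keygen.c's main — and the two copies already drift in formatting (`alg!= DST_ALG_RSASHA512` in the keygen copy). A shared predicate in the common dnssectool code, e.g. `isc_boolean_t alg_is_nsec3_capable(dns_secalg_t alg)`, would reduce both call sites to `if (use_nsec3 && !alg_is_nsec3_capable(alg))` and keep the next algorithm addition from missing one of them. The enclosing main starts and ends outside the hunk.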
......
...@@ -95,7 +95,8 @@ ...@@ -95,7 +95,8 @@
<para> <para>
Selects the cryptographic algorithm. The value of Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1, <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive. These values are case insensitive.
</para> </para>
<para> <para>
......
...@@ -51,7 +51,8 @@ ...@@ -51,7 +51,8 @@
<p> <p>
Selects the cryptographic algorithm. The value of Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive. These values are case insensitive.
</p> </p>
<p> <p>
......
...@@ -48,7 +48,7 @@ of the key is specified on the command line. For DNSSEC keys, this must match th ...@@ -48,7 +48,7 @@ of the key is specified on the command line. For DNSSEC keys, this must match th
.RS 4 .RS 4
Selects the cryptographic algorithm. For DNSSEC keys, the value of Selects the cryptographic algorithm. For DNSSEC keys, the value of
\fBalgorithm\fR \fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive. must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
.sp .sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR \fB\-3\fR
...@@ -63,7 +63,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the ...@@ -63,7 +63,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the
.PP .PP
\-b \fIkeysize\fR \-b \fIkeysize\fR
.RS 4 .RS 4
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.
.sp .sp
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the \fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
...@@ -81,7 +81,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a ...@@ -81,7 +81,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a
.PP .PP
\-3 \-3
.RS 4 .RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3\-capable. Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable.
.RE .RE
.PP .PP
\-C \-C
......
...@@ -85,6 +85,7 @@ usage(void) { ...@@ -85,6 +85,7 @@ usage(void) {
fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1" fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
" | NSEC3DSA |\n"); " | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n"); fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | " fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n"); "HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n"); fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
...@@ -102,6 +103,8 @@ usage(void) { ...@@ -102,6 +103,8 @@ usage(void) {
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible " fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
"by 64\n"); "by 64\n");
fprintf(stderr, " ECCGOST:\tignored\n"); fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n"); fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n"); fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n"); fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
...@@ -557,7 +560,8 @@ main(int argc, char **argv) { ...@@ -557,7 +560,8 @@ main(int argc, char **argv) {
if (use_nsec3 && if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 && alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST) { alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
fatal("%s is incompatible with NSEC3; " fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname); "do not use the -3 option", algname);
} }
...@@ -587,9 +591,11 @@ main(int argc, char **argv) { ...@@ -587,9 +591,11 @@ main(int argc, char **argv) {
size = 1024; size = 1024;
if (verbose > 0) if (verbose > 0)
fprintf(stderr, "key size not " fprintf(stderr, "key size not "
"specified; defaulting " "specified; defaulting"
"to %d\n", size); " to %d\n", size);
} else if (alg != DST_ALG_ECCGOST) } else if (alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 &&
alg != DST_ALG_ECDSA384)
fatal("key size not specified (-b option)"); fatal("key size not specified (-b option)");
} }
...@@ -718,6 +724,8 @@ main(int argc, char **argv) { ...@@ -718,6 +724,8 @@ main(int argc, char **argv) {
fatal("invalid DSS key size: %d", size); fatal("invalid DSS key size: %d", size);
break; break;
case DST_ALG_ECCGOST: case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
break; break;
case DST_ALG_HMACMD5: case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY; options |= DST_TYPE_KEY;
...@@ -783,7 +791,8 @@ main(int argc, char **argv) { ...@@ -783,7 +791,8 @@ main(int argc, char **argv) {
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 || if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 || alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST) && alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST ||
alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) &&
rsa_exp != 0) rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key"); fatal("specified RSA exponent for a non-RSA key");
...@@ -857,6 +866,8 @@ main(int argc, char **argv) { ...@@ -857,6 +866,8 @@ main(int argc, char **argv) {
case DNS_KEYALG_DSA: case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA: case DNS_KEYALG_NSEC3DSA:
case DST_ALG_ECCGOST: case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
show_progress = ISC_TRUE; show_progress = ISC_TRUE;
/* fall through */ /* fall through */
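Review bot: Adding DST_ALG_ECDSA256 and DST_ALG_ECDSA384 to the exemption list in the `rsa_exp` check (the `if (!(alg == DNS_KEYALG_RSAMD5 || ...` block) means `-e` given together with an ECDSA algorithm is no longer caught by `fatal("specified RSA exponent for a non-RSA key")`, even though that is exactly the case the message describes; DST_ALG_ECCGOST was already exempt, so this may be deliberate, but then the condition and the message no longer say what they enforce. Unless `-e` has a meaning for elliptic-curve keys that is not visible here, the two new `alg ==` terms in that condition should be dropped rather than added. Separately, `case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: break;` in the key-size switch silently discards a user-supplied `-b` value; the usage text does say "ignored", but a message under `verbose > 0` (as the defaulting branch above already prints) would make a mismatched size visible to the operator. The enclosing main starts and ends outside these hunks.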
......
...@@ -116,7 +116,8 @@ ...@@ -116,7 +116,8 @@
<para> <para>
Selects the cryptographic algorithm. For DNSSEC keys, the value Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1, of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
...@@ -150,7 +151,8 @@ ...@@ -150,7 +151,8 @@
between 512 and 2048 bits. Diffie Hellman keys must be between between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024 128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</para> </para>
<para> <para>
The key size does not need to be specified if using a default The key size does not need to be specified if using a default
...@@ -186,7 +188,8 @@ ...@@ -186,7 +188,8 @@
Use an NSEC3-capable algorithm to generate a DNSSEC key. Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable. are NSEC3-capable.
</para> </para>
</listitem> </listitem>
......
...@@ -53,7 +53,8 @@ ...@@ -53,7 +53,8 @@
<p> <p>
Selects the cryptographic algorithm. For DNSSEC keys, the value Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
...@@ -84,7 +85,8 @@ ...@@ -84,7 +85,8 @@
between 512 and 2048 bits. Diffie Hellman keys must be between between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024 128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p> </p>
<p> <p>
The key size does not need to be specified if using a default The key size does not need to be specified if using a default
...@@ -111,7 +113,8 @@ ...@@ -111,7 +113,8 @@
Use an NSEC3-capable algorithm to generate a DNSSEC key. Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable. are NSEC3-capable.
</p></dd> </p></dd>
<dt><span class="term">-C</span></dt> <dt><span class="term">-C</span></dt>
......
#!/bin/sh
#
# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id$
rm -f */K* */dsset-* */*.signed */trusted.conf
rm -f ns1/root.db
rm -f ns1/signer.err
rm -f dig.out*
rm -f random.data
rm -f */named.run
rm -f */named.memstats
/*
* Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db.signed";
};
include "trusted.conf";
; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id$
$TTL 300
. IN SOA fdupont.isc.org. a.root.servers.nil. (
2012040600 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
#!/bin/sh -e
#
# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id$
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=../random.data
zone=.
infile=root.db.in
zonefile=root.db
key1=`$KEYGEN -q -r $RANDFILE -a ECDSAP256SHA256 -n zone $zone`
key2=`$KEYGEN -q -r $RANDFILE -a ECDSAP384SHA384 -n zone -f KSK $zone`
$DSFROMKEY -a sha-384 $key2.key > dsset-384
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
# Configure the resolving server with a trusted key.
cat $key1.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
' > trusted.conf
cp trusted.conf ../ns2/trusted.conf
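Review bot: The signer line `$SIGNER ... 2> signer.err || cat signer.err` defeats the `-e` on the shebang: when dnssec-signzone fails, the `cat` branch exits 0 and the script carries on to build trusted.conf from keys that never signed the zone, so the failure only surfaces later in a less obvious form. Replace the tail with `|| { cat signer.err; exit 1; }` so the setup step fails where the error happens. Also, the trust anchor written to trusted.conf is taken from `$key1.key` (the ZSK) rather than the KSK `$key2` whose DS is emitted to dsset-384; this presumably relies on the ZSK also signing the DNSKEY RRset, so either a one-line comment stating that intent or anchoring on `$key2.key` to match the DS would make the test's trust chain explicit.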
/*
* Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";
#!/bin/sh -e
#
# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id$