Commit dd7d1df8 authored by Mukund Sivaraman's avatar Mukund Sivaraman

Increase minimum RSA keygen size to 1024 bits (#36895)

parent f5c39b07
4595. [func] dnssec-keygen will no longer generate RSA keys
less than 1024 bits in length. dnssec-keymgr
was similarly updated. [RT #36895]
4594. [func] "dnstap-read -x" prints a hex dump of the wire 4594. [func] "dnstap-read -x" prints a hex dump of the wire
format of each logged DNS message. [RT #44816] format of each logged DNS message. [RT #44816]
......
...@@ -89,10 +89,10 @@ usage(void) { ...@@ -89,10 +89,10 @@ usage(void) {
"NSEC3RSASHA1 if using -3)\n"); "NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n"); fprintf(stderr, " -b <key size in bits>:\n");
fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA); fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA); fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA); fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n"); fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n"); fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
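Review bot: The usage text now prints `[1024..%d]` with MAX_RSA as the upper bound for every RSA variant, but the documentation hunk in the same commit states RSA keys must be between 1024 and 2048 bits while the dnssec-keymgr policy table allows up to 4096, so three different places now describe the RSA range and at most one of them can match what MAX_RSA actually is; its value is not visible here, so please confirm which is right and align the other two. If MAX_RSA is 4096, the docbook sentence should read `between 1024 and 4096 bits`; if it is 2048, the keymgr policy entries should be `[1024, 2048]`. The enclosing usage() function starts and ends outside this hunk.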
...@@ -748,7 +748,7 @@ main(int argc, char **argv) { ...@@ -748,7 +748,7 @@ main(int argc, char **argv) {
case DNS_KEYALG_RSASHA1: case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1: case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256: case DNS_KEYALG_RSASHA256:
if (size != 0 && (size < 512 || size > MAX_RSA)) if (size != 0 && (size < 1024 || size > MAX_RSA))
fatal("RSA key size %d out of range", size); fatal("RSA key size %d out of range", size);
break; break;
case DNS_KEYALG_RSASHA512: case DNS_KEYALG_RSASHA512:
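Review bot: The `size != 0 &&` guard on the changed condition means a size of 0 (presumably "use the default", assigned somewhere outside this hunk) is never checked against the new 1024-bit floor, so the default could still be weaker than what `-b` now accepts; please confirm the default RSA size main() picks is at least 1024 and, if it is computed later, that it goes through the same bound. A short comment on the guard would make the intent explicit, e.g. `/* size == 0 selects the default, which must itself satisfy the 1024-bit minimum */`. The RSAMD5 case and the rest of main() lie outside the hunk, so I cannot see whether RSAMD5 shares this check.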
......
...@@ -144,7 +144,7 @@ ...@@ -144,7 +144,7 @@
<para> <para>
Specifies the number of bits in the key. The choice of key Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between between 1024 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024 128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need between 1 and 512 bits. Elliptic curve algorithms don't need
......
...@@ -131,11 +131,11 @@ class Policy: ...@@ -131,11 +131,11 @@ class Policy:
directory = None directory = None
valid_key_sz_per_algo = {'DSA': [512, 1024], valid_key_sz_per_algo = {'DSA': [512, 1024],
'NSEC3DSA': [512, 1024], 'NSEC3DSA': [512, 1024],
'RSAMD5': [512, 4096], 'RSAMD5': [1024, 4096],
'RSASHA1': [512, 4096], 'RSASHA1': [1024, 4096],
'NSEC3RSASHA1': [512, 4096], 'NSEC3RSASHA1': [512, 4096],
'RSASHA256': [512, 4096], 'RSASHA256': [1024, 4096],
'RSASHA512': [512, 4096], 'RSASHA512': [1024, 4096],
'ECCGOST': None, 'ECCGOST': None,
'ECDSAP256SHA256': None, 'ECDSAP256SHA256': None,
'ECDSAP384SHA384': None} 'ECDSAP384SHA384': None}
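Review bot: `'NSEC3RSASHA1': [512, 4096]` is left unchanged while the other RSA entries move to 1024, yet the dnssec-keygen hunk in this commit applies the new `size < 1024` check to DNS_KEYALG_NSEC3RSASHA1 and the usage text advertises `[1024..]` for it, so keymgr will accept a policy that keygen then rejects with "RSA key size out of range". The entry should be `'NSEC3RSASHA1': [1024, 4096],` to keep the two tools consistent. The Policy class starts outside the hunk.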
......
...@@ -11,7 +11,7 @@ SYSTEMTESTTOP=.. ...@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
. ./clean.sh . ./clean.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
echo "I:generating keys and preparing zones" echo "I:generating keys and preparing zones"
cd ns1 && $SHELL keygen.sh cd ns1 && $SHELL keygen.sh
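Review bot: The `$GENRANDOM 400` to `800` bump is not explained anywhere in the script or the commit message; it looks like the larger RSA keys now generated by ns1/keygen.sh draw more from the random-data file, but a reader of the test has no way to link the two. A one-line comment above the `test -r $RANDFILE` line would record the reason, e.g. `# 800 rather than 400: the 1024-bit RSA keygen below needs more random data`. The same unexplained bump appears in the other setup.sh hunks of this commit (the ones ending at L63, L80, L85, L89, L242, L273 and L278); one comment per file, or a shared value in conf.sh, would avoid repeating the magic number.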
...@@ -9,6 +9,6 @@ ...@@ -9,6 +9,6 @@
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
(cd ns1 && $SHELL -e sign.sh) (cd ns1 && $SHELL -e sign.sh)
...@@ -13,7 +13,7 @@ zone=dlv.isc.org ...@@ -13,7 +13,7 @@ zone=dlv.isc.org
infile=dlv.isc.org.db.in infile=dlv.isc.org.db.in
zonefile=dlv.isc.org.db zonefile=dlv.isc.org.db
dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $dlvkey.key > $zonefile cat $infile $dlvkey.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
...@@ -21,7 +21,7 @@ zone=. ...@@ -21,7 +21,7 @@ zone=.
infile=root.db.in infile=root.db.in
zonefile=root.db zonefile=root.db
rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $rootkey.key > $zonefile cat $infile $rootkey.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
......
...@@ -11,6 +11,6 @@ SYSTEMTESTTOP=.. ...@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..
$SHELL clean.sh $SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
cd ns1 && $SHELL sign.sh cd ns1 && $SHELL sign.sh
...@@ -9,6 +9,6 @@ ...@@ -9,6 +9,6 @@
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
...@@ -11,6 +11,6 @@ SYSTEMTESTTOP=.. ...@@ -11,6 +11,6 @@ SYSTEMTESTTOP=..
$SHELL clean.sh $SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
cd ns1 && $SHELL sign.sh cd ns1 && $SHELL sign.sh
...@@ -24,7 +24,7 @@ cp ../ns2/dsset-in-addr.arpa$TP . ...@@ -24,7 +24,7 @@ cp ../ns2/dsset-in-addr.arpa$TP .
grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
cp ../ns6/dsset-optout-tld$TP . cp ../ns6/dsset-optout-tld$TP .
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $keyname.key > $zonefile cat $infile $keyname.key > $zonefile
......
...@@ -98,7 +98,7 @@ privzone=private.secure.example. ...@@ -98,7 +98,7 @@ privzone=private.secure.example.
privinfile=private.secure.example.db.in privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db privzonefile=private.secure.example.db
privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone` privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $privzone`
cat $privinfile $privkeyname.key >$privzonefile cat $privinfile $privkeyname.key >$privzonefile
...@@ -112,7 +112,7 @@ dlvinfile=dlv.db.in ...@@ -112,7 +112,7 @@ dlvinfile=dlv.db.in
dlvzonefile=dlv.db dlvzonefile=dlv.db
dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP
dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $dlvzone`
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
......
...@@ -13,9 +13,9 @@ zone=secure.example. ...@@ -13,9 +13,9 @@ zone=secure.example.
infile=secure.example.db.in infile=secure.example.db.in
zonefile=secure.example.db zonefile=secure.example.db
cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone` cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host cnameandkey.$zone`
dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone` dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host dnameandkey.$zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile
...@@ -25,7 +25,7 @@ zone=bogus.example. ...@@ -25,7 +25,7 @@ zone=bogus.example.
infile=bogus.example.db.in infile=bogus.example.db.in
zonefile=bogus.example.db zonefile=bogus.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -35,7 +35,7 @@ zone=dynamic.example. ...@@ -35,7 +35,7 @@ zone=dynamic.example.
infile=dynamic.example.db.in infile=dynamic.example.db.in
zonefile=dynamic.example.db zonefile=dynamic.example.db
keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
...@@ -46,7 +46,7 @@ zone=keyless.example. ...@@ -46,7 +46,7 @@ zone=keyless.example.
infile=generic.example.db.in infile=generic.example.db.in
zonefile=keyless.example.db zonefile=keyless.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -66,7 +66,7 @@ zone=secure.nsec3.example. ...@@ -66,7 +66,7 @@ zone=secure.nsec3.example.
infile=secure.nsec3.example.db.in infile=secure.nsec3.example.db.in
zonefile=secure.nsec3.example.db zonefile=secure.nsec3.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -79,7 +79,7 @@ zone=nsec3.nsec3.example. ...@@ -79,7 +79,7 @@ zone=nsec3.nsec3.example.
infile=nsec3.nsec3.example.db.in infile=nsec3.nsec3.example.db.in
zonefile=nsec3.nsec3.example.db zonefile=nsec3.nsec3.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -92,7 +92,7 @@ zone=optout.nsec3.example. ...@@ -92,7 +92,7 @@ zone=optout.nsec3.example.
infile=optout.nsec3.example.db.in infile=optout.nsec3.example.db.in
zonefile=optout.nsec3.example.db zonefile=optout.nsec3.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -105,7 +105,7 @@ zone=nsec3.example. ...@@ -105,7 +105,7 @@ zone=nsec3.example.
infile=nsec3.example.db.in infile=nsec3.example.db.in
zonefile=nsec3.example.db zonefile=nsec3.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -118,7 +118,7 @@ zone=secure.optout.example. ...@@ -118,7 +118,7 @@ zone=secure.optout.example.
infile=secure.optout.example.db.in infile=secure.optout.example.db.in
zonefile=secure.optout.example.db zonefile=secure.optout.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -131,7 +131,7 @@ zone=nsec3.optout.example. ...@@ -131,7 +131,7 @@ zone=nsec3.optout.example.
infile=nsec3.optout.example.db.in infile=nsec3.optout.example.db.in
zonefile=nsec3.optout.example.db zonefile=nsec3.optout.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -144,7 +144,7 @@ zone=optout.optout.example. ...@@ -144,7 +144,7 @@ zone=optout.optout.example.
infile=optout.optout.example.db.in infile=optout.optout.example.db.in
zonefile=optout.optout.example.db zonefile=optout.optout.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -157,7 +157,7 @@ zone=optout.example. ...@@ -157,7 +157,7 @@ zone=optout.example.
infile=optout.example.db.in infile=optout.example.db.in
zonefile=optout.example.db zonefile=optout.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -170,7 +170,7 @@ zone=nsec3-unknown.example. ...@@ -170,7 +170,7 @@ zone=nsec3-unknown.example.
infile=nsec3-unknown.example.db.in infile=nsec3-unknown.example.db.in
zonefile=nsec3-unknown.example.db zonefile=nsec3-unknown.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -183,7 +183,7 @@ zone=optout-unknown.example. ...@@ -183,7 +183,7 @@ zone=optout-unknown.example.
infile=optout-unknown.example.db.in infile=optout-unknown.example.db.in
zonefile=optout-unknown.example.db zonefile=optout-unknown.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -197,7 +197,7 @@ zone=dnskey-unknown.example. ...@@ -197,7 +197,7 @@ zone=dnskey-unknown.example.
infile=dnskey-unknown.example.db.in infile=dnskey-unknown.example.db.in
zonefile=dnskey-unknown.example.db zonefile=dnskey-unknown.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -216,7 +216,7 @@ zone=dnskey-nsec3-unknown.example. ...@@ -216,7 +216,7 @@ zone=dnskey-nsec3-unknown.example.
infile=dnskey-nsec3-unknown.example.db.in infile=dnskey-nsec3-unknown.example.db.in
zonefile=dnskey-nsec3-unknown.example.db zonefile=dnskey-nsec3-unknown.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -234,7 +234,7 @@ zone=multiple.example. ...@@ -234,7 +234,7 @@ zone=multiple.example.
infile=multiple.example.db.in infile=multiple.example.db.in
zonefile=multiple.example.db zonefile=multiple.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -257,7 +257,7 @@ zone=rsasha256.example. ...@@ -257,7 +257,7 @@ zone=rsasha256.example.
infile=rsasha256.example.db.in infile=rsasha256.example.db.in
zonefile=rsasha256.example.db zonefile=rsasha256.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
...@@ -362,7 +362,7 @@ zonefile=ttlpatch.example.db ...@@ -362,7 +362,7 @@ zonefile=ttlpatch.example.db
signedfile=ttlpatch.example.db.signed signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched patchedfile=ttlpatch.example.db.patched
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1 $SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
...@@ -377,7 +377,7 @@ infile=split-dnssec.example.db.in ...@@ -377,7 +377,7 @@ infile=split-dnssec.example.db.in
zonefile=split-dnssec.example.db zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed signedfile=split-dnssec.example.db.signed
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile : > $signedfile
...@@ -391,7 +391,7 @@ infile=split-smart.example.db.in ...@@ -391,7 +391,7 @@ infile=split-smart.example.db.in
zonefile=split-smart.example.db zonefile=split-smart.example.db
signedfile=split-smart.example.db.signed signedfile=split-smart.example.db.signed
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cp $infile $zonefile cp $infile $zonefile
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile : > $signedfile
...@@ -495,7 +495,7 @@ zone=badds.example. ...@@ -495,7 +495,7 @@ zone=badds.example.
infile=bogus.example.db.in infile=bogus.example.db.in
zonefile=badds.example.db zonefile=badds.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
......
...@@ -15,7 +15,7 @@ zone=optout-tld ...@@ -15,7 +15,7 @@ zone=optout-tld
infile=optout-tld.db.in infile=optout-tld.db.in
zonefile=optout-tld.db zonefile=optout-tld.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile cat $infile $keyname.key >$zonefile
......
...@@ -15,8 +15,8 @@ zone=split-rrsig ...@@ -15,8 +15,8 @@ zone=split-rrsig
infile=split-rrsig.db.in infile=split-rrsig.db.in
zonefile=split-rrsig.db zonefile=split-rrsig.db
k1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` k1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
k2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` k2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
cat $infile $k1.key $k2.key >$zonefile cat $infile $k1.key $k2.key >$zonefile
......
...@@ -11,7 +11,7 @@ SYSTEMTESTTOP=.. ...@@ -11,7 +11,7 @@ SYSTEMTESTTOP=..
$SHELL clean.sh $SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
cd ns1 && $SHELL sign.sh cd ns1 && $SHELL sign.sh
......
...@@ -2938,16 +2938,23 @@ until test $alg = 256 ...@@ -2938,16 +2938,23 @@ until test $alg = 256
do do
size= size=
case $alg in case $alg in
1) size="-b 512";; 1) # RSA/MD5
size="-b 1024";;
2) # Diffie Helman 2) # Diffie Helman
alg=`expr $alg + 1` alg=`expr $alg + 1`
continue;; continue;;
3) size="-b 512";; 3) # DSA/SHA1
5) size="-b 512";; size="-b 512";;
6) size="-b 512";; 5) # RSA/SHA-1
7) size="-b 512";; size="-b 1024";;
8) size="-b 512";; 6) # DSA-NSEC3-SHA1
10) size="-b 1024";; size="-b 512";;
7) # RSASHA1-NSEC3-SHA1
size="-b 1024";;
8) # RSA/SHA-256
size="-b 1024";;
10) # RSA/SHA-512
size="-b 1024";;
157|160|161|162|163|164|165) # private - non standard 157|160|161|162|163|164|165) # private - non standard
alg=`expr $alg + 1` alg=`expr $alg + 1`
continue;; continue;;
......
...@@ -9,6 +9,6 @@ ...@@ -9,6 +9,6 @@
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
cd ns1 && $SHELL sign.sh cd ns1 && $SHELL sign.sh
...@@ -9,6 +9,6 @@ ...@@ -9,6 +9,6 @@
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
cd ns1 && $SHELL sign.sh cd ns1 && $SHELL sign.sh