Commit ba37674d authored by Evan Hunt's avatar Evan Hunt

[master] dnssec-cds

4757.   [func]          New "dnssec-cds" command creates a new parent DS
                        RRset based on CDS or CDNSKEY RRsets found in
                        a child zone, and generates either a dsset file
                        or stream of nsupdate commands to update the
                        parent. Thanks to Tony Finch. [RT #46090]
parent 14afc842
4757. [func] New "dnssec-cds" command creates a new parent DS
RRset based on CDS or CDNSKEY RRsets found in
a child zone, and generates either a dsset file
or stream of nsupdate commands to update the
parent. Thanks to Tony Finch. [RT #46090]
4756. [bug] Interrupting dig could lead to an INSIST failure after
certain errors were encountered while querying a host
whose name resolved to more than one address. Change
......
dnssec-cds
dnssec-dsfromkey
dnssec-keyfromlabel
dnssec-keygen
......
......@@ -32,30 +32,37 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
dnssec-verify@EXEEXT@
OBJS = dnssectool.@O@
SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
dnssec-revoke.c dnssec-settime.c dnssec-signzone.c \
dnssec-verify.c dnssec-importkey.c dnssectool.c
SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
dnssec-keyfromlabel.c dnssec-keygen.c dnssec-revoke.c \
dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
dnssectool.c
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
dnssec-verify.8 dnssec-importkey.8
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
HTMLPAGES = dnssec-cds.html dnssec-dsfromkey.html \
dnssec-importkey.html dnssec-keyfromlabel.html \
dnssec-keygen.html dnssec-revoke.html \
dnssec-settime.html dnssec-signzone.html \
dnssec-verify.html dnssec-importkey.html
dnssec-verify.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
......@@ -115,4 +122,3 @@ uninstall::
clean distclean::
rm -f ${TARGETS}
.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-cds
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 2017-10-02
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-CDS" "8" "2017\-10\-02" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
.SH "SYNOPSIS"
.HP 11
\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-cds\fR
command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&.
.PP
Two input files are required\&. The
\fB\-f \fR\fB\fIchild\-file\fR\fR
option specifies a file containing the child\*(Aqs CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated\&. The
\fB\-d \fR\fB\fIpath\fR\fR
option specifies the location of a file containing the current DS records\&. For example, this could be a
dsset\-
file generated by
\fBdnssec\-signzone\fR, or the output of
\fBdnssec\-dsfromkey\fR, or the output of a previous run of
\fBdnssec\-cds\fR\&.
.PP
For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
dsset\-
file, or from the
\fB\-s\fR
option\&.
.PP
To protect against breaking the delegation,
\fBdnssec\-cds\fR
ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type\&.
.PP
By default, replacement DS records are written to the standard output; with the
\fB\-i\fR
option the input file is overwritten in place\&. The replacement DS records will be the same as the existing records when no change is required\&. The output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure\&.
.PP
Warning: Be careful not to delete the DS records when
\fBdnssec\-cds\fR
fails!
.PP
Alternatively,
\fBdnssec\-cds \-u\fR
writes an
\fBnsupdate\fR
script to the standard output\&. You can use the
\fB\-u\fR
and
\fB\-i\fR
options together to maintain a
dsset\-
file as well as emit an
\fBnsupdate\fR
script\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting CDNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each CDNSKEY record\&. This option has no effect when using CDS records\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zones\&.
.RE
.PP
\-D
.RS 4
Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone\&. By default CDS records are preferred\&.
.RE
.PP
\-d \fIpath\fR
.RS 4
Location of the parent DS records\&. The
\fIpath\fR
can be the name of a file containing the DS records, or if it is a directory,
\fBdnssec\-cds\fR
looks for a
dsset\-
file for the
\fIdomain\fR
inside the directory\&.
.sp
To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the
dsset\-
file\&. This can be adjusted with the
\fB\-s\fR
option\&.
.RE
.PP
\-f \fIchild\-file\fR
.RS 4
File containing the child\*(Aqs CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated\&.
.sp
The EXAMPLES below describe how to generate this file\&.
.RE
.PP
\-i [\fIextension\fR]
.RS 4
Update the
dsset\-
file in place, instead of writing DS records to the standard output\&.
.sp
There must be no space between the
\fB\-i\fR
and the
\fIextension\fR\&. If you provide no
\fIextension\fR
then the old
dsset\-
is discarded\&. If an
\fIextension\fR
is present, a backup of the old
dsset\-
file is kept with the
\fIextension\fR
appended to its filename\&.
.sp
To protect against replay attacks, the modification time of the
dsset\-
file is set to match the signature inception time of the child records, provided that is later than the file\*(Aqs current modification time\&.
.RE
.PP
\-s \fIstart\-time\fR
.RS 4
Specify the date and time after which RRSIG records become acceptable\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017\&. A time relative to the
dsset\-
file is indicated with \-N, which is N seconds before the file modification time\&. A time relative to the current time is indicated with now+N\&.
.sp
If no
\fIstart\-time\fR
is specified, the modification time of the
dsset\-
file is used\&.
.RE
.PP
\-T \fIttl\fR
.RS 4
Specifies a TTL to be used for new DS records\&. If not specified, the default is the TTL of the old DS records\&. If they had no explicit TTL then the new DS records also have no explicit TTL\&.
.RE
.PP
\-u
.RS 4
Write an
\fBnsupdate\fR
script to the standard output, instead of printing the new DS reords\&. The output will be empty if no change is needed\&.
.sp
Note: The TTL of new records needs to be specified, either in the original
dsset\-
file, or with the
\fB\-T\fR
option, or using the
\fBnsupdate\fR
\fBttl\fR
command\&.
.RE
.PP
\-V
.RS 4
Print version information\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers\&.
.RE
.PP
\fIdomain\fR
.RS 4
The name of the delegation point / child zone apex\&.
.RE
.SH "EXIT STATUS"
.PP
The
\fBdnssec\-cds\fR
command exits 0 on success, or non\-zero if an error occurred\&.
.PP
In the success case, the DS records might or might not need to be changed\&.
.SH "EXAMPLES"
.PP
Before running
\fBdnssec\-signzone\fR, you can ensure that the delegations are up\-to\-date by running
\fBdnssec\-cds\fR
on every
dsset\-
file\&.
.PP
To fetch the child records required by
\fBdnssec\-cds\fR
you can invoke
\fBdig\fR
as in the script below\&. It\*(Aqs okay if the
\fBdig\fR
fails since
\fBdnssec\-cds\fR
performs all the necessary checking\&.
.sp
.if n \{\
.RS 4
.\}
.nf
for f in dsset\-*
do
d=${f#dsset\-}
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec\-cds \-i \-f /dev/stdin \-d $f $d
done
.fi
.if n \{\
.RE
.\}
.PP
When the parent zone is automatically signed by
\fBnamed\fR, you can use
\fBdnssec\-cds\fR
with
\fBnsupdate\fR
to maintain a delegation as follows\&. The
dsset\-
file allows the script to avoid having to fetch and validate the parent DS records, and it keeps the replay attack protection time\&.
.sp
.if n \{\
.RS 4
.\}
.nf
dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
nsupdate \-l
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBdnssec-settime\fR(8),
\fBdnssec-signzone\fR(8),
\fBnsupdate\fR(1),
BIND 9 Administrator Reference Manual,
RFC 7344\&.
.SH "AUTHORS"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.PP
\fBTony Finch\fR <\&dot@dotat\&.at\&>, <\&fanf2@cam\&.ac\&.uk\&>
.br
.RS 4
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2017 Internet Systems Consortium, Inc. ("ISC")
.br
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
......@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 2012-05-02
.\" Manual: BIND9
.\" Source: ISC
......@@ -38,11 +38,11 @@
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
.HP 17
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
.SH "DESCRIPTION"
.PP
......
......@@ -346,7 +346,7 @@ usage(void) {
int
main(int argc, char **argv) {
char *algname = NULL, *classname = NULL;
char *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *lookaside = NULL;
char *endp;
......@@ -393,7 +393,7 @@ main(int argc, char **argv) {
showall = ISC_TRUE;
break;
case 'a':
algname = isc_commandline_argument;
dtype = strtodsdigest(isc_commandline_argument);
both = ISC_FALSE;
break;
case 'C':
......@@ -430,7 +430,7 @@ main(int argc, char **argv) {
break;
case 'T':
emitttl = ISC_TRUE;
ttl = atol(isc_commandline_argument);
ttl = strtottl(isc_commandline_argument);
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
......@@ -460,24 +460,6 @@ main(int argc, char **argv) {
}
}
if (algname != NULL) {
if (strcasecmp(algname, "SHA1") == 0 ||
strcasecmp(algname, "SHA-1") == 0)
dtype = DNS_DSDIGEST_SHA1;
else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256;
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST;
#endif
else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
dtype = DNS_DSDIGEST_SHA384;
else
fatal("unknown algorithm %s", algname);
}
rdclass = strtoclass(classname);
if (usekeyset && filename != NULL)
......
......@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-importkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
......@@ -38,9 +38,9 @@
.SH "NAME"
dnssec-importkey \- import DNSKEY records from external systems so they can be managed
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-importkey\fR\ 'u
.HP 17
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
.HP \w'\fBdnssec\-importkey\fR\ 'u
.HP 17
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
.SH "DESCRIPTION"
.PP
......
......@@ -9,7 +9,7 @@
'\" t
.\" Title: dnssec-settime
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 2015-08-21
.\" Manual: BIND9
.\" Source: ISC
......@@ -38,7 +38,7 @@
.SH "NAME"
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-settime\fR\ 'u
.HP 15
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
......
......@@ -412,6 +412,29 @@ strtoclass(const char *str) {
return (rdclass);
}
unsigned int
strtodsdigest(const char *algname) {
if (strcasecmp(algname, "SHA1") == 0 ||
strcasecmp(algname, "SHA-1") == 0)
{
return (DNS_DSDIGEST_SHA1);
} else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
{
return (DNS_DSDIGEST_SHA256);
#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
} else if (strcasecmp(algname, "GOST") == 0) {
return (DNS_DSDIGEST_GOST);
#endif
} else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
{
return (DNS_DSDIGEST_SHA384);
} else {
fatal("unknown algorithm %s", algname);
}
}
isc_result_t
try_dir(const char *dirname) {
isc_result_t result;
......
......@@ -65,6 +65,9 @@ isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base,
isc_boolean_t *setp);
unsigned int
strtodsdigest(const char *str);
dns_rdataclass_t
strtoclass(const char *str);
......
CDNSKEY*
CDS*
DS*
K*
UP*
brk.*
db.*
dsset-*
err
empty
out
sig.*
vars.sh
#!/usr/bin/perl
my $target = shift;
my $file = shift;
my $mtime = time - (stat $file)[9];
die "bad mtime $mtime"
unless abs($mtime - $target) < 3;
#!/usr/bin/perl
$target = shift;
while (<>) {
$notbefore = $1 if m{^.* must not be signed before \d+ [(](\d+)[)]$};
$inception = $1 if m{^.* inception time \d+ [(](\d+)[)]$};
}
die "missing notbefore time" unless $notbefore;
die "missing inception time" unless $inception;
my $delta = $inception - $notbefore;
die "bad inception time $delta"
unless abs($delta - $target) < 3;
#!/bin/sh -e
#
# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
while read glob
do rm -f $glob
done <.gitignore
#!/usr/bin/perl
my $re = $ARGV[0];
shift;
while (<>) {
s{($re)........}{${1}00000000};
print;
}
#!/bin/sh
#
# Copyright (C) 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
exec $SHELL ../testcrypto.sh
#!/bin/sh -e
#
# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
set -eu
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
touch empty
Z=cds.test
keyz=$($KEYGEN -q -r $RANDFILE -a RSASHA256 $Z)
key1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z)
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z)
idz=$(echo $keyz | sed 's/.*+0*//')
id1=$(echo $key1 | sed 's/.*+0*//')
id2=$(echo $key2 | sed 's/.*+0*//')
cat <<EOF >vars.sh
Z=$Z
key1=$key1
key2=$key2
idz=$idz
id1=$id1
id2=$id2
EOF
tac() {
perl -e 'print reverse <>' "$@"
}
convert() {
local key=$1 n=$2
$DSFROMKEY $key >DS.$n
grep ' 8 1 ' DS.$n >DS.$n-1
grep ' 8 2 ' DS.$n >DS.$n-2
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
tac <DS.$n >DS.rev$n
}
convert $key1 1
convert $key2 2
# consistent order wrt IDs
sort DS.1 DS.2 >DS.both
cp DS.1 DS.inplace
$PERL -we 'utime time, time - 7200, "DS.inplace" or die'
mangle="$PERL mangle.pl"
$mangle " IN DS $id1 8 1 " <DS.1 >DS.broke1
$mangle " IN DS $id1 8 2 " <DS.1 >DS.broke2
$mangle " IN DS $id1 8 [12] " <DS.1 >DS.broke12
sed 's/^/update add /;$a send' <DS.2 >UP.add2
sed 's/^/update del /;$a send' <DS.1 >UP.del1
cat UP.add2 UP.del1 | sed 3d >UP.swap
sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
sign() {
cat >db.$1
$SIGNER >/dev/null 2>&1 -r $RANDFILE \
-S -O full -o $Z -f sig.$1 db.$1
}
sign null <<EOF
\$TTL 1h
@ SOA localhost. root.localhost. (
1 ; serial
1h ; refresh
1h ; retry
1w ; expiry
1h ; minimum
)
;
NS localhost.
;
EOF
cat sig.null CDS.1 >brk.unsigned-cds
cat db.null CDS.1 | sign cds.1
cat db.null CDS.2 | sign cds.2
cat db.null CDS.1 CDS.2 | sign cds.both
tac <sig.cds.1 >sig.cds.rev1
cat db.null CDNSKEY.2 | sign cdnskey.2
cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2
$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.zsk
$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
<sig.cds.1 >brk.rrsig.cds.ksk
$mangle " IN CDS $id1 8 1 " <db.cds.1 |
sign cds-mangled
sed 's/IN CDS '$id1' 8 1 /IN CDS '$((id1 ^ 255))' 8 1 /' <db.cds.1 |
sign bad-digests
sed '/IN CDS '$id1' 8 /p;s//IN CDS '$((id1 ^ 255))' 13 /' <db.cds.1 |
sign bad-algos
rm -f dsset-*
#!/bin/sh -e
#
# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
set -eu
status=0
die() {
echo "I:failed"
status=1
}
ck() {
local x=$1 die=:
shift
echo "I:$name"
if [ $x != $("$@" 2>err 1>out; echo $?) ]
then echo "D:exit status does not match $y"
die=die
fi
ckerr
ckout
$die
rm -f err out xerr xout
unset name err out
}
ckerr() {
if [ -n "${err:=}" ]
then egrep "$err" err >/dev/null &&
return 0
else [ -s err ] ||
return 0
fi
echo "D:stderr did not match '$err'"
sed 's/^/D:/' err
die=die
}
ckout() {
cmp out "${out:-empty}" >/dev/null && return
echo "D:stdout did not match '$out'"
( echo "wanted"