2009-10-27 22:25:37 +00:00
|
|
|
#!/bin/sh -e
|
2000-05-19 22:45:47 +00:00
|
|
|
#
|
2011-02-08 23:10:07 +00:00
|
|
|
# Copyright (C) 2004, 2006-2011 Internet Systems Consortium, Inc. ("ISC")
|
2002-02-20 03:35:59 +00:00
|
|
|
# Copyright (C) 2000-2002 Internet Software Consortium.
|
2000-08-01 01:33:37 +00:00
|
|
|
#
|
2007-06-18 23:47:57 +00:00
|
|
|
# Permission to use, copy, modify, and/or distribute this software for any
|
2000-05-19 22:45:47 +00:00
|
|
|
# purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
# copyright notice and this permission notice appear in all copies.
|
2000-08-01 01:33:37 +00:00
|
|
|
#
|
2004-03-05 05:14:21 +00:00
|
|
|
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
|
|
|
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
|
|
|
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
|
|
|
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
|
|
|
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
|
|
|
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
|
|
|
# PERFORMANCE OF THIS SOFTWARE.
|
2000-07-27 09:55:03 +00:00
|
|
|
|
2011-02-15 22:02:36 +00:00
|
|
|
# $Id: sign.sh,v 1.36 2011/02/15 22:02:36 marka Exp $
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
SYSTEMTESTTOP=../..
|
|
|
|
|
. $SYSTEMTESTTOP/conf.sh
|
2000-06-22 22:00:42 +00:00
|
|
|
|
2000-06-12 20:32:47 +00:00
|
|
|
RANDFILE=../random.data
|
|
|
|
|
|
2000-05-15 22:53:15 +00:00
|
|
|
zone=secure.example.
|
|
|
|
|
infile=secure.example.db.in
|
|
|
|
|
zonefile=secure.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
|
2000-05-15 22:53:15 +00:00
|
|
|
|
2000-05-16 01:22:45 +00:00
|
|
|
cat $infile $keyname.key >$zonefile
|
2000-05-15 22:53:15 +00:00
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2000-05-15 22:53:15 +00:00
|
|
|
|
2000-05-17 22:10:42 +00:00
|
|
|
zone=bogus.example.
|
|
|
|
|
infile=bogus.example.db.in
|
|
|
|
|
zonefile=bogus.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
|
2000-05-17 22:10:42 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2001-09-19 21:19:52 +00:00
|
|
|
|
2002-01-22 22:27:29 +00:00
|
|
|
zone=dynamic.example.
|
|
|
|
|
infile=dynamic.example.db.in
|
|
|
|
|
zonefile=dynamic.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
|
|
|
|
|
keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
|
2002-01-22 22:27:29 +00:00
|
|
|
|
2006-03-06 01:27:52 +00:00
|
|
|
cat $infile $keyname1.key $keyname2.key >$zonefile
|
2002-01-22 22:27:29 +00:00
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2002-01-22 22:27:29 +00:00
|
|
|
|
2001-09-19 21:19:52 +00:00
|
|
|
zone=keyless.example.
|
|
|
|
|
infile=keyless.example.db.in
|
|
|
|
|
zonefile=keyless.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
|
2001-09-19 21:19:52 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2001-09-19 21:19:52 +00:00
|
|
|
|
|
|
|
|
# Change the signer field of the a.b.keyless.example SIG A
|
|
|
|
|
# to point to a provably nonexistent KEY record.
|
|
|
|
|
mv $zonefile.signed $zonefile.tmp
|
|
|
|
|
<$zonefile.tmp perl -p -e 's/ keyless.example/ b.keyless.example/
|
|
|
|
|
if /^a.b.keyless.example/../NXT/;' >$zonefile.signed
|
|
|
|
|
rm -f $zonefile.tmp
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# NSEC3/NSEC test zone
|
|
|
|
|
#
|
|
|
|
|
zone=secure.nsec3.example.
|
|
|
|
|
infile=secure.nsec3.example.db.in
|
|
|
|
|
zonefile=secure.nsec3.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# NSEC3/NSEC3 test zone
|
|
|
|
|
#
|
|
|
|
|
zone=nsec3.nsec3.example.
|
|
|
|
|
infile=nsec3.nsec3.example.db.in
|
|
|
|
|
zonefile=nsec3.nsec3.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# OPTOUT/NSEC3 test zone
|
|
|
|
|
#
|
|
|
|
|
zone=optout.nsec3.example.
|
|
|
|
|
infile=optout.nsec3.example.db.in
|
|
|
|
|
zonefile=optout.nsec3.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A nsec3 zone (non-optout).
|
|
|
|
|
#
|
|
|
|
|
zone=nsec3.example.
|
|
|
|
|
infile=nsec3.example.db.in
|
|
|
|
|
zonefile=nsec3.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# OPTOUT/NSEC test zone
|
|
|
|
|
#
|
|
|
|
|
zone=secure.optout.example.
|
|
|
|
|
infile=secure.optout.example.db.in
|
|
|
|
|
zonefile=secure.optout.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# OPTOUT/NSEC3 test zone
|
|
|
|
|
#
|
|
|
|
|
zone=nsec3.optout.example.
|
|
|
|
|
infile=nsec3.optout.example.db.in
|
|
|
|
|
zonefile=nsec3.optout.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# OPTOUT/OPTOUT test zone
|
|
|
|
|
#
|
|
|
|
|
zone=optout.optout.example.
|
|
|
|
|
infile=optout.optout.example.db.in
|
|
|
|
|
zonefile=optout.optout.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A optout nsec3 zone.
|
|
|
|
|
#
|
|
|
|
|
zone=optout.example.
|
|
|
|
|
infile=optout.example.db.in
|
|
|
|
|
zonefile=optout.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A nsec3 zone (non-optout) with unknown hash algorithm.
|
|
|
|
|
#
|
|
|
|
|
zone=nsec3-unknown.example.
|
|
|
|
|
infile=nsec3-unknown.example.db.in
|
|
|
|
|
zonefile=nsec3-unknown.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A optout nsec3 zone.
|
|
|
|
|
#
|
|
|
|
|
zone=optout-unknown.example.
|
|
|
|
|
infile=optout-unknown.example.db.in
|
|
|
|
|
zonefile=optout-unknown.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A multiple parameter nsec3 zone.
|
|
|
|
|
#
|
|
|
|
|
zone=multiple.example.
|
|
|
|
|
infile=multiple.example.db.in
|
|
|
|
|
zonefile=multiple.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
mv $zonefile.signed $zonefile
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
mv $zonefile.signed $zonefile
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
mv $zonefile.signed $zonefile
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
mv $zonefile.signed $zonefile
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2008-09-24 02:46:23 +00:00
|
|
|
mv $zonefile.signed $zonefile
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2009-10-27 22:25:37 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A RSASHA256 zone.
|
|
|
|
|
#
|
|
|
|
|
zone=rsasha256.example.
|
|
|
|
|
infile=rsasha256.example.db.in
|
|
|
|
|
zonefile=rsasha256.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
|
2009-10-27 22:25:37 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2009-10-27 22:25:37 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A RSASHA512 zone.
|
|
|
|
|
#
|
|
|
|
|
zone=rsasha512.example.
|
|
|
|
|
infile=rsasha512.example.db.in
|
|
|
|
|
zonefile=rsasha512.example.db
|
|
|
|
|
|
2009-10-28 00:27:10 +00:00
|
|
|
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
|
2009-10-27 22:25:37 +00:00
|
|
|
|
|
|
|
|
cat $infile $keyname.key >$zonefile
|
|
|
|
|
|
2010-01-18 19:19:31 +00:00
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A zone with the DNSKEY set only signed by the KSK
|
|
|
|
|
#
|
|
|
|
|
zone=kskonly.example.
|
|
|
|
|
infile=kskonly.example.db.in
|
|
|
|
|
zonefile=kskonly.example.db
|
|
|
|
|
|
|
|
|
|
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
|
|
|
|
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
|
|
|
|
cat $infile $kskname.key $zskname.key >$zonefile
|
|
|
|
|
$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2011-02-08 03:47:02 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A zone with the expired signatures
|
|
|
|
|
#
|
|
|
|
|
zone=expired.example.
|
|
|
|
|
infile=expired.example.db.in
|
|
|
|
|
zonefile=expired.example.db
|
|
|
|
|
|
|
|
|
|
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
|
|
|
|
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
|
|
|
|
cat $infile $kskname.key $zskname.key >$zonefile
|
|
|
|
|
$SIGNER -P -r $RANDFILE -o $zone -s -3h -e +1h $zonefile > /dev/null 2>&1
|
|
|
|
|
rm -f $kskname.* $zskname.*
|
2011-02-14 23:53:44 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
|
|
|
|
|
#
|
|
|
|
|
zone=update-nsec3.example.
|
|
|
|
|
infile=update-nsec3.example.db.in
|
|
|
|
|
zonefile=update-nsec3.example.db
|
|
|
|
|
|
|
|
|
|
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
|
|
|
|
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
|
|
|
|
cat $infile $kskname.key $zskname.key >$zonefile
|
|
|
|
|
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
2011-02-15 22:02:36 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A NSEC signed zone that will have auto-dnssec enabled and
|
|
|
|
|
# extra keys not in the initial signed zone.
|
|
|
|
|
#
|
|
|
|
|
zone=auto-nsec.example.
|
|
|
|
|
infile=auto-nsec.example.db.in
|
|
|
|
|
zonefile=auto-nsec.example.db
|
|
|
|
|
|
|
|
|
|
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
|
|
|
|
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
|
|
|
|
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
|
|
|
|
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
|
|
|
|
cat $infile $kskname.key $zskname.key >$zonefile
|
|
|
|
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# A NSEC3 signed zone that will have auto-dnssec enabled and
|
|
|
|
|
# extra keys not in the initial signed zone.
|
|
|
|
|
#
|
|
|
|
|
zone=auto-nsec3.example.
|
|
|
|
|
infile=auto-nsec3.example.db.in
|
|
|
|
|
zonefile=auto-nsec3.example.db
|
|
|
|
|
|
|
|
|
|
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
|
|
|
|
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
|
|
|
|
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
|
|
|
|
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
|
|
|
|
cat $infile $kskname.key $zskname.key >$zonefile
|
|
|
|
|
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
