[master] remove default algorithm in dnssec-keygen
4594. [func] dnssec-keygen no longer uses RSASHA1 by default; the signing algorithm must be specified on the command line with the "-a" option. Signing scripts that rely on the existing default behavior will break; use "dnssec-keygen -a RSASHA1" to repair them. (The goal of this change is to make it easier to find scripts using RSASHA1 so they can be changed in the event of that algorithm being deprecated in the future.) [RT #44755]
10
CHANGES
10
CHANGES
@@ -1,3 +1,13 @@
|
|||||||
|
4594. [func] dnssec-keygen no longer uses RSASHA1 by default;
|
||||||
|
the signing algorithm must be specified on
|
||||||
|
the command line with the "-a" option. Signing
|
||||||
|
scripts that rely on the existing default behavior
|
||||||
|
will break; use "dnssec-keygen -a RSASHA1" to
|
||||||
|
repair them. (The goal of this change is to make
|
||||||
|
it easier to find scripts using RSASHA1 so they
|
||||||
|
can be changed in the event of that algorithm
|
||||||
|
being deprecated in the future.) [RT #44755]
|
||||||
|
|
||||||
4693. [func] Synthesis of responses from DNSSEC-verified records.
|
4693. [func] Synthesis of responses from DNSSEC-verified records.
|
||||||
Stage 1 covers NXDOMAIN synthesis from NSEC records.
|
Stage 1 covers NXDOMAIN synthesis from NSEC records.
|
||||||
This is controlled by synth-from-dnssec and is enabled
|
This is controlled by synth-from-dnssec and is enabled
|
||||||
|
@@ -46,15 +46,6 @@
|
|||||||
const char *program = "dnssec-keyfromlabel";
|
const char *program = "dnssec-keyfromlabel";
|
||||||
int verbose;
|
int verbose;
|
||||||
|
|
||||||
#define DEFAULT_ALGORITHM "RSASHA1"
|
|
||||||
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
|
|
||||||
|
|
||||||
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
|
|
||||||
" NSEC3DSA | NSEC3RSASHA1 |"
|
|
||||||
" RSASHA256 | RSASHA512 | ECCGOST |"
|
|
||||||
" ECDSAP256SHA256 | ECDSAP384SHA384 |"
|
|
||||||
" ED25519 | ED448";
|
|
||||||
|
|
||||||
ISC_PLATFORM_NORETURN_PRE static void
|
ISC_PLATFORM_NORETURN_PRE static void
|
||||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||||
|
|
||||||
@@ -68,9 +59,11 @@ usage(void) {
|
|||||||
fprintf(stderr, " -l label: label of the key pair\n");
|
fprintf(stderr, " -l label: label of the key pair\n");
|
||||||
fprintf(stderr, " name: owner of the key\n");
|
fprintf(stderr, " name: owner of the key\n");
|
||||||
fprintf(stderr, "Other options:\n");
|
fprintf(stderr, "Other options:\n");
|
||||||
fprintf(stderr, " -a algorithm: %s\n", algs);
|
fprintf(stderr, " -a algorithm: \n"
|
||||||
fprintf(stderr, " (default: RSASHA1, or "
|
" RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
|
||||||
"NSEC3RSASHA1 if using -3)\n");
|
" NSEC3DSA | NSEC3RSASHA1 |\n"
|
||||||
|
" RSASHA256 | RSASHA512 | ECCGOST |\n"
|
||||||
|
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
|
||||||
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
|
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
|
||||||
fprintf(stderr, " -c class (default: IN)\n");
|
fprintf(stderr, " -c class (default: IN)\n");
|
||||||
fprintf(stderr, " -E <engine>:\n");
|
fprintf(stderr, " -E <engine>:\n");
|
||||||
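Review bot: The rewritten `-a algorithm:` help text ends at `" ECDSAP256SHA256 | ECDSAP384SHA384\n");` and so drops ED25519 and ED448, which the removed file-scope `algs` string carried and which the NSEC3 switch later in this file and the dnssec-keyfromlabel manual still accept; the last two lines of the call should read `" ECDSAP256SHA256 | ECDSAP384SHA384 |\n"` followed by `" ED25519 | ED448\n");`. Inlining the list into usage() removed the single definition the program had for it, and this omission is the first instance of the drift that invites; if the `algs` string is not referenced elsewhere, keeping it and printing it with `%s` as the old line did is the smaller change. The list still advertises RSAMD5 alongside the modern algorithms, which is consistent with the manual hunk but worth a `/* kept for key import of legacy material only */`-style comment so nobody reads the help text as a recommendation.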
@@ -394,16 +387,7 @@ main(int argc, char **argv) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (algname == NULL) {
|
if (algname == NULL) {
|
||||||
if (use_nsec3)
|
fatal("no algorithm specified");
|
||||||
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
|
|
||||||
else
|
|
||||||
algname = strdup(DEFAULT_ALGORITHM);
|
|
||||||
if (algname == NULL)
|
|
||||||
fatal("strdup failed");
|
|
||||||
freeit = algname;
|
|
||||||
if (verbose > 0)
|
|
||||||
fprintf(stderr, "no algorithm specified; "
|
|
||||||
"defaulting to %s\n", algname);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strcasecmp(algname, "RSA") == 0) {
|
if (strcasecmp(algname, "RSA") == 0) {
|
||||||
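Review bot: The new `fatal("no algorithm specified");` says what is missing but not how to supply it, and since the purpose of the change is to break scripts that relied on the default, the message should name the option in the same form as the existing key-size error in dnssec-keygen.c: `fatal("no algorithm specified (-a option)");`. The identical hunk in dnssec-keygen.c (`@@ -537,17 +531,7`) needs the same wording. With the default path gone, `freeit = algname;` no longer executes here; if that was the only non-NULL assignment, the `freeit` declaration and the free() that consumes it are now dead code and should go (the rest of main() is outside the hunk, so this cannot be confirmed from the diff). The paragraph stating that RSASHA1 is used by default survives as context in what appears to be the dnssec-keyfromlabel.docbook hunk `@@ -104,7 +104,6`, so that manual now contradicts this code, whereas the equivalent paragraph in dnssec-keygen.docbook was rewritten by this commit.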
@@ -434,15 +418,29 @@ main(int argc, char **argv) {
|
|||||||
options |= DST_TYPE_KEY;
|
options |= DST_TYPE_KEY;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (use_nsec3 &&
|
if (use_nsec3) {
|
||||||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
|
switch (alg) {
|
||||||
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
|
case DST_ALG_DSA:
|
||||||
alg != DST_ALG_ECCGOST &&
|
alg = DST_ALG_NSEC3DSA;
|
||||||
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
|
break;
|
||||||
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
|
case DST_ALG_RSASHA1:
|
||||||
|
alg = DST_ALG_NSEC3RSASHA1;
|
||||||
|
break;
|
||||||
|
case DST_ALG_NSEC3DSA:
|
||||||
|
case DST_ALG_NSEC3RSASHA1:
|
||||||
|
case DST_ALG_RSASHA256:
|
||||||
|
case DST_ALG_RSASHA512:
|
||||||
|
case DST_ALG_ECCGOST:
|
||||||
|
case DST_ALG_ECDSA256:
|
||||||
|
case DST_ALG_ECDSA384:
|
||||||
|
case DST_ALG_ED25519:
|
||||||
|
case DST_ALG_ED448:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
fatal("%s is incompatible with NSEC3; "
|
fatal("%s is incompatible with NSEC3; "
|
||||||
"do not use the -3 option", algname);
|
"do not use the -3 option", algname);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
|
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
|
||||||
if (strcasecmp(type, "NOAUTH") == 0)
|
if (strcasecmp(type, "NOAUTH") == 0)
|
||||||
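Review bot: The `case DST_ALG_DSA:` and `case DST_ALG_RSASHA1:` arms rewrite `alg` to the NSEC3 variant when -3 is given but leave `algname` as the user typed it, so any later diagnostic built from `algname` will say RSASHA1 while the key being generated is NSEC3RSASHA1; the removed default path reported its choice under `verbose > 0`, and this remap is silent. Adding `if (verbose > 0) fprintf(stderr, "-3 specified; using the NSEC3 variant of %s\n", algname);` before the `break;` of each remapping arm restores that visibility for operators auditing which algorithm a script actually produced. The same switch is introduced in the dnssec-keygen.c hunk `@@ -601,15 +585,29` and should get the same treatment. main() continues past the hunk, so whether `algname` is read again after this point cannot be confirmed here.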
|
@@ -104,7 +104,6 @@
|
|||||||
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
||||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
|
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
|
||||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
|
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
|
||||||
These values are case insensitive.
|
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
If no algorithm is specified, then RSASHA1 will be used by
|
If no algorithm is specified, then RSASHA1 will be used by
|
||||||
@@ -114,11 +113,17 @@
|
|||||||
that algorithm will be checked for compatibility with NSEC3.)
|
that algorithm will be checked for compatibility with NSEC3.)
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
These values are case insensitive. In some cases, abbreviations
|
||||||
algorithm, and DSA is recommended.
|
are supported, such as ECDSA256 for ECDSAP256SHA256 and
|
||||||
|
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
|
||||||
|
along with the <option>-3</option> option, then NSEC3RSASHA1
|
||||||
|
or NSEC3DSA will be used instead.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note 2: DH automatically sets the -k flag.
|
As of BIND 9.12.0, this option is mandatory except when using
|
||||||
|
the <option>-S</option> option (which copies the algorithm from
|
||||||
|
the predecessory key). Previously, the default for newly
|
||||||
|
generated keys was RSASHA1.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -128,9 +133,10 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||||
If this option is used and no algorithm is explicitly
|
If this option is used with an algorithm that has both
|
||||||
set on the command line, NSEC3RSASHA1 will be used by
|
NSEC and NSEC3 versions, then the NSEC3 version will be
|
||||||
default.
|
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
|
||||||
|
specifies the NSEC3RSASHA1 algorithm.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@@ -61,9 +61,6 @@
|
|||||||
const char *program = "dnssec-keygen";
|
const char *program = "dnssec-keygen";
|
||||||
int verbose;
|
int verbose;
|
||||||
|
|
||||||
#define DEFAULT_ALGORITHM "RSASHA1"
|
|
||||||
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
|
|
||||||
|
|
||||||
ISC_PLATFORM_NORETURN_PRE static void
|
ISC_PLATFORM_NORETURN_PRE static void
|
||||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||||
|
|
||||||
@@ -86,8 +83,6 @@ usage(void) {
|
|||||||
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
|
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
|
||||||
"HMAC-SHA256 | \n");
|
"HMAC-SHA256 | \n");
|
||||||
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
|
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
|
||||||
fprintf(stderr, " (default: RSASHA1, or "
|
|
||||||
"NSEC3RSASHA1 if using -3)\n");
|
|
||||||
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
|
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
|
||||||
fprintf(stderr, " -b <key size in bits>:\n");
|
fprintf(stderr, " -b <key size in bits>:\n");
|
||||||
fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA);
|
fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA);
|
||||||
@@ -110,9 +105,8 @@ usage(void) {
|
|||||||
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
|
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
|
||||||
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
|
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
|
||||||
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
|
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
|
||||||
fprintf(stderr, " (if using the default algorithm, key size\n"
|
fprintf(stderr, " (key size defaults are set according to\n"
|
||||||
" defaults to 2048 for KSK, or 1024 for all "
|
" algorithm and usage (ZSK or KSK)\n");
|
||||||
"others)\n");
|
|
||||||
fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
|
fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
|
||||||
"USER | OTHER\n");
|
"USER | OTHER\n");
|
||||||
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
|
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
|
||||||
@@ -240,7 +234,7 @@ main(int argc, char **argv) {
|
|||||||
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
|
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
|
||||||
int dbits = 0;
|
int dbits = 0;
|
||||||
dns_ttl_t ttl = 0;
|
dns_ttl_t ttl = 0;
|
||||||
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
|
isc_boolean_t use_nsec3 = ISC_FALSE;
|
||||||
isc_stdtime_t publish = 0, activate = 0, revokekey = 0;
|
isc_stdtime_t publish = 0, activate = 0, revokekey = 0;
|
||||||
isc_stdtime_t inactive = 0, deltime = 0;
|
isc_stdtime_t inactive = 0, deltime = 0;
|
||||||
isc_stdtime_t now;
|
isc_stdtime_t now;
|
||||||
@@ -537,17 +531,7 @@ main(int argc, char **argv) {
|
|||||||
isc_result_totext(ret));
|
isc_result_totext(ret));
|
||||||
|
|
||||||
if (algname == NULL) {
|
if (algname == NULL) {
|
||||||
use_default = ISC_TRUE;
|
fatal("no algorithm specified");
|
||||||
if (use_nsec3)
|
|
||||||
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
|
|
||||||
else
|
|
||||||
algname = strdup(DEFAULT_ALGORITHM);
|
|
||||||
if (algname == NULL)
|
|
||||||
fatal("strdup failed");
|
|
||||||
freeit = algname;
|
|
||||||
if (verbose > 0)
|
|
||||||
fprintf(stderr, "no algorithm specified; "
|
|
||||||
"defaulting to %s\n", algname);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strcasecmp(algname, "RSA") == 0) {
|
if (strcasecmp(algname, "RSA") == 0) {
|
||||||
@@ -601,15 +585,29 @@ main(int argc, char **argv) {
|
|||||||
if (!dst_algorithm_supported(alg))
|
if (!dst_algorithm_supported(alg))
|
||||||
fatal("unsupported algorithm: %d", alg);
|
fatal("unsupported algorithm: %d", alg);
|
||||||
|
|
||||||
if (use_nsec3 &&
|
if (use_nsec3) {
|
||||||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
|
switch (alg) {
|
||||||
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
|
case DST_ALG_DSA:
|
||||||
alg != DST_ALG_ECCGOST &&
|
alg = DST_ALG_NSEC3DSA;
|
||||||
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
|
break;
|
||||||
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
|
case DST_ALG_RSASHA1:
|
||||||
|
alg = DST_ALG_NSEC3RSASHA1;
|
||||||
|
break;
|
||||||
|
case DST_ALG_NSEC3DSA:
|
||||||
|
case DST_ALG_NSEC3RSASHA1:
|
||||||
|
case DST_ALG_RSASHA256:
|
||||||
|
case DST_ALG_RSASHA512:
|
||||||
|
case DST_ALG_ECCGOST:
|
||||||
|
case DST_ALG_ECDSA256:
|
||||||
|
case DST_ALG_ECDSA384:
|
||||||
|
case DST_ALG_ED25519:
|
||||||
|
case DST_ALG_ED448:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
fatal("%s is incompatible with NSEC3; "
|
fatal("%s is incompatible with NSEC3; "
|
||||||
"do not use the -3 option", algname);
|
"do not use the -3 option", algname);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
|
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
|
||||||
if (strcasecmp(type, "NOAUTH") == 0)
|
if (strcasecmp(type, "NOAUTH") == 0)
|
||||||
@@ -629,22 +627,32 @@ main(int argc, char **argv) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (size < 0) {
|
if (size < 0) {
|
||||||
if (use_default) {
|
switch (alg) {
|
||||||
if ((kskflag & DNS_KEYFLAG_KSK) != 0)
|
case DST_ALG_RSASHA1:
|
||||||
|
case DST_ALG_NSEC3RSASHA1:
|
||||||
|
case DST_ALG_RSASHA256:
|
||||||
|
case DST_ALG_RSASHA512:
|
||||||
|
if ((kskflag & DNS_KEYFLAG_KSK) != 0) {
|
||||||
size = 2048;
|
size = 2048;
|
||||||
else
|
} else {
|
||||||
size = 1024;
|
size = 1024;
|
||||||
if (verbose > 0)
|
}
|
||||||
|
if (verbose > 0) {
|
||||||
fprintf(stderr, "key size not "
|
fprintf(stderr, "key size not "
|
||||||
"specified; defaulting"
|
"specified; defaulting"
|
||||||
" to %d\n", size);
|
" to %d\n", size);
|
||||||
} else if (alg != DST_ALG_ECCGOST &&
|
}
|
||||||
alg != DST_ALG_ECDSA256 &&
|
break;
|
||||||
alg != DST_ALG_ECDSA384 &&
|
case DST_ALG_ECCGOST:
|
||||||
alg != DST_ALG_ED25519 &&
|
case DST_ALG_ECDSA256:
|
||||||
alg != DST_ALG_ED448)
|
case DST_ALG_ECDSA384:
|
||||||
|
case DST_ALG_ED25519:
|
||||||
|
case DST_ALG_ED448:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
fatal("key size not specified (-b option)");
|
fatal("key size not specified (-b option)");
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!oldstyle && prepub > 0) {
|
if (!oldstyle && prepub > 0) {
|
||||||
if (setpub && setact && (activate - prepub) < publish)
|
if (setpub && setact && (activate - prepub) < publish)
|
||||||
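Review bot: The defaults `size = 2048;` and `size = 1024;` are bare literals here and are restated in prose in the dnssec-keygen.docbook hunk `@@ -152,13 +158,11`, which is exactly how code and manual drift apart; an `enum { DEFAULT_KSK_RSA_BITS = 2048, DEFAULT_ZSK_RSA_BITS = 1024 };` beside the other file-scope definitions would give both a single name to cite. The switch now extends these defaults to RSASHA256 and RSASHA512 as well as the RSASHA1 variants, so a 1024-bit ZSK becomes the silent default for every RSA algorithm; that size is at the bottom of what current guidance accepts for RSA, so the `size = 1024;` branch deserves a comment recording that it is a compatibility choice rather than a recommendation. The fall-through of DSA, NSEC3DSA and RSAMD5 to `default:` and `fatal("key size not specified (-b option)");` reads as intended but should say so, e.g. `default: /* no defensible default size for these; require -b */`.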
|
@@ -53,7 +53,7 @@
|
|||||||
<refsynopsisdiv>
|
<refsynopsisdiv>
|
||||||
<cmdsynopsis sepchar=" ">
|
<cmdsynopsis sepchar=" ">
|
||||||
<command>dnssec-keygen</command>
|
<command>dnssec-keygen</command>
|
||||||
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
|
<arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
|
||||||
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
|
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
|
||||||
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
|
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
|
||||||
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
|
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
|
||||||
@@ -101,6 +101,13 @@
|
|||||||
line. For DNSSEC keys, this must match the name of the zone for
|
line. For DNSSEC keys, this must match the name of the zone for
|
||||||
which the key is being generated.
|
which the key is being generated.
|
||||||
</para>
|
</para>
|
||||||
|
<para>
|
||||||
|
The <command>dnssec-keymgr</command> command acts as a wrapper
|
||||||
|
around <command>dnssec-keygen</command>, generating and updating keys
|
||||||
|
as needed to enforce defined security policies such as key rollover
|
||||||
|
scheduling. Using <command>dnssec-keymgr</command> may be preferable
|
||||||
|
to direct use of <command>dnssec-keygen</command>.
|
||||||
|
</para>
|
||||||
</refsection>
|
</refsection>
|
||||||
|
|
||||||
<refsection><info><title>OPTIONS</title></info>
|
<refsection><info><title>OPTIONS</title></info>
|
||||||
@@ -114,27 +121,26 @@
|
|||||||
Selects the cryptographic algorithm. For DNSSEC keys, the value
|
Selects the cryptographic algorithm. For DNSSEC keys, the value
|
||||||
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
||||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
|
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
|
||||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
|
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
|
||||||
For TSIG/TKEY, the value must
|
TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
|
||||||
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
|
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
|
||||||
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
|
or HMAC-SHA512; specifying any of these algorithms will
|
||||||
case insensitive.
|
automatically set the <option>-T KEY</option> option as well.
|
||||||
|
(Note: <command>tsig-keygen</command> produces TSIG keys in a
|
||||||
|
more useful format than <command>dnssec-keygen</command>.)
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
If no algorithm is specified, then RSASHA1 will be used by
|
These values are case insensitive. In some cases, abbreviations
|
||||||
default, unless the <option>-3</option> option is specified,
|
are supported, such as ECDSA256 for ECDSAP256SHA256 and
|
||||||
in which case NSEC3RSASHA1 will be used instead. (If
|
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
|
||||||
<option>-3</option> is used and an algorithm is specified,
|
along with the <option>-3</option> option, then NSEC3RSASHA1
|
||||||
that algorithm will be checked for compatibility with NSEC3.)
|
or NSEC3DSA will be used instead.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
As of BIND 9.12.0, this option is mandatory except when using
|
||||||
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
|
the <option>-S</option> option (which copies the algorithm from
|
||||||
mandatory.
|
the predecessor key). Previously, the default for newly
|
||||||
</para>
|
generated keys was RSASHA1.
|
||||||
<para>
|
|
||||||
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
|
|
||||||
automatically set the -T KEY option.
|
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -152,13 +158,11 @@
|
|||||||
this parameter.
|
this parameter.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
The key size does not need to be specified if using a default
|
If the key size is not specified, some algorithms have
|
||||||
algorithm. The default key size is 1024 bits for zone signing
|
pre-defined defaults. For example, RSA keys for use as
|
||||||
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
|
DNSSEC zone signing keys have a default size of 1024 bits;
|
||||||
generated with <option>-f KSK</option>). However, if an
|
RSA keys for use as key signing keys (KSKs, generated with
|
||||||
algorithm is explicitly specified with the <option>-a</option>,
|
<option>-f KSK</option>) default to 2048 bits.
|
||||||
then there is no default key size, and the <option>-b</option>
|
|
||||||
must be used.
|
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -169,11 +173,10 @@
|
|||||||
<para>
|
<para>
|
||||||
Specifies the owner type of the key. The value of
|
Specifies the owner type of the key. The value of
|
||||||
<option>nametype</option> must either be ZONE (for a DNSSEC
|
<option>nametype</option> must either be ZONE (for a DNSSEC
|
||||||
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
|
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
|
||||||
a host (KEY)),
|
with a host (KEY)), USER (for a key associated with a
|
||||||
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
|
user(KEY)) or OTHER (DNSKEY). These values are case
|
||||||
These values are case insensitive. Defaults to ZONE for DNSKEY
|
insensitive. Defaults to ZONE for DNSKEY generation.
|
||||||
generation.
|
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -183,11 +186,10 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||||
If this option is used and no algorithm is explicitly
|
If this option is used with an algorithm that has both
|
||||||
set on the command line, NSEC3RSASHA1 will be used by
|
NSEC and NSEC3 versions, then the NSEC3 version will be
|
||||||
default. Note that RSASHA256, RSASHA512, ECCGOST,
|
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
|
||||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
|
specifies the NSEC3RSASHA1 algorithm.
|
||||||
algorithms are NSEC3-capable.
|
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -394,8 +396,8 @@
|
|||||||
overridden to KEY for use with SIG(0).
|
overridden to KEY for use with SIG(0).
|
||||||
<para>
|
<para>
|
||||||
</para>
|
</para>
|
||||||
Using any TSIG algorithm (HMAC-* or DH) forces this option
|
Specifying any TSIG algorithm (HMAC-* or DH) with
|
||||||
to KEY.
|
<option>-a</option> forces this option to KEY.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@@ -17,18 +17,18 @@ infile=root.db.in
|
|||||||
|
|
||||||
cat $infile ../ns2/dsset-example$TP > $zonefile
|
cat $infile ../ns2/dsset-example$TP > $zonefile
|
||||||
|
|
||||||
zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
|
zskact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
|
||||||
zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
|
zskvanish=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
|
||||||
zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
|
zskdel=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -D now $zone`
|
||||||
zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
|
zskinact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -I now $zone`
|
||||||
zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
|
zskunpub=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -G $zone`
|
||||||
zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
|
zsksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A none $zone`
|
||||||
zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone`
|
zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A now -P +1d $zone`
|
||||||
zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
|
zsknopriv=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
|
||||||
rm $zsknopriv.private
|
rm $zsknopriv.private
|
||||||
|
|
||||||
ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
|
ksksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -P now -A now+15s -fk $zone`
|
||||||
kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
|
kskrev=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -R now+15s -fk $zone`
|
||||||
|
|
||||||
cat $ksksby.key | grep -v '^; ' | $PERL -n -e '
|
cat $ksksby.key | grep -v '^; ' | $PERL -n -e '
|
||||||
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
||||||
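Review bot: Every `$KEYGEN` call in this hunk now carries a literal `-a RSASHA1`, and the remaining shell hunks do the same, so moving the test suite off RSASHA1 later means editing dozens of lines across several scripts, which works against what the commit description says it wants to make easy. Defining the algorithm once near the top of each script, `alg=RSASHA1`, and writing `zskact=\`$KEYGEN -3 -a $alg -q -r $RANDFILE $zone\`` keeps that decision in one place per file. The option order also differs between scripts (`-3 -a RSASHA1 -q` here, `-a RSASHA1 -3 -q` and `-q -a RSASHA1 -3` elsewhere), which is harmless to the tool but worth normalising while these lines are being touched so a grep for the pattern is reliable.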
|
@@ -23,16 +23,16 @@ zonefile="${zone}.db"
|
|||||||
infile="${zonefile}.in"
|
infile="${zonefile}.in"
|
||||||
cat $infile dsset-*.example$TP > $zonefile
|
cat $infile dsset-*.example$TP > $zonefile
|
||||||
|
|
||||||
kskname=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
|
||||||
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
|
||||||
$DSFROMKEY $kskname.key > dsset-${zone}$TP
|
$DSFROMKEY $kskname.key > dsset-${zone}$TP
|
||||||
|
|
||||||
# Create keys for a private secure zone.
|
# Create keys for a private secure zone.
|
||||||
zone=private.secure.example
|
zone=private.secure.example
|
||||||
zonefile="${zone}.db"
|
zonefile="${zone}.db"
|
||||||
infile="${zonefile}.in"
|
infile="${zonefile}.in"
|
||||||
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
|
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
|
||||||
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
|
||||||
cat $ksk.key | grep -v '^; ' | $PERL -n -e '
|
cat $ksk.key | grep -v '^; ' | $PERL -n -e '
|
||||||
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
||||||
local $key = join("", @rest);
|
local $key = join("", @rest);
|
||||||
@@ -55,5 +55,5 @@ for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
|
|||||||
do
|
do
|
||||||
cp $i `echo $i | sed s/X/K/`
|
cp $i `echo $i | sed s/X/K/`
|
||||||
done
|
done
|
||||||
$KEYGEN -q -r $RANDFILE $zone > /dev/null
|
$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > /dev/null
|
||||||
$DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP
|
$DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP
|
||||||
|
@@ -27,8 +27,8 @@ setup () {
|
|||||||
|
|
||||||
setup secure.example
|
setup secure.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -36,8 +36,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup secure.nsec3.example
|
setup secure.nsec3.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -45,8 +45,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup nsec3.nsec3.example
|
setup nsec3.nsec3.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -54,8 +54,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup optout.nsec3.example
|
setup optout.nsec3.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -63,8 +63,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup nsec3.example
|
setup nsec3.example
|
||||||
cat $infile dsset-*.${zone}$TP > $zonefile
|
cat $infile dsset-*.${zone}$TP > $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -72,9 +72,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup autonsec3.example
|
setup autonsec3.example
|
||||||
cat $infile > $zonefile
|
cat $infile > $zonefile
|
||||||
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
echo $ksk > ../autoksk.key
|
echo $ksk > ../autoksk.key
|
||||||
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||||
echo $zsk > ../autozsk.key
|
echo $zsk > ../autozsk.key
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
@@ -83,8 +83,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup secure.optout.example
|
setup secure.optout.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -92,8 +92,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup nsec3.optout.example
|
setup nsec3.optout.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -101,8 +101,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup optout.optout.example
|
setup optout.optout.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -110,8 +110,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup optout.example
|
setup optout.example
|
||||||
cat $infile dsset-*.${zone}$TP > $zonefile
|
cat $infile dsset-*.${zone}$TP > $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -137,8 +137,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup nsec.example
|
setup nsec.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -147,8 +147,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||||||
#
|
#
|
||||||
setup oldsigs.example
|
setup oldsigs.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -164,8 +164,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
|||||||
# keys via nsupdate
|
# keys via nsupdate
|
||||||
#
|
#
|
||||||
setup secure-to-insecure.example
|
setup secure-to-insecure.example
|
||||||
$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
$SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -173,9 +173,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
|||||||
# removal of keys on schedule.
|
# removal of keys on schedule.
|
||||||
#
|
#
|
||||||
setup secure-to-insecure2.example
|
setup secure-to-insecure2.example
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
echo $ksk > ../del1.key
|
echo $ksk > ../del1.key
|
||||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||||
echo $zsk > ../del2.key
|
echo $zsk > ../del2.key
|
||||||
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||||
|
|
||||||
@@ -184,8 +184,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
|||||||
#
|
#
|
||||||
setup prepub.example
|
setup prepub.example
|
||||||
infile="secure-to-insecure2.example.db.in"
|
infile="secure-to-insecure2.example.db.in"
|
||||||
$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -194,35 +194,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
|||||||
|
|
||||||
# no default key TTL; DNSKEY should get SOA TTL
|
# no default key TTL; DNSKEY should get SOA TTL
|
||||||
setup ttl1.example
|
setup ttl1.example
|
||||||
$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
|
|
||||||
# default key TTL should be used
|
# default key TTL should be used
|
||||||
setup ttl2.example
|
setup ttl2.example
|
||||||
$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
|
|
||||||
# mismatched key TTLs, should use shortest
|
# mismatched key TTLs, should use shortest
|
||||||
setup ttl3.example
|
setup ttl3.example
|
||||||
$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
|
|
||||||
# existing DNSKEY RRset, should retain TTL
|
# existing DNSKEY RRset, should retain TTL
|
||||||
setup ttl4.example
|
setup ttl4.example
|
||||||
$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
cat ${infile} K${zone}.+*.key > $zonefile
|
cat ${infile} K${zone}.+*.key > $zonefile
|
||||||
$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
|
|
||||||
#
|
#
|
||||||
# A zone with a DNSKEY RRset that is published before it's activated
|
# A zone with a DNSKEY RRset that is published before it's activated
|
||||||
#
|
#
|
||||||
setup delay.example
|
setup delay.example
|
||||||
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||||
echo $ksk > ../delayksk.key
|
echo $ksk > ../delayksk.key
|
||||||
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||||
echo $zsk > ../delayzsk.key
|
echo $zsk > ../delayzsk.key
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -230,8 +230,8 @@ echo $zsk > ../delayzsk.key
|
|||||||
# is missing.
|
# is missing.
|
||||||
#
|
#
|
||||||
setup nozsk.example
|
setup nozsk.example
|
||||||
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone`
|
||||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
|
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
|
||||||
echo $zsk > ../missingzsk.key
|
echo $zsk > ../missingzsk.key
|
||||||
rm -f ${zsk}.private
|
rm -f ${zsk}.private
|
||||||
@@ -241,8 +241,8 @@ rm -f ${zsk}.private
|
|||||||
# is inactive.
|
# is inactive.
|
||||||
#
|
#
|
||||||
setup inaczsk.example
|
setup inaczsk.example
|
||||||
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone`
|
||||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
|
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
|
||||||
echo $zsk > ../inactivezsk.key
|
echo $zsk > ../inactivezsk.key
|
||||||
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
|
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
|
||||||
@@ -252,15 +252,15 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
|
|||||||
#
|
#
|
||||||
setup reconf.example
|
setup reconf.example
|
||||||
cp secure.example.db.in $zonefile
|
cp secure.example.db.in $zonefile
|
||||||
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
|
|
||||||
#
|
#
|
||||||
# A zone which generates a CDS and CDNSEY RRsets automatically
|
# A zone which generates a CDS and CDNSEY RRsets automatically
|
||||||
#
|
#
|
||||||
setup sync.example
|
setup sync.example
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
|
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
|
||||||
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||||
echo ns3/$ksk > ../sync.key
|
echo ns3/$ksk > ../sync.key
|
||||||
|
@@ -858,7 +858,7 @@ ret=0
|
|||||||
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
|
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
|
||||||
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
|
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
|
||||||
|
|
||||||
$KEYGEN -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
|
$KEYGEN -a rsasha1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
|
||||||
|
|
||||||
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign prepub.example 2>&1 | sed 's/^/I:ns1 /'
|
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign prepub.example 2>&1 | sed 's/^/I:ns1 /'
|
||||||
newserial=$oldserial
|
newserial=$oldserial
|
||||||
|
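Review bot: The new line writes the algorithm as lowercase `-a rsasha1` while the other hunks of this commit write `-a RSASHA1`; the same lowercase spelling is used throughout the `@@ -19,110 +19,110 @@` hunk (`ksk1=`, `zsk1=` lines). If dnssec-keygen matches the name case-insensitively this is only cosmetic, but the commit's stated goal is to make RSASHA1 call sites easy to find, and a case-sensitive search for `RSASHA1` would miss these lines. One spelling across the test scripts keeps that sweep reliable, e.g. `$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null`.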
@@ -19,110 +19,110 @@ ln -s $CHECKZONE named-compilezone
|
|||||||
dir=01-ksk-inactive
|
dir=01-ksk-inactive
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 2: ZSK goes inactive before successor is active
|
# Test 2: ZSK goes inactive before successor is active
|
||||||
dir=02-zsk-inactive
|
dir=02-zsk-inactive
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 3: KSK is unpublished before its successor is published
|
# Test 3: KSK is unpublished before its successor is published
|
||||||
dir=03-ksk-unpublished
|
dir=03-ksk-unpublished
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 4: ZSK is unpublished before its successor is published
|
# Test 4: ZSK is unpublished before its successor is published
|
||||||
dir=04-zsk-unpublished
|
dir=04-zsk-unpublished
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 5: KSK deleted and successor published before KSK is deactivated
|
# Test 5: KSK deleted and successor published before KSK is deactivated
|
||||||
# and successor activated.
|
# and successor activated.
|
||||||
dir=05-ksk-unpub-active
|
dir=05-ksk-unpub-active
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 6: ZSK deleted and successor published before ZSK is deactivated
|
# Test 6: ZSK deleted and successor published before ZSK is deactivated
|
||||||
# and successor activated.
|
# and successor activated.
|
||||||
dir=06-zsk-unpub-active
|
dir=06-zsk-unpub-active
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 7: KSK rolled with insufficient delay after prepublication.
|
# Test 7: KSK rolled with insufficient delay after prepublication.
|
||||||
dir=07-ksk-ttl
|
dir=07-ksk-ttl
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
# allow only 1 day between publication and activation
|
# allow only 1 day between publication and activation
|
||||||
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
|
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 8: ZSK rolled with insufficient delay after prepublication.
|
# Test 8: ZSK rolled with insufficient delay after prepublication.
|
||||||
dir=08-zsk-ttl
|
dir=08-zsk-ttl
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
# allow only 1 day between publication and activation
|
# allow only 1 day between publication and activation
|
||||||
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
|
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 9: KSK goes inactive before successor is active, but checking ZSKs
|
# Test 9: KSK goes inactive before successor is active, but checking ZSKs
|
||||||
dir=09-check-zsk
|
dir=09-check-zsk
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 10: ZSK goes inactive before successor is active, but checking KSKs
|
# Test 10: ZSK goes inactive before successor is active, but checking KSKs
|
||||||
dir=10-check-ksk
|
dir=10-check-ksk
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 11: ZSK goes inactive before successor is active, but after cutoff
|
# Test 11: ZSK goes inactive before successor is active, but after cutoff
|
||||||
dir=11-cutoff
|
dir=11-cutoff
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
@@ -15,8 +15,8 @@ zone=signed
|
|||||||
infile=example.db
|
infile=example.db
|
||||||
zonefile=signed.db
|
zonefile=signed.db
|
||||||
|
|
||||||
key1=`$KEYGEN -q -r $RANDFILE $zone`
|
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
|
||||||
key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||||
|
|
||||||
cat $infile $key1.key $key2.key > $zonefile
|
cat $infile $key1.key $key2.key > $zonefile
|
||||||
|
|
||||||
|
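Review bot: This hunk is the only place in the commit that pins `-a rsasha256` rather than RSASHA1, and nothing in the hunk records why. If the test depends on the zone being signed with RSASHA256, a one-line comment above `key1=`, such as `# this test needs an RSASHA256-signed zone`, would stop a later algorithm sweep from "fixing" it; if it does not, the same spelling as the rest of the commit would be more consistent. I cannot tell from the hunk alone which of the two applies.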
@@ -283,8 +283,8 @@ zone=kskonly.example.
|
|||||||
infile=kskonly.example.db.in
|
infile=kskonly.example.db.in
|
||||||
zonefile=kskonly.example.db
|
zonefile=kskonly.example.db
|
||||||
|
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cat $infile $kskname.key $zskname.key >$zonefile
|
cat $infile $kskname.key $zskname.key >$zonefile
|
||||||
$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
@@ -295,8 +295,8 @@ zone=expired.example.
|
|||||||
infile=expired.example.db.in
|
infile=expired.example.db.in
|
||||||
zonefile=expired.example.db
|
zonefile=expired.example.db
|
||||||
|
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cat $infile $kskname.key $zskname.key >$zonefile
|
cat $infile $kskname.key $zskname.key >$zonefile
|
||||||
$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
|
$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
|
||||||
rm -f $kskname.* $zskname.*
|
rm -f $kskname.* $zskname.*
|
||||||
@@ -308,8 +308,8 @@ zone=update-nsec3.example.
|
|||||||
infile=update-nsec3.example.db.in
|
infile=update-nsec3.example.db.in
|
||||||
zonefile=update-nsec3.example.db
|
zonefile=update-nsec3.example.db
|
||||||
|
|
||||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cat $infile $kskname.key $zskname.key >$zonefile
|
cat $infile $kskname.key $zskname.key >$zonefile
|
||||||
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
@@ -321,10 +321,10 @@ zone=auto-nsec.example.
|
|||||||
infile=auto-nsec.example.db.in
|
infile=auto-nsec.example.db.in
|
||||||
zonefile=auto-nsec.example.db
|
zonefile=auto-nsec.example.db
|
||||||
|
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cat $infile $kskname.key $zskname.key >$zonefile
|
cat $infile $kskname.key $zskname.key >$zonefile
|
||||||
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
@@ -336,10 +336,10 @@ zone=auto-nsec3.example.
|
|||||||
infile=auto-nsec3.example.db.in
|
infile=auto-nsec3.example.db.in
|
||||||
zonefile=auto-nsec3.example.db
|
zonefile=auto-nsec3.example.db
|
||||||
|
|
||||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cat $infile $kskname.key $zskname.key >$zonefile
|
cat $infile $kskname.key $zskname.key >$zonefile
|
||||||
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
@@ -404,8 +404,8 @@ zone="expiring.example."
|
|||||||
infile="expiring.example.db.in"
|
infile="expiring.example.db.in"
|
||||||
zonefile="expiring.example.db"
|
zonefile="expiring.example.db"
|
||||||
signedfile="expiring.example.db.signed"
|
signedfile="expiring.example.db.signed"
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
|
||||||
mv -f ${zskname}.private ${zskname}.private.moved
|
mv -f ${zskname}.private ${zskname}.private.moved
|
||||||
@@ -419,8 +419,8 @@ infile="upper.example.db.in"
|
|||||||
zonefile="upper.example.db"
|
zonefile="upper.example.db"
|
||||||
lower="upper.example.db.lower"
|
lower="upper.example.db.lower"
|
||||||
signedfile="upper.example.db.signed"
|
signedfile="upper.example.db.signed"
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1
|
$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1
|
||||||
$CHECKZONE -D upper.example $lower 2>&- | \
|
$CHECKZONE -D upper.example $lower 2>&- | \
|
||||||
@@ -434,8 +434,8 @@ zone="LOWER.EXAMPLE."
|
|||||||
infile="lower.example.db.in"
|
infile="lower.example.db.in"
|
||||||
zonefile="lower.example.db"
|
zonefile="lower.example.db"
|
||||||
signedfile="lower.example.db.signed"
|
signedfile="lower.example.db.signed"
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
@@ -447,8 +447,8 @@ zone="nosign.example."
|
|||||||
infile="nosign.example.db.in"
|
infile="nosign.example.db.in"
|
||||||
zonefile="nosign.example.db"
|
zonefile="nosign.example.db"
|
||||||
signedfile="nosign.example.db.signed"
|
signedfile="nosign.example.db.signed"
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
|
||||||
# preserve a normalized copy of the NS RRSIG for comparison later
|
# preserve a normalized copy of the NS RRSIG for comparison later
|
||||||
@@ -460,8 +460,8 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
|
|||||||
# An inline signing zone
|
# An inline signing zone
|
||||||
#
|
#
|
||||||
zone=inline.example.
|
zone=inline.example.
|
||||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||||
|
|
||||||
#
|
#
|
||||||
# publish a new key while deactivating another key at the same time.
|
# publish a new key while deactivating another key at the same time.
|
||||||
@@ -470,10 +470,10 @@ zone=publish-inactive.example
|
|||||||
infile=publish-inactive.example.db.in
|
infile=publish-inactive.example.db.in
|
||||||
zonefile=publish-inactive.example.db
|
zonefile=publish-inactive.example.db
|
||||||
now=`date -u +%Y%m%d%H%M%S`
|
now=`date -u +%Y%m%d%H%M%S`
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone`
|
kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
|
kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
@@ -483,8 +483,8 @@ $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
|||||||
zone=siginterval.example
|
zone=siginterval.example
|
||||||
infile=siginterval.example.db.in
|
infile=siginterval.example.db.in
|
||||||
zonefile=siginterval.example.db
|
zonefile=siginterval.example.db
|
||||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -508,8 +508,8 @@ sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
|
|||||||
zone=future.example
|
zone=future.example
|
||||||
infile=future.example.db.in
|
infile=future.example.db.in
|
||||||
zonefile=future.example.db
|
zonefile=future.example.db
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cat $infile $kskname.key $zskname.key >$zonefile
|
cat $infile $kskname.key $zskname.key >$zonefile
|
||||||
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
cp -f $kskname.key trusted-future.key
|
cp -f $kskname.key trusted-future.key
|
||||||
@@ -520,8 +520,8 @@ cp -f $kskname.key trusted-future.key
|
|||||||
zone=managed-future.example
|
zone=managed-future.example
|
||||||
infile=managed-future.example.db.in
|
infile=managed-future.example.db.in
|
||||||
zonefile=managed-future.example.db
|
zonefile=managed-future.example.db
|
||||||
kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||||
cat $infile $kskname.key $zskname.key >$zonefile
|
cat $infile $kskname.key $zskname.key >$zonefile
|
||||||
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
@@ -532,10 +532,10 @@ zone=revkey.example.
|
|||||||
infile=generic.example.db.in
|
infile=generic.example.db.in
|
||||||
zonefile=revkey.example.db
|
zonefile=revkey.example.db
|
||||||
|
|
||||||
ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone`
|
ksk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
|
||||||
ksk1=`$REVOKE $ksk1`
|
ksk1=`$REVOKE $ksk1`
|
||||||
ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone`
|
ksk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
|
||||||
zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone`
|
zsk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 $zone`
|
||||||
|
|
||||||
cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
|
cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
|
||||||
|
|
||||||
|
@@ -13,7 +13,7 @@ zone=.
|
|||||||
infile=../ns1/root.db.in
|
infile=../ns1/root.db.in
|
||||||
zonefile=root.db.signed
|
zonefile=root.db.signed
|
||||||
|
|
||||||
keyname=`$KEYGEN -r $RANDFILE -qfk $zone`
|
keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone`
|
||||||
|
|
||||||
# copy the KSK out first, then revoke it
|
# copy the KSK out first, then revoke it
|
||||||
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
|
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
|
||||||
@@ -29,6 +29,6 @@ EOF
|
|||||||
$SETTIME -R now ${keyname}.key > /dev/null
|
$SETTIME -R now ${keyname}.key > /dev/null
|
||||||
|
|
||||||
# create a current set of keys, and sign the root zone
|
# create a current set of keys, and sign the root zone
|
||||||
$KEYGEN -r $RANDFILE -q $zone > /dev/null
|
$KEYGEN -r $RANDFILE -a RSASHA1 -q $zone > /dev/null
|
||||||
$KEYGEN -r $RANDFILE -qfk $zone > /dev/null
|
$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone > /dev/null
|
||||||
$SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1
|
$SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1
|
||||||
|
@@ -2209,7 +2209,7 @@ echo "I:checking that the NSEC3 record for the apex is properly signed when a DN
|
|||||||
ret=0
|
ret=0
|
||||||
(
|
(
|
||||||
cd ns3
|
cd ns3
|
||||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example`
|
kskname=`$KEYGEN -q -3 -a RSASHA1 -r $RANDFILE -fk update-nsec3.example`
|
||||||
(
|
(
|
||||||
echo zone update-nsec3.example
|
echo zone update-nsec3.example
|
||||||
echo server 10.53.0.3 5300
|
echo server 10.53.0.3 5300
|
||||||
@@ -3247,8 +3247,8 @@ ret=0
|
|||||||
# generate signed zone with MX and AAAA records at apex.
|
# generate signed zone with MX and AAAA records at apex.
|
||||||
(
|
(
|
||||||
cd signer
|
cd signer
|
||||||
$KEYGEN -q -r $RANDFILE -3 -fK remove > /dev/null
|
$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 -fK remove > /dev/null
|
||||||
$KEYGEN -q -r $RANDFILE -3 remove > /dev/null
|
$KEYGEN -q -r $RANDFILE -a RSASHA1 -33 remove > /dev/null
|
||||||
echo > remove.db.signed
|
echo > remove.db.signed
|
||||||
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
|
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
|
||||||
)
|
)
|
||||||
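Review bot: The new ZSK line in this hunk, `$KEYGEN -q -r $RANDFILE -a RSASHA1 -33 remove > /dev/null`, carries a doubled flag `-33` where the old line had `-3`; if `-3` is parsed as an argument-less option it is read as `-3 -3` and is harmless today, but it is a typo that a later option change could turn into a failure. It should read `$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 remove > /dev/null` to match the KSK line directly above it. The subshell begins and ends inside the hunk, but the enclosing test case continues outside it.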
|
@@ -615,8 +615,8 @@ grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
|
|||||||
if [ $ret != 0 ]; then echo "I:setup broken"; fi
|
if [ $ret != 0 ]; then echo "I:setup broken"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
cp ns5/named.conf.post ns5/named.conf
|
cp ns5/named.conf.post ns5/named.conf
|
||||||
(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
|
(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE bits) > /dev/null 2>&1
|
||||||
(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
|
(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE -f KSK bits) > /dev/null 2>&1
|
||||||
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
|
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
|
||||||
for i in 1 2 3 4 5 6 7 8 9 10
|
for i in 1 2 3 4 5 6 7 8 9 10
|
||||||
do
|
do
|
||||||
@@ -870,7 +870,7 @@ status=`expr $status + $ret`
|
|||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo "I:testing imported key won't overwrite a private key ($n)"
|
echo "I:testing imported key won't overwrite a private key ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
key=`$KEYGEN -r $RANDFILE -q import.example`
|
key=`$KEYGEN -r $RANDFILE -q -a rsasha256 import.example`
|
||||||
cp ${key}.key import.key
|
cp ${key}.key import.key
|
||||||
# import should fail
|
# import should fail
|
||||||
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
|
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
|
||||||
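Review bot: The algorithm name is spelled in lowercase here (`-a rsasha256` on the ns5 lines and on the import.example line) while the earlier hunks use uppercase `-a RSASHA1`; dnssec-keygen presumably accepts either spelling, but the commit message gives making RSASHA1 users easy to find as the goal, and the later sections that write `-a rsasha1` will not match a plain `grep RSASHA1` across the tree. Spelling the algorithm consistently in uppercase, e.g. `(cd ns5; $KEYGEN -q -a RSASHA256 -r $RANDFILE bits) > /dev/null 2>&1`, keeps the scripts greppable with one pattern. The same point applies to every later hunk that uses lowercase `rsasha1` or `rsasha256`.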
|
@@ -18,44 +18,44 @@ dir=01-ksk-inactive
|
|||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 2: ZSK goes inactive before successor is active
|
# Test 2: ZSK goes inactive before successor is active
|
||||||
dir=02-zsk-inactive
|
dir=02-zsk-inactive
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 3: KSK is unpublished before its successor is published
|
# Test 3: KSK is unpublished before its successor is published
|
||||||
dir=03-ksk-unpublished
|
dir=03-ksk-unpublished
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 4: ZSK is unpublished before its successor is published
|
# Test 4: ZSK is unpublished before its successor is published
|
||||||
dir=04-zsk-unpublished
|
dir=04-zsk-unpublished
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 5: KSK deleted and successor published before KSK is deactivated
|
# Test 5: KSK deleted and successor published before KSK is deactivated
|
||||||
# and successor activated.
|
# and successor activated.
|
||||||
@@ -63,10 +63,10 @@ dir=05-ksk-unpub-active
|
|||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 6: ZSK deleted and successor published before ZSK is deactivated
|
# Test 6: ZSK deleted and successor published before ZSK is deactivated
|
||||||
# and successor activated.
|
# and successor activated.
|
||||||
@@ -74,33 +74,33 @@ dir=06-zsk-unpub-active
|
|||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 7: KSK rolled with insufficient delay after prepublication.
|
# Test 7: KSK rolled with insufficient delay after prepublication.
|
||||||
dir=07-ksk-ttl
|
dir=07-ksk-ttl
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||||
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
|
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
|
|
||||||
# Test 8: ZSK rolled with insufficient delay after prepublication.
|
# Test 8: ZSK rolled with insufficient delay after prepublication.
|
||||||
dir=08-zsk-ttl
|
dir=08-zsk-ttl
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
# allow only 1 day between publication and activation
|
# allow only 1 day between publication and activation
|
||||||
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
|
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
|
|
||||||
# Test 9: No special preparation needed
|
# Test 9: No special preparation needed
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
@@ -111,8 +111,8 @@ dir=10-change-roll
|
|||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
|
$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
|
||||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||||
|
|
||||||
@@ -121,40 +121,40 @@ dir=11-many-simul
|
|||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
k1=`$KEYGEN -K $dir -q3fk -P now+1mo -A now+1mo example.com`
|
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk -P now+1mo -A now+1mo example.com`
|
||||||
z1=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
|
z1=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
|
||||||
z2=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
|
z2=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
|
||||||
z3=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
|
z3=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
|
||||||
z4=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
|
z4=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
|
||||||
|
|
||||||
# Test 12: Many keys all simultaneously scheduled to be active in the past
|
# Test 12: Many keys all simultaneously scheduled to be active in the past
|
||||||
dir=12-many-active
|
dir=12-many-active
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
k1=`$KEYGEN -K $dir -q3fk example.com`
|
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||||
z1=`$KEYGEN -K $dir -q3 example.com`
|
z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
z2=`$KEYGEN -K $dir -q3 example.com`
|
z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
z3=`$KEYGEN -K $dir -q3 example.com`
|
z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
z4=`$KEYGEN -K $dir -q3 example.com`
|
z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
|
|
||||||
# Test 13: Multiple simultaneous keys with no configured roll period
|
# Test 13: Multiple simultaneous keys with no configured roll period
|
||||||
dir=13-noroll
|
dir=13-noroll
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
k1=`$KEYGEN -K $dir -q3fk example.com`
|
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||||
k2=`$KEYGEN -K $dir -q3fk example.com`
|
k2=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||||
k3=`$KEYGEN -K $dir -q3fk example.com`
|
k3=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||||
z1=`$KEYGEN -K $dir -q3 example.com`
|
z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
|
|
||||||
# Test 14: Keys exist but have the wrong algorithm
|
# Test 14: Keys exist but have the wrong algorithm
|
||||||
dir=14-wrongalg
|
dir=14-wrongalg
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
k1=`$KEYGEN -K $dir -qfk example.com`
|
k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`
|
||||||
z1=`$KEYGEN -K $dir -q example.com`
|
z1=`$KEYGEN -K $dir -a rsasha1 -q example.com`
|
||||||
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
||||||
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
||||||
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
||||||
@@ -167,8 +167,8 @@ dir=15-unspec
|
|||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
k1=`$KEYGEN -K $dir -q3fk example.com`
|
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||||
z1=`$KEYGEN -K $dir -q3 example.com`
|
z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
||||||
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
||||||
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
||||||
@@ -182,8 +182,8 @@ dir=16-wrongalg-unspec
|
|||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
k1=`$KEYGEN -K $dir -qfk example.com`
|
k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`
|
||||||
z1=`$KEYGEN -K $dir -q example.com`
|
z1=`$KEYGEN -K $dir -a rsasha1 -q example.com`
|
||||||
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
||||||
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
||||||
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
||||||
@@ -197,17 +197,17 @@ dir=17-noforce
|
|||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
k1=`$KEYGEN -K $dir -q3fk example.com`
|
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||||
z1=`$KEYGEN -K $dir -q3 example.com`
|
z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
z2=`$KEYGEN -K $dir -q3 example.com`
|
z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
z3=`$KEYGEN -K $dir -q3 example.com`
|
z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
z4=`$KEYGEN -K $dir -q3 example.com`
|
z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||||
|
|
||||||
# Test 18: Prepublication interval is set to a nonstandard value
|
# Test 18: Prepublication interval is set to a nonstandard value
|
||||||
dir=18-nonstd-prepub
|
dir=18-nonstd-prepub
|
||||||
echo I:set up $dir
|
echo I:set up $dir
|
||||||
rm -f $dir/K*.key
|
rm -f $dir/K*.key
|
||||||
rm -f $dir/K*.private
|
rm -f $dir/K*.private
|
||||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||||
$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
|
$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
|
||||||
|
@@ -25,7 +25,7 @@ SYSTEMTESTTOP=../..
|
|||||||
../named-compilezone -D -F map -o example.db.map example-map \
|
../named-compilezone -D -F map -o example.db.map example-map \
|
||||||
example.db > /dev/null 2>&1
|
example.db > /dev/null 2>&1
|
||||||
|
|
||||||
$KEYGEN -q -r $RANDFILE signed > /dev/null 2>&1
|
$KEYGEN -q -a rsasha256 -r $RANDFILE signed > /dev/null 2>&1
|
||||||
$KEYGEN -q -r $RANDFILE -fk signed > /dev/null 2>&1
|
$KEYGEN -q -a rsasha256 -r $RANDFILE -fk signed > /dev/null 2>&1
|
||||||
$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1
|
$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1
|
||||||
../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
|
../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
|
||||||
|
@@ -19,42 +19,42 @@ czone=child.parent.nil
|
|||||||
echo "I:generating keys"
|
echo "I:generating keys"
|
||||||
|
|
||||||
# active zsk
|
# active zsk
|
||||||
zsk=`$KEYGEN -q -r $RANDFILE $czone`
|
zsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $czone`
|
||||||
echo $zsk > zsk.key
|
echo $zsk > zsk.key
|
||||||
|
|
||||||
# not yet published or active
|
# not yet published or active
|
||||||
pending=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
|
pending=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
|
||||||
echo $pending > pending.key
|
echo $pending > pending.key
|
||||||
|
|
||||||
# published but not active
|
# published but not active
|
||||||
standby=`$KEYGEN -q -r $RANDFILE -A none $czone`
|
standby=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
|
||||||
echo $standby > standby.key
|
echo $standby > standby.key
|
||||||
|
|
||||||
# inactive
|
# inactive
|
||||||
inact=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
|
inact=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
|
||||||
echo $inact > inact.key
|
echo $inact > inact.key
|
||||||
|
|
||||||
# active ksk
|
# active ksk
|
||||||
ksk=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
ksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||||
echo $ksk > ksk.key
|
echo $ksk > ksk.key
|
||||||
|
|
||||||
# published but not YET active; will be active in 15 seconds
|
# published but not YET active; will be active in 15 seconds
|
||||||
rolling=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
rolling=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||||
$SETTIME -A now+15s $rolling > /dev/null
|
$SETTIME -A now+15s $rolling > /dev/null
|
||||||
echo $rolling > rolling.key
|
echo $rolling > rolling.key
|
||||||
|
|
||||||
# revoked
|
# revoked
|
||||||
revoke1=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
revoke1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||||
echo $revoke1 > prerev.key
|
echo $revoke1 > prerev.key
|
||||||
revoke2=`$REVOKE $revoke1`
|
revoke2=`$REVOKE $revoke1`
|
||||||
echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key
|
echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key
|
||||||
|
|
||||||
pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
|
pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
|
||||||
echo $pzsk > parent.zsk.key
|
echo $pzsk > parent.zsk.key
|
||||||
|
|
||||||
pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
|
pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
|
||||||
echo $pksk > parent.ksk.key
|
echo $pksk > parent.ksk.key
|
||||||
|
|
||||||
oldstyle=`$KEYGEN -Cq -r $RANDFILE $pzone`
|
oldstyle=`$KEYGEN -Cq -a rsasha1 -r $RANDFILE $pzone`
|
||||||
echo $oldstyle > oldstyle.key
|
echo $oldstyle > oldstyle.key
|
||||||
|
|
||||||
|
@@ -174,7 +174,7 @@ status=`expr $status + $ret`
|
|||||||
echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)"
|
echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
# keygen should print a warning about delete < inactive
|
# keygen should print a warning about delete < inactive
|
||||||
$KEYGEN -q -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
|
$KEYGEN -q -a rsasha1 -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
|
||||||
grep "warning" tmp.out > /dev/null 2>&1 || ret=1
|
grep "warning" tmp.out > /dev/null 2>&1 || ret=1
|
||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||||
@@ -182,15 +182,15 @@ status=`expr $status + $ret`
|
|||||||
|
|
||||||
echo "I:checking correct behavior setting activation without publication date ($n)"
|
echo "I:checking correct behavior setting activation without publication date ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
key=`$KEYGEN -q -r $RANDFILE -A +1w $czone`
|
key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w $czone`
|
||||||
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
||||||
act=`$SETTIME -upA $key | awk '{print $2}'`
|
act=`$SETTIME -upA $key | awk '{print $2}'`
|
||||||
[ $pub -eq $act ] || ret=1
|
[ $pub -eq $act ] || ret=1
|
||||||
key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone`
|
key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -i 1d $czone`
|
||||||
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
||||||
act=`$SETTIME -upA $key | awk '{print $2}'`
|
act=`$SETTIME -upA $key | awk '{print $2}'`
|
||||||
[ $pub -lt $act ] || ret=1
|
[ $pub -lt $act ] || ret=1
|
||||||
key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone`
|
key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -P never $czone`
|
||||||
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
||||||
[ $pub = "UNSET" ] || ret=1
|
[ $pub = "UNSET" ] || ret=1
|
||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
|
@@ -12,8 +12,8 @@ SYSTEMTESTTOP=../..
|
|||||||
zone=.
|
zone=.
|
||||||
zonefile=root.db
|
zonefile=root.db
|
||||||
|
|
||||||
keyname=`$KEYGEN -qfk -r $RANDFILE $zone`
|
keyname=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE $zone`
|
||||||
zskkeyname=`$KEYGEN -q -r $RANDFILE $zone`
|
zskkeyname=`$KEYGEN -a rsasha256 -q -r $RANDFILE $zone`
|
||||||
|
|
||||||
$SIGNER -Sg -r $RANDFILE -o $zone $zonefile > /dev/null 2>&-
|
$SIGNER -Sg -r $RANDFILE -o $zone $zonefile > /dev/null 2>&-
|
||||||
|
|
||||||
|
@@ -57,7 +57,7 @@ status=`expr $status + $ret`
|
|||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo "I: check new trust anchor can be added ($n)"
|
echo "I: check new trust anchor can be added ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
standby1=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
|
standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
|
||||||
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
||||||
sleep 5
|
sleep 5
|
||||||
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
|
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
|
||||||
@@ -241,7 +241,7 @@ status=`expr $status + $ret`
|
|||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo "I: revoke original key, add new standby ($n)"
|
echo "I: revoke original key, add new standby ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
standby2=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
|
standby2=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
|
||||||
$SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null
|
$SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null
|
||||||
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
||||||
sleep 3
|
sleep 3
|
||||||
@@ -276,7 +276,7 @@ status=`expr $status + $ret`
|
|||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo "I: revoke standby before it is trusted ($n)"
|
echo "I: revoke standby before it is trusted ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
standby3=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
|
standby3=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
|
||||||
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
||||||
sleep 3
|
sleep 3
|
||||||
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
|
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
|
||||||
|
@@ -35,8 +35,8 @@ zone=delegation.test.
|
|||||||
infile=delegation.test.db.in
|
infile=delegation.test.db.in
|
||||||
zonefile=delegation.test.db
|
zonefile=delegation.test.db
|
||||||
|
|
||||||
keyname1=`$KEYGEN -q -r $RANDFILE -3 -f KSK $zone`
|
keyname1=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 -f KSK $zone`
|
||||||
keyname2=`$KEYGEN -q -r $RANDFILE -3 $zone`
|
keyname2=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 $zone`
|
||||||
|
|
||||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||||
|
|
||||||
|
@@ -15,8 +15,8 @@ zone=signed
|
|||||||
infile=example.db
|
infile=example.db
|
||||||
zonefile=signed.db
|
zonefile=signed.db
|
||||||
|
|
||||||
key1=`$KEYGEN -q -r $RANDFILE $zone`
|
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
|
||||||
key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||||
|
|
||||||
cat $infile $key1.key $key2.key > $zonefile
|
cat $infile $key1.key $key2.key > $zonefile
|
||||||
|
|
||||||
@@ -26,8 +26,8 @@ zone=nsec3
|
|||||||
infile=example.db
|
infile=example.db
|
||||||
zonefile=nsec3.db
|
zonefile=nsec3.db
|
||||||
|
|
||||||
key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
|
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
|
||||||
key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
|
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
|
||||||
|
|
||||||
cat $infile $key1.key $key2.key > $zonefile
|
cat $infile $key1.key $key2.key > $zonefile
|
||||||
|
|
||||||
|
@@ -15,8 +15,8 @@ zone=signed
|
|||||||
infile=example.db
|
infile=example.db
|
||||||
zonefile=signed.db
|
zonefile=signed.db
|
||||||
|
|
||||||
key1=`$KEYGEN -q -r $RANDFILE $zone`
|
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
|
||||||
key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||||
|
|
||||||
cat $infile $key1.key $key2.key > $zonefile
|
cat $infile $key1.key $key2.key > $zonefile
|
||||||
|
|
||||||
@@ -26,8 +26,8 @@ zone=nsec3
|
|||||||
infile=example.db
|
infile=example.db
|
||||||
zonefile=nsec3.db
|
zonefile=nsec3.db
|
||||||
|
|
||||||
key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
|
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
|
||||||
key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
|
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
|
||||||
|
|
||||||
cat $infile $key1.key $key2.key > $zonefile
|
cat $infile $key1.key $key2.key > $zonefile
|
||||||
|
|
||||||
|
@@ -15,8 +15,8 @@ zone=ds.example.net
|
|||||||
zonefile="${zone}.db"
|
zonefile="${zone}.db"
|
||||||
infile="${zonefile}.in"
|
infile="${zonefile}.in"
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||||
zsk=`$KEYGEN -q -3 -r $RANDFILE -b 2048 $zone`
|
zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -b 2048 $zone`
|
||||||
cat $ksk.key $zsk.key >> $zonefile
|
cat $ksk.key $zsk.key >> $zonefile
|
||||||
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
@@ -24,8 +24,8 @@ zone=example.net
|
|||||||
zonefile="${zone}.db"
|
zonefile="${zone}.db"
|
||||||
infile="${zonefile}.in"
|
infile="${zonefile}.in"
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
|
||||||
cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
|
cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
|
||||||
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
|
@@ -30,7 +30,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
|
|||||||
|
|
||||||
# $1=directory, $2=domain name, $3=input zone file, $4=output file
|
# $1=directory, $2=domain name, $3=input zone file, $4=output file
|
||||||
signzone () {
|
signzone () {
|
||||||
KEYNAME=`$KEYGEN -q -r $RANDFILE -b 1024 -K $1 $2`
|
KEYNAME=`$KEYGEN -q -a rsasha256 -r $RANDFILE -K $1 $2`
|
||||||
cat $1/$3 $1/$KEYNAME.key > $1/tmp
|
cat $1/$3 $1/$KEYNAME.key > $1/tmp
|
||||||
$SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
|
$SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
|
||||||
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
|
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
|
||||||
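Review bot: The new KEYNAME line, `$KEYGEN -q -a rsasha256 -r $RANDFILE -K $1 $2`, also drops the `-b 1024` that the old line carried, so the key size now comes from dnssec-keygen's default for this key type rather than being pinned by the test; that is a change beyond the stated purpose of adding `-a`. If the size no longer matters, a comment such as `# key size left to the dnssec-keygen default` above the line would record the decision; otherwise keep `-b 1024` on the new line. The signzone function continues outside the hunk.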
|
@@ -21,39 +21,39 @@ cfile=child.db
|
|||||||
|
|
||||||
echo "I:generating child's keys"
|
echo "I:generating child's keys"
|
||||||
# active zsk
|
# active zsk
|
||||||
czsk1=`$KEYGEN -q -r $RANDFILE -L 30 $czone`
|
czsk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -L 30 $czone`
|
||||||
|
|
||||||
# not yet published or active
|
# not yet published or active
|
||||||
czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
|
czsk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
|
||||||
|
|
||||||
# published but not active
|
# published but not active
|
||||||
czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
|
czsk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
|
||||||
|
|
||||||
# inactive
|
# inactive
|
||||||
czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
|
czsk4=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
|
||||||
|
|
||||||
# active in 12 hours, inactive 12 hours after that...
|
# active in 12 hours, inactive 12 hours after that...
|
||||||
czsk5=`$KEYGEN -q -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
|
czsk5=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
|
||||||
|
|
||||||
# explicit successor to czk5
|
# explicit successor to czk5
|
||||||
# (suppressing warning about lack of removal date)
|
# (suppressing warning about lack of removal date)
|
||||||
czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-`
|
czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-`
|
||||||
|
|
||||||
# active ksk
|
# active ksk
|
||||||
cksk1=`$KEYGEN -q -r $RANDFILE -fk -L 30 $czone`
|
cksk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk -L 30 $czone`
|
||||||
|
|
||||||
# published but not YET active; will be active in 20 seconds
|
# published but not YET active; will be active in 20 seconds
|
||||||
cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
cksk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||||
# $SETTIME moved after other $KEYGENs
|
# $SETTIME moved after other $KEYGENs
|
||||||
|
|
||||||
echo I:revoking key
|
echo I:revoking key
|
||||||
# revoking key changes its ID
|
# revoking key changes its ID
|
||||||
cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
cksk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||||
cksk4=`$REVOKE $cksk3`
|
cksk4=`$REVOKE $cksk3`
|
||||||
|
|
||||||
echo I:generating parent keys
|
echo I:generating parent keys
|
||||||
pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
|
pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
|
||||||
pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
|
pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
|
||||||
|
|
||||||
echo "I:setting child's activation time"
|
echo "I:setting child's activation time"
|
||||||
# using now+30s to fix RT 24561
|
# using now+30s to fix RT 24561
|
||||||
|
@@ -26,7 +26,7 @@ while test "$#" -gt 0; do
quiet=1
quiet=1
;;
;;
rsa|RSA)
rsa|RSA)
alg=""
alg="-a RSASHA1"
msg1="RSA cryptography"
msg1="RSA cryptography"
;;
;;
gost|GOST)
gost|GOST)
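Review bot: The `rsa|RSA)` branch now pins `alg="-a RSASHA1"`, the very algorithm this commit is steering users away from, while other setups in the same commit (e.g. the `setup zsk-only.nsec good` hunk) switch to rsasha256; without a comment, a later cleanup is likely to "fix" this branch and silently change what the test exercises. Either add `# RSASHA1 on purpose: this case exercises the legacy RSA/SHA-1 code path` above the assignment, or, if the test has no SHA-1 dependency, use `alg="-a RSASHA256"` here too so the tree is consistent with the commit's stated goal. The enclosing `case` and `while` loop begin outside the hunk, so how `$alg` is consumed is not visible here.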
@@ -27,83 +27,83 @@ cp unsigned.db unsigned.bad
# A set of nsec zones.
# A set of nsec zones.
setup zsk-only.nsec good
setup zsk-only.nsec good
$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk-only.nsec good
setup ksk-only.nsec good
$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.nsec good
setup ksk+zsk.nsec good
$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
# A set of nsec3 zones.
# A set of nsec3 zones.
setup zsk-only.nsec3 good
setup zsk-only.nsec3 good
$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk-only.nsec3 good
setup ksk-only.nsec3 good
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.nsec3 good
setup ksk+zsk.nsec3 good
$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.outout good
setup ksk+zsk.outout good
$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
# A set of zones with only DNSKEY records.
# A set of zones with only DNSKEY records.
setup zsk-only.dnskeyonly bad
setup zsk-only.dnskeyonly bad
key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
cat unsigned.db $key1.key > ${file}
cat unsigned.db $key1.key > ${file}
setup ksk-only.dnskeyonly bad
setup ksk-only.dnskeyonly bad
key1=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
key1=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
cat unsigned.db $key1.key > ${file}
cat unsigned.db $key1.key > ${file}
setup ksk+zsk.dnskeyonly bad
setup ksk+zsk.dnskeyonly bad
key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
key2=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
key2=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
cat unsigned.db $key1.key $key2.key > ${file}
cat unsigned.db $key1.key $key2.key > ${file}
# A set of zones with expired records
# A set of zones with expired records
s="-s -2678400"
s="-s -2678400"
setup zsk-only.nsec.expired bad
setup zsk-only.nsec.expired bad
$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk-only.nsec.expired bad
setup ksk-only.nsec.expired bad
$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.nsec.expired bad
setup ksk+zsk.nsec.expired bad
$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup zsk-only.nsec3.expired bad
setup zsk-only.nsec3.expired bad
$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk-only.nsec3.expired bad
setup ksk-only.nsec3.expired bad
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.nsec3.expired bad
setup ksk+zsk.nsec3.expired bad
$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
# ksk expired
# ksk expired
setup ksk+zsk.nsec.ksk-expired bad
setup ksk+zsk.nsec.ksk-expired bad
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
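Review bot: The rewritten dnskeyonly lines `key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n` send keygen's stderr to `kg.out` but dump `kg.out$n` on failure, so a key-generation error prints the wrong (or a stale) file; the commit touches these lines yet leaves the mismatch, and the same applies to the `-fK` line and to the `key1`/`key2` pair in the ksk+zsk.dnskeyonly setup. Change the redirection to `2>kg.out$n` so it matches every other keygen line in this hunk. Separately, the nsec3 setups lose `-3` when `-a rsasha256` is added; RSASHA256 signs both NSEC and NSEC3 zones, so nothing changes, but a comment on the first one, `# -3 not needed: RSASHA256 is NSEC3-capable`, would reassure a reader who compares these lines against the `$SIGNER -3 -` invocations. The later hunks for this file (ksk-expired, missing-empty, extra-nsec3) make the same `-3` drop and need no separate note.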
@@ -112,8 +112,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
setup ksk+zsk.nsec3.ksk-expired bad
setup ksk+zsk.nsec3.ksk-expired bad
zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
@@ -123,8 +123,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
# broken nsec chain
# broken nsec chain
setup ksk+zsk.nsec.broken-chain bad
setup ksk+zsk.nsec.broken-chain bad
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
@@ -132,8 +132,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
# bad nsec bitmap
# bad nsec bitmap
setup ksk+zsk.nsec.bad-bitmap bad
setup ksk+zsk.nsec.bad-bitmap bad
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
@@ -141,8 +141,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
# extra NSEC record out side of zone
# extra NSEC record out side of zone
setup ksk+zsk.nsec.out-of-zone-nsec bad
setup ksk+zsk.nsec.out-of-zone-nsec bad
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
@@ -150,8 +150,8 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>
# extra NSEC record below bottom of one
# extra NSEC record below bottom of one
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
@@ -163,8 +163,8 @@ awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${fil
# extract the hash fields from the empty node's NSEC 3 record then fix up
# extract the hash fields from the empty node's NSEC 3 record then fix up
# the NSEC3 chain to remove it
# the NSEC3 chain to remove it
setup ksk+zsk.nsec3.missing-empty bad
setup ksk+zsk.nsec3.missing-empty bad
zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}`
a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}`
@@ -177,8 +177,8 @@ $SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s
# extra NSEC3 record
# extra NSEC3 record
setup ksk+zsk.nsec3.extra-nsec3 bad
setup ksk+zsk.nsec3.extra-nsec3 bad
zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
awk '
awk '
@@ -26,11 +26,11 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
# same source of "random" data and we want different keys for
# same source of "random" data and we want different keys for
# internal and external instances of inline.
# internal and external instances of inline.
#
#
$KEYGEN -K ns2/internal -r $RANDFILE -3q inline > /dev/null 2>&1
$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
$KEYGEN -K ns2/internal -r $RANDFILE -3qfk inline > /dev/null 2>&1
$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
k1=`$KEYGEN -K ns2/external -r $RANDFILE -3q inline 2> /dev/null`
k1=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline 2> /dev/null`
k2=`$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline 2> /dev/null`
k2=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline 2> /dev/null`
$KEYGEN -K ns2/external -r $RANDFILE -3q inline > /dev/null 2>&1
$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline > /dev/null 2>&1
$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
test -n "$k1" && rm -f ns2/external/$k1.*
test -n "$k1" && rm -f ns2/external/$k1.*
test -n "$k2" && rm -f ns2/external/$k2.*
test -n "$k2" && rm -f ns2/external/$k2.*
@@ -19,8 +19,8 @@ cp bigserial.db ns1/
cd ns1
cd ns1
touch master.db.signed
touch master.db.signed
echo '$INCLUDE "master.db.signed"' >> master.db
echo '$INCLUDE "master.db.signed"' >> master.db
$KEYGEN -r $RANDFILE -3q master.example > /dev/null 2>&1
$KEYGEN -r $RANDFILE -a rsasha256 -q master.example > /dev/null 2>&1
$KEYGEN -r $RANDFILE -3qfk master.example > /dev/null 2>&1
$KEYGEN -r $RANDFILE -a rsasha256 -qfk master.example > /dev/null 2>&1
$SIGNER -SD -o master.example master.db > /dev/null \
$SIGNER -SD -o master.example master.db > /dev/null \
2> signer.err || cat signer.err
2> signer.err || cat signer.err
echo '$INCLUDE "soa.db"' > reload.db
echo '$INCLUDE "soa.db"' > reload.db
@@ -433,6 +433,17 @@
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<itemizedlist>
<listitem>
<para>
<command>dnssec-keygen</command> no longer has default
algorithm settings. It is necessary to explicitly specify the
algorithm on the command line with the <option>-a</option> option
when generating keys. This may cause errors with existing signing
scripts if they rely on current defaults. The intent is to
reduce the long-term cost of transitioning to newer algorithms in
the event of RSASHA1 being deprecated. [RT #44755]
</para>
</listitem>
<listitem>
<listitem>
<para>
<para>
Threads in <command>named</command> are now set to human-readable
Threads in <command>named</command> are now set to human-readable
@@ -131,7 +131,9 @@
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
{ DNS_KEYALG_ED448, "ED448", 0 }, \
{ DNS_KEYALG_ED448, "ED448", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
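Review bot: The added rows `{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \` and `{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \` give a second name to algorithm values that already have one, yet neither the CHANGES entry nor the release note mentions the new aliases; since they are what makes the shorter spellings accepted with `-a`, they should be documented alongside the removed default. If this table is also consulted for value-to-text conversion, the alias row must stay after the canonical row so that existing output (`ECDSAP256SHA256`, `ECDSAP384SHA384`) is unchanged; a comment such as `/* short alias; keep after the canonical name so text lookups are unaffected */` above each new row would pin that ordering. The macro this table belongs to starts and ends outside the hunk, so the lookup direction cannot be confirmed from here.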