[master] remove default algorithm in dnssec-keygen
4594. [func] dnssec-keygen no longer uses RSASHA1 by default; the signing algorithm must be specified on the command line with the "-a" option. Signing scripts that rely on the existing default behavior will break; use "dnssec-keygen -a RSASHA1" to repair them. (The goal of this change is to make it easier to find scripts using RSASHA1 so they can be changed in the event of that algorithm being deprecated in the future.) [RT #44755]
10
CHANGES
10
CHANGES
@@ -1,3 +1,13 @@
|
||||
4594. [func] dnssec-keygen no longer uses RSASHA1 by default;
|
||||
the signing algorithm must be specified on
|
||||
the command line with the "-a" option. Signing
|
||||
scripts that rely on the existing default behavior
|
||||
will break; use "dnssec-keygen -a RSASHA1" to
|
||||
repair them. (The goal of this change is to make
|
||||
it easier to find scripts using RSASHA1 so they
|
||||
can be changed in the event of that algorithm
|
||||
being deprecated in the future.) [RT #44755]
|
||||
|
||||
4693. [func] Synthesis of responses from DNSSEC-verified records.
|
||||
Stage 1 covers NXDOMAIN synthesis from NSEC records.
|
||||
This is controlled by synth-from-dnssec and is enabled
|
||||
|
@@ -46,15 +46,6 @@
|
||||
const char *program = "dnssec-keyfromlabel";
|
||||
int verbose;
|
||||
|
||||
#define DEFAULT_ALGORITHM "RSASHA1"
|
||||
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
|
||||
|
||||
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
|
||||
" NSEC3DSA | NSEC3RSASHA1 |"
|
||||
" RSASHA256 | RSASHA512 | ECCGOST |"
|
||||
" ECDSAP256SHA256 | ECDSAP384SHA384 |"
|
||||
" ED25519 | ED448";
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
@@ -68,9 +59,11 @@ usage(void) {
|
||||
fprintf(stderr, " -l label: label of the key pair\n");
|
||||
fprintf(stderr, " name: owner of the key\n");
|
||||
fprintf(stderr, "Other options:\n");
|
||||
fprintf(stderr, " -a algorithm: %s\n", algs);
|
||||
fprintf(stderr, " (default: RSASHA1, or "
|
||||
"NSEC3RSASHA1 if using -3)\n");
|
||||
fprintf(stderr, " -a algorithm: \n"
|
||||
" RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
|
||||
" NSEC3DSA | NSEC3RSASHA1 |\n"
|
||||
" RSASHA256 | RSASHA512 | ECCGOST |\n"
|
||||
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
|
||||
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
|
||||
fprintf(stderr, " -c class (default: IN)\n");
|
||||
fprintf(stderr, " -E <engine>:\n");
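Review bot: The new inline -a help text stops at ECDSAP384SHA384 and drops ED25519 and ED448, which the removed `algs` string listed and which the NSEC3 compatibility switch later in main() still accepts, so the usage output now under-reports what the tool takes. Extend the last line of that fprintf to `" ECDSAP256SHA256 | ECDSAP384SHA384 |\n"` followed by `" ED25519 | ED448\n");`. The trailing space in `" -a algorithm: \n"` can go at the same time. usage() continues outside the hunk.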
|
||||
@@ -394,16 +387,7 @@ main(int argc, char **argv) {
|
||||
}
|
||||
|
||||
if (algname == NULL) {
|
||||
if (use_nsec3)
|
||||
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
|
||||
else
|
||||
algname = strdup(DEFAULT_ALGORITHM);
|
||||
if (algname == NULL)
|
||||
fatal("strdup failed");
|
||||
freeit = algname;
|
||||
if (verbose > 0)
|
||||
fprintf(stderr, "no algorithm specified; "
|
||||
"defaulting to %s\n", algname);
|
||||
fatal("no algorithm specified");
|
||||
}
|
||||
|
||||
if (strcasecmp(algname, "RSA") == 0) {
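Review bot: With the strdup() fallback removed, `freeit = algname` was the only assignment to `freeit` visible in this hunk; if no other assignment exists elsewhere in main() (not visible here), `freeit` is now a write-never variable that -Wunused-but-set-variable will flag and the corresponding free() is dead code that can be dropped. The same removal appears in the dnssec-keygen hunk headed `@@ -537,17 +531,7 @@`. main() continues on both sides of the hunk.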
|
||||
@@ -434,15 +418,29 @@ main(int argc, char **argv) {
|
||||
options |= DST_TYPE_KEY;
|
||||
}
|
||||
|
||||
if (use_nsec3 &&
|
||||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
|
||||
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
|
||||
alg != DST_ALG_ECCGOST &&
|
||||
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
|
||||
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
|
||||
if (use_nsec3) {
|
||||
switch (alg) {
|
||||
case DST_ALG_DSA:
|
||||
alg = DST_ALG_NSEC3DSA;
|
||||
break;
|
||||
case DST_ALG_RSASHA1:
|
||||
alg = DST_ALG_NSEC3RSASHA1;
|
||||
break;
|
||||
case DST_ALG_NSEC3DSA:
|
||||
case DST_ALG_NSEC3RSASHA1:
|
||||
case DST_ALG_RSASHA256:
|
||||
case DST_ALG_RSASHA512:
|
||||
case DST_ALG_ECCGOST:
|
||||
case DST_ALG_ECDSA256:
|
||||
case DST_ALG_ECDSA384:
|
||||
case DST_ALG_ED25519:
|
||||
case DST_ALG_ED448:
|
||||
break;
|
||||
default:
|
||||
fatal("%s is incompatible with NSEC3; "
|
||||
"do not use the -3 option", algname);
|
||||
}
|
||||
}
|
||||
|
||||
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
|
||||
if (strcasecmp(type, "NOAUTH") == 0)
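Review bot: The `case DST_ALG_DSA` and `case DST_ALG_RSASHA1` arms rewrite `alg` to the NSEC3 variant while `algname` keeps the user-supplied string, so any later diagnostic or log line built from `algname` would name RSASHA1 although an NSEC3RSASHA1 key is produced; the same switch is added in the dnssec-keygen hunk headed `@@ -601,15 +585,29 @@`. A verbose trace after the switch, e.g. `if (verbose > 0) fprintf(stderr, "-3 given; using NSEC3 variant of %s\n", algname);`, would make the substitution visible to scripts that are being migrated off implicit defaults. Whether algname is used after this point is outside the hunk.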
|
||||
|
@@ -104,7 +104,6 @@
|
||||
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
|
||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
|
||||
These values are case insensitive.
|
||||
</para>
|
||||
<para>
|
||||
If no algorithm is specified, then RSASHA1 will be used by
|
||||
@@ -114,11 +113,17 @@
|
||||
that algorithm will be checked for compatibility with NSEC3.)
|
||||
</para>
|
||||
<para>
|
||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
||||
algorithm, and DSA is recommended.
|
||||
These values are case insensitive. In some cases, abbreviations
|
||||
are supported, such as ECDSA256 for ECDSAP256SHA256 and
|
||||
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
|
||||
along with the <option>-3</option> option, then NSEC3RSASHA1
|
||||
or NSEC3DSA will be used instead.
|
||||
</para>
|
||||
<para>
|
||||
Note 2: DH automatically sets the -k flag.
|
||||
As of BIND 9.12.0, this option is mandatory except when using
|
||||
the <option>-S</option> option (which copies the algorithm from
|
||||
the predecessory key). Previously, the default for newly
|
||||
generated keys was RSASHA1.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -128,9 +133,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||
If this option is used and no algorithm is explicitly
|
||||
set on the command line, NSEC3RSASHA1 will be used by
|
||||
default.
|
||||
If this option is used with an algorithm that has both
|
||||
NSEC and NSEC3 versions, then the NSEC3 version will be
|
||||
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
|
||||
specifies the NSEC3RSASHA1 algorithm.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@@ -61,9 +61,6 @@
|
||||
const char *program = "dnssec-keygen";
|
||||
int verbose;
|
||||
|
||||
#define DEFAULT_ALGORITHM "RSASHA1"
|
||||
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
||||
@@ -86,8 +83,6 @@ usage(void) {
|
||||
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
|
||||
"HMAC-SHA256 | \n");
|
||||
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
|
||||
fprintf(stderr, " (default: RSASHA1, or "
|
||||
"NSEC3RSASHA1 if using -3)\n");
|
||||
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
|
||||
fprintf(stderr, " -b <key size in bits>:\n");
|
||||
fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA);
|
||||
@@ -110,9 +105,8 @@ usage(void) {
|
||||
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
|
||||
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
|
||||
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
|
||||
fprintf(stderr, " (if using the default algorithm, key size\n"
|
||||
" defaults to 2048 for KSK, or 1024 for all "
|
||||
"others)\n");
|
||||
fprintf(stderr, " (key size defaults are set according to\n"
|
||||
" algorithm and usage (ZSK or KSK)\n");
|
||||
fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
|
||||
"USER | OTHER\n");
|
||||
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
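Review bot: The new key-size note never closes its outer parenthesis: `"(key size defaults are set according to\n"` opens one and `" algorithm and usage (ZSK or KSK)\n"` closes only the inner pair, whereas the removed text ended with `others)\n`. Change the second line to `" algorithm and usage (ZSK or KSK))\n");`. usage() continues outside the hunk.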
|
||||
@@ -240,7 +234,7 @@ main(int argc, char **argv) {
|
||||
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
|
||||
int dbits = 0;
|
||||
dns_ttl_t ttl = 0;
|
||||
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
|
||||
isc_boolean_t use_nsec3 = ISC_FALSE;
|
||||
isc_stdtime_t publish = 0, activate = 0, revokekey = 0;
|
||||
isc_stdtime_t inactive = 0, deltime = 0;
|
||||
isc_stdtime_t now;
|
||||
@@ -537,17 +531,7 @@ main(int argc, char **argv) {
|
||||
isc_result_totext(ret));
|
||||
|
||||
if (algname == NULL) {
|
||||
use_default = ISC_TRUE;
|
||||
if (use_nsec3)
|
||||
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
|
||||
else
|
||||
algname = strdup(DEFAULT_ALGORITHM);
|
||||
if (algname == NULL)
|
||||
fatal("strdup failed");
|
||||
freeit = algname;
|
||||
if (verbose > 0)
|
||||
fprintf(stderr, "no algorithm specified; "
|
||||
"defaulting to %s\n", algname);
|
||||
fatal("no algorithm specified");
|
||||
}
|
||||
|
||||
if (strcasecmp(algname, "RSA") == 0) {
|
||||
@@ -601,15 +585,29 @@ main(int argc, char **argv) {
|
||||
if (!dst_algorithm_supported(alg))
|
||||
fatal("unsupported algorithm: %d", alg);
|
||||
|
||||
if (use_nsec3 &&
|
||||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
|
||||
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
|
||||
alg != DST_ALG_ECCGOST &&
|
||||
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
|
||||
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
|
||||
if (use_nsec3) {
|
||||
switch (alg) {
|
||||
case DST_ALG_DSA:
|
||||
alg = DST_ALG_NSEC3DSA;
|
||||
break;
|
||||
case DST_ALG_RSASHA1:
|
||||
alg = DST_ALG_NSEC3RSASHA1;
|
||||
break;
|
||||
case DST_ALG_NSEC3DSA:
|
||||
case DST_ALG_NSEC3RSASHA1:
|
||||
case DST_ALG_RSASHA256:
|
||||
case DST_ALG_RSASHA512:
|
||||
case DST_ALG_ECCGOST:
|
||||
case DST_ALG_ECDSA256:
|
||||
case DST_ALG_ECDSA384:
|
||||
case DST_ALG_ED25519:
|
||||
case DST_ALG_ED448:
|
||||
break;
|
||||
default:
|
||||
fatal("%s is incompatible with NSEC3; "
|
||||
"do not use the -3 option", algname);
|
||||
}
|
||||
}
|
||||
|
||||
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
|
||||
if (strcasecmp(type, "NOAUTH") == 0)
|
||||
@@ -629,22 +627,32 @@ main(int argc, char **argv) {
|
||||
}
|
||||
|
||||
if (size < 0) {
|
||||
if (use_default) {
|
||||
if ((kskflag & DNS_KEYFLAG_KSK) != 0)
|
||||
switch (alg) {
|
||||
case DST_ALG_RSASHA1:
|
||||
case DST_ALG_NSEC3RSASHA1:
|
||||
case DST_ALG_RSASHA256:
|
||||
case DST_ALG_RSASHA512:
|
||||
if ((kskflag & DNS_KEYFLAG_KSK) != 0) {
|
||||
size = 2048;
|
||||
else
|
||||
} else {
|
||||
size = 1024;
|
||||
if (verbose > 0)
|
||||
}
|
||||
if (verbose > 0) {
|
||||
fprintf(stderr, "key size not "
|
||||
"specified; defaulting"
|
||||
" to %d\n", size);
|
||||
} else if (alg != DST_ALG_ECCGOST &&
|
||||
alg != DST_ALG_ECDSA256 &&
|
||||
alg != DST_ALG_ECDSA384 &&
|
||||
alg != DST_ALG_ED25519 &&
|
||||
alg != DST_ALG_ED448)
|
||||
}
|
||||
break;
|
||||
case DST_ALG_ECCGOST:
|
||||
case DST_ALG_ECDSA256:
|
||||
case DST_ALG_ECDSA384:
|
||||
case DST_ALG_ED25519:
|
||||
case DST_ALG_ED448:
|
||||
break;
|
||||
default:
|
||||
fatal("key size not specified (-b option)");
|
||||
}
|
||||
}
|
||||
|
||||
if (!oldstyle && prepub > 0) {
|
||||
if (setpub && setact && (activate - prepub) < publish)
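Review bot: The new switch applies the 1024-bit ZSK / 2048-bit KSK default whenever `-a` names one of the four RSA algorithms and `-b` is omitted, whereas the removed `use_default` branch applied it only when no algorithm was given and an explicit `-a RSASHA256` without `-b` was fatal; this widening is not mentioned in the description. Given that the commit's stated goal is to force explicit choices, and that 1024-bit RSA is generally considered too short for new signing keys, it would be more consistent either to keep requiring `-b` once an algorithm is explicit or at least to raise the ZSK fallback to `size = 2048;`. The docbook hunk headed `@@ -152,13 +158,11 @@` documents the 1024-bit default and would have to change with it. main() continues on both sides of the hunk.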
|
||||
|
@@ -53,7 +53,7 @@
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis sepchar=" ">
|
||||
<command>dnssec-keygen</command>
|
||||
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
|
||||
<arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
|
||||
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
|
||||
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
|
||||
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
|
||||
@@ -101,6 +101,13 @@
|
||||
line. For DNSSEC keys, this must match the name of the zone for
|
||||
which the key is being generated.
|
||||
</para>
|
||||
<para>
|
||||
The <command>dnssec-keymgr</command> command acts as a wrapper
|
||||
around <command>dnssec-keygen</command>, generating and updating keys
|
||||
as needed to enforce defined security policies such as key rollover
|
||||
scheduling. Using <command>dnssec-keymgr</command> may be preferable
|
||||
to direct use of <command>dnssec-keygen</command>.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection><info><title>OPTIONS</title></info>
|
||||
@@ -114,27 +121,26 @@
|
||||
Selects the cryptographic algorithm. For DNSSEC keys, the value
|
||||
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
|
||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
|
||||
For TSIG/TKEY, the value must
|
||||
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
|
||||
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
|
||||
case insensitive.
|
||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
|
||||
TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
|
||||
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
|
||||
or HMAC-SHA512; specifying any of these algorithms will
|
||||
automatically set the <option>-T KEY</option> option as well.
|
||||
(Note: <command>tsig-keygen</command> produces TSIG keys in a
|
||||
more useful format than <command>dnssec-keygen</command>.)
|
||||
</para>
|
||||
<para>
|
||||
If no algorithm is specified, then RSASHA1 will be used by
|
||||
default, unless the <option>-3</option> option is specified,
|
||||
in which case NSEC3RSASHA1 will be used instead. (If
|
||||
<option>-3</option> is used and an algorithm is specified,
|
||||
that algorithm will be checked for compatibility with NSEC3.)
|
||||
These values are case insensitive. In some cases, abbreviations
|
||||
are supported, such as ECDSA256 for ECDSAP256SHA256 and
|
||||
ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
|
||||
along with the <option>-3</option> option, then NSEC3RSASHA1
|
||||
or NSEC3DSA will be used instead.
|
||||
</para>
|
||||
<para>
|
||||
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
||||
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
|
||||
mandatory.
|
||||
</para>
|
||||
<para>
|
||||
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
|
||||
automatically set the -T KEY option.
|
||||
As of BIND 9.12.0, this option is mandatory except when using
|
||||
the <option>-S</option> option (which copies the algorithm from
|
||||
the predecessor key). Previously, the default for newly
|
||||
generated keys was RSASHA1.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -152,13 +158,11 @@
|
||||
this parameter.
|
||||
</para>
|
||||
<para>
|
||||
The key size does not need to be specified if using a default
|
||||
algorithm. The default key size is 1024 bits for zone signing
|
||||
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
|
||||
generated with <option>-f KSK</option>). However, if an
|
||||
algorithm is explicitly specified with the <option>-a</option>,
|
||||
then there is no default key size, and the <option>-b</option>
|
||||
must be used.
|
||||
If the key size is not specified, some algorithms have
|
||||
pre-defined defaults. For example, RSA keys for use as
|
||||
DNSSEC zone signing keys have a default size of 1024 bits;
|
||||
RSA keys for use as key signing keys (KSKs, generated with
|
||||
<option>-f KSK</option>) default to 2048 bits.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -169,11 +173,10 @@
|
||||
<para>
|
||||
Specifies the owner type of the key. The value of
|
||||
<option>nametype</option> must either be ZONE (for a DNSSEC
|
||||
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
|
||||
a host (KEY)),
|
||||
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
|
||||
These values are case insensitive. Defaults to ZONE for DNSKEY
|
||||
generation.
|
||||
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
|
||||
with a host (KEY)), USER (for a key associated with a
|
||||
user(KEY)) or OTHER (DNSKEY). These values are case
|
||||
insensitive. Defaults to ZONE for DNSKEY generation.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -183,11 +186,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Use an NSEC3-capable algorithm to generate a DNSSEC key.
|
||||
If this option is used and no algorithm is explicitly
|
||||
set on the command line, NSEC3RSASHA1 will be used by
|
||||
default. Note that RSASHA256, RSASHA512, ECCGOST,
|
||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
|
||||
algorithms are NSEC3-capable.
|
||||
If this option is used with an algorithm that has both
|
||||
NSEC and NSEC3 versions, then the NSEC3 version will be
|
||||
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
|
||||
specifies the NSEC3RSASHA1 algorithm.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -394,8 +396,8 @@
|
||||
overridden to KEY for use with SIG(0).
|
||||
<para>
|
||||
</para>
|
||||
Using any TSIG algorithm (HMAC-* or DH) forces this option
|
||||
to KEY.
|
||||
Specifying any TSIG algorithm (HMAC-* or DH) with
|
||||
<option>-a</option> forces this option to KEY.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@@ -17,18 +17,18 @@ infile=root.db.in
|
||||
|
||||
cat $infile ../ns2/dsset-example$TP > $zonefile
|
||||
|
||||
zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
|
||||
zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
|
||||
zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
|
||||
zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
|
||||
zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
|
||||
zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
|
||||
zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone`
|
||||
zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
|
||||
zskact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
|
||||
zskvanish=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
|
||||
zskdel=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -D now $zone`
|
||||
zskinact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -I now $zone`
|
||||
zskunpub=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -G $zone`
|
||||
zsksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A none $zone`
|
||||
zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A now -P +1d $zone`
|
||||
zsknopriv=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
|
||||
rm $zsknopriv.private
|
||||
|
||||
ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
|
||||
kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
|
||||
ksksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -P now -A now+15s -fk $zone`
|
||||
kskrev=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -R now+15s -fk $zone`
|
||||
|
||||
cat $ksksby.key | grep -v '^; ' | $PERL -n -e '
|
||||
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
||||
|
@@ -23,16 +23,16 @@ zonefile="${zone}.db"
|
||||
infile="${zonefile}.in"
|
||||
cat $infile dsset-*.example$TP > $zonefile
|
||||
|
||||
kskname=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
|
||||
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
|
||||
kskname=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
|
||||
$DSFROMKEY $kskname.key > dsset-${zone}$TP
|
||||
|
||||
# Create keys for a private secure zone.
|
||||
zone=private.secure.example
|
||||
zonefile="${zone}.db"
|
||||
infile="${zonefile}.in"
|
||||
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
|
||||
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
|
||||
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
|
||||
cat $ksk.key | grep -v '^; ' | $PERL -n -e '
|
||||
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
||||
local $key = join("", @rest);
|
||||
@@ -55,5 +55,5 @@ for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
|
||||
do
|
||||
cp $i `echo $i | sed s/X/K/`
|
||||
done
|
||||
$KEYGEN -q -r $RANDFILE $zone > /dev/null
|
||||
$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > /dev/null
|
||||
$DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP
|
||||
|
@@ -27,8 +27,8 @@ setup () {
|
||||
|
||||
setup secure.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -36,8 +36,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup secure.nsec3.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -45,8 +45,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup nsec3.nsec3.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -54,8 +54,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup optout.nsec3.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -63,8 +63,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup nsec3.example
|
||||
cat $infile dsset-*.${zone}$TP > $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -72,9 +72,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup autonsec3.example
|
||||
cat $infile > $zonefile
|
||||
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
echo $ksk > ../autoksk.key
|
||||
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||
zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||
echo $zsk > ../autozsk.key
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
@@ -83,8 +83,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup secure.optout.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -92,8 +92,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup nsec3.optout.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -101,8 +101,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup optout.optout.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -110,8 +110,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup optout.example
|
||||
cat $infile dsset-*.${zone}$TP > $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -137,8 +137,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup nsec.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
@@ -147,8 +147,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
#
|
||||
setup oldsigs.example
|
||||
cp $infile $zonefile
|
||||
$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||
|
||||
#
|
||||
@@ -164,8 +164,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||
# keys via nsupdate
|
||||
#
|
||||
setup secure-to-insecure.example
|
||||
$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||
|
||||
#
|
||||
@@ -173,9 +173,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||
# removal of keys on schedule.
|
||||
#
|
||||
setup secure-to-insecure2.example
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
echo $ksk > ../del1.key
|
||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||
zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||
echo $zsk > ../del2.key
|
||||
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||
|
||||
@@ -184,8 +184,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||
#
|
||||
setup prepub.example
|
||||
infile="secure-to-insecure2.example.db.in"
|
||||
$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||
|
||||
#
|
||||
@@ -194,35 +194,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
|
||||
|
||||
# no default key TTL; DNSKEY should get SOA TTL
|
||||
setup ttl1.example
|
||||
$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
cp $infile $zonefile
|
||||
|
||||
# default key TTL should be used
|
||||
setup ttl2.example
|
||||
$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
cp $infile $zonefile
|
||||
|
||||
# mismatched key TTLs, should use shortest
|
||||
setup ttl3.example
|
||||
$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
cp $infile $zonefile
|
||||
|
||||
# existing DNSKEY RRset, should retain TTL
|
||||
setup ttl4.example
|
||||
$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
cat ${infile} K${zone}.+*.key > $zonefile
|
||||
$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
|
||||
#
|
||||
# A zone with a DNSKEY RRset that is published before it's activated
|
||||
#
|
||||
setup delay.example
|
||||
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
|
||||
echo $ksk > ../delayksk.key
|
||||
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||
zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
|
||||
echo $zsk > ../delayzsk.key
|
||||
|
||||
#
|
||||
@@ -230,8 +230,8 @@ echo $zsk > ../delayzsk.key
|
||||
# is missing.
|
||||
#
|
||||
setup nozsk.example
|
||||
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone`
|
||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
|
||||
echo $zsk > ../missingzsk.key
|
||||
rm -f ${zsk}.private
|
||||
@@ -241,8 +241,8 @@ rm -f ${zsk}.private
|
||||
# is inactive.
|
||||
#
|
||||
setup inaczsk.example
|
||||
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone`
|
||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
|
||||
echo $zsk > ../inactivezsk.key
|
||||
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
|
||||
@@ -252,15 +252,15 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
|
||||
#
|
||||
setup reconf.example
|
||||
cp secure.example.db.in $zonefile
|
||||
$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
|
||||
#
|
||||
# A zone which generates a CDS and CDNSEY RRsets automatically
|
||||
#
|
||||
setup sync.example
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
|
||||
$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
echo ns3/$ksk > ../sync.key
|
||||
|
@@ -858,7 +858,7 @@ ret=0
|
||||
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
|
||||
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
|
||||
|
||||
$KEYGEN -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
|
||||
$KEYGEN -a rsasha1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
|
||||
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign prepub.example 2>&1 | sed 's/^/I:ns1 /'
|
||||
newserial=$oldserial
|
||||
|
@@ -19,110 +19,110 @@ ln -s $CHECKZONE named-compilezone
|
||||
dir=01-ksk-inactive
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 2: ZSK goes inactive before successor is active
|
||||
dir=02-zsk-inactive
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 3: KSK is unpublished before its successor is published
|
||||
dir=03-ksk-unpublished
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 4: ZSK is unpublished before its successor is published
|
||||
dir=04-zsk-unpublished
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 5: KSK deleted and successor published before KSK is deactivated
|
||||
# and successor activated.
|
||||
dir=05-ksk-unpub-active
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 6: ZSK deleted and successor published before ZSK is deactivated
|
||||
# and successor activated.
|
||||
dir=06-zsk-unpub-active
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 7: KSK rolled with insufficient delay after prepublication.
|
||||
dir=07-ksk-ttl
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
# allow only 1 day between publication and activation
|
||||
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 8: ZSK rolled with insufficient delay after prepublication.
|
||||
dir=08-zsk-ttl
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
# allow only 1 day between publication and activation
|
||||
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 9: KSK goes inactive before successor is active, but checking ZSKs
|
||||
dir=09-check-zsk
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 10: ZSK goes inactive before successor is active, but checking KSKs
|
||||
dir=10-check-ksk
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 11: ZSK goes inactive before successor is active, but after cutoff
|
||||
dir=11-cutoff
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
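Review bot: The successor lines such as `ksk2=`$KEYGEN -K $dir -S $ksk1`` and `zsk2=`$KEYGEN -K $dir -S $zsk1`` are left without `-a` while every other keygen call in the hunk gained one, and nothing on the page says why. As far as I know `-S` derives the new key from the predecessor's key file, so the algorithm is inherited and the omission is correct, but a future sweep for "keygen calls missing -a" will flag these lines. A one-line comment before the first of them, `# -S inherits name, algorithm and size from the predecessor key; no -a needed`, would settle that. The same applies to the later setup hunks starting at `@@ -18,44 +18,44 @@ dir=01-ksk-inactive`, where the `-S` lines are likewise untouched.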
@@ -15,8 +15,8 @@ zone=signed
|
||||
infile=example.db
|
||||
zonefile=signed.db
|
||||
|
||||
key1=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
||||
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
|
||||
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||
|
||||
cat $infile $key1.key $key2.key > $zonefile
|
||||
|
||||
|
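Review bot: `key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`` and the line after it pin RSASHA256 rather than the RSASHA1 that the commit message recommends and that the other test hunks use, so this zone is now signed with a different algorithm than it was under the old default. That is probably deliberate (these setups look algorithm-agnostic), but it is the one place where the commit changes what is exercised rather than just making the old behaviour explicit. A short comment such as `# algorithm is irrelevant to these tests; rsasha256 chosen over the former RSASHA1 default` would record that the switch is intentional. The hunks at `@@ -615,8 +615,8 @@`, `@@ -870,7 +870,7 @@`, `@@ -25,7 +25,7 @@ SYSTEMTESTTOP=../..` and `@@ -12,8 +12,8 @@ SYSTEMTESTTOP=../..` make the same choice and could carry the same note.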
@@ -283,8 +283,8 @@ zone=kskonly.example.
|
||||
infile=kskonly.example.db.in
|
||||
zonefile=kskonly.example.db
|
||||
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
cat $infile $kskname.key $zskname.key >$zonefile
|
||||
$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
@@ -295,8 +295,8 @@ zone=expired.example.
|
||||
infile=expired.example.db.in
|
||||
zonefile=expired.example.db
|
||||
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
cat $infile $kskname.key $zskname.key >$zonefile
|
||||
$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
|
||||
rm -f $kskname.* $zskname.*
|
||||
@@ -308,8 +308,8 @@ zone=update-nsec3.example.
|
||||
infile=update-nsec3.example.db.in
|
||||
zonefile=update-nsec3.example.db
|
||||
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||
cat $infile $kskname.key $zskname.key >$zonefile
|
||||
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
@@ -321,10 +321,10 @@ zone=auto-nsec.example.
|
||||
infile=auto-nsec.example.db.in
|
||||
zonefile=auto-nsec.example.db
|
||||
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
cat $infile $kskname.key $zskname.key >$zonefile
|
||||
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
@@ -336,10 +336,10 @@ zone=auto-nsec3.example.
|
||||
infile=auto-nsec3.example.db.in
|
||||
zonefile=auto-nsec3.example.db
|
||||
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||
cat $infile $kskname.key $zskname.key >$zonefile
|
||||
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
@@ -404,8 +404,8 @@ zone="expiring.example."
|
||||
infile="expiring.example.db.in"
|
||||
zonefile="expiring.example.db"
|
||||
signedfile="expiring.example.db.signed"
|
||||
kskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
|
||||
mv -f ${zskname}.private ${zskname}.private.moved
|
||||
@@ -419,8 +419,8 @@ infile="upper.example.db.in"
|
||||
zonefile="upper.example.db"
|
||||
lower="upper.example.db.lower"
|
||||
signedfile="upper.example.db.signed"
|
||||
kskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
cp $infile $zonefile
|
||||
$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1
|
||||
$CHECKZONE -D upper.example $lower 2>&- | \
|
||||
@@ -434,8 +434,8 @@ zone="LOWER.EXAMPLE."
|
||||
infile="lower.example.db.in"
|
||||
zonefile="lower.example.db"
|
||||
signedfile="lower.example.db.signed"
|
||||
kskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
cp $infile $zonefile
|
||||
$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
@@ -447,8 +447,8 @@ zone="nosign.example."
|
||||
infile="nosign.example.db.in"
|
||||
zonefile="nosign.example.db"
|
||||
signedfile="nosign.example.db.signed"
|
||||
kskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
|
||||
# preserve a normalized copy of the NS RRSIG for comparison later
|
||||
@@ -460,8 +460,8 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
|
||||
# An inline signing zone
|
||||
#
|
||||
zone=inline.example.
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||
|
||||
#
|
||||
# publish a new key while deactivating another key at the same time.
|
||||
@@ -470,10 +470,10 @@ zone=publish-inactive.example
|
||||
infile=publish-inactive.example.db.in
|
||||
zonefile=publish-inactive.example.db
|
||||
now=`date -u +%Y%m%d%H%M%S`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
||||
kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone`
|
||||
kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
@@ -483,8 +483,8 @@ $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
zone=siginterval.example
|
||||
infile=siginterval.example.db.in
|
||||
zonefile=siginterval.example.db
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
|
||||
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
|
||||
cp $infile $zonefile
|
||||
|
||||
#
|
||||
@@ -508,8 +508,8 @@ sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
|
||||
zone=future.example
|
||||
infile=future.example.db.in
|
||||
zonefile=future.example.db
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
cat $infile $kskname.key $zskname.key >$zonefile
|
||||
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
cp -f $kskname.key trusted-future.key
|
||||
@@ -520,8 +520,8 @@ cp -f $kskname.key trusted-future.key
|
||||
zone=managed-future.example
|
||||
infile=managed-future.example.db.in
|
||||
zonefile=managed-future.example.db
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
|
||||
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
|
||||
cat $infile $kskname.key $zskname.key >$zonefile
|
||||
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
@@ -532,10 +532,10 @@ zone=revkey.example.
|
||||
infile=generic.example.db.in
|
||||
zonefile=revkey.example.db
|
||||
|
||||
ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone`
|
||||
ksk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
|
||||
ksk1=`$REVOKE $ksk1`
|
||||
ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone`
|
||||
zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone`
|
||||
ksk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
|
||||
zsk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 $zone`
|
||||
|
||||
cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
|
||||
|
||||
|
@@ -13,7 +13,7 @@ zone=.
|
||||
infile=../ns1/root.db.in
|
||||
zonefile=root.db.signed
|
||||
|
||||
keyname=`$KEYGEN -r $RANDFILE -qfk $zone`
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone`
|
||||
|
||||
# copy the KSK out first, then revoke it
|
||||
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
|
||||
@@ -29,6 +29,6 @@ EOF
|
||||
$SETTIME -R now ${keyname}.key > /dev/null
|
||||
|
||||
# create a current set of keys, and sign the root zone
|
||||
$KEYGEN -r $RANDFILE -q $zone > /dev/null
|
||||
$KEYGEN -r $RANDFILE -qfk $zone > /dev/null
|
||||
$KEYGEN -r $RANDFILE -a RSASHA1 -q $zone > /dev/null
|
||||
$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone > /dev/null
|
||||
$SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1
|
||||
|
@@ -2209,7 +2209,7 @@ echo "I:checking that the NSEC3 record for the apex is properly signed when a DN
|
||||
ret=0
|
||||
(
|
||||
cd ns3
|
||||
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example`
|
||||
kskname=`$KEYGEN -q -3 -a RSASHA1 -r $RANDFILE -fk update-nsec3.example`
|
||||
(
|
||||
echo zone update-nsec3.example
|
||||
echo server 10.53.0.3 5300
|
||||
@@ -3247,8 +3247,8 @@ ret=0
|
||||
# generate signed zone with MX and AAAA records at apex.
|
||||
(
|
||||
cd signer
|
||||
$KEYGEN -q -r $RANDFILE -3 -fK remove > /dev/null
|
||||
$KEYGEN -q -r $RANDFILE -3 remove > /dev/null
|
||||
$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 -fK remove > /dev/null
|
||||
$KEYGEN -q -r $RANDFILE -a RSASHA1 -33 remove > /dev/null
|
||||
echo > remove.db.signed
|
||||
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
|
||||
)
|
||||
|
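Review bot: `$KEYGEN -q -r $RANDFILE -a RSASHA1 -33 remove > /dev/null` carries `-33` where the removed line had `-3`; this looks like a typo introduced while inserting `-a RSASHA1`, and the line should read `$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 remove > /dev/null`. Because the option parser most likely accepts `-33` as `-3` given twice, the test will keep passing and the slip will not surface on its own, so it is worth fixing now rather than leaving it for someone to puzzle over. The enclosing subshell continues past the hunk.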
@@ -615,8 +615,8 @@ grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:setup broken"; fi
|
||||
status=`expr $status + $ret`
|
||||
cp ns5/named.conf.post ns5/named.conf
|
||||
(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
|
||||
(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
|
||||
(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE bits) > /dev/null 2>&1
|
||||
(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE -f KSK bits) > /dev/null 2>&1
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
|
||||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
@@ -870,7 +870,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo "I:testing imported key won't overwrite a private key ($n)"
|
||||
ret=0
|
||||
key=`$KEYGEN -r $RANDFILE -q import.example`
|
||||
key=`$KEYGEN -r $RANDFILE -q -a rsasha256 import.example`
|
||||
cp ${key}.key import.key
|
||||
# import should fail
|
||||
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
|
||||
|
@@ -18,44 +18,44 @@ dir=01-ksk-inactive
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 2: ZSK goes inactive before successor is active
|
||||
dir=02-zsk-inactive
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 3: KSK is unpublished before its successor is published
|
||||
dir=03-ksk-unpublished
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 4: ZSK is unpublished before its successor is published
|
||||
dir=04-zsk-unpublished
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 5: KSK deleted and successor published before KSK is deactivated
|
||||
# and successor activated.
|
||||
@@ -63,10 +63,10 @@ dir=05-ksk-unpub-active
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 6: ZSK deleted and successor published before ZSK is deactivated
|
||||
# and successor activated.
|
||||
@@ -74,33 +74,33 @@ dir=06-zsk-unpub-active
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 7: KSK rolled with insufficient delay after prepublication.
|
||||
dir=07-ksk-ttl
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
|
||||
ksk2=`$KEYGEN -K $dir -S $ksk1`
|
||||
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
|
||||
# Test 8: ZSK rolled with insufficient delay after prepublication.
|
||||
dir=08-zsk-ttl
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
# allow only 1 day between publication and activation
|
||||
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
|
||||
# Test 9: No special preparation needed
|
||||
rm -f $dir/K*.key
|
||||
@@ -111,8 +111,8 @@ dir=10-change-roll
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
|
||||
zsk2=`$KEYGEN -K $dir -S $zsk1`
|
||||
|
||||
@@ -121,40 +121,40 @@ dir=11-many-simul
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
k1=`$KEYGEN -K $dir -q3fk -P now+1mo -A now+1mo example.com`
|
||||
z1=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
|
||||
z2=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
|
||||
z3=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
|
||||
z4=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com`
|
||||
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk -P now+1mo -A now+1mo example.com`
|
||||
z1=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
|
||||
z2=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
|
||||
z3=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
|
||||
z4=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com`
|
||||
|
||||
# Test 12: Many keys all simultaneously scheduled to be active in the past
|
||||
dir=12-many-active
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
k1=`$KEYGEN -K $dir -q3fk example.com`
|
||||
z1=`$KEYGEN -K $dir -q3 example.com`
|
||||
z2=`$KEYGEN -K $dir -q3 example.com`
|
||||
z3=`$KEYGEN -K $dir -q3 example.com`
|
||||
z4=`$KEYGEN -K $dir -q3 example.com`
|
||||
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||
z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
|
||||
# Test 13: Multiple simultaneous keys with no configured roll period
|
||||
dir=13-noroll
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
k1=`$KEYGEN -K $dir -q3fk example.com`
|
||||
k2=`$KEYGEN -K $dir -q3fk example.com`
|
||||
k3=`$KEYGEN -K $dir -q3fk example.com`
|
||||
z1=`$KEYGEN -K $dir -q3 example.com`
|
||||
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||
k2=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||
k3=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||
z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
|
||||
# Test 14: Keys exist but have the wrong algorithm
|
||||
dir=14-wrongalg
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
k1=`$KEYGEN -K $dir -qfk example.com`
|
||||
z1=`$KEYGEN -K $dir -q example.com`
|
||||
k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`
|
||||
z1=`$KEYGEN -K $dir -a rsasha1 -q example.com`
|
||||
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
||||
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
||||
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
||||
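Review bot: Under `# Test 14: Keys exist but have the wrong algorithm`, the new `k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`` and `z1=` lines make the "wrong" algorithm explicit, but what it is wrong relative to is a policy that is not visible here; the test only means what it says as long as that policy names something other than RSASHA1. A comment on the first of those lines, `# rsasha1 must differ from the algorithm required by this directory's policy`, would tie the two together so a later change to either side does not quietly turn this into a passing no-op. The same remark applies to the `16-wrongalg-unspec` hunk at `@@ -182,8 +182,8 @@`.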
@@ -167,8 +167,8 @@ dir=15-unspec
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
k1=`$KEYGEN -K $dir -q3fk example.com`
|
||||
z1=`$KEYGEN -K $dir -q3 example.com`
|
||||
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||
z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
||||
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
||||
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
||||
@@ -182,8 +182,8 @@ dir=16-wrongalg-unspec
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
k1=`$KEYGEN -K $dir -qfk example.com`
|
||||
z1=`$KEYGEN -K $dir -q example.com`
|
||||
k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`
|
||||
z1=`$KEYGEN -K $dir -a rsasha1 -q example.com`
|
||||
$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
|
||||
z2=`$KEYGEN -K $dir -q -S ${z1}.key`
|
||||
$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
|
||||
@@ -197,17 +197,17 @@ dir=17-noforce
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
k1=`$KEYGEN -K $dir -q3fk example.com`
|
||||
z1=`$KEYGEN -K $dir -q3 example.com`
|
||||
z2=`$KEYGEN -K $dir -q3 example.com`
|
||||
z3=`$KEYGEN -K $dir -q3 example.com`
|
||||
z4=`$KEYGEN -K $dir -q3 example.com`
|
||||
k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
|
||||
z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
|
||||
|
||||
# Test 18: Prepublication interval is set to a nonstandard value
|
||||
dir=18-nonstd-prepub
|
||||
echo I:set up $dir
|
||||
rm -f $dir/K*.key
|
||||
rm -f $dir/K*.private
|
||||
ksk1=`$KEYGEN -K $dir -3fk example.com`
|
||||
zsk1=`$KEYGEN -K $dir -3 example.com`
|
||||
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
|
||||
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
|
||||
$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
|
||||
|
@@ -25,7 +25,7 @@ SYSTEMTESTTOP=../..
|
||||
../named-compilezone -D -F map -o example.db.map example-map \
|
||||
example.db > /dev/null 2>&1
|
||||
|
||||
$KEYGEN -q -r $RANDFILE signed > /dev/null 2>&1
|
||||
$KEYGEN -q -r $RANDFILE -fk signed > /dev/null 2>&1
|
||||
$KEYGEN -q -a rsasha256 -r $RANDFILE signed > /dev/null 2>&1
|
||||
$KEYGEN -q -a rsasha256 -r $RANDFILE -fk signed > /dev/null 2>&1
|
||||
$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1
|
||||
../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
|
||||
|
@@ -19,42 +19,42 @@ czone=child.parent.nil
|
||||
echo "I:generating keys"
|
||||
|
||||
# active zsk
|
||||
zsk=`$KEYGEN -q -r $RANDFILE $czone`
|
||||
zsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $czone`
|
||||
echo $zsk > zsk.key
|
||||
|
||||
# not yet published or active
|
||||
pending=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
|
||||
pending=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
|
||||
echo $pending > pending.key
|
||||
|
||||
# published but not active
|
||||
standby=`$KEYGEN -q -r $RANDFILE -A none $czone`
|
||||
standby=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
|
||||
echo $standby > standby.key
|
||||
|
||||
# inactive
|
||||
inact=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
|
||||
inact=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
|
||||
echo $inact > inact.key
|
||||
|
||||
# active ksk
|
||||
ksk=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
||||
ksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||
echo $ksk > ksk.key
|
||||
|
||||
# published but not YET active; will be active in 15 seconds
|
||||
rolling=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
||||
rolling=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||
$SETTIME -A now+15s $rolling > /dev/null
|
||||
echo $rolling > rolling.key
|
||||
|
||||
# revoked
|
||||
revoke1=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
||||
revoke1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||
echo $revoke1 > prerev.key
|
||||
revoke2=`$REVOKE $revoke1`
|
||||
echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key
|
||||
|
||||
pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
|
||||
pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
|
||||
echo $pzsk > parent.zsk.key
|
||||
|
||||
pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
|
||||
pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
|
||||
echo $pksk > parent.ksk.key
|
||||
|
||||
oldstyle=`$KEYGEN -Cq -r $RANDFILE $pzone`
|
||||
oldstyle=`$KEYGEN -Cq -a rsasha1 -r $RANDFILE $pzone`
|
||||
echo $oldstyle > oldstyle.key
|
||||
|
||||
|
@@ -174,7 +174,7 @@ status=`expr $status + $ret`
|
||||
echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)"
|
||||
ret=0
|
||||
# keygen should print a warning about delete < inactive
|
||||
$KEYGEN -q -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
|
||||
$KEYGEN -q -a rsasha1 -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
|
||||
grep "warning" tmp.out > /dev/null 2>&1 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
@@ -182,15 +182,15 @@ status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking correct behavior setting activation without publication date ($n)"
|
||||
ret=0
|
||||
key=`$KEYGEN -q -r $RANDFILE -A +1w $czone`
|
||||
key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w $czone`
|
||||
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
||||
act=`$SETTIME -upA $key | awk '{print $2}'`
|
||||
[ $pub -eq $act ] || ret=1
|
||||
key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone`
|
||||
key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -i 1d $czone`
|
||||
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
||||
act=`$SETTIME -upA $key | awk '{print $2}'`
|
||||
[ $pub -lt $act ] || ret=1
|
||||
key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone`
|
||||
key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -P never $czone`
|
||||
pub=`$SETTIME -upP $key | awk '{print $2}'`
|
||||
[ $pub = "UNSET" ] || ret=1
|
||||
n=`expr $n + 1`
|
||||
|
@@ -12,8 +12,8 @@ SYSTEMTESTTOP=../..
|
||||
zone=.
|
||||
zonefile=root.db
|
||||
|
||||
keyname=`$KEYGEN -qfk -r $RANDFILE $zone`
|
||||
zskkeyname=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
keyname=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE $zone`
|
||||
zskkeyname=`$KEYGEN -a rsasha256 -q -r $RANDFILE $zone`
|
||||
|
||||
$SIGNER -Sg -r $RANDFILE -o $zone $zonefile > /dev/null 2>&-
|
||||
|
||||
|
@@ -57,7 +57,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo "I: check new trust anchor can be added ($n)"
|
||||
ret=0
|
||||
standby1=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
|
||||
standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
||||
sleep 5
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
|
||||
@@ -241,7 +241,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo "I: revoke original key, add new standby ($n)"
|
||||
ret=0
|
||||
standby2=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
|
||||
standby2=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
|
||||
$SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
||||
sleep 3
|
||||
@@ -276,7 +276,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo "I: revoke standby before it is trusted ($n)"
|
||||
ret=0
|
||||
standby3=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
|
||||
standby3=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
|
||||
sleep 3
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
|
||||
|
@@ -35,8 +35,8 @@ zone=delegation.test.
|
||||
infile=delegation.test.db.in
|
||||
zonefile=delegation.test.db
|
||||
|
||||
keyname1=`$KEYGEN -q -r $RANDFILE -3 -f KSK $zone`
|
||||
keyname2=`$KEYGEN -q -r $RANDFILE -3 $zone`
|
||||
keyname1=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 -f KSK $zone`
|
||||
keyname2=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 $zone`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
|
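Review bot: `-3` is kept alongside `-a RSASHA256` on the new keyname1/keyname2 lines here, while the other hunks that switch to rsasha256 (ds.example.net, example.net, the verify zone set, inline and master.example) drop `-3` when they add `-a`. Both forms should produce the same kind of key, since RSASHA256 is NSEC3-capable and `-3` only influenced the old default, so this is consistency rather than correctness. The same applies to upper-case `RSASHA256` here versus lower-case `rsasha256` elsewhere; the mix already present in this commit suggests the name lookup is case-insensitive, but one spelling would make the scripts easier to grep when the algorithm is next changed. `keyname1=\`$KEYGEN -q -a rsasha256 -r $RANDFILE -f KSK $zone\`` and the matching keyname2 line would follow the convention used by the rest of the commit.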
@@ -15,8 +15,8 @@ zone=signed
|
||||
infile=example.db
|
||||
zonefile=signed.db
|
||||
|
||||
key1=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
||||
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
|
||||
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||
|
||||
cat $infile $key1.key $key2.key > $zonefile
|
||||
|
||||
@@ -26,8 +26,8 @@ zone=nsec3
|
||||
infile=example.db
|
||||
zonefile=nsec3.db
|
||||
|
||||
key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
|
||||
key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
|
||||
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
|
||||
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
|
||||
|
||||
cat $infile $key1.key $key2.key > $zonefile
|
||||
|
||||
|
@@ -15,8 +15,8 @@ zone=signed
|
||||
infile=example.db
|
||||
zonefile=signed.db
|
||||
|
||||
key1=`$KEYGEN -q -r $RANDFILE $zone`
|
||||
key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
|
||||
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
|
||||
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||
|
||||
cat $infile $key1.key $key2.key > $zonefile
|
||||
|
||||
@@ -26,8 +26,8 @@ zone=nsec3
|
||||
infile=example.db
|
||||
zonefile=nsec3.db
|
||||
|
||||
key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
|
||||
key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
|
||||
key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
|
||||
key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
|
||||
|
||||
cat $infile $key1.key $key2.key > $zonefile
|
||||
|
||||
|
@@ -15,8 +15,8 @@ zone=ds.example.net
|
||||
zonefile="${zone}.db"
|
||||
infile="${zonefile}.in"
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
||||
zsk=`$KEYGEN -q -3 -r $RANDFILE -b 2048 $zone`
|
||||
ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||
zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -b 2048 $zone`
|
||||
cat $ksk.key $zsk.key >> $zonefile
|
||||
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
@@ -24,8 +24,8 @@ zone=example.net
|
||||
zonefile="${zone}.db"
|
||||
infile="${zonefile}.in"
|
||||
cp $infile $zonefile
|
||||
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
|
||||
zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
|
||||
cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
|
||||
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
|
@@ -30,7 +30,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
|
||||
|
||||
# $1=directory, $2=domain name, $3=input zone file, $4=output file
|
||||
signzone () {
|
||||
KEYNAME=`$KEYGEN -q -r $RANDFILE -b 1024 -K $1 $2`
|
||||
KEYNAME=`$KEYGEN -q -a rsasha256 -r $RANDFILE -K $1 $2`
|
||||
cat $1/$3 $1/$KEYNAME.key > $1/tmp
|
||||
$SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
|
||||
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
|
||||
|
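Review bot: The new KEYNAME line in signzone drops `-b 1024` as well as adding `-a rsasha256`, which the commit message does not mention; if the intent was only to pin the algorithm, `KEYNAME=\`$KEYGEN -q -a rsasha256 -r $RANDFILE -b 1024 -K $1 $2\`` keeps the previous key size. Without `-b` the key is generated at dnssec-keygen's default size for the algorithm, so the test keys get larger and key generation slower; if that is intended, a comment saying so would stop the next reader from restoring the flag. signzone's body continues past the end of the hunk.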
@@ -21,39 +21,39 @@ cfile=child.db
|
||||
|
||||
echo "I:generating child's keys"
|
||||
# active zsk
|
||||
czsk1=`$KEYGEN -q -r $RANDFILE -L 30 $czone`
|
||||
czsk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -L 30 $czone`
|
||||
|
||||
# not yet published or active
|
||||
czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
|
||||
czsk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
|
||||
|
||||
# published but not active
|
||||
czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
|
||||
czsk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
|
||||
|
||||
# inactive
|
||||
czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
|
||||
czsk4=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
|
||||
|
||||
# active in 12 hours, inactive 12 hours after that...
|
||||
czsk5=`$KEYGEN -q -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
|
||||
czsk5=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
|
||||
|
||||
# explicit successor to czk5
|
||||
# (suppressing warning about lack of removal date)
|
||||
czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-`
|
||||
|
||||
# active ksk
|
||||
cksk1=`$KEYGEN -q -r $RANDFILE -fk -L 30 $czone`
|
||||
cksk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk -L 30 $czone`
|
||||
|
||||
# published but not YET active; will be active in 20 seconds
|
||||
cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
||||
cksk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||
# $SETTIME moved after other $KEYGENs
|
||||
|
||||
echo I:revoking key
|
||||
# revoking key changes its ID
|
||||
cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
|
||||
cksk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
|
||||
cksk4=`$REVOKE $cksk3`
|
||||
|
||||
echo I:generating parent keys
|
||||
pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
|
||||
pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
|
||||
pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
|
||||
pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
|
||||
|
||||
echo "I:setting child's activation time"
|
||||
# using now+30s to fix RT 24561
|
||||
|
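Review bot: The czsk6 line is the one `$KEYGEN` call in this hunk left without `-a`; presumably the successor key generated with `-S $czsk5` inherits the algorithm from its predecessor, but nothing on the page says so and it reads like an omission next to the other lines. A comment such as `# successor (-S) takes its algorithm from czsk5, so no -a here` would make the exception deliberate. The setup script continues outside the hunk on both sides.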
@@ -26,7 +26,7 @@ while test "$#" -gt 0; do
|
||||
quiet=1
|
||||
;;
|
||||
rsa|RSA)
|
||||
alg=""
|
||||
alg="-a RSASHA1"
|
||||
msg1="RSA cryptography"
|
||||
;;
|
||||
gost|GOST)
|
||||
|
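Review bot: `alg="-a RSASHA1"` stores two words in one variable, so it only works if `$alg` is later expanded unquoted so the shell splits it into the option and its argument; the expansion site is outside this hunk, so I cannot confirm how it is used. A comment on the assignment, `# expanded unquoted: must split into "-a" and "RSASHA1"`, would protect the expansion site from a well-meaning quoting fix. The enclosing `case` and `while` loop begin before the hunk.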
@@ -27,83 +27,83 @@ cp unsigned.db unsigned.bad
|
||||
|
||||
# A set of nsec zones.
|
||||
setup zsk-only.nsec good
|
||||
$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk-only.nsec good
|
||||
$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk+zsk.nsec good
|
||||
$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
# A set of nsec3 zones.
|
||||
setup zsk-only.nsec3 good
|
||||
$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk-only.nsec3 good
|
||||
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk+zsk.nsec3 good
|
||||
$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk+zsk.outout good
|
||||
$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
# A set of zones with only DNSKEY records.
|
||||
setup zsk-only.dnskeyonly bad
|
||||
key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
|
||||
key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
|
||||
cat unsigned.db $key1.key > ${file}
|
||||
|
||||
setup ksk-only.dnskeyonly bad
|
||||
key1=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
|
||||
key1=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
|
||||
cat unsigned.db $key1.key > ${file}
|
||||
|
||||
setup ksk+zsk.dnskeyonly bad
|
||||
key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
|
||||
key2=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
|
||||
key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
|
||||
key2=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
|
||||
cat unsigned.db $key1.key $key2.key > ${file}
|
||||
|
||||
# A set of zones with expired records
|
||||
s="-s -2678400"
|
||||
setup zsk-only.nsec.expired bad
|
||||
$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk-only.nsec.expired bad
|
||||
$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk+zsk.nsec.expired bad
|
||||
$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup zsk-only.nsec3.expired bad
|
||||
$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk-only.nsec3.expired bad
|
||||
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
|
||||
$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
setup ksk+zsk.nsec3.expired bad
|
||||
$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
|
||||
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
|
||||
$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
|
||||
|
||||
# ksk expired
|
||||
setup ksk+zsk.nsec.ksk-expired bad
|
||||
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
cat unsigned.db $ksk.key $zsk.key > $file
|
||||
$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
|
||||
$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
|
||||
@@ -112,8 +112,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
|
||||
[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
|
||||
|
||||
setup ksk+zsk.nsec3.ksk-expired bad
|
||||
zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
cat unsigned.db $ksk.key $zsk.key > $file
|
||||
$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
|
||||
$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
|
||||
@@ -123,8 +123,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
|
||||
|
||||
# broken nsec chain
|
||||
setup ksk+zsk.nsec.broken-chain bad
|
||||
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
cat unsigned.db $ksk.key $zsk.key > $file
|
||||
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
|
||||
awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
|
||||
@@ -132,8 +132,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
|
||||
|
||||
# bad nsec bitmap
|
||||
setup ksk+zsk.nsec.bad-bitmap bad
|
||||
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
cat unsigned.db $ksk.key $zsk.key > $file
|
||||
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
|
||||
awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
|
||||
@@ -141,8 +141,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
|
||||
|
||||
# extra NSEC record out side of zone
|
||||
setup ksk+zsk.nsec.out-of-zone-nsec bad
|
||||
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
cat unsigned.db $ksk.key $zsk.key > $file
|
||||
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
|
||||
echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
|
||||
@@ -150,8 +150,8 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>
|
||||
|
||||
# extra NSEC record below bottom of one
|
||||
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
|
||||
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
cat unsigned.db $ksk.key $zsk.key > $file
|
||||
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
|
||||
echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
|
||||
@@ -163,8 +163,8 @@ awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${fil
|
||||
# extract the hash fields from the empty node's NSEC 3 record then fix up
|
||||
# the NSEC3 chain to remove it
|
||||
setup ksk+zsk.nsec3.missing-empty bad
|
||||
zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
cat unsigned.db $ksk.key $zsk.key > $file
|
||||
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
|
||||
a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}`
|
||||
@@ -177,8 +177,8 @@ $SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s
|
||||
|
||||
# extra NSEC3 record
|
||||
setup ksk+zsk.nsec3.extra-nsec3 bad
|
||||
zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
|
||||
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
|
||||
cat unsigned.db $ksk.key $zsk.key > $file
|
||||
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
|
||||
awk '
|
||||
|
@@ -26,11 +26,11 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
|
||||
# same source of "random" data and we want different keys for
|
||||
# internal and external instances of inline.
|
||||
#
|
||||
$KEYGEN -K ns2/internal -r $RANDFILE -3q inline > /dev/null 2>&1
|
||||
$KEYGEN -K ns2/internal -r $RANDFILE -3qfk inline > /dev/null 2>&1
|
||||
k1=`$KEYGEN -K ns2/external -r $RANDFILE -3q inline 2> /dev/null`
|
||||
k2=`$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline 2> /dev/null`
|
||||
$KEYGEN -K ns2/external -r $RANDFILE -3q inline > /dev/null 2>&1
|
||||
$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline > /dev/null 2>&1
|
||||
$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
|
||||
$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
|
||||
k1=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline 2> /dev/null`
|
||||
k2=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline 2> /dev/null`
|
||||
$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
|
||||
$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
|
||||
test -n "$k1" && rm -f ns2/external/$k1.*
|
||||
test -n "$k2" && rm -f ns2/external/$k2.*
|
||||
|
@@ -19,8 +19,8 @@ cp bigserial.db ns1/
|
||||
cd ns1
|
||||
touch master.db.signed
|
||||
echo '$INCLUDE "master.db.signed"' >> master.db
|
||||
$KEYGEN -r $RANDFILE -3q master.example > /dev/null 2>&1
|
||||
$KEYGEN -r $RANDFILE -3qfk master.example > /dev/null 2>&1
|
||||
$KEYGEN -r $RANDFILE -a rsasha256 -q master.example > /dev/null 2>&1
|
||||
$KEYGEN -r $RANDFILE -a rsasha256 -qfk master.example > /dev/null 2>&1
|
||||
$SIGNER -SD -o master.example master.db > /dev/null \
|
||||
2> signer.err || cat signer.err
|
||||
echo '$INCLUDE "soa.db"' > reload.db
|
||||
|
@@ -433,6 +433,17 @@
|
||||
|
||||
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>dnssec-keygen</command> no longer has default
|
||||
algorithm settings. It is necessary to explicitly specify the
|
||||
algorithm on the command line with the <option>-a</option> option
|
||||
when generating keys. This may cause errors with existing signing
|
||||
scripts if they rely on current defaults. The intent is to
|
||||
reduce the long-term cost of transitioning to newer algorithms in
|
||||
the event of RSASHA1 being deprecated. [RT #44755]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Threads in <command>named</command> are now set to human-readable
|
||||
|
@@ -131,7 +131,9 @@
|
||||
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
|
||||
{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
|
||||
{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
|
||||
{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
|
||||
{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
|
||||
{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
|
||||
{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
|
||||
{ DNS_KEYALG_ED448, "ED448", 0 }, \
|
||||
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
|
||||
|
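Review bot: The two short-name rows `"ECDSA256"` and `"ECDSA384"` appear to be the additions here (the header counts two added lines and they sit directly after the long mnemonics), which gives DNS_KEYALG_ECDSA256 and DNS_KEYALG_ECDSA384 two text entries each. If this table is also walked for number-to-text conversion, the first match wins and the RFC mnemonic must stay ahead of the alias, so a comment such as `/* alias: keep after the canonical name, first match wins on alg->text */` on each new row would pin that ordering. The table is a macro continuation whose start and end lie outside the hunk, so I cannot see how it is consumed.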