diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index 5d8c7f3622..3ac389cf88 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -1402,8 +1402,6 @@ for special in \
 this.zone/domain.has.a.slash.dom10.example \
 this.zone\\\\domain.has.backslash.dom10.example \
 this.zone:domain.has.a.colon.dom.10.example; do
- # hashes below are generated by:
- # python ${TOP}/contrib/scripts/catzhash.py "${special}"
 case "$special" in
 this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example)
diff --git a/contrib/README b/contrib/README
index 8bf5a1369f..aed58d2164 100644
--- a/contrib/README
+++ b/contrib/README
@@ -15,11 +15,6 @@ This directory contains scripts, tools, and other useful accessories to BIND 9. Contrib software is not supported by ISC, but reported bugs will be fixed as time permits. - - scripts/ - - Assorted useful scripts, including 'zone-edit' - which enables editing of a dynamic zone, and others. - - gitchangelog/ QA utility to produce changelog and release notes from git log.
diff --git a/contrib/scripts/.gitignore b/contrib/scripts/.gitignore
deleted file mode 100644
index 990d9f7c77..0000000000
--- a/contrib/scripts/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-check-secure-delegation.pl
-zone-edit.sh
diff --git a/contrib/scripts/catzhash.py b/contrib/scripts/catzhash.py
deleted file mode 100644
index fa0b69becf..0000000000
--- a/contrib/scripts/catzhash.py
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/python
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# catzhash.py: generate the SHA-1 hash of a domain name in wire format.
-#
-# This can be used to determine the label to use in a catalog zone to
-# represent the specified zone. For example, the zone
-# "domain.example" can be represented in a catalog zone called
-# "catalog.example" by adding the following record:
-#
-# 5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. \
-# IN PTR domain.example.
-#
-# The label "5960775ba382e7a4e09263fc06e7c00569b6a05c" is the output of
-# this script when run with the argument "domain.example".
-
-import sys
-import hashlib
-import dns.name
-
-if len(sys.argv) < 2:
- print("Usage: %s name" % sys.argv[0])
-
-NAME = dns.name.from_text(sys.argv[1]).to_wire()
-print(hashlib.sha1(NAME).hexdigest())
diff --git a/contrib/scripts/check-secure-delegation.pl.in b/contrib/scripts/check-secure-delegation.pl.in
deleted file mode 100644
index 0f38c08f22..0000000000
--- a/contrib/scripts/check-secure-delegation.pl.in
+++ /dev/null
@@ -1,116 +0,0 @@
-#!@PERL@
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-use warnings;
-use FileHandle;
-use IPC::Open2;
-use POSIX qw/strftime/;
-
-#
-# We only compare keyid / DNSSEC algorithm pairs. If this succeeds then
-# the crypto will likely succeed. If it fails then the crypto will definitely
-# fail.
-#
-$prefix = "@prefix@";
-$dig = "$prefix/bin/dig +cd +dnssec +noall +answer";
-$dsfromkey = "$prefix/sbin/dnssec-dsfromkey -1 -A -f /dev/stdin";
-
-# Get "now" in a RRSIG datestamp format.
-$now = strftime "%Y%m%d%H%M%S", gmtime;
-
-foreach $zone (@ARGV) {
- my %algorithms = ();
- my %dnskeygood = ();
- my %dnskeyalg = ();
- my %dnskey = ();
- my %dsgood = ();
- my %ds = ();
-
- # Read the DS records and extract the key id, algorithm pairs
- open(DS, "$dig -t DS -q $zone|") || die("dig DS failed");
- while() {
- @words = split;
- if ($words[3] eq "RRSIG" && $words[4] eq "DS") {
- next if ($words[8] >= $now && $words[9] <= $now);
- print "BAD SIG DATES: $_";
- }
- next if ($words[3] ne "DS");
- $ds{"$words[4] $words[5]"} = 1;
- $algorithms{"$words[5]"} = 1;
- }
- close(DS);
-
- # Read the RRSIG(DNSKEY) records and extract the key id,
- # algorithm pairs. Set good if we have a match against the DS
- # records. DNSKEY records should be before the RRSIG records.
- open(DNSKEY, "$dig -t DNSKEY -q $zone|") || die("dig DNSKEY failed");
- while () {
- @words = split;
- if ($words[3] eq "DNSKEY") {
- $dnskeyalg{"$words[6]"} = 1;
- next if (! -e "/dev/stdin");
- # get the key id ($dswords[3]).
- $pid = open2(*Reader, *Writer, "$dsfromkey $zone");
- die("dsfromkey failed") if ($pid == -1);
- print Writer "$_";
- close(Writer);
- $line = ;
- close(Reader);
- @dswords = split /\s/, $line;
- $dnskey{"$dswords[3] $dswords[4]"} = 1;
- next;
- }
- next if ($words[3] ne "RRSIG" || $words[4] ne "DNSKEY");
- if ($words[8] >= $now && $words[9] <= $now) {
- # If we don't have /dev/stdin then just check for the
- # RRSIG otherwise check for both the DNSKEY and
- # RRSIG.
- $dsgood{"$words[5]"} = 1 - if (! -e "/dev/stdin" && - exists($ds{"$words[10] $words[5]"}));
- $dsgood{"$words[5]"} = 1 - if (exists($ds{"$words[10] $words[5]"}) && - exists($dnskey{"$words[10] $words[5]"}));
- $dnskeygood{"$words[5]"} = 1 - if (! -e "/dev/stdin");
- $dnskeygood{"$words[5]"} = 1 - if (exists($dnskey{"$words[10] $words[5]"}));
- } else {
- $dnskeygood{"$words[5]"} = 1;
- print "BAD SIG DATES: $_";
- }
- }
- close(DNSKEY);
-
- # Do we have signatures for all DNSKEY algorithms?
- foreach $alg ( keys %dnskeyalg ) {
- print "Missing $zone DNSKEY RRSIG for algorithm $alg\n" - if (!exists($dnskeygood{$alg}));
- }
-
- # Do we have a matching self signed DNSKEY for all DNSSEC algorithms
- # in the DS records.
- $count = 0;
- foreach $alg ( keys %algorithms ) {
- if (exists($dsgood{$alg})) {
- print "$zone algorithm $alg good " . - "(found DS / self signed DNSKEY pair)\n";
- } else {
- print "$zone algorithm $alg bad " . - "(no DS / self signed DNSKEY pair found)\n";
- }
- $count++;
- }
- print "$zone has no secure delegation records\n" - if (! $count);
-}
diff --git a/contrib/scripts/check5011.pl b/contrib/scripts/check5011.pl
deleted file mode 100644
index 814295a332..0000000000
--- a/contrib/scripts/check5011.pl
+++ /dev/null
@@ -1,210 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-use warnings;
-use strict;
-
-use POSIX qw(strftime);
-my $now = strftime "%Y%m%d%H%M%S", gmtime;
-
-sub ext8601 ($) {
- my $d = shift;
- $d =~ s{(....)(..)(..)(..)(..)(..)} - {$1-$2-$3.$4:$5:$6+0000};
- return $d;
-}
-
-sub getkey ($$) {
- my $h = shift;
- my $k = shift;
- m{\s+(\d+)\s+(\d+)\s+(\d+)\s+[(]\s*$};
- $k->{flags} = $1;
- $k->{protocol} = $2;
- $k->{algorithm} = $3;
- my $data = "(";
- while (<$h>) {
- s{^\s+}{};
- s{\s+$}{};
- last if m{^[)]};
- $data .= $_;
- }
- m{ alg = (\S+)\s*; key id = (\d+)};
- $k->{alg} = $1;
- $k->{id} = $2;
- $k->{data} = $data;
- return $k;
-}
-
-sub fmtkey ($) {
- my $k = shift;
- return sprintf "%16s tag %s", $k->{name}, $k->{id};
-}
-
-sub printstatus ($) {
- my $a = shift;
- if ($a->{removehd} ne "19700101000000") {
- printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd};
- } elsif ($a->{addhd} le $now) {
- printf " trusted\n";
- } else {
- printf " waiting for %s\n", ext8601 $a->{addhd};
- }
-}
-
-sub digkeys ($) {
- my $name = shift;
- my $keys;
- open my $d, "-|", qw{dig +multiline DNSKEY}, $name;
- while (<$d>) {
- next unless m{^([a-z0-9.-]*)\s+\d+\s+IN\s+DNSKEY\s+};
- next unless $name eq $1;
- push @$keys, getkey $d, { name => $name };
- }
- return $keys;
-}
-
-my $anchor;
-my $owner = ".";
-while (<>) {
- next unless m{^([a-z0-9.-]*)\s+KEYDATA\s+(\d+)\s+(\d+)\s+(\d+)\s+};
- my $k = getkey *ARGV, {
- name => $1, - refresh => $2, - addhd => $3, - removehd => $4,
- };
- if ($k->{name} eq "") {
- $k->{name} = $owner;
- } else {
- $owner = $k->{name};
- }
- $k->{name} =~ s{[.]*$}{.};
- push @{$anchor->{$k->{name}}}, $k;
-}
-
-for my $name (keys %$anchor) {
- my $keys = digkeys $name;
- my $anchors = $anchor->{$name};
- for my $k (@$keys) {
- if ($k->{flags} & 1) {
- printf "%s %s", fmtkey $k, $k->{alg};
- } else {
- # ZSK - skipping - next;
- }
- if ($k->{flags} & 512) {
- print " revoked;";
- }
- my $a;
- for my $t (@$anchors) {
- if ($t->{data} eq $k->{data} and - $t->{protocol} eq $k->{protocol} and - $t->{algorithm} eq $k->{algorithm}) {
- $t->{matched} = 1;
- $a = $t;
- last;
- }
- }
- if (not defined $a) {
- print " no trust anchor\n";
- next;
- }
- printstatus $a;
- }
- for my $a (@$anchors) {
- next if $a->{matched};
- printf "%s %s missing;", fmtkey $a, $a->{alg};
- printstatus $a;
- }
-}
-
-exit;
-
-__END__
-
-=head1 NAME
-
-check5011 - summarize DNSSEC trust anchor status
-
-=head1 SYNOPSIS
-
-check5011 >
-
-=head1 DESCRIPTION
-
-The BIND managed-keys file contains DNSSEC trust anchors
-that can be automatically updated according to RFC 5011. The
-B program reads this file and prints a summary of the
-status of the trust anchors. It fetches the corresponding
-DNSKEY records using B and compares them to the trust anchors.
-
-Each key is printed on a line with its name, its tag, and its
-algorithm, followed by a summary of its status.
-
-=over
-
-=item C
-
-The key is currently trusted.
-
-=item C
-
-The key is new, and B is waiting for the "add hold-down" period
-to pass before the key will be trusted.
-
-=item C
-
-The key was revoked and will be removed at the stated time.
-
-=item C
-
-The key is present in the DNS but not in the managed-keys file.
-
-=item C
-
-The key has its revoked flag set. This is printed before the key's
-trust anchor status which should normally be C if
-B has observed the revocation.
-
-=item C
-
-There is no DNSKEY record for this trust anchor. This is printed
-before the key's trust anchor status.
-
-=back
-
-By default the managed keys are stored in a file called
-F in B's working directory. This location
-can be changed with B's B option. If
-you are using views the file may be named with the SHA256 hash of a
-view name with a F<.mkeys> extension added.
-
-=head1 AUTHOR
-
-=over
-
-=item Written by Tony Finch
-
-=item at the University of Cambridge Computing Service.
-
-=item You may do anything with this. It has no warranty.
-
-=item L
-
-=back
-
-=head1 SEE ALSO
-
-dig(1), named(8)
-
-=cut
diff --git a/contrib/scripts/zone-edit.sh.in b/contrib/scripts/zone-edit.sh.in
deleted file mode 100644
index 92f8052d07..0000000000
--- a/contrib/scripts/zone-edit.sh.in
+++ /dev/null
@@ -1,144 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-dir=/tmp/zone-edit.$$
-mkdir ${dir} || exit 1
-trap "/bin/rm -rf ${dir}" 0
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-bindir=@bindir@
-
-dig=${bindir}/dig
-checkzone=${bindir}/named-checkzone
-nsupdate=${bindir}/nsupdate
-
-case $# in
- 0)
- echo "Usage: zone-edit [dig options] [ -- nsupdate options ]"
- exit 0
- ;;
-esac
-
-# What kind of echo are we using?
-try=$(echo -n "")
-if test "X$try" = "X-n "; then
- echo_arg=""
- bsc="\\c"
-else
- echo_arg="-n"
- bsc=""
-fi
-
-zone="${1}"
-shift
-digopts=
-while test $# -ne 0; do
- case "${1}" in
- --)
- shift
- break
- ;;
- *)
- digopts="$digopts $1"
- shift
- ;;
- esac
-done
-
-${dig} axfr "$zone" $digopts \
- | awk '$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next; } { print; }' >${dir}/old
-
-if test -s ${dir}/old; then
- ${checkzone} -q -D "$zone" ${dir}/old >${dir}/ooo
-fi
-
-if test -s ${dir}/ooo; then
- cp ${dir}/ooo ${dir}/new
- while :; do
- if ${VISUAL:-${EDITOR:-/bin/ed}} ${dir}/new; then
- if ${checkzone} -q -D "$zone" ${dir}/new >${dir}/nnn; then
- sort ${dir}/ooo >${dir}/s1
- sort ${dir}/nnn >${dir}/s2
- comm -23 ${dir}/s1 ${dir}/s2 \
- | sed 's/^/update delete /' >${dir}/ccc
- comm -13 ${dir}/s1 ${dir}/s2 \
- | sed 's/^/update add /' >>${dir}/ccc
- if test -s ${dir}/ccc; then
- cat ${dir}/ccc | more
- while :; do
- echo ${echo_arg} "Update (u), Abort (a), Redo (r), Modify (m), Display (d) : $bsc"
- read ans
- case "$ans" in
- u)
- (
- echo zone "$zone"
- cat ${dir}/ccc
- echo send
- ) | ${nsupdate} "$@"
- break 2
- ;;
- a)
- break 2
- ;;
- d)
- cat ${dir}/ccc | more
- ;;
- r)
- cp ${dir}/ooo ${dir}/new
- break
- ;;
- m)
- break
- ;;
- esac
- done
- else
- while :; do
- echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc"
- read ans
- case "$ans" in
- a)
- break 2
- ;;
- r)
- cp ${dir}/ooo ${dir}/new
- break
- ;;
- m)
- break
- ;;
- esac
- done
- fi
- else
- while :; do
- echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc"
- read ans
- case "$ans" in
- a)
- break 2
- ;;
- r)
- cp ${dir}/ooo ${dir}/new
- break
- ;;
- m)
- break
- ;;
- esac
- done
- fi
- fi
- done
-fi