From dbeea1afa072da220c81f1f251c8a665cfceb0ce Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 18 Nov 2021 14:31:52 +1100 Subject: [PATCH] Don't use 'dnssec-signzone -P' unless necessary Most of the test zones in the dnssec system test can be verified. Use -z when only a single key is being used so that the verifier knows that only a single key is in use. --- bin/tests/system/dnssec/ns1/sign.sh | 2 +- bin/tests/system/dnssec/ns2/sign.sh | 32 +++++++++--------- bin/tests/system/dnssec/ns3/sign.sh | 50 ++++++++++++++--------------- bin/tests/system/dnssec/ns6/sign.sh | 2 +- 4 files changed, 43 insertions(+), 43 deletions(-) diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index e59e534c51..75de1cf256 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -36,7 +36,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 # Configure the resolving server with a staitc key. keyfile_to_static_ds "$ksk" > trusted.conf diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index af2717825f..6e3893b782 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -36,7 +36,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 zone=trusted. infile=key.db.in @@ -47,7 +47,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 # The "example." zone. zone=example. @@ -72,7 +72,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 # # lower/uppercase the signature bits with the exception of the last characters @@ -134,7 +134,7 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 # Sign the badparam secure file @@ -147,7 +147,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad" @@ -162,7 +162,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 # # algroll has just has the old DNSKEY records removed and is waiting @@ -180,7 +180,7 @@ keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" -"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1 +"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1 # # Make a zone big enough that it takes several seconds to generate a new @@ -204,7 +204,7 @@ done >> "$zonefile" key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$key1.key" "$key2.key" >> "$zonefile" -"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1 +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1 zone=cds.secure infile=cds.secure.db.in @@ -213,7 +213,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") "$DSFROMKEY" -C "$key1.key" > "$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cds-x.secure infile=cds.secure.db.in @@ -223,7 +223,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") "$DSFROMKEY" -C "$key2.key" > "$key2.cds" cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile" -"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cds-update.secure infile=cds-update.secure.db.in @@ -231,7 +231,7 @@ zonefile=cds-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cds-kskonly.secure infile=cds-kskonly.secure.db.in @@ -239,7 +239,7 @@ zonefile=cds-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 keyfile_to_key_id "$key1" > cds-kskonly.secure.id zone=cds-auto.secure @@ -257,7 +257,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cdnskey-x.secure infile=cdnskey.secure.db.in @@ -267,7 +267,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile" -"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cdnskey-update.secure infile=cdnskey-update.secure.db.in @@ -275,7 +275,7 @@ zonefile=cdnskey-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 zone=cdnskey-kskonly.secure infile=cdnskey-kskonly.secure.db.in @@ -283,7 +283,7 @@ zonefile=cdnskey-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id zone=cdnskey-auto.secure diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 59fd58d77c..d89287f1bf 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -49,7 +49,7 @@ do keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname4.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null + "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed # Make trusted-keys and managed keys conf sections for ns8. @@ -86,7 +86,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null zone=bogus.example. infile=bogus.example.db.in @@ -96,7 +96,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null zone=dynamic.example. infile=dynamic.example.db.in @@ -107,7 +107,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -o "$zone" "$zonefile" > /dev/null zone=keyless.example. infile=generic.example.db.in @@ -117,7 +117,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null # Change the signer field of the a.b.keyless.example SIG A # to point to a provably nonexistent KEY record. @@ -138,7 +138,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null # # NSEC3/NSEC3 test zone @@ -151,7 +151,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC3 test zone @@ -164,7 +164,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null # # A nsec3 zone (non-optout). @@ -177,7 +177,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC test zone @@ -190,7 +190,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC3 test zone @@ -203,7 +203,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/OPTOUT test zone @@ -216,7 +216,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null # # A optout nsec3 zone. @@ -229,7 +229,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). @@ -242,7 +242,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -255,7 +255,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null # # A zone that is signed with an unknown DNSKEY algorithm. @@ -269,7 +269,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -288,7 +288,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -308,7 +308,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null +"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). @@ -322,7 +322,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -340,17 +340,17 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -O full -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC -"$SIGNER" -P -O full -u3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3 -"$SIGNER" -P -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -P -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -P -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -P -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null cat NSEC NSEC3 >> "$zonefile".signed # diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh index 4eb2fa5b71..d308f4844b 100644 --- a/bin/tests/system/dnssec/ns6/sign.sh +++ b/bin/tests/system/dnssec/ns6/sign.sh @@ -24,4 +24,4 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1