external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh

   1 #!/bin/sh -e
   2 #
   3 # Copyright (C) 2004, 2006-2015  Internet Systems Consortium, Inc. ("ISC")
   4 # Copyright (C) 2000-2002  Internet Software Consortium.
   5 #
   6 # Permission to use, copy, modify, and/or distribute this software for any
   7 # purpose with or without fee is hereby granted, provided that the above
   8 # copyright notice and this permission notice appear in all copies.
   9 #
  10 # THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  11 # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  12 # AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  13 # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  14 # LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  15 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  16 # PERFORMANCE OF THIS SOFTWARE.
  17
  18 SYSTEMTESTTOP=../..
  19 . $SYSTEMTESTTOP/conf.sh
  20
  21 zone=secure.example.
  22 infile=secure.example.db.in
  23 zonefile=secure.example.db
  24
  25 cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone`
  26 dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone`
  27 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
  28
  29 cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile
  30
  31 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
  32
  33 zone=bogus.example.
  34 infile=bogus.example.db.in
  35 zonefile=bogus.example.db
  36
  37 keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
  38
  39 cat $infile $keyname.key >$zonefile
  40
  41 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
  42
  43 zone=dynamic.example.
  44 infile=dynamic.example.db.in
  45 zonefile=dynamic.example.db
  46
  47 keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
  48 keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
  49
  50 cat $infile $keyname1.key $keyname2.key >$zonefile
  51
  52 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
  53
  54 zone=keyless.example.
  55 infile=keyless.example.db.in
  56 zonefile=keyless.example.db
  57
  58 keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
  59
  60 cat $infile $keyname.key >$zonefile
  61
  62 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
  63
  64 # Change the signer field of the a.b.keyless.example SIG A
  65 # to point to a provably nonexistent KEY record.
  66 mv $zonefile.signed $zonefile.tmp
  67 <$zonefile.tmp $PERL -p -e 's/ keyless.example/ b.keyless.example/
  68     if /^a.b.keyless.example/../NXT/;' >$zonefile.signed
  69 rm -f $zonefile.tmp
  70
  71 #
  72 #  NSEC3/NSEC test zone
  73 #
  74 zone=secure.nsec3.example.
  75 infile=secure.nsec3.example.db.in
  76 zonefile=secure.nsec3.example.db
  77
  78 keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
  79
  80 cat $infile $keyname.key >$zonefile
  81
  82 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
  83
  84 #
  85 #  NSEC3/NSEC3 test zone
  86 #
  87 zone=nsec3.nsec3.example.
  88 infile=nsec3.nsec3.example.db.in
  89 zonefile=nsec3.nsec3.example.db
  90
  91 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
  92
  93 cat $infile $keyname.key >$zonefile
  94
  95 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
  96
  97 #
  98 #  OPTOUT/NSEC3 test zone
  99 #
 100 zone=optout.nsec3.example.
 101 infile=optout.nsec3.example.db.in
 102 zonefile=optout.nsec3.example.db
 103
 104 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 105
 106 cat $infile $keyname.key >$zonefile
 107
 108 $SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 109
 110 #
 111 # A nsec3 zone (non-optout).
 112 #
 113 zone=nsec3.example.
 114 infile=nsec3.example.db.in
 115 zonefile=nsec3.example.db
 116
 117 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 118
 119 cat $infile $keyname.key >$zonefile
 120
 121 $SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 122
 123 #
 124 #  OPTOUT/NSEC test zone
 125 #
 126 zone=secure.optout.example.
 127 infile=secure.optout.example.db.in
 128 zonefile=secure.optout.example.db
 129
 130 keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 131
 132 cat $infile $keyname.key >$zonefile
 133
 134 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 135
 136 #
 137 #  OPTOUT/NSEC3 test zone
 138 #
 139 zone=nsec3.optout.example.
 140 infile=nsec3.optout.example.db.in
 141 zonefile=nsec3.optout.example.db
 142
 143 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 144
 145 cat $infile $keyname.key >$zonefile
 146
 147 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 148
 149 #
 150 #  OPTOUT/OPTOUT test zone
 151 #
 152 zone=optout.optout.example.
 153 infile=optout.optout.example.db.in
 154 zonefile=optout.optout.example.db
 155
 156 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 157
 158 cat $infile $keyname.key >$zonefile
 159
 160 $SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 161
 162 #
 163 # A optout nsec3 zone.
 164 #
 165 zone=optout.example.
 166 infile=optout.example.db.in
 167 zonefile=optout.example.db
 168
 169 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 170
 171 cat $infile $keyname.key >$zonefile
 172
 173 $SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 174
 175 #
 176 # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
 177 #
 178 zone=nsec3-unknown.example.
 179 infile=nsec3-unknown.example.db.in
 180 zonefile=nsec3-unknown.example.db
 181
 182 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 183
 184 cat $infile $keyname.key >$zonefile
 185
 186 $SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 187
 188 #
 189 # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
 190 #
 191 zone=optout-unknown.example.
 192 infile=optout-unknown.example.db.in
 193 zonefile=optout-unknown.example.db
 194
 195 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 196
 197 cat $infile $keyname.key >$zonefile
 198
 199 $SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 200
 201 #
 202 # A zone with a unknown DNSKEY algorithm.
 203 # Algorithm 7 is replaced by 100 in the zone and dsset.
 204 #
 205 zone=dnskey-unknown.example.
 206 infile=dnskey-unknown.example.db.in
 207 zonefile=dnskey-unknown.example.db
 208
 209 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 210
 211 cat $infile $keyname.key >$zonefile
 212
 213 $SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
 214
 215 awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
 216
 217 $DSFROMKEY -A -f ${zonefile}.signed $zone > dsset-${zone}
 218
 219 #
 220 # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
 221 # Algorithm 7 is replaced by 100 in the zone and dsset.
 222 #
 223 zone=dnskey-nsec3-unknown.example.
 224 infile=dnskey-nsec3-unknown.example.db.in
 225 zonefile=dnskey-nsec3-unknown.example.db
 226
 227 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 228
 229 cat $infile $keyname.key >$zonefile
 230
 231 $SIGNER -P -3 - -r $RANDFILE -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
 232
 233 awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
 234
 235 $DSFROMKEY -A -f ${zonefile}.signed $zone > dsset-${zone}
 236
 237 #
 238 # A multiple parameter nsec3 zone.
 239 #
 240 zone=multiple.example.
 241 infile=multiple.example.db.in
 242 zonefile=multiple.example.db
 243
 244 keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 245
 246 cat $infile $keyname.key >$zonefile
 247
 248 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 249 mv $zonefile.signed $zonefile
 250 $SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 251 mv $zonefile.signed $zonefile
 252 $SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 253 mv $zonefile.signed $zonefile
 254 $SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 255 mv $zonefile.signed $zonefile
 256 $SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 257 mv $zonefile.signed $zonefile
 258 $SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 259
 260 #
 261 # A RSASHA256 zone.
 262 #
 263 zone=rsasha256.example.
 264 infile=rsasha256.example.db.in
 265 zonefile=rsasha256.example.db
 266
 267 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
 268
 269 cat $infile $keyname.key >$zonefile
 270
 271 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 272
 273 #
 274 # A RSASHA512 zone.
 275 #
 276 zone=rsasha512.example.
 277 infile=rsasha512.example.db.in
 278 zonefile=rsasha512.example.db
 279
 280 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
 281
 282 cat $infile $keyname.key >$zonefile
 283
 284 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 285
 286 #
 287 # A zone with the DNSKEY set only signed by the KSK
 288 #
 289 zone=kskonly.example.
 290 infile=kskonly.example.db.in
 291 zonefile=kskonly.example.db
 292
 293 kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
 294 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 295 cat $infile $kskname.key $zskname.key >$zonefile
 296 $SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 297
 298 #
 299 # A zone with the expired signatures
 300 #
 301 zone=expired.example.
 302 infile=expired.example.db.in
 303 zonefile=expired.example.db
 304
 305 kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
 306 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 307 cat $infile $kskname.key $zskname.key >$zonefile
 308 $SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
 309 rm -f $kskname.* $zskname.*
 310
 311 #
 312 # A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
 313 #
 314 zone=update-nsec3.example.
 315 infile=update-nsec3.example.db.in
 316 zonefile=update-nsec3.example.db
 317
 318 kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 319 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 320 cat $infile $kskname.key $zskname.key >$zonefile
 321 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 322
 323 #
 324 # A NSEC signed zone that will have auto-dnssec enabled and
 325 # extra keys not in the initial signed zone.
 326 #
 327 zone=auto-nsec.example.
 328 infile=auto-nsec.example.db.in
 329 zonefile=auto-nsec.example.db
 330
 331 kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
 332 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 333 kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
 334 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 335 cat $infile $kskname.key $zskname.key >$zonefile
 336 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 337
 338 #
 339 # A NSEC3 signed zone that will have auto-dnssec enabled and
 340 # extra keys not in the initial signed zone.
 341 #
 342 zone=auto-nsec3.example.
 343 infile=auto-nsec3.example.db.in
 344 zonefile=auto-nsec3.example.db
 345
 346 kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 347 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 348 kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 349 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 350 cat $infile $kskname.key $zskname.key >$zonefile
 351 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 352
 353 #
 354 # Secure below cname test zone.
 355 #
 356 zone=secure.below-cname.example.
 357 infile=secure.below-cname.example.db.in
 358 zonefile=secure.below-cname.example.db
 359 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 360 cat $infile $keyname.key >$zonefile
 361 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 362
 363 #
 364 # Patched TTL test zone.
 365 #
 366 zone=ttlpatch.example.
 367 infile=ttlpatch.example.db.in
 368 zonefile=ttlpatch.example.db
 369 signedfile=ttlpatch.example.db.signed
 370 patchedfile=ttlpatch.example.db.patched
 371
 372 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 373 cat $infile $keyname.key >$zonefile
 374
 375 $SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
 376 $CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \
 377     awk '{$2 = "3600"; print}' > $patchedfile
 378
 379 #
 380 # Seperate DNSSEC records.
 381 #
 382 zone=split-dnssec.example.
 383 infile=split-dnssec.example.db.in
 384 zonefile=split-dnssec.example.db
 385 signedfile=split-dnssec.example.db.signed
 386
 387 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 388 cat $infile $keyname.key >$zonefile
 389 echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 390 : > $signedfile
 391 $SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
 392
 393 #
 394 # Seperate DNSSEC records smart signing.
 395 #
 396 zone=split-smart.example.
 397 infile=split-smart.example.db.in
 398 zonefile=split-smart.example.db
 399 signedfile=split-smart.example.db.signed
 400
 401 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 402 cp $infile $zonefile
 403 echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 404 : > $signedfile
 405 $SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
 406
 407 #
 408 # Zone with signatures about to expire, but no private key to replace them
 409 #
 410 zone="expiring.example."
 411 infile="expiring.example.db.in"
 412 zonefile="expiring.example.db"
 413 signedfile="expiring.example.db.signed"
 414 kskname=`$KEYGEN -q -r $RANDFILE $zone`
 415 zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 416 cp $infile $zonefile
 417 $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
 418 mv -f ${zskname}.private ${zskname}.private.moved
 419 mv -f ${kskname}.private ${kskname}.private.moved
 420
 421 #
 422 # A zone where the signer's name has been forced to uppercase.
 423 #
 424 zone="upper.example."
 425 infile="upper.example.db.in"
 426 zonefile="upper.example.db"
 427 lower="upper.example.db.lower"
 428 signedfile="upper.example.db.signed"
 429 kskname=`$KEYGEN -q -r $RANDFILE $zone`
 430 zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 431 cp $infile $zonefile
 432 $SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1
 433 $CHECKZONE -D upper.example $lower 2>&- | \
 434         sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
 435
 436 #
 437 # Check that the signer's name is in lower case when zone name is in
 438 # upper case.
 439 #
 440 zone="LOWER.EXAMPLE."
 441 infile="lower.example.db.in"
 442 zonefile="lower.example.db"
 443 signedfile="lower.example.db.signed"
 444 kskname=`$KEYGEN -q -r $RANDFILE $zone`
 445 zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 446 cp $infile $zonefile
 447 $SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 448
 449 #
 450 # Zone with signatures about to expire, and dynamic, but configured
 451 # not to resign with 'auto-resign no;'
 452 #
 453 zone="nosign.example."
 454 infile="nosign.example.db.in"
 455 zonefile="nosign.example.db"
 456 signedfile="nosign.example.db.signed"
 457 kskname=`$KEYGEN -q -r $RANDFILE $zone`
 458 zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 459 cp $infile $zonefile
 460 $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
 461 # preserve a normalized copy of the NS RRSIG for comparison later
 462 $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
 463         awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
 464         sed 's/[        ][      ]*/ /g'> ../nosign.before
 465
 466 #
 467 # An inline signing zone
 468 #
 469 zone=inline.example.
 470 kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 471 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 472
 473 #
 474 # publish a new key while deactivating another key at the same time.
 475 #
 476 zone=publish-inactive.example
 477 infile=publish-inactive.example.db.in
 478 zonefile=publish-inactive.example.db
 479 now=`date -u +%Y%m%d%H%M%S`
 480 kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 481 kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone`
 482 kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
 483 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 484 cp $infile $zonefile
 485 $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 486
 487 #
 488 # A zone which will change its sig-validity-interval
 489 #
 490 zone=siginterval.example
 491 infile=siginterval.example.db.in
 492 zonefile=siginterval.example.db
 493 kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 494 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 495 cp $infile $zonefile
 496
 497 #
 498 # A zone with future signatures.
 499 #
 500 zone=future.example
 501 infile=future.example.db.in
 502 zonefile=future.example.db
 503 kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 504 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 505 cat $infile $kskname.key $zskname.key >$zonefile
 506 $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 507 cp -f $kskname.key trusted-future.key