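#!/usr/bin/env bash

# Create outdated zones.
# Generate a fresh ECDSAP256SHA256 key for dnssec-failures.test; ldns-keygen
# prints the base name of the key files it wrote, which is kept in CSK.
CSK=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test) || {
	echo "ldns-keygen failed for dnssec-failures.test" >&2
	exit 1
}
# An empty name must stop the script here: later steps run "rm -f $CSK.*",
# which with an empty CSK expands to "rm -f .*" in the current directory.
if [[ -z "$CSK" ]]; then
	echo "ldns-keygen returned an empty key name" >&2
	exit 1
fi
echo "$CSK"

# Start bogus/trust-anchors from scratch: the DS record of the new key first,
# then the root-zone DS record read from stdin ("-").
echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \
	cat "$CSK.ds" - > bogus/trust-anchors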
9
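# The offsets below need a date(1) that accepts "-d <expression>".
# On macOS that is "gdate", so prefer it when it is installed.
DATE=date
if command -v gdate > /dev/null 2>&1; then
	DATE=gdate
fi

# Validity-window boundaries in YYYYMMDD form. Despite their names, YESTERDAY
# and TOMORROW are two days in the past and two days in the future.
# Stop on failure: an empty value would otherwise vanish from the unquoted
# ldns-signzone command lines and shift the arguments after -i / -e.
ONEMONTHAGO=$("$DATE" -d 'now - 1 month' +%Y%m%d) || exit 1
YESTERDAY=$("$DATE" -d 'now - 2 days' +%Y%m%d) || exit 1
TOMORROW=$("$DATE" -d 'now + 2 days' +%Y%m%d) || exit 1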
17
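# Refuse to sign with missing inputs. The checks sit outside the pipelines
# because a failed ${var:?} inside a pipeline stage only ends that stage.
: "${CSK:?signing key name is empty}"
: "${ONEMONTHAGO:?ONEMONTHAGO is empty}" "${YESTERDAY:?YESTERDAY is empty}" "${TOMORROW:?TOMORROW is empty}"

# Base zone, signatures incepted at $YESTERDAY. After signing:
#  - drop the RRSIG lines over TXT at missingrrsigs.dnssec-failures.test,
#  - change the text "Signatures invalid" so the signed data no longer
#    matches what was signed,
#  - drop the TXT and RRSIG-over-TXT lines of the notyetincepted and expired
#    names; they are re-added below with different validity windows.
ldns-signzone -i "$YESTERDAY" -f - bogus/dnssec-failures.test "$CSK" | \
	grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
	sed 's/Signatures invalid/Signatures INVALID/g' | \
	grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
	grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
	grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \
	grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base

# Signatures valid from one month ago until $YESTERDAY, i.e. already expired.
# NSEC lines are removed first, then only the lines of the expired name that
# match IN...TXT are kept (the pattern also matches an RRSIG line over TXT).
ldns-signzone -i "$ONEMONTHAGO" -e "$YESTERDAY" -f - bogus/dnssec-failures.test "$CSK" | \
	grep -v '[	]NSEC[	]' | \
	grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired

# Signatures incepted at $TOMORROW, i.e. not yet valid; same filtering for
# the notyetincepted name.
ldns-signzone -i "$TOMORROW" -f - bogus/dnssec-failures.test "$CSK" | \
	grep -v '[	]NSEC[	]' | \
	grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted

# Assemble the final signed zone from the three pieces.
cat base expired notyetincepted > bogus/dnssec-failures.test.signed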
33
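# Clean up the previous zone's key files. The :? guard aborts the script when
# CSK is empty, where the unguarded glob would expand to "rm -f .*".
rm -f -- "${CSK:?key name is empty, refusing to remove .*}".*

# Create a zone with its DNSKEY records missing.
CSK=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnskey-failures.test) || {
	echo "ldns-keygen failed for dnskey-failures.test" >&2
	exit 1
}
if [[ -z "$CSK" ]]; then
	echo "ldns-keygen returned an empty key name" >&2
	exit 1
fi
echo "$CSK"
# Append this key's DS record to the trust anchors.
cat "$CSK.ds" >> bogus/trust-anchors

# Stop if signing fails, so the grep below never filters a tmp.signed that is
# missing or left over from an earlier step.
ldns-signzone -f tmp.signed bogus/dnskey-failures.test "$CSK" || exit 1
# Publish the signed zone without the lines that contain tab-delimited DNSKEY.
grep -v '	DNSKEY	' tmp.signed > bogus/dnskey-failures.test.signed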
43
44
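# Clean up the previous zone's key files. The :? guard aborts the script when
# CSK is empty, where the unguarded glob would expand to "rm -f .*".
rm -f -- "${CSK:?key name is empty, refusing to remove .*}".*

# Create a zone with its NSEC records missing.
CSK=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom nsec-failures.test) || {
	echo "ldns-keygen failed for nsec-failures.test" >&2
	exit 1
}
if [[ -z "$CSK" ]]; then
	echo "ldns-keygen returned an empty key name" >&2
	exit 1
fi
echo "$CSK"
# Append this key's DS record to the trust anchors.
cat "$CSK.ds" >> bogus/trust-anchors

# Stop if signing fails, so the grep below never filters a tmp.signed that is
# missing or left over from an earlier step.
ldns-signzone -f tmp.signed bogus/nsec-failures.test "$CSK" || exit 1
# Publish the signed zone without the lines that contain tab-delimited NSEC.
grep -v '	NSEC	' tmp.signed > bogus/nsec-failures.test.signed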
54
55
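# Clean up the previous zone's key files. The :? guard aborts the script when
# CSK is empty, where the unguarded glob would expand to "rm -f .*".
rm -f -- "${CSK:?key name is empty, refusing to remove .*}".*

# Create a zone with its RRSIG records missing.
CSK=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom rrsig-failures.test) || {
	echo "ldns-keygen failed for rrsig-failures.test" >&2
	exit 1
}
if [[ -z "$CSK" ]]; then
	echo "ldns-keygen returned an empty key name" >&2
	exit 1
fi
echo "$CSK"
# Append this key's DS record to the trust anchors.
cat "$CSK.ds" >> bogus/trust-anchors

# Stop if signing fails, so the grep below never filters a tmp.signed that is
# missing or left over from an earlier step.
ldns-signzone -f tmp.signed bogus/rrsig-failures.test "$CSK" || exit 1
# Publish the signed zone without the lines that contain tab-delimited RRSIG.
grep -v '	RRSIG	' tmp.signed > bogus/rrsig-failures.test.signed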
65
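# Cleanup: the intermediate files are always removed.
rm -f base expired notyetincepted tmp.signed
# Remove the last key's files only when the key name is known; with an empty
# CSK the glob would be ".*" and match dotfiles in the current directory.
if [[ -n "${CSK:-}" ]]; then
	rm -f -- "$CSK".*
fi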