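#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Generate the keys and signed zone files served by ns3 in this system test.
#
# Every zone below follows the same shape: generate key(s) with $KEYGEN,
# concatenate the unsigned template (*.db.in) with the public key file(s)
# into the zone file, then sign it with $SIGNER.  A number of zones are then
# deliberately damaged after signing (algorithm numbers rewritten to
# unknown/unsupported values, expired or future signature times, private
# keys removed, signer name forced to upper case, RRSIG signer pointed at a
# nonexistent key) so that the validators under test see specific failure
# modes.  The tool variables, *_ALGORITHM/*_BITS, echo_i and the
# keyfile_to_* helpers all come from conf.sh.
#
# NOTE(review): this runs under plain sh with "set -e" only.  A failure on
# the producer side of the few pipelines below ($CHECKZONE | awk, awk |
# $DSFROMKEY) is not fatal and would leave an empty output file instead of
# aborting the script.

# shellcheck source=conf.sh
. ../../conf.sh

set -e

echo_i "ns3/sign.sh"

infile=key.db.in
for tld in managed trusted; do
  # A secure zone to test.
  zone=secure.${tld}
  zonefile=${zone}.db

  keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
  cat "$infile" "$keyname1.key" >"$zonefile"
  "$SIGNER" -z -P -3 - -o "$zone" -O full -f "${zonefile}.signed" "$zonefile" >/dev/null

  # Zone to test trust anchor that matches disabled algorithm.
  zone=disabled.${tld}
  zonefile=${zone}.db

  keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
  cat "$infile" "$keyname2.key" >"$zonefile"
  "$SIGNER" -z -P -3 - -o "$zone" -O full -f "${zonefile}.signed" "$zonefile" >/dev/null

  # Zone to test trust anchor that has disabled algorithm for other domain.
  zone=enabled.${tld}
  zonefile=${zone}.db

  keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
  cat "$infile" "$keyname3.key" >"$zonefile"
  "$SIGNER" -z -P -3 - -o "$zone" -O full -f "${zonefile}.signed" "$zonefile" >/dev/null

  # Zone to test trust anchor with unsupported algorithm.
  zone=unsupported.${tld}
  zonefile=${zone}.db

  keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
  cat "$infile" "$keyname4.key" >"$zonefile"
  "$SIGNER" -z -3 - -o "$zone" -O full -f "${zonefile}.tmp" "$zonefile" >/dev/null
  # Rewrite the algorithm field (column 7 of a DNSKEY, column 6 of an RRSIG
  # in "-O full" output) to 255, a value no validator supports.
  awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' "${zonefile}.tmp" >"${zonefile}.signed"

  # Make trusted-keys and managed keys conf sections for ns8.
  # The public key file gets the same algorithm rewrite so the trust anchor
  # handed to ns8 matches the (now unsupported) DNSKEY in the zone.  The
  # owner name is passed to awk with -v rather than spliced into the program.
  mv "${keyname4}.key" "${keyname4}.tmp"
  awk -v owner="unsupported.${tld}." '$1 == owner { $6 = 255 } { print }' "${keyname4}.tmp" >"${keyname4}.key"

  # Zone to test trust anchor that is revoked.
  zone=revoked.${tld}
  zonefile=${zone}.db

  keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
  cat "$infile" "$keyname5.key" >"$zonefile"
  "$SIGNER" -z -P -3 - -o "$zone" -O full -f "${zonefile}.signed" "$zonefile" >/dev/null

  case "$tld" in
    "managed")
      keyfile_to_initial_keys "$keyname1" "$keyname2" "$keyname3" "$keyname4" "$keyname5" >../ns8/managed.conf
      ;;
    "trusted")
      keyfile_to_static_keys "$keyname1" "$keyname2" "$keyname3" "$keyname4" "$keyname5" >../ns8/trusted.conf
      ;;
  esac
done

echo_i "ns3/sign.sh: example zones"

zone=secure.example.
infile=secure.example.db.in
zonefile=secure.example.db

cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"

# -D writes only the generated DNSSEC records, so the unsigned zone data is
# prepended to produce a complete, loadable signed zone.
"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
mv "$zonefile".tmp "$zonefile".signed

zone=bogus.example.
infile=bogus.example.db.in
zonefile=bogus.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null

zone=dynamic.example.
infile=dynamic.example.db.in
zonefile=dynamic.example.db

keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

"$SIGNER" -o "$zone" "$zonefile" >/dev/null

zone=keyless.example.
infile=generic.example.db.in
zonefile=keyless.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null

# Change the signer field of the a.b.keyless.example RRSIG A
# to point to a provably nonexistent DNSKEY record.
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
mv "$zonefile.signed" "$zonefiletmp"
"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/
  if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed"
rm -f "$zonefiletmp"

#
# NSEC3/NSEC test zone
#
zone=secure.nsec3.example.
infile=secure.nsec3.example.db.in
zonefile=secure.nsec3.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null

#
# NSEC3/NSEC3 test zone
#
zone=nsec3.nsec3.example.
infile=nsec3.nsec3.example.db.in
zonefile=nsec3.nsec3.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null

#
# OPTOUT/NSEC3 test zone
#
zone=optout.nsec3.example.
infile=optout.nsec3.example.db.in
zonefile=optout.nsec3.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null

#
# A nsec3 zone (non-optout).
#
zone=nsec3.example.
infile=nsec3.example.db.in
zonefile=nsec3.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" >/dev/null

#
# OPTOUT/NSEC test zone
#
zone=secure.optout.example.
infile=secure.optout.example.db.in
zonefile=secure.optout.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null

#
# OPTOUT/NSEC3 test zone
#
zone=nsec3.optout.example.
infile=nsec3.optout.example.db.in
zonefile=nsec3.optout.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null

#
# OPTOUT/OPTOUT test zone
#
zone=optout.optout.example.
infile=optout.optout.example.db.in
zonefile=optout.optout.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null

#
# A optout nsec3 zone.
#
zone=optout.example.
infile=optout.example.db.in
zonefile=optout.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" >/dev/null

#
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
#
zone=nsec3-unknown.example.
infile=nsec3-unknown.example.db.in
zonefile=nsec3-unknown.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" >/dev/null

#
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
#
zone=optout-unknown.example.
infile=optout-unknown.example.db.in
zonefile=optout-unknown.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" >/dev/null

#
# A zone that is signed with an unknown DNSKEY algorithm.
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone=dnskey-unknown.example
infile=dnskey-unknown.example.db.in
zonefile=dnskey-unknown.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -o "$zone" -O full -f "${zonefile}.tmp" "$zonefile" >/dev/null

# Rewrite the algorithm field of every DNSKEY and RRSIG; the DS set is then
# derived from the rewritten zone so that it carries the same algorithm.
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' "${zonefile}.tmp" >"${zonefile}.signed"

DSFILE="dsset-${zone}."
$DSFROMKEY -A -f "${zonefile}.signed" "$zone" >"$DSFILE"

#
# A zone that is signed with an unsupported DNSKEY algorithm (3).
# Algorithm 7 is replaced by 255 in the zone and dsset.
#
zone=dnskey-unsupported.example
infile=dnskey-unsupported.example.db.in
zonefile=dnskey-unsupported.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -o "$zone" -O full -f "${zonefile}.tmp" "$zonefile" >/dev/null

awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' "${zonefile}.tmp" >"${zonefile}.signed"

DSFILE="dsset-${zone}."
$DSFROMKEY -A -f "${zonefile}.signed" "$zone" >"$DSFILE"

#
# A zone with a published unsupported DNSKEY algorithm (Reserved).
# Different from above because this key is not intended for signing.
#
zone=dnskey-unsupported-2.example
infile=dnskey-unsupported-2.example.db.in
zonefile=dnskey-unsupported-2.example.db

ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

# unsupported-algorithm.key is a pre-existing key file, not generated here;
# it is only published in the zone, never used to sign.
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"

"$SIGNER" -3 - -o "$zone" -f "${zonefile}.signed" "$zonefile" >/dev/null

#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone=dnskey-nsec3-unknown.example
infile=dnskey-nsec3-unknown.example.db.in
zonefile=dnskey-nsec3-unknown.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -z -3 - -o "$zone" -PU -O full -f "${zonefile}.tmp" "$zonefile" >/dev/null

# Same rewrite as dnskey-unknown.example.  The pattern actions must not
# print themselves: with an extra "print" there, every DNSKEY and RRSIG
# record was emitted twice (once rewritten, once by the catch-all).
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' "${zonefile}.tmp" >"${zonefile}.signed"

DSFILE="dsset-${zone}."
$DSFROMKEY -A -f "${zonefile}.signed" "$zone" >"$DSFILE"

#
# A multiple parameter nsec3 zone.
#
zone=multiple.example.
infile=multiple.example.db.in
zonefile=multiple.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

# Sign the zone repeatedly with different NSEC3 parameters, collecting the
# NSEC/NSEC3 chains (and their RRSIGs) from each pass, then append all of
# them to the final signed zone.
"$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC
"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3
"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null
cat NSEC NSEC3 >>"$zonefile".signed

#
# A RSASHA256 zone.
#
zone=rsasha256.example.
infile=rsasha256.example.db.in
zonefile=rsasha256.example.db

keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

#
# A RSASHA512 zone.
#
zone=rsasha512.example.
infile=rsasha512.example.db.in
zonefile=rsasha512.example.db

keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

#
# A zone with the DNSKEY set only signed by the KSK
#
zone=kskonly.example.
infile=kskonly.example.db.in
zonefile=kskonly.example.db

kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null

#
# A zone with the expired signatures
#
zone=expired.example.
infile=expired.example.db.in
zonefile=expired.example.db

kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null
# Delete the key files so the expired signatures cannot be regenerated.
# The ".*" must stay outside the quotes for the glob to expand; a quoted
# "$kskname.*" is a literal filename and removes nothing.
rm -f "$kskname".* "$zskname".*

#
# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
#
zone=update-nsec3.example.
infile=update-nsec3.example.db.in
zonefile=update-nsec3.example.db

kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null

#
# A NSEC signed zone that will have dnssec-policy enabled and
# extra keys not in the initial signed zone.
#
zone=auto-nsec.example.
infile=auto-nsec.example.db.in
zonefile=auto-nsec.example.db

kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
# The alternative-algorithm keys are generated but deliberately left out of
# the zone file; only the default-algorithm keys are published and used.
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" >/dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" >/dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

#
# A NSEC3 signed zone that will have dnssec-policy enabled and
# extra keys not in the initial signed zone.
#
zone=auto-nsec3.example.
infile=auto-nsec3.example.db.in
zonefile=auto-nsec3.example.db

kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" >/dev/null
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" >/dev/null
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null

#
# Secure below cname test zone.
#
zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

#
# Patched TTL test zone.
#
zone=ttlpatch.example.
infile=ttlpatch.example.db.in
zonefile=ttlpatch.example.db
signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" >"$zonefile"

# Dump the signed zone in full form and force every record's TTL (column 2)
# to 3600 after signing, so the TTLs no longer match what was signed.
"$SIGNER" -P -f "$signedfile" -o "$zone" "$zonefile" >/dev/null
$CHECKZONE -D -s full "$zone" "$signedfile" 2>/dev/null \
  | awk '{$2 = "3600"; print}' >"$patchedfile"

#
# Separate DNSSEC records.
#
zone=split-dnssec.example.
infile=split-dnssec.example.db.in
zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" >"$zonefile"
# The zone file $INCLUDEs the (initially empty) file that -D will fill with
# the DNSSEC records.
echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
: >"$signedfile"
"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null

#
# Separate DNSSEC records smart signing.
#
zone=split-smart.example.
infile=split-smart.example.db.in
zonefile=split-smart.example.db
signedfile=split-smart.example.db.signed

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cp "$infile" "$zonefile"
# shellcheck disable=SC2016
echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
: >"$signedfile"
"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null

#
# Zone with signatures about to expire, but no private key to replace them
#
zone="expiring.example."
infile="expiring.example.db.in"
zonefile="expiring.example.db"
signedfile="expiring.example.db.signed"
# Smart signing (-S) picks the keys up from the directory, so the key files
# are not concatenated into the zone file here.
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null
# Move the private keys out of the way so the signatures cannot be renewed.
mv -f "${zskname}.private" "${zskname}.private.moved"
mv -f "${kskname}.private" "${kskname}.private.moved"

#
# A zone where the signer's name has been forced to uppercase.
#
zone="upper.example."
infile="upper.example.db.in"
zonefile="upper.example.db"
lower="upper.example.db.lower"
signedfile="upper.example.db.signed"
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" -f "$lower" "$zonefile" >/dev/null
$CHECKZONE -D upper.example "$lower" 2>/dev/null \
  | sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >"$signedfile"

#
# Check that the signer's name is in lower case when zone name is in
# upper case.
#
zone="LOWER.EXAMPLE."
infile="lower.example.db.in"
zonefile="lower.example.db"
signedfile="lower.example.db.signed"
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null

#
# An inline signing zone
#
# Only the keys are generated here; no zone file is signed by this script.
zone=inline.example.
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")

#
# A zone which will change its signatures-validity
#
# Keys and the unsigned zone file are prepared; the zone is not signed here.
zone=siginterval.example
infile=siginterval.example.db.in
zonefile=siginterval.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cp "$infile" "$zonefile"

#
# A zone with a bad DS in the parent
# (sourced from bogus.example.db.in)
#
zone=badds.example.
infile=bogus.example.db.in
zonefile=badds.example.db

keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
# The DS set is copied from bogus.example (with the name rewritten), so the
# parent's DS does not match the key that actually signed badds.example.
sed -e 's/bogus/badds/g' <dsset-bogus.example. >dsset-badds.example.

#
# A zone with future signatures.
#
zone=future.example
infile=future.example.db.in
zonefile=future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
cp -f "$kskname.key" trusted-future.key

#
# Another zone with future signatures.
#
zone=managed-future.example
infile=managed-future.example.db.in
zonefile=managed-future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null

#
# A zone with a revoked key
#
zone=revkey.example.
infile=generic.example.db.in
zonefile=revkey.example.db

# $REVOKE prints the name of the revoked key, which replaces ksk1.
ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
ksk1=$("$REVOKE" "$ksk1")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")

cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
zone=dname-at-apex-nsec3.example
infile=dname-at-apex-nsec3.example.db.in
zonefile=dname-at-apex-nsec3.example.db

kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null

#
# A NSEC zone with occluded data at the delegation
#
zone=occluded.example
infile=occluded.example.db.in
zonefile=occluded.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
# A DNSKEY and a KEY record at the delegation name are published in the
# parent zone (below the cut), together with the child's DS set.
dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -n HOST -T KEY "delegation.$zone")
$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
  "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

#
# Pre-signed zone for FIPS validation of RSASHA1 signed zones
# See sign-rsasha1.sh for how to regenerate rsasha1.example.db
# with non-FIPS compliant instance.
#
# We only need to generate the dsset.
#
# Only the KSK (flags field 257) is fed to $DSFROMKEY.
zone=rsasha1.example
zonefile=rsasha1.example.db
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
  | $DSFROMKEY -f - "$zone" >"dsset-${zone}."

zone=rsasha1-1024.example
zonefile=rsasha1-1024.example.db
awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
  | $DSFROMKEY -f - "$zone" >"dsset-${zone}."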