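#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Setup for this test directory: generate DNSSEC keys for every test zone,
# write the signed zone files the test servers load, and collect the keys that
# ns3 is meant to treat as trust anchors into trusted-mirror.conf.

# "-e" in the shebang is lost when the script is started as "sh setup.sh", so
# request it explicitly: a failed key generation or signing step must abort
# the setup instead of leaving a half-prepared, silently unsigned zone behind.
set -e

. ../../conf.sh

# Space-separated list of key file basenames (as printed by $KEYGEN) that end
# up as trust anchors for ns3.  A plain string is used because POSIX sh has no
# arrays; it is deliberately word-split when handed to keyfile_to_static_ds.
keys_to_trust=""

# $KEYGEN and $SIGNER are intentionally left unquoted: conf.sh may define them
# as a command followed by options, which must be word-split.  Every other
# expansion is quoted.
for zonename in sub.example example initially-unavailable; do
  zone=$zonename
  infile=$zonename.db.in
  zonefile=$zonename.db

  # One KSK (-f KSK sets the SEP bit) and one ZSK per zone; $KEYGEN prints the
  # basename of the generated key files.  Its diagnostics are discarded, but a
  # non-zero exit still aborts the script because of "set -e".
  keyname1=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -f KSK "$zone" 2>/dev/null)
  keyname2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" "$zone" 2>/dev/null)

  cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

  # -P: skip post-sign verification; -g: generate DS records for child zones
  # from the dsset- files written by earlier iterations (presumably why
  # sub.example is signed before example).
  $SIGNER -P -g -o "$zone" "$zonefile" >/dev/null
done

# Only add the key for "initially-unavailable" to the list of keys trusted by
# ns3. "example" is expected to be validated using a chain of trust starting in
# the "root" zone on ns1.
# NOTE: this relies on $keyname1 still holding the KSK of the last zone in the
# loop above; keep "initially-unavailable" last if the zone list changes.
keys_to_trust="$keys_to_trust $keyname1"

# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
# set and add that key to the list of keys to trust.
zone=verify-csk
infile=verify.db.in
zonefile=verify-csk.db

keyname=$($KEYGEN -a "${DEFAULT_ALGORITHM}" "$zone" 2>/dev/null)
cat "$infile" "$keyname.key" >"$zonefile"
$SIGNER -P -o "$zone" "$zonefile" >/dev/null
keys_to_trust="$keys_to_trust $keyname"

# Prepare remaining zones used in the test.
#
# Read the SOA serial from the unsigned template (assumes the serial is the
# fifth field of the line whose second field is "SOA" — TODO confirm against
# verify.db.in).  The "bad" serial is patched into an already signed zone so
# its SOA no longer matches the SOA RRSIG; the "good" serial is patched in
# before signing, giving a valid but newer version of the zone.
ORIGINAL_SERIAL=$(awk '$2 == "SOA" {print $5}' verify.db.in)
if [ -z "$ORIGINAL_SERIAL" ]; then
  # Without a serial the arithmetic below would silently yield 1 and 2 and the
  # sed patterns would become empty; fail loudly instead.
  echo "setup.sh: could not read the SOA serial from verify.db.in" >&2
  exit 1
fi
UPDATED_SERIAL_BAD=$((ORIGINAL_SERIAL + 1))
UPDATED_SERIAL_GOOD=$((ORIGINAL_SERIAL + 2))

for variant in addzone axfr ixfr load reconfig untrusted; do
  zone=verify-$variant
  infile=verify.db.in
  zonefile=verify-$variant.db

  keyname1=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -f KSK "$zone" 2>/dev/null)
  keyname2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" "$zone" 2>/dev/null)

  cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

  # Prepare a properly signed version of the zone ("*.original.signed").
  $SIGNER -P -o "$zone" "$zonefile" >/dev/null
  cp "$zonefile.signed" "$zonefile.original.signed"
  # Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed").
  # The substitution replaces the first occurrence of the serial on each line,
  # so it relies on that number not appearing elsewhere in the signed zone.
  sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" "$zonefile.signed" >"$zonefile.bad.signed"
  # Prepare another properly signed version of the zone ("*.good.signed").
  sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" "$zonefile" >"$zonefile.good"
  $SIGNER -P -o "$zone" "$zonefile.good" >/dev/null
  rm -f -- "$zonefile.good"

  # Except for the "verify-untrusted" zone, declare the KSK used for
  # signing the zone to be a trust anchor for ns3.
  if [ "$variant" != "untrusted" ]; then
    keys_to_trust="$keys_to_trust $keyname1"
  fi
done

# shellcheck disable=SC2086  # word-splitting of $keys_to_trust is intended
keyfile_to_static_ds $keys_to_trust >trusted-mirror.conf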