1#!/bin/sh -e
2#
3# Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
4#
5# Permission to use, copy, modify, and/or distribute this software for any
6# purpose with or without fee is hereby granted, provided that the above
7# copyright notice and this permission notice appear in all copies.
8#
9# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15# PERFORMANCE OF THIS SOFTWARE.
16
17# $Id: keygen.sh,v 1.8.18.5 2012/02/06 23:45:58 tbox Exp $
18
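SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

# Builds the key and zone fixtures for the autosign system test zones served
# from this directory.  For each zone: copy the ".db.in" template into place,
# generate a KSK/ZSK pair, and then either write a DS set for the parent zone
# to pick up or pre-sign the zone with dnssec-signzone.
#
# "-e" on the shebang line is lost when the script is invoked as
# "sh keygen.sh", so it is re-asserted here: a failed key generation or
# signing step must abort setup instead of leaving half-built fixtures
# (most tool output below is discarded, so the exit status is the only
# signal of failure).
set -e

# Tool variables ($KEYGEN, $DSFROMKEY, $SIGNER, $SETTIME) are defined by
# conf.sh; they are intentionally left unquoted so that a definition that
# carries options still word-splits into command and arguments.

# Seed file for dnssec-keygen's -r option -- presumably the harness's shared
# randomness source, so key generation never blocks on system entropy.
# Keys derived from it are test fixtures only.
RANDFILE=../random.data

#
# Secure test zone (NSEC3-capable keys).
#   -3   NSEC3-capable algorithm (dnssec-keygen defaults to NSEC3RSASHA1)
#   -q   quiet
#   -fk  set the KSK flag
# The DS set written for each child zone here is collected by its parent
# zone further down, so the child sections must stay ahead of the parents.
#
zone=secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -3 -q -r "$RANDFILE" -fk "$zone")
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
#  NSEC3/NSEC test zone
#
zone=secure.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
#  NSEC3/NSEC3 test zone
#
zone=nsec3.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
#  OPTOUT/NSEC3 test zone
#
zone=optout.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A nsec3 zone (non-optout).  Parent of the *.nsec3.example zones above:
# their DS sets are appended to the zone data, which is why this section
# must come after them.  The glob is deliberately left unquoted.
#
zone=nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cat -- "$infile" dsset-*."${zone}". > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
#  OPTOUT/NSEC test zone
#
zone=secure.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
#  OPTOUT/NSEC3 test zone
#
zone=nsec3.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
#  OPTOUT/OPTOUT test zone
#
zone=optout.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A optout nsec3 zone.  Parent of the *.optout.example zones above; their
# DS sets are appended to the zone data (unquoted glob, see nsec3.example).
#
zone=optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cat -- "$infile" dsset-*."${zone}". > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A RSASHA256 zone.  The 2048-bit KSK / 1024-bit ZSK split is a test-speed
# choice, not a sizing recommendation.
#
zone=rsasha256.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -a RSASHA256 -b 1024 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A RSASHA512 zone.
#
zone=rsasha512.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# NSEC-only zone (no -3, so the default non-NSEC3 algorithm is used).
#
zone=nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# Signature refresh test zone.  Signatures are set to expire long
# in the past; they should be updated by autosign.
#   -S  smart signing with the keys generated above
#   -P  skip post-signing verification (the expired window would fail it)
#   -s/-e  inception one year ago, expiry six months ago
# The zone is written straight from the template, so no cp is needed.
# Signer output is discarded; under "set -e" a failure still aborts.
#
zone=oldsigs.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -r "$RANDFILE" "$zone" > /dev/null
$SIGNER -PS -s now-1y -e now-6mo -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# NSEC3->NSEC transition test zone.  Pre-signed with NSEC3 (salt "beef")
# and opt-out (-A); the test presumably switches it to NSEC afterwards.
#
zone=nsec3-to-nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > /dev/null
$SIGNER -S -3 beef -A -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate.  dnssec-signzone writes the zone file directly from
# the template, so there is no cp step here.
#
zone=secure-to-insecure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -r "$RANDFILE" "$zone" > /dev/null
$SIGNER -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.  Both key names are recorded one level up
# (../del1.key, ../del2.key) for the test driver to act on.
#
zone=secure-to-insecure2.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
printf '%s\n' "$ksk" > ../del1.key
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
printf '%s\n' "$zsk" > ../del2.key
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# Introducing a pre-published key test.
#
zone=prepub.example
zonefile="${zone}.db"
# NOTE(review): infile is not reset in this section, so the previous
# section's template is signed under this origin.  If a "${zonefile}.in"
# fixture exists, set infile="${zonefile}.in" like the other sections --
# TODO confirm before changing.
$KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" > /dev/null
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > /dev/null
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# A zone with a DNSKEY RRset that is published before it's activated.
#   -G  generate only: no publication/activation dates are set now, the
#       test supplies them later via the recorded key names.
#
zone=delay.example
zonefile="${zone}.db"
ksk=$($KEYGEN -G -q -3 -r "$RANDFILE" -fk "$zone")
printf '%s\n' "$ksk" > ../delayksk.key
zsk=$($KEYGEN -G -q -3 -r "$RANDFILE" "$zone")
printf '%s\n' "$zsk" > ../delayzsk.key

#
# A zone with signatures that are already expired, and the private ZSK
# is missing.  The ZSK name is recorded first, then its .private file is
# deleted so only the public half remains.
#
zone=nozsk.example
zonefile="${zone}.db"
infile="${zonefile}.in"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > /dev/null
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
printf '%s\n' "$zsk" > ../missingzsk.key
# ${zsk:?} aborts rather than expanding to a bare ".private" if the key
# name is somehow empty.
rm -f -- "${zsk:?}.private"

#
# A zone with signatures that are already expired, and the private ZSK
# is inactive (-I now marks the ZSK inactive immediately).
#
zone=inaczsk.example
zonefile="${zone}.db"
infile="${zonefile}.in"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > /dev/null
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
printf '%s\n' "$zsk" > ../inactivezsk.key
$SETTIME -I now "$zsk" > /dev/null

#
# A zone that is set to 'auto-dnssec maintain' during a reconfig.
# Reuses the secure.example template; keys are generated but the zone is
# left unsigned.
#
zone=reconf.example
zonefile="${zone}.db"
cp -- secure.example.db.in "$zonefile"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > /dev/null
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null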
251