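#!/bin/sh
#
# Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id: keygen.sh,v 1.8.18.5 2012/02/06 23:45:58 tbox Exp $

#
# Generate the DNSSEC key material for every test zone served by this
# nameserver.  Each section below sets up one zone: it creates a KSK and
# a ZSK with dnssec-keygen, and depending on the zone either writes the
# KSK's DS record to "dsset-<zone>." or pre-signs the zone file with
# dnssec-signzone.  Some sections also record generated key names in
# ../*.key files for later steps of the test to act on.
#
# Required from conf.sh: KEYGEN, DSFROMKEY, SIGNER, SETTIME.
#

# The "-e" on the shebang line is lost when the script is run as
# "sh keygen.sh", so set it explicitly: a failed key generation or signing
# step must abort setup instead of leaving a half-built zone behind.
set -e

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

# Entropy source used by the test harness for key generation.
RANDFILE=../random.data

# $KEYGEN, $DSFROMKEY, $SIGNER and $SETTIME are deliberately left unquoted
# throughout: conf.sh may define them as a command followed by options,
# and word-splitting is required for that to work.

#
# NSEC3 test zone (parent of the *.nsec3.example / *.optout.example
# children is set up further down, once their DS sets exist).
#
zone=secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -3 -q -r "$RANDFILE" -fk "$zone")
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# NSEC3/NSEC test zone
#
zone=secure.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# NSEC3/NSEC3 test zone
#
zone=nsec3.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# OPTOUT/NSEC3 test zone
#
zone=optout.nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A nsec3 zone (non-optout).
#
zone=nsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
# The parent zone file is built from its template plus the DS sets of the
# child zones generated above, so the delegations are secure.
cat "$infile" dsset-*."${zone}". > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# OPTOUT/NSEC test zone
#
zone=secure.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# OPTOUT/NSEC3 test zone
#
zone=nsec3.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# OPTOUT/OPTOUT test zone
#
zone=optout.optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A optout nsec3 zone.
#
zone=optout.example
zonefile="${zone}.db"
infile="${zonefile}.in"
# As for nsec3.example: template plus the child DS sets generated above.
cat "$infile" dsset-*."${zone}". > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A RSASHA256 zone.
#
zone=rsasha256.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -r "$RANDFILE" -fk "$zone")
# NOTE(review): the 1024-bit ZSK is a test fixture chosen for speed; it is
# not a size to copy into production configurations.
$KEYGEN -q -a RSASHA256 -b 1024 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A RSASHA512 zone.
#
zone=rsasha512.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# NSEC-only zone.
#
zone=nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -r "$RANDFILE" "$zone" > /dev/null
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# Signature refresh test zone. Signatures are set to expire long
# in the past; they should be updated by autosign.
#
zone=oldsigs.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -r "$RANDFILE" "$zone" > /dev/null
# Signer chatter is discarded; a non-zero exit still aborts under set -e.
$SIGNER -PS -s now-1y -e now-6mo -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# NSEC3->NSEC transition test zone.
#
zone=nsec3-to-nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp -- "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > /dev/null
$SIGNER -S -3 beef -A -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate
#
zone=secure-to-insecure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
$KEYGEN -q -r "$RANDFILE" "$zone" > /dev/null
$SIGNER -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.
#
zone=secure-to-insecure2.example
zonefile="${zone}.db"
infile="${zonefile}.in"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
# Record the key names so a later test step can schedule their deletion.
printf '%s\n' "$ksk" > ../del1.key
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
printf '%s\n' "$zsk" > ../del2.key
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# Introducing a pre-published key test.
#
zone=prepub.example
zonefile="${zone}.db"
# NOTE(review): infile is not reset in this section, so the file signed
# below is the previous section's "${infile}"; confirm whether a
# prepub.example.db.in template was intended instead.
$KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" > /dev/null
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > /dev/null
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1

#
# A zone with a DNSKEY RRset that is published before it's activated
#
zone=delay.example
zonefile="${zone}.db"
# -G: generate the keys without a publish/activate date; the test sets
# the timing metadata itself using the names recorded here.
ksk=$($KEYGEN -G -q -3 -r "$RANDFILE" -fk "$zone")
printf '%s\n' "$ksk" > ../delayksk.key
zsk=$($KEYGEN -G -q -3 -r "$RANDFILE" "$zone")
printf '%s\n' "$zsk" > ../delayzsk.key

#
# A zone with signatures that are already expired, and the private ZSK
# is missing.
#
zone=nozsk.example
zonefile="${zone}.db"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > /dev/null
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > /dev/null 2>&1
printf '%s\n' "$zsk" > ../missingzsk.key
# Remove only the private half so the server cannot re-sign with this ZSK.
rm -f -- "${zsk}.private"

#
# A zone with signatures that are already expired, and the private ZSK
# is inactive.
#
zone=inaczsk.example
zonefile="${zone}.db"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > /dev/null
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > /dev/null 2>&1
printf '%s\n' "$zsk" > ../inactivezsk.key
# Mark the ZSK inactive as of now; the server must not sign with it.
$SETTIME -I now "$zsk" > /dev/null

#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
#
zone=reconf.example
zonefile="${zone}.db"
# This zone reuses the secure.example template as its starting content.
cp -- secure.example.db.in "$zonefile"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > /dev/null
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
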