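#!/usr/bin/env bash
#
# Generates the deliberately broken signed zones used by the DNSSEC
# validation tests, together with the trust-anchor file the validator loads
# for them.
#
# Requires: ldns-keygen, ldns-signzone, GNU date ("gdate" on macOS), and an
# existing ./bogus/ directory containing the unsigned zone files
#   bogus/dnssec-failures.test   bogus/dnskey-failures.test
#   bogus/nsec-failures.test     bogus/rrsig-failures.test
# Writes: bogus/trust-anchors and bogus/<zone>.signed for each zone above.
#
# Every zone is signed with a throwaway CSK whose DS record is appended to
# bogus/trust-anchors, so the validator trusts each test zone directly.
# The private keys are deleted afterwards: the outputs can only be
# regenerated, never re-signed.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fixed "current date" so the generated signatures are reproducible.
# Unbound's test configuration must pin its validation clock to the same
# value, otherwise even the intentionally valid signatures are bogus there.
readonly NOW=20010101

# The "-d '<date> +/- N unit'" arithmetic below needs GNU date; on macOS it
# is installed as gdate.
DATE=date
if command -v gdate > /dev/null 2>&1; then
  DATE=gdate
fi
readonly DATE

# Fail early and loudly rather than producing half-written fixtures.
for tool in ldns-keygen ldns-signzone "$DATE"; do
  command -v "$tool" > /dev/null 2>&1 || die "required tool not found: $tool"
done
[[ -d bogus ]] || die "missing ./bogus directory; run from the test directory"

ONE_MONTH_AGO=$("$DATE" -d "$NOW - 1 month" +%Y%m%d)
ONE_MONTH_AHEAD=$("$DATE" -d "$NOW + 1 month" +%Y%m%d)
# "yesterday"/"tomorrow" in spirit: two days either side of NOW keeps the
# intentionally valid signatures unambiguously inside their window.
TWO_DAYS_AGO=$("$DATE" -d "$NOW - 2 days" +%Y%m%d)
TWO_DAYS_AHEAD=$("$DATE" -d "$NOW + 2 days" +%Y%m%d)
readonly ONE_MONTH_AGO ONE_MONTH_AHEAD TWO_DAYS_AGO TWO_DAYS_AHEAD

# Scratch directory for intermediate signed output; removed on any exit.
WORK=$(mktemp -d) || die "mktemp failed"
readonly WORK
# Basename of the key set currently in use (ldns-keygen writes
# $CSK.key/.private/.ds into the current directory).
CSK=

#######################################
# Remove scratch files and whatever key material is still on disk.
# Runs from the EXIT trap so private keys never survive an aborted run.
#######################################
cleanup() {
  rm -rf -- "${WORK:?}"
  if [[ -n "$CSK" ]]; then
    rm -f -- "$CSK".*
  fi
}
trap cleanup EXIT

#######################################
# Generate a fresh ECDSAP256SHA256 CSK for a zone and trust it.
# Arguments: $1 - zone name
# Outputs:   key-file basename on stdout (for command substitution)
# Side effects: appends the key's DS record to bogus/trust-anchors
#######################################
new_csk() {
  local zone=$1 key
  key=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom "$zone")
  cat -- "$key.ds" >> bogus/trust-anchors
  printf '%s\n' "$key"
}

#######################################
# Sign a zone with the current CSK and write the result to stdout.
# Arguments: $1 - zone name (file is bogus/$1), $2 - inception, $3 - expiry
#######################################
sign_to_stdout() {
  ldns-signzone -i "$2" -e "$3" -f - "bogus/$1" "$CSK"
}

#######################################
# Sign a zone correctly, then strip every line mentioning one RR type.
# Because RRSIG lines name the type they cover, " DNSKEY " also removes the
# RRSIG(DNSKEY), " NSEC " the RRSIG(NSEC), and " RRSIG " all signatures.
# Arguments: $1 - zone name, $2 - RR type to strip
# Outputs:   bogus/$1.signed; key basename echoed on stdout for the log
#######################################
make_stripped_zone() {
  local zone=$1 rrtype=$2
  CSK=$(new_csk "$zone")
  printf '%s\n' "$CSK"
  ldns-signzone -i "$TWO_DAYS_AGO" -e "$ONE_MONTH_AHEAD" \
    -f "$WORK/tmp.signed" "bogus/$zone" "$CSK"
  grep -v " $rrtype " "$WORK/tmp.signed" > "bogus/$zone.signed"
  rm -f -- "$CSK".*
  CSK=
}

# Start the trust-anchor file from scratch with the root DS (key tag 20326)
# so names outside the test zones still validate; each test zone's own DS
# is appended as its key is generated.
printf '%s\n' \
  ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" \
  > bogus/trust-anchors

# --- dnssec-failures.test: several per-name signature failures in one zone.
#   missingrrsigs.*   RRSIG over its TXT dropped
#   "Signatures invalid" TXT data altered after signing, so its RRSIG no
#                     longer verifies
#   notyetincepted.*  TXT + RRSIG replaced by a set whose inception is
#                     two days in the future
#   expired.*         TXT + RRSIG replaced by a set that expired two days ago
CSK=$(new_csk dnssec-failures.test)
printf '%s\n' "$CSK"

# Base copy: correctly signed, minus the records that are replaced below.
sign_to_stdout dnssec-failures.test "$TWO_DAYS_AGO" "$ONE_MONTH_AHEAD" \
  | grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' \
  | sed 's/Signatures invalid/Signatures INVALID/g' \
  | grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' \
  | grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' \
  | grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' \
  | grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' \
  > "$WORK/base"
# Replacement sets come from a second and third signing pass with shifted
# validity windows; NSEC lines are excluded so only the TXT and its RRSIG
# are taken from those passes.
sign_to_stdout dnssec-failures.test "$ONE_MONTH_AGO" "$TWO_DAYS_AGO" \
  | grep -v '[ ]NSEC[ ]' \
  | grep '^expired\.dnssec-failures\.test\..*IN.*TXT' \
  > "$WORK/expired"
sign_to_stdout dnssec-failures.test "$TWO_DAYS_AHEAD" "$ONE_MONTH_AHEAD" \
  | grep -v '[ ]NSEC[ ]' \
  | grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' \
  > "$WORK/notyetincepted"

cat "$WORK/base" "$WORK/expired" "$WORK/notyetincepted" \
  > bogus/dnssec-failures.test.signed

rm -f -- "$CSK".*
CSK=

# --- dnskey-failures.test: DNSKEY RRset (and its RRSIG) missing.
make_stripped_zone dnskey-failures.test DNSKEY

# --- nsec-failures.test: NSEC chain (and its RRSIGs) missing.
make_stripped_zone nsec-failures.test NSEC

# --- rrsig-failures.test: every RRSIG missing.
make_stripped_zone rrsig-failures.test RRSIG

# Scratch files and any remaining key material are removed by the EXIT trap.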