sign.sh revision 1.1.1.10
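#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns2/sign.sh: generate keys and signed zone files for the zones served by
# ns2 in this system test.  The ns3 child zones are signed first so that
# their dsset-* files exist and can be pulled into the parent zones here.
#
# Relies on the environment set up by ../../conf.sh: the tool paths KEYGEN,
# SIGNER, CHECKZONE, DSFROMKEY, SETTIME and SHELL, the algorithm settings
# DEFAULT_ALGORITHM/DEFAULT_BITS and ALTERNATIVE_ALGORITHM/ALTERNATIVE_BITS,
# and (presumably also from conf.sh) the echo_i and keyfile_to_key_id
# helpers.  Several zones below are deliberately broken; see the comments
# at each one before "fixing" them.

# shellcheck source=conf.sh
. ../../conf.sh

# Repeated here because the "-e" in the shebang is lost when the script is
# run as "sh sign.sh".
set -e

# Sign child zones (served by ns3).
(cd ../ns3 && $SHELL sign.sh)

echo_i "ns2/sign.sh"

# Get the DS records for the "trusted." and "managed." zones.
for subdomain in secure unsupported disabled enabled; do
  cp "../ns3/dsset-$subdomain.managed." .
  cp "../ns3/dsset-$subdomain.trusted." .
done

# Sign the "trusted." and "managed." zones.
# Both use the alternative algorithm with one KSK (-f KSK) and one ZSK.
zone=managed.
infile=key.db.in
zonefile=managed.db

keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

# -g pulls the child DS records in from the dsset-* files copied above.
# Signer output is discarded throughout this script: under "set -e" a
# failing signer still aborts the run, but without its diagnostics, so
# rerun the failing command by hand when debugging.
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1

zone=trusted.
infile=key.db.in
zonefile=trusted.db

keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1

# The "example." zone.
zone=example.
infile=example.db.in
zonefile=example.db

# Get the DS records for the "example." zone.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
  nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
  kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
  ttlpatch split-dnssec split-smart expired expiring upper lower \
  dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
  dnskey-nsec3-unknown managed-future revkey \
  dname-at-apex-nsec3 occluded; do
  cp "../ns3/dsset-$subdomain.example." .
done

# Sign the "example." zone.
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1

#
# lower/uppercase the signature bits with the exception of the last characters
# changing the last 4 characters will lead to a bad base64 encoding.
#
# Only the RRSIG(CNAME) of bad-cname.example. and the RRSIG(DNAME) of
# bad-dname.example. are rewritten; every other record is passed through.
# Fields 1-12 (owner, TTL, class, type and the RRSIG preamble) are kept,
# and each remaining base64 chunk has all but its last 4 characters
# case-flipped.  The zone is dumped canonically with "checkzone -D" first
# so the field positions are predictable.  Judging by the owner names,
# the intent is presumably RRSIGs that no longer verify — confirm against
# the test expectations before changing the awk program.
#
# The rewrite goes through a mktemp file and is only moved into place if
# the whole pipeline succeeds, so a failure leaves the signed zone intact.

zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
  | awk '
tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
	for (i = 1; i <= NF; i++ ) {
		if (i <= 12) {
			printf("%s ", $i);
			continue;
		}
		prefix = substr($i, 1, length($i) - 4);
		suffix = substr($i, length($i) - 4, 4);
		if (i > 12 && tolower(prefix) != prefix)
			printf("%s%s", tolower(prefix), suffix);
		else if (i > 12 && toupper(prefix) != prefix)
			printf("%s%s", toupper(prefix), suffix);
		else
			printf("%s%s ", prefix, suffix);
	}
	printf("\n");
	next;
}

tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
	for (i = 1; i <= NF; i++ ) {
		if (i <= 12) {
			printf("%s ", $i);
			continue;
		}
		prefix = substr($i, 1, length($i) - 4);
		suffix = substr($i, length($i) - 4, 4);
		if (i > 12 && tolower(prefix) != prefix)
			printf("%s%s", tolower(prefix), suffix);
		else if (i > 12 && toupper(prefix) != prefix)
			printf("%s%s", toupper(prefix), suffix);
		else
			printf("%s%s ", prefix, suffix);
	}
	printf("\n");
	next;
}

{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"

#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
#
zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db

keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1

# Sign the badparam secure file

zone=badparam.
infile=badparam.db.in
zonefile=badparam.db

keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

# NSEC3 with an empty salt ("-3 -") and 1 iteration ("-H 1").
"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1

# Deliberately corrupt a copy of the signed zone: rewrite the NSEC3 records'
# iteration count from 1 to 10 so it no longer matches the NSEC3PARAM /
# the RRSIGs.  The .bad file is the test fixture; the .signed file stays
# valid.
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad"

# Sign the single-nsec3 secure zone with optout

zone=single-nsec3.
infile=single-nsec3.db.in
zonefile=single-nsec3.db

keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

# -A sets the NSEC3 opt-out flag.
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1

#
# algroll has just has the old DNSKEY records removed and is waiting
# for them to be flushed from caches. We still need to generate
# RRSIGs for the old DNSKEY.
#
# Only the new key pair is published in the zone file; the old pair is
# handed to the signer purely so that it still produces signatures with
# them (both KSKs are passed via -k).
#
zone=algroll.
infile=algroll.db.in
zonefile=algroll.db

keyold1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile"

"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1

#
# Make a zone big enough that it takes several seconds to generate a new
# nsec3 chain.
#
# The apex is written from a here-document (the "\$TTL" keeps the shell
# from expanding it), then 300 synthetic delegations are appended.
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat >"$zonefile" <<EOF
\$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ 10 NS ns3
ns2 10 A 10.53.0.2
ns3 10 A 10.53.0.3
EOF
i=1
while [ "$i" -le 300 ]; do
  echo "host$i 10 IN NS ns.elsewhere"
  i=$((i + 1))
done >>"$zonefile"
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$key1.key" "$key2.key" >>"$zonefile"
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1

# CDS test zones.  The KSK's CDS record is generated with "dsfromkey -C"
# and published in the zone alongside the DNSKEYs.
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1

# Two KSKs, with the CDS taken from the second one; -x signs the DNSKEY
# RRset with the KSKs only.
zone=cds-x.secure
infile=cds.secure.db.in
zonefile=cds-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key2.key" >"$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1

zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1

zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Record the KSK's key id so the tests can check which key is in use.
keyfile_to_key_id "$key1" >cds-kskonly.secure.id

# Not signed here: the unsigned zone is installed as the .signed file and
# the KSK's CDS publication ("sync") time is set to now, presumably so the
# server signs and publishes CDS itself.  key2 is only generated for the
# key files it leaves on disk.
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$SETTIME" -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"

# CDNSKEY test zones: the CDNSKEY record is the KSK's DNSKEY line with the
# type name rewritten.
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1

# Two KSKs; unlike cds-x.secure the CDNSKEY comes from the first one.
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1

zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1

zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id

# Same shape as cds-auto.secure: unsigned zone installed as .signed, KSK
# sync time set to now, key2 generated only for its files on disk.
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$SETTIME" -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"

zone=updatecheck-kskonly.secure
infile=template.secure.db.in
zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
# Save key id's for checking active key usage
keyfile_to_key_id "$key1" >"$zone.ksk.id"
keyfile_to_key_id "$key2" >"$zone.zsk.id"
echo "${key1}" >"$zone.ksk.key"
echo "${key2}" >"$zone.zsk.key"
# Add CDS and CDNSKEY records
sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey"
"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile"
# Don't sign, let auto-dnssec maintain do it.
mv "$zonefile" "$zonefile.signed"

# Unsigned, KSK sync time set to now; key2 generated only for its files.
zone=hours-vs-days
infile=hours-vs-days.db.in
zonefile=hours-vs-days.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$SETTIME" -P sync now "$key1" >/dev/null
cat "$infile" >"$zonefile.signed"

#
# Negative result from this zone should come back as insecure.
#
# -P disables the signer's post-signing verification, which is what lets
# the zone be produced with the NSEC3 iteration value "too-many"; how that
# value is interpreted is up to the signer — confirm against the test's
# expectations before changing it.
#
zone=too-many-iterations
infile=too-many-iterations.db.in
zonefile=too-many-iterations.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1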