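#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Build the signed test zones served by this name server (ns2).
#
# Each section below generates fresh keys with $KEYGEN, assembles an
# unsigned zone from a *.db.in template plus the public key records, and
# signs it with $SIGNER.  Several sections deliberately produce broken or
# legacy material (a corrupted RRSIG, mismatched NSEC3 parameters, RSAMD5
# keys, CDS/CDNSKEY records for a key that is not in the zone) because the
# test exercises validator and key-management failure paths, not just the
# happy path.
#
# Inputs:  conf.sh (tool paths and defaults), ../ns3 (child zone keys and
#          dsset-* files), *.db.in templates in this directory.
# Outputs: *.signed zone files, K*.key / K*.private key files, dsset-* and
#          dlvset-* files, plus the intentionally bad badparam.db.bad.
#
# Tool variables ($KEYGEN, $SIGNER, $CHECKZONE, $DSFROMKEY, $SHELL) are
# expanded unquoted on purpose: conf.sh may define them as a command
# followed by options, so quoting would pass the options as one word.

# "-e" used to live on the shebang line, but shebang options are ignored
# when the script is started as "$SHELL sign.sh" (the way the ns3 copy is
# invoked below), so a failing keygen or sign step would silently leave a
# half-built fixture behind.  Request abort-on-error explicitly instead.
set -e

SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh

zone=example.
infile=example.db.in
zonefile=example.db

# Have the child generate a zone key and pass it to us.
( cd ../ns3 && $SHELL sign.sh )

# Pull the child's DS sets into this directory so the delegations in
# example. are signed against the keys ns3 just generated.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
    nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
    kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
    ttlpatch split-dnssec split-smart expired expiring upper lower \
    dnskey-unknown dnskey-nsec3-unknown managed-future revkey
do
  cp "../ns3/dsset-$subdomain.example$TP" .
done

keyname1=$($KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$($KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

$SIGNER -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

#
# lower/uppercase the signature bits with the exception of the last characters
# changing the last 4 characters will lead to a bad base64 encoding.
#
# The result is an RRSIG whose base64 is still the right length but no
# longer matches the data, which is what the bad-cname / bad-dname
# fixtures need.
#
# NOTE(review): awk substr() is 1-based, so prefix covers chars 1..len-4
# while suffix covers chars len-4..len-1 -- one character is duplicated
# and the final character is dropped, rather than "the last 4 characters"
# being preserved as the comment above says (len-3 would do that).  The
# first two printf branches also emit no trailing space, which only
# matters if the signature is split over several fields.  Left untouched
# because a corrupted signature is the point of this fixture; confirm the
# test's bad-cname/bad-dname expectations before changing it.
#
$CHECKZONE -D -q -i local "$zone" "$zonefile.signed" |
awk '
tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
	for (i = 1; i <= NF; i++ ) {
		if (i <= 12) {
			printf("%s ", $i);
			continue;
		}
		prefix = substr($i, 1, length($i) - 4);
		suffix = substr($i, length($i) - 4, 4);
		if (i > 12 && tolower(prefix) != prefix)
			printf("%s%s", tolower(prefix), suffix);
		else if (i > 12 && toupper(prefix) != prefix)
			printf("%s%s", toupper(prefix), suffix);
		else
			printf("%s%s ", prefix, suffix);
	}
	printf("\n");
	next;
}

tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
	for (i = 1; i <= NF; i++ ) {
		if (i <= 12) {
			printf("%s ", $i);
			continue;
		}
		prefix = substr($i, 1, length($i) - 4);
		suffix = substr($i, length($i) - 4, 4);
		if (i > 12 && tolower(prefix) != prefix)
			printf("%s%s", tolower(prefix), suffix);
		else if (i > 12 && toupper(prefix) != prefix)
			printf("%s%s", toupper(prefix), suffix);
		else
			printf("%s%s ", prefix, suffix);
	}
	printf("\n");
	next;
}

{ print; }' > "$zonefile.signed++" && mv "$zonefile.signed++" "$zonefile.signed"

#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
#
zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db

keyname1=$($KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$($KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
$SIGNER -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

# Sign the privately secure file

privzone=private.secure.example.
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db

# RSAMD5 is a deprecated, long-broken algorithm; it is used here only as a
# legacy fixture for the DLV code path, not as an example to follow.
privkeyname=$($KEYGEN -q -a RSAMD5 -b 1024 -n zone "$privzone")

cat "$privinfile" "$privkeyname.key" >"$privzonefile"

# "-l dlv" additionally writes the dlvset-* file consumed by the dlv. zone
# below.
$SIGNER -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null

# Sign the DLV secure zone.

dlvzone=dlv.
dlvinfile=dlv.db.in
dlvzonefile=dlv.db
# The dlvset file name carries the zone without its trailing dot.
dlvsetfile=dlvset-${privzone%.}$TP

dlvkeyname=$($KEYGEN -q -a RSAMD5 -b 1024 -n zone "$dlvzone")

cat "$dlvinfile" "$dlvkeyname.key" "$dlvsetfile" > "$dlvzonefile"

$SIGNER -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null

# Sign the badparam secure file

zone=badparam.
infile=badparam.db.in
zonefile=badparam.db

keyname1=$($KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$($KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

$SIGNER -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

# Produce a copy whose NSEC3 records claim 10 iterations while the
# NSEC3PARAM (untouched by this pattern) still says 1, i.e. inconsistent
# NSEC3 parameters.
sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"

# Sign the single-nsec3 secure zone with optout

zone=single-nsec3.
infile=single-nsec3.db.in
zonefile=single-nsec3.db

keyname1=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK "$zone")
keyname2=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

$SIGNER -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

#
# algroll has just has the old DNSKEY records removed and is waiting
# for them to be flushed from caches. We still need to generate
# RRSIGs for the old DNSKEY.
#
zone=algroll.
infile=algroll.db.in
zonefile=algroll.db

keyold1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
keyold2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
keynew1=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone -fk "$zone")
keynew2=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone "$zone")

# Only the new DNSKEYs are published ...
cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile"

# ... but the zone is still signed with both the old and the new keys.
$SIGNER -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null

#
# Make a zone big enough that it takes several seconds to generate a new
# nsec3 chain.
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat > "$zonefile" << 'EOF'
$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ 10 NS ns3
ns2 10 A 10.53.0.2
ns3 10 A 10.53.0.3
EOF
# 300 delegations pad the zone out; reading /dev/null makes awk run only
# its END block.
awk 'END { for (i = 0; i < 300; i++)
	print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> "$zonefile"
key1=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
$SIGNER -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null

# CDS fixtures.  "-C" makes $DSFROMKEY emit a CDS record for the key.

zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
$DSFROMKEY -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null

# cds-x: the CDS is derived from key2, a KSK that is NOT published in the
# zone (only key1 and key3 are), so the CDS does not match any DNSKEY.
zone=cds-x.secure
infile=cds.secure.db.in
zonefile=cds-x.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key3=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
$DSFROMKEY -C "$key2.key" > "$key2.cds"
cat "$infile" "$key1.key" "$key3.key" "$key2.cds" >"$zonefile"
$SIGNER -P -g -x -o "$zone" "$zonefile" > /dev/null

zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null

zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null

# cds-auto: written straight to the .signed name without running $SIGNER
# and without the DNSKEY records; presumably the server signs it itself
# from the key files generated here -- confirm against named's config.
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
$DSFROMKEY -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.cds" > "$zonefile.signed"

# CDNSKEY fixtures.  The CDNSKEY record is made by rewriting the type
# name in the generated DNSKEY record.

zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null

# cdnskey-x: the CDNSKEY is derived from key1, which is NOT published in
# the zone (only key2 and key3 are).
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey-x.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key3=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
$SIGNER -P -g -x -o "$zone" "$zonefile" > /dev/null

zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null

zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null

# cdnskey-auto: same unsigned-.signed arrangement as cds-auto above.
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -a RSASHA1 -b 1024 -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.cds" > "$zonefile.signed"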