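#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns2/sign.sh: generate keys and sign the zones served by ns2.
#
# Everything below relies on names that are not defined here and are
# presumably provided by conf.sh / the test harness: KEYGEN, SIGNER,
# CHECKZONE, DSFROMKEY, SHELL, DEFAULT_ALGORITHM/DEFAULT_BITS,
# ALTERNATIVE_ALGORITHM/ALTERNATIVE_BITS, TP (suffix appended to dsset-*
# file names) and the helpers echo_i and keyfile_to_key_id.  None of them
# is validated here; an unset tool variable surfaces as a command failure
# under set -e.
#
# Most of the zones are deliberately broken in some way (that is what the
# test exercises), so dnssec-signzone is run with -P (no post-sign
# verification) and all of its output is discarded.  A signing failure is
# therefore only visible as the non-zero exit that set -e turns into an
# abort of this script.

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

# The -e in the shebang is lost when the file is run as "sh sign.sh"
# (which is how ../ns3/sign.sh is invoked just below), so set it
# explicitly as well.
set -e

# Sign child zones (served by ns3) first: their dsset-* files are copied
# in below and consumed by dnssec-signzone -g when the parents are signed.
( cd ../ns3 && "$SHELL" sign.sh )

echo_i "ns2/sign.sh"

# Get the DS records for the "trusted." and "managed." zones.
# cp failing (missing dsset file) aborts the script under set -e.
for subdomain in secure unsupported disabled enabled
do
	cp "../ns3/dsset-$subdomain.managed$TP" .
	cp "../ns3/dsset-$subdomain.trusted$TP" .
done

# Sign the "trusted." and "managed." zones.  Both are built from the same
# template (key.db.in) with a KSK/ZSK pair using the alternative algorithm.
for name in managed trusted
do
	zone="$name."
	infile=key.db.in
	zonefile="$name.db"

	keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
	keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")

	cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

	# -g pulls the child DS records from the dsset-* files copied above.
	"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
done

# The "example." zone.
zone=example.
infile=example.db.in
zonefile=example.db

# Get the DS records for the "example." zone.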
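for subdomain in secure badds bogus dynamic keyless nsec3 optout \
	nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
	kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
	ttlpatch split-dnssec split-smart expired expiring upper lower \
	dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
	dnskey-nsec3-unknown managed-future revkey \
	dname-at-apex-nsec3 occluded
do
	cp "../ns3/dsset-$subdomain.example$TP" .
done

# Sign the "example." zone.
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# -P: no post-sign verification (the signatures are corrupted on purpose
# below); -g: build DS records from the dsset-* files copied in above.
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

#
# Deliberately corrupt the RRSIGs of bad-cname.example. and
# bad-dname.example. by flipping the case of the signature bits, with the
# exception of the last characters: base64 is case-sensitive, so the
# signature no longer verifies while the record still parses.  Changing
# the last 4 characters would lead to a bad base64 encoding instead.
#
# NOTE(review): substr($i, length($i) - 4, 4) starts one character earlier
# than the prefix ends and never emits the field's final character, so the
# prefix/suffix split overlaps by one and drops one character per field.
# The resulting RRSIG is still invalid, which is all the test needs; leave
# it unless the expected failure mode for these names changes.
#
# The dump is written to its own temp file first.  In the original
# pipeline a failing named-checkzone was masked (set -e does not apply to
# non-final pipeline stages, and "&& mv" suppressed it for awk too), which
# would silently replace the signed zone with an empty or truncated file.
#

zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
zonedumptmp=$(mktemp "$zonefile.XXXXXX") || exit 1
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" > "$zonedumptmp"
tr -d '\r' < "$zonedumptmp" |
awk '
tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
	for (i = 1; i <= NF; i++ ) {
		if (i <= 12) {
			printf("%s ", $i);
			continue;
		}
		prefix = substr($i, 1, length($i) - 4);
		suffix = substr($i, length($i) - 4, 4);
		if (i > 12 && tolower(prefix) != prefix)
			printf("%s%s", tolower(prefix), suffix);
		else if (i > 12 && toupper(prefix) != prefix)
			printf("%s%s", toupper(prefix), suffix);
		else
			printf("%s%s ", prefix, suffix);
	}
	printf("\n");
	next;
}

tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
	for (i = 1; i <= NF; i++ ) {
		if (i <= 12) {
			printf("%s ", $i);
			continue;
		}
		prefix = substr($i, 1, length($i) - 4);
		suffix = substr($i, length($i) - 4, 4);
		if (i > 12 && tolower(prefix) != prefix)
			printf("%s%s", tolower(prefix), suffix);
		else if (i > 12 && toupper(prefix) != prefix)
			printf("%s%s", toupper(prefix), suffix);
		else
			printf("%s%s ", prefix, suffix);
	}
	printf("\n");
	next;
}

{ print; }' > "$zonefiletmp"
# Only replace the signed zone once awk has completed successfully.
mv "$zonefiletmp" "$zonefile.signed"
rm -f "$zonedumptmp"

#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
#
zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db

keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

# Sign the privately secure file.
# Single key (no separate KSK); -l dlv makes dnssec-signzone also emit a
# dlvset-* file for the zone, which the "dlv." zone below includes.
# DLV (lookaside validation) was retired by RFC 8749 and survives here
# only as test input.

privzone=private.secure.example
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db

privkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$privzone")

cat "$privinfile" "$privkeyname.key" > "$privzonefile"

"$SIGNER" -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null 2>&1

# Sign the DLV secure zone.

dlvzone=dlv.
dlvinfile=dlv.db.in
dlvzonefile=dlv.db
dlvsetfile="dlvset-${privzone}${TP}"

dlvkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$dlvzone")

# The dlvset file produced by the private.secure.example signing above is
# appended as zone data; cat aborts the script if it was not produced.
cat "$dlvinfile" "$dlvkeyname.key" "$dlvsetfile" > "$dlvzonefile"

"$SIGNER" -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null 2>&1

# Sign the badparam secure file

zone=badparam.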
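infile=badparam.db.in
zonefile=badparam.db

keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# NSEC3 with no salt (-3 -) and one extra iteration (-H 1).
"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

# badparam.db.bad: the signed zone with the NSEC3 iteration field (third
# RDATA field) rewritten from 1 to 10 and no re-signing, so the NSEC3
# records no longer agree with their RRSIGs/NSEC3PARAM -- presumably the
# "bad parameter" case the zone name refers to.
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"

# Sign the single-nsec3 secure zone with optout (-A).

zone=single-nsec3.
infile=single-nsec3.db.in
zonefile=single-nsec3.db

keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

#
# algroll has just has the old DNSKEY records removed and is waiting
# for them to be flushed from caches. We still need to generate
# RRSIGs for the old DNSKEY.
#
# Only the new (default-algorithm) DNSKEYs go into the zone file, but all
# four keys are handed to dnssec-signzone so RRSIGs made with the old
# (alternative-algorithm) keys are still produced.
#
zone=algroll.
infile=algroll.db.in
zonefile=algroll.db

keyold1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"

"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1

#
# Make a zone big enough that it takes several seconds to generate a new
# nsec3 chain.
#
# The zone is synthesised here rather than read from a template: an apex
# SOA/NS set plus 300 delegations, then the DNSKEYs appended.
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat > "$zonefile" << EOF
\$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ 10 NS ns3
ns2 10 A 10.53.0.2
ns3 10 A 10.53.0.3
EOF
for i in $(seq 300); do
	echo "host$i 10 IN NS ns.elsewhere"
done >> "$zonefile"
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1

# cds.secure: publishes a CDS record (dsfromkey -C) matching its own KSK.
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
# $zonefile was the only unquoted redirection target in the file (SC2086).
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

# cds-x.secure: the published CDS is derived from key2, a KSK that is NOT
# in the zone's DNSKEY RRset (only key1 and key3 are), i.e. a
# CDS/DNSKEY mismatch.  -x signs the DNSKEY RRset with the KSK only.
zone=cds-x.secure
infile=cds.secure.db.in
zonefile=cds-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
cat "$infile" "$key1.key" "$key3.key" "$key2.cds" > "$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1

# cds-update.secure: signed without any CDS record.
zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

zone=cds-kskonly.secure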
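infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

# cds-auto.secure: NOT signed here.  The template plus a CDS for key1 is
# written straight to the ".signed" file; the generated DNSKEYs are left
# out of it (presumably for the server to add when it signs the zone
# itself, as the updatecheck-kskonly comment at the bottom says).
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.cds" > "$zonefile.signed"

# cdnskey.secure: same shape as cds.secure, but the child record is a
# CDNSKEY built by rewriting the KSK's DNSKEY line.  The sed is a blanket
# substitution over the whole .key file; it relies on "DNSKEY" appearing
# only in the record itself.
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

# cdnskey-x.secure: the CDNSKEY comes from key1, which is not in the
# DNSKEY RRset (key2 and key3 are) -- a CDNSKEY/DNSKEY mismatch.
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1

# cdnskey-update.secure: signed without any CDNSKEY record.
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

# cdnskey-auto.secure: like cds-auto.secure, not signed here; only the
# template and the CDNSKEY go into the ".signed" file.
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.cds" > "$zonefile.signed"

# updatecheck-kskonly.secure: unsigned zone with DNSKEY, CDNSKEY and CDS
# records; the key ids and key file names are saved for the test to check
# which keys the server actually signs with.
zone=updatecheck-kskonly.secure
infile=template.secure.db.in
zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
# Save key id's for checking active key usage.
# Redirection targets are quoted (SC2086); they were the only unquoted
# expansions in this section.
keyfile_to_key_id "$key1" > "$zone.ksk.id"
keyfile_to_key_id "$key2" > "$zone.zsk.id"
echo "${key1}" > "$zone.ksk.key"
echo "${key2}" > "$zone.zsk.key"
# Add CDS and CDNSKEY records
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
# Don't sign, let auto-dnssec maintain do it.
mv "$zonefile" "$zonefile.signed"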