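#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

#
# ns2/sign.sh: generate the keys and signed zone files served by ns2 in
# this system test.
#
# Everything below relies on names that are expected to be provided by
# conf.sh (sourced next) or the environment, never defaulted here:
#   tools      $KEYGEN $SIGNER $CHECKZONE $DSFROMKEY $SETTIME $SHELL
#   parameters $TP (dsset file suffix), $DEFAULT_ALGORITHM/$DEFAULT_BITS,
#              $ALTERNATIVE_ALGORITHM/$ALTERNATIVE_BITS
#   functions  echo_i, keyfile_to_key_id
#
# The script runs under "set -e": a failing key generation or signing step
# aborts the whole setup rather than leaving a half-built fixture behind.
# All tool variables are quoted consistently; SHELL and SETTIME were the
# only ones previously left unquoted.
#

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

# Re-assert -e after sourcing conf.sh (presumably in case it touched the
# shell options).
set -e

# Generate a KSK and print what $KEYGEN -q prints, which the callers use
# as the key file basename ("$name.key").
#   $1 algorithm, $2 key size in bits, $3 zone name
gen_ksk() {
  "$KEYGEN" -q -a "$1" -b "$2" -n zone -f KSK "$3"
}

# Generate a ZSK; same arguments and output as gen_ksk.
gen_zsk() {
  "$KEYGEN" -q -a "$1" -b "$2" -n zone "$3"
}

# Sign child zones (served by ns3) first: their dsset-* files are copied
# into this directory below so that -g can build the parents' DS records.
( cd ../ns3 && "$SHELL" sign.sh )

echo_i "ns2/sign.sh"

# Get the DS records for the "trusted." and "managed." zones.
for subdomain in secure unsupported disabled enabled; do
  cp "../ns3/dsset-$subdomain.managed$TP" .
  cp "../ns3/dsset-$subdomain.trusted$TP" .
done

# Sign the "trusted." and "managed." zones.  Both are built from the same
# template (key.db.in) with the alternative algorithm, so one loop does both.
for name in managed trusted; do
  zone="$name."
  infile=key.db.in
  zonefile="$name.db"

  keyname1=$(gen_ksk "$ALTERNATIVE_ALGORITHM" "$ALTERNATIVE_BITS" "$zone")
  keyname2=$(gen_zsk "$ALTERNATIVE_ALGORITHM" "$ALTERNATIVE_BITS" "$zone")

  cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

  "$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
done

# The "example." zone.
zone=example.
infile=example.db.in
zonefile=example.db

# Get the DS records for the "example." zone.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
  nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
  kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
  ttlpatch split-dnssec split-smart expired expiring upper lower \
  dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
  dnskey-nsec3-unknown managed-future revkey \
  dname-at-apex-nsec3 occluded; do
  cp "../ns3/dsset-$subdomain.example$TP" .
done

# Sign the "example." zone.
keyname1=$(gen_ksk "$ALTERNATIVE_ALGORITHM" "$ALTERNATIVE_BITS" "$zone")
keyname2=$(gen_zsk "$ALTERNATIVE_ALGORITHM" "$ALTERNATIVE_BITS" "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

#
# Flip the case of the signature text in the CNAME RRSIG of
# bad-cname.example. and the DNAME RRSIG of bad-dname.example. (to lower
# case if the token is not already all lower case, else to upper case),
# leaving the tail of each token untouched: changing the last characters
# would lead to a bad base64 encoding.  Fields 1-12 (owner, TTL, class,
# RRSIG and the RDATA up to the signer name, presumably) are copied as-is.
#
# NOTE(review): the suffix is substr($i, length($i) - 4, 4), i.e. the
# characters at positions length-4 .. length-1, so the final character of
# every token is dropped and the one at length-4 appears in both prefix and
# suffix.  Kept byte-for-byte because the test expectations are built on
# this exact output; confirm against tests.sh before "fixing" it.
#
# The two original rules had identical bodies and differed only in the
# owner/type they matched, so they are merged into one pattern.
#

zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
# This is POSIX sh without pipefail, so a failing $CHECKZONE is not fatal on
# its own; the "|| exit 1" at least stops the script if awk or the final mv
# fails instead of silently leaving the unmodified .signed file in place.
"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" |
tr -d '\r' |
awk '
(tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME") ||
(tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME") {
  for (i = 1; i <= NF; i++) {
    if (i <= 12) {
      printf("%s ", $i);
      continue;
    }
    prefix = substr($i, 1, length($i) - 4);
    suffix = substr($i, length($i) - 4, 4);
    if (tolower(prefix) != prefix)
      printf("%s%s", tolower(prefix), suffix);
    else if (toupper(prefix) != prefix)
      printf("%s%s", toupper(prefix), suffix);
    else
      printf("%s%s ", prefix, suffix);
  }
  printf("\n");
  next;
}

{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" || exit 1

#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
#
zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db

keyname1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
keyname2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

# Sign the badparam secure file (NSEC3, empty salt, 1 iteration), then
# derive a ".bad" copy whose NSEC3 iteration count is edited from 1 to 10
# without re-signing, so the NSEC3 records no longer match their RRSIGs.

zone=badparam.
infile=badparam.db.in
zonefile=badparam.db

keyname1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
keyname2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"

# Sign the single-nsec3 secure zone with optout (-A), empty salt, 1 iteration.

zone=single-nsec3.
infile=single-nsec3.db.in
zonefile=single-nsec3.db

keyname1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
keyname2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1

#
# algroll has just had the old DNSKEY records removed and is waiting
# for them to be flushed from caches. We still need to generate
# RRSIGs for the old DNSKEY.
#
zone=algroll.
infile=algroll.db.in
zonefile=algroll.db

keyold1=$(gen_ksk "$ALTERNATIVE_ALGORITHM" "$ALTERNATIVE_BITS" "$zone")
keyold2=$(gen_zsk "$ALTERNATIVE_ALGORITHM" "$ALTERNATIVE_BITS" "$zone")
keynew1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
keynew2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")

# Only the new DNSKEYs go into the zone file; the old keys are still handed
# to the signer (as KSK via -k and as signing keys) so their RRSIGs exist.
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"

"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1

#
# Make a zone big enough that it takes several seconds to generate a new
# nsec3 chain.
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat > "$zonefile" << EOF
\$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ 10 NS ns3
ns2 10 A 10.53.0.2
ns3 10 A 10.53.0.3
EOF
# 300 delegations, host1 .. host300.
i=1
while [ "$i" -le 300 ]; do
  printf '%s\n' "host$i 10 IN NS ns.elsewhere"
  i=$((i + 1))
done >> "$zonefile"
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1

#
# CDS / CDNSKEY fixtures.  The ".cds" files are generated either with
# $DSFROMKEY -C (a CDS record) or by rewriting the DNSKEY record's type to
# CDNSKEY with sed; they are appended to the zone next to the DNSKEYs.  The
# signer is not given explicit key arguments here, so it picks the keys up
# from the key files in this directory.
#

# cds.secure: CDS for the single KSK.
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

# cds-x.secure: two KSKs, CDS published for the second only; -x makes only
# the KSKs sign the DNSKEY RRset.
zone=cds-x.secure
infile=cds.secure.db.in
zonefile=cds-x.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key3=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1

# cds-update.secure: plain signed zone, no CDS in the file.
zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

# cds-kskonly.secure: as above, plus the KSK's key id saved for the test.
zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cds-kskonly.secure.id

# cds-auto.secure: not signed here.  The key files are created on disk
# (key2 is not referenced again), the KSK's sync time is set to now, and
# the unsigned input is installed as the ".signed" file for named to
# maintain.
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
"$SETTIME" -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"

# cdnskey.secure: CDNSKEY for the single KSK.
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

# cdnskey-x.secure: two KSKs, CDNSKEY published for the first only.
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey-x.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key3=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1

# cdnskey-update.secure: plain signed zone, no CDNSKEY in the file.
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1

# cdnskey-kskonly.secure: as above, plus the KSK's key id saved for the test.
zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id

# cdnskey-auto.secure: same arrangement as cds-auto.secure.
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
"$SETTIME" -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"

# updatecheck-kskonly.secure: unsigned zone carrying DNSKEY, CDNSKEY and CDS
# for the KSK; key ids and key file names are saved for the test to check
# which key is actively used.
zone=updatecheck-kskonly.secure
infile=template.secure.db.in
zonefile="${zone}.db"
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
# Save key id's for checking active key usage
keyfile_to_key_id "$key1" > "$zone.ksk.id"
keyfile_to_key_id "$key2" > "$zone.zsk.id"
printf '%s\n' "${key1}" > "$zone.ksk.key"
printf '%s\n' "${key2}" > "$zone.zsk.key"
# Add CDS and CDNSKEY records
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
# Don't sign, let auto-dnssec maintain do it.
mv "$zonefile" "$zonefile.signed"

# hours-vs-days: same arrangement as cds-auto.secure.
zone=hours-vs-days
infile=hours-vs-days.db.in
zonefile=hours-vs-days.db
key1=$(gen_ksk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
key2=$(gen_zsk "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$zone")
"$SETTIME" -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"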