1#!/bin/sh -e 2 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# SPDX-License-Identifier: MPL-2.0 6# 7# This Source Code Form is subject to the terms of the Mozilla Public 8# License, v. 2.0. If a copy of the MPL was not distributed with this 9# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10# 11# See the COPYRIGHT file distributed with this work for additional 12# information regarding copyright ownership. 13 14# shellcheck source=conf.sh 15. ../../conf.sh 16 17set -e 18 19echo_i "ns7/sign.sh" 20 21zone=split-rrsig 22infile=split-rrsig.db.in 23zonefile=split-rrsig.db 24 25k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") 26k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") 27 28cat "$infile" "$k1.key" "$k2.key" >"$zonefile" 29 30# The awk script below achieves two goals: 31# 32# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so 33# that these two records (forming a single RRset) are not placed immediately 34# next to each other; the test then checks if RRSIG RRsets split this way are 35# correctly added to resigning heaps, 36# 37# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the 38# zone apex; the test then checks whether such signatures are automatically 39# removed from the zone after it is loaded. 40"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1 41awk 'BEGIN { r = ""; } 42 $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } 43 { print } 44 END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed" 45