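#!/bin/sh
#
# Copyright (C) 2009-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id: keygen.sh,v 1.15 2012/02/06 23:46:46 tbox Exp

#
# Generate the DNSSEC keys, DS sets and (for some zones) pre-signed zone
# files for the test zones used by this system test.  Every zone is started
# with setup(), which derives the zone file names from the zone name; the
# commands that follow each setup() call then operate on those names.
#
# The tool variables (KEYGEN, DSFROMKEY, SIGNER, SETTIME) and RANDFILE are
# not defined here and are expected to come from conf.sh, sourced below.
# The tool variables are deliberately expanded unquoted: conf.sh may define
# them with trailing options, so word-splitting is relied upon -- TODO
# confirm against conf.sh.  Data values (zone names, file names, key names)
# are always quoted.
#
# A failed key generation is reported through dumpit() but does not abort
# the script; the remaining steps for that zone will then fail visibly.
#

# Put -e in the body rather than on the shebang line so it also applies when
# the script is invoked as "sh keygen.sh".
set -e

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

#######################################
# Dump a tool's captured output to stdout, each line prefixed with "D:",
# so a failed invocation can be diagnosed from the test log.
# Globals:   debug (read; the zone name set by setup)
# Arguments: $1 - file to dump
# Outputs:   the file contents, prefixed, on stdout
#######################################
dumpit () {
	echo "D:${debug}: dumping ${1}"
	sed 's/^/D:/' "${1}"
}

#######################################
# Begin work on a zone: announce it and derive the file names the
# following commands use.
# Arguments: $1 - zone name
# Globals:   debug, zone, zonefile, infile (written); n (incremented)
#######################################
setup () {
	echo "I:setting up zone: $1"
	debug="$1"
	zone="$1"
	zonefile="${zone}.db"
	infile="${zonefile}.in"
	# Running count of zones set up so far (not read elsewhere in this file).
	n=$((${n:-0} + 1))
}

setup secure.example
cp "$infile" "$zonefile"
# The KSK name is captured from keygen's stdout; the assignment's exit status
# is that of keygen, so a failure still reaches dumpit.
ksk=$($KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# NSEC3/NSEC test zone
#
setup secure.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# NSEC3/NSEC3 test zone
#
setup nsec3.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# OPTOUT/NSEC3 test zone
#
setup optout.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A nsec3 zone (non-optout).
#
setup nsec3.example
# The glob picks up the dsset files written above for the *.nsec3.example
# child zones, so their DS records are delegated from this parent.
cat "$infile" dsset-*."${zone}". > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
setup autonsec3.example
cat "$infile" > "$zonefile"
# Key names are recorded one directory up so the test driver can find them.
ksk=$($KEYGEN -G -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../autoksk.key
zsk=$($KEYGEN -G -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../autozsk.key
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# OPTOUT/NSEC test zone
#
setup secure.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# OPTOUT/NSEC3 test zone
#
setup nsec3.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# OPTOUT/OPTOUT test zone
#
setup optout.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A optout nsec3 zone.
#
setup optout.example
# As for nsec3.example: pull in the dsset files of the *.optout.example
# child zones generated above.
cat "$infile" dsset-*."${zone}". > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A RSASHA256 zone.
#
# NOTE(review): the 1024-bit RSA ZSKs here and below are smaller than what
# is recommended for production deployments; presumably chosen to keep the
# test fast.  Do not copy these sizes outside the test suite.
#
setup rsasha256.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# A RSASHA512 zone.
#
setup rsasha512.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# NSEC-only zone.
#
setup nsec.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}."

#
# Signature refresh test zone. Signatures are set to expire long
# in the past; they should be updated by autosign.
#
setup oldsigs.example
cp "$infile" "$zonefile"
$KEYGEN -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# NSEC3->NSEC transition test zone.
#
setup nsec3-to-nsec.example
$KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate
#
setup secure-to-insecure.example
$KEYGEN -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.
#
setup secure-to-insecure2.example
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../del1.key
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../del2.key
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# Introducing a pre-published key test.
#
setup prepub.example
# Reuses the secure-to-insecure2 input zone rather than its own .db.in.
infile="secure-to-insecure2.example.db.in"
$KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# Key TTL tests.
#

# no default key TTL; DNSKEY should get SOA TTL
setup ttl1.example
$KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# default key TTL should be used
setup ttl2.example
$KEYGEN -3 -q -r "$RANDFILE" -fk -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# mismatched key TTLs, should use shortest
setup ttl3.example
$KEYGEN -3 -q -r "$RANDFILE" -fk -L 30 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# existing DNSKEY RRset, should retain TTL
setup ttl4.example
$KEYGEN -3 -q -r "$RANDFILE" -L 30 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# The KSK generated just above is appended to the zone file before the ZSK
# (with a different -L) is created.
cat "${infile}" K"${zone}".+*.key > "$zonefile"
$KEYGEN -3 -q -r "$RANDFILE" -L 180 "$zone" > kg.out 2>&1 || dumpit kg.out

#
# A zone with a DNSKEY RRset that is published before it's activated
#
setup delay.example
ksk=$($KEYGEN -G -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../delayksk.key
zsk=$($KEYGEN -G -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../delayzsk.key

#
# A zone with signatures that are already expired, and the private ZSK
# is missing.
#
setup nozsk.example
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# Error capture added for consistency with the other ZSK generations.
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out 2>&1 || dumpit s.out
echo "$zsk" > ../missingzsk.key
# Delete only the private half so the public key stays in the zone.
rm -f -- "${zsk}.private"

#
# A zone with signatures that are already expired, and the private ZSK
# is inactive.
#
setup inaczsk.example
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# Error capture added for consistency with the other ZSK generations.
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out 2>&1 || dumpit s.out
echo "$zsk" > ../inactivezsk.key
$SETTIME -I now "$zsk" > st.out 2>&1 || dumpit st.out

#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
#
setup reconf.example
# Reuses the secure.example input zone rather than its own .db.in.
cp secure.example.db.in "$zonefile"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out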