1#!/bin/sh -e
2#
3# Copyright (C) 2004, 2006-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
4# Copyright (C) 2000-2003  Internet Software Consortium.
5#
6# Permission to use, copy, modify, and/or distribute this software for any
7# purpose with or without fee is hereby granted, provided that the above
8# copyright notice and this permission notice appear in all copies.
9#
10# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16# PERFORMANCE OF THIS SOFTWARE.
17
18SYSTEMTESTTOP=../..
19. $SYSTEMTESTTOP/conf.sh
20
21zone=example.
22infile=example.db.in
23zonefile=example.db
24
25# Have the child generate a zone key and pass it to us.
26
27( cd ../ns3 && $SHELL sign.sh )
28
29for subdomain in secure bogus dnskey-unknown dnskey-nsec3-unknown \
30	dynamic keyless nsec3 optout nsec3-unknown optout-unknown \
31	multiple rsasha256 rsasha512 kskonly update-nsec3 auto-nsec \
32	auto-nsec3 secure.below-cname ttlpatch split-dnssec split-smart \
33	expired expiring upper lower
34
35do
36	cp ../ns3/dsset-$subdomain.example. .
37done
38
39keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
40keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
41
42cat $infile $keyname1.key $keyname2.key >$zonefile
43
44$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
45
46#
47# lower/uppercase the signature bits with the exception of the last characters
48# changing the last 4 characters will lead to a bad base64 encoding.
49#
50$CHECKZONE -D -q -i local $zone $zonefile.signed |
51awk '
52tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
53	for (i = 1; i <= NF; i++ ) {
54		if (i <= 12) {
55			printf("%s ", $i);
56			continue;
57		}
58		prefix = substr($i, 1, length($i) - 4);
59		suffix = substr($i, length($i) - 4, 4);
60		if (i > 12 && tolower(prefix) != prefix)
61			printf("%s%s", tolower(prefix), suffix);
62		else if (i > 12 && toupper(prefix) != prefix)
63			printf("%s%s", toupper(prefix), suffix);
64		else
65			printf("%s%s ", prefix, suffix);
66	}
67	printf("\n");
68	next;
69}
70
71tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
72	for (i = 1; i <= NF; i++ ) {
73		if (i <= 12) {
74			printf("%s ", $i);
75			continue;
76		}
77		prefix = substr($i, 1, length($i) - 4);
78		suffix = substr($i, length($i) - 4, 4);
79		if (i > 12 && tolower(prefix) != prefix)
80			printf("%s%s", tolower(prefix), suffix);
81		else if (i > 12 && toupper(prefix) != prefix)
82			printf("%s%s", toupper(prefix), suffix);
83		else
84			printf("%s%s ", prefix, suffix);
85	}
86	printf("\n");
87	next;
88}
89
90{ print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed
91
92#
93# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
94#
95zone=in-addr.arpa.
96infile=in-addr.arpa.db.in
97zonefile=in-addr.arpa.db
98
99keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
100keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
101
102cat $infile $keyname1.key $keyname2.key >$zonefile
103$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
104
105# Sign the privately secure file
106
107privzone=private.secure.example.
108privinfile=private.secure.example.db.in
109privzonefile=private.secure.example.db
110
111privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
112
113cat $privinfile $privkeyname.key >$privzonefile
114
115$SIGNER -P -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
116
117# Sign the DLV secure zone.
118
119
120dlvzone=dlv.
121dlvinfile=dlv.db.in
122dlvzonefile=dlv.db
123
124dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
125
126cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
127
128$SIGNER -P -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
129
130# Sign the badparam secure file
131
132zone=badparam.
133infile=badparam.db.in
134zonefile=badparam.db
135
136keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
137keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
138
139cat $infile $keyname1.key $keyname2.key >$zonefile
140
141$SIGNER -P -3 - -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
142
143sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' $zonefile.signed > $zonefile.bad
144
145# Sign the single-nsec3 secure zone with optout
146
147zone=single-nsec3.
148infile=single-nsec3.db.in
149zonefile=single-nsec3.db
150
151keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
152keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
153
154cat $infile $keyname1.key $keyname2.key >$zonefile
155
156$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
157
158#
159# algroll has just has the old DNSKEY records removed and is waiting
160# for them to be flushed from caches.  We still need to generate
161# RRSIGs for the old DNSKEY.
162#
163zone=algroll.
164infile=algroll.db.in
165zonefile=algroll.db
166
167keyold1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
168keyold2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
169keynew1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone`
170keynew2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
171
172cat $infile $keynew1.key $keynew2.key >$zonefile
173
174$SIGNER -P -r $RANDFILE -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null
175
176#
177# Make a zone big enough that it takes several seconds to generate a new
178# nsec3 chain.
179#
180zone=nsec3chain-test
181zonefile=nsec3chain-test.db
182cat > $zonefile << 'EOF'
183$TTL 10
184@	10	SOA	ns2 hostmaster 0 3600 1200 864000 1200
185@	10	NS	ns2
186@	10	NS	ns3
187ns2	10	A	10.53.0.2
188ns3	10	A	10.53.0.3
189EOF
190awk 'END { for (i = 0; i < 300; i++)
191	print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> $zonefile
192key1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone`
193key2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
194cat $key1.key $key2.key >> $zonefile
195$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $key1 $zonefile $key2 > /dev/null
196