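#!/bin/sh
#
# Copyright (C) 2004, 2006-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

#
# Generates keys and signed zone files for the ns2 test server: the
# "example." zone (with deliberately broken CNAME/DNAME signatures),
# in-addr.arpa, a DLV-anchored private zone, the "dlv." zone, and several
# NSEC3 variants.  Expects $KEYGEN, $SIGNER, $CHECKZONE and $RANDFILE to be
# provided by conf.sh and must be run from the ns2 directory.
#

# Set -e here rather than on the shebang line: the script is started as
# "$SHELL sign.sh" (the same way ns3/sign.sh is started below), and options
# given on the #! line are dropped when the interpreter is named explicitly.
set -e

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

zone=example.
infile=example.db.in
zonefile=example.db

# Have the child generate a zone key and pass it to us.

( cd ../ns3 && $SHELL sign.sh )

for subdomain in secure bogus dnskey-unknown dnskey-nsec3-unknown \
  dynamic keyless nsec3 optout nsec3-unknown optout-unknown \
  multiple rsasha256 rsasha512 kskonly update-nsec3 auto-nsec \
  auto-nsec3 secure.below-cname ttlpatch split-dnssec split-smart \
  expired expiring upper lower; do
  cp "../ns3/dsset-$subdomain.example." .
done

# DSA (and RSAMD5 further down) are obsolete DNSSEC algorithms; they are
# used here only because this test fixture exercises them.  Not a model for
# signing real zones.
keyname1=$($KEYGEN -q -r "$RANDFILE" -a DSA -b 768 -n zone "$zone")
keyname2=$($KEYGEN -q -r "$RANDFILE" -a DSA -b 768 -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

$SIGNER -P -g -r "$RANDFILE" -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

#
# lower/uppercase the signature bits with the exception of the last characters
# changing the last 4 characters will lead to a bad base64 encoding.
#
# The awk program rewrites the RRSIG(CNAME) of bad-cname.example. and the
# RRSIG(DNAME) of bad-dname.example.: fields 1-12 (owner, TTL, class, type and
# the RRSIG header fields) are copied, and every following base64 chunk has
# the case of its prefix flipped so the signature no longer verifies.
#
# NOTE(review): substr($i, length($i) - 4, 4) starts one character before the
# last four, so the final character of each chunk is dropped and the one at
# length-4 appears twice.  The chunk length is unchanged and the signature is
# meant to be invalid anyway, so this is left as-is.  The two flipped branches
# also omit the separating space, so consecutive flipped chunks are emitted
# joined; presumably harmless for base64 input, left as-is for the same reason.
#
$CHECKZONE -D -q -i local "$zone" "$zonefile.signed" |
awk '
# Emit the current record with the case of each signature chunk flipped.
function mangle(    i, prefix, suffix) {
	for (i = 1; i <= NF; i++ ) {
		if (i <= 12) {
			printf("%s ", $i);
			continue;
		}
		prefix = substr($i, 1, length($i) - 4);
		suffix = substr($i, length($i) - 4, 4);
		if (i > 12 && tolower(prefix) != prefix)
			printf("%s%s", tolower(prefix), suffix);
		else if (i > 12 && toupper(prefix) != prefix)
			printf("%s%s", toupper(prefix), suffix);
		else
			printf("%s%s ", prefix, suffix);
	}
	printf("\n");
}

tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
	mangle();
	next;
}

tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
	mangle();
	next;
}

{ print; }' > "$zonefile.signed++" && mv "$zonefile.signed++" "$zonefile.signed"

#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
#
zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db

keyname1=$($KEYGEN -q -r "$RANDFILE" -a DSA -b 768 -n zone "$zone")
keyname2=$($KEYGEN -q -r "$RANDFILE" -a DSA -b 768 -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
$SIGNER -P -g -r "$RANDFILE" -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

# Sign the privately secure file

privzone=private.secure.example.
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db

privkeyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$privzone")

cat "$privinfile" "$privkeyname.key" > "$privzonefile"

# -l dlv makes the signer emit the dlvset-* file consumed by the dlv. zone below.
$SIGNER -P -g -r "$RANDFILE" -o "$privzone" -l dlv "$privzonefile" > /dev/null

# Sign the DLV secure zone.

dlvzone=dlv.
dlvinfile=dlv.db.in
dlvzonefile=dlv.db

dlvkeyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$dlvzone")

cat "$dlvinfile" "$dlvkeyname.key" "dlvset-$privzone" > "$dlvzonefile"

$SIGNER -P -g -r "$RANDFILE" -o "$dlvzone" "$dlvzonefile" > /dev/null

# Sign the badparam secure file

zone=badparam.
infile=badparam.db.in
zonefile=badparam.db

keyname1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone -f KSK "$zone")
keyname2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

# "-3 -" selects NSEC3 with an empty salt; -H 1 sets one extra hash iteration.
$SIGNER -P -3 - -H 1 -g -r "$RANDFILE" -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

# Produce a copy whose NSEC3 iteration count (10) no longer matches the
# NSEC3PARAM (1), to exercise the bad-parameter handling.
sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"

# Sign the single-nsec3 secure zone with optout

zone=single-nsec3.
infile=single-nsec3.db.in
zonefile=single-nsec3.db

keyname1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone -f KSK "$zone")
keyname2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"

$SIGNER -P -3 - -A -H 1 -g -r "$RANDFILE" -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null

#
# algroll has just has the old DNSKEY records removed and is waiting
# for them to be flushed from caches. We still need to generate
# RRSIGs for the old DNSKEY.
#
zone=algroll.
infile=algroll.db.in
zonefile=algroll.db

keyold1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 1024 -n zone -fk "$zone")
keyold2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 1024 -n zone "$zone")
keynew1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone -fk "$zone")
keynew2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone "$zone")

# Only the new DNSKEYs are published in the zone; both old and new key sets
# are still handed to the signer so RRSIGs exist for both algorithms.
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null

#
# Make a zone big enough that it takes several seconds to generate a new
# nsec3 chain.
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
cat > "$zonefile" << 'EOF'
$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ 10 NS ns3
ns2 10 A 10.53.0.2
ns3 10 A 10.53.0.3
EOF
# Pad the zone with 300 delegations (host0 .. host299).
awk 'END { for (i = 0; i < 300; i++)
	print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> "$zonefile"
key1=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 1024 -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
$SIGNER -P -3 - -A -H 1 -g -r "$RANDFILE" -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null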