1#!/bin/sh -e
2#
3# Copyright (C) 2004, 2006-2015  Internet Systems Consortium, Inc. ("ISC")
4# Copyright (C) 2000-2002  Internet Software Consortium.
5#
6# Permission to use, copy, modify, and/or distribute this software for any
7# purpose with or without fee is hereby granted, provided that the above
8# copyright notice and this permission notice appear in all copies.
9#
10# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16# PERFORMANCE OF THIS SOFTWARE.
17
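# Re-assert fail-fast behaviour explicitly: the "-e" on the shebang line is
# silently dropped whenever this script is run as "sh sign.sh" instead of
# being executed directly.  Every section below discards the signer's
# output (> /dev/null 2>&1), so without -e a failed key generation or
# signing step would go unnoticed and leave a broken fixture behind.
set -e

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"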
20
#
# secure.example: an NSEC-signed zone that also carries two host KEY
# records (cnameandkey/dnameandkey) next to the zone key.
# NOTE: RSASHA1 with 768-bit keys is a deliberately weak test fixture;
# these parameters must never be copied into a real deployment.
#
zone=secure.example.
infile=secure.example.db.in
zonefile=secure.example.db

cnameandkey=$($KEYGEN -T KEY -q -r "$RANDFILE" -a RSASHA1 -b 768 -n host "cnameandkey.$zone")
dnameandkey=$($KEYGEN -T KEY -q -r "$RANDFILE" -a RSASHA1 -b 768 -n host "dnameandkey.$zone")
keyname=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 768 -n zone "$zone")

# Unsigned zone = template + all public key records.
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"

# Signer diagnostics are discarded; only its exit status (under sh -e)
# reports a failure.
$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1
32
#
# bogus.example: signed with its own RSAMD5 key.  Nothing in this file
# makes the zone "bogus"; that status is presumably established by the
# trust configuration used elsewhere in the test.
# (RSAMD5/768-bit is test-only material, not a usable algorithm choice.)
#
zone=bogus.example.
infile=bogus.example.db.in
zonefile=bogus.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" > "$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1
42
#
# dynamic.example: NSEC-signed with a 768-bit ZSK and a 1024-bit KSK
# (both RSAMD5, test-only parameters).
#
zone=dynamic.example.
infile=dynamic.example.db.in
zonefile=dynamic.example.db

zskname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$zone")
kskname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 1024 -n zone -f KSK "$zone")

cat "$infile" "$zskname.key" "$kskname.key" > "$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1
53
#
# keyless.example: signed normally, then one signature is re-pointed at a
# signer name that provably has no key.
#
zone=keyless.example.
infile=keyless.example.db.in
zonefile=keyless.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" > "$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

# Rewrite the signer field of a.b.keyless.example's RRSIG A from
# keyless.example to b.keyless.example (a name with no DNSKEY).
# NOTE(review): the perl range starts at the a.b.keyless.example record
# and is meant to end at the next NXT record, but NXT is the pre-RFC 4034
# name — the signer emits NSEC — so the end pattern only matches by
# accident (e.g. "NXT" inside base64 signature data) or not at all, and
# the substitution may run to end of file.  Confirm the intended extent
# before tightening it to /NSEC/.
mv "$zonefile.signed" "$zonefile.tmp"
$PERL -p -e 's/ keyless.example/ b.keyless.example/
    if /^a.b.keyless.example/../NXT/;' < "$zonefile.tmp" > "$zonefile.signed"
rm -f "$zonefile.tmp"
70
71#
72#  NSEC3/NSEC test zone
73#
74zone=secure.nsec3.example.
75infile=secure.nsec3.example.db.in
76zonefile=secure.nsec3.example.db
77
78keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
79
80cat $infile $keyname.key >$zonefile
81
82$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
83
84#
85#  NSEC3/NSEC3 test zone
86#
87zone=nsec3.nsec3.example.
88infile=nsec3.nsec3.example.db.in
89zonefile=nsec3.nsec3.example.db
90
91keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
92
93cat $infile $keyname.key >$zonefile
94
95$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
96
97#
98#  OPTOUT/NSEC3 test zone
99#
100zone=optout.nsec3.example.
101infile=optout.nsec3.example.db.in
102zonefile=optout.nsec3.example.db
103
104keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
105
106cat $infile $keyname.key >$zonefile
107
108$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
109
110#
111# A nsec3 zone (non-optout).
112#
113zone=nsec3.example.
114infile=nsec3.example.db.in
115zonefile=nsec3.example.db
116
117keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
118
119cat $infile $keyname.key >$zonefile
120
121$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
122
123#
124#  OPTOUT/NSEC test zone
125#
126zone=secure.optout.example.
127infile=secure.optout.example.db.in
128zonefile=secure.optout.example.db
129
130keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
131
132cat $infile $keyname.key >$zonefile
133
134$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
135
136#
137#  OPTOUT/NSEC3 test zone
138#
139zone=nsec3.optout.example.
140infile=nsec3.optout.example.db.in
141zonefile=nsec3.optout.example.db
142
143keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
144
145cat $infile $keyname.key >$zonefile
146
147$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
148
149#
150#  OPTOUT/OPTOUT test zone
151#
152zone=optout.optout.example.
153infile=optout.optout.example.db.in
154zonefile=optout.optout.example.db
155
156keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
157
158cat $infile $keyname.key >$zonefile
159
160$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
161
162#
163# A optout nsec3 zone.
164#
165zone=optout.example.
166infile=optout.example.db.in
167zonefile=optout.example.db
168
169keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
170
171cat $infile $keyname.key >$zonefile
172
173$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
174
175#
176# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
177#
178zone=nsec3-unknown.example.
179infile=nsec3-unknown.example.db.in
180zonefile=nsec3-unknown.example.db
181
182keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
183
184cat $infile $keyname.key >$zonefile
185
186$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
187
188#
189# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
190#
191zone=optout-unknown.example.
192infile=optout-unknown.example.db.in
193zonefile=optout-unknown.example.db
194
195keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
196
197cat $infile $keyname.key >$zonefile
198
199$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
200
201#
202# A zone with a unknown DNSKEY algorithm.
203# Algorithm 7 is replaced by 100 in the zone and dsset.
204#
205zone=dnskey-unknown.example.
206infile=dnskey-unknown.example.db.in
207zonefile=dnskey-unknown.example.db
208
209keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
210
211cat $infile $keyname.key >$zonefile
212
213$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
214
215awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
216
217$DSFROMKEY -A -f ${zonefile}.signed $zone > dsset-${zone}
218
219#
220# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
221# Algorithm 7 is replaced by 100 in the zone and dsset.
222#
223zone=dnskey-nsec3-unknown.example.
224infile=dnskey-nsec3-unknown.example.db.in
225zonefile=dnskey-nsec3-unknown.example.db
226
227keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
228
229cat $infile $keyname.key >$zonefile
230
231$SIGNER -P -3 - -r $RANDFILE -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
232
233awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
234
235$DSFROMKEY -A -f ${zonefile}.signed $zone > dsset-${zone}
236
237#
238# A multiple parameter nsec3 zone.
239#
240zone=multiple.example.
241infile=multiple.example.db.in
242zonefile=multiple.example.db
243
244keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
245
246cat $infile $keyname.key >$zonefile
247
248$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
249mv $zonefile.signed $zonefile
250$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
251mv $zonefile.signed $zonefile
252$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
253mv $zonefile.signed $zonefile
254$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
255mv $zonefile.signed $zonefile
256$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
257mv $zonefile.signed $zonefile
258$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
259
260#
261# A RSASHA256 zone.
262#
263zone=rsasha256.example.
264infile=rsasha256.example.db.in
265zonefile=rsasha256.example.db
266
267keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
268
269cat $infile $keyname.key >$zonefile
270
271$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
272
273#
274# A RSASHA512 zone.
275#
276zone=rsasha512.example.
277infile=rsasha512.example.db.in
278zonefile=rsasha512.example.db
279
280keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
281
282cat $infile $keyname.key >$zonefile
283
284$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
285
286#
287# A zone with the DNSKEY set only signed by the KSK
288#
289zone=kskonly.example.
290infile=kskonly.example.db.in
291zonefile=kskonly.example.db
292
293kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
294zskname=`$KEYGEN -q -r $RANDFILE $zone`
295cat $infile $kskname.key $zskname.key >$zonefile
296$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
297
298#
299# A zone with the expired signatures
300#
301zone=expired.example.
302infile=expired.example.db.in
303zonefile=expired.example.db
304
305kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
306zskname=`$KEYGEN -q -r $RANDFILE $zone`
307cat $infile $kskname.key $zskname.key >$zonefile
308$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
309rm -f $kskname.* $zskname.*
310
311#
312# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
313#
314zone=update-nsec3.example.
315infile=update-nsec3.example.db.in
316zonefile=update-nsec3.example.db
317
318kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
319zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
320cat $infile $kskname.key $zskname.key >$zonefile
321$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
322
323#
324# A NSEC signed zone that will have auto-dnssec enabled and
325# extra keys not in the initial signed zone.
326#
327zone=auto-nsec.example.
328infile=auto-nsec.example.db.in
329zonefile=auto-nsec.example.db
330
331kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
332zskname=`$KEYGEN -q -r $RANDFILE $zone`
333kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
334zskname=`$KEYGEN -q -r $RANDFILE $zone`
335cat $infile $kskname.key $zskname.key >$zonefile
336$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
337
338#
339# A NSEC3 signed zone that will have auto-dnssec enabled and
340# extra keys not in the initial signed zone.
341#
342zone=auto-nsec3.example.
343infile=auto-nsec3.example.db.in
344zonefile=auto-nsec3.example.db
345
346kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
347zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
348kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
349zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
350cat $infile $kskname.key $zskname.key >$zonefile
351$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
352
353#
354# Secure below cname test zone.
355#
356zone=secure.below-cname.example.
357infile=secure.below-cname.example.db.in
358zonefile=secure.below-cname.example.db
359keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
360cat $infile $keyname.key >$zonefile
361$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
362
363#
364# Patched TTL test zone.
365#
366zone=ttlpatch.example.
367infile=ttlpatch.example.db.in
368zonefile=ttlpatch.example.db
369signedfile=ttlpatch.example.db.signed
370patchedfile=ttlpatch.example.db.patched
371
372keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
373cat $infile $keyname.key >$zonefile
374
375$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
376$CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \
377    awk '{$2 = "3600"; print}' > $patchedfile
378
379#
380# Seperate DNSSEC records.
381#
382zone=split-dnssec.example.
383infile=split-dnssec.example.db.in
384zonefile=split-dnssec.example.db
385signedfile=split-dnssec.example.db.signed
386
387keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
388cat $infile $keyname.key >$zonefile
389echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
390: > $signedfile
391$SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
392
393#
394# Seperate DNSSEC records smart signing.
395#
396zone=split-smart.example.
397infile=split-smart.example.db.in
398zonefile=split-smart.example.db
399signedfile=split-smart.example.db.signed
400
401keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
402cp $infile $zonefile
403echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
404: > $signedfile
405$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
406
407#
408# Zone with signatures about to expire, but no private key to replace them
409#
410zone="expiring.example."
411infile="expiring.example.db.in"
412zonefile="expiring.example.db"
413signedfile="expiring.example.db.signed"
414kskname=`$KEYGEN -q -r $RANDFILE $zone`
415zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
416cp $infile $zonefile
417$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
418mv -f ${zskname}.private ${zskname}.private.moved
419mv -f ${kskname}.private ${kskname}.private.moved
420
421#
422# A zone where the signer's name has been forced to uppercase.
423#
424zone="upper.example."
425infile="upper.example.db.in"
426zonefile="upper.example.db"
427lower="upper.example.db.lower"
428signedfile="upper.example.db.signed"
429kskname=`$KEYGEN -q -r $RANDFILE $zone`
430zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
431cp $infile $zonefile
432$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1
433$CHECKZONE -D upper.example $lower 2>&- | \
434	sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
435
436#
437# Check that the signer's name is in lower case when zone name is in
438# upper case.
439#
440zone="LOWER.EXAMPLE."
441infile="lower.example.db.in"
442zonefile="lower.example.db"
443signedfile="lower.example.db.signed"
444kskname=`$KEYGEN -q -r $RANDFILE $zone`
445zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
446cp $infile $zonefile
447$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
448
449#
450# Zone with signatures about to expire, and dynamic, but configured
451# not to resign with 'auto-resign no;'
452#
453zone="nosign.example."
454infile="nosign.example.db.in"
455zonefile="nosign.example.db"
456signedfile="nosign.example.db.signed"
457kskname=`$KEYGEN -q -r $RANDFILE $zone`
458zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
459cp $infile $zonefile
460$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
461# preserve a normalized copy of the NS RRSIG for comparison later
462$CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
463        awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
464        sed 's/[ 	][ 	]*/ /g'> ../nosign.before
465
466#
467# An inline signing zone
468#
469zone=inline.example.
470kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
471zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
472
473#
474# publish a new key while deactivating another key at the same time.
475#
476zone=publish-inactive.example
477infile=publish-inactive.example.db.in
478zonefile=publish-inactive.example.db
479now=`date -u +%Y%m%d%H%M%S`
480kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
481kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone`
482kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
483zskname=`$KEYGEN -q -r $RANDFILE $zone`
484cp $infile $zonefile
485$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
486
487#
488# A zone which will change its sig-validity-interval
489#
490zone=siginterval.example
491infile=siginterval.example.db.in
492zonefile=siginterval.example.db
493kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
494zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
495cp $infile $zonefile
496
497#
498# A zone with future signatures.
499#
500zone=future.example
501infile=future.example.db.in
502zonefile=future.example.db
503kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
504zskname=`$KEYGEN -q -r $RANDFILE $zone`
505cat $infile $kskname.key $zskname.key >$zonefile
506$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
507cp -f $kskname.key trusted-future.key
508