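#!/bin/sh
#
# Copyright (C) 2004, 2006-2015 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

#
# Generate the signed fixture zones for this test server.
#
# Every zone below is built the same way: concatenate the unsigned template
# (*.db.in) with freshly generated DNSKEY records, then run dnssec-signzone.
#
# SECURITY NOTE: this is test-fixture generation, not operational guidance.
# Several zones are signed on purpose with weak or deprecated parameters
# (RSAMD5, 768-bit RSA, RSASHA1) and some are deliberately corrupted after
# signing so the validator under test can be exercised on "bogus" data.
# None of these parameters should be copied into a production signing setup.
# Newer dnssec-keygen builds may refuse RSAMD5 or sub-1024-bit keys; this
# script targets the in-tree tools selected by conf.sh.
#
# Abort on the first failing command.  This is set here rather than on the
# shebang line because shebang options are discarded when the script is run
# as "sh sign.sh", which is how the test harness invokes it.  Note that most
# signer invocations discard stdout/stderr, so a failure aborts the script
# without a diagnostic; drop the redirection when debugging.
#
set -e

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

# $KEYGEN, $SIGNER, $CHECKZONE, $DSFROMKEY and $PERL are intentionally left
# unquoted throughout: conf.sh may define them as a command plus options, and
# quoting would suppress the word-splitting that relies on.  File and zone
# names are quoted.

#
# Secure zone with KEY records alongside a CNAME and a DNAME.
# The two host KEYs are deliberately generated with the legacy KEY type (-T).
#
zone=secure.example.
infile=secure.example.db.in
zonefile=secure.example.db

cnameandkey=$($KEYGEN -T KEY -q -r "$RANDFILE" -a RSASHA1 -b 768 -n host "cnameandkey.$zone")
dnameandkey=$($KEYGEN -T KEY -q -r "$RANDFILE" -a RSASHA1 -b 768 -n host "dnameandkey.$zone")
keyname=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"

# -P disables the signer's post-sign verification; several zones below are
# intentionally unverifiable, so the flag is used consistently.
$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# Zone that the test expects to validate as bogus (RSAMD5 key).
#
zone=bogus.example.
infile=bogus.example.db.in
zonefile=bogus.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# Dynamic zone with a separate ZSK and KSK.
#
zone=dynamic.example.
infile=dynamic.example.db.in
zonefile=dynamic.example.db

keyname1=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$zone")
keyname2=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 1024 -n zone -f KSK "$zone")

cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# Zone whose signature is made to reference a nonexistent key.
#
zone=keyless.example.
infile=keyless.example.db.in
zonefile=keyless.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

# Change the signer field of the a.b.keyless.example SIG A
# to point to a provably nonexistent KEY record.  The Perl range
# operator limits the substitution to the a.b.keyless.example records
# up to and including the NXT line.
mv "$zonefile.signed" "$zonefile.tmp"
<"$zonefile.tmp" $PERL -p -e 's/ keyless.example/ b.keyless.example/
    if /^a.b.keyless.example/../NXT/;' >"$zonefile.signed"
rm -f "$zonefile.tmp"

#
# NSEC3/NSEC test zone
#
zone=secure.nsec3.example.
infile=secure.nsec3.example.db.in
zonefile=secure.nsec3.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# NSEC3/NSEC3 test zone ("-3 -" selects NSEC3 with an empty salt)
#
zone=nsec3.nsec3.example.
infile=nsec3.nsec3.example.db.in
zonefile=nsec3.nsec3.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -3 - -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# OPTOUT/NSEC3 test zone (-A sets the NSEC3 opt-out flag)
#
zone=optout.nsec3.example.
infile=optout.nsec3.example.db.in
zonefile=optout.nsec3.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -3 - -A -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A nsec3 zone (non-optout).  -g pulls in DS records for the child zones
# signed above from their dsset- files.
#
zone=nsec3.example.
infile=nsec3.example.db.in
zonefile=nsec3.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -g -3 - -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# OPTOUT/NSEC test zone
#
zone=secure.optout.example.
infile=secure.optout.example.db.in
zonefile=secure.optout.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSAMD5 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# OPTOUT/NSEC3 test zone
#
zone=nsec3.optout.example.
infile=nsec3.optout.example.db.in
zonefile=nsec3.optout.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -3 - -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# OPTOUT/OPTOUT test zone
#
zone=optout.optout.example.
infile=optout.optout.example.db.in
zonefile=optout.optout.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -3 - -A -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A optout nsec3 zone.
#
zone=optout.example.
infile=optout.example.db.in
zonefile=optout.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -g -3 - -A -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
#
zone=nsec3-unknown.example.
infile=nsec3-unknown.example.db.in
zonefile=nsec3-unknown.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -3 - -U -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
#
zone=optout-unknown.example.
infile=optout-unknown.example.db.in
zonefile=optout-unknown.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -3 - -U -A -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A zone with a unknown DNSKEY algorithm.
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
# The signed zone is written in "full" output format so that the awk
# field positions below are stable: $7 is the DNSKEY algorithm and $6 the
# RRSIG algorithm.  The final unconditional { print } means each rewritten
# DNSKEY/RRSIG is emitted in addition to, not instead of, the original.
#
zone=dnskey-unknown.example.
infile=dnskey-unknown.example.db.in
zonefile=dnskey-unknown.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -3 - -r "$RANDFILE" -o "$zone" -O full -f "${zonefile}.tmp" "$zonefile" > /dev/null 2>&1

awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' "${zonefile}.tmp" > "${zonefile}.signed"

# -A: derive DS records from ZSKs as well as KSKs.
$DSFROMKEY -A -f "${zonefile}.signed" "$zone" > "dsset-${zone}"

#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone=dnskey-nsec3-unknown.example.
infile=dnskey-nsec3-unknown.example.db.in
zonefile=dnskey-nsec3-unknown.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -3 - -r "$RANDFILE" -o "$zone" -U -O full -f "${zonefile}.tmp" "$zonefile" > /dev/null 2>&1

awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' "${zonefile}.tmp" > "${zonefile}.signed"

$DSFROMKEY -A -f "${zonefile}.signed" "$zone" > "dsset-${zone}"

#
# A multiple parameter nsec3 zone.
#
# The zone is signed once with NSEC, then re-signed repeatedly with -u3
# (update the NSEC3 chain) and a different salt each time, so that the
# final zone carries several NSEC3 chains/NSEC3PARAM sets.
#
zone=multiple.example.
infile=multiple.example.db.in
zonefile=multiple.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1
mv "$zonefile.signed" "$zonefile"
for salt in - AAAA BBBB CCCC DDDD; do
    $SIGNER -P -u3 "$salt" -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1
    # Keep the last pass as the served zone file; earlier passes are
    # fed back in as the input to the next one.
    [ "$salt" = DDDD ] || mv "$zonefile.signed" "$zonefile"
done

#
# A RSASHA256 zone.
#
zone=rsasha256.example.
infile=rsasha256.example.db.in
zonefile=rsasha256.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSASHA256 -b 768 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A RSASHA512 zone.
#
zone=rsasha512.example.
infile=rsasha512.example.db.in
zonefile=rsasha512.example.db

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSASHA512 -b 1024 -n zone "$zone")

cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A zone with the DNSKEY set only signed by the KSK (-x).
#
zone=kskonly.example.
infile=kskonly.example.db.in
zonefile=kskonly.example.db

kskname=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
zskname=$($KEYGEN -q -r "$RANDFILE" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
$SIGNER -x -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A zone with the expired signatures
#
# Inception one day ago, expiry one hour after that, so every RRSIG is
# already expired when the zone is loaded.  The keys are removed afterwards
# so the server cannot simply re-sign.
#
zone=expired.example.
infile=expired.example.db.in
zonefile=expired.example.db

kskname=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
zskname=$($KEYGEN -q -r "$RANDFILE" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
$SIGNER -P -r "$RANDFILE" -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null 2>&1
rm -f "$kskname".* "$zskname".*

#
# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
#
zone=update-nsec3.example.
infile=update-nsec3.example.db.in
zonefile=update-nsec3.example.db

kskname=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
zskname=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
$SIGNER -P -3 - -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A NSEC signed zone that will have auto-dnssec enabled and
# extra keys not in the initial signed zone.
#
# Two KSK/ZSK pairs are generated on purpose; only the second pair is
# included in the signed zone, the first pair stays on disk for
# auto-dnssec to pick up later.
#
zone=auto-nsec.example.
infile=auto-nsec.example.db.in
zonefile=auto-nsec.example.db

$KEYGEN -q -r "$RANDFILE" -fk "$zone" > /dev/null
$KEYGEN -q -r "$RANDFILE" "$zone" > /dev/null
kskname=$($KEYGEN -q -r "$RANDFILE" -fk "$zone")
zskname=$($KEYGEN -q -r "$RANDFILE" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A NSEC3 signed zone that will have auto-dnssec enabled and
# extra keys not in the initial signed zone.
#
# Same arrangement as auto-nsec.example: the first key pair is generated
# but not included in the signed zone.
#
zone=auto-nsec3.example.
infile=auto-nsec3.example.db.in
zonefile=auto-nsec3.example.db

$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > /dev/null
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > /dev/null
kskname=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
zskname=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
$SIGNER -P -3 - -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# Secure below cname test zone.
#
zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
keyname=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 1024 -n zone "$zone")
cat "$infile" "$keyname.key" >"$zonefile"
$SIGNER -P -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# Patched TTL test zone.
#
# The signed zone is dumped in full format and every record's TTL ($2)
# is overwritten with 3600 to produce the "patched" copy.
#
zone=ttlpatch.example.
infile=ttlpatch.example.db.in
zonefile=ttlpatch.example.db
signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 768 -n zone "$zone")
cat "$infile" "$keyname.key" >"$zonefile"

$SIGNER -P -r "$RANDFILE" -f "$signedfile" -o "$zone" "$zonefile" > /dev/null 2>&1
$CHECKZONE -D -s full "$zone" "$signedfile" 2> /dev/null | \
    awk '{$2 = "3600"; print}' > "$patchedfile"

#
# Separate DNSSEC records.
#
# The zone file $INCLUDEs the signed file, which the signer (-D) fills
# with only the DNSSEC records; it is created empty first so the include
# resolves during signing.
#
zone=split-dnssec.example.
infile=split-dnssec.example.db.in
zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 768 -n zone "$zone")
cat "$infile" "$keyname.key" >"$zonefile"
printf '$INCLUDE "%s"\n' "$signedfile" >> "$zonefile"
: > "$signedfile"
$SIGNER -P -r "$RANDFILE" -D -o "$zone" "$zonefile" > /dev/null 2>&1

#
# Separate DNSSEC records, smart signing (-S picks keys up from the
# key directory rather than from the zone file).
#
zone=split-smart.example.
infile=split-smart.example.db.in
zonefile=split-smart.example.db
signedfile=split-smart.example.db.signed

keyname=$($KEYGEN -q -r "$RANDFILE" -a RSASHA1 -b 768 -n zone "$zone")
cp "$infile" "$zonefile"
printf '$INCLUDE "%s"\n' "$signedfile" >> "$zonefile"
: > "$signedfile"
$SIGNER -P -S -r "$RANDFILE" -D -o "$zone" "$zonefile" > /dev/null 2>&1

#
# Zone with signatures about to expire, but no private key to replace them
#
# Signatures expire one minute from now; the private halves of both keys
# are moved aside (not deleted) so the server cannot re-sign.
#
zone="expiring.example."
infile="expiring.example.db.in"
zonefile="expiring.example.db"
signedfile="expiring.example.db.signed"
zskname=$($KEYGEN -q -r "$RANDFILE" "$zone")
kskname=$($KEYGEN -q -r "$RANDFILE" -f KSK "$zone")
cp "$infile" "$zonefile"
$SIGNER -S -r "$RANDFILE" -e now+1mi -o "$zone" "$zonefile" > /dev/null 2>&1
mv -f "${zskname}.private" "${zskname}.private.moved"
mv -f "${kskname}.private" "${kskname}.private.moved"

#
# A zone where the signer's name has been forced to uppercase.
#
# The zone is signed to $lower, then dumped and the signer-name field of
# every RRSIG is rewritten to UPPER.EXAMPLE. in the served file.
#
zone="upper.example."
infile="upper.example.db.in"
zonefile="upper.example.db"
lower="upper.example.db.lower"
signedfile="upper.example.db.signed"
zskname=$($KEYGEN -q -r "$RANDFILE" "$zone")
kskname=$($KEYGEN -q -r "$RANDFILE" -f KSK "$zone")
cp "$infile" "$zonefile"
$SIGNER -P -S -r "$RANDFILE" -o "$zone" -f "$lower" "$zonefile" > /dev/null 2>&1
$CHECKZONE -D upper.example "$lower" 2> /dev/null | \
    sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > "$signedfile"

#
# Check that the signer's name is in lower case when zone name is in
# upper case.
#
zone="LOWER.EXAMPLE."
infile="lower.example.db.in"
zonefile="lower.example.db"
signedfile="lower.example.db.signed"
zskname=$($KEYGEN -q -r "$RANDFILE" "$zone")
kskname=$($KEYGEN -q -r "$RANDFILE" -f KSK "$zone")
cp "$infile" "$zonefile"
$SIGNER -P -S -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# Zone with signatures about to expire, and dynamic, but configured
# not to resign with 'auto-resign no;'
#
zone="nosign.example."
infile="nosign.example.db.in"
zonefile="nosign.example.db"
signedfile="nosign.example.db.signed"
zskname=$($KEYGEN -q -r "$RANDFILE" "$zone")
kskname=$($KEYGEN -q -r "$RANDFILE" -f KSK "$zone")
cp "$infile" "$zonefile"
$SIGNER -S -r "$RANDFILE" -e now+1mi -o "$zone" "$zonefile" > /dev/null 2>&1
# preserve a normalized copy of the NS RRSIG for comparison later
# (TTL field blanked, runs of spaces collapsed)
$CHECKZONE -D nosign.example "$signedfile" 2> /dev/null | \
    awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
    sed 's/[ ][ ]*/ /g'> ../nosign.before

#
# An inline signing zone: keys only, the server signs it itself.
#
zone=inline.example.
kskname=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
zskname=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")

#
# publish a new key while deactivating another key at the same time.
#
# Three KSKs: one active now, one published 90s from now and activated an
# hour later, and one that becomes inactive 90s from now.  Smart signing
# (-S) reads the key timing metadata from the key directory, so the
# key names need not be captured.
#
zone=publish-inactive.example
infile=publish-inactive.example.db.in
zonefile=publish-inactive.example.db
now=$(date -u +%Y%m%d%H%M%S)
$KEYGEN -q -r "$RANDFILE" -f KSK "$zone" > /dev/null
$KEYGEN -P "$now+90s" -A "$now+3600s" -q -r "$RANDFILE" -f KSK "$zone" > /dev/null
$KEYGEN -I "$now+90s" -q -r "$RANDFILE" -f KSK "$zone" > /dev/null
$KEYGEN -q -r "$RANDFILE" "$zone" > /dev/null
cp "$infile" "$zonefile"
$SIGNER -S -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1

#
# A zone which will change its sig-validity-interval
# (keys and unsigned zone only; signed by the server).
#
zone=siginterval.example
infile=siginterval.example.db.in
zonefile=siginterval.example.db
kskname=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone")
zskname=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
cp "$infile" "$zonefile"

#
# A zone with future signatures (inception one hour from now).
# The KSK public key is copied out as the trust anchor used by the test.
#
zone=future.example
infile=future.example.db.in
zonefile=future.example.db
kskname=$($KEYGEN -q -r "$RANDFILE" -f KSK "$zone")
zskname=$($KEYGEN -q -r "$RANDFILE" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
$SIGNER -P -s +3600 -r "$RANDFILE" -o "$zone" "$zonefile" > /dev/null 2>&1
cp -f "$kskname.key" trusted-future.key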