1#!/bin/sh -e
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# This Source Code Form is subject to the terms of the Mozilla Public
6# License, v. 2.0. If a copy of the MPL was not distributed with this
7# file, you can obtain one at https://mozilla.org/MPL/2.0/.
8#
9# See the COPYRIGHT file distributed with this work for additional
10# information regarding copyright ownership.
11
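# "-e" on the shebang line only takes effect when the script is executed
# directly; it is lost when the file is run as "sh sign.sh". Request it
# explicitly so a failed command aborts the zone setup in both cases.
set -e

# Location of the shared system-test configuration (provides $KEYGEN,
# $SIGNER, $DSFROMKEY, $SETTIME, $RANDFILE, echo_i/echo_d/cat_d, ...).
SYSTEMTESTTOP=../..
. "${SYSTEMTESTTOP}/conf.sh"

# Name of this system test; read by the helpers sourced from conf.sh.
SYSTESTDIR=autosign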
16
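#######################################
# Print a debug header and dump a tool's captured output through cat_d.
# Used as "cmd > file 2>&1 || dumpit file": when dumpit returns 0 the
# script continues past the failed command even though -e is set.
# Globals:   debug (read) - zone name recorded by setup()
# Arguments: $1 - path of the file to dump (kg.out, s.out, st.out)
# Outputs:   header via echo_d, file contents via cat_d (both from conf.sh)
# Returns:   exit status of cat_d
#######################################
dumpit () {
	echo_d "${debug}: dumping ${1}"
	# Redirect the file into cat_d instead of piping it through cat.
	cat_d < "${1}"
}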
21
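#######################################
# Select the zone the following commands operate on and derive the
# file names they use.
# Globals:   debug, zone, zonefile, infile, n (all written)
# Arguments: $1 - zone name, e.g. secure.example
# Outputs:   one progress line via echo_i (from conf.sh)
# Returns:   0
#######################################
setup () {
	echo_i "setting up zone: $1"
	debug="$1"
	zone="$1"
	zonefile="${zone}.db"
	infile="${zonefile}.in"
	# Zone counter; shell arithmetic instead of forking expr. n is unset
	# before the first call, hence the :-0 default.
	n=$(( ${n:-0} + 1 ))
}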
30
# secure.example: KSK + ZSK (-3 selects an NSEC3-capable algorithm) and
# the zone's DS set. $KEYGEN/$DSFROMKEY/$RANDFILE come from conf.sh and are
# left unquoted as elsewhere in this file.
setup secure.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -3 -q -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
36
37#
38#  NSEC3/NSEC test zone
39#
# secure.nsec3.example: KSK + ZSK; the DS set written here is later
# folded into the parent nsec3.example zone file.
setup secure.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
45
46#
47#  NSEC3/NSEC3 test zone
48#
# nsec3.nsec3.example: KSK + ZSK plus DS set (child of nsec3.example).
setup nsec3.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
54
55#
56#  Jitter/NSEC3 test zone
57#
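# jitter.nsec3.example: unsigned zone padded with 1000 TXT records.
# No keys are generated here (see the note below).
setup jitter.nsec3.example
cp "$infile" "$zonefile"
# Shell arithmetic instead of forking expr per iteration; the loop's
# output is appended to the zone file through a single redirection.
count=1
while [ "$count" -le 1000 ]; do
    echo "label${count} IN TXT label${count}"
    count=$((count + 1))
done >> "$zonefile"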
66# Don't create keys just yet, because the scenario we want to test
67# is an unsigned zone that has a NSEC3PARAM record added with
68# dynamic update before the keys are generated.
69
70#
71#  OPTOUT/NSEC3 test zone
72#
# optout.nsec3.example: KSK + ZSK plus DS set (child of nsec3.example).
setup optout.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
78
79#
# An NSEC3 zone (non-opt-out).
81#
# nsec3.example: the zone file is the input plus every dsset-*.nsec3.example
# produced by the child-zone sections above, so this section must stay
# after them. The glob is intentionally unquoted.
setup nsec3.example
cat "$infile" dsset-*."${zone}${TP}" > "$zonefile"
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
87
88#
89# An NSEC3 zone, with NSEC3 parameters set prior to signing
90#
# autonsec3.example: keys generated with -G (no publish/activate times
# set at generation). Their names are saved under ../ — presumably so a
# later test step can schedule them.
setup autonsec3.example
cat "$infile" > "$zonefile"
ksk=$($KEYGEN -G -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../autoksk.key
zsk=$($KEYGEN -G -q -3 -r $RANDFILE "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../autozsk.key
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
98
99#
100#  OPTOUT/NSEC test zone
101#
# secure.optout.example: KSK + ZSK plus DS set (child of optout.example).
setup secure.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
107
108#
109#  OPTOUT/NSEC3 test zone
110#
# nsec3.optout.example: KSK + ZSK plus DS set (child of optout.example).
setup nsec3.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
116
117#
118#  OPTOUT/OPTOUT test zone
119#
# optout.optout.example: KSK + ZSK plus DS set (child of optout.example).
setup optout.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
125
126#
# An opt-out NSEC3 zone.
128#
# optout.example: input plus the dsset-*.optout.example files written by
# the child-zone sections above (ordering matters; glob left unquoted).
setup optout.example
cat "$infile" dsset-*."${zone}${TP}" > "$zonefile"
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
134
135#
# An RSASHA256 zone.
137#
# rsasha256.example: explicit algorithm and sizes (2048-bit KSK, 1024-bit
# ZSK). NOTE: 1024-bit RSA is below current operational guidance; it is
# only a throwaway test key here.
setup rsasha256.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 1024 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
143
144#
# An RSASHA512 zone.
146#
# rsasha512.example: same layout as rsasha256.example with RSASHA512
# (2048-bit KSK, 1024-bit test-only ZSK).
setup rsasha512.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
152
153#
154# NSEC-only zone.
155#
# nsec.example: keys generated without -3, i.e. the keygen default
# algorithm, for the NSEC-only case.
setup nsec.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
161
162#
163# Signature refresh test zone.  Signatures are set to expire long
164# in the past; they should be updated by autosign.
165#
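# oldsigs.example: padded zone signed with an already-expired validity
# window (-s now-1y -e now-6mo) so autosign has stale signatures to renew.
setup oldsigs.example
cp "$infile" "$zonefile"
# Shell arithmetic instead of forking expr per iteration; the loop's
# output is appended to the zone file through a single redirection.
count=1
while [ "$count" -le 1000 ]; do
    echo "label${count} IN TXT label${count}"
    count=$((count + 1))
done >> "$zonefile"
$KEYGEN -q -r $RANDFILE -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o "$zone" -f "${zonefile}.signed" "$zonefile" > s.out 2>&1 || dumpit s.out
# The signed output replaces the unsigned zone file in place.
mv "${zonefile}.signed" "$zonefile"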
178
179#
180# NSEC3->NSEC transition test zone.
181#
# nsec3-to-nsec.example: signed straight from the input file with NSEC3
# (salt "beef") and opt-out (-A), no separate cp step.
setup nsec3-to-nsec.example
$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out
186
187#
188# secure-to-insecure transition test zone; used to test removal of
189# keys via nsupdate
190#
# secure-to-insecure.example: NSEC-signed from the input file; key names
# are not recorded because removal is driven by nsupdate in the test.
setup secure-to-insecure.example
$KEYGEN -q -r $RANDFILE -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out
195
196#
197# another secure-to-insecure transition test zone; used to test
198# removal of keys on schedule.
199#
# secure-to-insecure2.example: key names are saved to ../del1.key and
# ../del2.key so the scheduled-removal test can find them.
setup secure-to-insecure2.example
ksk=$($KEYGEN -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../del1.key
zsk=$($KEYGEN -q -3 -r $RANDFILE "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../del2.key
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out
206
207#
208# Introducing a pre-published key test.
209#
# prepub.example: deliberately reuses secure-to-insecure2.example's input
# file (overriding the infile that setup derived) and signs from it.
setup prepub.example
infile="secure-to-insecure2.example.db.in"
$KEYGEN -3 -q -r $RANDFILE -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out
215
216#
217# Key TTL tests.
218#
219
220# no default key TTL; DNSKEY should get SOA TTL
# ttl1.example: keys without -L, so no key-specific TTL is recorded.
setup ttl1.example
$KEYGEN -3 -q -r $RANDFILE -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"
225
226# default key TTL should be used
# ttl2.example: both keys carry the same default key TTL (-L 60).
setup ttl2.example
$KEYGEN -3 -q -r $RANDFILE -fk -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"
231
232# mismatched key TTLs, should use shortest
# ttl3.example: KSK TTL 30 vs ZSK TTL 60 to exercise the mismatch case.
setup ttl3.example
$KEYGEN -3 -q -r $RANDFILE -fk -L 30 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"
237
238# existing DNSKEY RRset, should retain TTL
# ttl4.example: the KSK's public key file is concatenated into the zone
# before the ZSK (TTL 180) exists, so the zone starts with a DNSKEY RRset.
# The K<zone>.+*.key glob is intentionally unquoted.
setup ttl4.example
$KEYGEN -3 -q -r $RANDFILE -L 30 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
cat "$infile" "K${zone}".+*.key > "$zonefile"
$KEYGEN -3 -q -r $RANDFILE -L 180 "$zone" > kg.out 2>&1 || dumpit kg.out
243
244#
245# A zone with a DNSKEY RRset that is published before it's activated
246#
# delay.example: keys generated with -G only; no zone file and no DS set
# are produced here. Names are saved for the test under ../delay*.key.
setup delay.example
ksk=$($KEYGEN -G -q -3 -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../delayksk.key
zsk=$($KEYGEN -G -q -3 -r $RANDFILE "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../delayzsk.key
252
253#
254# A zone with signatures that are already expired, and the private ZSK
255# is missing.
256#
# nozsk.example: sign with expired signatures (-e now-1mi), record the
# ZSK name, then delete its private key. NOTE: unlike the other sections
# the ZSK keygen has no "|| dumpit", so a failure there aborts under -e.
setup nozsk.example
$KEYGEN -q -3 -r $RANDFILE -fk "$zone" > kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -q -3 -r $RANDFILE "$zone")
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out 2>&1 || dumpit s.out
echo "$zsk" > ../missingzsk.key
rm -f -- "${zsk}.private"
263
264#
265# A zone with signatures that are already expired, and the private ZSK
266# is inactive.
267#
# inaczsk.example: same as nozsk.example, but the ZSK is kept and marked
# inactive with dnssec-settime (-I now) instead of being deleted.
setup inaczsk.example
$KEYGEN -q -3 -r $RANDFILE -fk "$zone" > kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -q -3 -r $RANDFILE "$zone")
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out 2>&1 || dumpit s.out
echo "$zsk" > ../inactivezsk.key
$SETTIME -I now "$zsk" > st.out 2>&1 || dumpit st.out
274
275#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
277#
# reconf.example: borrows secure.example's input file; keys only, no
# signing and no DS set.
setup reconf.example
cp secure.example.db.in "$zonefile"
$KEYGEN -q -3 -r $RANDFILE -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -3 -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
282
283#
# A zone which generates CDS and CDNSKEY RRsets automatically
285#
# sync.example: the KSK gets a CDS/CDNSKEY publication time (-P sync now);
# its name, prefixed with this server's directory, is saved to ../sync.key.
setup sync.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -3 -q -r $RANDFILE -fk -P sync now "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -3 -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
echo "ns3/${ksk}" > ../sync.key
292
293#
294# A zone that has a published inactive key that is autosigned.
295#
# inacksk2.example: the KSK is published now but only activates in an hour
# (-Pnow -A now+3600); the ZSK has no timing options.
setup inacksk2.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -Pnow -A now+3600 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
301
302#
303# A zone that has a published inactive key that is autosigned.
304#
# inaczsk2.example: mirror of inacksk2.example — here it is the ZSK that
# is published now and activates in an hour (-P now -A now+3600).
setup inaczsk2.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -P now -A now+3600 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
310
311#
#  A zone that starts with an active KSK + ZSK and an inactive ZSK.
313#
# inacksk3.example: three keys — an extra KSK that is published now but
# not active for an hour (-P now -A now+3600 -fk), then the active KSK
# (whose DS set is written) and an active ZSK.
setup inacksk3.example
cp "$infile" "$zonefile"
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -P now -A now+3600 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
320
321#
#  A zone that starts with an active KSK + ZSK and an inactive ZSK.
323#
# inaczsk3.example: active KSK (DS set written) and active ZSK, plus a
# second ZSK published now that only activates in an hour.
setup inaczsk3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -P now -A now+3600 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
330
331#
332# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
333# latter getting deleted during the test.
334#
# delzsk.example: active KSK + ZSK and a second ZSK already inactive for
# a week (-I now-1w); that key's name goes to ../delzsk.key. No DS set.
setup delzsk.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE "$zone" > kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -I now-1w "$zone" 2>kg.out) || dumpit kg.out
echo "$zsk" > ../delzsk.key
341
342#
343#  Check that NSEC3 are correctly signed and returned from below a DNAME
344#
# dname-at-apex-nsec3.example: NSEC3RSASHA1 KSK + ZSK plus DS set.
setup dname-at-apex-nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "${ksk}.key" > "dsset-${zone}${TP}"
350