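#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

#
# Fixture generation for the "autosign" system test (ns3): for each test
# zone, create the zone file and the DNSSEC key material (KSK/ZSK) that
# the named instance will pick up, and write the corresponding dsset-*
# files for the parent zones.
#
# Requires conf.sh (sourced below) to provide KEYGEN, SIGNER, DSFROMKEY,
# SETTIME, RANDFILE, TP and the echo_i/echo_d/cat_d helpers.
#
# The key sizes and algorithms used here (1024-bit RSA ZSKs,
# NSEC3RSASHA1, ...) and the shared RANDFILE random source are test
# fixtures only; they are not a template for production key parameters.
#

# -e lives in "set" rather than the shebang so it also applies when the
# script is run as "sh sign.sh" instead of being executed directly.
set -e

SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

SYSTESTDIR=autosign

# Tool variables ($KEYGEN, $SIGNER, $DSFROMKEY, $SETTIME) are deliberately
# left unquoted: conf.sh defines them and they may carry arguments.

#
# Report the contents of a tool's captured output file through the debug
# channel (echo_d/cat_d come from conf.sh).
# Globals:   debug (read; set by setup)
# Arguments: $1 - file to dump
# Returns:   status of cat_d
#
dumpit () {
  echo_d "${debug}: dumping ${1}"
  cat_d < "${1}"
}

#
# Select the zone the following commands operate on.
# Globals:   debug, zone, zonefile, infile (written); n (incremented)
# Arguments: $1 - zone name
#
setup () {
  echo_i "setting up zone: $1"
  debug="$1"
  zone="$1"
  zonefile="${zone}.db"
  infile="${zonefile}.in"
  n=$(( ${n:-0} + 1 ))
}

#
# Append 1000 "labelN IN TXT labelN" records to the current zone file.
# Globals:   zonefile (read), count (written)
#
add_txt_labels () {
  count=1
  while [ "$count" -le 1000 ]; do
    echo "label${count} IN TXT label${count}"
    count=$(( count + 1 ))
  done >> "$zonefile"
}

setup secure.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# NSEC3/NSEC test zone
#
setup secure.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# NSEC3/NSEC3 test zone
#
setup nsec3.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# Jitter/NSEC3 test zone
#
setup jitter.nsec3.example
cp "$infile" "$zonefile"
add_txt_labels
# Don't create keys just yet, because the scenario we want to test
# is an unsigned zone that has a NSEC3PARAM record added with
# dynamic update before the keys are generated.

#
# OPTOUT/NSEC3 test zone
#
setup optout.nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# A nsec3 zone (non-optout).
#
setup nsec3.example
# The glob pulls in the dsset files of the child zones created above.
cat "$infile" dsset-*."${zone}${TP}" > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
setup autonsec3.example
cat "$infile" > "$zonefile"
# -G: generate the keys but do not publish/activate them yet; the key
# names are handed to the test driver via ../auto*.key.
ksk=$($KEYGEN -G -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../autoksk.key
zsk=$($KEYGEN -G -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../autozsk.key
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# OPTOUT/NSEC test zone
#
setup secure.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# OPTOUT/NSEC3 test zone
#
setup nsec3.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# OPTOUT/OPTOUT test zone
#
setup optout.optout.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# A optout nsec3 zone.
#
setup optout.example
cat "$infile" dsset-*."${zone}${TP}" > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# A RSASHA256 zone.
#
setup rsasha256.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# A RSASHA512 zone.
#
setup rsasha512.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# NSEC-only zone.
#
setup nsec.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# Signature refresh test zone. Signatures are set to expire long
# in the past; they should be updated by autosign.
#
setup oldsigs.example
cp "$infile" "$zonefile"
add_txt_labels
$KEYGEN -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o "$zone" -f "$zonefile.signed" "$zonefile" > s.out 2>&1 || dumpit s.out
mv "$zonefile.signed" "$zonefile"

#
# NSEC3->NSEC transition test zone.
#
setup nsec3-to-nsec.example
$KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate
#
setup secure-to-insecure.example
$KEYGEN -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.
#
setup secure-to-insecure2.example
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../del1.key
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../del2.key
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# Introducing a pre-published key test.
#
setup prepub.example
# This zone is signed from the secure-to-insecure2 input file, not its own.
infile="secure-to-insecure2.example.db.in"
$KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out

#
# Key TTL tests.
#

# no default key TTL; DNSKEY should get SOA TTL
setup ttl1.example
$KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# default key TTL should be used
setup ttl2.example
$KEYGEN -3 -q -r "$RANDFILE" -fk -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# mismatched key TTLs, should use shortest
setup ttl3.example
$KEYGEN -3 -q -r "$RANDFILE" -fk -L 30 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# existing DNSKEY RRset, should retain TTL
setup ttl4.example
$KEYGEN -3 -q -r "$RANDFILE" -L 30 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# The KSK's public key file is embedded in the zone file before the ZSK exists.
cat "${infile}" K"${zone}".+*.key > "$zonefile"
$KEYGEN -3 -q -r "$RANDFILE" -L 180 "$zone" > kg.out 2>&1 || dumpit kg.out

#
# A zone with a DNSKEY RRset that is published before it's activated
#
setup delay.example
ksk=$($KEYGEN -G -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../delayksk.key
zsk=$($KEYGEN -G -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../delayzsk.key

#
# A zone with signatures that are already expired, and the private ZSK
# is missing.
#
setup nozsk.example
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# Capture keygen's diagnostics like the other zones do, so a failure here
# is reported rather than lost.
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out 2>&1 || dumpit s.out
echo "$zsk" > ../missingzsk.key
# Sign first, then drop the private half so only the public ZSK remains.
rm -f "${zsk}.private"

#
# A zone with signatures that are already expired, and the private ZSK
# is inactive.
#
setup inaczsk.example
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out 2>&1 || dumpit s.out
echo "$zsk" > ../inactivezsk.key
$SETTIME -I now "$zsk" > st.out 2>&1 || dumpit st.out

#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
#
setup reconf.example
cp secure.example.db.in "$zonefile"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out

#
# A zone which generates a CDS and CDNSKEY RRsets automatically
#
setup sync.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -3 -q -r "$RANDFILE" -fk -P sync now "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"
echo "ns3/$ksk" > ../sync.key

#
# A zone that has a published inactive KSK that is autosigned.
#
setup inacksk2.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -P now -A now+3600 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# A zone that has a published inactive ZSK that is autosigned.
#
setup inaczsk2.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -P now -A now+3600 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# A zone that starts with an active KSK + ZSK and an inactive KSK.
#
setup inacksk3.example
cp "$infile" "$zonefile"
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -P now -A now+3600 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# A zone that starts with an active KSK + ZSK and an inactive ZSK.
#
setup inaczsk3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -P now -A now+3600 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"

#
# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
# latter getting deleted during the test.
#
setup delzsk.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
zsk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -I now-1w "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../delzsk.key

#
# Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 1024 -3 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" -a NSEC3RSASHA1 -b 1024 -3 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}${TP}"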