diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 18:37:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 18:37:14 +0000 |
| commit | ea648e70a989cca190cd7403fe892fd2dcc290b4 (patch) | |
| tree | e2b6b1c647da68b0d4d66082835e256eb30970e8 /bin/tests/system/dnssec/ns2/sign.sh | |
| parent | Initial commit. (diff) | |
| download | bind9-ea648e70a989cca190cd7403fe892fd2dcc290b4.tar.xz bind9-ea648e70a989cca190cd7403fe892fd2dcc290b4.zip | |
Adding upstream version 1:9.11.5.P4+dfsg.upstream/1%9.11.5.P4+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/dnssec/ns2/sign.sh')
| -rw-r--r-- | bin/tests/system/dnssec/ns2/sign.sh | 239 |
1 files changed, 239 insertions, 0 deletions
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh new file mode 100644 index 0000000..9078459 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -0,0 +1,239 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=example. +infile=example.db.in +zonefile=example.db + +# Have the child generate a zone key and pass it to us. + +( cd ../ns3 && $SHELL sign.sh ) + +for subdomain in secure badds bogus dynamic keyless nsec3 optout \ + nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ + kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ + ttlpatch split-dnssec split-smart expired expiring upper lower \ + dnskey-unknown dnskey-nsec3-unknown managed-future revkey +do + cp ../ns3/dsset-$subdomain.example$TP . +done + +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +# +# lower/uppercase the signature bits with the exception of the last characters +# changing the last 4 characters will lead to a bad base64 encoding. +# +$CHECKZONE -D -q -i local $zone $zonefile.signed | +awk ' +tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" { + for (i = 1; i <= NF; i++ ) { + if (i <= 12) { + printf("%s ", $i); + continue; + } + prefix = substr($i, 1, length($i) - 4); + suffix = substr($i, length($i) - 4, 4); + if (i > 12 && tolower(prefix) != prefix) + printf("%s%s", tolower(prefix), suffix); + else if (i > 12 && toupper(prefix) != prefix) + printf("%s%s", toupper(prefix), suffix); + else + printf("%s%s ", prefix, suffix); + } + printf("\n"); + next; +} + +tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" { + for (i = 1; i <= NF; i++ ) { + if (i <= 12) { + printf("%s ", $i); + continue; + } + prefix = substr($i, 1, length($i) - 4); + suffix = substr($i, length($i) - 4, 4); + if (i > 12 && tolower(prefix) != prefix) + printf("%s%s", tolower(prefix), suffix); + else if (i > 12 && toupper(prefix) != prefix) + printf("%s%s", toupper(prefix), suffix); + else + printf("%s%s ", prefix, suffix); + } + printf("\n"); + next; +} + +{ print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed + +# +# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. +# +zone=in-addr.arpa. +infile=in-addr.arpa.db.in +zonefile=in-addr.arpa.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +# Sign the privately secure file + +privzone=private.secure.example. +privinfile=private.secure.example.db.in +privzonefile=private.secure.example.db + +privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone` + +cat $privinfile $privkeyname.key >$privzonefile + +$SIGNER -P -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null + +# Sign the DLV secure zone. + + +dlvzone=dlv. +dlvinfile=dlv.db.in +dlvzonefile=dlv.db +dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP + +dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` + +cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile + +$SIGNER -P -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null + +# Sign the badparam secure file + +zone=badparam. +infile=badparam.db.in +zonefile=badparam.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -3 - -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' $zonefile.signed > $zonefile.bad + +# Sign the single-nsec3 secure zone with optout + +zone=single-nsec3. +infile=single-nsec3.db.in +zonefile=single-nsec3.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +# +# algroll has just has the old DNSKEY records removed and is waiting +# for them to be flushed from caches. We still need to generate +# RRSIGs for the old DNSKEY. +# +zone=algroll. +infile=algroll.db.in +zonefile=algroll.db + +keyold1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +keyold2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +keynew1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone` +keynew2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` + +cat $infile $keynew1.key $keynew2.key >$zonefile + +$SIGNER -P -r $RANDFILE -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null + +# +# Make a zone big enough that it takes several seconds to generate a new +# nsec3 chain. +# +zone=nsec3chain-test +zonefile=nsec3chain-test.db +cat > $zonefile << 'EOF' +$TTL 10 +@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200 +@ 10 NS ns2 +@ 10 NS ns3 +ns2 10 A 10.53.0.2 +ns3 10 A 10.53.0.3 +EOF +awk 'END { for (i = 0; i < 300; i++) + print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> $zonefile +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` +cat $key1.key $key2.key >> $zonefile +$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $key1 $zonefile $key2 > /dev/null + +zone=cds.secure +infile=cds.secure.db.in +zonefile=cds.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +$DSFROMKEY -C $key1.key > $key1.cds +cat $infile $key1.key $key2.key $key1.cds >$zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +zone=cds-update.secure +infile=cds-update.secure.db.in +zonefile=cds-update.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +cat $infile $key1.key $key2.key > $zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +zone=cds-auto.secure +infile=cds-auto.secure.db.in +zonefile=cds-auto.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +$DSFROMKEY -C $key1.key > $key1.cds +cat $infile $key1.cds > $zonefile.signed + +zone=cdnskey.secure +infile=cdnskey.secure.db.in +zonefile=cdnskey.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds +cat $infile $key1.key $key2.key $key1.cds >$zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +zone=cdnskey-update.secure +infile=cdnskey-update.secure.db.in +zonefile=cdnskey-update.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +cat $infile $key1.key $key2.key > $zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +zone=cdnskey-auto.secure +infile=cdnskey-auto.secure.db.in +zonefile=cdnskey-auto.secure.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds +cat $infile $key1.cds > $zonefile.signed |