summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/dnssec/ns3/sign.sh
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 16:41:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 16:41:29 +0000
commite2fc8e037ea6bb5de92b25ec9c12a624737ac5ca (patch)
tree65e6bbf5e12c3fe09b43e577f8d1786d06bcd559 /bin/tests/system/dnssec/ns3/sign.sh
parentReleasing progress-linux version 1:9.18.19-1~deb12u1progress7u1. (diff)
downloadbind9-e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca.tar.xz
bind9-e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca.zip
Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/dnssec/ns3/sign.sh')
-rw-r--r--bin/tests/system/dnssec/ns3/sign.sh325
1 files changed, 163 insertions, 162 deletions
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index f56edb2..14fc709 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -19,61 +19,60 @@ set -e
echo_i "ns3/sign.sh"
infile=key.db.in
-for tld in managed trusted
-do
- # A secure zone to test.
- zone=secure.${tld}
- zonefile=${zone}.db
-
- keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
- cat "$infile" "$keyname1.key" > "$zonefile"
- "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
-
- # Zone to test trust anchor that matches disabled algorithm.
- zone=disabled.${tld}
- zonefile=${zone}.db
-
- keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
- cat "$infile" "$keyname2.key" > "$zonefile"
- "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
-
- # Zone to test trust anchor that has disabled algorithm for other domain.
- zone=enabled.${tld}
- zonefile=${zone}.db
-
- keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
- cat "$infile" "$keyname3.key" > "$zonefile"
- "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
-
- # Zone to test trust anchor with unsupported algorithm.
- zone=unsupported.${tld}
- zonefile=${zone}.db
-
- keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
- cat "$infile" "$keyname4.key" > "$zonefile"
- "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
- awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
-
- # Make trusted-keys and managed keys conf sections for ns8.
- mv ${keyname4}.key ${keyname4}.tmp
- awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key
-
- # Zone to test trust anchor that is revoked.
- zone=revoked.${tld}
- zonefile=${zone}.db
-
- keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
- cat "$infile" "$keyname5.key" > "$zonefile"
- "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
-
- case $tld in
- "managed")
- keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf
- ;;
- "trusted")
- keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf
- ;;
- esac
+for tld in managed trusted; do
+ # A secure zone to test.
+ zone=secure.${tld}
+ zonefile=${zone}.db
+
+ keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ cat "$infile" "$keyname1.key" >"$zonefile"
+ "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
+
+ # Zone to test trust anchor that matches disabled algorithm.
+ zone=disabled.${tld}
+ zonefile=${zone}.db
+
+ keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
+ cat "$infile" "$keyname2.key" >"$zonefile"
+ "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
+
+ # Zone to test trust anchor that has disabled algorithm for other domain.
+ zone=enabled.${tld}
+ zonefile=${zone}.db
+
+ keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
+ cat "$infile" "$keyname3.key" >"$zonefile"
+ "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
+
+ # Zone to test trust anchor with unsupported algorithm.
+ zone=unsupported.${tld}
+ zonefile=${zone}.db
+
+ keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ cat "$infile" "$keyname4.key" >"$zonefile"
+ "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
+ awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
+
+ # Make trusted-keys and managed keys conf sections for ns8.
+ mv ${keyname4}.key ${keyname4}.tmp
+ awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key
+
+ # Zone to test trust anchor that is revoked.
+ zone=revoked.${tld}
+ zonefile=${zone}.db
+
+ keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ cat "$infile" "$keyname5.key" >"$zonefile"
+ "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
+
+ case $tld in
+ "managed")
+ keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf
+ ;;
+ "trusted")
+ keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf
+ ;;
+ esac
done
echo_i "ns3/sign.sh: example zones"
@@ -86,9 +85,11 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n
dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
+cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
zone=bogus.example.
infile=bogus.example.db.in
@@ -96,9 +97,9 @@ zonefile=bogus.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
zone=dynamic.example.
infile=dynamic.example.db.in
@@ -107,9 +108,9 @@ zonefile=dynamic.example.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -o "$zone" "$zonefile" >/dev/null
zone=keyless.example.
infile=generic.example.db.in
@@ -117,16 +118,16 @@ zonefile=keyless.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
# Change the signer field of the a.b.keyless.example RRSIG A
# to point to a provably nonexistent DNSKEY record.
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
mv "$zonefile.signed" "$zonefiletmp"
-<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/
- if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed"
+"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/
+ if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed"
rm -f "$zonefiletmp"
#
@@ -138,9 +139,9 @@ zonefile=secure.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
#
# NSEC3/NSEC3 test zone
@@ -151,9 +152,9 @@ zonefile=nsec3.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC3 test zone
@@ -164,9 +165,9 @@ zonefile=optout.nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A nsec3 zone (non-optout).
@@ -177,9 +178,9 @@ zonefile=nsec3.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC test zone
@@ -190,9 +191,9 @@ zonefile=secure.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/NSEC3 test zone
@@ -203,9 +204,9 @@ zonefile=nsec3.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null
#
# OPTOUT/OPTOUT test zone
@@ -216,9 +217,9 @@ zonefile=optout.optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A optout nsec3 zone.
@@ -229,9 +230,9 @@ zonefile=optout.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" >/dev/null
#
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
@@ -242,9 +243,9 @@ zonefile=nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" >/dev/null
#
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
@@ -255,9 +256,9 @@ zonefile=optout-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" >/dev/null
#
# A zone that is signed with an unknown DNSKEY algorithm.
@@ -269,14 +270,14 @@ zonefile=dnskey-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
-awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
+awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
-$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone that is signed with an unsupported DNSKEY algorithm (3).
@@ -288,14 +289,14 @@ zonefile=dnskey-unsupported.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
-awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
+awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
-$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A zone with a published unsupported DNSKEY algorithm (Reserved).
@@ -308,9 +309,9 @@ zonefile=dnskey-unsupported-2.example.db
ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
+cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"
-"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
+"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
@@ -322,14 +323,14 @@ zonefile=dnskey-nsec3-unknown.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
-awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed
DSFILE="dsset-${zone}."
-$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"
#
# A multiple parameter nsec3 zone.
@@ -340,20 +341,20 @@ zonefile=multiple.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC
-"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3
-"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null
-cat NSEC NSEC3 >> "$zonefile".signed
+"$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC
+"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3
+"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null
+cat NSEC NSEC3 >>"$zonefile".signed
#
# A RSASHA256 zone.
@@ -364,9 +365,9 @@ zonefile=rsasha256.example.db
keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A RSASHA512 zone.
@@ -377,9 +378,9 @@ zonefile=rsasha512.example.db
keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A zone with the DNSKEY set only signed by the KSK
@@ -390,8 +391,8 @@ zonefile=kskonly.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null
#
# A zone with the expired signatures
@@ -402,8 +403,8 @@ zonefile=expired.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null
rm -f "$kskname.*" "$zskname.*"
#
@@ -415,8 +416,8 @@ zonefile=update-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# A NSEC signed zone that will have auto-dnssec enabled and
@@ -430,8 +431,8 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# A NSEC3 signed zone that will have auto-dnssec enabled and
@@ -445,8 +446,8 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone"
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# Secure below cname test zone.
@@ -455,8 +456,8 @@ zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$keyname.key" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Patched TTL test zone.
@@ -468,11 +469,11 @@ signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null
-$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \
- awk '{$2 = "3600"; print}' > $patchedfile
+"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null
+$CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \
+ | awk '{$2 = "3600"; print}' >$patchedfile
#
# Separate DNSSEC records.
@@ -483,10 +484,10 @@ zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
-echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
-: > "$signedfile"
-"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$keyname.key" >"$zonefile"
+echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
+: >"$signedfile"
+"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
#
# Separate DNSSEC records smart signing.
@@ -499,9 +500,9 @@ signedfile=split-smart.example.db.signed
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cp "$infile" "$zonefile"
# shellcheck disable=SC2016
-echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
-: > "$signedfile"
-"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
+echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
+: >"$signedfile"
+"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null
#
# Zone with signatures about to expire, but no private key to replace them
@@ -513,7 +514,7 @@ signedfile="expiring.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
-"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null
mv -f "${zskname}.private" "${zskname}.private.moved"
mv -f "${kskname}.private" "${kskname}.private.moved"
@@ -528,9 +529,9 @@ signedfile="upper.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
-"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null
-$CHECKZONE -D upper.example $lower 2>/dev/null | \
- sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
+"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null
+$CHECKZONE -D upper.example $lower 2>/dev/null \
+ | sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile
#
# Check that the signer's name is in lower case when zone name is in
@@ -543,7 +544,7 @@ signedfile="lower.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
-"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null
#
# Zone with signatures about to expire, and dynamic, but configured
@@ -556,11 +557,11 @@ signedfile="nosign.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
-"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" >/dev/null
# preserve a normalized copy of the NS RRSIG for comparison later
-$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
- awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
- sed 's/[ ][ ]*/ /g'> ../nosign.before
+$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null \
+ | awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' \
+ | sed 's/[ ][ ]*/ /g' >../nosign.before
#
# An inline signing zone
@@ -581,7 +582,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b
kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cp "$infile" "$zonefile"
-"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -S -o "$zone" "$zonefile" >/dev/null
#
# A zone which will change its sig-validity-interval
@@ -603,10 +604,10 @@ zonefile=badds.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
-sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example.
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
+sed -e 's/bogus/badds/g' <dsset-bogus.example. >dsset-badds.example.
#
# A zone with future signatures.
@@ -616,8 +617,8 @@ infile=future.example.db.in
zonefile=future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
cp -f "$kskname.key" trusted-future.key
#
@@ -628,8 +629,8 @@ infile=managed-future.example.db.in
zonefile=managed-future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
#
# A zone with a revoked key
@@ -643,8 +644,8 @@ ksk1=$("$REVOKE" "$ksk1")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
-cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
@@ -656,7 +657,7 @@ zonefile=dname-at-apex-nsec3.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
-"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
#
# A NSEC zone with occuded data at the delegation
@@ -668,7 +669,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
-$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}."
+$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
- "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+ "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-19 14:24:47 +0000