Diffstat (limited to 'bin/tests/system/dnssec/ns2/sign.sh')
-rw-r--r--bin/tests/system/dnssec/ns2/sign.sh144
1 files changed, 71 insertions, 73 deletions
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 47248a4..05e8293 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -17,15 +17,14 @@
set -e
# Sign child zones (served by ns3).
-( cd ../ns3 && $SHELL sign.sh )
+(cd ../ns3 && $SHELL sign.sh)
echo_i "ns2/sign.sh"
# Get the DS records for the "trusted." and "managed." zones.
-for subdomain in secure unsupported disabled enabled
-do
- cp "../ns3/dsset-$subdomain.managed." .
- cp "../ns3/dsset-$subdomain.trusted." .
+for subdomain in secure unsupported disabled enabled; do
+ cp "../ns3/dsset-$subdomain.managed." .
+ cp "../ns3/dsset-$subdomain.trusted." .
done
# Sign the "trusted." and "managed." zones.
@@ -36,9 +35,9 @@ zonefile=managed.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
zone=trusted.
infile=key.db.in
@@ -47,9 +46,9 @@ zonefile=trusted.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
# The "example." zone.
zone=example.
@@ -58,23 +57,22 @@ zonefile=example.db
# Get the DS records for the "example." zone.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
- nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
- kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
- ttlpatch split-dnssec split-smart expired expiring upper lower \
- dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
- dnskey-nsec3-unknown managed-future revkey \
- dname-at-apex-nsec3 occluded
-do
- cp "../ns3/dsset-$subdomain.example." .
+ nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
+ kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
+ ttlpatch split-dnssec split-smart expired expiring upper lower \
+ dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
+ dnskey-nsec3-unknown managed-future revkey \
+ dname-at-apex-nsec3 occluded; do
+ cp "../ns3/dsset-$subdomain.example." .
done
# Sign the "example." zone.
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
#
# lower/uppercase the signature bits with the exception of the last characters
@@ -82,8 +80,8 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
#
zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
-"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" |
-awk '
+"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
+ | awk '
tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
for (i = 1; i <= NF; i++ ) {
if (i <= 12) {
@@ -122,7 +120,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
next;
}
-{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
+{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
@@ -134,8 +132,8 @@ zonefile=in-addr.arpa.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
# Sign the badparam secure file
@@ -146,11 +144,11 @@ zonefile=badparam.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
-sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
+sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad"
# Sign the single-nsec3 secure zone with optout
@@ -161,9 +159,9 @@ zonefile=single-nsec3.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
-"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1
#
# algroll has just has the old DNSKEY records removed and is waiting
@@ -179,9 +177,9 @@ keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zon
keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
+cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile"
-"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
+"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1
#
# Make a zone big enough that it takes several seconds to generate a new
@@ -189,7 +187,7 @@ cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db
-cat > "$zonefile" << EOF
+cat >"$zonefile" <<EOF
\$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@@ -199,22 +197,22 @@ ns3 10 A 10.53.0.3
EOF
i=1
while [ $i -le 300 ]; do
- echo "host$i 10 IN NS ns.elsewhere"
- i=$((i+1))
-done >> "$zonefile"
+ echo "host$i 10 IN NS ns.elsewhere"
+ i=$((i + 1))
+done >>"$zonefile"
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$key1.key" "$key2.key" >> "$zonefile"
-"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
+cat "$key1.key" "$key2.key" >>"$zonefile"
+"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
+"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-x.secure
infile=cds.secure.db.in
@@ -222,43 +220,43 @@ zonefile=cds-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
-cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
-"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+"$DSFROMKEY" -C "$key2.key" >"$key2.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile"
+"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
-keyfile_to_key_id "$key1" > cds-kskonly.secure.id
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+keyfile_to_key_id "$key1" >cds-kskonly.secure.id
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-$SETTIME -P sync now "$key1" > /dev/null
-cat "$infile" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" >/dev/null
+cat "$infile" >"$zonefile.signed"
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
@@ -266,34 +264,34 @@ zonefile=cdnskey-x.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
-"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile"
+"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
-keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-$SETTIME -P sync now "$key1" > /dev/null
-cat "$infile" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" >/dev/null
+cat "$infile" >"$zonefile.signed"
zone=updatecheck-kskonly.secure
infile=template.secure.db.in
@@ -301,14 +299,14 @@ zonefile=${zone}.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
# Save key id's for checking active key usage
-keyfile_to_key_id "$key1" > $zone.ksk.id
-keyfile_to_key_id "$key2" > $zone.zsk.id
-echo "${key1}" > $zone.ksk.key
-echo "${key2}" > $zone.zsk.key
+keyfile_to_key_id "$key1" >$zone.ksk.id
+keyfile_to_key_id "$key2" >$zone.zsk.id
+echo "${key1}" >$zone.ksk.key
+echo "${key2}" >$zone.zsk.key
# Add CDS and CDNSKEY records
-sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
-"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey"
+"$DSFROMKEY" -C "$key1.key" >"$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile"
# Don't sign, let auto-dnssec maintain do it.
mv $zonefile "$zonefile.signed"
@@ -317,8 +315,8 @@ infile=hours-vs-days.db.in
zonefile=hours-vs-days.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-$SETTIME -P sync now "$key1" > /dev/null
-cat "$infile" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" >/dev/null
+cat "$infile" >"$zonefile.signed"
#
# Negative result from this zone should come back as insecure.
@@ -328,5 +326,5 @@ infile=too-many-iterations.db.in
zonefile=too-many-iterations.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1