| version 1.1.1.1.2.1, 2018/08/12 12:07:33 |
version 1.1.1.1.2.2, 2018/09/06 06:54:12 |
|
|
| |
#!/bin/sh -e |
| |
# |
| |
# Copyright (C) Internet Systems Consortium, Inc. ("ISC") |
| |
# |
| |
# This Source Code Form is subject to the terms of the Mozilla Public |
| |
# License, v. 2.0. If a copy of the MPL was not distributed with this |
| |
# file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| |
# |
| |
# See the COPYRIGHT file distributed with this work for additional |
| |
# information regarding copyright ownership. |
| |
|
| |
SYSTEMTESTTOP=../.. |
| |
. $SYSTEMTESTTOP/conf.sh |
| |
|
| |
zone=secure.example. |
| |
infile=secure.example.db.in |
| |
zonefile=secure.example.db |
| |
|
| |
cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host cnameandkey.$zone` |
| |
dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host dnameandkey.$zone` |
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
zone=bogus.example. |
| |
infile=bogus.example.db.in |
| |
zonefile=bogus.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
zone=dynamic.example. |
| |
infile=dynamic.example.db.in |
| |
zonefile=dynamic.example.db |
| |
|
| |
keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone` |
| |
keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` |
| |
|
| |
cat $infile $keyname1.key $keyname2.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
zone=keyless.example. |
| |
infile=generic.example.db.in |
| |
zonefile=keyless.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# Change the signer field of the a.b.keyless.example SIG A |
| |
# to point to a provably nonexistent KEY record. |
| |
mv $zonefile.signed $zonefile.tmp |
| |
<$zonefile.tmp $PERL -p -e 's/ keyless.example/ b.keyless.example/ |
| |
if /^a.b.keyless.example/../NXT/;' >$zonefile.signed |
| |
rm -f $zonefile.tmp |
| |
|
| |
# |
| |
# NSEC3/NSEC test zone |
| |
# |
| |
zone=secure.nsec3.example. |
| |
infile=secure.nsec3.example.db.in |
| |
zonefile=secure.nsec3.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# NSEC3/NSEC3 test zone |
| |
# |
| |
zone=nsec3.nsec3.example. |
| |
infile=nsec3.nsec3.example.db.in |
| |
zonefile=nsec3.nsec3.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# OPTOUT/NSEC3 test zone |
| |
# |
| |
zone=optout.nsec3.example. |
| |
infile=optout.nsec3.example.db.in |
| |
zonefile=optout.nsec3.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A nsec3 zone (non-optout). |
| |
# |
| |
zone=nsec3.example. |
| |
infile=nsec3.example.db.in |
| |
zonefile=nsec3.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# OPTOUT/NSEC test zone |
| |
# |
| |
zone=secure.optout.example. |
| |
infile=secure.optout.example.db.in |
| |
zonefile=secure.optout.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# OPTOUT/NSEC3 test zone |
| |
# |
| |
zone=nsec3.optout.example. |
| |
infile=nsec3.optout.example.db.in |
| |
zonefile=nsec3.optout.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# OPTOUT/OPTOUT test zone |
| |
# |
| |
zone=optout.optout.example. |
| |
infile=optout.optout.example.db.in |
| |
zonefile=optout.optout.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A optout nsec3 zone. |
| |
# |
| |
zone=optout.example. |
| |
infile=optout.example.db.in |
| |
zonefile=optout.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). |
| |
# |
| |
zone=nsec3-unknown.example. |
| |
infile=nsec3-unknown.example.db.in |
| |
zonefile=nsec3-unknown.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). |
| |
# |
| |
zone=optout-unknown.example. |
| |
infile=optout-unknown.example.db.in |
| |
zonefile=optout-unknown.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A zone with a unknown DNSKEY algorithm. |
| |
# Algorithm 7 is replaced by 100 in the zone and dsset. |
| |
# |
| |
zone=dnskey-unknown.example. |
| |
infile=dnskey-unknown.example.db.in |
| |
zonefile=dnskey-unknown.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 |
| |
|
| |
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed |
| |
|
| |
DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP |
| |
$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE |
| |
|
| |
# |
| |
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). |
| |
# Algorithm 7 is replaced by 100 in the zone and dsset. |
| |
# |
| |
zone=dnskey-nsec3-unknown.example. |
| |
infile=dnskey-nsec3-unknown.example.db.in |
| |
zonefile=dnskey-nsec3-unknown.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -3 - -r $RANDFILE -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 |
| |
|
| |
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed |
| |
|
| |
DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP |
| |
$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE |
| |
|
| |
# |
| |
# A multiple parameter nsec3 zone. |
| |
# |
| |
zone=multiple.example. |
| |
infile=multiple.example.db.in |
| |
zonefile=multiple.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
mv $zonefile.signed $zonefile |
| |
$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
mv $zonefile.signed $zonefile |
| |
$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
mv $zonefile.signed $zonefile |
| |
$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
mv $zonefile.signed $zonefile |
| |
$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
mv $zonefile.signed $zonefile |
| |
$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A RSASHA256 zone. |
| |
# |
| |
zone=rsasha256.example. |
| |
infile=rsasha256.example.db.in |
| |
zonefile=rsasha256.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A RSASHA512 zone. |
| |
# |
| |
zone=rsasha512.example. |
| |
infile=rsasha512.example.db.in |
| |
zonefile=rsasha512.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A zone with the DNSKEY set only signed by the KSK |
| |
# |
| |
zone=kskonly.example. |
| |
infile=kskonly.example.db.in |
| |
zonefile=kskonly.example.db |
| |
|
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
cat $infile $kskname.key $zskname.key >$zonefile |
| |
$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A zone with the expired signatures |
| |
# |
| |
zone=expired.example. |
| |
infile=expired.example.db.in |
| |
zonefile=expired.example.db |
| |
|
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
cat $infile $kskname.key $zskname.key >$zonefile |
| |
$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1 |
| |
rm -f $kskname.* $zskname.* |
| |
|
| |
# |
| |
# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE. |
| |
# |
| |
zone=update-nsec3.example. |
| |
infile=update-nsec3.example.db.in |
| |
zonefile=update-nsec3.example.db |
| |
|
| |
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` |
| |
cat $infile $kskname.key $zskname.key >$zonefile |
| |
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A NSEC signed zone that will have auto-dnssec enabled and |
| |
# extra keys not in the initial signed zone. |
| |
# |
| |
zone=auto-nsec.example. |
| |
infile=auto-nsec.example.db.in |
| |
zonefile=auto-nsec.example.db |
| |
|
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
cat $infile $kskname.key $zskname.key >$zonefile |
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A NSEC3 signed zone that will have auto-dnssec enabled and |
| |
# extra keys not in the initial signed zone. |
| |
# |
| |
zone=auto-nsec3.example. |
| |
infile=auto-nsec3.example.db.in |
| |
zonefile=auto-nsec3.example.db |
| |
|
| |
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` |
| |
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` |
| |
cat $infile $kskname.key $zskname.key >$zonefile |
| |
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# Secure below cname test zone. |
| |
# |
| |
zone=secure.below-cname.example. |
| |
infile=secure.below-cname.example.db.in |
| |
zonefile=secure.below-cname.example.db |
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` |
| |
cat $infile $keyname.key >$zonefile |
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# Patched TTL test zone. |
| |
# |
| |
zone=ttlpatch.example. |
| |
infile=ttlpatch.example.db.in |
| |
zonefile=ttlpatch.example.db |
| |
signedfile=ttlpatch.example.db.signed |
| |
patchedfile=ttlpatch.example.db.patched |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` |
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1 |
| |
$CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \ |
| |
awk '{$2 = "3600"; print}' > $patchedfile |
| |
|
| |
# |
| |
# Seperate DNSSEC records. |
| |
# |
| |
zone=split-dnssec.example. |
| |
infile=split-dnssec.example.db.in |
| |
zonefile=split-dnssec.example.db |
| |
signedfile=split-dnssec.example.db.signed |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` |
| |
cat $infile $keyname.key >$zonefile |
| |
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile |
| |
: > $signedfile |
| |
$SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# Seperate DNSSEC records smart signing. |
| |
# |
| |
zone=split-smart.example. |
| |
infile=split-smart.example.db.in |
| |
zonefile=split-smart.example.db |
| |
signedfile=split-smart.example.db.signed |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` |
| |
cp $infile $zonefile |
| |
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile |
| |
: > $signedfile |
| |
$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# Zone with signatures about to expire, but no private key to replace them |
| |
# |
| |
zone="expiring.example." |
| |
infile="expiring.example.db.in" |
| |
zonefile="expiring.example.db" |
| |
signedfile="expiring.example.db.signed" |
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
cp $infile $zonefile |
| |
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 |
| |
mv -f ${zskname}.private ${zskname}.private.moved |
| |
mv -f ${kskname}.private ${kskname}.private.moved |
| |
|
| |
# |
| |
# A zone where the signer's name has been forced to uppercase. |
| |
# |
| |
zone="upper.example." |
| |
infile="upper.example.db.in" |
| |
zonefile="upper.example.db" |
| |
lower="upper.example.db.lower" |
| |
signedfile="upper.example.db.signed" |
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
cp $infile $zonefile |
| |
$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>/dev/null |
| |
$CHECKZONE -D upper.example $lower 2>/dev/null | \ |
| |
sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile |
| |
|
| |
# |
| |
# Check that the signer's name is in lower case when zone name is in |
| |
# upper case. |
| |
# |
| |
zone="LOWER.EXAMPLE." |
| |
infile="lower.example.db.in" |
| |
zonefile="lower.example.db" |
| |
signedfile="lower.example.db.signed" |
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
cp $infile $zonefile |
| |
$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# Zone with signatures about to expire, and dynamic, but configured |
| |
# not to resign with 'auto-resign no;' |
| |
# |
| |
zone="nosign.example." |
| |
infile="nosign.example.db.in" |
| |
zonefile="nosign.example.db" |
| |
signedfile="nosign.example.db.signed" |
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
cp $infile $zonefile |
| |
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 |
| |
# preserve a normalized copy of the NS RRSIG for comparison later |
| |
$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ |
| |
awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ |
| |
sed 's/[ ][ ]*/ /g'> ../nosign.before |
| |
|
| |
# |
| |
# An inline signing zone |
| |
# |
| |
zone=inline.example. |
| |
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` |
| |
|
| |
# |
| |
# publish a new key while deactivating another key at the same time. |
| |
# |
| |
zone=publish-inactive.example |
| |
infile=publish-inactive.example.db.in |
| |
zonefile=publish-inactive.example.db |
| |
now=`date -u +%Y%m%d%H%M%S` |
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
cp $infile $zonefile |
| |
$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A zone which will change its sig-validity-interval |
| |
# |
| |
zone=siginterval.example |
| |
infile=siginterval.example.db.in |
| |
zonefile=siginterval.example.db |
| |
kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` |
| |
zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` |
| |
cp $infile $zonefile |
| |
|
| |
# |
| |
# A zone with a bad DS in the parent |
| |
# (sourced from bogus.example.db.in) |
| |
# |
| |
zone=badds.example. |
| |
infile=bogus.example.db.in |
| |
zonefile=badds.example.db |
| |
|
| |
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone` |
| |
|
| |
cat $infile $keyname.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP |
| |
|
| |
# |
| |
# A zone with future signatures. |
| |
# |
| |
zone=future.example |
| |
infile=future.example.db.in |
| |
zonefile=future.example.db |
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
cat $infile $kskname.key $zskname.key >$zonefile |
| |
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
cp -f $kskname.key trusted-future.key |
| |
|
| |
# |
| |
# A zone with future signatures. |
| |
# |
| |
zone=managed-future.example |
| |
infile=managed-future.example.db.in |
| |
zonefile=managed-future.example.db |
| |
kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` |
| |
zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` |
| |
cat $infile $kskname.key $zskname.key >$zonefile |
| |
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
| |
|
| |
# |
| |
# A zone with a revoked key |
| |
# |
| |
zone=revkey.example. |
| |
infile=generic.example.db.in |
| |
zonefile=revkey.example.db |
| |
|
| |
ksk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone` |
| |
ksk1=`$REVOKE $ksk1` |
| |
ksk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone` |
| |
zsk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 $zone` |
| |
|
| |
cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile |
| |
|
| |
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 |
![[BACK]](/icons/back.gif){kind=icon}
Return to sign.sh CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / external / mpl / bind / dist / bin / tests / system / dnssec / ns3