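#!/bin/sh -e
#
# Copyright (C) 2009-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# $Id: keygen.sh,v 1.15 2012/02/06 23:46:46 tbox Exp $

# Creates the DNSSEC keys, DS sets and (for some zones) pre-signed zone
# files for the test zones set up below.
#
# Options on the "#!" line are dropped when the script is started as
# "sh keygen.sh", so errexit is also switched on explicitly.
set -e

SYSTEMTESTTOP=../..
# conf.sh is outside this listing.  KEYGEN, DSFROMKEY, SIGNER, SETTIME,
# RANDFILE and TP are used below without being set in this file, so they
# presumably come from it.
. "$SYSTEMTESTTOP/conf.sh"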
# Replay a captured tool-output file on stdout, every line prefixed "D:".
# Globals:   debug (read) - label printed in the banner line
# Arguments: $1 - path of the file to replay
# Returns:   status of the final pipeline, i.e. of sed.  After a normal
#            dump that is 0, so "cmd || dumpit file" evaluates as success
#            and the script carries on even with errexit in effect.
dumpit () {
	echo "D:${debug}: dumping ${1}"
	cat "${1}" |
		sed -e 's/^/D:/'
}
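# Select the zone that the following top-level commands operate on.
# Globals:   debug, zone, zonefile, infile (written); n (incremented)
# Arguments: $1 - zone name, e.g. secure.example
# Outputs:   an "I:setting up zone: <name>" progress line on stdout
# Returns:   0
setup () {
	echo "I:setting up zone: $1"
	debug="$1"
	zone="$1"
	zonefile="${zone}.db"
	infile="${zonefile}.in"
	# Count of zones set up so far (not read elsewhere in this listing).
	# Arithmetic expansion replaces expr: no extra process, and no exit
	# status 1 when the result happens to be 0, which errexit would
	# treat as a failure.
	n=$(( ${n:-0} + 1 ))
}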
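#
# Plain secure zone: one KSK (-fk) and one ZSK; the DS set of the KSK is
# written to dsset-<zone>.
#
# NOTE(review): "|| dumpit kg.out" replays the keygen output but leaves the
# list with a success status, so a failed key generation is only noticed
# when a later command needs the key.
setup secure.example
cp "$infile" "$zonefile"
ksk=$($KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"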
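#
# NSEC3/NSEC test zone
#
setup secure.nsec3.example
cp "$infile" "$zonefile"
# The KSK name is captured from stdout; only stderr goes to kg.out.
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"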
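#
# NSEC3/NSEC3 test zone
#
setup nsec3.nsec3.example
cp "$infile" "$zonefile"
# The KSK name is captured from stdout; only stderr goes to kg.out.
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"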
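#
# OPTOUT/NSEC3 test zone
#
setup optout.nsec3.example
cp "$infile" "$zonefile"
# The KSK name is captured from stdout; only stderr goes to kg.out.
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"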
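#
# An nsec3 zone (non-optout).
#
setup nsec3.example
# The glob stays outside the quotes on purpose: it picks up the DS sets
# written earlier for the *.nsec3.example child zones.
cat "$infile" dsset-*."${zone}$TP" > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"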
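#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
setup autonsec3.example
cat "$infile" > "$zonefile"
# -G generates the keys without publishing or activating them
# (dnssec-keygen semantics); the key names are saved one directory up,
# presumably for the test driver.
ksk=$($KEYGEN -G -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../autoksk.key
zsk=$($KEYGEN -G -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../autozsk.key
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"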
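#
# OPTOUT/NSEC test zone
#
setup secure.optout.example
cp "$infile" "$zonefile"
# The KSK name is captured from stdout; only stderr goes to kg.out.
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"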
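#
# OPTOUT/NSEC3 test zone
#
setup nsec3.optout.example
cp "$infile" "$zonefile"
# The KSK name is captured from stdout; only stderr goes to kg.out.
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"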
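#
# OPTOUT/OPTOUT test zone
#
setup optout.optout.example
cp "$infile" "$zonefile"
# The KSK name is captured from stdout; only stderr goes to kg.out.
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"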
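#
# An optout nsec3 zone.
#
setup optout.example
# The glob stays outside the quotes on purpose: it picks up the DS sets
# written earlier for the *.optout.example child zones.
cat "$infile" dsset-*."${zone}$TP" > "$zonefile"
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"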
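#
# A RSASHA256 zone.
#
setup rsasha256.example
cp "$infile" "$zonefile"
# 2048-bit KSK, 1024-bit ZSK.  1024-bit RSA is a test-fixture size only;
# it is below what current guidance accepts for production zones.
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA256 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"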
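#
# A RSASHA512 zone.
#
setup rsasha512.example
cp "$infile" "$zonefile"
# 2048-bit KSK, 1024-bit ZSK.  1024-bit RSA is a test-fixture size only;
# it is below what current guidance accepts for production zones.
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"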
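#
# NSEC-only zone.
#
setup nsec.example
cp "$infile" "$zonefile"
# No -3 here, unlike the other zones: the keys use keygen's default
# algorithm rather than one requested as NSEC3-capable.
ksk=$($KEYGEN -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"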
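#
# Signature refresh test zone. Signatures are set to expire long
# in the past; they should be updated by autosign.
#
setup oldsigs.example
cp "$infile" "$zonefile"
$KEYGEN -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
# Validity window runs from one year ago to six months ago, so every
# signature is already expired.  -P turns off the signer's post-sign
# verification, which presumably would reject such a zone.
$SIGNER -PS -s now-1y -e now-6mo -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out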
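#
# NSEC3->NSEC transition test zone.
#
setup nsec3-to-nsec.example
# 1024-bit RSA for the ZSK is a test-fixture size, not a production choice.
$KEYGEN -q -a RSASHA512 -b 2048 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
# Pre-sign with an NSEC3 chain: fixed salt "beef" (-3) and opt-out (-A).
$SIGNER -S -3 beef -A -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out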
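#
# secure-to-insecure transition test zone; used to test removal of
# keys via nsupdate
#
setup secure-to-insecure.example
$KEYGEN -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
# The zone file is produced by the signer from the .in template.
$SIGNER -S -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out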
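#
# another secure-to-insecure transition test zone; used to test
# removal of keys on schedule.
#
setup secure-to-insecure2.example
# Both key names are saved one directory up (del1.key / del2.key),
# presumably so the test driver can schedule their deletion.
ksk=$($KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../del1.key
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../del2.key
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out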
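#
# Introducing a pre-published key test.
#
setup prepub.example
# Override the template chosen by setup: this zone reuses the
# secure-to-insecure2.example input file.
infile="secure-to-insecure2.example.db.in"
$KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o "$zone" -f "$zonefile" "$infile" > s.out 2>&1 || dumpit s.out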
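#
# Key TTL tests.
#

# no default key TTL; DNSKEY should get SOA TTL
setup ttl1.example
$KEYGEN -3 -q -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# default key TTL should be used
setup ttl2.example
$KEYGEN -3 -q -r "$RANDFILE" -fk -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# mismatched key TTLs, should use shortest
setup ttl3.example
$KEYGEN -3 -q -r "$RANDFILE" -fk -L 30 "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" -L 60 "$zone" > kg.out 2>&1 || dumpit kg.out
cp "$infile" "$zonefile"

# existing DNSKEY RRset, should retain TTL
setup ttl4.example
$KEYGEN -3 -q -r "$RANDFILE" -L 30 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# Runs between the two keygen calls, so (assuming no stale K<zone> files)
# only the KSK's DNSKEY, TTL 30, is copied into the zone.  The glob is
# left outside the quotes on purpose.
cat "${infile}" "K${zone}".+*.key > "$zonefile"
$KEYGEN -3 -q -r "$RANDFILE" -L 180 "$zone" > kg.out 2>&1 || dumpit kg.out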
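#
# A zone with a DNSKEY RRset that is published before it's activated
#
setup delay.example
# -G generates the keys without publishing or activating them
# (dnssec-keygen semantics); the names are saved one directory up,
# presumably so the test driver can set the timing later.
ksk=$($KEYGEN -G -q -3 -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
echo "$ksk" > ../delayksk.key
zsk=$($KEYGEN -G -q -3 -r "$RANDFILE" "$zone" 2> kg.out) || dumpit kg.out
echo "$zsk" > ../delayzsk.key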
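#
# A zone with signatures that are already expired, and the private ZSK
# is missing.
#
setup nozsk.example
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# No "|| dumpit" on this one: a keygen failure here is fatal under errexit.
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
# Signatures valid from a month ago until a minute ago, i.e. expired.
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out 2>&1 || dumpit s.out
echo "$zsk" > ../missingzsk.key
# Remove only the private half of the ZSK.  The :? guard stops the script
# instead of running rm on a bare ".private" if the key name is empty.
rm -f "${zsk:?ZSK name is empty}.private"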
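#
# A zone with signatures that are already expired, and the private ZSK
# is inactive.
#
setup inaczsk.example
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
# No "|| dumpit" on this one: a keygen failure here is fatal under errexit.
zsk=$($KEYGEN -q -3 -r "$RANDFILE" "$zone")
# Signatures valid from a month ago until a minute ago, i.e. expired.
$SIGNER -S -P -s now-1mo -e now-1mi -o "$zone" -f "$zonefile" "${zonefile}.in" > s.out 2>&1 || dumpit s.out
echo "$zsk" > ../inactivezsk.key
# Mark the ZSK inactive as of now, after it has been used for signing.
$SETTIME -I now "$zsk" > st.out 2>&1 || dumpit st.out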
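#
# A zone that is set to 'auto-dnssec maintain' during a reconfig
#
setup reconf.example
# Uses the secure.example template rather than the $infile set by setup.
cp secure.example.db.in "$zonefile"
$KEYGEN -q -3 -r "$RANDFILE" -fk "$zone" > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -3 -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out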
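#
# A zone which generates CDS and CDNSKEY RRsets automatically
#
setup sync.example
cp "$infile" "$zonefile"
# "-P sync now" sets the KSK's CDS/CDNSKEY publication time to now.
ksk=$($KEYGEN -3 -q -r "$RANDFILE" -fk -P sync now "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"
# The saved name carries an ns3/ prefix, presumably so it resolves from
# the parent directory.
echo "ns3/$ksk" > ../sync.key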
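#
# A zone that has a published inactive key that is autosigned.
#
setup inacksk2.example
cp "$infile" "$zonefile"
# The only KSK is published now but not active for another hour.
# NSEC3RSASHA1 with 1024-bit keys (SHA-1, short RSA modulus) is a
# test-fixture choice only, not one for production zones.
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -Pnow -A now+3600 -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"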
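#
# A zone that has a published inactive key that is autosigned.
#
setup inaczsk2.example
cp "$infile" "$zonefile"
# NSEC3RSASHA1 with 1024-bit keys (SHA-1, short RSA modulus) is a
# test-fixture choice only, not one for production zones.
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
# The only ZSK is published now but not active for another hour.
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -P now -A now+3600 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"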
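#
# A zone that starts with an active KSK + ZSK and an inactive KSK.
#
setup inacksk3.example
cp "$infile" "$zonefile"
# Extra KSK (-fk): published now, active in an hour.  Its name is not
# captured, so the DS set below is built from the active KSK only.
# NSEC3RSASHA1 with 1024-bit keys is a test-fixture choice only.
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -P now -A now+3600 -fk "$zone" > kg.out 2>&1 || dumpit kg.out
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"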
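#
# A zone that starts with an active KSK + ZSK and an inactive ZSK.
#
setup inaczsk3.example
cp "$infile" "$zonefile"
# NSEC3RSASHA1 with 1024-bit keys (SHA-1, short RSA modulus) is a
# test-fixture choice only, not one for production zones.
ksk=$($KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -fk "$zone" 2> kg.out) || dumpit kg.out
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" "$zone" > kg.out 2>&1 || dumpit kg.out
# Second ZSK: published now, active in an hour.
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r "$RANDFILE" -P now -A now+3600 "$zone" > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY "$ksk.key" > "dsset-${zone}$TP"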