#!/bin/sh -e
#
# Copyright (C) 2000-2004, 2006-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

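# Locate the system-test tree and read its shared settings.  The tool and
# path variables used below ($KEYGEN, $SIGNER, $CHECKZONE, $DSFROMKEY,
# $RANDFILE, $TP) are not assigned anywhere in this file, so they are
# presumably provided by conf.sh.
SYSTEMTESTTOP=../..
. "$SYSTEMTESTTOP/conf.sh"

# The "-e" on the "#!" line is honoured only when this file is executed
# directly.  When a script is started as "$SHELL sign.sh" (the form this file
# itself uses for ../ns3/sign.sh) the interpreter line is just a comment, so a
# failed key generation or signing step would go unnoticed and leave stale or
# partial zone files behind for the validation tests.  Enable it explicitly;
# it is set after conf.sh has been read so that the sourced file is not newly
# subjected to it.
set -e
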
# Zone "example.": the parent of the subdomains that are signed in ../ns3.
zone=example.
infile=example.db.in
zonefile=example.db

# Have the child generate its zone keys and hand the results to us: its
# signing script leaves one dsset-* file per subdomain in ../ns3.
( cd ../ns3 && $SHELL sign.sh )

# Copy each child DS set into this directory.  The signer below runs with -g,
# which builds the DS records for the delegations from these files.
for subdomain in \
	secure badds bogus dynamic keyless nsec3 optout \
	nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
	kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
	ttlpatch split-dnssec split-smart expired expiring upper lower \
	dnskey-unknown dnskey-nsec3-unknown managed-future revkey
do
	cp ../ns3/dsset-${subdomain}.example$TP .
done

# Values supplied from outside this file and the key names printed by
# $KEYGEN are expanded unquoted, exactly as before, so their word splitting
# is unchanged.
#
# NOTE(review): DSA with a 768-bit modulus is far below any current signing
# guidance.  That is tolerable only for throwaway fixture keys; confirm that
# nothing outside the test tree ever trusts keys produced here.
keyname1=$($KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone "$zone")
keyname2=$($KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone "$zone")

# The zone to sign is the template plus both public keys.
cat "$infile" $keyname1.key $keyname2.key > "$zonefile"

# keyname1 is passed with -k and keyname2 as a plain signing key.  -P skips
# the signer's own post-sign verification, so a bad result is not caught here.
$SIGNER -P -g -r $RANDFILE -o "$zone" -k $keyname1 "$zonefile" $keyname2 > /dev/null

#
# Tamper with the RRSIGs that cover bad-cname.example/CNAME and
# bad-dname.example/DNAME: every signature chunk has its letter case flipped
# (to lower case if it contains upper-case letters, otherwise to upper case),
# presumably so that validation of these two names fails.  The tail of each
# chunk is left alone because, per the original note, changing the last four
# characters would lead to a bad base64 encoding.
#
# NOTE(review): the tail is taken from position length-4, so it repeats the
# last character of the head and omits the final character of the chunk; the
# changed branches also print no separator, joining the chunks together.  The
# signature is altered either way, but confirm that this is intended before
# relying on the exact bytes.
#
# NOTE(review): the pipeline status is the status of awk, so a $CHECKZONE
# failure on its own does not prevent the mv from replacing the signed zone.
#
$CHECKZONE -D -q -i local "$zone" "${zonefile}.signed" |
awk '
(tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME") ||
(tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME") {
	# Fields 1 to 12 are copied through untouched.
	for (i = 1; i <= NF && i <= 12; i++)
		printf("%s ", $i);
	# Every remaining field is treated as a chunk of signature text.
	for (; i <= NF; i++) {
		head = substr($i, 1, length($i) - 4);
		tail = substr($i, length($i) - 4, 4);
		if (tolower(head) != head)
			printf("%s%s", tolower(head), tail);
		else if (toupper(head) != head)
			printf("%s%s", toupper(head), tail);
		else
			printf("%s%s ", head, tail);
	}
	printf("\n");
	next;
}

# All other records pass through unchanged.
{ print; }' > "${zonefile}.signed++" && mv "${zonefile}.signed++" "${zonefile}.signed"

#
# Signed in-addr.arpa with a delegation for 10.in-addr.arpa, which is
# unsigned (the delegation itself lives in the template file, not here).
#
zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db

# NOTE(review): 768-bit DSA again; acceptable only as a disposable test key.
keyname1=$($KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone "$zone")
keyname2=$($KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone "$zone")

# Template plus both public keys, then sign with keyname1 given via -k.
cat "$infile" $keyname1.key $keyname2.key > "$zonefile"
$SIGNER -P -g -r $RANDFILE -o "$zone" -k $keyname1 "$zonefile" $keyname2 > /dev/null

# Sign the privately secure zone.  Only one key is generated for it, and the
# signer is asked (-l dlv) to produce look-aside data for the "dlv" domain in
# addition to the signed zone.
privzone=private.secure.example.
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db

# NOTE(review): RSAMD5 at 768 bits is a long-deprecated DNSSEC algorithm with
# a very short modulus; treat the resulting key as a test fixture only.
privkeyname=$($KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone "$privzone")

cat "$privinfile" $privkeyname.key > "$privzonefile"

$SIGNER -P -g -r $RANDFILE -o "$privzone" -l dlv "$privzonefile" > /dev/null

# Sign the DLV secure zone.  Its input is the template, its own public key,
# and the dlvset file named after $privzone with the trailing dot removed.
dlvzone=dlv.
dlvinfile=dlv.db.in
dlvzonefile=dlv.db
# $privzone is unquoted inside the substitution, as in the original pipeline.
dlvsetfile=dlvset-$(echo $privzone | sed -e 's/\.$//g')$TP

# NOTE(review): 768-bit RSAMD5, as for the private zone; fixture key only.
dlvkeyname=$($KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone "$dlvzone")

cat "$dlvinfile" $dlvkeyname.key $dlvsetfile > "$dlvzonefile"

$SIGNER -P -g -r $RANDFILE -o "$dlvzone" "$dlvzonefile" > /dev/null

# Sign the badparam secure zone, then derive a deliberately inconsistent copy.
zone=badparam.
infile=badparam.db.in
zonefile=badparam.db

# One key flagged as KSK (-f KSK) and one ordinary zone key.
keyname1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK "$zone")
keyname2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone "$zone")

cat "$infile" $keyname1.key $keyname2.key > "$zonefile"

# NSEC3 with an empty salt (-3 -) and a single iteration (-H 1).
$SIGNER -P -3 - -H 1 -g -r $RANDFILE -o "$zone" -k $keyname1 "$zonefile" $keyname2 > /dev/null

# Rewrite the NSEC3 parameters from "1 0 1" to "1 0 10" in the signed output.
# Nothing is re-signed afterwards, so the .bad file carries parameters that
# differ from the ones the records were generated and signed with.
sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "${zonefile}.signed" > "${zonefile}.bad"

# Sign the single-nsec3 secure zone with opt-out (-A).
zone=single-nsec3.
infile=single-nsec3.db.in
zonefile=single-nsec3.db

# One key flagged as KSK (-f KSK) and one ordinary zone key.
keyname1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK "$zone")
keyname2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone "$zone")

cat "$infile" $keyname1.key $keyname2.key > "$zonefile"

# Same NSEC3 settings as badparam (empty salt, one iteration) plus opt-out.
$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o "$zone" -k $keyname1 "$zonefile" $keyname2 > /dev/null

#
# algroll has just had the old DNSKEY records removed and is waiting for
# them to be flushed from caches.  We still need to generate RRSIGs for the
# old DNSKEY.
#
zone=algroll.
infile=algroll.db.in
zonefile=algroll.db

# Old key pair (RSASHA1) and new key pair (RSASHA256); -fk marks the first of
# each pair as the key-signing key.
keyold1=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk "$zone")
keyold2=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone "$zone")
keynew1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk "$zone")
keynew2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone "$zone")

# Only the new public keys are published in the zone ...
cat "$infile" $keynew1.key $keynew2.key > "$zonefile"

# ... but all four keys are handed to the signer, so signatures from the old
# keys are still produced.  Unlike the other zones here, -g is not used.
$SIGNER -P -r $RANDFILE -o "$zone" -k $keyold1 -k $keynew1 "$zonefile" $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null

#
# Make a zone big enough that it takes several seconds to generate a new
# nsec3 chain.
#
zone=nsec3chain-test
zonefile=nsec3chain-test.db

# The zone file is written in one go: a fixed apex (the here-document is
# quoted, so "$TTL" is literal text) followed by 300 generated delegations
# host0 .. host299.
{
	cat << 'EOF'
$TTL 10
@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
@ 10 NS ns2
@ 10 NS ns3
ns2 10 A 10.53.0.2
ns3 10 A 10.53.0.3
EOF
	awk 'END { for (i = 0; i < 300; i++)
		print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null
} > "$zonefile"

key1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone "$zone")
cat $key1.key $key2.key >> "$zonefile"

# NSEC3 with empty salt, one iteration and opt-out, as for single-nsec3.
$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o "$zone" -k $key1 "$zonefile" $key2 > /dev/null

# CDS test zones.  Each gets a fresh RSASHA1/1024 key pair, the first of
# which is flagged as a key-signing key (-fk).
# NOTE(review): RSASHA1 with a 1024-bit modulus is weak by current standards;
# fine for fixtures, not a parameter set to copy elsewhere.

# cds.secure: the CDS record derived from key1 is published alongside both
# keys and the zone is signed here.
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone "$zone")
$DSFROMKEY -C $key1.key > $key1.cds
cat "$infile" $key1.key $key2.key $key1.cds > "$zonefile"
$SIGNER -P -g -r $RANDFILE -o "$zone" "$zonefile" > /dev/null

# cds-update.secure: signed with both keys but no CDS record is added here.
zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone "$zone")
cat "$infile" $key1.key $key2.key > "$zonefile"
$SIGNER -P -g -r $RANDFILE -o "$zone" "$zonefile" > /dev/null

# cds-auto.secure: the signer is not run.  The file named *.signed holds only
# the template plus the CDS record; neither DNSKEY nor signatures are added
# by this script.
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone "$zone")
$DSFROMKEY -C $key1.key > $key1.cds
cat "$infile" $key1.cds > "${zonefile}.signed"

# CDNSKEY test zones, mirroring the CDS ones above.  The CDNSKEY record is
# made by replacing the first "DNSKEY" on each line of key1's public key file
# with "CDNSKEY"; the result is stored under the same *.cds name.
# NOTE(review): RSASHA1/1024 keys again; fixture-grade parameters only.

# cdnskey.secure: CDNSKEY published alongside both keys, zone signed here.
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds
cat "$infile" $key1.key $key2.key $key1.cds > "$zonefile"
$SIGNER -P -g -r $RANDFILE -o "$zone" "$zonefile" > /dev/null

# cdnskey-update.secure: signed with both keys, no CDNSKEY record added here.
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone "$zone")
cat "$infile" $key1.key $key2.key > "$zonefile"
$SIGNER -P -g -r $RANDFILE -o "$zone" "$zonefile" > /dev/null

# cdnskey-auto.secure: the signer is not run.  The file named *.signed holds
# only the template plus the CDNSKEY record.
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk "$zone")
key2=$($KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds
cat "$infile" $key1.cds > "${zonefile}.signed"