#
# Copyright (C) 2010-2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Overall result of the run; it is printed by the final "I:exit status" line.
# NOTE(review): no statement in this listing updates it after a failed check;
# confirm the full script folds each section's ret into status, otherwise a
# failed DNSSEC check would still end with exit status 0.
status=0
echo "I:generating child's keys"
# NOTE(review): the key-generation commands that the comments below annotate
# are not visible in this listing. Each comment names the timing state one
# child key is meant to be in at signing time; presumably the later DNSKEY-set
# and signature checks depend on exactly these states.
# active zsk
# not yet published or active
# published but not active
# inactive
# active in 12 hours, inactive 12 hours after that...
# explicit successor to czk5
# (suppressing warning about lack of removal date)
# active ksk
# published but not YET active; will be active in 20 seconds
# $SETTIME moved after other $KEYGENs
# revoking key changes its ID
echo "I:setting child's activation time"
# using now+30s to fix RT 24561
# Report whether dnssec-signzone's output matched what the test expects.
# The comparison that would set ret is not part of this listing, so ret is
# still 0 when it is tested; on failure the values of $pzoneout and $czoneout
# are printed for diagnosis.
echo "I:checking dnssec-signzone output matches expectations"
ret=0
# ret is quoted so that an empty value cannot turn the test into an error
# that silently skips the failure report.
if [ "$ret" != 0 ]
then
  echo "I: parent $pzoneout"
  echo "I: child $czoneout"
  echo "I:failed"
fi
# Repeat the output check for a signing run that used -x.
# The signing and comparison commands are not part of this listing, so ret is
# still 0 when it is tested.
echo "I:rechecking dnssec-signzone output with -x"
ret=0
# use an alternate output file so -x doesn't interfere with later checks
# ret is quoted so that an empty value cannot turn the test into an error
# that silently skips the failure report.
if [ "$ret" != 0 ]
then
  echo "I: parent $pzoneout"
  echo "I: child $czoneout"
  echo "I:failed"
fi
# Check that the parent zone's DNSKEY set contains both expected parent keys:
# the ZSK ($pzid) and the KSK ($pkid).
# NOTE(review): the lookups that open each `{ ... }` failure group are not
# visible in this listing; as shown, ret=1 is unconditional and the closing
# braces are unbalanced. Presumably each group runs only when the key id is
# not found; confirm against the full script.
echo "I:checking parent zone DNSKEY set"
ret=0
ret=1
echo "I: missing expected parent ZSK id = $pzid"
}
ret=1
echo "I: missing expected parent KSK id = $pkid"
}
# Check the DS records in the parent zone.
# NOTE(review): the lookup commands are not visible in this listing. The
# comment below describes a negative check: finding a DS for the revoked key
# is the failure case, so that lookup is chained with && rather than ||.
echo "I:checking parent zone DS records"
ret=0
# revoked key should not be there, hence the &&
# Check which child keys appear in the child zone's DNSKEY set.
# The first six groups report a key that is expected but missing; the groups
# after the "should not be there" comment report a key that is present but
# should not be.
# NOTE(review): the lookups that open each `{ ... }` group are not visible in
# this listing; as shown, every ret=1 is unconditional and the closing braces
# are unbalanced.
echo "I:checking child zone DNSKEY set"
ret=0
ret=1
echo "I: missing expected child KSK id = $ckactive"
}
ret=1
echo "I: missing expected child prepublished KSK id = $ckpublished"
}
ret=1
echo "I: missing expected child revoked KSK id = $ckrevoked"
}
ret=1
echo "I: missing expected child ZSK id = $czactive"
}
ret=1
echo "I: missing expected child prepublished ZSK id = $czpublished"
}
ret=1
echo "I: missing expected child inactive ZSK id = $czinactive"
}
# should not be there, hence the &&
ret=1
# NOTE(review): the message reads "unexpect" and calls the key a ZSK, while the
# variable name ($ckprerevoke) suggests a KSK; confirm and correct the wording.
echo "I: found unexpect child pre-revoke ZSK id = $ckprerevoke"
}
ret=1
echo "I: found unexpected child generated ZSK id = $czgenerated"
}
# The two groups below only report the finding: no ret=1 precedes them, so a
# predecessor or successor ZSK in the DNSKEY set does not fail the test.
echo "I: found unexpected ZSK predecessor id = $czpredecessor (ignored)"
}
echo "I: found unexpected ZSK successor id = $czsuccessor (ignored)"
}
# The stricter form of the two checks above is kept here, disabled.
#grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && ret=1
#grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && ret=1
# Check DNSKEY TTLs: first as generated, then as imported, then once more
# after re-signing.
# NOTE(review): the commands that feed these checks are not visible in this
# listing.
echo "I:checking key TTLs are correct"
ret=0
echo "I:checking key TTLs were imported correctly"
ret=0
# awk exits 1 if any record whose second field is "DNSKEY" has a first field
# other than 30 (presumably the TTL column), and 0 otherwise.
# NOTE(review): the line that should follow the trailing backslash is missing
# here, so as listed the next echo line is joined to this awk command.
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \
echo "I:re-signing and checking imported TTLs again"
ret=0
# Same check after re-signing, this time requiring the value 15.
# NOTE(review): the continuation line after the backslash is missing here too,
# and the Solaris comment that follows appears truncated in this listing.
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
# There is some weirdness in Solaris 10 (Generic_120011-14), which
# commands
# Check which child keys produced signatures in the signed child zone:
# first over the DNSKEY set, then over the other records. Each group has keys
# whose signatures are expected, followed by keys whose signatures must be
# absent.
# NOTE(review): the commands that compute each result are not visible in this
# listing; only the resets of sub (presumably a per-check result that is then
# folded into ret) remain.
echo "I:checking child zone signatures"
ret=0
# check DNSKEY signatures first
sub=0
sub=0
sub=0
# should not be there:
sub=0
sub=0
sub=0
sub=0
sub=0
# now check other signatures first
# should not be there:
sub=0
sub=0
sub=0
sub=0
sub=0
sub=0
sub=0
sub=0
sub=0
# NOTE(review): $ret is unquoted; if it were ever empty, `[` would fail with an
# error and the failure branch would be skipped, hiding a failed signature
# check. Quoting it (`[ "$ret" != 0 ]`) makes the test fail closed.
if [ $ret != 0 ]; then
echo "I:failed";
fi
# Read the signed child zone through $CHECKZONE to obtain two expiry values,
# dnskey_expiry and soa_expiry (presumably the RRSIG expiry over the DNSKEY
# set and over the SOA).
# NOTE(review): the filter stages after each pipe, the closing backticks and
# the comparison of the two values are not visible in this listing, so the two
# assignments do not parse as shown. stderr of $CHECKZONE is discarded, so a
# failed dump presumably yields empty values; confirm that the comparison
# treats empty values as a failure.
echo "I:checking RRSIG expiry date correctness"
dnskey_expiry=`$CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
soa_expiry=`$CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
echo "I:waiting 30 seconds for key activation"
# Fixed wait so that the key given a delayed activation time (see the
# "now+30s" comment earlier in the script) is active before re-signing.
sleep 30
# Second pass, after the wait for key activation: re-sign the child zone and
# repeat the signer-output and signature checks, then print the overall status.
# The signing and check commands themselves are not part of this listing, so
# ret is only reset here.
printf '%s\n' "I:re-signing child zone"
printf '%s\n' "I:checking dnssec-signzone output matches expectations"
ret=0
printf '%s\n' "I:checking child zone signatures again"
ret=0
# status is whatever the earlier sections left in it.
printf '%s\n' "I:exit status: $status"