# Copyright (C) 2012-2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# $Id$
# Point at the top of the system-test tree and load the shared settings.
# The rest of this script uses $KEYGEN, $SIGNER and $RANDFILE without
# defining them (presumably conf.sh provides them -- confirm there).
SYSTEMTESTTOP=../..
. "${SYSTEMTESTTOP}/conf.sh"
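# dumpit FILE
#   Print FILE to stdout with every line prefixed by "D:", preceded by a
#   header naming the fixture currently being built (global $debug).
#   Used as the failure branch of "command > log 2>&1 || dumpit log".
#
#   When FILE is missing or unreadable, report that on a "D:" line as well,
#   so the diagnostic stays in the same output channel as the rest of the
#   dump instead of appearing as an unprefixed error on stderr.
#   Always returns 0, so a failed dump never changes the caller's flow.
dumpit () {
	echo "D:${debug}: dumping ${1}"
	if [ -r "${1}" ]; then
		# Read the file directly; no separate cat process is needed.
		sed 's/^/D:/' < "${1}"
	else
		echo "D:${debug}: ${1} not found or unreadable"
	fi
	return 0
}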
# setup ZONE KIND
#   Announce the next fixture and record its parameters in globals:
#     zone, debug -> ZONE
#     file        -> ZONE.KIND  (KIND is "good" or "bad" at every call site
#                                in this script)
#     n           -> previous value plus one, counting from 0 when unset;
#                    used as the suffix of the per-fixture log files
setup () {
	n=`expr ${n:-0} + 1`
	zone="${1}"
	debug="${1}"
	file="${1}.${2}"
	echo "I:setting up ${2} zone: ${1}"
}
# An unsigned zone should fail validation.
# The fixture is a plain copy of the unsigned master file; after setup,
# ${file} is "unsigned.bad".
setup unsigned bad
cp unsigned.db "${file}"
# A set of nsec zones.
# Each stanza generates fresh keys and signs unsigned.db; all three results
# are "good" fixtures.  Per dnssec-signzone's documented options, -S selects
# smart signing (keys are located automatically), -P turns off the signer's
# own post-sign verification, -z ignores the KSK flag when choosing what to
# sign, and -x signs the DNSKEY RRset with key-signing keys only.
# Tool output goes to a per-stanza log that dumpit prints only on failure.

# Zone-signing key only.
setup zsk-only.nsec good
$KEYGEN -r $RANDFILE $zone > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SP -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

# Key-signing key only (-fK); -z lets it sign the whole zone.
setup ksk-only.nsec good
$KEYGEN -r $RANDFILE -fK $zone > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SPz -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

# One key of each kind.
setup ksk+zsk.nsec good
$KEYGEN -r $RANDFILE $zone > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -r $RANDFILE -fK $zone > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SPx -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n
# A set of nsec3 zones.
# Same three key layouts as the nsec set, but the keys are generated with -3
# and the signer is given "-3 -" (NSEC3 with "-" as the salt argument).
# The final stanza additionally passes -A to the signer.

setup zsk-only.nsec3 good
$KEYGEN -3 -r $RANDFILE $zone > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - -SP -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk-only.nsec3 good
$KEYGEN -3 -r $RANDFILE -fK $zone > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - -SPz -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk+zsk.nsec3 good
$KEYGEN -3 -r $RANDFILE $zone > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -3 -r $RANDFILE -fK $zone > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -SPx -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

# NOTE(review): "outout" looks like a typo for "optout" (the stanza signs
# with -A); the name is kept as-is because it is also the zone origin and
# the output file name -- confirm nothing depends on it before renaming.
setup ksk+zsk.outout good
$KEYGEN -3 -r $RANDFILE $zone > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -3 -r $RANDFILE -fK $zone > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -A -SPx -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n
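# A set of zones with only DNSKEY records.
# The generated public keys are appended to the unsigned zone and nothing is
# signed, so every one of these is a "bad" fixture.
#
# The key generator's stdout (captured in key1/key2) is used as the base name
# of the key files; its stderr goes to a per-stanza log.  The log name written
# by the redirection must be the same one handed to dumpit, otherwise a
# key-generation failure dumps a file that was never written and the real
# error message is lost.  The two generator runs in the last stanza use
# separate logs so that the second does not overwrite the first.

setup zsk-only.dnskeyonly bad
key1=`$KEYGEN -r $RANDFILE ${zone} 2> kg.out$n` || dumpit kg.out$n
cat unsigned.db $key1.key > ${file}

setup ksk-only.dnskeyonly bad
key1=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg.out$n` || dumpit kg.out$n
cat unsigned.db $key1.key > ${file}

setup ksk+zsk.dnskeyonly bad
key1=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
key2=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $key1.key $key2.key > ${file}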
# A set of zones with expired records.
# ${s} moves the signature start time 2678400 seconds (31 days) into the
# past.  No end time is given, so the signatures presumably expire before
# "now" under the signer's default validity period -- confirm against the
# dnssec-signzone documentation.  All six results are "bad" fixtures.
s="-s -2678400"

setup zsk-only.nsec.expired bad
$KEYGEN -r $RANDFILE $zone > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SP $s -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk-only.nsec.expired bad
$KEYGEN -r $RANDFILE -fK $zone > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SPz $s -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

# NOTE(review): every other ksk+zsk stanza signs with -SPx; this one uses
# -SP.  The zone is expired either way -- confirm the missing -x is intended.
setup ksk+zsk.nsec.expired bad
$KEYGEN -r $RANDFILE $zone > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -r $RANDFILE -fK $zone > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SP $s -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup zsk-only.nsec3.expired bad
$KEYGEN -3 -r $RANDFILE $zone > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - $s -SP -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk-only.nsec3.expired bad
$KEYGEN -3 -r $RANDFILE -fK $zone > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - $s -SPz -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n

setup ksk+zsk.nsec3.expired bad
$KEYGEN -3 -r $RANDFILE $zone > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -3 -r $RANDFILE -fK $zone > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - $s -SPx -o $zone -f $file unsigned.db > s.out$n 2>&1 || dumpit s.out$n
# ksk expired
# Two-pass signing: the first pass signs with the ZSK only and without ${s};
# the second pass signs with the KSK only and with ${s}, which is expected to
# yield a back-dated, already expired signature over the DNSKEY RRset.
#
# Sanity check after each stanza: field 9 of the "RRSIG DNSKEY" line (the
# signature expiration in the -O full output) must be numerically below the
# current UTC time in YYYYMMDDHHMMSS form.  The fallback 40001231246060 is
# larger than any real timestamp, so a missing signature fails the
# comparison and the zone file is dumped for inspection.
# NOTE(review): the numeric test assumes awk prints exactly one value, i.e.
# a single RRSIG over DNSKEY -- confirm.

setup ksk+zsk.nsec.ksk-expired bad
zsk=`$KEYGEN -r $RANDFILE $zone 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK $zone 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > ${file}
$SIGNER -Px -o $zone -f $file $file $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER $s -P -O full -o $zone -f $file $file $ksk > s.out$n 2>&1 || dumpit s.out$n
now=`date -u +%Y%m%d%H%M%S`
exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' $file`
test "${exp:-40001231246060}" -lt ${now:-0} || dumpit ${file}

setup ksk+zsk.nsec3.ksk-expired bad
zsk=`$KEYGEN -3 -r $RANDFILE $zone 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -3 -r $RANDFILE -fK $zone 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > ${file}
$SIGNER -3 - -Px -o $zone -f $file $file $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - $s -P -O full -o $zone -f $file $file $ksk > s.out$n 2>&1 || dumpit s.out$n
now=`date -u +%Y%m%d%H%M%S`
exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' $file`
test "${exp:-40001231246060}" -lt ${now:-0} || dumpit ${file}
# broken nsec chain
# Sign with the KSK, then rewrite field 5 (the "next name") of every NSEC
# record to the zone apex so the chain no longer links the names in order,
# and re-sign with the ZSK.  "-Z nonsecify" on the second pass is presumably
# what keeps the signer from regenerating a correct chain -- confirm.
# NOTE(review): the awk program has no "next" after its first action, so
# each NSEC line is printed twice (both copies modified); verify that the
# duplicate is harmless for the signer.
setup ksk+zsk.nsec.broken-chain bad
zsk=`$KEYGEN -r $RANDFILE $zone 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK $zone 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > ${file}
$SIGNER -P -O full -o $zone -f $file $file $ksk > s.out$n 2>&1 || dumpit s.out$n
awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' $file > $file.tmp
$SIGNER -Px -Z nonsecify -o $zone -f $file $file.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n
# bad nsec bitmap
# Sign with the KSK, blank field 6 (the first entry of the type list) on the
# NSEC record whose line mentions SOA, then re-sign with the ZSK so the
# altered bitmap carries a signature made by a key of the zone.
# NOTE(review): as in the broken-chain stanza, the matching NSEC line is
# printed twice because the first action does not end with "next".
setup ksk+zsk.nsec.bad-bitmap bad
zsk=`$KEYGEN -r $RANDFILE $zone 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK $zone 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > ${file}
$SIGNER -P -O full -o $zone -f $file $file $ksk > s.out$n 2>&1 || dumpit s.out$n
awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' $file > $file.tmp
$SIGNER -Px -Z nonsecify -o $zone -f $file $file.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n
# extra NSEC record outside of the zone
# After the KSK pass, append an NSEC record owned by "out-of-zone.", a name
# that is not under the zone origin, and run the ZSK pass over the result.
setup ksk+zsk.nsec.out-of-zone-nsec bad
zsk=`$KEYGEN -r $RANDFILE $zone 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK $zone 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > ${file}
$SIGNER -P -O full -o $zone -f $file $file $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> $file
$SIGNER -Px -Z nonsecify -O full -o $zone -f $file $file $zsk > s.out$n 2>&1 || dumpit s.out$n
# extra NSEC record below bottom of zone
# Append an NSEC record at ns.sub.<zone> (presumably below a delegation in
# unsigned.db -- confirm) and run the ZSK pass into ${file}.tmp.
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
zsk=`$KEYGEN -r $RANDFILE $zone 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK $zone 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > ${file}
$SIGNER -P -O full -o $zone -f $file $file $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> $file
$SIGNER -Px -Z nonsecify -O full -o $zone -f $file.tmp $file $zsk > s.out$n 2>&1 || dumpit s.out$n
# dnssec-signzone signs any node with a NSEC record.
# Drop every RRSIG at ns.sub* except the one covering NSEC, so that only the
# stray NSEC record and its signature remain at that name.
awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' $file.tmp > $file
# missing NSEC3 record at empty node
# Extract the hash fields from the empty node's NSEC3 record, then fix up
# the NSEC3 chain to remove it.
#   a = first label of the owner name of the NSEC3 line that has exactly
#       nine fields (no type list follows the next-hash field)
#   b = that line's field 9, its next-hash value
# The awk pass then makes the record whose next-hash is $a point at $b
# instead and drops the nine-field record, leaving a chain that is
# consistent but has no entry for the empty node.
setup ksk+zsk.nsec3.missing-empty bad
zsk=`$KEYGEN -3 -r $RANDFILE $zone 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -3 -r $RANDFILE -fK $zone 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > ${file}
$SIGNER -3 - -P -O full -o $zone -f $file $file $ksk > s.out$n 2>&1 || dumpit s.out$n
a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' $file`
b=`awk '$4 == "NSEC3" && NF == 9 { print $9; }' $file`
awk '
$4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; }
$4 == "NSEC3" && NF == 9 { next; }
{ print; }' $file > $file.tmp
$SIGNER -3 - -Px -Z nonsecify -O full -o $zone -f $file $file.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n
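# extra NSEC3 record
# Clone the nine-field NSEC3 record (the one with no type list), give the
# clone a fixed owner hash and a fixed next-hash that differ only in their
# last character, and append it to the zone before the ZSK pass.
setup ksk+zsk.nsec3.extra-nsec3 bad
zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
# Build the extra record in a scratch file and append it afterwards.
# Appending awk's output straight onto the file it is still reading only
# works while awk happens to buffer all of its output until end of input;
# the appended record matches the same pattern, so reading it back would
# append it again.
awk '
BEGIN {
	ZONE="'${zone}'.";
}
$4 == "NSEC3" && NF == 9 {
	$1 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3H." ZONE;
	$9 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3I";
	print;
}' ${file} > ${file}.tmp
cat ${file}.tmp >> ${file}
$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n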