ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Don't use 'dnssec-signzone -P' unless necessary

Browse Source 
Most of the test zones in the dnssec system test can be verified.
Use -z when only a single key is being used so that the verifier
knows that only a single key is in use.
This commit is contained in:
Mark Andrews
2021-11-18 14:31:52 +11:00
parent 77ca778377
commit dbeea1afa0
4 changed files with 43 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
bin/tests/system/dnssec/ns2/sign.sh
View File

@@ -36,7 +36,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
zone=trusted.
infile=key.db.in
@@ -47,7 +47,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
# The "example." zone.
zone=example.
@@ -72,7 +72,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
#
# lower/uppercase the signature bits with the exception of the last characters
@@ -134,7 +134,7 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
# Sign the badparam secure file
@@ -147,7 +147,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
@@ -162,7 +162,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
#
# algroll has just has the old DNSKEY records removed and is waiting
@@ -180,7 +180,7 @@ keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
#
# Make a zone big enough that it takes several seconds to generate a new
@@ -204,7 +204,7 @@ done >> "$zonefile"
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$key1.key" "$key2.key" >> "$zonefile"
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
zone=cds.secure
infile=cds.secure.db.in
@@ -213,7 +213,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cds-x.secure
infile=cds.secure.db.in
@@ -223,7 +223,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cds-update.secure
infile=cds-update.secure.db.in
@@ -231,7 +231,7 @@ zonefile=cds-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
@@ -239,7 +239,7 @@ zonefile=cds-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cds-kskonly.secure.id
zone=cds-auto.secure
@@ -257,7 +257,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cdnskey-x.secure
infile=cdnskey.secure.db.in
@@ -267,7 +267,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
@@ -275,7 +275,7 @@ zonefile=cdnskey-update.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
@@ -283,7 +283,7 @@ zonefile=cdnskey-kskonly.secure.db
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
zone=cdnskey-auto.secure