grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "check dig's +nocrypto flag ($n)"
+ ret=0
+ dig_with_opts +dnssec +norec +nocrypto DNSKEY . @10.53.0.1 >dig.out.dnskey.test$n || ret=1
+ grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.test$n >/dev/null || ret=1
+ grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.test$n >/dev/null || ret=1
+ dig_with_opts +norec +nocrypto DS example \
+ @10.53.0.1 >dig.out.ds.test$n || ret=1
+ grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.test$n >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
else
echo_i "$DIG is needed, so skipping these dig tests"
fi
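Review bot: The three `grep -E` checks on the DNSKEY, RRSIG and DS output only prove that at least one record carries the `+nocrypto` placeholder; an answer in which a second DNSKEY or RRSIG in the same RRset is still printed with its base64 blob would pass, so the test does not actually pin that key and signature material is suppressed. Pairing each positive match with a negative one on the same file, along the lines of `grep -E "(DNSKEY|RRSIG) .*[A-Za-z0-9+/]{32}" dig.out.dnskey.test$n >/dev/null && ret=1` (and the DS equivalent on `dig.out.ds.test$n`, with the run length tuned to the shortest real blob in that answer), would catch a partial regression. The RRSIG pattern spells the bracket as `\\[omitted]` while the DS pattern uses `\[omitted]`; inside double quotes both reach grep as `\[omitted]`, so one spelling should be used for all three patterns. The `if`/`else` this block sits in starts outside the hunk.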
return 1
}
-# check that a zone file is raw format, version 0
-israw0() {
- # shellcheck disable=SC2016
- $PERL <"$1" -e 'binmode STDIN;
- read(STDIN, $input, 8);
- ($style, $version) = unpack("NN", $input);
- exit 1 if ($style != 2 || $version != 0);' || return $?
-}
-
-# check that a zone file is raw format, version 1
-israw1() {
- # shellcheck disable=SC2016
- $PERL <"$1" -e 'binmode STDIN;
- read(STDIN, $input, 8);
- ($style, $version) = unpack("NN", $input);
- exit 1 if ($style != 2 || $version != 1);' || return $?
-}
-
# strip NS and RRSIG NS from input
stripns() {
awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-echo_i "basic dnssec-signzone checks:"
-echo_ic "two DNSKEYs ($n)"
-ret=0
-(
- cd signer/general || exit 1
- rm -f signed.zone
- $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n
- test -f signed.zone
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)"
-ret=0
-(
- cd signer/general || exit 1
- rm -f signed.zone
- $SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n
- test -f signed.zone
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)"
-ret=0
-(
- cd signer/general || exit 1
- cp signed.zone signed.expect
- grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." signed.expect >dnskey.expect || exit 1
- mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline
- $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n
- mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private
- grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "one non-KSK DNSKEY ($n)"
-ret=0
-(
- cd signer/general || exit 0
- rm -f signed.zone
- $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n
- test -f signed.zone
-) && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "one KSK DNSKEY ($n)"
-ret=0
-(
- cd signer/general || exit 0
- rm -f signed.zone
- $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n
- test -f signed.zone
-) && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "three DNSKEY ($n)"
-ret=0
-(
- cd signer/general || exit 1
- rm -f signed.zone
- $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n
- test -f signed.zone
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "three DNSKEY, one private key missing ($n)"
-ret=0
-(
- cd signer/general || exit 1
- rm -f signed.zone
- $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n
- test -f signed.zone
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "four DNSKEY ($n)"
-ret=0
-(
- cd signer/general || exit 1
- rm -f signed.zone
- $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n
- test -f signed.zone
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "two DNSKEY, both private keys missing ($n)"
-ret=0
-(
- cd signer/general || exit 0
- rm -f signed.zone
- $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n
- test -f signed.zone
-) && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "two DNSKEY, one private key missing ($n)"
-ret=0
-(
- cd signer/general || exit 0
- rm -f signed.zone
- $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n
- test -f signed.zone
-) && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)"
-ret=0
-if $FEATURETEST --fips-provider; then
- (
- cd signer/general || exit 1
- rm -f signed.zone
- $SIGNER -F -f signed.zone -o example.com. test1.zone >signer.out.$n
- test -f signed.zone
- ) || ret=1
-else
- echo_i "skipped no FIPS provider available"
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)"
-ret=0
-if ! $FEATURETEST --fips-provider; then
- echo_i "skipped no FIPS provider available"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- (
- cd signer/general || exit 1
- rm -f signed.zone
- $SIGNER -F -f signed.zone -o example.com. test11.zone >signer.out.$n 2>&1 && exit 1
- grep -F -e "fatal: No signing keys specified or found" \
- -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n >/dev/null
- ) || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "revoked KSK ID collides with ZSK ($n)"
-ret=0
-# signing should fail, but should not coredump
-(
- cd signer/general || exit 0
- rm -f signed.zone
- $SIGNER -S -f signed.zone -o . test12.zone >signer.out.$n
-) && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)"
-ret=0
-(
- cd signer/general || exit 0
- rm -f signed.zone
- $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n
- test -f signed.zone
-) && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "check that dnssec-signzone -J loads journal files ($n)"
-ret=0
-(
- cd signer/general || exit 0
- rm -f signed.zone
- $MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl
- $SIGNER -f signed.zone -o example.com. -J test9.zone.jnl test9.zone >signer.out.$n
- grep -q extra signed.zone
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)"
-ret=0
-(
- cd signer/general || exit 1
- rm -f signed.zone
- $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n
- test -f signed.zone
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-get_default_algorithm_key_ids_from_sigs() {
- zone=$1
-
- awk -v alg=$DEFAULT_ALGORITHM_NUMBER '
- NF < 8 { next }
- $(NF-5) != "RRSIG" { next }
- $(NF-3) != alg { next }
- $NF != "(" { next }
- {
- getline;
- print $3;
- }
- ' signer/$zone.db.signed | sort -u
-}
-
-# Test dnssec-signzone ZSK prepublish smooth rollover.
-echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)"
-ret=0
-zone=prepub
-# Generate keys.
-ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone")
-zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
-zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
-zskid1=$(keyfile_to_key_id "$zsk1")
-zskid2=$(keyfile_to_key_id "$zsk2")
-(
- cd signer || exit 1
- # Set times such that the current set of keys are introduced 60 days ago and
- # start signing now. The successor key is prepublished now and will be active
- # next day.
- $SETTIME -P now-60d -A now $ksk >/dev/null
- $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null
- $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null
- $SETTIME -P now -A now+1d $zsk2.key >/dev/null
- # Sign the zone with initial keys and prepublish successor. The zone signatures
- # are valid for 30 days and the DNSKEY signature is valid for 60 days.
- cp -f $zone.db.in $zone.db
- $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
- echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db
-)
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
-status=$((status + ret))
-
-echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)"
-ret=0
-zone=prepub
-(
- cd signer || exit 1
- # Roll the ZSK. The predecessor is inactive from now on and the successor is
- # activated. The zone signatures are valid for 30 days and the DNSKEY
- # signature is valid for 60 days. Because of the predecessor/successor
- # relationship, the signatures of the predecessor are retained and no new
- # signatures with the successor should be generated.
- $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null
- $SETTIME -A now $zsk2 >/dev/null
- $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
-)
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check dnssec-signzone swaps zone signatures after interval ($n)"
-ret=0
-zone=prepub
-(
- cd signer || exit 1
- # After some time the signatures should be replaced. When signing, set the
- # interval to 30 days plus one second, meaning all predecessor signatures
- # are within the refresh interval and should be replaced with successor
- # signatures.
- $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null
- $SETTIME -A now-20d $zsk2 >/dev/null
- $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null
-)
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
-ret=0
-zone=example
-# If dnssec-keygen fails, the test script will exit immediately. Prevent that
-# from happening, and also trigger a test failure if dnssec-keygen unexpectedly
-# succeeds, by using "&& ret=1".
-$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1
-grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
-ret=0
-zone=example
-# Fake an unsupported algorithm key
-unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp
-mv ${unsupportedkey}.tmp ${unsupportedkey}.key
-# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent
-# that from happening, and also trigger a test failure if dnssec-dsfromkey
-# unexpectedly succeeds, by using "&& ret=1".
-$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
-grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
-ret=0
-ret=0
-cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db
-# If dnssec-signzone fails, the test script will exit immediately. Prevent that
-# from happening, and also trigger a test failure if dnssec-signzone
-# unexpectedly succeeds, by using "&& ret=1".
-$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
-grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that we can sign a zone with out-of-zone records ($n)"
-ret=0
-zone=example
-key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
-key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
-(
- cd signer || exit 1
- cat example.db.in "$key1.key" "$key2.key" >example.db
- $SIGNER -o example -f example.db example.db >/dev/null
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
-ret=0
-zone=example
-key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
-key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
-(
- cd signer || exit 1
- cat example.db.in "$key1.key" "$key2.key" >example.db
- $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null
- awk '/^IQF9LQTLK/ {
- printf("%s", $0);
- while (!index($0, ")")) {
- if (getline <= 0)
- break;
- printf (" %s", $0);
- }
- printf("\n");
- }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out
-
- grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)"
-ret=0
-zone=example
-key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
-key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
-(
- cd signer || exit 1
- cat example.db.in "$key1.key" "$key2.key" >example3.db
- echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db
- $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null
- awk '/^IQF9LQTLK/ {
- printf("%s", $0);
- while (!index($0, ")")) {
- if (getline <= 0)
- break;
- printf (" %s", $0);
- }
- printf("\n");
- }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out
-
- grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null
-) || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
-ret=0
-zone=example
-key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
-key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
-(
- cd signer || exit 1
- cat example.db.in "$key1.key" "$key2.key" >example.db
- $SIGNER -o example -f example.db.before example.db >/dev/null
- sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed
- $SIGNER -o example -f example.db.after example.db.changed >/dev/null
-)
-grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)"
-ret=0
-zone=example
-key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
-key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
-keyid2=$(keyfile_to_key_id "$key2")
-key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
-keyid3=$(keyfile_to_key_id "$key3")
-(
- cd signer || exit 1
- cat example.db.in "$key1.key" "$key2.key" >example.db
- $SIGNER -D -o example example.db >/dev/null
-
- # now switch out key2 for key3 and resign the zone
- cat example.db.in "$key1.key" "$key3.key" >example.db
- echo "\$INCLUDE \"example.db.signed\"" >>example.db
- $SIGNER -D -o example example.db >/dev/null
-) || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -RD -o example example.db >/dev/null
-) || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)"
-ret=0
-zone=example
-(
- cd signer || exit 1
- cp -f example.db.in example.db
- $SIGNER -SD -o example example.db >/dev/null
- echo "\$INCLUDE \"example.db.signed\"" >>example.db
- # now retire key2 and resign the zone
- $SETTIME -I now "$key2" >/dev/null 2>&1
- $SIGNER -SD -o example example.db >/dev/null
-) || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -SDQ -o example example.db >/dev/null
-) || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone retains unexpired signatures ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -Sxt -o example example.db >signer.out.1
- $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2
-) || ret=1
-gen1=$(awk '/generated/ {print $3}' signer/signer.out.1)
-retain1=$(awk '/retained/ {print $3}' signer/signer.out.1)
-gen2=$(awk '/generated/ {print $3}' signer/signer.out.2)
-retain2=$(awk '/retained/ {print $3}' signer/signer.out.2)
-drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2)
-[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1
-[ "$gen2" -eq 0 ] || ret=1
-[ "$drop2" -eq 0 ] || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)"
-ret=0
-(
- cd signer || exit 1
- # remove NSEC-only keys
- rm -f Kexample.+005*
- cp -f example.db.in example2.db
- cat <<EOF >>example2.db
-sub1.example. IN A 10.53.0.1
-ns.sub2.example. IN A 10.53.0.2
-EOF
- echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
- touch example2.db.signed
- $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null
-) || ret=1
-grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
-grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
-(
- cd signer || exit 1
- cp -f example.db.in example2.db
- cat <<EOF >>example2.db
-sub1.example. IN NS sub1.example.
-sub1.example. IN A 10.53.0.1
-sub2.example. IN NS ns.sub2.example.
-ns.sub2.example. IN A 10.53.0.2
-EOF
- echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
- $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null
-) || ret=1
-grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
-grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)"
-ret=0
-(
- cd signer || exit 1
- rm -f example2.db.signed
- cp -f example.db.in example2.db
- cat <<EOF >>example2.db
-sub1.example. IN A 10.53.0.1
-ns.sub2.example. IN A 10.53.0.2
-EOF
- echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
- touch example2.db.signed
- $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null
-) || ret=1
-grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
-grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
-(
- cd signer || exit 1
- cp -f example.db.in example2.db
- cat <<EOF >>example2.db
-sub1.example. IN NS sub1.example.
-sub1.example. IN A 10.53.0.1
-sub2.example. IN NS ns.sub2.example.
-ns.sub2.example. IN A 10.53.0.2
-EOF
- echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
- $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null
-) || ret=1
-grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
-grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone output format ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null
- $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null
- $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null
- $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null
- $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null
-) || ret=1
-awk 'BEGIN { found = 0; }
- $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); }
- END { if (!found) exit(1); }' signer/signer.out.3 || ret=1
-awk 'BEGIN { found = 0; }
- $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); }
- END { if (!found) exit(1); }' signer/signer.out.4 || ret=1
-israw1 signer/signer.out.5 || ret=1
-israw0 signer/signer.out.6 || ret=1
-israw1 signer/signer.out.7 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking TTLs are capped by dnssec-signzone -M ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null
-) || ret=1
-awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -N date ($n)"
-ret=0
-(
- cd signer || exit 1
- TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null
-) || ret=1
-# shellcheck disable=SC2016
-now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
-serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9)
-[ "$now" -eq "$serial" ] || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G ($n)"
-ret=0
-(
- cd signer || exit 1
- $SETTIME -P ds now -P sync now "$key1" >/dev/null
- $SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null
-) || ret=1
-test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (default) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -O full -S -f signer.out.$n -o example example2.db >/dev/null
-) || ret=1
-test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (empty) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db >/dev/null
-) || ret=1
-test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null
-) || ret=1
-test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (no CDS) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null
-) || ret=1
-test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null
-) || ret=1
-test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
-test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (bad argument) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
- grep "digest must specify cds:algorithm ('foobar')" signer.err.$n >/dev/null || ret=1
-)
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (bad digest - name) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
- grep "bad digest 'cds:foobar'" signer.err.$n >/dev/null || ret=1
-)
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (bad digest - number) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
- grep "bad digest 'cds:256': out of range" signer.err.$n >/dev/null || ret=1
-)
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
- grep "unsupported digest 'cds:gost'" signer.err.$n >/dev/null || ret=1
-)
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)"
-ret=0
-(
- cd signer || exit 1
- $SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
- grep "unsupported digest 'cds:200'" signer.err.$n >/dev/null || ret=1
-)
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking validated data are not cached longer than originalttl ($n)"
-ret=0
-dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
-dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-grep "3600.IN" dig.out.ns3.test$n >/dev/null || ret=1
-grep "300.IN" dig.out.ns3.test$n >/dev/null && ret=1
-grep "300.IN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "3600.IN" dig.out.ns4.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
# Test that "rndc secroots" is able to dump trusted keys
echo_i "checking rndc secroots ($n)"
ret=0
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-echo_i "check dig's +nocrypto flag ($n)"
-ret=0
-dig_with_opts +norec +nocrypto DNSKEY . \
- @10.53.0.1 >dig.out.dnskey.ns1.test$n || ret=1
-grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
-grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
-dig_with_opts +norec +nocrypto DS example \
- @10.53.0.1 >dig.out.ds.ns1.test$n || ret=1
-grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)"
ret=0
before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-echo_i "check the acceptance of seconds as inception and expiration times ($n)"
-ret=0
-in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
-
-exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
-
-out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//')
-[ "$out" = "$exp" ] || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
echo_i "check the correct resigning time is reported in zonestatus ($n)"
ret=0
rndccmd 10.53.0.3 \
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
-ret=0
-alg=1
-until test $alg -eq 258; do
- zone="keygen-$alg."
- case $alg in
- 2) # Diffie Helman
- alg=$((alg + 1))
- continue
- ;;
- 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard
- alg=$((alg + 1))
- continue
- ;;
- 1 | 5 | 7 | 8 | 10) # RSA algorithms
- key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 15 | 16)
- key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 256)
- key1=$($KEYGEN -a "RSASHA256OID" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- 257)
- key1=$($KEYGEN -a "RSASHA512OID" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- *)
- key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
- ;;
- esac
- if grep "unknown algorithm" "keygen-$alg.err" >/dev/null; then
- alg=$((alg + 1))
- continue
- fi
- if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then
- alg=$((alg + 1))
- continue
- fi
- if test -z "$key1"; then
- echo_i "'$KEYGEN -a $alg': failed"
- cat "keygen-$alg.err"
- ret=1
- alg=$((alg + 1))
- continue
- fi
- $SETTIME -I now+4d "$key1.private" >/dev/null
- key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null)
- test -f "$key2.key" -a -f "$key2.private" || {
- ret=1
- echo_i "'dnssec-keygen -S' failed for algorithm: $alg"
- }
- alg=$((alg + 1))
-done
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)"
-ret=0
-if $FEATURETEST --have-fips-mode; then
- echo_i "skipped: already in FIPS mode"
-elif ! $FEATURETEST --fips-provider; then
- echo_i "skipped no FIPS provider available"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- $KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true
- grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" >/dev/null || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)"
-ret=0
-if $FEATURETEST --have-fips-mode; then
- echo_i "skipped: already in FIPS mode"
-elif ! $FEATURETEST --fips-provider; then
- echo_i "skipped: cannot switch to FIPS mode"
-elif [ $RSASHA1_SUPPORTED = 0 ]; then
- echo_i "skipped: RSASHA1 is not supported"
-else
- $KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true
- grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" >/dev/null || ret=1
-fi
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)"
ret=0
dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
-ret=0
-# generate signed zone with MX and AAAA records at apex.
-(
- cd signer || exit 1
- $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null
- $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null
- echo >remove.db.signed
- $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.pre$n
-}
-# re-generate signed zone without MX and AAAA records at apex.
-(
- cd signer || exit 1
- $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.post$n
-}
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)"
-ret=0
-# generate signed zone with MX and AAAA records at apex.
-(
- cd signer || exit 1
- echo >remove.db.signed
- $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.pre$n
-}
-# re-generate signed zone without MX and AAAA records at apex.
-(
- cd signer || exit 1
- $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
-)
-grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
- ret=1
- cp signer/remove.db.signed signer/remove.db.signed.post$n
-}
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
ret=0
dig_with_opts managed-future.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-echo_i "check that dnssec-keygen honours key tag ranges ($n)"
-ret=0
-zone=settagrange
-ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone")
-zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone")
-kid=$(keyfile_to_key_id "$ksk")
-zid=$(keyfile_to_key_id "$zsk")
-[ $kid -ge 0 -a $kid -le 32767 ] || ret=1
-[ $zid -ge 32768 -a $zid -le 65535 ] || ret=1
-rksk=$($REVOKE -R $ksk)
-rzsk=$($REVOKE -R $zsk)
-krid=$(keyfile_to_key_id "$rksk")
-zrid=$(keyfile_to_key_id "$rzsk")
-[ $krid -ge 0 -a $krid -le 32767 ] || ret=1
-[ $zrid -ge 32768 -a $zrid -le 65535 ] || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
echo_i "checking NSEC3 nxdomain response closest encloser with 0 ENT ($n)"
ret=0
dig_with_opts @10.53.0.4 b.b.b.b.b.a.nsec3.example. >dig.out.ns4.test$n
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)"
-ret=0
-(
- cd signer || exit 0
- key1=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
- key2=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
- key3=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" revoke.example)
- rkey=$(${REVOKE} "$key2")
- cat >>revoke.example.db <<EOF
-\$TTL 3600
-@ SOA . . 0 0 0 0 3600
-@ NS .
-\$INCLUDE "${key1}.key"
-\$INCLUDE "${rkey}.key"
-\$INCLUDE "${key3}.key"
-EOF
- "${DSFROMKEY}" -C "$key1" >>revoke.example.db
- "${SIGNER}" -o revoke.example revoke.example.db >signer.out.$n
-) || ret=1
-keycount=$(grep -c "RRSIG.DNSKEY ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-cdscount=$(grep -c "RRSIG.CDS ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-soacount=$(grep -c "RRSIG.SOA ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
-[ $keycount -eq 3 ] || ret=1
-[ $cdscount -eq 2 ] || ret=1
-[ $soacount -eq 1 ] || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
echo_i "checking validator behavior with mismatching NS ($n)"
ret=0
rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
"canonical*",
"delv.out*",
"dig.out.*",
- "dnssectools.out.*",
"dsfromkey.out.*",
- "keygen*.err*",
"named.secroots.*",
"nsupdate.out.*",
"python.out.*",
"ns7/split-rrsig.db",
"ns7/split-rrsig.db.unsplit",
"ns9/trusted-localkey.conf",
- "signer/example.db",
- "signer/example.db.after",
- "signer/example.db.before",
- "signer/example.db.changed",
- "signer/example2.db",
- "signer/example3.db",
- "signer/general/*.jnl",
- "signer/general/dnskey.expect",
- "signer/general/dsset-*",
- "signer/general/signed.expect",
- "signer/general/signed.zone",
- "signer/general/signer.out.*",
- "signer/nsec3param.out",
- "signer/prepub.db",
- "signer/revoke.example.db",
- "signer/signer.err.*",
- "signer/signer.out.*",
]
)
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12263
+;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
+;; WARNING: recursion requested but not available
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags: do; udp: 1232
+; COOKIE: d70bfeeee608e7490100000068630120672a49b90d12287f (good)
+;; QUESTION SECTION:
+;algroll. IN DNSKEY
+
+;; ANSWER SECTION:
+algroll. 30 IN DNSKEY 257 3 13 8ZsRCWjcBidh4U5O2xldz97ZODaXz9FzeNxQVcpf2bOlKE6QOSEgkvuG IYNnOuHwekp4wpC4x8aqEsULsO1p4w==
+algroll. 30 IN DNSKEY 256 3 13 w6cJYtYydN0OL+N64KM75NtWtl+KUzPCqGD9TE9vO+cCtb5qILojunGr jjxT3LzGVjgwhyLReJwVJkIDMWvHXw==
+algroll. 30 IN RRSIG DNSKEY 8 1 30 20250730202512 20250630202512 47525 algroll. vDuABgFYmjaw9ehT+lb4KDDnOiFu/Ts3LqAFLLRDU9CpPGIY0eH5c00P seEpRaapEF8N55t8/MRQpMxWaQCd67ERenUn3DFuSDACYoftyAdXsFvi 56giRNDziVhWJXKaQDQ/DIfLJ3W7F8BFSVZCFKq5Gv4MiS92+uvdQUkl 7cIgmJEWpcZ7PQB55r0vQizBP8rXrpcMXMtsojTFXQjF0uomW7/o1RIv KOQTcUnqfT1X4nRkQghhJQNJMftVrjVRkxPu+zq2AST+s2XQD9DBntA3 LFd1Yy1+X3OypjY9ZuD6Y5tC+5e1+IEY2CG/fbrqywMo/4pQ3DZ4ZbWC KATW1g==
+algroll. 30 IN RRSIG DNSKEY 8 1 30 20250730202512 20250630202512 60676 algroll. fMZaKG2IwwFMoglH5UxZBVjtT0XGwGokdmO+mA6EJxnBBpKXwhBpv24r Mn61ZXN+pmpn4yUDIsMc1Mb6Irwnak7REfsVO/CKmhNmx/hjmoC2y6B5 +xkoUxCDml8hn/nAFftNVpaFq//1UcPyaXvvALN73hgyuE/Cnrl8DTLL kXfqPzHi7sbEgJf2Fkk0crc+gb4E+Wdrz3D354ogRZ2sguvnOfBZvzA/ uQ5UqKtVx2/44C/nW9Wbnkdi+Z1RuRKJOOoJBHIE0f1dTYnbyUOEMEIW AOAUzoKStDnNom0aWfDs6CGQmPcc9vHp2j63D+h2PkfzmyvHI2K3T9ep HbDCMw==
+algroll. 30 IN RRSIG DNSKEY 13 1 30 20250730202512 20250630202512 13162 algroll. otMMLO7OiYbMvZsYDKBzJrJKsN5E5WCfQLP2KWo5/V0c88U/PJHY9kEa ysChyPRLDM5VN5WnRzzPxgT/KMnqWw==
+algroll. 30 IN RRSIG DNSKEY 13 1 30 20250730202512 20250630202512 54661 algroll. nHj9WTm112HMVGpcg3BsBb4s12R3pLl/mVYnz8snFDBuLrRS0dERMQSp PuNmd3D9WDbLyFBClrjzG+BDHBSILQ==
+
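Review bot: This captured answer has a fixed RRSIG validity window (inception 20250630202512, expiration 20250730202512), and two of the four signatures (key tags 47525 and 60676, algorithm 8) have no matching DNSKEY in the answer section, which looks like the intended algorithm-rollover scenario but is not stated anywhere in the file. If the pytest that consumes this fixture does anything time- or key-dependent with it rather than comparing text, it silently starts failing after the expiration date; I cannot confirm from this hunk which it is. Suggest a one-line comment after the license header recording how the fixture is used, e.g. `; Captured DNSKEY answer for the algorithm-rollover check; the algorithm-8 RRSIGs from unpublished keys are deliberate and the fixture is compared textually, not validated.` adjusted to what the test actually does.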
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+algroll. IN DS 54661 13 2 56CE829B928999965B985F77B8725A553B87FDB4B5241AAA1B306959 5621764F
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51808
+;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags: do; udp: 1232
+; COOKIE: e2c7e750ed266cde0100000068630121f863ce122f5ef67e (good)
+;; QUESTION SECTION:
+;revkey.example. IN DNSKEY
+
+;; ANSWER SECTION:
+revkey.example. 300 IN DNSKEY 385 3 13 8dtsAwGIpEVKQMxW/Oyf+aoUU6keQ3+q7jeKcXc1GZf9O/wb5a93ghI9 mnmJSMKNPOXUZlz8XuwNu0kuIU/f+g==
+revkey.example. 300 IN DNSKEY 256 3 13 E+r2vT9F+V/dV2RALkjYSFyZGSv2FMjzNSgscold+M6tT7HRlWU5dOSF BhJfHF1AwyzWjsn2AjdhU15VZQxb7g==
+revkey.example. 300 IN DNSKEY 257 3 13 utSQOEBp4zNV8AnNC+aEU+Pf+zXcutD863bKWhWQRVB/+yBUmtS/q26H ke68j35nLAywm+7/OS+x7Iryhlnh/w==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 25492 revkey.example. p+D2U3RHcdklSeehdbPP1aoZSRYD0rjbQW1cR8PqygCFaWX3M88D5aKS m8L2t6kl5w6ks529zWkpZWsBSj2Vnw==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 54617 revkey.example. fCB4AYrdcceLW5MeDpGim5ItqGOCyw0/M1WYNsbj5D0G4P7lACRISJng plg/H3n1EZUN69H7suKcYo/fn+VT0Q==
+revkey.example. 300 IN RRSIG DNSKEY 13 2 300 20250730202509 20250630202509 57467 revkey.example. lZLA4ik9SoF4+nyQlBoA/Haj8OO/sBpYQ3e597StgSKX2Cq3apfXGcB2 jLIu0raNQ6OjqI2WtwHhKauPlJZloA==
+
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+example. 60 IN SOA example. . 0 0 0 0 0
+example. 60 IN NS example.
+example. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
--- /dev/null
+; This is a key-signing key, keyid 23640, for .
+; Created: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Publish: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Activate: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Revoke: 20250310185208 (Mon Mar 10 18:52:08 2025)
+. IN DNSKEY 257 3 13 uKwpRtMH+9iuUk/Xj6LciIP5ZckaBtXaUqxUxzJYexXjvxGZGX4470Jv hq2NCI3HBZQNaCCP/h9sluhIzRGPTA==
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: m5udfGNSijISQ8Tfp4kx09O1em4PErLUw/mCj3SKmqw=
+Created: 20250310185208
+Publish: 20250310185208
+Activate: 20250310185208
+Revoke: 20250310185208
--- /dev/null
+; This is a zone-signing key, keyid 23768, for .
+; Created: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Publish: 20250310185208 (Mon Mar 10 18:52:08 2025)
+; Activate: 20250310185208 (Mon Mar 10 18:52:08 2025)
+. IN DNSKEY 256 3 13 TFelYtTRBWeA9A307vvuWIcaNwW4txW4RgSELtsi46ZQs24ncRxmxtFf uJuPyVXePNiE4HNI9CIowGUsn5WuBw==
--- /dev/null
+; This is a zone-signing key, keyid 19857, for example.com.
+; Created: 20220902075244 (Fri Sep 2 17:52:44 2022)
+; Publish: 20220902075244 (Fri Sep 2 17:52:44 2022)
+; Activate: 20220902075244 (Fri Sep 2 17:52:44 2022)
+example.com. IN DNSKEY 256 3 5 AwEAAaUr14RTAa2dr/JPoMv5QM32IbLMNUZFPAM9M2Zm6Ef9S3/UsRk9 W+P08Dx5Xte/PMuZK8ejWUyou37LowmVbahkP2kcS7Z552btsLnGK2+5 me5Y/GgnodhMVN7phkEQNPRKSUQQyLdQC6Ltzt0JVp48q4PmgCta22et rgq1YEoj2E8Po53bn5eQXCUsnkBFhkql9/17Ls2ckWNBkHWiItMDaWk7 qkM4ZJu7C/jq3ybBjn0bi4Svlt7PNiuuo3h5WaJYJHXd2M7PIN14rUDE cas/b+iy4eF7VC3CRUgt1spFinW/G4wSro55e6phstc3I1BE6B+pC4pq eGlAfQqWWcs=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: pSvXhFMBrZ2v8k+gy/lAzfYhssw1RkU8Az0zZmboR/1Lf9SxGT1b4/TwPHle1788y5krx6NZTKi7fsujCZVtqGQ/aRxLtnnnZu2wucYrb7mZ7lj8aCeh2ExU3umGQRA09EpJRBDIt1ALou3O3QlWnjyrg+aAK1rbZ62uCrVgSiPYTw+jndufl5BcJSyeQEWGSqX3/XsuzZyRY0GQdaIi0wNpaTuqQzhkm7sL+OrfJsGOfRuLhK+W3s82K66jeHlZolgkdd3Yzs8g3XitQMRxqz9v6LLh4XtULcJFSC3WykWKdb8bjBKujnl7qmGy1zcjUEToH6kLimp4aUB9CpZZyw==
+PublicExponent: AQAB
+PrivateExponent: HzQaIgCAd6krnS5X5VDwYjiWgy26/syDmuUL+dOFHFyIz9yBnJAP9Q/H9tTDCyUwuhH0yGFetHHIAhs8cMoPDlnp9NSIpS+AfNx4n5AFkrTQlMuw24hpNfCts/MQDuid6GzETJyTHrZ7jEs64l0qRPiXOnLoUch3XK3eDF3ZlAfFkoPBFA5KIbiK8dcCahUmV4WReyE80X2N2dUloE8vLzy/j7yY2z1/HjhAu74S264wQMxNmJ0MsHeu78y7n8SKEJxncbgAciCNoamiQFiBGYYrs72B6BGHc19fhD5G7ldjpXukes9bHJSgj5ohseRJ27hkK7sKnqzOx/5Se6F5EQ==
+Prime1: vNcFqw4Gu/gsEcte00YXSGGkOWlsEAOEARMy+l7yYVC9GMR41YuINydu42Bj+D/Qq1ifYk9ok26VnXsJ6GFWK9DdFFtSElCzq1Crb7/7yuRR86cM9UBr3045g9tvlH6sL+yeH1ESr8vNZtmlytDifw2Xp2kg0xoJnlnV0ZXphOk=
+Prime2: 3+nmSodd/lDzVvn3uGMKux2B1mI2iApKM6bbwMwrzobN5bFkLkW1y1PuOYJytX1Sm39ecLCPYEmSf56kCitAquj7B98sblg05Y1QKvTTyX4uUsKFx3YAjvgp+acuI0Rq5J5GeSFCvdttgqAWdvvjoI8ic44K3sT1XTexaoLByJM=
+Exponent1: jUmr2gHSlAzonB+3QQfuH5++iZ4Q1iJrP4qn15/2ZU1NThyh89REBFAirUjPQ0wryieyiJG1Qqm4k20dSpqZKItK/hIdY8qxwvnGawQPVgxiLJTOIykiDJ+wdLFX2Ji2J903qWK1QoaPleY+H3MOI9V9pCoJ/yg6DhpU2kz5vRE=
+Exponent2: 04rLQ0Y4ivg3rchjPRR1Iupxq/UFx+jQyZOusaszB99bztGU8BJz+jDFNBgF/2jzDm1678Qe8L0RZvidye2rHs0VvQ4fj/BNqUGkp7C+FfLcGNwmP5dAV9Ik9fP4JuGQi4Ts16uQvoX8JBjSoH7BQwN3bOyZYHV7yiG/v/zgz3k=
+Coefficient: l8vCrMMiS8eWYQNM/SPa4/swn1/EZtcgPcBqMa3zia+9rOJ4/mzRcQTKz6B7c7Z9BVoTzMWGlgd94PTDeLN9fbTNmRs/8JwwgzJ8FeJeisvZquvarFtq2PdVVZQSxTwt7N6DUMVcA8Vbdq+uGjJghs22/sJ23MS3key+PUHtwFI=
+Created: 20220902075244
+Publish: 20220902075244
+Activate: 20220902075244
--- /dev/null
+; This is a key-signing key, keyid 45884, for example.com.
+; Created: 20220902075336 (Fri Sep 2 17:53:36 2022)
+; Publish: 20220902075336 (Fri Sep 2 17:53:36 2022)
+; Activate: 20220902075336 (Fri Sep 2 17:53:36 2022)
+example.com. IN DNSKEY 257 3 5 AwEAAZ6aTwNhgMDJ8AObT38LEX4nZe0CFXKkFv8fzBhEJEWgJRplhEhx laqGc47NoXChBiz5qdX2qAC0zi4CRydmV8TdG9shpED9kapIl7KVM3wj +irX36R9TpFT7Otmvsh7/RbRfpKz4I0pCC01hRHyj7EodMC4j3LMF9sc GWNmiOTQI1PTxbvIEDeDfoTUDMFzvOwVmH1Bq+SzA9Ikm2VADZO4vIIO J/07lWT+LDQ/g1qiCNaSDyNhGfNVf8xYvmB8OXomGFLqDuSpUkwdL5kB 2gGmnUbIH+Pn+pcN9fxVniKH3mzYEGCxIspePbhvwDfB30gTmE8uaFMa 7McouGKW3Ps=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: nppPA2GAwMnwA5tPfwsRfidl7QIVcqQW/x/MGEQkRaAlGmWESHGVqoZzjs2hcKEGLPmp1faoALTOLgJHJ2ZXxN0b2yGkQP2RqkiXspUzfCP6KtffpH1OkVPs62a+yHv9FtF+krPgjSkILTWFEfKPsSh0wLiPcswX2xwZY2aI5NAjU9PFu8gQN4N+hNQMwXO87BWYfUGr5LMD0iSbZUANk7i8gg4n/TuVZP4sND+DWqII1pIPI2EZ81V/zFi+YHw5eiYYUuoO5KlSTB0vmQHaAaadRsgf4+f6lw31/FWeIofebNgQYLEiyl49uG/AN8HfSBOYTy5oUxrsxyi4Ypbc+w==
+PublicExponent: AQAB
+PrivateExponent: SSWu0kbaPFAGH4u2NsgSicW+5vfCj4xpRMHT/c8TkX8CDbILN+QW3D5FNnPVBJ5nPD/rGdC3/BdnTeXkDiJP0W4Ohlp2KDkqQMhZGlZgl9z56F+GeBUIstLrnkfVLp6sg6UcBKnsIv5tFHiuBjCCH/kiG64jDpVdXUMQ3HyyHyC67sB1gIqpZdhQxFliVIaebwXHlv4uWi31DxTUj0mmutmpTD1r4z+43DlU3JL07WBBpIoOmG/GoFoDr+JNWWwArnhHDZFl6XL1Z2u5ojdIOcgLTXcU1SdvFwBHIAH9PIwvow0gVcZTIHwDYJ41CL6YExXF8ymVpIPspZPaFwSxvQ==
+Prime1: 2iWvbJTRrJuceM1CgOTMMoi/qMN/GtthmbL5V0w+hyFE6UzCWYQXED5YTPtoXk9tZ/YpnD7i5i7ru8VbLx0DAIrLkAFP3Xpxa7dvdRGzyPGuYARsjgNnj57M5Sl1tTTsZpkXaKEeiONCA6+vcSuc2l1NxqdDbhC/TwlpjOAbPRc=
+Prime2: uh+ZuRel3T3qvD7acXm2UyF2BdeEEwwIvzqZVi3uxwUTd/TxFA7+3xuX6LNM+HK5fNxuB3exVC8OzALFzUOOJECVFUfhKi/1+VrVfBuJnyLlqQ14RncbZvsn+ScfGZpgYuacvq0zWiP2scxmXSQxchxcFVRCKFRCCVGVuOLzNb0=
+Exponent1: coA7TrPiRkY7YBDk6kCtiYzLhKpwaclitkkBpTeozkbBI++dR10UufrvYCDJzE7Gbz3+4zsC360bIKjbTqRcsgkoBcMah3bAV7ilsP4EruFkFJPd4sCYuAKzK0mStfU8bDHI3qtLGrCmMschQDaTEu7MZwveUcRKlhKrqzzqLys=
+Exponent2: jlnU7KeViBzvB4La96crN3GEHvuyXA78MaXT2QHQeg770OdZ6wl9DY7BJIzd9bdo/oJo9PUqf0RugMIuHsvoTvnGDDypjeaYrlo2pXE6VKgQFrfioaI/Jwg4jmrJcn+L8JiIkZ1OhUa0S1AVim9AEhJ2qymCX+3xg8cOSBXsBdE=
+Coefficient: xotWVi9P/9Xr1FlKANoKVviBZaoT0xqbrVJLdmSLvyca+OipgxDilaPq+To7nAujkwtH/qdR14CHbkFSjxzzEp3jhOOSeh1HysCDlk5N7dCz2X+FHv977IYeC9vuGPG75Vbz18D7FUEy0huXgq003zJdd0e7djNca9a/GAp3gvc=
+Created: 20220902075336
+Publish: 20220902075336
+Activate: 20220902075336
--- /dev/null
+; This is a key-signing key, keyid 15002, for example.com.
+; Created: 20210423012926 (Fri Apr 23 11:29:26 2021)
+; Publish: 20210423012926 (Fri Apr 23 11:29:26 2021)
+; Activate: 20210423012926 (Fri Apr 23 11:29:26 2021)
+example.com. IN DNSKEY 257 3 8 AwEAAdp+oCXl7vpKA3Mmyndx6/iA+wLrtxeMUiWL7uWJ9ZF24EdS8Dye 63p0lGlyvjvM9T5dTiyEpTAdutEBr79H0MlDqIBqpadrCdJRI2S4kC+0 nq5+Aj2CEyiAamPGujwWeXwtfLAvVPfBqs42PBr6wPQIJOByFYDaZBU3 enUEWgHYy/7OnJDrt0QlswKphR6SvYtyuixiUR8J/WouWXglUY5qlC7Z vVDxs9E4q7B1mfKCyoqcFMKPh9lzEBH+IfUZ543xXEYf2BEztKB1SZ2R QnpYedjATGDcgPis46uA2gHMfvDYJTQ5UqTBtveGb3Wsqc0oRXVPMEoY 3WnWhaKDzkk=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2n6gJeXu+koDcybKd3Hr+ID7Auu3F4xSJYvu5Yn1kXbgR1LwPJ7renSUaXK+O8z1Pl1OLISlMB260QGvv0fQyUOogGqlp2sJ0lEjZLiQL7Sern4CPYITKIBqY8a6PBZ5fC18sC9U98GqzjY8GvrA9Agk4HIVgNpkFTd6dQRaAdjL/s6ckOu3RCWzAqmFHpK9i3K6LGJRHwn9ai5ZeCVRjmqULtm9UPGz0TirsHWZ8oLKipwUwo+H2XMQEf4h9RnnjfFcRh/YETO0oHVJnZFCelh52MBMYNyA+Kzjq4DaAcx+8NglNDlSpMG294ZvdaypzShFdU8wShjdadaFooPOSQ==
+PublicExponent: AQAB
+PrivateExponent: SD4X64/0DTONonRP+2Biej8DP7r6RcHyo1F6QtDzrg4VJ+AHaLPO/iUvsRHsTk99QwqMv3F4QMmDrHmXR3KSWQmS3Crm7M0aaTzErBfOLMfWs7EcQoQQm5KiGq1phFaWAnXzxTlRKb4SIK6T/wOr6sQKlV+DNqB++Pjn92rh67vLM8kZBUzWI14Vl9N0ib+xOOFH1oYFo7ynDgMfJhpnQSkuRfyQls3aD1eKQsNazRtZ7lFi2S0HR/V0AKYH2AQi7SdL5wH6hYba5cHfpKSw7PebI0lYkUJ4PAg3Xw7DPMkg8O0hkpLICpU8x7MPqQQ74eKDaEY+fjbL0KLL0Dy9UQ==
+Prime1: /IDRb7WzMY6wp14LqDORULoUnmiQOqkRjOQnCoEXT2KVpYwPmGMG+GR40hrMFgqqAZFVmi56VBoasWpYbSBEqM4aJv1JVimMPREk23v5i+TY93kxICO/ee9/v0hXgLmrKUkS1Kwu4a1PxLX5U/LAzXPR6zF+EHP9OKFjDRWHqN0=
+Prime2: 3YU9QdtsXofjNmlDETRwemKv45pa0oVNPmNvS1vtzIpQ3m/QSuhJxzyTgSP9x1XMiIsg63er3LOCtkRifXVE1IBrfIUgchp8YD5LsyesRl2ielE8Hw8PwSA1YjUVu90yRHcVfbZJ8lm2KyRKHgDWXz94t2Xnm/9M5XjUGuNW7l0=
+Exponent1: 7KIkpJYZyvW4ZAFk10sMgiUBMbs4f2D2i509YUC9ga4YJD7wVpVncN1nxS9L19RCopl7KbUo+yxDm8TX/dzhu3j7VVLFqbPiM1Cfw/mZUhszoii3ezFFPpbOl4rKRl66I0TSGvEKNoDfYrBPavby7Rf/wHRveifZRXspgpeMvRk=
+Exponent2: yvvtjuxW2CRiopg/+YL40lyd2cy2DpRRnKqW8BHzzGquAbWpwwopmOS8MSjewgqv2irK5pmJJTpku0nciiOsB6EJXVfLzGLSt4o96ZOf+/aPDNBla/xsLkaqRCxqlvPwvOX2DnS8O9PS5qNhOy7/QNYzcrJxUfPV7awTh/Pr040=
+Coefficient: PHxU1tqPKTpI/8nABvso0SRerc1m+RPWGRk7s/SVcADSBvEW7fUDcwiZeRfK9MdlwPvLiVozbYnRbgRQl8GuKSqAD1+Cnvn2yOQk81AgNKbuKPwF7UvKIdq/c/xnhj2bvZUVSavJ91ux/RlZNP50378Ks8bj5HJl1xzAMVHXB5o=
+Created: 20210423012926
+Publish: 20210423012926
+Activate: 20210423012926
--- /dev/null
+; This is a zone-signing key, keyid 63613, for example.com.
+; Created: 20210423012810 (Fri Apr 23 11:28:10 2021)
+; Publish: 20210423012810 (Fri Apr 23 11:28:10 2021)
+; Activate: 20210423012810 (Fri Apr 23 11:28:10 2021)
+example.com. IN DNSKEY 256 3 8 AwEAAZzun7bYfjmGDwUEn4pyJG34vsiawRMW6pEdoNMH87ozxriOzgG6 /4zTjEv8JyYjGQz2k2vcoWWcD+86xD5IUqfa1pdXXUU8bdhG9DBtW/K1 mc4P6g8heU+0f++mq/L4TPlWVZUG8lVH4H8mD6r8PsVK7v/QR7wMeg9b JpCYyxon2A9rZ4zS0J9kX9bfciQVh6ODGVENctwEK5FNp5u0VonPEIx3 5Kj+IVn/mHpfbz4LaC02s7C6Kgvn3ToFFSJczwbOaexl/d+/ai8FLJi7 8UgiAq5/178bcVLItMeY6aD5eQGkRtr2c3JZ/JR4Nf+TQAWFBnl9NSDa RH4Qa55ZNqs=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: nO6ftth+OYYPBQSfinIkbfi+yJrBExbqkR2g0wfzujPGuI7OAbr/jNOMS/wnJiMZDPaTa9yhZZwP7zrEPkhSp9rWl1ddRTxt2Eb0MG1b8rWZzg/qDyF5T7R/76ar8vhM+VZVlQbyVUfgfyYPqvw+xUru/9BHvAx6D1smkJjLGifYD2tnjNLQn2Rf1t9yJBWHo4MZUQ1y3AQrkU2nm7RWic8QjHfkqP4hWf+Yel9vPgtoLTazsLoqC+fdOgUVIlzPBs5p7GX9379qLwUsmLvxSCICrn/XvxtxUsi0x5jpoPl5AaRG2vZzcln8lHg1/5NABYUGeX01INpEfhBrnlk2qw==
+PublicExponent: AQAB
+PrivateExponent: N4egcDzO/V/YdLgcFAsrpNY9/BH2e+DCA7NuMv4/WgX0LV4quyYGQzigDksdNzt4I8Qkiig53BCK+uXahwdkaAzhng/F6zfkzoDc6z3nKUzlLasn8U6w9Gk0VAKwGXuPETNheShKG68hWxyGssQrGfjX9SEoIPxxPHnOfZ/zTj95KAnVV5qPz90xVAb0+FUrLXAt72KuRwepOTlsETsMFDKe17uUCqCCdX98Ko0u14wrO6zGRQtNhUsfvNB/pY8fvbHD1GcCTbFSx4FxsUsZMrNtMsvMe3HN9ggC0Y9htbH9HV0hS0w9SKCUyoeOVwf/JZL4hlfoe8+jglsyJpAgoQ==
+Prime1: zeXvO3PT4iXv9GlGeebl39pF1sXs8tXY4B9VHUJGGSYlyOlyCEy4URQJIPfuL6VjFKCErSxUJSrGz0HyQuKr8l9qP/0MGxGRH7wxvUR7YTmai84yyQ4fFENRmn8bzxGwj0MVHIW7cKC59j7nWT24gseT21/NP5m8EnPsjz/K40M=
+Prime2: wx5vVFSydUfr8HtOHNS1kRrTjhnQOfjmj8SxGi72Hk+mgi9fBCTC5fRLifd80wGbgyFk1vZOXeStOC8L3IlnBGLX0O9MNip+vVX3hRzIRhLwHhL1ygN3xEd04qwVH0XJ8+4A0XCzh/FJgW59F62geN6gwedo7GmZAOSZUBAyRHk=
+Exponent1: IlkqeLuQ7Fgx2I87b5iiXp62Keco6TXdkT4I3/GvagCgKw0utc2+rd/uye4ycQZhKg7BM3aCrxScx/STaq8PykY6nmQjgdyDXkzx60YiYwzOCGakuD+/1YyJb4Gm7PthffTN780rgNV/UGIcDBoszrxmoSExR1vpMRbfruIQgas=
+Exponent2: or0Os/KUibc79W6Snv9WlLkgPAQRpViQzNaLtD/47R0Xzrs975HNsMgJ/P+bb86Ga1994MC8ahmh1BuBNCax8nmScWQ1V3QoEzjRYoe4DqIa/aposF4mFWJX/fry/wtRPo+CxSzPwJGh8j86PHaHQmjFAhVFcPE+OP1xVdK8alk=
+Coefficient: r5wPmPXUF5pVC0Y7La3jVkL4w/3wvq9LBz91tH9gA8OUNLpDDBuFZISiJdhOZ4JVw+qSSoHcEa+3Phd+BqxmXzwZDU1Fqta9mLDDGCqCWjVQOopeeJgrvkv9P0TIzEuoGmW50cQhyqHYCtuUxjOnHfiQSc53p7rfD4Vom1VQ3Ok=
+Created: 20210423012810
+Publish: 20210423012810
+Activate: 20210423012810
--- /dev/null
+; This is a zone-signing key, keyid 18240, for example.com.
+; Created: 20211221062121 (Tue Dec 21 17:21:21 2021)
+; Publish: 20211221062121 (Tue Dec 21 17:21:21 2021)
+; Activate: 20211221062121 (Tue Dec 21 17:21:21 2021)
+example.com. IN DNSKEY 256 3 10 AwEAAe5GunnuJFyzmKiGUknSQY3aPtR5UR8vNLLyMCJswffRzoYwY14/ 60ZTsqzh7N+lJV3KAOraocFSsTnmWIM7D7DPpqtaJMQw90ypBG0cnUP1 wKX9L/gdOH/ITlluBiZpCv9Aux3FRECHBO4Gx8Rse8ST2Vag3UuOPW+q HkLsWQt22K/hYuDhEtUWWx2dTIaXUVXNSNbk2zPL+lhC9PaRV+//1Fjo UX4qXCUuUN4TiqlkK2v4UkcIyld1n2R7qTQAkoN9amGFtPu8z5Zw7CxC San03yUSNuKub3fGys11gQRFuEHRX7FxKxvJjmcngG9qCh8AyfHZ8zYb VstTy1unFoM=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 10 (RSASHA512)
+Modulus: 7ka6ee4kXLOYqIZSSdJBjdo+1HlRHy80svIwImzB99HOhjBjXj/rRlOyrOHs36UlXcoA6tqhwVKxOeZYgzsPsM+mq1okxDD3TKkEbRydQ/XApf0v+B04f8hOWW4GJmkK/0C7HcVEQIcE7gbHxGx7xJPZVqDdS449b6oeQuxZC3bYr+Fi4OES1RZbHZ1MhpdRVc1I1uTbM8v6WEL09pFX7//UWOhRfipcJS5Q3hOKqWQra/hSRwjKV3WfZHupNACSg31qYYW0+7zPlnDsLEJJqfTfJRI24q5vd8bKzXWBBEW4QdFfsXErG8mOZyeAb2oKHwDJ8dnzNhtWy1PLW6cWgw==
+PublicExponent: AQAB
+PrivateExponent: U/ipDv9V4TWJvxpXNZzbbVpUehym8g54y/d97yPU17kgxzmWS0jLaWVluneEOuzAVmUyHZIfHzo9KuJ6nwTZar5DRm/mNR3siR+nZ6yF38VjtxubJB1oI+A7fFjB4hdywLHXP46dlv/+RMQu8pIorAZOubDHTDE8hXW2ZG9WkisJ5P7KoaL4KFHHHXi5vsXAMph4Zphd/zPxVL2tHD3l5c3QXRpQWfTNZNQcZ1f/4yVCuMRibg5LCvpia0ZwRrlygfZdAHUUd0VJDfRO45J5nlIJSAHQtjYtVTL+xNISWOHXovVlInkVyluACqfX94I7qPXTu41yg3SxrrtHE6RTwQ==
+Prime1: +/YsRxmUxgvHKUh4SxdjzqNDDEi8b2BtM5IpctjVG3oYsL6J9xJB3U5/lbrGEPgl/1ndBUSXMQ6zQ5WcDE1qBAdW8t0eyniyuiexcgQ9f04Ds7p7oUiSHGLRn8YqQOzmiASXoZmkzfJZ+42pGhT3RZ+aYKtWQGMHqXabwV3zZl0=
+Prime2: 8hhnKzPzExy6wv/MV0aYKo1g4azrRjug6743/ctTC7zjnMmDW7RMFTXmq5Tu3pFaIL4N4C4m1b7P3abfTrjm+DwHnrlRIvLWS3zJnvUEM22i4BwqqTLRiJpoT5Bfp4pVsdOPT7Iyx1q5UsJZ7Q4qMpg2TFpGiQyieRB5Xwpu4l8=
+Exponent1: ZFPx7Z3SD8pA0793pu75Xx7DY/DSl8bdtNtOhdyxfu9vRXGZnjg24diQFR76H2ewOa2exKo7Sd2ApDi+mmd4/4Gsrag+yoClKlsD3VKy6i42ayqmb+Jly8fNkMFnsdKjOSYa+s4jQZ5vFiuiWjBfBeo3nqabAahtNJ12B9lRQkE=
+Exponent2: tNz4TnVsFo4zFLVHsrghvECM7WxjBMBNc3FToT6CV1WRcjO1+A/Ve08eenc0kYBjpex2r1GrX6pC3uPpFoXav/8Q7kqiTArBf/nFIwUHU2iH8wf38xntIjHA1hgU7jTR2p0kBrUpbHfh1esuhYQ8kDnY7ufOpFqVEv70vcUsm98=
+Coefficient: 3acDCJ9jCnHAP1km7jRO388mOpiI8U6SMv0PBD8l2UoB4CYwujrFxy6PhgUa486bbm5xZEaOwhYZcbw/g1qyC6Qt5kYOb2fVWOob/lEQmyqbDvHMQWTJoIbqaDTKQN/szI4xVdb/xZ6QR4Bq7JgbJpUACgweS540Y7Lf8Dry8C0=
+Created: 20211221062121
+Publish: 20211221062121
+Activate: 20211221062121
--- /dev/null
+; This is a key-signing key, keyid 28633, for example.com.
+; Created: 20211221062130 (Tue Dec 21 17:21:30 2021)
+; Publish: 20211221062130 (Tue Dec 21 17:21:30 2021)
+; Activate: 20211221062130 (Tue Dec 21 17:21:30 2021)
+example.com. IN DNSKEY 257 3 10 AwEAAc4lt8fDsdCzMCLHxXm8Ok/dw6XDiqx06Rf47LTeLmo6b64xm1Fs 0zloNMrcZDgwS5IxjQ3Breqc5aEc+jehueqCXa/fJXMdIt1VpUG0H7GP 4B+1IVmEiziHfmOozktdkuAyLqcsNhsf+J1+bCoHJSffgz6KbjBks/jR 12uyUnZCDrKGE/KfiR0gpT3watqGqqChO0KXq2N2PsnYfyRDea5FMUjM oPgOOyAT8LIMsM8x4f+EbU6m9Zc3Esafek9iLCS9R1333Pm1EEh5ghQT BsZ7omc5aSvrKUaIneojU3RdofceZouCliIDXmqscfY0y6bivGcmCQI/ LM4XUh7GWlM=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 10 (RSASHA512)
+Modulus: ziW3x8Ox0LMwIsfFebw6T93DpcOKrHTpF/jstN4uajpvrjGbUWzTOWg0ytxkODBLkjGNDcGt6pzloRz6N6G56oJdr98lcx0i3VWlQbQfsY/gH7UhWYSLOId+Y6jOS12S4DIupyw2Gx/4nX5sKgclJ9+DPopuMGSz+NHXa7JSdkIOsoYT8p+JHSClPfBq2oaqoKE7QperY3Y+ydh/JEN5rkUxSMyg+A47IBPwsgywzzHh/4RtTqb1lzcSxp96T2IsJL1HXffc+bUQSHmCFBMGxnuiZzlpK+spRoid6iNTdF2h9x5mi4KWIgNeaqxx9jTLpuK8ZyYJAj8szhdSHsZaUw==
+PublicExponent: AQAB
+PrivateExponent: Wr3fl99cdjFqDuVA18UzJdTIOj9I24Da2eKIz1S9uaTfZB4R8FWm5K4qDuHUe6dGnKOTI2sN0ygdLD5FJhfabo/UDYZ8RZ+dqS/5/mH7UX2zekGQ3Iargcaiq9uycxpNfMKaJpwfdPEtzqXHlvhuMo8AhpcIyeSKFAzKdm2YPtUqIrum4RARHyfRLfLyWlkIotPdyiaKCVGQxiRbFsTcmIB2Bizmt7zRjlB+Hxf8MooXmaKUFRQtMCLnFGK0ecFI1CWAxmLSanvYVKQ0HxcFkFKzRiZAz1au7ZfMgYDZj0jF72WAGU3Edcmdc0QIQRTWjb/3wcBfwlr9s6lKoF3ngQ==
+Prime1: 1EIziKhz7dF41rb/hckdr2qeY8eM7tLrT5jIMPLISHCCuKm5IK2u7PY6m6NjMdhx1ilm7K2RGTt+TTFZaqDIEd8qpzRCxAGcfTVOmB9iHwmi9i9RoPSlY6o+iShft68ZnvPiGJWUF2huRYVK2F0cIWErwSqaBGsFd79mXmlkn98=
+Prime2: +KEdNtZj9JyCCR2xbLAw3tnAYxHvJ3skVMjxV3cyUupMWi12NWxGhHH1nnetXxDR2LBBuqIl4pE/4MeXe3sClMHTL3Z9XG+pzQAsHS7yvsfZERdyuWZYYy0ya/7XY2auvRVO6LxN7d47VWjYxAGfoCsbCEivgDxmt1dTZhAtRA0=
+Exponent1: d5TcZ69PsLoEtCLhDkRh/wO4PEqeMaaOf4d5sWn2QCly3Apyi+CN3l5SYoDIT7q7V4Z3v/uA9ZA49dBJqfLvBHKQGycsPjUSLtAreTSlGQtazguWl3F9BAtTs/4U/u0dKBoKVQNgLVfeWDhiFEdQo9WUyvzvTHHm4LHqQGJsGE0=
+Exponent2: EU2dK+DVygNOZXYEkAzfCdNbuUlZPIUsbR4i9bRc8zpNIAWD8YncioEn1+R6U2BnSk5R9LwuKMt1B568YyKXdmTa3rW/WbyHs7WsXEeVK0PbTn40RMTjp9tQZAWzVb6isJQYDsh0H/bUaEhItbNrOYlmczgjxqftehsAudysWc0=
+Coefficient: sl2u/8vttxpiTbspGV4SsaDmKUNdzQH7BgJ5rl3mXPp/aUpLw0Sr7FuARy8W8tq3yVNi9qCOnvGwVl6aQzZP7b8N04KiH8gewlAVdSfxG24yFKJIQNbWGKFZYZFYyjtLVlpK6NYF0f0I1KpAjn58XR0qIBvRFZYWBAkggU9C7ro=
+Created: 20211221062130
+Publish: 20211221062130
+Activate: 20211221062130
--- /dev/null
+;
+; This is a bogus key. It will not have a .private file.
+;
+; This will be key id 23221
+;
+example.com. IN DNSKEY 257 3 10 AwEAAbcyptpM++pVjhpYQW2fVtyOw04IBSw4X0SYi/Ke4wVkmDNW2vBm AFkgiVVKmmNbb0IHDYQiIY7seXk0fjEwjzeY2bmeOAZxDdv2KT9VQpoY Matk2y4NTi6F/V04x0lL/CBvyifTeNbZKvY+S1eKFuWHeS5Ss8tiagz9 zdYWUe/msvmin+Hbs2tlLwXVl4hOmABCL9uK9H8R6GPL5VdEXYyFOh/v 71CNhRU5ufrARti69YYkfzH6NpWhlJWyJvDjqAdt2L3H8V71C2vcXbBu S5NscEYl+8JQfwUvOTN553I5IQrG+NQEusW36UM/Rkad8mMnUVM9Vzqk GH86GHKtLMc=
--- /dev/null
+;
+; This is a bogus key. It will not have a .private file.
+;
+; This will be key id 48930
+;
+example.com. IN DNSKEY 256 3 10 AwEAAa/0IcnbGutPVkrz04tw5ZIYx6rU+FprB2rlKS8cTK/wiBOqbOC6 QIDdegDpZG1fOdj04ZQGa3pIizqC2CnlIWfxpfR6W+qSLRBuQ8gmwTmS c/Jy/0vAGB3fv3oVIqKslLNqIXZb3CKNiA2kGcut3aUgfeOW970Jga6z PAGKqPpPZTelW1Qy9N5BO4cRTuYo4uvbZveJv1W/2n5RN+UaeqU0f+AE DP0+wqSWNUfZsi6HygLwk08x3eO8PzTBlqBlAMfvNAygrmXqccMREyyH KEc5dVJ1qOXfj8BAdJUPmunyJhIwC9PxzOW7mn1lW7mZO2D5U/Jaxw2k eX2KblmVk8s=
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00100000 1200 3600 604800 300
+extra.example.com. IN A 1.2.3.4
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+19857.key
+$include Kexample.com.+005+45884.key
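Review bot: Both keys included here (Kexample.com.+005+19857 and +005+45884) are RSASHA1 (algorithm 5), which is rejected in FIPS mode and in builds where RSASHA1 is disabled, yet the header comment is the same generic text as the other test zones and does not say so. The shell tests removed by this commit gated their RSASHA1 cases on `$RSASHA1_SUPPORTED`; the pytest that signs this zone presumably needs the same skip, which I cannot verify from this diff. Suggest adding after the header `; Both keys are RSASHA1 (algorithm 5): tests signing this zone must be skipped when RSASHA1 is unsupported (e.g. FIPS mode).`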
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 30 ; 30 seconds
+. IN SOA a.root.servers.nil. each.isc.org. (
+ 2000042101 ; serial
+ 600 ; refresh (10 minutes)
+ 600 ; retry (10 minutes)
+ 1200 ; expire (20 minutes)
+ 600 ; minimum (10 minutes)
+ )
+ NS a.root-servers.nil.
+ DNSKEY 256 3 13 (
+ TFelYtTRBWeA9A307vvuWIcaNwW4txW4RgSELtsi46ZQ
+ s24ncRxmxtFfuJuPyVXePNiE4HNI9CIowGUsn5WuBw==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 23768
+ DNSKEY 257 3 13 (
+ OSmhpULEDCUzHCBeDU5uJXzkCcGuW2qrkQznKRPGhRZN
+ j7ZUIGInGzM5Um5m02ULWt8tKbi55NJUeifKWegQ0g==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 22255
+ DNSKEY 385 3 13 (
+ uKwpRtMH+9iuUk/Xj6LciIP5ZckaBtXaUqxUxzJYexXj
+ vxGZGX4470Jvhq2NCI3HBZQNaCCP/h9sluhIzRGPTA==
+ ) ; revoked KSK; alg = ECDSAP256SHA256 ; key id = 23768
+a.root-servers.nil. A 10.53.0.1
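Review bot: The trailing comment on the revoked KSK, `; revoked KSK; alg = ECDSAP256SHA256 ; key id = 23768`, repeats the ZSK's key id from the record above it; the key file for this same public key (uKwpRtMH...) reports keyid 23640 with flags 257, and setting the REVOKE bit to give flags 385 changes the tag, so the value here is almost certainly stale or copy-pasted. Comments do not affect signing, but someone debugging revocation against this zone will be misled; regenerate the line from `dnssec-revoke`/`dnssec-dsfromkey` output rather than guessing a number. The non-revoked KSK (flags 257, key id 22255) has no key file anywhere in this diff as far as I can see, which is fine if it is intentionally an offline/unsigned key, but a comment saying so would save the next reader a search.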
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one non-KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically and the zone
+; correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically. As there
+; is no non-KSK DNSKEY the resulting zone should be rejected.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK + ZSK) of
+; which have existing private key files available. The third is a
+; pre-published ZSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
+; have existing private key files available. The third is a KSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has four DNSKEY records, two (KK + ZSK) of which
+; have existing private key files available. There are also a KSK and ZSK
+; for which there will be no signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
+$include bogus-zsk.key
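Review bot: Typo in the header comment: `two (KK + ZSK) of which` should read `two (KSK + ZSK) of which`, matching the wording used in the sibling fixtures above. The rest of the comment and the four `$include` lines are consistent with the "four DNSKEY" check this file feeds.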
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, none of which have
+; existing private key files available. The resulting zone should fail
+; the consistency tests.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include bogus-ksk.key
+$include bogus-zsk.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, one of which,
+; the KSK, has a private key. The resulting zone should be rejected as
+; it has no ZSK signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+prepub. 60 IN SOA prepub. . 0 0 0 0 0
+prepub. 60 IN NS prepub.
+prepub. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+remove. 60 IN AAAA ::ffff:1.2.3.4
+remove. 60 IN MX 0 remove.
+$INCLUDE remove.db.signed
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+$INCLUDE remove.db.signed
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+status=0
+n=1
+
+# check that a zone file is raw format, version 0
+israw0() {
+ # shellcheck disable=SC2016
+ $PERL <"$1" -e 'binmode STDIN;
+ read(STDIN, $input, 8);
+ ($style, $version) = unpack("NN", $input);
+ exit 1 if ($style != 2 || $version != 0);' || return $?
+}
+
+# check that a zone file is raw format, version 1
+israw1() {
+ # shellcheck disable=SC2016
+ $PERL <"$1" -e 'binmode STDIN;
+ read(STDIN, $input, 8);
+ ($style, $version) = unpack("NN", $input);
+ exit 1 if ($style != 2 || $version != 1);' || return $?
+}
+
+echo_i "basic dnssec-signzone checks:"
+echo_ic "two DNSKEYs ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ cp signed.zone signed.expect
+ grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." signed.expect >dnskey.expect || exit 1
+ mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline
+ $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n 2>/dev/null
+ mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private
+ grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "one non-KSK DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "one KSK DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "three DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "three DNSKEY, one private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "four DNSKEY ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEY, both private keys missing ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "two DNSKEY, one private key missing ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n 2>/dev/null
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)"
+ret=0
+if $FEATURETEST --fips-provider; then
+ (
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -F -f signed.zone -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
+ ) || ret=1
+else
+ echo_i "skipped no FIPS provider available"
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)"
+ret=0
+if ! $FEATURETEST --fips-provider; then
+ echo_i "skipped no FIPS provider available"
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ (
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -F -f signed.zone -o example.com. test11.zone >signer.out.$n 2>&1 && exit 1
+ grep -F -e "fatal: No signing keys specified or found" \
+ -e "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n >/dev/null
+ ) || ret=1
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "revoked KSK ID collides with ZSK ($n)"
+ret=0
+# signing should fail, but should not coredump
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -S -f signed.zone -o . test12.zone >signer.out.$n 2>/dev/null
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -3 - -H 51 -o example.com. test9.zone >signer.out.$n
+ test -f signed.zone
+) && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone -J loads journal files ($n)"
+ret=0
+(
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $MAKEJOURNAL example.com. test9.zone test10.zone test9.zone.jnl
+ $SIGNER -f signed.zone -o example.com. -J test9.zone.jnl test9.zone >signer.out.$n
+ grep -q extra signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)"
+ret=0
+(
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -3 - -H 50 -o example.com. test9.zone >signer.out.$n
+ test -f signed.zone
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+get_default_algorithm_key_ids_from_sigs() {
+ zone=$1
+
+ awk -v alg=$DEFAULT_ALGORITHM_NUMBER '
+ NF < 8 { next }
+ $(NF-5) != "RRSIG" { next }
+ $(NF-3) != alg { next }
+ $NF != "(" { next }
+ {
+ getline;
+ print $3;
+ }
+ ' signer/$zone.db.signed | sort -u
+}
+
+# Test dnssec-signzone ZSK prepublish smooth rollover.
+echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)"
+ret=0
+zone=prepub
+# Generate keys.
+ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM "$zone")
+zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
+zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM "$zone")
+zskid1=$(keyfile_to_key_id "$zsk1")
+zskid2=$(keyfile_to_key_id "$zsk2")
+(
+ cd signer || exit 1
+ # Set times such that the current set of keys are introduced 60 days ago and
+ # start signing now. The successor key is prepublished now and will be active
+ # next day.
+ $SETTIME -P now-60d -A now $ksk >/dev/null
+ $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null
+ $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null
+ $SETTIME -P now -A now+1d $zsk2.key >/dev/null
+ # Sign the zone with initial keys and prepublish successor. The zone signatures
+ # are valid for 30 days and the DNSKEY signature is valid for 60 days.
+ cp -f $zone.db.in $zone.db
+ $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
+ echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
+status=$((status + ret))
+
+echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)"
+ret=0
+zone=prepub
+(
+ cd signer || exit 1
+ # Roll the ZSK. The predecessor is inactive from now on and the successor is
+ # activated. The zone signatures are valid for 30 days and the DNSKEY
+ # signature is valid for 60 days. Because of the predecessor/successor
+ # relationship, the signatures of the predecessor are retained and no new
+ # signatures with the successor should be generated.
+ $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null
+ $SETTIME -A now $zsk2 >/dev/null
+ $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check dnssec-signzone swaps zone signatures after interval ($n)"
+ret=0
+zone=prepub
+(
+ cd signer || exit 1
+ # After some time the signatures should be replaced. When signing, set the
+ # interval to 30 days plus one second, meaning all predecessor signatures
+ # are within the refresh interval and should be replaced with successor
+ # signatures.
+ $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null
+ $SETTIME -A now-20d $zsk2 >/dev/null
+ $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
+ret=0
+zone=example
+# If dnssec-keygen fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-keygen unexpectedly
+# succeeds, by using "&& ret=1".
+$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
+ret=0
+zone=example
+# Fake an unsupported algorithm key
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp
+mv ${unsupportedkey}.tmp ${unsupportedkey}.key
+# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent
+# that from happening, and also trigger a test failure if dnssec-dsfromkey
+# unexpectedly succeeds, by using "&& ret=1".
+$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
+ret=0
+ret=0
+cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db
+# If dnssec-signzone fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-signzone
+# unexpectedly succeeds, by using "&& ret=1".
+$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that we can sign a zone with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -o example -f example.db example.db >/dev/null
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null
+ awk '/^IQF9LQTLK/ {
+ printf("%s", $0);
+ while (!index($0, ")")) {
+ if (getline <= 0)
+ break;
+ printf (" %s", $0);
+ }
+ printf("\n");
+ }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out
+
+ grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example3.db
+ echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db
+ $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null
+ awk '/^IQF9LQTLK/ {
+ printf("%s", $0);
+ while (!index($0, ")")) {
+ if (getline <= 0)
+ break;
+ printf (" %s", $0);
+ }
+ printf("\n");
+ }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out
+
+ grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -o example -f example.db.before example.db >/dev/null
+ sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed
+ $SIGNER -o example -f example.db.after example.db.changed >/dev/null
+)
+grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+keyid2=$(keyfile_to_key_id "$key2")
+key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM $zone)
+keyid3=$(keyfile_to_key_id "$key3")
+(
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -D -o example example.db >/dev/null
+
+ # now switch out key2 for key3 and resign the zone
+ cat example.db.in "$key1.key" "$key3.key" >example.db
+ echo "\$INCLUDE \"example.db.signed\"" >>example.db
+ $SIGNER -D -o example example.db >/dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -RD -o example example.db >/dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)"
+ret=0
+zone=example
+(
+ cd signer || exit 1
+ cp -f example.db.in example.db
+ $SIGNER -SD -o example example.db >/dev/null
+ echo "\$INCLUDE \"example.db.signed\"" >>example.db
+ # now retire key2 and resign the zone
+ $SETTIME -I now "$key2" >/dev/null 2>&1
+ $SIGNER -SD -o example example.db >/dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -SDQ -o example example.db >/dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone retains unexpired signatures ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -Sxt -o example example.db >signer.out.1
+ $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2
+) || ret=1
+gen1=$(awk '/generated/ {print $3}' signer/signer.out.1)
+retain1=$(awk '/retained/ {print $3}' signer/signer.out.1)
+gen2=$(awk '/generated/ {print $3}' signer/signer.out.2)
+retain2=$(awk '/retained/ {print $3}' signer/signer.out.2)
+drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2)
+[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1
+[ "$gen2" -eq 0 ] || ret=1
+[ "$drop2" -eq 0 ] || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ # remove NSEC-only keys
+ rm -f Kexample.+005*
+ cp -f example.db.in example2.db
+ cat <<EOF >>example2.db
+sub1.example. IN A 10.53.0.1
+ns.sub2.example. IN A 10.53.0.2
+EOF
+ echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
+ touch example2.db.signed
+ $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
+(
+ cd signer || exit 1
+ cp -f example.db.in example2.db
+ cat <<EOF >>example2.db
+sub1.example. IN NS sub1.example.
+sub1.example. IN A 10.53.0.1
+sub2.example. IN NS ns.sub2.example.
+ns.sub2.example. IN A 10.53.0.2
+EOF
+ echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
+ $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ rm -f example2.db.signed
+ cp -f example.db.in example2.db
+ cat <<EOF >>example2.db
+sub1.example. IN A 10.53.0.1
+ns.sub2.example. IN A 10.53.0.2
+EOF
+ echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
+ touch example2.db.signed
+ $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1
+(
+ cd signer || exit 1
+ cp -f example.db.in example2.db
+ cat <<EOF >>example2.db
+sub1.example. IN NS sub1.example.
+sub1.example. IN A 10.53.0.1
+sub2.example. IN NS ns.sub2.example.
+ns.sub2.example. IN A 10.53.0.2
+EOF
+ echo "\$INCLUDE \"example2.db.signed\"" >>example2.db
+ $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone output format ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null
+ $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null
+ $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null
+ $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null
+ $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null
+) || ret=1
+awk 'BEGIN { found = 0; }
+ $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); }
+ END { if (!found) exit(1); }' signer/signer.out.3 || ret=1
+awk 'BEGIN { found = 0; }
+ $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); }
+ END { if (!found) exit(1); }' signer/signer.out.4 || ret=1
+israw1 signer/signer.out.5 || ret=1
+israw0 signer/signer.out.6 || ret=1
+israw1 signer/signer.out.7 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking TTLs are capped by dnssec-signzone -M ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null
+) || ret=1
+awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -N date ($n)"
+ret=0
+(
+ cd signer || exit 1
+ TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null
+) || ret=1
+# shellcheck disable=SC2016
+now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
+serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9)
+[ "$now" -eq "$serial" ] || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SETTIME -P ds now -P sync now "$key1" >/dev/null
+ $SIGNER -G "cdnskey,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (default) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (empty) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (no CDNSKEY) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cds:sha-256,cds:sha384" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (no CDS) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (suppress duplicates) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:sha256,cds:sha256,cdnskey" -O full -S -f signer.out.$n -o example example2.db >/dev/null
+) || ret=1
+test $(awk '$4 == "CDNSKEY" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "2" { print }' signer/signer.out.$n | wc -l) -eq 1 || ret=1
+test $(awk '$4 == "CDS" && $7 == "4" { print }' signer/signer.out.$n | wc -l) -eq 0 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (bad argument) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "digest must specify cds:algorithm ('foobar')" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (bad digest - name) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:foobar" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "bad digest 'cds:foobar'" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (bad digest - number) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:256" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "bad digest 'cds:256': out of range" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (unsupported digest - name) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:gost" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "unsupported digest 'cds:gost'" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone -G (unsupported digest - number) ($n)"
+ret=0
+(
+ cd signer || exit 1
+ $SIGNER -G "cdnskey,cds:200" -O full -S -f signer.out.$n -o example example2.db 2>signer.err.$n && ret=1
+ grep "unsupported digest 'cds:200'" signer.err.$n >/dev/null || ret=1
+)
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
+ret=0
+# generate signed zone with MX and AAAA records at apex.
+(
+ cd signer || exit 1
+ $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null
+ $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null
+ echo >remove.db.signed
+ $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
+)
+grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.pre$n
+}
+# re-generate signed zone without MX and AAAA records at apex.
+(
+ cd signer || exit 1
+ $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
+)
+grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.post$n
+}
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)"
+ret=0
+# generate signed zone with MX and AAAA records at apex.
+(
+ cd signer || exit 1
+ echo >remove.db.signed
+ $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
+)
+grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.pre$n
+}
+# re-generate signed zone without MX and AAAA records at apex.
+(
+ cd signer || exit 1
+ $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
+)
+grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.post$n
+}
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)"
+ret=0
+(
+ cd signer || exit 0
+ key1=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
+ key2=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" -f KSK revoke.example)
+ key3=$(${KEYGEN} -a "${DEFAULT_ALGORITHM}" revoke.example)
+ rkey=$(${REVOKE} "$key2")
+ cat >>revoke.example.db <<EOF
+\$TTL 3600
+@ SOA . . 0 0 0 0 3600
+@ NS .
+\$INCLUDE "${key1}.key"
+\$INCLUDE "${rkey}.key"
+\$INCLUDE "${key3}.key"
+EOF
+ "${DSFROMKEY}" -C "$key1" >>revoke.example.db
+ "${SIGNER}" -o revoke.example revoke.example.db >signer.out.$n
+) || ret=1
+keycount=$(grep -c "RRSIG.DNSKEY ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
+cdscount=$(grep -c "RRSIG.CDS ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
+soacount=$(grep -c "RRSIG.SOA ${DEFAULT_ALGORITHM_NUMBER} " signer/revoke.example.db.signed)
+[ $keycount -eq 3 ] || ret=1
+[ $cdscount -eq 2 ] || ret=1
+[ $soacount -eq 1 ] || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
+ret=0
+alg=1
+until test $alg -eq 258; do
+ zone="keygen-$alg."
+ case $alg in
+ 2) # Diffie Helman
+ alg=$((alg + 1))
+ continue
+ ;;
+ 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard
+ alg=$((alg + 1))
+ continue
+ ;;
+ 1 | 5 | 7 | 8 | 10) # RSA algorithms
+ key1=$($KEYGEN -a "$alg" -b "2048" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ 15 | 16)
+ key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ 256)
+ key1=$($KEYGEN -a "RSASHA256OID" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ 257)
+ key1=$($KEYGEN -a "RSASHA512OID" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ *)
+ key1=$($KEYGEN -a "$alg" "$zone" 2>"keygen-$alg.err" || true)
+ ;;
+ esac
+ if grep "unknown algorithm" "keygen-$alg.err" >/dev/null; then
+ alg=$((alg + 1))
+ continue
+ fi
+ if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then
+ alg=$((alg + 1))
+ continue
+ fi
+ if test -z "$key1"; then
+ echo_i "'$KEYGEN -a $alg': failed"
+ cat "keygen-$alg.err"
+ ret=1
+ alg=$((alg + 1))
+ continue
+ fi
+ $SETTIME -I now+4d "$key1.private" >/dev/null
+ key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null)
+ test -f "$key2.key" -a -f "$key2.private" || {
+ ret=1
+ echo_i "'dnssec-keygen -S' failed for algorithm: $alg"
+ }
+ alg=$((alg + 1))
+done
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)"
+ret=0
+if $FEATURETEST --have-fips-mode; then
+ echo_i "skipped: already in FIPS mode"
+elif ! $FEATURETEST --fips-provider; then
+ echo_i "skipped no FIPS provider available"
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ $KEYGEN -F -a rsasha1 example.fips 2>keygen.err$n || true
+ grep -i "unsupported algorithm: RSASHA1" "keygen.err$n" >/dev/null || ret=1
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)"
+ret=0
+if $FEATURETEST --have-fips-mode; then
+ echo_i "skipped: already in FIPS mode"
+elif ! $FEATURETEST --fips-provider; then
+ echo_i "skipped: cannot switch to FIPS mode"
+elif [ $RSASHA1_SUPPORTED = 0 ]; then
+ echo_i "skipped: RSASHA1 is not supported"
+else
+ $KEYGEN -F -a nsec3rsasha1 example.fips 2>keygen.err$n || true
+ grep -i "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" >/dev/null || ret=1
+fi
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that dnssec-keygen honours key tag ranges ($n)"
+ret=0
+zone=settagrange
+ksk=$("$KEYGEN" -f KSK -q -a $DEFAULT_ALGORITHM -M 0:32767 "$zone")
+zsk=$("$KEYGEN" -q -a $DEFAULT_ALGORITHM -M 32768:65535 "$zone")
+kid=$(keyfile_to_key_id "$ksk")
+zid=$(keyfile_to_key_id "$zsk")
+[ $kid -ge 0 -a $kid -le 32767 ] || ret=1
+[ $zid -ge 32768 -a $zid -le 65535 ] || ret=1
+rksk=$($REVOKE -R $ksk)
+rzsk=$($REVOKE -R $zsk)
+krid=$(keyfile_to_key_id "$rksk")
+zrid=$(keyfile_to_key_id "$rzsk")
+[ $krid -ge 0 -a $krid -le 32767 ] || ret=1
+[ $zrid -ge 32768 -a $zrid -le 65535 ] || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check dnssec-dsfromkey from stdin ($n)"
+ret=0
+cat algroll.dnskey | $DSFROMKEY -f - algroll. >dsfromkey.out.test$n
+NF=$(awk '{print NF}' dsfromkey.out.test$n | sort -u)
+[ "${NF}" = 7 ] || ret=1
+# make canonical
+awk '/^algroll/ {
+ for (i=1;i<7;i++) printf("%s ", $i);
+ for (i=7;i<=NF;i++) printf("%s", $i);
+ printf("\n");
+}' <dsfromkey.out.test$n >canonical1.$n || ret=1
+awk '/^algroll/ {
+ for (i=1;i<7;i++) printf("%s ", $i);
+ for (i=7;i<=NF;i++) printf("%s", $i);
+ printf("\n");
+}' <dsset-algroll. >canonical2.$n || ret=1
+diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+# Intentionally strip ".key" from keyfile name to ensure the error message
+# includes it anyway to avoid confusion (RT #21731)
+echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)"
+ret=0
+key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example. 2>/dev/null) || ret=1
+mv "$key.key" "$key"
+$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1
+grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check dnssec-dsfromkey with revoked key ($n)"
+ret=0
+$DSFROMKEY -f revkey.dnskey revkey.example. >dsfromkey.out.test$n || ret=1
+test $(wc -l <dsfromkey.out.test$n) -eq 1 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "K*",
+ "canonical*",
+ "delv.out*",
+ "dnssectools.out.*",
+ "dsfromkey.out.*",
+ "keygen*.err*",
+ "*/K*",
+ "*/dsset-*",
+ "*/*.signed",
+ "signer/example.db",
+ "signer/example.db.after",
+ "signer/example.db.before",
+ "signer/example.db.changed",
+ "signer/example2.db",
+ "signer/example3.db",
+ "signer/general/*.jnl",
+ "signer/general/dnskey.expect",
+ "signer/general/dsset-*",
+ "signer/general/signed.expect",
+ "signer/general/signed.zone",
+ "signer/general/signer.out.*",
+ "signer/nsec3param.out",
+ "signer/prepub.db",
+ "signer/revoke.example.db",
+ "signer/signer.err.*",
+ "signer/signer.out.*",
+ ]
+)
+
+
+def test_dnssec(run_tests_sh):
+ run_tests_sh()
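Review bot: The extra_artifacts list does not cover every file the wrapped tests.sh can leave behind: the `signer/remove.db.signed.pre*` and `signer/remove.db.signed.post*` copies taken when an RRSIG-removal check fails are not matched by `*/*.signed`, and a top-level `dsset-*` file (the dsfromkey check reads `dsset-algroll.`, which looks generated rather than checked in) is only matched for subdirectories via `*/dsset-*`. Unless the test framework's default artifact set already covers these, add `"dsset-*",` and `"signer/remove.db.signed.*",` to the list so the failure artifacts are collected and cleaned up with the rest. Whether the defaults already include them cannot be determined from this diff.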
assert rr_class_orig == rr_class
assert rr_type_orig == rr_type
assert rr_rest_orig == " ".join(rr_rest)
+
+
+def test_rrchecker_seconds():
+ # check the acceptance of seconds as RRSIG inception and expiration
+ intext = "NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
+ expected = "NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
+ _, _, *rr_rest = run_rrchecker("-p", "IN", "RRSIG", intext)
+ assert " ".join(rr_rest) == expected