From: Ondřej Surý Date: Sat, 20 Jul 2019 22:06:16 +0000 (-0400) Subject: Remove 2>&1 from the dnssec-signzone invocation in tests X-Git-Tag: v9.15.3~21^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94354d4655735e66775a9f28be6e0f33f69a36da;p=thirdparty%2Fbind9.git Remove 2>&1 from the dnssec-signzone invocation in tests --- diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 0c8b5078d91..de557d76e2b 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -39,7 +39,7 @@ ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone` $KEYGEN -a RSASHA1 -3 -q $zone > /dev/null keyfile_to_static_keys $ksk > private.conf cp private.conf ../ns4/private.conf -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1 +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null # Extract saved keys for the revoke-to-duplicate-key test zone=bar diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 826a35cd795..70103b07a54 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -152,7 +152,7 @@ setup oldsigs.example cp $infile $zonefile $KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out || dumpit s.out # # NSEC3->NSEC transition test zone. @@ -160,7 +160,7 @@ $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || d setup nsec3-to-nsec.example $KEYGEN -q -a RSASHA512 -b 2048 -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out # # secure-to-insecure transition test zone; used to test removal of @@ -169,7 +169,7 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out setup secure-to-insecure.example $KEYGEN -a RSASHA1 -q -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -a RSASHA1 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out # # another secure-to-insecure transition test zone; used to test @@ -180,7 +180,7 @@ ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out echo $ksk > ../del1.key zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out echo $zsk > ../del2.key -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # # Introducing a pre-published key test. @@ -189,7 +189,7 @@ setup prepub.example infile="secure-to-insecure2.example.db.in" $KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # # Key TTL tests. @@ -235,7 +235,7 @@ echo $zsk > ../delayzsk.key setup nozsk.example $KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out echo $zsk > ../missingzsk.key rm -f ${zsk}.private @@ -246,7 +246,7 @@ rm -f ${zsk}.private setup inaczsk.example $KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out echo $zsk > ../inactivezsk.key $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh index 101af11ef2c..7903a52fb30 100644 --- a/bin/tests/system/cds/setup.sh +++ b/bin/tests/system/cds/setup.sh @@ -84,7 +84,7 @@ sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' UP.swapttl sign() { cat >db.$1 - $SIGNER >/dev/null 2>&1 \ + $SIGNER >/dev/null \ -S -O full -o $Z -f sig.$1 db.$1 } diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh index 18c5b662307..d8c95d19da1 100644 --- a/bin/tests/system/chain/ns2/sign.sh +++ b/bin/tests/system/chain/ns2/sign.sh @@ -17,4 +17,4 @@ zonefile=example.db ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone` zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone` -$SIGNER -S -o $zone example.db > /dev/null 2>&1 +$SIGNER -S -o $zone example.db > /dev/null diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index eddaf3efe08..db685786a8a 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -25,7 +25,7 @@ do keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname1.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null # Zone to test trust anchor that matches disabled algorithm. zone=disabled.${tld} @@ -33,7 +33,7 @@ do keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") cat "$infile" "$keyname2.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null # Zone to test trust anchor that has disabled algorithm for other domain. zone=enabled.${tld} @@ -41,7 +41,7 @@ do keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") cat "$infile" "$keyname3.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null # Zone to test trust anchor with unsupported algorithm. zone=unsupported.${tld} @@ -49,7 +49,7 @@ do keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname4.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed # Make trusted-keys and managed keys conf sections for ns8. @@ -62,7 +62,7 @@ do keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname5.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null case $tld in "managed") @@ -86,7 +86,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null zone=bogus.example. infile=bogus.example.db.in @@ -96,7 +96,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null zone=dynamic.example. infile=dynamic.example.db.in @@ -107,7 +107,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null zone=keyless.example. infile=generic.example.db.in @@ -117,7 +117,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # Change the signer field of the a.b.keyless.example SIG A # to point to a provably nonexistent KEY record. @@ -138,7 +138,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # NSEC3/NSEC3 test zone @@ -151,7 +151,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC3 test zone @@ -164,7 +164,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null # # A nsec3 zone (non-optout). @@ -177,7 +177,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC test zone @@ -190,7 +190,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC3 test zone @@ -203,7 +203,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/OPTOUT test zone @@ -216,7 +216,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null # # A optout nsec3 zone. @@ -229,7 +229,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). @@ -242,7 +242,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -255,7 +255,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null # # A zone that is signed with an unknown DNSKEY algorithm. @@ -269,7 +269,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -288,7 +288,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -308,7 +308,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). @@ -322,7 +322,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -340,17 +340,17 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null # # A RSASHA256 zone. @@ -363,7 +363,7 @@ keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone") cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # A RSASHA512 zone. @@ -376,7 +376,7 @@ keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone") cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # A zone with the DNSKEY set only signed by the KSK @@ -388,7 +388,7 @@ zonefile=kskonly.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null # # A zone with the expired signatures @@ -400,7 +400,7 @@ zonefile=expired.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null rm -f "$kskname.*" "$zskname.*" # @@ -413,7 +413,7 @@ zonefile=update-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # A NSEC signed zone that will have auto-dnssec enabled and @@ -428,7 +428,7 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # A NSEC3 signed zone that will have auto-dnssec enabled and @@ -443,7 +443,7 @@ zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # Secure below cname test zone. @@ -453,7 +453,7 @@ infile=secure.below-cname.example.db.in zonefile=secure.below-cname.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # Patched TTL test zone. @@ -467,7 +467,7 @@ patchedfile=ttlpatch.example.db.patched keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null $CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \ awk '{$2 = "3600"; print}' > $patchedfile @@ -483,7 +483,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" : > "$signedfile" -"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null # # Seperate DNSSEC records smart signing. @@ -498,7 +498,7 @@ cp "$infile" "$zonefile" # shellcheck disable=SC2016 echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" : > "$signedfile" -"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null # # Zone with signatures about to expire, but no private key to replace them @@ -510,7 +510,7 @@ signedfile="expiring.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null mv -f "${zskname}.private" "${zskname}.private.moved" mv -f "${kskname}.private" "${kskname}.private.moved" @@ -525,7 +525,7 @@ signedfile="upper.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null $CHECKZONE -D upper.example $lower 2>/dev/null | \ sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile @@ -540,7 +540,7 @@ signedfile="lower.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null # # Zone with signatures about to expire, and dynamic, but configured @@ -553,7 +553,7 @@ signedfile="nosign.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null # preserve a normalized copy of the NS RRSIG for comparison later $CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ @@ -578,7 +578,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null # # A zone which will change its sig-validity-interval @@ -602,7 +602,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP # @@ -614,7 +614,7 @@ zonefile=future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null cp -f "$kskname.key" trusted-future.key # @@ -626,7 +626,7 @@ zonefile=managed-future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null # # A zone with a revoked key @@ -641,7 +641,7 @@ ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone") zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone") cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # Check that NSEC3 are correctly signed and returned from below a DNAME @@ -653,7 +653,7 @@ zonefile=dname-at-apex-nsec3.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone") cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # A NSEC zone with occuded data at the delegation @@ -668,4 +668,4 @@ keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone") $DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP" cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 67456b74db9..6253c99d9a9 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1329,7 +1329,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n test -f signed.zone ) || ret=1 n=$((n+1)) @@ -1341,7 +1341,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n test -f signed.zone ) && ret=1 n=$((n+1)) @@ -1353,7 +1353,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n test -f signed.zone ) && ret=1 n=$((n+1)) @@ -1365,7 +1365,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n test -f signed.zone ) || ret=1 n=$((n+1)) @@ -1377,7 +1377,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n test -f signed.zone ) || ret=1 n=$((n+1)) @@ -1389,7 +1389,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n test -f signed.zone ) || ret=1 n=$((n+1)) @@ -1401,7 +1401,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n test -f signed.zone ) && ret=1 n=$((n+1)) @@ -1413,7 +1413,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n test -f signed.zone ) && ret=1 n=$((n+1)) @@ -1484,7 +1484,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db example.db > /dev/null 2>&1 +$SIGNER -o example -f example.db example.db > /dev/null ) || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" @@ -1498,7 +1498,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1 +$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { @@ -1524,7 +1524,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example3.db echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db -$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1 +$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { @@ -1549,9 +1549,9 @@ key2=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1 +$SIGNER -o example -f example.db.before example.db > /dev/null sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed -$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1 +$SIGNER -o example -f example.db.after example.db.changed > /dev/null ) grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1 n=$((n+1)) @@ -1569,12 +1569,12 @@ keyid3=$(keyfile_to_key_id "$key3") ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -D -o example example.db > /dev/null 2>&1 +$SIGNER -D -o example example.db > /dev/null # now switch out key2 for key3 and resign the zone cat example.db.in "$key1.key" "$key3.key" > example.db echo "\$INCLUDE \"example.db.signed\"" >> example.db -$SIGNER -D -o example example.db > /dev/null 2>&1 +$SIGNER -D -o example example.db > /dev/null ) || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 @@ -1586,7 +1586,7 @@ echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" ret=0 ( cd signer || exit 1 -$SIGNER -RD -o example example.db > /dev/null 2>&1 +$SIGNER -RD -o example example.db > /dev/null ) || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 @@ -1600,11 +1600,11 @@ zone=example ( cd signer || exit 1 cp -f example.db.in example.db -$SIGNER -SD -o example example.db > /dev/null 2>&1 +$SIGNER -SD -o example example.db > /dev/null echo "\$INCLUDE \"example.db.signed\"" >> example.db # now retire key2 and resign the zone $SETTIME -I now "$key2" > /dev/null 2>&1 -$SIGNER -SD -o example example.db > /dev/null 2>&1 +$SIGNER -SD -o example example.db > /dev/null ) || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 @@ -1616,7 +1616,7 @@ echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" ret=0 ( cd signer || exit 1 -$SIGNER -SDQ -o example example.db > /dev/null 2>&1 +$SIGNER -SDQ -o example example.db > /dev/null ) || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 @@ -1628,8 +1628,8 @@ echo_i "checking dnssec-signzone retains unexpired signatures ($n)" ret=0 ( cd signer || exit 1 -$SIGNER -Sxt -o example example.db > signer.out.1 2>&1 -$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1 +$SIGNER -Sxt -o example example.db > signer.out.1 +$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 ) || ret=1 gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) @@ -1656,7 +1656,7 @@ ns.sub2.example. IN A 10.53.0.2 EOF echo "\$INCLUDE \"example2.db.signed\"" >> example2.db touch example2.db.signed -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null ) || ret=1 grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 @@ -1670,7 +1670,7 @@ sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null ) || ret=1 grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 @@ -1690,7 +1690,7 @@ ns.sub2.example. IN A 10.53.0.2 EOF echo "\$INCLUDE \"example2.db.signed\"" >> example2.db touch example2.db.signed -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null ) || ret=1 grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 @@ -1704,7 +1704,7 @@ sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null ) || ret=1 grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 @@ -1718,8 +1718,8 @@ ret=0 cd signer || exit 1 $SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null $SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null -$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1 -$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1 +$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null +$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null $SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null ) || ret=1 awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1 @@ -1735,7 +1735,7 @@ echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" ret=0 ( cd signer || exit 1 -$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1 +$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null ) || ret=1 awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 n=$((n+1)) @@ -1746,7 +1746,7 @@ echo_i "checking dnssec-signzone -N date ($n)" ret=0 ( cd signer || exit 1 -TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null 2>&1 +TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null ) || ret=1 # shellcheck disable=SC2016 now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') @@ -2884,7 +2884,7 @@ cd ns3 || exit 1 for file in K*.moved; do mv "$file" "$(basename "$file" .moved)" done -$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1 +$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null ) || ret=1 rndc_reload ns3 10.53.0.3 expiring.example @@ -3620,7 +3620,7 @@ cd signer || exit 1 $KEYGEN -q -a RSASHA1 -3 -fK remove > /dev/null $KEYGEN -q -a RSASHA1 -33 remove > /dev/null echo > remove.db.signed -$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1 +$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n ) grep "RRSIG MX" signer/remove.db.signed > /dev/null || { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; @@ -3628,7 +3628,7 @@ grep "RRSIG MX" signer/remove.db.signed > /dev/null || { # re-generate signed zone without MX and AAAA records at apex. ( cd signer || exit 1 -$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1 +$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n ) grep "RRSIG MX" signer/remove.db.signed > /dev/null && { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; @@ -3643,7 +3643,7 @@ ret=0 ( cd signer || exit 1 echo > remove.db.signed -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1 +$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n ) grep "RRSIG MX" signer/remove.db.signed > /dev/null || { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; @@ -3651,7 +3651,7 @@ grep "RRSIG MX" signer/remove.db.signed > /dev/null || { # re-generate signed zone without MX and AAAA records at apex. ( cd signer || exit 1 -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1 +$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n ) grep "RRSIG MX" signer/remove.db.signed > /dev/null && { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh index 166f4b9c00f..c14a83837eb 100644 --- a/bin/tests/system/inline/ns1/sign.sh +++ b/bin/tests/system/inline/ns1/sign.sh @@ -17,7 +17,7 @@ rm -f K.+*+*.key rm -f K.+*+*.private keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` -$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1 +$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out [ $? = 0 ] || cat signer.out keyfile_to_static_keys $keyname > trusted.conf diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index 621f0776835..7dc0bd09c1b 100755 --- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -51,7 +51,7 @@ rm -f K${zone}.+*+*.private keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 +$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null cp master2.db.in updated.db # signatures are expired and should be regenerated on startup @@ -61,7 +61,7 @@ rm -f K${zone}.+*+*.private keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 +$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null zone=retransfer rm -f K${zone}.+*+*.key diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index bec30dfbcb3..1340343e6af 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -30,5 +30,5 @@ $CHECKZONE -D -F map -o example.db.map example-map \ $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed > /dev/null 2>&1 $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed > /dev/null 2>&1 -$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1 +$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null $CHECKZONE -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1 diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 29120195179..cdc03c4ac08 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -324,7 +324,7 @@ status=$((status+ret)) echo_i "checking map format zone is scheduled for resigning (signzone) ($n)" ret=0 rndccmd 10.53.0.1 freeze signed > rndc.out 2>&1 || ret=1 -(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null 2>&1) +(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null) rndc_reload ns1 10.53.0.1 signed rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1 grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh index c076ec54475..ddec4276180 100644 --- a/bin/tests/system/metadata/tests.sh +++ b/bin/tests/system/metadata/tests.sh @@ -30,8 +30,8 @@ standby=$(keyfile_to_key_id "$(cat standby.key)") zsk=$(keyfile_to_key_id "$(cat zsk.key)") echo_i "signing zones" -$SIGNER -Sg -o $czone $cfile > /dev/null 2>&1 -$SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1 +$SIGNER -Sg -o $czone $cfile > /dev/null +$SIGNER -Sg -o $pzone $pfile > /dev/null awk '$2 ~ /RRSIG/ { type = $3; @@ -115,7 +115,7 @@ echo_i "waiting 20 seconds for key changes to occur" sleep 20 echo_i "re-signing zone" -$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null 2>&1 +$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null echo_i "checking that standby KSK is now active ($n)" ret=0 diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh index fe3fa156120..284eb4f680f 100644 --- a/bin/tests/system/pending/ns1/sign.sh +++ b/bin/tests/system/pending/ns1/sign.sh @@ -25,7 +25,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -g -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. keyfile_to_static_keys $keyname2 > trusted.conf diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh index 2e8d68a669e..53659fc02e4 100644 --- a/bin/tests/system/pending/ns2/sign.sh +++ b/bin/tests/system/pending/ns2/sign.sh @@ -22,7 +22,7 @@ for domain in example example.com; do cat $infile $keyname1.key $keyname2.key > $zonefile - $SIGNER -3 bebe -o $zone $zonefile > /dev/null 2>&1 + $SIGNER -3 bebe -o $zone $zonefile > /dev/null done # remove "removed" record from example.com, causing the server to diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh index e26904a6b2d..ee8197eeb30 100644 --- a/bin/tests/system/redirect/ns5/sign.sh +++ b/bin/tests/system/redirect/ns5/sign.sh @@ -25,7 +25,7 @@ key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null` cat $infile $key1.key $key2.key > $zonefile -$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out 2>&1 +$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out cp signed.db.signed ../ns6 @@ -40,4 +40,4 @@ key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null` # cat $infile $key1.key $key2.key > $zonefile cat $infile dsset-signed. $key1.key $key2.key > $zonefile -$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out 2>&1 +$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh index 444e68a359d..a6c5c5b176c 100644 --- a/bin/tests/system/resolver/ns6/keygen.sh +++ b/bin/tests/system/resolver/ns6/keygen.sh @@ -19,7 +19,7 @@ cp $infile $zonefile ksk=`$KEYGEN -q -a rsasha256 -fk $zone` zsk=`$KEYGEN -q -a rsasha256 -b 2048 $zone` cat $ksk.key $zsk.key >> $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -o $zone $zonefile > /dev/null zone=example.net zonefile="${zone}.db" @@ -28,7 +28,7 @@ cp $infile $zonefile ksk=`$KEYGEN -q -a rsasha256 -fk $zone` zsk=`$KEYGEN -q -a rsasha256 $zone` cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -o $zone $zonefile > /dev/null # Configure a static key to be used by delv keyfile_to_static_keys $ksk > ../ns5/trusted.conf diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh index e1a85d877ac..59aa0b17f0e 100644 --- a/bin/tests/system/smartsign/tests.sh +++ b/bin/tests/system/smartsign/tests.sh @@ -64,10 +64,10 @@ echo_i "setting child's activation time" $SETTIME -A now+30s $cksk2 > /dev/null echo_i "signing child zone" -czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1` +czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile` echo_i "signing parent zone" -pzoneout=`$SIGNER -Sg -o $pzone $pfile 2>&1` +pzoneout=`$SIGNER -Sg -o $pzone $pfile` czactive=$(keyfile_to_key_id $czsk1) czgenerated=$(keyfile_to_key_id $czsk2) @@ -99,8 +99,8 @@ status=`expr $status + $ret` echo_i "rechecking dnssec-signzone output with -x" ret=0 # use an alternate output file so -x doesn't interfere with later checks -pzoneout=`$SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile 2>&1` -czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile 2>&1` +pzoneout=`$SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile` +czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile` echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1 echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1 @@ -204,7 +204,7 @@ status=`expr $status + $ret` echo_i "re-signing and checking imported TTLs again" ret=0 $SETTIME -L 15 ${czsk2} > /dev/null -czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1` +czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile` awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \ ${cfile}.signed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -325,7 +325,7 @@ status=`expr $status + $ret` echo_i "waiting 30 seconds for key activation" sleep 30 echo_i "re-signing child zone" -czoneout2=`$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed 2>&1` +czoneout2=`$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed` mv $cfile.new $cfile.signed echo_i "checking dnssec-signzone output matches expectations" @@ -351,7 +351,7 @@ status=`expr $status + $ret` echo_i "checking sync record deletion" ret=0 $SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null -$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null 2>&1 +$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null mv $cfile.new $cfile.signed awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed && ret=1 awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed && ret=1 diff --git a/bin/tests/system/staticstub/ns3/sign.sh b/bin/tests/system/staticstub/ns3/sign.sh index 3faf5c5d11e..ce7a0f7d131 100755 --- a/bin/tests/system/staticstub/ns3/sign.sh +++ b/bin/tests/system/staticstub/ns3/sign.sh @@ -24,7 +24,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -g -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -g -o $zone $zonefile > /dev/null # Configure the resolving server with a trusted key. keyfile_to_static_keys $keyname2 > trusted.conf @@ -36,7 +36,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -g -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -g -o $zone $zonefile > /dev/null keyfile_to_static_keys $keyname2 >> trusted.conf cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/staticstub/ns4/sign.sh b/bin/tests/system/staticstub/ns4/sign.sh index a3b22d7cd77..757c8b4a98d 100755 --- a/bin/tests/system/staticstub/ns4/sign.sh +++ b/bin/tests/system/staticstub/ns4/sign.sh @@ -21,4 +21,4 @@ keyname2=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -o $zone $zonefile > /dev/null diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh index de7478df780..710d9f4633b 100644 --- a/bin/tests/system/synthfromdnssec/ns1/sign.sh +++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh @@ -19,7 +19,7 @@ zonefile=example.db keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -o $zone $zonefile > /dev/null zone=dnamed infile=dnamed.db.in @@ -28,7 +28,7 @@ zonefile=dnamed.db keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -o $zone $zonefile > /dev/null zone=. infile=root.db.in @@ -37,7 +37,7 @@ zonefile=root.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone) cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -g -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. keyfile_to_static_keys "$keyname" > trusted.conf diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh index 8d4f9b6b6ca..1e5dcbb9b01 100644 --- a/bin/tests/system/verify/zones/genzones.sh +++ b/bin/tests/system/verify/zones/genzones.sh @@ -31,49 +31,49 @@ cp unsigned.db unsigned.bad # A set of nsec zones. setup zsk-only.nsec good $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk-only.nsec good $KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec good $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec.apex-dname good zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cp unsigned.db ${file}.tmp echo "@ DNAME data" >> ${file}.tmp -$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n # A set of nsec3 zones. setup zsk-only.nsec3 good $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk-only.nsec3 good $KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec3 good $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.optout good $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec3.apex-dname good zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cp unsigned.db ${file}.tmp echo "@ DNAME data" >> ${file}.tmp -$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n # # generate an NSEC record like @@ -94,7 +94,7 @@ FOO AAAA ::1 FOO A 127.0.0.2 aba CNAME FOO EOF -$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n || dumpit s.out$n sed 's/^FOO\./foo\./' < ${file}.tmp > ${file} # A set of zones with only DNSKEY records. @@ -115,37 +115,37 @@ cat unsigned.db $key1.key $key2.key > ${file} s="-s -2678400" setup zsk-only.nsec.expired bad $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk-only.nsec.expired bad $KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec.expired bad $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup zsk-only.nsec3.expired bad $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk-only.nsec3.expired bad $KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec3.expired bad $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n # ksk expired setup ksk+zsk.nsec.ksk-expired bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n -$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n now=`date -u +%Y%m%d%H%M%S` exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}` [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file @@ -154,8 +154,8 @@ setup ksk+zsk.nsec3.ksk-expired bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n -$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n now=`date -u +%Y%m%d%H%M%S` exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}` [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file @@ -165,36 +165,36 @@ setup ksk+zsk.nsec.broken-chain bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp -$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n # bad nsec bitmap setup ksk+zsk.nsec.bad-bitmap bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp -$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n # extra NSEC record out side of zone setup ksk+zsk.nsec.out-of-zone-nsec bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n # extra NSEC record below bottom of zone setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n || dumpit s.out$n # dnssec-signzone signs any node with a NSEC record. awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file} @@ -203,9 +203,9 @@ setup ksk+zsk.nsec.below-dname-nsec bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n # missing NSEC3 record at empty node # extract the hash fields from the empty node's NSEC 3 record then fix up @@ -214,21 +214,21 @@ setup ksk+zsk.nsec3.missing-empty bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}` b=`awk '$4 == "NSEC3" && NF == 9 { print $9; }' ${file}` awk ' $4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; } $4 == "NSEC3" && NF == 9 { next; } { print; }' ${file} > ${file}.tmp -$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n # extra NSEC3 record setup ksk+zsk.nsec3.extra-nsec3 bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n awk ' BEGIN { ZONE="'${zone}'."; @@ -240,4 +240,4 @@ $4 == "NSEC3" && NF == 9 { }' ${file} > ${file}.tmp cat ${file}.tmp >> ${file} rm -f ${file}.tmp -$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n