From: Ondřej Surý Date: Thu, 7 Nov 2019 08:52:16 +0000 (+0100) Subject: Use the shellcheck -f diff to autofix certain classes of sh errors X-Git-Tag: v9.15.6~24^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec9d6ab64cd1b9bb79e7ca1217080475a1979afd;p=thirdparty%2Fbind9.git Use the shellcheck -f diff to autofix certain classes of sh errors --- diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 5a4b44bca58..f56f31ae9e6 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -19,7 +19,7 @@ setup() { echo_i "setting up zone: $zone" zonefile="${zone}.db" infile="${zone}.db.infile" - echo $zone >> zones + echo "$zone" >> zones } private_type_record() { @@ -29,7 +29,7 @@ private_type_record() { _id=$(keyfile_to_key_id "$_keyfile") - printf "%s. 0 IN TYPE65534 \# 5 %02x%04x0000\n" $_zone $_algorithm $_id + printf "%s. 0 IN TYPE65534 \# 5 %02x%04x0000\n" "$_zone" "$_algorithm" "$_id" } @@ -46,7 +46,7 @@ for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \ rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 inherit do setup "${zn}.kasp" - cp template.db.in $zonefile + cp template.db.in "$zonefile" done # Set up zone that stays unsigned. @@ -78,65 +78,65 @@ $KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 # These signatures are set to expire long in the past, update immediately. setup expired-sigs.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # These signatures are still good, and can be reused. setup fresh-sigs.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # These signatures are still good, but not fresh enough, update immediately. setup unfresh-sigs.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # These signatures are already expired, and the private ZSK is missing. setup zsk-missing.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 -rm -f ${ZSK}.private +rm -f "${ZSK}".private # These signatures are already expired, and the private ZSK is retired. setup zsk-retired.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 -$SETTIME -s -I now -g HIDDEN $ZSK > settime.out.$zone.3 2>&1 +$SETTIME -s -I now -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1 # # The zones at zsk-prepub.autosign represent the various steps of a ZSK @@ -146,40 +146,40 @@ $SETTIME -s -I now -g HIDDEN $ZSK > settime.out.$zone.3 2>&1 # Step 1: # Introduce the first key. This will immediately be active. setup step1.zsk-prepub.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to pre-publish the successor ZSK. setup step2.zsk-prepub.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) # According to RFC 7583: Tpub(N+1) <= Tact(N) + Lzsk - Ipub # Also: Ipub = Dprp + TTLkey (+publish-safety) # so: Tact(N) = Tpub(N+1) + Ipub - Lzsk = now + (1d2h) - 30d = # now + 26h - 30d = now − 694h TactN="now-694h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 3: # After the publication interval has passed the DNSKEY of the successor ZSK # is OMNIPRESENT and the zone can thus be signed with the successor ZSK. setup step3.zsk-prepub.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1` -ZSK1=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2` -ZSK2=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) # According to RFC 7583: Tpub(N+1) <= Tact(N) + Lzsk - Ipub # Also: Tret(N) = Tact(N+1) = Tact(N) + Lzsk # so: Tact(N) = Tact(N+1) - Lzsk = now - 30d @@ -188,23 +188,23 @@ ZSK2=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3` TactN="now-30d" TpubN1="now-26h" TretN1="now+30d" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN $ZSK1 > settime.out.$zone.2 2>&1 -$SETTIME -s -S $ZSK1 -i 0 $ZSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A now -I $TretN1 -g $O -k $R $TpubN1 -z $H $TpubN1 $ZSK2 > settime.out.$zone.4 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A now -I $TretN1 -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK1 >> "$infile" -private_type_record $zone 13 $ZSK2 >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK1" >> "$infile" +private_type_record $zone 13 "$ZSK2" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 4: # After the retire interval has passed the predecessor DNSKEY can be # removed from the zone. setup step4.zsk-prepub.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1` -ZSK1=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2` -ZSK2=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) # According to RFC 7583: Tret(N) = Tact(N) + Lzsk # Also: Tdea(N) = Tret(N) + Iret # Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety) @@ -221,33 +221,33 @@ TretN="now-241h" TpubN1="now-267h" TactN1="${TretN}" TretN1="now+479h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -z $U $TretN $ZSK1 > settime.out.$zone.2 2>&1 -$SETTIME -s -S $ZSK1 -i 0 $ZSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -z $R $TactN1 $ZSK2 > settime.out.$zone.4 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1 cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. setup step5.zsk-prepub.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1` -ZSK1=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2` -ZSK2=`$KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) # Substract DNSKEY TTL from all the times (1h). TactN="now-962h" TretN="now-242h" TpubN1="now-268h" TactN1="${TretN}" TretN1="now+478h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I $TretN -D now -g $H -k $U $TretN -z $U $TretN $ZSK1 > settime.out.$zone.2 2>&1 -$SETTIME -s -S $ZSK1 -i 0 $ZSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -z $R $TactN1 $ZSK2 > settime.out.$zone.4 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -D now -g $H -k $U $TretN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1 cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK1 >> "$infile" -private_type_record $zone 13 $ZSK2 >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK1" >> "$infile" +private_type_record $zone 13 "$ZSK2" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # @@ -258,37 +258,37 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 1: # Introduce the first key. This will immediately be active. setup step1.ksk-doubleksk.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to submit the introduce the new KSK. setup step2.ksk-doubleksk.autosign -KSK=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2` +KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2) # According to RFC 7583: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC # Also: IpubC = DprpC + TTLkey (+publish-safety) # so: Tact(N) = Tpub(N+1) - Lksk + Dreg + IpubC = now - 60d + (1d3h) # now - 1440h + 27h = now - 1413h TactN="now-1413h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN $KSK > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS. setup step3.ksk-doubleksk.autosign -KSK1=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1` -KSK2=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3` +KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3) # According to RFC 7583: Tsbm(N+1) >= Trdy(N+1) # Also: Tact(N+1) = Tsbm(N+1) + Dreg # so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 60d = now - 59d @@ -299,22 +299,22 @@ TactN="now-59d" TretN="now+1d" TpubN1="now-27h" TretN1="now+61d" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN $KSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $KSK1 -i 0 $KSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 $KSK2 > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK1 >> "$infile" -private_type_record $zone 13 $KSK2 >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK1" >> "$infile" +private_type_record $zone 13 "$KSK2" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS should be swapped now. setup step4.ksk-doubleksk.autosign -KSK1=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1` -KSK2=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3` +KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3) # According to RFC 7583: Tdea(N) = Tret(N) + Iret # Also: Tret(N) = Tsbm(N+1) + Dreg # Also: Tact(N+1) = Tret(N) @@ -331,22 +331,22 @@ TpubN1="now-101h" TsbmN1="now-74h" TactN1="${TretN}" TretN1="now+1390h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 $KSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $KSK1 -i 0 $KSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 $KSK2 > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK1 >> "$infile" -private_type_record $zone 13 $KSK2 >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK1" >> "$infile" +private_type_record $zone 13 "$KSK2" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. setup step5.ksk-doubleksk.autosign -KSK1=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1` -KSK2=`$KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2` -ZSK=`$KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3` +KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3) # Substract DNSKEY TTL from all the times (2h). TactN="now-1492h" TretN="now-52h" @@ -354,14 +354,14 @@ TpubN1="now-102h" TsbmN1="now-75h" TactN1="${TretN}" TretN1="now+1388h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TretN -r $U $TretN -d $H $TretN $KSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $KSK1 -i 0 $KSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 $KSK2 > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN $ZSK > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 13 $KSK1 >> "$infile" -private_type_record $zone 13 $KSK2 >> "$infile" -private_type_record $zone 13 $ZSK >> "$infile" +private_type_record $zone 13 "$KSK1" >> "$infile" +private_type_record $zone 13 "$KSK2" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # @@ -372,17 +372,17 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 1: # Introduce the first key. This will immediately be active. setup step1.csk-roll.autosign -CSK=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone 13 $CSK >> "$infile" +private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. setup step2.csk-roll.autosign -CSK=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub # According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC # Also: Ipub = Dprp + TTLkey (+publish-safety) @@ -391,16 +391,16 @@ CSK=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` # so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1d + 3h = # now - 4464h + 24h + 3h = now - 4437h TactN="now-4437h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone 13 $CSK >> "$infile" +private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. setup step3.csk-roll.autosign -CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # According to RFC 7583: Tsbm(N+1) >= Trdy(N+1) # Also: Tact(N+1) = Tsbm(N+1) + Dreg # so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 6mo = now - 185d @@ -411,12 +411,12 @@ TactN="now-185d" TretN="now+1d" TpubN1="now-3h" TretN1="now+187d" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 4: @@ -427,8 +427,8 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # (1d + 1h + 1h + 2h = 1d4h). In other words, the DS is swapped before all # zone signatures are replaced. setup step4.csk-roll.autosign -CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # According to RFC 7583: Tdea(N) = Tret(N) + Iret # Also: Iret = 1h + 1h + 2h = 4h # Also: Tact(N+1) = Tret(N) @@ -444,20 +444,20 @@ TpubN1="now-31h" TsbmN1="now-28h" TactN1="${TretN}" TretN1="now+4460h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 5: # After the DS is swapped in step 4, also the KRRSIG records can be removed. # At this time these have all become hidden. setup step5.csk-roll.autosign -CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # Substract DNSKEY TTL plus zone propagation delay from all the times (2h). TactN="now-4470h" TretN="now-6h" @@ -466,20 +466,20 @@ TpubN1="now-33h" TsbmN1="now-30h" TactN1="${TretN}" TretN1="now+4458h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $U $TdeaN -d $H $TdeaN -z $U $TsbmN1 $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $U $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 6: # After the retire interval has passed the predecessor DNSKEY can be # removed from the zone. setup step6.csk-roll.autosign -CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # According to RFC 7583: Tdea(N) = Tret(N) + Iret # Also: Tret(N) = Tact(N) + Lzsk # Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety) @@ -496,19 +496,19 @@ TpubN1="now-630h" TsbmN1="now-627h" TactN1="${TretN}" TretN1="now+3837h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $H $TdeaN -d $H $TdeaN -z $U $TsbmN1 $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $H $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 7: # Some time later the predecessor DNSKEY enters the HIDDEN state. setup step7.csk-roll.autosign -CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # Substract DNSKEY TTL plus zone propagation delay from all the times (2h). TactN="now-5093h" TretN="now-629h" @@ -517,12 +517,12 @@ TpubN1="now-632h" TsbmN1="now-629h" TactN1="${TretN}" TretN1="now+3835h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U now-2h -r $H $TdeaN -d $H $TdeaN -z $H $TsbmN1 $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $O $TsbmN1 $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U now-2h -r $H $TdeaN -d $H $TdeaN -z $H $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $O $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # @@ -535,17 +535,17 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 1: # Introduce the first key. This will immediately be active. setup step1.csk-roll2.autosign -CSK=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone 13 $CSK >> "$infile" +private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. setup step2.csk-roll2.autosign -CSK=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub # According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC # Also: Ipub = Dprp + TTLkey (+publish-safety) @@ -554,16 +554,16 @@ CSK=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` # so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1w + 3h = # now - 4464h + 168h + 3h = now - 4635h TactN="now-4635h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone 13 $CSK >> "$infile" +private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. setup step3.csk-roll2.autosign -CSK1=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # According to RFC 7583: Tsbm(N+1) >= Trdy(N+1) # Also: Tact(N+1) = Tsbm(N+1) + Dreg # so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1w - 6mo = now - 179d @@ -574,12 +574,12 @@ TactN="now-179d" TretN="now+1w" TpubN1="now-3h" TretN1="now+193d" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 4: @@ -590,8 +590,8 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # (1w + 1h + 1h + 1h = 1w3h). In other words, the zone signatures are # replaced before the DS is swapped. setup step4.csk-roll2.autosign -CSK1=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # According to RFC 7583: Tdea(N) = Tret(N) + Iret # Also: Tret(N) = Tact(N) + Lzsk # Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety) @@ -605,39 +605,39 @@ TretN="now-38h" TpubN1="now-41h" TactN1="${TretN}" TretN1="now+4426" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $U $TretN $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $R $TretN $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $U $TretN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $R $TretN "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 5: # Some time later the DS can be swapped and the old DNSKEY can be removed from # the zone. setup step5.csk-roll2.autosign -CSK1=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # Substract Dreg + Iret (174h). TactN="now-4676h" TretN="now-212h" TpubN1="now-215h" TactN1="${TretN}" TretN1="now+4252h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $H $TretN $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $O $TretN $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $O $TretN "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 6: # Some time later the predecessor DNSKEY enters the HIDDEN state. setup step6.csk-roll2.autosign -CSK1=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` -CSK2=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1` +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) # Substract DNSKEY TTL plus zone propagation delay (2h). TactN="now-4678h" TretN="now-214h" @@ -645,10 +645,10 @@ TdeaN="now-2h" TpubN1="now-217h" TactN1="${TretN}" TretN1="now+4250h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TdeaN -r $U $TdeaN -d $H $TretN -z $H $TretN $CSK1 > settime.out.$zone.1 2>&1 -$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN $CSK2 > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TdeaN -r $U $TdeaN -d $H $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN "$CSK2" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 13 $CSK1 >> "$infile" -private_type_record $zone 13 $CSK2 >> "$infile" +private_type_record $zone 13 "$CSK1" >> "$infile" +private_type_record $zone 13 "$CSK2" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index e577b5699ad..61a5a7c98b6 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -104,12 +104,11 @@ key_clear "KEY3" # Call dig with default options. dig_with_opts() { - _tsig="" if [ -n "$TSIG" ]; then - _tsig="-y $TSIG" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" fi - - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT $_tsig "$@" } # RNDC. @@ -131,12 +130,12 @@ get_keys_which_signed() { get_keyids() { _dir=$1 _zone=$2 - _algorithm=$(printf "%03d" $3) + _algorithm=$(printf "%03d" "$3") _start="${_dir}/K${_zone}.+${_algorithm}+" _end=".key" - if [ $_algorithm -ne 0 ]; then - ls ${_start}*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/" + if [ "$_algorithm" -ne 0 ]; then + ls "${_start}"*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/" fi } @@ -182,10 +181,10 @@ key_properties() { key_set "$1" "ROLE" "$2" key_set "$1" "KSK" "no" key_set "$1" "ZSK" "no" - test $2 == "ksk" && key_set "$1" "KSK" "yes" - test $2 == "zsk" && key_set "$1" "ZSK" "yes" - test $2 == "csk" && key_set "$1" "KSK" "yes" - test $2 == "csk" && key_set "$1" "ZSK" "yes" + test "$2" == "ksk" && key_set "$1" "KSK" "yes" + test "$2" == "zsk" && key_set "$1" "ZSK" "yes" + test "$2" == "csk" && key_set "$1" "KSK" "yes" + test "$2" == "csk" && key_set "$1" "ZSK" "yes" key_set "$1" "LIFETIME" "$3" key_set "$1" "ALG_NUM" "$4" key_set "$1" "ALG_STR" "$5" @@ -247,9 +246,9 @@ check_key() { _zone="$ZONE" _role=$(key_get "$1" ROLE) _key_idpad=$2 - _key_id=$(echo $_key_idpad | sed 's/^0*//') + _key_id=$(echo "$_key_idpad" | sed 's/^0*//') _alg_num=$(key_get "$1" ALG_NUM) - _alg_numpad=$(printf "%03d" $_alg_num) + _alg_numpad=$(printf "%03d" "$_alg_num") _alg_string=$(key_get "$1" ALG_STR) _length=$(key_get "$1" "ALG_LEN") _dnskey_ttl="$DNSKEY_TTL" @@ -269,15 +268,15 @@ check_key() { _ksk="no" _zsk="no" - if [ "$_role" == "ksk" ]; then + if [ "$_role" = "ksk" ]; then _role2="key-signing" _ksk="yes" _flags="257" - elif [ "$_role" == "zsk" ]; then + elif [ "$_role" = "zsk" ]; then _role2="zone-signing" _zsk="yes" _flags="256" - elif [ "$_role" == "csk" ]; then + elif [ "$_role" = "csk" ]; then _role2="key-signing" _zsk="yes" _ksk="yes" @@ -293,112 +292,112 @@ check_key() { test $_log -eq 1 && echo_i "check key $BASE_FILE" # Check the public key file. - grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." $KEY_FILE > /dev/null || log_error "mismatch top comment in $KEY_FILE" - grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" $KEY_FILE > /dev/null || log_error "mismatch DNSKEY record in $KEY_FILE" + grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" > /dev/null || log_error "mismatch top comment in $KEY_FILE" + grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" > /dev/null || log_error "mismatch DNSKEY record in $KEY_FILE" # Now check the private key file. - grep "Private-key-format: v1.3" $PRIVATE_FILE > /dev/null || log_error "mismatch private key format in $PRIVATE_FILE" - grep "Algorithm: ${_alg_num} (${_alg_string})" $PRIVATE_FILE > /dev/null || log_error "mismatch algorithm in $PRIVATE_FILE" + grep "Private-key-format: v1.3" "$PRIVATE_FILE" > /dev/null || log_error "mismatch private key format in $PRIVATE_FILE" + grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" > /dev/null || log_error "mismatch algorithm in $PRIVATE_FILE" # Now check the key state file. - grep "This is the state of key ${_key_id}, for ${_zone}." $STATE_FILE > /dev/null || log_error "mismatch top comment in $STATE_FILE" - grep "Lifetime: ${_lifetime}" $STATE_FILE > /dev/null || log_error "mismatch lifetime in $STATE_FILE" - grep "Algorithm: ${_alg_num}" $STATE_FILE > /dev/null || log_error "mismatch algorithm in $STATE_FILE" - grep "Length: ${_length}" $STATE_FILE > /dev/null || log_error "mismatch length in $STATE_FILE" - grep "KSK: ${_ksk}" $STATE_FILE > /dev/null || log_error "mismatch ksk in $STATE_FILE" - grep "ZSK: ${_zsk}" $STATE_FILE > /dev/null || log_error "mismatch zsk in $STATE_FILE" + grep "This is the state of key ${_key_id}, for ${_zone}." "$STATE_FILE" > /dev/null || log_error "mismatch top comment in $STATE_FILE" + grep "Lifetime: ${_lifetime}" "$STATE_FILE" > /dev/null || log_error "mismatch lifetime in $STATE_FILE" + grep "Algorithm: ${_alg_num}" "$STATE_FILE" > /dev/null || log_error "mismatch algorithm in $STATE_FILE" + grep "Length: ${_length}" "$STATE_FILE" > /dev/null || log_error "mismatch length in $STATE_FILE" + grep "KSK: ${_ksk}" "$STATE_FILE" > /dev/null || log_error "mismatch ksk in $STATE_FILE" + grep "ZSK: ${_zsk}" "$STATE_FILE" > /dev/null || log_error "mismatch zsk in $STATE_FILE" # Check key states. - if [ "$_goal" == "none" ]; then - grep "GoalState: " $STATE_FILE > /dev/null && log_error "unexpected goal state in $STATE_FILE" + if [ "$_goal" = "none" ]; then + grep "GoalState: " "$STATE_FILE" > /dev/null && log_error "unexpected goal state in $STATE_FILE" else - grep "GoalState: ${_goal}" $STATE_FILE > /dev/null || log_error "mismatch goal state in $STATE_FILE" + grep "GoalState: ${_goal}" "$STATE_FILE" > /dev/null || log_error "mismatch goal state in $STATE_FILE" fi - if [ "$_state_dnskey" == "none" ]; then - grep "DNSKEYState: " $STATE_FILE > /dev/null && log_error "unexpected dnskey state in $STATE_FILE" - grep "DNSKEYChange: " $STATE_FILE > /dev/null && log_error "unexpected dnskey change in $STATE_FILE" + if [ "$_state_dnskey" = "none" ]; then + grep "DNSKEYState: " "$STATE_FILE" > /dev/null && log_error "unexpected dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" > /dev/null && log_error "unexpected dnskey change in $STATE_FILE" else - grep "DNSKEYState: ${_state_dnskey}" $STATE_FILE > /dev/null || log_error "mismatch dnskey state in $STATE_FILE" - grep "DNSKEYChange: " $STATE_FILE > /dev/null || log_error "mismatch dnskey change in $STATE_FILE" + grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" > /dev/null || log_error "mismatch dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" > /dev/null || log_error "mismatch dnskey change in $STATE_FILE" fi - if [ "$_state_zrrsig" == "none" ]; then - grep "ZRRSIGState: " $STATE_FILE > /dev/null && log_error "unexpected zrrsig state in $STATE_FILE" - grep "ZRRSIGChange: " $STATE_FILE > /dev/null && log_error "unexpected zrrsig change in $STATE_FILE" + if [ "$_state_zrrsig" = "none" ]; then + grep "ZRRSIGState: " "$STATE_FILE" > /dev/null && log_error "unexpected zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null && log_error "unexpected zrrsig change in $STATE_FILE" else - grep "ZRRSIGState: ${_state_zrrsig}" $STATE_FILE > /dev/null || log_error "mismatch zrrsig state in $STATE_FILE" - grep "ZRRSIGChange: " $STATE_FILE > /dev/null || log_error "mismatch zrrsig change in $STATE_FILE" + grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" > /dev/null || log_error "mismatch zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null || log_error "mismatch zrrsig change in $STATE_FILE" fi - if [ "$_state_krrsig" == "none" ]; then - grep "KRRSIGState: " $STATE_FILE > /dev/null && log_error "unexpected krrsig state in $STATE_FILE" - grep "KRRSIGChange: " $STATE_FILE > /dev/null && log_error "unexpected krrsig change in $STATE_FILE" + if [ "$_state_krrsig" = "none" ]; then + grep "KRRSIGState: " "$STATE_FILE" > /dev/null && log_error "unexpected krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" > /dev/null && log_error "unexpected krrsig change in $STATE_FILE" else - grep "KRRSIGState: ${_state_krrsig}" $STATE_FILE > /dev/null || log_error "mismatch krrsig state in $STATE_FILE" - grep "KRRSIGChange: " $STATE_FILE > /dev/null || log_error "mismatch krrsig change in $STATE_FILE" + grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" > /dev/null || log_error "mismatch krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" > /dev/null || log_error "mismatch krrsig change in $STATE_FILE" fi - if [ "$_state_ds" == "none" ]; then - grep "DSState: " $STATE_FILE > /dev/null && log_error "unexpected ds state in $STATE_FILE" - grep "DSChange: " $STATE_FILE > /dev/null && log_error "unexpected ds change in $STATE_FILE" + if [ "$_state_ds" = "none" ]; then + grep "DSState: " "$STATE_FILE" > /dev/null && log_error "unexpected ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" > /dev/null && log_error "unexpected ds change in $STATE_FILE" else - grep "DSState: ${_state_ds}" $STATE_FILE > /dev/null || log_error "mismatch ds state in $STATE_FILE" - grep "DSChange: " $STATE_FILE > /dev/null || log_error "mismatch ds change in $STATE_FILE" + grep "DSState: ${_state_ds}" "$STATE_FILE" > /dev/null || log_error "mismatch ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" > /dev/null || log_error "mismatch ds change in $STATE_FILE" fi # Check timing metadata. - if [ "$_published" == "none" ]; then - grep "; Publish:" $KEY_FILE > /dev/null && log_error "unexpected publish comment in $KEY_FILE" - grep "Publish:" $PRIVATE_FILE > /dev/null && log_error "unexpected publish in $PRIVATE_FILE" - grep "Published: " $STATE_FILE > /dev/null && log_error "unexpected publish in $STATE_FILE" + if [ "$_published" = "none" ]; then + grep "; Publish:" "$KEY_FILE" > /dev/null && log_error "unexpected publish comment in $KEY_FILE" + grep "Publish:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected publish in $PRIVATE_FILE" + grep "Published: " "$STATE_FILE" > /dev/null && log_error "unexpected publish in $STATE_FILE" else - grep "; Publish:" $KEY_FILE > /dev/null || log_error "mismatch publish comment in $KEY_FILE ($KEY_PUBLISHED)" - grep "Publish:" $PRIVATE_FILE > /dev/null || log_error "mismatch publish in $PRIVATE_FILE ($KEY_PUBLISHED)" - grep "Published:" $STATE_FILE > /dev/null || log_error "mismatch publish in $STATE_FILE ($KEY_PUBLISHED)" + grep "; Publish:" "$KEY_FILE" > /dev/null || log_error "mismatch publish comment in $KEY_FILE ($KEY_PUBLISHED)" + grep "Publish:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch publish in $PRIVATE_FILE ($KEY_PUBLISHED)" + grep "Published:" "$STATE_FILE" > /dev/null || log_error "mismatch publish in $STATE_FILE ($KEY_PUBLISHED)" fi - if [ "$_active" == "none" ]; then - grep "; Activate:" $KEY_FILE > /dev/null && log_error "unexpected active comment in $KEY_FILE" - grep "Activate:" $PRIVATE_FILE > /dev/null && log_error "unexpected active in $PRIVATE_FILE" - grep "Active: " $STATE_FILE > /dev/null && log_error "unexpected active in $STATE_FILE" + if [ "$_active" = "none" ]; then + grep "; Activate:" "$KEY_FILE" > /dev/null && log_error "unexpected active comment in $KEY_FILE" + grep "Activate:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected active in $PRIVATE_FILE" + grep "Active: " "$STATE_FILE" > /dev/null && log_error "unexpected active in $STATE_FILE" else - grep "; Activate:" $KEY_FILE > /dev/null || log_error "mismatch active comment in $KEY_FILE" - grep "Activate:" $PRIVATE_FILE > /dev/null || log_error "mismatch active in $PRIVATE_FILE" - grep "Active: " $STATE_FILE > /dev/null || log_error "mismatch active in $STATE_FILE" + grep "; Activate:" "$KEY_FILE" > /dev/null || log_error "mismatch active comment in $KEY_FILE" + grep "Activate:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch active in $PRIVATE_FILE" + grep "Active: " "$STATE_FILE" > /dev/null || log_error "mismatch active in $STATE_FILE" fi - if [ "$_retired" == "none" ]; then - grep "; Inactive:" $KEY_FILE > /dev/null && log_error "unexpected retired comment in $KEY_FILE" - grep "Inactive:" $PRIVATE_FILE > /dev/null && log_error "unexpected retired in $PRIVATE_FILE" - grep "Retired: " $STATE_FILE > /dev/null && log_error "unexpected retired in $STATE_FILE" + if [ "$_retired" = "none" ]; then + grep "; Inactive:" "$KEY_FILE" > /dev/null && log_error "unexpected retired comment in $KEY_FILE" + grep "Inactive:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected retired in $PRIVATE_FILE" + grep "Retired: " "$STATE_FILE" > /dev/null && log_error "unexpected retired in $STATE_FILE" else - grep "; Inactive:" $KEY_FILE > /dev/null || log_error "mismatch retired comment in $KEY_FILE" - grep "Inactive:" $PRIVATE_FILE > /dev/null || log_error "mismatch retired in $PRIVATE_FILE" - grep "Retired: " $STATE_FILE > /dev/null || log_error "mismatch retired in $STATE_FILE" + grep "; Inactive:" "$KEY_FILE" > /dev/null || log_error "mismatch retired comment in $KEY_FILE" + grep "Inactive:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch retired in $PRIVATE_FILE" + grep "Retired: " "$STATE_FILE" > /dev/null || log_error "mismatch retired in $STATE_FILE" fi - if [ "$_revoked" == "none" ]; then - grep "; Revoke:" $KEY_FILE > /dev/null && log_error "unexpected revoked comment in $KEY_FILE" - grep "Revoke:" $PRIVATE_FILE > /dev/null && log_error "unexpected revoked in $PRIVATE_FILE" - grep "Revoked: " $STATE_FILE > /dev/null && log_error "unexpected revoked in $STATE_FILE" + if [ "$_revoked" = "none" ]; then + grep "; Revoke:" "$KEY_FILE" > /dev/null && log_error "unexpected revoked comment in $KEY_FILE" + grep "Revoke:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected revoked in $PRIVATE_FILE" + grep "Revoked: " "$STATE_FILE" > /dev/null && log_error "unexpected revoked in $STATE_FILE" else - grep "; Revoke:" $KEY_FILE > /dev/null || log_error "mismatch revoked comment in $KEY_FILE" - grep "Revoke:" $PRIVATE_FILE > /dev/null || log_error "mismatch revoked in $PRIVATE_FILE" - grep "Revoked: " $STATE_FILE > /dev/null || log_error "mismatch revoked in $STATE_FILE" + grep "; Revoke:" "$KEY_FILE" > /dev/null || log_error "mismatch revoked comment in $KEY_FILE" + grep "Revoke:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch revoked in $PRIVATE_FILE" + grep "Revoked: " "$STATE_FILE" > /dev/null || log_error "mismatch revoked in $STATE_FILE" fi - if [ "$_removed" == "none" ]; then - grep "; Delete:" $KEY_FILE > /dev/null && log_error "unexpected removed comment in $KEY_FILE" - grep "Delete:" $PRIVATE_FILE > /dev/null && log_error "unexpected removed in $PRIVATE_FILE" - grep "Removed: " $STATE_FILE > /dev/null && log_error "unexpected removed in $STATE_FILE" + if [ "$_removed" = "none" ]; then + grep "; Delete:" "$KEY_FILE" > /dev/null && log_error "unexpected removed comment in $KEY_FILE" + grep "Delete:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected removed in $PRIVATE_FILE" + grep "Removed: " "$STATE_FILE" > /dev/null && log_error "unexpected removed in $STATE_FILE" else - grep "; Delete:" $KEY_FILE > /dev/null || log_error "mismatch removed comment in $KEY_FILE" - grep "Delete:" $PRIVATE_FILE > /dev/null || log_error "mismatch removed in $PRIVATE_FILE" - grep "Removed: " $STATE_FILE > /dev/null || log_error "mismatch removed in $STATE_FILE" + grep "; Delete:" "$KEY_FILE" > /dev/null || log_error "mismatch removed comment in $KEY_FILE" + grep "Delete:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch removed in $PRIVATE_FILE" + grep "Removed: " "$STATE_FILE" > /dev/null || log_error "mismatch removed in $STATE_FILE" fi - grep "; Created:" $KEY_FILE > /dev/null || log_error "mismatch created comment in $KEY_FILE" - grep "Created:" $PRIVATE_FILE > /dev/null || log_error "mismatch created in $PRIVATE_FILE" - grep "Generated: " $STATE_FILE > /dev/null || log_error "mismatch generated in $STATE_FILE" + grep "; Created:" "$KEY_FILE" > /dev/null || log_error "mismatch created comment in $KEY_FILE" + grep "Created:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch created in $PRIVATE_FILE" + grep "Generated: " "$STATE_FILE" > /dev/null || log_error "mismatch generated in $STATE_FILE" } # Check the key with key id $1 and see if it is unused. @@ -415,9 +414,9 @@ key_unused() { _dir=$DIR _zone=$ZONE _key_idpad=$1 - _key_id=$(echo $_key_idpad | sed 's/^0*//') + _key_id=$(echo "$_key_idpad" | sed 's/^0*//') _alg_num=$(key_get KEY1 ALG_NUM) - _alg_numpad=$(printf "%03d" $_alg_num) + _alg_numpad=$(printf "%03d" "$_alg_num") BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" KEY_FILE="${BASE_FILE}.key" @@ -428,21 +427,21 @@ key_unused() { test $_log -eq 1 && echo_i "key unused $KEY_ID?" # Check timing metadata. - grep "; Publish:" $KEY_FILE > /dev/null && log_error "unexpected publish comment in $KEY_FILE" - grep "Publish:" $PRIVATE_FILE > /dev/null && log_error "unexpected publish in $PRIVATE_FILE" - grep "Published: " $STATE_FILE > /dev/null && log_error "unexpected publish in $STATE_FILE" - grep "; Activate:" $KEY_FILE > /dev/null && log_error "unexpected active comment in $KEY_FILE" - grep "Activate:" $PRIVATE_FILE > /dev/null && log_error "unexpected active in $PRIVATE_FILE" - grep "Active: " $STATE_FILE > /dev/null && log_error "unexpected active in $STATE_FILE" - grep "; Inactive:" $KEY_FILE > /dev/null && log_error "unexpected retired comment in $KEY_FILE" - grep "Inactive:" $PRIVATE_FILE > /dev/null && log_error "unexpected retired in $PRIVATE_FILE" - grep "Retired: " $STATE_FILE > /dev/null && log_error "unexpected retired in $STATE_FILE" - grep "; Revoke:" $KEY_FILE > /dev/null && log_error "unexpected revoked comment in $KEY_FILE" - grep "Revoke:" $PRIVATE_FILE > /dev/null && log_error "unexpected revoked in $PRIVATE_FILE" - grep "Revoked: " $STATE_FILE > /dev/null && log_error "unexpected revoked in $STATE_FILE" - grep "; Delete:" $KEY_FILE > /dev/null && log_error "unexpected removed comment in $KEY_FILE" - grep "Delete:" $PRIVATE_FILE > /dev/null && log_error "unexpected removed in $PRIVATE_FILE" - grep "Removed: " $STATE_FILE > /dev/null && log_error "unexpected removed in $STATE_FILE" + grep "; Publish:" "$KEY_FILE" > /dev/null && log_error "unexpected publish comment in $KEY_FILE" + grep "Publish:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected publish in $PRIVATE_FILE" + grep "Published: " "$STATE_FILE" > /dev/null && log_error "unexpected publish in $STATE_FILE" + grep "; Activate:" "$KEY_FILE" > /dev/null && log_error "unexpected active comment in $KEY_FILE" + grep "Activate:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected active in $PRIVATE_FILE" + grep "Active: " "$STATE_FILE" > /dev/null && log_error "unexpected active in $STATE_FILE" + grep "; Inactive:" "$KEY_FILE" > /dev/null && log_error "unexpected retired comment in $KEY_FILE" + grep "Inactive:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected retired in $PRIVATE_FILE" + grep "Retired: " "$STATE_FILE" > /dev/null && log_error "unexpected retired in $STATE_FILE" + grep "; Revoke:" "$KEY_FILE" > /dev/null && log_error "unexpected revoked comment in $KEY_FILE" + grep "Revoke:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected revoked in $PRIVATE_FILE" + grep "Revoked: " "$STATE_FILE" > /dev/null && log_error "unexpected revoked in $STATE_FILE" + grep "; Delete:" "$KEY_FILE" > /dev/null && log_error "unexpected removed comment in $KEY_FILE" + grep "Delete:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected removed in $PRIVATE_FILE" + grep "Removed: " "$STATE_FILE" > /dev/null && log_error "unexpected removed in $STATE_FILE" } # Test: dnssec-verify zone $1. @@ -451,8 +450,8 @@ dnssec_verify() n=$((n+1)) echo_i "dnssec-verify zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @${SERVER} AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed" - $VERIFY -z -o $ZONE dig.out.axfr.test$n > /dev/null || log_error "dnssec verify zone $ZONE failed" + dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed" + $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > /dev/null || log_error "dnssec verify zone $ZONE failed" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) } @@ -469,8 +468,8 @@ zone_properties "keys" "kasp" "kasp" "200" "10.53.0.1" n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" ret=0 -$KEYGEN -K keys -k $POLICY -l kasp.conf $ZONE > keygen.out.$POLICY.test$n 2>/dev/null || ret=1 -lines=$(cat keygen.out.$POLICY.test$n | wc -l) +$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(cat "keygen.out.$POLICY.test$n" | wc -l) test "$lines" -eq 4 || log_error "wrong number of keys created for policy kasp: $lines" # Temporarily don't log errors because we are searching multiple files. _log=0 @@ -478,8 +477,8 @@ _log=0 key_properties "KEY1" "csk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" -id=$(get_keyids $DIR $ZONE $(key_get KEY1 ALG_NUM)) -check_key "KEY1" $id +id=$(get_keyids "$DIR" "$ZONE" $(key_get KEY1 ALG_NUM)) +check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) # Check the other algorithm. @@ -495,17 +494,17 @@ key_properties "KEY3" "zsk" "16070400" "8" "RSASHA256" "2000" "yes" "no" key_timings "KEY3" "none" "none" "none" "none" "none" key_states "KEY3" "none" "none" "none" "none" "none" -ids=$(get_keyids $DIR $ZONE $(key_get KEY1 ALG_NUM)) +ids=$(get_keyids "$DIR" "$ZONE" $(key_get KEY1 ALG_NUM)) for id in $ids; do # There are three key files with the same algorithm. # Check them until a match is found. - ret=0 && check_key "KEY1" $id + ret=0 && check_key "KEY1" "$id" test "$ret" -eq 0 && continue - ret=0 && check_key "KEY2" $id + ret=0 && check_key "KEY2" "$id" test "$ret" -eq 0 && continue - ret=0 && check_key "KEY3" $id + ret=0 && check_key "KEY3" "$id" # If ret is still non-zero, non of the files matched. test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -520,11 +519,11 @@ zone_properties "." "kasp" "default" "3600" "10.53.0.1" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" -$KEYGEN -k $POLICY $ZONE > keygen.out.$POLICY.test$n 2>/dev/null || ret=1 +$KEYGEN -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 lines=$(cat keygen.out.default.test$n | wc -l) test "$lines" -eq 1 || log_error "wrong number of keys created for policy default: $lines" -id=$(get_keyids $DIR $ZONE $(key_get KEY1 ALG_NUM)) -check_key "KEY1" $id +id=$(get_keyids "$DIR" "$ZONE" $(key_get KEY1 ALG_NUM)) +check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -535,11 +534,11 @@ zone_properties "." "kasp" "default" "3600" "10.53.0.1" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" -$KEYGEN -k $POLICY $ZONE > keygen.out.$POLICY.test$n 2>/dev/null || ret=1 -lines=$(cat keygen.out.$POLICY.test$n | wc -l) +$KEYGEN -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(cat "keygen.out.$POLICY.test$n" | wc -l) test "$lines" -eq 1 || log_error "wrong number of keys created for policy default: $lines" -id=$(get_keyids $DIR $ZONE $(key_get KEY1 ALG_NUM)) -check_key "KEY1" $id +id=$(get_keyids "$DIR" "$ZONE" $(key_get KEY1 ALG_NUM)) +check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -553,46 +552,46 @@ CMP_FILE="${BASE_FILE}.cmp" n=$((n+1)) echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)" ret=0 -cp $STATE_FILE $CMP_FILE -$SETTIME -P +3600 $BASE_FILE > /dev/null || log_error "settime failed" -grep "; Publish: " $KEY_FILE > /dev/null || log_error "mismatch published in $KEY_FILE" -grep "Publish: " $PRIVATE_FILE > /dev/null || log_error "mismatch published in $PRIVATE_FILE" -$DIFF $CMP_FILE $STATE_FILE || log_error "unexpected file change in $STATE_FILE" +cp "$STATE_FILE" "$CMP_FILE" +$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed" +grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE" +grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE" +$DIFF "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)" ret=0 -cp $STATE_FILE $CMP_FILE +cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) -$SETTIME -s -P $now -g "omnipresent" -k "rumoured" $now -z "omnipresent" $now -r "rumoured" $now -d "hidden" $now $BASE_FILE > /dev/null || log_error "settime failed" +$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" key_timings "KEY1" "published" "none" "none" "none" "none" key_states "KEY1" "omnipresent" "rumoured" "omnipresent" "rumoured" "hidden" -check_key "KEY1" $id +check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)" ret=0 -cp $STATE_FILE $CMP_FILE -$SETTIME -s -P "none" -g "none" -k "none" $now -z "none" $now -r "none" $now -d "none" $now $BASE_FILE > /dev/null || log_error "settime failed" +cp "$STATE_FILE" "$CMP_FILE" +$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" -check_key "KEY1" $id +check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)" ret=0 -cp $STATE_FILE $CMP_FILE +cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) -$SETTIME -s -A $now -g "HIDDEN" -k "UNRETENTIVE" $now -z "UNRETENTIVE" $now -r "OMNIPRESENT" $now -d "OMNIPRESENT" $now $BASE_FILE > /dev/null || log_error "settime failed" +$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" key_timings "KEY1" "none" "active" "none" "none" "none" key_states "KEY1" "hidden" "unretentive" "unretentive" "omnipresent" "omnipresent" -check_key "KEY1" $id +check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -612,13 +611,13 @@ i=0 while [ $i -lt 30 ] do ret=0 - for z in `cat ns3/zones` + for z in $(cat ns3/zones) do - dig_with_opts $z @10.53.0.3 nsec > dig.out.ns3.test$n.$z || ret=1 - grep "NS SOA" dig.out.ns3.test$n.$z > /dev/null || ret=1 - grep "$z\..*IN.*RRSIG" dig.out.ns3.test$n.$z > /dev/null || ret=1 + dig_with_opts "$z" @10.53.0.3 nsec > "dig.out.ns3.test$n.$z" || ret=1 + grep "NS SOA" "dig.out.ns3.test$n.$z" > /dev/null || ret=1 + grep "$z\..*IN.*RRSIG" "dig.out.ns3.test$n.$z" > /dev/null || ret=1 done - i=`expr $i + 1` + i=$((i+1)) if [ $ret = 0 ]; then break; fi echo_i "waiting ... ($i)" sleep 1 @@ -641,25 +640,25 @@ key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" n=$((n+1)) echo_i "check key is created for zone ${ZONE} ($n)" ret=0 -id=$(get_keyids $DIR $ZONE $(key_get KEY1 ALG_NUM)) -check_key "KEY1" $id +id=$(get_keyids "$DIR" "$ZONE" $(key_get KEY1 ALG_NUM)) +check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) # Verify signed zone. -dnssec_verify $ZONE +dnssec_verify "$ZONE" # Test DNSKEY query. qtype="DNSKEY" n=$((n+1)) echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 -dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" -grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" -grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${qtype}.*257.*.3.*${KEY1__ALG_NUM}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response" -lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l) +dig_with_opts "$ZONE" "@${SERVER}" $qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${qtype} failed" +grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" +grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${qtype}.*257.*.3.*${KEY1__ALG_NUM}" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${qtype} record in response" +lines=$(get_keys_which_signed $qtype "dig.out.$DIR.test$n" | wc -l) test "$lines" -eq 1 || log_error "bad number ($lines) of RRSIG records in DNS response" -get_keys_which_signed $qtype dig.out.$DIR.test$n | grep "^${KEY_ID}$" > /dev/null || log_error "${qtype} RRset not signed with key ${KEY_ID}" +get_keys_which_signed $qtype "dig.out.$DIR.test$n" | grep "^${KEY_ID}$" > /dev/null || log_error "${qtype} RRset not signed with key ${KEY_ID}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -668,12 +667,12 @@ qtype="SOA" n=$((n+1)) echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 -dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" -grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" -grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${qtype}.*mname1\..*\." dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response" -lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l) +dig_with_opts "$ZONE" "@${SERVER}" $qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${qtype} failed" +grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" +grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${qtype}.*mname1\..*\." "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${qtype} record in response" +lines=$(get_keys_which_signed $qtype "dig.out.$DIR.test$n" | wc -l) test "$lines" -eq 1 || log_error "bad number ($lines) of RRSIG records in DNS response" -get_keys_which_signed $qtype dig.out.$DIR.test$n | grep "^${KEY_ID}$" > /dev/null || log_error "${qtype} RRset not signed with key ${KEY_ID}" +get_keys_which_signed $qtype "dig.out.$DIR.test$n" | grep "^${KEY_ID}$" > /dev/null || log_error "${qtype} RRset not signed with key ${KEY_ID}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -682,28 +681,28 @@ n=$((n+1)) echo_i "check that we can update unsigned zone file and new record gets signed for zone ${ZONE} ($n)" ret=0 cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 reload $ZONE > /dev/null || log_error "rndc reload zone ${ZONE} failed" +rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" _log=0 i=0 while [ $i -lt 5 ] do ret=0 - dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" - grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response" - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response" - lines=$(get_keys_which_signed A dig.out.$DIR.test$n.a | wc -l) + dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || log_error "dig a.${ZONE} A failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || log_error "mismatch status in DNS response" + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || log_error "missing a.${ZONE} A record in response" + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) test "$lines" -eq 1 || log_error "bad number ($lines) of RRSIG records in DNS response" - get_keys_which_signed A dig.out.$DIR.test$n.a | grep "^${KEY_ID}$" > /dev/null || log_error "A RRset not signed with key ${KEY_ID}" + get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || log_error "A RRset not signed with key ${KEY_ID}" - dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" - grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response" - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response" - lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l) + dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || log_error "dig d.${ZONE} A failed" + grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || log_error "mismatch status in DNS response" + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n".d > /dev/null || log_error "missing d.${ZONE} A record in response" + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) test "$lines" -eq 1 || log_error "bad number ($lines) of RRSIG records in DNS response" - get_keys_which_signed A dig.out.$DIR.test$n.d | grep "^${KEY_ID}$" > /dev/null || log_error "A RRset not signed with key ${KEY_ID}" + get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || log_error "A RRset not signed with key ${KEY_ID}" - i=`expr $i + 1` + i=$((i+1)) if [ $ret = 0 ]; then break; fi echo_i "waiting ... ($i)" sleep 1 @@ -751,8 +750,8 @@ check_keys() n=$((n+1)) echo_i "check number of keys with algorithm ${_key_algnum} for zone ${ZONE} in dir ${DIR} ($n)" ret=0 - _numkeys=$(get_keyids $DIR $ZONE $_key_algnum | wc -l) - test "$_numkeys" -eq $NUM_KEYS || log_error "bad number ($_numkeys) of key files for zone $ZONE (expected $NUM_KEYS)" + _numkeys=$(get_keyids "$DIR" "$ZONE" "$_key_algnum" | wc -l) + test "$_numkeys" -eq "$NUM_KEYS" || log_error "bad number ($_numkeys) of key files for zone $ZONE (expected $NUM_KEYS)" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -765,49 +764,49 @@ check_keys() key_set KEY3 ID 0 # Check key files. - _ids=$(get_keyids $DIR $ZONE "$_key_algnum") + _ids=$(get_keyids "$DIR" "$ZONE" "$_key_algnum") for _id in $_ids; do # There are three key files with the same algorithm. # Check them until a match is found. echo_i "check key $_id" - if [ "0" == "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" == "yes" ]; then + if [ "0" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then ret=0 - check_key "KEY1" $_id - test "$ret" -eq 0 && key_set "$1" "ID" "$KEY_ID" && continue + check_key "KEY1" "$_id" + test "$ret" -eq 0 && key_set KEY1 "ID" "$KEY_ID" && continue fi - if [ "0" == "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" == "yes" ]; then + if [ "0" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then ret=0 - check_key "KEY2" $_id + check_key "KEY2" "$_id" test "$ret" -eq 0 && key_set KEY2 "ID" "$KEY_ID" && continue fi - if [ "0" == "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" == "yes" ]; then + if [ "0" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then ret=0 - check_key "KEY3" $_id + check_key "KEY3" "$_id" test "$ret" -eq 0 && key_set KEY3 ID "$KEY_ID" && continue fi # This may be an unused key. - ret=0 && key_unused $_id + ret=0 && key_unused "$_id" test "$ret" -eq 0 && continue # If ret is still non-zero, non of the files matched. test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status+1)) done # Turn error logs on again. _log=1 ret=0 - if [ "$(key_get KEY1 EXPECT)" == "yes" ]; then - test "0" == "$(key_get KEY1 ID)" && log_error "No KEY1 found for zone ${ZONE}" + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + test "0" = "$(key_get KEY1 ID)" && log_error "No KEY1 found for zone ${ZONE}" fi - if [ "$(key_get KEY2 EXPECT)" == "yes" ]; then - test "0" == "$(key_get KEY2 ID)" && log_error "No KEY2 found for zone ${ZONE}" + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + test "0" = "$(key_get KEY2 ID)" && log_error "No KEY2 found for zone ${ZONE}" fi - if [ "$(key_get KEY3 EXPECT)" == "yes" ]; then - test "0" == "$(key_get KEY3 ID)" && log_error "No KEY3 found for zone ${ZONE}" + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + test "0" = "$(key_get KEY3 ID)" && log_error "No KEY3 found for zone ${ZONE}" fi test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -820,28 +819,28 @@ check_signatures() { _file=$2 _role=$3 - if [ $_role == $KSK ]; then + if [ "$_role" = "$KSK" ]; then _expect_type=$EXPECT_KRRSIG - elif [ $_role == $ZSK ]; then + elif [ "$_role" = "$ZSK" ]; then _expect_type=$EXPECT_ZRRSIG fi - if [ "$(key_get KEY1 _expect_type)" == "yes" ] && [ "$(key_get KEY1 _role)" == "yes" ]; then - get_keys_which_signed $_qtype $_file | grep "^$(key_get KEY1 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY1 ID)" - elif [ "$(key_get KEY1 EXPECT)" == "yes" ]; then - get_keys_which_signed $_qtype $_file | grep "^$(key_get KEY1 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY1 ID)" + if [ "$(key_get KEY1 _expect_type)" = "yes" ] && [ "$(key_get KEY1 _role)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY1 ID)" + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY1 ID)" fi - if [ "$(key_get KEY2 _expect_type)" == "yes" ] && [ "$(key_get KEY2 _role)" == "yes" ]; then - get_keys_which_signed $_qtype $_file | grep "^$(key_get KEY2 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY2 ID)" - elif [ "$(key_get KEY2 EXPECT)" == "yes" ]; then - get_keys_which_signed $_qtype $_file | grep "^$(key_get KEY2 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY2 ID)" + if [ "$(key_get KEY2 _expect_type)" = "yes" ] && [ "$(key_get KEY2 _role)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY2 ID)" + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY2 ID)" fi - if [ "$(key_get KEY3 _expect_type)" == "yes" ] && [ "$(key_get KEY3 _role)" == "yes" ]; then - get_keys_which_signed $_qtype $_file | grep "^$(key_get KEY3 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY3 ID)" - elif [ "$(key_get KEY3 EXPECT)" == "yes" ]; then - get_keys_which_signed $_qtype $_file | grep "^$(key_get KEY3 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY3 ID)" + if [ "$(key_get KEY3 _expect_type)" = "yes" ] && [ "$(key_get KEY3 _role)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY3 ID)" + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY3 ID)" fi } @@ -854,28 +853,28 @@ check_cds() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - - if [ "$(key_get KEY1 STATE_DS)" == "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" == "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY1 ID).*${_key_algnum}.*2" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY1 ID)" - check_signatures $_qtype dig.out.$DIR.test$n $KSK - elif [ "$(key_get KEY1 EXPECT)" == "yes" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY1 ID).*${_key_algnum}.*2" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY1 ID)" + dig_with_opts "$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" + + if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY1 ID).*${_key_algnum}.*2" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY1 ID)" + check_signatures $_qtype "dig.out.$DIR.test$n" "$KSK" + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY1 ID).*${_key_algnum}.*2" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY1 ID)" fi - if [ "$(key_get KEY2 STATE_DS)" == "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" == "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY2 ID).*${_key_algnum}.*2" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY2 ID)" - check_signatures $_qtype dig.out.$DIR.test$n $KSK - elif [ "$(key_get KEY2 EXPECT)" == "yes" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY2 ID).*${_key_algnum}.*2" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY2 ID)" + if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY2 ID).*${_key_algnum}.*2" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY2 ID)" + check_signatures $_qtype "dig.out.$DIR.test$n" "$KSK" + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY2 ID).*${_key_algnum}.*2" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY2 ID)" fi - if [ "$(key_get KEY3 STATE_DS)" == "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" == "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY3 ID).*${_key_algnum}.*2" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY3 ID)" - check_signatures $_qtype dig.out.$DIR.test$n $KSK - elif [ "$(key_get KEY3 EXPECT)" == "yes" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY3 ID).*${_key_algnum}.*2" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY3 ID)" + if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY3 ID).*${_key_algnum}.*2" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY3 ID)" + check_signatures $_qtype "dig.out.$DIR.test$n" "$KSK" + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*$(key_get KEY3 ID).*${_key_algnum}.*2" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY3 ID)" fi test "$ret" -eq 0 || echo_i "failed" @@ -892,35 +891,35 @@ check_apex() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" + dig_with_opts "$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - if [ "$(key_get KEY1 STATE_DNSKEY)" == "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" == "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY1 ID)" - check_signatures $_qtype dig.out.$DIR.test$n $KSK + if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY1 ID)" + check_signatures $_qtype "dig.out.$DIR.test$n" "$KSK" numkeys=$((numkeys+1)) - elif [ "$(key_get KEY1 EXPECT)" == "yes" ]; then - grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY1 ID)" + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY1 ID)" fi - if [ "$(key_get KEY2 STATE_DNSKEY)" == "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" == "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY2 ID)" - check_signatures $_qtype dig.out.$DIR.test$n $KSK + if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY2 ID)" + check_signatures $_qtype "dig.out.$DIR.test$n" "$KSK" numkeys=$((numkeys+1)) - elif [ "$(key_get KEY2 EXPECT)" == "yes" ]; then - grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY2 ID)" + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY2 ID)" fi - if [ "$(key_get KEY3 STATE_DNSKEY)" == "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" == "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY3 ID)" - check_signatures $_qtype dig.out.$DIR.test$n $KSK + if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY3 ID)" + check_signatures $_qtype "dig.out.$DIR.test$n" "$KSK" numkeys=$((numkeys+1)) - elif [ "$(key_get KEY3 EXPECT)" == "yes" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY3 ID)" + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY3 ID)" fi - lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) - check_signatures $_qtype dig.out.$DIR.test$n $KSK + lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) + check_signatures $_qtype "dig.out.$DIR.test$n" "$KSK" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -929,11 +928,11 @@ check_apex() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response" - lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) - check_signatures $_qtype dig.out.$DIR.test$n $ZSK + dig_with_opts "$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response" + lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) + check_signatures $_qtype "dig.out.$DIR.test$n" "$ZSK" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -947,11 +946,11 @@ check_subdomain() { n=$((n+1)) echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts a.$ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed" - grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" dig.out.$DIR.test$n > /dev/null || log_error "missing a.${ZONE} ${_qtype} record in response" - lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) - check_signatures $_qtype dig.out.$DIR.test$n $ZSK + dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig a.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" > /dev/null || log_error "missing a.${ZONE} ${_qtype} record in response" + lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) + check_signatures $_qtype "dig.out.$DIR.test$n" "$ZSK" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) } @@ -1051,25 +1050,25 @@ n=$((n+1)) echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)" ret=0 cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db -rndccmd 10.53.0.2 reload $ZONE > /dev/null || log_error "rndc reload zone ${ZONE} failed" +rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" _log=0 i=0 while [ $i -lt 5 ] do ret=0 - dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" - grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response" - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response" - check_signatures $_qtype dig.out.$DIR.test$n.a $ZSK + dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || log_error "dig a.${ZONE} A failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || log_error "mismatch status in DNS response" + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || log_error "missing a.${ZONE} A record in response" + check_signatures $_qtype "dig.out.$DIR.test$n.a" "$ZSK" - dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" - grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response" - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response" - lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l) - check_signatures $_qtype dig.out.$DIR.test$n.d $ZSK + dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || log_error "dig d.${ZONE} A failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || log_error "mismatch status in DNS response" + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || log_error "missing d.${ZONE} A record in response" + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.d" | wc -l) + check_signatures $_qtype "dig.out.$DIR.test$n.d" "$ZSK" - i=`expr $i + 1` + i=$((i+1)) if [ $ret = 0 ]; then break; fi echo_i "waiting ... ($i)" sleep 1 @@ -1177,11 +1176,11 @@ check_rrsig_refresh() { n=$((n+1)) echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" + dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" # If this exact RRSIG is also in the zone file it is not refreshed. - _rrsig=`cat rrsig.out.$ZONE.$_qtype` + _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1197,10 +1196,10 @@ check_rrsig_refresh() { n=$((n+1)) echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" - grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" - _rrsig=`cat rrsig.out.$ZONE.$_qtype` + dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1229,11 +1228,11 @@ check_rrsig_reuse() { n=$((n+1)) echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" + dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" # If this exact RRSIG is also in the zone file it is not refreshed. - _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < rrsig.out.$ZONE.$_qtype) + _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1249,10 +1248,10 @@ check_rrsig_reuse() { n=$((n+1)) echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" - grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" - _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < rrsig.out.$ZONE.$_qtype) + dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1500,17 +1499,17 @@ check_next_key_event() { n=$((n+1)) echo_i "check next key event for zone ${ZONE} ($n)" ret=0 - grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > keyevent.out.$ZONE.test$n || log_error "no next key event for zone ${ZONE}" + grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || log_error "no next key event for zone ${ZONE}" - _time=$(awk '{print $10}' < keyevent.out.$ZONE.test$n) + _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n") # The next key event time must within 10 seconds of the # expected time. _expectmin=$((_expect-10)) _expectmax=$((_expect+10)) - test $_expectmin -le $_time || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})" - test $_expectmax -ge $_time || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})" + test $_expectmin -le "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})" + test $_expectmax -ge "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret))