autosign: use FIPS compatible algorithms and key sizes
authorMark Andrews <marka@isc.org>
Tue, 21 Dec 2021 09:16:47 +0000 (20:16 +1100)
committerMichal Nowak <mnowak@isc.org>
Mon, 3 Oct 2022 11:28:25 +0000 (13:28 +0200)
The nsec-only.example zone was not converted, as we use it to
test that NSEC-only DNSSEC algorithms fail NSEC3 conversion.
The subtest is skipped in fips mode.

Update "checking revoked key with duplicate key ID" test
to use FIPS compatible algorithm.

(cherry picked from commit 99ad09975e07cce3cadf7b6b75cda745e72d87a0)

12 files changed:
bin/tests/system/autosign/ns2/Xbar.+005+30676.key [deleted file]
bin/tests/system/autosign/ns2/Xbar.+005+30676.private [deleted file]
bin/tests/system/autosign/ns2/Xbar.+005+30804.key [deleted file]
bin/tests/system/autosign/ns2/Xbar.+005+30804.private [deleted file]
bin/tests/system/autosign/ns2/Xbar.+013+59973.key [new file with mode: 0644]
bin/tests/system/autosign/ns2/Xbar.+013+59973.private [new file with mode: 0644]
bin/tests/system/autosign/ns2/Xbar.+013+60101.key [new file with mode: 0644]
bin/tests/system/autosign/ns2/Xbar.+013+60101.private [new file with mode: 0644]
bin/tests/system/autosign/ns2/keygen.sh
bin/tests/system/autosign/ns3/keygen.sh
bin/tests/system/autosign/tests.sh
bin/tests/system/testcrypto.sh

diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30676.key b/bin/tests/system/autosign/ns2/Xbar.+005+30676.key
deleted file mode 100644 (file)
index 7428d5c..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
-; This is a key-signing key, keyid 30676, for bar.
-; Created: Sat Dec 26 03:13:10 2009
-; Publish: Sat Dec 26 03:13:10 2009
-; Activate: Sat Dec 26 03:13:10 2009
-bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30676.private b/bin/tests/system/autosign/ns2/Xbar.+005+30676.private
deleted file mode 100644 (file)
index dcc0fbd..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-Private-key-format: v1.3
-Algorithm: 5 (RSASHA1)
-Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
-PublicExponent: AQAB
-PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
-Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
-Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
-Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
-Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
-Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
-Created: 20091226021310
-Publish: 20091226021310
-Activate: 20091226021310
diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30804.key b/bin/tests/system/autosign/ns2/Xbar.+005+30804.key
deleted file mode 100644 (file)
index ab53d8c..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
-; This is a key-signing key, keyid 30804, for bar.
-; Created: Sat Dec 26 03:13:10 2009
-; Publish: Sat Dec 26 03:13:10 2009
-; Activate: Sat Dec 26 03:13:10 2009
-bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30804.private b/bin/tests/system/autosign/ns2/Xbar.+005+30804.private
deleted file mode 100644 (file)
index 79f8d3b..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-Private-key-format: v1.3
-Algorithm: 5 (RSASHA1)
-Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
-PublicExponent: AQCB
-PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
-Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
-Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
-Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
-Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
-Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
-Created: 20091226021310
-Publish: 20091226021310
-Activate: 20091226021310
diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+59973.key b/bin/tests/system/autosign/ns2/Xbar.+013+59973.key
new file mode 100644 (file)
index 0000000..1f4d1f4
--- /dev/null
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 59973, for bar.
+; Created: 20220623022335 (Thu Jun 23 12:23:35 2022)
+; Publish: 20220623022335 (Thu Jun 23 12:23:35 2022)
+; Activate: 20220623022335 (Thu Jun 23 12:23:35 2022)
+bar. IN DNSKEY 257 3 13 QT6CpMaV4BT072+NaKLY5H01Mj2r1MOgsxgoiTAq1Fbf6rrkEWpnbktu Dh9Ol9kuzcUrefxDuxNwsXJu3iDPxw==
diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+59973.private b/bin/tests/system/autosign/ns2/Xbar.+013+59973.private
new file mode 100644 (file)
index 0000000..708d242
--- /dev/null
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: joFZ8vCdyqkgMb6rZ0zanrdrzOSCg1GyEJV6tp5F+Bw=
+Created: 20220623022335
+Publish: 20220623022335
+Activate: 20220623022335
diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+60101.key b/bin/tests/system/autosign/ns2/Xbar.+013+60101.key
new file mode 100644 (file)
index 0000000..0c47840
--- /dev/null
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 60101, for bar.
+; Created: 20220623022331 (Thu Jun 23 12:23:31 2022)
+; Publish: 20220623022331 (Thu Jun 23 12:23:31 2022)
+; Activate: 20220623022331 (Thu Jun 23 12:23:31 2022)
+bar. IN DNSKEY 257 3 13 dLGGOAE5uJd53Gci9MdymaRTMwsXVn13j05IfGJoVt9ucpeXpoIKVViX JNVE/uO4eJvkHycdEAvdVUWcslEmMQ==
diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+60101.private b/bin/tests/system/autosign/ns2/Xbar.+013+60101.private
new file mode 100644 (file)
index 0000000..6ca8370
--- /dev/null
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: pTTXxZUTzeVBXHMUJxTMxjh9yU4oxDtEhEvpkj+olf0=
+Created: 20220623022331
+Publish: 20220623022331
+Activate: 20220623022331
index a22d7058be8deceb3524ab0704e00615effaf167..839995ced4bcbb616318acbc0bd9c9c5ac33be0b 100644 (file)
@@ -49,10 +49,10 @@ zone=bar
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cat $infile > $zonefile
-for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
-        Xbar.+005+30804.private
+for i in Xbar.+013+59973.key Xbar.+013+59973.private \
+        Xbar.+013+60101.key Xbar.+013+60101.private
 do
-       cp $i $(echo $i | sed s/X/K/)
+    cp $i $(echo $i | sed s/X/K/)
 done
-$KEYGEN -a RSASHA1 -q $zone > /dev/null
-$DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP
+$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
+$DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP
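Review bot: The copy line inside the loop keeps the unquoted `cp $i $(echo $i | sed s/X/K/)` form and only its indentation changed, so the rename still forks echo and sed for every file and relies on word-splitting of `$i`. Every name in the new list begins with `X`, so `cp "$i" "K${i#X}"` performs the same X-to-K rename with a parameter expansion, quoted and without a subshell. The DS is derived from `Kbar.+013+60101.key`, the second key of the list, and tests.sh revokes the other one (59973) so that its tag collides with 60101; a comment such as `# 60101 is the KSK published in the DS set; 59973 is revoked by tests.sh and its tag then collides with 60101` would make clear that the list, this DS line and tests.sh must be regenerated together.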
index a5791c816ec6f3202b8a738c7a9f24d0555f2e73..53547d37845ee6d86f5ba9804edd584d9892e474 100644 (file)
@@ -140,7 +140,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 setup rsasha256.example
 cp $infile $zonefile
 ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA256 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -149,17 +149,24 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 setup rsasha512.example
 cp $infile $zonefile
 ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
 # NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
+# None of these algorithms are supported for signing in FIPS mode
+# as they are MD5 and SHA1 based.
 #
-setup nsec-only.example
-cp $infile $zonefile
-ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+if (cd ..; SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1)
+then
+    setup nsec-only.example
+    cp $infile $zonefile
+    ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
+    $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
+    $DSFROMKEY $ksk.key > dsset-${zone}$TP
+else
+    echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
+fi
 
 #
 # Signature refresh test zone.  Signatures are set to expire long
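Review bot: The added comment says "None of these algorithms are supported ... as they are MD5 and SHA1 based", but the guarded block generates only RSASHA1 keys and the probe asks testcrypto.sh only about RSASHA1, so the plural and the MD5 mention describe more than this zone exercises; `# nsec-only.example uses RSASHA1, an NSEC-only algorithm that FIPS mode rejects for signing (SHA1 based); skip the zone when testcrypto.sh reports it unavailable.` states exactly what the code checks. The probe here runs `cd ..` in a subshell and sets `SYSTEMTESTTOP=..`, whereas the equivalent guards in tests.sh call `$SHELL ../testcrypto.sh -q RSASHA1` with neither; presumably tests.sh already has that variable in its environment, but it is worth confirming both call sites resolve the same script. When the zone is skipped, `zone`, `zonefile` and `ksk` keep their rsasha512.example values from the previous block, which is harmless only if the next section begins with its own `setup`; that section starts outside this hunk.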
@@ -171,7 +178,7 @@ count=1
 while [ $count -le 1000 ]
 do
     echo "label${count} IN TXT label${count}" >> $zonefile
-    count=$(expr $count + 1)
+    count=$((count + 1))
 done
 $KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
 $KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
@@ -182,8 +189,8 @@ mv $zonefile.signed $zonefile
 # NSEC3->NSEC transition test zone.
 #
 setup nsec3-to-nsec.example
-$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
 
 #
index 65eb89fd632c96b34eec00daa7fd1b1367cad9f6..4d63c389506caa0ccb1ecdee746416773bfab04a 100755 (executable)
@@ -305,14 +305,18 @@ update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
 send
 END
 
-# try to convert nsec-only.example; this should fail due to non-NSEC key
-echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
-$NSUPDATE > nsupdate.out 2>&1 <<END
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+    # try to convert nsec-only.example; this should fail due to
+    # non-NSEC3 compatible keys
+    echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
+    $NSUPDATE > nsupdate.out 2>&1 <<END
 server 10.53.0.3 ${PORT}
 zone nsec-only.example.
 update add nsec-only.example. 3600 NSEC3PARAM 1 0 10 BEEF
 send
 END
+fi
 
 echo_i "checking for nsec3param in unsigned zone ($n)"
 ret=0
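Review bot: `$SHELL ../testcrypto.sh -q RSASHA1` is forked afresh at each of the three guards this commit adds to the file (this hunk, the REFUSED check and the checkprivate list), and each fork presumably repeats a key generation probe; probing once near the top of the script, e.g. `if $SHELL ../testcrypto.sh -q RSASHA1; then have_rsasha1=1; else have_rsasha1=0; fi`, and testing `[ "$have_rsasha1" = 1 ]` at the three sites avoids the repeated work and keeps the guards from drifting apart. This guard also prints nothing when the nsupdate is skipped, unlike the later one which logs `skip: RSASHA1 not supported`, so the log jumps from the optout.example update straight to "checking for nsec3param in unsigned zone" with no hint that the nsec-only step was omitted; an `else echo_i "skip: nsec-only.example NSEC3PARAM update - RSASHA1 not supported"` branch would match. Note that when the update is skipped, nsupdate.out still holds the output of the preceding optout.example update; the REFUSED grep further down is guarded too, so nothing reads the stale file today, but the two guards must stay paired.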
@@ -483,7 +487,12 @@ status=$((status + ret))
 
 echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
 ret=0
-grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+    grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
+else
+    echo_i "skip: RSASHA1 not supported"
+fi
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1137,7 +1146,7 @@ oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
 sleep 4
 
 echo_i "revoking key to duplicated key ID"
-$SETTIME -R now -K ns2 Kbar.+005+30676.key > settime.out.test$n.3 || ret=1
+$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1
 
 ($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
 
@@ -1171,7 +1180,10 @@ checkprivate nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.optout.example 10.53.0.3 || ret=1
 checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
-checkprivate nsec-only.example 10.53.0.3 || ret=1
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+    checkprivate nsec-only.example 10.53.0.3 || ret=1
+fi
 checkprivate oldsigs.example 10.53.0.3 || ret=1
 checkprivate optout.example 10.53.0.3 || ret=1
 checkprivate optout.nsec3.example 10.53.0.3 || ret=1
@@ -1304,8 +1316,8 @@ status=$((status + ret))
 
 echo_i "checking revoked key with duplicate key ID ($n)"
 ret=0
-id=30676
-rid=30804
+id=59973
+rid=60101
 $DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1
 keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l)
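Review bot: `id=59973` and `rid=60101` are written as independent literals although the test's premise is that revoking key `id` yields a key tag equal to `rid`; setting the REVOKE flag bit (value 128) raises the DNSKEY key tag by 128, and both the old pair (30676/30804) and the new one differ by exactly that amount. Writing `rid=$((id + 128))` with a comment `# tag of $id once the REVOKE bit (128) is set; must equal the other KSK's tag` makes the relationship explicit and leaves only one number to edit when the fixture keys are regenerated. The same key tags are also hard-coded in ns2/keygen.sh and in the `$SETTIME -R` hunk above, so a fixture change currently touches four places.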
index 9d1b03b296e68a8cc81dc9e52b963c2b187b0c4b..c11a8ce8921b09f8c50a37e0cba1f1d59d20a72b 100644 (file)
@@ -27,7 +27,7 @@ while test "$#" -gt 0; do
                 args="$args -q"
                 quiet=1
                 ;;
-        rsa|RSA)
+        rsa|RSA|rsasha1|RSASHA1)
                 alg="-a RSASHA1"
                 msg="RSA cryptography"
                 ;;
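Review bot: Folding `rsasha1|RSASHA1` into the existing `rsa|RSA` arm means both aliases share the `-a RSASHA1` probe and the "RSA cryptography" message, so a caller asking specifically for `rsasha1` gets a diagnostic that names RSA in general, and the generic `rsa` alias stays tied to SHA1, which this commit's own description says FIPS mode rejects for signing even though the RSASHA256/RSASHA512 keys generated elsewhere in the commit at 2048 bits are fine. If any caller uses `rsa` to mean "RSA at all" rather than "RSASHA1", the arms should be separate: `rsa|RSA) alg="-a RSASHA256"; msg="RSA cryptography" ;;` and `rsasha1|RSASHA1) alg="-a RSASHA1"; msg="RSASHA1 cryptography" ;;`, so the message names the algorithm actually probed. The enclosing `while`/`case` starts and ends outside this hunk, so any existing `rsasha256` arm is not visible here.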