499 lines
23 KiB
Diff
499 lines
23 KiB
Diff
From 99316385d35dc4a212988be7c69aadd20bc31fa1 Mon Sep 17 00:00:00 2001
|
|
From: Matthijs Mekking <matthijs@isc.org>
|
|
Date: Wed, 5 Jan 2022 11:39:03 +0100
|
|
Subject: [PATCH] Replace RSASHA1 in autosign test with default alg
|
|
|
|
Change RSASHA1 to $DEFAULT_ALGORITHM to be FIPS compliant.
|
|
|
|
There is one RSASHA1 occurence left, to test that dynamically adding an
|
|
NSEC3PARAM record to an NSEC-only zone fails.
|
|
|
|
(cherry picked from commit 6e9fed2d24bc6bd475132285971ad1a86c0f9dc6)
|
|
Conflict: NA
|
|
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/99316385d35dc4a212988be7c69aadd20bc31fa1
|
|
---
|
|
bin/tests/system/autosign/ns3/keygen.sh | 132 ++++++++++++------------
|
|
bin/tests/system/autosign/tests.sh | 35 ++++---
|
|
2 files changed, 85 insertions(+), 82 deletions(-)
|
|
|
|
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
|
|
index 633e08360a..1755a499fe 100644
|
|
--- a/bin/tests/system/autosign/ns3/keygen.sh
|
|
+++ b/bin/tests/system/autosign/ns3/keygen.sh
|
|
@@ -30,8 +30,8 @@ setup () {
|
|
|
|
setup secure.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -39,8 +39,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup secure.nsec3.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -48,8 +48,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup nsec3.nsec3.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -72,8 +72,8 @@ done
|
|
#
|
|
setup optout.nsec3.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -81,8 +81,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup nsec3.example
|
|
cat $infile dsset-*.${zone}$TP > $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -90,9 +90,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup autonsec3.example
|
|
cat $infile > $zonefile
|
|
-ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+ksk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
echo $ksk > ../autoksk.key
|
|
-zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
|
|
+zsk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
|
|
echo $zsk > ../autozsk.key
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
@@ -101,8 +101,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup secure.optout.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -110,8 +110,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup nsec3.optout.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -119,8 +119,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup optout.optout.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -128,8 +128,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup optout.example
|
|
cat $infile dsset-*.${zone}$TP > $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -171,8 +171,8 @@ do
|
|
echo "label${count} IN TXT label${count}" >> $zonefile
|
|
count=`expr $count + 1`
|
|
done
|
|
-$KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
|
|
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
|
|
mv $zonefile.signed $zonefile
|
|
|
|
@@ -189,8 +189,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
|
# keys via nsupdate
|
|
#
|
|
setup secure-to-insecure.example
|
|
-$KEYGEN -a RSASHA1 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
|
|
|
#
|
|
@@ -198,9 +198,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
|
# removal of keys on schedule.
|
|
#
|
|
setup secure-to-insecure2.example
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
echo $ksk > ../del1.key
|
|
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
|
|
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
|
|
echo $zsk > ../del2.key
|
|
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
|
|
|
@@ -209,8 +209,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
|
#
|
|
setup prepub.example
|
|
infile="secure-to-insecure2.example.db.in"
|
|
-$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
|
|
|
#
|
|
@@ -219,35 +219,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
|
|
|
# no default key TTL; DNSKEY should get SOA TTL
|
|
setup ttl1.example
|
|
-$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
cp $infile $zonefile
|
|
|
|
# default key TTL should be used
|
|
-setup ttl2.example
|
|
-$KEYGEN -a RSASHA1 -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+setup ttl2.example
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
|
cp $infile $zonefile
|
|
|
|
# mismatched key TTLs, should use shortest
|
|
setup ttl3.example
|
|
-$KEYGEN -a RSASHA1 -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
|
|
cp $infile $zonefile
|
|
|
|
# existing DNSKEY RRset, should retain TTL
|
|
setup ttl4.example
|
|
-$KEYGEN -a RSASHA1 -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
cat ${infile} K${zone}.+*.key > $zonefile
|
|
-$KEYGEN -a RSASHA1 -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
|
|
|
|
#
|
|
# A zone with a DNSKEY RRset that is published before it's activated
|
|
#
|
|
setup delay.example
|
|
-ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+ksk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
echo $ksk > ../delayksk.key
|
|
-zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
|
|
+zsk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
|
|
echo $zsk > ../delayzsk.key
|
|
|
|
#
|
|
@@ -255,8 +255,8 @@ echo $zsk > ../delayzsk.key
|
|
# is missing.
|
|
#
|
|
setup noksk.example
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
|
|
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
|
|
echo $ksk > ../noksk-ksk.key
|
|
rm -f ${ksk}.private
|
|
@@ -266,8 +266,8 @@ rm -f ${ksk}.private
|
|
# is missing.
|
|
#
|
|
setup nozsk.example
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
|
|
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
|
|
echo $ksk > ../nozsk-ksk.key
|
|
echo $zsk > ../nozsk-zsk.key
|
|
@@ -278,8 +278,8 @@ rm -f ${zsk}.private
|
|
# is inactive.
|
|
#
|
|
setup inaczsk.example
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
|
|
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
|
|
echo $ksk > ../inaczsk-ksk.key
|
|
echo $zsk > ../inaczsk-zsk.key
|
|
@@ -290,16 +290,16 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
|
|
#
|
|
setup reconf.example
|
|
cp secure.example.db.in $zonefile
|
|
-$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
|
|
#
|
|
# A zone which generates CDS and CDNSEY RRsets automatically
|
|
#
|
|
setup sync.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
echo ns3/$ksk > ../sync.key
|
|
|
|
@@ -308,8 +308,8 @@ echo ns3/$ksk > ../sync.key
|
|
#
|
|
setup kskonly.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -317,8 +317,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup inacksk2.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -a RSASHA1 -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -326,8 +326,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup inaczsk2.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -a RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -335,9 +335,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup inacksk3.example
|
|
cp $infile $zonefile
|
|
-$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -345,9 +345,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup inaczsk3.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
-$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
|
|
#
|
|
@@ -356,9 +356,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
#
|
|
setup delzsk.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
-zsk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
|
|
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
|
|
+zsk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
|
|
echo $zsk > ../delzsk.key
|
|
|
|
#
|
|
@@ -366,6 +366,6 @@ echo $zsk > ../delzsk.key
|
|
#
|
|
setup dname-at-apex-nsec3.example
|
|
cp $infile $zonefile
|
|
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
|
|
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
|
|
index 33692cd5f5..b5069ce6fe 100755
|
|
--- a/bin/tests/system/autosign/tests.sh
|
|
+++ b/bin/tests/system/autosign/tests.sh
|
|
@@ -203,9 +203,9 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
|
|
|
|
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
|
|
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}'`
|
|
-grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1
|
|
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
@@ -221,7 +221,8 @@ test $count -eq 3 || ret=1
|
|
awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
|
|
id=`awk "${awk}" dig.out.ns3.test$n`
|
|
|
|
-$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id} > settime.out.test$n || ret=1
|
|
+keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
|
|
+$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
|
|
($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
|
|
|
|
n=`expr $n + 1`
|
|
@@ -238,8 +239,8 @@ ret=0
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
|
|
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
|
|
$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
|
|
-grep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1
|
|
-grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
|
|
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1
|
|
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
|
|
count=`awk 'BEGIN { count = 0 }
|
|
$4 == "RRSIG" && $5 == "CNAME" { count++ }
|
|
END {print count}' dig.out.ns3.test$n`
|
|
@@ -249,7 +250,9 @@ count=`awk 'BEGIN { count = 0 }
|
|
END {print count}' dig.out.ns3.test$n`
|
|
test $count -eq 3 || ret=1
|
|
id=`awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n`
|
|
-$SETTIME -D now+5 ns3/Kinaczsk3.example.+007+${id} > settime.out.test$n || ret=1
|
|
+
|
|
+keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
|
|
+$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
|
|
($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
|
|
n=`expr $n + 1`
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -399,7 +402,7 @@ status=`expr $status + $ret`
|
|
|
|
echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)"
|
|
ret=0
|
|
-loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
|
|
+loglines=`grep "Key nozsk.example/$DEFAULT_ALGORITHM/$missing .* retaining signatures" ns3/named.run | wc -l`
|
|
[ "$loglines" -eq 0 ] || ret=1
|
|
n=`expr $n + 1`
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -407,7 +410,7 @@ status=`expr $status + $ret`
|
|
|
|
echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)"
|
|
ret=0
|
|
-loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
|
|
+loglines=`grep "Key inaczsk.example/$DEFAULT_ALGORITHM/$inactive .* retaining signatures" ns3/named.run | wc -l`
|
|
[ "$loglines" -eq 0 ] || ret=1
|
|
n=`expr $n + 1`
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -1065,7 +1068,7 @@ send
|
|
END
|
|
[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
|
|
# Create DNSSEC keys in the zone directory.
|
|
-$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example > /dev/null
|
|
# Trigger zone signing.
|
|
($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
|
|
# Wait until zone has been signed.
|
|
@@ -1089,7 +1092,7 @@ ret=0
|
|
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
|
|
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
|
|
|
|
-$KEYGEN -a rsasha1 -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
|
|
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
|
|
|
|
($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
|
|
newserial=$oldserial
|
|
@@ -1473,12 +1476,12 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
|
|
|
|
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
|
|
$DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
|
|
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
|
|
$DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
|
|
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
|
|
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} "
|
|
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
|
|
|
|
n=`expr $n + 1`
|
|
@@ -1488,7 +1491,7 @@ status=`expr $status + $ret`
|
|
echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
|
|
ret=0
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
|
|
-grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
|
|
+grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
|
|
n=`expr $n + 1`
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
status=`expr $status + $ret`
|
|
@@ -1505,7 +1508,7 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
|
|
|
|
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
|
|
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
|
|
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
|
|
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
|
|
|
|
count=`awk 'BEGIN { count = 0 }
|
|
@@ -1532,7 +1535,7 @@ ret=0
|
|
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
|
|
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
|
|
$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
|
|
-grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
|
|
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
|
|
count=`awk 'BEGIN { count = 0 }
|
|
$4 == "RRSIG" && $5 == "CNAME" { count++ }
|
|
END {print count}' dig.out.ns3.test$n`
|
|
@@ -1606,7 +1609,7 @@ status=`expr $status + $ret`
|
|
echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
|
|
ret=0
|
|
$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
|
-grep "RRSIG NSEC3 7 3 600" dig.out.ns3.test$n > /dev/null || ret=1
|
|
+grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
|
|
n=`expr $n + 1`
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
status=`expr $status + $ret`
|
|
--
|
|
2.23.0
|
|
|