diff --git a/CHANGES b/CHANGES
index ca681c5d2b..b6765d5d9d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+4594. [func] dnssec-keygen no longer uses RSASHA1 by default;
+ the signing algorithm must be specified on
+ the command line with the "-a" option. Signing
+ scripts that rely on the existing default behavior
+ will break; use "dnssec-keygen -a RSASHA1" to
+ repair them. (The goal of this change is to make
+ it easier to find scripts using RSASHA1 so they
+ can be changed in the event of that algorithm
+ being deprecated in the future.) [RT #44755]
+
 4693. [func] Synthesis of responses from DNSSEC-verified records.
 Stage 1 covers NXDOMAIN synthesis from NSEC records.
 This is controlled by synth-from-dnssec and is enabled
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 53834005e0..fd640a344f 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -46,15 +46,6 @@ const char *program = "dnssec-keyfromlabel";
 int verbose;
-#define DEFAULT_ALGORITHM "RSASHA1"
-#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
-
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
- " NSEC3DSA | NSEC3RSASHA1 |"
- " RSASHA256 | RSASHA512 | ECCGOST |"
- " ECDSAP256SHA256 | ECDSAP384SHA384 |"
- " ED25519 | ED448";
-
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -68,9 +59,11 @@ usage(void) {
 fprintf(stderr, " -l label: label of the key pair\n");
 fprintf(stderr, " name: owner of the key\n");
 fprintf(stderr, "Other options:\n");
- fprintf(stderr, " -a algorithm: %s\n", algs);
- fprintf(stderr, " (default: RSASHA1, or " "NSEC3RSASHA1 if using -3)\n");
+ fprintf(stderr, " -a algorithm: \n" " RSA | RSAMD5 | DH | DSA | RSASHA1 |\n" " NSEC3DSA | NSEC3RSASHA1 |\n" " RSASHA256 | RSASHA512 | ECCGOST |\n" " ECDSAP256SHA256 | ECDSAP384SHA384\n");
 fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
 fprintf(stderr, " -c class (default: IN)\n");
 fprintf(stderr, " -E :\n");
@@ -394,16 +387,7 @@ main(int argc, char **argv) {
 }
 if (algname == NULL) {
- if (use_nsec3)
- algname = strdup(DEFAULT_NSEC3_ALGORITHM);
- else
- algname = strdup(DEFAULT_ALGORITHM);
- if (algname == NULL)
- fatal("strdup failed");
- freeit = algname;
- if (verbose > 0)
- fprintf(stderr, "no algorithm specified; " "defaulting to %s\n", algname);
+ fatal("no algorithm specified");
 }
 if (strcasecmp(algname, "RSA") == 0) {
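Review bot: The new -a help text stops at ECDSAP384SHA384 and drops the `ED25519 | ED448` entry that the removed `algs` string carried, although the NSEC3 switch added later in this same file still accepts DST_ALG_ED25519 and DST_ALG_ED448; restore the trailing `|` on the ECDSAP384SHA384 line and append `" ED25519 | ED448\n"` with the same indentation as the preceding lines. The first string also carries a stray space before the newline in `" -a algorithm: \n"`. Separately, the dnssec-keyfromlabel.docbook hunk at @@ -104 keeps the sentence "If no algorithm is specified, then RSASHA1 will be used by ..." as unchanged context while the paragraph added at @@ -114 says the option is now mandatory, so the man page contradicts itself; that paragraph should go in the same commit. usage() continues outside the hunk.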
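Review bot: `fatal("no algorithm specified")` does not tell the operator which option is missing, whereas the sibling key-size message in dnssec-keygen.c reads `"key size not specified (-b option)"`; use `fatal("no algorithm specified (-a option)")` here and in the matching hunk of dnssec-keygen.c (@@ -537). The removed lines held the only visible assignment to `freeit`; if nothing else in main() sets it, that variable and its later `free()` (both outside this hunk) are now dead code and should be dropped with it. main() continues outside the hunk.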
@@ -434,14 +418,28 @@ main(int argc, char **argv) {
 options |= DST_TYPE_KEY;
 }
- if (use_nsec3 &&
- alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
- alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
- alg != DST_ALG_ECCGOST &&
- alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
- alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
- fatal("%s is incompatible with NSEC3; " "do not use the -3 option", algname);
+ if (use_nsec3) {
+ switch (alg) {
+ case DST_ALG_DSA:
+ alg = DST_ALG_NSEC3DSA;
+ break;
+ case DST_ALG_RSASHA1:
+ alg = DST_ALG_NSEC3RSASHA1;
+ break;
+ case DST_ALG_NSEC3DSA:
+ case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
+ case DST_ALG_ECCGOST:
+ case DST_ALG_ECDSA256:
+ case DST_ALG_ECDSA384:
+ case DST_ALG_ED25519:
+ case DST_ALG_ED448:
+ break;
+ default:
+ fatal("%s is incompatible with NSEC3; " "do not use the -3 option", algname);
+ }
 }
 if (type != NULL && (options & DST_TYPE_KEY) != 0) {
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index ef8e6a71d4..9913f607b8 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -104,7 +104,6 @@
 must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- These values are case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
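Review bot: The rewrite of `alg` from DST_ALG_RSASHA1 to DST_ALG_NSEC3RSASHA1 (and DSA to NSEC3DSA) happens silently, while the default-selection code this commit removes reported its choice under `verbose > 0`; the generated key file will carry a different algorithm number from the one named on the command line, which is worth announcing, e.g. `if (verbose > 0) fprintf(stderr, "using NSEC3-capable variant of %s\n", algname);` in the two remapping cases. Note that `algname` still holds the operator's string after `alg` changes, so any later diagnostic built from it names the NSEC variant. main() continues outside the hunk.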
@@ -114,11 +113,17 @@ that algorithm will be checked for compatibility with NSEC3.) - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. + These values are case insensitive. In some cases, abbreviations + are supported, such as ECDSA256 for ECDSAP256SHA256 and + ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified + along with the option, then NSEC3RSASHA1 + or NSEC3DSA will be used instead. - Note 2: DH automatically sets the -k flag. + As of BIND 9.12.0, this option is mandatory except when using + the option (which copies the algorithm from + the predecessory key). Previously, the default for newly + generated keys was RSASHA1. @@ -128,9 +133,10 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm. 
@@ -454,30 +460,30 @@ - -i interval - - - Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. - - - If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. - - - As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. - - + -i interval + + + Sets the prepublication interval for a key. If set, then + the publication and activation dates must be separated by at least + this much time. If the activation date is specified but the + publication date isn't, then the publication date will default + to this much time before the activation date; conversely, if + the publication date is specified but activation date isn't, + then activation will be set to this much time after publication. + + + If the key is being created as an explicit successor to another + key, then the default prepublication interval is 30 days; + otherwise it is zero. + + + As with date offsets, if the argument is followed by one of + the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the + interval is measured in years, months, weeks, days, hours, + or minutes, respectively. Without a suffix, the interval is + measured in seconds. + + diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 1beefa987f..0b0e3c95b5 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c 
@@ -61,9 +61,6 @@ const char *program = "dnssec-keygen";
 int verbose;
-#define DEFAULT_ALGORITHM "RSASHA1"
-#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
-
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -86,8 +83,6 @@ usage(void) {
 fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | " "HMAC-SHA256 | \n");
 fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
- fprintf(stderr, " (default: RSASHA1, or " "NSEC3RSASHA1 if using -3)\n");
 fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
 fprintf(stderr, " -b :\n");
 fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA);
@@ -110,9 +105,8 @@ usage(void) {
 fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
 fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
 fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
- fprintf(stderr, " (if using the default algorithm, key size\n" " defaults to 2048 for KSK, or 1024 for all " "others)\n");
+ fprintf(stderr, " (key size defaults are set according to\n" " algorithm and usage (ZSK or KSK)\n");
 fprintf(stderr, " -n : ZONE | HOST | ENTITY | " "USER | OTHER\n");
 fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
@@ -240,7 +234,7 @@ main(int argc, char **argv) {
 int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 int dbits = 0;
 dns_ttl_t ttl = 0;
- isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
+ isc_boolean_t use_nsec3 = ISC_FALSE;
 isc_stdtime_t publish = 0, activate = 0, revokekey = 0;
 isc_stdtime_t inactive = 0, deltime = 0;
 isc_stdtime_t now;
@@ -537,17 +531,7 @@ main(int argc, char **argv) {
 isc_result_totext(ret));
 if (algname == NULL) {
- use_default = ISC_TRUE;
- if (use_nsec3)
- algname = strdup(DEFAULT_NSEC3_ALGORITHM);
- else
- algname = strdup(DEFAULT_ALGORITHM);
- if (algname == NULL)
- fatal("strdup failed");
- freeit = algname;
- if (verbose > 0)
- fprintf(stderr, "no algorithm specified; " "defaulting to %s\n", algname);
+ fatal("no algorithm specified");
 }
 if (strcasecmp(algname, "RSA") == 0) {
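Review bot: The replacement key-size note in the @@ -110 hunk has unbalanced parentheses: `" (key size defaults are set according to\n" " algorithm and usage (ZSK or KSK)\n"` opens two and closes one, so the help output ends mid-parenthesis; end the second string with `(ZSK or KSK))\n"`. It would also help to say which algorithms have a default, since the size switch added later in this file (@@ -629) only covers the RSA variants and leaves DSA, NSEC3DSA and RSAMD5 failing with "key size not specified". usage() continues outside the hunk.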
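Review bot: The man-page text in this commit states that -a may be omitted when -S copies the algorithm from the predecessor key, but the new `fatal("no algorithm specified")` in the @@ -537 hunk fires whenever `algname` is still NULL at this point, and the -S handling is outside the hunk; please confirm that path assigns `algname` (not only `alg`) before the check, otherwise `dnssec-keygen -S` now aborts and the coverage/setup.sh tests in this commit, which call `$KEYGEN -K $dir -S $ksk1` without -a, would fail. If only `alg` is set there, the condition should additionally require that no predecessor key was given. main() continues outside the hunk.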
@@ -601,14 +585,28 @@ main(int argc, char **argv) {
 if (!dst_algorithm_supported(alg))
 fatal("unsupported algorithm: %d", alg);
- if (use_nsec3 &&
- alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
- alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
- alg != DST_ALG_ECCGOST &&
- alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
- alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
- fatal("%s is incompatible with NSEC3; " "do not use the -3 option", algname);
+ if (use_nsec3) {
+ switch (alg) {
+ case DST_ALG_DSA:
+ alg = DST_ALG_NSEC3DSA;
+ break;
+ case DST_ALG_RSASHA1:
+ alg = DST_ALG_NSEC3RSASHA1;
+ break;
+ case DST_ALG_NSEC3DSA:
+ case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
+ case DST_ALG_ECCGOST:
+ case DST_ALG_ECDSA256:
+ case DST_ALG_ECDSA384:
+ case DST_ALG_ED25519:
+ case DST_ALG_ED448:
+ break;
+ default:
+ fatal("%s is incompatible with NSEC3; " "do not use the -3 option", algname);
+ }
 }
 if (type != NULL && (options & DST_TYPE_KEY) != 0) {
@@ -629,21 +627,31 @@ main(int argc, char **argv) {
 }
 if (size < 0) {
- if (use_default) {
- if ((kskflag & DNS_KEYFLAG_KSK) != 0)
+ switch (alg) {
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
+ case DST_ALG_RSASHA512:
+ if ((kskflag & DNS_KEYFLAG_KSK) != 0) {
 size = 2048;
- else
+ } else {
 size = 1024;
- if (verbose > 0)
+ }
+ if (verbose > 0) {
 fprintf(stderr, "key size not " "specified; defaulting" " to %d\n", size);
- } else if (alg != DST_ALG_ECCGOST &&
- alg != DST_ALG_ECDSA256 &&
- alg != DST_ALG_ECDSA384 &&
- alg != DST_ALG_ED25519 &&
- alg != DST_ALG_ED448)
+ }
+ break;
+ case DST_ALG_ECCGOST:
+ case DST_ALG_ECDSA256:
+ case DST_ALG_ECDSA384:
+ case DST_ALG_ED25519:
+ case DST_ALG_ED448:
+ break;
+ default:
 fatal("key size not specified (-b option)");
+ }
 }
 if (!oldstyle && prepub > 0) {
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 6c79e7f016..12b49a5394 100644
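Review bot: `dst_algorithm_supported(alg)` runs on the two context lines just above the new `if (use_nsec3)` block, before `alg` may be rewritten to DST_ALG_NSEC3DSA or DST_ALG_NSEC3RSASHA1, so the algorithm actually used for generation is never checked for support; move the check below the block or repeat it after the remap: `if (!dst_algorithm_supported(alg)) fatal("unsupported algorithm: %d", alg);`. The same remap is added to dnssec-keyfromlabel.c at @@ -434, where the position of its support check is outside the hunk and should be verified as well. main() continues outside the hunk.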
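Review bot: In the @@ -629 hunk the 1024-bit non-KSK default now applies to every RSA variant, including an explicitly chosen RSASHA256 or RSASHA512 that previously required -b, and the "key size not specified; defaulting to %d" message is only printed when `verbose > 0`; 1024-bit RSA has been below the generally accepted 2048-bit floor for new keys since 2013 (NIST SP 800-131A), so this quiet path makes it easy to generate weak zone keys without noticing. Consider `size = 2048;` for both branches, or at minimum print the defaulting message unconditionally so operators see the size they got. main() continues outside the hunk.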
--- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -53,7 +53,7 @@ dnssec-keygen - + @@ -101,6 +101,13 @@ line. For DNSSEC keys, this must match the name of the zone for which the key is being generated. + + The dnssec-keymgr command acts as a wrapper + around dnssec-keygen, generating and updating keys + as needed to enforce defined security policies such as key rollover + scheduling. Using dnssec-keymgr may be preferable + to direct use of dnssec-keygen. + OPTIONS 
@@ -114,27 +121,26 @@ Selects the cryptographic algorithm. For DNSSEC keys, the value of must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. - For TSIG/TKEY, the value must - be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, - HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are - case insensitive. + ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For + TSIG/TKEY keys, the value must be one of DH (Diffie Hellman), + HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, + or HMAC-SHA512; specifying any of these algorithms will + automatically set the option as well. + (Note: tsig-keygen produces TSIG keys in a + more useful format than dnssec-keygen.) - If no algorithm is specified, then RSASHA1 will be used by - default, unless the option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) + These values are case insensitive. In some cases, abbreviations + are supported, such as ECDSA256 for ECDSAP256SHA256 and + ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified + along with the option, then NSEC3RSASHA1 + or NSEC3DSA will be used instead. - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is - mandatory. - - - Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 - automatically set the -T KEY option. + As of BIND 9.12.0, this option is mandatory except when using + the option (which copies the algorithm from + the predecessor key). Previously, the default for newly + generated keys was RSASHA1. 
@@ -152,13 +158,11 @@ this parameter. - The key size does not need to be specified if using a default - algorithm. The default key size is 1024 bits for zone signing - keys (ZSKs) and 2048 bits for key signing keys (KSKs, - generated with ). However, if an - algorithm is explicitly specified with the , - then there is no default key size, and the - must be used. + If the key size is not specified, some algorithms have + pre-defined defaults. For example, RSA keys for use as + DNSSEC zone signing keys have a default size of 1024 bits; + RSA keys for use as key signing keys (KSKs, generated with + ) default to 2048 bits. @@ -169,11 +173,10 @@ Specifies the owner type of the key. The value of must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. Defaults to ZONE for DNSKEY - generation. + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated + with a host (KEY)), USER (for a key associated with a + user(KEY)) or OTHER (DNSKEY). These values are case + insensitive. Defaults to ZONE for DNSKEY generation. @@ -183,11 +186,10 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 - algorithms are NSEC3-capable. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm. @@ -394,8 +396,8 @@ overridden to KEY for use with SIG(0). - Using any TSIG algorithm (HMAC-* or DH) forces this option - to KEY. + Specifying any TSIG algorithm (HMAC-* or DH) with + forces this option to KEY. 
@@ -529,30 +531,30 @@ - -i interval - - - Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. - - - If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. - - - As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. - - + -i interval + + + Sets the prepublication interval for a key. If set, then + the publication and activation dates must be separated by at least + this much time. If the activation date is specified but the + publication date isn't, then the publication date will default + to this much time before the activation date; conversely, if + the publication date is specified but activation date isn't, + then activation will be set to this much time after publication. + + + If the key is being created as an explicit successor to another + key, then the default prepublication interval is 30 days; + otherwise it is zero. + + + As with date offsets, if the argument is followed by one of + the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the + interval is measured in years, months, weeks, days, hours, + or minutes, respectively. Without a suffix, the interval is + measured in seconds. + + diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh index 124cdc18c4..a718705e9a 100644 --- a/bin/tests/system/autosign/ns1/keygen.sh 
+++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -17,18 +17,18 @@ infile=root.db.in cat $infile ../ns2/dsset-example$TP > $zonefile -zskact=`$KEYGEN -3 -q -r $RANDFILE $zone` -zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone` -zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone` -zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone` -zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone` -zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone` -zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone` -zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone` +zskact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone` +zskvanish=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone` +zskdel=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -D now $zone` +zskinact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -I now $zone` +zskunpub=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -G $zone` +zsksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A none $zone` +zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A now -P +1d $zone` +zsknopriv=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone` rm $zsknopriv.private -ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone` -kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone` +ksksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -P now -A now+15s -fk $zone` +kskrev=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -R now+15s -fk $zone` cat $ksksby.key | grep -v '^; ' | $PERL -n -e ' local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 3084e21b06..7e5955c428 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh 
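Review bot: Every invocation now hard-codes `-a RSASHA1` as a literal, here and in the other test scripts of this commit (autosign/ns2 and ns3 keygen.sh, autosign/tests.sh, coverage/setup.sh), so the deprecation the CHANGES entry anticipates will mean editing dozens of lines again; defining the algorithm once near the top of each script in a variable (for example `alg=RSASHA1`, name constructed) and passing `-a $alg` keeps the switch to one place. The spelling also differs between scripts (`RSASHA1` here, `rsasha1` in tests.sh and coverage/setup.sh); both are accepted since matching is case-insensitive, but one form would be easier to grep for.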
@@ -23,16 +23,16 @@ zonefile="${zone}.db" infile="${zonefile}.in" cat $infile dsset-*.example$TP > $zonefile -kskname=`$KEYGEN -3 -q -r $RANDFILE -fk $zone` -$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null +kskname=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone` +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null $DSFROMKEY $kskname.key > dsset-${zone}$TP # Create keys for a private secure zone. zone=private.secure.example zonefile="${zone}.db" infile="${zonefile}.in" -ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone` -$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null +ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone` +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null cat $ksk.key | grep -v '^; ' | $PERL -n -e ' local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; local $key = join("", @rest); @@ -55,5 +55,5 @@ for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \ do cp $i `echo $i | sed s/X/K/` done -$KEYGEN -q -r $RANDFILE $zone > /dev/null +$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > /dev/null $DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index a45355b217..c349e9f6c0 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -27,8 +27,8 @@ setup () { setup secure.example cp $infile $zonefile -ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # 
@@ -36,8 +36,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup secure.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -45,8 +45,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup nsec3.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -54,8 +54,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup optout.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -63,8 +63,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup nsec3.example cat $infile dsset-*.${zone}$TP > $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # 
@@ -72,9 +72,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup autonsec3.example cat $infile > $zonefile -ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out echo $ksk > ../autoksk.key -zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out echo $zsk > ../autozsk.key $DSFROMKEY $ksk.key > dsset-${zone}$TP @@ -83,8 +83,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup secure.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -92,8 +92,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup nsec3.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -101,8 +101,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup optout.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # 
@@ -110,8 +110,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup optout.example cat $infile dsset-*.${zone}$TP > $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -137,8 +137,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup nsec.example cp $infile $zonefile -ksk=`$KEYGEN -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -147,8 +147,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup oldsigs.example cp $infile $zonefile -$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # @@ -164,8 +164,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # keys via nsupdate # setup secure-to-insecure.example -$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # 
@@ -173,9 +173,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # removal of keys on schedule. # setup secure-to-insecure2.example -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out echo $ksk > ../del1.key -zsk=`$KEYGEN -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out echo $zsk > ../del2.key $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out @@ -184,8 +184,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # setup prepub.example infile="secure-to-insecure2.example.db.in" -$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # 
@@ -194,35 +194,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # no default key TTL; DNSKEY should get SOA TTL setup ttl1.example -$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # default key TTL should be used setup ttl2.example -$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # mismatched key TTLs, should use shortest setup ttl3.example -$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # existing DNSKEY RRset, should retain TTL setup ttl4.example -$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out cat ${infile} K${zone}.+*.key > $zonefile -$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out # # A zone with a DNSKEY RRset that is published before it's activated # setup delay.example -ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out echo $ksk > ../delayksk.key -zsk=`$KEYGEN -G -q -3 -r $RANDFILE 
$zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out echo $zsk > ../delayzsk.key # @@ -230,8 +230,8 @@ echo $zsk > ../delayzsk.key # is missing. # setup nozsk.example -$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -3 -r $RANDFILE $zone` +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone` $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out echo $zsk > ../missingzsk.key rm -f ${zsk}.private @@ -241,8 +241,8 @@ rm -f ${zsk}.private # is inactive. # setup inaczsk.example -$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -3 -r $RANDFILE $zone` +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone` $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out echo $zsk > ../inactivezsk.key $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out 
@@ -252,15 +252,15 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out # setup reconf.example cp secure.example.db.in $zonefile -$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out # # A zone which generates a CDS and CDNSEY RRsets automatically # setup sync.example cp $infile $zonefile -ksk=`$KEYGEN -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP echo ns3/$ksk > ../sync.key diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 8d91e55475..7cd19084e6 100644 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -858,7 +858,7 @@ ret=0 oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'` oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u` -$KEYGEN -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null +$KEYGEN -a rsasha1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign prepub.example 2>&1 | sed 's/^/I:ns1 /' newserial=$oldserial diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh index 05867fc717..76f4433830 100644 --- a/bin/tests/system/coverage/setup.sh +++ b/bin/tests/system/coverage/setup.sh 
@@ -19,110 +19,110 @@ ln -s $CHECKZONE named-compilezone dir=01-ksk-inactive rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 2: ZSK goes inactive before successor is active dir=02-zsk-inactive rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 3: KSK is unpublished before its successor is published dir=03-ksk-unpublished rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 4: ZSK is unpublished before its successor is published dir=04-zsk-unpublished rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 5: KSK deleted and successor published before KSK is deactivated # and successor activated. 
dir=05-ksk-unpub-active rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 6: ZSK deleted and successor published before ZSK is deactivated # and successor activated. dir=06-zsk-unpub-active rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 7: KSK rolled with insufficient delay after prepublication. dir=07-ksk-ttl rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` # allow only 1 day between publication and activation $SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 8: ZSK rolled with insufficient delay after prepublication. 
dir=08-zsk-ttl rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` # allow only 1 day between publication and activation $SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 9: KSK goes inactive before successor is active, but checking ZSKs dir=09-check-zsk rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 10: ZSK goes inactive before successor is active, but checking KSKs dir=10-check-ksk rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 11: ZSK goes inactive before successor is active, but after cutoff dir=11-cutoff rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` diff --git a/bin/tests/system/dns64/ns1/sign.sh b/bin/tests/system/dns64/ns1/sign.sh index 3bb8483f72..7410161a3b 100644 --- a/bin/tests/system/dns64/ns1/sign.sh +++ b/bin/tests/system/dns64/ns1/sign.sh 
@@ -15,8 +15,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
-key1=`$KEYGEN -q -r $RANDFILE $zone`
-key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index a7555b962e..7dd14bb563 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -283,8 +283,8 @@ zone=kskonly.example.
 infile=kskonly.example.db.in
 zonefile=kskonly.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -295,8 +295,8 @@ zone=expired.example.
 infile=expired.example.db.in
 zonefile=expired.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
 rm -f $kskname.* $zskname.*
@@ -308,8 +308,8 @@ zone=update-nsec3.example.
 infile=update-nsec3.example.db.in
 zonefile=update-nsec3.example.db
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -321,10 +321,10 @@ zone=auto-nsec.example.
 infile=auto-nsec.example.db.in
 zonefile=auto-nsec.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
-kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -336,10 +336,10 @@ zone=auto-nsec3.example.
 infile=auto-nsec3.example.db.in
 zonefile=auto-nsec3.example.db
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -404,8 +404,8 @@ zone="expiring.example."
 infile="expiring.example.db.in"
 zonefile="expiring.example.db"
 signedfile="expiring.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
 mv -f ${zskname}.private ${zskname}.private.moved
@@ -419,8 +419,8 @@ infile="upper.example.db.in"
 zonefile="upper.example.db"
 lower="upper.example.db.lower"
 signedfile="upper.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1
 $CHECKZONE -D upper.example $lower 2>&- | \
@@ -434,8 +434,8 @@ zone="LOWER.EXAMPLE."
 infile="lower.example.db.in"
 zonefile="lower.example.db"
 signedfile="lower.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -447,8 +447,8 @@ zone="nosign.example."
 infile="nosign.example.db.in"
 zonefile="nosign.example.db"
 signedfile="nosign.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
 # preserve a normalized copy of the NS RRSIG for comparison later
@@ -460,8 +460,8 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
 # An inline signing zone
 #
 zone=inline.example.
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
 #
 # publish a new key while deactivating another key at the same time.
@@ -470,10 +470,10 @@ zone=publish-inactive.example
 infile=publish-inactive.example.db.in
 zonefile=publish-inactive.example.db
 now=`date -u +%Y%m%d%H%M%S`
-kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
-kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone`
-kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -483,8 +483,8 @@ $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 zone=siginterval.example
 infile=siginterval.example.db.in
 zonefile=siginterval.example.db
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
 cp $infile $zonefile
 #
@@ -508,8 +508,8 @@ sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
 zone=future.example
 infile=future.example.db.in
 zonefile=future.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 cp -f $kskname.key trusted-future.key
@@ -520,8 +520,8 @@ cp -f $kskname.key trusted-future.key
 zone=managed-future.example
 infile=managed-future.example.db.in
 zonefile=managed-future.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -532,10 +532,10 @@ zone=revkey.example.
 infile=generic.example.db.in
 zonefile=revkey.example.db
-ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone`
+ksk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
 ksk1=`$REVOKE $ksk1`
-ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone`
-zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone`
+ksk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
+zsk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 $zone`
 cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh
index ac6a1b1b05..01d340303c 100644
--- a/bin/tests/system/dnssec/ns5/sign.sh
+++ b/bin/tests/system/dnssec/ns5/sign.sh
@@ -13,7 +13,7 @@ zone=.
 infile=../ns1/root.db.in
 zonefile=root.db.signed
-keyname=`$KEYGEN -r $RANDFILE -qfk $zone`
+keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone`
 # copy the KSK out first, then revoke it
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
@@ -29,6 +29,6 @@ EOF
 $SETTIME -R now ${keyname}.key > /dev/null
 # create a current set of keys, and sign the root zone
-$KEYGEN -r $RANDFILE -q $zone > /dev/null
-$KEYGEN -r $RANDFILE -qfk $zone > /dev/null
+$KEYGEN -r $RANDFILE -a RSASHA1 -q $zone > /dev/null
+$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone > /dev/null
 $SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 54bea5c3dd..fe2392c5c2 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2209,7 +2209,7 @@ echo "I:checking that the NSEC3 record for the apex is properly signed when a DN
 ret=0
 (
 cd ns3
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -r $RANDFILE -fk update-nsec3.example`
 (
 echo zone update-nsec3.example
 echo server 10.53.0.3 5300
@@ -3247,8 +3247,8 @@ ret=0
 # generate signed zone with MX and AAAA records at apex.
 (
 cd signer
-$KEYGEN -q -r $RANDFILE -3 -fK remove > /dev/null
-$KEYGEN -q -r $RANDFILE -3 remove > /dev/null
+$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 -fK remove > /dev/null
+$KEYGEN -q -r $RANDFILE -a RSASHA1 -33 remove > /dev/null
 echo > remove.db.signed
 $SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
 )
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index ab360828a7..9677fc56de 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -615,8 +615,8 @@ grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:setup broken"; fi
 status=`expr $status + $ret`
 cp ns5/named.conf.post ns5/named.conf
-(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
-(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE -f KSK bits) > /dev/null 2>&1
 $RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -870,7 +870,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:testing imported key won't overwrite a private key ($n)"
 ret=0
-key=`$KEYGEN -r $RANDFILE -q import.example`
+key=`$KEYGEN -r $RANDFILE -q -a rsasha256 import.example`
 cp ${key}.key import.key
 # import should fail
 $IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
index 10143534ca..13e636fe81 100644
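Review bot: The second added line of the `@@ -3247` hunk in dnssec/tests.sh reads `-33` where the line it replaces had `-3`, so the NSEC3 flag is doubled. getopt will most likely treat it as `-3` given twice and the test would still pass, which is why it is easy to miss, but it is a typo and should read `$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 remove > /dev/null`. The enclosing subshell opens and closes inside the hunk, so nothing else is affected.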
--- a/bin/tests/system/keymgr/setup.sh +++ b/bin/tests/system/keymgr/setup.sh @@ -18,44 +18,44 @@ dir=01-ksk-inactive echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 2: ZSK goes inactive before successor is active dir=02-zsk-inactive echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 3: KSK is unpublished before its successor is published dir=03-ksk-unpublished echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 4: ZSK is unpublished before its successor is published dir=04-zsk-unpublished echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 5: KSK deleted and successor published before KSK is deactivated # and successor activated. 
@@ -63,10 +63,10 @@ dir=05-ksk-unpub-active echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 6: ZSK deleted and successor published before ZSK is deactivated # and successor activated. @@ -74,33 +74,33 @@ dir=06-zsk-unpub-active echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 7: KSK rolled with insufficient delay after prepublication. dir=07-ksk-ttl echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 8: ZSK rolled with insufficient delay after prepublication. dir=08-zsk-ttl echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` # allow only 1 day between publication and activation $SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 9: No special preparation needed rm -f $dir/K*.key 
@@ -111,8 +111,8 @@ dir=10-change-roll
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
-zsk1=`$KEYGEN -K $dir -3 example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
 zsk2=`$KEYGEN -K $dir -S $zsk1`
@@ -121,40 +121,40 @@ dir=11-many-simul echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -q3fk -P now+1mo -A now+1mo example.com` -z1=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com` -z2=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com` -z3=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com` -z4=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -q3fk -P now+1mo -A now+1mo example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com` +z2=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com` +z3=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com` +z4=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com` # Test 12: Many keys all simultaneously scheduled to be active in the past dir=12-many-active echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -q3fk example.com` -z1=`$KEYGEN -K $dir -q3 example.com` -z2=`$KEYGEN -K $dir -q3 example.com` -z3=`$KEYGEN -K $dir -q3 example.com` -z4=`$KEYGEN -K $dir -q3 example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` # Test 13: Multiple simultaneous keys with no configured roll period dir=13-noroll echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -q3fk example.com` -k2=`$KEYGEN -K $dir -q3fk example.com` -k3=`$KEYGEN -K $dir -q3fk example.com` -z1=`$KEYGEN -K $dir -q3 example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +k2=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +k3=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` # Test 14: Keys exist but have the wrong algorithm dir=14-wrongalg echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir 
-qfk example.com`
-z1=`$KEYGEN -K $dir -q example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q example.com`
 $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
 z2=`$KEYGEN -K $dir -q -S ${z1}.key`
 $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
@@ -167,8 +167,8 @@ dir=15-unspec
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -q3fk example.com`
-z1=`$KEYGEN -K $dir -q3 example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
 $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
 z2=`$KEYGEN -K $dir -q -S ${z1}.key`
 $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
@@ -182,8 +182,8 @@ dir=16-wrongalg-unspec
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -qfk example.com`
-z1=`$KEYGEN -K $dir -q example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q example.com`
 $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
 z2=`$KEYGEN -K $dir -q -S ${z1}.key`
 $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
@@ -197,17 +197,17 @@ dir=17-noforce
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-k1=`$KEYGEN -K $dir -q3fk example.com`
-z1=`$KEYGEN -K $dir -q3 example.com`
-z2=`$KEYGEN -K $dir -q3 example.com`
-z3=`$KEYGEN -K $dir -q3 example.com`
-z4=`$KEYGEN -K $dir -q3 example.com`
+k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com`
+z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
+z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
+z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
+z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com`
 # Test 18: Prepublication interval is set to a nonstandard value
 dir=18-nonstd-prepub
 echo I:set up $dir
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -3fk example.com`
-zsk1=`$KEYGEN -K $dir -3 example.com`
+ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh
index f145272de3..341fe75b0d 100755
--- a/bin/tests/system/masterformat/ns1/compile.sh
+++ b/bin/tests/system/masterformat/ns1/compile.sh
@@ -25,7 +25,7 @@ SYSTEMTESTTOP=../..
 ../named-compilezone -D -F map -o example.db.map example-map \
 example.db > /dev/null 2>&1
-$KEYGEN -q -r $RANDFILE signed > /dev/null 2>&1
-$KEYGEN -q -r $RANDFILE -fk signed > /dev/null 2>&1
+$KEYGEN -q -a rsasha256 -r $RANDFILE signed > /dev/null 2>&1
+$KEYGEN -q -a rsasha256 -r $RANDFILE -fk signed > /dev/null 2>&1
 $SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1
 ../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh
index 3794e17fad..8b66b1780c 100644
--- a/bin/tests/system/metadata/setup.sh
+++ b/bin/tests/system/metadata/setup.sh
@@ -19,42 +19,42 @@ czone=child.parent.nil
 echo "I:generating keys"
 # active zsk
-zsk=`$KEYGEN -q -r $RANDFILE $czone`
+zsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $czone`
 echo $zsk > zsk.key
 # not yet published or active
-pending=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+pending=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
 echo $pending > pending.key
 # published but not active
-standby=`$KEYGEN -q -r $RANDFILE -A none $czone`
+standby=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
 echo $standby > standby.key
 # inactive
-inact=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+inact=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
 echo $inact > inact.key
 # active ksk
-ksk=`$KEYGEN -q -r $RANDFILE -fk $czone`
+ksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 echo $ksk > ksk.key
 # published but not YET active; will be active in 15 seconds
-rolling=`$KEYGEN -q -r $RANDFILE -fk $czone`
+rolling=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 $SETTIME -A now+15s $rolling > /dev/null
 echo $rolling > rolling.key
 # revoked
-revoke1=`$KEYGEN -q -r $RANDFILE -fk $czone`
+revoke1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 echo $revoke1 > prerev.key
 revoke2=`$REVOKE $revoke1`
 echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key
-pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
+pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
 echo $pzsk > parent.zsk.key
-pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
 echo $pksk > parent.ksk.key
-oldstyle=`$KEYGEN -Cq -r $RANDFILE $pzone`
+oldstyle=`$KEYGEN -Cq -a rsasha1 -r $RANDFILE $pzone`
 echo $oldstyle > oldstyle.key
diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh
index e63277bc68..7b387d8aa6 100644
--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@@ -174,7 +174,7 @@ status=`expr $status + $ret`
 echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)"
 ret=0
 # keygen should print a warning about delete < inactive
-$KEYGEN -q -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
+$KEYGEN -q -a rsasha1 -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
 grep "warning" tmp.out > /dev/null 2>&1 || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -182,15 +182,15 @@ status=`expr $status + $ret`
 echo "I:checking correct behavior setting activation without publication date ($n)"
 ret=0
-key=`$KEYGEN -q -r $RANDFILE -A +1w $czone`
+key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 act=`$SETTIME -upA $key | awk '{print $2}'`
 [ $pub -eq $act ] || ret=1
-key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone`
+key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -i 1d $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 act=`$SETTIME -upA $key | awk '{print $2}'`
 [ $pub -lt $act ] || ret=1
-key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone`
+key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -P never $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 [ $pub = "UNSET" ] || ret=1
 n=`expr $n + 1`
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 9669d4fc19..db522216c6 100644
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -12,8 +12,8 @@ SYSTEMTESTTOP=../..
 zone=.
 zonefile=root.db
-keyname=`$KEYGEN -qfk -r $RANDFILE $zone`
-zskkeyname=`$KEYGEN -q -r $RANDFILE $zone`
+keyname=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE $zone`
+zskkeyname=`$KEYGEN -a rsasha256 -q -r $RANDFILE $zone`
 $SIGNER -Sg -r $RANDFILE -o $zone $zonefile > /dev/null 2>&-
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index e103794eb5..cbeff3e1f7 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -57,7 +57,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check new trust anchor can be added ($n)"
 ret=0
-standby1=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 5
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
@@ -241,7 +241,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: revoke original key, add new standby ($n)"
 ret=0
-standby2=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby2=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 3
@@ -276,7 +276,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: revoke standby before it is trusted ($n)"
 ret=0
-standby3=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby3=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 3
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh
index a7fd81220a..ba7e85fe87 100644
--- a/bin/tests/system/nsupdate/ns3/sign.sh
+++ b/bin/tests/system/nsupdate/ns3/sign.sh
@@ -35,8 +35,8 @@ zone=delegation.test.
 infile=delegation.test.db.in
 zonefile=delegation.test.db
-keyname1=`$KEYGEN -q -r $RANDFILE -3 -f KSK $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -3 $zone`
+keyname1=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 -f KSK $zone`
+keyname2=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 $zone`
 cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/redirect/ns1/sign.sh b/bin/tests/system/redirect/ns1/sign.sh
index 9245260331..51d3b36dfb 100644
--- a/bin/tests/system/redirect/ns1/sign.sh
+++ b/bin/tests/system/redirect/ns1/sign.sh
@@ -15,8 +15,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
-key1=`$KEYGEN -q -r $RANDFILE $zone`
-key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
@@ -26,8 +26,8 @@ zone=nsec3
 infile=example.db
 zonefile=nsec3.db
-key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
-key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
diff --git a/bin/tests/system/redirect/ns3/sign.sh b/bin/tests/system/redirect/ns3/sign.sh
index 02d439ea8a..5884ce895a 100644
--- a/bin/tests/system/redirect/ns3/sign.sh
+++ b/bin/tests/system/redirect/ns3/sign.sh
@@ -15,8 +15,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
-key1=`$KEYGEN -q -r $RANDFILE $zone`
-key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
@@ -26,8 +26,8 @@ zone=nsec3
 infile=example.db
 zonefile=nsec3.db
-key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
-key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh
index 8f5716ef73..2903e88db7 100644
--- a/bin/tests/system/resolver/ns6/keygen.sh
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -15,8 +15,8 @@ zone=ds.example.net zonefile="${zone}.db" infile="${zonefile}.in" cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zsk=`$KEYGEN -q -3 -r $RANDFILE -b 2048 $zone` +ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone` +zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -b 2048 $zone` cat $ksk.key $zsk.key >> $zonefile $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 @@ -24,8 +24,8 @@ zone=example.net zonefile="${zone}.db" infile="${zonefile}.in" cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zsk=`$KEYGEN -q -3 -r $RANDFILE $zone` +ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone` +zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone` cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index e495518a04..5a87d15a42 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh @@ -30,7 +30,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE # $1=directory, $2=domain name, $3=input zone file, $4=output file signzone () { - KEYNAME=`$KEYGEN -q -r $RANDFILE -b 1024 -K $1 $2` + KEYNAME=`$KEYGEN -q -a rsasha256 -r $RANDFILE -K $1 $2` cat $1/$3 $1/$KEYNAME.key > $1/tmp $SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh index 8270c0795a..5614ba1edf 100644 --- a/bin/tests/system/smartsign/tests.sh +++ b/bin/tests/system/smartsign/tests.sh 
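Review bot: In rpz/setup.sh the `-b 1024` argument is dropped from the signzone() KEYGEN line at the same time `-a rsasha256` is added, so the key size now comes from dnssec-keygen's default for that algorithm instead of being pinned; every other hunk in this commit only adds `-a`, and resolver/ns6/keygen.sh keeps its `-b 2048`. If the small key was deliberate to keep test setup fast, restore `-b 1024` on the rsasha256 line; if the removal is intentional, a word in the commit message would help. The body of signzone continues outside the hunk.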
@@ -21,39 +21,39 @@ cfile=child.db echo "I:generating child's keys" # active zsk -czsk1=`$KEYGEN -q -r $RANDFILE -L 30 $czone` +czsk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -L 30 $czone` # not yet published or active -czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone` +czsk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone` # published but not active -czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone` +czsk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone` # inactive -czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone` +czsk4=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone` # active in 12 hours, inactive 12 hours after that... -czsk5=`$KEYGEN -q -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone` +czsk5=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone` # explicit successor to czk5 # (suppressing warning about lack of removal date) czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-` # active ksk -cksk1=`$KEYGEN -q -r $RANDFILE -fk -L 30 $czone` +cksk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk -L 30 $czone` # published but not YET active; will be active in 20 seconds -cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone` +cksk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone` # $SETTIME moved after other $KEYGENs echo I:revoking key # revoking key changes its ID -cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone` +cksk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone` cksk4=`$REVOKE $cksk3` echo I:generating parent keys -pzsk=`$KEYGEN -q -r $RANDFILE $pzone` -pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone` +pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone` +pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone` echo "I:setting child's activation time" # using now+30s to fix RT 24561 diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index 8aad3e04d8..5c5b7c640e 100644 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh 
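Review bot: smartsign/tests.sh pins every key to `rsasha1` whereas the other test scripts in this commit switch to `rsasha256`, and testcrypto.sh likewise sets `alg="-a RSASHA1"`; given the commit's purpose of making RSASHA1 use easy to find and eventually retire, these are the scripts that will need touching again. If the test has no dependency on that particular algorithm, using `rsasha256` here would be consistent; if it does, a one-line comment above the czsk1 line saying why would save the next reader the question. The `czsk6` line is correctly left without `-a`, because `-S` derives the algorithm from the predecessor key `$czsk5`; a comment `# -S inherits the algorithm from czsk5, so no -a here` would make that read as deliberate rather than as a missed line.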
@@ -26,7 +26,7 @@ while test "$#" -gt 0; do
 quiet=1
 ;;
 rsa|RSA)
- alg=""
+ alg="-a RSASHA1"
 msg1="RSA cryptography"
 ;;
 gost|GOST)
diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh
index 54766d094d..502339080b 100644
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
@@ -27,83 +27,83 @@ cp unsigned.db unsigned.bad # A set of nsec zones. setup zsk-only.nsec good -$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n $SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk-only.nsec good -$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n $SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk+zsk.nsec good -$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n $SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n # A set of nsec3 zones. 
setup zsk-only.nsec3 good -$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n $SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk-only.nsec3 good -$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n $SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk+zsk.nsec3 good -$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n $SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk+zsk.outout good -$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n $SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n # A set of zones with only DNSKEY records. 
setup zsk-only.dnskeyonly bad -key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n +key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n cat unsigned.db $key1.key > ${file} setup ksk-only.dnskeyonly bad -key1=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n +key1=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n cat unsigned.db $key1.key > ${file} setup ksk+zsk.dnskeyonly bad -key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n -key2=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n +key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n +key2=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n cat unsigned.db $key1.key $key2.key > ${file} # A set of zones with expired records s="-s -2678400" setup zsk-only.nsec.expired bad -$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n $SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk-only.nsec.expired bad -$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n $SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk+zsk.nsec.expired bad -$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n $SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup zsk-only.nsec3.expired bad -$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n $SIGNER -3 - ${s} -SP -o 
${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk-only.nsec3.expired bad -$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n $SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n setup ksk+zsk.nsec3.expired bad -$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n $SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n # ksk expired setup ksk+zsk.nsec.ksk-expired bad -zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n -ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n +zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n +ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file $SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n $SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n 
@@ -112,8 +112,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}` [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file setup ksk+zsk.nsec3.ksk-expired bad -zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n -ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n +zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n +ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file $SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n $SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n @@ -123,8 +123,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}` # broken nsec chain setup ksk+zsk.nsec.broken-chain bad -zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n -ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n +zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n +ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp 
@@ -132,8 +132,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 | # bad nsec bitmap setup ksk+zsk.nsec.bad-bitmap bad -zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n -ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n +zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n +ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp @@ -141,8 +141,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 | # extra NSEC record out side of zone setup ksk+zsk.nsec.out-of-zone-nsec bad -zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n -ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n +zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n +ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file} 
@@ -150,8 +150,8 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2> # extra NSEC record below bottom of one setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad -zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n -ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n +zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n +ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file} @@ -163,8 +163,8 @@ awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${fil # extract the hash fields from the empty node's NSEC 3 record then fix up # the NSEC3 chain to remove it setup ksk+zsk.nsec3.missing-empty bad -zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n -ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n +zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n +ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file $SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}` 
@@ -177,8 +177,8 @@ $SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s # extra NSEC3 record setup ksk+zsk.nsec3.extra-nsec3 bad -zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n -ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n +zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n +ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file $SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n awk ' diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh index 053e17c74d..77aa47d476 100644 --- a/bin/tests/system/views/setup.sh +++ b/bin/tests/system/views/setup.sh @@ -26,11 +26,11 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE # same source of "random" data and we want different keys for # internal and external instances of inline. # -$KEYGEN -K ns2/internal -r $RANDFILE -3q inline > /dev/null 2>&1 -$KEYGEN -K ns2/internal -r $RANDFILE -3qfk inline > /dev/null 2>&1 -k1=`$KEYGEN -K ns2/external -r $RANDFILE -3q inline 2> /dev/null` -k2=`$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline 2> /dev/null` -$KEYGEN -K ns2/external -r $RANDFILE -3q inline > /dev/null 2>&1 -$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline > /dev/null 2>&1 +$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1 +$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1 +k1=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline 2> /dev/null` +k2=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline 2> /dev/null` +$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1 +$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1 test -n "$k1" && rm -f ns2/external/$k1.* test -n "$k2" && rm -f ns2/external/$k2.* 
diff --git a/bin/tests/system/zonechecks/setup.sh b/bin/tests/system/zonechecks/setup.sh
index 81ff076f85..e16cb4abb9 100644
--- a/bin/tests/system/zonechecks/setup.sh
+++ b/bin/tests/system/zonechecks/setup.sh
@@ -19,8 +19,8 @@ cp bigserial.db ns1/
 cd ns1
 touch master.db.signed
 echo '$INCLUDE "master.db.signed"' >> master.db
-$KEYGEN -r $RANDFILE -3q master.example > /dev/null 2>&1
-$KEYGEN -r $RANDFILE -3qfk master.example > /dev/null 2>&1
+$KEYGEN -r $RANDFILE -a rsasha256 -q master.example > /dev/null 2>&1
+$KEYGEN -r $RANDFILE -a rsasha256 -qfk master.example > /dev/null 2>&1
 $SIGNER -SD -o master.example master.db > /dev/null \
 2> signer.err || cat signer.err
 echo '$INCLUDE "soa.db"' > reload.db
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 407096e9eb..ed0516ce9b 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -433,6 +433,17 @@
Feature Changes + + + dnssec-keygen no longer has default + algorithm settings. It is necessary to explicitly specify the + algorithm on the command line with the option + when generating keys. This may cause errors with existing signing + scripts if they rely on current defaults. The intent is to + reduce the long-term cost of transitioning to newer algorithms in + the event of RSASHA1 being deprecated. [RT #44755] + + Threads in named are now set to human-readable diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index d868bf36c8..723c0183fb 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c @@ -131,7 +131,9 @@ { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \ { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \ { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \ + { DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \ { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \ + { DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \ { DNS_KEYALG_ED25519, "ED25519", 0 }, \ { DNS_KEYALG_ED448, "ED448", 0 }, \ { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
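Review bot: The two added rows in lib/dns/rcode.c give DNS_KEYALG_ECDSA256 and DNS_KEYALG_ECDSA384 a second name each, so the table is no longer one-to-one; whether value-to-text conversion still prints the RFC mnemonics depends on the lookup routine outside this hunk returning the first matching row. The canonical rows are kept ahead of the aliases, which is presumably what makes that work, but nothing in the table says so; a comment on each alias row, `/* short alias; keep after the canonical name so value-to-text lookups return the RFC mnemonic */`, would stop a later reorder from silently changing output. The aliases also do not appear in the `-a` algorithm lists the tools print, as far as this diff shows, so either document them there or mark them as input-only here.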