From 45afdb267253e7178267d696b8b4488ec1d67d47 Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Wed, 30 Aug 2017 18:51:11 -0700 Subject: [PATCH] [master] remove default algorithm in dnssec-keygen 4594. [func] dnssec-keygen no longer uses RSASHA1 by default; the signing algorithm must be specified on the command line with the "-a" option. Signing scripts that rely on the existing default behavior will break; use "dnssec-keygen -a RSASHA1" to repair them. (The goal of this change is to make it easier to find scripts using RSASHA1 so they can be changed in the event of that algorithm being deprecated in the future.) [RT #44755] --- CHANGES | 10 ++ bin/dnssec/dnssec-keyfromlabel.c | 58 +++++---- bin/dnssec/dnssec-keyfromlabel.docbook | 68 +++++----- bin/dnssec/dnssec-keygen.c | 82 ++++++------ bin/dnssec/dnssec-keygen.docbook | 124 ++++++++++--------- bin/tests/system/autosign/ns1/keygen.sh | 20 +-- bin/tests/system/autosign/ns2/keygen.sh | 10 +- bin/tests/system/autosign/ns3/keygen.sh | 96 +++++++------- bin/tests/system/autosign/tests.sh | 2 +- bin/tests/system/coverage/setup.sh | 44 +++---- bin/tests/system/dns64/ns1/sign.sh | 4 +- bin/tests/system/dnssec/ns3/sign.sh | 74 +++++------ bin/tests/system/dnssec/ns5/sign.sh | 6 +- bin/tests/system/dnssec/tests.sh | 6 +- bin/tests/system/inline/tests.sh | 6 +- bin/tests/system/keymgr/setup.sh | 90 +++++++------- bin/tests/system/masterformat/ns1/compile.sh | 4 +- bin/tests/system/metadata/setup.sh | 20 +-- bin/tests/system/metadata/tests.sh | 8 +- bin/tests/system/mkeys/ns1/sign.sh | 4 +- bin/tests/system/mkeys/tests.sh | 6 +- bin/tests/system/nsupdate/ns3/sign.sh | 4 +- bin/tests/system/redirect/ns1/sign.sh | 8 +- bin/tests/system/redirect/ns3/sign.sh | 8 +- bin/tests/system/resolver/ns6/keygen.sh | 8 +- bin/tests/system/rpz/setup.sh | 2 +- bin/tests/system/smartsign/tests.sh | 20 +-- bin/tests/system/testcrypto.sh | 2 +- bin/tests/system/verify/zones/genzones.sh | 76 ++++++------ bin/tests/system/views/setup.sh | 12 +- bin/tests/system/zonechecks/setup.sh | 4 +- doc/arm/notes.xml | 11 ++ 
lib/dns/rcode.c | 2 + 33 files changed, 468 insertions(+), 431 deletions(-) diff --git a/CHANGES b/CHANGES index ca681c5d2b..b6765d5d9d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,13 @@ +4594. [func] dnssec-keygen no longer uses RSASHA1 by default; + the signing algorithm must be specified on + the command line with the "-a" option. Signing + scripts that rely on the existing default behavior + will break; use "dnssec-keygen -a RSASHA1" to + repair them. (The goal of this change is to make + it easier to find scripts using RSASHA1 so they + can be changed in the event of that algorithm + being deprecated in the future.) [RT #44755] + 4693. [func] Synthesis of responses from DNSSEC-verified records. Stage 1 covers NXDOMAIN synthesis from NSEC records. This is controlled by synth-from-dnssec and is enabled diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 53834005e0..fd640a344f 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -46,15 +46,6 @@ const char *program = "dnssec-keyfromlabel"; int verbose; -#define DEFAULT_ALGORITHM "RSASHA1" -#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1" - -static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" - " NSEC3DSA | NSEC3RSASHA1 |" - " RSASHA256 | RSASHA512 | ECCGOST |" - " ECDSAP256SHA256 | ECDSAP384SHA384 |" - " ED25519 | ED448"; - ISC_PLATFORM_NORETURN_PRE static void usage(void) ISC_PLATFORM_NORETURN_POST; 
@@ -68,9 +59,11 @@ usage(void) { fprintf(stderr, " -l label: label of the key pair\n"); fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); - fprintf(stderr, " -a algorithm: %s\n", algs); - fprintf(stderr, " (default: RSASHA1, or " - "NSEC3RSASHA1 if using -3)\n"); + fprintf(stderr, " -a algorithm: \n" + " RSA | RSAMD5 | DH | DSA | RSASHA1 |\n" + " NSEC3DSA | NSEC3RSASHA1 |\n" + " RSASHA256 | RSASHA512 | ECCGOST |\n" + " ECDSAP256SHA256 | ECDSAP384SHA384\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -c class (default: IN)\n"); fprintf(stderr, " -E :\n"); @@ -394,16 +387,7 @@ main(int argc, char **argv) { } if (algname == NULL) { - if (use_nsec3) - algname = strdup(DEFAULT_NSEC3_ALGORITHM); - else - algname = strdup(DEFAULT_ALGORITHM); - if (algname == NULL) - fatal("strdup failed"); - freeit = algname; - if (verbose > 0) - fprintf(stderr, "no algorithm specified; " - "defaulting to %s\n", algname); + fatal("no algorithm specified"); } if (strcasecmp(algname, "RSA") == 0) { 
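Review bot: The rewritten `-a` help text in usage() stops at ECDSAP384SHA384 and drops ED25519 and ED448, both of which the removed `algs` string listed and which the `-3` compatibility switch later in this file still accepts, so the help output no longer matches what the program takes. Extend the last line to `" ECDSAP256SHA256 | ECDSAP384SHA384 |\n" " ED25519 | ED448\n"`. Inlining the list here while dnssec-keygen.c carries its own copy is what let the two drift within a single patch; a shared table of algorithm names would keep them aligned.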
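Review bot: The new `fatal("no algorithm specified")` gives no hint that `-a` is now mandatory, even though the CHANGES entry expects existing scripts to break at exactly this point; `fatal("no algorithm specified; the -a option is now required (RSASHA1 was previously the default)")` tells the operator how to repair the script. The dnssec-keyfromlabel.docbook hunks further down leave the sentence "If no algorithm is specified, then RSASHA1 will be used by" as unchanged context between the @@ -104 and @@ -114 hunks, so the manual page will contradict this error until that paragraph is removed as it was in dnssec-keygen.docbook. With the strdup() path gone, `freeit` appears to have no remaining assignment here; if that holds, the variable and its later free() are dead. The enclosing branch of main() starts outside the hunk, so whether the -S predecessor path supplies the algorithm before this check is reached cannot be confirmed from the hunk.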
@@ -434,14 +418,28 @@ main(int argc, char **argv) { options |= DST_TYPE_KEY; } - if (use_nsec3 && - alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && - alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 && - alg != DST_ALG_ECCGOST && - alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 && - alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) { - fatal("%s is incompatible with NSEC3; " - "do not use the -3 option", algname); + if (use_nsec3) { + switch (alg) { + case DST_ALG_DSA: + alg = DST_ALG_NSEC3DSA; + break; + case DST_ALG_RSASHA1: + alg = DST_ALG_NSEC3RSASHA1; + break; + case DST_ALG_NSEC3DSA: + case DST_ALG_NSEC3RSASHA1: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: + case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: + case DST_ALG_ED25519: + case DST_ALG_ED448: + break; + default: + fatal("%s is incompatible with NSEC3; " + "do not use the -3 option", algname); + } } if (type != NULL && (options & DST_TYPE_KEY) != 0) { diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index ef8e6a71d4..9913f607b8 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -104,7 +104,6 @@ must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. - These values are case insensitive. If no algorithm is specified, then RSASHA1 will be used by 
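Review bot: The new switch silently rewrites `alg` from DST_ALG_DSA or DST_ALG_RSASHA1 to the NSEC3 variant when `-3` is given, but `algname` keeps the string the user typed, so any later message built from it will name RSASHA1 for a key that is actually NSEC3RSASHA1, and nothing tells the operator the substitution happened. A verbose-mode line such as `if (verbose > 0) fprintf(stderr, "using NSEC3 variant of %s\n", algname);` in the two rewriting cases would mirror the "defaulting to %s" message this patch removes. The same switch is added verbatim to dnssec-keygen.c in this patch; a shared helper for the NSEC3 mapping would keep the two lists from diverging the way the usage text already has.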
@@ -114,11 +113,17 @@ that algorithm will be checked for compatibility with NSEC3.) - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. + These values are case insensitive. In some cases, abbreviations + are supported, such as ECDSA256 for ECDSAP256SHA256 and + ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified + along with the option, then NSEC3RSASHA1 + or NSEC3DSA will be used instead. - Note 2: DH automatically sets the -k flag. + As of BIND 9.12.0, this option is mandatory except when using + the option (which copies the algorithm from + the predecessory key). Previously, the default for newly + generated keys was RSASHA1. @@ -128,9 +133,10 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm. 
@@ -454,30 +460,30 @@ - -i interval - - - Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. - - - If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. - - - As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. - - + -i interval + + + Sets the prepublication interval for a key. If set, then + the publication and activation dates must be separated by at least + this much time. If the activation date is specified but the + publication date isn't, then the publication date will default + to this much time before the activation date; conversely, if + the publication date is specified but activation date isn't, + then activation will be set to this much time after publication. + + + If the key is being created as an explicit successor to another + key, then the default prepublication interval is 30 days; + otherwise it is zero. + + + As with date offsets, if the argument is followed by one of + the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the + interval is measured in years, months, weeks, days, hours, + or minutes, respectively. Without a suffix, the interval is + measured in seconds. + + diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 1beefa987f..0b0e3c95b5 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c 
@@ -61,9 +61,6 @@ const char *program = "dnssec-keygen"; int verbose; -#define DEFAULT_ALGORITHM "RSASHA1" -#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1" - ISC_PLATFORM_NORETURN_PRE static void usage(void) ISC_PLATFORM_NORETURN_POST; @@ -86,8 +83,6 @@ usage(void) { fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | " "HMAC-SHA256 | \n"); fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n"); - fprintf(stderr, " (default: RSASHA1, or " - "NSEC3RSASHA1 if using -3)\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -b :\n"); fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA); @@ -110,9 +105,8 @@ usage(void) { fprintf(stderr, " HMAC-SHA256:\t[1..256]\n"); fprintf(stderr, " HMAC-SHA384:\t[1..384]\n"); fprintf(stderr, " HMAC-SHA512:\t[1..512]\n"); - fprintf(stderr, " (if using the default algorithm, key size\n" - " defaults to 2048 for KSK, or 1024 for all " - "others)\n"); + fprintf(stderr, " (key size defaults are set according to\n" + " algorithm and usage (ZSK or KSK)\n"); fprintf(stderr, " -n : ZONE | HOST | ENTITY | " "USER | OTHER\n"); fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n"); @@ -240,7 +234,7 @@ main(int argc, char **argv) { int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; int dbits = 0; dns_ttl_t ttl = 0; - isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE; + isc_boolean_t use_nsec3 = ISC_FALSE; isc_stdtime_t publish = 0, activate = 0, revokekey = 0; isc_stdtime_t inactive = 0, deltime = 0; isc_stdtime_t now; @@ -537,17 +531,7 @@ main(int argc, char **argv) { isc_result_totext(ret)); if (algname == NULL) { - use_default = ISC_TRUE; - if (use_nsec3) - algname = strdup(DEFAULT_NSEC3_ALGORITHM); - else - algname = strdup(DEFAULT_ALGORITHM); - if (algname == NULL) - fatal("strdup failed"); - freeit = algname; - if (verbose > 0) - fprintf(stderr, "no algorithm specified; " - "defaulting to %s\n", algname); + fatal("no algorithm specified"); } if (strcasecmp(algname, "RSA") == 0) { 
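Review bot: The new key-size note in usage() opens two parentheses and closes one, so the help prints `(key size defaults are set according to algorithm and usage (ZSK or KSK)`; change the second line to `" algorithm and usage (ZSK or KSK))\n"` or drop the outer pair. The text it replaces said which algorithm the default applied to, whereas the replacement only says it depends on the algorithm, so an operator still has to guess; naming the RSA family, which is what the size switch at the end of main() actually defaults, would be more useful.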
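Review bot: The `fatal("no algorithm specified")` tells the operator nothing about how to fix a script that relied on the old default, even though the CHANGES entry expects exactly those scripts to break here; `fatal("no algorithm specified; the -a option is now required (RSASHA1 was previously the default)")` points them at the repair. With the strdup() path removed, `freeit` appears to have no remaining assignment in this function; if so, it and its later free() are dead and can go along with `use_default`. The enclosing branch of main() begins outside the hunk, so it cannot be confirmed here that the check is skipped on the `-S` path, which the documentation hunk says copies the algorithm from the predecessor key.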
@@ -601,14 +585,28 @@ main(int argc, char **argv) { if (!dst_algorithm_supported(alg)) fatal("unsupported algorithm: %d", alg); - if (use_nsec3 && - alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && - alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 && - alg != DST_ALG_ECCGOST && - alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 && - alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) { - fatal("%s is incompatible with NSEC3; " - "do not use the -3 option", algname); + if (use_nsec3) { + switch (alg) { + case DST_ALG_DSA: + alg = DST_ALG_NSEC3DSA; + break; + case DST_ALG_RSASHA1: + alg = DST_ALG_NSEC3RSASHA1; + break; + case DST_ALG_NSEC3DSA: + case DST_ALG_NSEC3RSASHA1: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: + case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: + case DST_ALG_ED25519: + case DST_ALG_ED448: + break; + default: + fatal("%s is incompatible with NSEC3; " + "do not use the -3 option", algname); + } } if (type != NULL && (options & DST_TYPE_KEY) != 0) { @@ -629,21 +627,31 @@ main(int argc, char **argv) { } if (size < 0) { - if (use_default) { - if ((kskflag & DNS_KEYFLAG_KSK) != 0) + switch (alg) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: + if ((kskflag & DNS_KEYFLAG_KSK) != 0) { size = 2048; - else + } else { size = 1024; - if (verbose > 0) + } + if (verbose > 0) { fprintf(stderr, "key size not " "specified; defaulting" " to %d\n", size); - } else if (alg != DST_ALG_ECCGOST && - alg != DST_ALG_ECDSA256 && - alg != DST_ALG_ECDSA384 && - alg != DST_ALG_ED25519 && - alg != DST_ALG_ED448) + } + break; + case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: + case DST_ALG_ED25519: + case DST_ALG_ED448: + break; + default: fatal("key size not specified (-b option)"); + } } if (!oldstyle && prepub > 0) { diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index 6c79e7f016..12b49a5394 100644 
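Review bot: `dst_algorithm_supported(alg)` on the context line above runs before the new switch rewrites `alg` from DST_ALG_DSA or DST_ALG_RSASHA1 to the NSEC3 variant, so the algorithm actually used is never checked for support; moving the two check lines below the `if (use_nsec3)` block closes that gap at no cost. Whether any backend registers one variant without the other is not visible here, but the ordering is cheap to get right. The substitution also leaves `algname` holding the user's spelling, so later messages built from it will say RSASHA1 for a NSEC3RSASHA1 key; a verbose-mode line such as `if (verbose > 0) fprintf(stderr, "using NSEC3 variant of %s\n", algname);` would mirror the defaulting message this patch removes.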
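Review bot: The new size switch hard-codes 1024 bits for every RSA zone-signing key and, unlike the removed `use_default` branch, now applies that default to an explicit `-a RSASHA256` or `-a RSASHA512` without `-b`, which previously fell through to `fatal("key size not specified (-b option)")`; an invocation that used to fail now silently produces a 1024-bit key. NIST SP 800-131A has disallowed 1024-bit RSA for signature generation since the end of 2013, so a patch whose stated purpose is to steer operators away from weak choices should not introduce a weak default for the SHA-2 variants. Set `size = 2048;` in both branches (or at least print a warning when falling back to 1024), and update the dnssec-keygen.docbook sentence that now documents 1024 bits for ZSKs to match. This is the tail of main(), which continues past the hunk.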
--- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -53,7 +53,7 @@ dnssec-keygen - + @@ -101,6 +101,13 @@ line. For DNSSEC keys, this must match the name of the zone for which the key is being generated. + + The dnssec-keymgr command acts as a wrapper + around dnssec-keygen, generating and updating keys + as needed to enforce defined security policies such as key rollover + scheduling. Using dnssec-keymgr may be preferable + to direct use of dnssec-keygen. + OPTIONS 
@@ -114,27 +121,26 @@ Selects the cryptographic algorithm. For DNSSEC keys, the value of must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. - For TSIG/TKEY, the value must - be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, - HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are - case insensitive. + ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For + TSIG/TKEY keys, the value must be one of DH (Diffie Hellman), + HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, + or HMAC-SHA512; specifying any of these algorithms will + automatically set the option as well. + (Note: tsig-keygen produces TSIG keys in a + more useful format than dnssec-keygen.) - If no algorithm is specified, then RSASHA1 will be used by - default, unless the option is specified, - in which case NSEC3RSASHA1 will be used instead. (If - is used and an algorithm is specified, - that algorithm will be checked for compatibility with NSEC3.) + These values are case insensitive. In some cases, abbreviations + are supported, such as ECDSA256 for ECDSAP256SHA256 and + ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified + along with the option, then NSEC3RSASHA1 + or NSEC3DSA will be used instead. - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is - mandatory. - - - Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 - automatically set the -T KEY option. + As of BIND 9.12.0, this option is mandatory except when using + the option (which copies the algorithm from + the predecessor key). Previously, the default for newly + generated keys was RSASHA1. 
@@ -152,13 +158,11 @@ this parameter. - The key size does not need to be specified if using a default - algorithm. The default key size is 1024 bits for zone signing - keys (ZSKs) and 2048 bits for key signing keys (KSKs, - generated with ). However, if an - algorithm is explicitly specified with the , - then there is no default key size, and the - must be used. + If the key size is not specified, some algorithms have + pre-defined defaults. For example, RSA keys for use as + DNSSEC zone signing keys have a default size of 1024 bits; + RSA keys for use as key signing keys (KSKs, generated with + ) default to 2048 bits. @@ -169,11 +173,10 @@ Specifies the owner type of the key. The value of must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are case insensitive. Defaults to ZONE for DNSKEY - generation. + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated + with a host (KEY)), USER (for a key associated with a + user(KEY)) or OTHER (DNSKEY). These values are case + insensitive. Defaults to ZONE for DNSKEY generation. @@ -183,11 +186,10 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used and no algorithm is explicitly - set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512, ECCGOST, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 - algorithms are NSEC3-capable. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm. @@ -394,8 +396,8 @@ overridden to KEY for use with SIG(0). - Using any TSIG algorithm (HMAC-* or DH) forces this option - to KEY. + Specifying any TSIG algorithm (HMAC-* or DH) with + forces this option to KEY. 
@@ -529,30 +531,30 @@ - -i interval - - - Sets the prepublication interval for a key. If set, then - the publication and activation dates must be separated by at least - this much time. If the activation date is specified but the - publication date isn't, then the publication date will default - to this much time before the activation date; conversely, if - the publication date is specified but activation date isn't, - then activation will be set to this much time after publication. - - - If the key is being created as an explicit successor to another - key, then the default prepublication interval is 30 days; - otherwise it is zero. - - - As with date offsets, if the argument is followed by one of - the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the - interval is measured in years, months, weeks, days, hours, - or minutes, respectively. Without a suffix, the interval is - measured in seconds. - - + -i interval + + + Sets the prepublication interval for a key. If set, then + the publication and activation dates must be separated by at least + this much time. If the activation date is specified but the + publication date isn't, then the publication date will default + to this much time before the activation date; conversely, if + the publication date is specified but activation date isn't, + then activation will be set to this much time after publication. + + + If the key is being created as an explicit successor to another + key, then the default prepublication interval is 30 days; + otherwise it is zero. + + + As with date offsets, if the argument is followed by one of + the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the + interval is measured in years, months, weeks, days, hours, + or minutes, respectively. Without a suffix, the interval is + measured in seconds. + + diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh index 124cdc18c4..a718705e9a 100644 --- a/bin/tests/system/autosign/ns1/keygen.sh 
+++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -17,18 +17,18 @@ infile=root.db.in cat $infile ../ns2/dsset-example$TP > $zonefile -zskact=`$KEYGEN -3 -q -r $RANDFILE $zone` -zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone` -zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone` -zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone` -zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone` -zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone` -zskactnowpub1d=`$KEYGEN -3 -q -r $RANDFILE -A now -P +1d $zone` -zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone` +zskact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone` +zskvanish=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone` +zskdel=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -D now $zone` +zskinact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -I now $zone` +zskunpub=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -G $zone` +zsksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A none $zone` +zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A now -P +1d $zone` +zsknopriv=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone` rm $zsknopriv.private -ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone` -kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone` +ksksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -P now -A now+15s -fk $zone` +kskrev=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -R now+15s -fk $zone` cat $ksksby.key | grep -v '^; ' | $PERL -n -e ' local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 3084e21b06..7e5955c428 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh 
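Review bot: Every generated key in this script now hard-codes `-a RSASHA1`, and the same literal is repeated through the other test scripts in this patch, sometimes spelled `rsasha1` as in autosign/tests.sh and coverage/setup.sh; since the stated goal is to make RSASHA1 usage easy to find and replace, a single variable defined alongside `$KEYGEN` in whatever these scripts source, used as `$KEYGEN -a $DEFAULT_ALG ...`, would let the whole suite move off SHA-1 in one edit. The case mix is harmless because `-a` is documented as case-insensitive, but one spelling is easier to grep for, which is the point of the change.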
@@ -23,16 +23,16 @@ zonefile="${zone}.db" infile="${zonefile}.in" cat $infile dsset-*.example$TP > $zonefile -kskname=`$KEYGEN -3 -q -r $RANDFILE -fk $zone` -$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null +kskname=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone` +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null $DSFROMKEY $kskname.key > dsset-${zone}$TP # Create keys for a private secure zone. zone=private.secure.example zonefile="${zone}.db" infile="${zonefile}.in" -ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone` -$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null +ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone` +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null cat $ksk.key | grep -v '^; ' | $PERL -n -e ' local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; local $key = join("", @rest); @@ -55,5 +55,5 @@ for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \ do cp $i `echo $i | sed s/X/K/` done -$KEYGEN -q -r $RANDFILE $zone > /dev/null +$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > /dev/null $DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index a45355b217..c349e9f6c0 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -27,8 +27,8 @@ setup () { setup secure.example cp $infile $zonefile -ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # 
@@ -36,8 +36,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup secure.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -45,8 +45,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup nsec3.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -54,8 +54,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup optout.nsec3.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -63,8 +63,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup nsec3.example cat $infile dsset-*.${zone}$TP > $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # 
@@ -72,9 +72,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup autonsec3.example cat $infile > $zonefile -ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out echo $ksk > ../autoksk.key -zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out echo $zsk > ../autozsk.key $DSFROMKEY $ksk.key > dsset-${zone}$TP @@ -83,8 +83,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup secure.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -92,8 +92,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup nsec3.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -101,8 +101,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup optout.optout.example cp $infile $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # 
@@ -110,8 +110,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup optout.example cat $infile dsset-*.${zone}$TP > $zonefile -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -137,8 +137,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup nsec.example cp $infile $zonefile -ksk=`$KEYGEN -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out -$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP # @@ -147,8 +147,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # setup oldsigs.example cp $infile $zonefile -$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # @@ -164,8 +164,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # keys via nsupdate # setup secure-to-insecure.example -$KEYGEN -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # 
@@ -173,9 +173,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # removal of keys on schedule. # setup secure-to-insecure2.example -ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out echo $ksk > ../del1.key -zsk=`$KEYGEN -q -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out echo $zsk > ../del2.key $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out @@ -184,8 +184,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # setup prepub.example infile="secure-to-insecure2.example.db.in" -$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # 
@@ -194,35 +194,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out # no default key TTL; DNSKEY should get SOA TTL setup ttl1.example -$KEYGEN -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # default key TTL should be used setup ttl2.example -$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # mismatched key TTLs, should use shortest setup ttl3.example -$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # existing DNSKEY RRset, should retain TTL setup ttl4.example -$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out cat ${infile} K${zone}.+*.key > $zonefile -$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out # # A zone with a DNSKEY RRset that is published before it's activated # setup delay.example -ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out +ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out echo $ksk > ../delayksk.key -zsk=`$KEYGEN -G -q -3 -r $RANDFILE 
$zone 2> kg.out` || dumpit kg.out +zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out echo $zsk > ../delayzsk.key # @@ -230,8 +230,8 @@ echo $zsk > ../delayzsk.key # is missing. # setup nozsk.example -$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -3 -r $RANDFILE $zone` +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone` $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out echo $zsk > ../missingzsk.key rm -f ${zsk}.private @@ -241,8 +241,8 @@ rm -f ${zsk}.private # is inactive. # setup inaczsk.example -$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -zsk=`$KEYGEN -q -3 -r $RANDFILE $zone` +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone` $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out echo $zsk > ../inactivezsk.key $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out 
@@ -252,15 +252,15 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out # setup reconf.example cp secure.example.db.in $zonefile -$KEYGEN -q -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out # # A zone which generates a CDS and CDNSEY RRsets automatically # setup sync.example cp $infile $zonefile -ksk=`$KEYGEN -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out -$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out +ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out +$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP echo ns3/$ksk > ../sync.key diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 8d91e55475..7cd19084e6 100644 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -858,7 +858,7 @@ ret=0 oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'` oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u` -$KEYGEN -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null +$KEYGEN -a rsasha1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign prepub.example 2>&1 | sed 's/^/I:ns1 /' newserial=$oldserial diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh index 05867fc717..76f4433830 100644 --- a/bin/tests/system/coverage/setup.sh +++ b/bin/tests/system/coverage/setup.sh 
@@ -19,110 +19,110 @@ ln -s $CHECKZONE named-compilezone dir=01-ksk-inactive rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 2: ZSK goes inactive before successor is active dir=02-zsk-inactive rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 3: KSK is unpublished before its successor is published dir=03-ksk-unpublished rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 4: ZSK is unpublished before its successor is published dir=04-zsk-unpublished rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 5: KSK deleted and successor published before KSK is deactivated # and successor activated. 
dir=05-ksk-unpub-active rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 6: ZSK deleted and successor published before ZSK is deactivated # and successor activated. dir=06-zsk-unpub-active rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 7: KSK rolled with insufficient delay after prepublication. dir=07-ksk-ttl rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` # allow only 1 day between publication and activation $SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 8: ZSK rolled with insufficient delay after prepublication. 
dir=08-zsk-ttl rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` # allow only 1 day between publication and activation $SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 9: KSK goes inactive before successor is active, but checking ZSKs dir=09-check-zsk rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 10: ZSK goes inactive before successor is active, but checking KSKs dir=10-check-ksk rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 11: ZSK goes inactive before successor is active, but after cutoff dir=11-cutoff rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` diff --git a/bin/tests/system/dns64/ns1/sign.sh b/bin/tests/system/dns64/ns1/sign.sh index 3bb8483f72..7410161a3b 100644 --- a/bin/tests/system/dns64/ns1/sign.sh +++ b/bin/tests/system/dns64/ns1/sign.sh 
@@ -15,8 +15,8 @@ zone=signed infile=example.db zonefile=signed.db -key1=`$KEYGEN -q -r $RANDFILE $zone` -key2=`$KEYGEN -q -r $RANDFILE -fk $zone` +key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone` +key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone` cat $infile $key1.key $key2.key > $zonefile diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index a7555b962e..7dd14bb563 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -283,8 +283,8 @@ zone=kskonly.example. infile=kskonly.example.db.in zonefile=kskonly.example.db -kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 @@ -295,8 +295,8 @@ zone=expired.example. infile=expired.example.db.in zonefile=expired.example.db -kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1 rm -f $kskname.* $zskname.* @@ -308,8 +308,8 @@ zone=update-nsec3.example. infile=update-nsec3.example.db.in zonefile=update-nsec3.example.db -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 
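Review bot: This hunk does more than make the algorithm explicit: the removed lines relied on the old RSASHA1 default (algorithm 5) and the new ones request `rsasha256` (algorithm 8), so the DNSKEY, DS and RRSIG records this test generates now carry a different algorithm number. The same silent upgrade is made in masterformat/ns1/compile.sh, mkeys/ns1/sign.sh and mkeys/tests.sh, redirect/ns1 and ns3/sign.sh, inline/tests.sh and resolver/ns6/keygen.sh (which additionally drops `-3`), while every other script in the patch pins RSASHA1 to preserve behaviour. If any of those tests compare against canned output or check a specific algorithm number they need a matching update, which cannot be confirmed from the hunks alone; either way the commit description should state that these tests were deliberately moved off RSASHA1 rather than merely frozen on it.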
@@ -321,10 +321,10 @@ zone=auto-nsec.example. infile=auto-nsec.example.db.in zonefile=auto-nsec.example.db -kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` -kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 @@ -336,10 +336,10 @@ zone=auto-nsec3.example. infile=auto-nsec3.example.db.in zonefile=auto-nsec3.example.db -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` +kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 @@ -404,8 +404,8 @@ zone="expiring.example." infile="expiring.example.db.in" zonefile="expiring.example.db" signedfile="expiring.example.db.signed" -kskname=`$KEYGEN -q -r $RANDFILE $zone` -zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` cp $infile $zonefile $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 mv -f ${zskname}.private ${zskname}.private.moved 
@@ -419,8 +419,8 @@ infile="upper.example.db.in" zonefile="upper.example.db" lower="upper.example.db.lower" signedfile="upper.example.db.signed" -kskname=`$KEYGEN -q -r $RANDFILE $zone` -zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` cp $infile $zonefile $SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>&1 $CHECKZONE -D upper.example $lower 2>&- | \ @@ -434,8 +434,8 @@ zone="LOWER.EXAMPLE." infile="lower.example.db.in" zonefile="lower.example.db" signedfile="lower.example.db.signed" -kskname=`$KEYGEN -q -r $RANDFILE $zone` -zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` cp $infile $zonefile $SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 @@ -447,8 +447,8 @@ zone="nosign.example." infile="nosign.example.db.in" zonefile="nosign.example.db" signedfile="nosign.example.db.signed" -kskname=`$KEYGEN -q -r $RANDFILE $zone` -zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` cp $infile $zonefile $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1 # preserve a normalized copy of the NS RRSIG for comparison later @@ -460,8 +460,8 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \ # An inline signing zone # zone=inline.example. -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` # # publish a new key while deactivating another key at the same time. 
@@ -470,10 +470,10 @@ zone=publish-inactive.example infile=publish-inactive.example.db.in zonefile=publish-inactive.example.db now=`date -u +%Y%m%d%H%M%S` -kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` -kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone` -kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` +kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -a RSASHA1 -f KSK $zone` +kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -a RSASHA1 -f KSK $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` cp $infile $zonefile $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 @@ -483,8 +483,8 @@ $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=siginterval.example infile=siginterval.example.db.in zonefile=siginterval.example.db -kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` -zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone` cp $infile $zonefile # @@ -508,8 +508,8 @@ sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP zone=future.example infile=future.example.db.in zonefile=future.example.db -kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 cp -f $kskname.key trusted-future.key 
@@ -520,8 +520,8 @@ cp -f $kskname.key trusted-future.key zone=managed-future.example infile=managed-future.example.db.in zonefile=managed-future.example.db -kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` -zskname=`$KEYGEN -q -r $RANDFILE $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 @@ -532,10 +532,10 @@ zone=revkey.example. infile=generic.example.db.in zonefile=revkey.example.db -ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone` +ksk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone` ksk1=`$REVOKE $ksk1` -ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone` -zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone` +ksk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone` +zsk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 $zone` cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh index ac6a1b1b05..01d340303c 100644 --- a/bin/tests/system/dnssec/ns5/sign.sh +++ b/bin/tests/system/dnssec/ns5/sign.sh @@ -13,7 +13,7 @@ zone=. infile=../ns1/root.db.in zonefile=root.db.signed -keyname=`$KEYGEN -r $RANDFILE -qfk $zone` +keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone` # copy the KSK out first, then revoke it cat $keyname.key | grep -v '^; ' | $PERL -n -e ' @@ -29,6 +29,6 @@ EOF $SETTIME -R now ${keyname}.key > /dev/null # create a current set of keys, and sign the root zone -$KEYGEN -r $RANDFILE -q $zone > /dev/null -$KEYGEN -r $RANDFILE -qfk $zone > /dev/null +$KEYGEN -r $RANDFILE -a RSASHA1 -q $zone > /dev/null +$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone > /dev/null $SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 54bea5c3dd..fe2392c5c2 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -2209,7 +2209,7 @@ echo "I:checking that the NSEC3 record for the apex is properly signed when a DN
 ret=0
 (
 cd ns3
-kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -r $RANDFILE -fk update-nsec3.example`
 (
 echo zone update-nsec3.example
 echo server 10.53.0.3 5300
@@ -3247,8 +3247,8 @@ ret=0
 # generate signed zone with MX and AAAA records at apex.
 (
 cd signer
-$KEYGEN -q -r $RANDFILE -3 -fK remove > /dev/null
-$KEYGEN -q -r $RANDFILE -3 remove > /dev/null
+$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 -fK remove > /dev/null
+$KEYGEN -q -r $RANDFILE -a RSASHA1 -33 remove > /dev/null
 echo > remove.db.signed
 $SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
 )
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index ab360828a7..9677fc56de 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -615,8 +615,8 @@ grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:setup broken"; fi
 status=`expr $status + $ret`
 cp ns5/named.conf.post ns5/named.conf
-(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
-(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE -f KSK bits) > /dev/null 2>&1
 $RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -870,7 +870,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:testing imported key won't overwrite a private key ($n)"
 ret=0
-key=`$KEYGEN -r $RANDFILE -q import.example`
+key=`$KEYGEN -r $RANDFILE -q -a rsasha256 import.example`
 cp ${key}.key import.key
 # import should fail
 $IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
index 10143534ca..13e636fe81 100644
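Review bot: The second keygen line in the `cd signer` block of the @@ -3247 hunk reads `-a RSASHA1 -33 remove` where the removed line had `-3`; this is a typo introduced by the edit. With keygen's single-letter flag clustering the doubled `3` most likely just sets the NSEC3 option twice and the test keeps passing, which would explain why it went unnoticed, but it should read `$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 remove > /dev/null` to match the KSK line directly above it. The subshell this hunk edits is closed by the `)` at the end of the hunk, so no further lines are affected.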
--- a/bin/tests/system/keymgr/setup.sh +++ b/bin/tests/system/keymgr/setup.sh @@ -18,44 +18,44 @@ dir=01-ksk-inactive echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 2: ZSK goes inactive before successor is active dir=02-zsk-inactive echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 3: KSK is unpublished before its successor is published dir=03-ksk-unpublished echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 4: ZSK is unpublished before its successor is published dir=04-zsk-unpublished echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` $SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 5: KSK deleted and successor published before KSK is deactivated # and successor activated. 
@@ -63,10 +63,10 @@ dir=05-ksk-unpub-active echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 6: ZSK deleted and successor published before ZSK is deactivated # and successor activated. @@ -74,33 +74,33 @@ dir=06-zsk-unpub-active echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 7: KSK rolled with insufficient delay after prepublication. dir=07-ksk-ttl echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 ksk2=`$KEYGEN -K $dir -S $ksk1` $SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` # Test 8: ZSK rolled with insufficient delay after prepublication. dir=08-zsk-ttl echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -zsk1=`$KEYGEN -K $dir -3 example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` # allow only 1 day between publication and activation $SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 -ksk1=`$KEYGEN -K $dir -3fk example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` # Test 9: No special preparation needed rm -f $dir/K*.key 
@@ -111,8 +111,8 @@ dir=10-change-roll echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` -zsk1=`$KEYGEN -K $dir -3 example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1 zsk2=`$KEYGEN -K $dir -S $zsk1` 
@@ -121,40 +121,40 @@ dir=11-many-simul echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -q3fk -P now+1mo -A now+1mo example.com` -z1=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com` -z2=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com` -z3=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com` -z4=`$KEYGEN -K $dir -q3 -P now+1mo -A now+1mo example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -q3fk -P now+1mo -A now+1mo example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com` +z2=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com` +z3=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com` +z4=`$KEYGEN -K $dir -a rsasha1 -q3 -P now+1mo -A now+1mo example.com` # Test 12: Many keys all simultaneously scheduled to be active in the past dir=12-many-active echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -q3fk example.com` -z1=`$KEYGEN -K $dir -q3 example.com` -z2=`$KEYGEN -K $dir -q3 example.com` -z3=`$KEYGEN -K $dir -q3 example.com` -z4=`$KEYGEN -K $dir -q3 example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` # Test 13: Multiple simultaneous keys with no configured roll period dir=13-noroll echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -q3fk example.com` -k2=`$KEYGEN -K $dir -q3fk example.com` -k3=`$KEYGEN -K $dir -q3fk example.com` -z1=`$KEYGEN -K $dir -q3 example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +k2=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +k3=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` # Test 14: Keys exist but have the wrong algorithm dir=14-wrongalg echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir 
-qfk example.com` -z1=`$KEYGEN -K $dir -q example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q example.com` $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null z2=`$KEYGEN -K $dir -q -S ${z1}.key` $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null @@ -167,8 +167,8 @@ dir=15-unspec echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -q3fk example.com` -z1=`$KEYGEN -K $dir -q3 example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null z2=`$KEYGEN -K $dir -q -S ${z1}.key` $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null @@ -182,8 +182,8 @@ dir=16-wrongalg-unspec echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -qfk example.com` -z1=`$KEYGEN -K $dir -q example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -qfk example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q example.com` $SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null z2=`$KEYGEN -K $dir -q -S ${z1}.key` $SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null 
@@ -197,17 +197,17 @@ dir=17-noforce echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -k1=`$KEYGEN -K $dir -q3fk example.com` -z1=`$KEYGEN -K $dir -q3 example.com` -z2=`$KEYGEN -K $dir -q3 example.com` -z3=`$KEYGEN -K $dir -q3 example.com` -z4=`$KEYGEN -K $dir -q3 example.com` +k1=`$KEYGEN -K $dir -a rsasha1 -q3fk example.com` +z1=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z2=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z3=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` +z4=`$KEYGEN -K $dir -a rsasha1 -q3 example.com` # Test 18: Prepublication interval is set to a nonstandard value dir=18-nonstd-prepub echo I:set up $dir rm -f $dir/K*.key rm -f $dir/K*.private -ksk1=`$KEYGEN -K $dir -3fk example.com` -zsk1=`$KEYGEN -K $dir -3 example.com` +ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` +zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` $SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index f145272de3..341fe75b0d 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -25,7 +25,7 @@ SYSTEMTESTTOP=../.. ../named-compilezone -D -F map -o example.db.map example-map \ example.db > /dev/null 2>&1 -$KEYGEN -q -r $RANDFILE signed > /dev/null 2>&1 -$KEYGEN -q -r $RANDFILE -fk signed > /dev/null 2>&1 +$KEYGEN -q -a rsasha256 -r $RANDFILE signed > /dev/null 2>&1 +$KEYGEN -q -a rsasha256 -r $RANDFILE -fk signed > /dev/null 2>&1 $SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1 ../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1 diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh index 3794e17fad..8b66b1780c 100644 --- a/bin/tests/system/metadata/setup.sh +++ b/bin/tests/system/metadata/setup.sh 
@@ -19,42 +19,42 @@ czone=child.parent.nil echo "I:generating keys" # active zsk -zsk=`$KEYGEN -q -r $RANDFILE $czone` +zsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $czone` echo $zsk > zsk.key # not yet published or active -pending=`$KEYGEN -q -r $RANDFILE -P none -A none $czone` +pending=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone` echo $pending > pending.key # published but not active -standby=`$KEYGEN -q -r $RANDFILE -A none $czone` +standby=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone` echo $standby > standby.key # inactive -inact=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone` +inact=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone` echo $inact > inact.key # active ksk -ksk=`$KEYGEN -q -r $RANDFILE -fk $czone` +ksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone` echo $ksk > ksk.key # published but not YET active; will be active in 15 seconds -rolling=`$KEYGEN -q -r $RANDFILE -fk $czone` +rolling=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone` $SETTIME -A now+15s $rolling > /dev/null echo $rolling > rolling.key # revoked -revoke1=`$KEYGEN -q -r $RANDFILE -fk $czone` +revoke1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone` echo $revoke1 > prerev.key revoke2=`$REVOKE $revoke1` echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key -pzsk=`$KEYGEN -q -r $RANDFILE $pzone` +pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone` echo $pzsk > parent.zsk.key -pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone` +pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone` echo $pksk > parent.ksk.key -oldstyle=`$KEYGEN -Cq -r $RANDFILE $pzone` +oldstyle=`$KEYGEN -Cq -a rsasha1 -r $RANDFILE $pzone` echo $oldstyle > oldstyle.key diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh index e63277bc68..7b387d8aa6 100644 --- a/bin/tests/system/metadata/tests.sh +++ b/bin/tests/system/metadata/tests.sh 
@@ -174,7 +174,7 @@ status=`expr $status + $ret` echo "I:checking warning about delete date < inactive date with dnssec-keygen ($n)" ret=0 # keygen should print a warning about delete < inactive -$KEYGEN -q -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1 +$KEYGEN -q -a rsasha1 -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1 grep "warning" tmp.out > /dev/null 2>&1 || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi @@ -182,15 +182,15 @@ status=`expr $status + $ret` echo "I:checking correct behavior setting activation without publication date ($n)" ret=0 -key=`$KEYGEN -q -r $RANDFILE -A +1w $czone` +key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w $czone` pub=`$SETTIME -upP $key | awk '{print $2}'` act=`$SETTIME -upA $key | awk '{print $2}'` [ $pub -eq $act ] || ret=1 -key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone` +key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -i 1d $czone` pub=`$SETTIME -upP $key | awk '{print $2}'` act=`$SETTIME -upA $key | awk '{print $2}'` [ $pub -lt $act ] || ret=1 -key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone` +key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -P never $czone` pub=`$SETTIME -upP $key | awk '{print $2}'` [ $pub = "UNSET" ] || ret=1 n=`expr $n + 1` diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index 9669d4fc19..db522216c6 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -12,8 +12,8 @@ SYSTEMTESTTOP=../.. zone=. zonefile=root.db -keyname=`$KEYGEN -qfk -r $RANDFILE $zone` -zskkeyname=`$KEYGEN -q -r $RANDFILE $zone` +keyname=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE $zone` +zskkeyname=`$KEYGEN -a rsasha256 -q -r $RANDFILE $zone` $SIGNER -Sg -r $RANDFILE -o $zone $zonefile > /dev/null 2>&- diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index e103794eb5..cbeff3e1f7 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh 
@@ -57,7 +57,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: check new trust anchor can be added ($n)" ret=0 -standby1=`$KEYGEN -qfk -r $RANDFILE -K ns1 .` +standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .` $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' sleep 5 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' @@ -241,7 +241,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: revoke original key, add new standby ($n)" ret=0 -standby2=`$KEYGEN -qfk -r $RANDFILE -K ns1 .` +standby2=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .` $SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' sleep 3 @@ -276,7 +276,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: revoke standby before it is trusted ($n)" ret=0 -standby3=`$KEYGEN -qfk -r $RANDFILE -K ns1 .` +standby3=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .` $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' sleep 3 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh index a7fd81220a..ba7e85fe87 100644 --- a/bin/tests/system/nsupdate/ns3/sign.sh +++ b/bin/tests/system/nsupdate/ns3/sign.sh @@ -35,8 +35,8 @@ zone=delegation.test. infile=delegation.test.db.in zonefile=delegation.test.db -keyname1=`$KEYGEN -q -r $RANDFILE -3 -f KSK $zone` -keyname2=`$KEYGEN -q -r $RANDFILE -3 $zone` +keyname1=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 -f KSK $zone` +keyname2=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 $zone` cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/redirect/ns1/sign.sh b/bin/tests/system/redirect/ns1/sign.sh index 9245260331..51d3b36dfb 100644 --- a/bin/tests/system/redirect/ns1/sign.sh +++ b/bin/tests/system/redirect/ns1/sign.sh 
@@ -15,8 +15,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
-key1=`$KEYGEN -q -r $RANDFILE $zone`
-key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
@@ -26,8 +26,8 @@ zone=nsec3
 infile=example.db
 zonefile=nsec3.db
-key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
-key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
diff --git a/bin/tests/system/redirect/ns3/sign.sh b/bin/tests/system/redirect/ns3/sign.sh
index 02d439ea8a..5884ce895a 100644
--- a/bin/tests/system/redirect/ns3/sign.sh
+++ b/bin/tests/system/redirect/ns3/sign.sh
@@ -15,8 +15,8 @@ zone=signed
 infile=example.db
 zonefile=signed.db
-key1=`$KEYGEN -q -r $RANDFILE $zone`
-key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
@@ -26,8 +26,8 @@ zone=nsec3
 infile=example.db
 zonefile=nsec3.db
-key1=`$KEYGEN -q -r $RANDFILE -3 $zone`
-key2=`$KEYGEN -q -r $RANDFILE -3 -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
+key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
 cat $infile $key1.key $key2.key > $zonefile
diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh
index 8f5716ef73..2903e88db7 100644
--- a/bin/tests/system/resolver/ns6/keygen.sh
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -15,8 +15,8 @@ zone=ds.example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
-zsk=`$KEYGEN -q -3 -r $RANDFILE -b 2048 $zone`
+ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
+zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -b 2048 $zone`
 cat $ksk.key $zsk.key >> $zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -24,8 +24,8 @@ zone=example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
-ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
-zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
+zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
 cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index e495518a04..5a87d15a42 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -30,7 +30,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 # $1=directory, $2=domain name, $3=input zone file, $4=output file
 signzone () {
- KEYNAME=`$KEYGEN -q -r $RANDFILE -b 1024 -K $1 $2`
+ KEYNAME=`$KEYGEN -q -a rsasha256 -r $RANDFILE -K $1 $2`
 cat $1/$3 $1/$KEYNAME.key > $1/tmp
 $SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
 sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh
index 8270c0795a..5614ba1edf 100644
--- a/bin/tests/system/smartsign/tests.sh
+++ b/bin/tests/system/smartsign/tests.sh
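Review bot: The rpz/setup.sh hunk drops `-b 1024` from the KEYNAME line while it adds `-a rsasha256`, so the key size this fixture gets now depends on dnssec-keygen's per-algorithm default instead of being stated in the script; the commit is otherwise about removing reliance on tool defaults, and a fixture is more reproducible when it pins both, e.g. adding `-b 2048` after `-a rsasha256`. The resolver/ns6 hunks in this line likewise drop `-3`, which is harmless once the algorithm is explicit because RSASHA256 already covers NSEC3. The signzone() body continues outside the hunk.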
@@ -21,39 +21,39 @@ cfile=child.db
 echo "I:generating child's keys"
 # active zsk
-czsk1=`$KEYGEN -q -r $RANDFILE -L 30 $czone`
+czsk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -L 30 $czone`
 # not yet published or active
-czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+czsk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
 # published but not active
-czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
+czsk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
 # inactive
-czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+czsk4=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
 # active in 12 hours, inactive 12 hours after that...
-czsk5=`$KEYGEN -q -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
+czsk5=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
 # explicit successor to czk5
 # (suppressing warning about lack of removal date)
 czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-`
 # active ksk
-cksk1=`$KEYGEN -q -r $RANDFILE -fk -L 30 $czone`
+cksk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk -L 30 $czone`
 # published but not YET active; will be active in 20 seconds
-cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 # $SETTIME moved after other $KEYGENs
 echo I:revoking key
 # revoking key changes its ID
-cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
 cksk4=`$REVOKE $cksk3`
 echo I:generating parent keys
-pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
-pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
+pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
 echo "I:setting child's activation time"
 # using now+30s to fix RT 24561
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
index 8aad3e04d8..5c5b7c640e 100644
--- a/bin/tests/system/testcrypto.sh
+++ b/bin/tests/system/testcrypto.sh
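Review bot: The czsk6 line is the one $KEYGEN call in this hunk left without `-a`; that is presumably correct because a key generated with `-S` takes its algorithm from the predecessor named there, but after this change anyone scanning the tree for calls that lack `-a` will flag it, and the existing comment only explains the suppressed warning. A comment above it, `# -S derives the algorithm from the predecessor key, so no -a here`, makes the omission visibly intentional. Whether rsasha1 rather than rsasha256 is the right pin for the other calls is the same question raised on the earlier metadata hunks.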
@@ -26,7 +26,7 @@ while test "$#" -gt 0; do
 quiet=1
 ;;
 rsa|RSA)
- alg=""
+ alg="-a RSASHA1"
 msg1="RSA cryptography"
 ;;
 gost|GOST)
diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh
index 54766d094d..502339080b 100644
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
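Review bot: `alg="-a RSASHA1"` makes RSASHA1 the probe for whether RSA is usable at all, so on a crypto backend built without SHA-1 this script would report "RSA cryptography" as unavailable and every RSA-dependent system test would be skipped rather than run with a still-supported RSA variant. Given that the commit's own rationale is RSASHA1's eventual deprecation, `alg="-a RSASHA256"` keeps the RSA capability check meaningful for longer; if RSASHA1 is probed on purpose because some tests still need it, a comment on the line saying so would help. The value holds a space and relies on unquoted `$alg` expansion to become two arguments; that use is outside this hunk, so it is worth confirming it is not written as "$alg".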
@@ -27,83 +27,83 @@ cp unsigned.db unsigned.bad
 # A set of nsec zones.
 setup zsk-only.nsec good
-$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk-only.nsec good
-$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.nsec good
-$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 # A set of nsec3 zones.
 setup zsk-only.nsec3 good
-$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk-only.nsec3 good
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.nsec3 good
-$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.outout good
-$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 # A set of zones with only DNSKEY records.
 setup zsk-only.dnskeyonly bad
-key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key > ${file}
 setup ksk-only.dnskeyonly bad
-key1=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key > ${file}
 setup ksk+zsk.dnskeyonly bad
-key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
-key2=`$KEYGEN -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
+key2=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key $key2.key > ${file}
 # A set of zones with expired records
 s="-s -2678400"
 setup zsk-only.nsec.expired bad
-$KEYGEN -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk-only.nsec.expired bad
-$KEYGEN -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.nsec.expired bad
-$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup zsk-only.nsec3.expired bad
-$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk-only.nsec3.expired bad
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 setup ksk+zsk.nsec3.expired bad
-$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 # ksk expired
 setup ksk+zsk.nsec.ksk-expired bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
 $SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
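Review bot: The three `dnskeyonly` keygen lines in this hunk redirect stderr with `2>kg.out` but recover with `dumpit kg.out$n`, so when key generation fails there the captured error sits in a file the fallback never reads; every other keygen line in the hunk writes `kg.out$n`, `kg1.out$n` or `kg2.out$n` and dumps the same name. The new side keeps that mismatch; changing the redirect on those three lines to `2>kg.out$n` brings them in line with the rest (dumpit is defined outside the hunk, so what it prints for a missing file is an assumption). Dropping the `-3` flags throughout is fine now that `-a rsasha256` is explicit, since that algorithm already covers NSEC3.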
@@ -112,8 +112,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
 [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
 setup ksk+zsk.nsec3.ksk-expired bad
-zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
 $SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
@@ -123,8 +123,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
 # broken nsec chain
 setup ksk+zsk.nsec.broken-chain bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
@@ -132,8 +132,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
 # bad nsec bitmap
 setup ksk+zsk.nsec.bad-bitmap bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
@@ -141,8 +141,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
 # extra NSEC record out side of zone
 setup ksk+zsk.nsec.out-of-zone-nsec bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
@@ -150,8 +150,8 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>
 # extra NSEC record below bottom of one
 setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
-zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
@@ -163,8 +163,8 @@ awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${fil
 # extract the hash fields from the empty node's NSEC 3 record then fix up
 # the NSEC3 chain to remove it
 setup ksk+zsk.nsec3.missing-empty bad
-zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}`
@@ -177,8 +177,8 @@ $SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s
 # extra NSEC3 record
 setup ksk+zsk.nsec3.extra-nsec3 bad
-zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '
diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh
index 053e17c74d..77aa47d476 100644
--- a/bin/tests/system/views/setup.sh
+++ b/bin/tests/system/views/setup.sh
@@ -26,11 +26,11 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 # same source of "random" data and we want different keys for
 # internal and external instances of inline.
 #
-$KEYGEN -K ns2/internal -r $RANDFILE -3q inline > /dev/null 2>&1
-$KEYGEN -K ns2/internal -r $RANDFILE -3qfk inline > /dev/null 2>&1
-k1=`$KEYGEN -K ns2/external -r $RANDFILE -3q inline 2> /dev/null`
-k2=`$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline 2> /dev/null`
-$KEYGEN -K ns2/external -r $RANDFILE -3q inline > /dev/null 2>&1
-$KEYGEN -K ns2/external -r $RANDFILE -3qfk inline > /dev/null 2>&1
+$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
+$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
+k1=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline 2> /dev/null`
+k2=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline 2> /dev/null`
+$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
+$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
 test -n "$k1" && rm -f ns2/external/$k1.*
 test -n "$k2" && rm -f ns2/external/$k2.*
diff --git a/bin/tests/system/zonechecks/setup.sh b/bin/tests/system/zonechecks/setup.sh
index 81ff076f85..e16cb4abb9 100644
--- a/bin/tests/system/zonechecks/setup.sh
+++ b/bin/tests/system/zonechecks/setup.sh
@@ -19,8 +19,8 @@ cp bigserial.db ns1/
 cd ns1
 touch master.db.signed
 echo '$INCLUDE "master.db.signed"' >> master.db
-$KEYGEN -r $RANDFILE -3q master.example > /dev/null 2>&1
-$KEYGEN -r $RANDFILE -3qfk master.example > /dev/null 2>&1
+$KEYGEN -r $RANDFILE -a rsasha256 -q master.example > /dev/null 2>&1
+$KEYGEN -r $RANDFILE -a rsasha256 -qfk master.example > /dev/null 2>&1
 $SIGNER -SD -o master.example master.db > /dev/null \
 2> signer.err || cat signer.err
 echo '$INCLUDE "soa.db"' > reload.db
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 407096e9eb..ed0516ce9b 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -433,6 +433,17 @@
Feature Changes + + + dnssec-keygen no longer has default + algorithm settings. It is necessary to explicitly specify the + algorithm on the command line with the option + when generating keys. This may cause errors with existing signing + scripts if they rely on current defaults. The intent is to + reduce the long-term cost of transitioning to newer algorithms in + the event of RSASHA1 being deprecated. [RT #44755] + + Threads in named are now set to human-readable
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index d868bf36c8..723c0183fb 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -131,7 +131,9 @@
 { DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
 { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
 { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
+ { DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
 { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
+ { DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
 { DNS_KEYALG_ED25519, "ED25519", 0 }, \
 { DNS_KEYALG_ED448, "ED448", 0 }, \
 { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
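Review bot: The two added rows give DNS_KEYALG_ECDSA256 and DNS_KEYALG_ECDSA384 a second name each, so any lookup that walks this table by value now returns whichever row is found first; the IANA mnemonics ECDSAP256SHA256 and ECDSAP384SHA384 stay ahead of the aliases here, which presumably keeps value-to-text output unchanged, but that ordering is load-bearing and nothing in the table says so. A comment on each alias row, `/* alias; keep after the ECDSAP*SHA* row so value-to-text still yields the IANA mnemonic */`, would protect it from a later reordering. If this name table also feeds named.conf or zone-file parsing rather than only dnssec-keygen's -a option, the new spellings widen what is accepted there as well, and the release note in this commit does not mention them. The macro this list belongs to starts and ends outside the hunk.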