Merge branch '1151-inconsistent-usage-of-stdout-vs-stderr-in-signing-tools' into 'master'

Resolve "Inconsistent usage of stdout vs stderr in signing tools"

Closes #1151

See merge request isc-projects/bind9!2165
This commit is contained in:
Ondřej Surý 2019-07-31 04:24:50 -04:00
commit b23c8aa5e8
33 changed files with 280 additions and 225 deletions


@ -1,3 +1,7 @@
5271. [func] The normal (non-debugging) output of dnssec-signzone
and dnssec-verify tools now goes to stdout, instead of
the combination of stderr and stdout.
5270. [bug] 'dig +expandaaaa +short' did not work. [GL #1152]
5269. [port] cygwin: can return ETIMEDOUT on connect() with a


@ -218,7 +218,6 @@ main(int argc, char **argv) {
bool unsetrev = false, unsetinact = false;
bool unsetdel = false;
bool genonly = false;
bool quiet = false;
bool show_progress = false;
unsigned char c;
isc_stdtime_t syncadd = 0, syncdel = 0;


@ -2645,11 +2645,13 @@ loadexplicitkeys(char *keyfiles[], int n, bool setksk) {
static void
report(const char *format, ...) {
va_list args;
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
putc('\n', stderr);
if (!quiet) {
FILE *out = output_stdout ? stderr : stdout;
va_list args;
va_start(args, format);
vfprintf(out, format, args);
va_end(args);
}
}
static void
@ -3085,6 +3087,7 @@ usage(void) {
fprintf(stderr, "\t-j jitter:\n");
fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n");
fprintf(stderr, "\t-v debuglevel (0)\n");
fprintf(stderr, "\t-q quiet\n");
fprintf(stderr, "\t-V:\tprint version information\n");
fprintf(stderr, "\t-o origin:\n");
fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
@ -3217,7 +3220,7 @@ main(int argc, char *argv[]) {
/* Unused letters: Bb G J q Yy (and F is reserved). */
#define CMDLINE_FLAGS \
"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:M:n:N:o:O:PpQRr:s:ST:tuUv:VX:xzZ:"
"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:VX:xzZ:"
/*
* Process memory debugging argument first.
@ -3478,6 +3481,10 @@ main(int argc, char *argv[]) {
fatal("verbose level must be numeric");
break;
case 'q':
quiet = true;
break;
case 'X':
dnskey_endstr = isc_commandline_argument;
break;
@ -3882,7 +3889,7 @@ main(int argc, char *argv[]) {
} else {
vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
NULL, mctx, ignore_kskflag,
keyset_kskonly);
keyset_kskonly, report);
if (vresult != ISC_R_SUCCESS) {
fprintf(output_stdout ? stderr : stdout,
"Zone verification failed (%s)\n",
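Review bot: The rewritten `report()` no longer terminates its output — the old body ended with `putc('\n', stderr)`, the new one only does `vfprintf(out, format, args)` — so any existing `report(...)` call in dnssec-signzone.c whose format string has no trailing `\n` will now run into the next line of output; those call sites are outside this hunk and should be audited before merge. The callback passed to `dns_zoneverify_dnssec()` appears to be expected to supply its own newline (the `report("Loading zone '%s' from file '%s'\n", ...)` call in dnssec-verify.c suggests so), so the in-file callers should follow the same convention rather than the function being changed back. Since `-q` is implemented inside `report()`, anything still printed with a bare `fprintf(stdout, ...)` elsewhere in the file is not silenced; a short comment on the function would make the contract explicit, e.g. `/* Status output: silenced by -q, sent to stderr when the signed zone itself goes to stdout (-f -). Callers supply the trailing newline. */`. `main()` continues outside the hunk.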


@ -80,6 +80,7 @@
<arg choice="opt" rep="norepeat"><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P</option></arg>
<arg choice="opt" rep="norepeat"><option>-Q</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-R</option></arg>
<arg choice="opt" rep="norepeat"><option>-S</option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
@ -543,6 +544,22 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output. Without this
option, when <command>dnssec-signzone</command> is run it
will print to standard output the number of keys in use,
the algorithms used to verify the zone was signed correctly
and other status information, and finally the filename
containing the signed zone. With it, that output is
suppressed, leaving only the filename.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R</term>
<listitem>


@ -78,6 +78,16 @@ static dns_name_t *gorigin; /* The database origin */
static bool ignore_kskflag = false;
static bool keyset_kskonly = false;
static void
report(const char *format, ...) {
if (!quiet) {
va_list args;
va_start(args, format);
vfprintf(stdout, format, args);
va_end(args);
}
}
/*%
* Load the zone file from disk
*/
@ -140,6 +150,7 @@ usage(void) {
fprintf(stderr, "Options: (default value in parenthesis) \n");
fprintf(stderr, "\t-v debuglevel (0)\n");
fprintf(stderr, "\t-q quiet\n");
fprintf(stderr, "\t-V:\tprint version information\n");
fprintf(stderr, "\t-o origin:\n");
fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
@ -172,7 +183,7 @@ main(int argc, char *argv[]) {
int ch;
#define CMDLINE_FLAGS \
"hm:o:I:c:E:v:Vxz"
"c:E:hm:o:I:qv:Vxz"
/*
* Process memory debugging argument first.
@ -237,6 +248,10 @@ main(int argc, char *argv[]) {
fatal("verbose level must be numeric");
break;
case 'q':
quiet = true;
break;
case 'x':
keyset_kskonly = true;
break;
@ -304,7 +319,7 @@ main(int argc, char *argv[]) {
}
gdb = NULL;
fprintf(stderr, "Loading zone '%s' from file '%s'\n", origin, file);
report("Loading zone '%s' from file '%s'\n", origin, file);
loadzone(file, origin, rdclass, &gdb);
gorigin = dns_db_origin(gdb);
gclass = dns_db_class(gdb);
@ -314,7 +329,8 @@ main(int argc, char *argv[]) {
check_result(result, "dns_db_newversion()");
result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, NULL,
mctx, ignore_kskflag, keyset_kskonly);
mctx, ignore_kskflag, keyset_kskonly,
report);
dns_db_closeversion(gdb, &gversion, false);
dns_db_detach(&gdb);
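Review bot: The new static `report()` is a printf-style wrapper with no format attribute, so `-Wformat` cannot check the arguments that pass through it; if isc/formatcheck.h is reachable from this file, a prototype such as `static void report(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);` above the definition restores that checking for every `report(...)` call. It is also a near copy of the `report()` added to dnssec-signzone.c in the same commit — the only difference is the `output_stdout ? stderr : stdout` selection — so a shared helper in dnssectool.c next to the new `quiet` global would avoid maintaining two versions. `main()` continues outside the hunk.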


@ -49,6 +49,7 @@
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-x</option></arg>
@ -140,6 +141,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses output. Without this option, when
<command>dnssec-verify</command> is run it will print to
standard output the number of keys in use, the algorithms
used to verify the zone was signed correctly and other
status information. With it, all non-error output is
suppressed, and only the exit code will indicate success.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>


@ -57,7 +57,8 @@
#include "dnssectool.h"
int verbose;
int verbose = 0;
bool quiet = false;
uint8_t dtype[8];
static fatalcallback_t *fatalcallback = NULL;


@ -25,8 +25,9 @@
#define PATH_MAX 1024 /* WIN32, and others don't define this. */
#endif
/*! verbosity: set by -v option in each program, defined in dnssectool.c */
/*! verbosity: set by -v and -q option in each program, defined in dnssectool.c */
extern int verbose;
extern bool quiet;
/*! program name, statically initialized in each program */
extern const char *program;
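Review bot: `extern bool quiet;` relies on `bool` already being in scope in this header; if dnssectool.h does not pull in `<stdbool.h>` (directly, or through the isc headers included above this hunk), it should add `#include <stdbool.h>` so that every tool including it compiles regardless of its own include order. The updated comment also reads better as a sentence: `/*! verbosity and quiet flag: set by the -v and -q options in each program, defined in dnssectool.c */`.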


@ -39,7 +39,7 @@ ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone`
$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null
keyfile_to_static_keys $ksk > private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
# Extract saved keys for the revoke-to-duplicate-key test
zone=bar
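Review bot: Dropping `2>&1` on the `$SIGNER` line makes signing errors visible on stderr, but the signer's exit status is still ignored, so a failed run leaves the rest of the setup continuing with a missing or stale `$zonefile` and the failure only surfaces later in an unrelated test. A trailing guard on that line, e.g. `$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null || exit 1`, fails the setup at the point of the error; the `$KEYGEN ... > /dev/null` line above it has the same gap.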


@ -152,7 +152,7 @@ setup oldsigs.example
cp $infile $zonefile
$KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
# NSEC3->NSEC transition test zone.
@ -160,7 +160,7 @@ $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || d
setup nsec3-to-nsec.example
$KEYGEN -q -a RSASHA512 -b 2048 -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
# secure-to-insecure transition test zone; used to test removal of
@ -169,7 +169,7 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
setup secure-to-insecure.example
$KEYGEN -a RSASHA1 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a RSASHA1 -q $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
# another secure-to-insecure transition test zone; used to test
@ -180,7 +180,7 @@ ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
echo $ksk > ../del1.key
zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../del2.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
# Introducing a pre-published key test.
@ -189,7 +189,7 @@ setup prepub.example
infile="secure-to-insecure2.example.db.in"
$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
# Key TTL tests.
@ -235,7 +235,7 @@ echo $zsk > ../delayzsk.key
setup nozsk.example
$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
zsk=`$KEYGEN -q -a RSASHA1 -3 $zone`
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $zsk > ../missingzsk.key
rm -f ${zsk}.private
@ -246,7 +246,7 @@ rm -f ${zsk}.private
setup inaczsk.example
$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
zsk=`$KEYGEN -q -a RSASHA1 -3 $zone`
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $zsk > ../inactivezsk.key
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
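Review bot: With `2>&1` removed from the `$SIGNER ... > s.out || dumpit s.out` lines, `s.out` no longer contains the fatal error that dnssec-signzone writes to stderr when signing fails, so `dumpit s.out` on failure will show only the status lines that this commit moves to stdout; the adjacent `$KEYGEN` and `$SETTIME` lines in the same file keep `2>&1` precisely so the dump is useful. Either keep `> s.out 2>&1` on the signer lines, or capture stderr alongside, e.g. `> s.out 2> s.err || { dumpit s.out; dumpit s.err; }`, so the diagnostic stays with the dump.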


@ -84,7 +84,7 @@ sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
sign() {
cat >db.$1
$SIGNER >/dev/null 2>&1 \
$SIGNER >/dev/null \
-S -O full -o $Z -f sig.$1 db.$1
}


@ -17,4 +17,4 @@ zonefile=example.db
ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone`
zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone`
$SIGNER -S -o $zone example.db > /dev/null 2>&1
$SIGNER -S -o $zone example.db > /dev/null


@ -25,7 +25,7 @@ do
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
# Zone to test trust anchor that matches disabled algorithm.
zone=disabled.${tld}
@ -33,7 +33,7 @@ do
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname2.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
# Zone to test trust anchor that has disabled algorithm for other domain.
zone=enabled.${tld}
@ -41,7 +41,7 @@ do
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname3.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
# Zone to test trust anchor with unsupported algorithm.
zone=unsupported.${tld}
@ -49,7 +49,7 @@ do
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname4.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
# Make trusted-keys and managed keys conf sections for ns8.
@ -62,7 +62,7 @@ do
keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname5.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
case $tld in
"managed")
@ -86,7 +86,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
zone=bogus.example.
infile=bogus.example.db.in
@ -96,7 +96,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
zone=dynamic.example.
infile=dynamic.example.db.in
@ -107,7 +107,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
zone=keyless.example.
infile=generic.example.db.in
@ -117,7 +117,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
# Change the signer field of the a.b.keyless.example SIG A
# to point to a provably nonexistent KEY record.
@ -138,7 +138,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
#
# NSEC3/NSEC3 test zone
@ -151,7 +151,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
#
# OPTOUT/NSEC3 test zone
@ -164,7 +164,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
#
# A nsec3 zone (non-optout).
@ -177,7 +177,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null
#
# OPTOUT/NSEC test zone
@ -190,7 +190,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
#
# OPTOUT/NSEC3 test zone
@ -203,7 +203,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
#
# OPTOUT/OPTOUT test zone
@ -216,7 +216,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
#
# A optout nsec3 zone.
@ -229,7 +229,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null
#
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
@ -242,7 +242,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null
#
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
@ -255,7 +255,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null
#
# A zone that is signed with an unknown DNSKEY algorithm.
@ -269,7 +269,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
@ -288,7 +288,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
@ -308,7 +308,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
@ -322,7 +322,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
@ -340,17 +340,17 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null
mv "$zonefile".signed "$zonefile"
"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null
#
# A RSASHA256 zone.
@ -363,7 +363,7 @@ keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
#
# A RSASHA512 zone.
@ -376,7 +376,7 @@ keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
#
# A zone with the DNSKEY set only signed by the KSK
@ -388,7 +388,7 @@ zonefile=kskonly.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null
#
# A zone with the expired signatures
@ -400,7 +400,7 @@ zonefile=expired.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null
rm -f "$kskname.*" "$zskname.*"
#
@ -413,7 +413,7 @@ zonefile=update-nsec3.example.db
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
#
# A NSEC signed zone that will have auto-dnssec enabled and
@ -428,7 +428,7 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
#
# A NSEC3 signed zone that will have auto-dnssec enabled and
@ -443,7 +443,7 @@ zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
#
# Secure below cname test zone.
@ -453,7 +453,7 @@ infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
#
# Patched TTL test zone.
@ -467,7 +467,7 @@ patchedfile=ttlpatch.example.db.patched
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null
$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \
awk '{$2 = "3600"; print}' > $patchedfile
@ -483,7 +483,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null
#
# Seperate DNSSEC records smart signing.
@ -498,7 +498,7 @@ cp "$infile" "$zonefile"
# shellcheck disable=SC2016
echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
: > "$signedfile"
"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
#
# Zone with signatures about to expire, but no private key to replace them
@ -510,7 +510,7 @@ signedfile="expiring.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null
mv -f "${zskname}.private" "${zskname}.private.moved"
mv -f "${kskname}.private" "${kskname}.private.moved"
@ -525,7 +525,7 @@ signedfile="upper.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null
$CHECKZONE -D upper.example $lower 2>/dev/null | \
sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
@ -540,7 +540,7 @@ signedfile="lower.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
#
# Zone with signatures about to expire, and dynamic, but configured
@ -553,7 +553,7 @@ signedfile="nosign.example.db.signed"
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
# preserve a normalized copy of the NS RRSIG for comparison later
$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
@ -578,7 +578,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b
kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cp "$infile" "$zonefile"
"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
#
# A zone which will change its sig-validity-interval
@ -602,7 +602,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
#
@ -614,7 +614,7 @@ zonefile=future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
cp -f "$kskname.key" trusted-future.key
#
@ -626,7 +626,7 @@ zonefile=managed-future.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
#
# A zone with a revoked key
@ -641,7 +641,7 @@ ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
#
# Check that NSEC3 are correctly signed and returned from below a DNAME
@ -653,7 +653,7 @@ zonefile=dname-at-apex-nsec3.example.db
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
#
# A NSEC zone with occuded data at the delegation
@ -668,4 +668,4 @@ keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP"
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
"${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
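Review bot: Every `"$SIGNER" ... > /dev/null` line in this file still ignores the signer's exit status, so once stderr is no longer discarded a signing failure prints a message and the setup carries on with a missing `.signed` file, producing confusing failures in later tests rather than at the source. Given how many near-identical invocations this section has, a small wrapper defined once near the top of setup.sh and used in place of `"$SIGNER" ... > /dev/null` would both remove the repeated redirection and make failures fatal: `sign() { "$SIGNER" "$@" > /dev/null || { echo "dnssec-signzone $* failed" >&2; exit 1; }; }`.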


@ -1329,7 +1329,7 @@ ret=0
(
cd signer/general || exit 1
rm -f signed.zone
$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n 2>&1
$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n
test -f signed.zone
) || ret=1
n=$((n+1))
@ -1341,7 +1341,7 @@ ret=0
(
cd signer/general || exit 1
rm -f signed.zone
$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n 2>&1
$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n
test -f signed.zone
) && ret=1
n=$((n+1))
@ -1353,7 +1353,7 @@ ret=0
(
cd signer/general || exit 1
rm -f signed.zone
$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n 2>&1
$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n
test -f signed.zone
) && ret=1
n=$((n+1))
@ -1365,7 +1365,7 @@ ret=0
(
cd signer/general || exit 1
rm -f signed.zone
$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n 2>&1
$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n
test -f signed.zone
) || ret=1
n=$((n+1))
@ -1377,7 +1377,7 @@ ret=0
(
cd signer/general || exit 1
rm -f signed.zone
$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n 2>&1
$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n
test -f signed.zone
) || ret=1
n=$((n+1))
@ -1389,7 +1389,7 @@ ret=0
(
cd signer/general || exit 1
rm -f signed.zone
$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n 2>&1
$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n
test -f signed.zone
) || ret=1
n=$((n+1))
@ -1401,7 +1401,7 @@ ret=0
(
cd signer/general || exit 1
rm -f signed.zone
$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n 2>&1
$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n
test -f signed.zone
) && ret=1
n=$((n+1))
@ -1413,7 +1413,7 @@ ret=0
(
cd signer/general || exit 1
rm -f signed.zone
$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n 2>&1
$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n
test -f signed.zone
) && ret=1
n=$((n+1))
@ -1484,7 +1484,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone)
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example.db
$SIGNER -o example -f example.db example.db > /dev/null 2>&1
$SIGNER -o example -f example.db example.db > /dev/null
) || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
@ -1498,7 +1498,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone)
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example.db
$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1
$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null
awk '/^IQF9LQTLK/ {
printf("%s", $0);
while (!index($0, ")")) {
@ -1524,7 +1524,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone)
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example3.db
echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db
$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1
$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null
awk '/^IQF9LQTLK/ {
printf("%s", $0);
while (!index($0, ")")) {
@ -1549,9 +1549,9 @@ key2=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone)
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example.db
$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1
$SIGNER -o example -f example.db.before example.db > /dev/null
sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed
$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1
$SIGNER -o example -f example.db.after example.db.changed > /dev/null
)
grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1
n=$((n+1))
@ -1569,12 +1569,12 @@ keyid3=$(keyfile_to_key_id "$key3")
(
cd signer || exit 1
cat example.db.in "$key1.key" "$key2.key" > example.db
$SIGNER -D -o example example.db > /dev/null 2>&1
$SIGNER -D -o example example.db > /dev/null
# now switch out key2 for key3 and resign the zone
cat example.db.in "$key1.key" "$key3.key" > example.db
echo "\$INCLUDE \"example.db.signed\"" >> example.db
$SIGNER -D -o example example.db > /dev/null 2>&1
$SIGNER -D -o example example.db > /dev/null
) || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
@ -1586,7 +1586,7 @@ echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)"
ret=0
(
cd signer || exit 1
$SIGNER -RD -o example example.db > /dev/null 2>&1
$SIGNER -RD -o example example.db > /dev/null
) || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
@ -1600,11 +1600,11 @@ zone=example
(
cd signer || exit 1
cp -f example.db.in example.db
$SIGNER -SD -o example example.db > /dev/null 2>&1
$SIGNER -SD -o example example.db > /dev/null
echo "\$INCLUDE \"example.db.signed\"" >> example.db
# now retire key2 and resign the zone
$SETTIME -I now "$key2" > /dev/null 2>&1
$SIGNER -SD -o example example.db > /dev/null 2>&1
$SIGNER -SD -o example example.db > /dev/null
) || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
@ -1616,7 +1616,7 @@ echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)"
ret=0
(
cd signer || exit 1
$SIGNER -SDQ -o example example.db > /dev/null 2>&1
$SIGNER -SDQ -o example example.db > /dev/null
) || ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1
get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1
@ -1628,8 +1628,8 @@ echo_i "checking dnssec-signzone retains unexpired signatures ($n)"
ret=0
(
cd signer || exit 1
$SIGNER -Sxt -o example example.db > signer.out.1 2>&1
$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1
$SIGNER -Sxt -o example example.db > signer.out.1
$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2
) || ret=1
gen1=$(awk '/generated/ {print $3}' signer/signer.out.1)
retain1=$(awk '/retained/ {print $3}' signer/signer.out.1)
@ -1656,7 +1656,7 @@ ns.sub2.example. IN A 10.53.0.2
EOF
echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
touch example2.db.signed
$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null
) || ret=1
grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
@ -1670,7 +1670,7 @@ sub2.example. IN NS ns.sub2.example.
ns.sub2.example. IN A 10.53.0.2
EOF
echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null
) || ret=1
grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
@ -1690,7 +1690,7 @@ ns.sub2.example. IN A 10.53.0.2
EOF
echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
touch example2.db.signed
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null
) || ret=1
grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
@ -1704,7 +1704,7 @@ sub2.example. IN NS ns.sub2.example.
ns.sub2.example. IN A 10.53.0.2
EOF
echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null
) || ret=1
grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
@ -1718,8 +1718,8 @@ ret=0
cd signer || exit 1
$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null
$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null
$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1
$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1
$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null
$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null
$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null
) || ret=1
awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1
@ -1735,7 +1735,7 @@ echo_i "checking TTLs are capped by dnssec-signzone -M ($n)"
ret=0
(
cd signer || exit 1
$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1
$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null
) || ret=1
awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
n=$((n+1))
@ -1746,7 +1746,7 @@ echo_i "checking dnssec-signzone -N date ($n)"
ret=0
(
cd signer || exit 1
TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null 2>&1
TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null
) || ret=1
# shellcheck disable=SC2016
now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
@ -2884,7 +2884,7 @@ cd ns3 || exit 1
for file in K*.moved; do
mv "$file" "$(basename "$file" .moved)"
done
$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null
) || ret=1
rndc_reload ns3 10.53.0.3 expiring.example
@ -3620,7 +3620,7 @@ cd signer || exit 1
$KEYGEN -q -a RSASHA1 -3 -fK remove > /dev/null
$KEYGEN -q -a RSASHA1 -33 remove > /dev/null
echo > remove.db.signed
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
)
grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n;
@ -3628,7 +3628,7 @@ grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
# re-generate signed zone without MX and AAAA records at apex.
(
cd signer || exit 1
$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1
$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n
)
grep "RRSIG MX" signer/remove.db.signed > /dev/null && {
ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n;
@ -3643,7 +3643,7 @@ ret=0
(
cd signer || exit 1
echo > remove.db.signed
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
)
grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n;
@ -3651,7 +3651,7 @@ grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
# re-generate signed zone without MX and AAAA records at apex.
(
cd signer || exit 1
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n
)
grep "RRSIG MX" signer/remove.db.signed > /dev/null && {
ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n;


@ -17,7 +17,7 @@ rm -f K.+*+*.key
rm -f K.+*+*.private
keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1
$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out
[ $? = 0 ] || cat signer.out
keyfile_to_static_keys $keyname > trusted.conf
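Review bot: Dropping `2>&1` on `$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out` defeats the diagnostic on the very next line, because `[ $? = 0 ] || cat signer.out` now prints a file that holds only stdout while dnssec-signzone writes its fatal/error text to stderr after this change. Here the redirect exists to capture failure output for the `cat`, so either keep `> signer.out 2>&1` for this one invocation or capture stderr separately, e.g. `$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2> signer.err` followed by `[ $? = 0 ] || cat signer.out signer.err`. The same pattern (`> file || dump file`) appears in other test scripts on this page and deserves the same treatment wherever the captured file is dumped on failure.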


@ -51,7 +51,7 @@ rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
cp master2.db.in updated.db
# signatures are expired and should be regenerated on startup
@ -61,7 +61,7 @@ rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
zone=retransfer
rm -f K${zone}.+*+*.key


@ -30,5 +30,5 @@ $CHECKZONE -D -F map -o example.db.map example-map \
$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed > /dev/null 2>&1
$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed > /dev/null 2>&1
$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1
$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null
$CHECKZONE -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1


@ -324,7 +324,7 @@ status=$((status+ret))
echo_i "checking map format zone is scheduled for resigning (signzone) ($n)"
ret=0
rndccmd 10.53.0.1 freeze signed > rndc.out 2>&1 || ret=1
(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null 2>&1)
(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null)
rndc_reload ns1 10.53.0.1 signed
rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1
grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1


@ -30,8 +30,8 @@ standby=$(keyfile_to_key_id "$(cat standby.key)")
zsk=$(keyfile_to_key_id "$(cat zsk.key)")
echo_i "signing zones"
$SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
$SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1
$SIGNER -Sg -o $czone $cfile > /dev/null
$SIGNER -Sg -o $pzone $pfile > /dev/null
awk '$2 ~ /RRSIG/ {
type = $3;
@ -115,7 +115,7 @@ echo_i "waiting 20 seconds for key changes to occur"
sleep 20
echo_i "re-signing zone"
$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null 2>&1
$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null
echo_i "checking that standby KSK is now active ($n)"
ret=0


@ -25,7 +25,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null 2>&1
$SIGNER -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys $keyname2 > trusted.conf


@ -22,7 +22,7 @@ for domain in example example.com; do
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -3 bebe -o $zone $zonefile > /dev/null 2>&1
$SIGNER -3 bebe -o $zone $zonefile > /dev/null
done
# remove "removed" record from example.com, causing the server to


@ -25,7 +25,7 @@ key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out 2>&1
$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out
cp signed.db.signed ../ns6
@ -40,4 +40,4 @@ key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
# cat $infile $key1.key $key2.key > $zonefile
cat $infile dsset-signed. $key1.key $key2.key > $zonefile
$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out 2>&1
$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out


@ -19,7 +19,7 @@ cp $infile $zonefile
ksk=`$KEYGEN -q -a rsasha256 -fk $zone`
zsk=`$KEYGEN -q -a rsasha256 -b 2048 $zone`
cat $ksk.key $zsk.key >> $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
$SIGNER -P -o $zone $zonefile > /dev/null
zone=example.net
zonefile="${zone}.db"
@ -28,7 +28,7 @@ cp $infile $zonefile
ksk=`$KEYGEN -q -a rsasha256 -fk $zone`
zsk=`$KEYGEN -q -a rsasha256 $zone`
cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
$SIGNER -P -o $zone $zonefile > /dev/null
# Configure a static key to be used by delv
keyfile_to_static_keys $ksk > ../ns5/trusted.conf


@ -64,10 +64,10 @@ echo_i "setting child's activation time"
$SETTIME -A now+30s $cksk2 > /dev/null
echo_i "signing child zone"
czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1`
czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile`
echo_i "signing parent zone"
pzoneout=`$SIGNER -Sg -o $pzone $pfile 2>&1`
pzoneout=`$SIGNER -Sg -o $pzone $pfile`
czactive=$(keyfile_to_key_id $czsk1)
czgenerated=$(keyfile_to_key_id $czsk2)
@ -99,8 +99,8 @@ status=`expr $status + $ret`
echo_i "rechecking dnssec-signzone output with -x"
ret=0
# use an alternate output file so -x doesn't interfere with later checks
pzoneout=`$SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile 2>&1`
czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile 2>&1`
pzoneout=`$SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile`
czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile`
echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1
echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
@ -204,7 +204,7 @@ status=`expr $status + $ret`
echo_i "re-signing and checking imported TTLs again"
ret=0
$SETTIME -L 15 ${czsk2} > /dev/null
czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1`
czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile`
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
${cfile}.signed || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -325,7 +325,7 @@ status=`expr $status + $ret`
echo_i "waiting 30 seconds for key activation"
sleep 30
echo_i "re-signing child zone"
czoneout2=`$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed 2>&1`
czoneout2=`$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed`
mv $cfile.new $cfile.signed
echo_i "checking dnssec-signzone output matches expectations"
@ -351,7 +351,7 @@ status=`expr $status + $ret`
echo_i "checking sync record deletion"
ret=0
$SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null
$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null 2>&1
$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null
mv $cfile.new $cfile.signed
awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed && ret=1
awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed && ret=1


@ -24,7 +24,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null 2>&1
$SIGNER -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a trusted key.
keyfile_to_static_keys $keyname2 > trusted.conf
@ -36,7 +36,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -o $zone $zonefile > /dev/null 2>&1
$SIGNER -g -o $zone $zonefile > /dev/null
keyfile_to_static_keys $keyname2 >> trusted.conf
cp trusted.conf ../ns2/trusted.conf


@ -21,4 +21,4 @@ keyname2=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -o $zone $zonefile > /dev/null 2>&1
$SIGNER -o $zone $zonefile > /dev/null


@ -19,7 +19,7 @@ zonefile=example.db
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
cat "$infile" "$keyname.key" > "$zonefile"
$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
$SIGNER -P -o $zone $zonefile > /dev/null
zone=dnamed
infile=dnamed.db.in
@ -28,7 +28,7 @@ zonefile=dnamed.db
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
cat "$infile" "$keyname.key" > "$zonefile"
$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
$SIGNER -P -o $zone $zonefile > /dev/null
zone=.
infile=root.db.in
@ -37,7 +37,7 @@ zonefile=root.db
keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone)
cat "$infile" "$keyname.key" > "$zonefile"
$SIGNER -P -g -o $zone $zonefile > /dev/null 2>&1
$SIGNER -P -g -o $zone $zonefile > /dev/null
# Configure the resolving server with a static key.
keyfile_to_static_keys "$keyname" > trusted.conf


@ -31,49 +31,49 @@ cp unsigned.db unsigned.bad
# A set of nsec zones.
setup zsk-only.nsec good
$KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk-only.nsec good
$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk+zsk.nsec good
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk+zsk.nsec.apex-dname good
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cp unsigned.db ${file}.tmp
echo "@ DNAME data" >> ${file}.tmp
$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n
# A set of nsec3 zones.
setup zsk-only.nsec3 good
$KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk-only.nsec3 good
$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk+zsk.nsec3 good
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk+zsk.optout good
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk+zsk.nsec3.apex-dname good
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cp unsigned.db ${file}.tmp
echo "@ DNAME data" >> ${file}.tmp
$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n
#
# generate an NSEC record like
@ -94,7 +94,7 @@ FOO AAAA ::1
FOO A 127.0.0.2
aba CNAME FOO
EOF
$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n || dumpit s.out$n
sed 's/^FOO\./foo\./' < ${file}.tmp > ${file}
# A set of zones with only DNSKEY records.
@ -115,37 +115,37 @@ cat unsigned.db $key1.key $key2.key > ${file}
s="-s -2678400"
setup zsk-only.nsec.expired bad
$KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk-only.nsec.expired bad
$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk+zsk.nsec.expired bad
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup zsk-only.nsec3.expired bad
$KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk-only.nsec3.expired bad
$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
setup ksk+zsk.nsec3.expired bad
$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
# ksk expired
setup ksk+zsk.nsec.ksk-expired bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
now=`date -u +%Y%m%d%H%M%S`
exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
@ -154,8 +154,8 @@ setup ksk+zsk.nsec3.ksk-expired bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
now=`date -u +%Y%m%d%H%M%S`
exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
@ -165,36 +165,36 @@ setup ksk+zsk.nsec.broken-chain bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n
# bad nsec bitmap
setup ksk+zsk.nsec.bad-bitmap bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n
# extra NSEC record out side of zone
setup ksk+zsk.nsec.out-of-zone-nsec bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
# extra NSEC record below bottom of zone
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n || dumpit s.out$n
# dnssec-signzone signs any node with a NSEC record.
awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file}
@ -203,9 +203,9 @@ setup ksk+zsk.nsec.below-dname-nsec bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
# missing NSEC3 record at empty node
# extract the hash fields from the empty node's NSEC 3 record then fix up
@ -214,21 +214,21 @@ setup ksk+zsk.nsec3.missing-empty bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}`
b=`awk '$4 == "NSEC3" && NF == 9 { print $9; }' ${file}`
awk '
$4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; }
$4 == "NSEC3" && NF == 9 { next; }
{ print; }' ${file} > ${file}.tmp
$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n
# extra NSEC3 record
setup ksk+zsk.nsec3.extra-nsec3 bad
zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
awk '
BEGIN {
ZONE="'${zone}'.";
@ -240,4 +240,4 @@ $4 == "NSEC3" && NF == 9 {
}' ${file} > ${file}.tmp
cat ${file}.tmp >> ${file}
rm -f ${file}.tmp
$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
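Review bot: Throughout this file the `$SIGNER ... > s.out$n || dumpit s.out$n` lines lose their error diagnostics after dropping `2>&1`, since dnssec-signzone now sends warnings and errors to stderr and `dumpit` will print a file holding only the stdout summary; the `$KEYGEN ... > kg.out$n 2>&1 || dumpit kg.out$n` lines in the same hunks still capture both streams, so the two tools are now treated inconsistently. Where the redirect target is dumped on failure, keep both streams, e.g. `$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n`, and reserve the bare `> s.out$n` for invocations whose stdout is later parsed. With the stderr text no longer in the file, a failing signer run in CI is presumably only visible in the raw job log, if that is captured at all.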


@ -277,6 +277,17 @@
algorithm and same Server Secret for the best performance.
</para>
</listitem>
<listitem>
<para>
The information from the <command>dnssec-signzone</command> and
<command>dnssec-verify</command> commands is now printed to standard
output. The standard error output is only used to print warnings and
errors, and in case the user requests the signed zone to be printed to
standard output with <command>-f -</command> option. A new
configuration option <command>-q</command> has been added to silence
all output on standard output except for the name of the signed zone.
</para>
</listitem>
</itemizedlist>
</section>


@ -1813,7 +1813,7 @@ publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
dst_key_format(key->key, keystr, sizeof(keystr));
report("Fetching %s (%s) from key %s.",
report("Fetching %s (%s) from key %s.\n",
keystr, key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
key->source == dns_keysource_user ? "file" : "repository");
@ -1849,7 +1849,7 @@ remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
char alg[80];
dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
report("Removing %s key %d/%s from DNSKEY RRset.",
report("Removing %s key %d/%s from DNSKEY RRset.\n",
reason, dst_key_id(key->key), alg);
RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
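Review bot: Appending `\n` inside the format strings passed to the `report` callback (`report("Fetching %s (%s) from key %s.\n", ...)` and `report("Removing %s key %d/%s from DNSKEY RRset.\n", ...)`) bakes a stream-oriented assumption into a library message that is delivered through a caller-supplied callback. The zone.c hunk later on this page passes a `dnssec_report` callback into a lib/dns function with the same `void (*)(const char *, ...)` shape; if that or any other caller hands the string to the logger, the newline ends up embedded in a log record. The cleaner split is to keep these messages newline-free and have the dnssec-signzone `report()` add the line terminator itself, e.g. format into a buffer with `vsnprintf()` and then `fprintf(out, "%s\n", buf);`. publish_key's and remove_key's bodies start and end outside these hunks.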


@ -43,6 +43,7 @@ isc_result_t
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, dns_keytable_t *secroots,
isc_mem_t *mctx, bool ignore_kskflag,
bool keyset_kskonly);
bool keyset_kskonly,
void (*report)(const char *, ...));
ISC_LANG_ENDDECLS
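Review bot: The new `void (*report)(const char *, ...)` parameter is undocumented, and nothing here states whether `NULL` is permitted; in the zoneverify.c hunks further down the callback is invoked unconditionally (`report("Verifying the zone using the following algorithms:");`) and is fed line fragments (`" %s"` per algorithm, then `".\n"`) rather than complete messages, so a `NULL` argument would crash and a logging callback would emit one record per fragment. If the declaration has a doxygen block above this hunk, extend it with something like: `report: required (non-NULL) callback for progress/summary text. It is called once per fragment with no implicit newline; callers that log rather than print to a stream must buffer fragments into one line.` A matching `REQUIRE(report != NULL);` at the top of dns_zoneverify_dnssec() would turn a misuse into an assertion rather than a segfault.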


@ -19881,7 +19881,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
origin = dns_db_origin(db);
result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
zone->mctx, true, false);
zone->mctx, true, false, dnssec_report);
done:
if (secroots != NULL) {
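Review bot: Passing `dnssec_report` into `dns_zoneverify_dnssec()` here changes what named emits during zone verification: the removed `zoneverify_print()` (zoneverify.c hunk below) returned early when `vctx->zone != NULL`, i.e. it deliberately suppressed these messages inside named, whereas the replacement `report()` calls run unconditionally and produce fragments — `"Verifying the zone using the following algorithms:"`, then `" %s"` per algorithm, then `".\n"`. If `dnssec_report` is an isc_log-based callback (its body is not on this page), each fragment becomes a separate log record, the last one a lone `.` with an embedded newline. Either pass a callback here that discards or buffers fragments into a single line, or have zoneverify assemble the algorithm list into one `report()` call before invoking the callback. dns_zone_verifydb() begins and ends outside this hunk.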


@ -116,23 +116,6 @@ zoneverify_log_error(const vctx_t *vctx, const char *fmt, ...) {
va_end(ap);
}
/*%
* If invoked from a standalone tool, print a message described by 'fmt' and
* the variable arguments following it to stderr.
*/
static void
zoneverify_print(const vctx_t *vctx, const char *fmt, ...) {
va_list ap;
if (vctx->zone != NULL) {
return;
}
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
}
static bool
is_delegation(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
uint32_t *ttlp)
@ -1679,13 +1662,13 @@ check_dnskey(vctx_t *vctx) {
static void
determine_active_algorithms(vctx_t *vctx, bool ignore_kskflag,
bool keyset_kskonly)
bool keyset_kskonly,
void (*report)(const char *, ...))
{
char algbuf[DNS_SECALG_FORMATSIZE];
int i;
zoneverify_print(vctx,
"Verifying the zone using the following algorithms:");
report("Verifying the zone using the following algorithms:");
for (i = 0; i < 256; i++) {
if (ignore_kskflag) {
@ -1698,10 +1681,10 @@ determine_active_algorithms(vctx_t *vctx, bool ignore_kskflag,
}
if (vctx->act_algorithms[i] != 0) {
dns_secalg_format(i, algbuf, sizeof(algbuf));
zoneverify_print(vctx, " %s", algbuf);
report(" %s", algbuf);
}
}
zoneverify_print(vctx, ".\n");
report(".\n");
if (ignore_kskflag || keyset_kskonly) {
return;
@ -1930,7 +1913,7 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
}
static isc_result_t
check_bad_algorithms(const vctx_t *vctx) {
check_bad_algorithms(const vctx_t *vctx, void (*report)(const char *, ...)) {
char algbuf[DNS_SECALG_FORMATSIZE];
bool first = true;
int i;
@ -1940,28 +1923,29 @@ check_bad_algorithms(const vctx_t *vctx) {
continue;
}
if (first) {
zoneverify_print(vctx,
"The zone is not fully signed for "
"the following algorithms:");
report("The zone is not fully signed "
"for the following algorithms:");
}
dns_secalg_format(i, algbuf, sizeof(algbuf));
zoneverify_print(vctx, " %s", algbuf);
report(" %s", algbuf);
first = false;
}
if (!first) {
zoneverify_print(vctx, ".\n");
report(".\n");
}
return (first ? ISC_R_SUCCESS : ISC_R_FAILURE);
}
static void
print_summary(const vctx_t *vctx, bool keyset_kskonly) {
print_summary(const vctx_t *vctx, bool keyset_kskonly,
void (*report)(const char *, ...))
{
char algbuf[DNS_SECALG_FORMATSIZE];
int i;
zoneverify_print(vctx, "Zone fully signed:\n");
report("Zone fully signed:\n");
for (i = 0; i < 256; i++) {
if ((vctx->ksk_algorithms[i] == 0) &&
(vctx->standby_ksk[i] == 0) &&
@ -1973,20 +1957,18 @@ print_summary(const vctx_t *vctx, bool keyset_kskonly) {
continue;
}
dns_secalg_format(i, algbuf, sizeof(algbuf));
zoneverify_print(vctx,
"Algorithm: %s: KSKs: "
"%u active, %u stand-by, %u revoked\n",
algbuf, vctx->ksk_algorithms[i],
vctx->standby_ksk[i],
vctx->revoked_ksk[i]);
zoneverify_print(vctx,
"%*sZSKs: "
"%u active, %u %s, %u revoked\n",
(int)strlen(algbuf) + 13, "",
vctx->zsk_algorithms[i],
vctx->standby_zsk[i],
keyset_kskonly ? "present" : "stand-by",
vctx->revoked_zsk[i]);
report("Algorithm: %s: KSKs: "
"%u active, %u stand-by, %u revoked\n",
algbuf, vctx->ksk_algorithms[i],
vctx->standby_ksk[i],
vctx->revoked_ksk[i]);
report("%*sZSKs: "
"%u active, %u %s, %u revoked\n",
(int)strlen(algbuf) + 13, "",
vctx->zsk_algorithms[i],
vctx->standby_zsk[i],
keyset_kskonly ? "present" : "stand-by",
vctx->revoked_zsk[i]);
}
}
@ -1994,7 +1976,8 @@ isc_result_t
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, dns_keytable_t *secroots,
isc_mem_t *mctx, bool ignore_kskflag,
bool keyset_kskonly)
bool keyset_kskonly,
void (*report)(const char *, ...))
{
const char *keydesc = (secroots == NULL ? "self-signed" : "trusted");
isc_result_t result, vresult = ISC_R_UNSET;
@ -2028,7 +2011,8 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
goto done;
}
determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly,
report);
result = verify_nodes(&vctx, &vresult);
if (result != ISC_R_SUCCESS) {
@ -2043,22 +2027,21 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
vresult = result;
}
result = check_bad_algorithms(&vctx);
result = check_bad_algorithms(&vctx, report);
if (result != ISC_R_SUCCESS) {
zoneverify_print(&vctx, "DNSSEC completeness test failed.\n");
report("DNSSEC completeness test failed.\n");
goto done;
}
result = vresult;
if (result != ISC_R_SUCCESS) {
zoneverify_print(&vctx,
"DNSSEC completeness test failed (%s).\n",
dns_result_totext(result));
report("DNSSEC completeness test failed (%s).\n",
dns_result_totext(result));
goto done;
}
if (vctx.goodksk || ignore_kskflag) {
print_summary(&vctx, keyset_kskonly);
print_summary(&vctx, keyset_kskonly, report);
}
done:
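Review bot: `dns_zoneverify_dnssec` (hunk at `@ -1994,7 +1976,8 @@`, whose body continues outside the final hunk) now calls through the new `report` pointer unconditionally — directly and via `determine_active_algorithms`, `check_bad_algorithms` and `print_summary` — but never validates it, so a NULL callback from a library caller becomes a crash rather than a reported contract violation. Adding `REQUIRE(report != NULL);` at the top of the function, next to whatever argument checks it already performs, would match how the rest of the library treats required pointers. Because the parameter's type is a plain `void (*)(const char *, ...)`, `-Wformat` cannot check the literal format strings at any of these call sites; declaring it as `void (*report)(const char *, ...) ISC_FORMAT_PRINTF(1, 2)` in both the header and this file would restore that checking, assuming the toolchain accepts the format attribute on a function-pointer parameter.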