From 90f4c1c5a2632c28cf89736328e0d51d7afe9682 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sun, 21 Jul 2019 07:36:13 -0400 Subject: [PATCH 1/7] Use stdout to print information about signing Previously, the default output from the libdns library went to stderr by default. This was inconsistent with the rest of the output. This commit changes the default logging to go to stdout, with notable exception - when the output of the signing process goes to stdout, the messages are printed to the stderr. This is consistent with other functions that output information about the signing process - e.g. print_stats(). --- bin/dnssec/dnssec-signzone.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index c440e8f10c..6a030ca594 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -2645,11 +2645,12 @@ loadexplicitkeys(char *keyfiles[], int n, bool setksk) { static void report(const char *format, ...) { + FILE *out = output_stdout ? stderr : stdout; va_list args; va_start(args, format); - vfprintf(stderr, format, args); + vfprintf(out, format, args); va_end(args); - putc('\n', stderr); + putc('\n', out); } static void From ced15edea1ca7eed4abc5ee0b4cb94818fdef67d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sun, 21 Jul 2019 08:07:20 -0400 Subject: [PATCH 2/7] Change the zoneverify.c to print the information to user supplied function The lib/dns/zoneverify.c output was hardwired to stderr, which was inconsistent with lib/dns/dnssec.c. This commit changes zoneverify.c to print the normal run information to caller supplied function - same model as in the lib/dns/dnssec.c. --- bin/dnssec/dnssec-signzone.c | 2 +- bin/dnssec/dnssec-verify.c | 14 +++++- lib/dns/include/dns/zoneverify.h | 3 +- lib/dns/zone.c | 2 +- lib/dns/zoneverify.c | 85 +++++++++++++------------------- 5 files changed, 49 insertions(+), 57 deletions(-) 
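Review bot: The added `FILE *out = output_stdout ? stderr : stdout;` in report() has no comment, and the inversion (stdout requested, so stderr is used) reads like a mistake without the commit message beside it. A comment at the declaration would carry the reason: `/* Keep status text out of the zone data when the signed zone is written to stdout. */`. The commit message says print_stats() makes the same choice, so a shared helper for picking the stream would keep the callers in agreement; that part is inferred, since print_stats() is outside this hunk.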
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 6a030ca594..7a0155baa5 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -3883,7 +3883,7 @@ main(int argc, char *argv[]) { } else { vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, NULL, mctx, ignore_kskflag, - keyset_kskonly); + keyset_kskonly, report); if (vresult != ISC_R_SUCCESS) { fprintf(output_stdout ? stderr : stdout, "Zone verification failed (%s)\n", diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index b38368b2df..caf9742695 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -78,6 +78,15 @@ static dns_name_t *gorigin; /* The database origin */ static bool ignore_kskflag = false; static bool keyset_kskonly = false; +static void +report(const char *format, ...) { + va_list args; + va_start(args, format); + vfprintf(stdout, format, args); + va_end(args); + putc('\n', stdout); +} + /*% * Load the zone file from disk */ @@ -304,7 +313,7 @@ main(int argc, char *argv[]) { } gdb = NULL; - fprintf(stderr, "Loading zone '%s' from file '%s'\n", origin, file); + report("Loading zone '%s' from file '%s'\n", origin, file); loadzone(file, origin, rdclass, &gdb); gorigin = dns_db_origin(gdb); gclass = dns_db_class(gdb); @@ -314,7 +323,8 @@ main(int argc, char *argv[]) { check_result(result, "dns_db_newversion()"); result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, NULL, - mctx, ignore_kskflag, keyset_kskonly); + mctx, ignore_kskflag, keyset_kskonly, + report); dns_db_closeversion(gdb, &gversion, false); dns_db_detach(&gdb); diff --git a/lib/dns/include/dns/zoneverify.h b/lib/dns/include/dns/zoneverify.h index b432935c69..d9aca5b0a1 100644 --- a/lib/dns/include/dns/zoneverify.h +++ b/lib/dns/include/dns/zoneverify.h 
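Review bot: `report("Loading zone '%s' from file '%s'\n", origin, file);` in main() of dnssec-verify.c now prints a blank line after the message, because the report() added at the top of the same file already ends every call with `putc('\n', stdout)`. Drop the trailing newline from the format: `report("Loading zone '%s' from file '%s'", origin, file);`. The new report() also has no comment; `/* Print a printf-style status message to stdout, followed by a newline. */` would make the newline contract visible to callers.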
@@ -43,6 +43,7 @@ isc_result_t dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin, dns_keytable_t *secroots, isc_mem_t *mctx, bool ignore_kskflag, - bool keyset_kskonly); + bool keyset_kskonly, + void (*report)(const char *, ...)); ISC_LANG_ENDDECLS diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 25e93d1047..100477eeb9 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -19881,7 +19881,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) { origin = dns_db_origin(db); result = dns_zoneverify_dnssec(zone, db, version, origin, secroots, - zone->mctx, true, false); + zone->mctx, true, false, dnssec_report); done: if (secroots != NULL) { diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index 29a06c4757..3d75efb7ce 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -116,23 +116,6 @@ zoneverify_log_error(const vctx_t *vctx, const char *fmt, ...) { va_end(ap); } -/*% - * If invoked from a standalone tool, print a message described by 'fmt' and - * the variable arguments following it to stderr. - */ -static void -zoneverify_print(const vctx_t *vctx, const char *fmt, ...) { - va_list ap; - - if (vctx->zone != NULL) { - return; - } - - va_start(ap, fmt); - vfprintf(stderr, fmt, ap); - va_end(ap); -} - static bool is_delegation(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node, uint32_t *ttlp) @@ -1679,13 +1662,13 @@ check_dnskey(vctx_t *vctx) { static void determine_active_algorithms(vctx_t *vctx, bool ignore_kskflag, - bool keyset_kskonly) + bool keyset_kskonly, + void (*report)(const char *, ...)) { char algbuf[DNS_SECALG_FORMATSIZE]; int i; - zoneverify_print(vctx, - "Verifying the zone using the following algorithms:"); + report("Verifying the zone using the following algorithms:"); for (i = 0; i < 256; i++) { if (ignore_kskflag) { 
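Review bot: The new `report` parameter in the dns_zoneverify_dnssec() prototype is undocumented, and its contract cannot be read from the type `void (*report)(const char *, ...)`. The two implementations visible in this series append a newline to every message, and nothing states whether NULL is accepted. The function's doc comment (outside this hunk, if one exists) should say that `report` must be non-NULL, that it takes printf-style arguments, and whether the callback or the caller terminates the line.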
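Review bot: Replacing zoneverify_print() with report() in determine_active_algorithms() changes the output layout, because the removed helper wrote exactly the format string while both report() implementations shown in this series (dnssec-signzone.c and dnssec-verify.c) append `'\n'` after every call. The algorithm list that was built on one line from `" %s"` fragments and closed with `".\n"` now comes out one fragment per line, and every format that still ends in `\n` produces an extra blank line. The converted calls in check_bad_algorithms(), print_summary() and dns_zoneverify_dnssec() in the later hunks are affected the same way. Either drop the trailing `\n` from the formats and make each algorithm a complete line, for example `report("- %s", algbuf);`, or build the list in a buffer and call report() once. The function body continues outside this hunk.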
@@ -1698,10 +1681,10 @@ determine_active_algorithms(vctx_t *vctx, bool ignore_kskflag, } if (vctx->act_algorithms[i] != 0) { dns_secalg_format(i, algbuf, sizeof(algbuf)); - zoneverify_print(vctx, " %s", algbuf); + report(" %s", algbuf); } } - zoneverify_print(vctx, ".\n"); + report(".\n"); if (ignore_kskflag || keyset_kskonly) { return; @@ -1930,7 +1913,7 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) { } static isc_result_t -check_bad_algorithms(const vctx_t *vctx) { +check_bad_algorithms(const vctx_t *vctx, void (*report)(const char *, ...)) { char algbuf[DNS_SECALG_FORMATSIZE]; bool first = true; int i; @@ -1940,28 +1923,27 @@ check_bad_algorithms(const vctx_t *vctx) { continue; } if (first) { - zoneverify_print(vctx, - "The zone is not fully signed for " - "the following algorithms:"); + report("The zone is not fully signed " + "for the following algorithms:"); } dns_secalg_format(i, algbuf, sizeof(algbuf)); - zoneverify_print(vctx, " %s", algbuf); + report(" %s", algbuf); first = false; } if (!first) { - zoneverify_print(vctx, ".\n"); + report(".\n"); } return (first ? ISC_R_SUCCESS : ISC_R_FAILURE); } static void -print_summary(const vctx_t *vctx, bool keyset_kskonly) { +print_summary(const vctx_t *vctx, bool keyset_kskonly, void (*report)(const char *, ...)) { char algbuf[DNS_SECALG_FORMATSIZE]; int i; - zoneverify_print(vctx, "Zone fully signed:\n"); + report("Zone fully signed:\n"); for (i = 0; i < 256; i++) { if ((vctx->ksk_algorithms[i] == 0) && (vctx->standby_ksk[i] == 0) && 
@@ -1973,20 +1955,18 @@ print_summary(const vctx_t *vctx, bool keyset_kskonly) { continue; } dns_secalg_format(i, algbuf, sizeof(algbuf)); - zoneverify_print(vctx, - "Algorithm: %s: KSKs: " - "%u active, %u stand-by, %u revoked\n", - algbuf, vctx->ksk_algorithms[i], - vctx->standby_ksk[i], - vctx->revoked_ksk[i]); - zoneverify_print(vctx, - "%*sZSKs: " - "%u active, %u %s, %u revoked\n", - (int)strlen(algbuf) + 13, "", - vctx->zsk_algorithms[i], - vctx->standby_zsk[i], - keyset_kskonly ? "present" : "stand-by", - vctx->revoked_zsk[i]); + report("Algorithm: %s: KSKs: " + "%u active, %u stand-by, %u revoked\n", + algbuf, vctx->ksk_algorithms[i], + vctx->standby_ksk[i], + vctx->revoked_ksk[i]); + report("%*sZSKs: " + "%u active, %u %s, %u revoked\n", + (int)strlen(algbuf) + 13, "", + vctx->zsk_algorithms[i], + vctx->standby_zsk[i], + keyset_kskonly ? "present" : "stand-by", + vctx->revoked_zsk[i]); } } @@ -1994,7 +1974,8 @@ isc_result_t dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin, dns_keytable_t *secroots, isc_mem_t *mctx, bool ignore_kskflag, - bool keyset_kskonly) + bool keyset_kskonly, + void (*report)(const char *, ...)) { const char *keydesc = (secroots == NULL ? "self-signed" : "trusted"); isc_result_t result, vresult = ISC_R_UNSET; @@ -2028,7 +2009,8 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, goto done; } - determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly); + determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly, + report); result = verify_nodes(&vctx, &vresult); if (result != ISC_R_SUCCESS) { 
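Review bot: Once `report` is added to dns_zoneverify_dnssec() it is called unconditionally, whereas the removed zoneverify_print() returned early when `vctx->zone != NULL`, so these messages used to be suppressed when the function ran on behalf of a zone rather than a standalone tool. lib/dns/zone.c now passes `dnssec_report`, whose definition is not shown here, so it is worth confirming that it routes to the logging system at a suitable level instead of writing to stdio from the server. The callback is also invoked without any check. The function body starts outside this hunk, so the existing preconditions are not visible, but `REQUIRE(report != NULL);` placed with them would turn a NULL callback into a clear assertion failure rather than a call through a null pointer in determine_active_algorithms().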
@@ -2043,22 +2025,21 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, vresult = result; } - result = check_bad_algorithms(&vctx); + result = check_bad_algorithms(&vctx, report); if (result != ISC_R_SUCCESS) { - zoneverify_print(&vctx, "DNSSEC completeness test failed.\n"); + report("DNSSEC completeness test failed.\n"); goto done; } result = vresult; if (result != ISC_R_SUCCESS) { - zoneverify_print(&vctx, - "DNSSEC completeness test failed (%s).\n", - dns_result_totext(result)); + report("DNSSEC completeness test failed (%s).\n", + dns_result_totext(result)); goto done; } if (vctx.goodksk || ignore_kskflag) { - print_summary(&vctx, keyset_kskonly); + print_summary(&vctx, keyset_kskonly, report); } done: From 94354d4655735e66775a9f28be6e0f33f69a36da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sat, 20 Jul 2019 18:06:16 -0400 Subject: [PATCH 3/7] Remove 2>&1 from the dnssec-signzone invocation in tests --- bin/tests/system/autosign/ns2/keygen.sh | 2 +- bin/tests/system/autosign/ns3/keygen.sh | 14 +-- bin/tests/system/cds/setup.sh | 2 +- bin/tests/system/chain/ns2/sign.sh | 2 +- bin/tests/system/dnssec/ns3/sign.sh | 102 +++++++++---------- bin/tests/system/dnssec/tests.sh | 68 ++++++------- bin/tests/system/inline/ns1/sign.sh | 2 +- bin/tests/system/inline/ns3/sign.sh | 4 +- bin/tests/system/masterformat/ns1/compile.sh | 2 +- bin/tests/system/masterformat/tests.sh | 2 +- bin/tests/system/metadata/tests.sh | 6 +- bin/tests/system/pending/ns1/sign.sh | 2 +- bin/tests/system/pending/ns2/sign.sh | 2 +- bin/tests/system/redirect/ns5/sign.sh | 4 +- bin/tests/system/resolver/ns6/keygen.sh | 4 +- bin/tests/system/smartsign/tests.sh | 14 +-- bin/tests/system/staticstub/ns3/sign.sh | 4 +- bin/tests/system/staticstub/ns4/sign.sh | 2 +- bin/tests/system/synthfromdnssec/ns1/sign.sh | 6 +- bin/tests/system/verify/zones/genzones.sh | 68 ++++++------- 20 files changed, 156 insertions(+), 156 deletions(-) 
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 0c8b5078d9..de557d76e2 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -39,7 +39,7 @@ ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone` $KEYGEN -a RSASHA1 -3 -q $zone > /dev/null keyfile_to_static_keys $ksk > private.conf cp private.conf ../ns4/private.conf -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1 +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null # Extract saved keys for the revoke-to-duplicate-key test zone=bar diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 826a35cd79..70103b07a5 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -152,7 +152,7 @@ setup oldsigs.example cp $infile $zonefile $KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out || dumpit s.out # # NSEC3->NSEC transition test zone. @@ -160,7 +160,7 @@ $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || d setup nsec3-to-nsec.example $KEYGEN -q -a RSASHA512 -b 2048 -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out # # secure-to-insecure transition test zone; used to test removal of 
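Review bot: With `2>&1` removed from `$SIGNER ... > s.out || dumpit s.out` in autosign/ns3/keygen.sh, s.out no longer holds the signer's stderr, so on failure the file handed to dumpit contains only status lines and not the error that caused it (assuming dumpit prints the named file; its definition is outside the hunk). The error still reaches the script's stderr, but detached from the dumped context. If the aim is only to keep status text and errors apart, capture stderr separately, for example `> s.out 2> s.err || { dumpit s.out; dumpit s.err; }`. The same pattern recurs in the later hunks of this file.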
@@ -169,7 +169,7 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out setup secure-to-insecure.example $KEYGEN -a RSASHA1 -q -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -a RSASHA1 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out # # another secure-to-insecure transition test zone; used to test @@ -180,7 +180,7 @@ ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out echo $ksk > ../del1.key zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out echo $zsk > ../del2.key -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # # Introducing a pre-published key test. @@ -189,7 +189,7 @@ setup prepub.example infile="secure-to-insecure2.example.db.in" $KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out +$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # # Key TTL tests. @@ -235,7 +235,7 @@ echo $zsk > ../delayzsk.key setup nozsk.example $KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out echo $zsk > ../missingzsk.key rm -f ${zsk}.private 
@@ -246,7 +246,7 @@ rm -f ${zsk}.private setup inaczsk.example $KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out zsk=`$KEYGEN -q -a RSASHA1 -3 $zone` -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out echo $zsk > ../inactivezsk.key $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh index 101af11ef2..7903a52fb3 100644 --- a/bin/tests/system/cds/setup.sh +++ b/bin/tests/system/cds/setup.sh @@ -84,7 +84,7 @@ sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' UP.swapttl sign() { cat >db.$1 - $SIGNER >/dev/null 2>&1 \ + $SIGNER >/dev/null \ -S -O full -o $Z -f sig.$1 db.$1 } diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh index 18c5b66230..d8c95d19da 100644 --- a/bin/tests/system/chain/ns2/sign.sh +++ b/bin/tests/system/chain/ns2/sign.sh @@ -17,4 +17,4 @@ zonefile=example.db ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone` zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone` -$SIGNER -S -o $zone example.db > /dev/null 2>&1 +$SIGNER -S -o $zone example.db > /dev/null diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index eddaf3efe0..db685786a8 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -25,7 +25,7 @@ do keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname1.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null # Zone to test trust anchor that matches disabled algorithm. zone=disabled.${tld} 
@@ -33,7 +33,7 @@ do keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") cat "$infile" "$keyname2.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null # Zone to test trust anchor that has disabled algorithm for other domain. zone=enabled.${tld} @@ -41,7 +41,7 @@ do keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") cat "$infile" "$keyname3.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null # Zone to test trust anchor with unsupported algorithm. zone=unsupported.${tld} @@ -49,7 +49,7 @@ do keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname4.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed # Make trusted-keys and managed keys conf sections for ns8. @@ -62,7 +62,7 @@ do keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname5.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null case $tld in "managed") 
@@ -86,7 +86,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null zone=bogus.example. infile=bogus.example.db.in @@ -96,7 +96,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null zone=dynamic.example. infile=dynamic.example.db.in @@ -107,7 +107,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null zone=keyless.example. infile=generic.example.db.in @@ -117,7 +117,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # Change the signer field of the a.b.keyless.example SIG A # to point to a provably nonexistent KEY record. @@ -138,7 +138,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # NSEC3/NSEC3 test zone @@ -151,7 +151,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC3 test zone 
@@ -164,7 +164,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null # # A nsec3 zone (non-optout). @@ -177,7 +177,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC test zone @@ -190,7 +190,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # OPTOUT/NSEC3 test zone @@ -203,7 +203,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # OPTOUT/OPTOUT test zone @@ -216,7 +216,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null # # A optout nsec3 zone. @@ -229,7 +229,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). 
@@ -242,7 +242,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -255,7 +255,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null # # A zone that is signed with an unknown DNSKEY algorithm. @@ -269,7 +269,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -288,7 +288,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -308,7 +308,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). 
@@ -322,7 +322,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed @@ -340,17 +340,17 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null # # A RSASHA256 zone. @@ -363,7 +363,7 @@ keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone") cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # A RSASHA512 zone. @@ -376,7 +376,7 @@ keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone") cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # A zone with the DNSKEY set only signed by the KSK 
@@ -388,7 +388,7 @@ zonefile=kskonly.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null # # A zone with the expired signatures @@ -400,7 +400,7 @@ zonefile=expired.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null rm -f "$kskname.*" "$zskname.*" # @@ -413,7 +413,7 @@ zonefile=update-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # A NSEC signed zone that will have auto-dnssec enabled and @@ -428,7 +428,7 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # A NSEC3 signed zone that will have auto-dnssec enabled and 
@@ -443,7 +443,7 @@ zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # Secure below cname test zone. @@ -453,7 +453,7 @@ infile=secure.below-cname.example.db.in zonefile=secure.below-cname.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # Patched TTL test zone. @@ -467,7 +467,7 @@ patchedfile=ttlpatch.example.db.patched keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null $CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \ awk '{$2 = "3600"; print}' > $patchedfile @@ -483,7 +483,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" : > "$signedfile" -"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null # # Seperate DNSSEC records smart signing. @@ -498,7 +498,7 @@ cp "$infile" "$zonefile" # shellcheck disable=SC2016 echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" : > "$signedfile" -"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null # # Zone with signatures about to expire, but no private key to replace them 
@@ -510,7 +510,7 @@ signedfile="expiring.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null mv -f "${zskname}.private" "${zskname}.private.moved" mv -f "${kskname}.private" "${kskname}.private.moved" @@ -525,7 +525,7 @@ signedfile="upper.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null $CHECKZONE -D upper.example $lower 2>/dev/null | \ sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile @@ -540,7 +540,7 @@ signedfile="lower.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null # # Zone with signatures about to expire, and dynamic, but configured @@ -553,7 +553,7 @@ signedfile="nosign.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null # preserve a normalized copy of the NS RRSIG for comparison later $CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ 
@@ -578,7 +578,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null # # A zone which will change its sig-validity-interval @@ -602,7 +602,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP # @@ -614,7 +614,7 @@ zonefile=future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null cp -f "$kskname.key" trusted-future.key # @@ -626,7 +626,7 @@ zonefile=managed-future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null # # A zone with a revoked key 
@@ -641,7 +641,7 @@ ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone") zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone") cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # # Check that NSEC3 are correctly signed and returned from below a DNAME @@ -653,7 +653,7 @@ zonefile=dname-at-apex-nsec3.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone") cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # # A NSEC zone with occuded data at the delegation @@ -668,4 +668,4 @@ keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone") $DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP" cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 67456b74db..6253c99d9a 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1329,7 +1329,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n test -f signed.zone ) || ret=1 n=$((n+1)) @@ -1341,7 +1341,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n test -f signed.zone ) && ret=1 n=$((n+1)) 
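Review bot: In the expected-failure cases (`test2.zone` in the `@@ -1341,7 +1341,7 @@` hunk, and `test3.zone`, `test7.zone` and `test8.zone` in the hunks that follow, all ending in `&& ret=1`), dropping `2>&1` means `signer.out.$n` no longer holds whatever the signer writes to stderr when it rejects the zone. These tests assert only that `signed.zone` is absent, so the reason for the refusal is neither saved nor checked, and the expected error text presumably ends up in the harness output instead. Consider keeping it next to the stdout capture, e.g. `$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n 2> signer.err.$n` (the file name is only a suggestion, and the suite's cleanup would need to cover it). The same split affects `[ $? = 0 ] || cat signer.out` in bin/tests/system/inline/ns1/sign.sh and the `|| dumpit s.out$n` lines in bin/tests/system/verify/zones/genzones.sh, which after this change can show only the stdout half of a failed run.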
@@ -1353,7 +1353,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n test -f signed.zone ) && ret=1 n=$((n+1)) @@ -1365,7 +1365,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n test -f signed.zone ) || ret=1 n=$((n+1)) @@ -1377,7 +1377,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n test -f signed.zone ) || ret=1 n=$((n+1)) @@ -1389,7 +1389,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n test -f signed.zone ) || ret=1 n=$((n+1)) @@ -1401,7 +1401,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n test -f signed.zone ) && ret=1 n=$((n+1)) @@ -1413,7 +1413,7 @@ ret=0 ( cd signer/general || exit 1 rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n 2>&1 +$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n test -f signed.zone ) && ret=1 n=$((n+1)) @@ -1484,7 +1484,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db example.db > /dev/null 2>&1 +$SIGNER -o example -f example.db example.db > /dev/null ) || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" 
@@ -1498,7 +1498,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1 +$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { @@ -1524,7 +1524,7 @@ key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example3.db echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db -$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1 +$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { @@ -1549,9 +1549,9 @@ key2=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone) ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1 +$SIGNER -o example -f example.db.before example.db > /dev/null sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed -$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1 +$SIGNER -o example -f example.db.after example.db.changed > /dev/null ) grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1 n=$((n+1)) 
@@ -1569,12 +1569,12 @@ keyid3=$(keyfile_to_key_id "$key3") ( cd signer || exit 1 cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -D -o example example.db > /dev/null 2>&1 +$SIGNER -D -o example example.db > /dev/null # now switch out key2 for key3 and resign the zone cat example.db.in "$key1.key" "$key3.key" > example.db echo "\$INCLUDE \"example.db.signed\"" >> example.db -$SIGNER -D -o example example.db > /dev/null 2>&1 +$SIGNER -D -o example example.db > /dev/null ) || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 @@ -1586,7 +1586,7 @@ echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" ret=0 ( cd signer || exit 1 -$SIGNER -RD -o example example.db > /dev/null 2>&1 +$SIGNER -RD -o example example.db > /dev/null ) || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 @@ -1600,11 +1600,11 @@ zone=example ( cd signer || exit 1 cp -f example.db.in example.db -$SIGNER -SD -o example example.db > /dev/null 2>&1 +$SIGNER -SD -o example example.db > /dev/null echo "\$INCLUDE \"example.db.signed\"" >> example.db # now retire key2 and resign the zone $SETTIME -I now "$key2" > /dev/null 2>&1 -$SIGNER -SD -o example example.db > /dev/null 2>&1 +$SIGNER -SD -o example example.db > /dev/null ) || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 @@ -1616,7 +1616,7 @@ echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" ret=0 ( cd signer || exit 1 -$SIGNER -SDQ -o example example.db > /dev/null 2>&1 +$SIGNER -SDQ -o example example.db > /dev/null ) || ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid2$" > /dev/null && ret=1 get_rsasha1_key_ids_from_sigs | grep "^$keyid3$" > /dev/null || ret=1 
@@ -1628,8 +1628,8 @@ echo_i "checking dnssec-signzone retains unexpired signatures ($n)" ret=0 ( cd signer || exit 1 -$SIGNER -Sxt -o example example.db > signer.out.1 2>&1 -$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1 +$SIGNER -Sxt -o example example.db > signer.out.1 +$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 ) || ret=1 gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) @@ -1656,7 +1656,7 @@ ns.sub2.example. IN A 10.53.0.2 EOF echo "\$INCLUDE \"example2.db.signed\"" >> example2.db touch example2.db.signed -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null ) || ret=1 grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 @@ -1670,7 +1670,7 @@ sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null ) || ret=1 grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 
@@ -1690,7 +1690,7 @@ ns.sub2.example. IN A 10.53.0.2 EOF echo "\$INCLUDE \"example2.db.signed\"" >> example2.db touch example2.db.signed -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null ) || ret=1 grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 @@ -1704,7 +1704,7 @@ sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 +$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null ) || ret=1 grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 @@ -1718,8 +1718,8 @@ ret=0 cd signer || exit 1 $SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null $SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null -$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1 -$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1 +$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null +$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null $SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null ) || ret=1 awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1 
@@ -1735,7 +1735,7 @@ echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" ret=0 ( cd signer || exit 1 -$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1 +$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null ) || ret=1 awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 n=$((n+1)) @@ -1746,7 +1746,7 @@ echo_i "checking dnssec-signzone -N date ($n)" ret=0 ( cd signer || exit 1 -TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null 2>&1 +TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null ) || ret=1 # shellcheck disable=SC2016 now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') @@ -2884,7 +2884,7 @@ cd ns3 || exit 1 for file in K*.moved; do mv "$file" "$(basename "$file" .moved)" done -$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1 +$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null ) || ret=1 rndc_reload ns3 10.53.0.3 expiring.example @@ -3620,7 +3620,7 @@ cd signer || exit 1 $KEYGEN -q -a RSASHA1 -3 -fK remove > /dev/null $KEYGEN -q -a RSASHA1 -33 remove > /dev/null echo > remove.db.signed -$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1 +$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n ) grep "RRSIG MX" signer/remove.db.signed > /dev/null || { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; 
@@ -3628,7 +3628,7 @@ grep "RRSIG MX" signer/remove.db.signed > /dev/null || { # re-generate signed zone without MX and AAAA records at apex. ( cd signer || exit 1 -$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1 +$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n ) grep "RRSIG MX" signer/remove.db.signed > /dev/null && { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; @@ -3643,7 +3643,7 @@ ret=0 ( cd signer || exit 1 echo > remove.db.signed -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1 +$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n ) grep "RRSIG MX" signer/remove.db.signed > /dev/null || { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; @@ -3651,7 +3651,7 @@ grep "RRSIG MX" signer/remove.db.signed > /dev/null || { # re-generate signed zone without MX and AAAA records at apex. ( cd signer || exit 1 -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1 +$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n ) grep "RRSIG MX" signer/remove.db.signed > /dev/null && { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh index 166f4b9c00..c14a83837e 100644 --- a/bin/tests/system/inline/ns1/sign.sh +++ b/bin/tests/system/inline/ns1/sign.sh @@ -17,7 +17,7 @@ rm -f K.+*+*.key rm -f K.+*+*.private keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` -$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1 +$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out [ $? = 0 ] || cat signer.out keyfile_to_static_keys $keyname > trusted.conf diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index 621f077683..7dc0bd09c1 100755 
--- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -51,7 +51,7 @@ rm -f K${zone}.+*+*.private keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 +$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null cp master2.db.in updated.db # signatures are expired and should be regenerated on startup @@ -61,7 +61,7 @@ rm -f K${zone}.+*+*.private keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 +$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null zone=retransfer rm -f K${zone}.+*+*.key diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index bec30dfbcb..1340343e6a 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -30,5 +30,5 @@ $CHECKZONE -D -F map -o example.db.map example-map \ $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed > /dev/null 2>&1 $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed > /dev/null 2>&1 -$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1 +$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null $CHECKZONE -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1 diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 2912019517..cdc03c4ac0 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh 
@@ -324,7 +324,7 @@ status=$((status+ret)) echo_i "checking map format zone is scheduled for resigning (signzone) ($n)" ret=0 rndccmd 10.53.0.1 freeze signed > rndc.out 2>&1 || ret=1 -(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null 2>&1) +(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null) rndc_reload ns1 10.53.0.1 signed rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1 grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh index c076ec5447..ddec427618 100644 --- a/bin/tests/system/metadata/tests.sh +++ b/bin/tests/system/metadata/tests.sh @@ -30,8 +30,8 @@ standby=$(keyfile_to_key_id "$(cat standby.key)") zsk=$(keyfile_to_key_id "$(cat zsk.key)") echo_i "signing zones" -$SIGNER -Sg -o $czone $cfile > /dev/null 2>&1 -$SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1 +$SIGNER -Sg -o $czone $cfile > /dev/null +$SIGNER -Sg -o $pzone $pfile > /dev/null awk '$2 ~ /RRSIG/ { type = $3; @@ -115,7 +115,7 @@ echo_i "waiting 20 seconds for key changes to occur" sleep 20 echo_i "re-signing zone" -$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null 2>&1 +$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null echo_i "checking that standby KSK is now active ($n)" ret=0 diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh index fe3fa15612..284eb4f680 100644 --- a/bin/tests/system/pending/ns1/sign.sh +++ b/bin/tests/system/pending/ns1/sign.sh @@ -25,7 +25,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -g -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. keyfile_to_static_keys $keyname2 > trusted.conf 
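Review bot: In the masterformat/tests.sh hunk, the exit status of the subshell `(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null)` is discarded, so neither a failed `cd` nor a failed signing run sets `ret`. The following `grep 'next resign'` check may then be evaluated against a `signed.db.map` left over from an earlier step, though that depends on state outside this hunk. Now that the signer's stderr is no longer silenced, recording the status as well would make a failure unambiguous: `(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null) || ret=1`.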
diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh index 2e8d68a669..53659fc02e 100644 --- a/bin/tests/system/pending/ns2/sign.sh +++ b/bin/tests/system/pending/ns2/sign.sh @@ -22,7 +22,7 @@ for domain in example example.com; do cat $infile $keyname1.key $keyname2.key > $zonefile - $SIGNER -3 bebe -o $zone $zonefile > /dev/null 2>&1 + $SIGNER -3 bebe -o $zone $zonefile > /dev/null done # remove "removed" record from example.com, causing the server to diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh index e26904a6b2..ee8197eeb3 100644 --- a/bin/tests/system/redirect/ns5/sign.sh +++ b/bin/tests/system/redirect/ns5/sign.sh @@ -25,7 +25,7 @@ key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null` cat $infile $key1.key $key2.key > $zonefile -$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out 2>&1 +$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out cp signed.db.signed ../ns6 @@ -40,4 +40,4 @@ key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null` # cat $infile $key1.key $key2.key > $zonefile cat $infile dsset-signed. $key1.key $key2.key > $zonefile -$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out 2>&1 +$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh index 444e68a359..a6c5c5b176 100644 --- a/bin/tests/system/resolver/ns6/keygen.sh +++ b/bin/tests/system/resolver/ns6/keygen.sh @@ -19,7 +19,7 @@ cp $infile $zonefile ksk=`$KEYGEN -q -a rsasha256 -fk $zone` zsk=`$KEYGEN -q -a rsasha256 -b 2048 $zone` cat $ksk.key $zsk.key >> $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -o $zone $zonefile > /dev/null zone=example.net zonefile="${zone}.db" 
@@ -28,7 +28,7 @@ cp $infile $zonefile ksk=`$KEYGEN -q -a rsasha256 -fk $zone` zsk=`$KEYGEN -q -a rsasha256 $zone` cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -o $zone $zonefile > /dev/null # Configure a static key to be used by delv keyfile_to_static_keys $ksk > ../ns5/trusted.conf diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh index e1a85d877a..59aa0b17f0 100644 --- a/bin/tests/system/smartsign/tests.sh +++ b/bin/tests/system/smartsign/tests.sh @@ -64,10 +64,10 @@ echo_i "setting child's activation time" $SETTIME -A now+30s $cksk2 > /dev/null echo_i "signing child zone" -czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1` +czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile` echo_i "signing parent zone" -pzoneout=`$SIGNER -Sg -o $pzone $pfile 2>&1` +pzoneout=`$SIGNER -Sg -o $pzone $pfile` czactive=$(keyfile_to_key_id $czsk1) czgenerated=$(keyfile_to_key_id $czsk2) @@ -99,8 +99,8 @@ status=`expr $status + $ret` echo_i "rechecking dnssec-signzone output with -x" ret=0 # use an alternate output file so -x doesn't interfere with later checks -pzoneout=`$SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile 2>&1` -czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile 2>&1` +pzoneout=`$SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile` +czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile` echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1 echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1 
@@ -204,7 +204,7 @@ status=`expr $status + $ret` echo_i "re-signing and checking imported TTLs again" ret=0 $SETTIME -L 15 ${czsk2} > /dev/null -czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1` +czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile` awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \ ${cfile}.signed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -325,7 +325,7 @@ status=`expr $status + $ret` echo_i "waiting 30 seconds for key activation" sleep 30 echo_i "re-signing child zone" -czoneout2=`$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed 2>&1` +czoneout2=`$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed` mv $cfile.new $cfile.signed echo_i "checking dnssec-signzone output matches expectations" @@ -351,7 +351,7 @@ status=`expr $status + $ret` echo_i "checking sync record deletion" ret=0 $SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null -$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null 2>&1 +$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null mv $cfile.new $cfile.signed awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed && ret=1 awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed && ret=1 diff --git a/bin/tests/system/staticstub/ns3/sign.sh b/bin/tests/system/staticstub/ns3/sign.sh index 3faf5c5d11..ce7a0f7d13 100755 --- a/bin/tests/system/staticstub/ns3/sign.sh +++ b/bin/tests/system/staticstub/ns3/sign.sh @@ -24,7 +24,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -g -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -g -o $zone $zonefile > /dev/null # Configure the resolving server with a trusted key. keyfile_to_static_keys $keyname2 > trusted.conf 
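Review bot: In the `@@ -351,7 +351,7 @@` hunk of smartsign/tests.sh, `$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null` is followed by an unconditional `mv` and two checks that pass when a record is absent (`awk ... && ret=1`), and nothing records the signer's exit status. If signing fails, the outcome depends on what a stale or partial `$cfile.signed` happens to contain, so an absence check can succeed for the wrong reason. Appending the status check closes that gap: `$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null || ret=1`. The `czoneout2=` assignment in the `@@ -325,7 +325,7 @@` hunk has the same shape, with an unchecked signer run followed by `mv $cfile.new $cfile.signed`.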
@@ -36,7 +36,7 @@ keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -g -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -g -o $zone $zonefile > /dev/null keyfile_to_static_keys $keyname2 >> trusted.conf cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/staticstub/ns4/sign.sh b/bin/tests/system/staticstub/ns4/sign.sh index a3b22d7cd7..757c8b4a98 100755 --- a/bin/tests/system/staticstub/ns4/sign.sh +++ b/bin/tests/system/staticstub/ns4/sign.sh @@ -21,4 +21,4 @@ keyname2=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -o $zone $zonefile > /dev/null diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh index de7478df78..710d9f4633 100644 --- a/bin/tests/system/synthfromdnssec/ns1/sign.sh +++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh @@ -19,7 +19,7 @@ zonefile=example.db keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -o $zone $zonefile > /dev/null zone=dnamed infile=dnamed.db.in @@ -28,7 +28,7 @@ zonefile=dnamed.db keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -o $zone $zonefile > /dev/null zone=. infile=root.db.in @@ -37,7 +37,7 @@ zonefile=root.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone) cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -g -o $zone $zonefile > /dev/null 2>&1 +$SIGNER -P -g -o $zone $zonefile > /dev/null # Configure the resolving server with a static key. keyfile_to_static_keys "$keyname" > trusted.conf 
diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh index 8d4f9b6b6c..1e5dcbb9b0 100644 --- a/bin/tests/system/verify/zones/genzones.sh +++ b/bin/tests/system/verify/zones/genzones.sh 
@@ -31,49 +31,49 @@ cp unsigned.db unsigned.bad # A set of nsec zones. setup zsk-only.nsec good $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk-only.nsec good $KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec good $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec.apex-dname good zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cp unsigned.db ${file}.tmp echo "@ DNAME data" >> ${file}.tmp -$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n # A set of nsec3 zones. 
setup zsk-only.nsec3 good $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk-only.nsec3 good $KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec3 good $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.optout good $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec3.apex-dname good zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cp unsigned.db ${file}.tmp echo "@ DNAME data" >> ${file}.tmp -$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n # # generate an NSEC record like @@ -94,7 +94,7 @@ FOO AAAA ::1 FOO A 127.0.0.2 aba CNAME FOO EOF -$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n || dumpit s.out$n sed 's/^FOO\./foo\./' < ${file}.tmp > ${file} # A set of zones with only DNSKEY records. 
@@ -115,37 +115,37 @@ cat unsigned.db $key1.key $key2.key > ${file} s="-s -2678400" setup zsk-only.nsec.expired bad $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk-only.nsec.expired bad $KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec.expired bad $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup zsk-only.nsec3.expired bad $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk-only.nsec3.expired bad $KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n setup ksk+zsk.nsec3.expired bad $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n # ksk expired setup ksk+zsk.nsec.ksk-expired bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> 
kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n -$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n now=`date -u +%Y%m%d%H%M%S` exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}` [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file @@ -154,8 +154,8 @@ setup ksk+zsk.nsec3.ksk-expired bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n -$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n now=`date -u +%Y%m%d%H%M%S` exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}` [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file 
@@ -165,36 +165,36 @@ setup ksk+zsk.nsec.broken-chain bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp -$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n # bad nsec bitmap setup ksk+zsk.nsec.bad-bitmap bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp -$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n # extra NSEC record out side of zone setup ksk+zsk.nsec.out-of-zone-nsec bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n echo "out-of-zone. 3600 IN NSEC ${zone}. 
A" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n # extra NSEC record below bottom of zone setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n || dumpit s.out$n # dnssec-signzone signs any node with a NSEC record. awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file} @@ -203,9 +203,9 @@ setup ksk+zsk.nsec.below-dname-nsec bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n # missing NSEC3 record at empty node # extract the hash fields from the empty node's NSEC 3 record then fix up 
@@ -214,21 +214,21 @@ setup ksk+zsk.nsec3.missing-empty bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}` b=`awk '$4 == "NSEC3" && NF == 9 { print $9; }' ${file}` awk ' $4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; } $4 == "NSEC3" && NF == 9 { next; } { print; }' ${file} > ${file}.tmp -$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n # extra NSEC3 record setup ksk+zsk.nsec3.extra-nsec3 bad zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n awk ' BEGIN { ZONE="'${zone}'."; @@ -240,4 +240,4 @@ $4 == "NSEC3" && NF == 9 { }' ${file} > ${file}.tmp cat ${file}.tmp >> ${file} rm -f ${file}.tmp -$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n From fd00bac736a53d26c4c7f39c3d04d82d40f61958 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 22 Jul 2019 10:33:17 -0400 Subject: [PATCH 4/7] Add -q (quiet) option to dnssec-signzone and dnssec-verify tool With the move of the normal output to stdout, we need a way how to silence the extra output, so the signed file name can be captured in a simple way. This commit adds `-q` command line option that will silence all the normal output that get's printed from both tools. --- bin/dnssec/dnssec-keygen.c | 1 - bin/dnssec/dnssec-signzone.c | 19 +++++++++++++------ bin/dnssec/dnssec-verify.c | 17 ++++++++++++----- bin/dnssec/dnssectool.c | 3 ++- bin/dnssec/dnssectool.h | 3 ++- 5 files changed, 29 insertions(+), 14 deletions(-) diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index be6779ca1d..2fad3fb285 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -218,7 +218,6 @@ main(int argc, char **argv) { bool unsetrev = false, unsetinact = false; bool unsetdel = false; bool genonly = false; - bool quiet = false; bool show_progress = false; unsigned char c; isc_stdtime_t syncadd = 0, syncdel = 0; diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 7a0155baa5..8b5e4c34a5 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -2645,12 +2645,14 @@ loadexplicitkeys(char *keyfiles[], int n, bool setksk) { static void report(const char *format, ...) { - FILE *out = output_stdout ? stderr : stdout; - va_list args; - va_start(args, format); - vfprintf(out, format, args); - va_end(args); - putc('\n', out); + if (!quiet) { + FILE *out = output_stdout ? stderr : stdout; + va_list args; + va_start(args, format); + vfprintf(out, format, args); + va_end(args); + putc('\n', out); + } } static void 
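Review bot: `report()` in dnssec-signzone.c is a printf-style variadic function with no format attribute, so a mismatched argument in a direct call is not caught by `-Wformat`; the same holds for the `report()` in dnssec-verify.c changed later in this patch. Declaring it ahead of the definition as `static void report(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);` would enable the check for direct callers. Calls that lib/dns makes through the `void (*report)(const char *, ...)` parameter stay unchecked unless that parameter declaration carries the attribute too.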
@@ -3086,6 +3088,7 @@ usage(void) { fprintf(stderr, "\t-j jitter:\n"); fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n"); fprintf(stderr, "\t-v debuglevel (0)\n"); + fprintf(stderr, "\t-q quiet\n"); fprintf(stderr, "\t-V:\tprint version information\n"); fprintf(stderr, "\t-o origin:\n"); fprintf(stderr, "\t\tzone origin (name of zonefile)\n"); @@ -3479,6 +3482,10 @@ main(int argc, char *argv[]) { fatal("verbose level must be numeric"); break; + case 'q': + quiet = true; + break; + case 'X': dnskey_endstr = isc_commandline_argument; break; diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index caf9742695..7fff0df94e 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -80,11 +80,13 @@ static bool keyset_kskonly = false; static void report(const char *format, ...) { - va_list args; - va_start(args, format); - vfprintf(stdout, format, args); - va_end(args); - putc('\n', stdout); + if (!quiet) { + va_list args; + va_start(args, format); + vfprintf(stdout, format, args); + va_end(args); + putc('\n', stdout); + } } /*% @@ -149,6 +151,7 @@ usage(void) { fprintf(stderr, "Options: (default value in parenthesis) \n"); fprintf(stderr, "\t-v debuglevel (0)\n"); + fprintf(stderr, "\t-q quiet\n"); fprintf(stderr, "\t-V:\tprint version information\n"); fprintf(stderr, "\t-o origin:\n"); fprintf(stderr, "\t\tzone origin (name of zonefile)\n"); @@ -246,6 +249,10 @@ main(int argc, char *argv[]) { fatal("verbose level must be numeric"); break; + case 'q': + quiet = true; + break; + case 'x': keyset_kskonly = true; break; diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index e1205d05f8..5ba2cc1266 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -57,7 +57,8 @@ #include "dnssectool.h" -int verbose; +int verbose = 0; +bool quiet = false; uint8_t dtype[8]; static fatalcallback_t *fatalcallback = NULL; 
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index e4798e8336..cddfb2f902 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -25,8 +25,9 @@ #define PATH_MAX 1024 /* WIN32, and others don't define this. */ #endif -/*! verbosity: set by -v option in each program, defined in dnssectool.c */ +/*! verbosity: set by -v and -q option in each program, defined in dnssectool.c */ extern int verbose; +extern bool quiet; /*! program name, statically initialized in each program */ extern const char *program; From 022649abc36ae73bc9fc443930c7d6a930d8d4d1 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 30 Jul 2019 08:43:12 -0700 Subject: [PATCH 5/7] document `-q` option in dnssec-signzone and dnssec-verify man pages --- bin/dnssec/dnssec-signzone.docbook | 17 +++++++++++++++++ bin/dnssec/dnssec-verify.docbook | 15 +++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 5f39282ba4..986bc990a4 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -80,6 +80,7 @@ + @@ -543,6 +544,22 @@ + + + -q + + + Quiet mode: Suppresses unnecessary output. Without this + option, when dnssec-signzone is run it + will print to standard output the number of keys in use, + the algorithms used to verify the zone was signed correctly + and other status information, and finally the filename + containing the signed zone. With it, that output is + suppressed, leaving only the filename. + + + + -R diff --git a/bin/dnssec/dnssec-verify.docbook b/bin/dnssec/dnssec-verify.docbook index 9d7c74698d..6d62284981 100644 --- a/bin/dnssec/dnssec-verify.docbook +++ b/bin/dnssec/dnssec-verify.docbook @@ -49,6 +49,7 @@ + 
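Review bot: In dnssectool.h the reworded doc comment `/*! verbosity: set by -v and -q option ... */` still attaches only to `extern int verbose;`, so `extern bool quiet;` is left undocumented and the text reads as if `-q` also sets `verbose`. I would leave the original comment on `verbose` and put `/*! quiet: set by -q option in each program, defined in dnssectool.c */` above `extern bool quiet;`. The header now uses `bool`; whether it already includes `<stdbool.h>` is not visible in the hunk and is worth confirming.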
@@ -140,6 +141,20 @@ + + -q + + + Quiet mode: Suppresses output. Without this option, when + dnssec-verify is run it will print to + standard output the number of keys in use, the algorithms + used to verify the zone was signed correctly and other + status information. With it, all non-error output is + suppressed, and only the exit code will indicate success. + + + + -x From 664b8f04f5f2322086138f5eda5899a62bcc019b Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 30 Jul 2019 08:43:30 -0700 Subject: [PATCH 6/7] add -q to getopt flags, and use newlines consistently with report() --- bin/dnssec/dnssec-signzone.c | 3 +-- bin/dnssec/dnssec-verify.c | 3 +-- lib/dns/dnssec.c | 4 ++-- lib/dns/zoneverify.c | 4 +++- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 8b5e4c34a5..8fc7080a46 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -2651,7 +2651,6 @@ report(const char *format, ...) { va_start(args, format); vfprintf(out, format, args); va_end(args); - putc('\n', out); } } @@ -3221,7 +3220,7 @@ main(int argc, char *argv[]) { /* Unused letters: Bb G J q Yy (and F is reserved). */ #define CMDLINE_FLAGS \ - "3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:M:n:N:o:O:PpQRr:s:ST:tuUv:VX:xzZ:" + "3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:VX:xzZ:" /* * Process memory debugging argument first. diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index 7fff0df94e..420bf979b8 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -85,7 +85,6 @@ report(const char *format, ...) { va_start(args, format); vfprintf(stdout, format, args); va_end(args); - putc('\n', stdout); } } @@ -184,7 +183,7 @@ main(int argc, char *argv[]) { int ch; #define CMDLINE_FLAGS \ - "hm:o:I:c:E:v:Vxz" + "c:E:hm:o:I:qv:Vxz" /* * Process memory debugging argument first. diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index b99803489d..800271956c 100644 
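Review bot: The context comment `/* Unused letters: Bb G J q Yy (and F is reserved). */` directly above `CMDLINE_FLAGS` in dnssec-signzone.c still lists `q` as unused, although this hunk adds `q` to the flag string. Update it in the same change to `/* Unused letters: Bb G J Yy (and F is reserved). */`, so the next person choosing an option letter does not pick `q` again.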
--- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -1813,7 +1813,7 @@ publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin, RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey)); dst_key_format(key->key, keystr, sizeof(keystr)); - report("Fetching %s (%s) from key %s.", + report("Fetching %s (%s) from key %s.\n", keystr, key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK", key->source == dns_keysource_user ? "file" : "repository"); @@ -1849,7 +1849,7 @@ remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin, char alg[80]; dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg)); - report("Removing %s key %d/%s from DNSKEY RRset.", + report("Removing %s key %d/%s from DNSKEY RRset.\n", reason, dst_key_id(key->key), alg); RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey)); diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index 3d75efb7ce..eb5aedc196 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -1939,7 +1939,9 @@ check_bad_algorithms(const vctx_t *vctx, void (*report)(const char *, ...)) { } static void -print_summary(const vctx_t *vctx, bool keyset_kskonly, void (*report)(const char *, ...)) { +print_summary(const vctx_t *vctx, bool keyset_kskonly, + void (*report)(const char *, ...)) +{ char algbuf[DNS_SECALG_FORMATSIZE]; int i; From e4144fb9cf910b7d25b6a849f14f36307e5588b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sun, 21 Jul 2019 08:18:56 -0400 Subject: [PATCH 7/7] Add CHANGES and release note --- CHANGES | 4 ++++ doc/arm/notes.xml | 11 +++++++++++ 2 files changed, 15 insertions(+) diff --git a/CHANGES b/CHANGES index 40c9bc9749..53bd0aae5b 100644 --- a/CHANGES +++ b/CHANGES 
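Review bot: Appending `\n` to the messages in `publish_key()` and `remove_key()` changes what the caller-supplied `report` callback receives, and nothing in these hunks documents that contract. The two tool callbacks were adjusted in this patch by dropping their `putc('\n', ...)`, but any other callback passed to these functions, such as one that forwards to a logger, would now get a trailing newline; callers outside bin/dnssec are not visible here. I would state the contract where the callback parameter is declared, e.g. `/* 'report' receives complete, newline-terminated messages and must not append one. */`. Both function bodies continue outside their hunks.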
@@ -1,3 +1,7 @@ +5271. [func] The normal (non-debugging) output of dnssec-signzone + and dnssec-verify tools now goes to stdout, instead of + the combination of stderr and stdout. + 5270. [bug] 'dig +expandaaaa +short' did not work. [GL #1152] 5269. [port] cygwin: can return ETIMEDOUT on connect() with a diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index c82d3b0894..cdd45ff338 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -277,6 +277,17 @@ algorithm and same Server Secret for the best performance. + + + The information from the dnssec-signzone and + dnssec-verify commands is now printed to standard + output. The standard error output is only used to print warnings and + errors, and in case the user requests the signed zone to be printed to + standard output with -f - option. A new + configuration option -q has been added to silence + all output on standard output except for the name of the signed zone. + +