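#!/usr/bin/env bash

# This script was used to generate the broken signed zones used for testing.
#
# It reads the unsigned zones bogus/<zone> relative to the current directory
# and writes bogus/<zone>.signed plus bogus/trust-anchors. Each signed zone is
# deliberately damaged after signing (records, signatures or validity windows
# removed or altered) so that a validating resolver has something to reject.
#
# Requires: ldns-keygen, ldns-signzone, and a date(1) that understands
# `-d "<date> +/- <offset>"` (GNU date; "gdate" on macOS).

set -u

# Print a message on stderr and stop.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove scratch files and any key files still on disk. Registered on EXIT so
# a run that aborts half-way does not leave a private key lying around.
cleanup() {
  rm -f -- base expired notyetincepted tmp.signed
  if [[ -n "${CSK:-}" ]]; then
    rm -f -- "$CSK".*
  fi
}
trap cleanup EXIT

# Generate a key for zone $1, print its base name and append its DS record to
# bogus/trust-anchors. Sets the global CSK to the key's base name.
# An empty key name must never reach the later `rm -f "$CSK".*`: unguarded,
# that expands to `.*` and removes dotfiles in the working directory.
new_zone_key() {
  local zone=$1
  CSK=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom "$zone") \
    || die "ldns-keygen failed for $zone"
  [[ -n "$CSK" ]] || die "ldns-keygen printed no key name for $zone"
  printf '%s\n' "$CSK"
  cat -- "$CSK.ds" >> bogus/trust-anchors \
    || die "cannot append $CSK.ds to bogus/trust-anchors"
}

# Delete the files of the current key; they are not needed once the zone has
# been signed. ${CSK:?} aborts instead of globbing `.*` when CSK is empty.
remove_zone_key() {
  rm -f -- "${CSK:?}".*
}

# Sign bogus/$1 into tmp.signed with a validity window that contains NOW.
# Stops on failure so a stale tmp.signed from the previous zone is never
# filtered into this zone's output.
sign_to_tmp() {
  local zone=$1
  ldns-signzone -i "$YESTERDAY" -e "$ONEMONTH" -f tmp.signed "bogus/$zone" "$CSK" \
    || die "ldns-signzone failed for $zone"
}

# Override the current date; it is used in Unbound's configuration also.
# The validity windows below are only "expired" / "not yet incepted" relative
# to this date, so the resolver under test has to use the same value.
NOW=20010101

# differentiate for MacOS with "gdate"
DATE=date
if command -v gdate > /dev/null 2>&1; then
  DATE=gdate
fi

# Despite the names, YESTERDAY and TOMORROW are two days away from NOW.
ONEMONTHAGO=$("$DATE" -d "$NOW - 1 month" +%Y%m%d) || die "$DATE cannot do date arithmetic"
ONEMONTH=$("$DATE" -d "$NOW + 1 month" +%Y%m%d) || die "$DATE cannot do date arithmetic"
YESTERDAY=$("$DATE" -d "$NOW - 2 days" +%Y%m%d) || die "$DATE cannot do date arithmetic"
TOMORROW=$("$DATE" -d "$NOW + 2 days" +%Y%m%d) || die "$DATE cannot do date arithmetic"

# Root trust anchor. This truncates bogus/trust-anchors; the DS of every test
# zone generated below is appended to it, so the file is specific to this
# test setup.
echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" > bogus/trust-anchors

# create outdated zones
new_zone_key dnssec-failures.test

# base: signed with a window that contains NOW, then damaged:
#  - the RRSIG covering the missingrrsigs TXT record is dropped,
#  - "Signatures invalid" is rewritten after signing, so the signature made
#    over the original text no longer matches the published record,
#  - the expired / notyetincepted TXT records and their RRSIGs are dropped
#    here; they are taken from the two differently dated runs below.
ldns-signzone -i "$YESTERDAY" -e "$ONEMONTH" -f - bogus/dnssec-failures.test "$CSK" \
  | grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' \
  | sed 's/Signatures invalid/Signatures INVALID/g' \
  | grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' \
  | grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' \
  | grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' \
  | grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base

# expired: signatures whose validity window ended before NOW.
ldns-signzone -i "$ONEMONTHAGO" -e "$YESTERDAY" -f - bogus/dnssec-failures.test "$CSK" \
  | grep -v '[ ]NSEC[ ]' \
  | grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired

# notyetincepted: signatures whose validity window starts after NOW.
ldns-signzone -i "$TOMORROW" -e "$ONEMONTH" -f - bogus/dnssec-failures.test "$CSK" \
  | grep -v '[ ]NSEC[ ]' \
  | grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted

cat base expired notyetincepted > bogus/dnssec-failures.test.signed

# cleanup old zone keys
remove_zone_key

# create zone with DNSKEY missing
new_zone_key dnskey-failures.test
sign_to_tmp dnskey-failures.test
grep -v ' DNSKEY ' tmp.signed > bogus/dnskey-failures.test.signed

# cleanup old zone keys
remove_zone_key

# create zone with NSEC missing
new_zone_key nsec-failures.test
sign_to_tmp nsec-failures.test
grep -v ' NSEC ' tmp.signed > bogus/nsec-failures.test.signed

# cleanup old zone keys
remove_zone_key

# create zone with RRSIGs missing
new_zone_key rrsig-failures.test
sign_to_tmp rrsig-failures.test
grep -v ' RRSIG ' tmp.signed > bogus/rrsig-failures.test.signed

# cleanup (the EXIT trap removes the same files again; harmless with rm -f)
rm -f -- base expired notyetincepted tmp.signed
remove_zone_key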