#
# Script to demonstrate signing a sample zone with the generated keybundles
# (private keys live on the HSM reached through the PKCS#11 library below).
#
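# Required environment:
#   DOMAIN      zone to generate keys for and to serve (mandatory)
#   TEST        if non-empty, shrink the zone TTL to 60s so rollovers are quick
#   DNSSEC_ALG  dnssec-keygen algorithm number (default 8, RSASHA256)
#   KSK_BITS    KSK size in bits (default 2048)
#   ZSK_BITS    ZSK size in bits (default 1024 -- see note at the key section)
#
# Side effects: kills every named on this host, wipes and rebuilds /tmp/namedb,
# writes /etc/rndc.key, and starts a named listening on port 53 of every
# interface.  Run it only on a dedicated test machine, as the account that
# may bind port 53 and write /etc (normally root).
set -u

# Print a message on stderr and stop.  Used instead of "set -e" because the
# killall below is allowed to fail (nothing to kill) and must not abort us.
die() { printf '%s\n' "$*" >&2; exit 1; }

[ -n "${DOMAIN:-}" ] || die "You must \"export DOMAIN=yourdomain\" first"

export PKCS11_LIBRARY_PATH="/opt/dccom/lib/opensc-pkcs11.so"

# The PIN is read without echo and is never put on a command line, so it does
# not appear in "ps" output or in the command echoes further down.  It is
# exported, though: every child (dnssec-keygen, named, ...) inherits it and it
# is readable from /proc/<pid>/environ by anyone running as this user, so do
# not run this on a host shared with other processes under the same account.
# "-r" keeps a backslash in the PIN literal instead of treating it as escape.
read -r -s -p "HSM PIN: " PKCS11_LIBRARY_PIN
echo ""
export PKCS11_LIBRARY_PIN

# Key parameters.  The defaults reproduce the original demo (RSASHA256 with a
# 2048-bit KSK and 1024-bit ZSKs).  1024-bit RSA is below current practice;
# use ZSK_BITS=2048, or DNSSEC_ALG=13 (ECDSAP256SHA256, whose key size is
# fixed by the curve) for anything beyond a throwaway test.
DNSSEC_ALG="${DNSSEC_ALG:-8}"
KSK_BITS="${KSK_BITS:-2048}"
ZSK_BITS="${ZSK_BITS:-1024}"

# Stop any running named and leftover helper processes, then rebuild the demo
# tree.  "-r" makes each name an extended regex; the last one is quoted so the
# shell does not expand it as a glob against files in the current directory.
killall -r named pkcs11-backup 'signem*' 2>/dev/null
rm -rf /tmp/namedb
# /tmp is world-writable and the path is predictable: mkdir fails (rather than
# following a symlink another user may have planted between the rm and here),
# and the script stops instead of writing keys through it.
mkdir /tmp/namedb || die "cannot create /tmp/namedb"
cd /tmp/namedb || die "cannot cd to /tmp/namedb"
mkdir log data master slave keys || die "cannot create work directories"
cd keys || die "cannot cd to /tmp/namedb/keys"

# Generate KSK.  Demo timings: published and active now, inactive after one
# day, revoked after 1.5 days.
echo "Generating $KSK_BITS bit algorithm $DNSSEC_ALG KSK"
echo "dnssec-keygen -P +0 -A +0 -I +86400 -R +129600 -f ksk -a $DNSSEC_ALG -b $KSK_BITS $DOMAIN."
dnssec-keygen -P +0 -A +0 -I +86400 -R +129600 -f ksk -a "$DNSSEC_ALG" -b "$KSK_BITS" "$DOMAIN." \
  || die "KSK generation failed"

# Generate some overlapping test ZSKs.  All timing offsets are multiples of the
# zone TTL so the rollover steps are observable with dig; TEST=1 compresses
# the whole schedule to a one-minute TTL.
if [ -n "${TEST:-}" ]; then
  ttl=60
else
  ttl=600
fi
t_short=$(( ttl * 2 ))   # gap between activate/inactive and the next event
t_long=$(( ttl * 5 ))    # active lifetime of each ZSK
t_step=$(( ttl * 5 ))    # stagger between successive pre-published ZSKs

# gen_zsk PUBLISH ACTIVATE INACTIVE DELETE
#   Echoes and runs dnssec-keygen for one ZSK; all four arguments are offsets
#   in seconds from now.  Aborts the script if key generation fails.
gen_zsk() {
  echo "dnssec-keygen -P +$1 -A +$2 -I +$3 -D +$4 -a $DNSSEC_ALG -b $ZSK_BITS $DOMAIN."
  dnssec-keygen -P "+$1" -A "+$2" -I "+$3" -D "+$4" -a "$DNSSEC_ALG" -b "$ZSK_BITS" "$DOMAIN." \
    || die "ZSK generation failed"
}

# First ZSK: usable immediately.
publish=0
activate=$publish
inactive=$(( activate + t_long ))
delete=$(( inactive + t_short ))
gen_zsk "$publish" "$activate" "$inactive" "$delete"

# Two more ZSKs, pre-published three TTLs out and staggered by t_step so each
# overlaps the previous one.
publish=$(( ttl * 3 ))
activate=$(( publish + t_short ))
inactive=$(( activate + t_long ))
delete=$(( inactive + t_short ))
for _ in 1 2; do
  gen_zsk "$publish" "$activate" "$inactive" "$delete"
  publish=$(( publish + t_step ))
  activate=$(( activate + t_step ))
  inactive=$(( inactive + t_step ))
  delete=$(( delete + t_step ))
done
echo "Run \"cardshow\" to see keys on smartcard"

# Create a test zone.  The unsigned copy lives in slave/, the master/ copy is
# what named loads and inline-signs.
dn="$DOMAIN"
cd /tmp/namedb/slave || die "cannot cd to /tmp/namedb/slave"
cat > "$dn.zone" <<EOF
\$TTL $ttl
@       IN      SOA     ns1.$dn. your@email.address. (
                        2012091100    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        2w            ; Expire
                        $ttl )         ; Negative
        IN      NS      ns1.$dn.   ; master
        IN      NS      ns2.$dn.   ; slave
ns1     IN      A       10.10.35.1
ns2     IN      A       10.10.35.2
www     IN      A       10.10.35.3       ; your own IP
EOF
cd /tmp/namedb || die "cannot cd to /tmp/namedb"
cp -p "slave/$dn.zone" master/ || die "cannot copy zone file"

# Create test named.conf.  This is an authoritative-only server (recursion
# off) that nevertheless binds every interface and answers anyone; acceptable
# on an isolated test box only.  "auto-dnssec"/"dnssec-dnskey-kskonly" are the
# pre-dnssec-policy style of configuration and are deprecated or removed in
# newer BIND releases -- check against the version you run.
cat > named.conf <<EOF
options {
        directory       "/tmp/namedb";
        dump-file       "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        listen-on port 53 { any; };
        allow-query     { any; };
        recursion no;
        dnssec-dnskey-kskonly yes;
};
zone $dn {
   type master;
   file "master/$dn.zone";
   key-directory "keys";
   auto-dnssec maintain;
   inline-signing yes;
};
logging {
        channel everything_else {
           file "log/runlog" versions 2 size 100m;
           print-time yes;
           print-severity yes;
           print-category yes;
           severity debug 3;
        };
        category default  { everything_else; };
};
EOF

# Create test rndc key.  rndc-confgen -a writes /etc/rndc.key readable only by
# the invoking user.  "-r" is ignored or rejected by recent BIND releases
# (entropy comes from the OS); drop it if rndc-confgen complains.
rndc-confgen -a -r /dev/urandom || exit 1
# Deliberately NOT made world-readable: that key is full control of named via
# rndc (stop, reconfig, signing ...), so any local account could drive the
# server.  named and rndc both run as the invoking user here, so the 0600 file
# already serves both.  If your named runs under a separate account, grant
# that account group read instead, e.g. "chgrp named /etc/rndc.key && chmod 0640 /etc/rndc.key".

# Start named.  No "-u": it stays as the invoking user (root, for port 53),
# which is also why it can read the key directory and rndc key above.
named -c /tmp/namedb/named.conf || exit 1
sleep 9

# Display named status.
rndc signing -list "$dn"
dig +dnssec -t dnskey "$dn" @127.0.0.1
echo "See /tmp/namedb/log/ for named output."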
#
# end
#
