@jpmens

jpmens/lsig.sh Secret

Created September 22, 2022 07:49
signing script
#!/bin/bash
#  _     _
# | | __| |_ __  ___
# | |/ _` | '_ \/ __|
# | | (_| | | | \__ \
# |_|\__,_|_| |_|___/
#
# Sign a zone with the ZSK using ldns-signzone, then swap the ZSK's RRSIG over
# the DNSKEY RRset for one produced elsewhere (e.g. with an offline KSK) and
# stored in KSK.data. The result is checked with three independent validators.
#
# bash, not sh: "set -o pipefail" is not POSIX.
set -euo pipefail

log() {
    printf '*** %s\n' "$*"
}

zone=example.com
zsk=Kexample.com.+013+54147          # ZSK key pair: ${zsk}.key / ${zsk}.private
signed=${zone}.signed.ldns
tmp=${zone}.tmp

log "sign the zone; set SOA serial to epoch"
# -u: set the SOA serial to the current UNIX time; -f: output file; -o: origin
ldns-signzone -u -f "$signed" -o "$zone" "$zone" "$zsk"

log "replace RRSIG over DNSKEY created by ZSK with that created by KSK"
# ldns-signzone writes one record per line: owner TTL IN RRSIG DNSKEY alg ...,
# so $4/$5 select exactly the signatures covering DNSKEY. KSK.data must already
# contain the KSK-generated RRSIG over the same DNSKEY RRset.
(
    awk '{ if ($4 == "RRSIG" && $5 == "DNSKEY") { print "; deleted rrsig/dnskey" } else { print } }' "$signed"
    cat KSK.data
) > "$tmp" && mv "$tmp" "$signed"

log "verify signed zone using ldns-verify-zone"
ldns-verify-zone < "$signed"

log "verify signed zone using dnssec-verify"
dnssec-verify -o "$zone" "$signed"

log "verify signed zone using validns"
validns -s -z "$zone" "$signed"
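Added example, not part of the gist above: the RRSIG-over-DNSKEY swap run on a constructed fragment of a signed zone, followed by the one check the three validators in the script do not make explicit, namely that after the swap the DNSKEY RRset carries exactly one RRSIG and that it was made by the KSK's key tag rather than the ZSK's. The ZSK key tag 54147 is the one from the gist; the KSK key tag 60131, the timestamps, the DNSKEY material and the base64 signature blobs are made up so that the script runs without ldns or any key files.

```shell
#!/bin/sh
# Added example, not from jpmens' gist: run the same RRSIG-over-DNSKEY swap on
# a constructed fragment of a signed zone, then check that the only RRSIG
# covering DNSKEY carries the KSK's key tag. The ZSK tag 54147 is the one in
# the gist; the KSK tag 60131, timestamps and base64 blobs are made up.
set -eu

ZSK_TAG=54147    # from the gist: Kexample.com.+013+54147
KSK_TAG=60131    # hypothetical KSK key tag

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for example.com.signed.ldns in ldns-signzone's
# one-record-per-line layout. RRSIG fields are:
#   owner TTL IN RRSIG type alg labels origttl expiry inception keytag signer sig
cat > "$WORK/zone.signed" <<EOF
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1663832940 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20221022074900 20220922074900 $ZSK_TAG example.com. c29hLXNpZw==
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20221022074900 20220922074900 $ZSK_TAG example.com. bnMtc2ln
example.com. 3600 IN DNSKEY 256 3 13 enNrLXB1YmxpYy1rZXk=
example.com. 3600 IN DNSKEY 257 3 13 a3NrLXB1YmxpYy1rZXk=
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20221022074900 20220922074900 $ZSK_TAG example.com. ZHVtbXk=
EOF

# Constructed KSK.data: the RRSIG over the DNSKEY RRset made with the (offline) KSK.
cat > "$WORK/KSK.data" <<EOF
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20221122074900 20220922074900 $KSK_TAG example.com. a3NrLXNpZw==
EOF

# The gist's transformation: drop every RRSIG covering DNSKEY, append the KSK's.
swap_dnskey_rrsig() {  # $1 signed zone, $2 KSK.data, $3 output file
    {
        awk '$4 == "RRSIG" && $5 == "DNSKEY" { print "; deleted rrsig/dnskey"; next } { print }' "$1"
        cat "$2"
    } > "$3"
}

# Key tags of all RRSIGs covering DNSKEY, one per line (field 11 of an RRSIG).
dnskey_rrsig_tags() {  # $1 zone file
    awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $11 }' "$1"
}

# Succeed only if exactly one RRSIG covers DNSKEY and its key tag is $2.
# No signature, several signatures, or the wrong signer all fail.
check_dnskey_signed_by() {  # $1 zone file, $2 expected key tag
    tags=$(dnskey_rrsig_tags "$1")
    [ "$(printf '%s\n' "$tags" | grep -c .)" -eq 1 ] && [ "$tags" = "$2" ]
}

swap_dnskey_rrsig "$WORK/zone.signed" "$WORK/KSK.data" "$WORK/zone.final"

# Before the swap the DNSKEY RRset is signed by the ZSK; afterwards only by the KSK.
if check_dnskey_signed_by "$WORK/zone.final" "$KSK_TAG"; then
    echo "ok: DNSKEY RRset signed only by KSK tag $KSK_TAG"
else
    echo "FAIL: DNSKEY RRSIG key tags: $(dnskey_rrsig_tags "$WORK/zone.final" | tr '\n' ' ')" >&2
    exit 1
fi
```

The validators in the gist confirm that every signature verifies against a key in the zone; they do not by themselves tell you which key signed the DNSKEY RRset, so a check like check_dnskey_signed_by, pointed at the real signed file and the real KSK tag, is worth running before the zone is published. Field 11 is the key tag only for the one-line RRSIG layout ldns-signzone emits; a multi-line or differently formatted zone file would need a proper parser.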