signing script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
# _ _ _ | |
# | |__ (_)_ __ __| | | |
# | '_ \| | '_ \ / _` | | |
# | |_) | | | | | (_| | | |
# |_.__/|_|_| |_|\__,_| | |
# | |
# sign the zone with BIND9 utilities; using smart signing means | |
# the key with which to sign will be determined automatically | |
set -euo pipefail | |
function log() { | |
printf "*** $@\n" | |
} | |
zone=example.com | |
signed=${zone}.signed | |
tmp=${zone}.tmp | |
log "sign the zone; set SOA serial to epoch" | |
dnssec-signzone -q -x -z -N unixtime -O full -S $zone | |
log "remove dsset file as it contains ZSK only" | |
rm -f "dsset-${zone}." | |
log "replace RRSIG over DNSKEY created by ZSK with that created by KSK" | |
( | |
awk '{ if ($4 == "RRSIG" && $5 == "DNSKEY") { print "; deleted rrsig/dnskey" } else { print }}' $signed | |
cat KSK.data | |
) > $tmp && mv $tmp $signed | |
log "verify signed zone using ldns-verify-zone" | |
ldns-verify-zone < $signed | |
log "verify signed zone using dnssec-verify" | |
dnssec-verify -o $zone $signed | |
log "verify signed zone using validns" | |
validns -s -z $zone $signed | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment