@jpmens

jpmens/bsig.sh

Created Sep 22, 2022
signing script
#!/usr/bin/env bash
#  _     _           _
# | |__ (_)_ __   __| |
# | '_ \| | '_ \ / _` |
# | |_) | | | | | (_| |
# |_.__/|_|_| |_|\__,_|
#
# sign the zone with BIND9 utilities; using smart signing (-S) means
# the key with which to sign will be determined automatically from the
# key files found in the key directory (the current directory unless -K is given)
#
# needs bash: `set -o pipefail` is not POSIX sh
set -euo pipefail

log() {
    printf '*** %s\n' "$*"
}

zone=example.com
signed=${zone}.signed
tmp=${zone}.tmp

log "sign the zone; set SOA serial to epoch"
# -N unixtime: SOA serial becomes the current epoch time
# -O full:     one record per line (the awk below relies on this layout)
# -x:          only sign the DNSKEY RRset with key-signing keys
# -z:          ignore the KSK flag on the keys when deciding what to sign
dnssec-signzone -q -x -z -N unixtime -O full -S "$zone"

log "remove dsset file as it contains ZSK only"
rm -f "dsset-${zone}."

log "replace RRSIG over DNSKEY created by ZSK with that created by KSK"
# KSK.data is expected to hold the RRSIG(s) over the DNSKEY RRset made by the
# KSK, in the same one-record-per-line format. Every existing RRSIG/DNSKEY line
# is dropped first, so whatever KSK.data contains ends up as the only signature
# on that RRset; the file is appended unchecked.
# fields in -O full output: $1 owner, $2 TTL, $3 class, $4 type, $5 covered type
(
    awk '{ if ($4 == "RRSIG" && $5 == "DNSKEY") { print "; deleted rrsig/dnskey" } else { print }}' "$signed"
    cat KSK.data
) > "$tmp" && mv "$tmp" "$signed"

# as invoked here, all three checks verify the zone against the DNSKEY RRset it
# carries; none of them checks the chain of trust from the parent's DS record
log "verify signed zone using ldns-verify-zone"
ldns-verify-zone < "$signed"

log "verify signed zone using dnssec-verify"
dnssec-verify -o "$zone" "$signed"

log "verify signed zone using validns"
validns -s -z "$zone" "$signed"
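The script above appends KSK.data to the zone without looking at it, so an empty or wrong file would leave the DNSKEY RRset unsigned or drop foreign records into the zone. The following is an added example, not part of jpmens' bsig.sh, that does the same RRSIG-over-DNSKEY swap as a function which first checks that the replacement file holds nothing but RRSIG records covering DNSKEY at the zone apex. It assumes the one-record-per-line layout of dnssec-signzone -O full, as the script does; the function names, the `.swapped` output name and the sample zone lines (with placeholder key and signature fields) are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of jpmens' bsig.sh: the RRSIG-over-DNSKEY swap as a
# function that checks its inputs before touching the zone. Assumes the
# one-record-per-line layout of dnssec-signzone -O full and a KSK file that
# holds nothing but RRSIG records covering DNSKEY at the zone apex.
set -eu

# swap_dnskey_rrsig ZONE SIGNED_FILE KSK_RRSIG_FILE OUT_FILE
# fields in -O full output: $1 owner, $2 TTL, $3 class, $4 type, $5 covered type
swap_dnskey_rrsig() {
    zone=$1 signed=$2 ksk=$3 out=$4
    apex="${zone%.}."

    # Refuse an empty KSK file or one carrying anything other than
    # RRSIG/DNSKEY at the apex: blindly appending it would leave the DNSKEY
    # RRset unsigned or put foreign records into the zone.
    if ! awk -v apex="$apex" '
        NF == 0 || $1 ~ /^;/ { next }
        !($1 == apex && $4 == "RRSIG" && $5 == "DNSKEY") { bad = 1; exit }
        { n++ }
        END { exit (bad || n == 0) }' "$ksk"
    then
        echo "refusing: $ksk is empty or is not only RRSIG/DNSKEY for $apex" >&2
        return 1
    fi

    # Drop every existing RRSIG over DNSKEY (ZSK-made in the workflow above),
    # keep everything else, and append the KSK-made signatures.
    {
        awk '$4 == "RRSIG" && $5 == "DNSKEY" { print "; deleted rrsig/dnskey"; next }
             { print }' "$signed"
        cat "$ksk"
    } > "$out"
}

# count_dnskey_rrsigs FILE: prints the number of RRSIG records covering DNSKEY
count_dnskey_rrsigs() {
    awk '$4 == "RRSIG" && $5 == "DNSKEY" { n++ } END { print n + 0 }' "$1"
}

# --- constructed sample input; key and signature fields are placeholders ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/example.com.signed" <<'EOF'
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1663804800 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20221022120000 20220922120000 12345 example.com. ZSKSIGOVERSOA==
example.com. 3600 IN DNSKEY 256 3 13 ZSKPUBLICKEY==
example.com. 3600 IN DNSKEY 257 3 13 KSKPUBLICKEY==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20221022120000 20220922120000 12345 example.com. ZSKSIGOVERDNSKEY==
EOF
cat > "$workdir/KSK.data" <<'EOF'
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20221022120000 20220922120000 54321 example.com. KSKSIGOVERDNSKEY==
EOF

swap_dnskey_rrsig example.com "$workdir/example.com.signed" "$workdir/KSK.data" "$workdir/example.com.swapped"
echo "RRSIG/DNSKEY records after swap: $(count_dnskey_rrsigs "$workdir/example.com.swapped")"
```

On the sample input the swap leaves exactly one RRSIG over DNSKEY (the KSK-made one), the ZSK's signature over SOA untouched, and a comment line where the ZSK's DNSKEY signature used to be; handing it an A record or an empty file instead of KSK.data makes it return non-zero without writing the output file.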