From 4e18991fedf6cff15292885eaa482869311e10b4 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 4 Oct 2022 15:42:03 +0200 Subject: [PATCH] Add multisigner system test Add a new system test to test multisigner model use cases. This initial test just tests a small part of the model 2, and uses two providers for the same zone, ns3 and ns4, each with their own unique key set. This commit tests that each provider can import their ZSK of the other provider into their DNSKEY RRset, using dynamic update. Both providers use dnssec-policy, ns3 applies the DNSSEC records directly, while ns4 uses inline-signing. --- bin/tests/system/Makefile.am | 2 +- bin/tests/system/conf.sh.in | 1 + bin/tests/system/multisigner/clean.sh | 35 +++++ bin/tests/system/multisigner/kasp.conf | 19 +++ .../multisigner/ns3/model2.multisigner.db | 27 ++++ .../system/multisigner/ns3/named.conf.in | 46 +++++++ bin/tests/system/multisigner/ns3/setup.sh | 31 +++++ .../multisigner/ns4/model2.multisigner.db | 26 ++++ .../system/multisigner/ns4/named.conf.in | 46 +++++++ bin/tests/system/multisigner/ns4/setup.sh | 31 +++++ bin/tests/system/multisigner/setup.sh | 31 +++++ bin/tests/system/multisigner/tests.sh | 129 ++++++++++++++++++ 12 files changed, 423 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/multisigner/clean.sh create mode 100644 bin/tests/system/multisigner/kasp.conf create mode 100644 bin/tests/system/multisigner/ns3/model2.multisigner.db create mode 100644 bin/tests/system/multisigner/ns3/named.conf.in create mode 100644 bin/tests/system/multisigner/ns3/setup.sh create mode 100644 bin/tests/system/multisigner/ns4/model2.multisigner.db create mode 100644 bin/tests/system/multisigner/ns4/named.conf.in create mode 100644 bin/tests/system/multisigner/ns4/setup.sh create mode 100644 bin/tests/system/multisigner/setup.sh create mode 100644 bin/tests/system/multisigner/tests.sh diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index b0dfbecbac..245d02240c 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -201,7 +201,7 @@ endif HAVE_PERLMOD_NET_DNS_NAMESERVER endif HAVE_PERLMOD_NET_DNS if HAVE_PYTHON -TESTS += kasp keymgr2kasp tcp pipelined +TESTS += kasp keymgr2kasp multisigner tcp pipelined if HAVE_PYTEST TESTS += checkds dispatch rpzextra shutdown timeouts diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index ebf4d52522..d15791696b 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -108,6 +108,7 @@ keyfromlabel keymgr2kasp legacy logfileconfig +multisigner nzd2nzf pipelined qmin diff --git a/bin/tests/system/multisigner/clean.sh b/bin/tests/system/multisigner/clean.sh new file mode 100644 index 0000000000..0cd0a18f7d --- /dev/null +++ b/bin/tests/system/multisigner/clean.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +rm -f *.created +rm -f created.key-* +rm -f dig.out.* +rm -f python.out.* +rm -f rndc.dnssec.status.out.* +rm -f unused.key-* +rm -f verify.out.* + +rm -f ns*/*.jbk +rm -f ns*/*.jnl +rm -f ns*/*.signed +rm -f ns*/*.signed.jnl +rm -f ns*/*.zsk +rm -f ns*/K* +rm -f ns*/keygen.out.* +rm -f ns*/managed-keys* +rm -f ns*/named.conf +rm -f ns*/named.memstats +rm -f ns*/named.run +rm -f ns*/settime.out.* diff --git a/bin/tests/system/multisigner/kasp.conf b/bin/tests/system/multisigner/kasp.conf new file mode 100644 index 0000000000..5fe6de862f --- /dev/null +++ b/bin/tests/system/multisigner/kasp.conf @@ -0,0 +1,19 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "model2" { + keys { + ksk lifetime unlimited algorithm ecdsap256sha256; + zsk lifetime unlimited algorithm ecdsap256sha256; + }; +}; diff --git a/bin/tests/system/multisigner/ns3/model2.multisigner.db b/bin/tests/system/multisigner/ns3/model2.multisigner.db new file mode 100644 index 0000000000..010b05b3cb --- /dev/null +++ b/bin/tests/system/multisigner/ns3/model2.multisigner.db @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/multisigner/ns3/named.conf.in b/bin/tests/system/multisigner/ns3/named.conf.in new file mode 100644 index 0000000000..893e79d87b --- /dev/null +++ b/bin/tests/system/multisigner/ns3/named.conf.in @@ -0,0 +1,46 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "../kasp.conf"; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + key-directory "."; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "model2.multisigner." { + type primary; + allow-update { any; }; + file "model2.multisigner.db"; + dnssec-policy model2; + inline-signing no; +}; diff --git a/bin/tests/system/multisigner/ns3/setup.sh b/bin/tests/system/multisigner/ns3/setup.sh new file mode 100644 index 0000000000..54ee7dcb45 --- /dev/null +++ b/bin/tests/system/multisigner/ns3/setup.sh @@ -0,0 +1,31 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns3/setup.sh" + +zone="model2.multisigner" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" + +O="OMNIPRESENT" +ksktimes="-P now -A now -P sync now" +zsktimes="-P now -A now" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O now -z $O now "$ZSK" > settime.out.$zone.2 2>&1 +# ZSK will be added to the other provider with nsupdate. +cat "${ZSK}.key" | grep -v ";.*" > "${zone}.zsk" diff --git a/bin/tests/system/multisigner/ns4/model2.multisigner.db b/bin/tests/system/multisigner/ns4/model2.multisigner.db new file mode 100644 index 0000000000..86a1708b45 --- /dev/null +++ b/bin/tests/system/multisigner/ns4/model2.multisigner.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns4 +ns4 A 10.53.0.4 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/multisigner/ns4/named.conf.in b/bin/tests/system/multisigner/ns4/named.conf.in new file mode 100644 index 0000000000..ba1f6b85fa --- /dev/null +++ b/bin/tests/system/multisigner/ns4/named.conf.in @@ -0,0 +1,46 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +include "../kasp.conf"; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + key-directory "."; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "model2.multisigner." { + type primary; + allow-update { any; }; + file "model2.multisigner.db"; + dnssec-policy model2; + inline-signing yes; +}; diff --git a/bin/tests/system/multisigner/ns4/setup.sh b/bin/tests/system/multisigner/ns4/setup.sh new file mode 100644 index 0000000000..05d1060be4 --- /dev/null +++ b/bin/tests/system/multisigner/ns4/setup.sh @@ -0,0 +1,31 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns4/setup.sh" + +zone="model2.multisigner" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" + +O="OMNIPRESENT" +ksktimes="-P now -A now -P sync now" +zsktimes="-P now -A now" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O now -z $O now "$ZSK" > settime.out.$zone.2 2>&1 +# ZSK will be added to the other provider with nsupdate. +cat "${ZSK}.key" | grep -v ";.*" > "${zone}.zsk" diff --git a/bin/tests/system/multisigner/setup.sh b/bin/tests/system/multisigner/setup.sh new file mode 100644 index 0000000000..a28917fdd9 --- /dev/null +++ b/bin/tests/system/multisigner/setup.sh @@ -0,0 +1,31 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +set -e + +$SHELL clean.sh + +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf + +( + cd ns3 + $SHELL setup.sh +) +( + cd ns4 + $SHELL setup.sh +) diff --git a/bin/tests/system/multisigner/tests.sh b/bin/tests/system/multisigner/tests.sh new file mode 100644 index 0000000000..f1a477f100 --- /dev/null +++ b/bin/tests/system/multisigner/tests.sh @@ -0,0 +1,129 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh +# shellcheck source=kasp.sh +. ../kasp.sh + +dig_with_opts() { + $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT "$@" +} + + +start_time="$(TZ=UTC date +%s)" +status=0 +n=0 + +set_zone "model2.multisigner" +set_policy "model2" "2" "3600" + +# Key properties and states. +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" + +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" + +key_clear "KEY3" +key_clear "KEY4" + +set_keytimes_model2() { + # The first KSK is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + set_keytime "KEY1" "SYNCPUBLISH" "${created}" + + # The first ZSKs are immediately published and activated. + created=$(key_get KEY2 CREATED) + set_keytime "KEY2" "PUBLISHED" "${created}" + set_keytime "KEY2" "ACTIVE" "${created}" +} + +set_server "ns3" "10.53.0.3" +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +set_keytimes_model2 +check_keytimes +check_apex +dnssec_verify + +# Check that the ZSKs from the other provider are published. +zsks_are_published() { + dig_with_opts "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1 + # We should have two ZSKs. + lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 2 || return 1 + # And one KSK. + lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 1 || return 1 +} + +n=$((n+1)) +echo_i "update zone ${ZONE} at ns3 with ZSK from provider ns4" +ret=0 +( +echo zone ${ZONE} +echo server 10.53.0.3 "$PORT" +echo update add $(cat "ns4/${ZONE}.zsk") +echo send +) | $NSUPDATE +echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)" +retry_quiet 10 zsks_are_published || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) +# Verify again. +dnssec_verify + +set_server "ns4" "10.53.0.4" +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +set_keytimes_model2 +check_keytimes +check_apex +dnssec_verify + +n=$((n+1)) +echo_i "update zone ${ZONE} at ns4 with ZSK from provider ns3" +ret=0 +( +echo zone ${ZONE} +echo server 10.53.0.4 "$PORT" +echo update add $(cat "ns3/${ZONE}.zsk") +echo send +) | $NSUPDATE +echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)" +retry_quiet 10 zsks_are_published || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) +# Verify again. +dnssec_verify + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1