Test jitter distribution
Test jitter distribution in NSEC3 dynamic zone and for a zone that has old signatures. In both cases the generated signatures should be spread nicely.
This commit is contained in:
parent
6b2fd40269
commit
540b90fd6c
5 changed files with 129 additions and 1 deletions
|
|
@ -39,6 +39,7 @@ rm -f ns3/inacksk2.example.db
|
|||
rm -f ns3/inacksk3.example.db
|
||||
rm -f ns3/inaczsk2.example.db
|
||||
rm -f ns3/inaczsk3.example.db
|
||||
rm -f ns3/jitter.nsec3.example.db
|
||||
rm -f ns3/kg.out ns3/s.out ns3/st.out
|
||||
rm -f ns3/kskonly.example.db
|
||||
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
|
||||
|
|
|
|||
20
bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
Normal file
20
bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns
|
||||
ns A 10.53.0.3
|
||||
|
||||
|
|
@ -52,6 +52,21 @@ ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
|
|||
$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
# Jitter/NSEC3 test zone
|
||||
#
|
||||
setup jitter.nsec3.example
|
||||
cp $infile $zonefile
|
||||
count=1
|
||||
while [ $count -le 100 ]
|
||||
do
|
||||
echo "label${count} IN TXT label${count}" >> $zonefile
|
||||
count=`expr $count + 1`
|
||||
done
|
||||
# Don't create keys just yet, because the scenario we want to test
|
||||
# is an unsigned zone that has a NSEC3PARAM record added with
|
||||
# dynamic update before the keys are generated.
|
||||
|
||||
#
|
||||
# OPTOUT/NSEC3 test zone
|
||||
#
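Review bot: The 100-label generation loop added here (`count=1` … `done`) is duplicated verbatim in the oldsigs.example hunk below (`@ -150,9 +165,16 @@`), and both copies rely on `$zonefile` being set by the preceding `setup` call. A small helper defined once near the top of setup.sh would keep the two fixtures in step if the label count or record shape ever changes; each call site then becomes a single `addlabels 100` line after `cp $infile $zonefile`. The helper keeps the file's existing `expr`-based counting so it stays portable to the same shells.
```shell
# Append $1 TXT records label1..label$1 to $zonefile (set by setup).
addlabels () {
    _n=1
    while [ $_n -le $1 ]
    do
        echo "label${_n} IN TXT label${_n}" >> $zonefile
        _n=`expr $_n + 1`
    done
}
# … unchanged: setup jitter.nsec3.example / cp $infile $zonefile …
addlabels 100
```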
|
||||
|
|
@ -150,9 +165,16 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||
#
|
||||
setup oldsigs.example
|
||||
cp $infile $zonefile
|
||||
count=1
|
||||
while [ $count -le 100 ]
|
||||
do
|
||||
echo "label${count} IN TXT label${count}" >> $zonefile
|
||||
count=`expr $count + 1`
|
||||
done
|
||||
$KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
||||
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
|
||||
mv $zonefile.signed $zonefile
|
||||
|
||||
#
|
||||
# NSEC3->NSEC transition test zone.
|
||||
|
|
|
|||
|
|
@ -95,6 +95,14 @@ zone "nsec3.nsec3.example" {
|
|||
auto-dnssec maintain;
|
||||
};
|
||||
|
||||
zone "jitter.nsec3.example" {
|
||||
type master;
|
||||
file "jitter.nsec3.example.db";
|
||||
allow-update { any; };
|
||||
auto-dnssec maintain;
|
||||
sig-validity-interval 10 2;
|
||||
};
|
||||
|
||||
zone "secure.nsec3.example" {
|
||||
type master;
|
||||
file "secure.nsec3.example.db";
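Review bot: `sig-validity-interval 10 2;` on the new `jitter.nsec3.example` zone (and the same line added to `oldsigs.example` in the next hunk) is undocumented, yet it appears to be what gives the jitter check in tests.sh its window: checkjitter divides the RRSIG count by 8 days, which looks like validity minus re-sign interval, so changing either number here would silently skew that test. A one-line comment next to the option would make the coupling visible, e.g. `// 10-day validity, re-sign 2 days early; checkjitter in tests.sh assumes this 8-day jitter window`. `allow-update { any; };` is consistent with the other test zones in this file and is needed for the NSEC3PARAM update the test sends.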
|
||||
|
|
@ -178,6 +186,7 @@ zone "oldsigs.example" {
|
|||
file "oldsigs.example.db";
|
||||
allow-update { any; };
|
||||
auto-dnssec maintain;
|
||||
sig-validity-interval 10 2;
|
||||
};
|
||||
|
||||
zone "prepub.example" {
|
||||
|
|
|
|||
|
|
@ -50,6 +50,43 @@ checkprivate () {
|
|||
return 1
|
||||
}
|
||||
|
||||
# Check the signatures expiration times. First check how many signatures
|
||||
# there are in total ($rrsigs). Then see what the distribution of signature
|
||||
# expiration times is ($expiretimes). Ignore the time part for a better
|
||||
# modelled distribution.
|
||||
checkjitter () {
|
||||
_file=$1
|
||||
_ret=0
|
||||
|
||||
cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | cat_i
|
||||
_rrsigs=$(cat $_file | awk '$4 == "RRSIG" {print $4}' | cat_i | wc -l)
|
||||
_expiretimes=$(cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | awk '{print $1}')
|
||||
_count=0
|
||||
_total=0
|
||||
for _num in $_expiretimes
|
||||
do
|
||||
_total=$(($_total + $_num))
|
||||
done
|
||||
# Make sure the total number of numbers matches the number of RRSIGs.
|
||||
test $_total -eq $_rrsigs || _ret=1
|
||||
# Calculate mean: The number of signatures divided over 8 days.
|
||||
_mean=$(($_total / 8))
|
||||
# We expect the number of signatures not to exceed twice the mean.
|
||||
_limit=$(($_mean * 2))
|
||||
# Add an additional margin.
|
||||
_limit=$(($_limit + 10))
|
||||
# Find outliers.
|
||||
for _num in $_expiretimes
|
||||
do
|
||||
if [ $_num -gt $_limit ]; then
|
||||
echo_i "error: too many RRSIG records ($_num) with the same expiration time"
|
||||
_ret=1
|
||||
fi
|
||||
done
|
||||
|
||||
return $_ret
|
||||
}
|
||||
|
||||
#
|
||||
# The NSEC record at the apex of the zone and its RRSIG records are
|
||||
# added as part of the last step in signing a zone. We wait for the
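Review bot: `checkjitter` returns success for a file that contains no RRSIG records at all: with `_rrsigs` and `_total` both 0 the `test $_total -eq $_rrsigs` check passes, `_mean` and `_limit` become 0 and 10, and the outlier loop has nothing to iterate, so an AXFR of a still-unsigned or partially signed zone is reported as correctly jittered. Adding `test $_rrsigs -gt 0 || _ret=1` before the total/rrsigs comparison closes that gap; the callers in the later hunks only guard against `dig` itself failing, not against an empty result. Separately, `cat $_file | awk …` three times is a useless use of cat and `$_file` is unquoted; `awk '…' "$_file"` is the usual form. Counting RRSIGs through `cat_i` before `wc -l` also relies on cat_i only prefixing lines, which I cannot confirm from this page.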
|
||||
|
|
@ -334,6 +371,15 @@ do
|
|||
sleep 1
|
||||
done
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
# Check jitter distribution.
|
||||
echo_i "checking expired signatures were jittered correctly ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
||||
checkjitter dig.out.ns3.test$n || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
|
||||
|
|
@ -938,6 +984,36 @@ n=`expr $n + 1`
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
|
||||
ret=0
|
||||
# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
|
||||
$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone jitter.nsec3.example.
|
||||
update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
|
||||
send
|
||||
END
|
||||
[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
|
||||
# Create DNSSEC keys in the zone directory.
|
||||
$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
|
||||
# Trigger zone signing.
|
||||
$RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i
|
||||
# Wait until zone has been signed.
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
failed=0
|
||||
$DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1
|
||||
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1
|
||||
[ $failed -eq 0 ] && break
|
||||
echo_i "waiting ... ($i)"
|
||||
sleep 2
|
||||
done
|
||||
[ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1
|
||||
# Check jitter distribution.
|
||||
checkjitter dig.out.ns3.test$n || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
|
||||
ret=0
|
||||
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
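Review bot: The key generation step `$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null` discards both its exit status and its stderr, so if keygen fails the test proceeds to `rndc sign`, the zone never gets signed, and the jitter check that follows can still pass because checkjitter does not require any RRSIGs to be present. Capturing the output and failing the test on error keeps this in line with the `|| ret=1` handling used for nsupdate and dig in the same hunk: `$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > keygen.out.test$n 2>&1 || ret=1`. The wait loop also only looks for `NSEC3PARAM` in the AXFR before calling checkjitter; whether that guarantees signing of all 100 labels has finished is not something I can tell from this page, so a second `grep -c RRSIG` condition in the loop may be worth considering. The `rndc sign` exit status is likewise lost in the `| sed | cat_i` pipeline.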
|
||||
|
|
|
|||