diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh new file mode 100644 index 0000000000..35eeb5ffe4 --- /dev/null +++ b/bin/tests/system/autosign/clean.sh @@ -0,0 +1,38 @@ +#!/bin/sh +# +# Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: clean.sh,v 1.2 2009/11/30 21:00:47 each Exp $ + +rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk +rm -f inact.key del.key unpub.key standby.key rev.key +rm -f ns1/root.db ns2/example.db ns3/secure.example.db +rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db +rm -f ns2/private.secure.example.db +rm -f */core +rm -f */example.bk +rm -f dig.out.* +rm -f random.data +rm -f ns2/dlv.db +rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db +rm -f ns3/optout-unknown.example.db ns3/optout.example.db +rm -f */named.memstats +rm -f ns3/nsec3.nsec3.example.db +rm -f ns3/nsec3.optout.example.db +rm -f ns3/optout.nsec3.example.db +rm -f ns3/optout.optout.example.db +rm -f ns3/secure.nsec3.example.db +rm -f ns3/secure.optout.example.db diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh new file mode 100644 index 0000000000..408c7049be --- /dev/null +++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -0,0 +1,70 @@ +#!/bin/sh -e +# +# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2003 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: keygen.sh,v 1.2 2009/11/30 21:00:47 each Exp $ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=. +zonefile=root.db +infile=root.db.in + +(cd ../ns2 && sh keygen.sh ) + +cat $infile ../ns2/dsset-example. > $zonefile + +$KEYGEN -q -r $RANDFILE $zone > /dev/null +zskdel=`$KEYGEN -q -r $RANDFILE -D now $zone` +zskinact=`$KEYGEN -q -r $RANDFILE -I now $zone` +zskunpub=`$KEYGEN -q -r $RANDFILE -G $zone` +zsksby=`$KEYGEN -q -r $RANDFILE -A none $zone` + +ksksby=`$KEYGEN -q -r $RANDFILE -P now -A now+15s -fk $zone` +kskrev=`$KEYGEN -q -r $RANDFILE -R now+15s -fk $zone` + +cat $ksksby.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < trusted.conf +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf +cp trusted.conf ../ns4/trusted.conf + +cat $kskrev.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < trusted.conf +cp trusted.conf ../ns5/trusted.conf + +echo $zskdel > ../del.key +echo $zskinact > ../inact.key +echo $zskunpub > ../unpub.key +echo $zsksby > ../standby.key +echo $kskrev > ../rev.key diff --git a/bin/tests/system/autosign/ns1/named.conf b/bin/tests/system/autosign/ns1/named.conf new file mode 100644 index 0000000000..187640cc99 --- /dev/null +++ b/bin/tests/system/autosign/ns1/named.conf @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2009/11/30 21:00:47 each Exp $ */ + +// NS1 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-md5; +}; + +controls { + inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; }; +}; + +zone "." { + type master; + file "root.db"; + allow-transfer { any; }; + allow-query { any; }; + allow-update { any; }; + auto-dnssec maintain; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns1/root.db.in b/bin/tests/system/autosign/ns1/root.db.in new file mode 100644 index 0000000000..01f9ba6439 --- /dev/null +++ b/bin/tests/system/autosign/ns1/root.db.in @@ -0,0 +1,30 @@ +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2000, 2001 Internet Software Consortium. +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: root.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 30 +. IN SOA a.root.servers.nil. each.isc.org. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example. NS ns2.example. +ns2.example. A 10.53.0.2 diff --git a/bin/tests/system/autosign/ns2/child.nsec3.example.db b/bin/tests/system/autosign/ns2/child.nsec3.example.db new file mode 100644 index 0000000000..8aa2427703 --- /dev/null +++ b/bin/tests/system/autosign/ns2/child.nsec3.example.db @@ -0,0 +1,25 @@ +; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: child.nsec3.example.db,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/autosign/ns2/child.optout.example.db b/bin/tests/system/autosign/ns2/child.optout.example.db new file mode 100644 index 0000000000..1fb542cb29 --- /dev/null +++ b/bin/tests/system/autosign/ns2/child.optout.example.db @@ -0,0 +1,25 @@ +; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: child.optout.example.db,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/autosign/ns2/dst.example.db.in b/bin/tests/system/autosign/ns2/dst.example.db.in new file mode 100644 index 0000000000..9e0feae3a2 --- /dev/null +++ b/bin/tests/system/autosign/ns2/dst.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: dst.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2.example. +a A 10.0.0.1 diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in new file mode 100644 index 0000000000..d02517e8d7 --- /dev/null +++ b/bin/tests/system/autosign/ns2/example.db.in @@ -0,0 +1,86 @@ +; Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2000-2002 Internet Software Consortium. +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +z A 10.0.0.26 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 diff --git a/bin/tests/system/autosign/ns2/insecure.secure.example.db b/bin/tests/system/autosign/ns2/insecure.secure.example.db new file mode 100644 index 0000000000..cd2d62e6d9 --- /dev/null +++ b/bin/tests/system/autosign/ns2/insecure.secure.example.db @@ -0,0 +1,32 @@ +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2000, 2001 Internet Software Consortium. +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: insecure.secure.example.db,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh new file mode 100644 index 0000000000..9554723412 --- /dev/null +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -0,0 +1,49 @@ +#!/bin/sh -e +# +# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2003 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: keygen.sh,v 1.2 2009/11/30 21:00:47 each Exp $ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +# Have the child generate subdomain keys and pass DS sets to us. +( cd ../ns3 && sh keygen.sh ) + +for subdomain in secure nsec3 optout rsasha256 rsasha512 +do + cp ../ns3/dsset-$subdomain.example. . +done + +# Create keys and pass the DS to the parent. +zone=example +zonefile="${zone}.db" +infile="${zonefile}.in" +cat $infile dsset-*.example. > $zonefile + +kskname=`$KEYGEN -q -r $RANDFILE -fk $zone` +$KEYGEN -q -r $RANDFILE $zone > /dev/null +$DSFROMKEY $kskname.key > dsset-${zone}. + +# Create keys for a private secure zone. +zone=private.secure.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +$KEYGEN -q -r $RANDFILE -fk $zone > /dev/null +$KEYGEN -q -r $RANDFILE $zone > /dev/null diff --git a/bin/tests/system/autosign/ns2/named.conf b/bin/tests/system/autosign/ns2/named.conf new file mode 100644 index 0000000000..f7ec6e8b1d --- /dev/null +++ b/bin/tests/system/autosign/ns2/named.conf @@ -0,0 +1,97 @@ +/* + * Copyright (C) 2004, 2006-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2002 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2009/11/30 21:00:47 each Exp $ */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-md5; +}; + +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "private.secure.example" { + type master; + file "private.secure.example.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "insecure.secure.example" { + type master; + file "insecure.secure.example.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "child.nsec3.example" { + type master; + file "child.nsec3.example.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "child.optout.example" { + type master; + file "child.optout.example.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + auto-dnssec maintain; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns2/private.secure.example.db.in b/bin/tests/system/autosign/ns2/private.secure.example.db.in new file mode 100644 index 0000000000..a5d4cde51f --- /dev/null +++ b/bin/tests/system/autosign/ns2/private.secure.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2000, 2001 Internet Software Consortium. +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: private.secure.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +private2secure-nxdomain CNAME r.example. diff --git a/bin/tests/system/autosign/ns3/insecure.example.db b/bin/tests/system/autosign/ns3/insecure.example.db new file mode 100644 index 0000000000..66fdc4c96e --- /dev/null +++ b/bin/tests/system/autosign/ns3/insecure.example.db @@ -0,0 +1,32 @@ +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2000, 2001 Internet Software Consortium. +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: insecure.example.db,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh new file mode 100644 index 0000000000..a9c288b071 --- /dev/null +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -0,0 +1,141 @@ +#!/bin/sh -e +# +# Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: keygen.sh,v 1.2 2009/11/30 21:00:47 each Exp $ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=secure.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -r $RANDFILE -fk $zone` +$KEYGEN -q -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# NSEC3/NSEC test zone +# +zone=secure.nsec3.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# NSEC3/NSEC3 test zone +# +zone=nsec3.nsec3.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# OPTOUT/NSEC3 test zone +# +zone=optout.nsec3.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# A nsec3 zone (non-optout). +# +zone=nsec3.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cat $infile dsset-*.${zone}. > $zonefile +ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# OPTOUT/NSEC test zone +# +zone=secure.optout.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# OPTOUT/NSEC3 test zone +# +zone=nsec3.optout.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# OPTOUT/OPTOUT test zone +# +zone=optout.optout.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -r $RANDFILE -fk $zone` +$KEYGEN -q -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# A optout nsec3 zone. +# +zone=optout.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cat $infile dsset-*.${zone}. > $zonefile +ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# A RSASHA256 zone. +# +zone=rsasha256.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -r $RANDFILE -fk $zone` +$KEYGEN -q -a RSASHA256 -b 1024 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. + +# +# A RSASHA512 zone. +# +zone=rsasha512.example +zonefile="${zone}.db" +infile="${zonefile}.in" +cp $infile $zonefile +ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone` +$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null +$DSFROMKEY $ksk.key > dsset-${zone}. diff --git a/bin/tests/system/autosign/ns3/multiple.example.db.in b/bin/tests/system/autosign/ns3/multiple.example.db.in new file mode 100644 index 0000000000..dd90f4631c --- /dev/null +++ b/bin/tests/system/autosign/ns3/multiple.example.db.in @@ -0,0 +1,34 @@ +; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: multiple.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf new file mode 100644 index 0000000000..ffd029e802 --- /dev/null +++ b/bin/tests/system/autosign/ns3/named.conf @@ -0,0 +1,147 @@ +/* + * Copyright (C) 2004, 2006-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2002 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2009/11/30 21:00:47 each Exp $ */ + +// NS3 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-md5; +}; + +controls { + inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type slave; + masters { 10.53.0.2; }; + file "example.bk"; +}; + +zone "secure.example" { + type master; + file "secure.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "insecure.example" { + type master; + file "insecure.example.db"; +}; + +zone "nsec3.example" { + type master; + file "nsec3.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "optout.nsec3.example" { + type master; + file "optout.nsec3.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "nsec3.nsec3.example" { + type master; + file "nsec3.nsec3.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "secure.nsec3.example" { + type master; + file "secure.nsec3.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "optout.example" { + type master; + file "optout.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "secure.optout.example" { + type master; + file "secure.optout.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "nsec3.optout.example" { + type master; + file "nsec3.optout.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "optout.optout.example" { + type master; + file "optout.optout.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "multiple.example" { + type master; + file "multiple.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "rsasha256.example" { + type master; + file "rsasha256.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "rsasha512.example" { + type master; + file "rsasha512.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns3/nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3.example.db.in new file mode 100644 index 0000000000..c7db3fe432 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec3.example.db.in @@ -0,0 +1,42 @@ +; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: nsec3.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in new file mode 100644 index 0000000000..8869b7899e --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in @@ -0,0 +1,40 @@ +; Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: nsec3.nsec3.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in b/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in new file mode 100644 index 0000000000..a35fa79272 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in @@ -0,0 +1,40 @@ +; Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: nsec3.optout.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/autosign/ns3/optout.example.db.in b/bin/tests/system/autosign/ns3/optout.example.db.in new file mode 100644 index 0000000000..780c048fd1 --- /dev/null +++ b/bin/tests/system/autosign/ns3/optout.example.db.in @@ -0,0 +1,43 @@ +; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: optout.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +child NS ns2.example. +insecure.empty NS ns.insecure.empty +ns.insecure.empty A 10.53.0.3 diff --git a/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in b/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in new file mode 100644 index 0000000000..0ee2375111 --- /dev/null +++ b/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in @@ -0,0 +1,40 @@ +; Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: optout.nsec3.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/autosign/ns3/optout.optout.example.db.in b/bin/tests/system/autosign/ns3/optout.optout.example.db.in new file mode 100644 index 0000000000..63a281cb97 --- /dev/null +++ b/bin/tests/system/autosign/ns3/optout.optout.example.db.in @@ -0,0 +1,40 @@ +; Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: optout.optout.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/autosign/ns3/rsasha256.example.db.in b/bin/tests/system/autosign/ns3/rsasha256.example.db.in new file mode 100644 index 0000000000..27640c6e08 --- /dev/null +++ b/bin/tests/system/autosign/ns3/rsasha256.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: rsasha256.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/rsasha512.example.db.in b/bin/tests/system/autosign/ns3/rsasha512.example.db.in new file mode 100644 index 0000000000..e4c1c80485 --- /dev/null +++ b/bin/tests/system/autosign/ns3/rsasha512.example.db.in @@ -0,0 +1,33 @@ +; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: rsasha512.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/secure.example.db.in b/bin/tests/system/autosign/ns3/secure.example.db.in new file mode 100644 index 0000000000..58a500ae84 --- /dev/null +++ b/bin/tests/system/autosign/ns3/secure.example.db.in @@ -0,0 +1,41 @@ +; Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2000, 2001 Internet Software Consortium. +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: secure.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in b/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in new file mode 100644 index 0000000000..563808b144 --- /dev/null +++ b/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in @@ -0,0 +1,40 @@ +; Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: secure.nsec3.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/autosign/ns3/secure.optout.example.db.in b/bin/tests/system/autosign/ns3/secure.optout.example.db.in new file mode 100644 index 0000000000..36361d2956 --- /dev/null +++ b/bin/tests/system/autosign/ns3/secure.optout.example.db.in @@ -0,0 +1,40 @@ +; Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: secure.optout.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/autosign/ns4/named.conf b/bin/tests/system/autosign/ns4/named.conf new file mode 100644 index 0000000000..5b9242a393 --- /dev/null +++ b/bin/tests/system/autosign/ns4/named.conf @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2009/11/30 21:00:47 each Exp $ */ + +// NS4 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation yes; + dnssec-must-be-secure mustbesecure.example yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns5/named.conf b/bin/tests/system/autosign/ns5/named.conf new file mode 100644 index 0000000000..3a821154c9 --- /dev/null +++ b/bin/tests/system/autosign/ns5/named.conf @@ -0,0 +1,43 @@ +/* + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2009/11/30 21:00:47 each Exp $ */ + +// NS5 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/autosign/prereq.sh b/bin/tests/system/autosign/prereq.sh new file mode 100644 index 0000000000..9c31602201 --- /dev/null +++ b/bin/tests/system/autosign/prereq.sh @@ -0,0 +1,28 @@ +#!/bin/sh +# +# Copyright (C) 2004, 2006, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: prereq.sh,v 1.2 2009/11/30 21:00:47 each Exp $ + +../../../tools/genrandom 400 random.data + +if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1 +then + rm -f Kfoo* +else + echo "I:This test requires that --with-openssl was used." >&2 + exit 1 +fi diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh new file mode 100644 index 0000000000..4864dbfb5c --- /dev/null +++ b/bin/tests/system/autosign/setup.sh @@ -0,0 +1,26 @@ +#!/bin/sh -e +# +# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000, 2001 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: setup.sh,v 1.2 2009/11/30 21:00:47 each Exp $ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +. ./clean.sh + +../../../tools/genrandom 400 random.data + +cd ns1 && sh keygen.sh diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh new file mode 100644 index 0000000000..04706b4874 --- /dev/null +++ b/bin/tests/system/autosign/tests.sh @@ -0,0 +1,516 @@ +#!/bin/sh +# +# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: tests.sh,v 1.2 2009/11/30 21:00:47 each Exp $ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" + +echo "I:converting zones from nsec to nsec3" +$NSUPDATE > /dev/null <&1 | sed 's/^/I:ns1 /' +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 freeze 2>&1 | sed 's/^/I:ns2 /' +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze 2>&1 | sed 's/^/I:ns3 /' + +# Check the example. domain + +echo "I:checking that zone transfer worked ($n)" +ret=0 +$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking positive validation NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking positive validation NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking positive validation OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking negative validation NXDOMAIN NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking negative validation NXDOMAIN NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking negative validation NXDOMAIN OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking negative validation NODATA NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking negative validation NODATA NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking negative validation NODATA OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# Check the insecure.example domain + +echo "I:checking 1-server insecurity proof NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking 1-server negative insecurity proof NSEC ($n)" +ret=0 +$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# Check the secure.example domain + +echo "I:checking multi-stage positive validation NSEC/NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.secure.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking multi-stage positive validation NSEC/NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking multi-stage positive validation NSEC/OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking multi-stage positive validation NSEC3/NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.secure.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking multi-stage positive validation OPTOUT/NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.secure.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking empty NODATA OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth empty.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth empty.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# Check the insecure.secure.example domain (insecurity proof) + +echo "I:checking 2-server insecurity proof ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \ + > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# Check a negative response in insecure.secure.example + +echo "I:checking 2-server insecurity proof with a negative answer ($n)" +ret=0 +$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ + || ret=1 +$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ + || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking security root query ($n)" +ret=0 +$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking positive validation RSASHA256 NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking positive validation RSASHA512 NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that positive validation in a privately secure zone works ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that negative validation in a privately secure zone works ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking privately secure to nxdomain works ($n)" +ret=0 +$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# Try validating with a revoked trusted key. +# This should fail. + +echo "I:checking that validation fails due to revoked trusted key ($n)" +ret=0 +$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that revoked key is present ($n)" +ret=0 +id=`sed s/^K.+005+0*// < rev.key` +id=`expr $id + 128 % 65536` +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that revoked key self-signs ($n)" +ret=0 +id=`sed s/^K.+005+0*// < rev.key` +id=`expr $id + 128 % 65536` +$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking for unpublished key ($n)" +ret=0 +id=`sed s/^K.+005+0*// < unpub.key` +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that standby key does not sign records ($n)" +ret=0 +id=`sed s/^K.+005+0*// < standby.key` +$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that deactivated key does not sign records ($n)" +ret=0 +id=`sed s/^K.+005+0*// < inact.key` +$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking key deletion ($n)" +ret=0 +id=`sed s/^K.+005+0*// < del.key` +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:exit status: $status" + +exit $status diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index d19138662c..8cbaf373ab 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: conf.sh.in,v 1.42 2009/11/17 23:55:18 marka Exp $ +# $Id: conf.sh.in,v 1.43 2009/11/30 21:00:47 each Exp $ # # Common configuration data for system tests, to be sourced into @@ -38,15 +38,19 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen KEYGEN=$TOP/bin/dnssec/dnssec-keygen SIGNER=$TOP/bin/dnssec/dnssec-signzone +REVOKE=$TOP/bin/dnssec/dnssec-revoke +SETTIME=$TOP/bin/dnssec/dnssec-settime +DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey CHECKZONE=$TOP/bin/check/named-checkzone CHECKCONF=$TOP/bin/check/named-checkconf # The "stress" test is not run by default since it creates enough # load on the machine to make it unusable to other users. # v6synth -SUBDIRS="acl cacheclean checkconf checknames dnssec forward glue ixfr limits - lwresd masterfile masterformat notify nsupdate pending resolver rrsetorder - sortlist stub tkey unknown upforwd views xfer xferquota zonechecks" +SUBDIRS="acl autosign cacheclean checkconf checknames dnssec forward glue ixfr + limits lwresd masterfile masterformat metadata notify nsupdate pending + resolver rrsetorder sortlist stub tkey unknown upforwd views xfer xferquota + zonechecks" # PERL will be an empty string if no perl interpreter was found. PERL=@PERL@ diff --git a/bin/tests/system/metadata/child.db b/bin/tests/system/metadata/child.db new file mode 100644 index 0000000000..e74bda904b --- /dev/null +++ b/bin/tests/system/metadata/child.db @@ -0,0 +1,13 @@ +$ORIGIN . +$TTL 20 +child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. ( + 1 ; serial + 2000 ; refresh (33 minutes 20 seconds) + 2000 ; retry (33 minutes 20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns.child.parent.nil. +$ORIGIN child.parent.nil. +$TTL 300 ; 5 minutes +ns A 10.53.0.3 diff --git a/bin/tests/system/metadata/clean.sh b/bin/tests/system/metadata/clean.sh new file mode 100644 index 0000000000..edc2ab0e46 --- /dev/null +++ b/bin/tests/system/metadata/clean.sh @@ -0,0 +1,24 @@ +#!/bin/sh +# +# Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: clean.sh,v 1.2 2009/11/30 21:00:48 each Exp $ + +rm -f K* dsset-* *.signed *.new random.data +rm -f zsk.key ksk.key parent.ksk.key parent.zsk.key +rm -f pending.key rolling.key standby.key inact.key +rm -f prerev.key postrev.key +rm -f keys sigs diff --git a/bin/tests/system/metadata/parent.db b/bin/tests/system/metadata/parent.db new file mode 100644 index 0000000000..060c0454f5 --- /dev/null +++ b/bin/tests/system/metadata/parent.db @@ -0,0 +1,20 @@ +$ORIGIN . +$TTL 300 ; 5 minutes +parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. ( + 1 ; serial + 2000 ; refresh (33 minutes 20 seconds) + 2000 ; retry (33 minutes 20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns1.parent.nil. + NS ns2.parent.nil. +$ORIGIN parent.nil. +$TTL 3600 ; 1 hour +a A 1.1.1.1 +$TTL 300 ; 5 minutes +ns1 A 10.53.0.1 +ns2 A 10.53.0.2 + +child NS ns.child +ns.child A 10.53.0.3 diff --git a/bin/tests/system/metadata/prereq.sh b/bin/tests/system/metadata/prereq.sh new file mode 100644 index 0000000000..2b811d5402 --- /dev/null +++ b/bin/tests/system/metadata/prereq.sh @@ -0,0 +1,28 @@ +#!/bin/sh +# +# Copyright (C) 2004, 2006, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: prereq.sh,v 1.2 2009/11/30 21:00:48 each Exp $ + +../../../tools/genrandom 400 random.data + +if $KEYGEN -q -r random.data foo > /dev/null 2>&1 +then + rm -f Kfoo* +else + echo "I:This test requires that --with-openssl was used." >&2 + exit 1 +fi diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh new file mode 100644 index 0000000000..087bb3026a --- /dev/null +++ b/bin/tests/system/metadata/setup.sh @@ -0,0 +1,69 @@ +#!/bin/sh -e +# +# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000, 2001 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: setup.sh,v 1.2 2009/11/30 21:00:48 each Exp $ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +. ./clean.sh + +RANDFILE=./random.data + +pzone=parent.nil +czone=child.parent.nil + +../../../tools/genrandom 400 $RANDFILE + +echo "I:generating keys" + +# active zsk +zsk=`$KEYGEN -q -r $RANDFILE $czone` +echo $zsk > zsk.key + +# not yet published or active +pending=`$KEYGEN -q -r $RANDFILE -P none -A none $czone` +echo $pending > pending.key + +# published but not active +standby=`$KEYGEN -q -r $RANDFILE -A none $czone` +echo $standby > standby.key + +# inactive +inact=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone` +echo $inact > inact.key + +# active ksk +ksk=`$KEYGEN -q -r $RANDFILE -fk $czone` +echo $ksk > ksk.key + +# published but not YET active; will be active in 15 seconds +rolling=`$KEYGEN -q -r $RANDFILE -fk $czone` +$SETTIME -A now+15s $rolling > /dev/null +echo $rolling > rolling.key + +# revoked +revoke1=`$KEYGEN -q -r $RANDFILE -fk $czone` +echo $revoke1 > prerev.key +revoke2=`$REVOKE $revoke1` +echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key + +pzsk=`$KEYGEN -q -r $RANDFILE $pzone` +echo $pzsk > parent.zsk.key + +pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone` +echo $pksk > parent.ksk.key + diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh new file mode 100644 index 0000000000..e67ba0eb67 --- /dev/null +++ b/bin/tests/system/metadata/tests.sh @@ -0,0 +1,136 @@ +#!/bin/sh +# +# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: tests.sh,v 1.2 2009/11/30 21:00:48 each Exp $ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=./random.data +pzone=parent.nil pfile=parent.db +czone=child.parent.nil cfile=child.db +status=0 +n=0 + +inact=`sed s/^K${czone}.+005+0*// < inact.key` +ksk=`sed s/^K${czone}.+005+0*// < ksk.key` +pending=`sed s/^K${czone}.+005+0*// < pending.key` +postrev=`sed s/^K${czone}.+005+0*// < postrev.key` +prerev=`sed s/^K${czone}.+005+0*// < prerev.key` +rolling=`sed s/^K${czone}.+005+0*// < rolling.key` +standby=`sed s/^K${czone}.+005+0*// < standby.key` +zsk=`sed s/^K${czone}.+005+0*// < zsk.key` + +../../../tools/genrandom 400 $RANDFILE + +echo "I:signing zones" +$SIGNER -Sg -o $czone $cfile > /dev/null 2>&1 +$SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1 + +awk -v CZ="${czone}." '$2 ~ /RRSIG/ { + type = $3; + getline; + id = $2; + if ($3 ~ CZ) { + print type, id + } +}' < ${cfile}.signed > sigs + +awk '$2 ~ /DNSKEY/ { + flags = $3; + while ($0 !~ "key id =") + getline; + id = $6; + print flags, id; +}' < ${cfile}.signed > keys + +echo "I:checking that KSK signed DNSKEY only ($n)" +ret=0 +grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1 +grep "SOA $ksk"'$' sigs > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that ZSK signed ($n)" +ret=0 +grep "SOA $zsk"'$' sigs > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that standby ZSK did not sign ($n)" +ret=0 +grep " $standby"'$' sigs > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that inactive key did not sign ($n)" +ret=0 +grep " $inact"'$' sigs > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that pending key was not published ($n)" +ret=0 +grep " $pending"'$' keys > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that standby KSK did not sign but is delegated ($n)" +ret=0 +grep " $rolling"'$' sigs > /dev/null && ret=1 +grep " $rolling"'$' keys > /dev/null || ret=1 +egrep "DS[ ]*$rolling[ ]" ${pfile}.signed > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that key was revoked ($n)" +ret=0 +grep " $prerev"'$' keys > /dev/null && ret=1 +grep " $postrev"'$' keys > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that revoked key self-signed ($n)" +ret=0 +grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1 +grep "SOA $postrev"'$' sigs > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:waiting 20 seconds for key changes to occur" +sleep 20 + +echo "I:re-signing zone" +$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null 2>&1 + +echo "I:checking that standby KSK is now active ($n)" +ret=0 +grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:exit status: $status" +exit $status